Jim Wojno – Technical Account Manager
jim.wojno@tanium.com
Incident Response – No Pain No Gain
Balance of Power
Favors the attacker
• Pick time / place / method
• Patient and persistent
• Intel gathering – seeking weakness
• Only has to succeed once – defender has to succeed every time
Please stop hurting my systems….
Shift the Balance
Make the adversary’s job as hard as possible
• Awareness window reduction
• Security Basics / Hygiene
  • patching / segmentation / bastion hosts / 2FA
• Intel gathering – all the cool kids are doing it…
  • Most relevant threat intel comes from inside
  • Verizon DBIR Report - ~3% overlap in threat feeds
Please stop hurting my network….
Incident Response Done Right
Quickly:
• determine scope
• limit damage
• investigate and gather evidence
• remediate
• use lessons learned to spot future attacks
Crucial to understand the most important data to collect
Intel requires data but is the sum of many parts
“Information and knowledge about an adversary obtained through observation, investigation, analysis, or understanding.”
https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/vol46no3/article02.html
Analysis is key – data without analysis is not intel
Analysis transforms disconnected data points into actionable intel
Data != Intel
Pyramid of Pain
David Bianco – Mandiant
• Model of Trivial to Tough
• Ascending in difficulty
• Begins with data – ends with intel
Source: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Hash Values
[Pyramid of Pain figure, level highlighted: Hash Values; levels from top: TTP, Tools, Network/Host Artifacts, Domain Names, IP Addresses, Hash Values]
High Confidence / Low False Positive Rate
Trivial to Change
Fast burn rate – packers / custom shellcode
Hashing tools: md5sum / sha1sum / sha256sum; md5, shasum -a 1|256; PowerShell Get-FileHash; FCIV – File Checksum Integrity Verifier
Lookup sources: VirusTotal, Cymru, VirusShare, ViCheck.ca, ThreatExpert, etc.
IP Addresses
[Pyramid of Pain figure, level highlighted: IP Addresses]
Easy to Change
VPN, TOR, i2p to obfuscate
Fast burn rate – unless hardcoded into bot/tools
Where to look: Firewall / web server / IPS logs / DNS cache / Event Logs (RDP), AV/HIPS
Lookup sources: Project HoneyPot, ThreatStop, IPVoid, Google, whois, TrustedSource, abuse.ch, etc.
Domain Names
[Pyramid of Pain figure, level highlighted: Domain Names]
Easy to Change
Domain Generation Algorithms (DGA)
Fast burn rate
Where to look: Browser history, firewall / IPS logs, DNS cache, DNS server logs, Event Logs, AV/HIPS
Similar domains – misleading typos: totallylegit.com vs tota11ylegit.com
OpenDNS – “Catching Malware En Masse” – Defcon 22
Lookup sources: MalwareDomainList, DGA List, Cymru, Malc0de, ZeusTracker, many, many more…
Network / Host Artifacts
[Pyramid of Pain figure, level highlighted: Network/Host Artifacts]
Harder to Change
Higher Potential for False Positive
Artifacts: mutex, strings in memory, user agent strings, Registry / persistence / scheduled tasks, files, directories, protocol anomalies (ex: non-HTTP on port 80), beaconing activity, unsigned services, listeners with active connections
Methods: Stacking / frequency analysis, autoruns / scheduled task review, volatile artifact analysis, NGFW / AV/HIPS / IPS logs
Lookup sources: VirusTotal, Cymru, user-agents.org, IOCs
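Beaconing activity is listed above as a network artifact that is harder for an adversary to change than an IP or domain. The following is an added example (not from the slide deck) of how a defender can surface it from ordinary firewall or proxy connection records: group outbound connections by source, destination and port, measure the gaps between them, and flag pairs whose timing is nearly constant. The log format, hosts and addresses are constructed placeholders for the example.

```python
"""Beaconing detection over constructed firewall-style connection records.

Added example (not from the slide deck): groups outbound connections by
(source host, destination, port), computes inter-connection intervals and
flags pairs whose timing is suspiciously regular. All log lines below are
constructed for the example; the hosts and addresses are placeholders.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp src dst dport" (not real traffic).
# 10.0.0.5 checks in roughly once a minute with a few seconds of jitter;
# 10.0.0.7 shows bursty, human-looking activity to the same kind of service.
SAMPLE_LOG = """\
2016-02-01T09:00:00 10.0.0.5 203.0.113.9 443
2016-02-01T09:01:02 10.0.0.5 203.0.113.9 443
2016-02-01T09:01:59 10.0.0.5 203.0.113.9 443
2016-02-01T09:03:01 10.0.0.5 203.0.113.9 443
2016-02-01T09:04:00 10.0.0.5 203.0.113.9 443
2016-02-01T09:04:58 10.0.0.5 203.0.113.9 443
2016-02-01T09:06:03 10.0.0.5 203.0.113.9 443
2016-02-01T09:00:10 10.0.0.7 198.51.100.20 443
2016-02-01T09:00:11 10.0.0.7 198.51.100.20 443
2016-02-01T09:07:45 10.0.0.7 198.51.100.20 443
2016-02-01T09:31:02 10.0.0.7 198.51.100.20 443
2016-02-01T09:31:03 10.0.0.7 198.51.100.20 443
2016-02-01T10:02:14 10.0.0.7 198.51.100.20 443
"""


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples from the space-separated log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def interval_stats(timestamps):
    """Return (mean_interval_seconds, coefficient_of_variation) for the gaps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else float("inf")
    return m, cv


def find_beacons(text, min_connections=6, max_cv=0.15):
    """Return {(src, dst, dport): (mean_interval_s, cv)} for regular talkers.

    A low coefficient of variation means the gaps between connections are
    nearly constant, which is what a fixed-interval beacon looks like even
    with a few seconds of jitter. Interactive use produces bursty, irregular
    gaps and therefore a high CV, so it is not flagged.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        by_pair[(src, dst, dport)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        m, cv = interval_stats(times)
        if cv <= max_cv:
            flagged[pair] = (round(m, 1), round(cv, 3))
    return flagged


if __name__ == "__main__":
    for pair, (m, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {pair} every ~{m}s (cv={cv})")
```

The thresholds (`min_connections`, `max_cv`) are the knobs that trade false positives for coverage: legitimate software updaters and monitoring agents also poll on fixed intervals, which is exactly the "higher potential for false positive" the slide warns about, so a hit from this check is a lead to stack against the rest of the fleet, not a verdict.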
Tools
[Pyramid of Pain figure, level highlighted: Tools]
Attackers are Humans
Humans are Lazy
Attackers are Lazy
C2, tool / infrastructure reuse very common
If it continues to work – why change it?
Distinctive beaconing / protocol / port
Common persistence mechanism
webshell, mimikatz, putty/plink, winrar, netcat
TTPs
[Pyramid of Pain figure, level highlighted: TTP]
Very Hard to Change
If it continues to work – why change it?
Attack patterns
Tool versions
Mission – Goal of intrusion
Window size / parameters
Commands / typos entered
Language / Localization variables
Data exfiltration technique
Lateral movement / scanning technique
This is the ultimate goal but few organizations have this level of maturity
• 3rd party / Commercial Threat Intel
How do I Operationalize This?
Cross the Streams…
More is Better
Combine layers / artifact types
• Better accuracy
• Flexibility
• Multiple variations of same family
Hunting Methods: IOC Searches
• Codified intelligence to find known-bad and likely-bad
• Reliant upon good threat intel, leads, forensic findings
• Key challenges: slow tools, short usable lifetime, insufficient context to classify
[Figure: IOCs]
Deep Dive Analysis
Key challenge: costs span labor, computation, and risk.
Hunting Methods: Data Stacking & Analytics
• Retrieve select set of artifacts from all hosts
• Perform sub-search or frequency-of-occurrence analysis
• Find anomalies and unknown bad
• Key challenges: speed of data acquisition, scalability, ease of search
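Data stacking is the hunting method above and the "stacking / frequency analysis" item from the Network / Host Artifacts slide: pull one artifact type from every host, count how many hosts share each value, and look at the rare ones. The example below is added here and is not code from the deck or from Tanium; it stacks autorun (persistence) entries from a constructed fleet, normalizes per-user profile paths so the same program on different users' machines lands in one stack, and returns the entries seen on only a few hosts as leads for deep-dive analysis. The host names, value names and paths are constructed placeholders.

```python
"""Data stacking / frequency-of-occurrence analysis over constructed autorun data.

Added example (not from the slide deck): takes one artifact type
(autorun/persistence entries) retrieved from every host, stacks identical
entries, and surfaces the rarest ones as leads for deep-dive analysis. Host
names, value names and image paths are constructed placeholders.
"""
import re
from collections import Counter, defaultdict

# Constructed per-host autorun entries: (host, registry value name, image path).
AUTORUNS = [
    ("ws01", "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("ws02", "OneDrive", r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("ws03", "OneDrive", r"C:\Users\carol\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("ws04", "OneDrive", r"C:\Users\dave\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("ws01", "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("ws02", "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("ws03", "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("ws04", "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("ws03", "WinUpdate", r"C:\Users\carol\AppData\Roaming\svch0st.exe"),
]

# Matches the per-user profile prefix, e.g. C:\Users\alice\ (case-insensitive).
USER_DIR = re.compile(r"(?i)^C:\\Users\\[^\\]+\\")


def normalize_path(path):
    """Collapse per-user profile directories so the same program stacks together."""
    return USER_DIR.sub(r"C:\\Users\\<user>\\", path).lower()


def stack(entries):
    """Return {(value_name, normalized_path): set(hosts)}: the stacked view."""
    stacks = defaultdict(set)
    for host, name, path in entries:
        stacks[(name, normalize_path(path))].add(host)
    return stacks


def rare_entries(entries, max_hosts=1):
    """Entries present on at most max_hosts hosts, rarest first.

    In a fleet of similar workstations a persistence entry that exists on one
    machine is the 'low frequency of occurrence' lead worth enriching.
    """
    stacks = stack(entries)
    rare = [(key, sorted(hosts)) for key, hosts in stacks.items() if len(hosts) <= max_hosts]
    return sorted(rare, key=lambda kv: (len(kv[1]), kv[0]))


def host_count_histogram(entries):
    """Counter of how many stacked entries occur on N hosts; helps choose max_hosts."""
    return Counter(len(hosts) for hosts in stack(entries).values())


if __name__ == "__main__":
    total_hosts = len({h for h, _, _ in AUTORUNS})
    for (name, path), hosts in rare_entries(AUTORUNS):
        print(f"{name:15} {path}  on {len(hosts)}/{total_hosts} hosts: {hosts}")
```

The normalization step is what makes stacking work at scale: without it every user's copy of the same updater is its own "rare" entry and the analyst drowns in noise. The same pattern applies to scheduled tasks, services, loaded DLLs or listening ports; only the tuple being stacked changes.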
Jim Wojno – Technical Account Manager
jim.wojno@tanium.com
Jim Wojno: Incident Response - No Pain, No Gain!
Editor’s notes

1. Most of the native data retrieved from systems needs to be combined or aggregated with other data sets to see patterns of malicious behavior. Low-frequency-of-occurrence events require data enrichment.