Proactive Cyber Defence Solutions

Presentation Transcript


  1. Proactive Cyber Defence Solutions

  2. Whoami • mk.fallahi@gmail.com • mk_fallahi • MKF • Kazem Fallahi • Ravr @Ravro_ir

  3. Agenda
  • Attack History
  • Dwell Time
  • Cyber Defence Evolution
  • Threat Hunting
  • Red Teaming

  4. History

  5. Evolution (timeline: 2004, 2007, 2010, 2013, now) • APT • Insider Threats • Mobile • IoT • Spam • Botnet • DoS • Identity Theft • Phishing • Web Attack • DDoS • Social Engineering • Ransomware • Virus • Worm • Trojan

  6. Data is the new oil

  7. APT: Silent but EVIL

  8. APT
  • Advanced
  • Complex
  • Remain in network for long period
  • Don’t destroy systems
  • Don’t interrupt normal operation
  • Usually sponsored by nations or very large organizations
  • Motivation: financial gain or political espionage
  • Final Goal: steal government or industrial secrets

  9. APT Example
  • CloudLook
  • Inception Framework (2014)
  • Sykipot (2006)
  • GhostNet (2009)
  • STUXNET (2010)
  • Red October (2012)
  • APTs

  10. Adversaries are already in your network

  11. Dwell Time

  12. Dwell Time Based on Regions (chart: 2016 and 2017 figures by region; values shown: 175 Days, 106 Days, 498 Days, 172 Days, 99 Days, 75.5 Days)

  13. Dwell Time In The World

  14. Dwell Time (chart: dwell time in days by year, 2011–2017; values shown: 416, 243, 229, 205, 146, 101, 99)

  15. Incident Response Timeline
  • 66 Days: Occurrence to Discovery
  • 3 Days: Discovery to Containment
  • 38 Days: Discovery to Notification
  • 36 Days: Time to Complete Forensic Investigation
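The intervals on this slide are the quantities the deck later asks you to shrink ("Reduce Attack Dwell Time"), and they are only useful if they come out of the incident records rather than out of someone's memory. The following is an added example, not code from the deck or from Ravr; the record layout, field names and sample dates are constructed for illustration. It computes each reported phase over a set of incidents, rejects records whose dates run backwards, and uses the median by default because a few long-lived intrusions otherwise dominate the mean.

```python
"""Incident response timeline metrics (dwell time and the phases after it).

Added example, not part of the original slide deck. The Incident layout, the
phase names and the sample dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class Incident:
    incident_id: str
    occurred: date        # earliest evidence of adversary activity
    discovered: date      # when the defender first noticed it
    contained: date       # when adversary access was cut off
    notified: date        # when affected parties were informed
    forensics_done: date  # when the forensic investigation was closed


def parse_incident(incident_id: str, *iso_dates: str) -> Incident:
    """Build an Incident from ISO-8601 date strings, in the field order above."""
    occurred, discovered, contained, notified, forensics_done = map(date.fromisoformat, iso_dates)
    return Incident(incident_id, occurred, discovered, contained, notified, forensics_done)


# Constructed sample records (hypothetical dates, not real incidents).
SAMPLE_INCIDENTS = [
    parse_incident("INC-001", "2017-01-10", "2017-03-17", "2017-03-20", "2017-04-24", "2017-04-22"),
    parse_incident("INC-002", "2016-11-01", "2017-03-01", "2017-03-02", "2017-04-15", "2017-03-31"),
    parse_incident("INC-003", "2017-02-20", "2017-03-02", "2017-03-12", "2017-03-20", "2017-04-11"),
]

# Each reported phase as (start field, end field). Dwell time here is the first
# one, occurrence to discovery, the interval the slide's yearly chart tracks.
PHASES = {
    "occurrence_to_discovery": ("occurred", "discovered"),
    "discovery_to_containment": ("discovered", "contained"),
    "discovery_to_notification": ("discovered", "notified"),
    "forensic_investigation": ("discovered", "forensics_done"),
}


def phase_days(incident: Incident, phase: str) -> int:
    start, end = PHASES[phase]
    return (getattr(incident, end) - getattr(incident, start)).days


def validate(incident: Incident) -> list:
    """Return the phases whose end precedes their start: data-entry errors that
    would silently pull the aggregates down if left in."""
    return [phase for phase in PHASES if phase_days(incident, phase) < 0]


def timeline_metrics(incidents, stat=median) -> dict:
    """Aggregate every phase over the valid records with `stat` (median by
    default, since a few long-lived intrusions dominate the mean)."""
    clean = [i for i in incidents if not validate(i)]
    return {phase: stat([phase_days(i, phase) for i in clean]) for phase in PHASES}


if __name__ == "__main__":
    for phase, days in timeline_metrics(SAMPLE_INCIDENTS).items():
        print(f"{phase:>26}: {days} days")
```

With the constructed records the medians reproduce the four figures on the slide (66, 3, 38 and 36 days); swap `stat=median` for `statistics.mean` to see how much a single 120-day intrusion shifts the first number.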

  16. Cyber Defence Evolution

  17. Evolution
  • 1995 Point Solution: monitoring per device console
  • 2000 Log Mgmt: centralized monitoring
  • 2003 SIEM/SOC: real-time monitoring of known threats
  • 2006 Threat Intel: track known adversary IOCs, TTPs, intent
  • 2013 Hunt Teams: find unknown threats, understand new adversary TTPs

  18. Goal
  • Prevent Attackers From Achieving Their Goal
  • Reduce Attack Dwell Time
  • Change Mindset

  19. NG Cyber Security Solutions
  • Old solutions (focused on threat prevention): Firewall, IPS, AV, WAF
  • Next generation solutions (focused on threat hunting): EDR, SIEM, AI

  20. Reactive Security vs Proactive Cyber Defence

  21. Traditional vs Modern Defense
  • Traditional Defense: Prevention is Core • Perimeter Focused • Mainly Reactive
  • Modern Defense: Prevention is ideal but Detection & Response is Crucial • Everywhere is your Perimeter • Proactive Threat Hunting
  “SIEM is Dead!” (John Linkous, 2012)

  22. Why Traditional Solutions Can’t Stop Hackers
  • Government support for hacking teams
  • Hacking as a full-time job
  • Government hackers have a high degree of expertise
  • Hacking teams have high financial support

  23. Focus Areas To Reduce Dwell Time
  • Fundamental security controls
  • Granular visibility and correlated intelligence
  • Continuous endpoint monitoring
  • Actionable prediction of human behavior
  • User awareness (user behavior analysis)

  24. Threat Hunting

  25. Why Hunting
  • One of the hot topics at RSA 2018
  • Rather than waiting for the inevitable data breach to happen, proactively scout around for and hunt down bad actors and malicious activity on your networks.
  • Threat hunting combines the use of threat intelligence, analytics, and automated security tools with human smarts.
  • Hunting consists of manual or machine-assisted techniques, as opposed to relying only on automated systems like SIEMs.

  26. Goals of Threat Hunting
  • Gaining better visibility into the organization’s weaknesses
  • Provide early and accurate detection
  • Control and reduce impact and damage with faster response
  • Improve defenses to make successful attacks increasingly difficult
  • Tracking activity and looking for anomalies

  27. Definition: Threat Hunting refers to proactively and iteratively searching through networks or datasets to detect and respond to advanced threats that evade traditional rule- or signature-based security solutions.

  28. Threat Hunting
  • Known Bad
  • Suspicious Behavior
  • Unknown Bad

  29. Keys to a Successful Hunt: planning, preparing, processing; skill, experience, efficiency; tools, procedures, tech
  Hunters’ Skillsets
  • Data Science
  • Data Management
  • Data Visualization
  • Statistics
  • Programming
  • Mindset
  • Desire to learn
  • Creative
  • Analytical
  • Red team
  • Cyber Security
  • Intrusion Analysis
  • Malware Analysis
  • Threat Intelligence

  30. Threat Hunting Activities
  • Understanding the threats
  • Identifying critical data and business processes utilizing that data
  • Intuition, hunches and hypotheses
  • Behavioral analytics
  • Complete Situational Awareness
  • Analyzing all data
  • Looking for anomalies

  31. Data Collection & Analysis

  32. Cyber Kill Chain: The Seven Phases of a Cyber Attack
  • Reconnaissance: harvesting email addresses, conference information, ...
  • Weaponization: coupling exploit with backdoor into deliverable payload
  • Delivery: delivering weaponized bundle to the victim via email, web, USB, ...
  • Exploitation: exploiting a vulnerability to execute code on victim’s system
  • Installation: installing malware on the asset
  • Command & Control: command channel for the remote manipulation of victim
  • Actions & Objectives: intruders accomplish their original goals

  33. Kill chain phases: recon, weaponize, deliver, exploit, control, execute, maintain
  • Enterprise ATT&CK: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control
  • PRE-ATT&CK: Priority Definition Planning, Direction; Target Selection; Information Gathering (Technical, People, Organizational); Weakness Identification (Technical, People, Organizational); Adversary OpSec; Establish & Maintain Infrastructure; Persona Development; Build Capabilities; Test Capabilities; Stage Capabilities

  34.

  35.

  36. Cyber Kill Chain Case Study
  • Reconnaissance: recon, PHP and SQL fingerprinting
  • Delivery & Exploitation: delivery of SQL injection via Havij tool & exploitation of injection attack
  • Command & Control: establish and maintain C2

  37. The Pyramid of Pain
  • Tough: TTPs
  • Challenging: Tools
  • Annoying: Network/Host Artifacts
  • Simple: Domain Names
  • Easy: IP Address
  • Trivial: Hash Values
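Slide 28 splits hunting into known bad, suspicious behavior and unknown bad, and the pyramid above explains why the split matters: indicators at the bottom (hashes, IP addresses) are cheap to match and cheap for the adversary to change, while a detection written against a TTP survives a rebuilt tool or moved infrastructure. The block below is an added example, not code from the deck or from Ravr, that runs all three tiers over constructed endpoint process-creation events; the event layout, indicator values, host names and the one behavioural rule are assumptions made for illustration. In the sample data, the same Word-spawns-PowerShell activity appears on two hosts: one still talks to the catalogued address and is caught by the indicator list, the other has moved to new infrastructure and is caught only by the behavioural rule. The third tier has no indicator and no rule; it stacks parent/child pairs across the fleet and surfaces the rare ones as hypotheses for an analyst.

```python
"""Three-tier hunt over endpoint process events: known bad, suspicious
behaviour, unknown bad (slide 28), illustrating the Pyramid of Pain (slide 37).

Added example, not part of the original slide deck. Event layout, indicator
values, host names and the behavioural rule are constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str    # parent process image name
    image: str     # created process image name
    sha256: str    # hash of the created image
    dest_ip: str   # first outbound connection of the process, "" if none


# Tier 1, known bad: atomic indicators from the bottom of the pyramid (hash
# values, IP addresses). Cheap to match, trivial for an adversary to change.
KNOWN_BAD_HASHES = {"a" * 64}      # constructed placeholder hash
KNOWN_BAD_IPS = {"203.0.113.10"}   # constructed, from the TEST-NET-3 documentation range

# Tier 2, suspicious behaviour: a TTP-level rule from the top of the pyramid.
# A document-handling application spawning a script host is a behaviour, not
# an artifact, so a rebuilt payload or new infrastructure does not evade it.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def pair(ev: ProcessEvent) -> tuple:
    return (ev.parent.lower(), ev.image.lower())


def known_bad(ev: ProcessEvent) -> bool:
    return ev.sha256.lower() in KNOWN_BAD_HASHES or ev.dest_ip in KNOWN_BAD_IPS


def suspicious_behaviour(ev: ProcessEvent) -> bool:
    parent, image = pair(ev)
    return parent in OFFICE_APPS and image in SCRIPT_HOSTS


# Tier 3, unknown bad: no indicator and no rule. Stack parent/child pairs
# across the fleet; a pair seen on very few hosts is a hypothesis for an
# analyst, not a verdict. Large environments need a higher threshold.
def rare_pairs(events, max_hosts: int = 1) -> set:
    hosts_per_pair = defaultdict(set)
    for ev in events:
        hosts_per_pair[pair(ev)].add(ev.host)
    return {p for p, hosts in hosts_per_pair.items() if len(hosts) <= max_hosts}


def hunt(events) -> list:
    """Return (tier, event) findings, checking tiers from cheapest to most speculative."""
    rare = rare_pairs(events)
    findings = []
    for ev in events:
        if known_bad(ev):
            tier = "known_bad"
        elif suspicious_behaviour(ev):
            tier = "suspicious_behaviour"
        elif pair(ev) in rare:
            tier = "unknown_bad_candidate"
        else:
            continue
        findings.append((tier, ev))
    return findings


def tier_counts(events) -> Counter:
    return Counter(tier for tier, _ in hunt(events))


# Constructed sample telemetry. SYSTEM_HASH stands in for a signed system
# binary's hash. ws01 and ws02 both spawn PowerShell from Word; ws01 beacons
# to the catalogued address, ws02 has moved infrastructure. ws05 runs the
# catalogued sample. ws04 runs a binary no other host has.
SYSTEM_HASH = "b" * 64
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "explorer.exe", "winword.exe", SYSTEM_HASH, ""),
    ProcessEvent("ws02", "explorer.exe", "winword.exe", SYSTEM_HASH, ""),
    ProcessEvent("ws03", "explorer.exe", "winword.exe", SYSTEM_HASH, ""),
    ProcessEvent("ws01", "svchost.exe", "conhost.exe", SYSTEM_HASH, ""),
    ProcessEvent("ws02", "svchost.exe", "conhost.exe", SYSTEM_HASH, ""),
    ProcessEvent("ws03", "svchost.exe", "conhost.exe", SYSTEM_HASH, ""),
    ProcessEvent("ws01", "winword.exe", "powershell.exe", SYSTEM_HASH, "203.0.113.10"),
    ProcessEvent("ws02", "winword.exe", "powershell.exe", SYSTEM_HASH, "198.51.100.7"),
    ProcessEvent("ws05", "explorer.exe", "photo_viewer.exe", "a" * 64, ""),
    ProcessEvent("ws04", "svchost.exe", "updater_helper.exe", "d" * 64, ""),
]

if __name__ == "__main__":
    for tier, ev in hunt(SAMPLE_EVENTS):
        print(f"{tier:<22} {ev.host} {ev.parent} -> {ev.image}")
```

The order of the checks is deliberate: indicator matches are the cheapest and most certain, so they are confirmed first; the rare-pair tier runs last and only on events nothing else explained, which keeps the analyst's queue short. Raising `max_hosts` or adding more context fields (command line, signer) is how the third tier is tuned for a larger environment, where the slide on why hunting is difficult rightly warns that more noise means more false positives.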

  38. The Hunting Loop

  39. The Hunting Maturity Model
  • The quantity and quality of the data they collect
  • In what ways they can visualize and analyze various types of data
  • What kinds of automated analytics they can apply to data to enhance analyst insights

  40. Why Hunting is Difficult
  • Incidents are non-linear
  • Adversaries continue to change their patterns
  • Targeted intrusions often begin with opportunistic compromises
  • Attackers can be erratic & unpredictable
  • Evidence is often incomplete or insufficient
  • Adapt to changes in behaviors
  • Learn how the adversary works
  • Watch all behaviors of the adversary
  • Large environments = more noise = more false positives

  41. Sharing
  • My detection becomes your prevention
  • We need to close the gap between sharing speed and attack speed
  • 75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours).

  42. Threat Intelligence: Evolving Security From Reaction To Prediction

  43. Demo

  44. Red Teaming

  45. Red Teaming
  • Provides more value than a Penetration Test
  • Should be implemented into a regular schedule
  • Helps train security personnel
  • Helps make sure your boxes are tuned
  • Using weaknesses to find what is most valuable
  • Goal Oriented
  • Review attack
  • Test how teams use services and how they are managed

  46. Red Teaming Goals
  • Model recent threats and trends
  • Longer term
  • Highlight gaps in security controls, detection, …
  • Escape and Evade for Persistence

  47. Blue Teaming Goals
  • Detect Attack
  • Respond and Recover
  • Produce Actionable Intelligence
  • Identify Gaps and investment needs

  48. Team Members
  • Mohammad Amin Kariman • kariman.mohammadamin@gmail.com • @Ma_kariman
  • Kazem Fallahi • mk.fallahi@gmail.com • @mkf
  • Omid Palvayeh • O.Palvayeh@gmail.com • @OmidPalvayeh

  49.