Proactive Cyber Defence Solutions (Kazem Fallahi)
Whoami
• Kazem Fallahi
• mk.fallahi@gmail.com
• mk_fallahi (MKF)
• Ravr @Ravro_ir
Agenda
• Attack History
• Dwell Time
• Cyber Defence Evolution
• Threat Hunting
• Red Teaming
Evolution (attack timeline chart; x-axis 2004, 2007, 2010, 2013, now)
Threats shown: Virus, Worm, Trojan, Spam, Botnet, DoS, Identity Theft, Phishing, Web Attack, DDoS, Social Engineering, Ransomware, APT, Insider Threats, Mobile, IoT
Data is the new oil
APT: Silent but EVIL
APT
• Advanced
• Complex
• Remain in network for long period
• Don't destroy systems
• Don't interrupt normal operation
• Usually sponsored by nations or very large organizations
• Motivation: financial gain or political espionage
• Final Goal: steal government or industrial secrets
APT Example
• CloudLook
• Inception Framework (2014)
• Sykipot (2006)
• GhostNet (2009)
• STUXNET (2010)
• Red October (2012)
• APTs
Adversaries are already in your network
Dwell Time Based on Regions (chart comparing 2016 and 2017; values shown: 175 days, 106 days, 498 days, 172 days, 99 days, 75.5 days)
Dwell Time In The World
Dwell Time (bar chart, years 2011 to 2017 on the x-axis; bar values in descending order: 416, 243, 229, 205, 146, 101 and 99 days)
Incident Response Timeline
• 66 days: occurrence to discovery
• 3 days: discovery to containment
• 38 days: discovery to notification
• 36 days: time to complete forensic investigation
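The four intervals on this slide are the numbers a team should be able to produce for its own incidents. The following is an added example, not code from the slides, that computes them per incident and takes the median across a set of incidents; the incident dates are constructed sample data, and measuring the forensic-investigation interval from discovery is an assumption (the slide does not say where that interval starts).

```python
"""Incident response timeline metrics over constructed incident records.

Added example; not from the slides. Computes the four intervals the slide
lists for each incident, then the median of each across a set of incidents,
which is how a team tracks its own dwell time over time.
Assumptions: the forensic-investigation interval is measured from discovery,
and all incident dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class Incident:
    name: str
    occurred: date        # earliest evidence of attacker activity
    discovered: date      # defenders first became aware
    contained: date       # attacker access cut off
    notified: date        # affected parties informed
    forensics_done: date  # investigation report completed


# Constructed sample incidents (dates chosen for illustration only).
SAMPLE_INCIDENTS = [
    Incident("inc-a", date(2018, 1, 1), date(2018, 3, 8), date(2018, 3, 11),
             date(2018, 4, 15), date(2018, 4, 13)),
    Incident("inc-b", date(2018, 5, 1), date(2018, 5, 21), date(2018, 5, 22),
             date(2018, 6, 10), date(2018, 6, 20)),
    Incident("inc-c", date(2017, 10, 1), date(2018, 2, 1), date(2018, 2, 10),
             date(2018, 3, 20), date(2018, 4, 1)),
]


def dwell_time(inc: Incident) -> int:
    """Dwell time in days: occurrence to discovery, the figure the slides track."""
    return (inc.discovered - inc.occurred).days


def intervals(inc: Incident) -> dict:
    """The four intervals from the slide, in days, for one incident."""
    return {
        "occurrence_to_discovery": dwell_time(inc),
        "discovery_to_containment": (inc.contained - inc.discovered).days,
        "discovery_to_notification": (inc.notified - inc.discovered).days,
        # Assumption: forensic work starts at discovery.
        "forensic_investigation": (inc.forensics_done - inc.discovered).days,
    }


def median_timeline(incidents) -> dict:
    """Median of each interval across all incidents (robust to one long outlier)."""
    per_incident = [intervals(i) for i in incidents]
    return {k: median(p[k] for p in per_incident) for k in per_incident[0]}


def longest_dwell(incidents) -> Incident:
    """The incident in which the adversary sat longest before discovery."""
    return max(incidents, key=dwell_time)


if __name__ == "__main__":
    for k, v in median_timeline(SAMPLE_INCIDENTS).items():
        print(f"{k:>26}: {v} days")
    print("longest dwell:", longest_dwell(SAMPLE_INCIDENTS).name)
```

Medians rather than means are used on purpose: one incident with a year of undetected access would otherwise dominate the figure and hide whether discovery is actually improving for the typical case.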
Evolution (defence timeline chart; years 1995, 2000, 2003, 2006, 2013)
• Point Solution: monitoring per device console
• Log Mgmt: centralized monitoring
• SIEM/SOC: real-time monitoring of known threats
• Threat Intel: track known adversary IOCs, TTPs, intent
• Hunt Teams: find unknown threats, understand new adversary TTPs
Goal
• Prevent attackers from achieving their goal
• Reduce attack dwell time
• Change mindset
NG Cyber Security Solutions
• Old solutions (focused on threat prevention): Firewall, IPS, AV, WAF
• Next generation solutions (focused on threat hunting): EDR, SIEM, AI
Reactive Security vs Proactive Cyber Defence
Traditional vs Modern Defense
• Traditional Defense
  • Prevention is core
  • Perimeter focused
  • Mainly reactive
• Modern Defense
  • Prevention is ideal but Detection & Response is crucial
  • Everywhere is your perimeter
  • Proactive threat hunting
"SIEM is Dead!" (John Linkous, 2012)
Why Traditional Solutions Can't Stop Hackers
• Government support for hacking teams
• Hacking as a full-time job
• Government hackers have a high degree of expertise
• Hacking teams have high financial support
Focus Areas To Reduce Dwell Time
• Fundamental security controls
• Granular visibility and correlated intelligence
• Continuous endpoint monitoring
• Actionable prediction of human behavior
• User awareness (user behavior analysis)
Why Hunting
• One of the hot topics at RSA 2018
• Rather than waiting for the inevitable data breach to happen, proactively scout around for and hunt down bad actors and malicious activity on your networks.
• Threat hunting combines the use of threat intelligence, analytics, and automated security tools with human smarts.
• Hunting consists of manual or machine-assisted techniques, as opposed to relying only on automated systems like SIEMs.
Goals of Threat Hunting
• Gaining better visibility into the organization's weaknesses
• Provide early and accurate detection
• Control and reduce impact and damage with faster response
• Improve defenses to make successful attacks increasingly difficult
• Tracking activity and looking for anomalies
Definition
Threat Hunting refers to proactively and iteratively searching through networks or datasets to detect and respond to advanced threats that evade traditional rule- or signature-based security solutions.
Threat Hunting
• Known Bad
• Suspicious Behavior
• Unknown Bad
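The three categories on this slide correspond to three different kinds of hunting logic. The following is an added example, not code from the slides: a small hunt over constructed endpoint process-creation events that applies a known-bad indicator match, a suspicious-behaviour rule, and a rarity baseline for unknown bad. The event records, the known-bad hash, the Office-to-script-host rule and the rarity threshold are all constructed or assumed; a real hunt would read Sysmon or EDR events and tune the threshold to the size of the fleet.

```python
"""Three hunting tiers (Known Bad, Suspicious Behaviour, Unknown Bad) over
constructed endpoint process-creation events.

Added example; not from the slides. Events, the known-bad hash, the
behaviour rule and the rarity threshold are constructed or assumed.
"""
from collections import defaultdict

# Constructed process-creation events (simplified Sysmon-style fields).
EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe", "sha256": "c0ffee01"},
    {"host": "ws02", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe", "sha256": "c0ffee01"},
    {"host": "ws03", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe", "sha256": "c0ffee01"},
    {"host": "ws01", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": "5c7ed0ff"},
    {"host": "ws02", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": "5c7ed0ff"},
    {"host": "ws03", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": "5c7ed0ff"},
    # Known bad: binary whose hash is on a (constructed) threat-intel list.
    {"host": "ws04", "parent": "svchost.exe", "image": "updater.exe",
     "cmdline": "updater.exe /silent", "sha256": "bad0bad0"},
    # Suspicious behaviour: Office application launching a script host.
    {"host": "ws03", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc UwB0AGEAcgB0AA==", "sha256": "7e57ed00"},
    # Unknown bad: no intel, no rule, just a parent/child pair nothing else in the fleet has.
    {"host": "ws05", "parent": "services.exe", "image": "odd.exe",
     "cmdline": "odd.exe", "sha256": "0dd0dd00"},
]

KNOWN_BAD_HASHES = {"bad0bad0"}  # constructed IOC from a hypothetical intel feed
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def pair(e):
    """Parent/child image pair, case-folded, used as the behaviour key."""
    return (e["parent"].lower(), e["image"].lower())


def known_bad(events):
    """Tier 1: direct indicator match. Cheap and precise, but only finds what intel already knows."""
    return [e for e in events if e["sha256"] in KNOWN_BAD_HASHES]


def suspicious_behaviour(events):
    """Tier 2: behaviour rule independent of any specific sample:
    an Office application spawning a script host."""
    return [e for e in events
            if e["parent"].lower() in OFFICE_APPS and e["image"].lower() in SCRIPT_HOSTS]


def unknown_bad(events, max_hosts=1):
    """Tier 3: rarity baseline. Parent/child pairs seen on at most `max_hosts`
    distinct hosts are leads to investigate, not verdicts."""
    hosts_by_pair = defaultdict(set)
    for e in events:
        hosts_by_pair[pair(e)].add(e["host"])
    rare = {p for p, hosts in hosts_by_pair.items() if len(hosts) <= max_hosts}
    return [e for e in events if pair(e) in rare]


def hunt(events):
    """Label each lead with the strongest tier that caught it (tier 1 > 2 > 3)."""
    tiers = [("known_bad", known_bad),
             ("suspicious_behaviour", suspicious_behaviour),
             ("unknown_bad", unknown_bad)]
    leads, seen = [], set()
    for name, fn in tiers:
        for e in fn(events):
            key = (e["host"], e["image"], e["sha256"])
            if key not in seen:
                seen.add(key)
                leads.append((name, e["host"], e["image"]))
    return leads


if __name__ == "__main__":
    for tier, host, image in hunt(EVENTS):
        print(f"{tier:<22} {host} {image}")
```

Only the third tier finds `odd.exe` on `ws05`: it matches no indicator and breaks no rule, which is exactly the case hunting exists for. The price is that rarity alone is a lead, not a verdict, so tier-3 output goes to an analyst rather than to an alert queue.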
Keys to Successful Hunt
• Planning, preparing, processing
• Skill, experience, efficiency
• Tools, procedures, tech
Hunters' Skillsets
• Data Science
• Data Management
• Data Visualization
• Statistics
• Programming
• Mindset: desire to learn, creative, analytical
• Red team
• Cyber Security
• Intrusion Analysis
• Malware Analysis
• Threat Intelligence
Threat Hunting Activities
• Understanding the threats
• Identifying critical data and business processes utilizing that data
• Intuition, hunches and hypotheses
• Behavioral analytics
• Complete situational awareness
• Analyzing all data
• Looking for anomalies
Data Collection & Analysis
Cyber Kill Chain: The Seven Phases of a Cyber Attack
• Reconnaissance: harvesting email addresses, conference information, ...
• Weaponization: coupling exploit with backdoor into deliverable payload
• Delivery: delivering weaponized bundle to the victim via email, web, USB, ...
• Exploitation: exploiting a vulnerability to execute code on victim's system
• Installation: installing malware on the asset
• Command & Control: command channel for the remote manipulation of victim
• Actions & Objectives: intruders accomplish their original goals
Kill chain variant shown: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain
PRE-ATT&CK
• Priority Definition Planning, Direction
• Target Selection
• Information Gathering: Technical, People, Organizational
• Weakness Identification: Technical, People, Organizational
• Adversary OpSec
• Establish & Maintain Infrastructure
• Persona Development
• Build Capabilities
• Test Capabilities
• Stage Capabilities
Enterprise ATT&CK
• Initial Access
• Execution
• Persistence
• Privilege Escalation
• Defense Evasion
• Credential Access
• Discovery
• Lateral Movement
• Collection
• Exfiltration
• Command & Control
Cyber Kill Chain Case Study
• Reconnaissance: recon, PHP and SQL fingerprinting
• Delivery & Exploitation: delivery of SQL injection via Havij tool & exploitation of injection attack
• Command & Control: establish and maintain C2
The Pyramid of Pain
• Tough: TTPs
• Challenging: Tools
• Annoying: Network/Host Artifacts
• Simple: Domain Names
• Easy: IP Address
• Trivial: Hash Values
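The pyramid is about what it costs the adversary to get past a detection, and the cheapest way to see that is to watch detections written after one campaign against the next one. The following is an added example, not code from the slides: three constructed campaigns of one adversary are checked against detections keyed by pyramid level, where the second campaign rotates only the hash, IP and domain and the third also changes the host artifact and the tool. Every indicator value, artifact name, tool name, behaviour predicate and allow-list below is constructed.

```python
"""Pyramid of Pain: which detections survive when an adversary rotates indicators.

Added example; not from the slides. All indicator values, artifact and tool
names, the behaviour predicate and its allow-list are constructed.
"""
# Pyramid levels from the bottom (trivial for the adversary to change) to the top (tough).
LEVELS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]
PAIN = dict(zip(LEVELS, ["trivial", "easy", "simple", "annoying", "challenging", "tough"]))


def ttp_lsass_access(obs):
    """TTP-level detection: credential access by reading LSASS memory from a
    process with no business doing so. The allow-list is constructed."""
    return obs["lsass_reader"] not in {"lsass.exe", "csrss.exe", "msmpeng.exe"}


# Detections written after campaign 1: indicator sets per level, a predicate for the TTP.
DETECTIONS = {
    "hash": {"3b9c0a1e"},                 # SHA-256 of the dropper (constructed, shortened)
    "ip": {"203.0.113.10"},               # C2 address (documentation range)
    "domain": {"cdn-update.example"},     # C2 domain
    "artifact": {"OneDriveSyncSvc"},      # run-key value name the dropper always writes
    "tool": {"credential-dumper-x"},      # tool identified by a code-level signature (name constructed)
    "ttp": ttp_lsass_access,
}

# Maps a pyramid level to the observation field it is checked against.
FIELD = {"hash": "sha256", "ip": "dst_ip", "domain": "domain",
         "artifact": "run_key", "tool": "tool"}

CAMPAIGNS = {
    # As first observed.
    "campaign-1": {"sha256": "3b9c0a1e", "dst_ip": "203.0.113.10",
                   "domain": "cdn-update.example", "run_key": "OneDriveSyncSvc",
                   "tool": "credential-dumper-x", "lsass_reader": "rundll32.exe"},
    # Recompiled, new server, new domain: the three cheap changes.
    "campaign-2": {"sha256": "9f1d77c2", "dst_ip": "198.51.100.7",
                   "domain": "img-static.example", "run_key": "OneDriveSyncSvc",
                   "tool": "credential-dumper-x", "lsass_reader": "rundll32.exe"},
    # Also retooled and renamed the persistence artifact; only the behaviour is unchanged.
    "campaign-3": {"sha256": "e4a2b0c9", "dst_ip": "192.0.2.44",
                   "domain": "fonts-cache.example", "run_key": "IntelGfxTray",
                   "tool": "credential-dumper-y", "lsass_reader": "svchost.exe"},
}


def surviving_levels(obs, detections=DETECTIONS):
    """Pyramid levels at which the existing detections still fire for one campaign."""
    hits = []
    for level in LEVELS:
        if level == "ttp":
            if detections["ttp"](obs):
                hits.append(level)
        elif obs[FIELD[level]] in detections[level]:
            hits.append(level)
    return hits


def adversary_must_change(obs, detections=DETECTIONS):
    """The highest level still detecting, with the pain the slide assigns to it.
    That is what the adversary has to change next; None means full evasion."""
    hits = surviving_levels(obs, detections)
    return (hits[-1], PAIN[hits[-1]]) if hits else None


if __name__ == "__main__":
    for name, obs in CAMPAIGNS.items():
        print(name, surviving_levels(obs), adversary_must_change(obs))
```

Read bottom-up, the output shows why the slide orders the levels as it does: the three cheapest changes remove half the detections at once, while the behaviour detection is the one the adversary still has to engineer around after changing everything else.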
The Hunting Loop
The Hunting Maturity Model
• The quantity and quality of the data they collect
• In what ways they can visualize and analyze various types of data
• What kinds of automated analytics they can apply to data to enhance analyst insights
Why Hunting is Difficult
• Incidents are non-linear
• Adversaries continue to change their patterns
• Targeted intrusions often begin with opportunistic compromises
• Attackers can be erratic & unpredictable
• Evidence is often incomplete or insufficient
• Adapt to changes in behaviors
• Learn how the adversary works
• Watch all behaviors of the adversary
• Large environments = more noise = more false positives
Sharing
• My detection becomes your prevention
• We need to close the gap between sharing speed and attack speed
• 75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours).
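"My detection becomes your prevention" only works if the detection leaves the building in a form the next victim's tools can load, and inside the one-day window the slide cites. The following is an added example, not code from the slides, that builds a minimal STIX 2.1 Indicator and Bundle from a constructed detection using only the standard library (no stix2 package), checks the share against the 24-hour window, and shows the receiving side turning the bundle back into block lists. The indicator values, names and timestamps are constructed.

```python
"""Turn a local detection into a shareable STIX 2.1 indicator, and consume one.

Added example; not from the slides. Standard library only; indicator values,
names and timestamps are constructed.
"""
import re
import uuid
from datetime import datetime, timedelta, timezone

# STIX patterning templates for the three indicator kinds used here.
PATTERNS = {
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
}
# Consumer side only handles single-comparison patterns; anything else needs a real parser.
PATTERN_RE = re.compile(r"^\[(?P<path>[^=]+?) = '(?P<value>[^']*)'\]$")
PATH_TO_KIND = {"file:hashes.'SHA-256'": "sha256",
                "ipv4-addr:value": "ipv4",
                "domain-name:value": "domain"}


def stix_timestamp(dt):
    """STIX timestamps are UTC, RFC 3339, millisecond precision, trailing Z."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def indicator_from_detection(kind, value, detected_at, name):
    """Minimal STIX 2.1 Indicator object for one observed value."""
    if "'" in value or "\\" in value:
        raise ValueError("value would need pattern escaping; refusing to build it unescaped")
    ts = stix_timestamp(detected_at)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERNS[kind].format(v=value),
        "pattern_type": "stix",
        "valid_from": ts,
    }


def bundle(objects):
    """STIX 2.1 Bundle wrapping the objects for transport."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def shared_in_time(detected_at, shared_at, window=timedelta(hours=24)):
    """The slide's point: most attacks reach the next victim within a day, so a
    detection shared later than that arrives after Victim 1 is already hit."""
    return timedelta(0) <= shared_at - detected_at <= window


def to_blocklists(bundle_obj):
    """Consumer side: values per kind, ready to load into a blocking control."""
    lists = {"sha256": set(), "ipv4": set(), "domain": set()}
    for obj in bundle_obj["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if m and m["path"] in PATH_TO_KIND:
            lists[PATH_TO_KIND[m["path"]]].add(m["value"])
    return lists


def demo():
    """Constructed end-to-end run: detect, share inside the window, consume."""
    detected_at = datetime(2018, 6, 1, 9, 30, tzinfo=timezone.utc)
    b = bundle([
        indicator_from_detection("domain", "cdn-update.example", detected_at,
                                 "C2 domain from incident (constructed)"),
        indicator_from_detection("ipv4", "203.0.113.10", detected_at,
                                 "C2 address from incident (constructed)"),
    ])
    return {
        "first_pattern": b["objects"][0]["pattern"],
        "created": b["objects"][0]["created"],
        "blocklists": to_blocklists(b),
        "shared_6h": shared_in_time(detected_at, detected_at + timedelta(hours=6)),
        "shared_30h": shared_in_time(detected_at, detected_at + timedelta(hours=30)),
    }


if __name__ == "__main__":
    print(demo())
```

The hash, IP and domain indicators shared here are the bottom of the Pyramid of Pain, which is why speed matters so much for them: they are the easiest to share and the quickest to go stale, so a feed that arrives a week late is mostly a list of infrastructure the adversary has already abandoned.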
Threat Intelligence: Evolving Security From Reaction To Prediction
Demo
Red Teaming
• Provides more value than a Penetration Test
• Should be implemented into a regular schedule
• Helps train security personnel
• Helps make sure your boxes are tuned
• Using weaknesses to find what is most valuable
• Goal oriented
• Review attack
• Test how teams use services and how they are managed
Red Teaming Goals
• Model recent threats and trends
• Longer term
• Highlight gaps in security controls, detection, ...
• Escape and evade for persistence
Blue Teaming Goals
• Detect attack
• Respond and recover
• Produce actionable intelligence
• Identify gaps and investment needs
Team Members
• Mohammad Amin Kariman, kariman.mohammadamin@gmail.com, @Ma_kariman
• Kazem Fallahi, mk.fallahi@gmail.com, @mkf
• Omid Palvayeh, O.Palvayeh@gmail.com, @OmidPalvayeh