365 Days Since Sangfor Launched Cyber Incident Response
Post on 05-Apr-2022
www.sangfor.com Sangfor Technologies Inc.
365 Days Since Sangfor Launched Cyber Incident Response Service
JEFFREY LEE | CYBER SECURITY CONSULTANT
CREST Registered Tester (CRT),
Offensive Security Certified Professional (OSCP),
CompTIA Pentest+ (Pentest+),
Certified Ethical Hacker (CEH)
Sangfor Technologies CONFIDENTIAL Page 1
Agenda
Cyber Incident Response Statistics
Case Studies
How Easy is it to Find & Attack Victims
Summary & Key Takeaways
Why Did Sangfor Launch CIR Service?
• Increased Demand
• Increase Market Security Awareness
• Reduce Number of Attacks
• Sangfor → Trusted Security Advisor
Cyber Incident Response Statistics
Data From Nov 2019 – Oct 2020 (85 cases in total)
Type             # of Cases   Share
Malware              68        80%
Web Defacement        9        11%
Phishing Email        5         6%
Others                3         3%
Details on Malware Case
Malware breakdown (68 cases, Nov 2019 – Oct 2020):
Ransowmare? no
Details on Malware Case – Ransomware
Missing controls observed across the 51 ransomware cases (Nov 2019 – Oct 2020):
Lack of Gateway Protection Mechanisms     8 (16%)
Lack of Endpoint Protection Mechanisms   14 (27%)
Details on Malware Case – Ransomware: Attack Vector
Among the 51 ransomware cases (Nov 2019 – Oct 2020):
High Risk Ports Exposed   42 (82%)
Malicious Download         6 (12%)
Others                     3 (6%)
It’s Easy To Find Victims – Malware Transmission Method
Phishing Email : malicious code embedded in an attachment (e.g. Locky, Petya variant) : typical victim – Personal PC
Brute Force : brute force of exposed RDP/SSH/SMB/DB services (e.g. .java, GlobeImposter variant) : typical victim – Servers with Remote Access
Worms : vulnerability & command exploitation (e.g. WannaCry, Petya variant) : typical victim – Vulnerable Server
Exploit Kit : backlink, iframe & drive-by download (e.g. Cerber) : typical victim – Vulnerable Workstation
It’s Easy To Find Victims – Locate Random Victim
Hackers’ Search Engine: Shodan
Hackers’ Tools: IP Scanning Tools
It’s Easy To Find Victims – Google Dorks
Google Hacking Database (GHDB) – Google Dorks, e.g.:
• inurl:"/index.php"
• intitle:"login page"
• filetype:pdf
• etc.
Ask yourself....
How Easy is it to Find a Random Victim?
&
How Easy is it to Launch an Attack?
Case Studies
Company-X Background
• Brute Force Attack
• External Attack
• Firewall Not Well Configured
• Antivirus Software Installed
Company-Y Background
• Vulnerability
• Internal Attack
• Firewall Well Configured
• Antivirus Software Installed
Case Study 1 – Company-X
Company-X Background
Industry: Tech Hardware & Semiconductors
Company Size: +10,000
Revenue: +130M USD per year
Malware Family: GlobeImposter 2.0
Existing Products: P-Firewall + K-Antivirus Software
Case Study 1 – Company-X: Internal East-West Brute Force Attack
Case Study 1 – Company-X Summary
Findings:
• SSLVPN
• Exposed High Risk Ports
• Lack of Security Awareness
• Weak Password In Use
• Incompetent Antivirus software
• Insufficient Detection Mechanism
• Improper Firewall Configuration
Remediation: TIARA Service + IR Service + Consultation Service + Sangfor Products → No High Risk Ports / Ransomware
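The pattern behind Case Study 1 (weak passwords on exposed RDP/SMB, then the compromised host brute-forcing its neighbours east-west) is exactly what a detection mechanism should catch from authentication logs. The script below is an added example, not code from the Sangfor deck: it parses constructed log lines in an assumed `key=value` format, flags sources with many failures against a high-risk port followed by a success, and follows compromised hosts that turn into the next attacker. The IP addresses, usernames, log format and the threshold of 5 failures are all assumptions for illustration.

```python
"""Brute-force and east-west spread detection over authentication logs.

Added example (not from the Sangfor deck). The log format, hosts, users and
threshold below are constructed assumptions; adapt the regex to real logs
(e.g. Windows 4625/4624 exports or sshd/auth.log lines).
"""
import re
from collections import defaultdict

# Services the deck calls "high risk" when exposed: RDP, SSH, SMB, DB ports.
HIGH_RISK_PORTS = {3389: "RDP", 22: "SSH", 445: "SMB", 1433: "MSSQL", 3306: "MySQL"}

# Constructed sample log: host .20 brute-forces .31 over RDP and gets in,
# then .31 brute-forces .32 over SMB (east-west). A user typo against .40 is benign.
SAMPLE_LOG = """\
2020-06-01T02:00:01 src=10.0.5.20 dst=10.0.5.31 port=3389 user=administrator result=FAIL
2020-06-01T02:00:02 src=10.0.5.20 dst=10.0.5.31 port=3389 user=administrator result=FAIL
2020-06-01T02:00:03 src=10.0.5.20 dst=10.0.5.31 port=3389 user=administrator result=FAIL
2020-06-01T02:00:04 src=10.0.5.20 dst=10.0.5.31 port=3389 user=administrator result=FAIL
2020-06-01T02:00:05 src=10.0.5.20 dst=10.0.5.31 port=3389 user=administrator result=FAIL
2020-06-01T02:00:06 src=10.0.5.20 dst=10.0.5.31 port=3389 user=administrator result=SUCCESS
2020-06-01T02:10:00 src=10.0.5.31 dst=10.0.5.32 port=445 user=administrator result=FAIL
2020-06-01T02:10:01 src=10.0.5.31 dst=10.0.5.32 port=445 user=administrator result=FAIL
2020-06-01T02:10:02 src=10.0.5.31 dst=10.0.5.32 port=445 user=administrator result=FAIL
2020-06-01T02:10:03 src=10.0.5.31 dst=10.0.5.32 port=445 user=administrator result=FAIL
2020-06-01T02:10:04 src=10.0.5.31 dst=10.0.5.32 port=445 user=administrator result=FAIL
2020-06-01T02:10:05 src=10.0.5.31 dst=10.0.5.32 port=445 user=administrator result=SUCCESS
2020-06-01T08:30:00 src=10.0.7.15 dst=10.0.5.40 port=3389 user=jlee result=FAIL
2020-06-01T08:30:09 src=10.0.7.15 dst=10.0.5.40 port=3389 user=jlee result=SUCCESS
"""

# Assumed line format: <timestamp> src=<ip> dst=<ip> port=<n> user=<name> result=FAIL|SUCCESS
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) "
    r"user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_log(text):
    """Return a list of event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["port"] = int(ev["port"])
        events.append(ev)
    return events


def detect_bruteforce(events, fail_threshold=5):
    """Group events by (src, dst, port). A group with >= fail_threshold failures
    is a brute-force attempt; if a SUCCESS arrives after the threshold was hit,
    the target is marked compromised. Events are assumed in time order."""
    sessions = defaultdict(lambda: {"failures": 0, "compromised": False})
    for ev in events:
        s = sessions[(ev["src"], ev["dst"], ev["port"])]
        if ev["result"] == "FAIL":
            s["failures"] += 1
        elif s["failures"] >= fail_threshold:
            s["compromised"] = True
    findings = []
    for (src, dst, port), s in sessions.items():
        if s["failures"] >= fail_threshold:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "service": HIGH_RISK_PORTS.get(port, "other"),
                "failures": s["failures"],
                "compromised": s["compromised"],
            })
    return findings


def east_west_chain(findings):
    """Follow the lateral movement: a host compromised by brute force that then
    appears as the source of another successful brute force. Returns the hop
    chain starting at the host that was never itself a victim. (One next hop
    per source is kept; a real triage would follow every branch.)"""
    next_hop = {f["src"]: f["dst"] for f in findings if f["compromised"]}
    victims = set(next_hop.values())
    starts = [src for src in next_hop if src not in victims]
    if not starts:
        return []
    chain = [starts[0]]
    while chain[-1] in next_hop and next_hop[chain[-1]] not in chain:
        chain.append(next_hop[chain[-1]])
    return chain


if __name__ == "__main__":
    found = detect_bruteforce(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['src']} -> {f['dst']}:{f['port']} ({f['service']}) "
              f"{f['failures']} failures, compromised={f['compromised']}")
    print("east-west chain:", " -> ".join(east_west_chain(found)))
```

The benign login (one failure, then success) stays below the threshold and is not reported, while the two five-failure bursts against RDP and SMB are, and the chain 10.0.5.20 → 10.0.5.31 → 10.0.5.32 shows patient zero and the spread in one view. Tune the threshold and add a time window before using this against production volumes.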
Case Study 2 – Company-Y
Company-Y Background
Industry: Telecommunications Equipment
Company Size: +40,000
Revenue: +245M per year
Malware Family: Sodinokibi (also known as REvil)
Existing Products: P-Firewall + S-Antivirus Software
Case Study 2 – Company-Y: Email From S-Antivirus Software Vendor
Case Study 2 – Company-Y: Patient Zero Determination (Machines C, D, E, F, G, H)
Case Study 2 – Company-Y Summary
Findings:
• SSLVPN
• Improper Daily Practice
• Lack of Security Awareness
• Weak Password In Use
• Incompetent Antivirus software
• Insufficient Detection Mechanism
• No Regular Security Patching
Remediation: TIARA Service + IR Service + Consultation Service + Vulnerability Assessment + Sangfor Products → No High Risk Ports / Ransomware
Preparation is KEY
BEFORE ATTACK → DURING ATTACK → AFTER ATTACK
- Are we prepared enough? -
What Should We Do?
Always Review Your Security Posture
External Attack Surfaces (external) ↔ Defense-in-Depth Security Controls (internal)
EASY: External Attack Surface Identification
VAPT: Vulnerability Assessment & Penetration Testing
TIARA: Threat Identification, Analysis and Risk Assessment
Interview / Consultation Service
Key Takeaways
• Always review and assess security controls regularly
• Can’t afford to suffer the consequences of unpreparedness
• Prevention is better than Reaction
• Defense: failing businesses wait for mistakes and react; successful businesses avoid mistakes proactively.
Next Weekly Security Webinar
Network Detection & Response: The Key Tool Avoiding Security Breaches
Prevention alone does not stop all attacks! According to AV-TEST, there are over 350,000 new variants of malware detected every day. Even if your security system is able to block 99%, hundreds of new malware samples are still able to bypass your security controls.
Therefore, your security team should quickly detect and investigate anything they are not able to prevent and, finally, remove the security event before it becomes a breach.
Network Detection and Response is the perfect tool to help you detect faster and respond smarter to the threats in your network. Join Sangfor experts on December 8th at [TIME] to discuss the ins and outs of NDR, its capabilities and why it is so important to an enterprise.
8th December 2020 16:00 (GMT +8)