The Other Side of the Fence: Dealing with Hackers and Malware

Post on 18-Oct-2014


DESCRIPTION

A small talk I gave at Barcamp Bangalore on dealing with malwares and hackers from the perspective of an Information Security Manager.

TRANSCRIPT

The Other Side of the Fence: Dealing with Malware & Hackers

Prasanna V
http://vprasanna.com

We generally hear about hackers & malware, the damage they create, the money & data they steal.

How's it to be on The Other Side?


Episode 1: The Conficker Strikes

Somewhere during November 2008, in an enterprise having thousands of systems spread across the world

Holiday season; most of the team were on leave

Complaints of network congestion; the domain controller was slow

We saw unprecedented network traffic, within the LAN and outbound to unusual IP addresses!

Rapid replication of suspicious system behavior across the globe

Antivirus on the systems was generally up to date with definitions

Our network IDS was detecting traffic destined to random global IP addresses on destination port 445

Turns out that the infected machines were missing patches, most importantly MS08-067

Apparently, these systems were also missing the OS hardening that had been put in place

We had Failed!

Effective logging and monitoring are like a torchlight

Layered defense mechanism and the role of Security Information & Event Management (SIEM)

Security information from hosts & network logs helped identify the infected machines

Patch the systems or disable network access

Pivot! Being good with spreadsheets helps the admins

Anti-Virus and Firewall are not the ultimate solutions to today's sophisticated threats.
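The spreadsheet pivot described in the slides above, done in code: an added example (not from the talk) that reads constructed firewall/NIDS log lines and flags internal hosts fanning out on TCP/445 to many distinct external addresses, the pattern the IDS showed for Conficker. The log format, the internal address ranges and the threshold are assumptions.

```python
"""Added example: find internal hosts scanning many external IPs on TCP/445.
Log format, addresses and threshold are constructed for illustration."""
import ipaddress
from collections import defaultdict

# Assumed internal ranges for this enterprise; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed log lines: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2008-11-21T09:00:01 10.1.4.22 203.0.113.17 445 allow
2008-11-21T09:00:01 10.1.4.22 198.51.100.8 445 allow
2008-11-21T09:00:02 10.1.4.22 192.0.2.99 445 allow
2008-11-21T09:00:02 10.1.4.22 203.0.113.200 445 allow
2008-11-21T09:00:03 10.1.4.22 198.51.100.77 445 allow
2008-11-21T09:00:03 10.1.7.5 10.1.7.10 445 allow
2008-11-21T09:00:04 10.1.7.5 10.1.2.3 445 allow
2008-11-21T09:00:05 10.1.9.40 203.0.113.5 443 allow
2008-11-21T09:00:06 10.1.4.22 192.0.2.14 445 allow
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    ts, src, dst, port, action = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), action

def smb_fanout(log_text, threshold=5, port=445):
    """Return {src_ip: distinct external destinations} for internal hosts whose
    outbound connections on `port` reach `threshold` distinct external IPs."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, dport, _ = parse_line(line)
        # Internal-to-internal SMB is normal file sharing; the worm pattern is
        # one internal host hitting many random public addresses on 445.
        if dport == port and is_internal(src) and not is_internal(dst):
            targets[str(src)].add(str(dst))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    for host, count in smb_fanout(SAMPLE_LOG).items():
        print(f"{host}: {count} distinct external hosts on TCP/445 -> isolate and patch")
```

Hosts that come out of this list are the ones to pull from the network or patch first, as the next slide says.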

Foolproof security ?

There is Reasonable Security

... And it is achieved in layers

Episode 2: DHCP Server Goes Rogue

An admin's worst nightmare

Catastrophe Strikes!

1. Logged into the gateway / router. Internet is fine.
2. Logged into the UTM, sessions have doubled.
3. No malware reported in the AV manager!

Wireshark is an Admin’s best friend!

“Documentation is your life savior”

Was able to identify the offending machine based on a list I had generated earlier

Turns out that a user had set up a server and did not know to disable its DHCP functionality!

People are the weakest link

Learnings:

• Internal users can cause as much trouble as hackers and malware


Information Security is about People, Process & Technology


Disclaimer

All opinions mentioned here are my own and not necessarily those of my employer, current or previous.

Thank You

Prasanna V

Cofounder @PacketVerify

http://vprasanna.com

@terminalfix
