BSides 2016 Presentation: Defending Against APTs (Advanced Persistent Threats), presented by Angelo Rago
Uploaded by angelo-rago on 27-Jan-2017

TRANSCRIPT

Page 1: BSides 2016 Presentation

Defending Against APTs (Advanced Persistent Threats)

Presented By: Angelo Rago

Twitter: @arrago2

E-mail: [email protected]

Page 2: BSides 2016 Presentation

@ARRAGO2

Disclaimer

• Please note that all opinions shared during today’s presentation are solely my own, and do not reflect those of my employer, past or future employers or my clients.

Page 3: BSides 2016 Presentation

Learning Objectives

Understand Best Practices for Defending Against Advanced Persistent Threats

Identify and Understand Common Trends and Challenges within Infosec for 2016

Mitigation of APTs

Page 4: BSides 2016 Presentation

Who Am I?

• 10 Years of experience within the Infosec Industry

Fortune 500s, SMBs, Telecom, Healthcare

Page 5: BSides 2016 Presentation

What is a Blue Team?

Definition:

The group responsible for defending an enterprise, and maintaining its security posture against red team and actual attacks.

Page 6: BSides 2016 Presentation

Common Challenges in Corporations

• Allocation of Resources

• Allocation of Funding

• Time Management

• Skill Shortage

Page 7: BSides 2016 Presentation

Story Time!

A Tale of Two Clients…

• Client 1: A Ransomware Attack Gone WRONG

• Client 2: A Ransomware Attack PREVENTED

Page 8: BSides 2016 Presentation

What We Do (Defenders)

Look for Executables

Sniff Traffic

Analyze Logs

Identify Patterns

Identify Rogue Processes, Connections, Services, Users, Scheduled Tasks

What They Do (Attackers)

Minimize the amount of recognizable changes

Generate Minimal Traffic

Install Multiple avenues of Persistence

Continue to pervade a system and obtain persistence again if discovered
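The defender column above ("Analyze Logs", "Identify Rogue Processes, Connections, Services, Users, Scheduled Tasks") comes down to knowing what a host looked like before and diffing it against what it looks like now, because the attacker column is all about keeping the delta small. The PowerShell below is an added example written for this page, not code from the talk: Get-PersistenceSnapshot collects four persistence surfaces on a live Windows host, and Compare-PersistenceSnapshot diffs two snapshots as sets. The baseline and current snapshots at the bottom are constructed sample data (made-up service, task, user and listener names) so the comparison runs offline; the cmdlet names and properties used in the live collector are real, but the assumed minimum platform is Windows 8 / Server 2012 with PowerShell 5.1.

```powershell
# Added example for this page (not code from the talk). Snapshot the four
# persistence surfaces named on the slide and diff them against a known-good
# baseline taken from the gold image or right after provisioning.

function Get-PersistenceSnapshot {
    # Live collection on a Windows host. Assumes Windows 8 / Server 2012 or later
    # (Get-ScheduledTask, Get-NetTCPConnection) and PowerShell 5.1 (Get-LocalUser).
    # Every surface is reduced to plain strings so snapshots can be diffed as sets
    # and stored with Export-Clixml.
    [CmdletBinding()]
    param()
    @{
        Services       = @(Get-CimInstance Win32_Service |
                           ForEach-Object { "$($_.Name)|$($_.PathName)" })
        ScheduledTasks = @(Get-ScheduledTask |
                           ForEach-Object { "$($_.TaskPath)$($_.TaskName)|$($_.Actions.Execute -join ';')" })
        Users          = @(Get-LocalUser | ForEach-Object { $_.Name })
        Listeners      = @(Get-NetTCPConnection -State Listen |
                           ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)|$($_.OwningProcess)" })
    }
}

function Compare-PersistenceSnapshot {
    # Emits one object per item present on only one side. Because each string
    # carries the binary path or owning PID, a service that keeps its name but is
    # repointed at another executable shows up as REMOVED plus NEW.
    param(
        [Parameter(Mandatory)][hashtable]$Baseline,
        [Parameter(Mandatory)][hashtable]$Current
    )
    foreach ($surface in (@($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique)) {
        $known = New-Object 'System.Collections.Generic.HashSet[string]'
        $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
        foreach ($i in @($Baseline[$surface])) { if ($i) { [void]$known.Add([string]$i) } }
        foreach ($i in @($Current[$surface]))  { if ($i) { [void]$seen.Add([string]$i) } }
        foreach ($i in $seen) {
            if (-not $known.Contains($i)) { [pscustomobject]@{ Surface = $surface; Finding = 'NEW'; Item = $i } }
        }
        foreach ($i in $known) {
            if (-not $seen.Contains($i)) { [pscustomobject]@{ Surface = $surface; Finding = 'REMOVED'; Item = $i } }
        }
    }
}

# Constructed sample snapshots (made-up names, not from a real host) so the diff
# runs offline. On a real host use: $baseline = Import-Clixml .\baseline.xml
# and $current = Get-PersistenceSnapshot
$baseline = @{
    Services       = @('Spooler|C:\Windows\System32\spoolsv.exe',
                       'wuauserv|C:\Windows\system32\svchost.exe -k netsvcs')
    ScheduledTasks = @('\Microsoft\Windows\Defrag\ScheduledDefrag|%windir%\system32\defrag.exe')
    Users          = @('Administrator', 'jsmith')
    Listeners      = @('0.0.0.0:135|912', '0.0.0.0:445|4')
}
$current = @{
    Services       = $baseline.Services       + 'WinUpdateSvc|C:\Users\Public\svchost.exe'
    ScheduledTasks = $baseline.ScheduledTasks + '\Updater|C:\ProgramData\update.vbs'
    Users          = $baseline.Users          + 'support$'
    Listeners      = $baseline.Listeners      + '0.0.0.0:4444|5120'
}

Compare-PersistenceSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize
```

Each of the four constructed additions (a service running out of C:\Users\Public, a task launching a script from ProgramData, a new local account, a new listening port) comes back as a NEW finding. Take the baseline with `Get-PersistenceSnapshot | Export-Clixml .\baseline.xml` on a clean build; Export-Clixml round-trips the hashtable, whereas ConvertTo-Json would hand back a PSCustomObject that the comparer would have to convert.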

Page 9: BSides 2016 Presentation

The Technical Issues…

Passwords

Securing the Environment

Understanding the Attacker’s Goal

Page 10: BSides 2016 Presentation

Passwords (aka where most problems stem from)

• Easy to Guess Passwords

• No Real Enforcement

• No Second Level Authentication

• Enforced Policies

Page 11: BSides 2016 Presentation

Forget It…We’re Lazy! (aka Headaches)

• Easy To Remember

• Reuse Old Password

• Based on easily identifiable information

• Reuse same passwords multiple places

• We Never Learn!
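"No Real Enforcement" on the previous slide is the fixable item in these two lists: the guessable, identity-derived and reused passwords only get through because nothing rejects them at change time. The PowerShell below is an added example for this page, not code from the talk; it implements a password filter that rejects the three failure modes (banned or guessable values, values containing the user name or other identifiable terms, and reuse of an earlier password). The banned list, the identifiable terms and the password history are constructed sample data, and the leetspeak normalisation is a heuristic of my own, not a standard. It deliberately does not model the slide's "No Second Level Authentication" point, since MFA is not something a password check can supply.

```powershell
# Added example for this page (not code from the talk): a password-quality check
# that enforces the problems listed on the two password slides.

function Get-Sha256Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
    } finally { $sha.Dispose() }
}

function Test-PasswordQuality {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$UserName,
        [string[]]$IdentifiableTerms = @(),   # company, city, birth year, ...
        [string[]]$BannedPasswords   = @(),   # breached / common passwords
        [string[]]$PreviousHashes    = @(),   # SHA-256 hex of earlier passwords
        [int]$MinimumLength = 14
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'
    $lower = $Password.ToLowerInvariant()
    # Undo the usual substitutions (P@$$w0rd1 -> password) and drop digits and
    # punctuation so that 'Welcome1!' compares equal to 'welcome'. Heuristic only.
    $normalized = $lower -replace '[@4]', 'a' -replace '0', 'o' -replace '[1!|]', 'i' -replace '[$5]', 's' -replace '3', 'e' -replace '[^a-z]', ''

    if ($Password.Length -lt $MinimumLength) {
        $problems.Add("shorter than $MinimumLength characters")
    }
    # Easy to guess: compare the normalized form against a banned list.
    foreach ($banned in $BannedPasswords) {
        if ($normalized -eq ($banned.ToLowerInvariant() -replace '[^a-z]', '')) {
            $problems.Add("matches banned password '$banned'"); break
        }
    }
    # Based on identifiable information: user name plus any supplied terms.
    foreach ($term in (@($UserName) + $IdentifiableTerms)) {
        $t  = $term.ToLowerInvariant() -replace '[^a-z0-9]', ''
        $tn = $t -replace '[^a-z]', ''
        $hit = ($t.Length -ge 3 -and $lower.Contains($t)) -or ($tn.Length -ge 3 -and $normalized.Contains($tn))
        if ($hit) { $problems.Add("contains identifiable term '$term'") }
    }
    # Reuse: bare SHA-256 keeps the sample self-contained; a real deployment
    # compares against the salted, slow hash its credential store already uses.
    $hash = Get-Sha256Hex -Text $Password
    if ($PreviousHashes -contains $hash) { $problems.Add('reuses a previous password') }

    [pscustomobject]@{ Acceptable = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Constructed sample values (not from any real environment).
$history = @((Get-Sha256Hex -Text 'Summer2015!'))
$banned  = 'password', 'welcome1', 'letmein', 'qwerty123'
Test-PasswordQuality -Password 'Summer2015!' -UserName 'jsmith' -IdentifiableTerms 'Contoso', 'Toronto' -BannedPasswords $banned -PreviousHashes $history
Test-PasswordQuality -Password 'C0ntoso-Welcome1!' -UserName 'jsmith' -IdentifiableTerms 'Contoso', 'Toronto' -BannedPasswords $banned -PreviousHashes $history
```

The first call is rejected for length and for reuse; the second is long enough and not on the banned list, but the normalisation strips the "0" substitution and catches the company name. The same function slots in behind a self-service reset page or a password filter DLL's policy call; what it cannot do is stop the user from reusing the accepted password on a third-party site, which is the slide's last bullet and the reason the next slide starts with basics rather than with passwords.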

Page 12: BSides 2016 Presentation

Securing the Environment (The Basics…)

Patching

Hardening

Testing

Logging

Aggregate Data

Build Situational Awareness

Page 13: BSides 2016 Presentation

The Attacker’s Goal

• Persistence

• Data exploitation

• Find default / weak passwords

• Compromise as many systems as possible

Page 14: BSides 2016 Presentation

What We Can Do

Lock down workstations by Group Policies

Limit network traffic

Restrict remote SAM calls from PCs (the "Network access: Restrict clients allowed to make remote calls to SAM" policy, which stops a low-privilege user or malware on one workstation from enumerating local accounts and groups on others)

Disable Java

Disable Macros

Whitelist good extensions (application whitelisting, e.g. AppLocker or Software Restriction Policies, rather than blacklisting known-bad ones)

Monitor for odd patterns or behaviors

Backups

Page 15: BSides 2016 Presentation

In addition, organizations such as NIST recommend the following to mitigate threats:

Apply Industry Best Practices

Vulnerability Scan

Use EMET (current advice in 2016; Microsoft retired EMET in July 2018 and its mitigations now ship as Exploit Protection in Windows Defender on Windows 10 1709 and later)

Disable Telnet (use SSH)

Disable plaintext HTTP (serve over HTTPS)

Ensure no Clear Text Passwords are used

No open WiFi

Use TLS 1.2 or later and disable SSL, including SSL 3.0: SSL 3.0 is broken (POODLE, 2014), was deprecated by RFC 7568 in 2015, and NIST SP 800-52 does not permit it

NIST: National Institute of Standards and Technology
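The Group Policy controls on page 14 and the NIST-style list on page 15 can be turned into one repeatable audit, which is what makes "Apply Industry Best Practices" checkable rather than aspirational. The PowerShell below is an added example written for this page, not code from the talk. It assumes an elevated session on Windows 10 / Server 2016 or later, Office 2016 (policy key 16.0), and reads the registry locations Microsoft documents for each setting; the expected values (Microsoft's default SDDL for RestrictRemoteSAM, VBAWarnings=4 plus blockcontentexecutionfrominternet=1, AppLocker EnforcementMode=Enabled, Schannel SSL 2.0/3.0 and TLS 1.0 with Enabled=0 and DisabledByDefault=1) are my hardened-baseline assumptions. "Whitelist good extensions" is read here as AppLocker enforcement, and "Disable Java" as "no JRE present"; an organization that deliberately grants remote SAM access to a second group would adjust the first check.

```powershell
# Added example for this page (not code from the talk). Audits one Windows host
# for the controls on the two slides above and reports PASS/FAIL per check.
# Run elevated; registry paths are the ones Microsoft documents for each setting,
# the expected values are hardened-baseline assumptions stated inline.

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is absent, instead of an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Status = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail }
}

function Test-HardeningBaseline {
    [CmdletBinding()]
    param()

    # Restrict remote SAM calls: Microsoft's default SDDL allows only Administrators.
    # Assumption: no other group is meant to enumerate accounts remotely.
    $sddl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RestrictRemoteSAM'
    New-Finding 'Remote SAM calls restricted' ($sddl -eq 'O:BAG:BAD:(A;;RC;;;BA)') "RestrictRemoteSAM='$sddl'"

    # Disable macros: VBAWarnings=4 disables all macros without notification, and
    # blockcontentexecutionfrominternet=1 blocks macros in files carrying Mark-of-the-Web.
    # Office 2016 policy key is 16.0 (assumed here).
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $warn = Get-RegValue $key 'VBAWarnings'
        $motw = Get-RegValue $key 'blockcontentexecutionfrominternet'
        New-Finding "$app macros disabled" ($warn -eq 4 -and $motw -eq 1) "VBAWarnings=$warn blockcontentexecutionfrominternet=$motw"
    }

    # Whitelist good extensions: AppLocker must be enforcing (not AuditOnly) for
    # executables, scripts and installers.
    $policy = $null
    try { [xml]$policy = Get-AppLockerPolicy -Effective -Xml } catch { }
    foreach ($type in 'Exe', 'Script', 'Msi') {
        $coll = if ($policy) { $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq $type } }
        $mode = if ($coll) { $coll.EnforcementMode } else { 'absent' }
        New-Finding "AppLocker enforcing $type rules" ($mode -eq 'Enabled') "EnforcementMode=$mode"
    }

    # Disable Java: the cleanest state is no JRE installed at all.
    $java = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like 'Java*' } | Select-Object -ExpandProperty DisplayName
    New-Finding 'Java not installed' (-not $java) $(if ($java) { $java -join ', ' } else { 'no Java entries in Uninstall keys' })

    # TLS: SSL 2.0/3.0 and TLS 1.0 off, TLS 1.2 on, for the server side of Schannel.
    # An absent value for the legacy protocols means the OS default applies; that is
    # reported as FAIL so the setting gets stated explicitly rather than inherited.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0') {
        $enabled   = Get-RegValue "$base\$proto\Server" 'Enabled'
        $byDefault = Get-RegValue "$base\$proto\Server" 'DisabledByDefault'
        New-Finding "$proto disabled" ($enabled -eq 0 -and $byDefault -eq 1) "Enabled=$enabled DisabledByDefault=$byDefault"
    }
    # For TLS 1.2 an absent value is the OS default, which is enabled on Windows 8 / Server 2012 and later.
    $tls12 = Get-RegValue "$base\TLS 1.2\Server" 'Enabled'
    New-Finding 'TLS 1.2 enabled' ($tls12 -ne 0) "Enabled=$tls12"

    # Disable Telnet: the optional client feature should be off. Needs elevation.
    $telnet = Get-WindowsOptionalFeature -Online -FeatureName TelnetClient -ErrorAction SilentlyContinue
    $state  = if ($telnet) { [string]$telnet.State } else { 'unknown (run elevated)' }
    New-Finding 'Telnet client not installed' ($null -ne $telnet -and $state -ne 'Enabled') "State=$state"
}

Test-HardeningBaseline | Format-Table -AutoSize
```

Every check reports the raw value it read, so a FAIL can be traced to the missing or wrong setting rather than argued about. The script reads state only; apply the settings themselves through Group Policy so they survive a rebuild, and rerun this audit from the same scheduled job that feeds the "Monitor for odd patterns" item, since a registry value that was correct last week and is absent today is itself an odd pattern.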

Page 16: BSides 2016 Presentation

Group Policies

Option 1: Minimal End User Impact

Option 2: Balanced End User Impact

Option 3: Hardened Environment (this also brings with it overhead and complexity)

Page 17: BSides 2016 Presentation

A Look Back at 2016

• Ransomware attacks primarily targeted Healthcare, Government, and Educational Institutions

• Ransomware Variants: Crysis, Locky, Odin (a Locky variant named for its .odin extension), Cerber

Page 18: BSides 2016 Presentation

A Look Back at 2016(Continued)

• State Sponsored Leaks

• State Sponsored Tools being sold, e.g. the Equation Group toolset put up for sale by the Shadow Brokers

Page 19: BSides 2016 Presentation

A Look Back at 2016(Continued)

• DDoS Attacks

Attackers / Nation States

The Good Guys

Page 20: BSides 2016 Presentation

Where Do We Go From Here?

• Ignore Everything We’ve Learned

OR

• Use the Knowledge we have in front of us to create change, and secure our environment

Page 21: BSides 2016 Presentation

Questions?

Page 22: BSides 2016 Presentation

Thanks for Listening!

E-mail: [email protected]

Twitter Handle: @arrago2