the infosec crossroads - 44con 2016

#44CON 2016 NETSQUARE

2016: THE INFOSEC crossroads >

SAUMIL SHAH - CEO,NET-SQUARE 44CON 2016


About Me

@therealsaumil

saumilshah hacker, trainer, speaker, author, photographer educating, entertaining and exasperating audiences since 1999

Saumil Shah CEO, Net-Square


Today's attacks succeed

because the defense is REACTIVE


The Evolution of Attacks


Servers Applications

Desktops Browsers

Pockets

How Have Targets Shifted?


Perimeter Security Web Apps Broadband

Networks

WiFi Social Networks

Cellular Data

The Game Changers


Attacks Follow The Money

Defacement DDoS Phishing

ID Theft Financial

Transactions Targeted

APT


Today's Fashion: Breaches


Firewalls

IDS/IPS

Antivirus

WAF

Endpoint Security

ASLR, DEP

Sandbox

One-way Hacking

Packet Fragmentation

Obfuscation

Character Encoding

DNS Exfiltration

Return Oriented Programming

Jailbreak


Latest Example: Stegosploit

IMAJS STEGO-

DECODER JAVASCRIPT

TARGET BROWSER POLYGLOT

PIXEL ENCODER

EXPLOIT CODE

IMAGE

ENCODED IMAGE


"Nakatomi space", wherein buildings reveal near-infinite interiors, capable of being traversed through all manner of non-architectural means

http://www.bldgblog.com/2010/01/nakatomi-space/


It was different 12 years ago!

Individual effort. 1 week dev time. 3-6 months shelf life. Hundreds of public domain exploits. "We did it for the fame. lols."


Today...

Team effort. 2-12 month dev time. 24h to 10d shelf life. Public domain exploits nearly zero. Cost,value of exploits has significantly risen. WEAPONIZATION.


Haroon Meer

"For a few hundred K, could you put together

a team that would break-in just about

anywhere?"

CCDCOE Conference on Cyber Conflict - 2010


$100k – 500k


Attacking is (much) cheaper than defence.

Attacker toolchains

are far more complex than the public

demonstrations we have seen so far.


The defenders tried to buy back their

bugs...


Bug Bounties: high stakes game

Chris Evans – Pwnium: Element 1337


Bug Bounties tried to fill a

reactive need.


Bug Bounties: backfiring?


The (d)evolution of Users

#44CON 2016 NETSQUARE Advanced Technology Is...Advanced


Technology in the hands of users


The user's going to pick dancing pigs over security every time.

Bruce Schneier


The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious.

Doctor Who, "Pirate Planet"

XKCD 358 "Security"


The Wrong Approach to defense


Compliance != Security


Who are you more scared of?

Attackers or Auditors?


Attackers don't follow

standards and certifications.


Today's Infosec Defence?

Rules Signatures Updates

Machine Learning


Existing strategies

do not match attacker tactics.


UNREALISTIC TESTING SCENARIOS

•  Wait for new production release

•  Don't test on production

•  Don't perform intrusive testing

•  X is out of scope

•  Test during off-peak hours


Intelligence Driven Security

net-square

From REACTIVE to PROACTIVE


Security Data

Warehouse

ANALYSIS AND INTELLIGENCE GATHERING

Collectors SENSORS Actions

Applications Internal Users

External Users

Perimeter Activity


We already have all the

information needed to defend our organization.


PROACTIVE Security Testing


@therealsaumil's

SEVEN AXIOMS of Security


Collect EVERYTHING!

THE SEVEN AXIOMS OF SECURITY


Can't MEASURE? Can't Use.



Test like an attacker

RED TEAM.



User RATINGS!



Set BOOBY TRAPS.



ANALYSIS decide Actions.



BUY-IN FROM THE TOP

And the 7th...


Is your infosec team doing something creative

every day?


THANK YOU >

saumil shah www. net-square. com

the infosec crossroads - 44con 2016

Data & Analytics