Think Like a Hacker: Using Network Analytics and Attack Simulation to Find and Fix Security Gaps
DESCRIPTION
If you’re tasked with keeping your enterprise network infrastructure secure against cyber attacks, then you’d better start thinking like a hacker. Do you know what your network looks like? Where are all the access points? Can you create a short list of the most vital vulnerabilities a hacker could exploit? And how long does it take you to get this info? Days? Weeks? Never? In this webcast, we will discuss a practical game plan to continuously monitor your cyber security status and proactively fix concerns before they become a data breach or attack. Learn how to minimize risks by combining a detailed understanding of your network topology, cyber threats, and likely attack scenarios with everyday security management processes. This webcast is appropriate for firewall and network administrators, IT security managers, and CISOs in medium to large business and government agencies. We will examine:
• Network mapping – How to create a virtual network model to use for security architecture planning and policy compliance checks
• Access analysis – Ways to identify all network access routes, to block unauthorized access and quickly troubleshoot network availability issues
• Securing the perimeter – Enable daily checks of firewalls and network devices to keep them configured securely
• Attack simulation – Find and fix the vulnerabilities most likely to be used in an attack – every day
TRANSCRIPT
Think Like a Hacker:
Using Network Analytics and Attack
Simulation to Find and Fix Security Gaps
• Michelle Johnson Cobb
• VP, Marketing and BD
• March 15, 2012
• SANS webcast
© 2012 Skybox Security
Skybox Security Overview
Unique, High-Performance Technology
• Network Modeling
• Access Path Analysis
• Attack Simulation
Proven in Demanding Network Environments
• 6 of the top 10 banks, 5 of the 10 largest NATO members
• Financial Services, Retail, Energy, Government, Defense, Telecommunications, Manufacturing, Technology
Leading Security Risk Management Solutions
• Automated Firewall Management
• Continuous Network Compliance
• Risk and Vulnerability Management
Preventing Attacks is not Trivial
• 300 firewalls
• 25,000 rules
• 250 routers/gateways
• 55,000 nodes
• 65 daily network changes
• 10,000 daily reported vulnerabilities
• Infrastructure spanning three continents
Security Manager toolkit:
First… Think Like a Hacker
Pre-Attack Reconnaissance?
• Gather info on network topology
• Find access paths
• Find exploitable vulnerabilities
• Try out attack scenarios
Or Find and Fix to Prevent Attack?
Hacker toolkit: Wireshark, nmap, Nessus, netcat, Snort, Google, John the Ripper, etc.
Building a Network Model
Data sources: Firewall, Load Balancer, Router, IPS, Vulnerability Scanner, Patch
Automatically import data from network devices, management systems
Gather info on network topology
Feeding the Network Model
Must be imported, normalized, correlated
Gather info on network topology
How is the Model Created?
• Import topology data
  • Device configs
  • Routing tables
• Automatically create a hierarchical model tree, grouping hosts by TCP/IP network
  • Add function, location, type
• Analyze model to detect missing info – hosts, ACLs, routing rules for gateways
Gather info on network topology
Comprehensive Network Model
• Normalized view of the network security situation
• Visualize entire network
• Updated continuously
• 3 models: Live, Forensic, and What-if
Gather info on network topology
Virtual “Sandbox” for Complex Security Analysis
• Prioritize exposed vulnerabilities
• Find device misconfigurations
• Analyze access paths
Now - Check the Firewalls!
• Analyze firewall rule base against policies/best practices (NIST, PCI…)
• Identify risky rules
• Uniform policy for all firewalls
Find access paths
Access Analyzer Finds all Paths
• Complete end-to-end path analysis
• Highlighting ACLs and routing rules
• Supports NAT, VPN, dynamic routing and authenticated rules
Find access paths
Determine Rules Allowing Access
• Find blocking or allowing devices
• Show rules involved
• View routes
Find access paths
Check for Access Policy Violations
• Define what is allowed, limited and denied between Security Zones
• Compliance metrics
• Violating rules
• Exceptions
• Multiple policies
• Dashboard
Find access paths
Exploitable Vulnerabilities?
Start with the scan…
Vulnerabilities:
• CVE 2009-203
• CVE 2006-722
• CVE 2006-490
Find exploitable vulnerabilities
Add Skybox Vulnerability Dictionary Content
• Collects vulnerability data from multiple sources (scanners, published repositories, threat feeds)
• Represents vulnerabilities in a standard format
• Adds severity, degree of difficulty, commonality of exploit and attack impact (CIA)
• Models pre-conditions for exploitation – used in attack simulation
Find exploitable vulnerabilities
Look at Potential Threat Origins
• Rogue Admin
• Internet Hacker
• Compromised Partner
Find exploitable vulnerabilities
Simulate all Possible Attacks
Attack Simulations from each threat origin (Compromised Partner, Rogue Admin, Internet Hacker) against the scanned vulnerabilities
Find exploitable vulnerabilities
How Attack Simulation Works
Probable attack vector to Finance servers asset group. This attack is a “multi-step” attack, crossing several network zones.
• Connectivity Path
• Attack Vector
• Business Impact
How to Block Potential Attack?
Quantify and Prioritize Risks
Vulnerability (CVSS Score & CIA Impact)
+ Exposure (Threat Origins & Network)
+ Business Impact (CIA Impact and Asset Importance)
{Attack Simulation}
→ Risk
Plan Defensive Strategy
Threats → Vulnerabilities → Most Critical Actions
Skybox Security Portfolio
• Firewall Assurance: Automated firewall analysis and audits
• Change Manager: Complete firewall change workflow
• Network Assurance: Network compliance and access path analysis
• Risk Control: Identify exposed vulnerabilities
• Threat Manager: Workflow to address new threats
Remote Buffer Overflow Attack Steps
1. Buffer overflow vulnerability MS11-004 on FTP server in DMZ
2. Exploit to gain root control on the FTP server
3. FTP server trust relations with DNS server in core network
4. DNS server running FreeBSD has BIND vulnerability - enables control of DNS server
5. Finance server compromised. Significant damage or data loss
Prevent a Buffer Overflow Attack
• Skybox Risk Control identifies attack paths
• Attack simulation reveals a small number of exposed vulnerabilities
• Skybox issues urgent ticket request to patch the FTP server
• Security team patches a single vulnerability to block potential attack and reduce high risk of Financial Server compromise
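As an added example (not Skybox code), a minimal attack simulation over a constructed network model of the scenario above: breadth-first search from the Internet threat origin through allowed zone access and trust relations to hosts with unpatched vulnerabilities, then a check of which single patch removes every path to the finance server, ranked by the asset importance it protects. MS11-004 is the only identifier taken from the slides; host names, the other vulnerability ids, access rules and importance values are constructed, and the fix ranking generalizes the slide's conclusion by testing every candidate rather than assuming the FTP patch.

```python
from collections import deque

# Constructed sample network model for the deck's buffer-overflow scenario.
# MS11-004 is the only id taken from the slides; the other ids are placeholders.
HOSTS = {
    "web-dmz":     {"zone": "DMZ",     "vulns": ["WEB-PLACEHOLDER"],  "trusts": [],              "importance": 2},
    "ftp-dmz":     {"zone": "DMZ",     "vulns": ["MS11-004"],         "trusts": ["dns-core"],    "importance": 2},
    "dns-core":    {"zone": "Core",    "vulns": ["BIND-PLACEHOLDER"], "trusts": ["finance-srv"], "importance": 3},
    "finance-srv": {"zone": "Finance", "vulns": ["FIN-PLACEHOLDER"],  "trusts": [],              "importance": 5},
}
# Zone pairs the firewall rule base allows; the threat origin here is the Internet.
ACCESS = {("Internet", "DMZ")}

def reachable(src_zone, src_host, dst):
    """A host is reachable via an allowed zone pair or a trust relation from the current foothold."""
    return (src_zone, HOSTS[dst]["zone"]) in ACCESS or (src_host is not None and dst in HOSTS[src_host]["trusts"])

def simulate(origin="Internet", patched=frozenset()):
    """Breadth-first attack simulation: {compromised host: multi-step path from origin}."""
    paths = {}
    queue = deque([(origin, None, [origin])])
    while queue:
        zone, host, path = queue.popleft()
        for dst, info in HOSTS.items():
            if dst in paths or not reachable(zone, host, dst):
                continue
            if all(v in patched for v in info["vulns"]):
                continue  # reachable, but nothing exploitable remains
            paths[dst] = path + [dst]
            queue.append((info["zone"], dst, paths[dst]))
    return paths

def best_single_fix(target, origin="Internet"):
    """Vulnerabilities whose patch alone removes every path to target, ranked by asset importance protected."""
    baseline = simulate(origin)
    if target not in baseline:
        return []
    candidates = {v for host in baseline for v in HOSTS[host]["vulns"]}
    ranked = []
    for vuln in candidates:
        after = simulate(origin, frozenset([vuln]))
        if target not in after:
            reduced = sum(HOSTS[h]["importance"] for h in baseline if h not in after)
            ranked.append((reduced, vuln))
    return [vuln for _, vuln in sorted(ranked, reverse=True)]

if __name__ == "__main__":
    print(simulate()["finance-srv"])       # ['Internet', 'ftp-dmz', 'dns-core', 'finance-srv']
    print(best_single_fix("finance-srv"))  # ['MS11-004', 'BIND-PLACEHOLDER', 'FIN-PLACEHOLDER']
```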
Firewall Bypass Attack Steps
1. DMZ firewall allowed access through TCP port 443 to internal network (which might be okay)
2. A misconfigured load balancer rule performed NAT to TCP port 80
3. Allowing port 80 access to the development network – a very risky situation
Preventing the Firewall Bypass Attack
• Skybox Firewall Assurance automatically finds risky rules and configs in firewalls
• Skybox Network Assurance creates up-to-date network model and checks rest of layer 3 devices - load balancers, switches, routers
• Skybox checks policy rules such as: “No access from Internet to Internal except …”
• End-to-end access path analysis – every possible path
• Skybox issues tickets to address violations reported
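As an added example (not Skybox code), a small end-to-end access-path trace in the spirit of these slides: it walks the DMZ firewall and the load balancer in path order, records the rules involved, follows the NAT rewrite, and checks the final destination against a zone policy such as “No access from Internet to Internal except …”. Device names, addresses, rule ids, zones and the policy are all constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed example of the deck's firewall-bypass scenario (not Skybox data). Devices are in
# path order from the Internet. Firewall rules: (name, action, dst net, dst port or None = any).
# NAT rules: (name, virtual ip, virtual port, real ip, real port).
DEVICES = [
    {"name": "dmz-fw", "type": "firewall", "rules": [
        ("fw-10", "allow", "10.0.0.0/8", 443),
        ("fw-99", "deny", "0.0.0.0/0", None),
    ]},
    {"name": "lb-1", "type": "nat", "rules": [
        ("lb-nat-1", "10.10.1.2", 443, "10.10.2.20", 443),  # sane: VIP to web farm
        ("lb-nat-3", "10.10.1.1", 443, "10.20.5.10", 80),   # misconfigured: VIP to dev host on 80
    ]},
]
ZONES = {"web-farm": ip_network("10.10.0.0/16"), "dev-net": ip_network("10.20.0.0/16")}
# Access policy between security zones; an empty set means "denied".
POLICY = {("Internet", "web-farm"): {("tcp", 443)}, ("Internet", "dev-net"): set()}

def zone_of(ip):
    return next((z for z, net in ZONES.items() if ip_address(ip) in net), "unknown")

def trace(dst_ip, dst_port):
    """Walk the path end to end, applying the first matching rule per device and any NAT rewrite."""
    ip, port, involved = dst_ip, dst_port, []
    for dev in DEVICES:
        if dev["type"] == "firewall":
            for name, action, net, p in dev["rules"]:
                if ip_address(ip) in ip_network(net) and p in (None, port):
                    involved.append(f"{dev['name']}:{name}")
                    if action == "deny":
                        return {"blocked_by": involved[-1], "dst": (ip, port), "rules": involved}
                    break
        else:
            for name, vip, vport, real_ip, real_port in dev["rules"]:
                if ip == vip and port == vport:
                    involved.append(f"{dev['name']}:{name}")
                    ip, port = real_ip, real_port  # the flow now targets the real server
                    break
    return {"blocked_by": None, "dst": (ip, port), "rules": involved}

def policy_violations(src_zone, dst_ip, dst_port):
    """Report an end-to-end path whose final destination the zone policy does not allow."""
    result = trace(dst_ip, dst_port)
    if result["blocked_by"]:
        return []
    ip, port = result["dst"]
    if ("tcp", port) in POLICY.get((src_zone, zone_of(ip)), set()):
        return []
    return [f"{src_zone} -> {zone_of(ip)} tcp/{port} via {', '.join(result['rules'])}"]
```

Run against the constructed data, the VIP 10.10.1.1 path is allowed by the firewall yet lands on a dev-net host on port 80, which the policy flags, while the 10.10.1.2 path stays compliant.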
Client-Side Attack Steps
1. User opens infected email attachment or clicks link to a malicious or hacked website
2. A vulnerability or misconfig on desktops is exploited and malware is installed
3. Malware enables attacker to collect data from machine, continue attack within the network, and send data back to attacker
Source: SANS Tutorial: HTTP Client-side Exploit
Preventing a Client-Side Attack
• EMEA region at highest risk
• Retrieve exact list of vulnerable hosts
• Remediate in order of risk impact
• Adobe Reader 9.x and 8.x contribute the majority of the risk (76%)
Best Practices to Prevent Attacks
• Automate security processes
• Get the comprehensive network view
• Find security gaps every day
• Validate changes in advance
• Prioritize by risk level
Time for Questions
Thank You!
www.skyboxsecurity.com