Threats That Matter - Murray State University 2017
TRANSCRIPT
Threats That Matter
MSU 2017
Chris Sanders
Copyright © 2017 Chris Sanders
Chris Sanders
Twitter: @chrissanders88 | Mail: [email protected]
MPS, Penn State | BS, Murray State | SANS GSE #64
Rural Technology Fund
We Provide:
Education resources
Scholarships
Book donations
Advocacy
Students Impacted:
10,000 in 2016
25,000 in 2017
COGNITIVE CRISIS
NASCAR Innovation Model
Fortune 500 + Gov/Mil + Open Source
Small Business & Consumer Protection
The Security Product Landscape
Ethnography of the SOC
“An analyst’s job is highly dynamic and requires dealing with constantly evolving threats. Doing the job is more art than science. Ad hoc, on-the-job training for new analysts is the norm.”
Ethnography of the SOC
“The profession [security] is so nascent that the how-tos have not been fully realized even by the people who have the knowledge…the process required to connect the dots is unclear even to analysts.”
Symptoms of a Cognitive Crisis
1. Demand for expertise greatly outweighs supply
2. Most information cannot be trusted or validated
3. Inability to mobilize and tackle big systemic issues
FRAMING
Economics of Security
“If you want to understand the world of nature, master physics. If you want to understand the world of man, master economics.”
[Chart: Likelihood of Attack plotted against Adversary Cost to Attack]
Classification of Threats
Two axes: Unstructured vs. Structured, and Opportunistic vs. Targeted
Cost to defend runs from Low (opportunistic, unstructured) to High (targeted, structured)
USERS
The Human Factor
How do attackers access systems?
Code execution via vulnerability
Code execution via user
Users: click links, open e-mails, go to websites
External penetration test engagement success:
Users out of scope: ~15%
Users in scope: 100%
Opportunistic/Targeted, Unstructured/Structured
Pew Study on User Understanding
What percent of users can correctly identify...

Question                                                          Correct
That public Wi-Fi is not a safe place for sensitive activities    73%
What a phishing attack is                                         54%
That e-mail is not encrypted by default                           46%
That HTTPS in a URL means browsing is encrypted                   33%
An example of multi-factor authentication                         10%
RANSOMWARE
Evolution of Ransom
How much would you pay…
…to get all your work files back?
…to get all your family photos back?
…to keep someone from posting all your personal data on the Internet?
…to keep someone from sending copies of all your text messages to everyone in your address book?
…to keep someone from sending photos they took on your webcam to everyone in your address book?
What is your data worth?
Ransomware will be a $1B industry in 2017
Opportunistic, Structured/Unstructured

Average ransom amount
2014: $372.00
2015: $294.00
2016: $679.00
Ransomware Growth
Exploit Kit Payloads
Ransomware Delivery

Infection Vector      Share
E-mail link           31%
E-mail attachment     28%
Infected website      24%
Unknown               10%
Social media           4%
USB drive              3%
ESPIONAGE
Is espionage a threat that matters?
China, Russia, USA, Iran, Israel, North Korea, etc.
They want to steal useful information
Asymmetric by nature: you are defending against a literal army
Targeted, Structured
5 THINGS TO DO NOW
Don’t Let Users Run Unapproved Code
Limit admin access
Block Office macros
Application whitelisting: AppLocker
Limit browser plugins: Flash, Silverlight, Java
Deploy Centralized Logging
Host: log these things:
Process execution and connections
Drivers
File system changes
Registry changes
Do it with Sysmon
Network: log these things:
Network connections
HTTP requests
Files transferred
DNS queries
Do it with Security Onion
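One way to turn the host-logging advice above (and the "Block Office macros" item on the previous slide) into a detection, as an added example that is not from the talk: Python that flattens Sysmon Event ID 1 (process creation) records and flags Office applications spawning script interpreters, or launching binaries out of user-writable directories, which is what a macro dropper looks like on the host. The event XML, user names, paths and the process chain below are all constructed for this example; the field names (Image, ParentImage, CommandLine, User, UtcTime) are the ones Sysmon actually emits.

```python
"""Detection logic over Sysmon process-creation events (added example, not from the talk).

Sysmon Event ID 1 records Image, CommandLine, ParentImage and User for
every new process.  A malicious Office macro almost always shows up as
WINWORD.EXE / EXCEL.EXE spawning a script interpreter or a freshly
dropped binary, so one rule over these fields catches most of what
"block Office macros" is meant to prevent.  All sample events below
are constructed for this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List
from xml.sax.saxutils import escape

# Namespace used by Windows event log XML (Sysmon writes into it).
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Interpreters and LOLBins that macro droppers typically launch.
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Directories a non-admin user can write to; droppers land here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")


def parse_sysmon_event(xml_text: str) -> Dict[str, str]:
    """Flatten one <Event> into a dict of EventID plus the EventData fields."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", default="", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name", "")] = data.text or ""
    return fields


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def office_child_alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per Event ID 1 in which an Office app spawned something it should not."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != "1":
            continue
        parent = _basename(ev.get("ParentImage", ""))
        if parent not in OFFICE_APPS:
            continue
        child_path = ev.get("Image", "")
        child = _basename(child_path)
        rule = None
        if child in INTERPRETERS:
            rule = "office-spawns-interpreter"
        elif any(d in child_path.lower() for d in USER_WRITABLE):
            rule = "office-spawns-binary-from-user-writable-path"
        if rule:
            alerts.append({"rule": rule, "time": ev.get("UtcTime", ""), "user": ev.get("User", ""),
                           "parent": parent, "child": child, "cmdline": ev.get("CommandLine", "")})
    return alerts


def _event(event_id: int, **data: str) -> str:
    """Build a Sysmon-shaped XML event from constructed field values (sample data only)."""
    body = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")


# Constructed sample log: benign Office launch, macro -> PowerShell, Excel -> dropped
# binary in %TEMP%, a network event (ignored by this rule), and a benign print helper.
SAMPLE_EVENTS = [
    _event(1, UtcTime="2017-03-01 14:02:11.120", User="MSU\\jdoe",
           Image="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
           CommandLine='"WINWORD.EXE" /n "C:\\Users\\jdoe\\Downloads\\invoice.docm"',
           ParentImage="C:\\Windows\\explorer.exe"),
    _event(1, UtcTime="2017-03-01 14:02:19.004", User="MSU\\jdoe",
           Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
           CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgAIACoAE4AZQB3ALQATwBiAagA",
           ParentImage="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"),
    _event(1, UtcTime="2017-03-01 14:02:21.550", User="MSU\\jdoe",
           Image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe",
           CommandLine="C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe",
           ParentImage="C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE"),
    _event(3, UtcTime="2017-03-01 14:02:22.000", User="MSU\\jdoe",
           Image="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
           DestinationIp="203.0.113.10", DestinationPort="443"),
    _event(1, UtcTime="2017-03-01 14:05:40.318", User="MSU\\jdoe",
           Image="C:\\Windows\\splwow64.exe", CommandLine="C:\\Windows\\splwow64.exe 12288",
           ParentImage="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"),
]


def run_sample() -> List[Dict[str, str]]:
    """Parse the constructed events and return the alerts the rule raises (two of them)."""
    return office_child_alerts([parse_sysmon_event(x) for x in SAMPLE_EVENTS])


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['rule']}] {a['time']} {a['user']}: {a['parent']} -> {a['child']}  {a['cmdline']}")
```

The rule is deliberately narrow so it stays quiet on a normal desktop: Office launching from explorer.exe and Office spawning the print helper produce nothing, while the two macro-dropper events each raise one alert. Against a real Sysmon feed you would also exclude parents such as Outlook opening a user's default browser, and pair this with Event ID 3 (network connections) and Event ID 11 (file creation) from the same process tree to see what the dropper did next.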
Two-Factor Authentication
Factors (choose 2): something you know, something you have, something you are
Focus on publicly accessible things: VPN connectivity, web applications, e-mail portals, cloud services
Do it with: Google Authenticator
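What Google Authenticator computes on the phone, and what the server side has to do to check it, as an added example that is not code from the talk: an RFC 6238 TOTP implementation in Python with the Google Authenticator defaults (HMAC-SHA1, six digits, 30-second step, base32 secret delivered in an otpauth:// URI). The account name and issuer are constructed; the secret used in the demo is the RFC 6238 test key, so the codes it produces can be checked against the RFC's vectors.

```python
"""Time-based one-time passwords (RFC 6238) as Google Authenticator computes them.

Added example, not code from the talk.  Assumes the Google Authenticator
defaults: HMAC-SHA1, 6 digits, 30-second step, base32-encoded secret
delivered through an otpauth:// URI.  Account name and issuer below are
constructed sample values; the secret is the RFC 6238 test key.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    return hotp(key, at // step, digits)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                window: int = 1, step: int = 30) -> Optional[int]:
    """Return the counter the code matched, or None.

    Accepts the current step and +/- `window` steps to tolerate clock drift.
    The caller must persist the returned counter and reject any later code
    with counter <= the last accepted one; otherwise a code captured by a
    phishing page can be replayed within the window.  Comparison is
    constant-time so timing does not leak which digits were right.
    """
    now = int(time.time()) if at is None else at
    counter = now // step
    code = code.strip().replace(" ", "")
    for off in range(-window, window + 1):
        expected = totp(secret_b32, (counter + off) * step, step=step)
        if hmac.compare_digest(expected, code):
            return counter + off
    return None


def new_secret(nbytes: int = 20) -> str:
    """160-bit random seed, base32 for the enrollment QR code (20 bytes needs no padding)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI in the form Google Authenticator expects; render it as a QR code."""
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # RFC 6238 test key ("12345678901234567890" in base32); account and issuer are constructed.
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(provisioning_uri(demo_secret, "jdoe@example.edu", "MSU VPN"))
    print("code at t=59:", totp(demo_secret, 59))  # 287082 per RFC 6238
    print("current code:", totp(demo_secret, int(time.time())))
```

Two server-side points the slide's "do it with Google Authenticator" hides: a six-digit code with a one-step window gives an attacker roughly three chances in a million per guess, so the verifier must rate-limit and lock out after a handful of failures, and the secret is a shared symmetric key, so it needs the same at-rest protection as a password hash would get (encrypted, never logged, never returned by any API after enrollment).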
Test Your Users
Phishing is the #1 most effective technique for gaining an initial foothold on the network
Conduct periodic phishing assessments
Do it with: GoPhish Framework
Limit Ad Network Participation
Malware distribution through ad networks (malvertising):
Jan ’16 ReadersDigest.com: 210K exposed
Dec ’15 DailyMotion.com: 128 million exposed
July ’15 Yahoo.com: 6.9 billion exposed
Do it with: Adblock browser plugin
Thank You!
Mail: [email protected]
Twitter: @chrissanders88
Blog: chrissanders.org
Training: chrissanders.org/training
Slides: slideshare.net/chrissanders88