Battlefield network
- 2. Speaker Info – Tal Be’ery
• Senior Security Research Manager @Microsoft
• Former VP for Research @Aorato (Acquired by Microsoft)
• 15 years of security research
• Author of the TIME attack on SSL
• Regular speaker at the industry’s top conferences
• Named a “Facebook Whitehat”
• Twitter: @TalBeerySec
- 3. Agenda
• Intro
• Current state of affairs
• Why do we fail
• Know the enemy
• The modified Cyber Kill Chain
• Know thyself
• What is normal?
• Choose the right battlefield
• Network based detection of Reconnaissance and Lateral Movement
- 4. Current State of affairs
• 90% of large organizations and 74% of small businesses reported a security breach
• Data breach costs 2015: $6M on average, $65M max
• Average time to breach detection: eight months
• Most breaches are not detected internally
- 5. Test Case: The Dow Jones Breach
• Reported this month (October 9th 2015)
• Reported by others
• Breached for 3 years
• In other words: we still don’t know what happened
- 6. Why do We Fail?
• “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
• We don’t know the enemy
• We don’t know ourselves
- 8. The Cyber Kill-Chain
• Presented by Lockheed Martin, 2010
• Main achievements
• Knowing the enemy: The first widely accepted model of APT attackers
• Important insight: It’s a chain!
• The chain is only as strong as its weakest link
• Defenders get to choose where to break the chain
- 9. Modifying the Kill-Chain #1
• The original Kill-Chain puts too much emphasis on the initial infection
• LightCyber’s version:
- 11. The start: Initial Compromise & Foothold
• Attackers move from the Internet to an initial, arbitrary foothold in the victim’s network
• Through interfaces open to the internet:
• E-Mail:
• The most popular method
• Phishing e-mail carrying malware
• Web:
• Watering hole attack: malware “drive-by download” on relevant sites
• Enterprise Web App:
• Using web application vulnerabilities
- 12. The Middle #1: Lateral Movement
• Attackers move from their arbitrary foothold in the victim’s network to their destination
• Using the Lateral Movement vehicle
• The engine: Stolen credentials
• The wheel: Data obtained in the Recon phase
• The Lateral Movement methods are standard:
• Steal credentials from infected computer
• Expand to other computers using these creds
• Steal other creds from the computer
• Repeat
- 13. The Middle #2: Recon
• The recon phase is the most non-standard part, as every victim’s network is different:
• Attack destinations, network topology, IT conventions
• Therefore it involves more manual work:
• More time
• Attackers’ mistakes
• Recon methods are standard:
• Scan the vicinity: nearby (network-wise) computers
• Query central repositories: Active Directory, DNS
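The two “middle” slides above (lateral movement and recon) describe patterns that leave network-visible traces: a host sweeping its neighbourhood, a client enumerating a central repository, and a chain of logons in which the machine just reached becomes the source of the next logon under a different account. The following is an added example, not code from the talk: it runs three such detectors over constructed flow, DNS and authentication records. The record layouts, host names, thresholds and window sizes are assumptions; real sources (NetFlow, resolver logs, domain controller events) carry the same fields in other shapes.

```python
"""Detecting the 'middle' of the chain on the network (added example, not from
the talk). Record formats, field names, thresholds and all log data below are
constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2015, 10, 9, 2, 0, 0)  # constructed base time, 02:00 local

# Constructed flow records (ts, src_host, dst_host, dst_port): ws-17 sweeps SMB
# across its /24 neighbourhood in half a minute; ws-03 shows ordinary traffic.
FLOWS = [(T0 + timedelta(seconds=i), "ws-17", f"10.0.1.{10 + i}", 445) for i in range(30)]
FLOWS += [(T0 + timedelta(minutes=i), "ws-03", "fs-01", 445) for i in range(5)]
FLOWS += [(T0 + timedelta(minutes=i), "ws-03", "dc-01", 389) for i in range(5)]

# Constructed DNS query log (ts, client, qname): ws-17 asks the internal
# resolver for 40 different server names in 80 seconds.
DNS = [(T0 + timedelta(seconds=2 * i), "ws-17", f"srv-{i:02d}.corp.example") for i in range(40)]
DNS += [(T0 + timedelta(minutes=i), "ws-03", "fs-01.corp.example") for i in range(5)]

# Constructed authentication records (ts, account, src_host, dst_host).
AUTHS = [
    (T0 + timedelta(minutes=10), "alice", "ws-17", "srv-05"),
    (T0 + timedelta(minutes=12), "bob", "ws-03", "fs-01"),
    (T0 + timedelta(minutes=25), "svc-backup", "srv-05", "fs-01"),
    (T0 + timedelta(minutes=40), "fs-admin", "fs-01", "dc-01"),
]


def fanout_alerts(records, window, min_distinct):
    """Sliding-window fan-out: for records (ts, key, value), return
    {key: peak_distinct_values} for keys that reach min_distinct distinct
    values inside any window-sized interval."""
    by_key = defaultdict(list)
    for ts, key, value in records:
        by_key[key].append((ts, value))
    alerts = {}
    for key, events in by_key.items():
        events.sort()
        start, in_window = 0, defaultdict(int)
        for ts, value in events:
            in_window[value] += 1
            while events[start][0] < ts - window:  # expire events older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_distinct:
                alerts[key] = max(alerts.get(key, 0), len(in_window))
    return alerts


def detect_scans(flows, window=timedelta(minutes=5), min_targets=20):
    """Recon: one host touching many distinct neighbours in a short window."""
    return fanout_alerts([(ts, src, dst) for ts, src, dst, _port in flows], window, min_targets)


def detect_dns_enumeration(dns, window=timedelta(minutes=5), min_names=25):
    """Recon against a central repository: one client resolving many names."""
    return fanout_alerts(dns, window, min_names)


def credential_hop_chains(auths, window=timedelta(hours=1), min_hops=3):
    """Lateral movement: 'steal creds, expand, steal other creds, repeat' leaves
    a chain in which the destination of one logon becomes the source of a later
    logon under a different account. Return chains of at least min_hops logons."""
    chains = []
    for auth in sorted(auths):
        ts, account, src, _dst = auth
        extended = False
        for chain in chains:
            prev_ts, prev_account, _prev_src, prev_dst = chain[-1]
            if prev_dst == src and prev_account != account and ts - prev_ts <= window:
                chain.append(auth)
                extended = True
        if not extended:
            chains.append([auth])
    return [c for c in chains if len(c) >= min_hops]


if __name__ == "__main__":
    print("scan sources:", detect_scans(FLOWS))
    print("dns enumeration:", detect_dns_enumeration(DNS))
    for chain in credential_hop_chains(AUTHS):
        print("credential hop chain:", " -> ".join(f"{a}@{s}->{d}" for _, a, s, d in chain))
```

The hop-chain detector deliberately requires three linked logons: bob’s ordinary logon to fs-01 followed by fs-admin logging on from fs-01 also forms a two-hop link, and a threshold of two would flag it. The thresholds are where the “prioritization and balance” of the later slides is tuned per network.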
- 14. The End: Exfiltration
• Attackers move data to the internet using standard open channels
• Mostly through web
• But also FTP or any other protocol
- 16. Learn What is Normal
• Per entity and containing groups
• Access patterns
• Logged-on Computers
• Accessed resources
• Working period
• Working days
• Working hours
• Physical location
• Where is the user’s home
• In case of travel, does it make sense?
http://seanheritage.com/blog/profiling-normal/
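The “learn what is normal” list maps directly onto a per-user baseline: which computers a user logs on to, the hours and days they work, and the site they work from, with travel checked for plausibility. The following is an added example, not code from the talk or from any product mentioned in it: it builds such a baseline from a constructed month of logon history and scores a handful of new logons against it. The site coordinates, the 1000 km/h travel limit, the event layout and all names are assumptions.

```python
"""Profiling 'normal' per user from logon history and scoring new logons against
it (added example, not from the talk). Site coordinates, the event format, the
thresholds and all logon data are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed office sites and their coordinates (latitude, longitude).
SITES = {"tel-aviv": (32.07, 34.78), "redmond": (47.67, -122.12), "london": (51.51, -0.13)}
MAX_TRAVEL_KMH = 1000  # faster than an airliner between two sites => impossible travel

# Constructed logon history (ts, user, computer, site): September 2015, weekdays
# only, four logons a day, each user on one computer at one site.
HISTORY = []
_day = datetime(2015, 9, 1)
while _day < datetime(2015, 10, 1):
    if _day.weekday() < 5:
        for hour in (9, 11, 14, 17):
            HISTORY.append((_day.replace(hour=hour), "alice", "ws-03", "tel-aviv"))
            HISTORY.append((_day.replace(hour=hour), "bob", "ws-07", "london"))
    _day += timedelta(days=1)

# Constructed new logons to score (9 October 2015 is a Friday, 10 October a Saturday).
NEW_EVENTS = [
    (datetime(2015, 10, 9, 10, 0), "alice", "ws-03", "tel-aviv"),    # ordinary
    (datetime(2015, 10, 9, 11, 0), "bob", "ws-07", "london"),        # ordinary
    (datetime(2015, 10, 9, 12, 0), "mallory", "ws-17", "tel-aviv"),  # no history at all
    (datetime(2015, 10, 9, 13, 0), "alice", "ws-11", "redmond"),     # 3 h after Tel Aviv
    (datetime(2015, 10, 10, 2, 0), "alice", "ws-17", "tel-aviv"),    # Saturday 02:00, new PC
]


def build_baseline(history):
    """Per user: computers logged on to, working-hour range, working days, sites."""
    base = defaultdict(lambda: {"computers": set(), "hours": set(), "days": set(), "sites": set()})
    for ts, user, computer, site in history:
        b = base[user]
        b["computers"].add(computer)
        b["hours"].add(ts.hour)
        b["days"].add(ts.weekday())
        b["sites"].add(site)
    return dict(base)


def haversine_km(p, q):
    """Great-circle distance between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(radians, (*p, *q))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def score_event(baseline, event, last_seen):
    """Return the list of anomaly labels for one logon; last_seen is updated so
    that consecutive logons of the same user can be checked for travel speed."""
    ts, user, computer, site = event
    b = baseline.get(user)
    if b is None:
        return ["unknown-user"]
    flags = []
    if computer not in b["computers"]:
        flags.append("new-computer")
    if not min(b["hours"]) <= ts.hour <= max(b["hours"]):
        flags.append("off-hours")
    if ts.weekday() not in b["days"]:
        flags.append("off-day")
    if site not in b["sites"]:
        flags.append("new-site")
    prev = last_seen.get(user)
    if prev is not None and prev[1] != site:
        hours = (ts - prev[0]).total_seconds() / 3600
        km = haversine_km(SITES[prev[1]], SITES[site])
        if hours <= 0 or km / hours > MAX_TRAVEL_KMH:
            flags.append("impossible-travel")
    last_seen[user] = (ts, site)
    return flags


def score_stream(baseline, events):
    """Score events in time order; returns {(user, ts): flags}."""
    last_seen = {}
    return {(user, ts): score_event(baseline, (ts, user, c, s), last_seen)
            for ts, user, c, s in sorted(events)}


if __name__ == "__main__":
    for (user, ts), flags in score_stream(build_baseline(HISTORY), NEW_EVENTS).items():
        print(ts, user, flags or "ok")
```

The Redmond logon three hours after a Tel Aviv logon is flagged as impossible travel, while the return to Tel Aviv thirteen hours later is not (roughly 835 km/h, within airliner speed); the Saturday 02:00 logon on an unseen computer is flagged on the computer, hour and day dimensions at once. Flags are labels, not verdicts: the later slides’ point about prioritization is that several weak signals on one entity are what earn an analyst’s time.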
- 18. Time for another Sun Tzu Quote
• “...And therefore those skilled in war bring the enemy to the field of battle and are not brought there by him.“
• Remember this is a chain!
• We get to choose where to cut it!
• It’s not a binary decision:
• Prioritization
• Balance
- 19. It’s a Battle of Movement
• All phases involve movement
• Movement in IT = Network
• Therefore the battle must take place over the network
• But we have a limited budget: in which phase should we invest more and in which should we invest less?
- 20. Where to Invest Less
• Exfiltration – too late
• The information is already making its way out
• Infiltration – too much attack surface
• Too many users, end systems, 0-day vulnerabilities
• We had already invested a lot of budget there, mainly in anti-malware
• And both
• Very generic to the attacker, very similar for all victims
• The attackers are well trained there as they do it all the time
• Highly automated
• Very rapid, compared to the middle section
• Fewer mistakes
- 21. Where to Invest More
• In the middle part:
• Not generic: Attacker does not know internal network
• Intelligence gaps: Attacker does not know what is normal within the internal network
• Before any real damage has been done
• The longest of phases: Takes weeks or even months
- 22. Weapons #1: Monitoring Traffic
• Detect known attackers’ patterns
• Learn normal traffic patterns
• To identify anomalies
• Monitoring everything does not scale and we must prioritize
• Invest more in monitoring central repositories
• E.g. Active Directory, DNS, DHCP
• Invest more in monitoring sensitive servers
• E.g. relevant file servers, database servers, Active Directory/Domain Controllers
- 23. Weapons #2: Deception
• Confuse the attacker with deception
• Use network tripwires and landmines
• Deploy honeypots
• Fake servers
• Deploy honeytokens
• Fake entries in real servers
• Monitor access to honeypots and use of honeytokens over the network
- 24. Putting it All Together
• We know ourselves
• We learn what is normal over the network
• We know the enemy
• We know what the attacker is doing and are able to detect it
• We have chosen the right battlefield
• The middle of the attack: recon + lateral movement
• We have the right weapons:
• Network monitoring to detect known attackers’ patterns, anomalies and deception tripwires and landmines
• Sun Tzu promises victory!
Editor's Notes
- Source:
https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf
http://h30499.www3.hp.com/t5/HP-Security-Products-Blog/2015-Cost-of-Cyber-Crime-study-The-average-cost-of-cybercrime/ba-p/6802367#.ViNnwfnyuUk
http://www.out-law.com/en/articles/2015/june/cost-of-data-breach-incidents-to-business-soars-finds-uk-government-study/
- http://s.wsj.net/message/dowjonesletter-20151009.pdf
- http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf