Battlefield Network
Speaker: Tal Be’ery
October 2015
Speaker Info – Tal Be’ery
• Senior Security Research Manager @Microsoft
• Former VP for Research @Aorato (Acquired by Microsoft)
• 15 years of security research
• Author of the TIME attack on SSL
• Regular speaker in Industry’s top conventions
• Named a “Facebook Whitehat”
• Twitter: @TalBeerySec
Agenda
• Intro
• Current state of affairs
• Why do we fail
• Know the enemy
• The modified Cyber Kill Chain
• Know thyself
• What is normal?
• Choose the right battlefield
• Network based detection of Reconnaissance and Lateral Movement
Current State of affairs
• 90% of large organizations and 74% of small businesses reported a security breach
• Data breach costs 2015: $6M on average, $65M max
• Average time to breach detection: eight months
• Most breaches are not detected internally
Test Case: The Dow Jones Breach
• Reported this month (October 9th 2015)
• Reported by others
• Breached for 3 years
• In other words: we still don’t know what happened
Why do We Fail?
• “If you know the enemy and know yourself, you
need not fear the result of a hundred battles. If
you know yourself but not the enemy, for every
victory gained you will also suffer a defeat. If
you know neither the enemy nor yourself, you
will succumb in every battle.”
• We don’t know the enemy
• We don’t know ourselves
https://upload.wikimedia.org/wikipedia/commons/3/37/Enchoen27n3200.jpg
Know the Enemy
The Cyber Kill-Chain
• Presented by Lockheed Martin, 2010
• Main achievements
• Knowing the enemy: The first widely accepted model of
APT attackers
• Important insight: It’s a chain!
• The chain is only as strong as its weakest link
• Defenders get to choose where to break the chain
Modifying the Kill-Chain #1
• The original Kill-Chain puts too much emphasis on the initial infection
• LightCyber’s version:
Modifying the Kill-Chain #2
• The process is not linear
• Mandiant’s version:
The start: Initial Compromise & Foothold
• Attackers move from the Internet to an initial, arbitrary foothold in the victim’s network
• Through interfaces open to the internet:
• E-Mail:
• The most popular method
• Phishing e-mail bearing malware
• Web:
• Watering hole attack: malware “Drive-by
download” on relevant sites
• Enterprise Web App
• Using web app vulnerabilities
The Middle #1: Lateral Movement
• Attackers move from their arbitrary foothold in the victim’s network to their destination
• Using the Lateral Movement vehicle
• The engine: Stolen credentials
• The wheel: Data obtained in the Recon phase
• The Lateral Movement methods are standard:
• Steal credentials from infected computer
• Expand to other computers using these creds
• Steal other creds from the computer
• Repeat
The Middle #2: Recon
• The recon phase is the most non-standard part, as every victim’s network is different:
• Attack destinations, network topology, IT conventions
• Therefore it involves more manual work:
• More time
• Attackers’ mistakes
• Recon methods are standard
• Scan the vicinity: near-by (network-wise) computers
• Query central repositories: Active Directory, DNS
The End: Exfiltration
• Attackers move data to the internet using standard open channels
• Mostly through web
• But also FTP or any other protocol
Know Thyself
Learn What is Normal
• Per entity and containing groups
• Access patterns
• Logged-on Computers
• Accessed resources
• Working period
• Working days
• Working hours
• Physical location
• Where is the user’s home
• In case of travel, does it make sense?
http://seanheritage.com/blog/profiling-normal/
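As an added example (not from the talk), the following shows one way to turn the "learn what is normal" checklist above into working detection logic. It learns, per user, the set of computers logged on to, the working days and hours, and the coarse physical location from a constructed history of logon records (in a real deployment these would come from Domain Controller security logs or authentication traffic seen on the network), then flags new logons that deviate on several dimensions at once. The record fields, the sample users and the alert threshold are assumptions of this example.

```python
"""Per-entity baseline of 'normal' logon behaviour and anomaly scoring.

Added example, not from the original talk. All logon records below are
constructed; field names and the threshold are assumptions of this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Logon:
    user: str
    computer: str   # computer the user logged on to
    weekday: int    # 0 = Monday .. 6 = Sunday
    hour: int       # 0-23, local time of the logon
    country: str    # coarse physical location of the client


@dataclass
class Profile:
    """What has been observed as normal for one user."""
    computers: set = field(default_factory=set)
    weekdays: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    countries: set = field(default_factory=set)


def build_profiles(history):
    """Learn a Profile per user from historical logon records."""
    profiles = defaultdict(Profile)
    for ev in history:
        p = profiles[ev.user]
        p.computers.add(ev.computer)
        p.weekdays.add(ev.weekday)
        p.hours.add(ev.hour)
        p.countries.add(ev.country)
    return dict(profiles)


def score(profile, ev):
    """Return the list of dimensions on which the logon deviates from the baseline."""
    deviations = []
    if ev.computer not in profile.computers:
        deviations.append("new computer")
    if ev.weekday not in profile.weekdays:
        deviations.append("unusual day")
    if ev.hour not in profile.hours:
        deviations.append("unusual hour")
    if ev.country not in profile.countries:
        deviations.append("unusual location")
    return deviations


def detect(profiles, events, threshold=2):
    """Flag logons deviating on at least `threshold` dimensions.

    A user with no baseline at all is always flagged: an account that has
    never been seen logging on is itself worth a look.
    """
    alerts = []
    for ev in events:
        p = profiles.get(ev.user)
        if p is None:
            alerts.append((ev, ["unknown user"]))
            continue
        deviations = score(p, ev)
        if len(deviations) >= threshold:
            alerts.append((ev, deviations))
    return alerts


# Constructed history: alice works Monday-Friday 08:00-17:59 from WS-ALICE
# and opens the file server FS-01 every weekday around 10:00, always from IL.
HISTORY = [Logon("alice", "WS-ALICE", d, h, "IL") for d in range(5) for h in range(8, 18)]
HISTORY += [Logon("alice", "FS-01", d, 10, "IL") for d in range(5)]

# Constructed new events to score against that baseline.
NEW_EVENTS = [
    Logon("alice", "WS-ALICE", 2, 9, "IL"),   # ordinary Wednesday morning
    Logon("alice", "FS-01", 5, 10, "IL"),     # Saturday: one deviation only, below threshold
    Logon("alice", "DC-01", 6, 3, "RO"),      # Sunday 03:00, new computer, new country
]


def run():
    """Score the constructed events against the learned baseline."""
    return detect(build_profiles(HISTORY), NEW_EVENTS)


if __name__ == "__main__":
    for ev, why in run():
        print(f"ALERT {ev.user} -> {ev.computer}: {', '.join(why)}")
```

The example uses exact set membership on purpose so the logic stays readable; a production baseline would keep frequencies or time ranges per dimension (so that a logon at 18:05 after a history of 08:00-17:59 is a weak signal, not a deviation) and would also be learned for the groups that contain the user, as the slide suggests.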
Choose the Battlefield
Time for another Sun Tzu Quote
• “...And therefore those skilled in war bring the enemy to the field of battle and are not brought there by him.”
• Remember this is a chain!
• We get to choose where to cut it!
• It’s not a binary decision:
• Prioritization
• Balance
https://upload.wikimedia.org/wikipedia/commons/3/37/Enchoen27n3200.jpg
It’s a Battle of Movement
• All phases involve movement
• Movement in IT = Network
• Therefore the battle must take place over the network
• But we have a limited budget: in which phase should we invest more, and in which less?
Where to Invest Less
• Exfiltration – too late
• The information is already making its way out
• Infiltration – too much attack surface
• Too many users, end systems, 0-day vulnerabilities
• We have already invested a lot of budget there, mainly in anti-malware
• And both
• Very generic to the attacker, very similar for all victims
• The attackers are well trained there as they do it all the time
• Highly automated
• Very rapid, compared to the middle section
• Fewer mistakes
Where to Invest More
• In the middle part:
• Not generic: the attacker does not know the internal network
• Intelligence gaps: the attacker does not know what is normal within the internal network
• Before any real damage has been done
• The longest of phases: Takes weeks or even months
Weapons #1: Monitoring Traffic
• Detect known attackers’ patterns
• Learn normal traffic patterns
• To identify anomalies
• Monitoring everything does not scale and we must prioritize
• Invest more in monitoring central repositories
• E.g. Active Directory, DNS, DHCP
• Invest more in monitoring sensitive servers
• E.g. relevant file servers, database servers, Active Directory/Domain Controllers
Weapons #2: Deception
• Confuse the attacker with deception
• Use network tripwires and landmines
• Deploy honeypots
• Fake servers
• Deploy honeytokens
• Fake entries in real servers
• Monitor access to honeypots and use of honeytokens over the network
Putting it All Together
• We know ourselves
• We learn what is normal over the network
• We know the enemy
• We know what the attacker is doing and able to detect it
• We have chosen the right battlefield
• The middle of the attack: recon + lateral movement
• We have the right weapons:
• Network monitoring to detect known attackers’ patterns, anomalies and deception tripwires and landmines
• Sun Tzu promises victory!

Editor's Notes

  1. Sources:
     https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf
     http://h30499.www3.hp.com/t5/HP-Security-Products-Blog/2015-Cost-of-Cyber-Crime-study-The-average-cost-of-cybercrime/ba-p/6802367#.ViNnwfnyuUk
     http://www.out-law.com/en/articles/2015/june/cost-of-data-breach-incidents-to-business-soars-finds-uk-government-study/
  2. http://s.wsj.net/message/dowjonesletter-20151009.pdf
  3. http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
     http://cdn2.hubspot.net/hub/91979/hubfs/social-suggested-images/cyber-kill-chain.jpg
  4. http://core0.staticworld.net/images/idge/imported/article/nww/2011/08/082611-rsa-email-100271913-orig.jpg