incognitolab
incognitolab.com
C-SEC2016
THE SECURITY GAME: YOU FAILED AT THE BEGINNING
Presented by Incognito Lab, a division of ACinfotec
SHALL WE PLAY A GAME?
About me
Mr. Nuttakorn Dhiraprayudti
• @misterdonut
• CISSP, CISA, CISM
For some reason, we failed
History repeats itself
Stay calm and pay
For some reason, we failed
• Cybersecurity Economics
• A wrong mindset
• A failed approach
Cybersecurity Economics
Lack of incentives at global scale
• Security software
• Underground economy
• Bug
• Cybercrime
Ref: DelftX: Secon101x Cyber Security Economics [edX]
A WRONG MINDSET
"Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail."
- Bruce Schneier -
Ref: https://www.schneier.com/crypto-gram/
If I know how to hack, then I can defend myself.
I do not agree!!!
A strong foundation is more important.
A failed approach
"Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win."
- John Lambert -
Ref: https://blogs.technet.microsoft.com/johnla/2015/04/26/defenders-think-in-lists-attackers-think-in-graphs-as-long-as-this-is-true-attackers-win/
INFORMATION SECURITY IS ALL ABOUT RISK MANAGEMENT
COMPLIANCE != SECURITY
GRAPH THEORY
[Figure: two vertices (Vertex 1, Vertex 2) joined by an edge]
GRAPH THEORY
[Figure: a graph of eight vertices (Vertex 1 to Vertex 8) connected by edges]
GRAPH THEORY
[Figure: the same graph with hosts as vertices: Fileshare Server, Domain Controller, ERP Server 1, ERP Server 2, ERP Server 3]
GRAPH THEORY
[Figure: the environment as an attack graph. Vertices: User Eve, Fileshare Server, Group Local Admin, ERP Server 1, User ITadmin, User ERPadmin, Group Domain Admins, Domain Controller, ERP Server 2, ERP Server 3. Edge types: "Can access to", "Member of", "Admin to", "Has session"]
Extra reading: DEFCON24: Six Degrees of Domain Admin
BloodHound
Extra reading: DEFCON24: Six Degrees of Domain Admin
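The graph slides above say what BloodHound does but not how a defender uses the result. The following stand-alone Python example (added here; it is not the deck's code and not BloodHound's) builds the slide's environment as a directed graph, finds the shortest path from the low-privileged user Eve to Domain Admins, and then finds the edges whose removal on its own breaks every path, which is the "manage your graph" step. The vertex names come from the slide; the wiring between them and the `EDGES` list are assumptions made for this example.

```python
"""Attack-path analysis from the defender's side (added example)."""
from collections import deque

# Constructed edge list.  Vertex names are the ones on the slide; the
# exact wiring between them is an assumption made for this example.
EDGES = [
    ("User:Eve", "CanAccessTo", "Fileshare Server"),
    ("User:Eve", "MemberOf", "Group:Local Admin"),
    ("Group:Local Admin", "AdminTo", "ERP Server 1"),
    ("Fileshare Server", "HasSession", "User:ITadmin"),
    ("ERP Server 1", "HasSession", "User:ITadmin"),
    ("User:ITadmin", "CanAccessTo", "ERP Server 2"),
    ("User:ITadmin", "CanAccessTo", "ERP Server 3"),
    ("ERP Server 2", "HasSession", "User:ERPadmin"),
    ("User:ERPadmin", "MemberOf", "Group:Domain Admins"),
    ("Group:Domain Admins", "AdminTo", "Domain Controller"),
]


def build_graph(edges):
    """Adjacency list: vertex -> list of (edge label, neighbour)."""
    graph = {}
    for src, label, dst in edges:
        graph.setdefault(src, []).append((label, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search.  Returns the hops (src, label, dst) of one
    shortest path, [] if start == goal, or None if goal is unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for label, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, label)
                queue.append(nxt)
    if goal not in parent:
        return None
    hops = []
    node = goal
    while parent[node] is not None:
        prev, label = parent[node]
        hops.append((prev, label, node))
        node = prev
    return hops[::-1]


def reachable(graph, start):
    """Every vertex that whoever holds `start` can walk to (blast radius)."""
    seen = {start}
    queue = deque([start])
    while queue:
        for _, nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def critical_edges(edges, start, goal):
    """Edges whose removal on its own leaves no path from start to goal.
    Each is a single fix (drop a group membership, stop an admin logging
    on to a widely reachable server) that closes the whole route."""
    cuts = []
    for i, edge in enumerate(edges):
        remaining = edges[:i] + edges[i + 1:]
        if shortest_path(build_graph(remaining), start, goal) is None:
            cuts.append(edge)
    return cuts


if __name__ == "__main__":
    g = build_graph(EDGES)
    for src, label, dst in shortest_path(g, "User:Eve", "Group:Domain Admins"):
        print(f"{src} --{label}--> {dst}")
    print("vertices reachable from Eve:", len(reachable(g, "User:Eve")))
    print("critical edges:", critical_edges(EDGES, "User:Eve", "Group:Domain Admins"))
```

In this constructed graph the edges that matter are not Eve's own memberships but the IT admin's session on a server every user can reach and the chain behind it; removing any one of the three critical edges closes the route, while removing Eve's group membership changes nothing because a second path exists. That is the difference between a list of findings and a graph.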
HISTORY REPEATS ITSELF
Privilege Escalation
OSINT
OSINT
OSINT = Open Source INTelligence
osintframework.com
OSINT
OSINT = Open Source INTelligence
Now the bad guy knows your username format. Can you change it?
Privilege Escalation
• Mimikatz
• Mimikittenz
Privilege Escalation
Protect against mimikatz
• Disable cleartext passwords in memory
Set DWORD value = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
• LSASS.exe protected mode
Set DWORD value = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
• Protect your privileged accounts
Use LAPS (Microsoft's Local Administrator Password Solution)
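Setting the two registry values is one thing; knowing which hosts actually have them set is the recurring job. The following Python example (added here; not the deck's code) parses the text that `reg query` prints for the two keys and decides whether WDigest cleartext caching is off and whether LSASS runs as a protected process. The value name `RunAsPPL` under `...\Control\Lsa` is not on the slide; it is the value Microsoft documents for LSA protection. Collecting `reg query` output from many hosts and evaluating it centrally is the assumed workflow, and both sample outputs are constructed.

```python
"""Audit the slide's two anti-mimikatz registry settings (added example)."""
import re

WDIGEST_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed samples in the layout `reg query <key>` prints: a key path
# line, then one indented "name  type  data" line per value.
SAMPLE_UNHARDENED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    UseLogonCredential    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LimitBlankPasswordUse    REG_DWORD    0x1
"""

SAMPLE_HARDENED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    UseLogonCredential    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LimitBlankPasswordUse    REG_DWORD    0x1
    RunAsPPL    REG_DWORD    0x1
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(\S.*)$")


def parse_reg_query(text):
    """Map (key path, value name) -> (type, raw data) from reg query output.
    Value names containing spaces are not handled by this simple parser."""
    values, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and current:
            values[(current, m.group(1))] = (m.group(2), m.group(3).strip())
    return values


def dword(values, key, name):
    """Integer data of a REG_DWORD value, or None if absent or another type."""
    entry = values.get((key, name))
    if entry is None or entry[0] != "REG_DWORD":
        return None
    return int(entry[1], 16)


def assess(values, legacy_os=False):
    """Return {check: (passed, reason)}.

    legacy_os=True means Windows 7 / 2008 R2 / 8 / 2012 with KB2871997,
    where an absent UseLogonCredential still leaves cleartext caching on,
    so the value must be set to 0 explicitly.  On 8.1 / 2012 R2 and later
    an absent value defaults to disabled."""
    ulc = dword(values, WDIGEST_KEY, "UseLogonCredential")
    if ulc == 0:
        wdigest = (True, "UseLogonCredential = 0")
    elif ulc is None and not legacy_os:
        wdigest = (True, "UseLogonCredential absent; default on this OS is disabled")
    elif ulc is None:
        wdigest = (False, "UseLogonCredential absent; legacy default keeps cleartext in LSASS")
    else:
        wdigest = (False, f"UseLogonCredential = {ulc}")

    ppl = dword(values, LSA_KEY, "RunAsPPL")
    lsass = (ppl == 1, "RunAsPPL = 1" if ppl == 1 else f"RunAsPPL = {ppl}")
    return {"wdigest_cleartext_disabled": wdigest, "lsass_protected_process": lsass}


if __name__ == "__main__":
    for name, text in (("unhardened", SAMPLE_UNHARDENED), ("hardened", SAMPLE_HARDENED)):
        print(name)
        for check, (ok, why) in assess(parse_reg_query(text)).items():
            print(f"  {'PASS' if ok else 'FAIL'} {check}: {why}")
```

The `legacy_os` flag is the caveat worth remembering: on the older systems that needed the KB2871997 update, an absent `UseLogonCredential` is a finding, not a pass, so the audit has to know the OS version of each host it evaluates.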
Keep calm and pay
• Turn your list into a graph
• Manage your graph
• Spend your money wisely
What should I pay?
Reference: SANS: IT Security Spending Trends
• Firewall to segregate your internal network
• Two-factor authentication for administrative accounts and remote access
• Local privileged account management
MONEY WITHOUT BRAINS IS ALWAYS DANGEROUS
- Napoleon Hill -
• Spend more money on your people; otherwise, let professionals do it for you.
• Consulting companies also spend money on marketing; select them wisely.
THANK YOU
INCOGNITOLAB.COM
WWW.FACEBOOK.COM/INCOGNITOLAB