A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response
Gidi Cohen | CEO & Founder | Skybox Security

The Defender Deficit
£260B annual cost of cyber crime
£45B annual spend on solutions
NO CHANGE in “defender gap” in 10 years!
80% of attackers compromise a network in days
25% of defenders discover attacks in days
Sources: Spending – IDC & Gartner; Costs – Center for Strategic and International Studies; Chart – 2015 Verizon Data Breach Investigations Report

From Peacetime to Wartime Mindset
Peacetime
• Process focused
• Advanced planning
• Compliance driven
Wartime
• Battlefield view
• Attack detection
• Jump teams

What’s your Incident Response Time?
Incident Response Process
170 days to detect
+45 days to resolve
Sources: ISACA.org for Incident Response process, Ponemon 2014 Cost of Cyber Crime Study for IR times

What Takes So Long?
Event: potential exfiltration, suspicious outbound data. Action: shut down unnecessary ports. In between, the questions that take the time:
• Does this event match a possible attack vector?
• What assets are exposed through that access path?
• Which security controls can we leverage?
• Will a firewall change disrupt necessary services?

Ongoing Visibility of the Battlefield
• Security controls: firewalls, IPS, VPNs
• Network topology: routers, load balancers, switches
• Assets: servers, workstations, networks
• Vulnerabilities: location, criticality
• Threat actors: hackers, insiders, worms
The attack surface is the sum of all reachable and exploitable attack vectors against an organization.

Apply Understanding of the Attack Surface
With knowledge of the attack surface:
• Improve planning
• Reduce mean time to detect
• Speed containment actions
• Verify resolution

Preparation: Reduce Attack Vectors
• Target concentrations of vulnerabilities
• Address zoning violations
• Fix risky firewall rules

Preparation: Optimise SIEM Monitoring
Create a SIEM watch list:
• Watch specific servers with known vulnerabilities
• Monitor access paths to high-value assets
• Look for services used in recent threats


Detection: Confirm Real Attacks Fast
Attack detection flow: SIEM, then Level 1 SOC analysts, then the Level 2 IR team
BEFORE: high volume to review, false positives
AFTER: get attack context, assets at risk, prioritisation

Analysis: Triage Based on Impact to Assets
• Alert: anomalous behavior. The model shows multiple ways to compromise the finance server, so flag it as a high-risk vector.
• Alert: unexpected router change. Low risk.

Contain: Fast Zero-Day Response
Attack Surface Model: threat, vulnerability, asset
New vulnerability identified! CVE-2015-01234
• Which systems have the vulnerability?
• Are they part of an attack vector?
• Triage response
Source: ISACA.org

Contain: Understand Scope, Exfiltration Paths
Map the exfiltration path, then act on it. Recommended actions:
• Generate firewall change requests to block the exfil route
• Switch advanced malware protection to block mode
• Enable IPS signature

Post-Incident Activity
Attack Surface Model
• Long-term architectural changes
• Network segmentation
• Use of advanced controls
• Verify risk elimination
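The slides describe the same model being queried at every IR phase: a SIEM watch list during preparation, alert triage by impact on assets during analysis, scoping a new vulnerability during containment, and verifying that a firewall fix actually removed risk afterwards. The following Python sketch is an added example, not Skybox code or any product's data model. It builds a toy attack-surface model from four of the layers listed above (assets, firewall zone rules, vulnerabilities, threat actors) and answers each of those questions by enumerating paths that are both firewall-reachable and land only on vulnerable hosts. Every host, zone, rule and CVE identifier (the CVE-EXAMPLE-* values) is a constructed placeholder.

```python
"""Toy attack-surface model for incident response (added example, not Skybox code).

All assets, zones, firewall rules, threat sources and CVE ids are constructed
sample data; CVE-EXAMPLE-* are placeholders, not real vulnerability identifiers.
"""

# Assets: host -> zone, business criticality, vulnerabilities present on it.
ASSETS = {
    "web01":     {"zone": "dmz",     "criticality": "medium", "vulns": {"CVE-EXAMPLE-0001"}},
    "app01":     {"zone": "app",     "criticality": "medium", "vulns": {"CVE-EXAMPLE-0002"}},
    "finance01": {"zone": "finance", "criticality": "high",   "vulns": {"CVE-EXAMPLE-0002"}},
    "hr01":      {"zone": "hr",      "criticality": "high",   "vulns": set()},
    "ws-042":    {"zone": "users",   "criticality": "low",    "vulns": {"CVE-EXAMPLE-0001"}},
}

# Firewall policy reduced to permitted zone-to-zone flows (the security-controls layer).
FW_RULES = [
    ("internet", "dmz"),
    ("dmz", "app"),
    ("app", "finance"),
    ("users", "app"),
    ("users", "finance"),   # risky rule: workstations talk straight into finance
]

# Threat actors and the zone each one starts from.
THREAT_SOURCES = {"internet": "hacker", "users": "insider"}


def attack_vectors(target, rules=FW_RULES):
    """All (actor, host-path) vectors ending at `target`.

    A hop is legal only if the firewall permits the zone crossing AND the next
    host carries at least one vulnerability, i.e. the path is reachable and
    exploitable, which is the slide's definition of an attack vector.
    """
    vectors = []
    for src_zone, actor in THREAT_SOURCES.items():
        stack = [(src_zone, ())]           # (zone attacker controls, hosts compromised so far)
        while stack:
            zone, path = stack.pop()
            if path and path[-1] == target:
                vectors.append((actor, path))
                continue                   # stop expanding once the target is reached
            for src, dst in rules:
                if src != zone:
                    continue
                for host, a in ASSETS.items():
                    if a["zone"] == dst and a["vulns"] and host not in path:
                        stack.append((dst, path + (host,)))
    return sorted(vectors)


def attack_surface(rules=FW_RULES):
    """The attack surface: every reachable, exploitable vector to every asset."""
    surface = {}
    for host in ASSETS:
        vectors = attack_vectors(host, rules)
        if vectors:
            surface[host] = vectors
    return surface


def siem_watch_list(rules=FW_RULES):
    """Preparation: vulnerable hosts that sit on an access path to a high-value asset."""
    watch = set()
    for target, vectors in attack_surface(rules).items():
        if ASSETS[target]["criticality"] == "high":
            for _actor, path in vectors:
                watch.update(path)
    return sorted(watch)


def triage_alert(host, rules=FW_RULES):
    """Analysis: rank an alert on `host` by the number of vectors into
    high-criticality assets that pass through it."""
    n = sum(1 for target, vectors in attack_surface(rules).items()
            if ASSETS[target]["criticality"] == "high"
            for _actor, path in vectors if host in path)
    return ("high-risk vector", n) if n else ("low risk", 0)


def scope_new_cve(cve, rules=FW_RULES):
    """Contain: which systems carry `cve`, and which of those lie on an attack vector."""
    affected = sorted(h for h, a in ASSETS.items() if cve in a["vulns"])
    on_vector = set()
    for _target, vectors in attack_surface(rules).items():
        for _actor, path in vectors:
            on_vector.update(h for h in path if h in affected)
    return {"affected": affected, "on_attack_vector": sorted(on_vector)}


def verify_rule_removal(rule, target):
    """Post-incident: vectors to `target` before and after dropping one firewall rule."""
    before = len(attack_vectors(target))
    after = len(attack_vectors(target, [r for r in FW_RULES if r != rule]))
    return before, after


if __name__ == "__main__":
    for target, vectors in attack_surface().items():
        print(target, "<-", ["%s: %s" % (actor, " -> ".join(path)) for actor, path in vectors])
    print("watch list:", siem_watch_list())
    print("alert on app01:", triage_alert("app01"))
    print("alert on core-router:", triage_alert("core-router"))
    print("scope CVE-EXAMPLE-0002:", scope_new_cve("CVE-EXAMPLE-0002"))
    print("drop users->finance:", verify_rule_removal(("users", "finance"), "finance01"))
```

With this data the finance server has three vectors (one from the internet through the DMZ and app tier, two from the user zone), so an alert on `app01` is ranked as a high-risk vector while an alert on a router that lies on no vector is low risk, and `hr01` is high-value but unreachable because it carries no vulnerability. Removing the risky `users -> finance` rule drops the finance server's vectors from three to two, which is the "verify risk elimination" check made concrete. A real model would also carry NAT, routing and host-level exposure, which this sketch leaves out.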

Summary: Using Attack Surface for IR
Incident Response Process
• Incorporate a broad set of data sources for a full attack surface view
• Arm the IR team with tools to correlate, query, and monitor the attack surface
• Speed detection and analysis
• Use contextual info on likely next steps to contain attacks and limit damage

Visit Skybox Security at Infosec
• Powerful platform for visibility of the attack surface
• Vulnerability and threat management
• Firewall management
• Network visibility and compliance
Risk Analytics for Cyber Security

Thank you