Threats That Matter - Murray State University 2017

Threats That Matter MSU 2017 Chris Sanders

Upload: chrissanders88

Post on 29-Jan-2018

Page 1: Threats that Matter - Murray State University 2017

Threats That Matter

MSU 2017

Chris Sanders

Page 2: Threats that Matter - Murray State University 2017

Copyright © 2017 Chris Sanders

CHRIS SANDERS

Twitter: @chrissanders88 | Mail: [email protected]

MPS, Penn State | BS, Murray State | SANS GSE #64

Page 3: Threats that Matter - Murray State University 2017

Rural Technology Fund

We Provide:

Education resources

Scholarships

Book donations

Advocacy

Students Impacted:

10,000 in 2016

25,000 in 2017

Page 4: Threats that Matter - Murray State University 2017

COGNITIVE CRISIS

Page 5: Threats that Matter - Murray State University 2017

NASCAR Innovation Model

Fortune 500 + Gov/Mil + Open Source

Small Business & Consumer Protection

Page 6: Threats that Matter - Murray State University 2017

The Security Product Landscape

Page 7: Threats that Matter - Murray State University 2017

Ethnography of the SOC

“An analyst’s job is highly dynamic and requires dealing with constantly evolving threats. Doing the job is more art than science. Ad hoc, on-the-job training for new analysts is the norm.”

Page 8: Threats that Matter - Murray State University 2017

Ethnography of the SOC

“The profession [security] is so nascent that the how-tos have not been fully realized even by the people who have the knowledge…the process required to connect the dots is unclear even to analysts.”

Page 9: Threats that Matter - Murray State University 2017

Symptoms of a Cognitive Crisis

1. Demand for expertise greatly outweighs supply

2. Most information cannot be trusted or validated

3. Inability to mobilize and tackle big systemic issues

Page 10: Threats that Matter - Murray State University 2017

FRAMING

Page 11: Threats that Matter - Murray State University 2017

Economics of Security

“If you want to understand the world of nature, master physics. If you want to understand the world of man, master economics.”

Adversary Cost to Attack

Likelihood of Attack

Page 12: Threats that Matter - Murray State University 2017

Classification of Threats

Unstructured/Structured

Opportunistic/Targeted

High Cost to Defend

Low Cost to Defend

Page 13: Threats that Matter - Murray State University 2017

USERS

Page 14: Threats that Matter - Murray State University 2017

The Human Factor

How do attackers access systems?

Code execution via vulnerability

Code execution via user

Users:

Click links

Open e-mails

Go to websites

External Penetration Test Engagement Success

Users out of Scope: ~15%

Users in Scope: 100%

Opportunistic/Targeted Unstructured/Structured

Page 15: Threats that Matter - Murray State University 2017

Pew Study on User Understanding

What percent of users can identify…

What a phishing attack is?

That email is not encrypted by default?

That public wifi is not a safe place for sensitive activities?

That HTTPS in a URL means browsing is encrypted?

Can identify an example of multi factor authentication?

73%

54%

46%

33%

10%

Page 16: Threats that Matter - Murray State University 2017

RANSOMWARE

Page 17: Threats that Matter - Murray State University 2017

Evolution of Ransom

Page 18: Threats that Matter - Murray State University 2017

Evolution of Ransom

Page 19: Threats that Matter - Murray State University 2017

How much would you pay…

…to get all your work files back?

…to get all your family photos back?

…to keep someone from posting all your personal data on the Internet?

…to keep someone from sending copies of all your text messages to everyone in your address book?

…to keep someone from sending photos they took on your webcam to everyone in your address book?

Page 20: Threats that Matter - Murray State University 2017

What is your data worth?

Ransomware will be a $1B industry in 2017

Opportunistic Structured/Unstructured

AVERAGE RANSOM AMOUNT

2014: $372.00

2015: $294.00

2016: $679.00

Page 21: Threats that Matter - Murray State University 2017

Ransomware Growth

Exploit Kit Payloads

Page 22: Threats that Matter - Murray State University 2017

Ransomware Delivery

Infection Vector

USB DRIVE: 3%

SOCIAL MEDIA: 4%

UNKNOWN: 10%

INFECTED WEBSITE: 24%

E-MAIL ATTACHMENT: 28%

E-MAIL LINK: 31%

Page 23: Threats that Matter - Murray State University 2017

ESPIONAGE

Page 24: Threats that Matter - Murray State University 2017

Is espionage a threat that matters?

China, Russia, USA, Iran, Israel, North Korea, etc.

They want to steal useful information

Asymmetric by nature

You are defending against a literal army

Targeted Structured

Page 25: Threats that Matter - Murray State University 2017

5 THINGS TO DO NOW

Page 26: Threats that Matter - Murray State University 2017

Don’t Let Users Run Unapproved Code

Limit Admin Access

Block Office Macros

Application Whitelisting: AppLocker

Limit browser plugins: Flash, Silverlight, Java

Page 27: Threats that Matter - Murray State University 2017

Deploy Centralized Logging

Host:

Log these things:

Process execution and connections

Drivers

File system changes

Registry changes

Do it with Sysmon

Network:

Log these things:

Network connections

HTTP requests

Files transferred

DNS queries

Do it with Security Onion
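
Added example (not part of the original slides): a Sysmon configuration sketch that maps each host item in the list above to the Sysmon event type that records it. The schema version and every filter value are assumptions chosen for illustration; match `schemaversion` to the installed Sysmon binary and tune the filters to your environment.

```xml
<!-- Added example, not from the original slides.
     schemaversion is an assumption: use the value printed by "sysmon -s". -->
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Process execution (Event ID 1): an empty exclude list logs every process start -->
    <ProcessCreate onmatch="exclude"/>

    <!-- Process connections (Event ID 3): an empty exclude list logs every connection -->
    <NetworkConnect onmatch="exclude"/>

    <!-- Drivers (Event ID 6): log loads unless the signer name contains "Microsoft" -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">Microsoft</Signature>
    </DriverLoad>

    <!-- File system changes (Event ID 11): illustrative filter for new executable
         content and startup-folder drops; logging every file create is very noisy -->
    <FileCreate onmatch="include">
      <TargetFilename condition="end with">.exe</TargetFilename>
      <TargetFilename condition="end with">.dll</TargetFilename>
      <TargetFilename condition="end with">.ps1</TargetFilename>
      <TargetFilename condition="end with">.vbs</TargetFilename>
      <TargetFilename condition="contains">\Start Menu\Programs\Startup\</TargetFilename>
    </FileCreate>

    <!-- Registry changes (Event IDs 12 to 14): illustrative filter for common
         autostart and service locations -->
    <RegistryEvent onmatch="include">
      <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
      <TargetObject condition="contains">\CurrentVersion\Image File Execution Options\</TargetObject>
      <TargetObject condition="contains">\Services\</TargetObject>
    </RegistryEvent>
  </EventFiltering>
</Sysmon>
```

Sysmon writes these events to the local Microsoft-Windows-Sysmon/Operational event log, so centralizing them still requires forwarding that log to the collection point.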

Page 28: Threats that Matter - Murray State University 2017

Two-Factor Authentication

Factors (Choose 2):

Something you know

Something you have

Something you are

Focus on publicly accessible things:

VPN Connectivity

Web Applications

E-Mail Portals

Cloud Services

Do it with: Google Authenticator

Page 29: Threats that Matter - Murray State University 2017

Test Your Users

Phishing is the #1 most effective technique for gaining an initial foothold on the network

Conduct periodic phishing assessments

GoPhish Framework

Page 30: Threats that Matter - Murray State University 2017

Limit Ad Network Participation

Malware distribution:

Jan ’16 ReadersDigest.com: 210K Exposed

Dec ’15 DailyMotion.com: 128 Million Exposed

July ’15 Yahoo.com: 6.9 Billion Exposed

Do it with:

Adblock browser plugin

Page 31: Threats that Matter - Murray State University 2017

Thank You!

Mail: [email protected]

Twitter: @chrissanders88

Blog: chrissanders.org

Training: chrissanders.org/training

Slides: slideshare.net/chrissanders88