
Using Effective Configuration Management to Detect & Respond to Zero-Day and APT Attacks

Jun 21, 2015


Technology

Anitian

As malware becomes more sophisticated and insider threats more persistent, the need to closely monitor systems is more important than ever. Good configuration
management can provide vital insight into potentially dangerous changes in your
environment.
Transcript
Page 1: Using Effective Configuration Management to Detect & Respond to Zero-Day and APT Attacks

USING EFFECTIVE CONFIGURATION MANAGEMENT TO DETECT AND RESPOND

TO ZERO-DAY AND APT ATTACKS

Page 2

Presentation Overview

• Magic Trick
• The Problem
• Anatomy of an Attack
• Manage Change, Protect Systems

Page 3

Speakers

Andrew Plato, President / CEO, Anitian Enterprise Security

Mark Kerrison, CEO, NNT Workplace Solutions

Page 4

MAGIC!

Configuration Management

Page 5

A Little Magic

Page 6

Pick a Card – Any Card

Page 7

Do you have it…Now watch in

amazement as I make your card

disappear!!!!

Page 8

TAH DAH!

Page 9

THE PROBLEM

Configuration Management

Page 10

Current Defences are Inadequate

• Firewall & IPS – Zero-day and APT-style attacks can bypass signatures or hide inside encrypted tunnels

• Web & Email Filters – Rely on signatures and interception, which can also be bypassed

• Anti-virus – Even the base AV products are only about 90% effective

• Encryption – Can actually hide threats inside encrypted areas

• None of these can stop the most sinister threat – complacency

• “We’ve got security in place so we are secure...right?”

Page 11

NSS Labs Correlation of Detection Failures

• http://bit.ly/nss-did
• 606 unique combinations of devices
• NGFW+IPS, IPS+endpoint, NGFW+endpoint, etc.
• Only 3% (19 combinations) could block all exploits
• The bypassed exploits all targeted vulnerabilities in common applications
• The message is clear: current defense-in-depth methods are flawed
• This is why APT-style attacks are successful

Page 12

ANATOMY OF AN ATTACK

Configuration Management

Page 13

Anatomy of a Hack

Step 1 – Gone Phishing – could be random spam, could be a targeted ‘spear phishing’ attack on an identified user

Page 14

Anatomy of a Hack

This looks interesting – I’ll click on the link...

Step 2 – Sucker! – the user welcomes in the malware, and as an ‘authorized’ download the malware gets in

Page 15

Anatomy of a Hack

Step 3 – Infiltrated, Infected and In Trouble – at worst a rootkit infection provides a platform through which other malware can be introduced and protected from detection and removal

Page 16

Anatomy of a Hack

Step 4 – A Victim of Crime – the malware can spread itself to data stores and send back personal information, card data, intellectual property, financial data...

Page 17

Anatomy of a Hack

Alternatively – an inside man abuses sys admin rights to install malware or open up systems to infection...

Page 18

Anatomy of a Hack

...or simply steals data directly

Page 19

The Art of Layered Security

We need threats to follow the script...

Page 20

The Art of Layered Security

When they don’t, we’re exposed!

Insider attacks, zero-day and APT attacks can bypass security controls

Page 21

MANAGE CHANGE, PROTECT SYSTEMS

Configuration Management

Page 22

You never know how they might get you!

• You have to know what good looks like first

What does good look like in our environment?

Spot the difference

Page 23

Get Systems into a Known-Good State

Page 24

Then Keep Them There!

Right...nobody move!

Page 25

Monitor for Changes

Page 26

Investigate Change

Page 27

Review the Change

Page 28

Pinpoint What Changed, When and by Whom

Page 29

Gotcha!

• Now that you know what changed, you can change it back
• You also have data, valuable data, on what really happened
• There is no guessing or conjecture: you know what changed, where, when, and who did it
• You can also correlate this data with firewall, IDS/IPS, web filter, and AV logs to see if there are related events
• Armed with real data, you can make a real decision about security

Page 30

Let’s plan changes – so we know about them

Wait for my instructions via email

Page 31

Closed Loop Change Management!

• Planned changes are happy changes
• We did what we said we would do
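The loop on pages 23 to 31 (baseline a known-good state, rescan, pinpoint what changed, then accept a change only if it matches planned work), as an added example that is not code from the original slides, Anitian or NNT. The directory layout, the change-ticket record format and the sample files it creates in a temporary directory are assumptions for illustration; a real deployment would persist and sign the baseline, scan from something other than the possibly compromised host, and take the approved-change list from the change-management system rather than an inline list.

```python
"""File integrity baseline, rescan and closed-loop change reconciliation.

Added example, not code from the original slides, Anitian or NNT. The paths,
the change-ticket record and the sample files are assumptions for illustration.
"""
import hashlib
import os
import shutil
import stat
import tempfile
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class FileState:
    sha256: str   # content hash
    mode: int     # permission bits only (stat.S_IMODE)
    uid: int      # owner
    size: int


def snapshot(root):
    """Record hash + metadata for every regular file under root: the known-good state."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets need their own rules; skipped here
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            state[rel] = FileState(h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_uid, st.st_size)
    return state


def compare_snapshots(baseline, current):
    """List (relpath, kind, detail) for files added, removed or modified since the baseline.
    A metadata-only change such as chmod is still reported; detail names the differing fields."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before is None:
            changes.append((rel, "added", after.sha256[:12]))
        elif after is None:
            changes.append((rel, "removed", before.sha256[:12]))
        elif before != after:
            fields = [f for f in ("sha256", "mode", "uid", "size")
                      if getattr(before, f) != getattr(after, f)]
            changes.append((rel, "modified", ",".join(fields)))
    return changes


@dataclass(frozen=True)
class ChangeRecord:
    ticket: str
    paths: frozenset   # relative paths the approved change may touch
    start: float       # approved window, epoch seconds
    end: float


def reconcile(changes, records, observed_at):
    """Closed loop: a change is planned only if an approved record covers that exact path and
    the observation falls inside the approved window; everything else is unplanned and goes
    to investigation. Returns (planned, unplanned), each a list of (rel, kind, detail, ticket)."""
    planned, unplanned = [], []
    for rel, kind, detail in changes:
        covering = [r.ticket for r in records if rel in r.paths and r.start <= observed_at <= r.end]
        if covering:
            planned.append((rel, kind, detail, covering[0]))
        else:
            unplanned.append((rel, kind, detail, None))
    return planned, unplanned


def demo():
    """Constructed scenario in a temporary directory (sample data, not real system files)."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        etc, lib = os.path.join(root, "etc"), os.path.join(root, "lib")
        os.makedirs(etc)
        os.makedirs(lib)
        sshd_config, passwd = os.path.join(etc, "sshd_config"), os.path.join(etc, "passwd")
        with open(sshd_config, "w") as f:
            f.write("PermitRootLogin no\n")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        for p in (sshd_config, passwd):
            os.chmod(p, 0o644)          # pin modes so the baseline does not depend on umask
        baseline = snapshot(root)       # known-good state

        now = time.time()
        # Approved ticket: a hardening edit to sshd_config, one-hour window either side of now.
        records = [ChangeRecord("CHG-1042", frozenset({"etc/sshd_config"}), now - 3600, now + 3600)]

        with open(sshd_config, "a") as f:        # planned: the edit the ticket describes
            f.write("PasswordAuthentication no\n")
        with open(os.path.join(lib, "libpam_hook.so"), "wb") as f:   # unplanned: new library dropped in
            f.write(b"\x7fELF" + b"\x00" * 16)
        os.chmod(passwd, 0o666)                  # unplanned: world-writable, content unchanged

        return reconcile(compare_snapshots(baseline, snapshot(root)), records, now)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    planned, unplanned = demo()
    for rel, kind, detail, ticket in planned:
        print(f"PLANNED   {kind:8} {rel} ({detail}) ticket {ticket}")
    for rel, kind, detail, _ in unplanned:
        print(f"UNPLANNED {kind:8} {rel} ({detail}) -> investigate")
```

Two details matter in practice. The comparison covers mode and owner as well as content, so the passwd chmod is caught even though its hash is unchanged; a hash-only FIM misses exactly the kind of "open up systems to infection" change the insider slide describes. And reconciliation is by exact path and approved window, so a ticket for sshd_config does not silently bless a new file in lib, which is the "reject unplanned changes" take-away in code.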

Page 32

Take-Aways

• Get IT systems into a known, good state (which is also a compliant state!)

• When you know what good looks like, it becomes easier to spot something bad

• Disclose monitoring practices to everybody to discourage insider attacks

• Reject unplanned changes

• Combine Change & Configuration Management, File Integrity Monitoring and System Hardening to detect all moving parts

• Add context with a Compliance Dashboard

Page 33

QUESTIONS

?

Page 34

Thank You

WEB: www.newnettechnologies.com
www.anitian.com

SLIDES: [email protected] for a copy of the presentation or visit www.slideshare.net/andrewplato

BLOG: blog.anitian.com