Psychology and Security Demotivating Persistent Attackers Jarrod - PowerPoint PPT Presentation


  1. Psychology and Security Demotivating Persistent Attackers Jarrod Overson - @jsoverson Director of Engineering, Shape Security QConSF 2018

  2. HOW DO YOU ENGAGE WITH ATTACKERS WHILE UNDER ATTACK?

  3. HOW DO YOU KNOW YOU ARE UNDER ATTACK IN THE FIRST PLACE?

  4. 0 Imitation attacks and attacker sophistication 1 The economics of attacks 2 Flipping the economics in your favor 3 Case Studies

  5. IN THE BEGINNING, ACCESS WAS GIVEN TO EVERYONE & EVERYTHING

  6. THE MORE WALLS WE PUT UP THE HARDER IT BECAME TO TELL HUMANS AND ATTACKERS APART

  7. TO AFFECT BEHAVIOR, YOU NEED TO REMOVE THE INCENTIVE.

  8. MANUAL ATTACKS vs AUTOMATED ATTACKS
 Manual attacks: sufficient when value is high; can’t scale when value per attack is reduced
 Automated attacks: sufficient when value is low; can’t scale when cost per attack is increased

  9. THE SECRET TO DEFEATING ATTACKERS Decrease value Increase cost

  10. THE SECRET TO HAPPY USERS Increase value Decrease cost

  11. 0 Attacker sophistication & where we are 1 The economics of attacks 2 Flipping the economics in your favor 3 Case Studies

  12. Attack Detail: Credential Stuffing

  13. FROM DATA BREACH TO DAMAGE: Data Breach → Credential Spill → Credential Stuffing → Account Takeover → Fraud

  14. Outside your control: Data Breach → Credential Spill → Credential Stuffing → Account Takeover → Fraud

  15. Within your control: Data Breach → Credential Spill → Credential Stuffing → Account Takeover → Fraud

  16. Your web applications and APIs are the battlefield.

  17. CREDENTIAL STUFFING: A STEP BY STEP GUIDE
 cre·den·tial stuff·ing /krəˈden(t)SHəl ˈstəfiNG/ The automated replay of breached username/password pairs across many sites in order to take over accounts where passwords have been reused.
 1 Get Credentials
 2 Automate Login
 3 Defeat Automation Defenses
 4 Distribute Globally

  18. CREDENTIAL STUFFING 1 1. Get Credentials

  19. CREDENTIAL STUFFING 2 1. Get Credentials 2. Automate Login

  22. CREDENTIAL STUFFING 3 1. Get Credentials 2. Automate Login 3. Defeat Defenses

  26. CREDENTIAL STUFFING 4 1. Get Credentials 2. Automate Login 3. Defeat Defenses 4. Distribute

  27. CREDENTIAL STUFFING
 1 Combolists starting at $0
 2 $50 per site configuration
 3 $1.39 per 1000 CAPTCHAs
 4 $2 for 1000 global IPs
 } Less than $200 for 100,000 ATO attempts

  28. 0 Attacker sophistication & where we are 1 The economics of attacks 2 Flipping the economics in your favor 3 Case Studies

  29. vs DETECTION MITIGATION

  30. Have multiple ways to detect bad actors

  31. Also have ways to detect when they’ve started to pry open your systems

  32. TARGET WHAT HURTS THE MOST It’s not as simple as blocking a baddie. You need to target what will hurt the most.

  33. THE SOFTWARE DEVELOPMENT LIFECYCLE Planning What tools work, what don’t? What URLs need to be targeted? What dark web data do I need?

  34. THE SOFTWARE DEVELOPMENT LIFECYCLE Planning Development Investment in a framework of choice. Custom development against a site. Building in proxy/botnet hooks.

  35. THE SOFTWARE DEVELOPMENT LIFECYCLE Planning Development Testing Does it bypass protections? 
 Does it handle edge case responses? Does it consume breach data properly?

  36. THE SOFTWARE DEVELOPMENT LIFECYCLE Planning Development Testing Integration Check integration with botnets. Ensure health checks work. Deploy to cloud services.

  37. THE SOFTWARE DEVELOPMENT LIFECYCLE Planning Development Testing Integration Release Initiate Attack

  38. THE SOFTWARE DEVELOPMENT LIFECYCLE: Planning, Development, Testing and Integration are the cost-incurring stages; Release is the value-generation stage.

  39. 0 Attacker sophistication & where we are 1 The economics of attacks 2 Flipping the economics in your favor 3 Case Studies

  40. Case Study 1 Damaging Reputation

  41. Scenario: Big US Bank vs well-funded scraper

  42. The actor cycled through the softest targets

  43. Finally committed to one to dive deeper The threat found prolonged success on iOS due to version lag

  44. Got around defenses regularly, though not durably

  45. Recognizing patterns in behavior (chart of activity by day of week: Sun Mon Tues Weds Thurs Fri Sat)

  46. Analysis
 1 Regular working schedule
 2 Actor’s consumers were notified upon success
 3 Failure was met with downstream frustration
 4 Prolonged failure provoked distress
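The two ideas above, having independent ways to detect bad actors and to notice when they have started to pry accounts open (slides 30 and 31), and recognizing an actor's working schedule from when the flagged traffic arrives (slides 45 and 46), can be exercised on login logs. The block below is an added example and is not code from the talk or from Shape Security; the log format, the constructed sample log, the IP addresses, the usernames and the thresholds (5 distinct usernames per 5-minute window, success ratio at most 25%) are all assumptions chosen for illustration.

```python
"""Credential-stuffing detection and attacker schedule profiling over login logs."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# --- Constructed sample input (not real traffic) -------------------------------
# Each line: "<ISO timestamp> <client IP> <username> <SUCCESS|FAIL>" (assumed format).
def _burst(start, ip, users, success_at=None):
    """Build one tight burst of attempts from a single IP, one attempt per second."""
    t0 = datetime.fromisoformat(start)
    lines = []
    for i, user in enumerate(users):
        result = "SUCCESS" if i == success_at else "FAIL"
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} {ip} {user} {result}")
    return lines

COMBOLIST = ["alice", "bob", "carol", "dave", "erin", "frank", "gina", "heidi"]

SAMPLE_LOG = "\n".join(
    # Weekday bursts at roughly the same hour: the "regular working schedule".
    _burst("2018-11-05T09:01:10", "203.0.113.10", COMBOLIST)                     # Mon, no hits
    + _burst("2018-11-06T09:15:00", "203.0.113.10", COMBOLIST, success_at=3)     # Tue, one account opened
    + _burst("2018-11-07T09:05:00", "198.51.100.7", COMBOLIST[:6], success_at=1) # Wed, new IP, one hit
    # Benign activity: one user mistyping then succeeding, and a normal Saturday login.
    + ["2018-11-05T09:30:00 192.0.2.44 alice FAIL",
       "2018-11-05T09:30:20 192.0.2.44 alice SUCCESS",
       "2018-11-10T18:00:00 192.0.2.45 bob SUCCESS"]
)


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, succeeded) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        records.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return records


def detect_stuffing(records, window_minutes=5, min_distinct_users=5, max_success_ratio=0.25):
    """Flag (ip, window) clusters where one client tries many *different* usernames
    and almost all of them fail: the signature of replaying a breached combolist.
    A single user retrying their own password never trips this (distinct users = 1).
    Each alert also lists the accounts that *did* open, which is the early signal
    that the actor has found reused passwords and is starting to pry accounts open."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in records:
        window_start = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                                  second=0, microsecond=0)
        buckets[(ip, window_start)].append((user, ok))

    alerts = []
    for (ip, window_start), attempts in buckets.items():
        distinct_users = len({user for user, _ in attempts})
        successes = [user for user, ok in attempts if ok]
        success_ratio = len(successes) / len(attempts)
        if distinct_users >= min_distinct_users and success_ratio <= max_success_ratio:
            alerts.append({
                "ip": ip,
                "window_start": window_start,
                "attempts": len(attempts),
                "distinct_users": distinct_users,
                "accounts_opened": successes,
            })
    return sorted(alerts, key=lambda a: a["window_start"])


def activity_profile(alerts):
    """Count flagged attempts per (weekday, hour) so the actor's working schedule
    stands out, e.g. bursts every weekday around 09:00 and nothing at the weekend."""
    profile = Counter()
    for a in alerts:
        profile[(a["window_start"].strftime("%a"), a["window_start"].hour)] += a["attempts"]
    return profile


if __name__ == "__main__":
    found = detect_stuffing(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"{a['window_start']} {a['ip']}: {a['attempts']} attempts over "
              f"{a['distinct_users']} usernames; accounts opened: {a['accounts_opened']}")
    print("activity by weekday/hour:", dict(activity_profile(found)))
```

Keeping the raw signal (distinct usernames and outcome per window) separate from the decision to block is what lets detection continue while mitigation is toggled, and the accounts_opened list is the feed for the account-takeover side of the chain rather than a reason to stop watching.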

  47. Plan of action
 1 Target defense out of working schedule
 2 Turn on defenses when damage would be highest
 3 Turn off primary mitigation during working schedule
 4 Cycle through defenses even when still working

  48. Case Study 2 Github Kiddies

  49. Scenario: Big US Retailer vs credential stuffer and account taker-overer

  50. We were down to a fraction of our normal ability to detect We needed more data

  51. We had enough of a grip to deliver a targeted payload

  52. This allowed us to inspect the retooling effort in real time

  53. What we learned

  54. Analysis
 1 Actor was a competent developer
 2 Still relied on community to get around problems
 3 Bypassed defenses via trial and error
 4 Actor had been lucky, not wildly skilled

  55. Plan of action
 1 Build up defenses based on the tool he was using
 2 Provide variable feedback during retooling phase
 3 Turn on just enough to be infuriating. No more, no less
 4 Create new countermeasures that act differently during retooling phase

  56. Recap
 1 Treat detection and mitigation separately.
 2 Protect the data used to detect.
 3 Understand what is incentivizing your attackers.
 4 Work with product to build app-level defenses.

  57. Tactics is knowing what to do when there is something to do. Strategy is knowing what to do when there is nothing to do. - Savielly Tartakower

  58. Psychology and Security Demotivating Persistent Attackers Jarrod Overson - @jsoverson Director of Engineering, Shape Security QConSF 2018
