Security KPIs. By: Steven Aiello. Ver: 2.0.1 (PowerPoint PPT presentation)

  1. Security KPIs. By: Steven Aiello. Ver: 2.0.1

  2. Introduction. Steven Aiello, Security & Compliance Solutions Principal. Certifications: SANS GCIH (License 29615, Mentor Status); CISA; SANS GSEC (License 353652, Mentor Status); VCAP-DCA; OSCP (in progress); VCAP-DCD; CISSP; VCP.

  3. This is where I’ve been. It’s been a long road… Endpoint, Network, Logging, Systems Admin., Web Development, Compliance, I.R., A.D.

  4. “Performance is the best way to shut people up.” - Marcus Lemonis

  5. The Data. What does the data say about our efforts in cyber security? Four themes: the money ($101.6B), the results, the activity, the change. (Figures shown on the slide: 101.6, 20, 6, 4.)

  6. 2020: $101.6B (a 38% increase over 2016). “In 2020, these organizations are expected to spend $101.6 billion on cybersecurity software, services, and hardware, according to research released Wednesday by the International Data Corporation. This equates to a 38% increase from the $73.7 billion that IDC projects organizations will spend on cybersecurity in 2016.” Oct 12th 2016, fortune.com

  7. 2016: “Employee notifications were the most common internal discovery method for the second straight year and there was also an uptick [in] identification through internal financial audits, associated with business email compromise (BEC). Third-party disclosure is up due to an increase in numbers of breaches disclosed by the affected customer or an external threat actor bragging or extorting their victims.” DBIR 2017, Verizon. (Pull quote on the slide: “disclosed by the affected customer or an external threat actor bragging or extorting their victims.”)

  8. How likely you are to be breached if you’ve had an event, broken down by industry (bar chart, 0% to 100%): Accommodation 93%, Healthcare 65%, Finance 47%, Manufacturing 20%, Information 16%, Professional 4%, Public 1%.

  9. Top attack vectors of known breaches. Attack vectors of confirmed breaches: Email & Email Attachments 43%, Backdoor or C2 (Hacking) 24%, Web Application 19%, Direct Install 6%, LAN Access 4%, Partner Facility 4%.

  10. Top six actions by threat actors. “The top six threat action varieties that follow the well-traveled path of phishing users to install C2 and keylogging software in order to capture credentials that are used to authenticate into, and exfiltrate data out of, organizations.” DBIR 2017, Verizon

  11. To recap what’s happening. 81% of breaches leveraged weak or stolen passwords; this includes password hashes… 66% of malware was installed via malicious email attachments. 24% of breaches involved backdoors or “hacking”. The top 6 actions threat actors use involve valid passwords to move laterally through the network. The top 6 actions threat actors use involve valid passwords to access data and exfiltrate it [within days]…

  12. Four security KPIs.
      - Confidence in account validity: What level of confidence does the organization have that user accounts authenticating to systems are being properly used?
      - Minimization and monitoring of lateral movement: What percentage of systems have unilateral access to other hosts? What policies and technologies can organizations put in place to gain visibility?
      - Confidence in system control: What are our patch times for operating systems, CotS applications, internally developed applications? How do we reduce patching cycles? For systems that cannot be patched, leverage application white listing.
      - Data monitored for anomalous access: What data is important to the business? What are “normal” data access patterns by user account? How does the organization monitor for changes in data access patterns?

  13. Four security KPIs. KPI number one: Confidence in account validity. Account validity is possibly the most difficult KPI to score well in. No, your two factor authentication will not protect you… Reference: Protection from Kerberos Golden Ticket: Mitigating pass the ticket on Active Directory, CERT-EU Security 2014-07.

  14. KPI one: confidence in account validity.
      - 01 2FA == local logon only: Two-factor authentication only protects user logon attempts from the Windows console or RDP.
      - 02 SMB is the problem: Protection from PTH attacks; psexec bypasses 2FA.
      - 03 Kerberos is the problem: Creating the Golden Ticket: KRBTGT password hash, Domain admin. username, Domain name, Domain SID.

  15. KPI one: confidence in account validity.
      - 01 Disable cached creds: Within Active Directory Group Policy: \Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options: Interactive Logon: Number of previous logons to cache (in case domain controller is not available).
      - 02 If not possible… For mobile users: \Security Settings\Local Policies\Security Options: Do not allow storage of passwords and credentials for network authentication.
      - 03 Kerberos is still the problem: Protection from the Golden Ticket: KRBTGT password hash, Domain admin. username, Domain name, Domain SID. If a golden ticket is created the only way to invalidate the ticket is to reset the KRBTGT two times.

  16. Four security KPIs. Confidence in system control.
      1 Document patch cycles: Not all systems can be patched; however, you should understand what those limitations are and seek to improve on them.
      2 Whitelist what you can’t rapidly patch: If systems are so sensitive they cannot be patched, by that merit they should not change. Application whitelisting should be used on systems that change infrequently.
      3 Isolate what you can’t patch or whitelist.

  17. KPI two: confidence in system control (roadmap 2017 to 2020).
      - 2017: “You can't manage what you can't measure.” Peter Drucker. Measure your progress.
      - 2018: Are you patching your applications as fast as you patch your OS? 90%: Can you patch 90% in 30 days?
      - 2019: If your application vendors won't let you patch, whitelist. Use it where needed; don’t overextend. 3/5: Whitelist fixed use systems.
      - 2020: Understanding your current state and making progress towards your goal is key.
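To make the “can you patch 90% in 30 days?” question measurable, here is an added Python example (not code from the deck or its author) that computes the slide 16/17 KPI from a constructed patch inventory: for each category (OS, CotS, internally developed) the share of patch records closed within the 30-day window, the hosts still open past the window that need a decision, and the count of systems covered by the whitelist or isolate tiers instead of patching. Hostnames, dates, category names and the `control` field are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

WINDOW_DAYS = 30        # slide 17: "Can you patch 90% in 30 days?"
TARGET_PERCENT = 90.0


@dataclass
class PatchRecord:
    host: str
    category: str            # "os", "cots" (commercial off-the-shelf) or "internal"
    released: date           # date the vendor (or internal team) released the fix
    applied: Optional[date]  # None means the fix has not been applied yet
    control: str = "patch"   # slide 16 tiers: "patch", "whitelist" or "isolate"


TODAY = date(2017, 10, 1)  # constructed reporting date

# Constructed sample inventory; hosts, dates and categories are assumptions.
RECORDS = [
    PatchRecord("web01", "os", date(2017, 8, 15), date(2017, 8, 30)),
    PatchRecord("web02", "os", date(2017, 8, 15), date(2017, 9, 1)),
    PatchRecord("db01", "os", date(2017, 8, 15), date(2017, 9, 25)),    # 41 days: missed window
    PatchRecord("app01", "os", date(2017, 9, 5), date(2017, 9, 20)),
    PatchRecord("file01", "os", date(2017, 9, 5), date(2017, 9, 10)),
    PatchRecord("web01", "cots", date(2017, 9, 5), date(2017, 9, 8)),
    PatchRecord("web02", "cots", date(2017, 9, 5), date(2017, 9, 12)),
    PatchRecord("hr01", "cots", date(2017, 8, 10), None),                # still open
    PatchRecord("scada01", "cots", date(2017, 6, 1), None, "whitelist"),  # cannot be patched
    PatchRecord("portal01", "internal", date(2017, 9, 1), date(2017, 9, 15)),
    PatchRecord("portal02", "internal", date(2017, 9, 1), date(2017, 9, 29)),
    PatchRecord("plc01", "os", date(2016, 1, 1), None, "isolate"),       # cannot be whitelisted
]


def days_open(rec: PatchRecord, today: date = TODAY) -> int:
    """Days between release and application (or until today if still unpatched)."""
    end = rec.applied if rec.applied is not None else today
    return (end - rec.released).days


def patch_kpi(records, today=TODAY, window=WINDOW_DAYS, target=TARGET_PERCENT):
    """Per category: share of patch-tier records closed within the window."""
    result = {}
    for cat in sorted({r.category for r in records}):
        subset = [r for r in records if r.category == cat and r.control == "patch"]
        within = sum(1 for r in subset
                     if r.applied is not None and days_open(r, today) <= window)
        pct = round(100.0 * within / len(subset), 1) if subset else 0.0
        result[cat] = {"total": len(subset), "within_window": within,
                       "percent": pct, "meets_target": pct >= target}
    return result


def overdue(records, today=TODAY, window=WINDOW_DAYS):
    """Patch-tier hosts still unpatched past the window: each needs a decision
    (patch now, or move to the whitelist/isolate tier with a documented reason)."""
    return sorted(r.host for r in records
                  if r.control == "patch" and r.applied is None
                  and days_open(r, today) > window)


def compensating_controls(records):
    """Systems the deck says cannot be patched, counted by the control covering them."""
    counts = {"whitelist": 0, "isolate": 0}
    for r in records:
        if r.control in counts:
            counts[r.control] += 1
    return counts


if __name__ == "__main__":
    for cat, row in patch_kpi(RECORDS).items():
        status = "OK" if row["meets_target"] else "BELOW TARGET"
        print(f"{cat:9s} {row['within_window']}/{row['total']} within "
              f"{WINDOW_DAYS} days = {row['percent']}% {status}")
    print("overdue:", overdue(RECORDS))
    print("compensating controls:", compensating_controls(RECORDS))
```

Systems in the whitelist or isolate tier are deliberately left out of the percentage so the KPI reports the speed of the patch process itself, while `compensating_controls` keeps the size of the unpatchable population visible, which is the "document patch cycles" point of slide 16.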

  18. KPI two: confidence in system control. Sometimes isolation is your only option… Apache Struts 2 is the perfect example… https://arstechnica.com/information-technology/2017/09/exploit-goes-public-for-severe-bug-affecting-high-impact-sites/ Patch: step 1. Rebuild web applications: step 2. Potentially change code that calls Struts: step 3. Before someone with Metasploit attacks… https://github.com/rapid7/metasploit-framework/pull/8924

  19. Four security KPIs Minimize [and monitor] lateral movement Minimizing lateral movement includes defining normal traffic patterns in the user LAN segment, and monitoring for policy violations.

  20. KPI three: minimize and monitor lateral movement.
      - First (66%) Attacking the User: Users WILL open office documents; it’s part of their job. Security needs to protect users while they are doing their job.
      - Second (81%) Harvesting Credentials: If you implement the recommendations from KPI 1, the amount of credentials available will be greatly limited.
      - Third (100%) Lateral Movement: The user will have to move across the network; this is your opportunity to discover their actions. Understanding valid network traffic is critical.

  21. KPI three: minimize and monitor lateral movement.
      - PING scans. Policy: don’t allow it on user LANs.
      - TCP/UDP port scans. Policy: don’t allow it on user LANs.
      - No SMB shares. All file sharing should go back to the datacenter.
      Attacks WILL come from the user LAN. The brunt of attacks will be focused on your users; this ends up being a “good thing” because it makes lateral movement easier to detect… John Doe: Users should know company policy…

  22. KPI three: minimize and monitor lateral movement.
      - pVLANs & ACLs. Our starting point: pVLANs with port ACLs require zero capital investment as long as your switches are sized properly.
      - Netflow monitoring. Visibility is key: There are open source and commercially available packages for netflow monitoring; select one and master it.
      - LAN & data center micro-segmentation. Investment required: If you’re operating at a larger scale, you may require an investment in software to help you manage micro-segmentation.
      Every company I’ve worked for has used pVLANs (ADP, 2003, SaaS provider; OnlineTech, 2012, IaaS provider). I was shocked when I realized most companies were NOT using pVLANs in their user LANs.
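Slides 21 and 22 set the policy (no ping or port scans from the user LAN, no SMB shares between workstations, file sharing only back to the datacenter) and name netflow monitoring as the way to see violations. The following Python is an added example, not code from the deck or from any netflow product: it runs those three policy checks over constructed, NetFlow-like flow records. The subnets, thresholds and addresses are assumptions to be replaced with the environment's own address plan and baseline.

```python
import ipaddress
from collections import defaultdict, namedtuple

# Constructed address plan; real networks differ.
USER_LAN = ipaddress.ip_network("10.10.0.0/16")     # workstations (pVLAN-isolated)
DATACENTER = ipaddress.ip_network("10.50.0.0/16")   # where file shares are allowed to live

# Detection thresholds (assumptions; tune to the environment's own baseline)
SWEEP_MIN_TARGETS = 10   # distinct hosts pinged by one source -> ping sweep
SCAN_MIN_PORTS = 15      # distinct ports tried on one destination -> port scan
SMB_PORT = 445

# A netflow record reduced to the fields these checks need
Flow = namedtuple("Flow", "src dst proto dport")


def build_sample_flows():
    """Constructed flow records: benign traffic plus three policy violations."""
    flows = [
        Flow("10.10.1.20", "10.50.0.5", "tcp", 445),     # file share in the datacenter: allowed
        Flow("10.10.1.20", "10.50.0.10", "tcp", 443),    # intranet web app: allowed
        Flow("10.10.1.30", "10.10.1.31", "tcp", 445),    # workstation-to-workstation SMB: violation
    ]
    # one workstation pinging 12 neighbours: ping sweep
    flows += [Flow("10.10.1.77", f"10.10.2.{i}", "icmp", 0) for i in range(1, 13)]
    # the same workstation trying 20 ports on a datacenter host: port scan
    flows += [Flow("10.10.1.77", "10.50.0.5", "tcp", p) for p in range(1, 21)]
    return flows


FLOWS = build_sample_flows()


def in_user_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in USER_LAN


def find_ping_sweeps(flows, min_targets=SWEEP_MIN_TARGETS):
    """User-LAN sources that sent ICMP to many distinct destinations."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "icmp" and in_user_lan(f.src):
            targets[f.src].add(f.dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def find_port_scans(flows, min_ports=SCAN_MIN_PORTS):
    """(source, destination) pairs where a user-LAN host tried many distinct ports."""
    ports = defaultdict(set)
    for f in flows:
        if f.proto in ("tcp", "udp") and in_user_lan(f.src):
            ports[(f.src, f.dst)].add(f.dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def find_peer_smb(flows):
    """SMB between two user-LAN hosts; policy says file sharing goes to the datacenter."""
    hits = {(f.src, f.dst) for f in flows
            if f.proto == "tcp" and f.dport == SMB_PORT
            and in_user_lan(f.src) and in_user_lan(f.dst)}
    return sorted(hits)


def analyze(flows):
    """Run all three policy checks and return the findings as one report."""
    return {
        "ping_sweeps": find_ping_sweeps(flows),
        "port_scans": find_port_scans(flows),
        "peer_smb": find_peer_smb(flows),
    }


if __name__ == "__main__":
    for kind, hits in analyze(FLOWS).items():
        print(f"{kind}: {hits if hits else 'none'}")
```

The SMB check is a pure policy match and needs no threshold, because the slide's rule is absolute (no shares on the user LAN); the sweep and scan checks count distinct destinations or ports per source so that a single workstation talking normally to a few datacenter services never trips them.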

  23. Four security KPIs. Data monitored for anomalous access. “Data is the new gold.” Mark Cuban

  24. KPI four: data monitored for anomalous access. Good security doesn’t protect bad data… Some data is gold; most data is pyrite [fool’s gold]. Understanding what data you have, where it lives, and who can access it will be critical to successful GDPR compliance. Focus is what you say no to: let the 90% go… [most] of your data is probably fool’s gold. 90% of focus should be applied to the 10% that is gold!
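KPI four asks (slide 12) what “normal” data access patterns by user account look like and how the organization monitors for changes, and slide 24 says to spend the effort on the small fraction of data that is gold. This added Python example is not from the deck or from any commercial product: it builds a per-user baseline over the gold shares from a constructed access log and flags two kinds of change, a jump in the number of gold items a user touches in a day and a first-time access to a gold share. Share names, users, the baseline window and the thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict, namedtuple

# Constructed classification: the small set of shares the business calls "gold".
GOLD_SHARES = {r"\\fs01\finance", r"\\fs01\hr"}
MIN_DELTA = 2   # floor on the volume threshold so a near-zero baseline still needs a real jump

# One file-access event as a file-server audit log might record it
Access = namedtuple("Access", "user day share item")


def build_sample_events():
    """Constructed access log: five baseline days (1-5) and one day to examine (6)."""
    fin, hr, eng = r"\\fs01\finance", r"\\fs01\hr", r"\\fs01\engineering"
    events = []
    # alice: steady finance work, then a large pull on day 6
    for day, n in zip(range(1, 6), [3, 4, 5, 4, 4]):
        events += [Access("alice", day, fin, f"report_{i}.xlsx") for i in range(n)]
    events += [Access("alice", 6, fin, f"report_{i}.xlsx") for i in range(40)]
    # bob: engineering data only (pyrite), then a first-ever touch of HR data on day 6
    for day in range(1, 7):
        events.append(Access("bob", day, eng, f"design_{day}.dwg"))
    events.append(Access("bob", 6, hr, "salaries.xlsx"))
    # carol: the same finance access every day, including day 6 (no finding expected)
    for day in range(1, 7):
        events += [Access("carol", day, fin, f"ledger_{i}.xlsx") for i in range(4)]
    return events


EVENTS = build_sample_events()
BASELINE_DAYS = range(1, 6)


def daily_gold_counts(events):
    """user -> day -> number of distinct gold items touched that day."""
    touched = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e.share in GOLD_SHARES:
            touched[e.user][e.day].add((e.share, e.item))
    return {u: {d: len(s) for d, s in days.items()} for u, days in touched.items()}


def baseline(events, baseline_days):
    """Per user: (mean, population stdev, gold shares seen) over the baseline days."""
    counts = daily_gold_counts(events)
    seen = defaultdict(set)
    for e in events:
        if e.day in baseline_days and e.share in GOLD_SHARES:
            seen[e.user].add(e.share)
    result = {}
    for user, days in counts.items():
        vals = [days.get(d, 0) for d in baseline_days]
        result[user] = (statistics.mean(vals), statistics.pstdev(vals), seen[user])
    return result


def detect(events, baseline_days, watch_day):
    """Flag users whose gold-data access on watch_day departs from their baseline."""
    findings = []
    counts = daily_gold_counts(events)
    for user, (mean, stdev, known) in baseline(events, baseline_days).items():
        today = counts[user].get(watch_day, 0)
        threshold = mean + max(3 * stdev, MIN_DELTA)
        if today > threshold:
            findings.append({"user": user, "reason": "volume",
                             "value": today, "threshold": round(threshold, 1)})
        new_shares = {e.share for e in events
                      if e.user == user and e.day == watch_day
                      and e.share in GOLD_SHARES} - known
        for share in sorted(new_shares):
            findings.append({"user": user, "reason": "new_gold_share", "value": share})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS, BASELINE_DAYS, 6):
        print(finding)
```

Only gold shares feed the baseline, which is the slide's point about letting the 90% go: engineering traffic is ignored entirely, so bob's first touch of the HR share stands out instead of being buried in his normal volume.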

  25. The effort To do this well you will most likely need a commercial product [unfortunately]…
