Post on 06-Jun-2020
www.defendza.com @defendzaltd
A Practical Approach to Threats & Detection
Are you ready for a Cyber Tsunami?
Harman Singh (@digitalamli)
What is the best place to hide a dead body?
Page 2 of Google search results
Evolution of the field of computer science (reference: www.bestchoiceschools.com)
1945 - Plan Calculus: first programming language that used algorithms
1967 - US ARPA: first network to implement the TCP/IP suite
1970s - Personal computers invented: Kenbak-1 for $750, sold 40 units; Micral N used a microprocessor
1973 - Alto personal computer: Xerox PARC developed the Alto, with a bitmapped screen, and demonstrated a GUI
1990 - WWW: Tim Berners-Lee created the World Wide Web at a Swiss laboratory
OT - Operational Technology
Systems for monitoring & controlling: ICS, SCADA, DCS, PLCs, RTUs, CNC systems
IT + OT: factories of the future, the Industrial Internet

CYBER SECURITY VIEW
“Love is a temporary insanity curable by marriage.”
Make of that what you will…
tactics, techniques & procedures
Domain Fronting – Real World
• Basics - Circumvent censorship restrictions
Domain Fronting - Red Teaming Use Case
❑ Straightforward process to set up a domain front:
  o Define C2 in CDN distributions
  o Payload calls back to the CDN
  o CDN redirects C2 traffic to C2 server
  o Our payload will call back the ‘good’ CDN host, that will redirect to C2 server
❑ Cloud providers say it’s ‘disabled’, it works.
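The defender's counterpart to the use case above, as an added example that is not part of the talk: the fronting pattern is only visible where a TLS-inspecting proxy records both the outer TLS SNI and the inner HTTP Host header, so the script below parses an assumed proxy log format (sni= and host= fields; the sample lines and every hostname in them are constructed) and flags clients that repeatedly send a Host header different from the SNI to the same CDN edge. A single mismatch is routine on shared CDNs; the repeat count from one client is what separates a callback from a quirk.

```python
import re
from collections import Counter

# Constructed sample of log lines from a TLS-inspecting forward proxy (not real traffic).
# Assumed format: <timestamp> <client_ip> sni=<TLS SNI> host=<HTTP Host header> bytes=<n>
SAMPLE_LOG = """\
2020-06-01T10:00:01Z 10.1.2.3 sni=cdn.example-cdn.test host=cdn.example-cdn.test bytes=1480
2020-06-01T10:00:07Z 10.1.2.3 sni=cdn.example-cdn.test host=other-tenant.example-cdn.test bytes=920
2020-06-01T10:00:09Z 10.1.2.9 sni=www.example.test host=www.example.test bytes=5120
2020-06-01T10:00:12Z 10.1.2.3 sni=cdn.example-cdn.test host=other-tenant.example-cdn.test bytes=880
2020-06-01T10:00:15Z 10.1.2.3 sni=cdn.example-cdn.test host=other-tenant.example-cdn.test bytes=910
2020-06-01T10:00:20Z 10.1.2.5 sni=img.example-cdn.test host=img.example-cdn.test bytes=30210
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) sni=(?P<sni>\S+) host=(?P<host>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse proxy log lines into dicts; lines not in the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records


def fronting_candidates(records):
    """Keep records whose TLS SNI and HTTP Host header name different hosts.
    That disagreement is the observable signature of fronting: the outer TLS layer
    names the 'good' CDN host while the inner HTTP request asks for another tenant."""
    return [r for r in records if r["sni"].lower() != r["host"].lower()]


def repeated_callbacks(candidates, min_hits=3):
    """Group mismatches by (client, sni, host). One mismatch can be a benign CDN quirk;
    the same client hitting the same mismatched pair again and again, with small
    responses, is the pattern worth an analyst's time."""
    counts = Counter((r["client"], r["sni"], r["host"]) for r in candidates)
    return {key: n for key, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    hits = repeated_callbacks(fronting_candidates(parse_log(SAMPLE_LOG)))
    for (client, sni, host), n in hits.items():
        print(f"{client}: {n} requests with SNI {sni} but Host {host}")
```

Tune `min_hits` against your own baseline of SNI/Host disagreements before alerting on it; where the proxy does not terminate TLS, the Host header is not available and this check cannot run at all.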
Multi-Factor Authentication - Concepts
Single Factor / Two Factor / Multi-Factor
Factors: Something you know, Something you have, Something you are; other flaws factors
In-Band Auth vs Out-of-Band Auth
Multi-Factor Authentication - Attacks
01 Social Engineering - Using spear-phishing campaigns, for instance spoofed LinkedIn domain-based phishing
02 Technology Attacks - Underlying technology in use for MFA factors such as SIM swapping, SS7 attacks to capture SMS codes
03 Man-in-the-middle Attacks - By tricking the user into visiting a rogue website set up by an attacker, and then stealing non-2FA token.
04 Endpoint Attacks - Using malicious software to steal the info such as codes, or stealing cookies after authentication
05 Compromised 2FA Software - More specialized technique using rogue software installation such as drivers, smartcard-related software, by which it can manipulate or replace the legit software.
06 Integrated Assets - Active Directory / smartcard, email hijacks
Phishing Attack Lifecycle
EMAIL - Phishing email containing link to the spoofed page
LOGIN - User is redirected to spoofed login page to submit creds
HARVEST - Credentials are captured and sent to the server. User redirected to file download prompt ‘Do you want to run SSOLogin?’
MAGIC HAPPENS - User selects the file to run.
C2 ESTABLISHED - Connection established with C2 servers
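The EMAIL and LOGIN stages depend on a link to a spoofed domain, so a mail-filter check for look-alike domains is the natural control at that point. What follows is an added example, not code from the talk: it pulls links out of a constructed message, compares each hostname with a small list of protected brand domains (the list, the homoglyph mapping and the two-label registrable-domain rule are all assumptions; a real deployment would use the public suffix list) and labels each link as legitimate, a brand name inside a foreign domain, a look-alike within edit distance one, or unrelated.

```python
import re
from urllib.parse import urlparse

# Brand domains this filter protects (constructed list; the talk names LinkedIn as the spoofed brand).
PROTECTED_DOMAINS = ["linkedin.com", "example-corp.test"]

URL_RE = re.compile(r"https?://[^\s<>]+")

# Digit look-alikes folded back to letters; this mapping is an assumption, extend as needed.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g"})

# Constructed sample message; every host other than linkedin.com is fictitious.
SAMPLE_EMAIL = """\
Hi, please review your profile at https://www.linkedin.com/in/someone and confirm
your login at https://linkedin-login.verify-account.test/login . If that fails use
https://www.l1nkedin.com/login or https://linkedln.com/ . Agenda: https://intranet.example.test/agenda
"""


def normalize(label):
    """Fold digit look-alikes and the two-letter tricks 'rn' -> 'm', 'vv' -> 'w'."""
    return label.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Plain Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host):
    """Second-level label, e.g. 'l1nkedin' for 'www.l1nkedin.com'.
    Assumption: single-label public suffixes only; use the public suffix list in production."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_host(host, protected=PROTECTED_DOMAINS, max_distance=1):
    """Return (verdict, matched_brand) for one hostname."""
    host = host.lower()
    for brand in protected:
        brand_label = brand.split(".")[0]
        if host == brand or host.endswith("." + brand):
            return "legitimate", brand
        if brand_label in host:
            return "brand-in-foreign-domain", brand
        if edit_distance(normalize(registrable_label(host)), normalize(brand_label)) <= max_distance:
            return "lookalike", brand
    return "unrelated", None


def scan_email(body, protected=PROTECTED_DOMAINS):
    """Return (url, verdict, brand) for every link found in the message body."""
    results = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:)\"'")
        host = urlparse(url).hostname or ""
        verdict, brand = classify_host(host, protected)
        results.append((url, verdict, brand))
    return results


if __name__ == "__main__":
    for url, verdict, brand in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:25} {url}  (brand: {brand})")
```

The brand-in-foreign-domain rule fires before the edit-distance rule on purpose: a registrable domain such as linkedin-login.verify-account.test is not a typo of the brand, it borrows the brand wholesale, and it would never be caught by a distance threshold.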
Red Team Attack Overview (diagram; only the labels survive extraction)
Attack infrastructure (cloud) on one side, the target organization on the other, with the Internet in between.
Legend: TS1, TS2 - attack team servers; C2-1 - C2 using CDN; C2-2 - C2 using DNS; Phish - phish server; RSP - Responder.
Flows labelled in the diagram: command control traffic, phishing link, Responder.
security problems
No frills…
Business Side
➢ Compliant but not secure
  ▪ Do the ground work, no shortcuts will work.
➢ Tick Box Exercises
  ▪ Understand business objectives and map to requirements
➢ Golf Course Deals
  ▪ Decision making to consider technical product evaluations
  ▪ Examples

Golf course deals - Example
Example - Red Teaming isn’t for everyone. STOP wasting your budgets.
Business Side
➢ Lack of …
  ▪ Stop cribbing, build a business case. If it’s management’s accountability, let them own it. If it’s yours you must do it right.
Last but not the least, remember that:
LESS IS MORE (Robert Browning’s ‘Andrea del Sarto’)

Vendor Side
Stop selling FUD. Sometimes it sells, sometimes it doesn’t.
A lame attempt at indexing endless breaches….
A: Adobe - 38 million worldwide; Apple - 225,000 users worldwide
B: British Airways - 380,000 transactions; Butlin’s - 34,000 guest records; Bupa - 547,000 customers worldwide, 43,000 in UK; Bethesda - unknown
C: Cash Converters 2 - number affected was not revealed; Cathay Pacific - 9.4 million people
D: Dixons Carphone 2 - 10 million customers’ data; Deloitte
E: Equifax - 15.2 million; Evernote
F: Facebook - 50 million worldwide; Fortnum and Mason - 23,000
G: The Government - 25 million child benefit records; University of Greenwich - exposed the personal data of around 20,000 students
H: HSBC - undisclosed number of mortgage customers; HSBC - online banking (USA so far); Heathrow Airport
…. and so on
Source: https://community.monzo.com/t/the-hack-list/46880
the practical 10 pointer
Practical 10 Pointer Approach – 1/4

THREAT MODELLING
Essential component for a proactive web application security conscious asset
Loads and loads of SMEs are in this bracket – threat modelling should be integrative and agile, involving collaboration between security, development, and operations teams
OWASP Threat Modelling is a good start

SEGREGATION
Segregation is a must at code, network and privilege level
Network level segregation b/w production and corporate
Segregation where code is deployed and staging environments

SECURE CODING
Important to detect and prevent insecure coding practices
Deploy secure coding approaches that focus on detecting unsafe and insecure coding practices
Secure coding should be integrated into the development process regardless of the device, or environment used while programming
Practical 10 Pointer Approach – 2/4

SECURE INFRASTRUCTURE
Secure hardening configuration, validation using penetration testing and red teaming style exercises
Secure hardening practices across end points, server segments, networks, perimeter, etc.
Makes it easier before going live or enrolling devices into production environment.
Penetration testing for validation purposes. E.g., AD based protection choices are massive now

ACCESS MANAGEMENT
Privilege access management restricts access in a number of scenarios such as stolen credentials, or inside attackers
Privileged accounts should be more restrictive, practice what you preach for IT teams
Least privilege principle along with defense in depth approach

SUPPLY CHAIN
Trusted partners of your business must be trusted using technical controls
Third party supply chain hacks are everywhere
No tick in the box please!
Enforce it via SLAs.
Practical 10 Pointer Approach – 3/4

MALWARE PROTECTION
Establish anti-malware defences at perimeter (if there is one) and endpoint level
Producing relevant policies and establishing anti-malware protections across the estates
Peripheral device usage restrictions
Go less on shopping, more solutions like AppLocker

INCIDENT MANAGEMENT
Having incident management plans along with periodic testing during testing times
Establish incident response and disaster recovery/backup capability
TEST. TEST. TEST!
Provide trainings to the staff and report criminal incidents to authorities. Don’t pay ransoms

SECURITY AWARENESS
Awareness of cyber risks would help improve the weakest link in the cyber kill chain
Probably the weakest link in the cyber kill chain?
Maintain continuous awareness and validation to review your ongoing projects
Ensure ground level support by widening your approach from senior management buyouts
Practical 10 Pointer Approach – 4/4

LOGGING & MONITORING
Logging relevant events and monitoring for anomalies to help reduce the reaction time
Logging what you need, not what seems right.
Ensure it’s centralised or on separate segments/devices than primary assets.
Monitoring is possible with good logging combined with analysis job, to ensure anomalies are caught in time. CONTINUOUSLY!
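An added example of the “analysis job” this slide asks for, not part of the talk: it reads centralised authentication events in an assumed syslog-like format (the sample lines are constructed and use RFC 5737 documentation addresses) and runs a sliding-window check per source address for a burst of failures, failures spread across several accounts, and a success that follows a burst, which is the case that most shortens the acceptable reaction time.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of centralised auth events (not real data).
# Assumed format: <ISO timestamp> auth <OK|FAIL> user=<name> src=<ip>
SAMPLE_AUTH_LOG = """\
2020-06-01T09:00:00Z auth FAIL user=alice src=203.0.113.7
2020-06-01T09:00:20Z auth FAIL user=bob src=203.0.113.7
2020-06-01T09:00:41Z auth FAIL user=carol src=203.0.113.7
2020-06-01T09:01:02Z auth FAIL user=dave src=203.0.113.7
2020-06-01T09:01:25Z auth FAIL user=erin src=203.0.113.7
2020-06-01T09:01:50Z auth OK user=dave src=203.0.113.7
2020-06-01T09:02:10Z auth FAIL user=frank src=198.51.100.2
2020-06-01T09:02:30Z auth OK user=frank src=198.51.100.2
2020-06-01T09:45:00Z auth FAIL user=alice src=203.0.113.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_auth_log(text):
    """Parse events into dicts with a datetime 'ts'; lines not in the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_auth_anomalies(events, window=timedelta(minutes=5), fail_threshold=5, spray_users=3):
    """Sliding-window analysis per source address. Alert kinds:
      burst                  - at least fail_threshold failures from one source inside the window
      spray                  - failures from one source against at least spray_users distinct accounts
      success-after-failures - a successful login while the source's failure count is at the threshold
    Each (src, kind) pair alerts once per run so a noisy source does not flood the queue."""
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures still inside the window
    alerted = set()
    alerts = []

    def raise_alert(kind, e):
        key = (e["src"], kind)
        if key not in alerted:
            alerted.add(key)
            alerts.append({"kind": kind, "src": e["src"], "ts": e["ts"], "user": e["user"]})

    for e in sorted(events, key=lambda x: x["ts"]):
        q = recent[e["src"]]
        while q and e["ts"] - q[0][0] > window:  # drop failures that fell out of the window
            q.popleft()
        if e["result"] == "FAIL":
            q.append((e["ts"], e["user"]))
            if len(q) >= fail_threshold:
                raise_alert("burst", e)
            if len({u for _, u in q}) >= spray_users:
                raise_alert("spray", e)
        elif len(q) >= fail_threshold:
            raise_alert("success-after-failures", e)
    return alerts


if __name__ == "__main__":
    for a in detect_auth_anomalies(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"{a['ts'].isoformat()} {a['kind']:23} src={a['src']} user={a['user']}")
```

The thresholds are starting points, not fixed values: set `fail_threshold` and `window` from what your own logs show for legitimate users on a bad day, and keep the analysis running as a scheduled job against the central log store rather than on the asset being attacked, in line with the slide's point about separate segments.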
The following useful guides are available for free:
✓ Buyer’s guide to security
✓ 10 Pointer Risk Management
✓ Security Awareness Image Quotes
Drop an email to the below address:
connect@defendza.com

ADDRESS
Salford Innovation Forum, 51 Frederick Road, Salford M6 6FP
PHONE
+ 0203 916 5444
+ 161 743 3495-97
EMAIL/TWITTER
connect@defendza.com
@defendzaltd
WEB
www.defendza.com (under construction)