Anatomy of an Attack - AFP Online
Anatomy of an Attack
Lessons Learned From the RSA Breach
Kevin Flanagan, CISSP, CISA
Director, North American Technical Consulting
RSA, The Security Division of EMC
• An Overview: What Happened?
• What We Learned
• How You Can Help
What Happened? The attack in seven steps

1. Two phishing emails
2. Launch zero-day
3. Lateral movement from low-value to higher-value targets, with a focus on VPN compromise (harvesting passwords along the way)
4. Attacker initiates separate network access using the obtained credentials
5. Demonstrated knowledge of internal architecture
6. Encrypt and transfer (exfiltration)
7. Resilient and resourceful: exploited people, switched connection techniques, changed tools, and disguised origin
Reconsider your risk
• What makes you a target?
• What kind of information?
• What about partners and supply chain?
• How vulnerable are you?
Anti-Virus is Ineffective
• Don’t rely solely on signature-based detection
• Set realistic goals
• People are the weakness
The Kill Chain (figure)
Attacker phases, over time: Attack Begins → Reconnaissance → Weaponization → Delivery → Exploitation → Command and Control → Maintain foothold → Exfiltration / Actions on Objectives
Defender phases, over time: Attack Forecast → Physical Security → Monitoring & Controls → Defender Discovery → Attack Identified → Incident Reporting → Threat Analysis → Impact Analysis → Response → Containment & Eradication → Damage Identification → System Reaction → Recovery
Dwell time: the gap between "Attack Begins" and "Attack Identified"
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)
Reality: Two Windows (figure)
Timeline: Attack Begins → Exploitation → Exfiltration / Actions on Objectives → Attack Identified
• Compromise window: days
• Detection window: weeks
• Add friction (preventative controls) to lengthen the compromise window
• Increase visibility (detective controls) to shorten the detection window
Solution Is Simple: Balance Detective and Preventative Controls (figure)
Same timeline, with the two windows reversed:
• Compromise window: weeks (friction from preventative controls)
• Detection window: days (visibility from detective controls)
Resource Shift: Budgets and People
Today’s Priorities:            Prevention 80%, Monitoring 15%, Response 5%
Intelligence-Driven Security:  Prevention 33%, Monitoring 33%, Response 33%
• Get into board-level conversations
• End-user awareness
• Limit social media
• Block high-risk sites
• Educate, Educate, Educate
4 Guiding Principles
1. Security is not black and white
   “Can you get some security on my PC?”
2. Security needs to balance business requirements
   “The best firewall is a pair of wire cutters”
3. Understanding the threat is the best defense
   “If you know the enemy and know yourself, you need not fear…”
4. Don’t underestimate the power of people
   This is not computers attacking computers, it’s people attacking people
trust in the digital world
Kevin Flanagan, CISSP, CISA
Director, North American Presales
Security Practices – Critical Checklist

Business Risk Assessment – Critical Asset Protection
• Identify the most critical systems; ensure they are given the highest priority for all hardening and monitoring activities

Active Directory and Exchange Hardening
• Minimize the number of admins
• Monitoring and alerting on directory object access (Windows Event ID 566 on Windows Server 2003; the equivalent event is 4662 on Windows Server 2008 and later)
• Two-factor admin access from a hardened VDI platform
• Executable whitelisting on hardened DCs
• Disable default accounts and rename key accounts
• Complex passwords (9 and 15 characters)
Infrastructure & Logging
• Full and detailed logging & analysis
• Tighten VPN controls
• Increase controls on crypto keys
• Full packet capture at strategic network locations
• Network segmentation
• Team trained and focused on APT activity
Service Accounts
• Review accounts for privilege creep
• Change passwords frequently
• Do not embed credentials in scripts
• Minimize interactive login
• Restrict login to the required hosts only
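The two service-account items "Minimize interactive login" and "Restrict login only from required hosts" are only enforceable if something checks the logon events against a per-account policy. The following is an added example (not code from the deck or from RSA) of that check as detection logic over Windows Security Event ID 4624 (successful logon) records. The event lines are constructed for the example in a flattened key=value rendering, not a real export format; the account names, host names and policy table are assumptions.

```python
"""Service-account logon policy checks over Windows Security 4624 events.

Added example, not from the slide deck: flags interactive logons by
service accounts and logons involving hosts outside each account's
allowed set. Events, account names and the policy table are constructed.
"""
import re
from dataclasses import dataclass

# Event ID 4624 "Logon Type" values that put credentials on a console or
# RDP session: 2 Interactive, 10 RemoteInteractive, 11 CachedInteractive.
INTERACTIVE_LOGON_TYPES = frozenset({2, 10, 11})


@dataclass(frozen=True)
class LogonPolicy:
    allowed_hosts: frozenset        # workstation names the account may appear on
    allowed_logon_types: frozenset  # e.g. 3 Network, 4 Batch, 5 Service


# Assumed policy table; in practice this comes out of the account review.
POLICY = {
    "svc-backup": LogonPolicy(frozenset({"BKP01", "BKP02"}), frozenset({3, 4})),
    "svc-sql":    LogonPolicy(frozenset({"SQL01"}), frozenset({5})),
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value Key=Value ...' event line."""
    fields = dict(FIELD_RE.findall(line))
    for key in ("EventID", "LogonType"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def check_event(event: dict, policy=POLICY) -> list:
    """Return (account, host, reason) findings for one event; [] if clean."""
    if event.get("EventID") != 4624:        # only successful logons matter here
        return []
    account = event.get("Account", "").lower()
    rule = policy.get(account)
    if rule is None:                        # not a governed service account
        return []
    host = event.get("Workstation", "-").upper()
    logon_type = event.get("LogonType")
    findings = []
    if logon_type in INTERACTIVE_LOGON_TYPES:
        findings.append((account, host, f"interactive-logon:type{logon_type}"))
    elif logon_type not in rule.allowed_logon_types:
        findings.append((account, host, f"unexpected-logon-type:{logon_type}"))
    if host not in rule.allowed_hosts:      # unknown ('-') hosts are flagged too
        findings.append((account, host, "unexpected-host"))
    return findings


def audit(lines, policy=POLICY) -> list:
    """Run check_event over a batch of event lines and collect findings."""
    return [f for line in lines if line.strip()
            for f in check_event(parse_event(line), policy)]


# Constructed sample events: two clean, two suspicious, one failed logon, one user.
SAMPLE_EVENTS = [
    "EventID=4624 Account=svc-backup LogonType=3 Workstation=BKP01 IpAddress=10.0.5.12",
    "EventID=4624 Account=svc-backup LogonType=10 Workstation=FIN-LAPTOP07 IpAddress=10.0.9.41",
    "EventID=4624 Account=svc-sql LogonType=5 Workstation=SQL01 IpAddress=-",
    "EventID=4624 Account=svc-sql LogonType=3 Workstation=WKS-HR22 IpAddress=10.0.3.8",
    "EventID=4625 Account=svc-sql LogonType=2 Workstation=WKS-HR22 IpAddress=10.0.3.8",
    "EventID=4624 Account=jdoe LogonType=2 Workstation=WKS-HR22 IpAddress=10.0.3.8",
]

if __name__ == "__main__":
    for account, host, reason in audit(SAMPLE_EVENTS):
        print(f"{account:12} {host:14} {reason}")
```

An RDP logon by a backup service account from a finance laptop, as in the second sample event, is exactly the "low value to higher value" lateral movement the first half of the deck describes; the host allowlist catches it even when the logon type looks legitimate.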
Web Access
• Block access to high-risk web filter categories
• Click-through (interstitial warning) on medium-risk websites
• Black-hole dynamic DNS domains
• Authenticated internet access
• DNS traffic analysis
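"Black hole dynamic DNS domains" and "DNS traffic analysis" go together: the analysis finds the names, the black hole stops the resolver from answering for them. The following is an added example (not from the deck or from RSA) that does both over a DNS query log: it flags queries under dynamic DNS provider zones and queries for DGA-looking hostnames with long, high-entropy labels, then renders the results as RPZ-style records ("name CNAME ." answers NXDOMAIN for that name). The log lines, client addresses and hostnames are constructed; the provider zone list is a short illustrative subset, and the entropy threshold is an assumption to tune against your own traffic.

```python
"""DNS query-log analysis plus RPZ-style black-hole records.

Added example, not from the slide deck. Log lines are constructed in the
form '<timestamp> <client-ip> <qname> <qtype>'; the provider zone list is
an illustrative subset and the thresholds are assumptions.
"""
import math
from collections import Counter

# Illustrative subset of dynamic DNS provider zones (assumption: a real
# deployment feeds this from its web filter or threat-intel categories).
DYNAMIC_DNS_SUFFIXES = {"no-ip.org", "hopto.org", "ddns.net", "dyndns.org"}

# DGA-style names tend to have long, high-entropy leftmost labels.
MIN_LABEL_LEN = 12
ENTROPY_THRESHOLD = 3.5   # bits per character, assumed; tune on real traffic


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dynamic_dns_zone(qname: str):
    """Return the provider zone qname falls under, or None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in DYNAMIC_DNS_SUFFIXES:
            return suffix
    return None


def parse_query_line(line: str) -> dict:
    """Parse one constructed log line: '<timestamp> <client-ip> <qname> <qtype>'."""
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client,
            "qname": qname.lower().rstrip("."), "qtype": qtype}


def classify(query: dict):
    """Return (client, qname, reason) for a suspicious query, else None."""
    zone = dynamic_dns_zone(query["qname"])
    if zone:
        return (query["client"], query["qname"], f"dynamic-dns:{zone}")
    label = query["qname"].split(".")[0]
    ent = shannon_entropy(label)
    if len(label) >= MIN_LABEL_LEN and ent >= ENTROPY_THRESHOLD:
        return (query["client"], query["qname"], f"high-entropy-label:{ent:.2f}")
    return None


def analyze(lines) -> list:
    """Run classify over a batch of log lines and collect findings."""
    findings = []
    for line in lines:
        if line.strip():
            f = classify(parse_query_line(line))
            if f:
                findings.append(f)
    return findings


def rpz_records(findings) -> list:
    """RPZ-style records for the findings. A dynamic DNS provider zone is
    blocked whole (zone and wildcard); a DGA-looking name is blocked alone."""
    names = set()
    for _client, qname, reason in findings:
        if reason.startswith("dynamic-dns:"):
            zone = reason.split(":", 1)[1]
            names.add(zone)
            names.add("*." + zone)
        else:
            names.add(qname)
    return sorted(f"{n} CNAME ." for n in names)


# Constructed sample log: three benign queries, two dynamic DNS, one DGA-like.
SAMPLE_QUERY_LOG = [
    "2011-06-02T09:14:03 10.0.9.41 www.example.com A",
    "2011-06-02T09:14:07 10.0.9.41 beacon77.hopto.org A",
    "2011-06-02T09:15:12 10.0.3.8 mail.example.com MX",
    "2011-06-02T09:15:40 10.0.3.8 xk3q7vp2zm8rtbw1.example.net A",
    "2011-06-02T09:16:02 10.0.5.12 update.ddns.net A",
    "2011-06-02T09:16:30 10.0.9.41 static.contoso.example A",
]

if __name__ == "__main__":
    found = analyze(SAMPLE_QUERY_LOG)
    for client, qname, reason in found:
        print(f"{client:12} {qname:32} {reason}")
    print("\n".join(rpz_records(found)))
```

The client address in each finding is what turns this from a block list into visibility: one workstation repeatedly resolving a fresh dynamic DNS hostname is a lead for the "deep visibility to identify lateral movement" item further down the checklist, not just a name to sinkhole.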
User Education
• Increase security training for IT
• Launch a security improvement initiative
• Regular education of users on phishing attacks
• Regular education on social engineering
• Increase mail filtering controls
User Machine Hardening
• Limit local admin rights; randomize the local admin password and change it often
• Increase the patching regime
• Enable security controls in applications
• Deep visibility to identify lateral movement
• Limit use of non-authorized and unapproved software