
Wednesday, July 10, 2013

SANS Webinar: Why Defense, Why Now

The webinar "Why Defense, Why Now" was given on May 30, 2013.  I watched it on July 10, 2013.  These notes are my evidence that I watched it in case of audit as I submit this for CPE credit.

Notes

"A" in APT is not for advanced threat, but rather an advanced adversary.

APTs almost always come in via email using one of these four vectors:
  1. attached executable 
  2. macros (office)
  3. active scripting
  4. html embedded content

So, do we really need these to come in via email?  Almost never, so disable these to significantly reduce risk from APTs.

Malware usually does these things
  1. Upload code
  2. Start a process
  3. Establish connection
  4. Modify startup or system files
So, we should focus our energy on detecting things that modify system files and make outbound connections.  This is where he pitches Tripwire.
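Added illustration of the "detect changes to system and startup files" point (my own example, not the webinar's material and not Tripwire code): a snapshot of file hashes is taken, then compared against a later snapshot to report added, removed and modified files. The files, directory layout and "tampering" are constructed inside a temporary directory so the script runs anywhere.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root to its hash: the known-good snapshot."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def diff_baseline(old, new):
    """Report what changed since the snapshot was taken."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
    }


def demo():
    """Constructed scenario: a startup script is altered and a new file appears."""
    with tempfile.TemporaryDirectory() as root:
        startup = os.path.join(root, "rc.local")
        with open(startup, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        with open(os.path.join(root, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        before = build_baseline(root)
        # Simulated change after the snapshot: one line appended to the
        # startup file and one unknown file dropped next to it.
        with open(startup, "a") as f:
            f.write("/tmp/unknown-binary &\n")
        with open(os.path.join(root, "agent"), "w") as f:
            f.write("dropped\n")
        return diff_baseline(before, build_baseline(root))
```

In practice the baseline is stored off-host (or signed) so that whoever modifies the files cannot also rewrite the snapshot.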

Can use an outbound proxy.  It will break most command and control connections.

Organizations aren't detecting attacks.  Need to shift mentality to one that assumes we are going to get compromised, so figure out how to detect and neutralize compromises. 

Much like the APT webinar, he suggests looking at your network diagram and identifying all of the preventative devices and the detective devices.  The average is 88% preventive.  All the effort is on prevention and little to none on detection.  Need to start focusing more on detection.  Also 95% of the prevention is on inbound.

Prevention is ideal, but detection is a must!

Suggestions

  1. Know your systems
    1. up-to-date network diagram
    2. network visibility map
    3. cm and change control
  2. Defense in depth
    1. inbound prevention
    2. outbound detection
    3. log correlation
    4. anomaly detection
  3. Common metrics
    1. utilize the critical controls
      1. security defines the metrics
      2. IT implements the metrics
      3. audit validates the metrics
      4. executives track the metrics

Friday, May 24, 2013

SANS Webinar: Put Your Game Face On: Using InfoSec Challenges to Build Your Skills and Career

I'm watching webinars for continuing education and CPE credit.  This webinar is "Put Your Game Face On: Using InfoSec Challenges to Build Your Skills and Career."  Who doesn't want to build their career?

Overview

Discuss ways to develop information security skills.  Behind the scenes of Capture the Flag games and other challenges.  Tips on what makes a good security challenge.  Point out places with security challenges.

Notes

Use gamification to measure skill, identify talent, train, and provide motivation.  When confronting a problem, assume that it can be solved.

Types of challenges
  • Offense - attack targets, pen test
  • Defense - stop attackers
  • Offense and Defense - exciting, but more work to implement.  Need to enforce minimal attack surfaces - i.e. a scorebot.
  • Analysis - packets, files, malware
  • Other - bot-net control, cloud resources, etc.
Flat vs. depth
  • flat - all challenges accessible from anywhere
  • depth - need to solve earlier challenges to get to the later ones
When creating challenges, don't put in red herrings.  There will already be patterns and diversions in the challenges; don't make it more difficult.  Don't make puzzles for puzzles' sake - i.e. needle in a haystack.  They won't lead to real world skills.  Have multiple methods to solve problems.

Free Challenges

Damn Vulnerable Web App
http://www.dvwa.co.uk

Iron Geek’s Mutillidae
http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10

OWASP WebGoat
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Metasploitable
https://community.rapid7.com/community/metasploit/blog/2010/05/19/introducing-metasploitable

Damn Vulnerable Linux: Currently being rebuilt, but you can find older versions
http://www.damnvulnerablelinux.org/


Huge archive of challenges from 2009 to 2012 here:
http://capture.thefl.ag

Multi-leveled exploit development environment
http://exploit-exercises.com

www.counterhack.net

Conclusion

Interesting webinar.  Need to check out some of the challenges!

SANS Webinar: APT: It is Time to Act

This is the 2nd SANS webinar that I've watched.  The title is "APT: It is Time to Act."  It looked interesting because I've seen APT a few times and wasn't sure what it meant.  APT is Advanced Persistent Threat.  These notes are for my reference and for audit purposes as I log this for CPEs for CISSP.

Overview

APT is like cancer vs. the common cold threat of a few years ago.  Should think in terms of you are already infected, now go find it.  Despite best efforts, we will still get infected.

Advanced = advanced adversary.  Another interpretation of APT = average phishing technique.  Adversaries are going to use the easiest method that they can to break in, i.e. phishing.  Usually buried in an attachment so you get compromised without even knowing.  That is the persistent part.

Too much focus on prevention and not enough on detection.

Solutions

Most dangerous applications are web browsers and email clients.  So sandbox/VM those applications.

3 Primary vectors
  1. Executable content in email
  2. Macros in an office document
  3. Executable code in embedded HTML in the email
So disable executable content, macros, and executable HTML in email.

Prevention vs. Detection

Prevention will eventually fail, so need to also have detection.  This will allow you to detect a breach after it gets through prevention and then stop it. Organizations have to focus more on detection.  Most security is preventative (85%) vs. detective (15%), and most of it is on inbound vs. outbound.  Need to examine outbound traffic to spot unusual activity.

Encrypted outbound traffic can sneak past detection.  Need to load crypto modules to decrypt, but if adversary controls keys, then that won't work.  Solution - create crypto free zones.  That is from understanding adversary and their strength, then turning it into a weakness.

5 Steps to Secure Future

  1. Identify Critical Data - can't protect what you don't know.  Determine your most important assets, biggest threats, and biggest vulnerabilities.  Get a unified focus from everyone.  Risk Based Thinking improves results.  Questions to ask:
    1. What is the risk?
    2. Is it the highest priority?
    3. Is it the most cost effective way to reduce risk?
  2. Align the defense with the offense.  Most attacks follow these five steps.  Most effort is spent defending steps 3 and 4.  If you do enough reconnaissance and scanning, then exploitation is fairly easy.
    1. Reconnaissance
    2. Scanning
    3. Exploitation
    4. Create backdoors
    5. Cover tracks
  3. Know your organization.  If offense knows more than defense, then they will win.  You need to have:
    1. Accurate network diagram - can't protect what you don't know about
    2. Network visibility map
    3. CM and change control
  4. Defense in depth.  There is no unstoppable adversary.  
    1. Inbound protection
    2. Outbound detection
    3. Log correlation - look at IP address destination countries
    4. Anomaly detection
  5. Common Metrics.  Use the critical controls
    1. Offense informing the defense
    2. Automation and continuous monitoring of security
    3. metrics to drive measurement and compliance
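Added example for the "outbound detection" and "log correlation - look at IP address destination countries" items above (my own code, not from the webinar or any vendor). It parses a constructed outbound firewall log, flags destinations whose country is outside an expected set, and flags source/destination pairs contacted at near-constant intervals, the kind of regular check-in that a proxy or outbound monitor can spot. The country table is a constructed stand-in for a GeoIP lookup.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: time, source, destination, dest port, bytes out.
LOG = """\
2013-07-10T09:00:00 10.0.1.15 203.0.113.7 443 512
2013-07-10T09:10:00 10.0.1.15 203.0.113.7 443 520
2013-07-10T09:20:00 10.0.1.15 203.0.113.7 443 508
2013-07-10T09:30:00 10.0.1.15 203.0.113.7 443 515
2013-07-10T09:03:12 10.0.1.22 198.51.100.9 80 34000
2013-07-10T09:41:55 10.0.1.22 192.0.2.44 443 2100
"""

# Constructed geolocation by /24 prefix (hypothetical); use a real GeoIP database in practice.
COUNTRY_BY_PREFIX = {"203.0.113": "ZZ", "198.51.100": "US", "192.0.2": "US"}
EXPECTED_COUNTRIES = {"US"}  # where this organization normally talks to


def parse(log):
    """Turn log lines into (timestamp, src, dst, port, bytes) tuples."""
    rows = []
    for line in log.splitlines():
        ts, src, dst, port, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return rows


def country(ip):
    return COUNTRY_BY_PREFIX.get(ip.rsplit(".", 1)[0], "??")


def unexpected_destinations(rows):
    """Correlation by destination country: any destination outside the expected set."""
    return sorted({(dst, country(dst)) for _, _, dst, _, _ in rows
                   if country(dst) not in EXPECTED_COUNTRIES})


def beacons(rows, min_hits=4, max_jitter=0.1):
    """Same src->dst pair seen at near-constant intervals: likely automated check-in."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in rows:
        by_pair[(src, dst)].append(ts)
    found = []
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter * mean(gaps):
            found.append((pair, mean(gaps)))
    return found
```

Both checks are deliberately simple; on real traffic the interval test needs a longer window and a tolerance tuned to legitimate periodic services (updates, NTP, monitoring agents) so they can be allow-listed rather than alerted on.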

Conclusion

Need to focus on outbound detection - no prevention is perfect.  Use automation, current security devices, and a common focus.  Understand your assets and the adversary.