
All right everybody, I'm going to introduce our next speaker. This is Sean Whalen. He's an information security engineer in the healthcare industry. He's also founder of the InfoSec Speakeasy. He specializes in network intelligence and malware analysis. He previously worked as an intelligence analyst for the defense industry with me. In his spare time Sean makes cutting-edge open-source InfoSec software easier to adopt through code and documentation contributions, and he's also a sci-fi fanatic and slightly paranoid, like most of us. Sean Whalen.

Thank you. Today I am talking about practical defense, which is basically just taking the tools which you already have in your environment and making sure that you're utilizing them to their fullest potential, in the right places and at the right time, in order to get the maximum benefit from those controls without necessarily having to go out and purchase new tools or completely reinvent the wheel or rip up your infrastructure.

So, just my standard disclaimer: the opinions and views in this talk are my own and not those of my past, present or post-apocalyptic employers.

I'm sure most people in this room are aware of how incident response typically works. It's like, oh crap, we got this IDS alert, we should probably block that domain. Okay, you got a hash? Okay, I will put that in our AV system, and I will submit this to our threat feed along with five thousand other hashes, and it's good until they go and just repack it, or just stand up a new domain or a new IP. So for the attacker to change the indicators that you're using, it takes them like 30 seconds. It takes an organization, depending on whether you've got automation or APIs (and a lot of organizations don't), maybe a call to another team to put in a block or to do something. So depending on the organization it could take, let's say, 20 to 30 minutes to put in a block for an individual indicator, depending on the control, while the attacker has like 30 seconds. They can spit out as many domains or hashes as they want; they can write small scripts to do that with very little effort.

So not surprisingly there's been a whole market, especially in the past few years; there's been an explosion of security startups with tons of venture capital funding that claim to solve a lot of these issues that everyone in this room sees from day to day. So you see a lot of sales pitches and a lot of promises, and a lot of "our tool can do all kinds of things", things like next-gen AV. And in some sales presentations certain vendors will do things like install McAfee but then not allow it to update, just have this ancient version, because of all the stuff that we can lay down, and it's like, I saw what you did. And when you're dealing with a very new company, a new startup with a new product, it's splashy, it's got this great marketing, but with most new startups, if you're an early adopter you become their QA team. So you're essentially testing out their product for them and paying them tons of money for the privilege of doing so. And there are so many of these new products and services; it seems like there's a new one every week. When I've gotten quotes on them before, I'm like, are you kidding me, for that kind of money? If they're talking hundreds of thousands of dollars or something like that, and there have been certain vendors where it's been up to literally a million dollars a year, it's like, for that kind of money, just give me the headcount for a developer, I'll build exactly what I want, and it will be exactly what I want and how I expect it to work. Are you kidding me? But most organizations don't have that kind of money to spend on an unknown and untested new product. This is what I thought it was going to be like.

So when you're thinking about what controls to put in place, and when, and why, it's often really important to go back and think about attacker motivations. That seems pretty basic for most people in this room, but there are some people who are new to the industry. Most of your attackers are highly opportunistic. They're only interested in making a quick buck, or they're interested in taking arbitrary infrastructure, whatever they can find their way into. Exploiting your ancient version of WordPress is a favorite example, and using that to host malware, because you've got an existing domain and it has a good history, so it's going to get past web filters for their initial wave of attacks. Or they're just interested in wreaking havoc, doing a DDoS, or you happen to be Sony Pictures. And then at the very top, in the rarest of cases, they are interested in you specifically because of something that you have that they want. Maybe you're a defense company, maybe you're a government, maybe you're just a competitor with some super secret sauce they want to get hold of. But the vast majority of attacks are just interested in making as much money with as little effort as possible.

So to that end, if you're starting out and you're thinking about where you should be putting controls, you should be thinking about what controls you can put in place that will stop the vast majority of attacks that are out there, because if you make it more difficult for the attacker, they're just going to move on to something else. If their script doesn't work, or their predefined favorite vulnerabilities don't work, they're going to move on to the next random IP space they can find. And there's a lot of effort that's focused on APT and threat hunting and finding that super-secret malware that's been hiding in your system for ages. But if you can't properly defend against opportunistic attacks, and you're spending your time chasing down an infection, for example, or even just the adware crap that people install because somebody thought it would be a great idea to put a free coupon printer on their work asset, if those are the kinds of alerts that you're chasing down all the time, you're not going to have the bandwidth to do threat hunting and do APT and all this stuff that tends to get a lot of the focus in marketing and media attention.

So basically your goal is to make your attacker say this. And of course the one exception to that is a legitimate APT group: they're interested in you because you are you, because you have something that they want, or you have access to another entity, maybe you're the weaker link compared to their final target. So those folks are not going to give up easily, so it's even more important to spend your time, money and other resources prudently.

To give a non-cybersecurity analogy: cameras, seismic sensors and AI to detect those things would work a lot better than a 30-foot mortar wall, because the very first thing people are going to do is tunnel underneath it. As you know, APT works almost the exact same way. You've got this really nice expensive next-gen firewall, but they're just going to find ways to get out over DNS or something like that. So focus on what makes the most sense versus what's flashy, because if you focus on what's flashy, what's new, what's expensive, you can end up in a situation like this. Yes, that is a real headline. Some US ally used a multi-million dollar Patriot missile to shoot down a freaking drone, and that's because terrorist organizations have turned to using drones as a kind of flying surveillance or aerial bombs. But okay, if I'm a terrorist or somebody who's using that kind of delivery mechanism, it sounds like, oh, I can make these guys waste millions of dollars and their resources, and all I have to spend is a couple hundred bucks per drone, maybe even less than that if I get the cheap stuff. So there's a monetary value to being prudent that I think your management can really understand when you're trying to pitch certain controls versus the new shiny, because sometimes the shiny is easier to pitch to management because it's got that nice glossy marketing material. But being able to pitch cost savings by tuning existing controls and doing that stuff can also speak to management; I'll cover how you can do that later in this talk.

So I already touched on this a little bit, but TTPs, tactics, techniques and procedures: how attackers do what they do, what their process is, how they go about their recon, what kind of attack they like to use, do they leverage PowerShell, are much, much more important, and what organizations they go after and why are much, much, much more important than individual hashes and these atomic indicators that are extremely ephemeral, that can change every 30 seconds, and that you're getting in a threat feed from maybe your ISAC or something with almost zero context. It basically just says "this is bad because I said it is", and sometimes you don't even know who said it was bad. Okay, great, what do I do with this alert now? Whereas if I know, for example, that the attacker likes to leverage PowerShell, I might start making sure that I turn on PowerShell logging, that I have an endpoint monitoring application, or that I leverage the PowerShell restricted mode that prevents PowerShell from using things like code injection and stuff like that. So that is a lot more effective than just trying to block the individual domain or the individual email addresses that may be sending those things that eventually trigger PowerShell, or blocking those one-off things that might be a Word macro that then executes PowerShell. So thinking about the cyber kill chain, thinking about how attackers do what they do and the process they go through, and putting in blocks at every single layer that you can within reason, is a lot more effective than sitting down with one or two indicators.

So I already touched on this: are you using your controls to their fullest? You might not need as much money as you think. So let's think about the ways that attackers do what they do, especially today, more recently. Credential harvesting is one of the most popular ways for both pen testers and your average attacker to get into a business, because it's so easy to do. I just stand up a fake web form and people give you their creds. And it happens all over the place, from general spammers collecting creds to then use your email gateways to spam out of the organization, rinse and repeat, recursive attacks, to more APT-style attacks like what happened with the Democratic National Committee during the last election. And what's crazy about this is it doesn't even need to be particularly polished. That screenshot that I have up there, that looks like it was designed in FrontPage, is an actual phish that was hosted on one of these free hosting services like Wix, Jimdo, we hear that Tripod is still around. And what these attackers will often do is purposely misspell the word "password", so it's great for International Talk Like a Pirate Day. They purposely misspell the word "password" or "username" because they know the free hosting services are looking for phishing forms, but most of your users aren't going to notice that typo. If they're going to fill in this form, they've just given up their creds. Now, if you've got single-factor, they can get into your webmail or your VPN or whatever else you have accessible on your edge, and they've expended almost no effort. They haven't even bothered scraping your webmail form to make a clone; they can just do something like this in two minutes and get almost the same, if not better, results. I've actually talked with some security awareness folks, and it's almost a joke in that side of our industry that the crappier the form looks, the more likely it is to be successful. Like, I'm kidding, but I'm not. If you put in more detail to make this highly sophisticated official-looking thing, for whatever reason people are more suspicious of that than of things like this.

So, different controls. Something everybody could and should be doing with their existing email gateways or other email security infrastructure, and this one is probably the most gentle as far as not impacting mail flow and not potentially disrupting business, which is what the business and your email admins are always concerned about, is tagging external email. It's a common feature where it will change the body to say, hey, just so you know, this external email didn't come from our servers, be careful with this. That way, if you don't have SPF enabled (we'll get to that) and people can still spoof your CEO, things like that, they're going to at least get the heads-up: hey, this didn't come from us, you should be suspicious. Make it easy, including an email address for sending in phishing, although often for every one person who sends you a legitimate phish, you'll get five more people who send you spam and the company's internal newsletter into your phishing mailbox. But some of the best detection you can get is your own employees, so it is still really important to have good user awareness and something like that.

So once you've progressed from that, having external email tagging, and people are more comfortable with the changes that you make, maybe then you advance to more things like adding SPF and DKIM, things that can prevent email spoofing. That can be a little difficult, especially in large organizations that use SaaS providers that legitimately spoof. So that involves some testing. You have to put SPF in monitor mode, that's why it exists, put SPF in a monitor mode and see what's spoofing in your environment, because chances are if it's legitimate it's going to show up, and then you can just work with those providers and adjust your SPF accordingly. That way, when you do flip the switch from a soft fail to a hard fail, you have confidence and you can inform your leadership that it's not going to impact the business because we tested it.

And one of the other really simple things you can do: Microsoft published a list, which I've linked here (I've already put all my slides on SlideShare; Google my name and this talk and it'll come up, and I've already posted a link), of high-risk file extensions that basically should not be allowed in. This is specifically for their product; they just call them high-risk attachment types, but these are things that you should not allow in your email environment. There is no legitimate business reason that somebody should be receiving a .SCR screensaver file in their email, so why the heck are you processing it at the gateway at all? This just reduces load on your gateway too, since it's doing virus scanning and stuff, so just drop that right out of the gate. So that's the main email controls. And that image, I just googled "secure mailbox" and I had no idea such things were a business. I mean, that looks like it would just make the neighborhood kids go "challenge accepted". [Laughter]

Moving on from email to your firewalls, your perimeter. Again, on next-generation firewalls, a little bit here: those are great for identifying things like, you know, is what's going out over 443 really HTTPS? But if you've got the fancy next-generation firewall and you allow traffic out on any arbitrary port or any arbitrary connection, SSH tunneling, things like that, having a fancy web proxy isn't going to do much good. It's a basic best practice, but a lot of organizations don't follow it: the only things that should be able to talk out of your network are the services that you host on the edge that are legitimate services, so your websites, your email gateways, and then of course your browsing proxies going out. Those should be the only things that should be able to communicate out of your network, and only with the matching protocols, because next-generation firewalls can do that. Otherwise your next-generation firewall isn't providing you with real security; it's security theater. An analogy that I came up with: can you imagine if an automobile manufacturer came up in court and said, well, airbags were installed, they were just only configured to deploy if you had been in a head-on collision? How well would that go over in court? That's the same thing when we're always saying "it would have been on a blacklist, we would have blocked it, or our proxy would have considered it suspicious and blocked it", but they just went off to some arbitrary port and did an SSH tunnel. It would have blocked it. If you have the capability, and it's not going to impact business, which it really shouldn't, use it.

And then also make sure you're using multi-factor authentication, because like I said earlier, it's just way too easy to collect credentials, and then they have access to everything your users have access to on the perimeter, whether that's webmail or something else. And you might think, or your management might think, big deal, if they have access to our mail, we don't have particularly tempting information, who cares? Well, even if the attacker isn't interested in spying on you, if they're just using your gateways as a scripted spam engine, they don't even care who they send to or why, that looks bad for your business because you're sending spam or phishing email out that's coming from your domain. So even if they aren't targeting your customers directly, if you've got a large enough customer base there's a chance that one of your customers might see, oh crap, Acme Co. is sending me coupons? Yeah, that just doesn't look good, and definitely not good from a business perspective. But that's just another thing you can raise with management if you need to have that conversation as to why you're making the suggestions you're making. Because if I'm a defender and I see a university or a hospital or a school or some other organization that's really large and has single-factor webmail, and it's spamming us, I'll just send out a quick FYI to whatever their abuse email is, or I'll track down the abuse contact for that IP address, or the mail person, to say, hey, FYI, are you aware that this email account has been compromised? They compromised those credentials, and I'm just trying to help out. But maybe for a K-12 school it's not a big deal; if you're a Fortune 500, that's a really big deal.

Then there's AV. It's not dead. I already touched on next-generation AV a little bit, but with most of your major AV vendors, they've got features that are actually pretty nice and do a pretty good job. Of course AV is not going to catch everything, but again, make the most of what you have. It's probably not going to catch the super-crafty APT-style attacker; if they're at the point where they're trying to execute code on your asset, I think you've got a bigger problem. But they're also really good at detecting commodity malware. They can stop adware a lot of times if you turn that on, which tends to be off by default for some inexplicable reason. But if you turn those kinds of heuristics and protections on, you can prevent people from getting that crap adware in the first place. The thing is, that makes your employees more efficient, because they're not dealing with ad pop-ups all the time; it's going to decrease your noise, because you can focus on bigger alerts; and from a support perspective it's also going to decrease the number of reimages that you need because somebody got pwned or they just got some adware, and it's like, oh god, just kill it with fire. So having that reduced reimaging can also reduce business cost as well.

Another control that we may not be aware of is the Center for Internet Security. They take different security benchmark standards, like what NIST comes up with and what DISA comes up with with their STIGs, and turn them into more general benchmarks, a baseline for people to use. The benchmarks themselves are free; you can get them off the website, and I linked directly to it. They do charge for a tool that will scan for those and validate that your system matches the standard, but the documents have all the information that you need to be able to build out the GPOs or images. That's all in the PDF.

And then restricting admin rights. That's another one that's kind of obvious but can be a little difficult in practice, because there are legacy applications that just assume that people are local admins or the application isn't going to run. One product I'm aware of in the healthcare community is an endpoint privilege manager where you can set policy and say these particular users are allowed to execute these applications, and when they do so, these applications are going to have elevated privileges while the users themselves do not. So it looks like the application has been elevated in that way, and it's also good when they're installing applications, theoretically only affecting their user profile instead of allowing someone to steal a session token and use it anywhere on the network.

And then having endpoint detection and response in place is absolutely critical. It's really, really nice just to be able to have that repository where all the agents are sending logs, and I can just query it, instead of having to do a sweep and hope to God the endpoint that I'm looking for is online. I can do a sweep with a Splunk query or something like that and figure out whether this particular application is installed, whether this particular indicator exists. And of course I can get an alert when a system detects something funny, like a PowerShell script that runs before a Word macro, things like that, that your traditional AV might not pick up on. Carbon Black is the most well-known one; it's been around for a while. There's another one I'm pretty fond of; I like the amount of data collection, the fact that it's got a Splunk-based UI along with the cloud, because if you're familiar with Splunk the queries translate over very easily. And then if you'd rather go for something open-source, there is a really cool project that gives you a lot of the same endpoint data points and details. I don't think it does the same level of detection of suspicious behavior, all in one place, all done, but it gives you that recording capability at a pretty low cost, because you're just standing up the infrastructure somewhere in the cloud or on-prem.

So moving from the technical side to the more human side, the political side, the business side of things. I often think that in a lot of businesses, a lot of organizations, this is what people think we do. You know, it's like, that's an old Bridgestone Super Bowl commercial. If we have the time, when we're chasing down alerts, it's not going to be, like, "we're going to reimage your machine, you get a reimage, everybody gets a reimage", and that's highly disruptive to people's work, and it's like, oh crap, the security guy, what did I do wrong this time? Or the business has got this great new idea: we're just going to throw everything up on AWS and it's super secure, right? It's the cloud! Like, whoa, slow down there. But in organizations, sometimes not undeservedly, we get this reputation of the people who say no, or the people who snatch your computer from you and end up ruining your day or week.

But we really need to build our support as information security professionals with the rest of our IT organization. We need to build those bridges, build that understanding, and communicate that when security works well, it should make their job easier. Test the hell out of things before you go deploying them, because that can tarnish IT's reputation in general with your teams, and you'll see more resistance to different requests that you have in the future, and understandably, because we as security professionals are not the ones getting directly yelled at by the end users, whether it be a random employee or some VP. They call the helpdesk, and then their management says, what the hell, and the helpdesk says, oh, security put this new control in place. That's just going to put a rift between you and them, where you need to have a really good understanding, a pulse on what they're doing and what their plans are and how the deployment is planned from the get-go. So that way, instead of saying, no, oh my God, why did you do that, you can say, okay, why do you want to do this? Oh, you want to migrate to Office 365? Well, since we're doing that anyway, can you make sure you turn on the multi-factor authentication that comes with that? That's a win-win, because IT gets their improved infrastructure and you're getting improved security, because now if somebody does that credential phishing and gets a password, they're not logging into your webmail anymore, and that reduces the amount of emergency password resets that you have to do, which in turn reduces the amount of helpdesk calls with people saying, why can't I get into my account? Because security reset your credentials. Why'd they do that? Oh, I don't know why they would have done that. So it really helps everybody across the business when security works well, but you've got to communicate that message and build those bridges and those relationships with people across both IT and the business, framing it in a way that makes sense for everybody.

And a key part of it is documenting everything. When a suspected breach occurs, these are the questions that leadership is going to ask you, and almost in the order they're going to ask them. The very first thing: what did we lose, if anything? How did it happen? Could we have prevented it? What do we do to prevent it in the future? How should we communicate this? All that stuff. So it's a good practice to get into the habit of documenting as much as possible, because that can help you figure out, okay, here's what controls we need to put in place to prevent this. Or even if something did get prevented, you're like, whew, that was a close one. It only got stopped because one of our solutions happened to catch it; that's going to vary, but we should have stopped them further up the chain here. Make note of that, and that gives you good ammunition for why you want to make these adjustments to your controls in the first place, because you have historical data of actual events. Yes, they were blocked by something else, but you can say, well, that was only blocked because in this specific instance X happened, which might, and probably will, not happen again. So we need to also have the controls which can help you prevent whole classes of attacks, like email spoofing, credential harvesting and stuff like that. So grab the things that can affect entire classes of attack versus just one particular threat actor's infrastructure.

Any questions?
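Editor's added example, not part of the talk and not the speaker's tooling. The SPF section above describes running SPF in monitor mode (soft fail, `~all`), watching which sources send as your domain, and only then flipping to hard fail (`-all`). The Python below evaluates a small subset of SPF (the `ip4`, `a`, `mx`, `include` and `all` mechanisms) against a constructed in-memory DNS table so it runs offline, and reports which observed senders would go from soft fail to hard fail before you change the record. The domains, IPs and records are all made up; a real gateway should use a full implementation such as pyspf.

```python
"""SPF evaluation and a soft-fail-to-hard-fail impact check (added example).

Constructed DNS data only; none of these domains or records are real.
Supports the mechanisms most records use: ip4, a, mx, include, all.
"""
import ipaddress

# Constructed sample DNS table (assumption: stands in for real lookups).
SAMPLE_DNS = {
    "example.com": {
        "TXT": ["v=spf1 mx ip4:203.0.113.0/24 include:_spf.saas.example ~all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["203.0.113.10"]},
    "_spf.saas.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "nospf.example": {"MX": ["mail.nospf.example"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf(dns, domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in dns.get(domain, {}).get("TXT", []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_host(dns, ip, domain, depth=0):
    """Evaluate SPF for sender `ip` claiming MAIL FROM `domain` (RFC 7208 subset)."""
    if depth > 10:            # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = get_spf(dns, domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"       # mechanisms default to "+" (pass) when unqualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":   # a bare address is treated as a /32
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":     # CIDR suffixes on "a" are not supported here
            matched = ip in dns.get(arg or domain, {}).get("A", [])
        elif name == "mx":
            mx_hosts = dns.get(arg or domain, {}).get("MX", [])
            matched = any(ip in dns.get(h, {}).get("A", []) for h in mx_hosts)
        elif name == "include":
            matched = check_host(dns, ip, arg, depth + 1) == "pass"
        else:                 # modifiers (redirect=, exp=) and unknown terms skipped
            matched = False
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"          # nothing matched and no "all" term present


def harden(record):
    """Rewrite a monitoring-mode record (~all) into an enforcing one (-all)."""
    terms = record.split()
    if terms and terms[-1].lower() == "~all":
        terms[-1] = "-all"
    return " ".join(terms)


def flip_impact(dns, domain, observed_senders):
    """List observed sender IPs that would start hard-failing after ~all -> -all.

    `observed_senders` is what you collected during monitor mode (gateway logs or
    DMARC aggregate reports): every source IP seen sending as `domain`.
    """
    record = get_spf(dns, domain)
    if record is None:
        return []
    hardened = dict(dns)
    hardened[domain] = dict(dns[domain])
    hardened[domain]["TXT"] = [harden(record)]
    return sorted(
        ip for ip in observed_senders
        if check_host(dns, ip, domain) == "softfail"
        and check_host(hardened, ip, domain) == "fail"
    )


if __name__ == "__main__":
    # Constructed "monitor mode" observations: two legitimate, two unknown.
    seen = ["203.0.113.10", "198.51.100.7", "192.0.2.5", "192.0.2.9"]
    for ip in seen:
        print(ip, check_host(SAMPLE_DNS, ip, "example.com"))
    print("would be rejected after -all:", flip_impact(SAMPLE_DNS, "example.com", seen))
```

The IPs that come back from `flip_impact` are the ones to chase down before flipping the switch: either they belong to a SaaS provider that needs an `include:`, or they are the spoofing the record is meant to stop.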