
I'd like to introduce Ben Schmidt, the Director of Information Security at Dwolla. Prior roles have included a position as global director of IT security and compliance at the [company name unclear in the recording] group, responsible for network and application security, including ERP systems, through a merger, which we don't hold against him. He hails from Manitowoc, Wisconsin, and he started his career with TDS Telecom in Madison, Wisconsin, doing ISP and enterprise security as a security architect. Thank you.

Thank you very much, thanks for being here, appreciate it. We're going to talk about defense today. We hear a lot about offense, a ton about how many shells I pop and what came out of Infiltrate Con, and that's great, but I think defense is maybe missed a little bit. So my goal is to make defense really cool; that's ultimately my goal. We'll stick it to pen testers a little bit, and I'll walk through different strategies on how to do that.

So who am I? Greg just did a pretty good job introducing me. I'm Ben and I play defense. I have the privilege of leading infosec at Dwolla here in Des Moines; I've been there about two and a half years and it's been awesome. So again, I'll go through what I want to call a playbook. This is not all the plays in a defensive arsenal; these are just plays I think show new design patterns, different techniques we can use against adversaries, or for that matter, stop giving low-hanging fruit to pen testers. We can stop some of that stuff. My buddy Nate isn't here, but he usually talks about offense and kind of sticks it to me, so I'm going to stick it to Nate in a very nice way today with some cool defensive things, because you can do defense and still kind of be a badass. It's still possible to do that.

So let's start with a story here. Actually, before I start the story, a couple of things not about defense. I'm also a member of SecDSM; the capture the flag is led by SecDSM, that's another group here in Des Moines that meets monthly. So if you have any interest in meeting monthly, not just once a year, please stop down, go to secdsm.org. We're also hiring at Dwolla; I'll put a quick shout out there. Come talk to me about that: site reliability engineer, sysadmin and some other roles. Happy to talk about how those roles play defense and what we do.

All right, so I'm going to start with a story. My dad's a retired firefighter, and you're like, Ben, why is that important? So I learned a bit about the evolution of the fire service from him. Back in the '70s and '80s they had metrics on, well, how many fires did I put out, right? The number of fires I put out. Cool metric, and actually, I don't know if it's the coolest metric, because it's based on the number of fires, not how fast you got there and put them out, and that's your effectiveness. But shouldn't you prevent fires? So the fire service has evolved into prevention and survival: inspections, building codes that reflect safe ways to make ingress and egress, education (right, I think all of our kids know what stop, drop and roll means, if they still teach that), careful design. These are things that are important to prevent fires, and I think that's how we play defense now. It's not necessarily great, like how many viruses I caught; that's kind of a vanity metric. But how many intrusions did I stop and prevent is a good indicator. So we're going to talk about the fire service evolving and how we evolve. That is actually from Manitowoc; that's a Pierce ladder truck. They actually call it Precious, that's one of its nicknames. So it's an important fire truck, but again, prevention is much more important.

So infosec has this fascination with playing offense, and just like every kid on my high school football team in freshman year (I played football one year, I was too small, but I did play one year, then didn't play anymore), the first day of tryouts, what does every kid want to play? Running back, running back, running back. And so guess what position I played: defensive lineman, because I'm a slow dude and that's what fit. But I learned from that: I play defense, and defense really matters. So let's think about infosec here. I totally get you can't play defense not knowing offense. Chen's on my team; yes, we can run nmap and Metasploit and we can use netcat, we can do that stuff, we understand the basics. But we also don't walk around with flamethrowers making things more secure. We want to play defense. I'm a believer that you can't pentest your way to profitability, but you can play really good defense and demonstrate to your customers, hey, this product has assurance, versus, I have the team of the greatest pen testers on earth. That's important, but playing defense, I think, is even more important.

All right, so a really busy slide, but there's a lot to talk about. Resumes come in and I review those resumes, and some come in with little working experience, and that's cool. And like all of them mention Kali Linux. All right, nice, that's in there. I don't see anyone mention threat modeling; maybe it's a Mr. Robot thing, but as far as Kali Linux goes, I eventually get into a phone screen, and I'm like, great, you've used Kali Linux, that's wonderful. What did you use it for? "For analysis and scanning." And I'm like, cool. So let's talk about a theoretical here, which may or may not involve Kali. Let's say I give you a two gigabyte text file, just straight up syslog from a server. How are you going to go through that and get information, like how many IPs attacked a trusted host? How are you going to get that out of there? You can't load two gigs in Excel; it's not going to happen. "I'd use Kali Linux." Okay, how would you use Kali Linux? "I'd use Wireshark." And like, no, we're not dealing with pcaps here, we're dealing with straight-up syslog. How are you going to go through that? "I'd use Wireshark." And it's just frustrating. It's like, don't put Kali Linux on your resume as a vanity thing; it's not cool unless you know what it means.

Let's talk about how you can play defense. So again, breaking things, pivoting around an organization, pillaging sysadmins, taking their credentials and exfiltrating data might be exciting, but I think protecting the crown jewels is pretty damn important, and that's what we're going to focus on today. And I've got to put this infosec maxim out there: defense has to be right every time, and offense just has to be right once. Okay, so what does that mean? It means the fire service correlation matters: we have to focus on prevention, not successful exploitation. So Wendy Nather, I have never met her but she works at Duo Security, had this tweet I really liked: "Wish we had more infosec firefighters rather than so many standing around with lighters, hoping, helpfully pointing out flammables." So it's all coming together: the football theme's there, the firefighter theme's there.

So what change is happening? Well, I think there's a renaissance here in playing defense, and there are two conferences that are really good examples. One is the O'Reilly Security Conference, and that's kind of their tagline: they provide advice, but it's focused almost purely on playing defense. It's their second year, it's in New York, and it's to make sure defense has a conference where you can network and collaborate and not have to talk about Metasploit or these other wonderful tools. Not trying to dig on those tools, but talk about creative ways of playing defense. There's another one that just happened a couple months ago in Austin, Texas, called Art into Science, again a purely defensive conference, and not just like how to do firewall rules and play defense, like really elegant design patterns. And what are some examples of these design patterns? Deception technology, which is a fancy term for honeypots and honeytokens and putting breadcrumbs around your network to detect adversaries. Your adversaries are kind of thinking like an API; they're going to crawl around under your GUI.
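The two-gigabyte syslog question above is answered by streaming the file, not by loading it. This is an added Go example (mine, not from the talk) that parses constructed sshd lines and counts distinct source IPs per target host; the log lines, host names and addresses are made up.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"regexp"
	"sort"
	"strings"
)

// HostStats is what the interview question asks for: how many distinct source IPs
// hit a host, and how many failed logins each of them produced.
type HostStats struct {
	Failures int
	BySource map[string]int
}

// failedLogin matches the stock sshd "Failed password" line in BSD-style syslog:
// capture group 1 is the target host, group 2 the source IP.
var failedLogin = regexp.MustCompile(
	`^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+`)

// Summarize streams r one line at a time, so a 2 GB file costs memory proportional to the
// number of distinct host/source pairs, not to the file size (nothing is loaded whole).
func Summarize(r io.Reader) (map[string]*HostStats, error) {
	stats := make(map[string]*HostStats)
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 1024*1024) // tolerate long syslog lines
	for sc.Scan() {
		m := failedLogin.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // cron noise, accepted logins, anything else: skip cheaply
		}
		host, src := m[1], m[2]
		hs, ok := stats[host]
		if !ok {
			hs = &HostStats{BySource: make(map[string]int)}
			stats[host] = hs
		}
		hs.Failures++
		hs.BySource[src]++
	}
	return stats, sc.Err()
}

// DistinctAttackers answers "how many IPs attacked this host".
func DistinctAttackers(stats map[string]*HostStats, host string) int {
	if hs, ok := stats[host]; ok {
		return len(hs.BySource)
	}
	return 0
}

// TopSources ranks a host's source IPs by failure count, noisiest first (ties by IP text).
func TopSources(stats map[string]*HostStats, host string) []string {
	hs, ok := stats[host]
	if !ok {
		return nil
	}
	ips := make([]string, 0, len(hs.BySource))
	for ip := range hs.BySource {
		ips = append(ips, ip)
	}
	sort.Slice(ips, func(i, j int) bool {
		if hs.BySource[ips[i]] != hs.BySource[ips[j]] {
			return hs.BySource[ips[i]] > hs.BySource[ips[j]]
		}
		return ips[i] < ips[j]
	})
	return ips
}

// sampleSyslog is constructed sample data using documentation-range addresses, not a real
// capture. It mixes failed logins, an accepted login and unrelated cron noise on purpose.
const sampleSyslog = `Mar 10 03:14:07 bastion sshd[2131]: Failed password for root from 203.0.113.5 port 54122 ssh2
Mar 10 03:14:09 bastion sshd[2131]: Failed password for root from 203.0.113.5 port 54123 ssh2
Mar 10 03:14:11 bastion sshd[2140]: Failed password for invalid user admin from 198.51.100.77 port 40011 ssh2
Mar 10 03:15:02 bastion sshd[2150]: Accepted publickey for ben from 192.0.2.10 port 51000 ssh2
Mar 10 03:16:44 db01 sshd[911]: Failed password for postgres from 203.0.113.5 port 33001 ssh2
Mar 10 03:17:01 db01 CRON[920]: (root) CMD (run-parts /etc/cron.hourly)
`

func main() {
	var in io.Reader = strings.NewReader(sampleSyslog)
	if len(os.Args) > 1 { // pass a path to run the same logic over a real, large syslog file
		f, err := os.Open(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		defer f.Close()
		in = f
	}
	stats, err := Summarize(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for host, hs := range stats {
		fmt.Printf("%s: %d failed logins from %d distinct IPs, top: %v\n",
			host, hs.Failures, DistinctAttackers(stats, host), TopSources(stats, host))
	}
}
```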
So you can plant things on your network, like a fake network attached storage device, something you wouldn't normally use unless you're an adversary. There are really neat design patterns Slack is doing, where they ship their logs centrally, and really good logs from auditd or their own tool called go-audit, so kernel-level, really robust logs. Ship them centrally, audit those, and then from that they have a bot or a statistical model that will use Slack to say, hey Ben, why are you running DTrace at three in the morning? You've never done that before. Send a push to your phone, true or false, you know, is that you, yes or no. Yes? Cool, update the model: now you use DTrace at three in the morning. If that wasn't you and you tap no on your phone, that's a security event that we can respond to really quickly. I think that's a really elegant design pattern, how to play really good defense: not dealing with signatures and thresholds, you're dealing with math, and using your phone as a secondary factor that's trusted to then acknowledge, yes or no, it was you. If an adversary has your credentials they probably have access to Slack and they'll just say, of course it was me, I'm really busy, go away. But if they send something to your phone, and I sleep next to mine, you're probably going to acknowledge that, and if you don't over a period of time you can escalate. So that's one example.

Immutable architecture, anyone deal with this? This one's pretty neat. Kind of, you're born in the cloud, but I think the concept makes sense. When we deploy servers or images at my company, we treat them like cattle, not like pets. We knock those things over and we spawn new ones. We do not patch them. Yes, we have a handful of long-lived instances, but when we deploy a service and deploy servers, they're virtualized, right, and they have a root of trust. We sign them, they come from a good place, we don't patch them. If there's a vulnerability we just knock those things over, bring up a new AMI or image from Amazon, and it's fully patched. So that's how vulnerability management is changing; that's pretty neat. Instead of SSHing in again, or connecting via RDP, or running WSUS or SCCM or whatever enterprise patching button you have, these things will automatically be patched when they come up, and that's a pretty neat way to do security.

So, two tweets. I put Wendy's in before, so I have it here twice because I really liked it, but Haroon Meer is from a company called Thinkst. They build a Canary, which is a hardware device that's a honeypot. You plug it into your network, you say I want this to be a SCADA device, I want it to be a NAS, I want it to be whatever you might want. You put that thing on a back-end protected or segmented network, and if it goes off, you've got a pen tester on your hands. If you catch them, that goes in your report; that's really good. If there's not a pen tester, you have a bigger problem; then you've got to squash that issue. You turn that intrusion into a security event; don't let it become a breach. And so this tweet about Slack is really interesting, what they do with their Linux auditing.

All right, so my wife and I were driving back from St. Louis and she was taking notes. I'm like, all right, I'm going to throw a bunch of different offensive tactics out on the table. So she's taking notes, and then we're going to talk about defense, and there's a lot of them, so we're not going to go through all these, and this is not an exhaustive list, right? This is just a list of ones I thought were interesting for the talk. So we're going to go ahead and see how defense can keep points off the board, maybe even turn a fumble into an opportunity, because defense matters and it wins championships. So we're going to glorify defenders out here and go through a playbook. There's a link at the bottom; MITRE has a wonderful and much more in-depth listing of different tactics, so definitely check that link out. We're going to go through a subset of these, and I have an appendix. If we have time we'll go through the appendix, but we'll probably not have the time; maybe we will.

So let's go through some of these and go through a playbook: how do we make pen testers' lives harder, or make our adversaries' lives hard? So the first one is man in the middle. We've got Alice, Bob and Eve; if you've ever done crypto you're going to hear those names a lot. Two parties have to exchange information across a potentially untrusted network, so you've got to use some crypto. So one variation of this, and this one's for real, and I recommend you check out that link to learn from problems that happen: in this case there's a bank called N26 in Europe, and that bank has an API that is used for their mobile app. Someone man-in-the-middled the API, and it's a very verbose API which gives you a lot of information, and the information was used creatively to do things that could allow that application to be abused. So I won't talk too much about that, but definitely check out that link from the Chaos Computer Congress. But man in the middle is no joke; this stuff really happens.

So what can defense do about a man-in-the-middle thing? Yeah, we can do VPNs and all kinds of stuff, but let's just talk about the edge of your network, because everyone here probably has a website, maybe a web app, maybe internal web apps. So the first thing is TLS 1.3 is on its way; it's basically here, I'll talk about it in a second. You should make sure that edge is appropriately configured. If you're doing older versions of TLS, and if you're doing SSL, that's naughty; you shouldn't be doing SSL. All right, okay, I'm not going to talk about it ever again. But 1.3 is on its way and it makes some really cool decisions for you. So I won't go down a TLS rabbit hole, but 1.3 does some cool stuff: really fast session setup, the handshake's been reduced, it's not two round trips, it's one or zero, because if you have existing key material it can be reused to reestablish a connection to a trusted site. And it's using really good cipher suites. You're not going to use some of the garbage like RC4; you can't do it, you're not going to be able to do that stuff, they took it out for you. We'll talk about authenticated encryption with associated data ciphers a bit later, but there's only two right now in TLS 1.3 you can use: AES-GCM with elliptic curve keys, or you can use ChaCha20-Poly1305, which is from the NaCl suite. That's it. Both of those are authenticated encryption with associated data, which ultimately means it's confidentiality and integrity.

So I won't go too deep here, but if you're using AES you've heard of CBC mode, cipher block chaining. It's fine, it's not that weak, but it does not provide integrity, purely confidentiality. So if you do a forgery or something, it may not get detected if you're messing with the blocks. Whereas GCM, which stands for Galois/Counter Mode, has a MAC in between each block based on a counter, which allows you to provide confidentiality and integrity. That's pretty important. We were doing TLS in one of the CTF exercises for Heartbleed, and this is a mitigation for that threat.

So TLS 1.2 and 1.3 are there. When I say there, it's pretty hard to see, but that's a screenshot from Wireshark, not for log analysis like those who are applying for jobs; it's actual TLS 1.3 traffic. Chen and I were making sure we could show you, like, this is real stuff. So TLS 1.3 works; that is what Chen and I were doing from my laptop out to Cloudflare's edge. Cloudflare is an early adopter of 1.3, they're on the IETF, and it helped a lot with it being defined as a standard. So 1.3 is there. There's also certificate pinning and HSTS; that helps with man-in-the-middling. So you're going to run Burp Suite or something; with HSTS and pinning it gets a little harder for people to screw around and proxy. Another thing is signing.
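The CBC-versus-GCM point above, as an added Go example that is not from the talk (the key and message are constructed): flipping one bit in a CBC ciphertext yields an edited plaintext with no error at all, while the same flip against AES-GCM is rejected by the tag check.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// demoKey is a constructed 32-byte (AES-256) key; real keys come from a KDF or a key store.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// PKCS#7 padding: CBC needs whole blocks, GCM does not.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 { return nil, errors.New("empty") }
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptCBC returns iv||ciphertext. Nothing in here authenticates the data.
func EncryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil { return nil, err }
	padded := pad(append([]byte(nil), plaintext...))
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// DecryptCBC returns whatever the blocks decrypt to; only the padding is checked.
func DecryptCBC(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	out := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(out, data[aes.BlockSize:])
	return unpad(out)
}

// EncryptGCM returns nonce||ciphertext||tag; the tag covers the ciphertext and the AAD.
func EncryptGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize()) // 12 bytes for standard GCM
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptGCM recomputes the tag and returns nothing but an error if a single bit changed.
func DecryptGCM(key, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(data) < aead.NonceSize() { return nil, errors.New("too short") }
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], aad)
}

// flip XORs mask into byte i of a copy of data: the "messing with the blocks" from the talk.
func flip(data []byte, i int, mask byte) []byte {
	out := append([]byte(nil), data...)
	out[i] ^= mask
	return out
}

// TamperCBC encrypts, flips bits in IV byte i, and decrypts. In CBC, IV bit k flips exactly
// plaintext bit k of the first block and nothing else, so the padding still checks out:
// no error, wrong plaintext.
func TamperCBC(key, plaintext []byte, i int, mask byte) (string, error) {
	ct, err := EncryptCBC(key, plaintext)
	if err != nil { return "", err }
	pt, err := DecryptCBC(key, flip(ct, i, mask))
	return string(pt), err
}

// TamperGCM applies the same flip to ciphertext byte i (after the 12-byte nonce); Open fails.
func TamperGCM(key, plaintext []byte, i int, mask byte) error {
	ct, err := EncryptGCM(key, plaintext, nil)
	if err != nil { return err }
	_, err = DecryptGCM(key, flip(ct, 12+i, mask), nil)
	return err
}

func main() {
	msg := []byte("TRANSFER $100 TO ALICE") // byte 10 is the '1'; '1' ^ 0x08 == '9'
	pt, err := TamperCBC(demoKey, msg, 10, 0x08)
	fmt.Printf("CBC after tampering: %q, err=%v\n", pt, err)
	fmt.Println("GCM after tampering: err =", TamperGCM(demoKey, msg, 10, 0x08))
}
```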
Signing is totally something that we should do more of. SMB signing, if you use Windows, you've probably turned on, but signing is providing assurance that data hasn't been manipulated, and so I take signing really seriously. Chen and I do a lot of signing, right, Chen? It's really important to make sure stuff is not tampered with.

All right, password cracking. So the goal is not to store these, right? You should have a trusted identity provider and use that. If you have to store passwords, you have to use a key-derivation-based protection solution. Key derivation functions are slow and painful for all the right reasons, versus, I'm going to do naked SHA-1 or SHA-256; that's really fast. The SHA family is meant to be fast; key derivation functions are meant to be slow, so that if you lose your password database and an adversary gets it, I want them to have a very bad time. That's defense sticking it to them. So we're not worried about rainbow tables and all these things if you're doing some of these the right way. So I'll give some examples here; these are all not meant to be fast, for the right reason. One's called Argon2. There are two variants of Argon2, but this is a really new password-based hashing solution, and it's both memory and CPU hard, so you can't just throw an ASIC at it; you have to throw ridiculous amounts of memory at it too. So it's a really difficult way of trying to brute force the resultant output of Argon2. Argon2i also has protections for side-channel attacks based on timing. It's really nice. scrypt, another one; these are recommended work factors, based on parallelization, number of rounds, etc. scrypt's not super popular, but it's been out for a while and it's pretty strong. bcrypt is probably the most popular one; a lot of the frameworks have this built in. It's based on Blowfish underneath and it is pretty expensive. And there's PBKDF2, password-based key derivation function 2; that's the NIST standard. It's recommended if you do 86 thousand or more iterations. And why do we do this? To make a pen tester's job or an adversary's job harder. So if you're going to store passwords you've got to do this stuff. Using naked SHAs is a bad idea; it's just a matter of them figuring it out. If you have a global salt, it's probably sitting somewhere in the data store; they're going to get that too.

All right, message forgeries. We're going to touch on signing; we talked about crypto a little bit in the TLS talk. Talking about message forgery: your messages are pretty important, even some log stuff, because they may have to go into an investigation or into the legal system, and you have to prove they have integrity.
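The password-storage discussion above as an added Go example, not the talk's own code: PBKDF2-HMAC-SHA-256 written out per RFC 8018 with the 86,000-iteration figure, a fresh per-user salt, constant-time verification, and a rough measure of how much slower one derivation is than a naked SHA-256. The record format and sample passwords are my own constructions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Iterations follows the talk's "86 thousand or more" guidance for PBKDF2.
const Iterations = 86000

// PBKDF2 is RFC 8018 section 5.2 with HMAC-SHA-256 as the PRF, written out so the slow part is
// visible: each output block is `iterations` chained HMACs XORed together.
func PBKDF2(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	numBlocks := (keyLen + hLen - 1) / hLen
	dk := make([]byte, 0, numBlocks*hLen)
	var idx [4]byte
	for i := 1; i <= numBlocks; i++ {
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for n := 1; n < iterations; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_n = PRF(P, U_{n-1})
			for k := range t {
				t[k] ^= u[k] // T_i = U_1 xor U_2 xor ... xor U_c
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// HashPassword stores a self-describing record with a fresh per-user salt, so there is no
// global salt sitting next to the hashes in the data store for an adversary to pick up.
func HashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil { return "", err }
	dk := PBKDF2([]byte(password), salt, Iterations, 32)
	enc := base64.RawStdEncoding.EncodeToString
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", Iterations, enc(salt), enc(dk)), nil
}

// VerifyPassword re-derives with the record's own parameters and compares in constant time,
// so the iteration count can be raised later without breaking existing records.
func VerifyPassword(password, record string) (bool, error) {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false, errors.New("unrecognised record format")
	}
	iter, err := strconv.Atoi(parts[1])
	if err != nil || iter < 1 { return false, errors.New("bad iteration count") }
	salt, err := base64.RawStdEncoding.DecodeString(parts[2])
	if err != nil { return false, err }
	want, err := base64.RawStdEncoding.DecodeString(parts[3])
	if err != nil { return false, err }
	got := PBKDF2([]byte(password), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

// Slowdown turns "naked SHA-256 is fast, KDFs are slow" into a number: roughly how many plain
// SHA-256 hashes fit in the time of one derivation, i.e. the extra cost per guess for a thief.
func Slowdown(password string) float64 {
	salt := []byte("constructed-salt")
	start := time.Now()
	PBKDF2([]byte(password), salt, Iterations, 32)
	slow := time.Since(start)
	start = time.Now()
	_ = sha256.Sum256(append([]byte(password), salt...))
	fast := time.Since(start)
	if fast < time.Nanosecond { fast = time.Nanosecond } // coarse clocks
	return float64(slow) / float64(fast)
}

func main() {
	rec, err := HashPassword("correct horse battery staple")
	if err != nil { panic(err) }
	fmt.Println("stored record:", rec)
	ok, _ := VerifyPassword("correct horse battery staple", rec)
	bad, _ := VerifyPassword("Tr0ub4dor&3", rec)
	fmt.Printf("right password: %v, wrong password: %v\n", ok, bad)
	fmt.Printf("one derivation costs about %.0f plain SHA-256 hashes\n", Slowdown("x"))
}
```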
It deals with repudiation issues. What do we do here? We can sign log files, sign messages, to prove they have integrity, because you want to make sure that if you have a message from a trusted entity it's not been manipulated. Okay, so up on the right, that's really hard to see, I apologize, but it's something Chen and I were doing. There is a suite of cryptographic solutions called NaCl. It's not NIST crypto, but it is very strong, a lot of academia, and it's gaining quite a bit in Europe. But NaCl has pretty safe variations of crypto you can use that are strong and performant, and they kind of make it difficult for you to screw it up based on their API or interface. So this is a little something we did in Python: we signed, and besides that, we printed the signing and verification keys out and proved that it worked. So that was a nice example of using signing, and this signing is done not with a symmetric key; it's an asymmetric key, so you sign with one key and you verify with the other. So it's really nice and strong for distributed scenarios.

So what can we do here? I talked about authenticated encryption with associated data, or cryptographic signing, and there's also something called a keyed MAC. So you've heard of HMAC before. Let's say you have webhooks and you want to emit messages to your clients; you're probably going to sign that using something like an HMAC and then a key. So these are methods of signing things so the message can't be forged. A couple things about crypto, and again I've got one more slide and I'll stop on the crypto, we can talk more later: RSA is getting a little long in the tooth. I'm not a cryptographer, but it's not my favorite. Elliptic curve seems to be taking its place, at least for the near term. I won't go into quantum computing; they talk about that too. Let's just say ECC is safe for now. But don't be afraid of non-NIST standards. I stick with a lot of NIST, but there are a lot of times a non-NIST standard like Ed25519 makes sense. That's part of NaCl; we like that one. And then an HMAC is a keyed MAC; it's a pretty leading solution, you're going to see that a lot. And I'm warming up to CMAC; Chen and I have been testing that one quite a bit. Very fast. Whenever something's really fast it could be dangerous, so we're checking into that. But message forgery is a big deal. It's also not just messages, right? You may get software; if you pull software down from a repository, you probably should check that it's signed, not just pull it down and trust that it's cool. So sign all the things.
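The NaCl signing demo in the talk was in Python; this added Go example (not the speaker's code) shows the same two ideas with the standard library: Ed25519 signatures over log lines, where sign and verify use different keys, and an HMAC keyed MAC for webhooks, where both sides share one secret. Keys, messages and the webhook format are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// SignedLogLine carries a log message and the Ed25519 signature over its bytes.
type SignedLogLine struct {
	Message   string
	Signature []byte
}

// NewSigner generates an Ed25519 keypair: the private key stays with whatever emits the logs,
// the public (verification) key goes to whoever must later prove the logs are untouched.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignLog is the asymmetric case: only the holder of priv can produce this signature.
func SignLog(priv ed25519.PrivateKey, msg string) SignedLogLine {
	return SignedLogLine{Message: msg, Signature: ed25519.Sign(priv, []byte(msg))}
}

// VerifyLog needs only the public key, so investigators never hold signing material.
func VerifyLog(pub ed25519.PublicKey, l SignedLogLine) bool {
	return ed25519.Verify(pub, []byte(l.Message), l.Signature)
}

// WebhookSignature is the keyed-MAC case: hex(HMAC-SHA256(secret, timestamp "." body)).
// Binding the timestamp into the MAC means a captured delivery cannot be replayed later
// with a different timestamp, and an edited body no longer matches the signature.
func WebhookSignature(secret []byte, timestamp, body string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(timestamp))
	mac.Write([]byte("."))
	mac.Write([]byte(body))
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyWebhook recomputes the MAC and compares with hmac.Equal (constant time), never with ==.
func VerifyWebhook(secret []byte, timestamp, body, sigHex string) bool {
	got, err := hex.DecodeString(strings.ToLower(sigHex))
	if err != nil {
		return false
	}
	want, _ := hex.DecodeString(WebhookSignature(secret, timestamp, body))
	return hmac.Equal(got, want)
}

func main() {
	pub, priv, err := NewSigner()
	if err != nil {
		panic(err)
	}
	line := SignLog(priv, "2017-04-15T03:00:00Z bastion sshd: Accepted publickey for ben") // constructed
	fmt.Println("original log line verifies:", VerifyLog(pub, line))
	edited := line
	edited.Message = strings.Replace(line.Message, "ben", "nate", 1)
	fmt.Println("edited log line verifies:  ", VerifyLog(pub, edited))

	secret := []byte("constructed-shared-webhook-secret")
	body := `{"event":"transfer.completed","amount":"100.00"}`
	sig := WebhookSignature(secret, "1492225200", body)
	fmt.Println("webhook as sent verifies:  ", VerifyWebhook(secret, "1492225200", body, sig))
	fmt.Println("webhook with edited amount:", VerifyWebhook(secret, "1492225200", strings.Replace(body, "100", "900", 1), sig))
}
```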
To me, I think it's a trend: we're going to see more and more signing to establish trust and make sure things are authentic, not forged.

All right, a little sidebar on crypto and then I will stop, I promise. That's Pluto; I don't know if it's still a planet now or a dwarf planet or whatever they call it. But think of the following problem. What if I said draw a line from the Sun to Pluto, and that is the radius of a sphere, and then tell me how many grains of rice you could fit inside of that sphere. Can you solve that problem with reasonable precision? The answer is no; it's an intractable problem. That's like super hard; I wouldn't even begin to know how to do that. So this is one of those times crypto should be that hard for an adversary to break, if it's implemented correctly. It might be one of the few times that gives defenders the upper hand, because if crypto's done properly, we trust it; it makes the problem of breaking it intractable.

All right, so a couple tidbits on crypto and then we'll stop, but I can go down a rabbit hole more if you want to later. So TLS 1.2 and 1.3: just do it. If you're PCI compliant you're on 1.2 and above anyway, and we've been analyzing the edge and that's something that we think is very doable, and 1.3 is cool, like please check it out; Cloudflare blogs a lot about it. I mentioned GCM already, authenticated encryption. The other cool thing about GCM is that since it's a counter mode it can be parallelized, so it can be really fast crypto; CBC cannot be parallelized, so that's kind of neat. Initialization vectors matter; that's randomness that's an input into a computation. So if you encrypt my last name, Schmidt, you should get a result of ciphertext; encrypt it again, you should get a different ciphertext. They shouldn't repeat; initialization vectors handle that. You need good randomness to create those things, so please use /dev/urandom for getting your randomness. Don't be afraid of elliptic curves. If you're using hashes, you guys have all heard SHA-1 has effectively been broken, right? Google demonstrated that: two PDFs, same SHA-1 signature. I'm not going to say MD5; like we're not even going to say SSH, or SSL, I mean. But the SHA-2 or SHA-3 family, please check them out, use those things. Don't put your keys in your code. Can you rotate your keys? Do a forward secrecy based key exchange. These are things you should ask your vendor: if they say they have wonderful implementations of crypto, ask this stuff. How do you rotate your keys? They'd better have an answer for that one. And I said before, NIST standards are great, NaCl standards are great, for the win. So check those two out. And I put a link to one of my favorite people, that's Thomas Ptacek, and that link is just what he called Cryptographic Right Answers; that gives really good guidance, kind of the CliffsNotes of crypto. So I'll get off of my little crypto soapbox, but it puts defenders, I think, in the driver's seat.

All right, credential stealing. Okay, so I've got my friend Nate pen testing, right, and so Nate somehow gets credentials; I'll say guessed them, or sniffed, whatever. Nate's got credentials, all right, great; then you want to do some evil. So I want to stick it to Nate with some multi-factor auth, right? We all like multi-factor auth. So you can use YubiKeys; I've got one on my laptop now. You can use Duo Security. So when my buddy Nate besieges the Archangel box, I want him to see that. I want it to be like, damn. I'm sure you can get past it creatively, and I hope to monitor and catch him, but I want him to see that before he logs into a Windows box. I want Nate to know this pops up on my phone and I can see that there was a login request. I obscured which host it was, but that actually comes to my phone and I tap yes or no. If it's no, it's a security event; if it's yes, it's me, because this is my phone and it's in my pocket at all times. It could be I want to use a YubiKey to multi-factor into LastPass. So you've got to have access to my laptop, have my YubiKey, and know my long master passphrase; that's probably not going to happen. So multi-factor is really important. Start with your highest risk users, sysadmins, executives; roll that stuff out. I don't work for Duo, but I love their stuff, really neat stuff. And what's really neat about Duo, for two reasons, are push notifications. One, it's a trusted channel, so that push notification is out of band. I said that if an adversary has your credentials they're going to hop in Slack or HipChat or whatever you use and say, yeah, that's me. But they're probably not going to take your phone, man-in-the-middle Apple push notifications, be able to use the private key on the phone and Duo's back end to obscure it; it's just not going to happen, unless you're dealing with a nation state actor here. So, a really nice trusted channel. Now the other thing is multi-factor devalues a password. So passwords used to be the gold standard: you get that, you can get in. If I use multi-factor and a password, the value of that password goes way down, which is really nice. Devaluing data is a key defensive tactic.

Persistence. So an adversary wants to gain a foothold in an environment. If they want to come back, they probably don't want to do all that work again. They want to be quiet and silent, have some persistence and get back to where they were without interruption. So one defensive play is we'll throw some flux at them. Flux and immutable architecture is something you could throw at them. There's a metric, and Netflix has a pretty neat one: they follow this immutable architecture design, they can run a command to see how long their instances or servers have been up, and we're talking days, like across their platform, maybe weeks. I forgot the last metric, I should have looked it up, but their servers don't live that long; they simply roll new ones all the time. You have a stateless microservice that's load balanced: one's gone bad? No good, sir, we'll bring one up. Not that server? We'll bring one up. And you as the consumer don't know that that just happened on the back end. So persistence in an environment that has an immutable architecture, and that rolls the servers from a root of trust and rolls them often, that's pretty neat; it's pretty hard to have persistence there. That's kind of a laboratory thing, but I think it's a neat tactic. You have to have all the basics too; I'm not saying immutable architecture's the solution, but it's a nice additive layer, right, continuous security monitoring, etc. And there's a bonus here: immutable architecture shouldn't change, right? It's going to connect back to a data store, but you're not going to install GCC in an immutable architecture environment; you're not going to do that. So if anything in your immutable architecture changes, that's rogue: either a sysadmin screwing around or you have an incident on your hands. You can loosely say it turns your whole architecture into a honeypot, so I think that's a pretty neat defensive play.

Design flaws. So I mentioned threat modeling before; I love this stuff. We can talk later about threat modeling if you want, but how do you build security into a solution? You should do it at design time. So you've all heard it's really difficult to bolt security on; you should bake it in. So a robust threat model can improve security design, drive testing and reduce cost. That's a nice political statement; what does it mean? It means you don't make bad design decisions if you can prevent them early. Like, that's a really bad design decision; I don't know how that happened. I don't even know if the guys in the CTF room could pick that lock, I mean that's pretty nuts. Maybe it's a joke, kind of; I found it on the internet. But we want to prevent bad design decisions or choices as early as possible, as far left in the development cycle as possible, left meaning when I'm actually designing or authoring code, versus when it's in production. So threat modeling is a way to do this. The one that we use and we like is called STRIDE, from Microsoft. It stands for spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege. I've done this one a lot; we can do it again later if you want to talk about that. But those are different types of threats you can apply to a decomposed application.

So you're like, tell me more. All right, you have a solution, a web app, I don't know what it is; let's say it's a solution that stores legal documents. Cool. So how is the application decomposed? Where does the data live? There's a data store somewhere, all right. Well, what other assets are important, not just the data store? There are other assets that are key to the scenario, images, I don't know. Who are the external entities, who's using it? Is it purely internal? Are the people VPNing in? Is it exposed via Citrix as a proxy? Who are the external entities? Where are the trust boundaries? Basically, is it in a server cage, is it in a trusted data center, is it spread across multiple data centers, is it inside of a DMZ; like, where are the boundaries, physically and logically, for this thing? What are the entry and exit points? Basically, like, are you using zero trust networking and you're tagging, applying policy based on trust? Do you have your narrow firewall rules defined? Are you making sure IPv6 is blocked as well as v4, stuff like this? And then what are the key technologies? If it's written in really old PHP, like, that's probably not okay. PHP can be perfectly secure; look at Facebook, they do it, for that matter. But your technology choices matter. And then who are the threat agents, what are you dealing with here? So that's like a mental model of decomposing an application. You can make that model on paper: where are the data stores, where are the trust boundaries, where are the external entities, and then wherever data crosses a trust boundary, that's where you should look at the threats. So then: how can I do spoofing, how can I do tampering, repudiation, information disclosure, denial of service and privilege escalation, that is, elevation of privilege. So it's a really good way to look at your application, apply STRIDE against it, and it should be done in teams. And then from that you can see how you mitigate, or perhaps you're going to change your design, for those different threats. So what's an example? If I know that messages can be tampered with somewhere, I want to sign those. You heard me say cryptographic signing earlier; that's a good example of a mitigation out of a threat model. So there's a pretty example of a threat model in a graphic, but if you want to know more about this, pull me aside, I'll walk through some with you and show you a little bit more graphically if you'd like.
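The STRIDE decomposition above as an added Go example (not from the talk): a constructed model of the legal-documents app with trust zones, and an enumeration that raises STRIDE-per-element threats only where a flow crosses a trust boundary, tagging tampering with the signing mitigation the talk mentions. Element names, zones and flows are made up for the demo.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Kind is the decomposed-application element type that STRIDE-per-element keys on.
type Kind int

const (
	ExternalEntity Kind = iota // people and partner systems: outside your control
	Process                    // code you run: the web app, an API
	DataStore                  // databases, file shares, log stores
)

type Element struct {
	Name      string
	Kind      Kind
	Zone      string // trust zone; a flow between different zones crosses a trust boundary
	HoldsLogs bool   // a log store also gets Repudiation: alterable logs let actions be denied
}

type Flow struct{ From, To, Data string }

type Model struct {
	Elements map[string]Element
	Flows    []Flow
}

// Threat is one STRIDE letter against one target (an element name or "flow A->B").
type Threat struct {
	Category byte
	Target   string
}

// stridePerElement is the standard STRIDE-per-element table; flows themselves get T, I, D.
var stridePerElement = map[Kind]string{ExternalEntity: "SR", Process: "STRIDE", DataStore: "TID"}

const flowCategories = "TID"

var categoryName = map[byte]string{'S': "Spoofing", 'T': "Tampering", 'R': "Repudiation",
	'I': "Information disclosure", 'D': "Denial of service", 'E': "Elevation of privilege"}

// mitigationHint records the plays this talk ties to a category; the rest are decided in the team session.
var mitigationHint = map[byte]string{'T': "cryptographic signing / MAC on the messages", 'S': "multi-factor auth on the login"}

// CrossesBoundary is the talk's rule: look at threats wherever data crosses a trust boundary.
func (m Model) CrossesBoundary(f Flow) bool {
	return m.Elements[f.From].Zone != m.Elements[f.To].Zone
}

// Threats enumerates STRIDE-per-element for every element touched by a boundary-crossing
// flow, plus the flow itself, deduplicated and ordered by target then STRIDE order.
func (m Model) Threats() []Threat {
	seen := map[Threat]bool{}
	for _, f := range m.Flows {
		if !m.CrossesBoundary(f) {
			continue // same zone: not where the talk says to look
		}
		for i := 0; i < len(flowCategories); i++ {
			seen[Threat{flowCategories[i], "flow " + f.From + "->" + f.To}] = true
		}
		for _, name := range []string{f.From, f.To} {
			e := m.Elements[name]
			cats := stridePerElement[e.Kind]
			if e.Kind == DataStore && e.HoldsLogs {
				cats += "R"
			}
			for i := 0; i < len(cats); i++ {
				seen[Threat{cats[i], name}] = true
			}
		}
	}
	out := make([]Threat, 0, len(seen))
	for t := range seen {
		out = append(out, t)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Target != out[j].Target {
			return out[i].Target < out[j].Target
		}
		return strings.IndexByte("STRIDE", out[i].Category) < strings.IndexByte("STRIDE", out[j].Category)
	})
	return out
}

// Categories returns the STRIDE letters raised against one target, e.g. "TID" for a plain data store.
func Categories(threats []Threat, target string) string {
	var b strings.Builder
	for _, t := range threats {
		if t.Target == target {
			b.WriteByte(t.Category)
		}
	}
	return b.String()
}

// LegalDocsModel is the talk's example decomposed: a constructed model, not a real system.
func LegalDocsModel() Model {
	m := Model{Elements: map[string]Element{}}
	for _, e := range []Element{
		{Name: "Customer", Kind: ExternalEntity, Zone: "internet"},
		{Name: "Employee", Kind: ExternalEntity, Zone: "corp-vpn"},
		{Name: "WebApp", Kind: Process, Zone: "dmz"},
		{Name: "DocStore", Kind: DataStore, Zone: "datacenter"},
		{Name: "AuditLog", Kind: DataStore, Zone: "datacenter", HoldsLogs: true},
		{Name: "Archiver", Kind: Process, Zone: "datacenter"},
	} {
		m.Elements[e.Name] = e
	}
	m.Flows = []Flow{
		{"Customer", "WebApp", "login, uploaded documents"},
		{"Employee", "WebApp", "review actions via Citrix"},
		{"WebApp", "DocStore", "documents"},
		{"WebApp", "AuditLog", "audit events"},
		{"DocStore", "Archiver", "nightly archive (same zone: no boundary crossed)"},
	}
	return m
}

func main() {
	for _, t := range LegalDocsModel().Threats() {
		hint := mitigationHint[t.Category]
		if hint == "" {
			hint = "decide with the team"
		}
		fmt.Printf("%-22s %-24s -> %s\n", t.Target, categoryName[t.Category], hint)
	}
}
```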
non-memory-safe languages to overflow a buffer, so we're talking like C, C++ kind of stuff here. It can also happen without an adversary forcing the issue, and I'll talk about that in a second. So you know there's another old computer saying, and I talked about it earlier: if it's got to be fast it's probably dangerous, and C and C++ is a good example of that. If you're not using memory-safe allocations you can overflow a buffer really easily, and this just happened at Cloudflare a couple months ago, where they had a legacy component that was written in C, there was a buffer issue, and they were exposing in some of the responses to clients other areas of memory that may have contained tokens and other stuff. It's bad. They did a wonderful job cleaning up and responding to it. I'm sure their code audits and response make them extremely secure right now, but this is a big deal, like this stuff still happens, and buffer overflows have been around since I was in my teens, I think. So what do you do? What's the defensive play here, what's out of the playbook here? Use memory-safe languages, or really good protection. I first just had memory-safe languages in there and then said no, people still need to use this stuff, so they should be using protections if they're writing stuff in a non-memory-safe language closer to the metal: so address space layout randomization, DEP for memory execution protection, etc. Well, you can use memory-safe languages and they're really good, they're getting really fast, so your .NET stuff, they check the memory; Java's been doing it for a long time; Python; Go. Go might be one of the fastest. I touched on Cloudflare: a lot, if not almost all, of their stuff is written in Go, a weird language from Google, and it is super fast in performance and is memory safe. All right, cool.

Reconnaissance. So adversaries need to learn about, research, identify or select your targets; like they have to enumerate your attack surface and do investigation. Well, you should have really robust monitoring and maybe
even some deception techniques. So a good example is on the edge of my platform: if you're using some crappy bot and it doesn't do full-on JavaScript like you would have in a normal Chrome browser, we're probably gonna look at the user agent, probably look at your IP address, we're probably going to challenge it with some interstitial pages and challenges doing JavaScript puzzles. If you don't solve those quickly you're probably a bot, and then we're going to go ahead and deal with it. So like we can have really good monitoring and then take actions on those monitoring things quickly at the edge. I'm a big believer in network security monitoring. You guys know who Richard Bejtlich is? He used to lead a bunch of security, actually, at Mandiant, or FireEye, but he has wonderful reading, wonderful stories about out-of-band monitoring and network security monitoring. But I think if someone's doing recon we can probably get some information back, so this is honeypots, honey tokens. I mentioned Thinkst Canary; there's another set of campaigns or tools in Cymmetria that's really interesting, but you can put certain elements in your environment that no one should ever connect to. You can put them inside of Word docs even, and if someone's opening these Word docs or looking at these tokens, someone's doing reconnaissance. You should probably figure out what's going on, have adaptive defense and then deal with it. So I mentioned a fake NAS in a protected segment: you shouldn't touch that thing, it's a very high value alert. I think we all get low value alerts in our inbox, that's just noisy. That's one of those alerts that should never go off, and you should have those alerts in your environment, and if it goes off you've got a problem. And I put a link, this is from the NSA, and they were pretty transparent saying here's how you keep us out of your environment, and one of the ways is not letting them learn about your network. The gentleman from the NSA basically said "I'm going to know your network better than you by the time we want to do something." Well, stop the reconnaissance, that's a good defensive play here. Anyone know what airplane that is, by the way? Extra credit. U-2? Exactly, SR-71. Too easy, should've put the U-2 in there.

All right, this is pivoting and lateral movement. Let the adversary's powers combine: so we've done some reconnaissance, we stole some credentials, we've elevated privilege, and we're going to try and walk around your network, pivot from segment to segment, zone to zone. So we're going to let the defensive powers combine: strong authentication, containment and monitoring. So there's some usual suspects, your stuff you should be doing already, right? Continuous security monitoring, really good segmentation with choke points, areas where traffic has to flow through, strong authentication,
no legacy or garbage protocols, get that out of the environment. But what's a leading practice? And so I talked a little bit about what Slack's doing, and I try to show different examples of how you can combine certain things to do really good defense against lateral movement. I've got two groups up here that do fantastic defense against lateral movement. So pick your log correlation engine of choice; those are two examples, I don't work for either, don't want to advocate either, one's just more expensive, right? So if I send all of our logs to Elastic Stack, and you can do this either in real time using auditd or you could use go-audit, which came from Slack, you're going to stream the logs there in real time, and you can get it off of your environment into like your VPC or your own secure cloud, which is a nice leading practice. And then from that you get data from agents, so go-audit's one, Carbon Black's another one, our friends over at Cybereason have one, osquery is another one that came from Facebook; that one doesn't necessarily stream data but it answers questions quickly about what's going on: file integrity monitoring, what kernel modules are loaded, etc. And then from that you can have some special sauce that you'd write, call it a bot, call it statistical analysis. I promised I wouldn't say machine learning today, so I won't say it anymore, but you would essentially mine that data and then you'd want to find out what's going on. Distribute your security problem across the org: security is not only done by the security team, everyone defends the data at your company, and if you have push notifications or phones, which a lot of us have phones, you can send them a question: did you log in, did you mean to do that, yes or no? If they tap no, it's a security event. So let your powers combine to stop lateral movement, that's a good defensive play.

All right, bot abuse. Exercise for the audience: can everyone see what is inside of the lower right hand corner, that's in the Courier font? What looks bad about that user agent? Tell me what looks wrong with that.
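The check this exercise is setting up, written out as an added example that is not from the talk: a small Python checker that validates the version token of each product in a user agent (the "regex solution" the speaker mentions a moment later) and counts how many distinct Chrome versions a single client claims across log lines. The access-log lines, IP addresses and user agent strings below are constructed for the example; the client at 198.51.100.9 plays the role of the "clown" bot that puts letters where version integers belong.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real traffic): client IP, status, quoted user agent.
# 203.0.113.7 is a normal browser, 198.51.100.9 randomizes the Chrome version field with
# letters, and 192.0.2.33 is a well-behaved crawler that should not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"',
    '203.0.113.7 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"',
    '198.51.100.9 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.49.ab Safari/537.36"',
    '198.51.100.9 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.49.qz Safari/537.36"',
    '198.51.100.9 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.49.mk Safari/537.36"',
    '192.0.2.33 200 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]

_LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')
# product/version tokens such as Chrome/47.0.2526.111 (comments in parentheses are removed first)
_PRODUCT_RE = re.compile(r'(?P<name>[A-Za-z][\w.-]*)/(?P<version>[^\s;)]+)')
# a genuine browser version is digits separated by dots and nothing else
_VERSION_RE = re.compile(r'^\d+(?:\.\d+)*$')


def _strip_comments(user_agent):
    """Drop (...) comment groups; they are free-form text and would confuse the token regex."""
    return re.sub(r'\([^)]*\)', ' ', user_agent)


def malformed_versions(user_agent):
    """Return (product, version) pairs whose version token is not purely numeric."""
    return [(m.group('name'), m.group('version'))
            for m in _PRODUCT_RE.finditer(_strip_comments(user_agent))
            if not _VERSION_RE.match(m.group('version'))]


def version_spread(log_lines, product='Chrome'):
    """Map client IP -> number of distinct `product` versions it has claimed.

    A real browser on one host reports one version (two, perhaps, across an update);
    many distinct versions from one IP is the statistical tell of a randomized field."""
    seen = defaultdict(set)
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        for pm in _PRODUCT_RE.finditer(_strip_comments(m.group('ua'))):
            if pm.group('name') == product:
                seen[m.group('ip')].add(pm.group('version'))
    return {ip: len(versions) for ip, versions in seen.items()}


def suspicious_clients(log_lines, max_versions=2):
    """IPs worth a challenge: any malformed version token, or more distinct versions
    than a real browser would report within the window."""
    flagged = set()
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m and malformed_versions(m.group('ua')):
            flagged.add(m.group('ip'))
    flagged.update(ip for ip, n in version_spread(log_lines).items() if n > max_versions)
    return sorted(flagged)


if __name__ == '__main__':
    print(suspicious_clients(SAMPLE_LOG))  # ['198.51.100.9']
```

The user agent is entirely client-controlled, so a clean-looking value proves nothing; the point of the two checks is the opposite direction, turning a sloppy forgery into a high-confidence signal you can feed into edge challenges or rate limits, while leaving crawlers that present a consistent, well-formed string alone.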
Anything with the versions of the components that are in there look funny to you? It could be, it could lie to me, this client could certainly lie, but they're doing something to throw the defender off. What are they doing with the versions? Look at the version of Chrome, 47.0.49, and then what's happening after that? Why are there letters where integers should be? You know, they're being clowns, they're randomizing the versions to throw off machine learning, statistics. So like this is real, I saw this and I'm like, clowns, that's not cool, like why would you do that? Like everything else was static, by the way, except for the versions. I'm like, well, you're not a very good adversary, like you can do better. And so we're looking through the logs, we're like, all right, that's a regex solution to that problem, that's what we did. But like you have to monitor what's happening at your edge, because people are going to use adversarial bots like that to abuse forms, could be login, registration; they may want to steal your content, spider your resources, take it, waste your bandwidth, and that's like a problem. But you also can't be so aggressive with your bots that you stop them from spidering your site: Googlebot is nice, Bingbot is nice, LinkedIn bot is nice, this other bot is not nice. So like what do you do there? You have to do a combination of things to make sure the bots stay away. So DDoS mitigation aside, which we should all be doing, what do you do? You can check the browser for integrity: if they're a good bot they're going to respond in a certain way; if they're a bad bot they're probably not going to solve your challenges. The IP reputation we looked at, I'm kind of so-so on that because IPs change so much, but you can issue challenges, and you should be careful about that, but a CAPTCHA, we've all seen Google CAPTCHAs, right, reCAPTCHA's awesome, doesn't work for APIs, so you've got to be careful with how you're responding. You should respond one way for JSON and APIs and differently for HTML; HTML you should leave at parity, but you should be able to challenge your browsers: a full Chrome browser can solve JavaScript a lot faster than a bot, and that's a good thing. So the defensive play for bots: the whole DDoS stuff, you should load balance, you should make sure, if you're a big enough target, you use something like Akamai or Cloudflare, but I'm more worried about abuse now. The whole DDoS thing, it's not totally solved, but I'm worried about abuse, so you should be able to find those bots, and you know if they're doing silly stuff like that, if you don't have those logs that's a problem, but if you have the log fuel to notice that, like that's interesting: if the user agents are that widely distributed statistically, there's something going on.

All right, remote access. If the adversary is not an insider they need some kind of remote access, so what do you do? So we all have VPNs here, I'm assuming we do multi-factor, that stuff, like at least a certificate that you trust as an individual plus credentials. What you can do: you can do push notifications, you can also do neat stuff like geofencing. So I live in Ames, I commute down to Des Moines and I go back to Ames, I go to Des Moines, I go to Ames, and I do that all the time, so by doing that I have a pretty
predictable pattern for where my IP addresses, where I source my connections, are going to be from, and yeah, I travel and do other stuff, but I'm a pretty predictable pattern. So you could look at those logs and say, all right, Ben Schmidt probably is not going to be VPNing in from Denmark 30 minutes after VPNing in from Des Moines; like that doesn't happen, right, that's a problem. So you can apply geofencing; use math to do that, don't just do it, but you can apply geofencing, look at patterns of connectivity, make sure it matches what you'd expect, things that are plausible, and if they're not plausible, send a push notification: what's going on? And then you can figure that out.

OK, vulnerability discovery, this one's cool. So if an adversary can detect your weaknesses they can exploit them for fun and profit, so you remove or mitigate them, and every bit of code probably has vulnerabilities in it, all right? So what do you do? So there's common stuff: limit your attack surface and scan yourself continuously, scan your build. Eric Johnson is talking here today, I think, and gives a really good talk about moving security as far left in the development pipeline as you can: not scanning once it's in production, scanning as far left as you can, like the build, if not down to the IDE. Remove the low-hanging fruit, don't leave that stuff out there. But you can also do more stuff: a private bug bounty program is a good example, because you want to responsibly disclose vulnerabilities and deal with those and reward the researcher, that's all cool. But I think one thing that's a really neat leading practice is something that Etsy's been doing: they log everything, if it moves they log it, and if they can log it they measure it, great. They've even been publicly talking a little bit in the past about how they can see from their logging pen testers trying different things. If they see what the pen tester or adversary is doing quickly, they might know about the exploit before the pen tester has exploited it, and if that's the case then they can fix that bug before it's fully exploited and get their bugs for free, if you monitor well enough, and that's like a really neat place to be. So that's like the zenith of playing application defense at your edge.

Supply chain exploitation. So we all need third parties; do you trust them? Do you trust the third party of a third party of a third party? Well, how do you get your arms around that? So you don't just add them; you really need a vendor management process. It doesn't have to be super onerous, but you should make sure you trust your vendors. How do you gain trust? You need some kind of process, and it may not be "give me your SOC 2 report"; it
might be "show me a pen test report, fill out this form." How do you gain that trust that your vendors are doing the right things? And then based on that you put them in a portfolio based on the data they access and the materiality to your business, rank them, and over time perform a review, or based on an event you perform a review. So a good event, say the Cloudflare thing: that would be an event where I'd want to get some comfort, like OK, so you had this bug, you fixed it quickly, cleaned up the Internet in a week, it's commendable; what have you done to make sure that you've managed that going forward? And that's something your vendor management process can then document and have as a continuous thing you do to evaluate your vendors. And then you should make sure your vendors don't have full-time access to your environment; give them principle of least privilege again, what they need, nothing more. I used to work at a phone company and vendors would have access back when modems were on. Anyone remember modems? Am I dating myself? Like we don't have those anymore, right? War dialing is probably still around, I don't know if that stuff still works, but you don't give your vendors unfettered access. Give them a VPN, but they should schedule when they need to use it, or have a really secure way of getting in your network to help you; they shouldn't have unfettered access to your environment. This is not cool anymore. You guys have all heard about Target, right? They responded well but not soon enough to a big problem, and that came from a third-party portal that a vendor used, an HVAC vendor, and then from there they pivoted and got in and did stuff. So this is like a big deal; this is not just normal compliance work, it's stuff you have to do.

So if defense fails, how do you respond? And I think there was a talk earlier about if there's a data breach what do you do; I think that was given by you, I missed that, I was in the CTF, I apologize, but I'll watch it. So what do you do? No network is intrusion-proof. That's a little defeatist to say, but it's the truth. You need to respond quickly to a security event so it doesn't become a breach. So what do you do? You adapt your defense; defense is not static, it has to change, it has to evolve, just like your adversaries evolve, and you've got to find the evil. So I'm definitely not speaking to the legal side; I'm speaking to what a defensive-minded security team does to support the organization and legal. You need to hunt, isolate and manage the threat according to a process, a critical security incident response process, and you need some training or resources, either people you can call that are trusted and have gone through your vendor risk management process, or people in house that can help isolate the threat. So if you're doing the capture the flag, I'm not trying to give hints, but Volatility might be a useful tool to use in the capture the flag. That's a framework to go through memory. If you're dealing with an advanced threat they're probably not going to write a lot to disk, like that's old school; they're going to put stuff in memory and have a memory-based exploit, so you probably need to image the memory and go through it and find out what processes are running, what processes are no longer running but are still reflected in memory, what's happening on this host,
what's the last, what are the kernel modules running? You need that stuff from memory. So you need to hunt that threat and deal with it, and deal with it probably by doing really good forensic data acquisition, following best evidence and chain of custody, but also being able to go into the memory, going through disks and looking at your MAC times; that's old school, you do a lot more.

I don't know if I have time for war stories, talk to me later. Actually I'll tell you one. The lockouts: this is the most embarrassing piece of code I've ever written in my life, at a different company, not the one I work at now. I was really sick, and I got a call like nine at night: get in here, accounts are locking out that are important to production. All right, so I get in there, we're dealing with an old-school worm, this is a long time ago, and we had to keep production up, and so I wrote a tool, endless loop, I did it in VBScript, so old it was, that would automatically detect the account lockouts, unlock them and log it to a file so we could deal with incident response. And the VBScript wasn't fast enough, then I wrote it in PowerShell, which is a lot faster, to automatically unlock accounts that are being automatically locked, log them to a file so we could keep production up but do incident response. If I'd played like out-of-the-book defense, all right, shut the network down, like that is an issue. We looked at the threat, and so this is automated from the inside, let's mitigate in a different way. So I wrote anti-security software to keep production up, but I wrote a really good logging system to make sure I knew exactly what was happening, and used those logs to isolate the threat, which was commodity malware. We'll talk about proxy abuse and bots another time.

So I'm kind of getting to my last slide here and I want to leave a little time for questions, but defense wins championships. Big fan of J.J. Watt, he makes a massive difference, and I don't know if you ever notice, but the dude catches
passes and does some offense once in a while, just like defenders ought to do on a network or environment: we play a lot of defense, but we can go ahead and put points on the board, we can kick our adversaries out, and we can scrimmage with them; that's what a capture the flag is. Reggie White, awesome, the Minister of Defense; and then Khalil Mack, he's just a terror on the Raiders; I could have put Ray Lewis in here, but you get the point: these are defenders that materially change the game. So defense is evolving and I think it's really exciting. I'm proud to play defense with my team.

So, all right Ben, what are these new design patterns? Give me like a summary here, why is defense cool? We're not talking about popping shells and super-duper kernel-mode rootkit stuff, pen tester stuff; give me some cool defensive stuff. Zero trust networking, with sidecars that can handle connections across mesh networks and do signing and security for you. Canaries and honeypots are getting a lot more popular these days, and this is older stuff, been around for a while, 15-20 years. Control flow integrity, Control Flow Guard: these are compile-time settings to stop the Kali Linux kids from doing return-oriented programming on you. Push notifications, I think I've hit that one an awful lot. Quantum-resistant cryptography, making really good choices on public key crypto; at some point I mentioned RSA's a little long in the tooth, elliptic curve I like a little more, they're going to evolve more. Public key, private key are generally cool; the only real quantum issue there is Grover's algorithm, which is exhaustive key search being much faster; AES is good for a while, just use GCM if you can. Properly layered seven logging, so great, you get bugs for free, I think that is awesome. Moving left, that's security testing in your build or development process, like way left is this way, way over here inside of your IDE; you should be fixing bugs there, not when it's in production. We talked about geofencing, talked about statistical analysis of data, I won't use the ML term, I want to sprinkle that on top for fun. Immutable architecture. Detonation chamber, that's a safe place to put malware and see what it's doing, to figure out what you want to respond to without causing an issue. TLS 1.3, awesome stuff, please use it. And then adaptive defense: defense is not static, it has to evolve based on the threat, it should scrimmage. But still, defense is awesome, I'm proud to play defense, and I work with pen testers, they're fun too, but it's not my jam. So I've got five minutes left, I didn't get the fist pound here, but five minutes, why don't I stop. I have an appendix, we're not going to go through it, but I'll stop for a couple questions.

Oh, question? Sir. So it's very much a leading practice or emerging practice, not super common if you have legacy infrastructure. So you know I talked earlier about an old manufacturing cell; how does that become immutable? The answer: it really can't, you segment that off and deal with it. This is for greenfield deployments. Can you retrofit it? Sure, if you're using Docker and you're using really good virtualization you can apply the principles, but it is harder to do if you don't have microservices, load balancers, Docker, in kind of a greenfield environment. So it is a little aspirational, I have to be honest there, but as your vendors give you solutions, ask them: can you do this in an immutable architecture? Make your vendor answer that for you, or if you're greenfielding an app, try and do that, use it as a design pattern that you're stretching to achieve. It is hard to retrofit on the Windows NT that's sitting around in an old company, but that's why you segment that off. So it's a leading practice; if you have technical debt or you weren't born in the cloud then it's going to be hard to do.

No more questions? All right, thanks a lot for coming, I appreciate it guys. [Applause]