Taking the Attacker Eviction Red Pill

Information about Taking the Attacker Eviction Red Pill

Published on November 11, 2017

Author: FrodeHommedal

Source: slideshare.net

Content

1. Taking the Attacker Eviction RED PILL

2. Taking the Attacker Eviction Red Pill. Frode Hommedal | Telenor | CM2017

3. Or how to structure your thinking when countering espionage and sabotage from “APT”

4. In this talk we will look at the attempted eviction of a mission-driven and well-organized adversary

5. Beware that this is work in progress and still a bit rough around the edges

6. Incident Response
   PICERL: Prepare, Identify, Contain, Eradicate, Recover, Lessons Learned
   NIST: Preparation; Detect & Analyze; Contain & Eradicate & Recover; Post-Incident Activities
   Bottom line: Eventually you will try to get the attacker off your network

8. Turns out there’s a lot of uncertainty to deal with when responding to a targeted and advanced “APT breach”

9. Incident Response when facing an APT threat
   Best practice: Scope before you start responding.
   Common misstep: Acting too soon, giving your adversary time to adapt.

11. It turns out “acting too soon” is a thing when responding to an APT threat

12. If you want to respond effectively you need to reduce the uncertainty and understand when it’s the right time to act

13. Understanding common APT patterns

14. Intrusion Patterns of “APT” threats
   Sting Operation: Also called “smash and grab”. A direct attack to get a specific piece of information.
   Persistent Infiltration: A long-running campaign against you, where your adversary will gain and sustain unauthorized access to your infrastructure for a long period of time.
   Response: When responding, you should take into consideration what kind of pattern you are seeing.

16. The Structure of an APT infiltration
   Access: An APT infiltration is all about access. They work a lot to gain and sustain access.
   Extract: The purpose of gaining access is to find and extract useful information (or abuse your infrastructure).
   Deliver: All of this is done to deliver on goals set for the attacker’s mission.

19. Why you are targeted by an APT attack team
   Adversarial Relationship: For you to ever be targeted by an APT attack team you must be relevant for some kind of adversarial relationship.
   Providing Access: And you must provide access to something that will help the offensive party gain an advantage in that relationship.
   Observing Collection: What you are observing, though, is only the collection part of a much bigger process.

24. Intermission

25. The IR and eviction process should not really be about evicting the attackers but rather keeping them out and preventing them from effortlessly re-entering

26. It also shouldn’t be about cleaning networks but rather mitigating risk as effectively as possible

27. And sometimes this actually means leaving your network compromised while covertly containing the most important risks by using what you learn from the attackers

28. So how do we make that decision?

29. By structured analytical thinking using analytical models

30. Dwell Time: The time an attacker has stayed undetected in your network.
   Short: Hours to a day. Good chances of catching up with the attacker.
   Medium: Days to weeks. You may catch up if you have a capable and enabled team.
   Long: Months to years. Depending on the attacker, your chances are in all fairness pretty slim without a full purge or migration.

32. Intrusion Patterns of APT threats
   Sting Operation: Also called “smash and grab”. A direct attack to get a specific piece of information.
   Persistent Infiltration: A long-running campaign against you, where your adversary will gain and sustain unauthorized access to your infrastructure for a long period of time.
   Response: When responding, you should take into consideration what kind of pattern you are seeing.

33. The Threat Type Matrix
   Threat Type: Strategic | Tactical | Operational
   Capability: Low | Medium | High
   Strategic: You are a high-priority and long-term target for your adversary
   Tactical: You are a short/medium-term target for a specific reason
   Operational: You are a target because the attacker wants infrastructure

36. The Risk Type Matrix
   Risk Type: Strategic | Tactical | Operational
   Impact: Low | Medium | High
   Strategic: Affects your org’s long-term strategic goals
   Tactical: Affects your org’s current and near-future execution
   Operational: Affects your org’s (IT) operation

39. The Cyber Threat Intelligence Matrix: Mapping your knowledge gaps.
   Depth of knowledge: Footprint | Arsenal | Tradecraft
   Stages of attack: Prep. | Intrusion | Execution
   Presentation: https://www.slideshare.net/FrodeHommedal/the-cyber-threat-intelligence-matrix
   Essay: https://www.mnemonic.no/security-report/making-your-move

46. Threat metrics to help you navigate
   CTI Matrix: Identifying knowledge gaps.
   Threat Type Matrix: Identifying the type of threat.
   Risk Type Matrix: Identifying the type of risk.
   Intrusion Pattern: Identifying the type of infiltration.
   Dwell Time: Identifying the length of the infiltration.

47. With these models in mind we will look at some response patterns
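The dwell-time bands and the CTI Matrix knowledge-gap mapping from the slides above, turned into a small assessment helper. This is an added example, not code from the talk or its author: the day cut-offs for the bands and the "scoped enough to act" rule (footprint known for both the Intrusion and Execution stages) are my assumptions, and the evidence records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import product

# Axes of the CTI Matrix exactly as the deck names them.
DEPTHS = ("Footprint", "Arsenal", "Tradecraft")
STAGES = ("Prep.", "Intrusion", "Execution")


def dwell_time_band(first_activity_iso: str, detected_iso: str) -> str:
    """Band dwell time into the deck's Short / Medium / Long classes.
    The cut-offs (1 day, 30 days) are an assumption; the deck only says
    'hours to a day', 'days to weeks', 'months to years'."""
    dwell = datetime.fromisoformat(detected_iso) - datetime.fromisoformat(first_activity_iso)
    if dwell < timedelta(days=1):
        return "Short"
    if dwell < timedelta(days=30):
        return "Medium"
    return "Long"


@dataclass(frozen=True)
class Evidence:
    depth: str   # one of DEPTHS
    stage: str   # one of STAGES
    note: str    # what was actually observed


def knowledge_gaps(evidence: list[Evidence]) -> list[tuple[str, str]]:
    """Cells (depth, stage) of the CTI Matrix for which nothing has been collected."""
    for e in evidence:
        if e.depth not in DEPTHS or e.stage not in STAGES:
            raise ValueError(f"unknown matrix cell: {e.depth}/{e.stage}")
    covered = {(e.depth, e.stage) for e in evidence}
    return [cell for cell in product(DEPTHS, STAGES) if cell not in covered]


def scoped_enough_to_act(evidence: list[Evidence]) -> bool:
    """Assumed scoping rule (not from the deck): do not act before the attacker's
    footprint is known for both the Intrusion and Execution stages, otherwise a
    partial eviction only tells the adversary to adapt."""
    gaps = set(knowledge_gaps(evidence))
    return not ({("Footprint", "Intrusion"), ("Footprint", "Execution")} & gaps)


# Constructed sample investigation state, not real case data.
SAMPLE_EVIDENCE = [
    Evidence("Footprint", "Intrusion", "phished workstation and first C2 beacon"),
    Evidence("Arsenal", "Intrusion", "dropper and RAT samples recovered"),
    Evidence("Footprint", "Execution", "two servers carrying the attacker's tooling"),
]

if __name__ == "__main__":
    print("dwell time:", dwell_time_band("2017-03-02", "2017-10-20"))
    for depth, stage in knowledge_gaps(SAMPLE_EVIDENCE):
        print(f"gap: {depth:<10} x {stage}")
    print("scoped enough to act:", scoped_enough_to_act(SAMPLE_EVIDENCE))
```

The gap list is the slide's "knowledge gaps" read off the matrix; with only three cells covered, six of nine remain open even though the scoping rule is already satisfied.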

48. Response patterns for your consideration
   Ignore: Ignorance or actively ignoring.
   Disrupt: Continuous remediation.
   Engage: A game of chess heavily reliant on intelligence and a high operational tempo.
   Clean: Scope, shut down and clean.
   Migrate: Build new and migrate.

52. Wrap up

53. So what truth is THE RED PILL of attacker eviction exposing? A way more complex and adversarial incident response reality than most responders are ready to acknowledge

54. Yet the key takeaway is that if you understand your attacker you will be able to improve your response significantly

55. Then you can apply the right response pattern to the identified intrusion pattern and the identified threat and risk types

56. Always outnumbered. Never outgunned! @FrodeHommedal | no.linkedin.com/in/hommedal | frodehommedal.no
