Beruflich Dokumente
Kultur Dokumente
Methodology
1
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Agenda
2
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Threat Strategy
3
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Security Strategy Development
4
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Threat Strategy Methodology Monitor
and
Repeat
Positioning 6
5
Counter-
measure
4 1 Determine
Assets
mapping 3 2
Kill Chain Develop Understand
Actors &
Threat
Vectors
Model
5
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Kill Chain Components
6
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
F2T2EA Kill Chain
http://www.military-dictionary.org/F2T2EA
7
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Traditional Kill Chain Model
Gather data and Craft Payload sent Compromise Install malware, Navigate internal Ultimate goals
intelligence on malicious to target system obtain network and achieved
target payload, use (phishing) credentials and setup command
organization exploits for establish and control
vulnerabilities backdoors.
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
8
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Reconnaissance
Initial Planning Phase
• Threat perpetrator or actor researches target
• Analyze online activities and public presence
• Observe websites visited and social media networks used
• Harvest email addresses
• Collect publically available news
• Discover scanning for internet facing systems and applications
• Build a profile
9
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Weaponization
Preparing and Staging the Attack
• Select appropriate malware payload based on research
• Reuse existing malware families – create slight variant
• Build the phishing email campaign
• Leverage exploit kits and botnets
https://blog.barkly.com/how-exploit-kits-work
10
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Delivery
Launching the Attack
• Go live of the compromised website
“watering hole”
• Delivery of the phishing email
• Phishing is the most common attack
vector especially for the US
• Distribution of infected USB sticks
• Execution of attack tools against servers
and applications
11
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Exploitation
Gain Access to Victim
• Exploited a hardware or software vulnerability
• Zero days are rare
• Most vulnerabilities exploited have known patches available
• Tricked a human being into providing access
http://inkotech.co.id/what-is-web-based-malware-also-known-as-web-shell/
13
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Command and Control (C2)
Establish Remote Control
• Use a two-way communication channel for remote control
• Common channels are web, email and DNS
• Often look to escalate privileges
• Move laterally internally
• Employ obfuscation (anti-forensics)
techniques
https://logrhythm.com/blog/catching-beaconing-malware/
14
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Actions and Objectives
Achieve the Goals of the Mission
• Successfully complete their end goal
• Steal data (IP, PII, $$$)
• Corrupt, modify, destroy systems or data
• Use as a launching point to attack another
15
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Use Cases
16
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Controls Mapping
17
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Effectiveness Scorecard
Seven ways to apply the cyber kill chain with a threat intelligence platform – LM
18
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Education and Awareness
INTERNET
Social Media, P2P,
Drive-By Download Lure End-User to
Download Exploit or Exploit
Inject Additional Code,
ATTACK EMAIL
Corrupt File Executed
Trojan or Backdoor
DEVICE
USB Flash Drive,
Phones, Tablets
Malware Establish
Becomes APT Command and
(Final Stage, Control Channel
Mutation)
19
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Target Breach
Supplier portal and facilities RAM scrapping and data Data exfiltrated in plain text
management information Classic phishing campaign exfiltration malware loaded to a server in Russia
publically available directed towards Fazio on POS devices at Target
Target missed warnings from its Target missed information provided by its
anti-intrusion software that anti-intrusion software about the attackers’
attackers were installing malware escape plan, allowing attackers to steal as
in its network. many as 110 million customer records.
22
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Many Similar Versions
Differences
• Change the wording
• Breakout specific actions into stages
• Combine different actions into stages
Gigamon
23
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Limitations
External Intrusion-Centric
• Reinforces perimeter-focused mindset
• Predominately malware-prevention focused
• Less effective for insiders and social engineering
Light on Recommendations
• Steps 1,2,3 have little defensive actions
• Steps 4,5 are classic protection solutions
• Steps 6,7 are more reactive solutions
24
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Final Thoughts
25
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Other Threat Modeling Approaches
http://www.schneier.com/paper-attacktrees-ddj-ft.html
26
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Actors – Intel Threat Agent Library
27
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Threat Modeling – Maturity Assessment
RESUR-
RECTION
28
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Battle Plan – Break the Kill Chain
RESUR-
RECTION
Stop
Fallback Update
Attacker Last Stand
Position Resume
Here
29
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.
Brian.Wrozek@optiv.com
214-797-2007
@bdwtexas
30
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved.