Length 01:00:00
They are discussing a new product/service that they are designing. Very interesting.
Getting in by stealing someone’s identity and pretending to be them… any credential will do to evade detection and keep access for a long period of time.
Common deception based attack:
Phishing
Convincing drive-by
Malicious USB distribution
Use of compromised passwords (ex: Adobe breach)
Malicious mobile app
MITM
MITB
Pass the hash
Fake ad drive-by
In the news: MS employee account compromised by the Syrian Electronic Army
Target
Dropbox spear phishing campaign deploys new Zeus trojan variant
RSA SecurID breach via spear phishing attack
Accessing through wifi
Russia: iron chip supply chain was compromised.
Malicious USB cellphone charger
Compromised credential
South Carolina: almost all taxpayers had their credentials stolen (IRS).
Most apps from top bank are insecure
Very difficult to discover
Yahoo drive-by ad – the ads themselves are legitimate
Often there is no signature / exploit.
Very hard to detect deception-based attacks.
Tool for detection and investigation
Userinsight
Effortless discovery of user behavior
Detection of deception
Incident investigation
Many tools today are asset-centric, not user-centric
Suspicious network access
Domain admins
Mobile device
Cloud services
User phishing risk
Monitor riskiest users
You want to know if an employee who is about to leave is dropping lots of data into Dropbox…
Service account - non expiring account
Domain admin activity
Smart detection of deception
Account leak in massive data breach
Network ingress from multiple locations
Elevated admin privileges
Authentication from disabled accounts
Re-enabling disabled account
Remote access with service accounts
Traffic from TOR nodes or known proxy servers
Addition of an unusual number of mobile devices
Involved in mega breach
A lot of people use the same password across different services.
Alert if the same user accesses the network from different locations within a short period of time.
Example: Adobe breach –
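Added example (my own code, not part of the talk or the UserInsight product): a small detector over constructed logon events that implements three of the rules listed above: authentication from a disabled account, remote access with a service account, and the same user appearing from two different locations within a short window. The account lists, locations, timestamps and the one-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample logon events (not real log data):
# (user, ISO timestamp, source location, event type)
EVENTS = [
    ("alice", "2014-03-01T09:00:00", "Boston", "logon"),
    ("alice", "2014-03-01T09:20:00", "Kiev", "logon"),       # 20 min later, other location
    ("bob", "2014-03-01T10:00:00", "Boston", "logon"),
    ("bob", "2014-03-02T10:00:00", "Boston", "logon"),       # same place, next day
    ("svc_backup", "2014-03-01T11:00:00", "Remote VPN", "logon"),
    ("carol", "2014-03-01T12:00:00", "Boston", "logon"),     # account is disabled
]
DISABLED_ACCOUNTS = {"carol"}        # assumed directory state
SERVICE_ACCOUNTS = {"svc_backup"}    # assumed non-expiring service accounts


def detect(events, disabled, service_accounts, window=timedelta(hours=1)):
    """Return a list of (user, reason) alerts for the deception rules."""
    alerts = []
    last_seen = {}  # user -> (timestamp, location) of previous logon
    for user, ts, location, kind in sorted(events, key=lambda e: e[1]):
        if kind != "logon":
            continue
        t = datetime.fromisoformat(ts)
        # Rule: authentication from a disabled account
        if user in disabled:
            alerts.append((user, "authentication from disabled account"))
        # Rule: remote access with a service account
        if user in service_accounts and location.startswith("Remote"):
            alerts.append((user, "remote access with service account"))
        # Rule: same user from two different locations within the window
        prev = last_seen.get(user)
        if prev and prev[1] != location and t - prev[0] <= window:
            alerts.append((user, f"logon from {prev[1]} then {location} within {window}"))
        last_seen[user] = (t, location)
    return alerts


if __name__ == "__main__":
    for user, reason in detect(EVENTS, DISABLED_ACCOUNTS, SERVICE_ACCOUNTS):
        print(f"ALERT {user}: {reason}")
```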
Fast incident investigation
- Cut investigation time
- Immediate context to close incident faster than ever
- Connect users to assets
- Prove user responsibility
- Complete picture of user actions
- Minimize the need to look into various system
IP correlation
How user behavior is discovered
Mostly from log data (fw, proxy, LDAP, AD, auth services); it just pulls the relevant info
It scales for big organizations (20 to 50K)
What software should be installed on the client side?
2 parts:
a. A very small piece of software needs to be installed (it can be installed in VMware) – it collects all logs
It is not SIEM
Most customers use a SIEM for compliance reasons…
Pricing model..
Yearly, per active user.