Thursday, February 27, 2014

CISSP CPE8: Rapid7 webinar: Vulnerabilities, Dissected: The Past, Present & How to Prepare for their Future

Length 01:00:00

Vulnerability – configuration issue OR programming error that can be exploited.

Why should we care? Because vulnerabilities put things that we value at risk.

4 categories of vulnerabilities: 
1.    remote code execution
2.    elevation of privilege
3.    information disclosure
4.    DoS

Past: attacker going after company
Present: attacker going after individual (stealing ID & credit card info)

CVE (run by MITRE): the standard for describing vulnerabilities.

Vulnerability risk impact:
1.    Vulnerability category (remote code execution > elevation of privilege > information disclosure > DoS)
2.    Ease of exploitation
3.    Location of asset
4.    Importance of asset

Attacker motives & techniques:
1.    Discover/recon
2.    Probing of system/network
3.    Passive engagement
4.    Active engagement
5.    Post exploitation
Chaining vulnerabilities together:
Exploiting one vulnerability in order to exploit other vulnerabilities
Low severity vulnerabilities matter

Example: leaking credentials
Get trivial data as a foothold -> gain limited access -> elevation of privilege
An exploit is the attack that takes advantage of the vulnerability

The Near future of Vulnerabilities:
-    Windows XP EOL
-    Mobile & cloud platforms
-    Directly attacking payment systems
-    Cyber-warfare: asymmetrical battleground/APT engaged in economic espionage

Tips to prepare for the future:
1.    Know your environment
2.    Keep systems up to date
3.    Use mitigation techniques


Wednesday, February 12, 2014

CISSP CPE8: Rapid7 webinar: The Anatomy of Deception Based Attacks: How to Secure Against Today’s Major Threat

Length 01:00:00

They are discussing a new product/service that they are designing. Very interesting.

Getting in by stealing someone's identity and pretending to be them… any credential will do to evade and to have access for a long period of time.

Common deception-based attacks:
Convincing drive-by
Malicious USB distribution
Use of compromised passwords (ex: Adobe breach)
Malicious mobile app
Pass the hash
Fake ad drive-by

In the news: MS employee account compromised by the Syrian Electronic Army

Dropbox spear phishing campaign deploys a new Zeus trojan variant
RSA SecurID breach via spear phishing attack

Accessing through wifi
Russia: iron chip supply chain was compromised.
Malicious USB cellphone charger

Compromised credentials
South Carolina: almost all taxpayers had their credentials stolen (IRS).

Most apps from top banks are insecure
Very difficult to discover

Yahoo drive-by ad – they appear legitimate
Often there is no signature / exploit.

Deception-based attacks are very hard to detect.
Tool for detection and investigation:

Effortless discovery of user behavior
Detection of deception
Incident investigation

Many tools today are asset-centric, not user-centric

Suspicious network access
Domain admins
Mobile device
Cloud services
User phishing risk
Monitor riskiest users

You want to know if an employee who is about to leave is dropping lots of data into Dropbox…

Service accounts – non-expiring accounts

Domain admin activity

Smart detection of deception

Account leak in massive data breach
Network ingress from multiple locations
Elevated admin privileges
Authentication from disabled accounts
Re-enabling disabled accounts
Remote access with service accounts
Traffic from TOR nodes or known proxy servers
Addition of an unusual number of mobile devices

Involved in mega breach

A lot of people use the same password across different services.

Alert if the same user accesses the network from different locations within a short period of time.
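The two alerting rules in the notes above (same user from different locations within a short window, and authentication from disabled accounts) sketched as a small detector over constructed log lines. This is an added example, not the vendor's product or the webinar's material; the log format, the disabled-account list and the one-hour window are assumptions.

```python
# Added example (not from the webinar): flag two deception signals from the
# notes - same user authenticating from different locations within a short
# window, and authentication from a disabled account. All inputs constructed.
from datetime import datetime, timedelta

# Constructed sample auth log: "timestamp user source_location result"
SAMPLE_LOG = """\
2014-02-12T08:00:00 alice  NewYork  success
2014-02-12T08:20:00 alice  London   success
2014-02-12T09:05:00 bob    Boston   success
2014-02-12T16:00:00 bob    Chicago  success
2014-02-12T09:10:00 carol  Denver   success
"""

# Constructed directory state: accounts that should never authenticate
DISABLED_ACCOUNTS = {"carol"}

# "Short period of time" threshold (assumption, tune per environment)
WINDOW = timedelta(hours=1)

def parse_log(text):
    """Parse the constructed log format into sorted (ts, user, loc, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, loc, result = line.split()
        events.append((datetime.fromisoformat(ts), user, loc, result))
    return sorted(events)

def detect(events, disabled=DISABLED_ACCOUNTS, window=WINDOW):
    """Return (rule, user, detail, timestamp) alerts for the two rules above."""
    alerts = []
    last_seen = {}  # user -> (timestamp, location) of the previous success
    for ts, user, loc, result in events:
        if result != "success":
            continue
        # Rule: a disabled account must never authenticate successfully
        if user in disabled:
            alerts.append(("disabled_account_auth", user, loc, ts))
        # Rule: same user, different location, inside the time window
        prev = last_seen.get(user)
        if prev and prev[1] != loc and ts - prev[0] <= window:
            alerts.append(("multi_location_ingress", user, f"{prev[1]}->{loc}", ts))
        last_seen[user] = (ts, loc)
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(*alert)
```

Bob's two logins are seven hours apart, so they fall outside the window and produce no alert; alice and carol do.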

Example: Adobe breach –

Fast incident investigation
-    Cut investigation time
-    Immediate context to close incident faster than ever
-    Connect users to assets
-    Prove user responsibility
-    Complete picture of user actions
-    Minimize the need to look into various systems

IP correlation

How user behavior is discovered

Mostly log data (fw, proxy, LDAP, AD, auth services) – just pulling the relevant info

It scales for big organizations (20 to 50K)

What software needs to be installed on the client side?

2 parts:
a.    Very small piece of software needs to be installed (can be installed in VMware) – it collects all logs
It is not a SIEM
Most customers use a SIEM for compliance reasons…

Pricing model:

Yearly, per active user.
