Wednesday, February 12, 2014

CISSP CPE8: Rapid7 webinar: The Anatomy of Deception Based Attacks: How to Secure Against Today’s Major Threat

Length 01:00:00



they are discussing about a new product/service that they are designing.. very interesting .


Getting in by stealing someone’s identity and pretending being them… any credential will do to evade & to have access for long period of time.

Common deception based attack:
Phishing
Convincing drive-by
Malicious USB distribution
Use compromised pwd (ex: adobe breach)
Malicious mobile app
MITM
MITB
Pass the hash
Fake add drive-by

In the news, MS employee account compromised by the syrian electronic army

Target
Dropbox spear phishing campaign deploy new zeus trojan varian
RSA SecureID breach with spear phishing  attack


Accessing through wifi
Russia iron chip suppy chain was compromised.
USB malicious USB cellphone charger

Compromised credential
South Carolina almost all tax payer  had their credential stolen IRS.

Most apps from top bank are insecure
 Very difficult to discover

Yahoo drive-by add – they are legitimate
Often there is not signature / exploit .

Very hard to detect against deception based attack.
Tool to for detection and investigation
Userinsight

Effortless discover of user behavior
Detection of deception
Incident investigation

Many tools today is asset function not user function


Suspicious network access
Domain admins
Mobile device
Cloud services
User phishing risk
Monitor riskiest users


You want to know if employee who is about to leave is dropping lots of data to dropbox…


Service account  - non expiring account

Domain admin activity

Smart detection of deception

Account leak in massive data breach
Network ingress from multiple location
Elevated admin privileges
Authentication from disable accounts
Re-enabling disabled account
Remote access with service accounts
Traffic from TOR nodes or known proxy servers
Addition of an unusual number of mobile device

Involved in mega breach

A lot of people use the same password across different services.


Alert if same user access network from different location in short period of time.


Example of adobe breach –


Fast incident investigation
-    Cut investigation time
-    Immediate context to close incident faster than ever
-    Connect users to assets
-    Prove user responsibility
-    Complete picture of user actions
-    Minimize the need to look into various system


IP correlation

How user behavior being discover

Most of log data (fw, proxy, ldap, AD, auth services)  just pulling the relevant info

It scales for big organization 20 to 50K

What sw should be installed in client side.

2 part:
a.    Very small sw need to be install  can be install in vmware – we collect all logs
It is not SIEM
Most customer use SIEM for compliance reason…

Pricing model..

Yearly, active user.


Labels: ,

0 Comments:

Post a Comment

Subscribe to Post Comments [Atom]

<< Home