Upload File

detecting threats - how to think like an attacker

  • Home
  • Business
  • Detecting Threats - How to Think Like an Attacker
16
DETECTING THREATS HOW TO THINK LIKE A CYBER ATTACKER Albert Hui GREM, GCFA, GCFE, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, CISA, CISM, CRISC Principal Consultant Cyber Risk Workshop October 28 th 2014 @ Hong Kong

Upload: albert-hui

Post on 29-Jun-2015

541 views

Category:

Business


1 download

Report

Tags:

DESCRIPTION

A brief overview of hackers' motivations and methods.

TRANSCRIPT

Page 1: Detecting Threats - How to Think Like an Attacker

DETECTING THREATSHOW TO THINK LIKE A CYBER ATTACKER

Albert Hui GREM, GCFA, GCFE, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, CISA, CISM, CRISCPrincipal Consultant

Cyber Risk WorkshopOctober 28th 2014 @ Hong Kong

Page 2: Detecting Threats - How to Think Like an Attacker

WHO AM I?

• Spoken at Black Hat, High Tech Crime Investigation Association (Asia Pacific Conference), and Economist Corporate Network.

• Risk Consultant for Banks, Government and Critical Infrastructures.

• SANS GIAC Advisory Board Member.

• Former HKUST lecturer.

Albert Hui GREM, GCFA, GCFE, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, CISA, CISM, CRISCPrincipal Consultant

[email protected]

Page 3: Detecting Threats - How to Think Like an Attacker

AGENDA

Cyber Attackers’• Motivations (Why do they hack you?)• Methods (How do they break in?)• Damage Potentials (What can they do to you?)

Countermeasures• How to detect cyber attacks?

Copyright © 2014 Albert Hui

Page 4: Detecting Threats - How to Think Like an Attacker

CYBER ATTACKERS’ MOTIVATIONS

Page 5: Detecting Threats - How to Think Like an Attacker

PRIMARY MOTIVATIONS

Secular Sacred

egomoneyideology

(e.g. hacktivists)

revenge(e.g. formeremployees)

curiosityindustrialespionage

war and terrorism(e.g. state-sponsored

hackers)

Copyright © 2014 Albert Hui

Page 6: Detecting Threats - How to Think Like an Attacker

OPPORTUNISTIC ATTACKTREND: HACKER SUPPLY CHAIN

Anon Payment

Hacker Tools /

Bulletproof

Hosting

Monetization

Implications• Sophisticated attacks now available to

non-experts

• Lower breakeven point for attacks

• More “worthwhile” targets

Copyright © 2014 Albert Hui

Page 7: Detecting Threats - How to Think Like an Attacker

TARGETED ATTACKTREND: CYBER WARFARE AND APT

Implications• More attack budgets

• 0-day attacks

• Threat level corresponds to strategic value

Copyright © 2014 Albert Hui

Page 8: Detecting Threats - How to Think Like an Attacker

CYBER ATTACKERS’ METHODS

Page 9: Detecting Threats - How to Think Like an Attacker

CYBER KILL CHAIN

Recon Weaponize Deliver Exploit Install C2 Action

Copyright © 2014 Albert Hui

Page 10: Detecting Threats - How to Think Like an Attacker

ATTACK ROUTES

Outside-In(e.g. SQLi, XSS, CSRF)

Inside-Out(e.g. web malware, trojaned pdf) Indirect

Home

Office

FW, IPS, etc.

AV, HIPS, etc.Copyright © 2014 Albert Hui

Page 11: Detecting Threats - How to Think Like an Attacker

CYBER ATTACKERS’ DAMAGE POTENTIALS

Page 12: Detecting Threats - How to Think Like an Attacker

COMMON EXPLOITATIONS

Steal Stuff• Intellectual property theft

• Steal money

• Monetize the loot for credit card fraud, spam, DDoS etc.

Wreak Havoc• Break system (e.g. via DDoS)

• Cause system malfunction

• Delete business data and ransom

Consequential Damages• Legal and regulatory consequences

• Reputational damage

• Loss of license

Copyright © 2014 Albert Hui

Page 13: Detecting Threats - How to Think Like an Attacker

DETECTING CYBER ATTACKS

Page 14: Detecting Threats - How to Think Like an Attacker

PHILOSOPHY

Defender’s Dilemma• Must secure all possible vulnerabilities

Intruder’s Dilemma• Must evade all detections

Reason’s Swiss Cheese ModelPicture from NICPLD

Copyright © 2014 Albert Hui

Page 15: Detecting Threats - How to Think Like an Attacker

ESSENTIALS FOR DETECTING CYBER ATTACKS

• Layered defense-in-depth• Redundant security (e.g. two different brands of FWs)• Security event correlation (e.g. SIEM)• Trustworthy logging• Up-to-date threat intelligence• Security awareness and reporting channel• Incident response capability (e.g. CSIRT)

Copyright © 2014 Albert Hui

processpeople

technology

Page 16: Detecting Threats - How to Think Like an Attacker

THANK YOU

[email protected]


A Framework for Detecting Insider Threats using Psychological Triggers

A Framework for Detecting Insider Threats using Psychological

Attacker POV to computer networks Attacker profiles and ...users.jyu.fi/~timoh/TIES327/L3.pdf · • Attacker POV to computer networks • Attacker profiles and public cases ... Product

Detecting Insider Threats in a Real Corporate Database of ...bader/papers/PRODIGAL-KDD2013.pdf · Detecting Insider Threats in a Real Corporate Database of Computer Usage Activity

Insider Attacker Detection

Detecting Anomalies in Users – An UEBA Approach -Jan31-Final3 · 2020-03-16 · Detecting Anomalies in Users – An UEBA Approach Raguvir. S ... Detect insider threats: ... user

Detecting Insider Threats - Splunk

Mobile Application Security Threats through the Eyes of the Attacker

How workplace satisfaction affects insider threat ...€¦ · detecting potentially malicious insider cyber threats and enabling the visualization of threats as they occur. A cyber

Detecting Insider Threats using RADISH, a System for Real

Recognizing, Detecting and Preventing Cyber Security Threats...•Now known to hackers as a victim and will be subject to future attacks. ... •No system is 100% perfect -since threats

DETECTING ADVANCED THREATS WITH SYSMON, WEF AND ELASTICSEARCH · PDF fileDETECTING ADVANCED THREATS WITH SYSMON, WEF, AND ELASTICSEARCH WHY EVENT LOGS? From an advanced threat detection

Detecting advanced and evasive threats on the network

Detecting, Tracking, and Identifying Airborne Threats with Netted … · 2018-09-25 · Detecting, Tracking, and Identifying Airborne Threats with Netted Sensor Fence 141 calculated

Deep Dive: Likely, Real and Unlikely Cyber- Physical ... · Real threats and attacker capabilities (1) Massive espionage (stale news) −Increasing number of targeted process-related

New Detecting Potential Insider Threats through Email Datamining · 2011. 5. 14. · AFIT/GCS/ENG/06-10 Detecting Potential Insider Threats through Email Datamining James Okolica,

HELDROID: Dissecting and Detecting Mobile …...HELDROID: Dissecting and Detecting Mobile Ransomware 383 is on the rise and will be among the top 5 most dangerous threats in the near

Detecting Emerging Infectious Disease Threats Using the …nationalacademies.org/hmd/~/media/Files/Activity Files/PublicHealth... · Detecting Emerging Infectious Disease Threats

CPS Com2017 Detecting cyber physical threats in an ... · Detecting cyber-physical threats in an autonomous robotic vehicle using Bayesian Networks Anatolij Bezemskij, George Loukas,

Detecting Sybil Nodes in Anonymous Communication Systems · By compromising multiple proxies in the anonymous communication infrastructure, the attacker can perform selective DoS

CDC’s Contribution to the Global Health Security Agenda › globalhealth › healthprotection › ... · Detecting threats, including emerging biological threats, at the earliest

Detecting Insider Threats in a Real Corporate Database of ...web.eecs.umich.edu/~dkoutra/papers/PRODIGAL-KDD2013.pdf · Detecting Insider Threats in a Real Corporate Database of Computer

Detecting APT Malware Infections Based on …...G. Zhao et al.: Detecting APT Malware Infections Based on Malicious DNS and Traffic Analysis the C&C servers, it helps the attacker

TIDS: A Framework for Detecting Threats in Telecom Networks

A Multi-view Deep Learning Approach for Detecting Threats

Attacker Math

Detecting Adversarial Threats - d2zmdbbm9feqrf.cloudfront.netd2zmdbbm9feqrf.cloudfront.net/2014/usa/pdf/BRKSEC-3010.pdf · Detecting Adversarial Threats: Tools, Techniques, and Infrastructure

DETECTING ADVANCED THREATS WITH SYSMON, …...DETECTING ADVANCED THREATS WITH SYSMON, WEF, AND ELASTICSEARCH WHY EVENT LOGS? From an advanced threat detection perspective, most analysts

Detecting Insider Threats in a Real Corporate Database of Computer

LogRhythm Detecting Advanced Threats Use Case

Detecting cyber threats through social network analysis: short … · 2017-03-29 · SocioEconomic Challenges, Volume 1, Issue 1, 2017 20 Detecting cyber threats through social network

Systems for Detecting Advanced Persistent Threats · 2014. 5. 19. · The term “Advanced Persistent Threat” is loosely used for a wide variety of cyber threats. In essence it

Detecting Emerging Infectious Disease Threats Using the .../media/Files/Activity Files... · Detecting Emerging Infectious Disease Threats Using the Internet: ... Hendra virus •1996

Detecting Insider Threats with User Behavior Analytics

Detecting Insider Threats using RADISH, a System for … · Detecting Insider Threats using RADISH, a System for Real-time Anomaly Detection in Heterogeneous Data Streams ... and