the threats are changing so are we
play

The Threats Are Changing, So Are We. October 2019 About Me Five - PowerPoint PPT Presentation

Mar 30, 2024 •120 likes •562 views

The Threats Are Changing, So Are We. October 2019 About Me Five years as CIO in private industry Thirty years at the European Commission IT management Internal and external audit COO, CRO at the Joint Research Centre

  1. The Threats Are Changing, So Are We. October 2019

  2. About Me • Five years as CIO in private industry • Thirty years at the European Commission – IT management – Internal and external audit – COO, CRO at the Joint Research Centre (3000 scientists) – Founder and Head of CERT-EU 2011-2017 • Consultancy – Trusted Strategic Advisor – Advisor/Board Member in cybersecurity startups 2

  3. Context • Internet of Everything – Increased dependency – Everything connected • Vulnerability Expanding – Inherently fragile – Frequently misconfigured, often unpatchable • Agile Adversaries – Determined – Industrialized – Stealthy 3

  4. Agenda • Threats • Prepare • Adapt • Contribute 4

  5. Threats • Proliferation of Adversaries • More Impact • Proliferation of Techniques 5

  6. Adversaries: Proliferation • State-sponsored actors: more of the same and some more – Established players not afraid of being called out – New kids on the block copycatting established players • Criminal groups – Streamlining operations – Specialization – Copycatting state-sponsored actors • More dramatic (potential) impact

  7. (Not)Petya • Initial infection using legitimate software • Spreading using a leaked NSA tool • Destructive intent: no way to decrypt • “Targeted” • Massive collateral damage 7

  8. 10% of all computers in UA destroyed 3 billion € collateral damage 8

  9. Maersk/APM • 17 container terminals disrupted for weeks • Loading and unloading impossible • Truck chaos • Reinstallation of 40.000 computers • Saved by power cut in Ghana… • More than 300mio € financial impact 9

  10. Big Game Hunting 10

  11. Intermediate Questions • Has your company been facing this type of problem? • Does your company have a cyber insurance in place? • Would your company pay ransom? • Is this a Board issue in your company? • How confident are you in your organisation’s backup? 11

  12. 12

  13. Techniques: Proliferation • Leaked superweapons • Blending in • Broader surface

  14. Leakage of Superweapons • Espionage & law enforcement tools – Three letter agencies – Hacking Team – NSO • Penetration and vulnerability testing tools – Mimikatz – Cobalt Strike – Metasploit – Bloodhound

  15. Blending In • Mails appearing as originating from a trusted origin - Typo squatting - Spoofed - Compromised • Credible content • Stealthy infection and lateral movements – Using legitimate credentials, replicating legitimate behavior – Abusing legitimate C&C infrastructure – Using legitimate tools (PowerShell, WMI, RDP) – Living off the land / file-less

  16. Powershell 16

  17. Targeting Us! 17

  18. Credible 18

  19. Broader Surface • CMS/wiki/webservers • Cloud, VMs • Routers, switches • Control systems, IOT • Processors, firmware • Credentials

  20. Your RDP Open? Sophos - RDP Exposed 20

  21. Your IOT Open? 21

  22. Your Network Open? 22

  23. Your Credentials Open? 23

  24. Agenda • Threats • Prepare • Adapt • Contribute 24

  25. Prepare • Prevent, detect, respond is not enough • Gain visibility –> ZEEK J • Offline backups of your crown jewels Ø AD, configs, gold images, clients, orders… • Manual fall backs / resilience • Incident response plan - BCP • Insurance / Legal support 25

  26. Typical APT • Find a weak entry point • Scan the internal infrastructure • Escalate privileges • Move laterally • Obtain keys to the Kingdom(s) • Establish persistence (golden ticket, routers, bios, legit credentials) • Detonate • Return when you are kicked out

  27. 27

  28. Agenda • Threats • Prepare • Adapt • Contribute 28

  29. Adapt • Prevent, detect, respond are not static • APT, the new normal • Don’t contain too quickly, assume lateral movement • Internal reconnaissance can be noisy -> ZEEK J • Move from Respond into Detect • Track your adversaries and adapt your approaches 29

  30. Gap Sophistication Adversary Dynamic Static Time 30

  31. Gaps In Prevention/Detection 31

  32. Analytics Instead of Indicators Indicators* Analytics Detect known bad Detect suspicious events Artifact-driven Behavior-driven Fewer false positives More false positives More atomic Broader Higher quantity Lower quantity Longer lifetime *good, fresh, indicators are useful too 32

  33. TTPs are more stable Incident 2 Incident 1 Incident 1 Incident 3 Unique TTPs Yara Snort Zeek Scripts Incident 2 Sigma Incident 3 33

  34. Analytics in SIGMA https://github.com/Neo23x0/sigma 34

  35. Sample SIGMA Rule title: Renamed PowerShell status: experimental description: Detects the execution of a renamed PowerShell often used by attackers or malware references: - https://twitter.com/christophetd/status/1164506034720952320 author: Florian Roth date: 2019/08/22 tags: - car.2013-05-009 logsource: product: windows service: sysmon detection: selection: Description: Windows PowerShell Company: Microsoft Corporation filter: Image: '*\powershell.exe' condition: selection and not filter falsepositives: - Unknown level: critical 35

  36. SIGMA Rules 36

  37. SIGMA Tools Atomic Threat Coverage SIGMA Editor https://github.com/krakow2600/atomic-threat-coverage https://github.com/socprime/SigmaUI 37

  38. Zeek Packages 38

  39. Agenda • Threats • Prepare • Adapt • Contribute 39

  40. Contribute • Prevent, detect, respond are can inspire others • Provide feedback and contribute analytics to the Community • Crowdsource behavioral detection libraries • Sharing TTPs/SIGMA/ZEEK rules is easier than sharing IOCs • It’s also more useful – More context – More stable in time • Defense: Proliferation 40

  41. EU ATT&CK User Community • Mailing list -> opt in ? -> email to info@circl.lu • User conference in Brussels 18-19 May 2020 41

  42. Conclusion • The Threats Are Changing • And So Are We: – Preparing – Adapting – Contributing 42

  43. Thank You Don’t Hide The Risk, Manage It www.FreddyDezeure.eu 43

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Preparing to Fail Changing the way we think about cyber threats Oil Rig Pic Flaming Oil Rig

Preparing to Fail Changing the way we think about cyber threats Oil Rig Pic Flaming Oil Rig

Preparing to Fail Changing the way we think about cyber threats Oil Rig Pic Flaming Oil Rig picture The asymmetric nature of the Internet The current state of cyber underground Our current approach UNCLASSIFIED 7 Software Integrity Denial

388 views • 18 slides
TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats

TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats

TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats Explosive ad incendiary Threats Bio Hazardous Powder Threats 3 Improvised mechanical Devices TR15 Smart Scan Can easily detect the component

192 views • 16 slides
53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats

53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats

53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats every minute* * Merrill Lynch ...Causing $3T USD in costs, and expected to double by 2021* * CyberSecurity Ventures (2015) Todays threat

508 views • 35 slides
Changing Places/Changing Faces 1 Running Head: CHANGING PLACES/CHANGES FACES Changing

Changing Places/Changing Faces 1 Running Head: CHANGING PLACES/CHANGES FACES Changing

Changing Places/Changing Faces 1 Running Head: CHANGING PLACES/CHANGES FACES Changing Places/Changing Faces: Immigrant Youth and Identity Development Elham Bagheri & Jay M. Greenfeld, M.A. University of Iowa Changing Places/Changing

401 views • 11 slides
Loom ing Threats - transcript of presentation video Nick : Team 4 Looming Threats, please give

Loom ing Threats - transcript of presentation video Nick : Team 4 Looming Threats, please give

Loom ing Threats - transcript of presentation video Nick : Team 4 Looming Threats, please give them a hand. Mark : Good afternoon, Simon and I have the absolute pleasure to be presenting on behalf of Team Looming Threats. So, one of the, I guess

377 views • 3 slides
Right way to establish critical pro-active defences against emerging cyber threats Andrew J

Right way to establish critical pro-active defences against emerging cyber threats Andrew J

Right way to establish critical pro-active defences against emerging cyber threats Andrew J Clarke Director, One Identity A fast changing world Digital Transformation Internet of Things (IoT) 2 Andrew J Clarke - One Identity The new attack

498 views • 24 slides
CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats

CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats

CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats to small businesses 3. Cyber Recovery Insurance Y our presenters Anne Jackson Sarah Morton Gary Hibberd Sales Director, Lorega Sales and

342 views • 31 slides
The Future of Internet Security Keeping up with the ever changing security Drupalcon 2017

The Future of Internet Security Keeping up with the ever changing security Drupalcon 2017

The Future of Internet Security Keeping up with the ever changing security Drupalcon 2017 threats to Drupal and the web 1 Who is this guy? Chris Teitzel Founder / CEO Lockr technerdteitzel Cellar Door 7 years 10 months in Drupal

694 views • 35 slides
Multi6 Threats draft-nordmark-multi6-threats-00.txt Design Team Members (alphabetical order):

Multi6 Threats draft-nordmark-multi6-threats-00.txt Design Team Members (alphabetical order):

Multi6 Threats draft-nordmark-multi6-threats-00.txt Design Team Members (alphabetical order): Iljitsch van Beijnum, Steve Bellovin, Brian Carpenter, Mike O'Dell, Sean Doran, Dave Katz, Tony Li, Erik Nordmark, and Pekka Savola Why? Allowing

612 views • 11 slides
Threats to Mobile Devices Possible attack threats to mobile devices Network exploit

Threats to Mobile Devices Possible attack threats to mobile devices Network exploit

Threats to Mobile Devices Possible attack threats to mobile devices Network exploit Hackers takes advantage of vulnerability or flaw of users web browser on mobile device in WiFi communication to attack victims. Hackers send

464 views • 30 slides
ICA ICA ICA Self-Defending Networks Digital antibodies neutralize threats

ICA ICA ICA Self-Defending Networks Digital antibodies neutralize threats

ICA ICA ICA Self-Defending Networks Digital antibodies neutralize threats Automatically responds to threats faster than any security team can Takes measured, targeted actions Does not disrupt day-to-day business or

169 views • 5 slides
Responds to Active Threats By: Eric J. Queller ABOUT ME Student Advisor (2017-2019)

Responds to Active Threats By: Eric J. Queller ABOUT ME Student Advisor (2017-2019)

Changing the way Northside ISD Responds to Active Threats By: Eric J. Queller ABOUT ME Student Advisor (2017-2019) Northside ISD School Health Advisory Committee Student Advisor (2018-2019) Northside ISD School Safety & Security

594 views • 37 slides
The New Era of Cyber Threats The Shift to Self-Learning, Self-Defending Networks Georgiana

The New Era of Cyber Threats The Shift to Self-Learning, Self-Defending Networks Georgiana

The New Era of Cyber Threats The Shift to Self-Learning, Self-Defending Networks Georgiana Wagemann Director of Sales, Darktrace Evolving Threats in a New Business Landscape Outsourced IT, SaaS, cloud, virtual, supply chain, IoT Not just data

412 views • 15 slides
Do You See What I See? Navigating Human & Cyber Threats at the Workplace The views expressed

Do You See What I See? Navigating Human & Cyber Threats at the Workplace The views expressed

Do You See What I See? Navigating Human & Cyber Threats at the Workplace The views expressed by us are not representative of the City of Charlotte. OUTLINE INTRODUCTIONS HUMAN THREATS CYBER THREATS QUESTIONS INTRODUCTIONS

445 views • 25 slides
International Perspectives to Technological Voter Registration Threats Dr. Beata

International Perspectives to Technological Voter Registration Threats Dr. Beata

International Perspectives to Technological Voter Registration Threats Dr. Beata Martin-Rozumilowicz IFES Director for Europe and Eurasia Background Cyber threats have become an increasing concern since at least the mid-2000s. This has

332 views • 12 slides
Cyber Threats P R E S E N T E D T O C A S R E I N S U R A N C E S E M I N A R B O S T O N ,

Cyber Threats P R E S E N T E D T O C A S R E I N S U R A N C E S E M I N A R B O S T O N ,

Cyber Threats P R E S E N T E D T O C A S R E I N S U R A N C E S E M I N A R B O S T O N , M A S S A C H U S E T T S J U N E 4 , 2 0 12 Antitrust Notice 2 The Casualty Actuarial Society is committed to adhering strictly to the

577 views • 26 slides
1 You may be confused by that statement one of the major responsibilities assigned to the

1 You may be confused by that statement one of the major responsibilities assigned to the

Welcome to the HUD Broadcast on the Continuum of Care Responsibilities in designating and operating a Homeless Management Information System. In this presentation, we will talk about designating and operating an HMIS, one of the major

643 views • 11 slides
T h e F u t u r e o f E n e r g y & M o b i l i t y S e p t e m b e r 1 7 2 0 1 9 A u

T h e F u t u r e o f E n e r g y & M o b i l i t y S e p t e m b e r 1 7 2 0 1 9 A u

T h e F u t u r e o f E n e r g y & M o b i l i t y S e p t e m b e r 1 7 2 0 1 9 A u s t i n , T X w w w . p i v a . v c 1 E x e c u t i v e S u m m a r y Illustrate technology trends through expert analysis and startups

379 views • 11 slides
The Commodification of Cyber Capabilities: A Grand Cyber Arms Bazaar AGENDA Team

The Commodification of Cyber Capabilities: A Grand Cyber Arms Bazaar AGENDA Team

The Commodification of Cyber Capabilities: A Grand Cyber Arms Bazaar AGENDA Team Introductions Topic Summary Key Findings The Grand Cyber Arms Bazaar Forecasts Impact to Government and Private Sector Analytic

329 views • 16 slides
BRIDGING TECHNOLOGICAL GAP BETWEEN SMALLER AND LARGER LANGUAGES Andrejs Vasijevs Tilde Pisa

BRIDGING TECHNOLOGICAL GAP BETWEEN SMALLER AND LARGER LANGUAGES Andrejs Vasijevs Tilde Pisa

BRIDGING TECHNOLOGICAL GAP BETWEEN SMALLER AND LARGER LANGUAGES Andrejs Vasijevs Tilde Pisa Workshop on Multilingual Web 05.04.2011 LANGUAGE DIVERSITY SHOULD BE NURTURED AND TOOLS PROVIDED TO BRIDGE LANGUAGE BARRIERS UNESCO ON LANGUAGE

832 views • 30 slides
SOA proliferation through speci fi cation James Earl Douglas MediaWiki Developer Summit 2015

SOA proliferation through speci fi cation James Earl Douglas MediaWiki Developer Summit 2015

SOA proliferation through speci fi cation James Earl Douglas MediaWiki Developer Summit 2015 Thesis Service development and consumption fl ourishes in a well-speci fi ed ecosystem. Agenda Background Examples Roadmap Background

475 views • 21 slides
Quiz 1: Tomorrow from 11 AM to 12 noon GG Building Ground Floor

Quiz 1: Tomorrow from 11 AM to 12 noon GG Building Ground Floor

Quiz 1: Tomorrow from 11 AM to 12 noon GG Building Ground Floor So far... Importance of 3D structures Realization that molecules / assemblies /

333 views • 10 slides
4-hydroxypipecolic acid analogue Benito Alcaide,a Pedro Almendros,b Amparo Lunaa aDepartamento de

4-hydroxypipecolic acid analogue Benito Alcaide,a Pedro Almendros,b Amparo Lunaa aDepartamento de

1 [a015] Diastereoselective direct aldol reaction and subsequent cyclization of 2-azetidinone-tethered azides for the preparation of a 4-hydroxypipecolic acid analogue Benito Alcaide,a Pedro Almendros,b Amparo Lunaa aDepartamento de Qumica

416 views • 6 slides
Design and in-vitro testing of new antimicrobial peptides based on QSAR modelling Boris

Design and in-vitro testing of new antimicrobial peptides based on QSAR modelling Boris

Design and in-vitro testing of new antimicrobial peptides based on QSAR modelling Boris Vishnepolsky 1, *, Maya Grigolava 1 , George Zaalishvili 2 , Margarita Karapetian 2 and Malak Pirtskhalava 1, * 1 I.Beritashvili Center of Experimental

574 views • 30 slides

More recommend