SANS Webcast - Trust No One: Introducing SEC530: Defensible Security Architecture
Key Takeaways
The SANS SEC530 course introduces defensible security architecture, focusing on zero-trust mindset and security architecture layers. The course covers security controls, network segmentation, and threat detection.
Full Transcript
welcome to the sans AIPAC webcast series trust no one introducing SEC by thirty defensible security architecture my name is Ravi Sousa and I will be moderating the webcast today your presenter is Eric Conrad please feel free to submit your questions at any point by using the questions tab and a brief Q&A portion will take place at the end of the webcast thank you for your attention now let me turn the mic over to your presenter Eric Conrad Thank You Ruby and welcome everyone to the webcast so just a little background on on this course and the concept of defensible networks defensible security architecture so sans years ago had a course on firewalls 502 and we've retired that course and it was the perimeter security class and when we retired it the the course sought to left and you know it didn't have a champion and it wasn't up to date anymore and so we had a hole in the curriculum for architecture security architecture and I'll talk about security architecture and how it compares with network architecture they're related but they are a bit different and so we had a big hole in the curriculum for an architecture class and five thirty is now filled that hole it is a totally different class in 502 familiar with that brand new class all new slides it's just you know it took you know the firewall track was very specific to firewalls it was also called perimeter security and the perimeter is now dead and so it's much much broader that this is you know security architecture layers one through seven so everything from cables to data and literally everything in between and I wrote it along with Justin Henderson it was a real passion project for me and Justin and I'm absolutely thrilled to see it taking off off the ground you know we've had three runs so far and taking it I'm gonna be in Vegas and under a week teaching it there and then I'll be in Singapore in October and then in Sydney in early November doing the same thing it's a little bit of us but us you know Justin is lead author of 555 tactical sim and analytics 530 in a 455 he's GSC as am i I'm co-opted a few classes and I'm a co Kirkham lead along with Seth Meyers NAR of the stands Blue team curriculum sanz's newest curriculum one of the newest curriculums focusing on the blue team blue team of course being defense red team being offense red team is things like penetration testing and things like that blue team is defending against all that good stuff and you know so I talked briefly about the concept of a perimeter and the perimeter is dead if you have a perimeter based mindset at the very 15 20 year old mindset the idea that you can build this secure firewall sort of analogous to a castle wall and keep all the bad things on the outside and all the good things on the inside and and think along the lines of insides trust a ton sides untrusted that's a very 15 20 year old mindset we need to move away from that we need to move towards what's called zero trust and the idea of I don't particularly care where that device is inside outside etc nothing is automatically trusted zero trust in the end state means filtering between every interface and an entire organization which of course is going to be quite challenging for many of you many of us that's the end goal but don't let perfect get in the way of good you know so just because you can't reach a perfect solution of you know full filtering between every single interface there was some big big steps you can take along that way to at least narrow that gap and so back in the in the 90s late 80s you know Bill Cheswick and I'm not knocking built razmik for saying this was a perfectly reasonable statement to say too soft crunchy shell around a softer center we call it a candy bar design now in 1990 when firewalls have literally just been invented a couple of years ago that was a pretty reasonable statement back in 1990 it's no longer reusable anymore the idea that you could just harden a perimeter and secure the things on the outside and not worry about the things on the inside well those days are long long gone but we still see corporate networks design this way I am I am familiar with a number of 41 hundreds in the u.s. who have a globally flat network now we define flatness in a few different ways when I talk about flat I'm not talking about VLANs per se I'm talking about filtering and we'll talk about VLANs and all kinds of other fun stuff and VLANs are a good thing certainly and segmenting at layer 2 and layer 3 is also a good thing however you have to have filtering and if I can break in an EPC in our network and then reach say TCP port 445 and any other PC on that network that network is too flat you know it regardless of how many layer 2 layer 3 filters you may have we need the segmentation you may have we need filtering between devices and there's a number of different ways to do that of course but if again if I could break in any system and reach any other system on say TCP port 445 that's SMB famously abused by things like Petty and not petty eternal blue things like that you can have catastrophic failures and I'm familiar with a number of Fortune 100's 500s in the u.s. that have a essentially a flat design meaning no filtering and we need to move beyond that right and so I want to be clear with me by security architecture now some people see the word architecture and just stop reading and say Oh network architecture like you're gonna teach me how to design networks globally you know we're gonna teach you how to secure networks globally and so this is not a network design course it's it's a network that's a security architecture course so the idea for security architecture is described right here and then actually now and we'll talk about this it's security at every layer layer 1 layer 2 layer 3 Leverett layer fall all the way to layer 7 layer I'm not gonna go to the OSI model here but layer one is you know cabling and things like that layer 2 switches layer it's for user outers and on the way up right and you secure it at every layer and it turns out you can remove huge amounts of attack surface by simply hardening every layer so we go through the security architecture which is of course you know it goes along well with network architecture but this is not a class for designing global networks it's a class for securing networks right architecting networks to be resilient at every layer and some of the the recent attacks we've seen including the destructive malware fueled by the alleged NSA hacking toolkit there's a bunch of tools that allegedly leaked from the NSA in the US and eternal blue ms70 no one oh those now in the hands of course of criminals and many other and those are being weaponized and they've caused billions of dollars in damage you know large shipping company International shipping company was hit by a couple hundred million dollars u.s. a large pharmaceutical company and we've seen literally billions of dollars of losses due to this weaponized malware and sometimes people call this stuff ransomware a lot of us not actually ransomware ransomware implies you can pay a ransom and get your data back that's not what's happening in many cases in many cases she's simply destroying your data there's no ransom be paid it's just gone and we'll talk about how these things move and how these things propagate on a network and strong security architecture largely mitigates most of the attack surface for these things and what's nice about these concepts are I'm not gonna ask you to buy a whole bunch of new products now at the end of the day there may be a gap analysis we have to buy more products but usually my clients have sufficient that they bought enough stuff already let's just reconfigure what you have let's reconfigure what you have to do a better job now at the end of the day if we do that and you still have gaps perhaps then we'll need to buy some more stuff but it's never my first suggestion to buy more stuff I just go to my clients and I said listen let's just reconfigure what you have retune it reconfigure it and make it better and then at the end of the day we distill a gap will address the gap then so this is Richard bate like Richard Balak is the Godfather of the blue team as I call him he was came out of the air force in the u.s. he wrote to dial of network security monitoring which is a seminal book any blue teamers should have this book on their bookshelf he talks about this term called defensible networks now it's not my term it's his term he actually thanked me on Twitter when he saw that we call this class defensible security architecture and I was quite embarrassed to have him thank me I said no no I need to thank you and he made his points about defensible networks they could be watched they limited a true touch freedom to maneuver that's important they offer a minimum number of services and they can be kept current and that this is the DNA now of what we're talking about here and that book dates to 2004 it is admittedly a bit older it's 14 years old now but it is it is solid gold you should have it on your bookshelf or perhaps Kendyl and when you read a book like that don't get stuck on the tools because obviously 14 years ago tools were a bit different we didn't have Wireshark then we did a serial then but don't get stuck on that don't think about the tool think about the technique he is a new book called the practice of network security monitoring which is wonderful he then updated the concepts of defensible network architecture and these networks can be monitored inventory controlled claimed minimized assessed and current and you know I'm not sure where you folks you know work or what industry you're in you know I've run my own company for 10 years now plus but my previous job before every male company was I was a security officer at a the second largest healthcare provider in New England so the second largest healthcare provider in New England in Boston now I was there what's called a HIPAA security officer that's the u.s. regulation governing healthcare and we you know 12,000 employees a three-state wind probably 20,000 nodes on that wind and we tried I tried to do this and one of the things I found was simply you need to have what a government person might call a data owner that's very important needs identify all your data all your systems and you need to have clear corporate ownership of each because if you don't have clear corporate ownership of each meeting someone's responsible these from a corporate perspective of protecting it it may not get protected and what I've noticed is lots of people love to ignore the the cost of protecting data now if there's any questions just type them in and what I'll do is I'll check them at the end okay sort of try to leave 10 minutes at the end you have any questions just type them in and then I'll go through them at the end and we see doctors for example grabbing a personal PC putting lots of healthcare data on it and then having 10 people share the same login every day so one person will log in the morning 10 people would access healthcare data there'll be no accountability etc and there was no say disk encryption on the laptop etc etc and they were simply ignoring the cost of protecting data meaning they weren't paying the cost of protecting data I mean the data was not being protected so you have to have clear corporate ownership of every asset you have to have someone who's responsible from an organizational perspective now it doesn't mean when I say responsible I mean they're actually doing the hands-on work if you're a manager or director you may not be hands-on but you make sure it happens you delegate those roles so everyone owns assists all systems are owned they're controlled your inventory you minimize the attack surface and you keep them current and this is the DNA of what we're talking about I'll get into specific use cases very quickly that's you right now so just to talk about how the games changed as of last year so it used to be when mal were here to network worms worms used to be what we call breeders not warriors they were very that were dumb they were good at spreading and not doing much else like the Conficker worm from about ten eleven years ago now MS o eight oh six seven that's every pen tester knows that patch right from eleven years ago so MSOE know six seven was the last universal server-side flaw in Windows until well eternal blue you looking at right here and back then if you were missing that patch and something like conficker guard and say you have a thousand systems and one was missing the patch for MS o 7 MS o 8 o 67 excuse me and what would happen is conflict would hit that one system exploit it and that was it your other 999 were fine and what if we simply do his own that one system exploit it and then would fire that exploit off against the other 999 systems it would fail to exploit them because day but they were patched and that was the end of the story and many of us including myself back then were like wow that's really dumb because humans don't work that way human penetration testers don't fire off a thousand exploits on a thousand systems I'm you know I do pen testing as well that's not what I do what I do is I fire off one exploit of one system try to escalate my privileges if I need to to say administrator or system dump the user names dump the hashes dump the plaintext passwords using a tool call me be cats steal credentials and move laterally through stolen credentials through say PS exec or W Mik or remote desktop that's all pen testers move so I might own a thousand systems and I'll use one exploit on one steal credentials and on the other 999 to buy stolen credentials that's what human penetrations have been doing for decades malware didn't really do that commonly until last year and so what not petia did was it married allegedly the the tools allegedly leaked from the NSA married them to this very intelligent pivoting mechanism where it moved just like a human pan Chester all in one box steal credentials dump usernames dump hashes dump plaintext passwords log into other systems as a quote authorized user at least stolen you know authorized access stolen access and then move laterally through W Mik or PS exact and things like that which by the way natively offer virtually no logging with with default logging configuration on Windows and in the end one system on patch 2000 go down depending on how you've set up your authentication things like that and so we had not petia caused billions of dollars in damage and very large companies is a pharmaceutical company based in the US who has suffered hundreds of millions of dollars in losses they've had a ship they've had a triage the creation of medicines including vaccines because they were so heavily impacted by this malware and so you now have the nightmare scenario of malware impacting health and human safety because this large company for a period of time couldn't ship medicines they had a triage how they were shipping medicines and I think you know now that that standards been said that that that mold has been cast I think we'll see a lot more malware doing this we have seen a lot more malware doing this now city of Atlanta got hit with Sam Sam and so marrying these advanced attacks from allegedly leaked from the NSA was intelligent pivoting based on how humans pivot and it's really changed the game in a meaningful and very negative way and the old design of the candy bar design of a hardened perimeter and a software inside is simply failing wholesale we need to move towards zero trust or at least toward zero trust to mitigate that threat so we're gonna look at it obviously this is just a sampling of what five-thirty has and it's a six day course with you know net wars and everything else and add a sixth challenge and so I'm just about best of highlight-reel here and if you think this is you know looks did receive you come check us out so we'll talk about private VLANs which to me is one of the simplest things you can do to largely to move the needle towards zero trust in a very meaningful way we'll look at net flow darknet routing other things like proxies let's dig in now so usually my first suggestion for a client is this private VLANs private VLANs offer the same functionality that some corporate style wireless solutions offer which is called station isolation station isolation on a wireless network means clients can't talk to clients clients can only talk to the access point and things beyond the access point like the internet or other servers but you can't talk to other clients in the same wireless network now at a hotel or coffee shop I very much want station isolation there's no value-add for me in hotel room 178 to have someone's PC and one room 179 scanning me there was zero value add there's no need to talk to other pcs in a hotel in a coffee shop etc so everyone pretty much agrees that wireless station isolation is a great idea it removes entire swathes of attack surface off the table clients can't attack clients which is great they can only attack things beyond the access point or the access point itself I suppose and things beyond the access points such as servers or perhaps things on the internet but in order to attack a system now you have to route because normally on a switch or an access point if I attack something else in that same switch I'm not actually routing I'm simply attacking something on the same switches me so if some client PC attacks some other client PC and a wireless network most companies can't see that you don't have intrusion detection systems on every switch or access point you don't have IPS is you know you might have that towards your core you might have that on critical networks but you probably don't have that in every client network and so if one client affects another client that's often visible at least from a network perspective and so why the station isolation I think is a obviously a great idea in many many environments and all the private VLAN is the same thing for a wired network that's all it is any um you know commercial grade switch such as a Cisco or juniper or anything like that anything else like that can easily do this and what you do is you create you have to have some basic sane network segmentation and and the the most basic level of network segmentation you require our server networks and client networks right so you put your servers and now you can have a lot more segmentation than that but if you want to have baby steps and start somewhere put your servers on a server VLAN put your clients on a client VLAN now you want to have at least two classes of clients IT clients and regular clients regular clients can't talk to any other client IT clients could talk to anyone why because they're administering systems obviously right and so if you make if you have IT clients and then regular Klein on IT clients and you mark the non IT client VLAN private none of those pcs can talk to each other and you just move the needle in a huge way toward zero trust with about a 10 line configuration change on the switches it's simple it's very simple to do now obviously you need to test this is built-in functionality it's about 10 line config change four of my five clients we keep turned it on click no one noticed and it just worked and now if you have 10,000 client pcs say you have 50 IT pcs 10,000 client pcs and maybe 100 servers let's say those 10,000 client pcs can't talk to each other they can't attack each other they can't affect each other and this is stuff you probably already bought this is a switch you already have or switches you already have there's no additional cost for this now you will get some resistance probably if what one thing I've noticed an IT is a lot of people in IT fight changed they'll fight almost every change you bring down the pike because it's just human nature to fight something that's different and they think it's difficult and it's not actually difficult your network engineer's may complain Eric you know we have 10,000 client pcs are you suggesting 10,000 VLANs no I'm suggesting one VLAN one view only need one your market private and they can't talk to each other they can only talk to the default gateway and things beyond it right that's it obviously IT is going to be accepted from this because they're administering systems right and you could Trump private VLANs it works very very well are there any use cases where clients have to talk to clients usually not now other cases where clients do talk to clients sure on a Windows network especially not buyers broadcast that stuff happens all day long but it's not actually required to operate my Windows 10 does have this quote delivery optimization mode for patching which is optional we're basically pcs can send patches to pcs on a very ad hoc basis I wouldn't recommend that for a you know any kind of formal network anyways you should have a patching server that's more designed for like workgroups and very informal at things I wouldn't recommend that anyways for company some audio/video stuff goes peer-to-peer but almost all of that like the Cisco stuff can go via a server and there's a few use cases like that but usually there's easy workarounds right and again this largely hardens that network if we again client pcs can't attack other client pcs when I was describing some of these concepts to a pen tester I know I went through about four or five things that I do for all my clients and he looked at me he said I am so happy Eric that you don't work with the companies that I perform pen tests on cuz you're killing me ma'am you just killing me what stuff so one of the things you want to look for as a defender and as a security architect you want to look for these asymmetries you want to look for controls that are easy to configure for the defender you make the attackers job much much harder so things that might take you minutes or a few hours with testing which is all that we're looking at here in most cases and now you're adding days or weeks to a pen testers or malware's life or it's simply failing it's easy for you and it's hard for them it's easy for the blue team and hard for the red you should do those things use a search for those things and those red blue asymmetries where the blue team has an easy time doing it the red team's job is much much harder this speaks strongly to that this is an old-school thing I've been doing for a long time now the term dark net is it's kind of been borrowed now dark net often people talk about the dark web and things like you know tor dark nets that term predates that and the original term for an IP dark net was simply IP space you owned but weren't using and you can even use this for private networks right so you own say a number of Class C addresses my last company we owned twenty one class C's right twenty one public class C's and internally now you in my last company the hospital chain we're only actually using five of them so we're using five of the sixteen they were contiguous they were in order and so five the sixteen we were using and five of the 21 rather we were using and other 16 we weren't using so what I did was internally now not on the Internet internally I routed that traffic to a darknet router where I basically counted it and dropped it now why are you routing unrouted traffic Erik why would you do that well how does malware work most malware when it hits a PC it scans things around them it'll scan if it's on you know 192.168 1.7 it'll scan 1.0 1.1 1.2 1.3 i'll go through like it'll go through 2.1 and 2.2 and 2.3 and 3.1 and 3 and it'll often skin networks it'll scan PCs on the same network or IPs on the same network and ip's in nearby networks and the thinking is if I find another network that's contiguous for the network I'm on as malware that network may be on firewall because it's behind that firewall right and so this even works for private addresses if you're using 192.168.0.0 and 1.0 and 2.0 let's say and you're ignoring 3.0 4.0 5.0 route that to a darknet router and then either just counted there and drop it or then fold it to a packet vacuum why because you'll see explosions in darknet traffic when something starts scanning when something hits a network say a 192 dot 168 at 1.7 it'll often for the scan again the two network the three network the four network and what you'll see is explosions of traffic two unrouted addresses so formally unrouted addresses now on the internet you'll stuff hitting darkness all day long because that's the nature of the Internet but internally this should be pretty unusual you shouldn't see things scanning networks well you have nothing there right so behind your firewall you know formally unrouted traffic router to the darknet router and you can just simply you know count it there and drop in a monitor via SNMP or even better send it to a packet vacuum something like security onion and why would you want to do this well I'll show you here sorry I am my pcs locked up momentarily my slides are rather so hopefully is come back one moment you all right let's try this again there we go sorry about that and so here is team Crow Murray detecting the witty worm and what you see some time right before 5:00 a.m. you can see it right down there the giant burst in traffic right and so I caught a big five accounting firm conducting a pen test this way at that same company I mentioned so we had 21 class C's I we were using five of them behind its internally now and the other 16 I had been ignoring I routed them to a darknet router and we saw it and I had my my NOC watch this and the NOC would we didn't have a full time sock we had a nine-to-five sock Security Operations Center we had 24/7 NOC but these folks were network operators their backup people their you know good hard-working people but they're not security people and I told them if you see a giant spike on that you watch this graph just put it on one of the monitors if you see a big spike you wake someone up and sure enough there's a giant spike a tenfold spike in traffic to darknet router and they woke up one of our instant handlers and that was a big five accounting firm who had broken into one pc we're in a net nmap scan of the entire Class B and they lit up my dark net router so this was you know our fastest IDs for scanning it could be an nmap scan a port scan it could be any kind of scan that hits a lot of pcs you'll see this right so you catch worms you'll catch malware you'll catch pen testers you'll catch a map you catch all kinds of good stuff right moving on up the chain now and basically 5:30 we secure layers 1 through 7 in order and moving up to email now email is intensely dangerous most intrusions probably north of 80% begin with email and it's an intensely dangerous thing to handle when I tell my small midsize clients is don't run your own mail server you have to be really good at this now if your big company or for your security focus company or there's also some appliance that you can buy certainly to offload this if you're one of those fine I understand you're running your own mail relay but if you're a small midsize company you're better off outsourcing that because it's so intensely dangerous have someone like Microsoft handle for you or Google handle it for you there's a bunch of private providers they're my company uses Google you can buy you know Gmail for private domain and but if you do handle your own email of course you want to be very very careful and also who can spook your email because if someone's sending spoofs spoofed emails some of the worst cases I've handled use cousin domains or look-alike domains you know I saw a talk from an FBI agent two years ago for the sans sans conference and he was saying how there was a company in in Nashville Tennessee and they used their accountants with Johnson accounting comm and the bad guys registered Johnson accountants calm right so you your CPA is Fred at Johnson accounting calm now you're getting email from Freddy Johnson accountants calm all right and you know the day all kinds of fraud they stole millions of dollars you have to be very very careful of these cousin domains they look alike domains and certainly who's authorized to send email from your actual domain that's a very basic form of sanitization need to perform here you can use SPF for that you can use D Kim for that if you have outsourced your email you want to make sure that you set these things up you can set up SPF and DKIM other things through you know Gmail and through office 365 etc so DNS twist is now looking for these cousin dimming and so we have SEC five-30 calm and someone ready someone wedding ready should SEC 5/3 capital o calm and all sudden you're getting email from the CEO at SEC 5/3 capital o comm right and you set a best PF for five thirty calm with a zero but not obviously for five three okay he didn't buy that someone else bought that domain will you and me I could easily miss that if I was rushing a bit on a given day would your employees catch that and so what you want to do is have dns twist running these things this email things come in how how similar are the domains to the mains you actually own and register at a certain percentage of similarity you want to alert or perhaps block right we'll talk about various forms of blocking and how it does not have to be a binary thing but cousin domains and look-alike domains are used as some of them the biggest you know when it comes down like you know spearfishing sometimes called hunting when it's very very tailored to your company as a targeted attack an apt style targeted attack we see these things happening and most companies just fall prey to with Johnson accounting comm is now Johnson accountants calm and your accountants don't notice that and they're sending financials off to the bad guys you want to be very very careful with this and DNS twist capture some of these look-alike domains especially now the DNS supports beyond just ASCII DNS supports Unicode Unicode of course now and so you can have you know a lowercase R but it's not ASCII it could be like Cyrillic or something so it's a different character but it's pixel by pixel that the same pixels your users won't notice that I probably wouldn't notice that but DNS twist can definitely catch that you need again identify your assets you can go network-centric or data centric we actually look at it both ways and you know focus on network pieces as we do in five thirty but then look at the actual data I always ask my clients you know what data can't leave what's your most sensitive data what key what keeps you up at night where is it who owns it and we work from that perspective now there's a lot of great breakthroughs and IDS's lately and of course snort is the granddaddy and all this stuff we also bro and saw ricotta and saw ricotta has really made some great leaps lately and it's and it's also created a lot of great competition with snort as well where there's been short kata added a bunch of great features such as multi-threading and JSON reporting and things like that and now snorts actually adding similar features as well it's great for everyone because you know we get to use these products you can buy you can use this stuff open-source you can buy Cisco fire power which is source fire which is based on snort and so there's been a real kind of arms race and these IDS's bro saw ricotta and snort it's really hard to go wrong and Cercado is great because it's multi-threaded although snort so now adding that some of the reporting now they move beyond just flat logs they've gone to JSON which is great because it's very you can export import that stuff sericata can do things such as automatically carved files out of the the network automatically carve all PDFs automatically carve all exe again now snorts playing catch-up adding those things to so you can't go wrong with any of those products I mentioned and again saw ricotta is great and they're really pushing the envelope on what you're doing on IDs is Allah bro Bros fantastic you can do a lot of the things I just mentioned previously such as Auto carving files burro is really a language that describes packets so I want to carve all PDFs to come across the wire I want to call carve all spreadsheets or anything with a macro or eyx ease or I want to look at all x.509 certain on and on and on and on all user agents for web traffic and Broz wonderful feeds and things like security onion and of course many many other products so metadata such as you know abnormal events strange user agents you know I I looked at the government funded me to look at ransomware but a year and a half ago so I spent about six weeks in my office infecting myself with hundreds of strains of ransomware on obviously a clean network with you know snapshots and everything else and I clicked YES on everything I agreed everything I channeled my true inner user and I infected myself hundreds of times and they wanted to know you know how do you detect this stuff prevent and detect obviously and I was actually surprised at how very blatant the most of the ransomware is in the network it's not quiet at all it's very very loud you know and a Windows 7 system in fact with ransomware starts sending user agents that claim to be from a Windows 2000 server you know so why does a Windows 7 because you know Windows operating systems will announce the Antique kernel version in the user agent string of like say if you use you know a browser on on Windows it'll in the user ADA string it anounced basically the anti kernel version and obviously the NT kernel version for Windows 7 will happens to be Windows NT 6.1 and all sudden it's claiming a Windows 2000 user agent obviously bogus and so what I saw when I was looking at the ransomware lots of it is notably bogus user agents complete explosions in DNS resolutions like it might to resolve thousands and thousands of bad names and you know we have these things called domain generation algorithms DJs now used to be you had a domain you know evil domain.com and malware used evil domain.com and then of course you know your reputation services within blacklist evil domain comm so now what the criminals do and then the the malware authors do is they'll generate a piece of map will generate fifty domains through an algorithm every four hours or every eight hours so every eight hours it'll generate a new list of 50 domains only one of which is live only one of which is there they'll try to resolve all 50 creating 49 failed resolutions and usually one successful it'll find the one success will connect to that so why are they using 50 domains but only actually one of them well it's gonna be very difficult to blacklist 50 domains every eight hours right and so if they keep churning new domains every eight hours and they'll try to resolve 50 only one works trying to blacklist all that stuff's gonna fail reputation services are gonna fall behind so reputation services don't do a good job on domain generation algorithms which modern malware is now using and so but it creates these explosions of failed lookups and broken catch that through DNS logs and things like that it's pretty easy to pick up once you look at it but most people don't log DNS they don't look at DNS they treat DNS like a utility you know names resolve your names aren't resolving kind of a thing you know all right SSL inspection so once it comes up a lot of caught of course is how we're increasingly blinded through encryption and how do you handle that well there's lots of tools that gonna actually decrypt SSL now there are of course privacy aspects to this if you're listening in Europe the European privacy directives and other things can make this challenging so make sure your lawyer is agree and make sure your HR department agrees and your legal counsel and all that stuff but there are tools even open-source tools like MIT em proxy you can do it for free there were tools like blue code but ideally you do want to look at the the SSL you know decrypted SSL and so what you have what happens is if if a system goes to an SSL proxy it'll you know decrypt it it'll land the SSL session there reinitiated session on the session on the other side and then have the unexpected content in the middle there's a bunch of work you have to do with certificates and trusts and inputting the certs it works fairly well now again there are some privacy issues etc but that does remove the blind spot and again even free tools mi TM proxies a free tool we use we have labs in 5:30 you can do those to the open source tools now pretty well and that removes that blind spot a lot get your IDs back in the game get your IPS back in the game ultimately combination of that if you can and obviously falling back to the end host because the the end host the client of the server will see the decrypted content so if you if you're concerned about this as I think you should be either you can expect the SSL on the wire through the tools like this and or expect it on the end hose because the end hose will see the normalized content so one or both of those options is something you should be looking at and this again gets your IDs back in the game we call it an ssl decrypt me report and so the ssl proxy not only proxies the ssl both from to and from the device it also sends those packets out essentially the equivalent of a span port not exactly it's being employed but a similar thing and now your ids/ips is now back in the game you could run the IIPs right on the ssl proxy putting it putting it in line or have an IDs offline just like it would be normally and now you have all the inspected the plaintext content it's back in the game and that could work very very well so one of the things I've learned from the hospitals especially is you have to hunt down data you can ask people like ok your sensitive data well that's healthcare data or government data or financial data or whatever you have to have if you ask employees where they think it is they usually don't know where all of it is right and so we have to go you know threat hunting is very much in vogue now going out hunting the threats I like to hunt data you know go through and hunt data like find out where that data is like if someone were to you know save healthcare data on an insecure server or an insecure place what would that look like where would that be and go find it you can't assume is it's not happening you have to assume it's happening and hunt it down just like a threat our hunts down threats you should hunt down data that's put in places where it shouldn't be I learned this lesson in a healthcare environment when I looked for medical records outside my firewall they may be the HIPAA security officer you know and I put a idea sensor outside the firewall looking for unencrypted medical transactions it turns out the medical transactions have very unique transaction IDs that should never exist plain text outside my firewall and I found thousands of records in you know the first hour and I after I picked myself up off the floor and I verified there were true positives and they were it wasn't an evil attacker it was just mistakes we had a couple of systems where the the user made a mistake they clicked the wrong button or they didn't click the right button or someone was misguided it was simply mistakes and we call that layer eight by the way not an official OSI model layer layer aid is the person making a mistake but you have to make your systems more resilient against that because people will make mistakes it's human nature and so I learned then if you if you have a policy saying medical data must be encrypted on the internet or banking data or whatever it is you can write the policy you can feel good about the policy you can tell your users about that policy you can enforce the policy but you have to verify it's actually happening or not and then hunt so hunt for data hunt for unencrypted data where it shouldn't be hunt for data in databases where it shouldn't be hunt for data on file servers or storage area networks in areas where it shouldn't be and I've learned and I've had a lot of clients we always find data where it shouldn't be people again like to ignore the cost of protecting data meaning they're not protecting the data and it's not a it's a casual thing they're doing they're making mistakes that they're not intently intentionally trying to harm your company but the introduced and tremendous risk to your company by simply treating data too casually so here's something that Justin came up with he hunts every row and every column for data he here he's looking for credit cards so he pulls in he goes to a database and as your database and he looks through every row in every column in every field of every database table and the entire database server looking for what could be credit cards and you might think hey our credit card data stored right here on this table only well you believe that and that may be true but I wouldn't you know I wouldn't consider that true until I hunt it and so searching every row on every table at every field of every database table and entire database looking for certain things whether it's credit cards whether it's you know healthcare transaction IDs whether it's bank accounts and the US Social Security numbers things like that or passport numbers or whatever hunt that stuff down obviously you want to have permission from HR etc because you can end up seeing sensitive data this way but anytime we've gone through exercises like that you know we find this type of data we find that almost every time and you talk to the user they made a mistake or they didn't know they didn't understand and that's human nature but again you have to plan for human nature and you have to build your systems to be more resilient to human nature you know there's a there's a terrible plane crash in the US a few months ago and you know a engine exploded and it tore open a window and person got killed and it was tragic and was awful but someone on social media took a picture when yell did the air mass fall down the oxygen masks and they took a picture and everyone had their oxygen and in the picture everyone had the oxygen mask below their nose so their nose was not in the mask and a lot of people on social media be like hey you know you should listen to the you know preflight thing I'm like how about you designed a better system you know because the oxygen masks look like little cups that were round on this plane anyways so if it's a round cup you'll probably put it over your mouth but if it's a cup of the little notch where the nose clearly goes you're more likely to put it over your nose right and these cups oxygen mask we just round cups they look like a cup to my drink you know water out of there was no little notch bridge where the nose should go and so sure you should listen to pre-flight video and you should watch all that you should pay attention but we should build better systems those masts should have little notches that way someone's much more likely to use it properly so yes you know right policy train your uses make them aware but ultimately also build better systems you know we've been telling users to make better passwords for decades now and it's just failed it just failed so we need to build better systems this is a neat trick Justin came up with I didn't realize the PowerShell can read images in natively you can do OCR as a built-in command Wow I had no idea so what if you have sensitive data in images or PDFs plenty of PDFs have sensitive data right you fill out all kinds of forms in PDF form so what if you have sensitive data such as credit card numbers or passport numbers or whatever but in an image how do you find that there's many commercial tools that can do that I'm sure you could do this on Linux or UNIX but built-in functionality to PowerShell boom you see the whole thing right there now I read it as five three capital o SEC five thirty they got that fake social security number correct but that's pretty powerful so now you can script things you can search your databases for data and database tables you search images for certain data and go hunting for that sensitive data and again every time we perform steps like this we found stuff I don't think we've ever failed to find something interesting and I'll give credit where it's due PowerShell I'm an old-school Linux UNIX guy but man it is powerful stuff you know I've been learning as much PowerShell as I possibly can I matched gonna be a Derby con if you're there say hi gonna be the Derby con next month taking colors Perez's PowerShell class because I want to learn more PowerShell so it's I'm learning a lot it's it's different than Linux pipes pass objects not text and that hurt my brain for a long time but I think I'm mostly there but um PowerShell is powerful and somebody your company if your window shop of course should be hopefully doing things like this in PowerShell so zero trust I talked about it and this is the old outside untrusted inside trust that we have to go away and we can assign a trust score and it doesn't have to be you know binary it doesn't have to be 1 or 0 maybe the PCs inside that's plus 10 points you login with dual factor another 10 points no etc and then at a certain trust score points you get more access or less so 0 Trust says the network's always hostile inside or out there's always going to be both internal and external threats and simply being on the network internal network is not enough to mean fully trust it can be partially busted but not fully trusted and you have to verify every device log and expect all traffic now again don't let perfect get in the way of good if you see this and think that's impossible my company will never get there in ten years okay take steps towards it okay because my last company we wouldn't have gotten there at ten years at hospital chain it was a non-profit understaffed we could do private VLANs we could do lots of things we couldn't do all of it we could do a lot of it okay so don't look perfect get in the way of good if you can't if this seems impossible do what you can and a private Avilan is a big step towards that at least for the clients one awesome trick I picked this up from Jason Fossum from 505 is Windows servers certainly and many of the clients support IPSec and if you turn on mandatory IPSec on say a server network it's easier on service to get started as a pentester urged malware I can't do a port scan without what they are without negotiating IPSec I literally can't send a single packet or get a single packet responded to like if I send a syn there's no syn ACK back unless I negotiate IPSec and often on Windows Server clusters it's it's a few configuration changes click click click and you're done like if you have a multi tier web architecture where users are talking to the Windows web server and that Windows web servers talking to other servers such as database servers in the backside you turn on a mandatory IPSec on the backside and now all those servers are now on this kind of invisibility shield and users concern for the web server they can't see anything past it unless they negotiate IPSec you can also of course do IPSec on the clients but that's usually a taller a harder lift certainly a good goal but if you turn on mandatory IP ii at least to begin on the servers no pentester no malware can send us get a connect to any ports until they first negotiate IPSec this is a built-in functionality so it may be a few configuration changes maybe a half an hour or an hour of testing or configuration and then more testing and then BOOM and again this is one of those red/blue asymmetries it's very you're making the job very difficult for the red team and it's fairly straightforward for the blue team to pull off it also speaks strongly to zero trust and its built-in functionality on a Windows Network you already own so let's talk about earlier variable trust so it doesn't have to be all or nothing so like maybe okay you're you're on the inside of that Network you're on an internal network you get ten points and then okay you um you also authenticated with dual factor authentication ten more points and your PC is fully patched ten more points and your antivirus is up-to-date ten more points etc so maybe being on the internal network only gets you access to some less sensitive things but not a sensitive database such as PCI you want to access PCI which is payment card industry that requires you know dual factor authentication encrypted connection up-to-date antivirus fully patched all right if you don't have those four things you get less access and maybe no access to PCI so get away from these you know binary one and zero decisions and move more towards a granular a granular approach I'm sorry I just didn't mean to do that there you go all right so I had every share again once in a while I get stuck but I think we're I think we're almost there there we go all right so right about on time yeah 1048 so that's what I want to cover today if you're going to be in Singapore or Sydney October November I love to see you there and you know I did what what five 30s like we're taking it all around the world it's gonna be running about 25 times next year so we don't catch you this time we'll catch you next time and I'll see there's any questions at the meantime thank you for coming to my talk and let's see if there's any questions I don't know Ruby let me know if you're seeing any questions I don't see any currently but I may not be seeing them so let me know if you see them it seems like there were some comments during the talk and one specific question does PV PV LAN s affect functionali
Original Description
More about the SANS SEC530: Defensible Security Architecture course: www.sans.org/SEC530
Presented by: Eric Conrad, SANS Faculty Fellow
This webcast introduces the new SEC530: Defensible Security Architecture course. It is designed to help students understand and design a zero-trust architecture, where the old concepts of a trusted inside network and an untrusted outside are changed: nothing is trusted (by default), whether it's internal or external. "The perimeter is dead" is a favorite saying in this age of mobile, cloud, and the Internet of Things, and we are indeed living in new a world of "de-perimeterization".
This changing landscape requires a change in mindset, as well as a repurposing of many devices. Where does it leave our classic perimeter devices such as firewalls? What are the ramifications of the "encrypt everything" mindset for devices such as Network Intrusion Detection Systems? Join us on this webcast to learn what the course is about as well as some of the fundamentals of up-to-date defensible security architecture.
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from SANS Institute · SANS Institute · 53 of 60
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
▶
54
55
56
57
58
59
60
SANS FOR610: Reverse Engineering Malware: Malware Analysis Tools & Techniques
SANS Institute
SANS Institute Cybersecurity Training Customer Stories
SANS Institute
SANS Institute UK Cyber Academy
SANS Institute
SANS Institute UK Cyber Academy
SANS Institute
CISSP® Prep Exam, MGT414, by SANS Institute
SANS Institute
SANS Institute's Rob Lee Discusses The OPM.GOV Hack on CNN
SANS Institute
Information Security Training from SANS Institute - Student Testimonials
SANS Institute
SANS NetWars
SANS Institute
SANS DFIR NetWars
SANS Institute
Hack The Drone - SANS Cyber Academy UK
SANS Institute
SANS VetSuccess Immersion Academy
SANS Institute
SANS Cybersecurity Training, Certifications & Placement for Veterans
SANS Institute
The 2015 SANS Holiday Hack Challenge
SANS Institute
SANS VetSuccess Academy: Hands-on Skills
SANS Institute
SANS VetSuccess Academy Overview
SANS Institute
SANS ICS Security Summit & Training 2017
SANS Institute
Exploring the Unknown Industrial Control System Threat Landscape – SANS ICS Security Summit 2017
SANS Institute
WannaCry recap, patches, and analysis
SANS Institute
If We’re Doing So Well at Cyber Security, Why Are We Still Doing So Poorly?
SANS Institute
Graduation Day - SANS HM Gov Cyber Retraining Academy
SANS Institute
Incentivizing ICS Security: The Case for Cyber Insurance – SANS ICS Security Summit 2017
SANS Institute
SANS Data Breach Summit & Training 2017
SANS Institute
SANS Secure DevOps Summit & Training 2017
SANS Institute
How Threats Are Slipping In the Back Door - SANS ICS Security Summit 2017
SANS Institute
SANS Webcast – Continuous Opportunity: DevOps & Security
SANS Institute
SANS Cybersecurity Programs for the Department of Defense
SANS Institute
SANS Pen Test HackFest Summit & Training 2017
SANS Institute
SANS SIEM & Tactical Analytics Summit & Training
SANS Institute
If We’re Doing So Well, Why Are We Still Doing So Poorly? – SANS ICS Security Summit 2017
SANS Institute
SANS Institute
SANS Institute
ICS515: ICS Active Defense and Incident Response
SANS Institute
SANS Institute
SANS Institute
Introducing the NEW SANS Pen Test Poster
SANS Institute
SANS Institute - An Inside Look at the Newly Updated ICS515 Course
SANS Institute
SANS ICS Security Training, Munich, Germany
SANS Institute
SANS Automotive Summit Webcast
SANS Institute
Privesc Playground - SANS Pen Test HackFest Summit 2017
SANS Institute
Introduction to Reverse Engineering for Penetration Testers – SANS Pen Test HackFest Summit 2017
SANS Institute
Honey, Please Don’t Burn Down Your Office: Fun with Smart Home Automation
SANS Institute
SANS Security Operations Summit & Training 2018
SANS Institute
Sh*t Happens! (But You Still Need to Drink the Water) – SANS ICS Summit 2018
SANS Institute
ICS Threat Intelligence: Moving from the Unknowns to a Defended Landscape – SANS ICS Summit 2018
SANS Institute
You’re Probably Not Red Teaming (And Usually I’m Not, Either) – SANS ICS Summit 2018
SANS Institute
A Sneak Peak at the New ICS410
SANS Institute
Jumping Air Gaps – SANS ICS Summit 2018
SANS Institute
Introduction to Linux
SANS Institute
Introduction to Malware Analysis
SANS Institute
You’re Probably Not Red Teaming (And Usually I’m Not, Either) Webcast by Deviant Ollam
SANS Institute
Hacking your SOEL: SOC Automation and Orchestration – SANS Security Operations Summit 2018
SANS Institute
Hunting for Post-Exploitation Stage Attacks with Elastic Stack and the MITRE ATT&CK Framework
SANS Institute
Apples and Oranges?: A CompariSIEM – SANS Security Operations Summit 2018
SANS Institute
SANS Webcast - Perimeter Security and Why it is Obsolete
SANS Institute
SANS Webcast - Trust No One: Introducing SEC530: Defensible Security Architecture
SANS Institute
The Science of Security: The Psychological Impacts of Security Awareness Programs
SANS Institute
How I Pulled Off an Edgy Security Campaign – SANS Security Awareness Summit 2018
SANS Institute
Practical Advice for Submitting to Speak at a Cybersecurity Conference
SANS Institute
SANS Webcast - Consuming OSINT: Watching You Eat, Drink, and Sleep
SANS Institute
SANS Webcast - Zero Trust Architecture
SANS Institute
SANS STX Cyber Range
SANS Institute
Part 1 – SANS Institute and Tenable talk about cloud security
SANS Institute
More on: AI Security
View skill →Related Reads
📰
📰
📰
📰
Vulnhub: Shenron-1 Walkthrough
Medium · Cybersecurity
The Day I Realized Technology Is About People, Not Just Code
Medium · Cybersecurity
🚀 I Built CODELIVLY — A Platform to Learn Cybersecurity Through Hands-On Practice
Dev.to · Rocky
The Silent Killer in Your Node.js APIs: Mass Assignment & How to Catch It Before Production
Medium · AI
🎓
Tutor Explanation
DeepCamp AI