Slide 1

Slide 1 text

The Advanced Persistent Adversary and You
a lesson on why not to rewrite your slides the day before your talk
Brad Lhotsky
http://twitter.com/reyjrar
http://github.com/reyjrar

Slide 2

Slide 2 text

$WORK
Disclaimer: The views presented here almost certainly do not reflect the views of my $EMPLOYER.

Slide 3

Slide 3 text

$PLAY
Owner (how did that happen?) of Baltimore PM
http://baltimore.pm.org

Co-founder and regular of CharmSec
http://charmsec.org
http://citysec.org

Slide 4

Slide 4 text

$JOB

Slide 5

Slide 5 text

security, noun
1 the security of the nation's citizens: safety, freedom from danger, protection, invulnerability. ANTONYMS vulnerability, danger.
2 he could give her the security she needed: peace of mind, feeling of safety, stability, certainty, happiness, confidence. ANTONYMS disquiet.
3 security at the court was tight: safety measures, safeguards, surveillance, defense, protection.
4 additional security for your loan may be required: guarantee, collateral, surety, pledge, bond.

Slide 6

Slide 6 text

getting CISSP-ie wit it

Slide 7

Slide 7 text

learning from war, because ‘computer’ eq ‘gun’

Slide 8

Slide 8 text

http://www.penny-arcade.com/comic/2000/6/26/

Slide 9

Slide 9 text

APT
not just a package manager anymore!

Slide 10

Slide 10 text

buzzword

Slide 11

Slide 11 text

misleading

Slide 12

Slide 12 text

not tangible

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

Advanced Persistent Adversary

Slide 15

Slide 15 text

“.. APT is ‘who’ not a ‘how’ .. ” Source: Mandiant, LLC

Slide 16

Slide 16 text

what does that mean?

Slide 17

Slide 17 text

Governments

Slide 18

Slide 18 text

Organized Crime

Slide 19

Slide 19 text

Activists

Slide 20

Slide 20 text

possibly Bristol Palin.

Slide 21

Slide 21 text

what’s the harm?

Slide 22

Slide 22 text

Compromised: DoD
• In April of 2009 malware was discovered on the DoD Classified network; it stole at least 6 terabytes of data before being detected
• The entire volume of data pertaining to the Joint Strike Fighter Program was taken

Slide 23

Slide 23 text

Compromised: HB Gary
• Aaron Barr decides to unmask Anonymous in late 2010
• Feb 5th 2011, Anonymous announces the compromise of HB Gary, including internal email and documents
• Feb 7th, Anonymous releases a torrent of all the data
• FBI/DoD were contracting HB Gary to develop malware for domestic spying initiatives

Slide 24

Slide 24 text

Compromised: RSA
• March 17th, RSA announces they’ve been breached, details unknown. Says SecurID is “safe”
• April, Level 3 announces a breach believed to be related to SecurID
• May, DoD, DHS, and Lockheed Martin announce breaches confirming SecurID has been compromised

Slide 25

Slide 25 text

Compromised: Sony
• January 11th, 2011, Sony files a suit against George Hotz for a mod to the PS3 which allows another OS to be run
• Since April 14th of 2011, Sony and its holdings have experienced 20 major compromises, totaling more than 200 MILLION customer records

Slide 26

Slide 26 text

Sony may be a game changer

Slide 27

Slide 27 text

Sony Stock, 6m

Slide 28

Slide 28 text

Panasonic Stock, 6m

Slide 29

Slide 29 text

Compromised: AZPD
• While I was writing this presentation, LulzSecurity released details of their compromise of the AZPD due to SB1070, the racial profiling bill
• Included in the press release were threats to continue targeting corrupt companies, politicians, law enforcement and military agencies.

Slide 30

Slide 30 text

who else?

Slide 31

Slide 31 text

if your company’s on this list

Slide 32

Slide 32 text

you’re probably screwed.

Slide 33

Slide 33 text

that’s not true.

Slide 34

Slide 34 text

we’re all screwed.

Slide 35

Slide 35 text

ok. what the fuck does this have to do with Perl?

Slide 36

Slide 36 text

more than you think ..

Slide 37

Slide 37 text

but I’m data driven, so ..

Slide 38

Slide 38 text

Verizon DBIR 2011

Slide 39

Slide 39 text

Verizon DBIR 2011

Slide 40

Slide 40 text

Verizon DBIR 2011

Slide 41

Slide 41 text

and that brings me to: Standards Compliance

Slide 42

Slide 42 text

PCI-DSS SOX HIPAA FISMA

Slide 43

Slide 43 text

boo!
right?

Slide 44

Slide 44 text

wrong.

Slide 45

Slide 45 text

what do we call this ...

Slide 46

Slide 46 text

when this guy says it?

Slide 47

Slide 47 text

useless bull shit

Slide 48

Slide 48 text

when this guy says it?

Slide 49

Slide 49 text

DevOps

Slide 50

Slide 50 text

WebOps
*Ops
WebDevSecOps!!

Slide 51

Slide 51 text

and I think we’re already doing it

Slide 52

Slide 52 text

recommendations
• Auditing
  • Log fucking everything
• Configuration Management
  • Puppet / Chef / whatever
• Visibility and Accessibility
  • Graphs, Metrics
• Contingency Planning
  • Risk Assessments
  • Did you know it’s OK to have risks?

Slide 53

Slide 53 text

cool deploy macros

    # Puppet resource from the speaker's svnutils: check a project out of
    # Subversion into the web root and restart httpd when it changes
    subversion::deploy { 'project':
      owner  => apache,
      group  => apache,
      svnurl => 'svn+ssh://svn/repo/project',
      target => '/var/www/project',
      notify => Service['httpd'],
    }

It just got DevOpsy up in here ..
https://github.com/reyjrar/svnutils

Slide 54

Slide 54 text

metrics

Slide 55

Slide 55 text

do something cool w/ metrics

Slide 56

Slide 56 text

example

Slide 57

Slide 57 text

small IT department lots of users

Slide 58

Slide 58 text

forced efficiency

Slide 59

Slide 59 text

Open Source Software and some glue, duct tape, and WD-40
• Netdisco (Network Discovery via SNMP, CDP, LLDP)
• Custom libpcap based detectors at key points in the network (Service Discovery, DNS Monitoring, Traffic Monitoring)
• syslog-ng (Communication Bridge)
• dhcpd (Node Discovery)
• snort (Security Event Detection)
• Windows Event Logs (Correlation / Discovery)
• OSSEC HIDS (Correlation / Detection / Prevention)
• PostgreSQL Database (Storage / Correlation)
• RRDTool (Storage / Visual Analysis)
• Perl (Glue / Duct Tape / WD-40)
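The slide names the pieces but not what the Perl "glue" between them does. The script below is an added example, written for these notes and not taken from the talk or from the speaker's repositories: it takes syslog lines as syslog-ng would forward them, learns which hardware address and hostname currently hold each IP from dhcpd's DHCPACK messages (Node Discovery), and annotates snort alerts (Security Event Detection) with that lease so an analyst can locate the internal machine behind an alert (Correlation). The line formats are ISC dhcpd's DHCPACK message and snort's "fast" alert output; the sample lines, addresses, hostnames and rule IDs are constructed for the example.

```perl
#!/usr/bin/env perl
# Added example of Perl as glue between dhcpd and snort logs.
# Not code from the talk; input formats are ISC dhcpd and snort "fast" alerts.
use 5.010;
use strict;
use warnings;

# Constructed sample input (what syslog-ng would hand us).
my @lines = (
  'Jun 27 10:15:02 dhcp1 dhcpd: DHCPACK on 10.1.2.34 to 00:11:22:33:44:55 (laptop-01) via eth0',
  'Jun 27 10:15:09 dhcp1 dhcpd: DHCPACK on 10.1.2.57 to 66:77:88:99:aa:bb via eth0',
  '06/27-10:16:12.123456  [**] [1:1000001:1] LOCAL example alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.34:51234 -> 203.0.113.5:80',
  '06/27-10:17:40.000001  [**] [1:1000002:1] LOCAL another alert [**] [Priority: 2] {UDP} 198.51.100.9:53 -> 10.1.2.57:40000',
);

# Parse a dhcpd DHCPACK line: returns (ip, mac, hostname-or-undef), or nothing.
sub parse_dhcpack {
    my ($line) = @_;
    return unless $line =~ m{
        dhcpd: \s+ DHCPACK \s+ on \s+
        (\d{1,3}(?:\.\d{1,3}){3}) \s+ to \s+     # leased IP
        ([0-9a-f]{2}(?::[0-9a-f]{2}){5})         # hardware address
        (?: \s+ \( ([^)]*) \) )?                 # optional client hostname
    }xi;
    return ($1, lc $2, $3);
}

# Parse a snort fast alert: returns a hashref, or undef if the line is not one.
sub parse_snort_alert {
    my ($line) = @_;
    return unless $line =~ m{
        ^(\S+) \s+ \[\*\*\] \s+
        \[(\d+):(\d+):(\d+)\] \s+ (.*?) \s+ \[\*\*\]   # gid:sid:rev and message
        .*? \{(\w+)\} \s+                              # protocol
        (\d{1,3}(?:\.\d{1,3}){3}):(\d+) \s+ -> \s+
        (\d{1,3}(?:\.\d{1,3}){3}):(\d+)
    }x;
    return { ts => $1, sid => $3, msg => $5, proto => $6,
             src => $7, sport => $8, dst => $9, dport => $10 };
}

# First pass learns leases, second pass annotates alerts with them.
sub correlate {
    my (@input) = @_;
    my %lease;   # ip => { mac => ..., host => ... }
    for my $l (@input) {
        my ($ip, $mac, $host) = parse_dhcpack($l);
        $lease{$ip} = { mac => $mac, host => $host // 'unknown' } if defined $ip;
    }
    my @out;
    for my $l (@input) {
        my $a = parse_snort_alert($l) or next;
        # The internal host is whichever end of the flow we hold a lease for.
        my $inside = exists $lease{ $a->{src} } ? $a->{src}
                   : exists $lease{ $a->{dst} } ? $a->{dst}
                   : undef;
        push @out, {
            %$a,
            inside => $inside,
            mac    => defined $inside ? $lease{$inside}{mac}  : undef,
            host   => defined $inside ? $lease{$inside}{host} : undef,
        };
    }
    return @out;
}

for my $e ( correlate(@lines) ) {
    printf "%s sid=%s %s -> %s [%s] host=%s mac=%s\n",
        $e->{ts}, $e->{sid}, $e->{src}, $e->{dst}, $e->{msg},
        $e->{host} // '?', $e->{mac} // '?';
}
```

In the real pipeline the lease table would live in the PostgreSQL database the slide lists rather than in memory, so that an alert arriving hours after the DHCPACK still resolves to the right machine; the two parsers and the lookup are the same.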

Slide 60

Slide 60 text

why?

Slide 61

Slide 61 text

it makes my job simpler

Slide 62

Slide 62 text

Security Under the Veil of Utility Identify and Locate Users

Slide 63

Slide 63 text

Get useful information on our users

Slide 64

Slide 64 text

No content

Slide 65

Slide 65 text

No content

Slide 66

Slide 66 text

all of these things satisfy requirements

Slide 67

Slide 67 text

talk to your security staff

Slide 68

Slide 68 text

talk to your help desk

Slide 69

Slide 69 text

talk to your core business groups

Slide 70

Slide 70 text

how can you help them solve their problems?

Slide 71

Slide 71 text

chances are .. you already have.

Slide 72

Slide 72 text

and if you haven’t ...

Slide 73

Slide 73 text

you’re Perl programmers ..

Slide 74

Slide 74 text

and you can.

Slide 75

Slide 75 text

how will that help with security?

Slide 76

Slide 76 text

Other stuff
• http://github.com/reyjrar/dns-monitor/
  • DNS Statistics
  • DNS Anomaly Detection (soon)

Slide 77

Slide 77 text

Thank you!
[email protected]
https://twitter.com/reyjrar
https://github.com/reyjrar