The Advanced Persistent Threat and You

Transcript

1. The Advanced Persistent Adversary and You a lesson on why

   not to rewrite your slides the day before your talk Brad Lhotsky! http://twitter.com/reyjrar! http://github.com/reyjrar

2. $WORK Disclaimer: The views presented here are almost certainly! do

   not reflect the views of my $EMPLOYER.

3. $PLAY Owner (how did that happen?) of Baltimore PM! http://baltimore.pm.org!

   ! ! Co-founder and regular of CharmSec! http://charmsec.org! http://citysec.org

4. $JOB

5. security noun 1 the security of the nation's citizens: safety,

   freedom from danger, protection, invulnerability. ANTONYMS vulnerability, danger. 2 he could give her the security she needed: peace of mind, feeling of safety, stability, certainty, happiness, confidence. ANTONYMS disquiet. 3 security at the court was tight: safety measures, safeguards, surveillance, defense, protection. 4 additional security for your loan may be required: guarantee, collateral, surety, pledge, bond.

6. getting CISSP-ie wit it

7. learning from war, because ‘computer’ eq ‘gun’

8. http://www.penny-arcade.com/comic/2000/6/26/

9. APT!
   not just a package manager anymore!

10. buzzword

11. misleading

12. not tangible

13. None

14. Advanced Persistent Adversary

15. “.. APT is ‘who’ not a ‘how’ .. ” Source:

    Mandiant, LLC

16. what does that mean?

17. Governments

18. Organized
    Crime

19. Activists

20. possibly Bristol Palin.

21. what’s the harm?

22. Compromised: DoD • In April of 2009 malware was discovered

    on the DoD Classified network, it stole at least 6 terabytes of data before being detected! • The entire volume of data pertaining to the Joint Strike Fighter Program was taken

23. Compromised: HB Gary • Aaron Bar decides to unmask Anonymous

    in late 2010! • Feb 5th 2011, Anonymous announce compromise of HB Gary including internal email and documents! • Feb 7th, Anonymous release torrent of all the data! • FBI/DoD were contracting HB Gary to develop malware for domestic spying initiatives

24. Compromised: RSA • March 17th, RSA announces they’ve been breached,

    details unknown. Says SecurID is “safe”! • April, Level 3 announces a breach believed to be related to SecurID! • May, DoD, DHS, and Lockheed Martin announce breaches confirming SecurID has been compromised

25. Compromised: Sony • January 11th, 2011, Sony files a suit

    against George Hotz for a mod to the PS3 which allows another OS to be run! • Since April 14th of 2011, Sony and its holdings have experienced 20 major compromises, totaling more than 200 MILLION Customer records

26. Sony may be a game changer

27. Sony Stock, 6m

28. Panasonic Stock, 6m

29. Compromised: AZPD • While I was writing this presentation, LulzSecurity

    released details of their compromise of the AZPD due to SB1070, the racial profiling bill! • Included in the press release were threats to continue targeting corrupt companies, politicians, law enforcement and military agencies.

30. who else?

31. if your company’s on this list

32. you’re probably screwed.

33. that’s not true.

34. we’re all screwed.

35. ok. what the fuck does this have to do with

    Perl?

36. more than you think ..

37. but I’m data driven, so ..

38. Verizon DBIR 2011

39. Verizon DBIR 2011

40. Verizon DBIR 2011

41. and that brings me to:
    Standards Compliance

42. PCI-DSS
    SOX
    HIPAA
    FISMA
    

43. boo!
    ! right?

44. wrong.

45. what do we call this ...

46. when this guy says it?

47. useless bull shit

48. when this guy says it?

49. DevOps

50. WebOps
    ! *Ops
    ! WebDevSecOps!!
    

51. and I think we’re already doing it

52. recommendations •Auditing! •Log fucking everything! •Configuration Management! •Puppet / Chef

    / whatever! •Visibility and Accessibility! •Graphs, Metrics! •Contingency Planning! •Risk Assessments! •Did you know it’s OK to have risks?

53. cool deploy macros subversion::deploy { ‘project’:! owner => apache, group

    => apache,! svnurl => ‘svn+ssh://svn/repo/project’,! target => ‘/var/www/project’,! notify => Service[‘httpd’]! } It just got DevOpsy up in here .. https://github.com/reyjrar/svnutils

54. metrics

55. do something cool w/ metrics

56. example

57. small IT department
    lots of users

58. forced efficiency

59. Open Source Software and some glue, duct tape, and WD-40

    • Netdisco (Network Discovery via SNMP, CDP, LLDP)! • Custom libpcap based detectors at key points in the network (Service Discovery, DNS Monitoring, Traffic Monitoring)! • syslog-ng (Communication Bridge)! • dhcpd (Node Discovery)! • snort (Security Event Detection)! • Windows Event Logs (Correlation / Discovery)! • OSSEC HIDS (Correlation / Detection / Prevention)! • PostgreSQL Database (Storage / Correlation)! • RRDTool (Storage / Visual Analysis)! • Perl (Glue / Duct Tape / WD-40)

60. why?

61. it makes my job simpler

62. Security Under the Veil of Utility Identify and Locate Users

63. Get useful information on our users

64. None
65. None

66. all of these things satisfy requirements

67. talk to your security staff

68. talk to your help desk

69. talk to your core business groups

70. how can you help them solve their problems?

71. chances are .. you already have.

72. and if you haven’t ...

73. you’re Perl programmers ..

74. and you can.

75. how will that help with security?

76. Other stuff • http://github.com/reyjrar/dns-monitor/! • DNS Statistics! • DNS Anomaly

    Detection (soon)

77. Thank you! [email protected] https://twitter.com/reyjrar https://github.com/reyjrar