The 7 Habits of Highly Effective Hackers

The best cyber-criminals manage to compromise organizations that have invested millions of dollars in cybersecurity, operate effectively as geographically-dispersed teams, and develop extensible & reliable malware that can support campaigns over many years. What are the underlying success factors that allow such attackers to be so successful? Assessing the habits and traits of the most effective hackers can teach us surprising lessons about how we can better manage our networks, build resilient security software, nurture effective teams, and prioritize the right investments. This talk focuses on lessons-learned from first-hand experience challenging hackers from inside the walls of global Fortune 100 organizations.

Presented at CeBIT in March 2017 and Evanta Orlando CXO Summit, June 2017.

Ryan Kazanciyan

June 06, 2017
Transcript

1. The 7 Habits of Highly-Effective Hackers (and what we can learn from them). Ryan Kazanciyan, Chief Security Architect, Tanium

2. The 7 → 5 Habits of Highly-Effective Hackers (and what we can learn from them). Ryan Kazanciyan, Chief Security Architect, Tanium

3. ~20% unmanaged endpoints typically identified by Tanium in production networks. Source: https://blog.tanium.com/broken-cyber-hygiene-case-study/

4. • Hostname • Hardware • Geolocation • Custodian • User role / function • Current logged-in users • Recent logged-in users • Common logon sources • Common logon destinations • Installed applications • Application usage metrics • Missing patches • Compliance status • Processes and libraries • Autostart programs • Network traffic profile • New binaries • Script activity • …

5. Build your lists: Network team, Database servers, Remote access servers, Domain controllers, Engineering team, Legal team, Helpdesk team, Web servers, Finance team, SOC analysts, PoS terminals, Security servers, E-mail servers, Employee desktops, Executive team, Endpoint admins, ?

6. 38.5% of malicious files detected by Microsoft Office365 in 2016 were Word documents. Source: Microsoft Security Intelligence Report v21

7. 86% said the greatest rise in potential IT security risk came from mobile devices, such as smartphones. Source: Ponemon Institute, 2016 State of the Endpoint Report, April 2016

8. 71% said that zero day attacks do the most harm. Source: Ponemon Institute, 2016 State of the Endpoint Report, April 2016

9. “We found 12 weeks was where most organizations had completed their patch process.” “‘On time’ may be seven days for [critical] findings, where a quarterly patch cycle may be the ‘norm’ for the rest.” - Verizon DBIR 2017

10. Average # of endpoint agents: 34% - 6-10; 15% - 10+. Source: Ponemon Institute, 2016 State of the Endpoint Report, April 2016

11. What do the best attackers worry about? (as learned from certain leaks) • Identifiers and exposure from re-used code • Standardized vs. homegrown protocols and crypto • Development rigor → stability and reliability • Forensic footprint • Code security

12. EvLog, Classic Shell, Linux Mint, Ask.com Toolbar, Transmission (dates shown on the slide: April 2015, January 2016, August 2016, November 2016)

13. UltraEdit, Web Developer for Chrome, HandBrake, MeDoc, CCleaner (dates shown on the slide: March 2017, May 2017, June 2017, Aug. 2017, Sept. 2017)

14. Managing what you trust • Review completeness and accuracy of application inventory • Assess where controls implicitly trust end-user software • Table-top supply-chain attack scenarios • Baseline trusted application behaviors • Manage and restrict software sources

15. 99 days median dwell time from compromise to detection in 2016. Source: Mandiant M-Trends 2017