Think Like a Hacker: Using Network Analytics and Attack Simulation to Find and Fix Security Gaps
3 likes3,091 views
If you’re tasked with keeping your enterprise network infrastructure secure against cyber attacks, then you’d better start thinking like a hacker. Do you know what your network looks like? Where are all the access points? Can you create a short list of the most vital vulnerabilities a hacker could exploit? And how long does it take you to get this info? Days? Weeks? Never? In this webcast, we will discuss a practical game plan to continuously monitor your cyber security status and proactively fix concerns before they become a data breach or attack. Learn how to minimize risks by combining a detailed understanding of your network topology, cyber threats, and likely attack scenarios with everyday security management processes. This webcast is appropriate for firewall and network administrators, IT security managers, and CISOs in medium to large business and government agencies. We will examine: • Network mapping – How to create a virtual network model to use for security architecture planning and policy compliance checks • Access analysis – Ways to identify all network access routes , to block unauthorized access and quickly troubleshoot network availability issues • Securing the perimeter – Enable daily checks of firewalls and network devices to keep them configured securely • Attack simulation – Find and fix the vulnerabilities most likely to be used in an attack – every day
More Related Content
What's hot (20)
Similar to Think Like a Hacker: Using Network Analytics and Attack Simulation to Find and Fix Security Gaps (20)
More from Skybox Security (20)
Recently uploaded (20)
Think Like a Hacker: Using Network Analytics and Attack Simulation to Find and Fix Security Gaps
- 1. Think Like a Hacker: Using Network Analytics and Attack Simulation to Find and Fix Security Gaps • Michelle Johnson Cobb • VP, Marketing and BD • March 15, 2012 • SANS webcast © 2012 Skybox Security
- 2. Skybox Security Overview Leading Security Risk Management Solutions • Automated Firewall Management • Continuous Network Compliance • Risk and Vulnerability Management Unique, High-Performance Technology • Network Modeling • Access Path Analysis • Attack Simulation Proven in Demanding Network Environments • 6 of the top 10 banks, 5 of the 10 largest NATO members • Financial Services, Retail, Energy, Government, Defense, Retail, Telecommunications, Manufacturing, Technology © 2012 Skybox Security 2
- 3. Preventing Attacks is not Trivial • 300 firewalls • 25,000 rules • 250 routers/gateways • 55,000 nodes • 65 daily network changes • 10,000 daily reported vulnerabilities • Infrastructure spanning three continents © 2012 Skybox Security 3
- 4. First… Think Like a Hacker Pre-Attack Gather info on Or Find and Fix to network topology Reconnaissance? Prevent Attack? Find access paths Find exploitable vulnerabilities Hacker toolkit: Security Manager Wireshark, nmap, toolkit: Nessus, netcat, Try out attack Snort, Google, John scenarios the Ripper, etc. © 2012 Skybox Security 4
- 5. Building a Network Model Gather info on network topology Automatically import data from network devices, management systems Firewall Router Load IPS Vulnerability Patch Balancer Scanner © 2012 Skybox Security 5
- 6. Feeding the Network Model Gather info on network topology Must be imported, normalized, correlated © 2012 Skybox Security 6
- 7. How is the Model Created? Gather info on network topology • Import topology data • Device configs • Routing tables • Automatically create a hierarchical model tree, grouping hosts by TCP/IP network • Add function, location, type • Analyze model to detect missing info – hosts, ACLs, routing rules for gateways © 2012 Skybox Security 7
- 8. Comprehensive Network Model Gather info on network topology • Normalized view of the network security situation • Visualize entire network • Updated continuously • 3 models: Live, Forensic, and What-if © 2012 Skybox Security
- 9. Virtual “Sandbox” for Complex Security Analysis Analyze access paths Prioritize exposed vulnerabilities Find device misconfigurations © 2012 Skybox Security
- 10. Now - Check the Firewalls! Find access paths • Analyze firewall rule base against policies/best practices (NIST, PCI…) • Identify risky rules • Uniform policy for all firewalls
- 11. Access Analyzer Finds all Paths Find access paths • Complete End-to- End path analysis • Highlighting ACL’s and routing rules • Supports NAT, VPN, Dynamic Routing and Authenticated rules
- 12. Determine Rules Allowing Access Find access paths • Find blocking or allowing devices • Show rules involved • View routes
- 13. Check for Access Policy Violations Find access paths • Define what is allowed, limited and denied between Security Zones • Compliance Metrics • Violating Rules • Exceptions • Multiple policies • Dashboard
- 14. Exploitable Vulnerabilities? Start with the scan… Find exploitable Vulnerabilities • CVE 2009-203 vulnerabilities • CVE 2006-722 • CVE 2006-490
- 15. Add Skybox Vulnerability Dictionary Content Find exploitable vulnerabilities • Collects vulnerability data from multiple sources (scanners, published repositories, threat feeds) • Represent vulnerabilities in standard format • Adds severity, degree of difficulty, commonality of exploit and attack impact (CIA) • Models pre-conditions for exploitation – used in attack simulation © 2012 Skybox Security 15
- 16. Look at Potential Threat Origins Find exploitable Vulnerabilities • CVE 2009-203 vulnerabilities • CVE 2006-722 • CVE 2006-490 Rogue Admin Internet Hacker Compromised Partner
- 17. Simulate all Possible Attacks Find exploitable Vulnerabilities • CVE 2009-203 vulnerabilities • CVE 2006-722 • CVE 2006-490 Rogue Admin Internet Hacker Attack Compromised Simulations Partner
- 18. How Attack Simulation Works Connectivity Path Probable attack vector to Finance servers asset group This attack is a “multi-step” attack, crossing several network zones Business Impact Attack Vector How to Block Potential Attack? © 2012 Skybox Security
- 19. Quantify and Prioritize Risks Vulnerability (CVSS Score & CIA Impact) + Exposure (Threat Origins & Network) + Business Impact (CIA Impact and Asset Importance) {Attack Simulation} Risk
- 20. Plan Defensive Strategy Most Critical Actions Vulnerabilities Threats © 2012 Skybox Security
- 21. Skybox Security Portfolio Firewall Assurance Network Assurance Risk Control Automated firewall Network compliance and Identify exposed analysis and audits access path analysis vulnerabilities Change Manager Threat Manager Complete firewall Workflow to address change workflow new threats © 2012 Skybox Security 21
- 22. Remote Buffer Overflow Attack Steps 1. Buffer overflow vulnerability MS11-004 on FTP server in DMZ 2. Exploit to gain root control on the FTP server 3. FTP server trust relations with DNS server in core network 4. DNS server running Free BSD has BIND vulnerability - enables control of DNS server 5. Finance server compromised. Significant damage or data loss
- 23. Prevent a Buffer Overflow Attack • Skybox Risk Control identifies attack paths Buffer Overflow Attack • Attack simulation reveals a small number of exposed vulnerabilities • Skybox issues urgent ticket request to patch the FTP server • Security team patches a single vulnerability to block potential attack and reduce high risk of Financial Server compromise © 2012 Skybox Security 23
- 24. Firewall Bypass Attack Steps 1. DMZ firewall allowed access through TCP port Firewall Bypass 443 to internal network (which might be okay) 2. A misconfigured load balancer rule performed NAT to TCP port 80 3. Allowing port 80 access to the development network – a very risky situation © 2012 Skybox Security 24
- 25. Preventing the Firewall Bypass Attack • Skybox Firewall Assurance automatically finds risky rules and configs in firewalls • Skybox Network Assurance creates up-to-date network model and checks rest of layer 3 devices - load balancers, switches, routers • Skybox checks policy rules such as: “No access from Internet to Internal except …” • End-to-end access path analysis – every possible path • Skybox issues tickets to address violations reported
- 26. Client-Side Attack Steps User opens infected email attachment or clicks link to a A vulnerability or misconfig malicious or hacked website on desktops is exploited and malware is installed Malware enables attacker to collect data from machine, continue attack within the network, and send data back to attacker Source: SANS Tutorial: HTTP Client-side Exploit
- 27. Preventing a Client-Side Attack EMEA region at highest risk Retrieve exact list of vulnerable hosts Remediate in order Adobe Reader 9.x and of risk impact 8.x contribute the majority of the risk (76%)
- 28. Best Practices to Prevent Attacks Get the comprehensive Find security gaps network view every day Prioritize by Validate changes Automate security risk level in advance processes © 2012 Skybox Security 28
- 29. Time for Questions Thank You! www.skyboxsecurity.com © 2012 Skybox Security