The Assumed Breach Model: A Practical Approach

Speaker: Manager, Security Architecture
- Heavily focused on Cloud/AWS
- Experience includes moving from End User Support, to Sys Admin, to Consulting, to Information Security, to Security Architecture
Agenda
- Current Landscape
- Strategy
- Next Steps
Current Security Landscape
- Checking boxes: we play whack-a-mole with security controls and tools
- Shiny new toys... tools: this is a firewall without a strategy
- Primarily reactive: we just collect logs to collect logs
What is assumed breach?
Simply put: a security strategy that assumes any given endpoint is already breached to some extent, and manages risk accordingly.
Strategy
- Access Control
- Choke Points
- Trust Zones
- Detection Capabilities

Principles
- Empower the business
- Keep it simple
Access Control
- What is being protected?
- How do we protect it if we assume it is already breached?

Access Control: What is being protected?
- Internal: Payroll; Policies and Procedures
- Restricted: PII, PCI, PHI; SOX, GLBA
- Public: Marketing; Public Website
Access Control: Tiered Access
- Lateral movement
- Administrative access
- WannaCry
- Reference: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
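The tiered-access idea on this slide (and the "know what normal looks like, reduce the noise" points in the Next Steps) can be turned into a concrete detection. The script below is an added example, not code from the deck or from Microsoft's reference material: it assumes a three-tier model (tier 0 = identity infrastructure, tier 1 = servers, tier 2 = workstations), constructed account and host inventories, and a simplified key=value rendering of Windows 4624 logon events. It alerts only when an admin account logs on interactively (logon type 2 or 10, which leave a reusable credential on the host) to a host outside its tier; network logons are deliberately ignored so the alert stays "all hands on deck" rather than noise.

```python
"""Tiered-access logon check over constructed Windows logon events.

Added example for the tiered-administration slide; not code from the deck
or from Microsoft's reference material. Assumed tier model:
  tier 0 = identity infrastructure (domain controllers)
  tier 1 = servers
  tier 2 = user workstations
An admin account belongs to exactly one tier and may only log on
interactively to hosts of that tier; a higher-tier credential left on a
lower-tier host is what turns a workstation compromise into lateral movement.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed inventories (assumption). In practice these come from AD group
# membership and the asset inventory.
ACCOUNT_TIER = {"da-alice": 0, "srvadm-bob": 1, "wsadm-carol": 2}
HOST_TIER = {"DC01": 0, "APP01": 1, "WS-1234": 2}

# Logon types that leave a reusable credential on the host: 2 = Interactive,
# 10 = RemoteInteractive (RDP). Network logons (type 3) are not alerted on;
# that filter is the "reduce the noise" part.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 10}


@dataclass(frozen=True)
class Logon:
    account: str
    host: str
    logon_type: int


def parse_event(line: str) -> Optional[Logon]:
    """Parse one constructed 'key=value' line; only 4624 (successful logon)
    events are of interest here, everything else is skipped."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    if fields.get("EventID") != "4624":
        return None
    return Logon(fields["Account"], fields["Host"], int(fields["LogonType"]))


def tier_violation(logon: Logon) -> Optional[str]:
    """Return an alert string when an account touches a host outside its tier."""
    acct_tier = ACCOUNT_TIER.get(logon.account)
    host_tier = HOST_TIER.get(logon.host)
    if acct_tier is None or host_tier is None:
        return None  # not a tiered admin account, or an untracked host
    if logon.logon_type not in CREDENTIAL_EXPOSING_LOGON_TYPES:
        return None  # no credential left behind; not worth an alert
    if acct_tier != host_tier:
        return (f"tier-{acct_tier} account {logon.account} logged on "
                f"interactively (type {logon.logon_type}) to tier-{host_tier} "
                f"host {logon.host}")
    return None


def find_violations(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (account, host) pairs for every tier violation in the input."""
    hits = []
    for line in lines:
        logon = parse_event(line)
        if logon and tier_violation(logon):
            hits.append((logon.account, logon.host))
    return hits


# Constructed sample events in a simplified key=value rendering.
SAMPLE_EVENTS = [
    "EventID=4624 Account=da-alice Host=DC01 LogonType=10",      # tier 0 on tier 0: fine
    "EventID=4624 Account=da-alice Host=WS-1234 LogonType=10",   # tier 0 credential on a workstation
    "EventID=4624 Account=srvadm-bob Host=APP01 LogonType=3",    # network logon, ignored
    "EventID=4624 Account=wsadm-carol Host=WS-1234 LogonType=2", # tier 2 on tier 2: fine
    "EventID=4634 Account=da-alice Host=WS-1234 LogonType=10",   # logoff event, ignored
    "EventID=4624 Account=svc-backup Host=APP01 LogonType=2",    # not a tiered admin account
    "EventID=4624 Account=srvadm-bob Host=DC01 LogonType=2",     # tier 1 account on a DC
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        logon = parse_event(line)
        alert = tier_violation(logon) if logon else None
        if alert:
            print("ALERT:", alert)
```

Run as-is it prints two alerts: the domain admin on the workstation and the server admin on the domain controller. The inventories are the real work here; once they exist, the rule is small enough that the alert means something every time it fires.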
Choke Points
- Trusted sources
- Areas of known activity
- Minimize the surface area for non-standard things (think the front gate, not the walls)
- Not a new concept
Choke Points
- More than network segmentation: we can have segmentation and still have a flat network
- Must empower the business: with too many hoops to jump through, at best users will be mad; worst case, they will find a way around

Trust Zones
- Medical Devices/ATMs/ICS
- User Networks
- VDI
- EMR/Mainframe/ICS Servers
Detection Strategy
- Identify the needles before building the haystack
- Minimize attack surfaces
- Focus on 'all hands on deck' alerts
- Review alerts vs. reports

Detection Strategy
- Don't try to think like an attacker
- Stop trying to prevent the latest and greatest 0-day; just assume it is already there
Next Steps: Access Control
- Minimize the perimeter
- Control changes
- Tiered accounts for administration

Next Steps: Choke Points
- Bring the battle to you
- Know what normal looks like
- Tiered accounts
- Reduce the noise

Next Steps: Trust Zones
- Segment your network
- Know what is supposed to talk to each other
- This should be transparent to users
- Keep it simple, but not flat

Next Steps: Detection Capabilities
- Use guides (see references)
- Know what normal is, and be able to detect what isn't
- Reduce the noise
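"Know what is supposed to talk to each other" from the Trust Zones steps is a policy you can write down and check flow records against. The script below is an added example, not code from the deck: the zone names follow the Trust Zones slide, but the address ranges, the allowed flows and the sample flow records are constructed for illustration. VDI is modelled as the only path into the EMR zone, which is the choke-point idea from earlier slides, and an address that belongs to no zone gets its own verdict, because an incomplete zone map is a different problem from a policy violation and should not sit in the same alert queue.

```python
"""Trust-zone flow policy check over constructed flow records.

Added example for the trust-zone slides; not code from the deck. Zone names
follow the slide; address ranges, allowed flows and sample records are
assumptions constructed for illustration.
"""
import ipaddress
from typing import List, Optional, Tuple

# Zone map: network -> zone name (constructed).
ZONES = {
    ipaddress.ip_network("10.10.0.0/16"): "user-networks",
    ipaddress.ip_network("10.20.0.0/16"): "vdi",
    ipaddress.ip_network("10.30.0.0/24"): "medical-devices",
    ipaddress.ip_network("10.40.0.0/16"): "emr-servers",
}

# "What is supposed to talk to each other": (src zone, dst zone, dst port).
# Anything not listed is unexpected. VDI is the choke point into the EMR
# zone, so user networks are deliberately absent from every EMR rule.
ALLOWED_FLOWS = {
    ("user-networks", "vdi", 443),
    ("vdi", "emr-servers", 443),
    ("medical-devices", "emr-servers", 2575),  # device data feed; port chosen for illustration
}


def zone_of(ip: str) -> Optional[str]:
    """Longest-prefix match of an address against the zone map; None if unmapped."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, name in ZONES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def check_flow(src: str, dst: str, dport: int) -> str:
    """Classify a flow as 'allowed', 'unexpected', or 'unmapped'."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "unmapped"  # zone map is incomplete: fix the inventory, not the firewall
    if (src_zone, dst_zone, dport) in ALLOWED_FLOWS:
        return "allowed"
    return "unexpected"


def review_flows(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str]]:
    """Attach a verdict to every (src ip, dst ip, dst port) record."""
    return [(s, d, p, check_flow(s, d, p)) for s, d, p in flows]


# Constructed flow records: (src ip, dst ip, dst port).
SAMPLE_FLOWS = [
    ("10.10.5.5", "10.20.1.1", 443),     # user -> VDI: expected
    ("10.10.5.5", "10.40.1.1", 443),     # user straight to EMR, bypassing the VDI choke point
    ("10.30.0.7", "10.40.2.2", 2575),    # device -> EMR feed: expected
    ("10.10.5.5", "10.30.0.7", 445),     # workstation to a medical device
    ("192.168.1.1", "10.40.1.1", 443),   # source in no known zone
]

if __name__ == "__main__":
    for src, dst, port, verdict in review_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port}  {verdict}")
```

Run stand-alone it prints one line per record with its verdict. Feeding real flow logs through the same check is a quick way to see whether the segmentation you think you have matches the traffic you actually see, and the "unmapped" results are the gaps in the zone map to fill first.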
References

Strategy:
- James Tubberville, Threat Mitigation Strategies: Observations and Recommendations: http://threatexpress.com/2018/01/threat-mitigation-strategies-observations-recommendations/
- Andrew Alaniz, 10 Immutable Laws of Assumed Breach: http://www.andrewalaniz.com/2017/12/10-immutable-laws-assumed-breach/
- Joe Vest, Using IOCs to Design and Control Threat Activities During a Red Team Engagement: https://www.slideshare.net/JoeVest1/using-ioc-to-design-and-control-threat-activities-during-a-red-team-engagement
- Microsoft, 10 Immutable Laws of Security: https://technet.microsoft.com/en-us/library/hh278941.aspx

Detection:
- MITRE ATT&CK: https://attack.mitre.org/wiki/Main_Page
- Known IOCs (Sigma rules): https://github.com/Neo23x0/sigma
- Threat Hunter Playbook: https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
- Jessica Payne, Tracking Lateral Movement Part One: Special Groups and Specific Service Accounts: https://blogs.technet.microsoft.com/jepayne/2015/11/26/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts/
- Andrew Alaniz, Assumed Breach Model: A Practical Approach, Part 1: http://www.andrewalaniz.com/2017/12/assumed-breach-model-practical-approach-part-1/
- Andrew Alaniz, Windows Event Forwarding collector resources (resources for capturing Windows events): http://www.andrewalaniz.com/2016/10/windows-event-forwarding-collector-resources/