The Assumed Breach Model A Practical Approach

Manager – Security Architecture Heavily focused on Cloud/AWS Experience includes moving from End User Support, to Sys Admin, to Consulting, to Information Security to Security Architecture

Agenda Current Landscape Strategy Next Steps

Current Security Landscape Checking Boxes We play whack-a-mole with security controls and tools

Shiny New Toys…Tools This is a firewall without a strategy

Primarily Reactive We just collect logs to collect logs

What is assumed breach? Simply put: A security strategy that assumes any given endpoint is breached to some extent and controls risk as such.

Strategy Access Control Choke Points Trust Zones Detection Capabilities

Principles Empower Business Keep It Simple

Access Control What is being protected? How do we protect it if we assume it is already breached?

Access Control: What is being protected? Internal Restricted Public Payroll Policies and Procedures PII, PCI, PHI SOX, GLBA Marketing Public Website Access Control: What is being protected?

Access Control: Tiered Access Lateral Movement Administrative Access WannaCry https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material

Choke Points Trusted sources Areas of known activity Minimize surface areas for non-standard things (i.e. front gate and not the walls) Not a new concept

Choke Points

More than network segmentation We can have segmentation and still have a flat network Must empower businesses Too many hoops to jump through, at best users will be mad, worst case, they will find a way around Trust Zones

Medical Devices/ATMs/ICS Trust Zones Medical Devices/ATMs/ICS User Networks VDI EMR/Mainframe/ICS Servers

Detection Strategy Identify the needles before building the haystack Minimize attack surfaces Focus on ‘all hands on deck’ alerts Review alerts vs reports

Detection Strategy Don’t try to think like an attacker Stop trying to prevent the latest and greatest 0 day – just assume it is already there

Next Steps Access Control Minimize perimeter Control changes Tiered accounts for administration

Next Steps Choke Points Bring the battle to you Know what normal looks like Tiered Accounts Reduce the noise

Next Steps Trust Zones Segment your network Know what is supposed to talk to each other This should be transparent to users Keep it simple, but not flat

Next Steps Detection Capabilities Use guides (see references) Know what normal is, be able to detect what isn’t Reduce the noise

References Don’t Think like an attacker Strategy: Detection: Mitre ATT&CK – https://attack.mitre.org/wiki/Main_Page Known IOCs - https://github.com/Neo23x0/sigma Threat Hunter Playbook https://github.com/Cyb3rWard0g/ThreatHunter-Playbook Strategy: http://threatexpress.com/2018/01/threat-mitigation-strategies-observations-recommendations/ - James Tubberville http://www.andrewalaniz.com/2017/12/10-immutable-laws-assumed-breach/ - Andrew Alaniz – 10 Immutable Laws of Assumed Breach https://www.slideshare.net/JoeVest1/using-ioc-to-design-and-control-threat-activities-during-a-red-team-engagement - Joe Vest – Using IOCs to control threats https://technet.microsoft.com/en-us/library/hh278941.aspx - Microsoft - 10 Immutable Laws of Security Detection: https://blogs.technet.microsoft.com/jepayne/2015/11/26/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts/ - Jessica Payne – Tracking Lateral Movement http://www.andrewalaniz.com/2017/12/assumed-breach-model-practical-approach-part-1/ - Andrew Alaniz – Assumed Breach Model http://www.andrewalaniz.com/2016/10/windows-event-forwarding-collector-resources/ - Resources for capturing Windows Events References