
Okay, let's get started. Tom Kopchak, Hurricane Labs, "An Effective Approach to Defense in Depth."

Thank you, Andy. Good morning, everyone. Welcome to BSides. I know we already did the welcome, but I'm going to do that again. This talk is one of those talks designed to cover a topic that can be very boring if done poorly, and pretty much my goal with this talk was to come up with something that covered defense in depth in a way that didn't suck. So hopefully, if no one's asleep at the end of this talk, I did my job well. If you're all asleep, you can have lunch later; we'll go with that.

I'm Tom Kopchak. I'm a senior security engineer at Hurricane Labs. We're based out of Cleveland. We do Splunk, network management, all that kind of fun stuff, and I get the opportunity to reach out and give presentations. I also lead our operations team, and it's great to be here.

So, without further ado, let's talk a little bit about defense in depth. This kind of parallels the talk that happened previously, where we covered some of the pentest tactics. Like they said, it's not difficult to break in. If you're a red team, your job is easy: you just need to find the little crack in the castle wall. Really, the whole analogy I'm going with for this presentation is the security castle. Instead of talking about purely technical things, I want to use this extended analogy of the castle throughout the entire presentation, so all the imagery we're going to use, which was created by our designer, focuses on that medieval theme. I think that's going to be a little more interesting and different from what you would normally see at a security conference presentation.

So yeah, breaking in is easy. Attackers only need to find the little crack to get in, the tiny hole in the castle wall. There could be a domain admin account with escalated privileges, like we covered previously. There could be a spear phishing attack on a single user, and from that point you can pivot somewhere else in the network and basically do almost everything once you find a single vulnerability. Now on the blue team side, which is a lot of my specialty, you are having to struggle with trying to defend all of that and deal with all the different possible ways for an attacker to get in, and they only need to find the one thing that you miss, which really kind of stinks. So we need to find a way to leverage our defenses in such a way that we protect
the fortress that is our company's infrastructure, and defense in depth is the way to do that.

One of the things that I see all too often is that we have our existing controls: we have firewalls, we have security software, we have web application firewalls, we have all these defenses layered on top of each other, and then there's this shiny new technology that comes out and we want to spend money to buy that too. All too often, though, the existing controls we have are not optimized in such a way that they are the most effective at defending something. We have poor configuration on our firewalls, we have any/any rules that allow all kinds of traffic, we have vulnerable client applications and vulnerable plugins, and all these work together to kind of defeat the defenses we have. Then we're looking at spending more money on putting more defenses in, and just really not being effective at using what we have. I understand that there's always the cool shiny new security thing, and everyone pushes for upgrading to that and using that, but we can do more with what we have.

So really, one of my goals in this presentation is not to say, hey, you guys need to go spend more money on something, because I understand I come from a security vendor, and part of our job is to have people buy services and things and all that. But that's not what I'm going for. Use the controls that you have, and try to use them to more effectively defend your infrastructure and your castle. Spending more on security, of course, doesn't mean you're going to get more security. Really, by minimizing your costs, and kind of echoing our previous talk, to keep going back to that, use the free methods, use the tools that are available, to first make a case, politically, for ultimately spending more money on something you could use down the road. Start small and then go from
there.

So this is where I want to introduce the concept of defense in depth: layers of defenses on top of each other to better defend the organization's crown jewels. Really, the concept of defense in depth is the idea of layers of protection, and this is where we go to the castle theme. You can think of your organization as a castle, and you have different forms of assets in this castle. In the castle you have gold, which is obviously a very tangible asset. You have the people who are living in the castle, because the castle was kind of the premier defense of its time: you had the peasants who lived in there, the servants, you had the fair maiden, and you didn't want anything bad to happen to her. So we protect all of these parts of the castle, and we use layers of protection. We have the moat, that's kind of in the background, there are the big walls, there are guards. All these defenses work together to make the castle the premier defense of its type, and we should think of our defense and our organization in the same way.

So one of the principles that us security people like to talk about until we're blue in the face is the idea of least access, where all forms of access are completely and tightly controlled. It's a utopia, it doesn't happen, but it's something we should strive for. Users and administrators should only have the access they need to do their jobs. If your administrators are doing administration work, that's when they would escalate their privileges to a role where they have administrative permissions; otherwise they would be running as normal users, kind of reducing the risk of that. We usually think of this from an admin or a user perspective, limit what your users can do, but the way we want to do this in an organization is to have our admins be limited as well and only use administrative permissions when they need them. That's also important. What this does is reduce the scope of an attack. When you're doing your spear phishing attacks and sending out your emails to try to attack users, most of the time it's not necessarily going to be an admin. Like we said previously, it's going to be someone who is just your average user. If your average user is a domain admin, God help you, pretty much, because everything is just going to go downhill from there. However, if your average users don't have permissions to install software or make other changes to your infrastructure, you're more likely to have those users not compromise the systems the same way an admin would be compromised.

Then we get to the idea of firewalls. This is the outside defense of
your castle, and I know there have been talks recently about firewalls being less relevant and less useful, and that's not true. Castles had your big walls, you had your moats, you had those defenses, and they were there for a reason. Pretty much what the castle was designed to do was funnel all the traffic into a single point of entry that was well protected, but it was known and observed as a vulnerability: you had the drawbridge, you had the guards there, you had the holes where you could pour boiling oil and shoot arrows down at the bad people. That's what your firewall is doing. Castles didn't have multiple entries; they weren't shopping malls where you could come and go as you pleased. Everything was well controlled, and your organization should be handled the same way for network traffic. Any traffic that's coming in should get inspected, and it should be decided, hey, is this service allowed to talk to that server? Using the firewall is really the best way to do that at the outside, as the initial defense. But by itself it's not necessarily going to be the best way to secure a system, because firewalls can get bypassed easily.

A lot of times what we think about with firewalls is more than just... all too often you only think of incoming traffic for your firewall. It's more than just incoming traffic: you also have outbound filtering that you need to consider for firewalls. So let's just say someone passes the inspection at the castle gate. They walk through, they get checked by the guards, the medieval equivalent of the TSA pats them down, they get the go-ahead, they're in the castle. Should they be allowed to do everything they want? Let's say they saw some gold and wanted to put that in their pocket. Let's say they really liked the fair maiden and wanted to run off and write the medieval Taylor Swift song. Pretty much, that's not something you want to have happen. You want to have that inspected when you leave the firewall as well, which would be at the castle gate.

So what I see, and this is less and less common, but a lot of organizations still allow everything to go out of their network. The firewall will protect what comes in, but if you're allowed to make a communication outbound, that's just going to be allowed by the firewall, and that's bad. That makes the job of someone trying to exfiltrate data easy. It makes exploits really work well, because they don't have to worry about expecting outbound connectivity; they can just hit whatever they want. So don't assume that everything leaving your network is legitimate, just like you don't assume everything coming into your network is
legitimate. Really, just by restricting that access you can stop some of the basic and non-specialized malware from being effective, because there is a lot of malware that will still try to connect outbound on high ports. You're going to see a lot more on HTTP and HTTPS anymore, because that's pretty much more likely to be allowed, but there is a lot of the legacy stuff that will still try to communicate outbound on high ports.

Also you have the idea of intrusion detection and prevention. In the castle analogy these are your guards and your alarms. Essentially your guards and your soldiers would see something that was going on, they'd sound the alarm, and these would be indicators of there being a threat or a potential problem well before it actually happened. Bear in mind, though, with IDS and IPS, not everything is a threat. You could have people walking by your castle, medieval teenagers, they pick up a rock and throw it at the wall of the castle. That's not a problem. That's a port scan, the same thing you see now. Do you want to get alerted about everything that happens against your firewall and your outside IP range that is potentially somehow bad? No, you'd never sleep. So a lot of times what I see is you'll get a report of all the IDS activity on a network, and it's like this long, and it's port scan, bad stuff, you know. All of that stuff is not necessarily things you need to worry about. You need to worry about things that you're vulnerable to. So in the case of the castle analogy, let's just say the guards noticed an attack coming in from CVE-1426, the cannon. The cannon was a vulnerability, something the castle was vulnerable to; that's what made castles obsolete. So if an attacker was coming at a castle with a cannon there would be problems, and that would be something the guards would need to take action on. That's exactly how we should handle IDS and IPS: we should be alerting and responding to things that our infrastructure is vulnerable to, and not necessarily caring about the guy who's throwing the rock at the wall, who is not really a threat.

Also there's the idea of network segmentation. Once inside the castle, should you just have free rein of everything in the castle? There are different roles and different responsibilities in there. Obviously the knights are going to have more access in the castle than others, but even in that case, let's just take the fair maiden again: you don't want the knights to be able to spend too much time there.
They might be able to walk by and say something like hello. The peasants don't even have a chance, so they would be segmented off. Same way, not that our users are peasants, but similar idea, they would not be able to access everything in the network. They shouldn't be able to log into servers they don't need to access. The knights could be your system administrators; they still don't need to be able to access everything. Your DBA might need to be able to access databases, but they shouldn't be able to manage your corporate website. Those sorts of separations of roles mean that in the event of a user getting compromised, they won't be able to do every single thing on the network at the same time.

The way this usually works is with a DMZ, where you have servers separated onto different networks according to role, and then you can use the firewall or some other device to separate that traffic. So in the case of this example, you have a web server that needs to talk to a database. More often than not your web server and database are going to be running on separate systems; if they're on the same system this isn't going to be as practical. But what you can do in this case is allow the incoming traffic to the web server, and then the web server can be allowed to talk to the database server, and the firewall rules can be written in such a way that the web server is only allowed to communicate with the database server on those ports. Not everything else in the network can talk to the database server, and the internet cannot talk directly to the database server. So what this requires someone to do is come in through the firewall, exploit the web server, which isn't that difficult, and then use that access to pivot into the database. So you at least put an extra step in there, and not everyone in the organization has access to the database server. You're separating these roles and making the attacker's life harder, so they don't have automatic access to this, and they might overlook this access depending on how they're trying to exfiltrate data or access the network.

The nice thing about network segmentation is that it's basically free most of the time. Your firewalls are already going to support this, and you're going to have switching in place to accomplish this. You're just sometimes going to have to renumber, depending on how your network is built out, which can be harder than it looks and sounds in some cases, but it is something that can be added into an infrastructure with minimal cost and effort. It is a change, though, that has to be made.

Also, it's important to look at fixing vulnerabilities in your castle that
are discovered. So stone walls break down, just like the roads in Pittsburgh and Cleveland. As the weather and the elements beat down on these things, they need to be patched. The same thing happens for software. Your software doesn't get worn out, but there are vulnerabilities discovered in it, and patching is important. We look at application updates and security updates as kind of a necessary evil. When you see a bug or a patch released for a piece of software, that means some developer did something very, very horrible, and that very, very horrible thing the developer did is resulting in the software being broken in such a way that it allows some bad guy to do whatever they want with the software. So you have this software application that gets Band-Aids slapped on it left and right, and I'm really glad I don't have to write software, because it just sounds like a very miserable thing to do. How many of you write software? Okay, I pity all of you. But the fact is that with all these patches in software and these vulnerabilities being discovered, you're going to have to do updates all the time. Not just your application, not just your operating system updates like the Patch Tuesday ones, but you also have your Adobe updates, and if you have to run Java, those Java updates. Those are a lot of the primary targets for attacks. When you have a spear phishing attack trying to get someone to click on a link in a web page, a lot of times they're going to be directed to what's called an exploit kit page, and that is basically a cookbook of every possible exploit thrown at a poor user who happens to go there. More often than not, they're going to be exploiting browser vulnerabilities and plugin vulnerabilities. If you have any sort of vulnerable plugin or browser or application, these exploits are designed to find those, find a way to get into the network, and then allow the machine to make an outbound connection so that the attacker has a command and control channel. By fixing some of these vulnerabilities, at least the known ones, you're reducing the scope and effectiveness of those automated type tools. A targeted attack is going to be a lot more effective, but most of the attacks you'll see are going to be the basic "spread a wide net across the internet and see what you can catch" kind.

The other thing, just to go back to fixing vulnerabilities: you do need to run supported software. This is less of a case now, but I'm sure we're still seeing XP and 2000 machines lying around. They don't get security updates, so we run into the same problems.

Now, also, web proxies. This is a
little bit less common, but it is a really great way of reducing some of the vulnerabilities you see with outbound traffic. What the proxy does is basically go in between the computer connecting to the internet and the internet itself, and you're forcing all the software on the computer to go through the proxy as opposed to having a direct connection to the internet. This can have a really significant impact on the success of malware, because a lot of malware is not designed to be proxy aware. It assumes it's going to have a direct connection to the internet and be able to get out and talk to everything. Unfortunately a lot of applications aren't proxy aware either, so there is administrative overhead to doing this, but by adding the layer of having a web proxy in place you really are making a lot of malware less effective, and it does significantly improve your security. Combining the proxy with outbound filtering, a lot of your command and control type malware is not going to work as effectively, or at least you're going to have a way to detect it so that you can take action as quickly as possible when it's detected.

Also there's the idea of the application layer firewall, which is sometimes referred to as a reverse proxy. What we understand in this case is that web applications, things that are running on web servers, have vulnerabilities. You run into buffer overflow attacks, there's cross-site scripting, there's SQL injection. All these different types of attacks and vulnerabilities exist in applications, and sometimes you can't necessarily fix them. In a utopian, perfect world your web applications wouldn't have vulnerabilities, and when they were discovered the developers would be able to solve all the problems. But looking at the poor people who have to write software, that's different from how it actually works, and you're going to run into cases where the guy who wrote the code isn't there anymore, or the application isn't supported anymore, or "we need to get this application out yesterday, and you security people are slowing us down, and why do we always have to do these pen tests that make us look bad?" I hear that from different customers all the time when they have to go through the pen test. So an application layer firewall is kind of a Band-Aid in a way, but it's a way of putting an additional layer of defense in front of a web server. If the web application firewall sees SQL injection coming in, it's going to filter that before it gets to the vulnerable web app. So, building these layers on: ideally you have good firewall rules at the beginning, you have your web application firewall to filter out some attacks, and then you have a patched web server that isn't vulnerable to these sorts of things. By layering these, even if you have a failure at one level, you have the ability to better secure the whole entire environment.

And then there's also the idea of positive access control and the separation of roles. We touched on this a little bit before, but I want to go into a little more depth here. For example, in the castle, the king, he just doesn't cook, he doesn't defend the castle, we're not really sure what he does, but he's the king. But in terms of the king, he shouldn't be able to do
things that require that level of access. So he doesn't need to have access to all the defenses of the castle; he just needs to be able to tell the people who are responsible for that to defend the castle instead. Just like your developers and your application administrators: they shouldn't be able to make firewall rules, because bad things will happen. You're going to end up with a lot of any/any rules, you're going to end up with a lot of just open connectivity, because on the networking side they want things to just work; they don't want to deal with those pesky security people being in the way. Your administrators who are dealing with software, a lot of times they don't even know what ports are going to be used for a service to work through a firewall, which I don't blame them for, because a lot of times the people who write the software don't know what ports are needed either. So it's kind of a two-way sword on that. But really, to have that cooperation between the two sides, where your security team is working with the networking team and the application team and the database administrators, so that there is no single person responsible for making all these changes, definitely allows this access to be better controlled in a larger environment.

And then, really, security and IT should work together and not against each other. So I've got another utopian thought in my head, but all too often what I see is security is kind of like, "no, you can't do that, that's going to make things less secure," and then security is always going to be like, "ah, now the business wants me to do this, so now we have to break down all our security." You guys can relate to that, right? It's the battle that you face. Instead of making security the team of "no, we can't do that," I think we should try to make security the team of "how can we make that work while still maintaining the security of the environment?" Understanding that users are going to have to do things, there are going to be unique requests that you have to deal with, and using that as an opportunity to give and take while allowing the business to still do their core business function, which is not security in most cases, but to have that buy-in so that everyone starts thinking from a security perspective, in order to make the security of the organization as a whole better.

And then also restricting user access. Users in general should never run with administrative access unless they need it, just like administrators shouldn't run with administrative access even when they need it, with the exception of when they're actually doing an administrative function. I've talked to customers who have moved from the model of having
administrative access everywhere to customers who have restricted that, and they've really seen a huge drop in the number of spyware infections and unwanted applications and all that. There was an initial period of growing pains, where users who were used to installing everything had to go through their service desk for changes, and it was, you know, an adjustment. But after they got through the initial month or two of dealing with that, the effort and the amount of time they spent from an IT perspective cleaning up malware infections and dealing with user workstation problems dropped significantly, and really that was just by modifying the permissions of what the users were able to do and locking down the access. How many of you in your organization try to restrict user access to that extent? It's still a pretty small number. How many of you would allow access everywhere? Oh, that's good, good, good, I like to see that. So that's the move I want to see. As we're reducing that access for users, it does make users less targeted and less subject to more of these types of attacks, and I see similar results for Citrix users and servers that are terminal servers, the same benefit. Really, a lot of the IDS alerts you see in these environments once you have restricted user access are more informational, like an exploit kit was attempted to run against a client and it failed, and that's what you like to see as a security administrator.

And yeah, client protection is still something that's very important. Antivirus, I know it gets a bad rap, and it's not like if you have antivirus all your problems go away, but you also don't want to not have some kind of client protection in place. Also, for your more sensitive applications you could do some host intrusion protection and defense, basically trying to see when a host is compromised, see when users log into machines, and if you see a bunch of failed logins followed by a success, that can be an indicator of compromise. Also there's full disk encryption as an option for any type of machine that has sensitive information that might be carried in and out of the building, definitely a good thing to have in place, not perfect of course. And then Java, it just sucks and it's annoying. If you don't have to have Java on machines, don't put it on there, but unfortunately there are many companies where your most critical business application was written in Java by some guy who doesn't work there anymore, and no one knows how to change the code, so there are those problems that you run into too. You don't have to have Java on every machine; don't put it on every machine. If you have some users that need it, only put it on those machines, and restrict that scope as much as possible.

So finally, I want to wrap things up by bringing everything together. A lot of these recommendations are just that: they're recommendations. Depending on what your organization is doing, you might have some of these in place, you might have many of these in place, but there might always be areas of improvement or ways you can layer these defenses better. Really what I tend to find is that your smaller types of changes are the ones that get the most success at implementation, and they're more likely to get approved in an
organization. If you wanted to just say, hey guys, I'm going to come to work on Monday and turn off all outbound access except for things that I think are important across my entire organization, you're probably going to have your co-workers think you're insane, and rightfully so. I have done it before, at an organization that had a bad malware infection, and it was basically like, guys, we need to shut off outbound access, and they're like, okay, like, what? But that actually did a good job at stopping the type of malware they had, because it was not going out on regular HTTP and HTTPS. But to try to do that in a big organization, it's not going to be something you're able to do right away. You might be able to do something like analyzing your log data to see what services are being used, and then locking down outbound access to services that are not on that list, kind of chipping away at the block and figuring out how your network works. That's an approach if you're not really sure what's being used. If you have documentation and a better understanding of how your network operates, you might be able to do something differently. But really, piecing together and trying to work with what you can as a security person gives you leverage long term as you're trying to sell the position of security in your organization. You then have the ability to demonstrate to your management: this is what we were able to do with the firewall we have; using this open source IDS we detected these threats. Then you can say, okay, now that we've done this work with what we have, now I need more help from you guys to be able to support this larger project, this new shiny firewall, this better client protection system, and you can leverage those together to really benefit your security as an organization as a whole.

So with that, I'd like to open the floor for questions. Thank you very much. [Applause]
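The "analyze your log data, see what outbound services are actually used, then deny the rest" approach the speaker describes, as an added worked example (not part of the talk or Hurricane Labs' tooling). It assumes a hypothetical firewall accept-log format (the `ACCEPT proto=... src=... dst=... dport=...` lines below are constructed sample data) and a single internal range of 10.0.0.0/8; adjust `parse_flow_line()` and `INTERNAL_NETS` to your own firewall's export. Services used by several internal hosts become org-wide egress allows; anything seen from only one host is narrowed to that host and queued for review rather than silently allowed, and the rendered ruleset ends with a logged default deny.

```python
"""Build an egress allowlist from firewall connection logs, then render
default-deny outbound rules. Added example; log format is hypothetical."""
import ipaddress
import re

# Constructed sample data: outbound "accept" lines in a made-up export format.
SAMPLE_LOG = """\
2014-01-13T09:01:02 ACCEPT proto=tcp src=10.1.20.15 dst=93.184.216.34 dport=443
2014-01-13T09:01:05 ACCEPT proto=tcp src=10.1.20.16 dst=93.184.216.34 dport=443
2014-01-13T09:01:09 ACCEPT proto=udp src=10.1.20.15 dst=10.1.1.10 dport=53
2014-01-13T09:02:11 ACCEPT proto=tcp src=10.1.20.22 dst=198.51.100.7 dport=80
2014-01-13T09:02:40 ACCEPT proto=tcp src=10.1.20.31 dst=198.51.100.7 dport=80
2014-01-13T09:03:01 ACCEPT proto=tcp src=10.1.20.40 dst=203.0.113.9 dport=443
2014-01-13T09:03:15 ACCEPT proto=tcp src=10.1.1.50 dst=203.0.113.25 dport=25
2014-01-13T09:04:00 ACCEPT proto=tcp src=10.1.20.15 dst=203.0.113.77 dport=6667
2014-01-13T09:04:30 ACCEPT proto=tcp src=10.1.20.15 dst=203.0.113.77 dport=6667
2014-01-13T09:05:00 ACCEPT proto=udp src=10.1.20.16 dst=8.8.8.8 dport=53
2014-01-13T09:05:30 ACCEPT proto=tcp src=10.1.20.16 dst=192.0.2.200 dport=31337
"""

# Assumption: everything in 10.0.0.0/8 is "inside the castle".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ACCEPT proto=(?P<proto>tcp|udp) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_flow_line(line):
    """Parse one accept line of the hypothetical format; None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"proto": m["proto"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def outbound_flows(lines):
    """Keep only flows from an internal source to an external destination."""
    flows = []
    for line in lines:
        f = parse_flow_line(line)
        if f and is_internal(f["src"]) and not is_internal(f["dst"]):
            flows.append(f)
    return flows


def build_baseline(flows):
    """Aggregate per (proto, dport): which internal hosts use it, where, how often."""
    base = {}
    for f in flows:
        entry = base.setdefault((f["proto"], f["dport"]), {"sources": set(), "dests": set(), "count": 0})
        entry["sources"].add(f["src"])
        entry["dests"].add(f["dst"])
        entry["count"] += 1
    return base


def propose_policy(baseline, min_sources=2):
    """Services used by >= min_sources hosts become org-wide allows; the rest are
    narrowed to the hosts that used them and flagged for a human to review."""
    broad = sorted(k for k, v in baseline.items() if len(v["sources"]) >= min_sources)
    review = {k: sorted(v["sources"]) for k, v in baseline.items() if len(v["sources"]) < min_sources}
    return broad, review


def render_rules(broad, review, internal="10.0.0.0/8"):
    """Render as iptables FORWARD rules, ending in a logged default deny."""
    rules = []
    for proto, port in broad:
        rules.append(f"iptables -A FORWARD -s {internal} -p {proto} --dport {port} -j ACCEPT")
    for (proto, port), hosts in sorted(review.items()):
        for host in hosts:
            rules.append("# REVIEW: single-host egress, confirm it is legitimate before keeping")
            rules.append(f"iptables -A FORWARD -s {host} -p {proto} --dport {port} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -s {internal} -j LOG --log-prefix 'EGRESS-DENY '")
    rules.append(f"iptables -A FORWARD -s {internal} -j DROP")
    return rules


if __name__ == "__main__":
    flows = outbound_flows(SAMPLE_LOG.splitlines())
    broad, review = propose_policy(build_baseline(flows))
    print("\n".join(render_rules(broad, review)))
```

Run against the sample, 80/tcp and 443/tcp become organisation-wide allows, while 25/tcp from the one mail host, 6667/tcp and 31337/tcp from single workstations, and DNS straight to 8.8.8.8 all land in the review list instead of being rubber-stamped; the review items are exactly the lines a person should look at before the deny goes in. Raise `min_sources` on a larger network, and run the analysis over weeks of logs, not hours, so monthly jobs are not missed.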
Oh, a question, okay. "What if you don't own the..." There are ones for sale in Europe, and they often cost less than a house in New York City, or at least an apartment. I think there's a list on the internet; I've definitely seen castles that cost less than New York City apartments. The problem you run into with that, though, is Wi-Fi coverage. There's a castle, Wen, that had... yeah, just put it in your boat and drive over the ocean, it'll work great. Thank you, everyone. [Applause]
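The host-side indicator the speaker mentions, a burst of failed logins followed by a success from the same source, as an added detection example (not from the talk). It runs over constructed OpenSSH `sshd` syslog lines; the parsing regexes follow the standard "Failed password for ..." / "Accepted password for ..." messages, the host name `web01` and all addresses are made up, and the threshold and window are assumptions to tune for your environment.

```python
"""Flag 'N failed logins then a success from the same source' in sshd logs.
Added example; the sample log below is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one brute-force-then-success, one user typo, one brute force
# that never succeeds, and an unrelated pam line that must be ignored.
SAMPLE_AUTH_LOG = """\
Jan 13 08:00:01 web01 sshd[1900]: Failed password for root from 203.0.113.5 port 50100 ssh2
Jan 13 09:01:02 web01 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 13 09:01:09 web01 sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jan 13 09:01:15 web01 sshd[2003]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 13 09:01:22 web01 sshd[2004]: Failed password for bob from 203.0.113.5 port 51237 ssh2
Jan 13 09:01:30 web01 sshd[2005]: Failed password for bob from 203.0.113.5 port 51238 ssh2
Jan 13 09:01:41 web01 sshd[2006]: Accepted password for bob from 203.0.113.5 port 51239 ssh2
Jan 13 09:02:05 web01 sshd[2010]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Jan 13 09:02:12 web01 sshd[2011]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
Jan 13 09:03:00 web01 sshd[2020]: Failed password for invalid user oracle from 192.0.2.9 port 33000 ssh2
Jan 13 09:03:03 web01 sshd[2021]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
Jan 13 09:03:06 web01 sshd[2022]: Failed password for invalid user guest from 192.0.2.9 port 33002 ssh2
Jan 13 09:03:09 web01 sshd[2023]: Failed password for root from 192.0.2.9 port 33003 ssh2
Jan 13 09:04:00 web01 sshd[2030]: pam_unix(sshd:session): session opened for user bob by (uid=0)
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
OK_RE = re.compile(r"^Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port")


def parse_auth_line(line):
    """Return {'ts', 'event', 'user', 'ip'} for a failed/accepted login, else None."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year; strptime fills in 1900, which is fine for
    # computing deltas within one file (assumption: no year boundary in the window).
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    msg = m["msg"]
    f = FAIL_RE.match(msg)
    if f:
        return {"ts": ts, "event": "fail", "user": f["user"], "ip": f["ip"]}
    s = OK_RE.match(msg)
    if s:
        return {"ts": ts, "event": "success", "user": s["user"], "ip": s["ip"]}
    return None


def detect_fail_then_success(lines, threshold=3, window_seconds=300):
    """Alert when a source IP logs >= threshold failures inside window_seconds and
    then a success. Failures older than the window are dropped as events arrive."""
    recent_fails = defaultdict(deque)  # ip -> timestamps of failures still in window
    alerts = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        fails = recent_fails[ev["ip"]]
        while fails and (ev["ts"] - fails[0]).total_seconds() > window_seconds:
            fails.popleft()
        if ev["event"] == "fail":
            fails.append(ev["ts"])
            continue
        if len(fails) >= threshold:
            alerts.append({
                "ip": ev["ip"],
                "user": ev["user"],
                "failures": len(fails),
                "first_fail": fails[0].strftime("%b %d %H:%M:%S"),
                "success_at": ev["ts"].strftime("%b %d %H:%M:%S"),
            })
        fails.clear()  # a success ends the burst either way
    return alerts


if __name__ == "__main__":
    for a in detect_fail_then_success(SAMPLE_AUTH_LOG.splitlines()):
        print(f"IoC: {a['failures']} failures from {a['ip']} then success as "
              f"{a['user']} at {a['success_at']} (first failure {a['first_fail']})")
```

On the sample only 203.0.113.5 fires: its 08:00 failure is outside the five-minute window and is discarded, the five failures at 09:01 followed by `Accepted password for bob` trip the rule, alice's single typo before a key-based login does not, and 192.0.2.9's brute force that never succeeds is noise for this particular indicator (worth its own rate-limit alert, but that is a different rule). The same windowed-deque pattern applies to Windows 4625/4624 events or any other auth source once you swap the two regexes.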