A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response Gidi Cohen | CEO & Founder | Skybox Security


Page 1: A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response

A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response

Gidi Cohen | CEO & Founder | Skybox Security

Page 2: A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response

Sources: spending – IDC & Gartner; costs – Center for Strategic and International Studies; chart – 2015 Verizon Data Breach Investigations Report

The Defender Deficit

£260B annual cost of cyber crime

£45B annual spend on solutions

NO CHANGE in “defender gap”

In 10 years!

80% of attackers compromise the network in days

25% of defenders discover attacks in days

Page 3: A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response

From Peacetime to Wartime Mindset

Peacetime: process focused, advanced planning, compliance driven

Wartime: battlefield view, attack detection, jump teams

Page 4: A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response

What’s your Incident Response Time?

Sources: ISACA.org for Incident Response process, Ponemon 2014 Cost of Cyber Crime Study for IR times

+45 days to resolve

170 days to detect

Incident Response Process

Page 5: A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response


What Takes So Long?

Potential exfiltration: suspicious outbound data. Response: shut down unnecessary ports.

• Does this event match a possible attack vector?

• What assets are exposed through that access path?

• Which security controls can we leverage?

• Will a firewall change disrupt necessary services?

Page 6: A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response

Ongoing Visibility of the Battlefield

(The model is built up one layer per slide across pages 6 to 11.)

Security Controls: Firewalls, IPS, VPNs

Network Topology: Routers, Load Balancers, Switches

Assets: Servers, Workstations, Networks

Vulnerabilities: Location, Criticality

Threat Actors: Hackers, Insiders, Worms

The attack surface is the sum of all reachable and exploitable attack vectors against an organization.

Page 12: A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response

Apply Understanding of the Attack Surface

With Knowledge of the Attack Surface

Improve planning

Reduce mean time to detect

Speed containment actions

Verify resolution

Page 13: A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response

Preparation: Reduce Attack Vectors

• Target concentrations of vulnerabilities

• Address zoning violations

• Fix risky firewall rules

Page 14: A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response

Preparation: Optimise SIEM Monitoring

SIEM: Create a SIEM watch list

• Watch specific servers with known vulnerabilities

• Monitor access paths to high-value assets

• Look for services used in recent threats

Page 15: A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response

Detection: Confirm Real Attacks Fast

Attack detection pipeline: SIEM → Level 1 SOC Analysts → Level 2 IR Team

BEFORE: high volume to review; false positives

AFTER: get attack context; assets at risk; prioritisation

Page 17: A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response

Analysis: Triage Based on Impact to Assets

Alert: anomalous behavior → Low risk

Alert: unexpected router change → Flag high-risk vector: multiple ways to compromise finance server

Page 20: A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response

Contain: Fast Zero-Day Response

Source: ISACA.org

Attack Surface Model

New Vulnerability Identified!

CVE-2015-01234

• Which systems have the vulnerability?

• Are they part of an attack vector?

• Triage response (threat, vulnerability, asset)

Page 21: A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response

Contain: Understand Scope, Exfiltration Paths

Exfiltration Path

Recommended Actions

• Generate firewall change requests to block exfil route

• Switch advanced malware to block mode

• Enable IPS signature
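The model that pages 11 to 23 describe in words, as an added example (my code, not Skybox Security's product or code): zones joined by zone-level firewall rules, assets that expose services, and CVEs tied to the service they are exploitable through. All zone and asset names, rules and the CVE-EXAMPLE-* ids are constructed placeholders. `attack_surface` computes the set of reachable and exploitable (asset, CVE) pairs from chosen threat-origin zones, which is the page 11 definition and also yields the page 14 watch list of reachable vulnerable servers; `triage_new_cve` answers the page 20 questions for a newly published vulnerability (which systems have it, which are on an attack vector); `exfiltration_paths` and `firewall_change_requests` trace the page 23 exfil route from a compromised zone and draft the deny rules that would block it.

```python
"""Toy attack-surface model: zones joined by firewall rules, assets that expose
services, and vulnerabilities on those services.  Constructed sample data only;
the CVE ids are placeholders, not real advisories."""
from collections import deque
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Rule:
    src: str    # source zone
    dst: str    # destination zone
    port: int   # single permitted port (zone-level simplification)

@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    criticality: int    # 1 (low) .. 5 (crown jewel)
    services: dict      # listening port -> service name
    vulns: frozenset    # CVE ids present on the asset

# CVE id -> service it is remotely exploitable through (constructed).
VULN_SERVICE = {"CVE-EXAMPLE-0001": "https", "CVE-EXAMPLE-0002": "smb",
                "CVE-EXAMPLE-0003": "mssql"}
ASSETS = [
    Asset("web01", "dmz", 3, {443: "https"}, frozenset({"CVE-EXAMPLE-0001"})),
    Asset("app01", "corp", 3, {8080: "http"}, frozenset()),
    Asset("fileshare", "corp", 2, {445: "smb"}, frozenset({"CVE-EXAMPLE-0002"})),
    Asset("fin-db", "finance", 5, {1433: "mssql"}, frozenset({"CVE-EXAMPLE-0003"})),
    Asset("hr-portal", "finance", 4, {8080: "http"}, frozenset()),
]
RULES = [
    Rule("internet", "dmz", 443), Rule("dmz", "corp", 445), Rule("dmz", "corp", 8080),
    Rule("corp", "finance", 1433),
    Rule("corp", "internet", 443),    # egress
    Rule("finance", "internet", 53),  # egress; doubles as an exfiltration path
]

def exploitable_hops(assets, rules, vuln_service, zone):
    """One-hop targets for an attacker who controls `zone`: a rule must permit
    the port, the asset must listen on it, and that service must carry a CVE."""
    hops = []
    for rule in (r for r in rules if r.src == zone):
        for a in (x for x in assets if x.zone == rule.dst and rule.port in x.services):
            hops += [(a, cve) for cve in sorted(a.vulns)
                     if vuln_service.get(cve) == a.services[rule.port]]
    return hops

def attack_surface(assets, rules, vuln_service, origins):
    """Breadth-first search from the threat-origin zones.  `surface` is the set
    of (asset, cve) pairs that are both reachable and exploitable, which is the
    slide's definition; `vectors` maps each such asset to its shortest chain."""
    surface, vectors, seen = set(), {}, set(origins)
    queue = deque((z, []) for z in origins)
    while queue:
        zone, path = queue.popleft()
        for asset, cve in exploitable_hops(assets, rules, vuln_service, zone):
            surface.add((asset.name, cve))
            step = path + [(asset.name, cve)]
            vectors.setdefault(asset.name, step)
            if asset.zone not in seen:  # a compromised asset is a new foothold
                seen.add(asset.zone)
                queue.append((asset.zone, step))
    return surface, vectors

def triage_new_cve(assets, rules, vuln_service, origins, cve, service):
    """Zero-day triage: which systems run the affected service, and is each one
    on a reachable attack vector?  Rows (asset, criticality, on_vector), most
    urgent first, so reachable systems are fixed before unreachable ones."""
    affected = {a.name for a in assets if service in a.services.values()}
    patched = [replace(a, vulns=a.vulns | {cve}) if a.name in affected else a
               for a in assets]
    surface, _ = attack_surface(patched, rules, {**vuln_service, cve: service}, origins)
    rows = [(a.name, a.criticality, (a.name, cve) in surface)
            for a in patched if a.name in affected]
    return sorted(rows, key=lambda r: (r[2], r[1]), reverse=True)

def exfiltration_paths(rules, start_zone, egress="internet"):
    """Zone-level paths from a compromised zone to `egress`, each as the list
    of permitting rules; these are the rules a containment change would block."""
    paths = []
    def walk(zone, used, visited):
        for rule in (r for r in rules if r.src == zone and r.dst not in visited):
            if rule.dst == egress:
                paths.append(used + [rule])
            else:
                walk(rule.dst, used + [rule], visited | {rule.dst})
    walk(start_zone, [], {start_zone})
    return paths

def firewall_change_requests(paths):
    """One explicit deny per distinct final hop, phrased for reviewer approval."""
    return sorted(f"deny {r.src} -> {r.dst} port {r.port}" for r in {p[-1] for p in paths})

if __name__ == "__main__":
    surface, vectors = attack_surface(ASSETS, RULES, VULN_SERVICE, ["internet"])
    print("attack surface:", sorted(surface))
    print("shortest vector to fin-db:", vectors["fin-db"])
    print("zero-day triage:", triage_new_cve(ASSETS, RULES, VULN_SERVICE, ["internet"],
                                             "CVE-EXAMPLE-NEW", "http"))
    for req in firewall_change_requests(exfiltration_paths(RULES, "finance")):
        print("change request:", req)
```

Two things the run shows that the slides only assert: with the constructed data, `app01` has no known CVE and so is not on the attack surface until a new `http` vulnerability appears, at which point triage puts it ahead of the more critical `hr-portal`, because no rule permits port 8080 into the finance zone and `hr-portal` is therefore not reachable; and passing `["corp"]` as the origin models the insider case from page 11, which shrinks the surface to the finance database alone. The page 14 watch list is just `sorted({name for name, _ in surface})`.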

Page 24: A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response

Post-Incident Activity

Attack Surface Model

Long-term architectural changes

Network segmentation

Use of advanced controls

Verify risk elimination

Page 25: A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response

Summary: Using Attack Surface for IR

Incident Response Process

Incorporate a broad set of data sources for a full attack surface view

Arm the IR team: tools to correlate, query, and monitor the attack surface

Speed detection and analysis

Use contextual information on likely next steps: contain attacks and limit damage

Page 26: A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response

Visit Skybox Security at Infosec

• Powerful platform for visibility of the attack surface

• Vulnerability and threat management

• Firewall management

• Network visibility and compliance

Risk Analytics for Cyber Security

Page 27: A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response

Thank you