some quick notes taken while watching the presentation:
Know your network: the devices, the security technologies and the things inside it.
Attackers will often employ people who study the security technology of the devices you use to a very deep level. They end up knowing it better than those who develop it.
Reduce attack surface; red team, pen test and act on the results. Don’t assume a small crack is too small to be found. Attackers are patient and persistent: they’ll keep poking and they’ll wait for windows of opportunity if needed.
network boundaries have expanded with BYOD, work from home, cloud, and mobile devices that come and go
spear phishing, watering hole, known CVEs, SQL injection, 0-days.
Note that it’s not all 0-days: attackers’ persistence and focus will get them in.
best practices, baselines, credentials. Have processes to know what is normal.
lateral movement: how will you detect it? segment, manage trust
offense has a tight feedback loop (attacks either succeed or they don’t), whereas defense can think it’s doing something meaningful when actually the only thing you know is that you have not been attacked on your watch yet.
defense ends up doing things of very little value, like forcing people to change their password every two weeks
offense understands cost better than defense does
offense knows the cost of attacking and usually knows the value of the prize it’s after, whereas defense doesn’t necessarily know how the attacker values its information or how much it costs them to attack
only have to win once: discovering offense burns toolsets and TTPs. see
get to choose time & cadence
Complexity tends to favor the attacker
Attackers’ ability to throw tools away once they are no longer useful
Clarity: attackers specialize while defenders have to do it all
attackers write more code. Defenders need to write more stuff too: own tools, rely less on blinking lights and SLAs (I really liked the way Haroon spoke about this one)
least privilege: people complain about lacking permissions, but no one complains about having too much access
enterprise obstacles: the defender’s attitude of “if only they did it right”
network awareness: attackers choose when, but defenders choose where
custom detection: there’s value in things put together by defense. Also, there’s value in a little security by obscurity as long as it’s not the only thing you rely on: add variables that attackers can’t easily guess
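An added example (my own code, not from either talk) of the "know what is normal" plus "custom detection" ideas above: learn a baseline of who authenticates where from a constructed auth log, then flag logons that depart from it, such as a server that is normally only a destination starting to authenticate onward (the lateral-movement question from the earlier note), and flag any use of a hypothetical canary account whose name an attacker cannot guess. Log format, host names and the canary account name are all constructed.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts user src dst")

# Constructed sample auth log (not from the talk): "timestamp user src_host dst_host".
BASELINE_LOG = """\
2016-01-25T08:01:00 alice ws-alice fileserver
2016-01-25T08:02:00 alice ws-alice mail
2016-01-25T08:05:00 bob ws-bob fileserver
2016-01-25T09:00:00 svc-backup backup01 fileserver
2016-01-25T09:10:00 bob ws-bob wiki
"""
NEW_LOG = """\
2016-01-26T03:12:00 alice ws-alice fileserver
2016-01-26T03:13:00 alice fileserver dc01
2016-01-26T03:14:00 bob ws-bob wiki
2016-01-26T03:15:00 svc-canary-7f3a ws-alice dc01
"""
# Hypothetical canary account: it has no legitimate use, so any logon with it is a finding.
CANARY_ACCOUNTS = {"svc-canary-7f3a"}

def parse(log):
    return [Event(*line.split()) for line in log.splitlines() if line.strip()]

def build_baseline(events):
    """Learn what is 'normal': which users reach which hosts, and which hosts talk to which."""
    return {
        "user_dst": {(e.user, e.dst) for e in events},
        "src_dst": {(e.src, e.dst) for e in events},
        "sources": {e.src for e in events},  # hosts that normally initiate logons
    }

def detect(events, baseline):
    """Return (event, reasons) for every event that departs from the baseline."""
    findings = []
    for e in events:
        reasons = []
        if e.user in CANARY_ACCOUNTS:
            reasons.append("canary account used")
        if (e.user, e.dst) not in baseline["user_dst"]:
            reasons.append("user never seen authenticating to dst")
        if (e.src, e.dst) not in baseline["src_dst"]:
            reasons.append("src never authenticated to dst")
        if e.src not in baseline["sources"]:
            reasons.append("src is normally only a destination (possible pivot)")
        if reasons:
            findings.append((e, reasons))
    return findings
```

On the constructed data this reports two of the four new events: alice hopping from fileserver to dc01, and the canary account being used from alice's workstation.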
what we can do
expect breach: how quickly can we detect it, how can we contain it, how can we respond? And KNOW your network
Learn your stuff
USENIX Enigma 2016 – NSA TAO Chief on Disrupting Nation State Hackers bDJb8WOJYdA
Build it! Embrace the hackiness, as in: get the solution that works; defense is a series of hacks too.