The economics of attacks heavily favor the attackers. Zero-day vulnerabilities and malware kits now come with support and SLAs similar to those of legitimate software vendors, which makes it increasingly difficult to stop even low-budget attacks. Nation-state cyberespionage and cyberwarfare fuel the fire for hacktivists and cybercriminals: formerly bleeding-edge tools and techniques make their way down the chain once they are no longer deemed effective at the government level.

Financial institutions were the first business sector to suffer persistent attacks, because the data they hold is easy to monetize on the black market. Large retailers quickly followed, since the payment card data they process can be turned into cash almost immediately. Healthcare targets are next on the cybercriminals' lists. Healthcare organizations have not been held to the same data security standards as financial institutions and payment card vendors, yet the data they hold (SSNs, medical records) cannot be reissued the way a card number can. That data can be used to spear phish, commit tax fraud and carry out identity theft.

All of these events underline the growing need for advanced threat detection and, ultimately, faster and better forensics. Signature-based AV is dead; Symantec has said so. Sandboxing can be circumvented by sandbox-aware malware that checks whether it is running inside a VM. Polymorphic malware and exploits that run at the kernel level are very hard to stop. The data gathered in breaches feeds better spear phishing campaigns aimed at harvesting passwords, and those passwords grant what looks like legitimate access to data on the network and in the cloud. Password and stolen-credential attacks are not only difficult to detect but also difficult to investigate. Attackers are already mining breach data for use in future attacks.
Forensics tools that focus on user credentials, stolen passwords and lateral movement make it easier to uncover a threat actor's movements within a network and the extent of a breach. Despite all of the threats heading our way, this is not a moment for despair; it is a time for action. Building security response teams, bringing on security response services and using tools that limit the extent of breaches and attacks are critical to our success.
Offensive security is the best way to verify that defensive countermeasures are actually working. This session will explore the automated and manual techniques threat hunters use to search vast amounts of data quickly, and how machine learning and data science can help tip the scales back in our favor.
Rene Aguero is currently the Area Manager of Security Markets at Splunk. Prior to Splunk he was at Rapid7, where he helped architect Rapid7 deployments and services ranging from vulnerability management and penetration testing to user-based threat actor detection and attribution. Before Rapid7, Rene worked in the financial sector in Southern California as an IT Manager, designing networks and security solutions that kept PII and credit card data secure through the use of firewalls, IPS/IDS and various encryption methods. Rene received a Master of Science in Business Administration with an emphasis in IT Security, IT Audit and Computer Forensics from California Polytechnic University Pomona. Rene has appeared in Associated Press coverage, and in the outlets that carry it, on topics such as the end of Windows XP support and the Anthem healthcare breach.