"Beyond the Breach: Proactive Defence in the Age of Advanced Threats" (PDF, 111 pages), shared by a member on 三个皮匠报告, where the full version can be read online.
Beyond the Breach: Proactive Defence in the Age of Advanced Threats
Michael Brunton-Spall (he/him)
mbs@cabinetoffice.gov.uk
QCon London 2024

Agile Application Security
https:/

"The second-most terrifying words in the English language are: I'm from the Government, and I'm here to help"

What are the most terrifying words in the English language?

"The most terrifying words in the English language are: Hi, I'm from security, and I'm here to help"

I'm from Government Security

My team does:
Horizon Scanning
Cyber Threat
Cyber Policy

A disclaimer: Everything here is derived from public information

What are advanced persistent attackers doing today?
Why should you care?
What can you do now?

Takeaways: 5 things you can focus on in your org today that will protect you tomorrow

Some context: Why security matters

[Timeline slides: 2006, 2012, 2017, 2024]

So many to pick from, so let's look at 3 examples:
Solarwinds
VOLT TYPHOON
Storm-0558

DARK HALO, Solarwinds and FireEye/Mandiant

Timeline
2019: Volexity spots DARK HALO activity
Mid 2020: Volexity spots DARK HALO back again; DoJ spots unusual activity
November 2020: Mandiant sees odd MFA alerts, starts investigating
December 8th, 2020: FireEye/Mandiant announces compromise
December 13th, 2020: Solarwinds, Mandiant and Microsoft release public blogposts

How did it work?
SUNBURST:
Hidden files injected code into Solarwinds Orion
Compromise of Solarwinds build system
Stayed dormant for 12-14 days
Sent information about victim's server
Decided whether to download next stage
TEARDROP:
More complex architecture
Stole credentials
Searched for emails, documents and source code

How did they compromise Orion?
Feb 19th 2019: SUNSPOT deployed to Solarwinds TeamCity agents
March 2020: Orion builds with backdoor included
June 2020: Attackers delete the TeamCity backdoor
Why did they de