
PHDays VII: how the new rules of the "Confrontation" will affect the balance of power

The next Positive Hack Days is coming soon, and with it the traditional “Standoff”: the hours-long cyber battle between the Defenders and the Attackers and, perhaps, the most intense part of the whole event.


We took part in the “Confrontation” last year. It was hard, but without doubt very cool. This year we will continue the tradition, but the rules of the “Confrontation” have changed seriously, and in this article I would like to explain what those changes are, how closely the new conditions of the game resemble (or do not resemble) real life, and how they will affect the course of the struggle.

Basic infrastructure


The infrastructure this year has changed very significantly and in several directions at once.

First, services and organizations have appeared in the city that lie outside the sphere of activity of the Defenders and SOCs, although they play an important role in urban life. Whether this means they will be left completely unprotected is unknown; the organizers are leaving themselves some room for surprises. But it will certainly affect the overall balance, especially considering that the different infrastructures are now much more tightly linked. The first attempt at this kind of integration was made last year (intercepting SMS made it possible to attack the Bank, and the city-centre infrastructure made it possible to attack any object), but now there are far more of these connections.
As for the “just like in real life” aspect, a very interesting innovation has appeared here too: part of the infrastructure is not under the control of the Defenders and SOCs at all. It can be neither protected nor patched. Intuition suggests that this is exactly the part where the main surprises await: ancient legacy software, default passwords, vulnerabilities dating back to the perestroika era, and real street magic. Indeed, this is often the case in real life: customers have services that were built in ancient times and are designed, “by design”, so that nothing can be done about them. You have to live with a certain number of problems and vulnerabilities in the infrastructure, account for them in the threat profile, and try to work at the level of compensating measures and monitoring (which is also often limited there). Naturally, such elements and services will be the main headache for the Defenders, the main focus of SOC attention, and the target of the Attackers' first and heaviest attacks, because once they have a foothold in the infrastructure it will be much easier for them to move towards their goals.

Game economics


One of the strongest and boldest innovations is, of course, the restriction on the use of defensive tools and attack-repelling mechanisms. There are real budget constraints. Now you have to decide what matters more to you: protecting the perimeter more effectively, deploying a sandbox, or locking down your web services. And, given the professionalism of the Attackers, it looks like assembling an incomplete suit of armor: “which is more important to me, the head or the belly?”. At the same time, the cost of the same tool is assessed very differently depending on whether it only monitors or actually blocks. That is, if the IDS becomes an IPS, or if the WAF blocks attacks automatically, it starts to cost much more. And although at first glance this does not look like reality at all, the approach has a right to exist. Although a vendor's license price, as a rule, does not depend on passive or active mode, the full operating costs have to be taken into account. Keeping signatures up to date, tuning rules as applications and web resources change so as to avoid false positives and blocking legitimate requests: all this adds up to a significant sum, because it requires the expertise of the people operating the system, 24x7 coverage for continuity of operation, and other “pleasant” details of business and IT overhead.

Among the gifts to the Defenders: open source is completely free. Therefore, Defender teams with security wizards who work in script mode, write custom signatures, and tune basic configuration rules gain a significant advantage. Although in reality this approach is not too popular in the enterprise environment, because it is always more comfortable to rely not only on your own experience but also on the practices and expertise of vendors.

What puzzles us as a SOC team is the high price of SOC services in the in-game currency. In the game, SOC services eat up half of the company's IT budget, even though they cover only security monitoring and control tasks. In real life, budgets are distributed somewhat differently :).

External world


One of the strange, but also justified, differences between the “Confrontation” infrastructure and real life is a very unusual “Internet”. Last year, and again this year, all connections come from a single NATed address. The reason for this approach is clear: the temptation for the Defenders to neglect the fair-play rules and simply block the attackers' sessions by IP for a while is very high (especially since in real life, under a targeted attack, such methods are sometimes used even at some business risk). But, on the other hand, this radically changes life for the Defenders and SOCs: every detection rule and scenario aimed at profiling external activity, thresholds on per-address statistics, entropy of source addresses, and other statistical models will automatically stop working. Fortunately, all of this is known in advance, and the SOCs have time to rework their content around other criteria and key characteristics.

This change will not pass the Defenders by either: instead of blocking an IP and taking a 5–10 minute breather, the countermeasures now have to be decided on under continuous attack, while in parallel trying to stamp out attempts to penetrate deeper. And the countermeasures themselves will need to be more sophisticated. This could mean writing custom signatures or continuously cutting off malicious sessions in a semi-automated mode. This will add dynamics and intellectual struggle to the “Confrontation”.
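To make the point about per-address rules concrete, here is an added example (not code from the original post or from the Standoff organizers) that runs two detection rules over a handful of constructed web-server log lines in which every request arrives from one NATed address. A classic "too many requests from one source" rule collapses into a single key and cannot tell legitimate users from a probing session, while a rule keyed on the session identifier and the share of failed requests still isolates the one session that is enumerating non-existent resources. The log format, the address 203.0.113.7, the session identifiers and the thresholds are all assumptions made up for the example.

```python
"""Address-keyed vs. session-keyed detection behind a single NATed address.

The sample log below is constructed for this example; the format is
"<src_ip> <session> <method> <path> <status>", one request per line.
Every request comes from the same address, as on the Standoff's "Internet".
"""
from collections import defaultdict

SAMPLE_LOG = """\
203.0.113.7 sess-a1 GET /index.html 200
203.0.113.7 sess-a1 GET /catalog 200
203.0.113.7 sess-a1 POST /login 200
203.0.113.7 sess-a1 GET /account 200
203.0.113.7 sess-c3 GET /index.html 200
203.0.113.7 sess-c3 GET /catalog 200
203.0.113.7 sess-c3 GET /catalog/item/42 200
203.0.113.7 sess-b2 GET /admin 404
203.0.113.7 sess-b2 GET /backup 404
203.0.113.7 sess-b2 GET /old 404
203.0.113.7 sess-b2 GET /test 404
203.0.113.7 sess-b2 GET /config 404
203.0.113.7 sess-b2 GET /index.html 200
"""


def parse_log(text):
    """Turn the constructed log text into a list of request dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src_ip, session, method, path, status = line.split()
        events.append({"src_ip": src_ip, "session": session, "method": method,
                       "path": path, "status": int(status)})
    return events


def flag_by_address(events, max_requests):
    """Classic rule: alert on any source address sending more than max_requests.

    Behind a single NATed address this either fires on everyone or on no one.
    """
    counts = defaultdict(int)
    for ev in events:
        counts[ev["src_ip"]] += 1
    return {ip: n for ip, n in counts.items() if n > max_requests}


def sessions_behind(events, ip):
    """All sessions sharing one source address (what a per-IP alert lumps together)."""
    return {ev["session"] for ev in events if ev["src_ip"] == ip}


def flag_by_session(events, min_requests=3, max_error_ratio=0.5):
    """Reworked rule: profile each session instead of each address.

    A session whose requests mostly end in 4xx responses is asking for
    resources that do not exist, which is what probing looks like in a log.
    """
    per_session = defaultdict(list)
    for ev in events:
        per_session[ev["session"]].append(ev)
    flagged = {}
    for session, evs in per_session.items():
        if len(evs) < min_requests:
            continue  # too little data to judge a session
        errors = sum(1 for ev in evs if 400 <= ev["status"] < 500)
        ratio = errors / len(evs)
        if ratio > max_error_ratio:
            flagged[session] = {
                "requests": len(evs),
                "error_ratio": round(ratio, 2),
                "distinct_paths": len({ev["path"] for ev in evs}),
            }
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    by_ip = flag_by_address(evs, max_requests=10)
    print("per-address rule fired on:", by_ip)
    for ip in by_ip:
        print("  ...which covers these sessions:", sorted(sessions_behind(evs, ip)))
    print("per-session rule fired on:", flag_by_session(evs))
```

Run as a script, the per-address rule reports the NAT address with all 13 requests and three sessions behind it, so acting on it would block the legitimate sessions too; the per-session rule reports only sess-b2, with 6 requests, an error ratio of 0.83 and 6 distinct paths. The session key here is whatever the SOC can reliably extract per client (a cookie, an application session id, a TLS fingerprint); the response-status ratio is one of several per-session features that keep working when the source address carries no information.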

The event itself is called “The Enemy Within”, so one can hope that, in addition to external “frontal” attacks, dormant botnets and malware will appear inside the infrastructure, along with social engineering and the other delights of current approaches to complex attacks. Since this is genuinely one of the most relevant attack vectors in real life, highly effective and at the same time relatively “cheap” for intruders, the Defenders and SOCs will be extremely interested in testing what they have built. After all, to react quickly you must understand your infrastructure very well and watch it very carefully.

The upcoming event creates an excellent atmosphere and a proving ground for testing hypotheses: the Attackers once again get to do interesting work on trying to carry out an unnoticed attack on a “wary” and protected infrastructure; the monitoring centers get to see how far their “tentacles” reach, whether they cover the customer's infrastructure and detect exotic attacks. In any case, it will not be boring, so we advise everyone to get to PHDays and devote at least a little time to the ongoing “Confrontation”.

Source: https://habr.com/ru/post/328874/