Security BSides Las Vegas 2024

Seek out new protocols, and boldly go where no one has gone before
2024-08-06, Siena

Our current administration lists "Defend Critical Infrastructure" as the #1 item in the 2023 National Cybersecurity Strategy. To take on this challenging endeavor and provide complete security, not only to our critical infrastructure but to all organizations, we must be willing to go deeper than simple vulnerability scans, basic red teaming, or blindly accepting risk because we do not understand it. The product security testing methodology of deep enumeration, which includes dissecting and understanding proprietary protocols, is vital to meeting our nation's objective. This presentation lays out a well-defined and repeatable methodology, then uses an actual proprietary protocol to demonstrate how to dissect and understand it, and how threat actors can use such a protocol to their advantage. It concludes by showing how defenders can use this deep understanding to reduce the risk proprietary protocols pose on their networks. These skills will become instrumental to our cyber security professionals' ability to defend the critical infrastructure and businesses that rely on these protocols.


What's new in this talk?

This talk presents a new approach to understanding proprietary protocols. I propose an eight-step process that allows an engineer to uncover what each byte means within the unknown payload of a packet. During the presentation I will discuss in depth five of the eight steps, which is enough for a beginner to leave and get started applying the skills learned. I conclude the presentation by showing how attackers are leveraging these protocols for malicious purposes, and how, using this process, defenders can be better prepared to counter those attacks.

Key takeaways

1. A proven, repeatable methodology to use when studying unknown protocols
2. An example of how to apply this to an actual protocol from the medical industry
3. The risk of ignoring what we don't understand on our networks and practical mitigations that can be used to overcome this risk

Who will enjoy this talk?

  • An engineer or threat hunter who is responsible for creating alerts for malicious traffic in their network
  • A manager who runs a SOC, product security testing or threat-hunting team
  • A CISO who wants to understand the investment in, and the benefits of, understanding unknown network traffic within their organization
  • Anyone interested in understanding proprietary protocols

Douglas McKee is the Executive Director of Threat Research at SonicWall, where he and his team focus on identifying, analyzing, and mitigating critical vulnerabilities through daily product content. He is also the lead author and instructor for the SANS SEC568 class, which focuses on combating supply chain attacks using product security testing. Doug is a regular speaker at industry conferences such as DEF CON, Black Hat, Hardwear.io, and RSA, and in his career has provided software exploitation training to many audiences, including law enforcement. His research is regularly featured in publications with a broad readership, including Politico, Bleeping Computer, Security Boulevard, VentureBeat, CSO, Politico Morning eHealth, TechRepublic, and Axios.