Wednesday, April 24 • 11:00 - 11:45
Build it Once, Build it Right: Architecting for Detection

Defensible networks are designed to prevent and detect computer attacks, and are hardened at every layer. Per Richard Bejtlich, defensible networks "can be watched" and "limit an intruder’s freedom to maneuver." For example: modern malware often attempts to steal credentials and move laterally via tools such as WMIC, PSExec, and PowerShell. Most host-based firewalls can block (and log) based on applications such as PSExec. Prudent organizations use host-based firewalls to block and log network connections initiated by these tools from "regular" user desktops, and only allow authorized use from system administration drop boxes.

This talk focuses on designing a defensible security architecture that limits an intruder's ability to maneuver, and creates logs when it is successful in doing so. Specific examples will be provided that prevent recent malware such as Petya, NotPetya, SamSam, and others. We will provide an actionable list of techniques that prevent and detect the deadliest events that occur during virtually every successful breach.

Speakers

Eric Conrad

Chief Technology Officer (CTO), Backshore Communications
Eric Conrad is a SANS Faculty Fellow and course author of three popular SANS courses. He has over 28 years of information security experience, has created numerous tools and co-authored the CISSP Study Guide. Eric is the Chief Technology Officer (CTO) of Backshore Communications, a...


Wednesday April 24, 2019 11:00 - 11:45 ADT
Track 1 Ballroom