Using Graph Theory to Understand Security
Information security is hard. It must be, because we keep getting hacked. One aspect that makes it so difficult is the level of complexity that exists in even a modestly-sized digital infrastructure. Humans can consider only so many security relationships, trust boundaries, and attack scenarios at once. This complexity makes it hard to decide where to focus our defensive resources, and we're regularly led astray by the latest shiny tool or security advisory. Remarkably, our adversaries have a similar challenge: once a digital intruder gains a foothold in an environment that is completely new to them, how do they know what next steps they should take to efficiently achieve their goal? The environments they attack are not only complex, they are also unexplored landscapes that must be mapped out.
This is where graph theory can lend a hand.
Several open source tools, such as BloodHound and Infection Monkey, provide intruders (whether that be your friendly neighborhood pentester or your adversaries) with easy ways to map out infrastructures and identify the quickest path to your crown jewels. While this is certainly alarming, we can also use these tools ourselves to find out what our infrastructures look like in the eyes of an attacker.
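What "the quickest path to your crown jewels" means in graph terms is easier to see on a small example. The block below is added here for illustration; it is not code from the talk, from BloodHound, or from Infection Monkey. It uses a handful of constructed BloodHound-style edges (invented accounts and hosts in an invented corp.local domain, with relationship names borrowed from the kinds BloodHound collects) and runs a breadth-first search that returns the fewest-hop attack path from a starting principal to Domain Admins. It also ranks every user by distance to that target, which is the sort of "at scale" view a defender wants: not one path, but which accounts sit closest to the crown jewels.

```python
from collections import deque

# Constructed sample graph (invented hosts and accounts, not real data).
# Each edge is (source, relationship, target), read as "source can reach or
# control target via relationship". The relationship names mirror the edge
# types BloodHound collects from Active Directory.
SAMPLE_EDGES = [
    ("alice@corp.local",    "MemberOf",   "HELPDESK@corp.local"),
    ("HELPDESK@corp.local", "AdminTo",    "WS01.corp.local"),
    ("WS01.corp.local",     "HasSession", "bob@corp.local"),
    ("bob@corp.local",      "MemberOf",   "DOMAIN ADMINS@corp.local"),
    ("dave@corp.local",     "GenericAll", "bob@corp.local"),
    ("carol@corp.local",    "MemberOf",   "SALES@corp.local"),
    ("SALES@corp.local",    "CanRDP",     "WS02.corp.local"),
]

# Constructed list of ordinary user accounts to rank (assumption: these are
# the principals an attacker might phish or otherwise start from).
SAMPLE_USERS = [
    "alice@corp.local", "bob@corp.local", "carol@corp.local", "dave@corp.local",
]

CROWN_JEWELS = "DOMAIN ADMINS@corp.local"


def build_graph(edges):
    """Directed adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])  # sinks are nodes too
    return graph


def shortest_attack_path(graph, start, target):
    """Breadth-first search for the fewest-hop path from start to target.

    Returns a list of (source, relationship, target) hops, [] if start is
    already the target, or None if the target is unreachable from start.
    Every hop counts as one step; edge types are not weighted here.
    """
    if start == target:
        return []
    parent = {start: None}  # node -> (previous node, relationship used)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in parent:
                continue  # already discovered on an equal-or-shorter path
            parent[nxt] = (node, rel)
            if nxt == target:
                # Walk the parent chain back to the start and reverse it.
                path, cur = [], nxt
                while parent[cur] is not None:
                    prev, r = parent[cur]
                    path.append((prev, r, cur))
                    cur = prev
                return list(reversed(path))
            queue.append(nxt)
    return None


def rank_principals(graph, principals, target):
    """Rank principals by how few hops separate them from the target.

    Principals with no path are omitted. Ties are broken by name so the
    ordering is deterministic.
    """
    ranked = []
    for principal in principals:
        path = shortest_attack_path(graph, principal, target)
        if path is not None:
            ranked.append((principal, len(path)))
    return sorted(ranked, key=lambda item: (item[1], item[0]))


if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    print("Shortest path for alice:")
    for src, rel, dst in shortest_attack_path(g, "alice@corp.local", CROWN_JEWELS):
        print(f"  {src} -[{rel}]-> {dst}")
    print("Users by hops to Domain Admins:")
    for name, hops in rank_principals(g, SAMPLE_USERS, CROWN_JEWELS):
        print(f"  {hops}  {name}")
```

On the sample data alice reaches Domain Admins in four hops (group membership, local admin on WS01, a logged-on session for bob, bob's group membership), dave in two (full control over bob's object), and carol not at all, which is exactly the ranking a defender would use to decide where to trim privileges first. Two caveats: a plain BFS treats every hop as equally cheap, whereas in practice abusing GenericAll and harvesting a cached session cost an attacker different effort and leave different artifacts, so a weighted search is the natural next step; and BloodHound itself stores the graph in Neo4j and runs its path queries as Cypher shortestPath queries rather than in application code like this.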
In this talk, Tim will provide a brief introduction to graph theory, show some demos of the free tools that use it, and discuss how he is using these techniques to build automated threat models "at scale" to make defenders' lives easier.
Speaker: Timothy Morgan
After earning his computer science degrees (B.S., Harvey Mudd College and M.S., Northeastern University) and spending a short time as a software developer, Tim began his career in application security and vulnerability research. In his work as a consultant over the past 14 years, Tim has led projects as varied as application pentests, incident response, digital forensics, secure software development training, phishing exercises, and breach simulations. Tim has also presented his independent research on Windows registry forensics, XML external entity attacks, web application timing attacks, and practical application cryptanalysis at conferences such as DFRWS, OWASP's AppSec USA, BSidesPDX, and BlackHat USA.
For the past three years Tim has been building an innovative new risk-based vulnerability management product (DeepSurface) that helps his customers gain a much deeper understanding of the complex relationships present in their digital infrastructures. Visit kanchil.com to learn more about Tim's latest R&D effort.