12th July 2017 Protecting BT and our Customers …and a little bit of IPv6 Dave Harcourt, Chief Security Advisor


12th July 2017

Protecting BT and our Customers …and a little bit of IPv6

Dave Harcourt, Chief Security Advisor


COMMERCIAL - IN CONFIDENCE

Rethink the cyber security threat.

As the threat of cyber attack grows, major corporations are struggling to keep pace with the tactics of criminal gangs, hacktivists, less ethical governments and maybe even cyber terrorists.

Ruthless entrepreneurs.

The 21st century cyber criminal is a ruthless and efficient entrepreneur, supported by a highly developed and rapidly evolving black market. Like any entrepreneur, the cyber attacker’s intention is to make money – fast.

Take the fight to the attackers.

Businesses are struggling to keep up with cyber attackers, not least because procurement cycles are failing to keep pace with the efficiency of the shadow market. A change in approach and mind-set is both required and long overdue.

The need for speed and agility.

To succeed, we need our own cyber security organisations to be as creative and agile as their opponents. Businesses will also have to harness innovative technologies and approaches.

Risk and opportunity are two sides of the same coin. Throughout every global region, country and industry, digital innovation is creating new opportunities to drive efficiencies, serve customers better and increase profits & economic growth. But that innovation can bring risk.

The digital opportunity and how to exploit it.


Protecting BT & Customers from the Global Threat Landscape

Customer expectations / requirements

Legal & Regulatory requirements

Press interest in “cyber” stories

+ Insider Threat


Sustained & Intensifying Cyber Threat

• >1000% increase in major cyber incidents
• Step change in complexity & sophistication of attacks

• Increasing the scope of protection and monitoring
• Matching the scale of Global DDoS threat
• Simplifying internal structure
• Increasing discovery, intelligence & insight

CYTADEL


Core IT Estate, e.g. 21CN, NGA, WiFi

Subsidiaries, e.g. Plusnet, EE

Non-UK Domestic, e.g. Italy, Spain, Brazil

Cloud Services, e.g. Yahoo, Oracle

IT/CPE Services, e.g. Network Management

Decisions on approach to achieve new outcomes for each ring

Steps towards even stronger control and security posture

§ BT’s cyber defensive strategy must appropriately protect all elements of the target

§ These range from core BT network and internal IT elements in the UK, through BT’s subsidiaries, to non-UK domestic businesses

§ Increasingly, third-party suppliers are used to provide critical services. We must ensure that these also have adequate protection capabilities

§ Protection must also be afforded to IT and network services used to support customer solutions

§ Some defensive measures are specific to a ring, whilst others are needed to protect multiple rings

Cyber Defensive Scope

Understand what you are protecting – where and from what


Intelligence Led Surgical Operations: Cyber Security Platform (CSP)


Protecting BT & Customers: Being Hunter Gatherers

Threat, Risk, Policy & Execution Engine

Stakeholder Realisation (Voice of the Customer & Stakeholders)

Utilised by

Cyber & Physical Security Operations

Chief Security Advisor & Discovery

Penetration Test & Ethical Hackers

Threat & Cyber Analytics

War Rooms

Incidents

Discovery & Red Teaming

CYTADEL

Function

Dial the functions up/down as needed

‘a Hunter/Gatherer – intelligence led and intelligence seeking, driven by threat and risk’

Global, MFU and HMG Security

MFU Security

BT Consumer EE

BT GS B&PS W&V Group

Global Security

Americas (US&C Latam) Europe AMEA India

HMG / Asset Security

List X Security Controller

HMG Assurance (people, physical, info, crypto etc.)

PSN Asset Security & exploitation

Intelligence


Threat Trends

Unique count of telnet and SSH IPs seen attacking honeypots

Unique malware samples collected per day

Overall spam volumes per botnet

Malspam volumes targeting BT users over last 30 days


IPv4: 32 bits long, provides 4,294,967,296 (4.3 billion) IP addresses

It is possible to scan all these in a reasonable period of time (days)

The world has officially run out of these addresses

IPv6: provides unique 340,282,366,920,938,463,463,374,607,431,768,211,456 (340 undecillion) addresses

The answer to IPv4 depletion

Good luck scanning all those!!

Tools like SHODAN have to find other techniques to discover and scan IPv6 hosts

…it’s not practical to simply scan an entire IPv6 netblock!!

Global discovery and IPv6


BT owns IPv6 addressing around the world, some examples:

BGP ASN   Where       IPv6 allocation      Number of addresses
AS12541   BT Spain    2001:ac0:30fd::/48   1,208,925,819,614,629,174,706,176
AS2856    UK IPP      2a00:2380::/25       10,141,204,801,825,835,211,973,625,643,008
AS5400    BT Global   2001:740::/32        79,228,162,514,264,337,593,543,950,336
AS5400    BT Global   2a00:2000::/22       81,129,638,414,606,681,695,789,005,144,064
AS8968    BT Italy    2a02:4d80::/32       79,228,162,514,264,337,593,543,950,336

IPv6 in BT


What can we do to find BT systems using IPv6?

Example methods:

§ Some open-source tools exist (IPv6Walk)

§ Examine BT DNS server zone files, looking at quad-A, or ‘AAAA’ records which are used by IPv6

§ Inventories, asset management systems

§ Passive DNS monitoring, to detect AAAA lookups being performed

§ Netflow data capture

§ pool.ntp.org?
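
As an added illustration (not part of the original slides), the zone-file method can be combined with the allocations listed on the "IPv6 in BT" slide: the code below pulls AAAA records out of a zone excerpt and attributes each address to the most specific matching allocation. The zone contents, the `example.test` names and the probe rate used by `scan_years` are assumptions made for the example; only the prefixes and ASNs come from the slides.

```python
import ipaddress

# IPv6 allocations from the "IPv6 in BT" slide: prefix -> ASN and owner.
ALLOCATIONS = {
    "2001:ac0:30fd::/48": "AS12541 BT Spain",
    "2a00:2380::/25": "AS2856 UK IPP",
    "2001:740::/32": "AS5400 BT Global",
    "2a00:2000::/22": "AS5400 BT Global",
    "2a02:4d80::/32": "AS8968 BT Italy",
}
NETWORKS = {ipaddress.ip_network(p): who for p, who in ALLOCATIONS.items()}

# Constructed zone-file excerpt; every name and address here is made up.
SAMPLE_ZONE = """\
$ORIGIN example.test.
@      IN SOA ns1 hostmaster ( 2017071201 7200 900 1209600 3600 )
www    IN A    192.0.2.10
www    IN AAAA 2a00:2381:10::80
mail   300 IN AAAA 2001:740:0:1::25 ; TTL given before the class
vpn    AAAA    2A02:4D80:FFFF::1
cdn    IN AAAA 2001:db8::1          ; outside every allocation
broken IN AAAA 2a00:2380::zz        ; malformed address
"""

def aaaa_records(zone_text):
    """Yield (owner name, IPv6Address) for each well-formed one-line AAAA record."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments, tokenise
        if "AAAA" not in fields[1:-1]:
            continue
        try:
            yield fields[0], ipaddress.IPv6Address(fields[fields.index("AAAA", 1) + 1])
        except ValueError:
            continue  # skip a bad address instead of aborting the inventory

def inventory(zone_text):
    """Return (name, address, owner); owner is None outside the allocations."""
    rows = []
    for name, addr in aaaa_records(zone_text):
        # Longest-prefix match: 2a00:2380::/25 sits inside 2a00:2000::/22.
        best = max((n for n in NETWORKS if addr in n),
                   key=lambda n: n.prefixlen, default=None)
        rows.append((name, str(addr), NETWORKS.get(best)))
    return rows

def scan_years(prefix, probes_per_second=1_000_000):
    """Years to probe every address in prefix (the rate is an assumption)."""
    return ipaddress.ip_network(prefix).num_addresses / probes_per_second / 31_557_600

if __name__ == "__main__":
    for row in inventory(SAMPLE_ZONE):
        print(row)
    print(f"{scan_years('2001:ac0:30fd::/48'):.1e} years for the /48")
```

Records that inherit their owner name from a previous line (leading whitespace) are not handled by this parser; a zone exported one record per line with explicit names is assumed.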


Thank you