A Brief History of p0wn4ge: 18 Years and 4506 Incidents, presented at the FIRST Conference Kuala Lumpur 2018

by Aashish Sharma and Jay Karma

Summary: We present both a broad reflection and a detailed analysis of security incidents at Lawrence Berkeley National Lab (LBNL), based on extensive data (Bro logs since 1999) and detailed incident tracking that allows us to showcase trends in intrusions and detection capabilities from 1999 to 2017. We review how our security monitors flagged some compromises while examining the reasons why others were missed. We also highlight the evolution of detection techniques and incident response processes that result in finding malicious but rare events. We will discuss how the analysis we conducted on these incidents provides a basis for attack modeling and the design of new methods for security monitoring and response.

Focus of proposal topic and importance, relevance, value, and/or interest to the audience: The focus of this presentation is to provide insights into some of the most interesting security incidents that our security team handled over the past two decades. We will describe how we discovered each incident, our team's response and the lessons learned. By presenting the incidents in a way that demonstrates the discoveries and what might have been done better, we hope to give IT security practitioners and leaders better ways to detect, investigate and discuss their own incidents. We also focus on our detection methods and how new incidents feed back into our monitoring techniques. One intention of this talk is to break the glass ceiling and make it alright to talk about security incidents and getting p0wned.

Most important outcomes or points we want session attendees to grasp:
- Historical trend analysis of cyber security incidents, resulting in a deeper understanding of the evolution of attack types as well as detection capabilities.
- Discussion of "interesting attacks" seen at Lawrence Berkeley National Lab.
- In-depth lessons learned and our reactive and adaptive attack mitigation strategies.
- How to secure an open, functional and yet unrestricted large-scale network.
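The trend analysis the abstract describes (incident counts over time, the shifting mix of attack types, and which compromises the monitor flagged versus which arrived through a user or an outside report) can be reproduced on any incident-tracking export. The script below is an added illustration, not code from the talk or its authors; the CSV records are constructed sample data, and the field names (`year`, `category`, `detected_by`) and the `bro` detection source are assumptions about what such a tracker would hold, not the lab's actual schema.

```python
"""Trend analysis over an incident-tracking export.

Added illustration for the abstract above; not code from the LBNL talk or
its authors. The records are constructed sample data and the column names
are assumed, not the lab's real tracker schema.
"""
from collections import Counter, defaultdict
import csv
import io

# Constructed sample incident records (not real LBNL incidents).
# detected_by records who first flagged the incident: the network monitor
# ("bro"), a user report, or an external party.
SAMPLE_CSV = """\
id,year,category,detected_by
1,2001,ssh-bruteforce,bro
2,2001,web-defacement,external-report
3,2004,ssh-bruteforce,bro
4,2004,malware,user-report
5,2009,malware,bro
6,2009,credential-phish,user-report
7,2013,credential-phish,bro
8,2013,credential-phish,external-report
9,2017,credential-phish,bro
10,2017,cryptominer,bro
11,2017,ssh-bruteforce,bro
"""


def load_incidents(text):
    """Parse the CSV export into a list of typed dicts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"id": int(row["id"]), "year": int(row["year"]),
                     "category": row["category"],
                     "detected_by": row["detected_by"]})
    return rows


def incidents_per_year(incidents):
    """Raw volume trend: incident count keyed by year, ascending."""
    return dict(sorted(Counter(i["year"] for i in incidents).items()))


def category_share_by_era(incidents, era_length=5):
    """Mix of attack types per fixed-length era (2000-2004, 2005-2009, ...).

    Shares are fractions of that era's total, so a category's rise or fall
    is visible even when overall volume changes."""
    era_counts = defaultdict(Counter)
    for i in incidents:
        era_start = i["year"] - (i["year"] % era_length)
        era_counts[era_start][i["category"]] += 1
    shares = {}
    for era, counts in sorted(era_counts.items()):
        total = sum(counts.values())
        shares[era] = {cat: round(n / total, 2) for cat, n in counts.items()}
    return shares


def monitor_detection_rate(incidents, monitor="bro"):
    """Fraction of each year's incidents first flagged by the monitor rather
    than by a user or an outside party: a detection-capability trend."""
    per_year = defaultdict(lambda: [0, 0])  # year -> [flagged, total]
    for i in incidents:
        per_year[i["year"]][1] += 1
        if i["detected_by"] == monitor:
            per_year[i["year"]][0] += 1
    return {y: round(f / t, 2) for y, (f, t) in sorted(per_year.items())}


def missed_by_monitor(incidents, monitor="bro"):
    """Incidents the monitor did not flag, grouped by category: the list an
    analyst reviews to decide which detection gaps to close next."""
    missed = defaultdict(list)
    for i in incidents:
        if i["detected_by"] != monitor:
            missed[i["category"]].append(i["id"])
    return dict(missed)


if __name__ == "__main__":
    incs = load_incidents(SAMPLE_CSV)
    print("incidents per year:", incidents_per_year(incs))
    print("category share by era:", category_share_by_era(incs))
    print("monitor detection rate:", monitor_detection_rate(incs))
    print("missed by monitor:", missed_by_monitor(incs))
```

Run against a real export, `missed_by_monitor` is the feedback loop the abstract mentions: each category that keeps appearing there is a candidate for a new monitoring rule, and `monitor_detection_rate` shows whether the rule changed the trend in later years.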