2. About me
• Head of infrastructure security at QIWI group
• Past: Security analyst at GE Capital, independent security
consultant at fintech start-ups, systems and network
administrator
• a.k.a. Mona
3. The common way
• Limited scope and vectors
• Single team/vendor
• Well-known testing scenario
• Approved ’testing windows’
• Whitelisting
4. Traditional testing benefits
• No effect on stability and performance of systems (in
most cases)
• Known ‘markers’ of suspicious activity
• Approved time frames
• Low load on the security team
5. Classic way disadvantages
• Lack of coverage
• Restricted toolbox
• Approvals ‘on every click’
• “This is for compliance only”
As a result, it does not look like a real incident
6. What are Red Team exercises?
The term originated within the military to describe a
‘friendly’ attacker
• No restrictions on bypass techniques
• No time frames
• Full emulation of a real intrusion and/or APT
• Mixed team of highly qualified testers
7. Blue Team Response
”Guard the flag”
• Security team is not notified of the start or the end
• No way to tell whether it is a friendly test or a real attack
• Systems tuning ‘on-the-fly’
• Manual analysis of indexed data
• ‘Insider’ within the team
8. Benefits of Red Team testing
• Full coverage of internals
• Scope covers all security and awareness processes
(not only IT systems)
• Best way to test your team and tools
• Safe way to get a ‘real’ incident and apply appropriate
mitigations
9. Red Team way disadvantages
• DoS and urgent changes
• Urgent reinstalls
• ALL employees are targets too
• IT security team at 200% load
• 24x7 attacks
10. QIWI: Red Team vs Blue Team 2015
• Red team: ONSEC+Digital Security
• Blue team: QIWI IT security
• Blue team ‘insider’: CISO
• Time range: ~2.5 months
• Scope: everything and everyone
11. Goals and Objectives
Red Team
• Any access to critical systems
• Application or DBA account in database
• Enterprise administrator (Windows)
• Any *nix administrator’s account
Blue Team
• 90% of attacks performed should be detected by the core SoC systems
• Live response
12. QIWI Blue Team: months of pain
• Social engineering
• Brute force and tons of locked accounts
• Urgent shutdowns of systems and VPN channels
• Strange “lost” devices in office
• Strange approval requests
• Hours spent on SIEM alerts, forensics and CCTV recording
requests
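The brute-force and account-lockout noise above is the kind of activity the SoC rules had to catch. The following is an added example, not code from QIWI or the deck: a sliding-window detector run over constructed Windows Security log lines (event 4625 = failed logon, 4740 = account locked out). The log format, the source IPs, the account names and the thresholds are all assumptions made for the example.

```python
"""Brute-force / password-spray / lockout-storm detection over auth log lines.

Added example, not from the original deck. The log lines are constructed to
look like Windows Security events 4625 (failed logon) and 4740 (lockout),
flattened to "<ISO timestamp> <EventID> user=<name> src=<ip>" (assumed format).
Thresholds are illustrative assumptions, not tuned SoC values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one spraying source, one lockout burst, one slow
# "failed four times in eight minutes" source that should stay below threshold.
SAMPLE_LOG = """\
2015-03-02T09:00:01 4625 user=alice src=10.1.1.50
2015-03-02T09:00:03 4625 user=bob src=10.1.1.50
2015-03-02T09:00:05 4625 user=carol src=10.1.1.50
2015-03-02T09:00:07 4624 user=frank src=10.1.2.7
2015-03-02T09:00:09 4625 user=dave src=10.1.1.50
2015-03-02T09:00:11 4625 user=eve src=10.1.1.50
2015-03-02T09:00:20 4740 user=alice src=10.1.1.50
2015-03-02T09:00:21 4740 user=bob src=10.1.1.50
2015-03-02T09:00:22 4740 user=carol src=10.1.1.50
2015-03-02T09:01:00 4625 user=frank src=10.1.3.9
2015-03-02T09:03:00 4625 user=frank src=10.1.3.9
2015-03-02T09:05:00 4625 user=frank src=10.1.3.9
2015-03-02T09:07:00 4625 user=frank src=10.1.3.9
"""

FAIL_THRESHOLD = 5           # assumed: >= 5 failed logons from one source per WINDOW
LOCKOUT_THRESHOLD = 3        # assumed: >= 3 distinct accounts locked per WINDOW
WINDOW = timedelta(minutes=1)


def parse_line(line):
    """Parse one flattened event line into a dict (assumed format, see above)."""
    ts, event_id, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event": int(event_id),
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect(lines, fail_threshold=FAIL_THRESHOLD,
           lockout_threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts for the given log lines.

    4625 events are bucketed per source IP in a sliding time window; crossing
    the threshold with one account is flagged as brute_force, with several
    accounts as password_spray. 4740 events are tracked globally: many distinct
    accounts locked inside one window is a lockout_storm. Each rule fires once
    per source (or once overall for the storm) so the output stays readable.
    """
    alerts = []
    fails_by_src = defaultdict(deque)   # src -> deque of (ts, user)
    lockouts = deque()                  # deque of (ts, user)
    fired_src = set()
    storm_fired = False

    for ev in map(parse_line, lines):
        if ev["event"] == 4625:
            dq = fails_by_src[ev["src"]]
            dq.append((ev["ts"], ev["user"]))
            while dq and ev["ts"] - dq[0][0] > window:   # drop events outside WINDOW
                dq.popleft()
            users = {u for _, u in dq}
            if len(dq) >= fail_threshold and ev["src"] not in fired_src:
                fired_src.add(ev["src"])
                alerts.append({
                    "rule": "password_spray" if len(users) > 1 else "brute_force",
                    "src": ev["src"], "failures": len(dq),
                    "users": sorted(users), "at": ev["ts"],
                })
        elif ev["event"] == 4740:
            lockouts.append((ev["ts"], ev["user"]))
            while lockouts and ev["ts"] - lockouts[0][0] > window:
                lockouts.popleft()
            locked = {u for _, u in lockouts}
            if len(locked) >= lockout_threshold and not storm_fired:
                storm_fired = True
                alerts.append({"rule": "lockout_storm", "src": None,
                               "users": sorted(locked), "at": ev["ts"]})
        # other event IDs (e.g. 4624 successful logon) are ignored by these rules
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, the spray from 10.1.1.50 fires after its fifth failure within the minute, the three lockouts that follow fire a lockout_storm, and the slow failures from 10.1.3.9 never accumulate past one inside the window, so they stay silent. Tuning the window and thresholds is exactly the "systems tuning on-the-fly" the Blue Team slide describes: too tight and the red team's slow spray walks through, too loose and the team drowns in alerts.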
13. Results
First test of Q-SoC
• SoC response: ~70% detected against the 90% target - FAILED
• Multiple macOS configuration mismatches
• Lack of awareness
• Total disappointment in security systems under overload
• 5 months of remediation
14. What’s the profit?
• A ‘fresh look’ at your company’s security
• Improved qualification and awareness of technical teams
• Set of SoC rules and processes tested against real cases
• Test of response and disaster recovery plans
• Review of the systems and tools in use
Attack cost increases if proper actions are taken
15. Most interesting attacks
• 0-day in a DVR
• Wi-Fi intrusion
• Bridging between WAN and LAN
• Physical intrusion points