Advanced Persistent Threats

Transcription

1 Emilio Tonelli Senior Sales Engineer South Europe WatchGuard Technologies, Inc. Advanced Persistent Threats the new security challenge Are you protected?

2 Current Threat Landscape 2

3 Global Threat Landscape: Threats Rising!

4 The Cloud s Becoming Suspect

5 Snowden Effect Influences Encryption

6 Information Security Trends Attackers more sophisticated Mobile attacks increase Ransomware is hot Attacks more targeted Security s a boardroom conversation You will get breached Internet of Things (IoT) Threat Intelligence gains prominence Encryption use grows Governments more involved

7 You ve Heard the APT spiel, for sure An Advanced Persistent Threat (APT) is a very high-tech, cutting edge attack leveraged to gain prolonged, stealthy control over a high value political or business target. Three APT Attributes: 1. Advanced 2. Persistent 3. Targeted

8 APTs are Only Nation-State Right? These don t affect me, right?

9 Advanced Threats Timeline Nation-states / Political Criminals / Private China-based C&C Spear Phishing Political Targets Four 0day PLC Rootkit Broke Centrifuges 0day Word flaw Iran, Sudan, Syrian Cyber Espionage Targeted Lebanon USB LNK Flaw APT Bank Trojan 152M records 0day Coldfusion Stolen source GhostNet Stuxnet Duqu Gauss Adobe Mar Jan Jun Mar Jun. Sep May 2012 Jan Oct Dec Operation Aurora RSA/Lockheed Flame NYTimes Target IE 0day Comment Crew (CN) Stole Gmail and Src 0day Flash Flaw 0dayTrojan Stole SecureID Info 0day MS Cert Flaw Stole IP Target Iranian Oil China-based Spear phishing 0day malware 40M CCNs 0day malware Partner access

10 Modern Evasive Malware Advanced Persistent Threats How WatchGuard Protects

11 Advanced Threats Require Defense-in-Depth Advanced threats, by definition, leverage multiple vectors of attack. No single defense will protect you completely from computer attacks Firewall Intrusion Prevention System AntiVirus AntiSpam Reputation Services APT Protection The more layers of security you have, the higher chance an additional protection might catch an advanced threat that other layers might miss.

12 Cyber Kill Chain 3.0 ( the WatchGuard Edition) Reconnaissance Delivery Compromise/Exploit Infection/Installation Command and Control (C&C) Lateral Movement / Pivoting Objectives/Exfiltration *Cyber Kill Chain is an intelligence defense-driven process registered by Lockeed Martin

13 WatchGuard Breaks the Cyber Kill Chain Reconnaissance Delivery Compromise/Exploit Infection/Installation Command and Control (C&C) Lateral Movement / Pivoting Objectives/Exfiltration

14 APT Techniques Trickle Down Today, normal criminal malware exploits the same advanced tactics as nation-state APTs. Every organization is at risk of advanced threats! Zeus copies Stuxnet 0day exploit Criminals use evasive malware (Cryptolocker) Zeus uses stolen certificates Criminal spear phishing Criminal watering hole attacks

15 Advanced Phishing Hosts Compromised Opportunistic Attacks Hosts Compromised Is Anti-Virus Really Dead? Traditional antivirus software is best used to combat opportunistic (untargeted) attacks, offering effective and efficient protection following the creation of a signature. THRESHOLD OF DETECTION Signature available Goal for the cyber miscreant is to maximize slope. Time THRESHOLD OF DETECTION Signature available? Goal for the cyber miscreant is to minimize slope. Time Source: Jeffrey J Guy; Director, Product Management; Bit9/Carbon Black

16 APT Blocker How Does it Work (1) The «legacy» infection process 12 The Once attacker the malware buildspackage generic as been malware recognized to attack large no. of victims base Target: a signature is created and bytecode is damages comparedto against as much those assignatures possible hosts stored into AV DB Malware is distributed using: - phishing, spear phishing, - drive-by download on crowded, generic, communities and web services drive-by download mail GAV Signature DB (updated) attacker

17 APT Blocker How Does it Work (2) The «APT» approach > targeted for A 12 The attacker only way builds we have SPECIFIC today to (targeted) identify these threats packed is to launch (i.e. encrypted), them! malware to attack A s victim base Target: data An hash leaks/spy/damages for the malware isto calculated A s assets and compared on the cloud, just to check if it has been already found A can be a company, pool of targeted victims, Malware If not... an is array distributed of sandoboxes using: (Lastline) are used to lauch -the phishing, malware, spear inspect phishing, the code to and A sbehaviour users & «relatives» of the malware -on drive-by the victim s download system, on then communities is classified visitedatby runtime A s users drive-by download for A s victims mail sandbox cloud array attacker

18 That s why APT Blocker fills that security gap! Identifies and submits suspicious files to cloud-based, next-generation, full system emulation sandbox Provides real-time threat visibility; protection in minutes not hours Analyzes comprehensive set of files (Executables, Office documents, PDFs & Android APKs) Detects Zero Day Malware Scalable; inspects millions of objects at any given time Not fooled by evasion

19 Emilio Tonelli Info&Sales: