Evolving Threat Landscape

Transcription

1 Evolving Threat Landscape

2 Briefing Overview Changing Threat Landscape Profile of the Attack Bit9 Solution Architecture Demonstartion Questions

3 Growing Risks of Advanced Threats APT is on the rise 71% increase in APT attacks over the past 12 months APT targets any industry 83% of US companies have been hit by the APT APT is low profile 46% say it takes 30 days or more to detect APT is targeted 97% of the 140M records compromised through customized malware APT is elusive AV databases are 20-50% effective at detecting new or low-volume threats

4 What s Different About the APT? CLASSIC THREAT ADVANCED PERSISTENT THREAT RETRIEVE INFORMATION GAIN ACCESS TO INFORMATION GET IN; GET OUT FOOTHOLD FOR CONTROL ACTIVE HIBERNATES SINGLE ENTRY POINT MAINTAINS MANY ENTRY POINTS WORKS OUTSIDE/IN WORKS INSIDE/OUT MONEY MONEY; POWER; ESPIONAGE

5 Profile of the APT Establish Trust With Social Engineering Drops Custom Malware on an Endpoint Creates a Backdoor to Ensure Access Moves Laterally To Other Endpoints Establishes a Staging Area Extracts Data Evolves to Evade Detection 7. Malware Morphs 6. Remote Command & Control 5. Build Stolen Data Archives 1. Target Individuals 3. Obtain Elevated Privileges/ Passwords 2. Send malicious , PDF or URL 4. Migrate to Other Endpoints

6 Endpoint is a Massive Blind Spot Exponential Growth in AV Signatures 2,895,802 AV signatures Symantec Internet Threat Research Report April % to 50% effective at detecting new or low-volume threats. A Buyer s Guide to Endpoint Protection Platforms Gartner, Dec 2010 For Every 10 New Threats Pushing 7,933 AV signatures / day Stopped Maybe Evade Protection

7 Advanced Persistent Threat Targets Bit9 Parity Suite Registry Registry Protection APT attempts to change critical resources Config Files Portable Storage Devices Applications Memory File Integrity Monitoring Device Control Application Whitelisting Memory Injection Protection Operating System OS Tamper Protection

8 Bit9 Overview Advanced Endpoint Protection Parity Suite Portable Storage Devices Registry Settings Configuration Files Parity Visibility Advanced Threat Detection Parity Control Advanced Threat Prevention Applications Memory Operating System Files Parity Knowledge Software Reputation Service Global Software Registry Cyber Forensics Service Software Reputation to Filter Known Good

9 Bit9 Architecture Clients Management Server Software Reputation Service LAPTOPS CONSOLE DESKTOPS SERVERS GLOBAL SOFTWARE REGISTRY KIOSKS BIT9 PARITY SERVER MSFT SQL SERVER ATMS ACTIVE DIRECTORY SERVER POINT OF SALE Cyber Security Essentials

10 The New Strategy for Advanced Threats Advanced Network Protection Advanced Endpoint Protection Incident Response/Forensics SIEM APT Event Consolidation Traditional Network Protection Traditional Endpoint Protection

11 The Power of Correlation 1. Suspicious Network Traffic Alert on SIEM aurora.exe 2. Correlate Network Behavior with Endpoint Events aurora.exe 3. Identify Software Introduced in Last 24 Hrs 1 st Seen 4. Advanced Threat Detection aurora.exe MD5 hash: Advanced Threat Protection

12 Reducing the APT Attack Surface ESTABLISH EXECUTIVE COMMITMENT DEFINE AND MAP RISK PROFILES ESTABLISH ENDPOINT VISIBILITY AND REPUTATION 4 INTEGRATE EVENTS WITH EXISTING SECURITY FRAMEWORKS 5 COMMUNICATE RISK AND THREATS TO BUSINESS UNITS 6 REDUCE THE APT ATTACK SURFACE

13 Bit9 Case Study: Military Command Austere Challenge Friendly exercise to test security RED TEAM attempts to penetrate defenses Fishing s have been traditionally successful Detailed in After Action Report (AC08) Bit9 Solution Initial deployed on NIPRNet 100% deterrent of RED TEAM attempts Expanded to SIPRNet

14 Custom Risk Analysis 2 Day Process Identify High Risk Endpoints Comprehensive Trust Assessment Share Risk Results with Stakeholders Deliverables Comprehensive Software Inventory Baseline Drift Analysis Report Software Risk Analysis Report