RSA Security Anatomy of an Attack Lessons learned


RSA Security: Anatomy of an Attack, Lessons Learned
Malcolm Dundas, Account Executive
John Hurley, Senior Technology Consultant

Agenda
- Advanced enterprise threats
- The RSA breach: a chronology of the attack
- Security analytics
- Incident response and governance
- Q & A

In 2011 the digital universe will surpass 1.8 zettabytes (1,800,000,000,000,000,000,000 bytes).


The RSA Attack
- On March 17th, RSA disclosed it was the target of an Advanced Persistent Threat (APT):
  - Communicated that certain information related to RSA SecurID was extracted during the attack
  - Provided best-practices guidance and prioritized remediation steps
- On June 6th, RSA issued an open letter to customers:
  - Shared that the perpetrator's most likely motive was to obtain an element of security information that could be used to target defense secrets and related IP, rather than financial gain, PII, or public embarrassment
  - Confirmed that information taken from RSA was used as an element in an attempted broader attack against Lockheed Martin
  - Reinforced that the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology

The Initial Vector in the RSA Attack
1. Phishing emails: some clues about the email lead us to believe that it was based on slightly dated research on employees.
2. Launch zero-day: one user opened the email attachment (an Excel spreadsheet), which launched a Flash zero-day.
3. Attacker gains access to other machines: the zero-day exploit installs a backdoor (a Poison Ivy RAT variant), which enables extraction of memory-resident password hashes.

Reducing Attacker Free Time (timeline figure; the labels below are what survives of it)
Attacker timeline: Surveillance, Target Analysis, Access Probe, Attack Setup, System Intrusion, Attack Begins, Discovery/Persistence, Cover-up Starts, Leap Frog Attacks Complete, Cover-up Complete, Maintain Foothold.
Defender timeline: Physical Security, Threat Analysis, Defender Discovery, Attack Forecast, Monitoring & Controls, Attack Identified, Containment & Eradication, Incident Reporting, Impact Analysis, Damage Identification, System Reaction, Response, Recovery.
The gap between the two timelines is the attacker's free time.
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/hilf.pdf)

From Compromise to Exfiltration
4. Attacker initiates separate network access using credentials obtained in steps 1-3.
5. Attacker moves laterally through the organization, heavily using privilege escalation, to systems containing disparate information that, when combined, allowed compromise of RSA SecurID-related information.
6. Attacker removes data and stages it on a file share within the network.
7. Files are encrypted and the attacker tries to exfiltrate them to several external servers before finding a successful destination.

Shift in spending

Asset Criticality Intelligence (RSA ACI)
- Asset intelligence (IT info), drawn from RSA NetWitness, CMDBs and vulnerability scans: IP address, criticality rating, asset list, device owner, device type, device content.
- Business context, drawn from RSA Archer: business unit, facility, business owner, business unit criticality rating, business process, RPO / RTO.
Security analysts now have asset intelligence and business context to better analyze and prioritize alerts.

EMC SOC vs. CIRC
- SOC = Security Operations Center: Level 1 adds, moves and changes, security questions, device health, etc.
- CIRC = Critical Incident Response Center: manages security incidents, investigates suspicious behavior, vulnerability analysis, malware analysis, threat management, etc.

RSA Critical Incident Response Team detects file transfer activity
DLP Network detects a transfer of an encrypted file over the FTP protocol.

Alert: Critical Incident Response Team
RSA SIEM generates an alert from two correlated events:
1. Successful RDP connection to a critical server
2. DLP activity on the same server
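The two-event correlation this slide describes, as an added Python example that is not RSA's SIEM rule or any RSA code: it runs over a few constructed log events and raises an alert only when a DLP event on a critical server follows a successful RDP logon to that same server within a window. Host names, timestamps and the one-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on the two correlated slide events:
# successful RDP logons, then DLP seeing an encrypted file leave a server
# over FTP. Hosts, users, addresses and timestamps are invented.
CRITICAL_ASSETS = {"fileshare-01", "hr-db-02"}

EVENTS = [
    {"ts": "2011-03-10 09:02:11", "type": "rdp_logon", "host": "fileshare-01",
     "src_ip": "192.168.100.142", "user": "john"},
    {"ts": "2011-03-10 09:03:40", "type": "rdp_logon", "host": "wks-17",
     "src_ip": "192.168.100.142", "user": "john"},
    {"ts": "2011-03-10 09:25:05", "type": "dlp", "host": "fileshare-01",
     "proto": "ftp", "detail": "encrypted archive"},
    # Same host, but a day later: outside the window, so no alert.
    {"ts": "2011-03-11 13:00:00", "type": "dlp", "host": "fileshare-01",
     "proto": "ftp", "detail": "encrypted archive"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(events, critical, window=timedelta(hours=1)):
    """Return one alert per DLP event on a critical host that was preceded,
    within `window`, by a successful RDP logon to the same host."""
    logons = sorted((e for e in events if e["type"] == "rdp_logon"),
                    key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for e in events:
        if e["type"] != "dlp" or e["host"] not in critical:
            continue
        t = parse_ts(e["ts"])
        for logon in logons:
            delta = t - parse_ts(logon["ts"])
            if logon["host"] == e["host"] and timedelta(0) <= delta <= window:
                alerts.append({"host": e["host"], "rdp_src": logon["src_ip"],
                               "user": logon["user"], "rdp_ts": logon["ts"],
                               "dlp_ts": e["ts"]})
                break  # one alert per DLP event is enough for the analyst
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS, CRITICAL_ASSETS):
        print(a)
```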

Incident escalation to the Security Management Dashboard
RSA SIEM alerts are sent to the RSA eGRC platform. RSA eGRC links this incident with business context and prioritizes it as HIGH priority.

Advanced Network Forensics
Instant integration from the RSA eGRC web interface to RSA NetWitness with two clicks: SIEMLink transparently retrieves full session detail from RSA NetWitness.

Situation Aware Analysis
Context of all network activities to/from the critical server. Confirm John's machine (192.168.100.142) as the source of the RDP session.

Situation Aware Analysis
Drill into all network sessions from John's machine: a small executable file transferred over HTTP, with a suspicious filename and extension and a suspicious domain name. Malware?!?

Automated Malware Analysis
RSA NetWitness instantly provides detailed analysis of the file in question.

Only Security Analytics can tell you the impact of the attack

Attack step                                        | Traditional SIEM | RSA SA
Alert for RDP tunneled over non-standard port      | No               | Yes
Recreate activity of suspect IP address across environment | No       | Yes
Show user activity across AD and VPN               | Yes              | Yes
Alert for different credentials used for AD and VPN | Yes             | Yes
Reconstruct exfiltrated data                       | No               | Yes

RSA Methodology: Ripping away the hay with automated queries
Start with all network traffic and logs:
- SHOW ME all downloads of executable content (pdf, doc, exe, xls, jar etc.)
- SHOW ME files where file type does not match extension
- ALERT ME for sessions to/from critical assets
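The second query (file type does not match extension), as an added Python example that is not part of the original deck: it compares the leading magic bytes of a download against the container type its extension claims, covering the file types the slide names. The signature table, the extension mapping and the sample file headers are constructed for illustration.

```python
# Magic-byte signatures for the types the slide lists (exe, pdf, doc/xls, jar).
# Legacy .doc/.xls are OLE2 compound files; .jar and modern Office are ZIP-based.
SIGNATURES = {
    b"MZ": "exe",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
}

# Which extensions legitimately carry each container type (assumed policy).
EXPECTED = {
    "exe": {"exe", "dll", "scr", "sys"},
    "pdf": {"pdf"},
    "ole2": {"doc", "xls", "ppt", "msg"},
    "zip": {"zip", "jar", "docx", "xlsx", "pptx"},
    "elf": {"", "so", "bin"},
}


def detect_type(data: bytes):
    """Identify the container by its leading bytes; None if unknown."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def mismatches(files):
    """files: iterable of (filename, first_bytes). Returns (name, ext, real_type)
    for every file whose real container type does not match its extension."""
    out = []
    for name, head in files:
        kind = detect_type(head)
        if kind is None:
            continue  # unknown container: nothing to compare against
        ext = extension_of(name)
        if ext not in EXPECTED[kind]:
            out.append((name, ext, kind))
    return out


# Constructed sample download headers (not real captured files).
SAMPLE = [
    ("report.pdf", b"%PDF-1.4 ..."),
    ("budget.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("update.jpg", b"MZ\x90\x00\x03\x00"),   # PE executable posing as an image
    ("invoice.pdf", b"MZ\x90\x00"),          # PE executable posing as a PDF
    ("photo.png", b"\x89PNG"),               # unknown to this table: skipped
]
```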

Security Practices Critical Checklist

Business Risk Assessment
- Identify most critical systems; ensure they are given the highest priorities for all hardening and monitoring activities

Active Directory Hardening
- Minimize number of admins
- Monitoring and alerting (Windows Event ID #566)
- Two-factor admin access from a hardened VDI platform
- Executable whitelisting on hardened DCs
- Disable default account and rename key accounts
- Complex passwords (9 & 15 char)

Service Accounts
- Review accounts for privilege creep
- Change passwords frequently
- Do not embed credentials into scripts
- Minimize interactive login
- Restrict login only from required hosts

User Education
- Increase security training for IT
- Launch security improvement initiative
- Regular education of users on phishing attacks
- Regular education on social engineering
- Increase mail filtering controls

Infrastructure & Logging
- Full and detailed logging & analysis
- Tighten VPN controls
- Increase controls on crypto keys
- Full packet capture at strategic network locations
- Network segmentation
- Team trained and focused on APT activity

Web Access
- Block access to high-risk and web filter categories
- Click-through on medium-risk websites
- Black-hole dynamic DNS domains
- Authenticated internet access
- DNS traffic analysis

User Machine Hardening
- Limit local admin and randomize password; change often
- Increase patching regime
- Enable security controls in applications
- Deep visibility to identify lateral movement
- Limit use of non-authorized and approved software

Copyright 2011 EMC Corporation. All rights reserved.

5 Forward-leaning Practices
- Anti-social engineering (anti-vishing, etc.)
- Zero-day malware detection
- Deeper analysis and responsiveness to network traffic
- Adaptive authentication and two-factor
- Proactive web application security

Disintegration of Perimeter Controls
- Focus on the critical assets
- Context-based security analytics fused with threat intelligence