Targeted A6ack Security - A Case Study

Similar documents
Overview. Introduction. Conclusions WINE TRIAGE. Zero day analysis. Symantec Research Labs (SRL)

You ll learn about our roadmap across the Symantec and gateway security offerings.

Integrating MSS, SEP and NGFW to catch targeted APTs

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

Spear Phishing Attacks Why They are Successful and How to Stop Them

Securing OS Legacy Systems Alexander Rau

Secure Your Mobile Workplace

Unified Security, ATP and more

Quick Reference. Administrator Guide

Advanced Threat Protection with Dell SecureWorks Security Services

SPEAR PHISHING UNDERSTANDING THE THREAT

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

Cloud Security Primer MALICIOUS NETWORK COMMUNICATIONS: WHAT ARE YOU OVERLOOKING?

End to End Security do Endpoint ao Datacenter

IBM Security Strategy

Eight Essential Elements for Effective Threat Intelligence Management May 2015

Facing Up to the Threats of Cyber A6acks in a 5G World

Dealing with Big Data in Cyber Intelligence

Improving Business Outcomes: Plug in to Security As A Service Adrian Covich

Better Together: Microsoft Office 365 & Symantec Office 365

Countering Insider Threats Jeremy Ho

UP L13: Leveraging the full protection of SEP 12.1.x

Defending Against Cyber Attacks with SessionLevel Network Security

Dragonfly: Energy Companies Under Sabotage Threat Symantec Security Response

SR B10: Improving Antispam Effectiveness and Protecting Against Threats with Submissions 2.0

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

IBM Advanced Threat Protection Solution

Operational Lessons from the RSA/EMC CIRC: People, Process, & Threat Intel

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

Best Practices for a BYOD World

RSA Security Analytics

Anatomy of Cyber Threats, Vulnerabilities, and Attacks

Fighting Advanced Threats

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Symantec Enterprise Security: Strategy and Roadmap Galin Grozev

Microsoft Security Intelligence Report volume 7 (January through June 2009)

SPEAR-PHISHING ATTACKS

White Paper. Why Next-Generation Firewalls Don t Stop Advanced Malware and Targeted APT Attacks

RSA Security Anatomy of an Attack Lessons learned

UNCLASSIFIED. Briefing to Critical Infrastructure Sector Organizations on the Canadian Cyber Incident Response Centre (CCIRC)

Ty Miller. Director, Threat Intelligence Pty Ltd

Analytic and Predictive Modeling of Cyber Threat Entities J. Wesley Regian, Ph.D.

IBM Security re-defines enterprise endpoint protection against advanced malware

AntiVirus. Administrator Guide

Big Data in Action: Behind the Scenes at Symantec with the World s Largest Threat Intelligence Data

Cybercrime Security Risks and Challenges Facing Business

Extreme Networks Security Analytics G2 Vulnerability Manager

Security Intelligence Services.

IBM Security IBM Corporation IBM Corporation

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Getting Ahead of Malware

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

Threat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products

The Next Generation Security Operations Center

Threat Landscape. Threat Landscape. Israel 2013

AMPLIFYING SECURITY INTELLIGENCE

Reducing the Cost and Complexity of Web Vulnerability Management

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

SR B17. The Threat Landscape Continues to Change: How are You Keeping Pace? Dean Turner

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at

AppGuard. Defeats Malware

2012 Bit9 Cyber Security Research Report

WHITEPAPER. How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware

Symantec Endpoint Protection

Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions

APT Advanced Persistent Threat Time to rethink?

On and off premises technologies Which is best for you?

Defending Against Data Beaches: Internal Controls for Cybersecurity

Sicurezza & Big Data: la Security Intelligence aiuta le aziende a difendersi dagli attacchi

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

HACKER INTELLIGENCE INITIATIVE. The Secret Behind CryptoWall s Success

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

Symantec Intelligence Report: February 2013

WHITE PAPER: THREAT INTELLIGENCE RANKING

Threat Advisory: Accellion File Transfer Appliance Vulnerability

Cyber intelligence in an online world

Track and Trace. Administration Guide

THE 2014 THREAT DETECTION CHECKLIST. Six ways to tell a criminal from a customer.

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

Security.cloud Configuring DLP on to your flow and applying security to your hosted deployment

Practical Steps To Securing Process Control Networks

Breaking the Cyber Attack Lifecycle

Protecting Your Organisation from Targeted Cyber Intrusion

Attack Intelligence: Why It Matters

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

The webinar will begin shortly

White Paper. Advantage FireEye. Debunking the Myth of Sandbox Security

Orchestrating Software Defined Networks (SDN) to Disrupt the APT Kill Chain

Advanced Endpoint Protection

Next-Generation Penetration Testing. Benjamin Mossé, MD, Mossé Security

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Stop the Maelstrom: Using Endpoint Sensor Data in a SIEM to Isolate Threats

Product Roadmap Symantec Endpoint Protection Suzanne Konvicka & Paul Murgatroyd

WHAT EVERY CEO, CIO AND CFO NEEDS TO KNOW ABOUT CYBER SECURITY.

Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC

Security Analytics for Smart Grid

BigData Analytics per la sicurezza delle Infrastrutture Critiche

Transcription:

Looking Back at Three Years of Targeted A6acks Lessons Learned on the A>ackers Behaviors and VicBms Profiles Olivier Thonnard Principal Research Engineer 1

OUTLINE 1 IntroducBon 2 Targeted A>ack Intelligence 3 VicBms Profiles: OrganizaBons and Individuals 4 Conclusions and Lessons Learned 2

IntroducBon Targeted A6acks Symantec TRIAGE methodology 3

IntroducBon CharacterisBcs of Targeted A6acks Targeted A>ack relevant to interests of recipient Low copy number Tailored malware, osen embedded in weaponized documents Obscure business model Non- targeted No regard to recipient High volume Common malware, osen based on exploit kits Clear revenue stream Cyberespionage Privacy breach IP thes 4

Targeted A6acks 2011-2013 5

Data Set Spear Phishing Emails SKEPTIC (and a combinabon of various filters/analyzers) used to block targeted a>acks sent to Symantec.cloud customers Data set: over 100K a>ack emails blocked between 2011 à 2013 Every email a>achment was further analyzed: AV Signatures from most common AV engines Dynamic analysis: file and registry acbvibes, network acbvity IP addresses of a>ackers mapped to geographical locabon Targeted recipients and domains mapped to industry sectors Based on the SIC taxonomy à The enriched dataset was fed to TRIAGE for mulb- dimensional clustering analysis and campaign/threat group idenbficabon 6

Email- targeted Spear- phishing A>acks Intelligence Going from isolated a6acks to coordinated campaigns (a6ribubon) Symantec TRIAGE technology: idenbfies a>ack campaigns performed by various threat groups 7

An A6ack Campaign A series of emails that: Show clear evidence that the subject and target has been deliberately selected. Contain at least 3 or 4 strong correlabons to other emails, such as the topic, sender address, recipient domain, source IP address, etc. Are sent on the same day or across mulbple days. A Sykipot campaign (2011) 8

Typical Use case: Bo6om- up Forensics Analysis Start from specific IOC s: MD5: 78c3d73e2e2bba6d8811c5dc39edd600 Zero- day exploit: CVE- 2012-0779 C&C: 126.19.84.7 à Any previously idenbfied campaign associated to one of these IOC s? Find and visualize all related a>acks (campaign analysis) Quickly idenbfy which threat group is likely behind these a>acks Other way around: CommentCrew is presumably linked to following IOC s: MD5: e1117ec1ea73b6da7f2c051464ad9197 C&C: 50.115.140.211 Exploit: CVE- 2012-0754.B à Can we idenbfy an a>ack campaign associated to these IOC s? 9

Why TRIAGE AnalyBcs? Intelligence ExtracBon and A6ack InvesBgaBon IdenBfy groups of a>acks related to the same campaign, likely orchestrated by a specific threat group Correlate indicators across data sets, enterprises, geographies, industry sectors, etc Determine the pa>erns and behaviors of the intruders, i.e., their tacbcs, techniques, and procedures (TTP s) Find how they operate, rather than what they do Challenge: Intrusions sourced by the same a>ackers (group) may have varying degrees of correlabon (md5, IP, from/to domains, a>achments, etc) 10

Typical challenge addressed by TRIAGE IdenBfy CommonaliBes and Overlapping Indicators Phase Email feature Intrusion 1 Intrusion 2 Intrusion 3 Reconnaissance Recipient [user1]@org1.gov.uk [user2]@org2.gov.uk [user3]@org2.gov.uk WeaponizaBon Delivery A>ach_name Global Pulse Project***.pdf Agenda G20***.pdf A>ach MD5 dd2ed3f7dead4a[***] 2e36081dd7f62e[***] Date 2011-05- 13 2011-05- 14 2011-07- 02 From addr. [A>1]@gmail.com [A>2]@gmail.com Sender IP 74.125.83.*** 74.125.82.*** Subject FW:Project Document Project Document G20 Ds Finance Key Info Paris July 2011 Email body [body1] [body2] ExploitaBon AV signature CVE- 2011-0611.C Persistence C&C domains www.webserver.*** [N/A] 11

Targeted A6ack Intelligence 12

Targeted A6acks 2013 2012 +91 % Increase in targeted a6ack campaigns 13

Targeted A6ack Campaigns 2011 2012 2013 Email per Campaign 78 122 111 779 29 Recipients/Campaign 61 408 23 Campaigns 165 DuraBon of Campaign 4 days 3 days 8.3 days 14

Focused versus Large- scale campaigns Target' Nr'of'Targeted' companies'' Type%1:"More"focused" campaigns":"68%%% "5" >"5" Sector' Type'1:'' 'Highly'focused' ( '5'sectors)' Type'2:'' Mass@scale' (>'5'sectors)' Type%2:"Mass2scale" (MOTA):""""32%%% 15

Targeted campaign does not always mean small in size! Elderwood Campaign April 2012 An Elderwood Campaign that used gg880dd.com accounts Over 1,800 a>acks on April 25, 2012 Exploits CVE- 2012-0779 (disclosed May 5, 2012) Was targebng only 2 large Defense/Manufacturing industries

Mass- scale Targeted A>ack Campaign (2012) APT1/CommentCrew - CVE- 2012-0754/0158 1200+ a>acks On 10 days in April/May Over 20 companies hit Mainly Defense & Aerospace 17

Doc types More than 50 percent of email a>achments used in spear phishing a>acks were executable files in 2013. MicrosoS Word and PDF documents are both used regularly, making up 7.9 and 5.3 percent of a>achments, respecbvely. However, these are both down from 2012. Java.class files also made up 4.7 percent of email a>achments used in spear phishing a>acks. 18

Email Topics Used in Targeted A6acks Most frequently occurring words used in targeted spear- phishing email a>acks throughout 2013. 19

Watering Hole A6acks (2012-2013) 20

EffecBveness of Watering Hole A6acks 21

Example of Watering Hole A6ack 22

RelaBonship with VulnerabiliBes There were a total of 23 zero- day vulnerabilibes discovered in 2013. This is up from 14 in 2012. There have been more zero- day vulnerabilibes discovered in 2013 than in any year since Symantec began tracking them, and more than the past two years combined. 23

RelaBonship with VulnerabiliBes 24

Spear- phishing campaigns are becoming more aggressive The Francophoned a>ack campaign (April 2013)

Spear- phishing campaigns are becoming more aggressive A>acker impersonates a high- ranked execubve, requesbng the vicbm to open immediately the a>achment

Spear- phishing campaigns are becoming more aggressive 27

Targeted A6acks: Profiling VicBms OrganizaBons and Individuals 28

Industries 29

Targeted A6acks by Industry in 2012 30

OrganizaBon size 31

Risk Analysis Epidemiology Concepts Afflicted group IdenBfied Factor Similar populabon - - #subjects with factor #subjects without factor Goal: Compare likelihood of finding factor in afflicted ( diseased ) group with that of control group. - - #subjects with factor #subjects without factor Control group 32

Risk Analysis Epidemiology Concepts Odds RaBo (OR): Calculate strength of associabon of factor with diseased state by comparing probabilibes. Diseased (afflicted) Control (unafflicted) With risk factor p 11 p 10 Without risk factor p 01 p 00 Odds rabo > 1 è posibve correlabon < 1 è negabve correlabon 33

At- Risk Industries 34

At- Risk OrganizaBons by Size 35

At- Risk Individuals Based on data collected from: 36

Most Likely To Be Targeted in 2013 To: JohnDoe@drillanddig.com Subject: Re: Order Payment From: A>acker Personal Assistant at a Large Mining company Please click on this executable to see your order information. 37

Targeted A6acks by Job FuncBon in 2012 38

Conclusions Lessons Learned 39

Targeted A6acks Lessons Learned The Number of Targeted A6acks has steadily increased over the last few years Campaigns are becoming more persistent, more diverse and widespread (somebmes even automated), more prevalent Increases in zero- day vulnerabilibes and unpatched web sites facilitate move to watering hole style targeted a>acks Most industries are at elevated risk, in parbcular in favorable economic markets or government- related areas, and large organisabons Users conbnue to fall for social engineering tricks and are not applying street smarts to online acbvity Urgent need for more advanced intelligence capabilibes to be>er defend ourselves against such a>acks (moving target) 40

ThwarBng Targeted A6acks 41

42

Thank you! Olivier Thonnard Olivier_Thonnard@symantec.com 2013 was the Year of the Mega Breach Copyright 2010 Symantec CorporaBon. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec CorporaBon or its affiliates in the U.S. and other countries. Other names may be trademarks of their respecbve owners. This document is provided for informabonal purposes only and is not intended as adverbsing. All warranbes relabng to the informabon in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The informabon in this document is subject to change without nobce. 43

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information