Rich Baich Principal March 22, 2012


Cyber espionage: The harsh reality of advanced security threats
Rich Baich, Principal
March 22, 2012

Slide 1: Agenda
- Introductions
- Threat landscape update
- How organizations are responding
- Other discussion topics
Cyber espionage: The harsh reality of advanced security threats

Threat landscape update

Slide 3: The changing threat landscape
The cybercrime landscape has evolved into a set of highly specialized criminal products and services that are able to target specific organizations, regions, and customer profiles by using a sophisticated set of malware exploits and anonymization systems which routinely evade present-day security controls.

Slide 4: The cyber underground economy
An entire underground economy has been built for the purpose of stealing, packaging, and reselling electronic information. Cyber criminals have expanded their reach into other forms of information theft and are now selling access to private networks.
[Diagram: the underground value chain in five stages: Compromise, Acquire, Enrich and validate, Sell, Monetize. Roles and services shown include malware authors, malware distribution service, botnet owner, botnet service, keyloggers, phishing, spammer, identity collectors, data acquisition service, data validation service, data mining and enrichment, carding forums, instant messaging, data sales, stolen data drop sites, wire transfer drop service, credit card cashers, cashing, payment gateways, e-commerce sites, e-money, and on-line gambling, with banks and retailers as victims. Key: malicious code related roles, underground services, criminal communications, 3rd party enablers.]

Slide 5: An overview of Advanced Persistent Threats
Advanced Persistent Threats (APTs) are modern, automated versions of traditional espionage.
- Goals: brand damage, corporate espionage, military advantage, revenge
- Actors: domestic competitors, foreign competitors, foreign governments, hacktivist groups, rogue nations
- Targets: board members, IT administrators, key executives, privileged users, supply chain, support staff
- Tools: custom malware, packet capture tools, satellite imaging, targeted exploit tools, wireless surveillance
APT lifecycle:
1. Target selection and research: horizontal exploitation opportunities; Internet search engines; social networking sites; underground repositories; vertical and geographic exploitation targets
2. Exploitation and infiltration: distributing specialized malware; embedding field agents; social engineering; spear phishing; system vulnerability exploitation
3. Maintaining access: command and control infrastructure; covert network tunnels; wireless surveillance
4. Exfiltration: encrypted outbound transmissions; hardware and software key loggers; rogue devices performing network packet captures

Slide 6: How are adversaries planning and carrying out attacks?
Cyber adversaries, such as hacktivists, collect open source intelligence in order to generate schemes and methodologies for carrying out well-planned attacks to achieve their tactical and strategic goals.
Attack sequence: open source intelligence collection; intelligence analysis and review; attack planning and target selection; attack execution.
[Diagram labels: goals (denial of service; social or political change); open source intelligence sources (peer to peer networks, search engines, social networking, job sites); information collected (vulnerabilities, system information, supply chain data, credentials, privileged users, available exploits, target information); planning factors (target systems, target employees, anonymization, obfuscation, schedule); targets (customer lists, control systems, system and network access, patents and research, personal identity information, financial data, intellectual property, on-line credentials, protected health information, secret formulas, system access).]
A cyber threat profile represents how cyber criminals perceive an organization.

Slide 7: Tools and techniques: selecting and profiling targets
Hacktivists are taking advantage of public open source intelligence found on the Internet to select specific people of interest to target.
[Diagram: a person of interest at the center, surrounded by the attributes that can be gathered about them: roles and duties, email addresses, user IDs, organizations, physical addresses, contact information, relationships, personal web sites, telephone numbers, IP addresses, social network profiles, devices.]

Slide 8: Understanding the current threat landscape
A review of recent breaches and developments in the cyber underground has identified several threat focus areas that require additional diligence and vigilance.
- Threat focus areas: spear phishing, mobile malware, targeted exploits, zero day exploits, privileged users, mobile devices, supply chain, un-remediated vulnerabilities, board members, executives
- Dimensions shown: personal, corporate, technology, data processing, services and applications, personal computers
Key questions:
1. What is leaving our network and where is it going?
2. Who is really logging into our network and from where?
3. Do we know what's running on our computers?
4. What information are we making available to a cyber adversary?

How organizations are responding

Slide 10: The old approach for information security
Characteristics: reactive; perimeter security focus; information silos; signature based controls; inward facing; too many alerts; too much data; organization silos; resource constrained; manual analysis.
Typical incident flow:
1. Threat incident reported: security incidents are typically reported to an information security organization through a variety of different channels including other departments, external vendors, law enforcement, media outlets, and the public.
2. Security investigation: investigations typically take a considerable amount of time and often are plagued with missing or lost information that could have assisted significantly with understanding what happened.
3. Isolated and contained: quickly finding and containing compromised devices can be very challenging in large distributed network environments. This process can often involve dispatching resources on-site to locate devices of interest.
4. Remediation: remediation often involves having to reimage devices, which can take long periods of time and also result in lost data and negative impacts to employee productivity.
5. Root cause analysis: root cause analysis often involves collecting and analyzing logs from multiple internal sources. In some cases, the true root cause is not determined due to a lack of consistent logging or missing cyber intelligence.

Slide 11: Current cyber security challenges
Our experience with our clients highlights the following challenges which organizations need to address:
- Current signature-based information security controls are not effective against sophisticated, evolving cyber threats and exploits.
- A large number of unique security appliances are generating an even larger number of false positives and false negatives.
- Lack of automated capability to rapidly identify, contain, analyze and remediate compromised devices.
- Information provided by various intelligence sources is often outdated, high level, and not actionable.
- Organizations lack technology and process capabilities for taking timely action on near real-time intelligence data.
Open questions:
- What kind of security controls are necessary to detect cyber threats that are currently flying under the security radar?
- How do we collect data from multiple disparate sources and generate normalized, enriched, and actionable information?
- How do we ensure that we can quickly find and contain compromised devices?
- How do we collect timely, relevant, and actionable cyber intelligence data?
- How can cyber intelligence data be used to automatically challenge or stop fraudulent transactions?

Slide 12: Developments, trends, and strategies
(Table columns: Development, Significance, Counter-strategy.)
Developments:
- Cyber criminals have been able to infiltrate millions of computers located in corporate networks, government sites, military networks, and homes, around the world.
- Cyber criminals are increasing their ability to use cryptography, code obfuscation, and code packing techniques.
- Cyber criminals are capitalizing on the broad based appeal of social networking sites to gain a foothold inside of corporate networks.
- Cyber criminals are now leveraging custom counterfeit hardware with embedded malicious code to establish covert attack vectors.
- Kernel level root kits are being enhanced with additional capabilities to avoid detection from network based controls.
Significance:
- While the evidence showing the number of compromised devices is staggering, what is not fully known is what the cyber criminals have learned and collected that could be used to support future attacks and criminal activities.
- Social networking users are downloading and installing applications that cyber criminals have developed for the purpose of stealing identities and getting access to their network.
- It is now necessary to examine the supply chain more vigorously in order to detect fraudulent hardware that has been purposely designed to enable espionage and cyber fraud.
Counter-strategies:
- Cyber intelligence data should be leveraged and used to expose internal devices that are communicating with known criminal destinations.
- Binary hash information needs to be collected from computers whenever new binary files are detected and compared against large hash databases. Never before seen binaries need to be analyzed in a sandbox.
- Additional behavior based browser and proxy security controls should be considered when allowing users to visit social networking sites.
- Partnerships with government intelligence agencies are becoming a priority and necessity.

Slide 13: Organizations are turning to cyber intelligence to enhance their security programs
[Diagram: two intelligence domains feeding the security program. External cyber intelligence: social networks, cyber criminals, fraudulent services, compromised hosts, underground data, available target data, criminal tradecraft, peer to peer, malware and exploits, target list, attack tools, search engines. Internal cyber intelligence: attack vectors, security controls, logs, business processes, business locations, technology inventory, vulnerabilities, residual risks, key suppliers, privileged users, executives and board members.]

Slide 14: Cyber threat management programs
Organizations are developing and implementing cyber threat management programs that integrate and enhance existing information security capabilities.
[Diagram: core cyber threat intelligence capabilities surrounded by supporting capabilities. Capabilities shown: cyber security education, insider threat detection, cyber threat modeling, cyber security readiness assessment (red teaming), penetration testing, vulnerability management, log collection and analysis, cyber threat intelligence acquisition, cyber threat intelligence capability, 3rd party threat monitoring, patch management, solution research and development, application security review, emerging threat research, brand monitoring, network and malware forensics, incident response.]

Slide 15: The new approach for cyber security
Proactive. External intelligence and internal data are taken through normalization, enrichment and fusion, turning raw data into actionable intelligence that drives security control updates, authentication decisions, risk assessment, technology investment, intel vendor selection and HR decisions, and business unit level decisioning.
A forward looking security threat management capability:
1. Conduct emerging threat research
2. Establish partnerships to collect and share intelligence
3. Assign and prioritize threat focus areas
4. Establish live, dynamic intelligence feeds
5. Implement a holistic approach to security threat identification
6. Actively track the criminal element
7. Perform daily emerging threat reviews
8. Maintain awareness of the changing technology and business environment
9. Patch operating system, network, process, and application vulnerabilities
10. Deploy and maintain signature and behavioral based controls
11. Produce metrics and trending data for multiple key threat indicators
12. Continuously innovate and improve automation capabilities

Slide 16: Cyber intelligence functionality and usage framework
A comprehensive, holistic cyber threat intelligence framework is required to maximize the value gained from collecting, correlating, enriching and distributing intelligence data.
Ideally, cyber intelligence should flow to a central cyber threat intelligence function to be normalized, enriched, and then distributed to the appropriate function using automation where possible.
[Diagram: inputs on the left, the central process in the middle, consumers on the right.
Inputs: external cyber threat intelligence feeds (commercial feeds, law enforcement, industry associations, underground forums, hash databases, GEOIP data); internal threat intelligence feeds (fraud investigations, security event data, abuse mailbox info, vulnerability data, sandboxes, human intelligence); proactive surveillance (honeynets, malware forensics, brand monitoring, P2P monitoring, DNS monitoring, watchlist monitoring); near-real time criminal surveillance; recovered PII and company confidential data.
Process: cyber threat intelligence collection, research, and analysis; all source fusion.
Outputs and consumers: risk assessment process; urgent security control updates; IP reputation data for authentication; threat intelligence reporting; risk acceptance process; risk mitigation and remediation; line of business teams; security, fraud and operational risk teams; 3rd parties and subsidiaries.]

Slide 17: Proactive defense capability: measuring cyber threat intelligence capability maturity
It has been our experience that many of our larger clients are between level 2 and level 3.
Cyber Threat Intelligence Capability Maturity Matrix. Maturity levels: Level 1, Level 2, Level 3, Level 4, Level 5. Capability measurement areas:
A. Situational awareness
B. Actionable intelligence
C. Malware forensic analysis capability
D. Quality of intelligence
E. Depth of intelligence distribution
F. Proactive threat planning
G. Event correlation
H. Operations
I. Type of intelligence
[Matrix cells, as extracted (level ordering within each row is not fully recoverable): brand monitoring and awareness; situational awareness of threats to financial services sector; adaptive authentication; automated security control updates; manual malware forensics; automated malware forensic analysis process; cyber intel from law enforcement; cyber intelligence from criminal surveillance; cyber intelligence from self managed honeypots and baiting operations; manual intelligence distribution to limited audience; cyber intelligence distributed to fraud operations; cyber intelligence distributed to subsidiaries and key suppliers; manual cyber threat modeling; automated cyber threat modeling; risk based decisioning support; security event management pilot; security event management system with basic correlation; cyber threat analysis portal with targeted use case correlation; insider threat and cross channel fraud monitoring; help desk; signature based security controls; security operations center; internal log collection; cyber intelligence team focused on general threats and high-level security briefings; commercial threat intelligence feed; cyber intelligence analysts assigned to technology categories; threat specific open source intelligence feeds; cyber intelligence analysts assigned to business functions; self generated threat intelligence.]

Slide 18: Sample leading practices for a cyber threat intelligence function
1. Organization: resources dedicated toward reviewing and analyzing emerging threats; annual budget for security control upgrades, new detection tools, and intelligence sources; cyber command center
2. Process: daily regimen to review and communicate emerging threat data; threat matrix; scenario planning
3. Malware forensic capability: ability to rapidly collect and review forensic information from devices that are suspect; network extrusion monitoring
4. Perimeter monitoring: network conversation recording and reconstruction
5. All source intel fusion: automated, monitored, incremental feeds with aging algorithm; two-way, cross-industry intelligence sharing; contingency plans for loss of intelligence sources
6. Metrics and reporting: regular cyber bulletin updates; threat briefings by line of business/delivery channel; automated custom alerting based on thresholds
7. Threat modeling: capability to model and analyze the likelihood that an emerging threat will impact an organization and identify where the weaknesses are that will be exposed
8. Threat lifecycle management: case management tools to coordinate cyber incidents across multiple business areas and support organizations
9. Research and development: threat intelligence teams should work in conjunction with internal security teams to identify new strategies and solutions for testing and improving the security posture of customer devices and banking applications
10. Supporting capabilities: patch management; vulnerability management; incident response; configuration management; security event management
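The counter-strategies on slide 12 (expose internal devices talking to known criminal destinations; hash new binaries and sandbox never-before-seen ones), the normalize/enrich/distribute flow on slide 16, and the "incremental feeds with aging algorithm" practice on slide 18 can be tied together in one small fusion pass. The following is an added example written for this page, not code from the deck or from Deloitte; the feed formats, the linear aging rule, and every domain, IP, hash and hostname are constructed placeholders.

```python
"""Minimal all-source fusion: normalize two feeds, age them, correlate with internal logs."""
import csv
import io
import json
from datetime import date

# Feed A (constructed sample): CSV with vendor-specific column names and word confidences.
FEED_A_CSV = """indicator,type,first_seen,confidence
evil-c2.example,domain,2012-03-01,high
198.51.100.23,ip,2012-01-05,medium
"""
# Feed B (constructed sample): JSON lines with a different schema and numeric scores.
FEED_B_JSONL = """{"ioc":"Drop-Site.example","kind":"fqdn","seen":"2012-03-15","score":90}
{"ioc":"203.0.113.7","kind":"ipv4","seen":"2012-03-20","score":40}
{"ioc":"old-c2.example","kind":"fqdn","seen":"2011-12-01","score":95}
"""
TYPE_MAP = {"domain": "domain", "fqdn": "domain", "ip": "ip", "ipv4": "ip"}
WORD_SCORE = {"high": 90, "medium": 60, "low": 30}
ASSESSMENT_DATE = date(2012, 3, 22)  # the "today" used for aging in this example


def normalize_feeds(csv_text, jsonl_text):
    """Normalization: map both vendor formats onto {value, type, seen, confidence 0-100}."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        out.append({"value": row["indicator"].lower(), "type": TYPE_MAP[row["type"]],
                    "seen": date.fromisoformat(row["first_seen"]),
                    "confidence": WORD_SCORE[row["confidence"]]})
    for line in jsonl_text.splitlines():
        rec = json.loads(line)
        out.append({"value": rec["ioc"].lower(), "type": TYPE_MAP[rec["kind"]],
                    "seen": date.fromisoformat(rec["seen"]),
                    "confidence": int(rec["score"])})
    return out


def age_indicators(indicators, today, max_age_days=90):
    """Aging (assumed rule): confidence decays linearly to 0 at max_age_days; older entries drop."""
    live = []
    for ind in indicators:
        age = (today - ind["seen"]).days
        if age > max_age_days:
            continue  # stale indicator: no longer worth alerting on
        aged = dict(ind)
        aged["confidence"] = ind["confidence"] * (max_age_days - age) // max_age_days
        live.append(aged)
    return live


# Constructed proxy log lines: <timestamp> host=<internal asset> dst=<destination> bytes_out=<n>
PROXY_LOG = """2012-03-22T10:01:02 host=ws-0117 dst=evil-c2.example bytes_out=48213
2012-03-22T10:02:11 host=ws-0204 dst=intranet.corp.example bytes_out=512
2012-03-22T10:03:45 host=srv-db01 dst=203.0.113.7 bytes_out=9100
"""


def expose_compromised_hosts(log_text, indicators, min_confidence=50):
    """Fusion with internal data: hosts whose destination matches a live, confident indicator."""
    index = {i["value"]: i["confidence"] for i in indicators if i["confidence"] >= min_confidence}
    hits = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        dst = fields["dst"].lower()
        if dst in index:
            hits.append((fields["host"], dst, index[dst]))
    return hits


# Constructed hash database and endpoint inventory (placeholder hashes, not real files).
KNOWN_HASHES = {"sha256:1111aaaa": "vendor-signed agent", "sha256:2222bbbb": "office suite"}
ENDPOINT_BINARIES = """host=ws-0117 hash=sha256:9999ffff path=C:/Users/j/AppData/Local/Temp/update.exe
host=ws-0204 hash=sha256:1111aaaa path=C:/Agent/agent.exe
host=srv-db01 hash=sha256:9999ffff path=C:/Windows/Temp/svc.exe
"""


def triage_new_binaries(inventory_text, known_hashes):
    """Hashes absent from the database are never-before-seen: one sandbox job per unique hash."""
    queue = {}
    for line in inventory_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields["hash"] not in known_hashes:
            queue.setdefault(fields["hash"], []).append(fields["host"])
    return queue


if __name__ == "__main__":
    live = age_indicators(normalize_feeds(FEED_A_CSV, FEED_B_JSONL), ASSESSMENT_DATE)
    print("hosts talking to criminal destinations:", expose_compromised_hosts(PROXY_LOG, live))
    print("sandbox queue:", triage_new_binaries(ENDPOINT_BINARIES, KNOWN_HASHES))
```

With the sample data, the 112-day-old indicator is dropped, the two-day-old low-score IP survives aging but stays under the alerting threshold, and only ws-0117's traffic to evil-c2.example is raised; both hosts carrying the unknown hash land in one sandbox job.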

Slide 19: Evolving with the changing cyber threat environment
Fundamental change in the threat.
Historical threat landscape: generic attack tools and resources; general targeting and exploiting; often easily thwarted by existing security controls; basic methodology and processes; often done in plain sight; focus is finding any information that will work; often noisy and clumsy techniques.
Emerging threat landscape: highly evolved specialized criminal products; able to target specific entities; advanced malware and hardware development; increased use of anonymization; moving beyond traditional security controls; more complete attack methodology; increased use of encryption and stealth; increased use of social media; increased use of foreign carrier networks.
Need for a fundamental change to security.
Existing cyber-security landscape: perimeter security focused (castle mentality); information silos often based on organization; inwardly focused with manual analysis; signature based and reactive controls; too much data and too many alerts; often resource constrained; focus on preserving the status quo.
Evolving cyber-security landscape: unique solution set for each organization; solutions cannot be mass produced; must be fully integrated with business operations; solutions often require non-cyber integration; outward looking cyber threat intelligence; create security before the emergency; prevention focused versus reaction focused; process and people focused versus technology; humans are more important than technology; not only more technology, use existing better; quality is better than quantity.

Slide 20: Cyber threat analyst tradecraft
The cyber security analyst draws on eight areas of tradecraft:
- Cyber threat intelligence data acquisition: sources, proactive acquisition, data normalization.
- Cyber criminal profiling: techniques, methodologies, tools, and information sources for determining how criminals are currently operating.
- Cyber threat risk analysis: techniques and methodologies for understanding likelihood of impact, determining scope, and assessing existing security posture.
- Network forensics: tools, techniques, and analysis methods for exposing active compromises, intrusions, and extrusions.
- Emerging cyber threat management: identification, analysis, threat vector considerations, security control considerations, and action planning.
- Malware forensics: tools, techniques, and analysis methods for examining and understanding malicious code and how it is impacting your organization.
- Cyber threat incident response: methodologies, key tools, escalation procedures for handling security incidents and breaches.
- Cyber threat internal log collection and analysis: tools, techniques, behavioral analysis, correlation rules, and threat patterns; understanding ways to reduce noise levels and properly tune security controls.

Slide 21: Special Operations Forces (SOF) Truths
Advanced threats have always required advanced capabilities and methodologies to counter them and re-seize the operational momentum. The development and implementation of these advanced capabilities and methodologies has been driven by those who are not satisfied with merely performing the status quo.
SOF Truths:
- Humans are more important than hardware
- Quality is better than quantity
- Special Operations Forces cannot be mass produced
- Competent Special Operations Forces cannot be created after emergencies occur
- Most special operations require non-SOF assistance
Cyber Truths:
- Integrated processes are more important than technology silos
- Can't chase the latest technology; must employ basic technologies to their fullest potential
- The cyber Jedi Knight is grown over time
- Cyber defense is more than incident response; it must include predictive cyber intelligence
- Must be fully integrated into all business processes
"Sure I am this day we are masters of our fate, that the task which has been set before us is not above our strength; that its pangs and toils are not beyond our endurance. As long as we have faith in our own cause and an unconquerable will to win, victory will not be denied us." Sir Winston Churchill

Slide 22: Contact information
Rich Baich, Principal, Deloitte & Touche LLP
+1 704 887 1563
jbaich@deloitte.com

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Member of Deloitte Touche Tohmatsu Limited