The Future of Cyberattacks


The Future of Cyberattacks: What you should know about Flame and other Advanced Persistent Threats
Harry Sverdlove, January 10, 2013. 2013 Bit9. All Rights Reserved.

The Advanced Threat Landscape

Criminal Enterprises
- Broad-based and targeted attacks
- Financially motivated
- Getting more sophisticated

Hacktivists
- Targeted and destructive attacks
- Unpredictable motivations
- Generally less sophisticated

Nation-States
- Targeted and multi-stage attacks
- Motivated by information and IP
- Highly sophisticated, endless resources

Deluge of IP Loss

"What's been going on over the last few years in the networks is the greatest theft that we've seen in history. What we're losing in intellectual property is astounding." - U.S. Cyber Command General Keith Alexander, September 2011

"The extent of what is going on is astonishing." - Director General of MI5, Jonathan Evans, June 2012

Impact on Economies and Governments

The United States reserves the right to use military force against a nation that launches a cyberattack on the country.

2010: A Watershed Year for Security

January 2010: Operation Aurora
- Targeted over 3 dozen Silicon Valley companies, including Google, Adobe, and Juniper Networks
- Mainstreamed the term Advanced Persistent Threat (APT)
- Raised awareness of cyber-espionage

June 2010: Stuxnet
- Targeted industrial control systems in Iran
- Leveraged 4 zero-days; deemed a "cyber superweapon"
- Raised awareness of cyber-sabotage

Past Two Years at a Glance (2010-2012)

- Duqu (Sep 2010): Primarily targeting Iran, related to Stuxnet
- Night Dragon (Feb 2011): Several energy and petrochemical companies
- RSA Breach (Mar 2011): Up to 700 companies, multi-stage campaign
- Gmail Hacking (Jun 2011): Email of government, military and political activists
- Shady RAT (Aug 2011): 70+ companies, 32 categories, 14+ countries
- Black Tulip (Sep 2011): Attack on certificate authority DigiNotar
- Nitro (Oct 2011): 48+ companies, chemical industry, 20 countries
- Flame (May 2012): Middle East, comprehensive espionage kit
- SPE/miniFlame (Jul 2012): Lighter-weight remote control backdoor
- Gauss (Aug 2012): Primarily Lebanese banks, related to Flame

Anatomy of a Targeted Attack

1. Phishing and 0-Day Attack: A handful of users are targeted by phishing attacks; one user opens the zero-day payload
2. Back Door: The victim's machine is accessed remotely by a remote admin tool
3. Lateral Movement: The attacker elevates access to important services, accounts, and specific systems
4. Data Gathering: Data is acquired from target systems and staged for exfiltration
5. Exfiltration: Data is exfiltrated, as encrypted files or hidden in plain sight, to an external machine

RSA Attack Example (2011)
- "2011 Recruitment Plan" email with an XLS attachment containing a Flash 0-day (CVE-2011-0609)
- Dropped Poison Ivy RAT
- Harvested access credentials and moved laterally
- Set up internal staging servers
- Aggregated, compressed and encrypted data
- FTP used to transfer password-protected RAR archives

Common Characteristics of Advanced Attacks
- Target people, not technology: use social engineering to walk through the front door
- Manually controlled: attacks are interactive, with a human operator on the other end
- Long-term campaigns: establish a foothold, expand, hide in plain sight, persist

Enter Flame
- A cyber espionage toolkit; most comprehensive malware
- Over 20MB in total payload, 100x the typical size
- Collects via WiFi, Bluetooth, network, USB, keyboard, screen, microphone
- Large command-and-control (C&C) infrastructure: 80+ domains through 20+ registration companies, rotating IP addresses
- Sophisticated cryptographic attack: able to spoof Microsoft Windows Updates with forged certificates
- Around for anywhere from 2 to 5+ years

Multi-Dimensional Attack

Some of the components of Flame:

Code Name     Description
Beetlejuice   Enumerate and attack Bluetooth devices
Microbe       Records audio
Infectmedia   Select removable media infection method (autorun, Euphoria)
Limbo         Creates backdoor accounts
Frog          Infect machines using backdoor accounts
Munch         Responds to remote requests
Snack         Listen/collect network data
Weasel        Captures directory listing
Gator         Connects to CnC, gets updates, uploads collected data
Security      Identifies existing security programs, e.g. AV and firewall

Source: Laboratory of Cryptography and System Security (CrySyS Lab), http://www.crysys.hu/

Flame Changes the Rules

The bar was just raised:
- Barrier to entry in the cyber arms race is a search engine
- Commercialization of malware
- Both the concepts and the techniques are now freely available

IP is no longer just electronic documents:
- Potential information extends from the virtual to the physical: microphones, cameras, GPS, ...

It's not only what you know, it's who you know:
- Relationships are stepping stones for multi-stage cyber attacks

Failure of Traditional Security

"Due to its extreme complexity, plus the targeted nature of the attacks, no security software detected [Flame]." - Kaspersky Lab, May 28, 2012

"The truth is, consumer-grade antivirus products can't protect well against targeted malware created by well-resourced nation-states with bulging budgets. It's not a fair war between the attackers and the defenders when the attackers have access to our weapons." - Mikko Hypponen, F-Secure, June 2, 2012

Traditional Security Approaches are Insufficient

[Slide diagram: the enterprise attack surface (cloud-based and virtual/physical servers, database, applications, email, storage, VDI, domain controllers, desktops/laptops (PC and Mac), mobile, fixed-function devices such as ATMs, kiosks and point of sale) defended by anti-virus, firewall, HIPS and email gateway, facing 400M+ malware variants arriving via downloads, phishing, web drive-by, zero-day attacks, installs, updates, social engineering, memory infections and other threats.]

Failed Approach: Focus on Detect/Reject Bad

[Slide diagram: the same enterprise attack surface, traditional defenses (anti-virus, firewall, HIPS, email gateway) and threat vectors, facing 400M+ variants.]

"It's clear that blacklist-based antivirus is fighting a losing battle." - Forrester Research, Sept 2012

"We're fighting a new war with old weapons." - CISO, Fortune 100 company

Better Approach: Focus on Trusted Software

[Slide diagram: the same enterprise attack surface, with only trusted software allowed to run (PROACTIVE) and everything else treated as untrusted, in front of the anti-virus, firewall, HIPS and email gateway layers and the same threat vectors.]

"By 2015, more than 50% of organizations will have instituted a default deny application management policy." - Gartner Research, June 2012

"Application control and whitelisting provide the advanced weapons needed to counter advanced threats." - Bloor Research, Dec 2012

Most Companies are not Prepared

Applying Trust to Incident Response / Forensics

Application control is a DVR for your endpoints.

[Slide diagram: the same enterprise attack surface as on the previous slides.]

Real-time detection of:
- Creation/execution of untrusted software
- Suspicious registry changes
- Unauthorized USB devices
- Unauthorized process access
- File integrity changes
- OS/application tampering
- User session changes

Knowledge is power:
- What arrived on a system?
- Who created it?
- Did it execute?
- What did it do?
- Where else is it?
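As an added example (not Bit9's product or code from this deck), a small default-deny application-control recorder in Python: it blocks execution of any file whose hash is not on the trust list and keeps the per-file event log needed to answer the five forensic questions above. The hosts, paths, file contents, creator processes and trust-list entries are constructed for the demonstration.

```python
import hashlib
from collections import defaultdict

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Trust list keyed by file hash. Constructed sample contents stand in for real
# approved binaries; a deployment would load admin-approved or publisher-signed hashes.
TRUSTED = {sha256(b"approved-editor-1.0"), sha256(b"approved-browser-2.3")}

class EndpointRecorder:
    """Default-deny application control that also records every file event,
    so the log (the 'DVR') can answer the forensic questions on the slide."""
    def __init__(self):
        self.events = defaultdict(list)  # file hash -> [(host, event, detail)]

    def file_arrived(self, host, path, content, creator):
        """Record a new file landing on an endpoint; returns its hash for later lookups."""
        h = sha256(content)
        self.events[h].append((host, "arrived", f"{path} by {creator}"))
        return h

    def execute(self, host, h, action=""):
        """Default deny: only hashes on the trust list are allowed to run."""
        if h in TRUSTED:
            self.events[h].append((host, "executed", action))
            return "ALLOW"
        self.events[h].append((host, "blocked", "not on trust list"))
        return "BLOCK"

    def investigate(self, h):
        """What arrived, who created it, did it execute, what did it do, where else is it."""
        ev = self.events.get(h, [])
        arrivals = [(host, d) for host, e, d in ev if e == "arrived"]
        return {
            "what_arrived": [d.split(" by ")[0] for _, d in arrivals],
            "who_created": sorted({d.split(" by ")[1] for _, d in arrivals}),
            "did_execute": any(e == "executed" for _, e, _ in ev),
            "what_it_did": [d for _, e, d in ev if e == "executed" and d],
            "where_else": sorted({host for host, _, _ in ev}),
        }

def demo():
    rec = EndpointRecorder()
    # Constructed scenario: an untrusted dropper from a phishing attachment lands on two hosts.
    bad = rec.file_arrived("host-a", r"C:\Users\alice\rec_plan.exe", b"dropper-payload", "outlook.exe")
    rec.file_arrived("host-b", r"C:\Users\bob\rec_plan.exe", b"dropper-payload", "outlook.exe")
    verdict_bad = rec.execute("host-a", bad)
    good = rec.file_arrived("host-a", r"C:\Program Files\editor.exe", b"approved-editor-1.0", "msiexec.exe")
    verdict_good = rec.execute("host-a", good, "opened report.txt")
    return verdict_bad, verdict_good, rec.investigate(bad)
```

The same hash seen on a second host answers "where else is it?" even though the file never ran there, which is the point of recording arrivals rather than only executions.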

Understanding the Threat Landscape
- Increase in sophistication and frequency of APTs and targeted attacks in recent years
- Every sector, every location, every company size is a potential target
- We are all reluctant warriors on the cyber battlefield
- Cyberattacks can be both virtual and kinetic
- The bar is rising
- Perimeters are dissolving

Combatting the Threats with Technology
- There is no silver bullet
- Understand the threat and your risks
- Prioritize investments against those risks
- Invest in response and intelligence, not just defense
- Security really is about defense in depth
- New technologies based on trust are needed

Questions?
Harry Sverdlove, Chief Technology Officer, Bit9, Inc.