Advanced Persistent Threats

Similar documents
Fighting Advanced Threats

Cybersecurity Kill Chain. William F. Crowe, CISA, CISM, CRISC, CRMA September 2015 ISACA Jacksonville Chapter Meeting August 13, 2015

One Minute in Cyber Security

Advanced Persistent. From FUD to Facts. A Websense Brief By Patrick Murray, Senior Director of Product Management

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

Spear Phishing Attacks Why They are Successful and How to Stop Them

Advanced Persistent Threats

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

Perspectives on Cybersecurity in Healthcare June 2015

Why a Network-based Security Solution is Better than Using Point Solutions Architectures

The Hillstone and Trend Micro Joint Solution

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

Protecting Your Organisation from Targeted Cyber Intrusion

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

DETECTING THE ENEMY INSIDE THE NETWORK. How Tough Is It to Deal with APTs?

Anti-exploit tools: The next wave of enterprise security

When less is more (Spear-Phishing and Other Methods to Steal Data) Alexander Raczyński

Cisco Advanced Malware Protection for Endpoints

Symantec Advanced Threat Protection: Network

Stop advanced targeted attacks, identify high risk users and control Insider Threats

Advanced Threat Protection with Dell SecureWorks Security Services

IBM Security re-defines enterprise endpoint protection against advanced malware

Combating the Next Generation of Advanced Malware

Advanced Persistent Threats

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

Networking for Caribbean Development

Breaking the Cyber Attack Lifecycle

Covert Operations: Kill Chain Actions using Security Analytics

Beyond the Hype: Advanced Persistent Threats

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Internet threats: steps to security for your small business

White Paper. Why Next-Generation Firewalls Don t Stop Advanced Malware and Targeted APT Attacks

Defending Against Cyber Attacks with SessionLevel Network Security

Sophistication of attacks will keep improving, especially APT and zero-day exploits

Veranderende bedreigingen Security in het virtuele datacenter

Cisco Advanced Malware Protection for Endpoints

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

Practical Steps To Securing Process Control Networks

JUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM

High Performance NGFW Extended

CYBER SECURITY THREAT REPORT Q1

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

Operation Liberpy : Keyloggers and information theft in Latin America

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

Unknown threats in Sweden. Study publication August 27, 2014

Advanced & Persistent Threat Analysis - I

Malicious Network Traffic Analysis

Cloud Security Primer MALICIOUS NETWORK COMMUNICATIONS: WHAT ARE YOU OVERLOOKING?

WEBTHREATS. Constantly Evolving Web Threats Require Revolutionary Security. Securing Your Web World

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Inspection of Encrypted HTTPS Traffic

Defending Against. Phishing Attacks

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

White Paper THE FOUR ATTACK VECTORS TO PREVENT OR DETECT RETAILER BREACHES. By James Christiansen, VP, Information Risk Management

Advanced Threats: The New World Order

UNCLASSIFIED. Briefing to Critical Infrastructure Sector Organizations on the Canadian Cyber Incident Response Centre (CCIRC)

Next Generation Firewalls and Sandboxing

2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program.

Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

Getting Ahead of Malware

Securing Cloud-Based

Illuminating the Deep Dark Web with drugs, exploits, and zerodays CLE-R09. Jack Chan

SPEAR-PHISHING ATTACKS

Security workshop Protection against botnets. Belnet Aris Adamantiadis Brussels 18 th April 2013

Secure Your Mobile Workplace

isheriff CLOUD SECURITY

SPEAR PHISHING UNDERSTANDING THE THREAT

TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY. Mark

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

A Case for Managed Security

24/7 Visibility into Advanced Malware on Networks and Endpoints

ADVANCED PERSISTENT THREATS AND OTHER ADVANCED ATTACKS:

Addressing the Full Attack Continuum: Before, During, and After an Attack. It s Time for a New Security Model

FSOEP Web Banking & Fraud: Corporate Treasury Attacks

IBM Security Strategy

Content-ID. Content-ID URLS THREATS DATA

SIZE DOESN T MATTER IN CYBERSECURITY

Cybercrime: evoluzione del malware e degli attacchi. Cesare Radaelli Regional Sales Manager, Italy cradaelli@paloaltonetworks.com

WHITE PAPER: Cyber Crime and the Critical Need for Endpoint Security

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities?

10 Potential Risk Facing Your IT Department: Multi-layered Security & Network Protection. September 2011

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Transcription:

Advanced Persistent Threats George R Magee~ FCNSA, FCNSP, Fortinet Larry Cushing~ CEO, Unified Technologies Visit us at Booth #11 1 May 27, 2014

2 Threat landscape

An Internet Minute 7 7 Fortinet Confidential

Threat Intelligence and Response 2,500 Application control signatures 70 Terabytes Of Threat Samples 12,000 Vulnerability management signatures 250 Million Rated websites in 78 categories Spam e-mails intercepted Attempts to access malicious websites blocked 900 Web application firewall attack signatures Network intrusion attempts resisted Website categorization requests Botnet command and control attempts thwarted Malware programs neutralized 70 Intrusion prevention signatures 8,000 Hours of research in labs around the globe 190,000 New and updated antivirus definitions 66 Million New and updated antispam signatures 600,000 URL ratings for web filtering 8

Agenda What are APTs? Malware or Vulnerability? Case Studies Latest APT Infiltrations Defense Comprehensive, Multi-layer Defenses 9

APT : Defined - Now An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives. - NIST 10

What are we up against? Dynamic APT attacks that require proactive protection ADVANCED AV evasion Crypters IPS/App evasion Obfuscation Custom protocol Piggybacking Sandbox evasion Mouse click Time bomb PERSISTENT Rootkits Hide threats at O/S layer Bootkits Invoke at startup Process killers THREATS Keyloggers Steal data Ransomware Encrypt data and hold for ransom HD Wipers What are Zero-Day attacks? Previously unseen pieces of code that can only be mitigated, at that time, proactively. 11

What are APTs? Defining Advanced Persistent Threats D.S.I. DISGUISE Advanced threats focus on disguise to slip past security detection Detect Disguise, Kill the Chain SURVIVABILITY Persistent threats aim to survive on systems as long as possible Reduce Survivability, Break Impact IMPACT Hard drive killers Stolen IP, customer data Blackmail & Ransom Critical infrastructure 12

APT Stages - Reconnaissance Unlike typical malware infiltration, advanced threats perform initial probes towards targets Information gathering such as phishing, social engineering, or social media 13

APT Stages - Infiltration Armed with relevant information, threats infiltrate their targets using various vectors Evasion techniques such as crypters, mouse clicks, and piggybacking are used Phishing emails, malicious flash (SWF) or PDF documents, malicious websites that attack flaws in browsers like Internet Explorer or Firefox. Small scale spear phishing attacks generate little awareness TARGETS Microsoft Adobe Web browsers JAVA 14

APT Stages Malware Action Once the malware is installed, attempts to initiate a call back, using common transmission methods that are allowed by typical security policies. Otherwise, it keeps a low profile, generating no activities that are likely to be noticed. It remains in sleep mode, awaiting further instructions. Increasingly, malware is aware of its environment and won't allow itself to be detected in a virtual machine sandbox. 15

16

APT Stages Exfiltration The exfiltration usually involves the surreptitious delivery of stolen data via often encrypted but common channels, such as HTTPS, back to the command center or to another compromised system controlled by cybercriminals. 17

APT Stages Further Exploitation With successful communication links between the command center and the compromised hosts, further exploitation is easy to accomplish. Malicious acts include attempts to access materials of host connections, such as file shares, cloud-based applications and database credentials. Expect lateral moves within the network to expand reach as well as destruction 18

Zero-Day Threats What are they? Previously unknown code, used with software vulnerabilities 1. MALWARE Very Short Lifespan minutes or hours Reformed code Reshaped Crypters / Packers 2. VULNERABILITY Long Lifespan months or years Security hole that remains unpatched or unknown EXPLOIT Attack code for a zero-day vulnerability Code is checked against AV detection before an attack is launched Can be disclosed or undisclosed Disclosed zero-days are very dangerous, attack code is widespread 19

Zero-Day Threats Why are they significant? High exploit success rate, no fix available IMPACT Exploit can provide full control of vulnerable system Targeted or Mass Attack market EVASION Transparent end user unaware of attack Allows exploit to retain its value Profit SUCCESSFUL? Very Highly prized and hunted Sell for Tens of thousands of dollars Systems can remain infected for months Multiple Revenue Streams Vulnerability knowledge Delivery framework creation Evasion and repacking and reforming services 20

Is it just malware? Fake certificates Attackers are known to forge SSL certificates to get victims to visit compromised sites. Inside jobs (or recruits) In the case of Stuxnet many believe that a sympathetic insider launched attack from a USB drop 21

Zero-Day : Under the radar Potentially most concerning aspect of ATPs is the attack pattern When will malware be executed once dropped? It s very possible that today a major power grid is compromised just waiting for the highest bidder. Is it a stretch to imagine that every municipal power grid infected by the same malware? This scenario was reporting by the Wall Street Journal in response to a stimulus package to upgrade the nations power grid systems - http://news.investors.com/040109-472919-not-so-smart-grid.htm http://www.youtube.com/watch?v=fjywngdco3g Electric power supply / Nuclear Generator Airport, Harbor, subway control systems Bank, Stocks, Financial systems 22

Agenda What are APTs? Malware or Vulnerability? Case Studies Latest APT Infiltrations Defense Comprehensive, Multi-layer Defenses 23

Threat Trends Mobile (2013) 24 Fortinet Confidential

Notable Attacks Operation Aurora : Google botnet agent installed via fake malware prompt Operation Olympic Games led to development of Stuxnet, flame, and others RSA Attack prime example of spear phishing U.S. Department of Defense Breach took place months before actual attack New York Times Utilized 45 pieces of custom malware NBC Example of drive-by infection using multiple toolkits LinkedIn / Evernote May lead to future APT attacks 25

Agenda What are APTs? Malware or Vulnerability? Case Studies Latest APT Infiltrations Defense Comprehensive, Multi-layer Defenses 26

Preparing for the next threat Eliminate your blind spots Demonstrate your policy compliance Lower your response time Accelerate adoption of best practices and expert systems Reduce the potential of significant or catastrophic loss to reputation or revenue 27

Protective Measures Security Partnerships ISSA, ISACA, SANS, Vendors End user education Especially those with access to sensitive data Network segregation preventing lateral moves Whitelisting applications, web sites, network resources Application Control Consider identity based application access Web Filtering / IP Reputation Role and geo based filtering Data Leak Prevention protect employees from themselves IPS Consider blended anomaly, signature, and malware solutions Proactive patching Exploit kits contain exploits within hours of patch releases Restrict Administrative Roles Preventing RAT kits 28

Types of Inspection Proxy, Stream, and Behavioral Stream AV checksum comparison only Proxy AV deep inspection, behavior analysis Sandboxing/Behavior Scan Full sandbox environment to analyze sample behaviors 29

Zero-day protection Comparing Proxy vs. Stream PROXY 99.82% Effective PROXY 99.81% Effective 573 18,165 WILDLIST STREAM 98.6% Effective STREAM 28.18% Effective 30 FortiGuard Internal Test Comparative

Is Sandboxing Useful? It solves part of the puzzle VISIBILITY & REPORTS New viral families may not have existing signatures INCIDENT RESPONSE Infection is likely underway, how to deal with it? NOT USEFUL FOR: Mitigation & proactive defense Critical for cases like South Korea attacks, etc 31

Sandbox Concerns Evasion Techniques Sandbox Evasion Techniques VM detection Time bombs Debug loops Event triggers Mouse clicks System reboots Common Sandbox Problems Fixed operating systems Only a few to pick from, and it s slow Fixed software versions Adobe reader, Java Attacks very specific to certain versions IE: Some require newest version of Java Malware won t execute in Sandbox Will execute once passed through 32

APT Strategy: Multi-Layer Defenses 1) Anti-Virus -------------------------------------- Detect known viruses Detect new variants (emulation and sandboxing) 2) Web Filtering -------------------------------------- Detect connections going to malware sites Typically to download the real malware 3) Botnet / AppCtrl -------------------------------------- Detect connections or traffic going to botnet sites Detect known botnet applications 5) Behavioral -------------------------------------- Sandbox analysis Client reputation analysis 4) IPS -------------------------------------- Block known vulnerabilities Including undisclosed vulnerabilities 33

34

Chris Dumais City of South Portland 35

Kevin Murphy Hancock Lumber 36

Questions for George Larry Chris or Kevin? Visit us at Booth #11! 37

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information