idata Improving Defences Against Targeted Attack



Similar documents
SPEAR PHISHING UNDERSTANDING THE THREAT

The Advantages of a Firewall Over an Interafer

A GOOD PRACTICE GUIDE FOR EMPLOYERS

BYOD Guidance: Architectural Approaches

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS

CLOUD-BASED BIM AND SMART ASSET MANAGEMENT: ADOPTING A SECURITY-MINDED APPROACH

FAQs about PAS , A Specification for securityminded building information modelling, digital built environments and smart asset management

TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING

Advanced Threat Protection with Dell SecureWorks Security Services

Introduction. Clarification of terminology

ONLINE RECONNAISSANCE

TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK

Cybersecurity Kill Chain. William F. Crowe, CISA, CISM, CRISC, CRMA September 2015 ISACA Jacksonville Chapter Meeting August 13, 2015

CPNI VIEWPOINT CYBER SECURITY ASSESSMENTS OF INDUSTRIAL CONTROL SYSTEMS

SIEM is only as good as the data it consumes

Data- centric Security: A New Information Security Perimeter Date: March 2015 Author: Jon Oltsik, Senior Principal Analyst

Industrial Control System Cyber Situational Awareness. Robert M. Lee* June 10 th, 2015

Defending Against Data Beaches: Internal Controls for Cybersecurity

DYNAMIC DNS: DATA EXFILTRATION

Additional Security Considerations and Controls for Virtual Private Networks

The Cyber Threat Profiler

Breaking the Cyber Attack Lifecycle

Effective Log Management

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

Practical Steps To Securing Process Control Networks

Protecting against cyber threats and security breaches

The Business Case for Security Information Management

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

THE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Protecting Your Organisation from Targeted Cyber Intrusion

Fighting Advanced Threats

Covert Operations: Kill Chain Actions using Security Analytics

Perspectives on Cybersecurity in Healthcare June 2015

Cloud Security Primer MALICIOUS NETWORK COMMUNICATIONS: WHAT ARE YOU OVERLOOKING?

OPEN DATA: ADOPTING A SECURITY-MINDED APPROACH

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

Speaker Info Tal Be ery

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

External Supplier Control Requirements

Cybersecurity and internal audit. August 15, 2014

Advanced Threats: The New World Order

MANAGE THIRD PARTY RISKS

Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen. 14th Annual Risk Management Convention

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Threat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

Agenda , Palo Alto Networks. Confidential and Proprietary.

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation

The Next Generation Security Operations Center

Enterprise Security Platform for Government

The Cyber OODA Loop: How Your Attacker Should Help You Design Your Defense. Tony Sager The Center for Internet Security

Enterprise Cybersecurity: Building an Effective Defense

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

As threat actors target various types of networks, companies with improperly configured network infrastructures risk the following repercussions:

After the Attack. The Transformation of EMC Security Operations

Reinventing Network Security Vectra s cyber-security thinking machine delivers a new experience in network security

Network Security Redefined. Vectra s cybersecurity thinking machine detects and anticipates attacks in real time

Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities?

Security Advisory. Some IPS systems can be easily fingerprinted using simple techniques.

Enterprise Cybersecurity: Building an Effective Defense

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

A Modern Framework for Network Security in the Federal Government

CYBER SECURITY INFORMATION SHARING & COLLABORATION

Beyond the Hype: Advanced Persistent Threats

Defense Security Service

ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst

A Cyber Security Integrator s perspective and approach

integrating cutting-edge security technologies the case for SIEM & PAM

Unified Security, ATP and more

Reference Architecture: Enterprise Security For The Cloud

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Practical Threat Intelligence. with Bromium LAVA

Cyber Watch. Written by Peter Buxbaum

TLP WHITE. Denial of service attacks: what you need to know

Bio-inspired cyber security for your enterprise

McAfee Security Architectures for the Public Sector

EC-Council. Certified Ethical Hacker. Program Brochure

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

MANAGE VULNERABILITIES

EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

43% Figure 1: Targeted Attack Campaign Diagram

BlackRidge Technology Transport Access Control: Overview

SPEAR PHISHING AN ENTRY POINT FOR APTS

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING

Use of tablet devices in NHS environments: Good Practice Guideline

Evolution Of Cyber Threats & Defense Approaches

A New Approach to Assessing Advanced Threat Solutions

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

Transcription:

idata Improving Defences Against Targeted Attack Summary JULY 2014 Disclaimer: Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes. To the fullest extent permitted by law, CPNI accepts no liability for any loss or damage (whether direct, indirect or consequential and including, but not limited to, loss of profits or anticipated profits, loss of data, business or goodwill) incurred by any person and howsoever caused arising from or connected with any error or omission in this document or from any person acting, omitting to act or refraining from acting upon, or otherwise using, the information contained in this document or its references. You should make your own judgement as regards use of this document and seek independent professional advice on your particular circumstances. Crown Copyright 2014

idata Improving Defences Against Targeted Attack idata is a CPNI cyber research programme. The programme consists of a number of projects aimed at addressing threats posed by nation states and state-sponsored actors. idata has resulted in a number of outputs for the cyber security community. This document provides a description of the idata programme and a summary of the outputs. Background The corporate IT systems of UK organisations are targeted by adversaries seeking to steal information and/or disrupt business operations. idata is a CPNI programme of research to address cyber-attacks conducted by adversaries with significant resources and access to sophisticated tools and techniques. Such adversaries are capable of defeating most conventional cyber security measures. The Critical Controls [1] and other established advice products place emphasis on preventing attackers from penetrating IT infrastructures. idata assumes that infrastructures are already compromised and considers the best approaches for impeding the progress of an attack, making attacks more expensive to conduct and frustrating the efforts of an adversary. To date, idata has addressed remotely conducted, espionage-driven, attacks. Projects CPNI use a Cyber Kill-Chain [3] to help describe the stages of a cyber attack and the areas at which idata research are aimed. A Cyber Kill Chain contains a number of stages that an attacker must complete in order to compromise a target infrastructure and achieve objectives. An attack will fail if the defenders of an infrastructure are successful at any one of the stages. As idata assumes that an infrastructure is already compromised, the relevant parts of the Cyber Kill Chain are stages 6 and 7. Figure 1 shows the topics covered (mapped to the Cyber Kill Chain) and shows suppliers for the idata work - undertaken between July 2013 and April 2014. In order to capture different perspectives and to work with different datasets, each supplier worked independently on their topic. However, contact between suppliers was encouraged, to ensure sharing of ideas and awareness of efforts in each area.

Figure 1: idata projects, with suppliers, mapped to the Cyber Kill Chain Outputs Tables 1,2,3 and 4 present the outputs of each project. In addition to these, all suppliers contributed comments on version 5 of the Critical Security Controls for Effective Cyber Defence [1]. A submission has been made to the Council on CyberSecurity [2]. All suggestions resulting from the idata work will be considered as part of the consensus process during the next update of the Controls. References 1. Critical Controls for Effective Cyber Defence, Version 5, ~Feb 2014, URL: http://www.cpni.gov.uk/advice/cyber/critical-controls/ 2. Council on CyberSecurity, Council on CyberSecurity, URL: http://www.counciloncybersecurity.org/practiceareas/technology 3. Intelligence-Driven Computer Network Defence Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Eric M. Hutchins, Michael J. Clopperty, Rohan M. Amin, Ph.D., Lockheed Martin Corporation, 2010, URL: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/lm- White-Paper-Intel-Driven Defense.pdf

Main conclusions & recommended Command and Control (C2) Understanding, Denying, Detecting Command and Control Birmingham University A review of current cyber-attacks has been conducted and is presented in a technical report. The review highlights significant recent changes in how and why attacks are performed and provides an improved understanding of C2 techniques. This foundational work is presented in the outputs of this work and has resulted in the design of a set of effective counter-measures. Detect known bad-network activity by monitoring DNS traffic, monitoring IP traffic and inspecting traffic content. Detect anomalous network activity by establishing traffic baselines and evaluating current network activity. Deny C2 by segmenting the network, introducing rate-limiting to slow traffic directed to disreputable or untrusted endpoints. Block unwanted / unused communications mechanisms that may be used to piggy-back C2 activity. Format Description Intended Audience Detailed report including review of published literature on the topic, a round-up of C2 techniques and approaches, real-world examples, tactics to avoid detection, measures to detect and prevent C2. /academic with sections for nontechnical Key Facts Document to present recommended measures for detection and denial of C2 channels. Managerial / (Attack) C2 from an attacker perspective Non-technical (Detect) C2 from a defence perspective Non-technical Web Pages: http://c2report.org/report.pdf http://www.cpni.gov.uk/advice/cyber/idata/command-and-control-birmingham/ Table 1: Birmingham University - Command and Control Outputs

Main conclusions & recommended Format Command and Control (C2) Understanding, Denying, Detecting Command and Control QinetiQ Research into techniques for detecting advanced attack that evades traditional defence techniques such as Antivirus, IDS, and firewalls, concentrating especially on spotting and blocking C2 (command and control) channels of malware. Detailed investigation into the ways in which advanced malware can be detected, using a combination of theoretical research and practical investigation. Amongst other things, QinetiQ have demonstrated use of Big Data analytics to spot some advanced malware that was resident on an organisation s network. Direct detection of C2 channels is difficult and subject to change by innovative attackers. Detection is best achieved by looking at communication patters over key nodes and over an extended period rather than micro-examination of specific packets. Description Intended Audience Detailed report including C2 techniques and approaches, real-world examples, tactics to avoid detection, measures to detect and prevent C2. with sections for nontechnical Key Facts Document to present recommended measures for detection and denial of C2 channels. Managerial / s Detection and Disruption Non-technical Web pages: http://www.cpni.gov.uk/advice/cyber/idata/command-and-control-qinetiq/ www.qinetiq.com/cpni-idata Table 2: QinetiQ - Command and Control Outputs

Main conclusions & recommended Output Network Reconnaissance PIANOS Protecting Information About Networks, the Organisation and its Systems BAE Systems Applied Intelligence (Previously Detica) An insight into the network reconnaissance activities of intruders following successful compromise of a target network. Work includes a look at emerging threats and a number of case studies. Attackers predominately use legitimate system tools and applications to perform internal network reconnaissance. It s difficult for organisations to restrict use of these tools without hampering legitimate and essential use. Log analysis, network monitoring, and incident response, are highlighted amongst the most important controls to detect and deal with network reconnaissance. Network diodes and software inventories are presented as effective ways of impeding the progress of an attack. Description Intended Audience Detailed report including Network reconnaissance techniques and approaches, real-world examples, tactics to avoid detection, measures to impede progress of an attacker. with sections for nontechnical. High level view of target technical information within an organisation and what controls can protect it. Non-technical Checklist Web pages: Advisory checklist to help an organisation assess the strengths and weaknesses of current security measures with respect to defending against network reconnaissance activities. http://www.cpni.gov.uk/advice/cyber/idata/pianos/ http://www.baesystems.com/solutions-rai/cyber-security/prepare Table 3: BAE Systems Applied Intelligence Network Reconnaissance Outputs

Main conclusions & recommended Data Exfiltration Detecting and Deterring Data Exfiltration MWR InfoSecurity Current and future exfiltration tactics are covered within this work. Defensive measures are discussed, with the most important measures presented, in order to increase organisational resilience. To illustrate the problem and highlight the solutions, a day in the life of an attacker and a defender is provided. Case studies and further reading are given. Given the motivation and resources of some attackers and the complexity of modern organisations, protection of digital assets cannot be guaranteed. A comprehensive defence-in-depth strategy is needed to detect and deter data exfiltration. Such defences can be expensive and the need for such a strategy must be understood by top layers of management. A successful strategy will increase costs for the attacker and minimise potential impact on an organisation. Defensive measures include; ensuring a network is manageable, logging throughout an organisation, auditing accounts, using data loss prevention, using anti-virus, using intrusion detection systems, host hardening and honeypots. Download Description Detailed report including Data Exfiltration techniques and approaches (current and future), real-world examples, tactics to avoid detection, measures to detect and prevent Data Exfiltration. Intended Audience Executive High level report explaining the topic, and the importance of implementing measures to prevent Data Exfiltration. Executive / Non technical Graphics on Data Exfiltration and measures to prevent it. Executive / Non technical Animation 3 minute animation to present the topic of Data Exfiltration to a non-technical audience. Designed to promote other guidance products. Non- Web pages: http://www.cpni.gov.uk/advice/cyber/idata/data-exfiltration-mwr/ https://www.mwrinfosecurity.com/practice-areas/cyber-defence/ Table 4: MWR InfoSecurity Data Exfiltration Outputs

Main conclusions & recommended Data Exfiltration Detecting and Preventing Data Exfiltration Lancaster University A systematic review of relevant literature, collection of case-studies and production of incident trees have all been completed in order to improve understanding of the topic of data exfiltration. The consequences of new and emerging technologies and business practices have been considered with respect to the impact on data exfiltration modes. Areas for increased effort include; post exfiltration recovery, defensive measures in relation to business needs, and the need for data exfiltration detection and prevention as opposed to information protection. Format Description Intended Audience Detailed report including Data Exfiltration techniques and approaches (current and future), real-world examples, tactics to avoid detection, measures to detect and prevent Data Exfiltration. / Academic Executive High level report explaining the topic, and the importance of implementing measures to prevent Data Exfiltration. Executive / Management Graphics on Data Exfiltration and measures to prevent it. Executive / Non technical Cyber-Wheel Tool to suggest approaches to detection and prevention of data exfiltration. Table 5: Lancaster University Data Exfiltration Outputs

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information