Protecting your organization from advanced threats

Similar documents
Securing Microsoft Office 365

ARgon: The Foundation of an Adaptive Data Loss Prevention Strategy

Critical Information Protection & Security Questions for the Board to ask. January 2016

Symantec Advanced Threat Protection: Network

Why a Network-based Security Solution is Better than Using Point Solutions Architectures

The Hillstone and Trend Micro Joint Solution

Defending Against Cyber Attacks with SessionLevel Network Security

Cloud App Security. Tiberio Molino Sales Engineer

Data Center security trends

SPEAR-PHISHING ATTACKS

Clearswift Adaptive Redaction

Fighting Advanced Threats

SECURE ICAP Gateway. Blue Coat Implementation Guide. Technical note. Version /12/13. Product Information. Version & Platform SGOS 6.

INCREASINGLY, ORGANIZATIONS ARE ASKING WHAT CAN T GO TO THE CLOUD, RATHER THAN WHAT CAN. Albin Penič Technical Team Leader Eastern Europe

Perspectives on Cybersecurity in Healthcare June 2015

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

Cisco Advanced Malware Protection for Endpoints

Office 365 Cloud App Security MARKO DJORDJEVIC CLOUD BUSINESS LEAD EE TREND MICRO EMEA LTD.

Whitepaper on AuthShield Two Factor Authentication and Access integration with Microsoft outlook using any Mail Exchange Servers

Marble & MobileIron Mobile App Risk Mitigation

Spear Phishing Attacks Why They are Successful and How to Stop Them

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

Sophistication of attacks will keep improving, especially APT and zero-day exploits

POLIWALL: AHEAD OF THE FIREWALL

10 Smart Ideas for. Keeping Data Safe. From Hackers

CYBER SECURITY THREAT REPORT Q1

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

Malicious Mitigation Strategy Guide

WHITEPAPER. How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware

SPEAR PHISHING AN ENTRY POINT FOR APTS

CHECK POINT Mobile Security Revolutionized. [Restricted] ONLY for designated groups and individuals

2012 Bit9 Cyber Security Research Report

Top Ten Cyber Threats

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

Trust the Innovator to Simplify Cloud Security

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Cyber Security Trends Market trends from leading security analysts and consultants at TÜV Rheinland, OpenSky, and OpenSky UK

Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen. 14th Annual Risk Management Convention

HACKER INTELLIGENCE INITIATIVE. The Secret Behind CryptoWall s Success

User Documentation Web Traffic Security. University of Stavanger

YOUR TRUSTED PARTNER IN A DIGITAL AGE. A guide to Hiscox Cyber and Data Insurance

When Reputation is Not Enough. Barracuda Security Gateway s Predictive Sender Profiling. White Paper

GOING BEYOND BLOCKING AN ATTACK

Has the enforcer become the enabler?

Cloud Based Secure Web Gateway

Beyond the Hype: Advanced Persistent Threats

PENETRATION TESTING GUIDE. 1

Protecting Your Data From The Inside Out UBA, Insider Threats and Least Privilege in only 10 minutes!

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

Trend Micro Hosted Security. Best Practice Guide

Active Threat Control

Desktop and Laptop Security Policy

How To Install & Use Metascan With Policy Patrol

WEB PROTECTION. Features SECURITY OF INFORMATION TECHNOLOGIES

When Reputation is Not Enough: Barracuda Spam & Virus Firewall Predictive Sender Profiling

2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program.

Driving Success in 2013: Enabling a Smart Protection Strategy in the age of Consumerization, Cloud and new Cyber Threats. Eva Chen CEO and Co-Founder

IBM Security Strategy

Whitepaper on AuthShield Two Factor Authentication with ERP Applications

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

Security Guide

Nine Cyber Security Trends for 2016

FACT SHEET: Ransomware and HIPAA

Integrating MSS, SEP and NGFW to catch targeted APTs

WildFire. Preparing for Modern Network Attacks

Bad Romance: Three Reasons Hackers <3 Your Web Apps & How to Break Them Up

Internet security: Shutting the doors to keep hackers off your network

Advanced Persistent. From FUD to Facts. A Websense Brief By Patrick Murray, Senior Director of Product Management

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

Breaking the Cyber Attack Lifecycle

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

Protecting the Infrastructure: Symantec Web Gateway

DATA SHEET. What Darktrace Finds

Trend Micro Cloud App Security for Office 365. October 27, 2015 Trevor Richmond

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

Protection Against Advanced Persistent Threats

One Minute in Cyber Security

Protecting Your Organisation from Targeted Cyber Intrusion

white paper 5 Steps to Secure Internet SSO Overview

IBM Security re-defines enterprise endpoint protection against advanced malware

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

WHITE PAPER. Understanding How File Size Affects Malware Detection

White Paper THE FOUR ATTACK VECTORS TO PREVENT OR DETECT RETAILER BREACHES. By James Christiansen, VP, Information Risk Management

Analyzing HTTP/HTTPS Traffic Logs

Introducing IBM s Advanced Threat Protection Platform

Endpoint Threat Detection without the Pain

Reducing the cost and complexity of endpoint management

POLIWALL: AHEAD OF THE FIREWALL

By John Pirc. THREAT DETECTION HAS moved beyond signature-based firewalls EDITOR S DESK SECURITY 7 AWARD WINNERS ENHANCED THREAT DETECTION

Technology White Paper. Increase Security and Maximize Spam Blocking

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS. Junos WebApp Secure Junos Spotlight Secure

Cisco RSA Announcement Update

UNCLASSIFIED. General Enquiries. Incidents Incidents

Cisco Advanced Malware Protection. Ross Shehov Security Virtual Systems Engineer March 2016

Agenda , Palo Alto Networks. Confidential and Proprietary.

Reduce Your Network's Attack Surface

Transcription:

Protecting your organization from advanced threats Prevent advanced Malware and Ransomware attacks from striking Copyright Clearswift 2017 www.clearswift.com

Contents Introduction 3 Are the number of threats really increasing? 3 The next generation of evading malware 3 Spear phishing 3 Ransomware 4 Evolution of attacks 5 What are the options to mitigate APTs? 5 What about sandboxing? 5 What about a dual anti-virus solution? 6 What about next generation anti-virus? 6 What about Clearswift? Why is this approach different? 6 Structural Sanitization from Clearswift 6 Document Sanitization from Clearswift 7 Distributed Operational Management 7 In summary 7 2 Protecting your organization from advanced threats www.clearswift.com

Introduction Today s cyber-attacks appear relentless, growing in frequency, intensity and proliferating throughout all industries. There is no normal and the impact of each attack is felt throughout the business through the organization s supply chain to its customers, partners and beyond. It is almost impossible not to notice the cyber-security stories in the media. It doesn t seem to matter where you are in the world, or what industry you are in. But what has come to light, is traditional cyber-security protection is becoming increasingly ineffective against this next generation of ever evading malware and the myriad attacks. Cyber-attackers have become patient. Mounting increasingly sophisticated campaigns against both organizations and the individuals within them using all the latest social engineering methods available. Silently harvesting information from social media platforms and hidden document metadata readily found on the company website or cloud collaboration tools, preparing for targeted attack. To combat this onslaught, organizations need to deploy a more effective layer of advanced threat protection, aimed at securing their most valuable asset; critical information. Mitigating the new threat vectors of embedded malware in conjunction with supporting collaborative working practices, enabling the business to remain secure yet agile. With a deeper layer of inspection and sanitization, the automated removal of hidden malware is the cornerstone to providing a more complete and cost effective solution to mitigating the new threats. Are the number of threats really increasing? For most CFOs, their favorite graph is up and to the right, unfortunately for the CIO when it comes to cyber-threats this is certainly not what they want to see. There was a 36% increase in unique malware in 2015 over 2014 which equates to 430 million instances 1. But numbers are difficult to get to grips with, it is the impact of the malware on organizations which is easier to relate to. The next generation of evading malware Today s cyber-attacks are not just after credit cards or bank details, they are also targeting critical information. The information could be new product designs or personnel records, contract information or customer details. Critical information takes on many forms, and is pertinent to each organization, but each guise of critical information can be monetized very easily on the dark web or simply for the attackers own personal gain or held hostage for ransom. Spear phishing Most people are aware of phishing; an email which appears to be sent to you from a friendly source which you then act upon, creating the problem. This could be opening an attachment or clicking on a link - both resulting in a malware infection. Spear phishing is very similar but it is an attack which targets an individual or group of individuals with content which is very specific. Rather than a blanket approach of you are a customer of grocery store X, click here for a super deal, it s a crafted attack using personal references. A recent spear phishing attack 2 targeting the US Nuclear Regulatory Commission (NRC) used employees personal email accounts as the attack vector. There were three vectors used, a PDF attachment with malicious active content, a link to a document hosted on Microsoft OneDrive which was malware and a link to a Google docs spreadsheet also containing malware. Today nearly 80% of spear phishing attacks use employees personal email and other mail accounts rather than directly through corporate email. This route is chosen, as often corporate email accounts are better protected than personal email, which is delivered over the Internet. 1 Symantec Internet Security Threat Report, April 2016 2 www.theregister.co.uk/2014/08/19/nuclear_facility_hacked_three_times_in_three_years/ 3 Protecting your organization from advanced threats www.clearswift.com

Ransomware Ransomware is the latest branch of malware to move from being a consumer to enterprise blight. Rather than having to exfiltrate information, the malware encrypts it in place and then displays a demand for money. There has been a spate of attacks, particularly in the healthcare vertical with the Hollywood Presbyterian Medical Center 3 being one of the most recent and high profile. In this case the ransom demanded was $3.6M, but the real challenge for the organization was that computer systems were shut down for days whilst the medics were forced to use fax, pen and paper, causing a massive decline in productivity. Furthermore procedures had to be postponed, which not only created a short term issue, but ultimately will impact the organization s reputation. These attacks are not localized but global, with attacks on German hospitals 4 and a New Zealand District Heath Board 5. Likewise, while healthcare was targeted, attacks have been reported across other verticals, including local government. For today s business, ransomware is a real threat and has evolved so that the outcome can be Potentially devastating. Ransomware is just a process and infection is as simple as 1,2,3. One recent example is DRIDEX, see Figure 1. Figure 1: Ransomware through DRIDEX malware 2 1 The attachment is a trusted file type that has an embedded macro or script 3 DRIDEX arrives as an attachment to an email The DRIDEX loader downloads the DRIDEX worker DLL file onto the system 4 1001101101010010010 1101001101101010000 1011010011011010100 1001011010011011010 1001001011000101110 The loader contains a configuration file that has botnet network and command & control (C&C) details. All stolen information is sent to the C&C servers 3 www.itgovernance.co.uk/blog/major-hollywood-hospital-brought-down-by-a-ransomware-attack/ 4 www.dw.com/en/hackers-hold-german-hospital-data-hostage/a-19076030 5 www.nzherald.co.nz/wanganui-chronicle/news/article.cfm?c_id=1503426&objectid=11594628 4 Protecting your organization from advanced threats www.clearswift.com

Evolution of attacks The early hackers were motivated by fame rather than fortune and the targets used to be high-profile trophy organizations. The next round of hackers went after the low hanging fruit, information which could be easily monetized, credit card details and then bank account details. The value here was the immediacy of the monetization and an industry grew up around being able to process the stolen information as quickly as possible. After credit card details, came other personally identifiable information (PII) which could be used for identity theft and hence monetization through impersonation. Medical information is now worth ten times more than credit cards. Usernames and passwords can also be monetized with demand for corporate credentials as well as consumer. Today we are at the point where all critical information carries a value to someone and so is now a target, or in the case of hacktivists, it is about disruption (who also deploy other attack mechanisms, such as Distributed Denial of Service, or DDoS attacks.) Thanks to the Internet, there are no boundaries, the perpetrators are no longer just individuals who are out for fame, but rather larger groups, from hacktivists to organized crime to governments themselves (allegedly! 6 ) and can be based anywhere on the planet. The attack vector has moved on from expecting someone to open an executable in an email, to clicking on a malicious link, to today s malware which is now embedded in innocuous looking documents. Open the document, infect the machine. Infect the network. This malware is almost impossible to detect using traditional mechanisms as it has been crafted for a specific individual or organization, evading even next generation firewalls, anti-virius and sandbox solutions. Once installed it operates low and slow, carrying out its task over a period of time rather than instantly, in order to avoid detection and is most frequently referred to as an Advanced Persistent Threat or APT. What are the options to mitigate APTs? Information borne threats are particularly difficult to mitigate against. In essence the malware is embedded into the document but the document can also contain information which is actually required for legitimate business. For example infecting documents stored in a cloud based collaboration repository so that their payload is delivered when they are opened while on a corporate network. Cloud based collaboration is now the defacto standard when working with other organizations but due to lack of control, they can become the weakest link in the security chain. What about sandboxing? APTs are seldom detected by traditional anti-virus solutions, detection can be improved by using multiple AV engines, however even this is not 100% effective. Another approach is to use a sandbox. This is where the executable is run, or the document is opened in a controlled environment, a sandbox, and its behavior monitored. The major disadvantage of this approach is the ever-increasing sophistication of the malware which can now evade detection in sandboxes 7. Malware sandboxes have registered good results and potential in curbing the problem; however, authors of the malware have found ways of bypassing the analysis measures put in place. It is sound to say that sandboxes no longer provide or guarantee the needed protection that required to be afforded computing systems to prevent against malware attacks. 8 Sandboxing s secondary impact is the delay in delivery while the behavioral monitoring is taking place. Business communication is frequently time critical, especially those with documents attached (which is why people tend to open them before considering where they came from, and who might have sent it), so any delay is a delay to business. Organizations who deploy sandbox technology often switch off the technology to ensure that the communication is delivered immediately and then take a copy for analysis. If malware is detected, they then have a process to try and delete the offending document before it infects the organization; the remediation often being too late. 6 www.nextgov.com/cybersecurity/2014/08/exclusive-nuke-regulator-hacked-suspected-foreign-powers/91643/ 7 www.doctorchaos.com/malware-sandbox-and-breach-detection-evasion-techniques/ 8 www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667 5 Protecting your organization from advanced threats www.clearswift.com

What about a dual anti-virus solution? Most companies today have an anti-virus solution of one sort or another. Best practice is to have different vendor solutions on the ingress points to that which is on the endpoint. The reason for this being that each will detect viruses slightly differently, especially through heuristics. While it is not practical to have multiple AV solutions on each endpoint, it is on the ingress points, the email and web gateways. Using more than one solution improves detection by up to +19.2% on recently discovered viruses. Over time, all the anti-virus engines will detect the same viruses, but it is that additional coverage when a virus is first discovered which makes dual anti-virus effective. What about next generation anti-virus? Anti-virus solutions are only as good as the virus signatures and heuristics that they support. Signature updates from most vendors happen multiple times during the day and are automatically downloaded. However, there is the time from when a virus is detected to when the new signatures are installed. The next generation of anti-virus solutions enable a cloud-based lookup which makes the new signatures available in the time before it is downloaded as an update. This does reduce the risk with the reduction of the window of opportunity for the cyber-attacker, between the release of the virus and it being detected and blocked. However, fundamentally, the risk still exists. What about Clearswift? Why is this approach different? Clearswift has built its reputation on a technology called Deep Content Inspection, this is the ability to take a document or an archive and pull it apart and then analyze the constituent pieces. Further innovation came in 2013 with the launch of Adaptive Redaction and with it the ability to rebuild documents having removed any data which breaks information security policies. While the technology was originally developed as part of an Adaptive Data Loss Prevention solution, it has been refined to additionally deliver an easy to use, cost effective, advanced threat protection solution. The key component being Structural Sanitization. Structural Sanitization from Clearswift Deep Content Inspection (DCI) is used to fully understand a document and its constituent parts in real-time. When it comes to protecting against APTs, it is primarily about detecting and removing active content. These are embedded macros and scripts which activate when a document is opened. It can also look for and remove piggybacked content which is attached to other embedded objects, such as images. In order to be effective, DCI doesn t stop at one level, it recurses through until an end is found 9. So if there is embedded malware in a spreadsheet which is embedded in a word document which is in an archive, in an archive, then DCI will find and remove it. Unlike anti-virus solutions, it doesn t rely on signatures and doesn t require constant updating. Structural Sanitization can be rapidly deployed and typically costs less than a fifth of sandbox technology. It requires no specialist training and does not impact business agility. It can also be combined with sandboxing, enabling a safe version of the document to be delivered while analysis takes place, at which point the original can be forwarded on if there are no threats detected. Furthermore, active DCI within the email (or web gateway) can ensure that only documents with active content are forwarded to the sandbox solution, reducing the overhead of the sandbox scanning innocent files. 9 The default number of levels to recurse through is 50, at which point the policy can quarantine the content as it is most probably malware. 6 Protecting your organization from advanced threats www.clearswift.com

Document Sanitization from Clearswift Today s documents contain other threats embedded in them, outside of the obvious information, appearing in the guise of meta-data. Metadata is the detail available to users that provides more insight into information; for example it will describe where information was created (such as GPS information in photographs or the name of the computer a document was created on) and hence the location of individuals can be tracked. It might provide details about authors, time and date of creation of information, amongst other property based description. This information is a gold mine for phishers and cyber-attackers by providing the inside track to the organization which makes phishing all the more successful. Would you be more likely to open a document purporting to be from your IT department which has your corporate username as the title? Or maybe one referring to internal printer names? These innocuous looking pieces of data should never make it outside the organization, else it makes it easy for the cyber-criminal. Another class of information hidden inside a document is the revision history. This might be obvious if you have track changes switched on, or it might be embedded in the document by default, for example in fast save information. Either way, this can contain sensitive data which could result in a data leak. Deep Content Inspection can identify meta-data and revision information and using Document Sanitization can automatically remove it, removing the threat it poses as it crosses the organizational boundary. This can be done through email and the web, for example when uploading documents to cloud collaboration platforms. Document Sanitization can also be used in front of an externally facing website using a configuration known as a reverse proxy, whereby any documents at the start of the download process can be checked and metadata or revision history which inadvertently remains is automatically removed before being delivered to the requestor. Distributed Operational Management As with any security solution there is often a management overhead. For many solutions this administration falls to the IT department or other system administrators. The Clearswift DCI technology is not restricted to understanding the content in documents (or emails) but also to the context, the sender, the recipient and the means of communication. Integration with Active Directory or an LDAP service enables the solution to route simplified management tasks to the sender s manager or any other nominated group or individual. In summary Organizations are under constant attack from today s advanced malware and ransomware attacks, with the proliferation urgently requiring a new approach to overcome the problem. As the attacks are becoming increasingly sophisticated and evasive, there is a need to rethink the defenses used. Unfortunately there is no silver bullet, so this is about augmenting existing defenses rather than just replacing them. Structural Sanitization offers organizations effective mitigation against the information borne, evading threats. Automatically removing malware and ensuring there is no piggybacked data. Document Sanitization ensures that no critical information is leaked via metadata or revision history or identifiable information which can then be used by cyber-criminals to build spear phishing attacks against the organization. A Sanitization approach is a cost effective solution to augment sandboxing techniques, traditional anti-virus, dual and next generation anti-virus, IP reputation, intrusion detection and other security applications to build a comprehensive defense-in-depth architecture; applicable for organizations of all sizes, in all industries to secure against today s advanced threats. 7 Protecting your organization from advanced threats www.clearswift.com

Clearswift is trusted by organizations globally to protect their critical information, giving them the freedom to securely collaborate and drive business growth. Our unique technology supports a straightforward and adaptive data loss prevention solution, avoiding the risk of business interruption and enabling organizations to have 100% visibility of their critical information 100% of the time. For more information, please visit www.clearswift.com. United Kingdom Clearswift Ltd 1310 Waterside Arlington Business Park Theale, Reading RG7 4SA UK Germany Clearswift GmbH Im Mediapark 8 D-50670 Cologne GERMANY United States Clearswift Corporation 309 Fellowship Road Suite 200 Mount Laurel, NJ 08054 UNITED STATES Japan Clearswift K.K Shinjuku Park Tower N30th Floor 3-7-1 Nishi-Shinjuku Tokyo 163-1030 JAPAN Australia Clearswift (Asia/Pacific) Pty Ltd Level 17 Regus Coca Cola Place 40 Mount Street North Sydney NSW 2060 AUSTRALIA www.clearswift.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information