Advanced Threats: The New World Order
Gary Lau, Technology Consulting Manager, Greater China (gary.lau@rsa.com)
Agenda
- Change of threat landscape and business impact
- Case sharing: Korean incidents, EMC CIRC, APT investigation
- Q&A
Traditional Security Is Not Working
- 99% of breaches led to compromise within days or less, with 85% leading to data exfiltration in the same time.
- 85% of breaches took weeks or more to discover.
Source: Verizon 2012 Data Breach Investigations Report
What is APT?
What is APT?
Gartner uses a simple definition for APT:
- Advanced: it gets through your existing defenses.
- Persistent: it will keep trying until it gets in, and once in, it succeeds in remaining hidden from your current level of detection until it attains its objective.
- Threat: it can cause harm.
Source: Strategies for Dealing with Advanced Target Attacks, Gartner, 6 Jun 2013
Aims of APT
- Information compromise: stealing, destroying or modifying business-critical information.
- Theft of service: obtaining use of the business product or service without paying for it.
- Denial of service: disrupting business operations.
Known vs Unknown Threat Detection
- Known threats (detect): Firewall, IDS/IPS, AV, DLP, SIEM, others
- Unknown threats (investigate): what, where, how
Unknown Threat
Targeted attacks often use custom-created malware that is undetectable by signature-based techniques. Such attacks generally require some means of communication back to an outside party (beaconing).
APT leaves clues!
APT footprints:
- Payload (one or several) on a compromised host
- Remote C2 server
- Network communications to a routable IP address or a domain name pointing to it, either registered as a fully qualified domain name or an account with a DDNS provider
- Payload artifacts: binaries, strings and functions, etc., configured with the C2 address or domain
Proactive intelligence is needed to detect these clues.
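The beaconing clue from the slides above can be scored from ordinary proxy logs by measuring how regular a host's connections to one destination are. This is an added example, not part of the original deck or any RSA product; the log lines and the DDNS suffix list are constructed placeholders.

```python
# Added example: flag beacon-like periodic connections in constructed proxy logs.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <src host> <dst domain>"
SAMPLE_LOG = """\
2013-06-01T09:00:00 ws-17 updates.example-corp.test
2013-06-01T09:05:01 ws-17 updates.example-corp.test
2013-06-01T09:10:00 ws-17 updates.example-corp.test
2013-06-01T09:15:02 ws-17 updates.example-corp.test
2013-06-01T09:20:00 ws-17 updates.example-corp.test
2013-06-01T09:00:30 ws-17 news.example.test
2013-06-01T09:07:45 ws-17 news.example.test
2013-06-01T09:31:10 ws-17 news.example.test
2013-06-01T10:02:05 ws-17 news.example.test
2013-06-01T09:00:10 ws-42 box7.ddns-placeholder.test
2013-06-01T09:01:10 ws-42 box7.ddns-placeholder.test
2013-06-01T09:02:10 ws-42 box7.ddns-placeholder.test
2013-06-01T09:03:10 ws-42 box7.ddns-placeholder.test
"""
# Placeholder suffix standing in for DDNS providers (assumption, not a real list).
DDNS_SUFFIXES = (".ddns-placeholder.test",)

def parse_log(text):
    """Group connection timestamps by (source host, destination domain)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns

def beacon_score(times):
    """Coefficient of variation of the gaps between connections.
    Near 0 means a fixed sleep timer; human browsing is far noisier."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None  # too few samples to judge periodicity
    return pstdev(gaps) / mean(gaps)

def find_beacons(text, max_cv=0.1):
    """Return (src, dst, cv, uses_ddns) for connections that look periodic."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        cv = beacon_score(times)
        if cv is not None and cv <= max_cv:
            hits.append((src, dst, round(cv, 3), dst.endswith(DDNS_SUFFIXES)))
    return sorted(hits)
```

Periodicity alone is not a verdict: the legitimate update checker in the sample is just as regular as the suspect host, so a hit should be paired with the other clues on the slide (domain registration or DDNS use, and the address embedded in the payload) before it is escalated.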
Advanced Threats Are Different
1. Targeted: specific objective
2. Stealthy: low and slow
3. Interactive: human involvement
Attack timeline (figure labels): Attack Begins, System Intrusion, Cover-Up, Discovery, Leap Frog Attacks, Cover-Up Complete, Attack Identified, Response.
- Dwell time (attacker free time): from the attack beginning until it is identified.
- Response time: from identification until response.
Goals: 1. Decrease dwell time (attacker free time). 2. Speed up response time.
Resource Shift: Budgets and People
- Traditional defense: Prevention 80%, Monitoring 15%, Response 5%
- Increase the ability to detect and respond: Prevention 33%, Monitoring 33%, Response 33%
A New Security World
- It will become increasingly difficult to secure infrastructure.
- We must focus on people, the flow of data and on transactions.
You need Visibility!!
SIEM has been a good start
SIEM can provide:
- Valuable reporting on device and application activity
- Basic alerting on known sequences (i.e. basic correlation)
- Proof of compliance for internal and external auditors
- Central view into disparate event sources being collected
In today's world:
- Threats are multi-faceted, dynamic and stealthy
- The most dangerous attacks have never been seen before
- Threats often don't leave a footprint in logs
Today's tools need to adapt
Today's tools need to be able to detect and investigate:
- Lateral movement of threats as they gain a foothold
- Covert characteristics of attack tools, techniques and procedures
- Exfiltration or sabotage of critical data
Today's tools need to be able to scale:
- To collect and store the volume and diversity of data required
- To provide analytic tools to support security workstreams
Time to respond is critical in a breach situation, and SIEM often falls short.
Traditional SIEM will not meet these needs!
Control Coverage: attack the control white space
(Figure: defense-in-depth controls FW, IDS, AV, endpoint and DLP each feed logs into the SIEM to protect assets; the adversary's emerging threats, namely 0-day malware, trusted C2 and valid credentials, fall in the white space between those controls. Shown as covering that space: full packet capture, threat intelligence over log, packet and intelligence data, ECAT, Live Intelligence & CCI, and Governance.)
Holistic Approach to Address APT
Critical Questions against APTs
- Governance: what matters?
- Comprehensive visibility: what is going on?
- Actionable intelligence: how do I address it?
Use a Strategic Security Approach to Implement Tactical Best-Practice Controls
Best practice strategies from Gartner:
- Use a comprehensive approach; no single technology will stop advanced targeted attacks, even products specifically targeted at advanced forms of attack.
- Acknowledge that technology alone won't stop APT; your strategy must include the search for compromised systems, improvements in your forensics and incident response capabilities, and rapid response.
List of RSA offerings within Gartner control layers
Technologies (Gartner control layers): Authentication Technology; Advanced Threat Protection Appliances; Network Forensics; Security Information and Event Management; Security Intelligence Services; Endpoint Threat Detection and Response; Incident Response Capabilities; DLP Solution
Offerings: RSA SecurID; RSA Security Analytics; RSA Security Analytics; RSA Security Analytics; RSA Security Analytics; RSA Cyber Crime Intelligence; RSA ECAT; RSA Archer; RSA DLP
Source: Gartner G00256438
Korean Incidents: The power of Detect and Investigate
Disruptive Attacks - 2011
Disruptive Attacks - 2013
Multi-Vector Co-ordinated Attack
What changed between 2011 and 2013

                              2011                        2013
Target                        1 bank                      3 banks and a TV station
Destruction                   Delete boot files & reboot  Delete MBR & reboot
Delivery                      Single vector               Multi-vector
SIEM                          No                          Mostly
Network forensics             No                          Partial
Investigative capabilities    None                        Minimal
Downtime                      2 days                      2 hours
EMC CIRC
Global Security Organization: Functional Areas
- Implement: Office of Information Security
- Investigate: Corporate Protective Services
- Risk management / Enable: Business Security Enablement Group
- Detect: Critical Incident Response Group
Sphere of Protection
- Fed by more than 2,000 security devices which generate 12 to 14 million security events per hour
- Protecting critical infrastructure of thousands of customers spanning more than 500 sites in over 100 countries
- Manages security incidents, investigates suspicious behavior, vulnerability analysis, malware analysis and threat management
- Built on EMC proven technologies from RSA, including RSA Security Analytics and RSA Archer
- A specialized, cross-functional, highly skilled team focused solely on monitoring for critical threats and incident response
EMC CIRC Statistics Reference
- After filtering, around 200 alerts need to be handled.
- Of those 200 alerts, around 30 need further investigation.
- 3 people are needed to handle the in-depth advanced investigation.
Investigating against APTs: a case study
Solution Highlights
- RSA Security Analytics (upgradable from RSA enVision): provides enterprise-wide visibility into network traffic and log event data to reduce attacker free time from weeks to hours.
- RSA ECAT (Enterprise Compromise Assessment Tool): detects advanced malware and enables rapid response, leveraging innovative live memory analysis.
- RSA Archer: provides business context and hence incident prioritization, and manages remediation procedures.
Planning Your Journey
(Figure: maturity level rising from Control Compliance, through IT Risk, to Business Risk; the focus shifts from technology focused to business risk focused.)
RSA ACD Services Portfolio
- NextGen SOC design and implementation
- Identity and access control
- Breach management: cyber threat intelligence, breach readiness, incident response/discovery
Impacting the attack (cyber kill chain): Establish Beachhead, Infiltration, Data Exfiltration
Copyright 2011 EMC Corporation. All rights reserved.