Post on 15-Apr-2017
The Threat Landscape
and
Network Security Measures
Carl B. Forkner
February 1, 2016
Table of Contents
• Key Terms
• The Threat Landscape
• Network Security Overview
• Evolving and Future Threats
The Threat Landscape
Key Terms – Threat Landscape
• APT. An advanced persistent threat (APT) is a network attack in which an
unauthorized person gains access to a network and stays there undetected
for a long period of time.
• Bot. An Internet bot, also known as web robot, WWW robot or simply bot, is
a software application that runs automated tasks over the Internet.
• Botnet. A botnet is a number of Internet computers that, although their
owners are unaware of it, have been set up to forward transmissions
(including spam or viruses) to other computers on the Internet.
• Drive-by. A drive-by download refers to the unintentional download of a virus
or malicious software (malware) onto your computer or mobile device.
Key Terms – Threat Landscape
• Exploit. A piece of software, a segment of data, or a sequence of commands that takes advantage of a vulnerability.
• IP/PII.
– IP stands for Internet Protocol, or the address commonly used to identify the origin of an Internet transmission, i.e. your device.
– PII stands for Personally Identifiable Information, sometimes referred to as “Personal Information,” and is often equated in the U.S. with “Privacy Act Information.”
• Malvertising. This is the use of online advertising to spread malware.
• Phishing. Phishing is an e-mail fraud method in which the perpetrator sends out
legitimate-looking email in an attempt to gather personal and financial information from
recipients.
Key Terms – Threat Landscape
• Malware. Malware is a category of malicious code that includes viruses, worms, and Trojan horses.
– Virus. A computer virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are man-made.
– Worm. Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage.
– Trojan. A Trojan [horse] is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage.
• Vulnerability. In cybersecurity, vulnerability refers to a flaw in a system that can leave it open to attack.
• Watering Hole. The watering hole attack vector targets specific groups by infecting frequently visited websites with malware.
The Threat Landscape
• The crime:
– Motive, means, & opportunity
• The technology explosion and a dynamic environment
– The changing face of threat vectors
The Network Security Battle of Minds
• Hacker Economy and Threats versus Network Security Measures
Who are the Adversaries?
• Previously
– Attention seekers
– Many independent operators
• New breed of attackers
– Hacktivists
– Profit-driven organizations
– Rival corporations
– Rival political nations
Ranking Adversaries
• Ranked by threat level, in the order shown on the slide:
– User Error: Users making mistakes with configurations which may bring down critical resources.
– Opportunistic Hacker: These attackers are usually script kiddies driven by notoriety.
– Insider Threat: Attackers are typically disgruntled employees or ex-employees.
– Hacktivists: Attackers with a political agenda who want to raise awareness of it.
– Organized Crime: Mass attacks driven by profits.
– Government Sponsored: Targeted attacks, and well funded.
What are they after?
• IP
• Credit Cards & Bank info
• PII – Identity Theft
• Shutting down competition
• Being the next Wikileaks
• Pure profit
• Sabotage
The Threat Landscape
• Some Major Victims of Network Attacks:
The Threat Landscape
• Threat Timeline Fall 2013 – Summer 2014
Organizational Hacking is Rewarding
• Education, training, tech support
• Storefront for hacking tools and zero-day exploits/vulnerability information
• Sophisticated organization
• Backed by governments
• Supported by currencies like Bitcoin
• Obscured through anonymous networks like TOR
Anatomy of an Attack ‒ The Hacker’s Point of View
• Planning (“Sub-Zero” phase): define target; research target; build or acquire tools; test tools against detection
• Initial intrusion – getting in: obtain credentials; strengthen footprint
• Initial intrusion – getting out: outbound communication initiated; exfiltration of data
• Survive / keep safe: evade law enforcement and defensive measures
Hacker Tools
• 2 main categories:
– Social Engineering – The Techniques
– Malware – The Tools
The Tactics of Social Engineering
• Spoofing
• Phishing
• Spearphishing
• Watering-hole attacks
• Phone calls/impersonation
• Malvertising
• Social Media links
Known Viruses still a threat
• Why are the old threats still working?
– Unpatched systems
– Old OS versions
– AV/AM signatures not up to date
– SMBs (small and medium-sized businesses), small agencies, and partnerships lack security spending but still have network access
Kill Chain of an Advanced Attack
• Spam → Malicious Email → Malicious Link → Malicious Web Site → Exploit → Malware → Command & Control Center → Bot Commands & Stolen Data
• How each stage gets past a single control (annotations from the slide diagram):
– Spam / malicious email: bots leverage legitimate IPs to pass filters; social engineering fools the recipient
– Malicious link / web site: fast flux stays ahead of web ratings
– Exploit: zero-days pass IPS
– Malware: compression passes static inspection
– Command & Control: encrypted communication passes controls
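As an added example (not code from the original slides, and not any vendor’s product), here is how a defender uses this chain: alerts from the kinds of controls the diagram names are mapped to the stage each one watches and correlated per host, so that the deepest stage reached, whether any control actually broke the chain, and the “silent” stage where an evasion left no alert (a zero-day passing the IPS, say) all become visible. The same logic serves the two “Breaking the Chain” lifecycle slides further down. The control names (antispam, web_filter, ips, sandbox, egress_proxy, dlp, and so on), host names, timestamps and alert lines are constructed for illustration.

```python
"""Correlating alerts from different controls along the kill chain.

Added example, not code from the original slides. The stage names follow
the kill chain on the slide; the control names, host names and alert lines
are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# The chain in order. An attack has to get through every stage, so a block
# at any one of them breaks the chain.
STAGES = [
    "spam", "malicious_email", "malicious_link", "malicious_website",
    "exploit", "malware", "command_and_control", "stolen_data",
]
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

# Which (constructed) control watches which stage.
CONTROL_STAGE = {
    "antispam": "spam",
    "mail_gateway": "malicious_email",
    "web_filter": "malicious_link",
    "web_ratings": "malicious_website",
    "ips": "exploit",
    "sandbox": "malware",
    "av": "malware",
    "egress_proxy": "command_and_control",
    "dlp": "stolen_data",
}

# Constructed alert log: "<ts> <control> <host> <action>", where action is
# "blocked" (the control stopped it) or "alerted" (it only reported it).
ALERT_LOG = """\
2014-05-12T08:01:00Z antispam ws-0421 alerted
2014-05-12T08:01:30Z mail_gateway ws-0421 alerted
2014-05-12T08:03:10Z web_filter ws-0421 alerted
2014-05-12T08:03:11Z web_ratings ws-0421 alerted
2014-05-12T08:03:40Z sandbox ws-0421 alerted
2014-05-12T08:10:00Z egress_proxy ws-0421 alerted
2014-05-12T08:01:05Z antispam ws-0118 alerted
2014-05-12T08:02:00Z mail_gateway ws-0118 alerted
2014-05-12T08:04:00Z web_filter ws-0118 blocked
2014-05-12T08:05:00Z av ws-0777 blocked
2014-05-12T08:06:00Z unknown_box ws-0777 alerted
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    control: str
    stage: str
    action: str


def parse_alerts(text):
    """Turn log lines into Alerts; lines from unknown controls are dropped."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, control, host, action = parts
        stage = CONTROL_STAGE.get(control)
        if stage is None or action not in ("blocked", "alerted"):
            continue  # unknown control or action: do not guess a stage
        alerts.append(Alert(ts, host, control, stage, action))
    return alerts


def assess(alerts):
    """Per host: deepest stage seen, whether any control broke the chain, and
    the 'silent' stages between the first and deepest observation where no
    control reported anything (the stage an evasion slipped through)."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    report = {}
    for host, items in by_host.items():
        seen = sorted({STAGE_INDEX[a.stage] for a in items})
        first, deepest = seen[0], seen[-1]
        broken = any(a.action == "blocked" for a in items)
        silent = [STAGES[i] for i in range(first, deepest) if i not in seen]
        if broken:
            priority = "contained"
        elif deepest >= STAGE_INDEX["command_and_control"]:
            priority = "critical"  # reached C&C with nothing in the way
        else:
            priority = "investigate"
        report[host] = {
            "deepest_stage": STAGES[deepest],
            "chain_broken": broken,
            "silent_stages": silent,
            "priority": priority,
        }
    return report


if __name__ == "__main__":
    for host, result in sorted(assess(parse_alerts(ALERT_LOG)).items()):
        print(host, result)
```

The priority rule is deliberately simple: a host where any control blocked something is contained, a host that reached command and control with nothing blocking it is critical, and the silent_stages list points at the control the chain slipped past (for ws-0421 in the constructed log, the exploit stage, i.e. the IPS).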
What are Advanced Persistent Threats?
• Advanced Persistent Threats (APT):
– Advanced – Using organized methods, advanced malware, and newly bought tools that are constantly being developed
– Persistent – Patient. Using more social engineering combined with malware and code. Can be very hard to detect, with the expectation of a higher payout.
– Threats – Designed to attack deliberately chosen targets. Credit card info is cheap on the open market; now it’s about business disruption, massive identity theft, IP theft, and spying.
The Advanced Threat Lifecycle – The Threat
• Phases numbered 1–4 in the slide diagram:
– Manufacturing/Recon: scan for vulnerabilities; design phishing emails; customize malware, etc.
– Threat Vector → Infection
– Communication: hide, disarm; spread, move, morph; dial home, update; recruit; gather targeted data
– Extraction: package; encrypt; stage
– Command & Control
– ….and more
Network Security Measures
What is Security Intelligence?
• Security intelligence represents knowledge of the identity,
capabilities, and intentions of adversaries engaged in espionage,
sabotage, or theft online.
– Operational (indicators of compromise)
– Tactical (understanding tools, techniques)
– Strategic (understanding who, their intentions, and capabilities)
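As an added example (not code from the slides), the operational level above is the one that turns into detection logic most directly: a feed of indicators of compromise matched against traffic logs, with the hits rolled up by campaign as a first step toward the tactical and strategic views. The indicator values, campaign labels, host names and log lines are constructed; the IP addresses come from the IETF documentation ranges and the domain names use the reserved .invalid and .test suffixes.

```python
"""Operational security intelligence in practice: matching indicators of
compromise (IoCs) against a proxy/download log.

Added example, not code from the original slides. Every value below is
constructed: the IoC feed, the log lines, the host names, the campaign
labels, the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses
(IETF documentation ranges) and the .invalid / .test domains.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed IoC feed, one indicator per line: "<type>,<value>,<campaign>"
IOC_FEED = """\
domain,update-cdn.example.invalid,constructed-campaign-a
ipv4,192.0.2.77,constructed-campaign-a
sha256,deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef,constructed-campaign-b
"""

# Constructed proxy log: "<ts> <src_host> <dst_host> <dst_ip> <sha256 of download or ->"
PROXY_LOG = """\
2016-02-01T09:14:02Z ws-0421 www.example.com 198.51.100.10 -
2016-02-01T09:15:11Z ws-0421 cdn.update-cdn.example.invalid 192.0.2.77 DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
2016-02-01T09:16:40Z ws-0118 mail.example.com 198.51.100.25 -
2016-02-01T09:17:03Z ws-0118 update-cdn.example.invalid.evil.test 203.0.113.5 -
garbage line that does not parse
"""


@dataclass(frozen=True)
class Indicator:
    kind: str      # "domain", "ipv4" or "sha256"
    value: str     # normalised to lower case
    campaign: str


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src_host: str
    indicator: Indicator
    observed: str  # the log field that matched


def load_feed(text):
    """Parse the feed, normalise values and reject malformed indicators."""
    indicators = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, campaign = line.split(",", 2)
        value = value.strip().lower()
        if kind == "ipv4":
            ipaddress.IPv4Address(value)  # raises ValueError on a bad feed entry
        elif kind == "sha256" and not re.fullmatch(r"[0-9a-f]{64}", value):
            raise ValueError(f"bad sha256 indicator: {value}")
        indicators.append(Indicator(kind, value, campaign.strip()))
    return indicators


def domain_matches(observed, indicator_domain):
    """True when observed equals the indicator or is a subdomain of it.
    A plain substring test would also flag unrelated names that merely
    contain the indicator, so match on label boundaries only."""
    observed = observed.lower().rstrip(".")
    return observed == indicator_domain or observed.endswith("." + indicator_domain)


LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def match_log(log_text, indicators):
    """Return one Hit per (log line, indicator) pair that matches."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts, src, dst_host, dst_ip, digest = m.groups()
        for ioc in indicators:
            if ioc.kind == "domain" and domain_matches(dst_host, ioc.value):
                hits.append(Hit(ts, src, ioc, dst_host))
            elif ioc.kind == "ipv4" and dst_ip == ioc.value:
                hits.append(Hit(ts, src, ioc, dst_ip))
            elif ioc.kind == "sha256" and digest != "-" and digest.lower() == ioc.value:
                hits.append(Hit(ts, src, ioc, digest))
    return hits


def hosts_by_campaign(hits):
    """Roll the operational hits up one level: which hosts touched which campaign."""
    summary = {}
    for h in hits:
        summary.setdefault(h.indicator.campaign, set()).add(h.src_host)
    return {campaign: sorted(hosts) for campaign, hosts in summary.items()}


if __name__ == "__main__":
    found = match_log(PROXY_LOG, load_feed(IOC_FEED))
    for h in found:
        print(h.timestamp, h.src_host, h.indicator.kind, h.observed, h.indicator.campaign)
    print(hosts_by_campaign(found))
```

Two details matter in practice: domains are matched on label boundaries, so update-cdn.example.invalid.evil.test does not match the indicator it merely contains, and malformed indicators are rejected when the feed is loaded rather than silently never matching anything.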
Key Terms – Security Measures
• Application Control. Protects managed desktops and servers by allowing or denying
network application usage based on policies established by the network administrator.
• ATP. Advanced Threat Protection (ATP) relies on multiple types of security technologies, products, and research, each performing a different role but working seamlessly together, to combat advanced attacks from the network core through to the end-user device.
• AV/AM. Anti-virus/Anti-malware (AV/AM) provides protection against virus, spyware,
and other types of malware attacks in web, email, and file transfer traffic.
• IPS. Intrusion Prevention System (IPS) protects networks from threats by blocking
attacks that might otherwise take advantage of network vulnerabilities and unpatched
systems.
Key Terms – Security Measures
• NGFW. Next Generation Firewall (NGFW) provides multi-layered capabilities in a
single firewall appliance instead of a basic firewall and numerous add-on appliances.
• Sandboxing. Sandboxing refers to the process of analyzing files in a contained
environment to identify previously unknown threats and uncovering the full attack
lifecycle.
• UTM. Unified Threat Management (UTM) provides administrators the ability to monitor
and manage multiple, complex security-related applications and infrastructure
components through a single management console.
• Web Filtering. Web Filtering technology gives you the option to explicitly allow web
sites, or to pass web traffic uninspected both to and from known-good web sites in
order to accelerate traffic flows.
Infrastructure Evolution
• From closed networks to a global information grid
• From governments & corporations to housewives & children
• Years marked on the slide timeline: 1967, 1970, 1976, 1985, 1991, 1995, 1999, 2000, 2002, 2004, 2007, 2013-14
The Importance of Network Security
• What is Modern Network Security?
– User-friendly, but threat-unfriendly
– Unique…just like everyone else
– Maintaining balance, relevance, and Unified Threat Management (UTM)
• Slide diagram, Legacy Systems vs. UTM: on the legacy side, separate VPN, IPS, Firewall, AV/AM, Anti-Spam and URL Filters components sit between Users and Servers; on the UTM side, a single UTM sits between Users and Servers.
The Advanced Threat Lifecycle – Breaking the Chain Pt 1
• Same lifecycle diagram as on the “The Advanced Threat Lifecycle – The Threat” slide (Manufacturing/Recon; Threat Vector → Infection; Communication; Extraction; Command & Control).
The Advanced Threat Lifecycle – Breaking the Chain Pt 2
• Same lifecycle diagram as above.
Advanced Threats
• Hackers:
– Experience + Resources = Increased Threats
• Advanced Threat Protection
• Advanced Threats & Network Security: Continuing Evolution…