Advanced Persistent Threats – Coming to a Network Near You - Barry Hensley, Director, Counter Threat...
Advanced persistent threats – Coming to a network near you
Barry Hensley, Director, Counter Threat Unit
Jeff Schilling, Director, Security & Risk Consulting
Confidential
Public breaches are the tip of the iceberg…
Advanced persistent threats
A “who,” not a “what”
• Specifically targeted because you have something they want
• Will invest time and resources until they achieve the objective
• Can and will adapt until they win
Organized. Efficient. Tenacious.
Your cash, intellectual property, access credentials, intelligence and access to your infrastructure are all on someone’s wish list.
Scope of APT is bigger than you think…
APT tracking:
• ~800 hard-coded command and control IPs
• ~14,500 command and control hostnames
• ~900 actor-registered APT domain names
• ~200 unique malware families (thousands of samples)
APT methods are not limited
• Compromised numerous domain admin accounts
• Dozens of external IPs from different network address blocks and geographic locations, associated with the attacker
• Attackers deleted their tools and recovered credentials after use
• Forensic review identified attacker presence over 180 days
The victim’s network access points were distributed across multiple sites and access mechanisms, including different VPN endpoints, Virtual Desktop Infrastructure (VDI) systems, the Outlook Web Access (OWA) interface, and several Microsoft SharePoint portals.
The struggle to defend
37%
Insufficient visibility + Insufficient counter-measures = Ripe for breach
Most organizations fail to notice APT until long after compromise:
“I don’t know if I am being targeted and how.”
“I don’t know if I have been compromised.”
“I can’t stop the threat before it reaches my assets.”
“I can’t completely remove the threat’s presence and access.”
Your best defense*
Successful defense against advanced threats requires integrated threat intelligence, security operations and incident response. Each element fuels the others, maximizing your chance of thwarting the adversary.
Threat intelligence / Security operations / Incident response:
• Know your adversaries and their methods
• Detect threat activity earlier in the kill chain
• Disrupt the kill chain and stop the attack
• Eradicate actor presence and remove the threat
Dell provides your best defense
Integrated solutions that deliver exceptional protection against advanced threats.
Know your adversaries, detect their activity, disrupt the kill chain and eradicate their presence with Dell’s Advanced Threat Management solutions:
1. Counter Threat Unit Intelligence Group
2. 24 x 7 Managed Security Services
3. Incident Response Services
1. Counter Threat Unit Intelligence Group
The relentless pursuit of who and how
[Chart: CTU, AV vendors and IPS vendors plotted on two axes, Targeted–Broad and Advanced–Commodity]
Elite cyber-intelligence experts provide
• Insight into attackers and tradecraft
• “Over the horizon” threat anticipation
• Countermeasures against emerging threats
2. 24x7 Managed Security Services*
Global visibility: 7 SOCs, thousands of customers
[Diagram: Counter Threat Platform combining data, counter-measures and Counter Threat Unit intelligence; flexibility and scalability]
• Detect and respond to threats 24x7x365
• Protect against emerging threats
3. Incident response services*
Engagement phases: Assessment/identification, Containment, Root cause analysis, Forensic analysis, Data loss assessment, Reporting
• What was breached and how
• Disrupt and contain the threat
• Thoroughly eradicate and prevent re-entry
Timeline of a typical engagement (the slide marks the attack as active across it):
Day 0: Breach detected
Day 2: IT staff tries to remediate
Day 4: Seeks 3rd party help
Day 6: Engages Dell SecureWorks
Day 7: Incident Response contract in place
Day 7 + 2: Boots on the ground
Day 7 + 3: Malware analyzed, actor profiled
Day 7 + 5: Entry point and scope confirmed
Day 7 + 6: Malware and actor presence removed
Day 7 + 8: Engagement reported and lessons learned (END)
Codename “Wisconsin”
Real world APT breach at a Research Institute
February: The attack begins
• APT attacker launched two “spear-phishing” campaigns targeting “Wisconsin”
February–September: Wisconsin is breached
• Attacker gained access to Wisconsin’s network
• Established outbound communications
• Expanded access, obtained privileged credentials
• Installed persistence measures to strengthen foothold
• Exfiltrated data
September: Wisconsin sees the threat
• Administrators first noticed odd activity
• Domain Administrator account exhibited unusual behavior
Wisconsin turns to Dell for help*
October 14–17: Wisconsin reached out for help
• Contacted Dell SecureWorks
• Dell SecureWorks IR specialists arrive onsite and initiate response process
• Initial assessment reveals A/V trigger for password dump tool on a host
• Isolated all compromised systems
• Blocked related traffic at all network boundaries
• Implemented intermediate countermeasures to detect and prevent re-entry
• Infected machines cleaned and rebuilt
October 18–24: Breach confirmed and assessed
• Host forensics confirm infiltration and timeframes
• Detected compromised accounts via event correlation
• Swept environment for additional compromised systems
• Conducted data loss assessment
October 25: Threat contained and removed
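The slide says Wisconsin's first signal was a Domain Administrator account behaving unusually, and that the responders later found further compromised accounts "via event correlation". The script below is an added illustration of what that correlation can look like on logon events; it is not part of the deck and not Dell SecureWorks tooling. The event format, the account names, the hostnames, the thresholds and the privileged-account list are all constructed assumptions. It flags a privileged account that authenticates to many distinct hosts in a short window (the lateral-movement pattern of an attacker using stolen domain-admin credentials) and any non-service privileged logon outside business hours.

```python
"""Correlate logon events to spot a privileged account that is behaving unusually.

Added example, not Dell SecureWorks tooling. Event format, names, thresholds
and the privileged-account list are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of logon events: (timestamp, account, source host, logon type).
# "DA-admin" is an assumed domain-admin account; the 23:4x burst is the anomaly.
SAMPLE_EVENTS = [
    ("2011-09-12 09:02:11", "svc-backup", "BACKUP01", "service"),
    ("2011-09-12 09:15:40", "jdoe", "WS-1042", "interactive"),
    ("2011-09-12 23:41:02", "DA-admin", "WS-0211", "network"),
    ("2011-09-12 23:42:30", "DA-admin", "WS-0877", "network"),
    ("2011-09-12 23:43:05", "DA-admin", "FILESRV02", "network"),
    ("2011-09-12 23:44:51", "DA-admin", "SHAREPOINT1", "network"),
    ("2011-09-12 23:46:12", "DA-admin", "OWA01", "network"),
    ("2011-09-12 23:47:33", "DA-admin", "VPN-GW", "remote"),
    ("2011-09-13 08:30:00", "DA-admin", "ADMIN-WS", "interactive"),
    ("2011-09-13 08:31:10", "jdoe", "WS-1042", "interactive"),
]

PRIVILEGED = {"DA-admin", "svc-backup"}   # assumed list of accounts worth watching
WINDOW = timedelta(minutes=10)            # assumed burst window
HOST_THRESHOLD = 4                        # assumed distinct-host count that is abnormal
BUSINESS_HOURS = range(7, 20)             # assumed 07:00-19:59 working hours


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def correlate(events, privileged=PRIVILEGED, window=WINDOW, host_threshold=HOST_THRESHOLD):
    """Return findings as (account, kind, first_timestamp, hosts) tuples."""
    per_account = defaultdict(list)
    for ts, account, host, logon_type in events:
        per_account[account].append((parse_ts(ts), host, logon_type))

    findings = []
    for account, evs in per_account.items():
        if account not in privileged:
            continue
        evs.sort()
        # Sliding window: how many distinct hosts did this account touch within `window`?
        for i, (t0, _, _) in enumerate(evs):
            hosts = {h for t, h, _ in evs[i:] if t - t0 <= window}
            if len(hosts) >= host_threshold:
                findings.append((account, "lateral-movement-burst", t0, sorted(hosts)))
                break
        # Interactive/network/remote logons outside business hours by a privileged account.
        off_hours = [(t, h) for t, h, lt in evs
                     if t.hour not in BUSINESS_HOURS and lt != "service"]
        if off_hours:
            findings.append((account, "off-hours-logon", off_hours[0][0],
                             [h for _, h in off_hours]))
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

On the constructed data the script raises two findings, both for the assumed domain-admin account: a burst across six hosts inside ten minutes and a run of off-hours logons. Whether such rules fire at all depends on the controls the Wisconsin slide lists as missing, log retention and security event monitoring, since the events have to be collected before they can be correlated.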
Wisconsin gets the bad news
Four APT campaigns discovered in Wisconsin’s network
Malicious domain          Date of activity   Country of origin
***.edu.Freshdns.org      16 June, 2011      Vietnam
211.***.***.76            29 June, 2011      Korea
***.edu.Blankchair.com    29 June, 2011      Hong Kong
***.edu.Bcvziy.com        29 June, 2011      China
Clear evidence of communication with malicious APT domains at least since June.
(“Wisconsin” had no log data prior to June.)
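The table above is an indicator list, and the slide's point about the dating ("at least since June", because no earlier logs existed) is exactly what a sweep of retained DNS or proxy logs against such a list yields: a lower bound on how long the actor has been talking to its infrastructure. The script below is an added example of that sweep; it is not part of the deck and not Dell SecureWorks tooling. The registered domains (Freshdns.org, Blankchair.com, Bcvziy.com) are taken from the table; the hostnames under them are masked on the slide, so the sample log uses constructed names under those suffixes, and the command-and-control IP is a TEST-NET placeholder because the slide's value is masked. The log-line format is also an assumption. It matches domains label by label, so a lookalike such as freshdns.org.evil.example is not a false hit.

```python
"""Sweep DNS log lines for contact with known actor-controlled domains and C2 IPs.

Added example, not Dell SecureWorks tooling. Domain suffixes come from the slide's
table; hostnames and the C2 IP are constructed placeholders, since the slide masks
the real ones. The log format is an assumption.
"""
import ipaddress
import re

# Actor-registered domains from the slide (matched as registered-domain suffixes).
MALICIOUS_DOMAINS = {"freshdns.org", "blankchair.com", "bcvziy.com"}
# Placeholder C2 address (TEST-NET-3); the slide's 211.***.***.76 is masked.
C2_NETWORKS = [ipaddress.ip_network("203.0.113.76/32")]

# Constructed DNS log: "<timestamp> <client-ip> query <qname> -> <answer>"
SAMPLE_LOG = """\
2011-06-16 03:12:44 10.20.1.15 query www.example.org -> 93.184.216.34
2011-06-16 03:13:02 10.20.1.15 query mail.research.example -> 10.20.0.5
2011-06-29 22:05:19 10.20.4.88 query lab.edu.blankchair.com -> 203.0.113.76
2011-06-29 22:06:40 10.20.4.88 query update.windowsupdate.com -> 13.107.4.50
2011-07-02 01:44:09 10.20.7.3 query cdn.edu.bcvziy.com -> 198.51.100.23
2011-07-02 01:44:10 10.20.7.3 query freshdns.org.evil.example -> 198.51.100.99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<client>\S+) "
    r"query (?P<qname>\S+) -> (?P<answer>\S+)$"
)


def domain_matches(qname, bad_domains=MALICIOUS_DOMAINS):
    """True if qname equals, or is a subdomain of, a listed domain (label-aligned, case-insensitive)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in bad_domains for i in range(len(labels)))


def ip_matches(answer, networks=C2_NETWORKS):
    """True if the resolved answer falls inside a known C2 network."""
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:          # answer was a CNAME or garbage, not an address
        return False
    return any(addr in net for net in networks)


def sweep(log_text):
    """Return one dict per log line that touched an indicator, with the reasons."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = []
        if domain_matches(m["qname"]):
            reasons.append("actor-domain")
        if ip_matches(m["answer"]):
            reasons.append("c2-ip")
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"], "qname": m["qname"],
                         "answer": m["answer"], "reasons": reasons})
    return hits


def earliest_contact(hits):
    """Earliest matching timestamp: a lower bound on actor presence, limited by log retention."""
    return min((h["ts"] for h in hits), default=None)


if __name__ == "__main__":
    found = sweep(SAMPLE_LOG)
    for h in found:
        print(h)
    print("earliest contact in retained logs:", earliest_contact(found))
```

The earliest timestamp the sweep returns is only as old as the retained logs, which is the slide's caveat in code: with nothing kept before June, "since June" is the best the evidence can say, not the start of the intrusion.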
Wisconsin’s lessons learned
Wisconsin’s Security Management did not take the threat of APT seriously and lacked even basic security controls:
• No dual administrator accounts
• No network-based intrusion detection or prevention systems
• No log retention system
• No security event monitoring and analysis
• Poor segregation for sensitive systems
Now on path to
• Customer brought in new security management
• Working with Dell to implement proper controls and develop a good IR plan
Session Evaluation Survey
Please help Dell meet your needs by filling out the Session Evaluation Surveys.
On the Dell World app:
1. Select My Schedule
2. Select session to evaluate
3. Select Surveys
4. Select survey title
5. Simply complete the survey
Or on paper: forms in room; turn in on the way out.