Transcript of: Advanced Persistent Threats (govmu.org presentation, APT.pdf)
1 © Copyright 2011 EMC Corporation. All rights reserved.
Advanced Persistent Threats
Craig Harwood
Channel Manager – SADC and Indian Ocean Islands
Agenda
• Introduction
• Today's threat landscape
• What is an Advanced Persistent Threat
• How are these crimes perpetrated
• Why traditional security measures alone are no longer effective
• Why security management and compliance are so important
• Solutions and technologies to help YOU!
The Hyperextended Enterprise: expanding entities, explosive information growth, increased regulation
[Diagram labels, entities] Enterprise HQ, Remote Offices, Mobile Workers, Telecommuters, Consumers, Supply Chain & Collaboration Partners, Retail Stores, Distribution Centers, Service Provider Virtualization, Cloud Computing & other ISPs
[Diagram labels, threats] Hijacks, Data Theft, Application Hacking, Cookies, Screen Scraping, Identity Theft, Privacy, Viruses, Worms, P2P, Content Piracy, SPAM, Solicitation, Cyber Attacks on Apps. & Infrastructure, Industrial Espionage, Extortion, Service Theft, Spoofing, BOTNETS, Phishing
Threats are Everywhere…
The Attacking Community is Professionalizing
[Diagram labels, threat actors and their targets]
• Governments (organized, sophisticated): PII, Government, Defense, Industrial Base, IP Rich Enterprises
• Organized Crime: supply chains (PII, Financial Services, Retail)
• "Hacktivists" (anti-establishment vigilantes): targets of opportunity
• Terrorists: PII, Government, Critical Infrastructure
Between 2006 and 2010 there was a 660% increase in cyber incidents reported from Government Agencies.
In 2010, 88% of the Global 500 had BOTNET activity associated with their domains.
Sources: Government Accountability Office and Time Magazine, July 2011; RSA Security Brief, February 2011, "Malware and the Enterprise"
What are we facing?
• Well organized, well funded entities with a specific set of Collection Requirements (CRs) that may be controlled by a government or criminal entity
• CRs could be anything from military secrets to source code to pharmaceutical intellectual property to documentation about critical infrastructure
Advanced Persistent Threat (APT)
• "Targeted computer attacks by government agencies, cyber criminals, terrorists and/or individuals with the intent of stealing intellectual property, trade secrets or other political/economical motivation."
Advanced Persistent Threats: The New Norm
Of companies…
• 83% believe that they have been the victim of an advanced threat
• 71% have seen an increase in advanced threats in the last 12 months
• 65% believe they have insufficient resources to prevent advanced threats
Of advanced persistent threats…
• 51% result in IT downtime
• 45% result in the theft of intellectual property
• 44% result in the theft of confidential or sensitive information
• 18 months of high-profile sophisticated cyber attacks; pandemic levels, not a passing fad
• Advanced Persistent Threats have moved from the realm of the military to the mainstream
• Highly targeted, well researched and well funded
• Moving beyond credit card data to intellectual property
• Multiple vectors: social engineering, zero-day vulnerabilities, application-layer exploits, etc.
• The primary attack vector has shifted from technology to people
It is now not a question of IF but WHEN you are attacked…
…but more importantly will you notice, and can you react?
Source: Ponemon Institute Survey "Growing Risk of Advanced Threats"
The Age of Advanced Persistent Threats
Advanced Persistent Threats: sophisticated attacks and well resourced adversaries
[Diagram labels] Who: Nation State Actors, Cyber Criminals, Foreign Nationals, Non-Nation State Sub Contractors, Third Countries
[Diagram labels] How: Open Source Intelligence Collection, Black Markets, Supply Chain Tampering
Tactics, Techniques and Procedures (TTPs)
• There are typically precursors to APT attacks. Knowing the TTPs used by threat actors can give an organization a jump start on defending the network.
• The following are the steps used by APT threat actors when staging attacks. This is referred to as the APT "kill chain":
– Open Source Collection
– Malware and toolkit creation
– Delivery of malware
– Exploitation
– Command and Control communications (C2 beaconing)
– Exfiltration
Open source collection TTP
• Identify high value programs, technology and people
– Threat actors will use open source data to research their targets.
– There is a surprising amount of information freely available
– Clean documents are harvested from Internet sources
– A company's public website
– News stories (CNN, FOX News, etc.)
– Relationships are researched which can be leveraged in an attack
Malware and toolkit creation
• The act of placing a malicious payload inside the delivery mechanism (e.g. a DOC or PDF file)
– APT actors use a variety of custom toolkits to create malware
– Metasploit modules bring toolkits to a larger audience
– Link based attacks are on the rise and much harder to detect
Delivery methods
• Threat actors will utilize intelligence gathered from their collections to target specific users. Emails will typically contain a link or attachment that entices the recipient. The malware is sophisticated and will evade most standard COTS software.
• Other server side attacks have also been observed, such as SQL injection
• "Water holing" (watering hole attacks) is another popular technique
Exploitation
• Threat actors will attempt to exploit a system using specially crafted malware. The main goal is to compromise the target asset, which gives the attacker access to the system.
• This is a key phase of the attack: if exploitation is successful, the machine is compromised
– Tendency toward multi-stage exploits
– Shellcode is delivered which in turn downloads & executes other malware
– Exploitation depends on the vulnerability, proper execution and compatibility
Command and Control Communications (C2)
• C2 communication is established once the target system can communicate with the threat actor's infrastructure. Attackers could then perform the following:
– Tool dropping
– System enumeration
– Lateral movement
– Credential harvesting
Exfiltration
• Once the threat actor locates the data they are after, they will usually compress the data and send it out:
– Intellectual Property
– PII
– Government Data
Importance of knowing these TTPs
• These APT TTPs are commonly known in the security world as the "Kill Chain":
Reconnaissance → Weaponization → Delivery → Installation & Exploitation → Command & Control → Exfiltration
The Anatomy of an Attack
[Timeline diagram, attacker track, labels in approximate order] Attack Forecast → Target Analysis → Attack Set-up → Attack Begins → Probe → System Intrusion → Leap Frog Attacks → Attacker Surveillance → Discovery / Persistence → Maintain foothold → Cover-up Starts → Cover-up Complete → Access Complete
[Timeline diagram, defender track, labels in approximate order] Physical Security → Monitoring & Controls → Attack Identified → Incident Reporting → Threat Analysis → Impact Analysis → Response → System Reaction → Damage Identification → Containment & eradication → Recovery
ATTACKER FREE TIME (from Attack Begins until Defender discovery)
Need to ID attack precursors
Need to collapse attacker free time
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)
What Can You Do About APTs?
• Focus is on breaking the kill chain before exfiltration
• Development of a proactive approach to the detection of APTs
• Understanding the methodologies used by attackers allows organizations to select safeguards and security controls to counter the threat.
Customer breached by hackers, APTs or malicious code
Traditional Security is Not Working
• 99% of breaches led to compromise within "days" or less, with 85% leading to data exfiltration in the same time
• 85% of breaches took "weeks" or more to discover
Source: Verizon 2012 Data Breach Investigations Report
Transforming Security: address the pervasiveness of dynamic, focused adversaries
• Advanced Security: close the risk gap, deliver new intelligence, enable agility
• Traditional Security: signature-based, perimeter oriented, compliance driven
• Advanced Threat: agile, definitive, intelligent
Security Paradigm Shift
– 'Shift from a perimeter-based security model to an intelligence-based model.'
• Risk-Based
• Agile
• Contextual
• Information Sharing – peers, government, etc.
– Intel cannot just be gathered internally; it also needs to come from external sources
• Pattern Recognition
• Predictive
• Big-Data Analytics
Today's tools need to adapt
• Today's tools need to be able to detect and investigate:
– Lateral movement of threats as they gain a foothold
– Covert characteristics of attack tools, techniques & procedures
– Exfiltration or sabotage of critical data
• Today's tools need to be able to scale:
– To collect and store the volume and diversity of data required
– To provide analytic tools to support security work streams
– Time to respond is critical in a breach situation, and SIEM often falls short
Integrated Advanced Security
[Diagram labels] BUSINESS DRIVERS; CONTROLS; PROTECT AND DEFEND: Identities, Information, Infrastructure; Update controls; POLICIES AND PROCESSES / DEFINE POLICIES; GOVERNANCE, RISK AND COMPLIANCE MANAGEMENT DASHBOARD; DETECT, INVESTIGATE, REMEDIATE; Monitor; Manage Governance, Risk and Compliance
(The threat-landscape diagram from the "Hyperextended Enterprise" slide is repeated in the background.)
SIEM has been a good start
• SIEM can provide:
– Valuable reporting on device and application activity
– Basic alerting on known sequences (i.e. basic correlation)
– Proof of compliance for internal and external auditors
– Central view into disparate event sources being collected
In today's world…
• Threats are multi-faceted, dynamic and stealthy
• The most dangerous attacks have never been seen before
• Threats often don't leave a footprint in logs
What is RSA Security Analytics?
• RSA Security Analytics is RSA's platform for:
– Security monitoring
– Incident investigation
– Malware analytics
– Log compliance reporting
• It is the cornerstone of RSA's Security Management & Big Data strategy
– Going beyond enVision and NetWitness: a new approach to security operations
• RSA Security Analytics is the convergence of enVision/SIEM with NetWitness high speed analytics and forensics
Suspect Attack Scenario
1. Spike in suspect network traffic: an IP address shows multiple RDP connections tunneled over a non-standard port
2. Authorized user logged in to AD: AD logs show the user logged in from the suspect IP with authorized credentials
3. Different user logged into VPN from the same IP: VPN logs show a different set of authorized credentials used to log into the VPN
4. Data exfiltration: encrypted ZIP file transferred out to the Internet via an FTP server
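As an added example (not part of the original deck and not RSA product code), the four steps of the scenario above written as detection logic over constructed flow, AD and VPN records; the record layouts, the 10/8 internal range, the 3389 baseline and the fan-out threshold are assumptions:

```python
from collections import defaultdict

# Constructed sample records, not from a real environment.
NETFLOW = [  # (src_ip, dst_ip, dst_port, identified_protocol)
    ("10.1.1.50", "10.1.2.7", 8443, "rdp"),
    ("10.1.1.50", "10.1.2.9", 8443, "rdp"),
    ("10.1.1.50", "10.1.2.11", 8443, "rdp"),
    ("10.1.1.60", "10.1.2.7", 3389, "rdp"),  # normal RDP on its usual port
]
AD_LOGONS = [("jsmith", "10.1.1.50"), ("bwayne", "10.1.1.60")]   # (user, src_ip)
VPN_LOGONS = [("rcooper", "10.1.1.50"), ("bwayne", "10.1.1.60")]  # (user, src_ip)
TRANSFERS = [  # (src_ip, dst_ip, protocol, filename, encrypted?)
    ("10.1.1.50", "203.0.113.8", "ftp", "designs.zip", True),
    ("10.1.1.60", "10.1.5.2", "ftp", "backup.zip", True),  # stays internal
]
STANDARD_RDP_PORT, MIN_RDP_TARGETS, INTERNAL_PREFIX = 3389, 2, "10."  # assumed

def rdp_on_nonstandard_port(flows):
    """Step 1: sources whose RDP-identified traffic avoids 3389 and fans out
    to at least MIN_RDP_TARGETS hosts (one odd port alone is likely noise)."""
    targets = defaultdict(set)
    for src, dst, port, proto in flows:
        if proto == "rdp" and port != STANDARD_RDP_PORT:
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= MIN_RDP_TARGETS}

def credential_mismatch(ad_logons, vpn_logons):
    """Steps 2-3: source IPs that authenticated to AD and to the VPN as
    different users; both credential sets are valid, only the pairing is odd."""
    ad, vpn = defaultdict(set), defaultdict(set)
    for user, ip in ad_logons:
        ad[ip].add(user)
    for user, ip in vpn_logons:
        vpn[ip].add(user)
    return {ip for ip in ad if ip in vpn and ad[ip].isdisjoint(vpn[ip])}

def encrypted_archive_exfil(transfers):
    """Step 4: encrypted ZIP archives sent over FTP to a non-internal host."""
    return {src for src, dst, proto, name, enc in transfers
            if proto == "ftp" and enc and name.lower().endswith(".zip")
            and not dst.startswith(INTERNAL_PREFIX)}

def suspect_hosts(flows, ad_logons, vpn_logons, transfers):
    """Hosts that satisfy every step; each step alone is ambiguous, the
    conjunction is what makes the alert worth an analyst's time."""
    return (rdp_on_nonstandard_port(flows)
            & credential_mismatch(ad_logons, vpn_logons)
            & encrypted_archive_exfil(transfers))
```

Each function also works on its own as one of the "attack step" rows in the comparison table that follows; `suspect_hosts` is the cross-source correlation the slide says a log-only SIEM cannot reconstruct.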
Only RSA Security Analytics can tell you the impact of the attack

Attack Step                                                   Traditional SIEM   RSA Security Analytics
Alert for RDP tunneled over non-standard port                 No                 Yes
Recreate activity of suspect IP address across environment    No                 Yes
Show user activity across AD and VPN                          Yes                Yes
Alert for different credentials used for AD and VPN           Yes                Yes
Reconstruct exfiltrated data                                  No                 Yes
Investigation Scenario
1. Find workstation acting as SPAM host: multiple outbound SMTP connections from the workstation; multiple Internet DNS connections from the workstation
2. Find out how the workstation got infected: the user clicked on a link and got infected by a Trojan from a drive-by download
3. Recreate the phishing e-mail message: determine whether a targeted phishing attack is at play
4. Analyze malware: determine whether targeted or vanilla malware is in use
Only RSA Security Analytics can tell if this is a targeted attack

Attack Step                                                   Traditional SIEM   RSA Security Analytics
Alert for suspected SPAM host                                 Yes                Yes
Show all WWW requests where executable downloaded             No                 Yes
Recreate email with suspect link                              No                 Yes
Analyze malware and incorporate community intelligence        No                 Yes
Determine whether attack is part of a targeted campaign       No                 Yes
Separating "Bad" from "Good" is Increasingly Difficult
• Understand what "bad" looks like and look for similarities (= BAD):
– Antivirus
– Intrusion Prevention Systems
– Thresholds exceeded
• Understand what "good" looks like and look for meaningful differences (= BAD):
– Network analysis and baselining
– Anomaly detection
– Predictive failure analysis
Key Point: Increasingly sophisticated models of both "good" and "bad" are needed. Better models require more data and analytics.
Security Analytics Methodology: Ripping away the hay with automated queries
Start with all network traffic and logs, then:
• ALERT ME for sessions to/from critical assets
• SHOW ME files where file type does not match extension
• SHOW ME all downloads of executable content (pdf, doc, exe, xls, jar etc.)
No SIEM will let you do this!
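The two SHOW ME queries above, written out as an added example (not code from the deck or from RSA Security Analytics); the byte signatures are the well-known ones for the listed formats, the "executable content" type set and the extension table are assumptions, and the sample downloads are constructed:

```python
# Well-known leading bytes for the file types the slide names.
MAGIC = {
    b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc/.xls container
    b"PK\x03\x04": "zip",                         # also .docx/.xlsx/.jar
    b"MZ": "exe",                                 # Windows PE
    b"\x7fELF": "elf",
}
# What each extension claims to be; extensions absent here count as unknown.
EXT_TO_TYPE = {"pdf": "pdf", "doc": "ole2", "xls": "ole2", "docx": "zip",
               "xlsx": "zip", "jar": "zip", "zip": "zip", "exe": "exe"}
# "Executable content" per the slide (pdf, doc, exe, xls, jar etc.); assumed set.
EXECUTABLE_TYPES = {"pdf", "ole2", "zip", "exe", "elf"}

def sniff_type(data):
    """Type implied by the first bytes of the body, or None if not recognised."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return None

def type_mismatch(name, data):
    """Query 'file type does not match extension': (claimed, actual) when both
    are known and disagree, otherwise None."""
    claimed = EXT_TO_TYPE.get(name.rsplit(".", 1)[-1].lower())
    actual = sniff_type(data)
    return (claimed, actual) if claimed and actual and claimed != actual else None

def mismatched_downloads(downloads):
    """Run the mismatch query over (filename, body) pairs."""
    found = {}
    for name, data in downloads:
        verdict = type_mismatch(name, data)
        if verdict:
            found[name] = verdict
    return found

def executable_downloads(downloads):
    """Query 'all downloads of executable content', judged by the bytes rather
    than the name, so a renamed binary is still listed."""
    return [name for name, data in downloads if sniff_type(data) in EXECUTABLE_TYPES]

# Constructed sample downloads: (filename, leading bytes of the body).
SAMPLES = [
    ("quarterly-report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),  # PE renamed to .pdf
    ("brief.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("notes.txt", b"meeting moved to 3pm"),
    ("photo.jpg", b"\x7fELF\x02\x01\x01\x00"),  # ELF as .jpg: only the 2nd query sees it
]
```

The renamed ELF shows why the slide lists both queries: an extension outside the table gives the mismatch query nothing to compare, while the content-based query still surfaces it.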