Advanced Threat Protection with
Dell SecureWorks Security Services
Copyright © 2012 Dell SecureWorks Page 1
Table of Contents
Summary (page 2)
Commodity Threats vs. Advanced Threats (page 3)
The “who,” “why” and “how” behind Advanced Threats (page 4)
    Who are they? (page 4)
    Why are they doing this? (page 4)
    How do they operate? (page 4)
    Tools of the Trade (page 5)
Ask the right questions of your security operation (page 7)
Creating an effective security strategy (page 8)
    Addressing the Stages of an Advanced Threat (page 8)
    Defense-in-Depth (page 10)
    Testing (page 11)
    Security Awareness (page 11)
How Dell SecureWorks Can Help (page 13)
    Intelligence, Operations, Visibility and Response Capabilities (page 14)
    Testing and Security Awareness (page 15)
    About Dell SecureWorks (page 16)
Summary
Across the corporate landscape, IT security organizations are fighting a battle of 1s and 0s. In other
words, security professionals are relying on technology such as firewalls, Intrusion Detection Systems,
Intrusion Prevention Systems and the like to protect their environments from a range of cyberthreats.
In the government sector, security experts are fighting a battle to identify and stop the actors behind
the host of malware and other malicious tools that are hitting our government and corporate
networks.
In fact, sophisticated and unsophisticated actors share many of the same tools. Looking only at the
malware would therefore lead one to believe that all threats are created equal when, in fact, they are
very different. For these and other reasons, the threat your organization faces must be understood on
the basis of the actors, their motives and the processes they employ.
This paper distinguishes and discusses the various types of advanced threats, the actors, their motives
and processes, and provides a roadmap for enhancing your security posture to better detect and
resist advanced threats, including Advanced Persistent Threats (APT). The roadmap includes
information on how Dell SecureWorks’ services can help you protect against and resist Advanced
Threats across the cyber landscape.
Commodity Threats vs. Advanced Threats
Commodity Threats
A “Commodity” Threat represents a non-targeted or broad-based attack to gain access to networks,
systems and assets, through the use of common hacker and malware tools and techniques widely
available across the Internet. These threats may be automated and are intended to cast a wide net
across many organizations in order to detect and exploit a vulnerability. Generally, commodity threat
actors lack the prowess and resources associated with Advanced Threat actors.
Computer and network security controls are commonly focused on detecting specific malware,
known-bad network traffic and other patterns that can be codified into signatures. These controls
work against commodity threats because many such threats are deployed en masse, with the actor
hoping to gain access across a large spectrum of organizations that hold a specific type of resource.
By the time these Commodity Threats reach the majority of the population, they are likely to have
been observed and had signatures developed for their detection. Examples include bot malware that
can use the army of infected systems for spam proxies, denial of service attacks, password cracking
and other exploits. In these cases, a large population of compromised systems is useful. Another
common example is banking Trojans that seek to infect large numbers of systems to collect
credentials that may allow the actors to access victims’ financial accounts.
Commodity Threats such as these are generally focused on a class of target or information type, but
not necessarily on a specific individual or system. If security controls make obtaining the resource
even slightly difficult, many adversaries will not expend the effort to make adjustments to overcome
the particular victim or site’s security controls. In these cases, the adversaries are satisfied to abandon
the target and instead focus on assets they can acquire from targets with inadequate protections. Even
in the case of slightly more targeted attacks, a reasonably secured environment may cause the
adversary to move on to another equally appealing computer to host their malware or another victim
with a bank account from which they can extract funds.
Advanced Threats
An “Advanced Threat,” in simplest terms, is a targeted exploit. Advanced threat actors have deliberately
selected an organization and are mounting offensives to penetrate security defenses and gain access
to the assets of the targeted organization. The actors behind these threats are driven by specific
motives and objectives which include financial gain, competitive advantage, intelligence collection,
intellectual property theft, and embarrassment or harm to your organization as in the case of
hacktivists. An Advanced Persistent Threat represents the most organized, sophisticated and
committed threat among Advanced Threats.
Advanced or “targeted” threats differ from “commodity” threats in their application: the actor has
chosen the victim. By their very nature, Advanced Threats introduce the complexities of the motives,
objectives and identities of actors. Effective IT security organizations of the future must establish
capabilities to identify these actors, understand their motives and work to stop them from achieving
their objectives.
The “who,” “why” and “how” behind Advanced Threats
Who are they?
An Advanced Threat is any targeted activity intended to exploit your organization’s systems, networks
and data, or cause some type of harm. The spectrum of Advanced Threat actors can be quite
extensive and may include:
o Disgruntled employees or consumers
o Hacktivists
o Organized cybercrime rings
o Corporate espionage actors
o Nation-states
Hacktivists
Despite recent extensive media coverage, the real threat from hacktivist groups may be the adverse
publicity they bring to an organization, rather than any damage they can inflict through cyber exploits.
We have seen groups enjoy tremendous airtime while actual exploits were largely inconsequential.
Though it is important to monitor for hacktivist actors, it is also important not to overestimate their
capabilities and overlook other cybercriminal actors that also may be targeting your organization.
Advanced Persistent Threat actors
Advanced Persistent Threat actors represent a subset of the list above. Advanced Persistent Threat
actors will attempt various exploits until they achieve their objectives. The actors’ persistence,
adaptability and variability differentiate Advanced Persistent Threat actors from less organized and
more opportunistic Advanced Threat actors.
Why are they doing this?
The motives driving advanced threat actors vary greatly. While organized cybercriminals may be after
information and access that can result in financial gain, nation-state sponsored actors may be driven
by the desire to obtain intelligence, obtain intellectual property, or gain competitive advantage for
industry. A hacktivist’s motive may be to embarrass an organization, damage its reputation or cripple
systems, resulting in significant downtime and cost. In some cases, your organization is not the ultimate
target at all: the actor is working to obtain access to a targeted affiliate or partner through you.
How do they operate?
The following illustration highlights the process steps or “lifecycle” of various threats from
“Commodity” Threats to “Advanced Threats,” which includes hacktivism and Advanced Persistent
Threats (APT). The illustration helps us understand how we can effectively address each stage of the
lifecycle in order to effectively combat threats.
Figure 1: Lifecycle Comparison of Advanced and Commodity Threats.
Advanced Threat actors do not always perform all of the stages above. Only the most sophisticated
threat actors follow a deliberate and organized process in their efforts; Advanced Persistent Threat
actors in particular are likely to follow a formalized, staged approach to target, penetrate and exploit
your organization.
Advanced Threat actors will pursue the path of least resistance using simpler tools and exploits first,
and graduate their level of sophistication as successes or setbacks dictate. Some Advanced Threat
actors may adapt and customize their Tactics, Techniques and Procedures (TTP) to predict and
circumvent your security controls and standard incident response practices during the course of their
exploit and infiltration.
Many Advanced Threat actors may not be concerned about covering their tracks after they have
accomplished their initial goals whereas an Advanced Persistent Threat actor may lie in wait to exploit
your network again in the future.
We recommend reading the “Lifecycle of the Advanced Persistent Threat” white paper, which
complements this discussion with a more detailed treatment of Advanced Persistent Threats.
Tools of the Trade
Advanced Threat actors may use a number of tools throughout the process, including rootkits,
exploit kits, downloader kits, drive-by downloads, DNS and routing modifications, rogue Wi-Fi
devices and just about any other method that may prove useful. More advanced threat actors may use
custom hacking tools and deploy zero-day exploits when other tools and tactics are unsuccessful. In
the case of an organized team, roles and responsibilities may be defined and compartmentalized for
optimum efficiency and effectiveness.
In addition, advanced threat actors may use social engineering, a common tactic, to gain information
from your employees that may be useful for exploit efforts. Phishing and spear-phishing are
particularly effective ways to deliver malicious programs.
Ask the right questions of your security operation
The risk associated with Advanced Threats is more about the actors, their motives and their processes,
rather than the technology they deploy. Effectively addressing the threat means addressing each stage
of the lifecycle.
Before that happens, security leaders must ask the right questions of their organizations. The goal is to
determine how prepared their organization is to detect and resist an Advanced Threat, and how robust
the capabilities are to respond successfully to a breach that is a likely eventuality.
Figure 2: Asking the Right Questions of Your Security Organization
Creating an effective security strategy
IT security’s challenge is, at the earliest lifecycle stage possible, to stop the threat and threat actor
behind it from progressing. To do so, IT security organizations must add new capabilities that address
each stage of the threat lifecycle.
Effectively defending against Advanced Threats, and especially Advanced Persistent Threats, will force
many organizations to revisit and re-architect their current security strategies to address the numerous
points advanced threat actors can exploit. Because no organization can ever pre-empt, detect and
defend against an Advanced Threat 100 percent of the time, the goal for any organization should be to
pursue a continuous process of “heightened security resiliency.”
The concept of heightened security resiliency is a straightforward one involving four phases:
1. Assess your current state: This phase involves identifying what may make your organization
attractive to an advanced threat actor. This includes your assets and your company’s overall
operations. In addition, this phase involves assessing your current security policies, capabilities
and posture.
2. Evaluate your risk: This phase takes the information collected in phase one, assigns a value
to each asset, and maps that information to what we know about Advanced Threats to determine
the risk of exploitation to your organization.
3. Articulate and implement your vision: For those organizations where there is a greater risk of
exploitation by an Advanced Threat actor, security leadership will need to design and implement a
revised security vision or strategy to address the threat.
4. Test and enhance your security: Given the relative sophistication and range of persistence of
Advanced Threat actors, testing of security capabilities and policies is critical to promote
continuous improvement.
This entire process is to be repeated on a periodic basis.
Addressing the Stages of an Advanced Threat
Building on our illustration, the green arrow depicts the core areas that must be considered when
devising a strategy against Advanced Threats. We have overlaid the core capabilities that must be
present for any organization to effectively defend against, resist and respond to Advanced Threats.
They fall into four main areas: Intelligence, Visibility, Operations and Response.
Figure 3: The Four Core Capabilities Needed to Address Risk from Advanced Threat Actors
Intelligence
Organizations should look to deploy forward intelligence capabilities that provide actionable
information on Advanced Threat actors and their operations. Regardless of the intelligence’s
generalized or specific nature, the intelligence must be actionable to enhance the organization’s
security posture and educate security professionals to threats.
Visibility
Security teams must have full visibility into the operations and security of their systems, networks and
assets. Organizations must evaluate their current security architecture and consider recalibrating
security policies to ensure that the right information from each source is being correlated, so that
security professionals get a view of the big picture across the organization’s networks, information and
assets. This “big picture” view may be instrumented as a “dashboard.” Having visibility into what is
happening behind the firewall is just as important as seeing what is trying to penetrate the firewall
from the outside.
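The two points made so far, that signatures catch what is deployed en masse (Commodity Threats, above) and that detecting a targeted actor depends on correlating what happens behind the firewall, are easy to see in code. The following is an added illustration, not code from the Dell SecureWorks paper or its services. The log format, host names, URLs, the signature strings and the stage-detection rules are all assumptions constructed for this example; a real monitoring pipeline would draw on the organization’s own log sources.

```python
"""Signature matching versus correlated internal visibility.

Added example, not Dell SecureWorks code. The log format, host names,
URLs, signature strings and stage rules are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log events: (timestamp, source, host, detail).
EVENTS = [
    # ws-17: a commodity banking-Trojan infection that a signature catches.
    ("2012-03-01T09:00:05", "proxy", "ws-17", "GET http://dl.example.net/zbot.exe"),
    ("2012-03-01T09:00:06", "ids", "ws-17", "ET TROJAN Zeus Bot Request"),
    # ws-42: a targeted intrusion with no known-bad string in any single event.
    ("2012-03-01T10:12:00", "mail", "ws-42", "attachment Invoice_Q1.pdf.exe from external sender"),
    ("2012-03-01T10:13:10", "endpoint", "ws-42", "new process C:\\Users\\bob\\AppData\\Local\\svch0st.exe"),
    ("2012-03-01T10:14:00", "proxy", "ws-42", "POST https://cdn-update.example.org/ 512B"),
    ("2012-03-01T10:19:00", "proxy", "ws-42", "POST https://cdn-update.example.org/ 512B"),
    ("2012-03-01T10:24:00", "proxy", "ws-42", "POST https://cdn-update.example.org/ 512B"),
    ("2012-03-01T10:30:00", "auth", "ws-42", "network logon to fs-01 as bob"),
    # ws-99: benign browsing.
    ("2012-03-01T11:00:00", "proxy", "ws-99", "GET http://news.example.com/index.html"),
]

# Commodity-style signatures: fixed strings an IDS or proxy can match (assumed).
SIGNATURES = {
    "zbot.exe": "Zeus dropper download",
    "Zeus Bot": "Zeus command-and-control traffic",
}


def signature_hits(events):
    """Return (host, signature name) for every event containing a known-bad string."""
    hits = []
    for _ts, _src, host, detail in events:
        for needle, name in SIGNATURES.items():
            if needle in detail:
                hits.append((host, name))
    return hits


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def beacon_urls(proxy_events, min_count=3, jitter_seconds=60):
    """URLs a host POSTs to at least min_count times at a near-constant interval."""
    by_url = defaultdict(list)
    for ts, detail in proxy_events:
        parts = detail.split()
        if parts[0] == "POST":
            by_url[parts[1]].append(_parse_ts(ts))
    found = []
    for url, times in by_url.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_seconds:
            found.append(url)
    return found


def correlate(events):
    """Map each host to the sorted list of lifecycle stages seen across all sources.

    Stages: delivery (executable attachment), execution (binary run from a user
    profile), beaconing (periodic POSTs) and lateral (network logon elsewhere).
    """
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev[2]].append(ev)
    stages = {}
    for host, evs in per_host.items():
        seen = set()
        proxy = [(ts, d) for ts, src, _h, d in evs if src == "proxy"]
        for _ts, src, _h, detail in evs:
            low = detail.lower()
            if src == "mail" and low.endswith(".exe from external sender"):
                seen.add("delivery")
            if src == "endpoint" and "\\appdata\\" in low and low.endswith(".exe"):
                seen.add("execution")
            if src == "auth" and "network logon" in low:
                seen.add("lateral")
        if beacon_urls(proxy):
            seen.add("beaconing")
        stages[host] = sorted(seen)
    return stages


def alert_hosts(events, min_stages=3):
    """Hosts whose correlated activity spans at least min_stages lifecycle stages."""
    return sorted(h for h, s in correlate(events).items() if len(s) >= min_stages)


if __name__ == "__main__":
    print("signature hits:", signature_hits(EVENTS))
    print("stages per host:", correlate(EVENTS))
    print("correlated alerts:", alert_hosts(EVENTS))
```

Run stand-alone, the signature pass flags only ws-17, the commodity infection, and says nothing about ws-42; the per-host correlation flags ws-42 because mail, endpoint, proxy and authentication logs together show delivery, execution, beaconing and lateral movement, none of which matched a signature on its own. That is the “big picture” the section asks for, and it only exists if the internal sources are collected and joined on the host.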
Operations
Security leaders must evaluate the capabilities of operations and personnel. Leaders must answer
whether their operations are efficient and effective and if not, how they can be improved. This
includes assessing the expertise and constraints on that expertise to monitor and address threats in
real time.
Response
Because there is no “silver bullet” to protect against Advanced Threats 100 percent of the time,
organizations must evaluate their capability to respond effectively to an incident.
Containing a problem rapidly and effectively can make all the difference. Security professionals should
take an introspective look at their organization to determine if the organization is adequately prepared
to respond effectively to a breach by an Advanced Threat actor. Many organizations are looking at a
breach as a “when” and not an “if.” It is critical your organization has a Computer Incident Response
Plan detailing roles and responsibilities, and that the plan is robust and tested.
Defense-in-Depth
Advanced Threats, and especially Advanced Persistent Threats, heighten the need for a broader
layered security or “defense-in-depth” model.
The illustration below highlights how the defense-in-depth model must evolve to address Advanced
Threats and changing technologies, such as mobility and cloud computing that expand the network
edge, and the attack surface Advanced Threat actors could exploit. This model addresses the four
capabilities of Intelligence, Visibility, Operations and Response mentioned above.
Figure 4: Defense-in-Depth Model
Testing
Testing against Advanced Threats is not optional. For organizations serious about defending, resisting
and responding to Advanced Threats, testing security policies, processes and personnel against
simulated Advanced Threats is critical.
Testing should examine security from logical (systems, networks, applications, etc.), physical (offices
and facilities) and employee (susceptibility to social engineering or phishing activities) standpoints.
Security Awareness
Employees represent your “human firewall.” Unfortunately, as many security leaders will attest, success
for an Advanced Threat actor requires only one employee to open a phishing email or divulge
information during a social engineering exploit. The challenge for security professionals is to raise
awareness and vigilance among employees, but also maintain layered security defenses that can
address when an employee does open a phishing email or divulges information through social
engineering exploits.
Security awareness training should be a regular part of operations. All employees should be required
to receive periodic security awareness training and, even more importantly, be tested periodically
against real-world tactics such as phishing, spear-phishing and other social engineering tactics.
Unfortunately, for any organization, perfect awareness across an ever-changing employee base
represents a lofty and unrealistic goal. However, IT organizations should still strive to attain a high
security awareness result across their employees, and use additional layered security measures to
address the risk posed by employees who inadvertently fail to identify a threat and allow it into the
environment.
How Dell SecureWorks Can Help
Dell SecureWorks understands the threats organizations like yours face.
Our Counter Threat Unit (CTU) security researchers are frequently the first to market with the
identification of new exploit techniques and the analysis of emerging threats, and their expertise is
often specifically sought by government agencies, media outlets and large enterprises. They are among
the most proficient in the industry, with exceptional talent for malware analysis, reverse engineering,
counterintelligence, forensics and cybercrime investigation.
Dell SecureWorks’ CTU researchers monitor thousands of information outlets and sources around the
world. Our experts leverage hundreds of formal and informal relationships with other security experts
and research groups to ensure that they are always abreast of the latest threats to information security.
Intelligence, Operations, Visibility and Response Capabilities
Each capability below is listed with how Dell SecureWorks can help and the Dell SecureWorks services
that apply.
Intelligence
    How Dell SecureWorks Can Help: With our broad visibility and relationships, Dell SecureWorks’ CTU
    researchers are able to identify threats in advance, assess their severity and provide
    recommendations for protecting your assets before damage is done. Services are tailored to meet
    the unique environments of our customers, with threats mapped to their assets and delivered to the
    right people in the organization through a variety of customizable methods.
    Dell SecureWorks Services: CTU Research; CTU Threat Intelligence
Operations
    How Dell SecureWorks Can Help: Dell SecureWorks helps you optimize the efficiency and availability
    of your security so your staff can focus on initiatives that move the organization forward. We can
    help you get 24x7x365 coverage of your environment and help you identify active intrusions by
    threat actors who are being actively watched by the CTU.
    Dell SecureWorks Services: Security Monitoring
Visibility
    How Dell SecureWorks Can Help: Dell SecureWorks helps you see what’s happening across your
    environment. We can evaluate your architecture, helping you recalibrate your security policies to
    ensure that the right information is being correlated for your team to form a view of the big picture
    across your networks, information and assets. We can help you identify active intrusions by threat
    actors who are being watched by the CTU. Receive immediate alerts when suspected APTs are
    detected. Improve your employees’ effectiveness at detecting and resisting APT attacks.
    Dell SecureWorks Services: Managed Security Services; Security Monitoring; Network IPS with iSensor
Response
    How Dell SecureWorks Can Help: Dell SecureWorks can help you with your “Plan B” and minimize any
    impact of a successful penetration of your network and systems. We can help you develop a strong
    Incident Response plan within your organization and test your IR plan. Should you experience an
    incident, we can conduct a forensics investigation to determine the full extent of the breach
    following evidentiary procedures. In addition, we conduct malware code analysis to understand the
    unique nature of the threat, as needed.
    Dell SecureWorks Services: Incident Response Services; CIRP Development; Digital Forensics; Malware
    Code Analysis; IR Tabletop Exercises; War Gaming
Testing and Security Awareness
Testing
    How Dell SecureWorks Can Help: Dell SecureWorks can help you evaluate your security through
    testing that incorporates Tactics, Techniques and Procedures (TTP) used by advanced threat actors
    today. Testing and incorporating the lessons learned represents the most effective way to
    continually improve your security capabilities and personnel to detect, resist and respond to an
    Advanced Threat.
    Dell SecureWorks Services: Penetration Testing; Social Engineering; IR Tabletop Exercises; War Gaming
Security Awareness
    How Dell SecureWorks Can Help: Dell SecureWorks can help you optimize the efficiency and
    availability of your security so your staff can focus on initiatives that move the organization
    forward. We can help you get 24x7x365 coverage of your environment and help you identify active
    intrusions by threat actors who are being actively watched by the CTU.
    Dell SecureWorks Services: Security Monitoring
About Dell SecureWorks
Should you have any questions about how Dell SecureWorks can help your organization prepare for or
respond to advanced, targeted attacks, contact your account manager, email [email protected]
or call 877-905-6661.
Dell Inc. (NASDAQ: DELL) listens to customers and delivers worldwide innovative technology and
business solutions they trust and value. Recognized as an industry leader by top analysts, Dell
SecureWorks provides world-class information security services to help organizations of all sizes
protect their IT assets, comply with regulations and reduce security costs.