Advanced Threat Protection with Dell SecureWorks Security Services


Page 1: Advanced Threat Protection with Dell SecureWorks Security ...docs.media.bitpipe.com/io_10x/io_105992/item... · Commodity Threats vs. Advanced Threats Commodity Threats A “Commodity”


Copyright © 2012 Dell SecureWorks Page 1

Table of Contents

Summary ............................................................ 2
Commodity Threats vs. Advanced Threats ............................. 3
The “who,” “why” and “how” behind Advanced Threats ................. 4
    Who are they? .................................................. 4
    Why are they doing this? ....................................... 4
    How do they operate? ........................................... 4
    Tools of the Trade ............................................. 5
Ask the right questions of your security operation ................. 7
Creating an effective security strategy ............................ 8
    Addressing the Stages of an Advanced Threat .................... 8
    Defense-in-Depth ............................................... 10
    Testing ........................................................ 11
    Security Awareness ............................................. 11
How Dell SecureWorks Can Help ...................................... 13
    Intelligence, Operations, Visibility and Response Capabilities . 14
    Testing and Security Awareness ................................. 15
    About Dell SecureWorks ......................................... 16


Summary

Across the corporate landscape, IT security organizations are fighting a battle of 1s and 0s. In other words, security professionals are relying on technology such as firewalls, Intrusion Detection Systems, Intrusion Prevention Systems and the like to protect their environments from a range of cyberthreats. In the government sector, security experts are fighting a battle to identify and stop the actors behind the host of malware and other malicious tools that are hitting our government and corporate networks.

In fact, there are many commonalities in the tools that sophisticated and unsophisticated actors use. For this reason, looking just at the malware tools would lead one to believe all threats are created equal when, in fact, they are very different. It is for these and other reasons that understanding the threat your organization faces must be done on the basis of the actors, their motives and the processes they employ.

This paper distinguishes and discusses the various types of advanced threats, the actors, their motives and processes, and provides a roadmap for how to enhance your security posture to better detect and resist advanced threats, including Advanced Persistent Threats (APT). This roadmap includes information on how Dell SecureWorks’ services can help you protect against and resist Advanced Threats across the cyber landscape.


Commodity Threats vs. Advanced Threats

Commodity Threats

A “Commodity” Threat represents a non-targeted or broad-based attack to gain access to networks, systems and assets, through the use of common hacker and malware tools and techniques widely available across the Internet. These threats may be automated and are intended to cast a wide net across many organizations in order to detect and exploit a vulnerability. Generally, commodity threat actors lack the prowess and resources associated with Advanced Threat actors.

When considering computer and security controls, controls are commonly focused on detecting specific malware, known bad network traffic and other patterns that can be codified into signatures. These controls work because many threats are deployed en masse with the actor’s hope of gaining access across a large spectrum of organizations targeting a specific type of resource.

By the time these Commodity Threats reach the majority of the population, they are likely to have been observed and had signatures developed for their detection. Examples include bot malware that can use the army of infected systems for spam proxies, denial of service attacks, password cracking and other exploits. In these cases, a large population of compromised systems is useful. Another common example is banking Trojans that seek to infect large numbers of systems to collect credentials that may allow the actors to access victims’ financial accounts.

Commodity Threats such as these are generally focused on a class of target or information type, but not necessarily on a specific individual or system. If security controls make obtaining the resource even slightly difficult, many adversaries will not expend the effort to make adjustments to overcome the particular victim or site’s security controls. In these cases, the adversaries are satisfied to abandon the target and instead focus on assets they can acquire from targets with inadequate protections. Even in the case of slightly more targeted attacks, a reasonably secured environment may cause the adversary to move on to another equally appealing computer to host their malware or another victim with a bank account from which they can extract funds.

Advanced Threats

An “Advanced Threat,” in simplest terms, is a targeted exploit. Advanced threat actors have deliberately selected an organization and are mounting offensives to penetrate security defenses and gain access to the assets of the targeted organization. The actors behind these threats are driven by specific motives and objectives which include financial gain, competitive advantage, intelligence collection, intellectual property theft, and embarrassment or harm to your organization as in the case of hacktivists. An Advanced Persistent Threat represents the most organized, sophisticated and committed threat among Advanced Threats.

Advanced or “targeted” threats are different from “commodity” threats in their application – they are targeted. By their very nature, Advanced Threats introduce the complexities of motives, objectives and identities of actors. Effective IT security organizations of the future must establish capabilities to identify these actors, understand their motives and work to stop them from achieving their objectives.


The “who,” “why” and “how” behind Advanced Threats

Who are they?

An Advanced Threat is any targeted activity intended to exploit your organization’s systems, networks and data, or cause some type of harm. The spectrum of Advanced Threat actors can be quite extensive and may include:

o Disgruntled employees or consumers
o Hacktivists
o Organized cybercrime rings
o Corporate espionage actors
o Nation-states

Hacktivists

Despite recent extensive media coverage, the real threat from hacktivist groups may be the adverse publicity they bring to an organization, rather than any damage they can inflict through cyber exploits. We have seen groups enjoy tremendous airtime while actual exploits were largely inconsequential. Though it is important to monitor for hacktivist actors, it is also important not to overestimate their capabilities and overlook other cybercriminal actors that also may be targeting your organization.

Advanced Persistent Threat actors

Advanced Persistent Threat actors represent a subset of the list above. Advanced Persistent Threat actors will attempt various exploits until they achieve their objectives. The actors’ persistence, adaptability and variability differentiate Advanced Persistent Threat actors from less organized and more opportunistic Advanced Threat actors.

Why are they doing this?

The motives driving advanced threat actors vary greatly. While organized cybercriminals may be after information and access that can result in financial gain, nation-state sponsored actors may be driven by the desire to obtain intelligence, obtain intellectual property, or gain competitive advantage for industry. A hacktivist’s motive may be to embarrass an organization, damage its reputation or cripple systems resulting in significant downtime and cost. In some cases, actors may be working to obtain access to a targeted affiliate.

How do they operate?

The following illustration highlights the process steps or “lifecycle” of various threats from “Commodity” Threats to “Advanced Threats,” which includes hacktivism and Advanced Persistent Threats (APT). The illustration helps us understand how we can effectively address each stage of the lifecycle in order to effectively combat threats.


Figure 1: Lifecycle Comparison of Advanced and Commodity Threats.

Advanced Threat actors do not always perform the stages above in their entirety. It’s only the most sophisticated threat actors that follow a very deliberative and organized process in their efforts. Advanced Persistent Threat actors do likely follow a more formalized and staged approach to target, penetrate and exploit your organization.

Advanced Threat actors will pursue the path of least resistance using simpler tools and exploits first, and graduate their level of sophistication as successes or setbacks dictate. Some Advanced Threat actors may adapt and customize their Tactics, Techniques and Procedures (TTP) to predict and circumvent your security controls and standard incident response practices during the course of their exploit and infiltration.

Many Advanced Threat actors may not be concerned about covering their tracks after they have accomplished their initial goals, whereas an Advanced Persistent Threat actor may lie in wait to exploit your network again in the future.

We recommend reading the “Lifecycle of the Advanced Persistent Threat” white paper for a more detailed discussion of Advanced Persistent Threats as a complement to this discussion.

Tools of the Trade

Advanced Threat actors may use a number of tools throughout the process. This includes rootkits, exploit kits, downloader kits, drive-by downloads, DNS and routing modifications, use of rogue Wi-Fi devices and just about any method that may prove useful. More advanced threat actors may use custom hacking tools and deploy zero-day exploits when other tools and tactics are unsuccessful. In the case of an organized team, roles and responsibilities may actually be defined and compartmentalized for optimum efficiency and effectiveness.

In addition, advanced threat actors may use social engineering, a common tactic, to gain information from your employees that may be useful for exploit efforts. Phishing and spear-phishing are particularly effective ways to deliver malicious programs.


Ask the right questions of your security operation

The risk associated with Advanced Threats is more about the actors, their motives and their processes, rather than the technology they deploy. Effectively addressing the threat means addressing each stage of the lifecycle.

Before that happens, security leaders must ask the right questions of their organizations. The goal is to determine how prepared their organization is to detect and resist an Advanced Threat, and how robust the capabilities are to respond successfully to a breach that is a likely eventuality.

Figure 2: Asking the Right Questions of Your Security Organization


Creating an effective security strategy

IT security’s challenge is, at the earliest lifecycle stage possible, to stop the threat and the threat actor behind it from progressing. To do so, IT security organizations must add new capabilities that address each stage of the threat lifecycle.

Effectively defending against Advanced Threats, and especially Advanced Persistent Threats, will force many organizations to revisit and re-architect their current security strategies to address the numerous points advanced threat actors can exploit. Because no organization can ever pre-empt, detect and defend against an Advanced Threat 100 percent of the time, the goal for any organization should be to pursue a continuous process of “heightened security resiliency.”

The concept of heightened security resiliency is a straightforward one involving four phases:

1. Assess your current state: This phase involves identifying what may make your organization attractive to an advanced threat actor. This includes your assets and your company’s overall operations. In addition, this phase involves assessing your current security policies, capabilities and posture.

2. Evaluate your risk: This phase takes the information collected in phase one, assigns a value to assets, and maps that information to what we know about Advanced Threats to determine the risk of exploit to your organization.

3. Articulate and implement your vision: For those organizations where there is a greater risk of exploit by an Advanced Threat actor, security leadership will need to design and implement a revised security vision or strategy to address the threat.

4. Test and enhance your security: Given the relative sophistication and range of persistence of Advanced Threat actors, testing of security capabilities and policies is critical to promote continuous improvement.

This entire process is to be repeated on a periodic basis.

Addressing the Stages of an Advanced Threat

Building on our illustration, the green arrow depicts the core areas that must be considered when devising a strategy against Advanced Threats. We have overlaid the core capabilities that must be present for any organization to effectively defend, resist and respond to Advanced Threats. These capabilities can be divided into four main areas: Intelligence, Visibility, Operations and Response.


Figure 3: The Four Core Capabilities Needed to Address Risk from Advanced Threat Actors


Intelligence

Organizations should look to deploy forward intelligence capabilities that provide actionable information on Advanced Threat actors and their operations. Regardless of the intelligence’s generalized or specific nature, the intelligence must be actionable to enhance the organization’s security posture and educate security professionals about threats.

Visibility

Security teams must have full visibility into the operations and security of their systems, networks and assets. Organizations must evaluate their current security architecture and consider recalibrating security policies to ensure that the right information is being correlated to give security professionals a view of the big picture across your networks, information and assets. This “big picture” view may be instrumented as a “dashboard” representation. Having visibility into what is happening behind the firewall is just as important as seeing what is trying to penetrate the firewall from the outside.

Operations

Security leaders must evaluate the capabilities of operations and personnel. Leaders must answer whether their operations are efficient and effective and, if not, how they can be improved. This includes assessing the expertise, and the constraints on that expertise, to monitor and address threats in real time.

Response

Because there is no “silver bullet” to protect against Advanced Threats 100 percent of the time, organizations must evaluate their capability to respond effectively to an incident.

Containing a problem rapidly and effectively can make all the difference. Security professionals should take an introspective look at their organization to determine if the organization is adequately prepared to respond effectively to a breach by an Advanced Threat actor. Many organizations are looking at a breach as a “when” and not an “if.” It is critical your organization has a Computer Incident Response Plan detailing roles and responsibilities, and that the plan is robust and tested.

Defense-in-Depth

Advanced Threats, and especially Advanced Persistent Threats, heighten the need for a broader layered security or “defense-in-depth” model.

The illustration below highlights how the defense-in-depth model must evolve to address Advanced Threats and changing technologies, such as mobility and cloud computing, that expand the network edge and the attack surface Advanced Threat actors could exploit. This model addresses the four capabilities of Intelligence, Visibility, Operations and Response mentioned above.


Figure 4: Defense-in-Depth Model

Testing

Testing against Advanced Threats is not optional. For organizations serious about defending against, resisting and responding to Advanced Threats, testing security policies, processes and personnel against simulated Advanced Threats is critical.

Testing should examine security from logical (systems, networks, applications, etc.), physical (offices and facilities) and employee (susceptibility to social engineering or phishing activities) standpoints.

Security Awareness

Employees represent your “human firewall.” Unfortunately, as many security leaders will attest, success for an Advanced Threat actor requires only one employee to open a phishing email or divulge information during a social engineering exploit. The challenge for security professionals is to raise awareness and vigilance among employees, but also to maintain layered security defenses that can address the case when an employee does open a phishing email or divulges information through social engineering exploits.

Security awareness training should be a regular part of operations. All employees should be mandated to receive periodic security awareness training and, even more importantly, be tested periodically against real-world tactics such as phishing, spear-phishing and other social engineering tactics.


Unfortunately, for any organization, perfect awareness across an ever-changing employee base represents a lofty and unrealistic goal. However, IT organizations should still strive to attain a high security awareness result across their employees, and use additional layered security measures to address the risk posed by employees who inadvertently fail to identify a threat and allow it into the environment.


How Dell SecureWorks Can Help

Dell SecureWorks understands the threats organizations like yours face. Our Counter Threat Unit (CTU) security researchers are frequently the first to market with the identification of new exploit techniques and the analysis of emerging threats, and their expertise is often specifically sought by government agencies, media outlets and large enterprises. They are among the most proficient in the industry, with exceptional talent for malware analysis, reverse engineering, counterintelligence, forensics and cybercrime investigation.

Dell SecureWorks’ CTU researchers monitor thousands of information outlets and sources around the world. Our experts leverage hundreds of formal and informal relationships with other security experts and research groups to ensure that they are always abreast of the latest threats to information security.


Intelligence, Operations, Visibility and Response Capabilities

Capability: Intelligence
How Dell SecureWorks Can Help: With our broad visibility and relationships, Dell SecureWorks’ CTU researchers are able to identify threats in advance, assess their severity and provide recommendations for protecting your assets before damage is done. Services are tailored to meet the unique environments of our customers, with threats mapped to their assets and delivered to the right people in the organization through a variety of customizable methods.
Dell SecureWorks Services: CTU Research; CTU Threat Intelligence

Capability: Operations
How Dell SecureWorks Can Help: Dell SecureWorks helps you optimize the efficiency and availability of your security so your staff can focus on initiatives that move the organization forward. We can help you get 24x7x365 coverage of your environment and help you identify active intrusions by threat actors who are being actively watched by the CTU.
Dell SecureWorks Services: Security Monitoring

Capability: Visibility
How Dell SecureWorks Can Help: Dell SecureWorks helps you see what's happening across your environment. We can evaluate your architecture, helping you recalibrate your security policies to ensure that the right information is being correlated to your team to form a view of the big picture across your networks, information and assets. We can help you identify active intrusions by threat actors who are being watched by the CTU. Receive immediate alerts when suspected APTs are detected. Improve your employees' effectiveness at detecting and resisting APT attacks.
Dell SecureWorks Services: Managed Security Services; Security Monitoring; Network IPS with iSensor

Capability: Response
How Dell SecureWorks Can Help: Dell SecureWorks can help you with your "Plan B" and minimize any impact of a successful penetration of your network and systems. We can help you develop a strong Incident Response plan within your organization and test your IR plan. Should you experience an incident, we can conduct a forensics investigation to determine the full extent of the breach following evidentiary procedures. In addition, we conduct malware code analysis to understand the unique nature of the threat, as needed.
Dell SecureWorks Services: Incident Response Services; CIRP Development; Digital Forensics; Malware Code Analysis; IR Tabletop Exercises; War Gaming

Testing and Security Awareness

Capability: Testing
How Dell SecureWorks Can Help: Dell SecureWorks can help you evaluate your security through testing that incorporates Tactics, Techniques and Procedures (TTP) used by advanced threat actors today. Testing and incorporating the lessons learned represents the most effective way to continually improve your security capabilities and personnel to detect, resist and respond to an Advanced Threat.
Dell SecureWorks Services: Penetration Testing; Social Engineering; IR Tabletop Exercises; War Gaming

Capability: Security Awareness
How Dell SecureWorks Can Help: Dell SecureWorks can help you optimize the efficiency and availability of your security so your staff can focus on initiatives that move the organization forward. We can help you get 24x7x365 coverage of your environment and help you identify active intrusions by threat actors who are being actively watched by the CTU.
Dell SecureWorks Services: Security Monitoring


About Dell SecureWorks

Should you have any questions about how Dell SecureWorks can help your organization prepare for or respond to advanced, targeted attacks, contact your account manager, email [email protected] or call 877-905-6661.

Dell Inc. (NASDAQ: DELL) listens to customers and delivers worldwide innovative technology and business solutions they trust and value. Recognized as an industry leader by top analysts, Dell SecureWorks provides world-class information security services to help organizations of all sizes protect their IT assets, comply with regulations and reduce security costs.