Anatomy of an Attack

Wolfgang Kandek, Qualyswkandek@qualys.com

@wkandek 14-September-2015

Verizon Data Breach Investigation Report

Verizon Data Breach Investigation Report

2122 Data Breaches

2122 Data BreachesFinancial data, Product data,

Personal data, Usernames/Passwords

Vulnerabilities

> 99% over 1 year old

> 99%

But 40 in 2014

But 40 in 2014and 50% within 2 weeks

> 99%

MalwareInfects

Computer

Exploit for known

Vulnerability

TargetedE-mailSpear

Phishing

Social MediaProfile

Exploit for 0-day

Vulnerability

KnownWorm/Virus

InfectedUSBDrive

Find infected

Computers

Command and Control

Username/Passwords

Dataloss

Brand

Finance

Others

> 99%

1. CTO (punk rock fan), punk rock concert offer, doc opened, no run2. Employee, employment offer, doc opened, script ran

3. COO (Greek History), article comment, doc not opened4. Employee, inquiry on side project, doc not opened

5. Employee, survey form of past employment, doc opened, infected, but no privileged account

6. System Admin, professional society membership offer, doc opened, infected - Bingo

Demo

PhishingTraining

PhishingTraining

10%->2%

VulnerabilitiesPatch

VulnerabilitiesPatch

95%/99%

> 99%

> 99%

VulnerabilitiesPatch

95%/99%Priority on Exploits

MS15-020, MS15-051

0-daysHardening

Then:Passwords

Finally:Breach Detection

Now: Vulnerability Assessments3 months: Passwords12 months+: Breach Detection

Thank youWolfgang Kandek

wkandek@qualys.com@wkandek

http://www.qualys.com

Resources• Verizon DBIR 2015

http://www.verizonenterprise.com/DBIR/

• Chevronhttps://www.rsaconference.com/events/us15/agenda/sessions/1983/building-a-next-generation-security-architecture

• BSIhttps://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2014.pdf

• Hardeninghttps://www.virusbtn.com/pdf/conference_slides/2013/Niemela-VB2013.pdf