Transcript of Security Reflections of 2012 and Predictions for 2013

Page 1

Security Reflections of 2012 and Predictions for 2013

January 22, 2013 Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London

Page 2

Generously sponsored by:

Page 3

Welcome Conference Moderator

Phillip H. Griffin, Raleigh, USA Chapter, ISSA Web Conference Committee

Page 4

Agenda

Speakers

• Michael Versace, Global Research Director, Worldwide Risk, Big Data Industry Lead, IDC Financial Insights

• Wayne Proctor, Director, Information Security & Risk Management, United Parcel Service

• Darien Kindlund, Senior Staff Scientist, FireEye, Inc.

Open Panel with Audience Q&A

Closing Remarks

Page 5

2012/2013 Infosec Trends

*The slide deck is not available for this presentation – please view the On-Demand recording posted on the ISSA website.

Michael Versace

Global Research Director, Worldwide Risk,

Big Data Industry Lead, IDC Financial Insights

Page 6

2012/2013 Infosec Trends

Wayne Proctor

Director, Information Security & IT Risk Management

United Parcel Service

Page 7

Agenda

• Security intelligence & behavioral analysis

• Advanced malware protection

• Attacks targeting a specific individual

• Technologies for mobile device protection

• DDoS attack intensity & complexity

• Cyber security program information sharing

Page 8

Security Intelligence & Behavioral Analysis

• SIEM systems implemented mainly for compliance purposes are not providing significant value

• Security Intelligence leverages SIEM at its core but includes key value-added features

– Input feeds from many new sources

– Alignment with business rules

– Integration with Big Data

– Behavioral Analysis

• Behavioral Analysis is the future of InfoSec monitoring

– Why try to define what to look for?

– Alert when something is not acting within a normal range
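The "alert when something is not acting within a normal range" idea above, as an added example (not from the presentation or any of the speakers' tools): each user's normal outbound volume is learned from a few days of history, and a new observation is flagged when it sits more than a threshold number of standard deviations away, or when there is no history to judge it against. The log format, user names and byte counts are constructed for this illustration.

```python
"""Baseline-deviation alerting over constructed per-user log lines."""
import re
import statistics
from collections import defaultdict

# Constructed history: one line per user per day, outbound volume in MB.
HISTORY_LOG = """
2012-12-01 user=alice bytes_out_mb=120
2012-12-02 user=alice bytes_out_mb=130
2012-12-03 user=alice bytes_out_mb=125
2012-12-04 user=alice bytes_out_mb=115
2012-12-05 user=alice bytes_out_mb=135
2012-12-06 user=alice bytes_out_mb=128
2012-12-07 user=alice bytes_out_mb=122
2012-12-01 user=bob bytes_out_mb=40
2012-12-02 user=bob bytes_out_mb=42
2012-12-03 user=bob bytes_out_mb=38
2012-12-04 user=bob bytes_out_mb=41
2012-12-05 user=bob bytes_out_mb=39
2012-12-06 user=bob bytes_out_mb=40
2012-12-07 user=bob bytes_out_mb=40
"""

# Constructed observations for the day being scored.
TODAY_LOG = """
2012-12-08 user=alice bytes_out_mb=900
2012-12-08 user=bob bytes_out_mb=43
2012-12-08 user=carol bytes_out_mb=10
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) bytes_out_mb=(\d+)$")
MIN_HISTORY = 5      # days of history required before a baseline is trusted
STDEV_FLOOR = 1.0    # avoids dividing by a near-zero spread for very flat users


def parse(log_text):
    """Yield (day, user, value) tuples; lines that do not match the format are skipped."""
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def build_baselines(history_text):
    """Per-user (mean, stdev) learned from history; users with too little history are omitted."""
    per_user = defaultdict(list)
    for _day, user, value in parse(history_text):
        per_user[user].append(value)
    baselines = {}
    for user, values in per_user.items():
        if len(values) >= MIN_HISTORY:
            baselines[user] = (statistics.mean(values), statistics.stdev(values))
    return baselines


def detect_anomalies(history_text, today_text, threshold=3.0):
    """Return alert dicts for observations outside their learned normal range.

    A user with no baseline is surfaced explicitly rather than silently passed,
    since 'never seen before' is itself outside any known normal range.
    """
    baselines = build_baselines(history_text)
    alerts = []
    for day, user, value in parse(today_text):
        if user not in baselines:
            alerts.append({"day": day, "user": user, "value": value,
                           "reason": "no baseline", "z": None})
            continue
        mean, stdev = baselines[user]
        z = (value - mean) / max(stdev, STDEV_FLOOR)
        if abs(z) >= threshold:
            alerts.append({"day": day, "user": user, "value": value,
                           "reason": "deviation", "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(HISTORY_LOG, TODAY_LOG):
        print(alert)
```

With the constructed data, alice's 900 MB day scores well over a hundred standard deviations above her mean of 125 MB, bob's 43 MB stays within range, and carol is reported because she has no history. The standard deviation floor matters in practice: a user whose history is perfectly flat would otherwise turn every tiny change into an alert, which is exactly the false-positive problem slide 26 warns about.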

Page 9

Advanced Malware Protection

• Traditional AV is only effective against known threats

– Signature based tools [...] are only effective against 30-50 percent of current security threats – IDC, early 2012

• Advanced malware protection features may include:

– Finding advanced malware

– Stopping advanced malware infection

– Analyzing advanced malware forensically

– Removal and/or quarantine of advanced malware

• Stopping the advanced malware infection is key as it is close to impossible to stop all company employees from clicking links and opening attachments

Page 10

Attacks Targeting a Specific Individual

• Social Networking sites have made it possible to focus attacks on specific targets

• Enough personal information can be found in minutes to get a normal person to click a link

• An advanced people search for “DBA” in a current job title on LinkedIn replies with over 29,000 results

• An advanced people search for “CEO” in a current job title on LinkedIn replies with over 500,000 results

Page 11

Technologies for Mobile Device Protection

• Simple MDM and container approaches for mobile security have limited corporate innovation

• We need all of the security that we expect on laptops

• Concerns are encountered when the use of personal devices is considered

• Future solutions should run as a cloud service

• Future mobile protection systems should offer industry-standard levels of security with minimal impact on the user experience

Page 12

DDoS Attack Intensity & Complexity


• DDoS attacks have increased over 2000% over the last three years (source: Akamai)

• A sustained attack of 1 gigabit per second was considered large prior to mid-2012

• Attackers are now using a small number of compromised (“owned”) large servers with large bandwidth pipes

• Sustained attacks of 60 gigabits per second with spikes over 100 gigabits per second are common

• These next-gen attacks originate from only one group and only against large financials today but will expand

Page 13

Cyber Security Program Info Sharing

• Former Defense Secretary Leon Panetta warned in Oct 2012 of a “Cyber Pearl Harbor” threat that could “be just as destructive as terrorist attacks of 9/11”

• The FBI sees Cyber Security surpassing Terrorism as their primary focus

• Cyber Security Act of 2012 was voted down in the Senate by a 52-46 vote (60 needed to pass) in September of 2012

• A Cyber Security Executive Order (EO) may be issued in the next several weeks – establishing a “voluntary” program for critical infrastructure companies

• Companies are concerned that liability can’t be waived without legislation

• The EO would direct federal agencies to “incorporate cybersecurity standards as part of the regulatory requirements they impose on the industries they regulate”

Page 14

Question and Answer

Wayne Proctor

Director, Information Security & IT Risk Management

United Parcel Service

Page 15

2012/2013 Infosec Trends

Darien Kindlund

Senior Staff Scientist

Page 16

Spectrum of Frequent Advanced Attacks for 2012/2013

Mass Website Compromises

• Exploit toolkits

• Zero-day exploits (rare)

• Sophisticated crimeware

Watering Hole Attacks

• Compromised site specific to industry vertical

• Zero-day exploits more common

• Frequently nation-state driven

Weaponized Email Attachments

• Common file formats

• Legit work product presented (decoy)

• Preferred by nation-states

Malicious URLs in Email (Spearphish)

• Exploits specific to target environment

• Only exploit if visited from target network(s)

• Use existing trust relationships

Scale across the spectrum: 1000+ Victims (Easiest to Detect) at the Mass Website Compromises end, down to ~1-2 Victims (Hardest to Detect) at the Spearphish end

Page 17

Watering Hole Attacks

[The Spectrum of Frequent Advanced Attacks diagram from Page 16 (Mass Website Compromises, Watering Hole Attacks, Weaponized Email Attachments, Malicious URLs in Email) is repeated here; this section covers Watering Hole Attacks.]

Page 18

1) Offense: ▲Watering Hole Methods

• Growing in popularity among nation-state threat actors

• Useful when precise targeting intel is unknown

• Compromise web site likely visited by target

• Start campaign when target is distracted (e.g. holidays)

• Once victim compromised, cleanup site

• Or, leave exploit for opportunistic attacks

Page 19

Ex: Council on Foreign Relations (CFR)

• On Dec 21st, 2012, FireEye detected attacks from cfr.org to 4 major customers

– Victims: large scale ISP, large US financial, US media outlet, & local government

– Only worked from US, JP, KO, and CN systems

– Exploit triggers only one time (cookie tracking)

– First reported IE 8 zero-day exploit (CVE-2012-4792)

– Obfuscated JS + Heapspray via Flash + IE 8 exploit

– Fetches xsainfo.jpg as XOR encoded backdoor

– Loads backdoor as “shiape.exe”

– Callbacks to dynamic DNS C2 provider as normal HTTP POST traffic

– More at: http://blog.fireeye.com
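Two of the indicators listed for the cfr.org case lend themselves to simple defensive checks, shown here as an added example that is not FireEye's code or the speaker's: (a) HTTP POSTs from internal clients to hosts under dynamic-DNS suffixes, matching the callback channel described as ordinary POST traffic to a dynamic DNS C2 provider, and (b) a download whose path claims an image type but whose first bytes are not that image type's magic number, matching a backdoor fetched under the name xsainfo.jpg. The proxy log format, the dynamic-DNS suffix watchlist, the host names and the sample bytes are all constructed for this illustration; a real deployment would load its own curated suffix list.

```python
"""Two defensive checks modelled on the cfr.org watering hole indicators."""
import re

# Constructed watchlist of dynamic-DNS suffixes (placeholders, not real providers).
DYNDNS_SUFFIXES = ("dyn-example.net", "ddns-example.org")

# Magic numbers for the image types this check recognises.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Constructed proxy log lines: timestamp, client, method, host, path, status.
PROXY_LOG = """
2012-12-21T09:58:03 src=10.20.1.15 method=GET host=www.cfr.org path=/ status=200
2012-12-21T09:58:09 src=10.20.1.15 method=GET host=www.cfr.org path=/xsainfo.jpg status=200
2012-12-21T10:02:11 src=10.20.1.15 method=POST host=update.host1.dyn-example.net path=/index.asp status=200
2012-12-21T10:03:40 src=10.20.1.22 method=POST host=intranet.corp-example.local path=/login status=302
2012-12-21T10:05:02 src=10.20.1.15 method=POST host=update.host1.dyn-example.net path=/index.asp status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) host=(?P<host>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def parse_proxy_log(text):
    """Parse constructed proxy lines into dicts; lines that do not match are dropped."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def is_dyndns_host(host):
    """True when the host is, or sits under, one of the watchlisted suffixes."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def flag_dyndns_posts(records):
    """Return sorted (src, host, count) triples for clients POSTing to dynamic-DNS hosts."""
    counts = {}
    for r in records:
        if r["method"] == "POST" and is_dyndns_host(r["host"]):
            key = (r["src"], r["host"])
            counts[key] = counts.get(key, 0) + 1
    return sorted((src, host, n) for (src, host), n in counts.items())


def image_magic_mismatch(path, body):
    """True when the path claims an image type whose magic bytes are absent from the body.

    Paths without a recognised image extension are not judged (returns False).
    """
    ext = path.lower()[path.rfind("."):] if "." in path else ""
    magics = IMAGE_MAGIC.get(ext)
    if magics is None:
        return False
    return not any(body.startswith(m) for m in magics)


if __name__ == "__main__":
    recs = parse_proxy_log(PROXY_LOG)
    print(flag_dyndns_posts(recs))
    # Constructed bytes standing in for an encoded payload served under a .jpg name.
    print(image_magic_mismatch("/xsainfo.jpg", b"\x1f\x3c\xa9\x77"))
```

Neither check is a verdict on its own: dynamic DNS has legitimate users and a truncated image can fail the magic-number test, so both belong in the evidence bundle slide 26 asks for (the PCAP, the fetched file, the POST body) rather than being raised as an alert by fiat.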

Page 20

[Timeline of watering hole campaigns]

Earlier campaigns (Sept 2012, ending Oct 2012): Capstone Turbine, Space Foundation, Reporters Without Borders, Taiwan Travel, Dissident Uygur

Dec 2012: CFR

CFR is not the first… nor the last…

Page 21

Email Attacks

[The Spectrum of Frequent Advanced Attacks diagram from Page 16 is repeated here; this section covers Weaponized Email Attachments and Malicious URLs in Email (Spearphish).]

Page 22

2) Offense: ▲Email Attacks During Holidays

[Chart; y-axis: Malicious Attachment]

Page 23

2) Offense: ▲Email Attacks During Holidays

[Chart; y-axis: Daily Counts]

Page 24

Typical Defensive Lifecycle

[Lifecycle diagram: Collection, Detection, Incident Response, Remediation, Threat Intelligence]

Page 25

Threat Intelligence Improvements

[Lifecycle diagram repeated (Collection, Detection, Incident Response, Remediation, Threat Intelligence); Threat Intelligence is the stage addressed here]

Page 26

3) Defense: ▲Localized Threat Intelligence

• Picking defensive technologies that provide max intel

– Tolerance for false positives (FPs) is exceptionally low

– Not enough to state something is malicious by fiat

– Must provide more evidence as to why the alert is valid

– Includes IOCs, PCAPs, historical data, copies of malware, copies of dropped files, and memory dumps of processes

• Analyzing attack trends specific to the organization

– How did the attack work? Vulnerabilities used? Applications targeted? Was it likely APT? Decoy content used?

– What was the motive? Financial gain? IP theft?

– Who was targeted? When? Common trend?

Page 27

3) Defense: ▲Localized Threat Intelligence

• Up-leveling attack trends from past incidents

– Identifying common tools, techniques, procedures (TTPs) used by threat actors, over time

– Focusing defenses on identifying common TTPs

• The point: Instead of trying to cover all defenses, focus first on identifying known tactics used by threat actors

– The attackers are human and (generally) lazy in nature

– Most operate like a “business”; employing the least sophisticated methods that accomplish the mission

– If sending a weaponized resume (PDF) to your HR dept. (because their Acrobat isn’t updated) achieves a foothold, then why bother using a more complicated attack?

– Once attack succeeds, expect new waves of attacks using same tactics

Page 28

3) Defense: ▲Localized Threat Intelligence

[Diagram: Nation State → Military Group #1 → Contractor #1, Contractor #2; Nation State → Intel Group #2 → Contractor #3. Each contractor is linked to its own TTPs, labelled TTP 1 through TTP 6.]

Goal: Identifying TTP patterns specific to your industry

Target: Energy Sector

• Spring/Summer: TTP2

• Fall: TTP1

• Winter: TTP3

Target: Finance Sector

• Spring/Summer: TTP4

• Fall/Winter: TTP5

Target: Legal

• Always: TTP6

Page 29

3) Defense: ▲Localized Threat Intelligence

[Diagram and sector/season TTP table from Page 28 repeated]

• Don’t focus on attribution (doesn’t help/matter)

• Instead, focus on TTP trends (does matter)
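The up-leveling described on Pages 27 to 29, as an added example rather than anything from the presentation: past incidents are bucketed by sector and season and counted by TTP, so the dominant TTP per season falls out of the data, and the suspected actor field is carried in the records but never used, in line with the advice to focus on TTP trends rather than attribution. The incident records are constructed so that the resulting energy, finance and legal patterns resemble the illustrative ones on Page 28; the TTP labels are the slide's placeholders, not real technique identifiers.

```python
"""Seasonal TTP trends per sector from a list of past incidents."""
from collections import Counter, defaultdict
from datetime import date

# Constructed incident records: (date, sector, TTP label, suspected actor).
# The actor column exists only to show that it is ignored by the analysis.
INCIDENTS = [
    (date(2012, 4, 2), "energy", "TTP2", "Contractor #1"),
    (date(2012, 5, 10), "energy", "TTP2", "Contractor #1"),
    (date(2012, 6, 15), "energy", "TTP1", "Contractor #1"),
    (date(2012, 7, 1), "energy", "TTP2", "Contractor #2"),
    (date(2012, 9, 20), "energy", "TTP1", "Contractor #1"),
    (date(2012, 10, 5), "energy", "TTP1", "Contractor #2"),
    (date(2012, 11, 11), "energy", "TTP3", "Contractor #1"),
    (date(2012, 12, 20), "energy", "TTP3", "Contractor #1"),
    (date(2013, 1, 8), "energy", "TTP3", "Contractor #2"),
    (date(2012, 4, 11), "finance", "TTP4", "Contractor #2"),
    (date(2012, 8, 1), "finance", "TTP4", "Contractor #2"),
    (date(2012, 10, 10), "finance", "TTP5", "Contractor #2"),
    (date(2012, 12, 1), "finance", "TTP5", "Contractor #3"),
    (date(2013, 2, 2), "finance", "TTP5", "Contractor #2"),
    (date(2012, 3, 3), "legal", "TTP6", "Contractor #3"),
    (date(2012, 10, 1), "legal", "TTP6", "Contractor #3"),
]


def season_of(d):
    """Map a date to the three seasonal buckets the slide uses."""
    if 3 <= d.month <= 8:
        return "spring/summer"
    if 9 <= d.month <= 11:
        return "fall"
    return "winter"


def ttp_counts(incidents, sector):
    """Counter of TTPs per season for one sector; the actor field is deliberately unused."""
    by_season = defaultdict(Counter)
    for d, sec, ttp, _actor in incidents:
        if sec == sector:
            by_season[season_of(d)][ttp] += 1
    return by_season


def dominant_ttps(incidents, sector):
    """For each season with data: the most frequent TTP and its share of that season's incidents."""
    out = {}
    for season, counter in ttp_counts(incidents, sector).items():
        ttp, n = counter.most_common(1)[0]
        out[season] = (ttp, round(n / sum(counter.values()), 2))
    return out


def focus_list(incidents, sector, current_season):
    """TTPs to prioritise now: the season's dominant TTP first, then the rest by overall frequency."""
    overall = Counter(ttp for _d, sec, ttp, _a in incidents if sec == sector)
    ranked = [ttp for ttp, _n in overall.most_common()]
    lead = dominant_ttps(incidents, sector).get(current_season)
    if lead:
        ranked.remove(lead[0])
        ranked.insert(0, lead[0])
    return ranked


if __name__ == "__main__":
    for sector in ("energy", "finance", "legal"):
        print(sector, dominant_ttps(INCIDENTS, sector))
    print("energy, fall:", focus_list(INCIDENTS, "energy", "fall"))
```

The share figure alongside each dominant TTP is the useful part for prioritisation: a season where one TTP accounts for three quarters of incidents justifies a narrow detection focus, whereas an even split means the "cover the known tactics first" rule buys less and the defenses should stay broad for that period.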

Page 30

Incident Response Improvements

[Lifecycle diagram repeated (Collection, Detection, Incident Response, Remediation, Threat Intelligence); Incident Response is the stage addressed here]

Page 31

4) Defense: ▲IR Creativity

[Chart: Attack Rate over Time, annotated “Breach Successful” and “IR Starts”]

How do you measure successful incident response engagements?

Why did this happen?

Page 32

4) Defense: ▲IR Creativity

[Chart: Attack Rate over Time, annotated “Breach Successful”, “IR Starts”, “Cleanup Fails”, “Cleanup Succeeds”, and “Look For This”]

Page 33

Summary: 2012/2013 Trends

Offense

▲Watering Hole Methods

▲Email Attacks During Holidays

Defense

▲Localized Threat Intelligence

▲IR Creativity

Page 34

5 Criteria for Advanced Threat Protection

1. Dynamic, signature-less engine to detect & block zero-day and targeted inbound attacks (as used by Hacktivists, APT and crimeware actors, and nation-states)

2. Real-time protection to stop data exfiltration

3. Integrated, cross-protocol Web & email inbound infection and outbound callback protection

4. Accurate, no tuning, and very low false positive rate

5. Global malware intelligence for sharing threat indicators to block zero-day malware & latest callback channels

Page 35

Integrated Solution to Stop Advanced Targeted Attacks


• Integrated solution to combat advanced malware across multiple vectors, like Web and email

• Exploit, callback, and payload analysis to address all stages of attack lifecycle

• Malware forensics complements real-time protections with deep malware intelligence

• Systems share real-time malware intelligence locally and globally

Page 36

Question and Answer

Darien Kindlund

Senior Staff Scientist

Page 37

Open Panel with Audience Q&A

• Michael Versace, Global Research Director, Worldwide Risk, Big Data Industry Lead, IDC Financial Insights

• Wayne Proctor, Director, Information Security & Risk Management, United Parcel Service

• Darien Kindlund, Senior Staff Scientist, FireEye, Inc.

Page 38

Closing Remarks

Online Meetings Made Easy

Thank you to Citrix for donating this Webcast service

Thank you to our Sponsor

Page 39

CPE Credit

• Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz.

• After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.

• On-Demand Viewers Quiz Link: http://www.surveygizmo.com/s3/1139768/ISSA-Web-Conference-Security-Reflections-for-2012-and-Predictions-for-2013-January-22-2013
