Security Reflections of 2012 and Predictions for 2013
January 22, 2013. Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London
Generously sponsored by:
Welcome
Conference Moderator: Phillip H. Griffin, Raleigh, USA Chapter, ISSA Web Conference Committee
Agenda
Speakers:
• Michael Versace, Global Research Director, Worldwide Risk, Big Data Industry Lead, IDC Financial Insights
• Wayne Proctor, Director, Information Security & Risk Management, United Parcel Service
• Darien Kindlund, Senior Staff Scientist, FireEye, Inc.
Open Panel with Audience Q&A
Closing Remarks
2012/2013 Infosec Trends
*The slide deck is not available for this presentation – please view the On-Demand recording posted on the ISSA website.
Michael Versace
Global Research Director, Worldwide Risk,
Big Data Industry Lead, IDC Financial Insights
2012/2013 Infosec Trends
Wayne Proctor
Director, Information Security & IT Risk Management
United Parcel Service
Agenda
• Security intelligence & behavioral analysis
• Advanced malware protection
• Attacks targeting a specific individual
• Technologies for mobile device protection
• DDoS attack intensity & complexity
• Cyber security program information sharing
Security Intelligence & Behavioral Analysis
• SIEM systems implemented mainly for compliance purposes are not providing significant value
• Security Intelligence leverages SIEM at its core but includes key value-added features
– Input feeds from many new sources
– Alignment with business rules
– Integration with Big Data
– Behavioral Analysis
• Behavioral Analysis is the future of InfoSec monitoring
– Why try to define what to look for?
– Alert when something is not acting within a normal range
Advanced Malware Protection
• Traditional AV is only effective against known threats
– Signature based tools [...] are only effective against 30-50 percent of current security threats – IDC, early 2012
• Advanced malware protection features may include:
– Finding advanced malware
– Stopping advanced malware infection
– Analyzing advanced malware forensically
– Removal and/or quarantine of advanced malware
• Stopping the advanced malware infection is key, as it is close to impossible to stop all company employees from clicking links and opening attachments
Attacks Targeting a Specific Individual
• Social networking sites have made it possible to focus attacks on specific targets
• Enough personal information can be found in minutes to get a normal person to click a link
• An advanced people search for “DBA” in a current job title on LinkedIn returns over 29,000 results
• An advanced people search for “CEO” in a current job title on LinkedIn returns over 500,000 results
Technologies for Mobile Device Protection
• Simple MDM and container approaches for mobile security have limited corporate innovation
• We need all of the security that we expect on laptops
• Concerns arise when the use of personal devices is considered
• Future solutions should run as a cloud service
• Future mobile protection systems should offer industry-standard levels of security with minimal impact on the user experience
DDoS Attack Intensity & Complexity
• DDoS attacks have increased over 2000% over the last three years (source: Akamai)
• A sustained attack of 1 Gigabit per second was considered large prior to mid-2012
• Attackers are now using a small number of owned large servers with large bandwidth pipes
• Sustained attacks of 60 gigabits per second with spikes over 100 gigabits per second are common
• These next-generation attacks currently originate from only one group and only target large financial institutions, but they will expand
Cyber Security Program Info Sharing
• Former Defense secretary Leon Panetta warned in Oct 2012 of a “Cyber Pearl Harbor” threat that could “be just as destructive as terrorist attacks of 9/11”
• The FBI sees Cyber Security surpassing Terrorism as their primary focus
• Cyber Security Act of 2012 was voted down in the senate by a 52-46 vote (60 needed to pass) in September of 2012
• A Cyber Security Executive Order (EO) may be issued in the next several weeks – establishing a “voluntary” program for critical infrastructure companies
• Companies are concerned that liability can’t be waived without legislation
• The EO would direct federal agencies to "incorporate cybersecurity standards as part of the regulatory requirements they impose on the industries they regulate”
Question and Answer
Wayne Proctor
Director, Information Security & IT Risk Management
United Parcel Service
2012/2013 Infosec Trends
Darien Kindlund
Senior Staff Scientist, FireEye, Inc.
Spectrum of Frequent Advanced Attacks for 2012/2013
Mass Website Compromises
• Exploit toolkits
• Zero-day exploits (rare)
• Sophisticated crimeware
Watering Hole Attacks
• Compromised site specific to industry vertical
• Zero-day exploits more common
• Frequently nation-state driven
Weaponized Email Attachments
• Common file formats
• Legit work product presented (decoy)
• Preferred by nation-states
Malicious URLs in Email (Spearphish)
• Exploits specific to target environment
• Only exploit if visited from target network(s)
• Use existing trust relationships
Scale, left to right: 1000+ victims (easiest to detect) down to ~1-2 victims (hardest to detect)
[Spectrum slide repeated, highlighting Watering Hole Attacks]
1) Offense: ▲Watering Hole Methods
• Growing in popularity among nation-state threat actors
• Useful when precise targeting intel is unknown
• Compromise web site likely visited by target
• Start campaign when target is distracted (e.g. holidays)
• Once victim compromised, cleanup site
• Or, leave exploit for opportunistic attacks
Ex: Council on Foreign Relations (CFR)
• On Dec 21st, 2012, FireEye detected attacks from cfr.org to 4 major customers
– Victims: large scale ISP, large US financial, US media outlet, & local government
– Only worked from US, JP, KO, and CN systems
– Exploit triggers only one time (cookie tracking)
– First reported IE 8 zero-day exploit (CVE-2012-4792)
– Obfuscated JS + Heapspray via Flash + IE 8 exploit
– Fetches xsainfo.jpg as XOR encoded backdoor
– Loads backdoor as “shiape.exe”
– Callbacks to dynamic DNS C2 provider as normal HTTP POST traffic
– More at: http://blog.fireeye.com
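As an added defender-side example (not from the FireEye write-up or these slides), the Python below scans constructed proxy log lines for the two observable steps of the chain described above: a GET of the xsainfo.jpg dropper followed by HTTP POST callbacks from the same client to a dynamic-DNS host. The log format, the client addresses and the dynamic-DNS suffix are assumptions; the page names no C2 domain.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (timestamp, client, method, URL, referer); not real traffic.
# One client fetches the dropper from the compromised site and then starts HTTP POST
# callbacks; the other only browses normally and POSTs to an internal host.
SAMPLE_LOGS = """\
2012-12-21T10:02:11Z 10.1.4.22 GET http://www.cfr.org/ -
2012-12-21T10:02:13Z 10.1.4.22 GET http://www.cfr.org/news.php http://www.cfr.org/
2012-12-21T10:02:14Z 10.1.4.22 GET http://www.cfr.org/xsainfo.jpg http://www.cfr.org/news.php
2012-12-21T10:02:19Z 10.1.4.22 POST http://c2-placeholder.dyndns-example.test/ -
2012-12-21T10:02:40Z 10.1.4.22 POST http://c2-placeholder.dyndns-example.test/ -
2012-12-21T10:05:02Z 10.1.7.90 GET http://www.cfr.org/ -
2012-12-21T10:05:03Z 10.1.7.90 GET http://www.cfr.org/logo.jpg http://www.cfr.org/
2012-12-21T10:06:00Z 10.1.7.90 POST http://intranet.corp.test/upload -
"""

# Dynamic DNS suffixes the analyst chooses to watch. Placeholder: the page names no C2 domain.
DYNDNS_SUFFIXES = (".dyndns-example.test",)

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, url, referer = m.groups()
            yield {"ts": ts, "client": client, "method": method, "url": url, "referer": referer}

def host_of(url):
    """Hostname part of an http(s) URL, lower-cased."""
    return url.split("//", 1)[-1].split("/", 1)[0].lower()

def find_watering_hole_victims(log_text, dropper_name="xsainfo.jpg", dyndns_suffixes=DYNDNS_SUFFIXES):
    """Map client -> timestamps of POST callbacks to a dynamic DNS host that follow
    that client's fetch of the dropper image. The exploit fired once per victim
    (cookie tracking), so a single dropper GET is all the evidence to expect."""
    dropper_seen = {}             # client -> timestamp of the dropper fetch
    victims = defaultdict(list)
    for rec in parse(log_text):
        c = rec["client"]
        if rec["method"] == "GET" and rec["url"].rsplit("/", 1)[-1] == dropper_name:
            dropper_seen[c] = rec["ts"]
        elif rec["method"] == "POST" and c in dropper_seen and rec["ts"] > dropper_seen[c]:
            if host_of(rec["url"]).endswith(dyndns_suffixes):
                victims[c].append(rec["ts"])
    return dict(victims)
```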
1) Offense: ▲Watering Hole Methods
Timeline of watering hole campaigns:
• Sept 2012: Capstone Turbine, Space Foundation, Reporters Without Borders
• Oct 2012: earlier campaigns end
• Dec 2012: CFR, Taiwan Travel, Dissident Uygur
CFR is not the first…nor the last…
[Spectrum slide repeated, highlighting the email attack categories (Weaponized Email Attachments and Malicious URLs in Email)]
2) Offense: ▲Email Attacks During Holidays
[Chart: daily counts of malicious attachments over time]
2) Offense: ▲Email Attacks During Holidays
[Chart: daily counts over time, continued]
Typical Defensive Lifecycle: Collection → Detection → Incident Response → Remediation → Threat Intelligence
Threat Intelligence Improvements (lifecycle: Collection → Detection → Incident Response → Remediation → Threat Intelligence)
3) Defense: ▲Localized Threat Intelligence
• Picking defensive technologies that provide max intel
– Tolerance for false positives (FPs) is exceptionally low
– Not enough to state something is malicious by fiat
– Must provide more evidence as to why the alert is valid
– Includes IOCs, PCAPs, historical data, copies of malware, copies of dropped files, and memory dumps of processes
• Analyzing attack trends specific to the organization
3) Defense: ▲Localized Threat Intelligence
• How did the attack work?
– Vulnerabilities used?
– Applications targeted?
– Was it likely APT?
– Decoy content used?
• What was the motive?
– Financial gain?
– IP theft?
• Who was targeted? When?
– Common trend?
• Up-leveling attack trends from past incidents
– Identifying common tools, techniques, procedures (TTPs) used by threat actors, over time
– Focusing defenses on identifying common TTPs
• The point: Instead of trying to cover all defenses, focus first on identifying known tactics used by threat actors
– The attackers are human and (generally) lazy in nature
– Most operate like a “business”; employing the least sophisticated methods that accomplish the mission
– If sending a weaponized resume (PDF) to your HR dept. (because their Acrobat isn’t updated) achieves a foothold, then why bother using a more complicated attack?
– Once attack succeeds, expect new waves of attacks using same tactics
3) Defense: ▲Localized Threat Intelligence
[Diagram: a Nation State with Military Group #1 (Contractor #1, Contractor #2) and Intel Group #2 (Contractor #3); TTP 1 through TTP 6 are attributed to the contractors]
Goal: Identifying TTP patterns specific to your industry
Target: Energy Sector
• Spring/Summer: TTP2
• Fall: TTP1
• Winter: TTP3
Target: Finance Sector
• Spring/Summer: TTP4
• Fall/Winter: TTP5
Target: Legal
• Always: TTP6
3) Defense: ▲Localized Threat Intelligence
• Don’t focus on attribution (doesn’t help/matter)
• Instead, focus on TTP trends (does matter)
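An added example of the "TTP trends, not attribution" idea from the last two slides (not the speaker's code): constructed incident records are bucketed by sector and season, the suspected-actor column is deliberately discarded, and the dominant TTP per bucket is what drives the next defensive priority. The incident list, the season boundaries and the minimum-incident threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed incident records: (sector, ISO date, TTP id, suspected actor). Not real
# incidents; the TTP ids and group names follow the slide's diagram.
INCIDENTS = [
    ("Energy", "2012-04-03", "TTP2", "Contractor #1"),
    ("Energy", "2012-06-18", "TTP2", "Military Group #1"),
    ("Energy", "2012-07-02", "TTP2", "unknown"),
    ("Energy", "2012-10-09", "TTP1", "Contractor #1"),
    ("Energy", "2012-11-01", "TTP1", "unknown"),
    ("Energy", "2012-12-05", "TTP3", "unknown"),
    ("Energy", "2013-01-15", "TTP3", "Contractor #1"),
    ("Finance", "2012-05-21", "TTP4", "Contractor #2"),
    ("Finance", "2012-08-30", "TTP4", "unknown"),
    ("Finance", "2012-10-17", "TTP5", "Contractor #2"),
    ("Finance", "2012-11-08", "TTP5", "unknown"),
    ("Finance", "2012-12-27", "TTP5", "unknown"),
    ("Finance", "2013-01-09", "TTP5", "Contractor #2"),
    ("Legal", "2012-03-08", "TTP6", "Contractor #3"),
    ("Legal", "2012-05-02", "TTP6", "Contractor #3"),
    ("Legal", "2012-09-12", "TTP6", "unknown"),
]

def season(iso_date):
    """Bucket a YYYY-MM-DD date the way the slide does (northern hemisphere)."""
    month = int(iso_date[5:7])
    if 3 <= month <= 8:
        return "Spring/Summer"
    if 9 <= month <= 11:
        return "Fall"
    return "Winter"

def ttp_trends(incidents, min_incidents=2):
    """Dominant TTP per (sector, season). The actor column is read and discarded on
    purpose: the trend is keyed on what was done, not on who is believed to have done
    it. Buckets with fewer than min_incidents records are dropped as too thin to act on."""
    counts = defaultdict(Counter)
    for sector, d, ttp, _suspected_actor in incidents:
        counts[(sector, season(d))][ttp] += 1
    return {key: c.most_common(1)[0][0]
            for key, c in counts.items() if sum(c.values()) >= min_incidents}

def defensive_priority(incidents, sector, today):
    """TTP to put detection effort on for this sector right now; None if no trend yet."""
    return ttp_trends(incidents).get((sector, season(today)))
```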
Incident Response Improvements (lifecycle: Collection → Detection → Incident Response → Remediation → Threat Intelligence)
4) Defense: ▲IR Creativity
[Chart: Attack Rate vs. Time, marking Breach Successful and IR Starts]
How do you measure successful incident response engagements?
Why did this happen?
4) Defense: ▲IR Creativity
[Chart: Attack Rate vs. Time, marking Breach Successful, IR Starts, and two outcomes: Cleanup Fails and Cleanup Succeeds; annotated “Look For This”]
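An added example of one way to make the slide's measure concrete (not from the presentation): score an IR engagement by whether the attack rate actually falls after cleanup is declared done, rather than by the cleanup declaration itself. The daily counts, the day indices and the 50% drop threshold are constructed assumptions.

```python
# Constructed daily counts of attack attempts against one organization; not real data.
# Index is the day number: day 0 is the confirmed breach, IR starts on day 2 and
# cleanup is declared complete on day 8. One list per curve on the slide.
CLEANUP_FAILS = [1, 2, 3, 9, 12, 14, 13, 15, 14, 13, 15, 14, 12, 15, 13, 14]
CLEANUP_SUCCEEDS = [1, 2, 3, 9, 12, 14, 13, 15, 6, 3, 2, 1, 2, 1, 1, 1]
IR_START, CLEANUP_DONE = 2, 8

def rate(counts):
    """Mean attacks per day over a slice; 0.0 for an empty slice."""
    return sum(counts) / len(counts) if counts else 0.0

def assess_ir(daily, ir_start, cleanup_done, window=5, required_drop=0.5):
    """Score an IR engagement by what the attack rate does after cleanup.

    'during' is the rate while the intrusion was active and IR under way; 'after' is
    the rate in the window following the cleanup declaration. Unless 'after' has fallen
    to at most (1 - required_drop) of 'during', the attackers are still landing with
    the same tactics and the cleanup is treated as failed (the 'Cleanup Fails' curve).
    """
    before = rate(daily[:ir_start])
    during = rate(daily[ir_start:cleanup_done])
    after = rate(daily[cleanup_done:cleanup_done + window])
    succeeded = during > 0 and after <= (1.0 - required_drop) * during
    return {
        "pre_ir_rate": round(before, 2),
        "during_ir_rate": round(during, 2),
        "post_cleanup_rate": round(after, 2),
        "verdict": "cleanup_succeeds" if succeeded else "cleanup_fails",
    }
```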
Summary: 2012/2013 Trends
Offense
▲Watering Hole Methods
▲Email Attacks During Holidays
Defense
▲Localized Threat Intelligence
▲IR Creativity
5 Criteria for Advanced Threat Protection
1. Dynamic, signature-less engine to detect & block zero-day and targeted inbound attacks (as used by Hacktivists, APT and crimeware actors, and nation-states)
2. Real-time protection to stop data exfiltration
3. Integrated, cross-protocol Web & email inbound infection and outbound callback protection
4. Accurate, no tuning, and very low false positive rate
5. Global malware intelligence for sharing threat indicators to block zero-day malware & latest callback channels
Integrated Solution to Stop Advanced Targeted Attacks
• Integrated solution to combat advanced malware across multiple vectors, like Web and email
• Exploit, callback, and payload analysis to address all stages of attack lifecycle
• Malware forensics complements real-time protections with deep malware intelligence
• Systems share real-time malware intelligence locally and globally
Question and Answer
Darien Kindlund
Senior Staff Scientist
Open Panel with Audience Q&A
• Michael Versace, Global Research Director, Worldwide Risk, Big Data Industry Lead, IDC Financial Insights
• Wayne Proctor, Director, Information Security & Risk Management, United Parcel Service
• Darien Kindlund, Senior Staff Scientist, FireEye, Inc.
Closing Remarks
Online Meetings Made Easy
Thank you to Citrix for donating this Webcast service
Thank you to our Sponsor
CPE Credit
• Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz.
• After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.
• On-Demand Viewers Quiz Link:
http://www.surveygizmo.com/s3/1139768/ISSA-Web-Conference-Security-Reflections-for-2012-and-Predictions-for-2013-January-22-2013