Strategies to Combat New, Innovative Cyber Threats - 2017
STRICTLY PRIVATE & CONFIDENTIAL © 2017
Enterprise Security for 2017
Key Cyber Threats to Defend Against in 2017:
Ransomware and its evolving variants
Compromised business processes
Increased organizational social engineering
Insider technical compromises
Threats to non-perimeter assets
Key Cyber Strategies to Deploy in 2017:
Analytical machine learning based detection
Enhanced end-point detection
Orchestrated responses
Digital VM systems
CloudOps and DevOps security
New, Innovative Threats to Watch out for
IoT threats: The Mirai worm and the Dyn attack exposed the vulnerability of IoT systems, which act as a launch pad for other attacks. IoT device usage is expected to rise by 400% in 2017, making this a significant threat. Attacks on IoT systems such as cars, drones, industrial systems, and others should also be considered.
Fake news attacks: The rise in social media and self-publishing, and the shrinking attention span of readers, has caused an increase in fake news circulation. This will soon be used for cyber fraud by luring users to act on false information, such as selling stock and other schemes.
AI & voice first attacks: As we move beyond touch to voice-based interactions, new forms of attacks are likely.
Example #1: Tricking AI algorithms with fake data to gain information and then having the voice-enabled system fool users into performing an action.
Example #2: Your banking bot could talk consumers into giving away credentials to attackers.
Smart cities attack: Smart city grids that control transportation, utilities, communication, financial services, and other citizen life data will be prone to innovative attacks that leverage a single vector, impacting multiple facilities. E.g. using business logic weaknesses to obtain data that enables compromise.
Bionics attack: Attacks on medical devices such as pacemakers are already being researched. As greater integration of human capability and technology occurs, attacks will become life threatening. 2017 will see more concept-level threats showcased by researchers. The future will see a combination of neuro and cyber weapons as criminals catch on.
Key Threats 2017
Ransomware and Variants
Malware objectives between 2001 and 2017 now include file deletion, network clogging, botnet creation, data stealing & selling, and data encryption for ransom.
2016 SAW A RAPID INCREASE IN RANSOMWARE
Increased by 4 times compared to 2015
Aided by more data on end points and easy anonymous pay gate options
Total losses due to ransomware attacks cost over one billion USD, affecting over 100 thousand companies
Ransomware variations have also increased:
Layered infections that include Trojans and key loggers along with ransomware
Selective files and folder encryption
Attackers are targeting high-risk sectors such as financial services, healthcare, utilities and SMB.
2017 WILL SEE
Ransomworm: ransomware combining worm capabilities that spreads fast.
Double dipping: adding data stealing capabilities along with encryption to double profits, once through ransom from the organization and then through the underground selling of the data.
Refer to the Paladion paper for the top variants of ransomware during 2016 and their IOCs for detection.
Business Process Compromise (BPC)
BPC consists of complex attacks using social engineering, malware, account takeovers, man-in-the-middle attacks, sniffing and data exfiltration.
Cyber criminals are targeting entire business processes more and more.
Attacks on banks target payment processes involving multiple assets, users, and intimate transaction knowledge (e.g. Bank of Bangladesh). Several copycat attacks on payment systems were reported in the financial sector during 2016. Attackers also targeted inventory management processes, vendor payment processes, and supply chain processes.
These attacks have a higher payoff (averaging millions of USD as opposed to hundreds for ransomware). Larger, more organized cyber crime gangs and rogue nation state players will be attracted to such attacks. They take more time, skills and knowledge of internal processes, but the payoff is significantly higher.
Global losses are estimated at over 2 billion USD, affecting thousands of organizations.
Organizations' abilities to defend themselves are weaker today. The focus is on protecting individual assets and applications, while ignoring attack campaigns on business processes.
2017 prediction: The average value of BPC attacks will go up, causing some organizations to lose tens of millions of USD. The number of affected organizations will still be lower given the effort involved in launching such attacks.
Targeted Business Social Engineering
Business social engineering schemes include CEO fraud, bogus invoice schemes, legal scare scams, identity takeover of executives, and PII data stealing.
Social engineering attacks on organizations have increased, with attackers conducting research on employees and company strategies before scamming high-level employees.
Attacker research includes social media data, company news releases, technology case studies, and internal data obtained through sniffing. Attackers then target lower-level employees with emails, social media communications, and customized website messages.
The majority of BPC attacks involve long campaigns of targeted social engineering.
These attacks could also be short non-technical attacks such as Business Email Compromise (BEC) attacks, which saw a rise in 2016. BEC utilizes knowledge of an organization's internal processes to trick employees into conducting payments and other transactions on behalf of attackers.
The estimated losses from BEC alone were over 3 billion USD in 2016, affecting over fifty thousand organizations globally.
2017 prediction: Given the amount of available online data on employees and organizations, this type of attack is easy to carry out. Innovation will no longer be on the technical aspects of an attack, but rather on fraud schemes. 2017 will see many variations in tricking employees into giving away data or money.
Hi-Tech Insider Abuse
Insider threats have received reduced attention due to the stream of news about external attacks.
But insider threats continue to affect organizations, despite their small number compared to external attacks (60% external versus less than 30% internal).
Over the past few years, two key controls, data leakage detection and privileged identity management, have contained this threat.
Insider threats continue to rise as the workforce composition changes. Today there is more technical know-how and teleworking, but less organizational empathy. The following attacks will get more sophisticated:
Data leakage bypass through encryption
Chunking through micro-blogging
Masquerading as normal traffic
Collaboration with external threat actors
2017 predictions: Insider attacks will become as hi-tech as advanced external attacks. These attacks will involve longer campaigns, multiple evasive tools, and co-worker social engineering for credential theft.
Nine Things You Need to Know about Insider Threats
Types of incidents: 35% of organizations have experienced at least one insider threat, with the following breakdown (the total does not equal 100% as some respondents had more than one type of incident):
Data leak: 49%
Fraud: 41%
Data breach: 36%
IP theft: 16%
Threats to non-perimeter assets
3 trends have already reached tipping point:
Teleworking and personal devices used for an increasingly mobile workforce (25% of employees work remotely at least part of the time; 32% have used personal devices in addition to corporate devices)
Cloud-first strategy for both native cloud and SaaS applications (57% of organizations have cloud assets today; organizations on average have 3 SaaS apps deployed)
Social media administering corporate information and marketing activities (corporate data is 40% as likely to be in social media as in internal stores)
Threats to these assets and data outside of enterprise perimeters are a reality. Cloud and social media incidents related to corporate data have seen a 70% rise.
Organizations have not formalized risk modeling frameworks for these assets and data. In addition, their on-premise risk mitigation isn't easily transferable. E.g. monitoring for threats in a cloud requires a different architecture and data collection, and existing IPS and SIEM cannot simply be extended to cover cloud assets.
2017 prediction: Attacks focused only on non-perimeter assets will increase. Organizations will have a significant delay in discovering them, compared to the average of 150 days for on-premises attacks.
Key Strategies 2017
Strategy 1: Analytical and Machine Learning systems
Advanced threats are bypassing rule-based systems. Malware, account takeover attacks, lateral movement, data exfiltration and fraudulent transactions are being modified by attackers to avoid detection.
The typical advanced attack is a long drawn-out campaign, similar to a war with multiple battles within one single attack. Current detection systems are unable to link individual threats into the full campaign, preventing a big-picture view of the attack.
2017 will see organizations adopt more analytical systems with machine learning capabilities and big data storage approaches to solve the latter two problems. Gartner estimates that over 50% of organizations will have security data warehouses with analytics data within the next four years. (For a detailed description of this strategy, refer to the Paladion report on Next Gen SOC and security analytics.)
Machine learning analytics will be applied for network analytics, end point analytics, user & entity behavior analytics, and for deeper mining of security alerts.
Use analytical and machine learning based systems for advanced malware and ransomware, slow and low attacks, unknown attack methods, data exfiltration, transaction fraud, and to see long drawn-out campaigns.
Security analytics platform (diagram)
Visual layer: Collaboration, Active Discovery, Active Response, Alerts
Data: Raw Data, Context Data, Alert Data
Connector layer
Big data technology with data sciences:
Machine learning methods: Outlier algorithms, Pattern search algorithms, Association algorithms, Rare event algorithms
Graph theory: Link analysis, Visual analytics
Multi-node streaming rule engine
Data mining
Statistical & probabilistic modelling
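Two of the techniques the diagram lists, link analysis and rare-event scoring, are what turn a pile of individual alerts into the "full campaign" view the slide says current systems lack. The block below is an added example written for this page (it is not Paladion's platform or any of its code): it links alerts that share a host, user or external IP with a union-find graph, then scores each linked group by how many kill-chain stages it spans, how many of its alert types are rare across the whole stream, and how many days it stretches over. All alerts, hosts, users and IPs are constructed sample values.

```python
"""Campaign linking over discrete security alerts (added illustration)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed alert stream: a slow phish -> macro -> lateral move -> exfil chain
# on one user, plus three unrelated AV quarantines that share nothing.
ALERTS = [
    {"ts": "2017-01-03T08:12:00", "type": "phish_click", "stage": "delivery",
     "host": "ws-101", "user": "alice", "ext_ip": "198.51.100.7"},
    {"ts": "2017-01-03T08:15:00", "type": "macro_exec", "stage": "execution",
     "host": "ws-101", "user": "alice", "ext_ip": None},
    {"ts": "2017-01-05T22:40:00", "type": "new_admin_logon", "stage": "lateral_movement",
     "host": "srv-db-2", "user": "alice", "ext_ip": None},
    {"ts": "2017-01-09T03:05:00", "type": "large_upload", "stage": "exfiltration",
     "host": "srv-db-2", "user": "svc-backup", "ext_ip": "198.51.100.7"},
    {"ts": "2017-01-04T10:00:00", "type": "av_quarantine", "stage": "execution",
     "host": "ws-300", "user": "bob", "ext_ip": None},
    {"ts": "2017-01-04T11:00:00", "type": "av_quarantine", "stage": "execution",
     "host": "ws-301", "user": "carol", "ext_ip": None},
    {"ts": "2017-01-04T12:00:00", "type": "av_quarantine", "stage": "execution",
     "host": "ws-302", "user": "dave", "ext_ip": None},
]

STAGE_ORDER = ["delivery", "execution", "lateral_movement", "exfiltration"]


class UnionFind:
    """Minimal disjoint-set structure over hashable node keys."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_campaigns(alerts):
    """Link analysis: alerts sharing a host, user or external IP form one group."""
    uf = UnionFind()
    for i, a in enumerate(alerts):
        uf.union(("alert", i), ("host", a["host"]))
        uf.union(("alert", i), ("user", a["user"]))
        if a["ext_ip"]:
            uf.union(("alert", i), ("ip", a["ext_ip"]))
    groups = defaultdict(list)
    for i in range(len(alerts)):
        groups[uf.find(("alert", i))].append(i)
    return [sorted(g) for g in groups.values()]


def analyze(alerts=ALERTS):
    """Score each linked group by stage breadth, rarity of alert types and duration."""
    type_freq = Counter(a["type"] for a in alerts)
    results = []
    for idx in link_campaigns(alerts):
        stages = {alerts[i]["stage"] for i in idx}
        ordered = [s for s in STAGE_ORDER if s in stages]
        # rare event: an alert type seen exactly once in the whole stream
        rare = sum(1 for i in idx if type_freq[alerts[i]["type"]] == 1)
        times = [datetime.fromisoformat(alerts[i]["ts"]) for i in idx]
        results.append({
            "alerts": idx,
            "stages": ordered,
            "rare_alerts": rare,
            "span_days": (max(times) - min(times)).days,
            "score": 10 * len(ordered) + rare,
        })
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for campaign in analyze():
        print(campaign)
```

On the constructed input the four low-volume alerts on alice's path collapse into one campaign spanning all four stages over five days, while the three noisy AV quarantines, which share no entity, stay separate single-stage groups with low scores; that ordering is the "big picture" view the strategy describes.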
Strategy 2: End Point Threat Detection
Organizations have matured via logs and network threat monitoring, made possible by wide adoption of SIEM, IPS and network sandboxing technologies. Advanced attackers are now bypassing these technologies by attacking users and their end point devices. DBIR data shows over 40% of today's breaches are caused by end point compromises.
Traditional anti-malware technologies can no longer contain these advanced attacks:
New malware that bypasses signatures and detects sandboxing
Malware using scripts and batch files
Account takeovers via social engineering or privilege escalation attacks on endpoints
Organizations will enable similar 24/7 monitoring for endpoints as is done for networks and logs today. This monitoring will continuously search for threat & compromise indicators on endpoints using a combination of rules, signatures, behavior anomalies, and peer profiling.
2017 will see large organizations rolling out EDR technologies and services. IDC estimates that over 80% of organizations will have this capability by 2018. Refer to Paladion's report on IST for more details on how to monitor threats at end points.
Paladion ETDR as a Service (diagram)
1. Endpoints with agents installed
2. Paladion ETDR as a Service
3. Fast, accurate, complete detection at scale: continuous monitoring on endpoints for data leakage, malware activity, user behaviors and lateral movement
4. Analysis and investigation: IR for alerts (validate, prioritize, mitigate)
5. Remediation at scale: fix issues quickly and completely
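The strategy says endpoint monitoring should combine rules, signatures, behavior anomalies and peer profiling, and the ransomware slide earlier points at selective file encryption as the behavior to catch. The block below is an added example written for this page, not Paladion ETDR and not the IOC paper the ransomware slide refers to: it runs one detector of each kind over constructed process and file telemetry, including a ransomware-style burst of files rewritten with a new extension. Hosts, hashes, paths, fleet prevalence figures and the blocklist are all made-up sample values.

```python
"""Endpoint detection over process and file telemetry (added illustration)."""
from collections import defaultdict

FLEET_SIZE = 200  # constructed: number of monitored endpoints

PROCESS_EVENTS = [  # constructed: host, pid, image, parent image, sha256
    {"host": "ws-101", "pid": 4120, "image": "WINWORD.EXE", "parent": "explorer.exe", "sha256": "aa11"},
    {"host": "ws-101", "pid": 4188, "image": "powershell.exe", "parent": "WINWORD.EXE", "sha256": "bb22"},
    {"host": "ws-101", "pid": 4210, "image": "updsvc.exe", "parent": "powershell.exe", "sha256": "cc33"},
    {"host": "ws-205", "pid": 901, "image": "chrome.exe", "parent": "explorer.exe", "sha256": "dd44"},
    {"host": "ws-205", "pid": 933, "image": "cryptor.exe", "parent": "chrome.exe", "sha256": "ee55"},
]

# constructed peer profile: on how many fleet hosts each image has been seen
IMAGE_PREVALENCE = {"WINWORD.EXE": 190, "powershell.exe": 180, "explorer.exe": 200,
                    "chrome.exe": 195, "updsvc.exe": 1, "cryptor.exe": 1}

BAD_HASHES = {"ee55"}  # constructed signature blocklist

FILE_EVENTS = [  # constructed: 25 renames to a new extension in 25 seconds by one process
    {"host": "ws-205", "pid": 933, "t": 1000 + i, "action": "rename",
     "old": f"C:\\Users\\u\\Documents\\f{i}.docx",
     "new": f"C:\\Users\\u\\Documents\\f{i}.docx.locked"}
    for i in range(25)
] + [  # a benign rename that keeps the extension
    {"host": "ws-101", "pid": 4120, "t": 1500, "action": "rename",
     "old": "C:\\Users\\u\\Documents\\draft.docx", "new": "C:\\Users\\u\\Documents\\final.docx"},
]

OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def rule_office_spawns_script(ev):
    """Rule: an Office application launching a script interpreter."""
    if ev["parent"] in OFFICE and ev["image"] in SCRIPT_HOSTS:
        return ("rule", "office_app_spawned_script_host")


def sig_bad_hash(ev):
    """Signature: image hash on the blocklist."""
    if ev["sha256"] in BAD_HASHES:
        return ("signature", "known_bad_hash")


def peer_rare_image(ev, prevalence, fleet=FLEET_SIZE, max_ratio=0.01):
    """Peer profiling: an image present on at most max_ratio of the fleet."""
    if prevalence.get(ev["image"], 0) / fleet <= max_ratio:
        return ("peer_profile", "image_rare_across_fleet")


def ransomware_burst(file_events, window=60, threshold=20):
    """Behavior: (host, pid) renaming >= threshold files to a new extension within window seconds."""
    per_proc = defaultdict(list)
    for fe in file_events:
        if fe["action"] != "rename":
            continue
        if fe["old"].rsplit(".", 1)[-1] != fe["new"].rsplit(".", 1)[-1]:
            per_proc[(fe["host"], fe["pid"])].append(fe["t"])
    flagged = []
    for key, times in per_proc.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):          # sliding window ending at event i
            while times[j] < t - window:
                j += 1
            if i - j + 1 >= threshold:
                flagged.append(key)
                break
    return flagged


def detect(process_events=PROCESS_EVENTS, file_events=FILE_EVENTS, prevalence=IMAGE_PREVALENCE):
    """Return {(host, pid): [(detector, finding), ...]} for every process with a hit."""
    findings = defaultdict(list)
    for ev in process_events:
        key = (ev["host"], ev["pid"])
        for hit in (rule_office_spawns_script(ev), sig_bad_hash(ev), peer_rare_image(ev, prevalence)):
            if hit:
                findings[key].append(hit)
    for key in ransomware_burst(file_events):
        findings[key].append(("behavior", "mass_rename_new_extension"))
    return dict(findings)


if __name__ == "__main__":
    for proc, hits in detect().items():
        print(proc, hits)
```

Note how the detectors complement each other on the sample data: the PowerShell child of Word trips only the rule (it is a common binary, so peer profiling is silent), the dropped updsvc.exe trips only peer profiling (no rule or signature knows it), and cryptor.exe is caught three ways, with the rename burst being the one that would also fire on a never-seen-before variant.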
Strategy 3: Response Automation and Orchestration
Manual incident response is a time-consuming process. The average time for responses involving triage, incident analysis, containment, recovery, and eradication is over 35 days. Furthermore, organizations do not have runbooks for handling common incidents, and end up being unprepared for threats.
2017 will see organizations invest in central incident response platforms with automation for various stages of incident management. Organizations will build or acquire runbooks that integrate with these platforms. The platform will also have analytical capabilities to analyze incidents in-depth, uncovering the full blast radius and patient zero for long campaigns.
Forrester estimates that over 37% of organizations are currently planning to automate incident response management through analytics. For more details on how to implement this strategy, refer to Paladion’s reports on Next Gen SOC and security analytics & orchestration.
Response Automation (diagram)
Alert Validation: Verify how relevant the alert is in your context and the likelihood of damage
Incident Analysis: Investigate the impact, attacker, attack campaign and extent of compromise
Containment: Quickly contain the attack and its impact to stop the spread
Root Mitigation: Design security features to remove root causes and prevent repeat breaches
……………. across the lifecycle 24/7
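The four lifecycle stages in the diagram are what a runbook on a central response platform has to encode, and the part practitioners most often get wrong is deciding which containment actions may run unattended. The block below is an added example written for this page (not Paladion's platform): a small orchestrator that validates an alert against the organisation's own context, scopes the incident by the shared indicator, contains automatically only when confidence is high and the asset is not tagged critical (otherwise the action is queued for analyst approval), and records root-cause mitigations. Actions are applied to an in-memory inventory so the resulting state can be inspected; every host, user, IP and tag is a constructed sample value.

```python
"""Runbook-driven incident response orchestration (added illustration)."""
from dataclasses import dataclass, field

INVENTORY = {  # constructed asset inventory: host -> tags
    "ws-101": {"owner": "alice", "critical": False},
    "ws-102": {"owner": "bob", "critical": False},
    "srv-db-2": {"owner": "dba", "critical": True},
}
KNOWN_BAD_IPS = {"198.51.100.7"}  # constructed threat intel
NETWORK_CONTACTS = {  # constructed telemetry: host -> external IPs contacted recently
    "ws-101": {"198.51.100.7", "203.0.113.9"},
    "ws-102": {"198.51.100.7"},
    "srv-db-2": {"198.51.100.7"},
}


@dataclass
class Incident:
    alert: dict
    confidence: float = 0.0
    scope: set = field(default_factory=set)
    actions_done: list = field(default_factory=list)
    pending_approval: list = field(default_factory=list)
    mitigations: list = field(default_factory=list)
    audit: list = field(default_factory=list)


class Orchestrator:
    AUTO_CONTAIN_MIN_CONFIDENCE = 0.7  # below this, containment waits for an analyst

    def __init__(self, inventory, bad_ips, contacts):
        self.inventory, self.bad_ips, self.contacts = inventory, bad_ips, contacts
        self.isolated_hosts, self.blocked_ips = set(), set()

    def validate(self, inc):
        """Stage 1: relevance to our context and likelihood of damage."""
        a, score = inc.alert, 0.0
        if a.get("host") in self.inventory:
            score += 0.4  # the alert refers to an asset we actually own
        if a.get("dst_ip") in self.bad_ips:
            score += 0.4  # indicator matches threat intel
        if a.get("severity") == "high":
            score += 0.2
        inc.confidence = round(score, 2)
        inc.audit.append(f"validate: confidence={inc.confidence}")
        return inc.confidence

    def analyze(self, inc):
        """Stage 2: extent of compromise, i.e. every host that touched the same indicator."""
        ioc = inc.alert.get("dst_ip")
        inc.scope = {h for h, ips in self.contacts.items() if ioc in ips}
        inc.scope.add(inc.alert["host"])
        inc.audit.append(f"analyze: scope={sorted(inc.scope)}")
        return inc.scope

    def contain(self, inc):
        """Stage 3: block the indicator; isolate hosts, with approval gating."""
        ioc = inc.alert.get("dst_ip")
        if ioc in self.bad_ips:
            self.blocked_ips.add(ioc)
            inc.actions_done.append(("block_ip", ioc))
        for host in sorted(inc.scope):
            action = ("isolate_host", host)
            critical = self.inventory.get(host, {}).get("critical", True)  # unknown = treat as critical
            if inc.confidence >= self.AUTO_CONTAIN_MIN_CONFIDENCE and not critical:
                self.isolated_hosts.add(host)
                inc.actions_done.append(action)
            else:
                inc.pending_approval.append(action)
        inc.audit.append(f"contain: done={inc.actions_done} pending={inc.pending_approval}")

    def mitigate(self, inc):
        """Stage 4: record the preventive change that removes the root cause."""
        if inc.alert.get("vector") == "phishing":
            inc.mitigations.append("enforce_attachment_sandboxing")
        if inc.alert.get("dst_ip") in self.bad_ips:
            inc.mitigations.append("add_ioc_to_perimeter_blocklist")
        inc.audit.append(f"mitigate: {inc.mitigations}")
        return inc.mitigations

    def run(self, alert):
        inc = Incident(alert=alert)
        if self.validate(inc) < 0.4:
            inc.audit.append("closed: not relevant to this environment")
            return inc
        self.analyze(inc)
        self.contain(inc)
        self.mitigate(inc)
        return inc


SAMPLE_ALERT = {  # constructed EDR alert: beacon from ws-101 after a phishing mail
    "host": "ws-101", "dst_ip": "198.51.100.7", "severity": "high", "vector": "phishing",
}

if __name__ == "__main__":
    print(Orchestrator(INVENTORY, KNOWN_BAD_IPS, NETWORK_CONTACTS).run(SAMPLE_ALERT).audit)
```

The audit list is the runbook's evidence trail; the pending_approval queue is where a critical database server ends up even at full confidence, which is the distinction between automating response and automating an outage.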
Strategy 4: Digital VM Programs
Continuous Automated Intelligence
Vulnerability management programs in most organizations are slow and cumbersome. Automation of test planning, scheduling, reporting, mitigation, analytics generation, and distribution is limited.
The vulnerability results are not prioritized for attack scenarios, i.e. which vulnerability will be exploited in an organization's own context and hence needs faster remediation. There is limited threat intelligence gathering and correlation with vulnerabilities.
Digital VM programs aim to automate analytics and threat intelligence so that vulnerability discovery, mitigation, and stakeholder collaboration are fast-tracked. This enables VM programs to run continuously, like existing security monitoring programs.
2017 will see organizations implement digital VM programs with a centralized VM platform. Gartner estimates that enterprises that implement a strong vulnerability management process will experience 90% fewer successful attacks.
Refer to Paladion's report on this topic. It's time to stop being complacent about vulnerabilities and execute this strategy.
Digital VM cycle (diagram): Analytics, Discovery, Testing, Triaging, Mitigation
Digital VM platform (diagram)
Workflow Management and Vulnerability Analytics
Components: Asset Aggregator, Test Manager, Security Telemetry, Triage Engine, Solution Store, Policy Enforcer
Roles: Test Administrators, Pen Testers, Vulnerability Analysts, Solution SMEs, Remediators
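The strategy's central complaint is that scanner output is not prioritized for the organization's own attack scenarios, and the platform diagram names the pieces that fix that: an asset aggregator, a triage engine and threat intelligence. The block below is an added example written for this page (not Paladion's platform): a triage engine that re-ranks findings by asset exposure and criticality, by whether a public exploit exists or exploitation has been observed in the wild, and by compensating controls, then assigns a remediation SLA per priority band. Assets, findings and intel are constructed records, and the CVE-style identifiers are placeholders, not real advisories.

```python
"""Context-aware vulnerability triage (added illustration)."""
from datetime import date, timedelta

ASSETS = {  # constructed asset aggregator output
    "web-01": {"internet_facing": True, "criticality": "high", "waf": True},
    "web-02": {"internet_facing": True, "criticality": "low", "waf": False},
    "hr-db": {"internet_facing": False, "criticality": "high", "waf": False},
    "kiosk-7": {"internet_facing": False, "criticality": "low", "waf": False},
}

THREAT_INTEL = {  # constructed; placeholder IDs, not real CVEs
    "CVE-0000-0001": {"exploit_public": True, "exploited_in_wild": True},
    "CVE-0000-0002": {"exploit_public": True, "exploited_in_wild": False},
}

FINDINGS = [  # constructed scanner output; note two RCEs with identical CVSS
    {"asset": "web-01", "vuln": "CVE-0000-0001", "cvss": 9.8, "kind": "rce"},
    {"asset": "web-02", "vuln": "CVE-0000-0003", "cvss": 9.8, "kind": "rce"},
    {"asset": "hr-db", "vuln": "CVE-0000-0002", "cvss": 7.5, "kind": "sqli"},
    {"asset": "kiosk-7", "vuln": "CVE-0000-0004", "cvss": 5.3, "kind": "info_leak"},
    {"asset": "web-01", "vuln": "CVE-0000-0005", "cvss": 4.3, "kind": "xss"},
]

SLA_DAYS = {"P1": 3, "P2": 14, "P3": 30, "P4": 90}  # constructed remediation policy


def risk_score(finding, assets, intel):
    """CVSS scaled by exposure, criticality, threat intel and compensating controls."""
    asset = assets[finding["asset"]]
    ti = intel.get(finding["vuln"], {})
    score = finding["cvss"]
    score *= 1.5 if asset["internet_facing"] else 1.0
    score *= {"high": 1.3, "medium": 1.0, "low": 0.7}[asset["criticality"]]
    if ti.get("exploited_in_wild"):
        score *= 1.5
    elif ti.get("exploit_public"):
        score *= 1.2
    # a WAF in front of a web-layer bug is a compensating control, not a fix
    if asset.get("waf") and finding["kind"] in {"sqli", "xss"}:
        score *= 0.6
    return round(score, 2)


def priority_band(score):
    if score >= 15:
        return "P1"
    if score >= 9:
        return "P2"
    if score >= 5:
        return "P3"
    return "P4"


def triage(findings=FINDINGS, assets=ASSETS, intel=THREAT_INTEL, today=date(2017, 1, 2)):
    """Return findings sorted by contextual risk, each with a priority and due date."""
    queue = []
    for f in findings:
        s = risk_score(f, assets, intel)
        band = priority_band(s)
        queue.append({**f, "risk": s, "priority": band,
                      "due": (today + timedelta(days=SLA_DAYS[band])).isoformat()})
    return sorted(queue, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    for item in triage():
        print(item["priority"], item["due"], item["asset"], item["vuln"], item["risk"])
```

The point the sample makes is that the two CVSS 9.8 findings land in different bands: the one on the critical, internet-facing host with in-the-wild exploitation becomes a P1 due in three days, while the same severity on a low-value host without intel drops to P2, and the internal SQL injection with a public exploit outranks it.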
Strategy 5: Security for CloudOps and DevOps
Organizations moving to the cloud for their development, in terms of testing and production systems, will look at integrating security into their CloudOps and DevOps.
DoS attacks are already happening on the cloud. It is the APT kind of attacks that will be difficult to detect in a cloud environment, and these can potentially affect multiple tenants simultaneously.
The two main requirements for security will be:
Speed of controls, given that CloudOps and DevOps are both highly automated in providing resources, changing configurations, and deploying systems & users
Seamless use of cloud technologies such as native APIs of cloud providers, configuration management systems such as Chef/Puppet, and ChatOps systems such as Slack
Securing CloudOps and DevOps needs tools that are built differently. This applies to security monitoring, vulnerability testing, configuration reviews, and identity & user activity monitoring.
In 2017, organizations will adopt new security architecture & practices to secure cloud assets and a more agile development environment. They will then look at integrating these security processes into their traditional on-premise security management systems for an integrated view.
Cloud Architecture (diagram)
Cloud data sources: CloudTrail, Flow Logs, CloudWatch, IAM, Docker, Windows servers, Unix servers, Amazon Console Scanners
Collection and analysis: Collector, Network Threat Module, Automation Script
Cloud Security Platform, integrated with on-premise SOCs
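The architecture diagram feeds CloudTrail and IAM data into a collector, and the strategy text says cloud monitoring and configuration review need tools built for the provider's native APIs. The block below is an added example written for this page (not Paladion's cloud security platform): a collector-side detector over constructed CloudTrail-style records that flags three high-impact control-plane changes an attacker or a careless pipeline can make in seconds: attaching an administrator policy, stopping the audit trail, and opening an administrative port to the whole internet. The field names (eventName, eventSource, userIdentity, requestParameters) follow the real CloudTrail record layout; every account, user, trail, group ID and IP value is made up.

```python
"""Control-plane change detection over CloudTrail-style records (added illustration)."""

# Constructed records in CloudTrail's record layout; all values are sample data.
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2017-01-10T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"userName": "deploy-bot",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2017-01-10T09:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2017-01-10T09:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "ops-anna"},
     "sourceIPAddress": "198.51.100.20",
     "requestParameters": {"groupId": "sg-0abc", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2017-01-10T09:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ops-anna"},
     "sourceIPAddress": "198.51.100.20", "requestParameters": {}},
]

ADMIN_PORTS = {22, 3389, 3306, 5432}          # SSH, RDP, MySQL, PostgreSQL
PRIVILEGED_POLICY_SUFFIXES = ("AdministratorAccess", "IAMFullAccess")
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}
POLICY_ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}


def open_admin_ports(ip_permissions):
    """Return sorted (port, cidr) pairs where an admin port is reachable from 0.0.0.0/0."""
    hits = []
    for perm in ip_permissions.get("items", []):
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if lo is None or hi is None:          # all-traffic rule (ipProtocol "-1") has no ports
            lo, hi = 0, 65535
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                hits.extend((port, rng["cidrIp"]) for port in ADMIN_PORTS if lo <= port <= hi)
    return sorted(hits)


def detect(records=CLOUDTRAIL_RECORDS):
    """Run the three detectors over a record stream and return alert dicts in event order."""
    alerts = []
    for r in records:
        name, src = r["eventName"], r["eventSource"]
        who = r["userIdentity"].get("userName", r["userIdentity"].get("type"))
        params = r.get("requestParameters") or {}
        base = {"actor": who, "time": r["eventTime"], "source_ip": r.get("sourceIPAddress")}
        if src == "iam.amazonaws.com" and name in POLICY_ATTACH_EVENTS \
                and params.get("policyArn", "").endswith(PRIVILEGED_POLICY_SUFFIXES):
            alerts.append({**base, "rule": "privileged_policy_attached", "detail": params["policyArn"]})
        elif src == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPER_EVENTS:
            alerts.append({**base, "rule": "audit_logging_tampered", "detail": params.get("name")})
        elif name == "AuthorizeSecurityGroupIngress":
            for port, cidr in open_admin_ports(params.get("ipPermissions", {})):
                alerts.append({**base, "rule": "admin_port_open_to_world",
                               "detail": f"{params.get('groupId')} tcp/{port} from {cidr}"})
    return alerts


def actors_with_repeat_hits(alerts, min_hits=2):
    """Actors behind several alerts: the 'speed of controls' case, one identity, minutes apart."""
    counts = {}
    for a in alerts:
        counts[a["actor"]] = counts.get(a["actor"], 0) + 1
    return sorted(actor for actor, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    found = detect()
    for a in found:
        print(a["time"], a["rule"], a["actor"], a["detail"])
    print("repeat actors:", actors_with_repeat_hits(found))
```

Because the same identity both grants itself administrator rights and then stops the trail within five minutes, actors_with_repeat_hits singles out deploy-bot; that sequence is exactly the kind of control-plane campaign the slide says on-premise IPS and SIEM rules were never written to see.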
Contact us today to combat today's sophisticated cyber threats
Visit www.paladion.net