Targeted & Persistent Attacks in EU
The need for coordination and information sharing between EU member states
Eoghan Casey, CASEITE & DFLabs
2012 Copyright Eoghan Casey and CASEITE. All rights reserved.

Attack against RSA - http://blogs.rsa.com/rivner/anatomy-of-an-attack/
Large-scale credit card robbery
- Initial intrusion into regional office
- Weak internal security: servers with well-known vulnerabilities; unrestricted access to central servers
- Weak egress filtering: file transfer permitted from central servers to the Internet
- Weak system monitoring: intruder created an account on a central server, installed a sniffer on the server; sniffer and file-transfer log files were created on the server
- Weak network monitoring: network-level logs recorded the file transfers
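The last point above is where this kind of robbery is detectable after the fact: the network-level logs already held the outbound transfers, nobody was looking at them. As an added example, not part of the original deck, here is a small Python check over constructed flow-log lines that flags transfers from assumed central servers to addresses outside an assumed internal range, either over a file-transfer port or above a size threshold:

```python
import ipaddress

# Constructed sample of network-level flow log lines (not from the original deck):
# timestamp  source  destination  dst_port  bytes_out
SAMPLE_FLOW_LOG = """\
2012-03-01T02:14:07Z 10.1.5.20 10.1.5.30 445 18200
2012-03-01T02:15:11Z 10.1.5.20 198.51.100.77 21 734003200
2012-03-01T02:16:40Z 10.1.7.14 10.1.7.1 53 512
2012-03-01T02:17:02Z 10.1.5.21 203.0.113.9 22 95420000
2012-03-01T02:18:59Z 10.1.9.3 198.51.100.77 443 4096
"""

# Assumed central servers: they hold the card data and should never push files to the Internet.
CENTRAL_SERVERS = {"10.1.5.20", "10.1.5.21"}
# Assumed internal address space; any destination outside it is treated as Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports of common file-transfer services (FTP, SSH/SCP/SFTP, FTPS) and a size
# above which a single outbound flow is worth a look regardless of port.
FILE_TRANSFER_PORTS = {21, 22, 990}
SIZE_THRESHOLD = 50 * 1024 * 1024  # 50 MiB


def parse_flow_line(line):
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspicious_egress(log_text, central=CENTRAL_SERVERS):
    """Return (ts, src, dst, reason) for every flow in which a central server
    sends data to an external host over a file-transfer port or in bulk."""
    hits = []
    for line in log_text.strip().splitlines():
        f = parse_flow_line(line)
        if f["src"] not in central or not is_external(f["dst"]):
            continue
        reasons = []
        if f["port"] in FILE_TRANSFER_PORTS:
            reasons.append("file-transfer port %d" % f["port"])
        if f["bytes"] >= SIZE_THRESHOLD:
            reasons.append("%d bytes out" % f["bytes"])
        if reasons:
            hits.append((f["ts"], f["src"], f["dst"], "; ".join(reasons)))
    return hits
```

Run against the sample it reports the two bulk transfers from the central servers and ignores the internal SMB flow and the small HTTPS flow from a workstation.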
Coordinated Linux intrusions
Attacker's modus operandi:
- Repository of stolen SSH credentials
- Privilege escalation
- LKM rootkits and a tricky backdoor
- Trojanized SSH daemon
- Resilient C2 and exfiltration
- Destroy digital evidence
Common mistakes
1) Underestimating the adversary: too quick to containment
2) Lack of evidence: no centralized logging infrastructure
3) Improper evidence handling: updating antivirus and scanning compromised systems
Know the adversary
- Initial intrusions are not necessarily sophisticated: spear phishing or vulnerable servers
- Once inside, they spread virulently
- Inside-out attacks circumvent egress filtering
- Undermine security monitoring: file system tampering; multiple malware versions with custom packing; blend in with normal traffic; encrypt command, control and exfiltration
Quick containment?
Current recommendation:
"When an incident has been detected and analyzed, it is important to contain it before the spread of the incident overwhelms resources or the damage increases. Most incidents require containment, so it is important to consider it early in the course of handling each incident."
- NIST SP 800-61 Rev. 1, page 3-19
Managing a data breach effectively
Effective eradication of intruders
Cross-border information sharing
- The same attackers are targeting all EU member states > consolidate adversary knowledge
- Trust between government and industry: confidentiality agreements
- The more information there is to examine, the better
- Sanitize what is shared to protect victims
Information exchange standards
STIX: Structured Threat Information eXpression
STIX Whitepaper - makingsecuritymeasurable.mitre.org/docs/STIX-Whitepaper.pdf
Get in touch
Eoghan Casey
DFLabs Business Partner, Risk Prevention and Response Co-manager
[email protected] www.dflabs.com