Webinar slides: How APTs Changed the Game

Transcript of "Webinar slides: How APTs Changed the Game" (BAE Systems Applied Intelligence with guest speaker from CEB TowerGroup, 2014; 30 slides)

Page 1

Copyright © 2014 BAE Systems. All Rights Reserved. BAE Systems is a trade mark of BAE Systems Plc
Applied Intelligence
COMMERCIAL IN CONFIDENCE

APTs Changed the Game: Find out what your peers are doing to address them

Page 2

GUEST SPEAKER

Jason Malo
• Research Director – Security & Fraud, CEB TowerGroup

Page 3

GUEST SPEAKER

Colin McKinty
• Regional Vice President – Cyber, BAE Systems Applied Intelligence

Page 4

© 2013 The Corporate Executive Board Company. All Rights Reserved.
CEB TowerGroup Retail Banking

APTs CHANGED THE GAME … (agenda)

• APTs: Monster Under the Bed Revealed
• How Your Peers Are Organizing and Investing
• Where Countermeasures Are Effective and Need Help

Page 5

Targeted Attacks

LAYERED ATTACKS MEET LAYERED SECURITY

Social Engineering, Phishing, SMiShing
Denial of Service Attacks

April 26, 2011 — 77 million customer records were stolen.
“Security teams were working very hard to defend against denial of service attacks, and that may have made it more difficult to detect this intrusion quickly.”1

These efforts are still very effective, and are often used in concert with more complex attacks.

Source: CEB IREC, A Guide to Advanced Persistent Threats, January 2012

Attack progression (as drawn on the slide):
Profile the Target → Track the Target → Install Malware → Malware Disables Existing Security Controls → Attacker Takes Control

Low Sophistication
• Takes direct control
• Leaves behind tracks
• Primitive/clumsy methods
• Scattered search
• Easier to identify
• Spelling/grammatical errors

High Sophistication
• Takes indirect control
• Wiping tracks
• Unique methods
• Clear objectives
• Dormant/low profiles

1. Sony Computer Entertainment chairman in letter to Congress, May 2011

Stuxnet – June 2010
Sophisticated malware designed specifically to target one kind of supervisory control and data acquisition (SCADA) system and to subvert detection.

Page 6

MOST ATTACKS ARE NOT “ADVANCED”

Verizon saw only one breach due to a highly sophisticated, “advanced” attack, but one complex event is enough.

Sophistication of Attack Methods Resulting in a Data Breach (510 attributable data breaches)

Very Low    10%  (50)
Low         67%  (343)
Moderate    23%  (116)
High         0%  (1; rounds to 0% of 510)

THE DIFFICULTY RATING OF ATTACKS
VERY LOW: the average person could have done it.
LOW: basic methods, little or no customization or resources required.
MODERATE: some skilled techniques and customization required.
HIGH: advanced skills, significant customizations, and/or extensive resources required.

What about attacks or data thefts that go undetected? We have to address the most significant risk, but be wary of the existence and the typical evolutionary path of these threats.

Source: 2013 Data Breach Investigations Report, Verizon

Page 7

APTS ARE PERSISTENT & TARGETED

Targeted persistent attacks utilize multiple techniques and tools of varying levels of sophistication. “Advanced” is a moving standard, but focused attackers have deeper toolkits.

APT Characteristics

Targeted                  Persistent
Well-funded               Control
Targeted Malware          Coordinated
Sophisticated Code        Data Exfiltration
Circumvents Firewall      Multi-Vector
Sophisticated Hacking     Sustained
Social Engineering        Clandestine
Internally Supported      Focused

Page 8

RENEW FOCUS ON WHAT’S IMPORTANT

It’s important to understand the threat landscape, but an effective defense must always come back to the protection of what’s important.

The impact of advanced threats are
(chart; percentages paired with labels in the order they were extracted)
Exposure of sensitive data                 66%
Theft of data or intellectual property     62%
Introduction of malware                    61%
Trusted/Privileged user abuse              54%
Compromised user accounts                  54%
System sabotage                            45%
Advanced persistent threats                43%
Lack of forensics                          31%

Source: The Insider Threat, Vormetric

Page 9

(Agenda divider, repeated from page 4: APTs: Monster Under the Bed Revealed · How Your Peers Are Organizing and Investing · Where Countermeasures Are Effective and Need Help)

Page 10

2013 ENTERPRISE THREAT LANDSCAPE OVERVIEW

Regulatory compliance, threats, and malicious actors are the greatest sources of risk.

Threat Rankings By Level of Information Executive Concern (Source: CEB 2013 Threat Landscape Survey, N=69), in the order extracted from the chart:
• Denial of Service
• Environmental
• Vulnerabilities in Domain Controllers
• Third Party Risk: IaaS
• Other Social Engineering
• Use of Employee-Owned Mobile Devices
• Hacktivism
• Third Party Risk: Non-Cloud
• Unintentional User Behavior, Employee Carelessness
• Regulatory Non-Compliance: Employee Owned Devices
• Regulatory Non-Compliance: Big Data and Customer…
• Web Application Vulnerabilities
• Organized Crime and Fraud
• Privilege Abuse
• Third Party Risk: SaaS
• Malicious Insiders
• Targeted Phishing
• State-Sponsored Attacks
• Regulatory Non-Compliance: All Types

Page 11

CURRENT DEFENSES ARE INCOMPLETE, NOT OBSOLETE

Current, outward-looking network-layer security “walls” are being subverted, requiring an inward-looking complement.

What happens between checkpoints, and what happens between devices?
• Often checkpoints are asymmetric and provide inadequate data capture.
• What happens in between checkpoints, or even once past all of them?
• What are the network-layer data ingress points that bypass the checkpoints?

Diagram labels: Perimeter, Core, Edge, Datacenter, Virtual Network, Point-in-Time Assessment

Page 12

RELATIVE SUCCESS AGAINST THE MOST PROLIFIC ATTACKS

Types of cyber attacks experienced (2013, n = 234 separate companies)
Malware                      99%
Viruses, worms, trojans      98%
Web-based attacks            57%
Denial of service            57%
Botnets                      55%
Phishing & SE                52%
Stolen Devices               50%
Malicious Code               48%
Malicious Insiders           38%

Average days to resolve attack (2013, n = 234 separate companies)
Malicious Insiders           53.0
Malicious Code               42.4
Web-Based Attacks            28.9
Phishing & SE                19.3
Denial of Service            19.2
Stolen Devices               13.3
Malware                       5.0
Botnets                       2.7
Viruses, Worms, & Trojans     2.6

Source: 2013 Cost of Cyber Crime Study, Ponemon Institute, 10/2013

Page 13

CYBER CRIME COSTS DRIVEN BY SOME OF THE LEAST TECHNICAL MEANS

Average annualized cyber crime cost weighted by attack frequency (n = 234 companies)
Malicious Insiders          $154,453
Denial of Service           $139,931
Web-Based Attacks            $80,995
Malicious Code               $80,847
Phishing & SE                $31,059
Stolen Devices               $26,249
Botnets                         $899
Viruses, Worms, Trojans         $630
Malware                         $491

Cost mix of attacks by organizational size (size measured by number of enterprise seats in the organization; the two series are taken in the slide's legend order, Large Organizations then Small Organizations)
                          Large   Small
Botnets                     4%      8%
Malware                     4%     10%
Phishing & SE               7%     12%
Malicious Code             13%      8%
Stolen Devices             13%      9%
Viruses, Worms, Trojans     9%     15%
Malicious Insiders         15%      9%
Web-Based Attacks          14%     13%
Denial of Service          22%     16%

Source: 2013 Cost of Cyber Crime Study, Ponemon Institute, 10/2013
Source (also printed on the slide): 2013 Data Breach Investigations Report, Verizon

Page 14

RECOGNIZING ANTI-MALWARE BENEFITS AND CONSTRAINTS

Malware protection has successfully relied on blacklisting recognized code for years, but has always had a blind spot with zero-day attacks. Signature-based threat detection isn’t a silver bullet, nor is it completely outdated.

PROS
• Unobtrusive to users
• Definitive (not based on probability)
• Easy to manage
• Effective against many known threats

CONS
• Need to have seen the threat at least once
• Need to have a fingerprint
• Expanding signature set / unmanageable blacklist size
• Asymmetric

Expansion of checkpoints and user-attributable monitoring

Source: 2013 Data Breach Investigations Report, Verizon
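The “need to have seen it at least once” and “unmanageable blacklist size” constraints above are easiest to see with a toy scanner. The following is an added example, not code from the deck, from BAE Systems or from any anti-malware product: it compares an exact-hash blacklist with a byte-pattern signature against three constructed “binaries” (a known dropper, a trivially repacked variant and a benign tool). The sample bytes, the family name EvilDropper and the beacon string are all invented for the demonstration.

```python
"""Hash blacklist versus byte-pattern signature: where 'seen at least once' bites."""
import hashlib
import re
from typing import Dict, List, Optional

# Constructed sample "binaries" for the demonstration (not real malware):
# a known dropper, a repacked variant that differs by one byte, and a benign file.
KNOWN_DROPPER = (b"MZ\x90\x00" + b"\x00" * 28
                 + b"EvilDropper-v1 beacon=http://c2.invalid/ping " + b"\x90" * 64)
REPACKED_DROPPER = KNOWN_DROPPER.replace(b"v1", b"v2")
BENIGN_TOOL = (b"MZ\x90\x00" + b"\x00" * 28
               + b"NiceUtility-v1 update=http://vendor.invalid/check " + b"\x90" * 64)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Classic blacklist: exact hashes of samples the vendor has already analysed.
# It is definitive (no probability involved) but only knows what it has seen.
HASH_BLACKLIST: Dict[str, str] = {sha256(KNOWN_DROPPER): "EvilDropper"}

# Content signature: a byte pattern over the part of the sample that survives
# trivial edits (the beacon string). One rule covers a whole family of variants,
# at the price of needing a human-written fingerprint and some false-positive risk.
PATTERN_SIGNATURES = {
    "EvilDropper": re.compile(rb"EvilDropper-v\d+ beacon=http://[^\s]+/ping"),
}


def match_hash(data: bytes) -> Optional[str]:
    """Family name if the exact file hash is blacklisted, else None."""
    return HASH_BLACKLIST.get(sha256(data))


def match_pattern(data: bytes) -> Optional[str]:
    """Family name of the first byte-pattern rule that matches, else None."""
    for name, rule in PATTERN_SIGNATURES.items():
        if rule.search(data):
            return name
    return None


def scan(samples: Dict[str, bytes]) -> Dict[str, Dict[str, Optional[str]]]:
    """Per sample, report what each detector says (None means 'clean')."""
    return {label: {"hash": match_hash(d), "pattern": match_pattern(d)}
            for label, d in samples.items()}


def blacklist_entries_needed(variants: List[bytes]) -> int:
    """Exact-hash blacklisting needs one entry per distinct byte sequence."""
    return len({sha256(v) for v in variants})


if __name__ == "__main__":
    samples = {"known": KNOWN_DROPPER, "repacked": REPACKED_DROPPER, "benign": BENIGN_TOOL}
    for label, verdicts in scan(samples).items():
        print(f"{label:9} hash={str(verdicts['hash']):12} pattern={verdicts['pattern']}")
    # Fifty one-byte repacks of the same dropper: fifty hashes, still one pattern rule.
    variants = [KNOWN_DROPPER.replace(b"v1", b"v%d" % i) for i in range(1, 51)]
    print("hash entries for 50 variants:", blacklist_entries_needed(variants), "/ pattern rules: 1")
```

Running it shows the asymmetry the slide lists: the hash blacklist catches the known dropper and nothing else, so every repack the attacker ships costs the defender another entry, while the byte pattern catches the repack too but only because someone had already studied the family and written a fingerprint for it.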

Page 15

(Agenda divider, repeated from page 4: APTs: Monster Under the Bed Revealed · How Your Peers Are Organizing and Investing · Where Countermeasures Are Effective and Need Help)

Page 16

INFORMATION SECURITY ALIGNING 2014 EFFORTS

CISOs’ strategic priorities for 2014 stress an analytics-driven, risk-aware, modern-technology-focused enterprise approach to security.

CISOs’ Priorities for 2014 (percentage of respondents identifying the topic as a top three concern)
48%  Leveraging security analytics to understand attacks and make control/incident response decisions
38%  Improving security staff's business engagement skills
34%  Formalizing the interfaces with other risk functions (ERM, Legal, etc.)
32%  Bringing rigor to the selection of defenses from advanced threats/sophisticated attackers
31%  Maturing application security processes as mobile development increases
30%  Upgrading risk assessments as the "cloud" portion of the portfolio increases
30%  Updating processes around privileged access and superusers
28%  Driving the business to create an official statement of risk appetite
22%  Building staff technical skills to deal with advanced threats
18%  Presenting information about advanced attacks to the Board of Directors

Source: CEB 2013 Agenda Survey

Page 17

KEY TENETS OF AN APT STRATEGY

Kill chain phases shown: Delivery → Exploitation → Installation → Command and Control → Action on Objectives
(Source: Lockheed Martin Kill Chain Model. The slide shows five of the model’s seven phases; Reconnaissance and Weaponization, which precede Delivery, are omitted.)

Detection based on scanning may be too late: move detection up to the Delivery phase, using indexing, log activity and network visualization.

1. Monitoring Along the Entire Threat Lifecycle

2. End-User Awareness
• Newsletters, training, posters, and other materials are commonplace
• Internal drills oriented to user type and risk

3. Access Control
• Ongoing privileged-user audits
• User-based profiling, including risk-based controls
• Data classification, tracking and reporting

4. Incident Response
• Proactive role and responsibility definition, including communication and response protocols
• Post-incident learning plans
• Documentation and reporting is a challenge
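“Monitoring along the entire threat lifecycle” and “move detection up to the Delivery phase” are concrete once you tag each log event with the kill-chain phase it evidences and line the tags up per host. The block below is an added example, not code from the deck or from any BAE Systems or CEB product: it parses a handful of constructed mail, endpoint (EDR) and proxy log lines, classifies each with simple phase rules, detects beaconing as a cross-event rule, and reports the earliest phase at which each host could have been flagged. The log format, field names (host, attach, parent, child, path, key, dst, bytes_out), hostnames and thresholds are all this example’s own assumptions.

```python
"""Tag log events with kill-chain phases and correlate them per host."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample logs (not from the deck): one intrusion on WS-042 and
# one unrelated benign proxy hit on WS-017. Format: "<iso-time> <source> k=v k=v ..."
SAMPLE_LOGS = """\
2014-03-03T09:00:05 proxy host=WS-017 dst=www.example.com:443 bytes_out=2048
2014-03-03T09:01:12 mail host=WS-042 user=jdoe from=billing@supplier-invoices.invalid attach=Invoice_0313.docm
2014-03-03T09:03:40 edr host=WS-042 event=process_start parent=WINWORD.EXE child=powershell.exe
2014-03-03T09:03:58 edr host=WS-042 event=file_write path=C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe
2014-03-03T09:04:05 edr host=WS-042 event=registry_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
2014-03-03T09:05:30 proxy host=WS-042 dst=cdn-update.invalid:443 bytes_out=812
2014-03-03T09:06:30 proxy host=WS-042 dst=cdn-update.invalid:443 bytes_out=805
2014-03-03T09:07:30 proxy host=WS-042 dst=cdn-update.invalid:443 bytes_out=819
2014-03-03T11:40:02 proxy host=WS-042 dst=cdn-update.invalid:443 bytes_out=48210112
"""

# Rule thresholds: assumptions chosen for the demonstration, not tuned values.
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
RISKY_ATTACH = (".docm", ".xlsm", ".exe", ".js", ".scr")
RUN_KEY = "\\CurrentVersion\\Run"
EXFIL_BYTES = 10_000_000   # one upload above this size is treated as exfiltration
BEACON_MIN_HITS = 3        # evenly spaced small uploads to one destination = beacon
BEACON_JITTER_S = 5        # allowed spread between consecutive beacon intervals

Event = Dict[str, Any]


def parse(log_text: str) -> List[Event]:
    events: List[Event] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, rest = line.split(" ", 2)
        fields = dict(re.findall(r"(\w+)=(\S+)", rest))
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "fields": fields, "phase": None})
    return events


def tag_single(ev: Event) -> Optional[str]:
    """Phase evidenced by one event on its own, or None."""
    src, f = ev["source"], ev["fields"]
    if src == "mail" and f.get("attach", "").lower().endswith(RISKY_ATTACH):
        return "delivery"                      # macro/executable attachment arrived
    if src == "edr":
        if f.get("parent") in OFFICE_APPS and f.get("child", "").lower() in SCRIPT_HOSTS:
            return "exploitation"              # Office spawning a script host
        path = f.get("path", "")
        dropped = "AppData\\Roaming" in path and path.lower().endswith(".exe")
        if dropped or f.get("key", "").endswith(RUN_KEY):
            return "installation"              # dropped binary or Run-key persistence
    if src == "proxy" and int(f.get("bytes_out", "0")) >= EXFIL_BYTES:
        return "action_on_objectives"          # bulk upload
    return None


def tag_beacons(events: List[Event]) -> None:
    """Cross-event rule: small uploads to one destination at a steady interval."""
    by_dst: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for ev in events:
        if ev["source"] == "proxy" and ev["phase"] is None:
            by_dst[(ev["fields"]["host"], ev["fields"]["dst"])].append(ev)
    for group in by_dst.values():
        group.sort(key=lambda e: e["ts"])
        if len(group) < BEACON_MIN_HITS:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(group, group[1:])]
        if max(gaps) - min(gaps) <= BEACON_JITTER_S:
            for ev in group:
                ev["phase"] = "command_and_control"


def correlate(log_text: str) -> List[Event]:
    events = parse(log_text)
    for ev in events:
        ev["phase"] = tag_single(ev)
    tag_beacons(events)
    return events


def timeline(events: List[Event], host: str) -> List[Tuple[str, datetime]]:
    """Phase-tagged events for one host, oldest first."""
    hits = [(e["phase"], e["ts"]) for e in events
            if e["fields"].get("host") == host and e["phase"]]
    return sorted(hits, key=lambda h: h[1])


def earliest_phase(events: List[Event], host: str) -> Optional[str]:
    tl = timeline(events, host)
    return tl[0][0] if tl else None


def seconds_between(events: List[Event], host: str, first: str, later: str) -> Optional[float]:
    """Seconds from the first `first`-phase evidence to the first `later`-phase evidence."""
    firsts: Dict[str, datetime] = {}
    for phase, ts in timeline(events, host):
        firsts.setdefault(phase, ts)
    if first in firsts and later in firsts:
        return (firsts[later] - firsts[first]).total_seconds()
    return None


if __name__ == "__main__":
    evs = correlate(SAMPLE_LOGS)
    for host in ("WS-042", "WS-017"):
        print(host, "earliest phase seen:", earliest_phase(evs, host))
        for phase, ts in timeline(evs, host):
            print("   ", ts.time(), phase)
    print("delivery -> C2 on WS-042 (s):", seconds_between(evs, "WS-042", "delivery", "command_and_control"))
```

A team that only watches the proxy first sees WS-042 at the beaconing stage, and only after three intervals have elapsed; a team that also indexes mail and endpoint telemetry has a Delivery-phase signal over four minutes earlier, which is the point of the slide’s “move detection up to the Delivery phase”. The beacon rule is deliberately naive (fixed jitter, one destination); real beacons add jitter and rotate domains, so production detections use statistical tests over longer windows.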

Page 18

CEB Information Risk Leadership Council

TALENT IS THE BIGGEST OBSTACLE TO EFFECTIVE USAGE OF SECURITY ANALYTICS

The highest number of executives cited the mindset and skills of employees as the largest obstacle to improved security analytics usage.

What is the biggest obstacle in increasing effectiveness of security analytics for your information security function? (Percentage of Information Risk Executives, n = 37)
• People. We don’t have people with the mindset and skills needed to analyze complex security datasets: 38%
• Process. We don’t have mature rules and processes about what to look for in the data we collect and how to use that information in decision-making: 30%
• Technology. We don’t have the tools and technologies needed to gather, store, or analyze security data: 16%
• Other: 16%

Source: CEB Information Risk Peer Perspectives, 09/2013

Page 19

COMPLEMENT LONG-STANDING STRATEGIES WITH ENHANCED INTELLIGENCE

Return on investment expectations are highest for advanced intelligence systems.

Estimated ROI for seven categories of enabling security technologies (2013, n = 234 separate companies)
Security intelligence systems                           21%
Advanced perimeter controls and firewall technologies   19%
Extensive deployment of encryption technologies         19%
Enterprise deployment of GRC tools                      14%
Access governance tools                                 14%
Extensive use of data loss prevention tools             14%
Automated policy management tools                        6%

Source as printed on the slide: 2013 Data Breach Investigations Report, Verizon. The n = 234 sample and the seven-category ROI estimate match the 2013 Cost of Cyber Crime Study (Ponemon Institute) cited on the preceding slides, so the Verizon attribution here is most likely a stale footer.

• Notice this is oriented to “intelligence”, not “big data”

Page 20

Copyright © 2014 BAE Systems. All Rights Reserved. BAE Systems is a trade mark of BAE Systems Plc. Company Confidential
Applied Intelligence

ADDRESSING YOUR CHALLENGES: ANALYTICS, THREAT INTELLIGENCE, WORKFLOW & ANALYST PRODUCTIVITY

Page 21

View … How We Protect and Enhance

Page 22

CyberReveal™ Solution Overview

Page 23

Large Volumes, Lots of Formats …
CyberReveal™ Threat Analyst

Page 24

How to Focus on 10 Threats … among Billions?

Page 25

How Do You Make it Actionable?

Page 26

INVESTIGATOR: VIEW AND ANALYZE

Page 27

INVESTIGATOR: SECURITY ANALYST VIEW

Page 28

INVESTIGATOR: REQUESTING MORE CONTEXT

Page 29

INVESTIGATOR: WHAT TO DO WITH THE ALERT

Page 30

THANK YOU. © BAE Systems 2014, unpublished, copyright BAE Systems all rights reserved. Proprietary: no use, disclosure or reproduction without the written permission of BAE Systems plc.

For more information:
• Visit www.baesystems.com/ai
• Contact us at [email protected]