RSA@NYTHUN 2017 · DELL EMC TECHNOLOGY FORUM

RSA@NYTHUN 2017 · 1/17/2017


Page 1: RSA@NYTHUN 2017 · DELL EMC TECHNOLOGY FORUM

Page 2: (no extracted text)

Page 3: Top Enterprise Risks

Page 4: Cyber attacks are real and growing

Cybercrime & Espionage*: High anonymity; low attribution

[Timeline figure, >2004 through 2015, in two bands: Attacks on Industry and Attacks on Government. Named incidents, groups and campaigns on the timeline: APT1, Taidoor, Comodo, Black Tulip, Nitro, IMF, RSA, Lockheed Martin, GhostNet, Nortel, State Dept., US Naval War College, Commerce Secretary, Estonia, Putter Panda, Boleto, Backoff, Carbanak, Desert Falcons, Safe, GOZ, Dark Seoul, Comment Panda, Olympic Games, Flame, Gauss, Stuxnet, Shamoon, US Investigations Services, Red October, Los Alamos, Oak Ridge, Night Dragon, PLA Unit 61398, Aurora, Anunak, US Transport Command, Equation Group, Shady RAT, VOHO, Shell Crew, Vixen Panda, Grey Goose, Arachnophobia, Moonlight Maze, Titan Rain, Solar Sunrise, Buckshot Yankee, Ababil, Duqu, Australian Mining, Dragonfly, Op. Pawn Storm, Shylock, Pitty Tiger, Regin.]

*Many of these threat actor activities and campaigns are ongoing, often collaborating and working with each other, sharing registrant information, malware, C2 domains, servers and general attack infrastructure. Dates represent threat groups and malware variants based on dates of information published by the security industry with thousands of organizations impacted.

Page 5: Threat Landscape

Page 6: Attackers are Outpacing Defenders

Source: Verizon 2016 Data Breach Investigations Report (Attacker Capabilities / Time to Discovery)

[Chart: percent of breaches where time to compromise (red) / time to discovery (blue) was days or less. Series: Time to compromise, Time to discovery. Y axis 25% to 100%; X axis 2006 through 2015.]

© Copyright 2015 EMC Corporation. Confidential and Proprietary. NDA Required

Page 7: Defender’s Challenges

Existing strategies & controls are failing:

• Attackers are becoming more sophisticated
• The attack surface is expanding
• Tools & processes must adapt to today’s threats
• Teams need to increase experience & efficiency
• Security teams need comprehensive visibility from endpoint to cloud


Page 8: Blind Spots in Threat Detection & Response

ONLY 24% Have Visibility into Attacks
ONLY 8% Can Quickly Detect Attacks
ONLY 11% Can Quickly Investigate Attacks

*Attacks = Multiple Incidents, Campaigns.

Source: RSA Threat Detection Effectiveness Survey, February 2016

Page 9: Evolution of Threat Actors & Detection Implications

At first, there were HACKS: preventative controls filter known attack paths.

[Diagram: Threat Actors send Malicious Traffic toward Corporate Assets through Firewall, IDS/IPS and AntiVirus; the gaps between these controls ("Whitespace") are where Successful HACKS get through.]

Page 10: Evolution of Threat Actors & Detection Implications

At first, there were HACKS: preventative controls filter known attack paths.
Then, ATTACKS: despite increased investment in controls, including SIEM.

[Diagram: Threat Actors send Malicious Traffic toward Corporate Assets through Firewall, IDS/IPS and AntiVirus, which produce More Logs (Blocked Session, Blocked Session, Blocked Session) feeding a SIEM that raises an Alert; Successful ATTACKS still pass through the Whitespace.]

Page 11: Evolution of Threat Actors & Detection Implications

Now, successful ATTACK CAMPAIGNS target any and all whitespace. Complete visibility into every process and network session is required to eradicate the attacker opportunity: a unified platform for advanced threat detection & investigations.

[Diagram: Threat Actors send Malicious Traffic toward Corporate Assets through Firewall, IDS/IPS and AntiVirus (Logs: Blocked Session, Blocked Session, Blocked Session, Alert), supplemented by Endpoint Visibility (Process) and Network Visibility (Network Sessions) to give Full Visibility.]

Page 12: Evolving Fraud Threat Landscape

Fraud: Attacks Designed to Defeat Traditional Defenses

Web Threat Landscape, mapped along the user session (In the Wild, Begin Session, Login, Transaction, Logout)

In the Wild:
• Phishing
• Rogue Mobile App
• Site Scraping
• Vulnerability Probing

Across the session (Begin Session, Login, Transaction, Logout):
• Layer 7 DDoS Attacks
• Man in the Middle/Browser
• Password Cracking/Guessing
• Parameter Injection
• New Account Registration Fraud
• Advanced Malware (e.g. Trojans)
• Account Takeover
• Promotion Abuse
• Unauthorized Account Activity
• Fraudulent Money Movement

Page 13: TTP

Tactics, Techniques, Procedures: how attackers work to target, compromise, and exploit your organization.

Page 14: THREAT ACTORS AND OBJECTIVES

Objectives: $, IP, PII
Actors: Criminals, Nation States, Hacktivists

Page 15: STAGE 1: ESTABLISH FOOTHOLD

Probe external servers and apps for vulnerabilities
• Develop exploit
• Install webshell or other remote access mechanism

(Spear-) Phish users
• Obtain credentials
• Deliver malware to obtain remote access (RATs, etc.)

Page 16: KEY POINTS: STAGE 1

• Relying on prevention is futile
  – Multiple methods for attackers to find an initial foothold
• Not all attacks start with malware; identity is an attack vector
• Opportunities for early detection are limited
  – Lots of noise in data on external systems
  – Up-to-date threat intel can help
• Opportunities exist to make attackers’ jobs harder
  – Patch vulnerabilities, especially those with known exploits
  – User education
  – Make their intelligence gathering more difficult

Page 17: STAGE 2: ENTRENCH, EXPAND, EXPLORE

• Dump local credentials
• Install malware
  – Keyloggers, RATs
• Download cracking tools
• Control more machines, accounts
  – Privileged Accounts: esp. IT, Admin
  – Domain Controllers, E-mail servers
• Map network
• Copy directory listings
• Dump databases
• Dump emails
• Expand access methods
  – VPN, RDP, Proxy

Page 18: KEY POINTS: STAGE 2

• Attackers move very quickly once they gain access
  – Speed of detection and remediation are key
• Many more opportunities for detection
  – Visibility to spot attacker activity is essential: network traffic, endpoint compromise, elevation of privilege, anomalous Admin activity
• Need to be able to connect attacker activity
  – Addressing disconnected alerts will not disrupt attacks
• Opportunities exist to make attackers’ jobs harder
  – Strong authentication
  – Network segmentation
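The "connect attacker activity" point above, as an added example that is not part of the deck: a small correlator in Python that links alerts from endpoint, identity and network sources whenever they share a host or account, so a Stage 2 sequence surfaces as one chain instead of several disconnected alerts. The alerts and their field names (host, account, dst) are constructed sample data.

```python
"""Link otherwise disconnected alerts into one attack chain via shared
entities (host, account).  Added illustration, not from the RSA deck; the
alerts and their field names are constructed sample data."""
from collections import defaultdict

# Constructed alerts from endpoint, identity and network sources.  Alone,
# each is low-value noise; chained through WS-17 / svc_backup / DC01 they
# read as one Stage 2 sequence (dump creds -> admin logon -> RDP to DC).
ALERTS = [
    {"id": 1, "msg": "credential dump tool executed", "host": "WS-17", "account": "jdoe"},
    {"id": 2, "msg": "admin logon outside hours", "host": "WS-17", "account": "svc_backup"},
    {"id": 3, "msg": "RDP to domain controller", "host": "WS-17", "account": "svc_backup", "dst": "DC01"},
    {"id": 4, "msg": "new service installed", "host": "DC01", "account": "svc_backup"},
    {"id": 5, "msg": "port scan", "host": "WS-42", "account": "asmith"},
]


def entities(alert):
    """Join keys for an alert: source host, destination host, account."""
    ents = {("host", alert["host"]), ("account", alert["account"])}
    if "dst" in alert:
        ents.add(("host", alert["dst"]))
    return ents


def correlate(alerts):
    """Group alerts sharing at least one entity, transitively (union-find).
    Returns chains as sorted lists of alert ids, largest chain first."""
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    first_seen = {}  # entity -> index of first alert carrying it
    for i, alert in enumerate(alerts):
        for ent in entities(alert):
            if ent in first_seen:
                ra, rb = find(first_seen[ent]), find(i)
                if ra != rb:
                    parent[rb] = ra
            else:
                first_seen[ent] = i
    chains = defaultdict(list)
    for i, alert in enumerate(alerts):
        chains[find(i)].append(alert["id"])
    return sorted((sorted(c) for c in chains.values()), key=len, reverse=True)
```

Running `correlate(ALERTS)` yields one four-alert chain spanning WS-17 and DC01 and leaves the unrelated port scan on its own.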

Page 19: STAGE 3: EXFILTRATE, MAINTAIN

• Aggregate and stage data
• Obfuscate to avoid detection
• Exfiltrate data
  – http / https, SSH, FTP, email
  – Use of Dyn DNS services to rotate drop zones
• Periodically return to:
  – Update malware
  – Grab new data (keylogs, emails, data)
• Option to use your infrastructure to launch other attacks

Page 20: KEY POINTS: STAGE 3

• Egress monitoring / visibility is essential
  – What is leaving your network and why?
  – Tools like DLP that search for un-altered data will not spot or stop exfiltration
• Detection will become harder as entrenched attackers switch to maintenance mode and cover their tracks
  – Have a greater ability to blend in
• Remediation once attackers reach this point is very complex
• If expelled at this point, most attackers will actively seek to return
  – They will up their game
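The egress monitoring point above, as an added example that is not from the deck: a Python baseline check over per-host daily flow summaries that flags a host whose outbound volume jumps well above its own history and reports any destination it had never contacted, the kind of volume signal that remains visible after staged data has been obfuscated and content-matching DLP no longer fires. The flow records, host names, destination and thresholds are constructed assumptions.

```python
"""Egress monitoring: answer "what is leaving the network, and why?" from
flow summaries rather than content inspection, since staged data is
obfuscated before exfiltration and content-matching DLP will miss it.
Added illustration, not from the RSA deck; the flow records are
constructed sample data."""
from collections import defaultdict
from statistics import median

# Constructed daily outbound summaries: (day, host, dst, bytes_out, bytes_in).
# FS-03 quietly sends ~20 MB/day of mail; on day 6 it pushes 2 GB to a
# never-before-seen host with almost nothing coming back.
FLOWS = [
    (d, "FS-03", "mail.example-corp.test", 20_000_000, 15_000_000) for d in range(1, 6)
] + [
    (6, "FS-03", "mail.example-corp.test", 21_000_000, 14_000_000),
    (6, "FS-03", "203.0.113.77", 2_000_000_000, 1_200_000),
] + [
    (d, "WS-17", "cdn.example-corp.test", 50_000_000, 900_000_000) for d in range(1, 7)
]

def egress_anomalies(flows, day, ratio_factor=5, min_bytes=100_000_000):
    """Flag hosts whose outbound volume on `day` exceeds `ratio_factor` times
    their own median daily egress over earlier days (a host with no history
    has baseline 0, so any egress above `min_bytes` is flagged), and report
    destinations that host never talked to before plus the out:in ratio."""
    history = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes_out
    known_dst = defaultdict(set)                       # host -> dsts seen before `day`
    today = defaultdict(lambda: [0, 0, set()])         # host -> [out, in, dsts]
    for d, host, dst, out, inb in flows:
        if d < day:
            history[host][d] += out
            known_dst[host].add(dst)
        elif d == day:
            today[host][0] += out
            today[host][1] += inb
            today[host][2].add(dst)
    findings = []
    for host, (out, inb, dsts) in today.items():
        baseline = median(history[host].values()) if history[host] else 0
        if out >= min_bytes and out > ratio_factor * baseline:
            findings.append({
                "host": host,
                "bytes_out": out,
                "baseline": baseline,
                "out_in_ratio": round(out / max(inb, 1), 1),
                "new_destinations": sorted(dsts - known_dst[host]),
            })
    return findings
```

For day 6 the check flags FS-03 alone, with its 20 MB baseline, a ~133:1 outbound-to-inbound ratio and 203.0.113.77 as a new destination; the busy but symmetric WS-17 stays quiet.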

Page 21: CONCLUSIONS

• Know your enemy, be prepared
• Compromise is inevitable
  – Goal should be to detect and respond to attacks to minimize loss and damage
  – Limit attacker free time inside your network
• Tools that provide visibility / forensic data are essential for detection and response
  – Logs, Packets, Endpoint, Threat Intelligence
  – Ability to spot anomalous / suspicious activity and investigate
  – Ability to pivot and see the whole picture of the attack
• Experienced responders are required
  – In-house or on-call

Page 22: (no extracted text)

Page 23: People & Process

NIST Incident Phase | RSA Best Practices (sample)

Preparation
• Staffing Model & Shift Transition; Roles & Responsibilities
• Business Alignment & Risk Alignment
• Incident Prevention Planning
• Security Controls Implementation & Monitoring

Detection & Analysis
• Categorization & prioritization of Incident types
• Content, Analytic & Threat Intelligence; Malware Analysis
• L1, L2 & L3 SOPs; Incident Handling Workflow automation
• Generation of Alerts, Watchlists and Notifications and Reports

Containment, Eradication & Recovery
• Proactive remediation and breaking the “kill-chain”
• Accumulation and protection of evidence and forensic data
• C-level Escalation and cross functional Rules of Engagement
• 3rd Party stakeholders, incl. Law Enforcement

Post Incident Activity
• Updated Incident Metrics, Breach Reporting and Disclosure
• Systems Hardening; Updated Threat and Risk Profile
• Evidence Retention; attribution and hacker prosecution
• Lessons Learned and Training

Reference: NIST Computer Security Incident Handling Guide & RSA Best Practices

Page 24: Resource Shift Needed: Budgets & People

Today’s Priorities: Prevention 80%, Monitoring 15%, Response 5%
Future Requirements: Prevention 33%, Monitoring 33%, Response 33%