RSA@NYTHUN 2017, Dell EMC Technology Forum
Top Enterprise Risks
Cyber attacks are real and growing. Cybercrime & Espionage*: high anonymity, low attribution.
[Timeline figure, 2004 to 2015, in two rows (Attacks on Industry; Attacks on Government). Campaigns and threat groups plotted: APT1, Taidoor, Comodo, Black Tulip, Nitro, IMF, RSA, Lockheed Martin, GhostNet, Nortel, State Dept., US Naval War College, Commerce Secretary, Estonia, Putter Panda, Boleto, Backoff, Carbanak, Desert Falcons, Safe, GOZ, Dark Seoul, Comment Panda, Olympic Games, Flame, Gauss, Stuxnet, Shamoon, US Investigations Services, Red October, Los Alamos, Oak Ridge, Night Dragon, PLA Unit 61398, Aurora, Anunak, US Transport Command, Equation Group, Shady RAT, VOHO, Shell Crew, Vixen Panda, Grey Goose, Arachnophobia, Moonlight Maze, Titan Rain, Solar Sunrise, Buckshot Yankee, Ababil, Duqu, Australian Mining, Dragonfly, Op. Pawn Storm, Shylock, Pitty Tiger, Regin.]
*Many of these threat actor activities and campaigns are ongoing, often collaborating and working with each other, sharing registrant information, malware, C2 domains, servers and general attack infrastructure. Dates represent threat groups and malware variants based on dates of information published by the security industry, with thousands of organizations impacted.
Threat Landscape
Attacker Capabilities: Time to Discovery. Attackers are outpacing defenders.
[Chart, source: Verizon 2016 Data Breach Investigations Report. Percent of breaches where time to compromise (red) / time to discovery (blue) was days or less, plotted by year from 2006 to 2015 on a 25% to 100% scale.]
© Copyright 2015 EMC Corporation. Confidential and Proprietary. NDA Required
Defender’s Challenges: existing strategies & controls are failing
• Attackers are becoming more sophisticated
• The attack surface is expanding
What defenders need:
• Tools & processes must adapt to today’s threats
• Teams need to increase experience & efficiency
• Security teams need comprehensive visibility from endpoint to cloud
Blind Spots in Threat Detection & Response
• ONLY 24% have visibility into attacks*
• ONLY 8% can quickly detect attacks
• ONLY 11% can quickly investigate attacks
*Attacks = multiple incidents, campaigns.
Source: RSA Threat Detection Effectiveness Survey, February 2016
Evolution of Threat Actors & Detection Implications
At first, there were HACKS. Preventative controls (firewall, IDS/IPS, antivirus) sit between malicious traffic and corporate assets and filter known attack paths; whatever passes through the whitespace between those controls becomes a successful hack.
Then, ATTACKS. Despite increased investment in controls, including SIEM: the same preventative controls produce blocked sessions, more logs feed a SIEM, and the SIEM raises alerts, yet attacks still succeed in the whitespace the controls do not cover.
Now, successful ATTACK CAMPAIGNS target any and all whitespace. Complete visibility into every process and network session is required to eradicate the attacker opportunity: a unified platform for advanced threat detection & investigations that combines logs, endpoint visibility (processes) and network visibility (network sessions) into full visibility.
Web Threat Landscape
Evolving Fraud Threat Landscape. Fraud: attacks designed to defeat traditional defenses.
Threats mapped along the user session lifecycle (In the Wild, Begin Session, Login, Transaction, Logout), listed in lifecycle order:
In the Wild
• Phishing
• Rogue Mobile App
• Site Scraping
• Vulnerability Probing
Session and Login
• Layer 7 DDoS Attacks
• Man in the Middle/Browser
• Password Cracking/Guessing
• Parameter Injection
• New Account Registration Fraud
Login, Transaction and Logout
• Advanced Malware (e.g. Trojans)
• Account Takeover
• Promotion Abuse
• Unauthorized Account Activity
• Fraudulent Money Movement
TTPs: Tactics, Techniques, Procedures
How attackers work to target, compromise, and exploit your organization.
THREAT ACTORS AND OBJECTIVES
Actors: Criminals, Nation States, Hacktivists.
Objectives: money ($), intellectual property (IP), personally identifiable information (PII).
STAGE 1: ESTABLISH FOOTHOLD
Probe external servers and apps for vulnerabilities
• Develop exploit
• Install webshell or other remote access mechanism
(Spear-) Phish users
• Obtain credentials
• Deliver malware to obtain remote access (RATs, etc.)
KEY POINTS: STAGE 1
• Relying on prevention alone is futile
– Attackers have multiple methods for finding an initial foothold
• Not all attacks start with malware; identity is an attack vector
• Opportunities for early detection are limited
– Lots of noise in data on external systems
– Up-to-date threat intel can help
• Opportunities exist to make attackers' jobs harder
– Patch vulnerabilities, especially those with known exploits
– User education
– Make their intelligence gathering more difficult
STAGE 2: ENTRENCH, EXPAND, EXPLORE
• Dump local credentials
• Install malware
– Keyloggers, RATs
• Download cracking tools
• Control more machines and accounts
– Privileged accounts: esp. IT, Admin
– Domain Controllers, E-mail servers
• Map network
• Copy directory listings
• Dump databases
• Dump emails
• Expand access methods
– VPN, RDP, Proxy
KEY POINTS: STAGE 2
• Attackers move very quickly once they gain access
– Speed of detection and remediation is key
• Many more opportunities for detection
– Visibility to spot attacker activity is essential: network traffic, endpoint compromise, elevation of privilege, anomalous Admin activity
• Need to be able to connect attacker activity
– Addressing disconnected alerts one at a time will not disrupt attacks
• Opportunities exist to make attackers' jobs harder
– Strong authentication
– Network segmentation
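To show what "connecting attacker activity" looks like in practice, here is an added example (not code from the RSA deck or from any RSA product) that links individually weak alerts into a chain by shared host or account within a time window and reports only chains that span more than one of the deck's stages. The alert records, hostnames, user names, sensor names and the alert-type-to-stage mapping are constructed for illustration.

```python
"""Link disconnected alerts into attack chains.

Added example, not from the RSA deck. The alert records, hosts, users and
the alert_type -> stage mapping are constructed for illustration; the
stages follow the deck's Stage 1/2/3 model.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Which of the deck's three stages an alert type belongs to (assumed mapping).
STAGE_OF = {
    "phish_link_clicked": 1, "webshell_dropped": 1, "rat_beacon": 1,
    "credential_dump": 2, "lateral_rdp": 2, "admin_anomaly": 2,
    "data_staging": 3, "large_egress": 3,
}
LINK_WINDOW = timedelta(hours=48)   # two alerts farther apart than this are not joined

# Constructed sample alerts from four different sensors. None is conclusive alone.
SAMPLE_ALERTS = [
    {"ts": "2016-02-01T09:00:00", "sensor": "endpoint", "type": "credential_dump",
     "host": "WS-042", "user": "itadmin"},                       # a month old, isolated
    {"ts": "2016-03-01T08:02:00", "sensor": "email",    "type": "phish_link_clicked",
     "host": "WS-042", "user": "jsmith"},
    {"ts": "2016-03-01T08:05:00", "sensor": "network",  "type": "rat_beacon",
     "host": "WS-042", "user": "jsmith"},
    {"ts": "2016-03-01T10:00:00", "sensor": "email",    "type": "phish_link_clicked",
     "host": "WS-077", "user": "aparker"},                       # unrelated user and host
    {"ts": "2016-03-01T11:00:00", "sensor": "endpoint", "type": "credential_dump",
     "host": "WS-042", "user": "jsmith"},
    {"ts": "2016-03-01T14:00:00", "sensor": "auth",     "type": "lateral_rdp",
     "host": "WS-042", "user": "jsmith", "dst_host": "FS-01"},
    {"ts": "2016-03-02T02:00:00", "sensor": "auth",     "type": "admin_anomaly",
     "host": "FS-01", "user": "svc_backup"},
    {"ts": "2016-03-02T03:10:00", "sensor": "network",  "type": "large_egress",
     "host": "FS-01", "user": "svc_backup"},
]


def _when(alert):
    return datetime.fromisoformat(alert["ts"])


def entities(alert):
    """Pivot points an analyst would use to connect alerts: hosts and accounts."""
    return {alert[k] for k in ("host", "user", "dst_host") if alert.get(k)}


def link_alerts(alerts, window=LINK_WINDOW):
    """Union-find over alerts: join two alerts that share an entity within `window`.

    Returns a list of chains (lists of alerts). A chain can cross hosts: the
    RDP alert carries both WS-042 and FS-01, which bridges the workstation
    activity to what later happens on the file server.
    """
    alerts = sorted(alerts, key=_when)
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    # O(n^2) pairwise join is fine for a demo; a SIEM would use indexed lookups.
    for i, j in combinations(range(len(alerts)), 2):  # i precedes j after the sort
        if _when(alerts[j]) - _when(alerts[i]) > window:
            continue
        if entities(alerts[i]) & entities(alerts[j]):
            parent[find(i)] = find(j)

    chains = defaultdict(list)
    for i, alert in enumerate(alerts):
        chains[find(i)].append(alert)
    return list(chains.values())


def campaigns(alerts, min_stages=2):
    """Keep only chains that span at least `min_stages` of the deck's stages."""
    found = []
    for chain in link_alerts(alerts):
        stages = sorted({STAGE_OF[a["type"]] for a in chain if a["type"] in STAGE_OF})
        if len(stages) >= min_stages:
            found.append({
                "stages": stages,
                "entities": sorted(set().union(*(entities(a) for a in chain))),
                "alerts": chain,
            })
    return found


if __name__ == "__main__":
    for c in campaigns(SAMPLE_ALERTS):
        print(f"campaign across stages {c['stages']} involving {c['entities']}:")
        for a in c["alerts"]:
            print(f"  {a['ts']} {a['sensor']:8} {a['type']}")
```

The one chain that reaches Stage 3 is what should be escalated; the isolated phishing click on WS-077 and the month-old credential dump stay as low-priority singletons. The pivot entities (host, account, destination host) are the same ones an analyst uses by hand, which is why the join is worth automating rather than handling each alert in isolation.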
STAGE 3: EXFILTRATE, MAINTAIN
• Aggregate and stage data
• Obfuscate to avoid detection
• Exfiltrate data
– http / https, SSH, FTP, email
– Use of dynamic DNS services to rotate drop zones
• Periodically return to:
– Update malware
– Grab new data (keylogs, emails, data)
• Option to use your infrastructure to launch other attacks
KEY POINTS: STAGE 3
• Egress monitoring / visibility is essential
– What is leaving your network, and why?
– Tools like DLP that search for unaltered data will not spot or stop exfiltration of staged, compressed or encrypted data
• Detection becomes harder as entrenched attackers switch to maintenance mode and cover their tracks
– They have a greater ability to blend in
• Remediation once attackers reach this point is very complex
• If expelled at this point, most attackers will actively seek to return
– They will up their game
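An added example (not from the RSA deck) of the two egress points above: a keyword DLP check fires on the raw records but not once the attacker has compressed and base64-encoded them, while behavioural egress signals (outbound volume against the host's own baseline, upload-dominant sessions, and one destination name answered by several IPs, the dynamic-DNS drop-zone rotation described in Stage 3) still flag the transfer. Records, hostnames, IP addresses, the staged payload and the thresholds are all constructed or assumed.

```python
"""Egress monitoring that does not depend on matching unaltered data.

Added example, not from the RSA deck. The flow records, hostnames, IPs and
the staged payload are constructed; the thresholds are assumptions to be
tuned against a real baseline.
"""
import base64
import hashlib
import math
import zlib
from collections import Counter, defaultdict
from statistics import median

DLP_KEYWORDS = (b"CONFIDENTIAL", b"ssn=")


def build_staged_payload(rows=200):
    """Return (raw, staged): the records as they sit on the file server, and
    the same records after the attacker compresses and base64-encodes them."""
    lines = [
        f"CONFIDENTIAL,employee{i:04d},ssn={hashlib.sha256(str(i).encode()).hexdigest()[:9]}"
        for i in range(rows)                    # constructed fake records
    ]
    raw = "\n".join(lines).encode()
    return raw, base64.b64encode(zlib.compress(raw, 9))


def dlp_keyword_hit(payload, keywords=DLP_KEYWORDS):
    """Classic content-matching DLP: only fires on unaltered data."""
    return any(k in payload for k in keywords)


def shannon_entropy(data):
    """Bits per byte; plain text sits around 4-5, compressed or encoded data higher."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(payload, threshold=5.5):
    return shannon_entropy(payload) >= threshold


# Constructed outbound flow summaries (one record per connection).
FLOWS = [
    {"src": "FS-01", "dst": "updates.vendor-cdn.example", "dst_ip": "203.0.113.10", "out": 4_200, "in": 310_000},
    {"src": "FS-01", "dst": "www.intranet-news.example", "dst_ip": "203.0.113.25", "out": 1_500, "in": 80_000},
    {"src": "FS-01", "dst": "crl.pki.example", "dst_ip": "203.0.113.30", "out": 3_000, "in": 12_000},
    {"src": "FS-01", "dst": "ntp.pool.example", "dst_ip": "203.0.113.40", "out": 5_200, "in": 5_200},
    {"src": "FS-01", "dst": "mail.example.org", "dst_ip": "203.0.113.50", "out": 2_600, "in": 40_000},
    # Same dynamic-DNS name answered by three different IPs within the day: drop-zone rotation.
    {"src": "FS-01", "dst": "sync.ddns-host.example", "dst_ip": "198.51.100.7", "out": 2_900_000, "in": 12_000},
    {"src": "FS-01", "dst": "sync.ddns-host.example", "dst_ip": "198.51.100.91", "out": 1_800_000, "in": 9_000},
    {"src": "FS-01", "dst": "sync.ddns-host.example", "dst_ip": "192.0.2.44", "out": 2_100_000, "in": 11_000},
    {"src": "WS-042", "dst": "www.search.example", "dst_ip": "203.0.113.60", "out": 2_100, "in": 150_000},
    {"src": "WS-042", "dst": "mail.example.org", "dst_ip": "203.0.113.50", "out": 900, "in": 40_000},
]


def egress_anomalies(flows, volume_ratio=10.0, upload_ratio=5.0, rotating_ips=3):
    """Flag (src, dst) pairs by behaviour rather than content.

    Three signals implied by the deck's Stage 3 description:
      * outbound volume far above the host's own median outbound per connection,
      * upload-dominant traffic (hosts normally receive far more than they send),
      * one destination name resolving to several IPs (dynamic-DNS drop-zone rotation).
    The median baseline only holds while exfil connections are a minority of the host's flows.
    """
    host_out = defaultdict(list)
    dst_ips = defaultdict(set)
    pair = defaultdict(lambda: {"out": 0, "in": 0})
    for f in flows:
        host_out[f["src"]].append(f["out"])
        dst_ips[f["dst"]].add(f["dst_ip"])
        pair[(f["src"], f["dst"])]["out"] += f["out"]
        pair[(f["src"], f["dst"])]["in"] += f["in"]

    findings = []
    for (src, dst), agg in pair.items():
        reasons = []
        baseline = median(host_out[src])
        if agg["out"] > volume_ratio * baseline:
            reasons.append(f"{agg['out']} bytes out vs host median {baseline:.0f}")
        if agg["out"] > upload_ratio * agg["in"]:
            reasons.append("upload-dominant")
        if len(dst_ips[dst]) >= rotating_ips:
            reasons.append(f"{dst} seen at {len(dst_ips[dst])} IPs")
        if reasons:
            findings.append({"src": src, "dst": dst, "reasons": reasons})
    return findings


if __name__ == "__main__":
    raw, staged = build_staged_payload()
    print("DLP on raw:", dlp_keyword_hit(raw), "DLP on staged:", dlp_keyword_hit(staged))
    print(f"entropy raw {shannon_entropy(raw):.2f}, staged {shannon_entropy(staged):.2f}")
    for f in egress_anomalies(FLOWS):
        print(f["src"], "->", f["dst"], "; ".join(f["reasons"]))
```

The entropy test is a coarse hint, not proof: TLS traffic is high-entropy by design, so it is most useful on decrypted or plaintext channels and on files found in staging directories. The thresholds are assumptions; tune them against each host's real history, and remember that the median baseline only holds while exfil connections are a minority of that host's flows.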
CONCLUSIONS
• Know your enemy, be prepared
• Compromise is inevitable
– The goal should be to detect and respond to attacks to minimize loss and damage
– Limit attacker free time inside your network
• Tools that provide visibility / forensic data are essential for detection and response
– Logs, Packets, Endpoint, Threat Intelligence
– Ability to spot anomalous / suspicious activity and investigate
– Ability to pivot and see the whole picture of the attack
• Experienced responders are required
– In-house or on-call
People & Process
NIST Incident Phase / RSA Best Practices (sample)
Preparation
• Staffing Model & Shift Transition; Roles & Responsibilities
• Business Alignment & Risk Alignment
• Incident Prevention Planning
• Security Controls Implementation & Monitoring
Detection & Analysis
• Categorization & prioritization of incident types
• Content, Analytic & Threat Intelligence; Malware Analysis
• L1, L2 & L3 SOPs; Incident Handling Workflow automation
• Generation of Alerts, Watchlists, Notifications and Reports
Containment, Eradication & Recovery
• Proactive remediation and breaking the “kill-chain”
• Accumulation and protection of evidence and forensic data
• C-level Escalation and cross-functional Rules of Engagement
• 3rd Party stakeholders, incl. Law Enforcement
Post Incident Activity
• Updated Incident Metrics, Breach Reporting and Disclosure
• Systems Hardening; Updated Threat and Risk Profile
• Evidence Retention; attribution and hacker prosecution
• Lessons Learned and Training
Reference: NIST Computer Security Incident Handling Guide & RSA Best Practices
Resource Shift Needed: Budgets & People
Today’s priorities: Prevention 80%, Monitoring 15%, Response 5%
Future requirements: Prevention 33%, Monitoring 33%, Response 33%