Advanced Persistent Threats … the external enemy within

  1. Advanced Persistent Threats … the external enemy within (2012). Taking Complexity out of Information Security … allowing you to focus on your business.

  2. Advanced Persistent Threats The Problem Landscape

  3. APTs: Hype or Reality?
  • Google
  • RSA
  • Juniper
  • DuPont
  • IMF
  • Lockheed Martin
  • …
  762 companies were hit during the RSA attack.

  4. Defining Advanced Persistent Threats (APT)
  • Regardless of the definition, 99.999% of them adhere to the following characteristics:
    • Nature:
      • Targeted attacks
      • Blended threats (multiple attack vectors)
      • "Low and slow"
    • Tactics:
      • Social engineering, attacking the user (most of the time)
      • Establishing a foothold (e.g. Remote Access Trojans)
      • Attack escalation and metastasis: access to critical data and services
      • Retaining persistence (different RATs, multiple footholds, etc.)
    • Results:
      • Data leakage, sabotage, fraud …
  • In essence it is the attack method of choice of professional attackers.

  5. Advanced Persistent Threats (APT) - An Illustration
  Phases shown on the slide (the step numbering was lost in extraction; the order below follows the slide):
  • Reconnaissance
  • Initial intrusion into the network
  • Establish a backdoor into the network
  • Obtain user credentials
  • Install various utilities
  • Privilege escalation
  • Attack escalation
  • Metastasis
  • Maintain persistence
  • Data exfiltration / realization of other objectives
  (Diagram labels: Attacker, Web Applications, Internal Users, Data Center)

  6. Advanced Persistent Threats – Is it a problem?
  • ORGANIZATIONS MUST LEARN TO LIVE IN A STATE OF COMPROMISE
  • "Companies including utilities, banks and phone carriers would have to spend almost nine times more on cybersecurity to prevent a digital Pearl Harbor …", a Bloomberg Government study found.
  • "APT Tops Security Risks to Corporate IP in 2012"
  • "I'm meeting more CSOs saying 'all I care about is APT …'" Bruce Schneier, CTO of BT Counterpane

  7. Our Own Experience on APTs
  • ENCODE Extrusion Testing™:
    • Security assessment via APT simulation
    • Running Extrusion Tests since 2003! … 8 years of hands-on experience
    • Proprietary tools and methodologies
    • Attacking "outside-in and inside-out"
  • Digital Forensics:
    • Performed forensics on APT cases in various organisations

  8. Why APTs Are Succeeding
  Because controls fail:
  • "Medieval approach to IT Security": building "castles/perimeters" around the network and trying to be "preventive"
  • Single "attack vector" controls
  • "Evolved versions" of controls designed for the 90s
  • Reactive approach

  9. Why Controls Fail
  • While security programs are focused on compliance:
    • Compliant ≠ Secure
  • At the same time, even specialized security controls are not adequate on their own (or even combined):
    • "Traditional" controls fail: firewalls, IPS, secure web gateways, AV/endpoint security …
      • They are totally blind to APTs, because their paradigm does not fit the threat
    • But also "less traditional" ones:
      • Data Leak Prevention: designed for human actions, not for leakage by a piece of advanced software (malware, Trojans)
      • 24x7 Security Monitoring: "garbage in, garbage out", no monitoring in context, not having the right tools for the job

  10. Advanced Persistent Threats Addressing APTs

  11. Solving a Problem One quite clever guy once said that “if he had one hour to save the world he would spend fifty-five minutes defining the problem and only five minutes finding the solution”

  12. Defining the APT Problem
  • Is it a malware problem?
  • Is it an adversary problem?
  • Is it a forensics problem?
  • Is it a visibility problem?
  • Is it a zero-day exploit problem?
  • Is it a botnet detection and/or takedown problem?
  • Is it a lack-of-security-skills problem?
  • Is it a lack-of-defense-in-depth problem?
  • …
  … the short answer is NO. Each one of them is a piece of the problem, but not the problem!

  13. Defining the APT Problem
  We believe it is a two-fold problem: a "Name Problem" and a "Complexity Problem".

  14. What is the “Name Problem” of APTs

  15. Are APTs Really Advanced?
  [Chart: ENCODE Extrusion Testing facts: infection vectors used (total)]

  16. Why Is "Advanced" the Problem?
  Because:
  • they are considered "advanced" for "traditional" but also for "less traditional" security controls
  • they are also "advanced" for "single-vector" specialized security controls
  • they are not "advanced enough" for some specialized security controls that try to be "very advanced" and miss the simple (KISS) APT
  • organizations (used to) underplay/underestimate the threat, saying "this is too advanced … it won't happen to us"

  17. What Is the "Complexity Problem" of APTs?
  • Complexity:
    • Complex IT environments and business processes, supporting business agility
    • Complex threat landscape
    • Complexity of the Internet
  • Attackers take advantage of this complexity to achieve their goals, along with the fact that a business must be agile to remain in business!
  • However, to solve a "complexity problem" or a complex problem you have to:
    • Take out complexity where you can
    • Focus on the parts of the problem that really matter and solve them

  18. Solving the "Complexity Problem" of APTs
  • You cannot reduce complexity in every part of your business … period
  • As complexity increases, the good old "preventive" controls get less and less effective, or impair the business
  • Nonetheless you have to be "proactive"
  • Proactive Security ≠ Preventive Controls alone
  • Early Warning & Response is the "preventive" control of choice for complex environments and threats
  • You have to focus on APT

  19. Focus on APT
  If Early Warning is what we need, let's think about "what cannot be evaded":
  • Behavior
    • An IT environment under attack does not behave as normal
    • Each attack, APT included, has its own signs in behavior change
  • True Visibility, at all (relevant) levels
    • Network: Internet access (incoming/outgoing)
    • Endpoint: system state and data access/use
  • Expertise, the human factor
    • Encapsulated expertise
    • Expert view and analysis
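The behavior/visibility argument above can be made concrete with a small detection routine. The following is an added example, not ENCODE's tooling or anything from the deck: it walks outbound proxy log lines and flags an internal host that contacts a rarely-visited external destination at near-constant intervals, which is what a "low and slow" RAT beacon (slide 4) looks like in network visibility data. The log format, host names and thresholds are assumptions made for the example, and every log line is constructed.

```python
"""
Added example (not from the ENCODE deck): behavioural early-warning check for
beaconing in outbound proxy logs. Flags (source, destination) pairs whose
connection intervals are regular and whose destination few hosts ever contact.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <source host> <destination host>".
# ws-017 talks to update.example-cdn.net roughly every 15 minutes (a beacon);
# everything else is ordinary, irregular browsing. All names are hypothetical.
SAMPLE_LOG = """\
2012-03-01T09:00:02 ws-017 intranet.example.com
2012-03-01T09:00:05 ws-042 cdn.example.net
2012-03-01T09:00:11 ws-017 update.example-cdn.net
2012-03-01T09:10:33 ws-003 intranet.example.com
2012-03-01T09:15:09 ws-017 update.example-cdn.net
2012-03-01T09:22:41 ws-042 intranet.example.com
2012-03-01T09:27:03 ws-042 intranet.example.com
2012-03-01T09:30:14 ws-017 update.example-cdn.net
2012-03-01T09:40:02 ws-003 cdn.example.net
2012-03-01T09:45:08 ws-017 update.example-cdn.net
2012-03-01T09:51:30 ws-042 cdn.example.net
2012-03-01T10:00:12 ws-017 update.example-cdn.net
2012-03-01T10:03:55 ws-042 intranet.example.com
2012-03-01T10:05:18 ws-042 intranet.example.com
2012-03-01T10:15:10 ws-017 update.example-cdn.net
"""


def parse_log(text):
    """Parse 'timestamp src dst' lines into (datetime, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events


def find_beacons(events, min_hits=4, max_jitter=0.2, max_src_share=0.5):
    """
    Return [(src, dst, mean_interval_seconds, jitter)] for pairs that:
      - connected at least min_hits times,
      - have regular spacing: stdev/mean of the gaps <= max_jitter, and
      - target a destination used by at most max_src_share of all sources
        (a destination the whole company visits is normal business traffic,
        not a foothold's command channel).
    """
    by_pair = defaultdict(list)
    sources_per_dst = defaultdict(set)
    all_sources = set()
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
        sources_per_dst[dst].add(src)
        all_sources.add(src)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        if len(sources_per_dst[dst]) / len(all_sources) > max_src_share:
            continue  # popular destination: not rare enough to be interesting
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            findings.append((src, dst, round(avg), round(jitter, 3)))
    return findings


if __name__ == "__main__":
    for src, dst, interval, jitter in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s (jitter {jitter})")
```

The check deliberately ignores what the traffic contains and whether any signature matches; it only asks whether the host's outbound behavior changed into something periodic and unusual for the rest of the environment. On real data the thresholds need tuning per environment (software updaters and monitoring agents also beacon), which is the "expertise" part of the same slide.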

  20. Advanced Persistent Threats Conclusion

  21. APT goes mainstream

  22. APT: Targets
  APTs are becoming the weapon of choice:
  • from Government and Defense
  • to companies with Intellectual Property or Critical Infrastructure
  • to other "high-value" targets
    • Finance
    • …
  "… if professional attackers didn't use such techniques they should have been sued for negligence …"

  23. APTs … Revisited
  • It is not a matter of What
  • It is not a matter of Who
  • It is a matter of When!
  Attorney David Navetta: "… but to me a lot of companies might be thinking that breach is not a matter of if, but a matter of when, and that if you are a high enough profile type of target and someone really wants to get after you, they might have a good chance of actually succeeding."

  24. www.encodegroup.com
