Defending against persistent threats in a time of skill shortage - A.N. Ananth | Secure Bermuda - 2016

Defending against ransomware in a time of skill shortage.


Presentation Transcript


  1. Defending against persistent threats in a time of skill shortage

  2. Threatscape 2016
     - Big problem
     - Expensive
     - Detection deficit
     - Insider? Outsider?

  3. Market feedback
     - Security gap: compliance ≠ security; stakeholders personally affected by breaches
     - Compliance is a must, but help reduce cost
     - Skill shortage: impacting ROI on IT security projects; machine learning, less rules tweaking

  4. Why are they attacking?

  5. Existing defenses?
     - Anti Virus: catches “some” malware based on signatures; attackers are “hip to its jive”
     - IDS: detects network-borne attacks; can’t see the endpoint or out “legitimate” traffic
     - DLP: can catch data movement to/from removable media
     - SIEM: sees all logs, but is everything logged?

  6. How are they attacking?
     - Malware based (examples: C-Suite doesn’t get paid; piracy in the back office)
       - Threat: Establish beachhead
       - Threat: Lateral movement
       - Threat: Exfiltrate data
     - Compromised credentials based (examples: congrats from CIO; Army out of SHAPE on Facebook)
       - Threat: Valid programs for invalid purpose
       - Threat: Out of ordinary

  7. Threat: Establish beachhead
     - Malware lands on the endpoint: as e-mail attachment? From infected USB?
     - Evades Anti Virus
     - Defense: detect launch of every process; compare hash against safe list (local and NSRL); alert if first-time-seen and not on safe list
     - Caveat: requires framework & a watcher
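Added example (not from the presentation or from EventTracker) of the beachhead defense on this slide in Python: every launch event carries the SHA-256 of the image, the digest is compared against a safe list standing in for a local allowlist plus NSRL, and an alert fires only for a hash that is both first-time-seen and not safe-listed. The digests, host names, paths and event field names are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as lowercase hex, the form hash safe lists use."""
    return hashlib.sha256(data).hexdigest()


# Constructed safe list. A real deployment would merge a locally curated list with
# the NIST NSRL reference set; these digests are stand-ins computed from short
# strings rather than hashes of real binaries.
SAFE_LIST = {
    sha256_hex(b"stand-in for notepad.exe"): "local safe list",
    sha256_hex(b"stand-in for svchost.exe"): "NSRL",
}


@dataclass
class ProcessLaunchWatcher:
    """Watches process-launch events; alerts on first-time-seen, non-safe-listed hashes."""
    safe_list: dict
    seen: set = field(default_factory=set)

    def observe(self, event: dict) -> Optional[dict]:
        digest = event["sha256"].lower()
        first_time = digest not in self.seen
        self.seen.add(digest)
        if digest in self.safe_list:
            return None             # known good, however often it runs
        if not first_time:
            return None             # already raised once; do not flood the analyst
        return {
            "host": event["host"],
            "image": event["image"],
            "parent": event.get("parent_image"),
            "sha256": digest,
            "reason": "first-time-seen hash not on safe list",
        }


def run_watcher(log_lines: list, safe_list: dict) -> list:
    """Feed JSON-lines launch records through one watcher and collect its alerts."""
    watcher = ProcessLaunchWatcher(safe_list)
    alerts = []
    for line in log_lines:
        alert = watcher.observe(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events in the shape a launch sensor might emit (field names assumed).
UNKNOWN_HASH = sha256_hex(b"stand-in for a dropped attachment payload")
SAMPLE_LOG = [
    json.dumps({"host": "WS-0042", "image": r"C:\Windows\System32\svchost.exe",
                "parent_image": r"C:\Windows\System32\services.exe",
                "sha256": sha256_hex(b"stand-in for svchost.exe")}),
    json.dumps({"host": "WS-0042", "image": r"C:\Users\amy\AppData\Local\Temp\invoice.pdf.exe",
                "parent_image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
                "sha256": UNKNOWN_HASH}),
    json.dumps({"host": "WS-0042", "image": r"C:\Windows\System32\notepad.exe",
                "parent_image": r"C:\Windows\explorer.exe",
                "sha256": sha256_hex(b"stand-in for notepad.exe")}),
    # The same unknown binary launching again must not produce a second alert.
    json.dumps({"host": "WS-0042", "image": r"C:\Users\amy\AppData\Local\Temp\invoice.pdf.exe",
                "parent_image": r"C:\Windows\explorer.exe",
                "sha256": UNKNOWN_HASH}),
]

if __name__ == "__main__":
    for alert in run_watcher(SAMPLE_LOG, SAFE_LIST):
        print(alert)
```

The watcher remembers every digest it has seen, so a repeat launch of an unknown binary is suppressed after the first alert; the parent image is carried in the alert because a mail client spawning an executable out of a temp folder is the first thing the analyst doing the triage on slide 14 needs to see.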

  8. Threat: Lateral movement
     - Move from less to more valuable systems: from desktop to server/firewall
     - Defense: user behavior, location affinity; trace files from endpoint (Prefetch, default.rdp etc.); valid but unusual EXE presence (e.g. route.exe)
     - Caveat: requires framework + machine learning
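The affinity idea on this slide as an added Python example (not the presentation's or EventTracker's code): a baseline window of logons gives each user their usual set of hosts, a logon outside that set is flagged, and the desktop-to-server case is rated higher. A second check flags a valid admin tool (route.exe, from the slide, plus net.exe as an assumed addition) turning up on a workstation. The host inventory, user names and events are constructed.

```python
from collections import defaultdict
from typing import Optional

# Constructed host inventory: which machines are desktops and which are servers.
HOST_ROLE = {
    "WS-0042": "workstation",
    "WS-0107": "workstation",
    "FILE-SRV-01": "server",
    "FW-MGMT-01": "server",
}

# Valid tools a marketing desktop rarely needs: route.exe is from the slide,
# net.exe is an assumed addition. Presence alone is the signal, not the hash.
UNUSUAL_ON_WORKSTATION = {"route.exe", "net.exe"}


class LateralMovementDetector:
    """Learns user-to-host affinity from past logons, then flags logons and tool
    sightings that fall outside it."""

    def __init__(self, role_of: dict, tools: set):
        self.role_of = role_of
        self.tools = tools
        self.affinity = defaultdict(set)   # user -> hosts they have logged on to

    def learn(self, history: list) -> None:
        """history: (user, host) pairs from the baseline window."""
        for user, host in history:
            self.affinity[user].add(host)

    def check_logon(self, user: str, host: str) -> Optional[dict]:
        known = self.affinity.get(user, set())
        if host in known:
            return None
        usual_roles = {self.role_of.get(h, "unknown") for h in known}
        new_role = self.role_of.get(host, "unknown")
        # A desktop-only user appearing on a server is the less-to-more-valuable move.
        escalates = new_role == "server" and usual_roles <= {"workstation"}
        return {"kind": "logon_outside_affinity", "user": user, "host": host,
                "severity": "high" if escalates else "medium",
                "known_hosts": sorted(known)}

    def check_process(self, host: str, image: str) -> Optional[dict]:
        name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in self.tools and self.role_of.get(host) == "workstation":
            return {"kind": "unusual_tool_on_workstation", "host": host,
                    "image": image, "severity": "medium"}
        return None


def evaluate(history: list, events: list, role_of: dict = HOST_ROLE) -> list:
    """Baseline on history, then run each new event through the matching check."""
    det = LateralMovementDetector(role_of, UNUSUAL_ON_WORKSTATION)
    det.learn(history)
    alerts = []
    for ev in events:
        if ev["type"] == "logon":
            alert = det.check_logon(ev["user"], ev["host"])
        else:
            alert = det.check_process(ev["host"], ev["image"])
        if alert:
            alerts.append(alert)
    return alerts


# Constructed baseline: a couple of weeks of ordinary logons.
BASELINE = [("amy", "WS-0042"), ("amy", "WS-0042"), ("bob", "WS-0107"),
            ("bob", "FILE-SRV-01"), ("svc-backup", "FILE-SRV-01")]

# Constructed new events, in order of arrival.
NEW_EVENTS = [
    {"type": "logon", "user": "amy", "host": "WS-0042"},       # normal for amy
    {"type": "process", "host": "WS-0042", "image": r"C:\Windows\System32\route.exe"},
    {"type": "logon", "user": "amy", "host": "FILE-SRV-01"},   # desktop user on a server
    {"type": "logon", "user": "bob", "host": "FW-MGMT-01"},    # admin on a server he has not used
]

if __name__ == "__main__":
    for alert in evaluate(BASELINE, NEW_EVENTS):
        print(alert)
```

The baseline here is a plain set per user; the slide's "machine learning" caveat is about replacing that set with something that tolerates a user's occasional legitimate new host without losing the desktop-to-server signal, which is why bob's server-to-server move is rated only medium.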

  9. Threat: Exfiltrate data
     - Hide as normal traffic; avoid detection by proxy, network monitor
     - Defense: monitor network activity (esp. north/south) for out-of-ordinary behavior
     - IDS is useful but can’t say which process was responsible
     - Combination of unknown process connecting to low-reputation outside address is a strong advantage

  10. Attacks from Insiders
     - At Black Hat, Aug 2016, by Elie Bursztein of Google: 297 USBs dropped at U of Illinois, Urbana (parking lots, common rooms, lecture halls, hallways)
     - Labels: no label, Confidential, Exam answers
     - 45% plugged in; clicked on links; within 10 hours

  11. Myth #1
     - Myth: Hackers carefully select targets, then hit them with a zero-day attack
     - Reality: Most attacks are indiscriminate, opportunistic and exploit known vulnerabilities; more than 85% of successful exploits leverage the top 10 vulnerabilities

  12. Myth #2
     - Myth: Attackers are fast but good guys are catching up
     - Reality: The gap is widening (detection deficit disorder); 4 of 5 victims don’t realize they’ve been attacked for weeks

  13. Myth #3
     - Myth: No one falls for phishing anymore
     - Reality: More than 30% of phishing emails are opened; 12% clicked on links

  14. Endpoint Threat Detection & Response
     - What is required to defend today’s network?
     - A framework to collect endpoint data: running processes, network connections, Windows services, users, registry entries, more
     - A central repository which can receive, store and index the data
     - An expandable ruleset to baseline and analyze the data
     - And (wait for it...) an analyst to triage/review/escalate for remediation

  15. EventTracker Framework
     - Central Console: data collection, indexing, analysis, storage
     - Sensor for Windows: MS Gold certified; runs in user space; tiny footprint
     - Options for IDS, Vuln. Assess, packet inspection

  16. SIEM Simplified Co-Managed Services for Success TUNE COMPLY RUN WATCH Correlation Alerts & Analysis Attackers & Targets Real Time Dashboards Endpoint Threat Detection & Response (ETDR/DFIR) DATA MART Advanced Security Center Managed Integrated Threat Feeds Managed SNORT IDS Incident Investigations “SANS” Log Book User Behavior Affinity & Analysis Compliance Center Log Search & Forensics Streamlined Compliance Workflow & Reporting PCI- DSS | HIPAA | FFIEC FISMA | Gov. | Military Configuration Assessment Hardened Centralized Log Management Vulnerability Assessment File Integrity Monitoring ISO 27001(2) GPG 13 Diligent

  17. SIEM Simplified
     - Services to get expert help with EventTracker software installed on premise or in the cloud…
     - EventTracker: Alerts, Reports, Dashboards, Search, Auditing Changes | Your Staff | Your IT Assets | Remote Access to EventTracker (only) | EventTracker Control Center
     - We provide remote Managed Services:
       1. RUN: Basic ET Admin – Threat Feeds
       2. WATCH: Analytics/Remediation Recos
       3. COMPLY: Compliance Services
       4. TUNE: Advanced ET Tuning
       5. ET VAS – Vulnerability Assessment Service
       6. ET IDS – Managed SNORT – signature updates

  18. Gartner View of Cyber Security Market Maturity

  19. Secure your Network
     - Your Challenge: growing attack frequency and sophistication
     - Your Need: cost-effective threat remediation; scalable & smart

  20. Scenario
     - Win 7 desktop; user is with marketing dept, required to visit external websites regularly
     - Defenses: up-to-date platform (Windows updates); DHCP address; next-gen firewall; up-to-date, brand-name Anti Virus; IDS with updated signatures scanning north/south

  21. What was seen
     - New Windows service created: persists on logoff or reboot; invisible to the normal user
     - Connects to an external site: avoids proxy detection by using an IP address; avoids blocking by using port 80
     - Trace back showed a phishing e-mail, apparently from HR
     - About 14 hours later, anti-malware signatures updated and a deep scan suggested it was “Blakamba”
     - Three days later, Anti Malware showed other files in temp folders with the same signature
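Added Python example, not code from the presentation or EventTracker, combining the exfiltration defense of slide 9 (unknown process plus low-reputation outside address) with the scenario on this slide: a service-install record (modelled on Windows System log event 7045) is correlated with later outbound connections (modelled on Sysmon event 3 fields) from that service's binary, and the connection is scored on the indicators the slide names: outside address, bare IP with no hostname, port 80, and reputation. The event shapes, host names, paths, the 203.0.113.5 address and its reputation score are constructed assumptions.

```python
import ipaddress
from typing import Optional

# RFC 1918 and loopback space count as internal; anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed reputation feed: address -> score, 0 clean, 100 worst. The address is
# from the 203.0.113.0/24 documentation range, standing in for a low-reputation host.
REPUTATION = {"203.0.113.5": 90}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class ServiceBeaconDetector:
    """Correlates a new service install with later outbound connections made by
    that service's binary, and scores the connection on the slide's indicators."""

    def __init__(self, reputation: dict, bad_score: int = 70):
        self.reputation = reputation
        self.bad_score = bad_score
        self.new_services = {}   # (host, image path lowercased) -> service name

    def handle(self, event: dict) -> Optional[dict]:
        key = (event["host"], event["image"].lower())
        if event["type"] == "service_installed":       # modelled on System log event 7045
            self.new_services[key] = event["service_name"]
            return None
        if event["type"] != "network_connect":          # modelled on Sysmon event 3
            return None
        if key not in self.new_services or is_internal(event["dst_ip"]):
            return None
        indicators = ["outbound connection by a newly installed service"]
        if not event.get("dst_hostname"):
            indicators.append("connected to a bare IP address (proxy bypass pattern)")
        if event["dst_port"] in (80, 443):
            indicators.append(f"used web port {event['dst_port']} to blend with browsing")
        score = self.reputation.get(event["dst_ip"], 0)
        if score >= self.bad_score:
            indicators.append(f"destination reputation score {score}")
        return {"host": event["host"], "service": self.new_services[key],
                "image": event["image"],
                "dst": f"{event['dst_ip']}:{event['dst_port']}",
                "severity": "high" if len(indicators) >= 3 else "medium",
                "indicators": indicators}


def run_detector(events: list, reputation: dict = REPUTATION) -> list:
    """Run one detector over an event stream and return the alerts it raises."""
    det = ServiceBeaconDetector(reputation)
    return [a for a in (det.handle(e) for e in events) if a]


# Constructed event stream for the scenario: a service appears, then beacons out.
SAMPLE_EVENTS = [
    {"type": "service_installed", "host": "WS-0042", "service_name": "SysUpdate",
     "image": r"C:\ProgramData\sysupd\sysupd.exe"},
    {"type": "network_connect", "host": "WS-0042", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "10.0.0.5", "dst_port": 445, "dst_hostname": "file-srv-01.corp.example"},
    {"type": "network_connect", "host": "WS-0042", "image": r"C:\ProgramData\sysupd\sysupd.exe",
     "dst_ip": "203.0.113.5", "dst_port": 80, "dst_hostname": ""},
    # A browser reaching the same address is outside this rule: no new service behind it.
    {"type": "network_connect", "host": "WS-0042", "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "203.0.113.5", "dst_port": 80, "dst_hostname": ""},
]

if __name__ == "__main__":
    for alert in run_detector(SAMPLE_EVENTS):
        print(alert)
```

The last sample event, a browser reaching the same address on the same port, produces nothing from this rule: an IDS watching north/south traffic would see the two connections as identical, and it is the process attribution from the endpoint sensor that separates the service beacon from ordinary browsing.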
