Advanced Persistent Threats (APTs)

Srini Uppugonduri, ISACA Baton Rouge, Nov 16th 2011

Presentation Transcript


  1. Advanced Persistent Threats (APTs) Srini Uppugonduri, ISACA Baton Rouge, Nov 16th 2011.

  2. Agenda • What are APTs? • Why talk about them? • Should we be concerned? • What can we do? • Conclusion

  3. What are APTs?

  4. Advanced Persistent Threats
  • Advanced
    – Attacker adapts to defenders' efforts
    – Can develop or buy zero-day exploits
    – Higher level of sophistication
  • Persistent
    – Attacks are objective-driven and specific
    – Will continue until the goal is reached
    – Intent to maintain long-term connectivity
  • Threats
    – The entity or entities behind the attack
    – Not the malware, exploit or attack alone

  5. APT Defined
  • Key actors behind the rise of APTs
    – Nation states
    – Organized crime groups
    – Hacktivist groups

  6. Why talk about them?

  7.
  – Gain awareness
  – Constantly in the news
  – Understand the risk to your organization
  – Organizational impact
  – Prioritize information security investments
  – Communicate risk more effectively

  8. APT in the news
  • RSA, Google, Johnson & Johnson
  • DuPont, General Electric, Walt Disney
  • Sony, Adobe Systems, Intel Corp
  • Baker Hughes, Exxon, British Petroleum
  • Marathon, Chevron, King & Spalding
  • CareFirst BCBS, QinetiQ, Alliant Techsystems
  • Northrop Grumman, Lockheed Martin, Citi Cards
  • Oak Ridge Labs, IMF, Yahoo
  • And many, many more …

  9. Should we be concerned?

  10.
  – Not applicable to military / defense alone
  – Organized crime & 'hacktivist' groups
  – Looking for intellectual property: M&A, trade secrets, engineering designs, application code, business plans, etc.
  – Can bypass anti-virus & anti-malware software
  – Low and slow attacks
  – Can easily move across the network

  11. Additionally...
  – Focus on social engineering and spear phishing
  – Trend is to exploit end users & thereby endpoints
  – Ineffective IT processes
  – Vulnerability management
  – Threat management
  – Incident management
  – Inherent weaknesses in IT
  – Blessing and a curse

  12. Typical Attack

  13. Observations ..

  14. Impact .. • Low profile attack • Extremely stealthy • Very low to zero downtime to systems • Many organizations operate for years, without knowing they are breached!

  15. What can we do?

  16. Understand the threat
  • Mandiant – presentations
  • HBGary – APT
  • OWASP – Ross (NIST)
  • SANS InfoSec Reading Room – detailed analysis of APT
  • Others...

  17. Assume you are breached • Prepare for the inevitable • Start planning • Define your “Win” • Delay the ‘Threat’ from reaching its goal • Minimize the loss • Improvise as you go along • Are your approaches outdated?

  18. Awareness & Education • Executive management • IT • All employees • Useful resource: www.Phishme.com • Invest in training SOC analysts

  19. SIEM
  • Audit logging
  • Event correlation
  • Real-time analysis
  Categorize your assets
  • Business criticality
  • Business impact
  • Data classification
  • Ownership
  • Type – structured and unstructured
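The slide lists event correlation as the core SIEM capability, and earlier slides describe what it must catch: "low and slow" activity and an adversary who "can easily move across the network". The following is an added example, not part of the presentation, showing two correlation rules over a small constructed log set (user names, host names and the 203.0.113.x / 198.51.100.x addresses are made up for the example): a lateral-movement rule that flags an account logging on to many distinct hosts within a short window, and a beaconing rule that flags an internal host contacting one external destination at near-constant intervals. The log format is invented for the example; in practice the parser would be replaced by the SIEM's own normalized event fields.

```python
"""Event correlation over constructed auth and proxy logs (added example).

Rule 1, lateral movement: one account with successful logons to >= min_hosts
distinct hosts inside a sliding time window.
Rule 2, beaconing: one (src, dst) pair whose inter-arrival times have a low
coefficient of variation, i.e. the same destination is contacted on a
near-fixed schedule for a long period. Both patterns are low-volume, which
is why a threshold on raw event counts alone would miss them.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
import statistics

# Constructed log formats for the example (not a real product's syntax).
AUTH_RE = re.compile(r"^(?P<ts>\S+ \S+) AUTH user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$")
PROXY_RE = re.compile(r"^(?P<ts>\S+ \S+) PROXY src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")


def parse(lines):
    """Split raw lines into auth events and proxy events with parsed timestamps."""
    auth, proxy = [], []
    for line in lines:
        for regex, bucket in ((AUTH_RE, auth), (PROXY_RE, proxy)):
            m = regex.match(line)
            if m:
                d = m.groupdict()
                d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
                bucket.append(d)
    return auth, proxy


def lateral_movement(auth, window=timedelta(minutes=30), min_hosts=4):
    """Return {user: sorted hosts} for accounts that reached >= min_hosts
    distinct hosts (successful logons only) inside any `window`."""
    by_user = defaultdict(list)
    for e in auth:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):  # sliding window over sorted events
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in events[start:end + 1]}
            if len(hosts) >= min_hosts and len(hosts) > len(alerts.get(user, ())):
                alerts[user] = sorted(hosts)  # keep the widest window seen
    return alerts


def beaconing(proxy, min_events=6, max_jitter=0.2):
    """Return {(src, dst): mean interval seconds} for pairs whose gaps between
    connections vary by less than `max_jitter` (pstdev / mean)."""
    by_pair = defaultdict(list)
    for e in proxy:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    alerts = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_jitter:
            alerts[pair] = round(mean)
    return alerts


# Constructed sample: a service account sweeping five hosts in 18 minutes,
# a workstation calling one external address hourly, and ordinary noise.
SAMPLE_LOG = """\
2011-11-15 02:00:05 AUTH user=svc_backup host=fs01 result=success
2011-11-15 02:03:40 AUTH user=svc_backup host=fs02 result=success
2011-11-15 02:07:12 AUTH user=svc_backup host=dc01 result=success
2011-11-15 02:11:58 AUTH user=svc_backup host=eng-cad07 result=success
2011-11-15 02:18:30 AUTH user=svc_backup host=hr-db01 result=success
2011-11-15 08:30:00 AUTH user=alice host=ws17 result=success
2011-11-15 08:31:10 AUTH user=alice host=mail01 result=success
2011-11-15 08:35:00 AUTH user=bob host=ws22 result=failure
2011-11-15 09:00:00 PROXY src=ws17 dst=203.0.113.10 bytes=512
2011-11-15 10:00:04 PROXY src=ws17 dst=203.0.113.10 bytes=498
2011-11-15 11:00:01 PROXY src=ws17 dst=203.0.113.10 bytes=530
2011-11-15 12:00:07 PROXY src=ws17 dst=203.0.113.10 bytes=505
2011-11-15 13:00:02 PROXY src=ws17 dst=203.0.113.10 bytes=511
2011-11-15 14:00:05 PROXY src=ws17 dst=203.0.113.10 bytes=499
2011-11-15 15:00:03 PROXY src=ws17 dst=203.0.113.10 bytes=520
2011-11-15 08:32:00 PROXY src=ws22 dst=198.51.100.7 bytes=90210
2011-11-15 08:32:09 PROXY src=ws22 dst=198.51.100.7 bytes=12000
2011-11-15 08:40:00 PROXY src=ws22 dst=198.51.100.7 bytes=3400
2011-11-15 09:15:00 PROXY src=ws22 dst=198.51.100.7 bytes=700
2011-11-15 12:05:00 PROXY src=ws22 dst=198.51.100.7 bytes=50000
2011-11-15 16:00:00 PROXY src=ws22 dst=198.51.100.7 bytes=800
"""


def correlate(log_text):
    auth, proxy = parse(log_text.splitlines())
    return {"lateral_movement": lateral_movement(auth), "beaconing": beaconing(proxy)}


if __name__ == "__main__":
    for rule, hits in correlate(SAMPLE_LOG).items():
        print(rule, hits)
```

The ws22 traffic has as many events as the beacon but irregular gaps, so it is evaluated and correctly rejected; the failed logon is ignored because only successful authentications indicate movement. Thresholds (30 minutes, four hosts, 20 % jitter) are starting points to tune against the asset categories the slide asks for, since a backup service account legitimately touching many hosts will need its own baseline.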

  20. Refine processes
  • Incident management
  • Disaster recovery
  • Table-top exercises
  • Monitoring, identification & response
  • Defense in depth & breadth
  • Third-party connections
  • Asset inventory

  21. Dual Protection Strategies

                           Boundary Protection                Agile Defense
  Primary Consideration    Penetration Resistance             Information System Resilience
  Adversary Location       Outside the Defensive Perimeter    Inside the Defensive Perimeter
  Objective                Repelling the Attack               Operating while under Attack

  Source: OWASP – Ross

  22. Agile Defense
  • Boundary protection is a necessary but not sufficient condition for Agile Defense
  • Examples of Agile Defense measures:
    – Compartmentalization and segregation of critical assets
    – Targeted allocation of security controls
    – Virtualization and obfuscation techniques
    – Encryption of data at rest
    – Routine reconstitution to a known secure state
  Source: OWASP – Ross
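"Routine reconstitution to a known secure state" presumes you can tell a host has drifted from that state. The following is an added example, not from the presentation or the cited OWASP/NIST material, of the integrity check that underpins it: hash every file of a freshly built system as the baseline, re-hash later, and report additions, removals and modifications outside an allow-list of paths that are expected to change (logs, caches). Any unexplained drift marks the host for rebuild from the known-good image rather than for in-place cleanup. The file tree, file contents and the "var/log/" allow-list are constructed for the example with tempfile.

```python
"""Integrity baseline for reconstitution decisions (added example).

snapshot() hashes every regular file under a root; compare() diffs two
snapshots while ignoring volatile path prefixes; needs_reconstitution()
turns the diff into a rebuild decision. The sample tree is constructed.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map of relative POSIX-style path -> sha256 for every file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def compare(baseline, current, volatile=()):
    """Drift between two snapshots as sorted lists, skipping paths that start
    with any prefix in `volatile` (paths expected to change in normal use)."""
    def tracked(p):
        return not any(p.startswith(v) for v in volatile)
    added = sorted(p for p in current if p not in baseline and tracked(p))
    removed = sorted(p for p in baseline if p not in current and tracked(p))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p] and tracked(p))
    return {"added": added, "removed": removed, "modified": modified}


def needs_reconstitution(drift):
    """Rebuild from the known-good image if anything tracked has changed."""
    return any(drift.values())


def demo():
    """Build a constructed 'clean' tree, baseline it, tamper, and diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        # Known-good build: contents are placeholders, not real binaries.
        write("bin/httpd", b"placeholder-httpd-build-1")
        write("etc/httpd.conf", b"Listen 443\n")
        write("var/log/access.log", b"")
        baseline = snapshot(root)

        # Later state: replaced binary, an unexpected new file, log growth.
        write("bin/httpd", b"placeholder-httpd-build-1-altered")
        write("var/www/upload.php", b"unexpected file")
        write("var/log/access.log", b"GET / 200\n")
        return compare(baseline, snapshot(root), volatile=("var/log/",))


if __name__ == "__main__":
    drift = demo()
    print(drift)
    print("reconstitute:", needs_reconstitution(drift))
```

The baseline itself must be stored off the host it describes (and ideally signed), because an adversary already inside the perimeter, which is the premise of Agile Defense, can otherwise rewrite it alongside the files. The allow-list is the part to review most carefully: every prefix added to it is a place where change goes unnoticed.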

  23. CONCLUSION • Be flexible and adaptable to changing threats! • Don't ignore information security principles! • Mature your threat and vulnerability management process! • Conduct frequent incident response exercises! • Invest in people & training! • Delay the adversary!

  24. Questions?
