Page 1
A discussion of sophisticated Cyber threats used by advanced adversaries.
The primary objective is to draw a distinction between the current state of Cyber Security practices and our probable future. The present security posture is heavily reliant upon the use of tools and products to provide protection. This presentation will discuss the flaws in present-day methodologies and begin to contemplate workable concepts for increased security through a mature and sophisticated response to the threats against a network or against the data which it contains. Simply put: network attackers are rapidly increasing in both technical and operational sophistication; comprehensive Computer Network Defense must keep pace in order to effectively mitigate the threat.
© Mike Saylor 2012
Page 2
We don’t have anything they want.
Bandwidth
Networks…free from Government’s prying eyes
“Lucrative” business proposals
Intellectual Property
Hacktivism
CEO/President with influence or clout
  ▪ Excellent source for “whale-phishing”
  ▪ Spoofed e-mails to target the people who trust him/her
Page 3
Trusted Business Relationships
  Subcontractors/Peer connections
  Mergers, partnerships, etc.
Trusted Internal Networks
  “Internal” users assumed trustworthy
Use of ‘Valid’ Credentials
Page 4
Trusted E-mail
  Exploited by “Spear Phishing”
Trusted Internet Websites
  Cross site scripting
  Remote code execution
Trusted Applications
  Un-patched programs
  ▪ PDF, Word, Excel exploits
  Unauthorized software
  ▪ Media players
  ▪ Mobile Apps
Page 5
Most Organizations do not have a formal, structured, and/or mature Information Security (InfoSec) Program.
Fewer Organizations have a somewhat mature InfoSec Program, but rely heavily upon the tools and vendors for their sense of security, with little or no skilled / dedicated internal InfoSec personnel.
Even Fewer yet have a mature InfoSec Program that incorporates technology solutions, training / awareness, and dedicated, skilled InfoSec personnel.
Page 6
The majority of organizations work towards Compliance-based Security (SOX, PCI, HIPAA, GLBA, FFIEC, FERC, etc).
Most InfoSec groups operate in a responsive / tactical mode, further hindered by a disconnect from business strategy.
The focus of most InfoSec programs is still the Network Perimeter (Firewalls, IDS/IPS, Email Filter, Internet Filter, etc).
Page 7
[Diagram: nested layers NETWORK PERIMETER, DMZ, INTERNAL NETWORK, CORE SYSTEMS; labelled entry points: Web Sites, Web Applications, Social Engineering]
Page 8
Most InfoSec Programs include numerous security tools.
  Firewalls
  Intrusion Detection / Prevention
  Anti-Virus
  Email / Spam Filters
  Data Leakage Prevention (DLP)
  Anti-Malware
  Internet Filtering
  SIM / SEIM
  End Point Security
  Encryption
Does simply implementing these tools and their associated Policy and Procedures make them secure today? Tomorrow?
Page 9
By definition, the intrusion has already happened.
Most InfoSec personnel struggle with root cause and focus primarily on stopping the attack.
In one personal experience, I asked a Firewall Administrator why he didn’t think several days of after-hours bandwidth spikes were suspicious. His response: “after the second day I thought it was normal”.
Almost all Social Engineering and Facility Breach Attacks are successful and go undetected.
Page 10
Unexpected emails—particularly emails from US-based companies like Hotmail but with a foreign source IP
HTTP traffic that has more outbound than inbound
Late-night traffic—particularly login failures
Continuous, periodic “beaconing” activity—may represent Trojan activity to “calling card” addresses
Domain names which resolve to “reserved” networks
  192.168.X.X, 255.255.255.X
  0.0.0.0, 1.1.1.1, 127.X.X.X
  10.X.X.X
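The indicators on this page are the kind of thing a SIEM rule or a nightly log review would look for. The script below is an added example, not part of the slides: it applies four of the five indicators (lopsided HTTP byte counts, after-hours login failures, regular-interval "beaconing", and DNS answers landing in the reserved networks the slide lists) to constructed sample records. The record layouts, thresholds, host names and addresses are assumptions made for this illustration; the e-mail indicator is left out because it needs source-IP geolocation data.

```python
# Added example (not from the slides): triage of the slide's indicators over
# constructed sample records. Layouts, thresholds and values are assumptions.
import ipaddress
from collections import defaultdict
from datetime import datetime, time, timedelta
from statistics import mean, pstdev

# "Reserved" networks as named on the slide, plus the remaining RFC 1918 block.
RESERVED_NETS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16", "255.255.255.0/24", "0.0.0.0/32", "1.1.1.1/32",
    "127.0.0.0/8", "10.0.0.0/8",          # the slide's list
    "172.16.0.0/12",                      # RFC 1918, added here
)]

# --- constructed sample records (not real traffic) ---------------------------
DNS_ANSWERS = [  # (queried name, answer address)
    ("updates.vendor.example", "203.0.113.10"),    # ordinary-looking answer
    ("cdn7.partner.example", "10.4.4.4"),          # resolves into 10.X.X.X
    ("telemetry.tool.example", "127.0.0.1"),       # resolves to loopback
    ("api.service.example", "1.1.1.1"),            # on the slide's list
]
HTTP_FLOWS = [  # (client, server, bytes out, bytes in)
    ("10.1.5.23", "203.0.113.50", 1_200, 48_000),   # browsing: mostly inbound
    ("10.1.5.23", "198.51.100.7", 900_000, 2_100),  # far more outbound than in
]
AUTH_EVENTS = [  # (local timestamp, user, outcome)
    (datetime(2012, 3, 14, 2, 15), "jsmith", "FAIL"),
    (datetime(2012, 3, 14, 2, 16), "jsmith", "FAIL"),
    (datetime(2012, 3, 14, 9, 30), "jsmith", "OK"),
    (datetime(2012, 3, 14, 14, 2), "adoe", "FAIL"),  # daytime failure: not counted
]
_T0 = datetime(2012, 3, 14, 1, 0)
CONNECTIONS = (  # (timestamp, source, destination)
    # six connections to one host roughly 600 s apart: beacon-like
    [(_T0 + timedelta(seconds=s), "10.1.5.23", "198.51.100.7")
     for s in (0, 600, 1201, 1799, 2400, 3000)]
    # five connections to another host at irregular gaps: ordinary use
    + [(_T0 + timedelta(seconds=s), "10.1.5.23", "203.0.113.50")
       for s in (0, 37, 1500, 1510, 4000)]
)


def resolves_to_reserved(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESERVED_NETS)


def reserved_resolutions(answers):
    """Names whose DNS answer lands in a reserved network."""
    return [name for name, ip in answers if resolves_to_reserved(ip)]


def lopsided_http(flows, ratio=2.0):
    """Flows that send more than `ratio` times the bytes they receive."""
    return [(c, s) for c, s, out_b, in_b in flows if out_b > ratio * in_b]


def late_night_failures(events, start=time(22, 0), end=time(6, 0)):
    """Failed logins inside an after-hours window that wraps past midnight."""
    hits = []
    for ts, user, outcome in events:
        t = ts.time()
        after_hours = t >= start or t < end
        if outcome == "FAIL" and after_hours:
            hits.append((ts, user))
    return hits


def beacon_candidates(conns, min_count=4, max_cv=0.05):
    """Source/destination pairs contacted at near-constant intervals."""
    by_pair = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(ts)
    found = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # coefficient of variation: a small value means the timing is regular
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[pair] = avg
    return found


def triage():
    """Run every indicator over the sample records and collect the hits."""
    return {
        "reserved_dns": reserved_resolutions(DNS_ANSWERS),
        "lopsided_http": lopsided_http(HTTP_FLOWS),
        "late_night_failures": late_night_failures(AUTH_EVENTS),
        "beacons": beacon_candidates(CONNECTIONS),
    }


if __name__ == "__main__":
    for indicator, hits in triage().items():
        print(indicator, hits)
```

Each indicator is a separate function so the thresholds (outbound ratio, after-hours window, minimum beacon count and timing jitter) can be tuned per environment; in practice these heuristics produce leads for a human to confirm, which is the point the firewall-administrator anecdote on the previous page makes.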
Page 11
Verizon Report
  48% of compromises take less than a day
  75% of intrusions are not detected for at least a week
  94% require 7 to 31 days for containment
Attackers have a lot of time to operate
Defenders are inherently disadvantaged
Insiders are still the greatest threat
In 2011, U.S. companies spent ~$130 Billion combating data breaches (Lanscope).
2009 Data Breach Investigations Report – Verizon Business RISK Team
Page 12
48% involved privilege misuse (+26%)
40% resulted from hacking (-24%)
38% utilized malware (<>)
28% employed social tactics (+16%)
15% comprised physical attacks (+6%)
96% of breaches were avoidable through simple or intermediate controls (+9%)
2010 Data Breach Investigations Report – Verizon Business RISK Team
Page 13
Covert Reconnaissance/Surveillance
Obfuscated Exfiltration of Data
Exploitation of Internal Networks & Trust
Persistent Presence of Advanced Adversary
Illegitimate use of Valid Credentials
Wholesale Loss of Trust/Information Fidelity
Page 14
[Chart: Operational Sophistication (vertical axis) against Technical Sophistication (horizontal axis); plotted items: Insider, Insider Support, Valid Credentials, Persistence, Scanning Intrusion, IDS, Firewall, Statistical Signal Analysis]
Page 15
Commercial Software and Vendor Developed Software is Secure.
  Adobe, MS Office, Internet Explorer, Firefox, etc.
For a User or Attacker to Escalate Privileges they must compromise the Administrator Account.
  Any process running as Admin can be broken
  Privilege Escalation is inevitable
Freshly installed Operating Systems, or newly re-imaged systems are secure and can be trusted.
  Yes, if never connected to the Internet
Page 16
Most InfoSec Programs are ineffective Today and will stand little chance tomorrow, for the following reasons:
  Budgets and Executive Management Support
  Tactical Approach, disconnected from Corp Strategy
  Heavy Reliance on Tools and Vendors
  Overwhelmed by Alerts and emails from Security Tools, most ignored
  Myopic view of what to protect, how to protect it, and why?
Page 17
[Diagram: threat categories APT, Insider Threat, Employee Misuse, Malware, Industrialized Attacks / Automated Attacks]
Page 18
[Diagram: nested layers NETWORK PERIMETER, DMZ, INTERNAL NETWORK, CORE SYSTEMS; labelled threats: Web Sites, Mobile Device / Media, Social Engineering, Social Networking, Network Attacks, Internet Use, Physical Breach, Malware, Phishing, Insiders, APT]
Page 19
[Diagram: Company Data at the centre, surrounded by Phone Calls, Emails, Cloud Provider / Vendor, Remote Users, Users, Wireless Networks, Internet, Wireless Home Networks, Worms, Virus, Malware]
Page 20
[Diagram: Successful Defense set against Attacker Motivation]
Page 21
Self-Cleansing Intrusion Tolerance (SCIT)
Policy Considerations
Triumvirate Solution
Page 22
Assume a proactive posture
Ignores detection and prevention
Certainty of intrusion is assumed
Based on research into real-world intrusions
Focuses on ‘self-cleansing’ and ‘level of trust’
Off-the-shelf solutions are very limited, i.e., I know of none.
Page 23
[Chart: Level of Trust and Potential Damage against Uptime / Runtime (x-axis 1 to 10, y-axis 0 to 100)]
Page 24
Self-Cleansing Intrusion Tolerance (SCIT) (1)
  Works with HTTP and DNS servers
  Nightly shutdown/re-image desktops
  Integrate with IDS and IPS systems
  Maintain higher overall trust, over time
(1) cs.gmu.edu/~asood/scit
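The SCIT idea is that a server's exposure window, and therefore its "level of trust", is bounded by how long it runs before being restored from a clean image, rather than by whether an intrusion was detected. The model below is an added example and is not code from the slides or from the SCIT project at GMU: it sizes a pool of replicas so that a required number are always serving while the others re-image, staggers their cycles, and walks through time to confirm that availability holds and that no replica's uptime ever exceeds the online period. The pool-sizing formula, the even stagger and the linear trust decay are assumptions made for this illustration.

```python
# Added example (not from the slides or the SCIT project): a model of
# rotating server replicas through serve -> re-image cycles. Pool sizing,
# even staggering and the linear trust decay are assumptions.
import math


def replicas_needed(k_online, online_period, cleanse_period):
    """Smallest pool that keeps k_online replicas serving while others re-image.

    Each replica serves for online_period out of every cycle, so the pool must
    supply k_online * cycle seconds of service per cycle.
    """
    cycle = online_period + cleanse_period
    return math.ceil(k_online * cycle / online_period)


def stagger_offsets(n, online_period, cleanse_period):
    """Start the replicas' cycles evenly spaced so cleansing windows spread out."""
    cycle = online_period + cleanse_period
    return [i * cycle / n for i in range(n)]


def trust_level(uptime, decay_per_second):
    """Assumed linear decay: trust (0..100) falls the longer a replica is exposed."""
    return max(0.0, 100.0 - decay_per_second * uptime)


def simulate(k_online, online_period, cleanse_period, horizon, step=1, decay=0.1):
    """Tick through `horizon` seconds and record the worst case observed."""
    n = replicas_needed(k_online, online_period, cleanse_period)
    cycle = online_period + cleanse_period
    offsets = stagger_offsets(n, online_period, cleanse_period)
    min_online, max_uptime = n, 0.0
    t = 0
    while t < horizon:
        online = 0
        for off in offsets:
            phase = (t - off) % cycle        # position within this replica's cycle
            if phase < online_period:        # serving; phase equals its uptime
                online += 1
                max_uptime = max(max_uptime, phase)
        min_online = min(min_online, online)
        t += step
    return {
        "replicas": n,
        "min_online": min_online,            # never drops below k_online
        "max_uptime": max_uptime,            # exposure window stays bounded
        "min_trust": trust_level(max_uptime, decay),
        "static_server_trust": trust_level(horizon, decay),  # never re-imaged
    }


if __name__ == "__main__":
    # two replicas always serving, 10 minutes online then 2 minutes re-imaging
    print(simulate(k_online=2, online_period=600, cleanse_period=120, horizon=3600))
```

With two replicas required, a 600 s online period and a 120 s re-image, the pool needs three replicas; over an hour the count of serving replicas never drops below two, no replica's uptime exceeds 599 s, and the modelled trust never falls below about 40 while a server that is never re-imaged decays to zero. Shortening the online period raises the trust floor at the cost of more replicas, which is the trade-off the charts on the surrounding pages depict.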
Page 25
[Chart: Level of Trust (0% to 100%) against Uptime / Runtime]
Page 26
More restrictive Internet usage
  Unpopular, but effective
Restrict email attachments
  Deny attackers their easiest point of entry
  Potential adverse effect to “normal” business
Two-Factor Authentication
  Makes it harder for attackers to operate
  Increase in corporate cost of operations
Mobile Device Management
  Smart Phones, Tablets, Laptops
Employee Training / Awareness
Page 27
[Diagram: Policies, Tools and Behavior combining into Security]
Page 28
Reduce ‘Window of Exposure’ to Risk
  Proactive Measures, not event dependent
  Frequent Restore to the ‘Trusted State’
Isolate sensitive data
  What data truly needs to be on the Internet?
Wholesale Policy Changes
  More restrictive
  Information ‘Assurance’ over Information Security
  May result in political battles
Page 29
Attacking is much easier than defending
  The one who takes initiative has the advantage.
All networks are vulnerable
  Given time, APT actors will defeat defenses
  Currently, defenders incur nearly all of the risk
If you are in business, you are a target.