Advanced Cyber Illness Treatment - IT Klinika ... Advanced Threat Protection: block, isolate and remove ...
TRANSCRIPT
Advanced Cyber Illness Treatment
Davor Perat, Senior Technology Consultant
Agenda

1. Advanced Threat Protection: Prevent advanced persistent threats
2. Advanced Threat Protection: Identify suspicious files
3. Advanced Threat Protection: Search for Indicators of Compromise
4. Advanced Threat Protection: Block, isolate and remove the advanced persistent threats
5. Advanced Threat Protection: Minimize environmental changes
6. Symantec Product Integration and Support
7. Additional Resources and Summary
Let's get started!

What are Advanced Threats?

Targeted: targets specific organisations and/or nations for business or political motives.

Stealthy: uses previously unknown zero-day attacks, rootkits, and evasive technologies.

Persistent: sophisticated command and control systems that continuously monitor and extract data from the specific target.
Copyright © 2014 Symantec Corporation
How They Work: Advanced Threats

[Diagram slide.]
What the likelihood is of being a target

Chart data (percentages by size of organisation):

Size of organisation   2011   2012   2013   2014
1-250                   18%    31%    30%    34%
251-2500                32%    19%    31%    25%
2501+                   50%    50%    39%    41%
What the results are of being a target

Technically:
• 66% of breaches go undetected for 30 days or more.
• 243 days is the average number of days before detection.
• 4 months is the average time to remedy once detection has occurred.
What the results are of being a target (continued)

Commercially:
• Resources: opex, capex, legal fees, time, money.
• Theft: intellectual property, money, customer data, employee data.
• Reputation: brand reputation can be affected if a breach is reported in the press.
Even with the best prevention technologies, can you stop advanced persistent threats?

While prevention is still very important...
...you need to prepare to be breached.

PREVENT: stopping incoming attacks
PREPARE: understanding where important data is and who can access it
DETECT: finding incursions
RESPOND: containing and remediating problems
RECOVER: restoring operations
If you are breached, how fast can you detect, respond and recover?
ATP Solution: Identify suspicious files

Symantec Advanced Threat Protection: Modules

ATP: Endpoint
• Endpoint visibility (the foothold in most targeted attacks)
• Endpoint context, suspicious events, and remediation
• Requires SEP (no new agent) and is deployed as a virtual or physical appliance

ATP: Network
• Network visibility into all devices and all protocols
• Automated sandboxing, web exploits, command and control
• Deployed off a TAP or inline, as a virtual or physical appliance

ATP: Email
• Email visibility (still the number one incursion vector)
• Email trends, targeted attack identification, sandboxing
• Cloud-based, easy add-on to Email Security.cloud
Symantec Advanced Threat Protection: Cynic

[Diagram: ATP: Endpoint, ATP: Network and ATP: Email all feed Cynic, which combines detection engines, a virtual sandbox and a physical sandbox.]
Cynic - File Types
• Windows binaries: EXE, DLL, SYS (drivers), OCX (ActiveX controls), SCR (screen savers)
• Office docs: Word, Excel, PowerPoint
• Java applets
• Compressed files (rar, zip, 7z)
• Adobe Acrobat
Skeptic: pseudo-equation for heuristic analysis

    Questionable source
  + Suspect attachment
  + Suspicious code in attachment
 (+ Evidence of obfuscation)
 (+ Unexpected encryption)
  ______________________________
  = Heuristically detected malcode

* Not all suspicious elements required for conviction
SONAR
• Dynamic analysis
• Does not make detections on application type, but on how a process behaves.
• If it behaves maliciously, regardless of its type, it will trigger a detection.
Virtual Execution
• VM execution with mimicked end-user behaviour
• Range of OS and applications
• VM communication analysis

[Diagram: several virtual machines, each running a different OS and application combination.]
Physical Execution
• Physical hardware: bare-metal execution
  - No virtualization
ATP Solution: Search for Indicators of Compromise

Console Home

Overview Information

Clickable links for further investigation

Further actions

Entity Pages

File Entity page: Related Incidents, Related Events, Seen on Endpoints, Files downloaded, Origins, File names associated with Hash, Cynic Results

Domain Entity page: Related Incidents, Files downloaded, Endpoints that communicated, IPs associated with Domain

Endpoint Entity page: Related Incidents, Related Events, Malicious Files, Malicious Connections

Incident Manager

Incident Tracking
Searches

Types of Searches
• Inline (Datastore)
  - Searches the local datastore for artifacts
  - Seconds to return results
  - Artifacts are generated from endpoint and network sensor events
  - Examples: file, hash, domain name, hostname, username, IP
  - PE file types (exe, dll, com, scr, msi, drv, sys, ocx, cpl)
• Endpoint Interrogation
  - Searches the endpoint itself for artifacts
  - Results can be delayed, depending on a number of factors
  - Examples: file, hash, registry
  - All file types (PE and non-PE)

Search fields
• Files using: file name, file hash (SHA256, MD5)
• Endpoints using: hostname, IP address (v4), logon user
• External domains using: domain name, domain URL, domain IP address

• The search checks whether the provided value is present anywhere in the above fields (file name, MD5, SHA256, hostname, etc.), i.e. it is a "contains" (substring) match rather than an exact match.
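The datastore search described above, as an added Python example. This is illustration code, not the ATP console's implementation: the record layout, the field names and the three sample records are assumptions, and the constructed datastore is not real telemetry. Beyond what the slide states, it shows the caveat a practitioner hits with "contains" matching (an IP value also matches every longer IP that begins with it) and adds an exact-match path for values that are already complete identifiers, so a full hash or IP does not pick up such false hits.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

# The fields the slide says the datastore search covers (exact attribute names are assumed).
SEARCH_FIELDS = ("file_name", "sha256", "md5", "hostname", "ip", "logon_user", "domain", "url")


@dataclass(frozen=True)
class Artifact:
    source: str               # "endpoint" or "network" sensor event
    file_name: str = ""
    sha256: str = ""
    md5: str = ""
    hostname: str = ""
    ip: str = ""
    logon_user: str = ""
    domain: str = ""
    url: str = ""


def contains_search(store, value):
    """Case-insensitive substring match of value against every indexed field.
    Returns (artifact, field) for the first field of each artifact that matches."""
    needle = value.strip().lower()
    if not needle:
        raise ValueError("empty search value")
    hits = []
    for art in store:
        for field in SEARCH_FIELDS:
            if needle in getattr(art, field).lower():
                hits.append((art, field))
                break
    return hits


def exact_search(store, value):
    """Whole-field match; no partial hits."""
    needle = value.strip().lower()
    return [(art, f) for art in store for f in SEARCH_FIELDS
            if getattr(art, f).lower() == needle]


def is_exact_token(value):
    """True for complete identifiers (a full MD5/SHA256 or an IP address), where a
    substring match can only add false hits."""
    v = value.strip().lower()
    if len(v) in (32, 64) and all(c in "0123456789abcdef" for c in v):
        return True
    try:
        ipaddress.ip_address(v)
        return True
    except ValueError:
        return False


def search(store, value):
    """Exact match for complete identifiers, substring match for everything else
    (partial hashes, partial hostnames, user names)."""
    return exact_search(store, value) if is_exact_token(value) else contains_search(store, value)


def _hashes(data):  # realistic-looking hashes for the constructed records
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


SHA_A, MD5_A = _hashes(b"constructed sample binary A")
SHA_B, MD5_B = _hashes(b"constructed sample binary B")

# Constructed datastore: three artifacts, not real telemetry.
STORE = [
    Artifact("endpoint", file_name="svchost.exe", sha256=SHA_A, md5=MD5_A,
             hostname="WS-FIN-01", ip="10.10.10.1", logon_user="acme\\jsmith"),
    Artifact("endpoint", file_name="update.scr", sha256=SHA_B, md5=MD5_B,
             hostname="WS-FIN-100", ip="10.10.10.100", logon_user="acme\\mjones"),
    Artifact("network", hostname="WS-FIN-01", ip="198.51.100.7",
             domain="cdn.bad-example.net", url="http://cdn.bad-example.net/a"),
]

if __name__ == "__main__":
    # "10.10.10.1" also matches 10.10.10.100 under contains matching
    print("contains:", [(a.hostname, f) for a, f in contains_search(STORE, "10.10.10.1")])
    print("search:  ", [(a.hostname, f) for a, f in search(STORE, "10.10.10.1")])
    print("prefix:  ", [(a.file_name, f) for a, f in search(STORE, SHA_A[:8])])
```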
Symantec Advanced Threat Protection: Synapse

[Diagram: ATP: Endpoint, ATP: Network and ATP: Email feed Synapse, which provides correlation and prioritization, remediation, and reporting and investigation.]
ATP Solution: Block, isolate and remove the advanced persistent threats

First line of defense: ATP: Email

Detection layers: connection-level detection, signatures, Skeptic heuristics and link following, Cynic.

• Anything without a verdict will be scanned by Cynic for a customer-configured duration (≤ 20 minutes).
• Malicious mail is quarantined and logged as soon as any detection method flags it.
ATP: Network & Endpoint

[Diagram, built up over several slides: the ATP appliance submits files to Cynic; ATP: Network & Endpoint works with SEPM (Symantec Endpoint Protection Manager) to sweep, hunt, collect and fix across endpoints; convicted files are quarantined and added to the blacklist.]
Blacklist / Whitelist: valid entries

Domain: www.google.com.gov.ca
URL: gov.ca/dmv, http://stanford.edu/news, http://gość.pl/a
IP / IP subnet: fe80::250:56ff:fe99:3903, 10.10.10.10/24, 10.10.10.10/255.255.255.0
SHA256 hash: e3b0c44298fc1c149asf4c8996s92427ae41e4649b934ca495991b7852b854
MD5 hash: fe58cec593d7cdf2e0e9d13dfe1020b838

(Hash values as printed in the deck. Note that a valid SHA256 is exactly 64 hexadecimal characters and a valid MD5 exactly 32; a list importer should reject anything else rather than silently accept it.)
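A validator for the entry types listed above, added here as an illustration; it is not the ATP console's own import code. It accepts the shapes shown on the slide and normalizes them (IDNA for non-ASCII domains, CIDR for both subnet notations, lower-case hex for hashes), and rejects anything else, including the easy-to-miss case of a mistyped IP such as 10.10.10.256 that would otherwise look like a domain. The `load_list` helper, its trailing-comment syntax and the sample list are assumptions constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

HEX = re.compile(r"^[0-9a-f]+$")
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(host: str) -> str:
    """IDNA-encode (gość.pl -> xn--...pl), lower-case and validate each label."""
    ascii_host = host.strip().rstrip(".").encode("idna").decode("ascii").lower()
    labels = ascii_host.split(".")
    if (len(labels) < 2 or len(ascii_host) > 253
            or not all(LABEL.match(label) for label in labels)):
        raise ValueError(f"invalid domain: {host!r}")
    if labels[-1].isdigit():
        # Otherwise a mistyped IP such as 10.10.10.256 would be accepted as a domain.
        raise ValueError(f"numeric top-level label: {host!r}")
    return ascii_host


def classify_entry(raw: str):
    """Return (kind, normalized) with kind in sha256, md5, ip, subnet, url, domain;
    raise ValueError for anything that is not a valid entry of one of those types."""
    value = raw.strip()
    if not value:
        raise ValueError("empty entry")
    low = value.lower()
    if HEX.match(low):
        if len(low) == 64:
            return "sha256", low
        if len(low) == 32:
            return "md5", low
        # any other length is not a hash; fall through to the host name checks
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if "/" in value and "://" not in value:
        try:  # accepts both 10.10.10.10/24 and 10.10.10.10/255.255.255.0
            return "subnet", str(ipaddress.ip_network(value, strict=False))
        except ValueError:
            pass
    if "://" in value:
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"unsupported URL: {raw!r}")
        tail = parts.path + ("?" + parts.query if parts.query else "")
        return "url", f"{parts.scheme}://{normalize_domain(parts.hostname)}{tail}"
    if "/" in value:  # scheme-less URL such as gov.ca/dmv
        host, path = value.split("/", 1)
        return "url", f"{normalize_domain(host)}/{path}"
    return "domain", normalize_domain(value)


def load_list(lines):
    """Validate a blacklist/whitelist file; return accepted entries by kind and rejected lines."""
    accepted, rejected = {}, []
    for lineno, line in enumerate(lines, 1):
        text = line.split("#", 1)[0].strip()  # trailing comments allowed (assumption)
        if not text:
            continue
        try:
            kind, norm = classify_entry(text)
            accepted.setdefault(kind, set()).add(norm)
        except ValueError as exc:
            rejected.append((lineno, line.rstrip("\n"), str(exc)))
    return accepted, rejected


# Constructed sample list mixing the entry shapes from the slide with two bad lines.
SAMPLE_LIST = """\
www.google.com.gov.ca
gov.ca/dmv
http://stanford.edu/news
http://gość.pl/a
fe80::250:56ff:fe99:3903
10.10.10.10/24
10.10.10.10/255.255.255.0   # same network as the line above
d41d8cd98f00b204e9800998ecf8427e
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
10.10.10.256                # not an IP and not a domain
deadbeef                    # too short for a hash
""".splitlines()

if __name__ == "__main__":
    ok, bad = load_list(SAMPLE_LIST)
    for kind, entries in sorted(ok.items()):
        print(kind, sorted(entries))
    for lineno, line, why in bad:
        print(f"line {lineno}: rejected {line!r}: {why}")
```

Both subnet spellings collapse to the same CIDR entry, so the list ends up with one network rather than two duplicates, and the hash entries are compared case-insensitively because they are lower-cased on import.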
ATP Solution: Minimize environmental changes

[Diagram, built up over several slides, showing how ATP layers onto an existing Symantec deployment: Email Security.cloud on the WAN side; on the LAN, Insight, ATP: Endpoint + Manager with logs and remediation, ATP: Network inspecting network traffic, Synapse and Cynic, and finally ATP: Email with email correlation.]
Symantec Advanced Threat Protection

[Diagram: ATP: Endpoint, ATP: Network and ATP: Email feed Cynic (detection engines, virtual sandbox, physical sandbox) and Synapse (correlation and prioritization, remediation, reporting and investigation).]
Symantec Services: helping you with all of your product needs
Copyright © 2015 Symantec Corporation

• Support Services (Premier (value-based services), Remote Product Specialist (RPS), Business Critical Services): "Help me FIX it"; "Help me UNLOCK VALUE and OPTIMIZE it"
• Consulting Services: "Help me DESIGN it, INSTALL it, ENHANCE it"
• Education Services: "Help me LEARN about it and USE it"
Symantec Technical Services Supports You

Symantec Education Services Offers Effective Product Training

Education Services
A broad range of training solutions to help you get the most out of Symantec products.
• Achieve expected value for your products.
• Learn how Symantec products can solve your business problems today and tomorrow.
• Gain best-practice insight to keep your investments running smoothly long-term.
• For more information visit training.symantec.com
Services for ATP: more help, more success! What to sell and who to contact

Service: Education Course Offering
  What it is: ATP Incident Response Course, available as Instructor-Led Training or via Virtual Academy
  Global contacts / website: [email protected]; [email protected]; [email protected]; Education Services website

Service: BCS Premier for ATP
  What it is: Symantec's premium Support Services offering, designed to simplify support, maximize return and protect IT infrastructure.
  Available when: at product GA
  Global contacts / website: contact BCS team members from the internal SAVO page or PartnerNet; BCS Contact Page

Service: BCS Proactive Services for ATP
  What it is: review of the customer's ATP configuration and initial reporting from the ATP console
  Available when: at product GA
  Global contacts / website: contact BCS team members from the internal SAVO page or PartnerNet; BCS Contact Page

Service: Consulting Services for ATP
  What it is: on-site implementation services, solution assessment and optimization, and residency services
  Available when: at product GA
  Global contacts / website: [email protected]; [email protected]; Consulting website
Additional Resources and Summary

RESOURCES
If you would like to know more about Advanced Threat Protection please visit: https://www.symantec.com/advanced-threat-protection/

SUMMARY
During this presentation we have discussed how Advanced Threat Protection enables a customer to prevent advanced persistent threats, identify suspicious files and search for Indicators of Compromise. We also learned how ATP can block, isolate and remove the advanced persistent threats while minimizing environmental changes by leveraging a company's existing Symantec security investment.