Post on 02-Apr-2015
©2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
Rohan Kotian | Author, NSA IAM, CEH | Product Line Manager, Next Generation Security Platforms | rohanrkotian@hp.com
Next Generation Cyber Threats
Shining the Light on the Industries' Best Kept Secret
“Achieving victory in Cyber Security is not going to be won at the traditional point product” -JP
Agenda
– Next Generation Cyber Threats
– Advanced Persistent Threats
– Question and Answer
Next Generation Cyber Threats
"The wonderful thing about the Internet is that you're connected to everyone else. The terrible thing about the Internet is that you're connected to everyone else."
– Vint Cerf (Vice President and Chief Internet Evangelist, Google)
Risks are Real & More Visible
Applications and information are the business
– Stuxnet Worm: sophisticated worm attacks Iran’s Siemens SCADA & MS Windows industrial control systems
– Blackhole Exploit Injected into USPS Website: the website of the U.S. Postal Service serving up malware
– Sony PlayStation Network Down: 77 million accounts at risk of data theft
– RSA Hit By Advanced Persistent Threat: the servers of RSA have been breached and sensitive information from more than 40 million employees may have been compromised
– NASDAQ Stock Market: confirmed that its computer network had been broken into
If it Isn’t Secure, it is for Sale
Understanding data breaches
• Significant spike in 2011 for the number of data breaches
• Breaches are evolving from stolen laptops to more sophisticated techniques
[Chart: number of data breach incidents per year, 2003–2012; y-axis 0 to 1200]
*Data pulled from DataLossDB.com looking at incidents over time
Vulnerabilities Decreasing
• Vulnerabilities in commercial applications down 20 percent from 2010
• Spike in 2006; for the most part a steady decline since
• But this is not a good indicator of risk
*Vulnerabilities measured by OSVDB, 2000 - 2011
Vulnerability Severity Increasing
[Chart legend: Low severity (CVSS 1-4), Mid severity (CVSS 5-7), High severity (CVSS 8-10)]
• High-severity (HS) vulnerabilities can cause remote code execution
• Percentage of HS vulnerabilities has increased by 17 percent in 5 years
*Data pulled from OSVDB, 2000 - 2011
Web applications – the “new” frontier
• 4 of the 6 most popular OSVDB vulnerabilities are exploitable via the Web
• Web application vulnerabilities (categorically) account for 36 percent of all vulnerabilities
• Further complicated by customization and add-ons – increased vulnerabilities
*Data pulled from OSVDB, 2000 - 2011
The number and costs of breaches continue to rise
Web Applications Remain a Leading Issue
– 80% of successful attacks target the application layer (Gartner)
– 86% of applications are in trouble
• Web App Security Consortium studied security tests across 12,186 applications
• 13% of applications could be compromised completely automatically
• 86% had vulnerabilities of medium or higher severity found by completely automated scanning
Total average cost of a data breach per compromised record*: $202
Average # of compromised records per breach^: 30,000
Average total cost per breach*: $6.65 M
* Ponemon Institute, 2008 Annual Study: U.S. Cost of a Data Breach ^ Source: The Open Security Foundation
The Cost of a Compromised Web Application/Server
• Sony PlayStation Network (PSN) Breach
• LulzSec claimed it only took a single SQL Injection
• What was compromised:
– Usernames
– Passwords
– Credit card details
– Security answers
– Purchase history
– Address information
• Estimated Damages
– $177 Million (USD)
Sony’s official earning forecast and we quote:
Complacency Is a Sucker’s Bet
– Your Adversaries Count On Your Subscription and Resistance Toward Change
– Traditional security is a sucker’s bet as well!
• ACLs
• AV / AS
• FW
• SMTP / Web Gateways
• HIPS
• Encryption
• IDS / IPS
• Logging / SIEM / SEM
• THEY COUNT ON YOUR ORGANIZATION BEING COMPLIANT AND THEY DON’T CARE!!!!
Traditional Security Is a Sucker’s Bet
– You have to think beyond tradition
– Abandon those ideas which may be promoted by analysts and / or cleverly crafted reports
– You must get outside the norms
– Embrace ulterior technology and philosophy
– You cannot fight symmetrically when the war requires that asymmetric approaches be embraced, employed and acted out
Classifying the Cyber Actor (The technical threat telemetry is endless)
[Diagram: Expertise + Motivation + Attack Vector = Result; distinguishes an Intentional Act from a Non-Intentional Act]
– Expertise: None (Normal End-User); Novice (Script Kiddie); Intermediate (Hacker for Hire); Expert (Foreign Intel Service, Terrorist Organization and/or Organized Crime)
– Motivation / Result: Fame, Destruction, Moral Agenda, Money, Notoriety, Fun, Unwitting, Theft, Espionage, Corporate/Government, Compromise of an Asset/Policy and/or Intellectual Property
– Attack Vector: IM, IRC, P2P; Open Ports; Web Browsers; Email and Attachments; Vulnerable Operating System
Embracing Asymmetry
– Non-traditional intelligence acquisition and digestion
– Aggressive, proactive forensic analysis
– Baseline establishment and monitoring
– Cyber Reputation Management ® techniques
– Advanced & aggressive adoption and deployment of new, innovative, purpose-built solutions
Next Generation Cyber Threats (Here Today, Gone Tomorrow)
– What’s in a name, and MS Tuesday
– Hacking as a Service
– Botnetting as a Service
– Spamming as a Service
– DDoSing as a Service
– Opportunistic Targets (Retail -> Critical Infrastructure)
Threats Have Advanced
– People
• Underestimate threat, introduce risk
• Lack InfoSec knowledge and experience
• Often not empowered by stakeholders due to lack of alignment with business
– Process
• What Gets Measured Is Supposed To Get Results
− Horrible IT metrics at best
• Focus on compliance vs. security
– Technology
• Deep holes in network visibility that must be addressed
Focus on Compliance Versus Security
[Diagram: Compliance versus Security]
Network Visibility and Situational Awareness (Gaps Are Critical)
Defense in Depth:
• Firewalls
• Intrusion Detection/Prevention
• Content Monitoring
• Anomaly Detection
• End-Point Protection
• SIEM
Expecting different results using the same technology
Massive Gaps
Without insight/visibility… what you don’t know will hurt you.
Advanced Persistent Threats
Advanced Persistent Threat (Selective, Sophisticated and Silent)
– Slow, silent and deadly
– What’s in not having a name: Encryption, Beacons, Custom, Blended…
– Recent Examples
Historic Overview:
[Timeline 1997, 1998, 1999, 2004, 2007, 2009, 2010, 2011, grouped on the slide as “The Classics” and “The Subversives”]
Solar Sunrise, Eligible Receiver, Moonlight Maze, Titan Rain, Byzantine Foothold, US Power Grid, Operation Shockwave, Aurora, Exxon, Ghostnet, Stuxnet
“The cyber criminal sector in particular has displayed remarkable technical innovation with an agility presently exceeding the response capability of network defenders. Criminals are developing new, difficult-to-counter tools.”
"Criminals are collaborating globally and exchanging tools and expertise to circumvent defensive efforts, which makes it increasingly difficult for network defenders and law enforcement to detect and disrupt malicious activities."
Advanced Persistent Threat Lifecycle
Lifecycle Similarities & Differences
Threat | APT | Botnet
Initial Entry | Recon & social engineering, perhaps via e-mail (phishing, link, or attachment) | Spam, phishing, malicious links (all perhaps leveraging social engineering)
Intrusion | Vulnerability, obfuscation, exploitation | Vulnerability, obfuscation, exploitation
Infection | Malware – custom, off the shelf, DIY | Malware – custom, off the shelf, DIY
Repeat | Lateral movement, data extrusion, persistence | Zombie used to send more spam or drive-by web application attacks
Public APT Activity (Ghost Net) aka Byzantine Foothold
– What Happened
• Verified in 103 countries
▫ Over 1,295 infected hosts identified
▫ Impacts + / - a dozen computers on a weekly basis
• Commonly Used Tools (Not Too Sophisticated):
▫ Remote access tool called gh0st RAT (Remote Access Tool)
▫ Data harvest
▫ Email siphoning
▫ Listening / Recording of Conversations via microphone and / or webcams
Key Points
• Known Current Solutions Not Good Enough
• Regulatory Compliance != Security
• Advanced Persistent Threat Will Become Pervasive
• What are you doing to tackle the problem?
Outcomes that matter.