advanced persistent threats · advanced persistent threats evaluating effective responses...
Post on 16-Jul-2020
26 Views
Preview:
TRANSCRIPT
Advanced Persistent ThreatsEvaluating Effective Responsesstrategies for organizations and their impactMichael ColsonSecurity Products
© 2013 NetIQ Corporation. All rights reserved.2
Persistence“Nothing in the world can take the place of Persistence. Talent will not; nothing is more common than unsuccessful men with talent. Genius will not; unrewarded genius is almost a proverb. Education will not; the world is full of educated derelicts. Persistence and determination alone are omnipotent.”
Calvin Coolidge
© 2013 NetIQ Corporation. All rights reserved.3
Introduction
• Today we will:–Examine why Advanced Persistent Threats (APTs) are a problem (really)
–Look at what has NOT worked–Examine what can work–Provide some practical next steps
What is an APT?
© 2013 NetIQ Corporation. All rights reserved.5
Advanced Means…
They have a plan…
© 2013 NetIQ Corporation. All rights reserved.6
P is for Persistent
Long haul…
© 2013 NetIQ Corporation. All rights reserved.7
Just choose a target…
All your base are belong to us…
© 2013 NetIQ Corporation. All rights reserved.8
What Are APTs?
• They are highly targeted attacks
• A long-term pattern of unauthorized computer system intrusions
• Advanced – not necessarily leading edge, – Sophisticated
– With structure
– They have a plan
• Persistent – the perpetrators are in no rush– Patient
• Threat – establish a beachhead or ex-filtrate information– Successfully infiltrating your defenses is their trophy
– Your data is their pay-off
© 2013 NetIQ Corporation. All rights reserved.9
Not Every Attack is an APT
• Don’t confuse them with random thieves– Smash and grab– Dude check out the new Metasploit
• Important to understand the difference between opportunistic attackers and APTs
© 2013 NetIQ Corporation. All rights reserved.10
Not Always State-Sponsored
© 2013 NetIQ Corporation. All rights reserved.11
The Mandiant Study
http://intelreport.mandiant.com/
“Our evidence indicates that APT1 has been stealing hundreds of terabytes of data from at least 141 organizations across a diverse set of industries beginning as early as 2006.”
“Once the group establishes access to a victim’s network, they continue to access it periodically over several months or years to steal large volumes of valuable intellectual ...”
© 2013 NetIQ Corporation. All rights reserved.12
Loss of Intellectual Property
The loss of industrial information and intellectual property through cyber espionage constitutes the "greatest transfer of wealth in history,"
General Keith Alexander, NSA Director
© 2013 NetIQ Corporation. All rights reserved.13
What Do They Look Like?
© 2013 NetIQ Corporation. All rights reserved.14
What Do They Look Like?
• Typical Attacks Utilize:• Email (phishing)• Community portals (“watering hole”)• Dropbox• Portable media (USB thumb drive)
© 2013 NetIQ Corporation. All rights reserved.15
Plausible Email Messages
© 2013 NetIQ Corporation. All rights reserved.16
Plausible Email Messages
© 2013 NetIQ Corporation. All rights reserved.17
Top Words Used in Spear Phishing Attacks
http://www.fireeye.com/resources/pdfs/fireeye-top-spear-phishing-words.pdf
© 2013 NetIQ Corporation. All rights reserved.18
Unusual Activity
• Why is Jo on the system at 3 AM? I know she’s a hard worker and all…
• Why is the CPU usage spiking on the order-entry server?
• Is the sales team really using an open Dropboxaccount? Don’t we have a policy against that?
© 2013 NetIQ Corporation. All rights reserved.19
Low-Hanging Fruit First…• Attackers are not going to use a 0-day if they don’t have to
• Vulnerabilities against Java 7 Update 21 and Java 6 Update 45
• Already in exploit kits
© 2013 NetIQ Corporation. All rights reserved.20
Low-Hanging Fruit First…
Top 5 Exploited Vulnerabilities95% of all vulnerability-related attacks
in the first half of 2013 involved 5 vulnerabilities,4 of them in Java, 2 of
them were from the year 2011.
Source: F-Secure Threat Report for the first half of 2013
Examples
© 2013 NetIQ Corporation. All rights reserved.22
6 months in duration, ending in December, 2009
First publicly disclosed in January, 2012
Adobe Systems
Juniper Networks
Rackspace
Also targets, according to media reports
Yahoo
Symantec
Northrop Grumman
Morgan Stanley
Dow Chemical
Operation Aurora
© 2013 NetIQ Corporation. All rights reserved.23
Cyber Attacks Started in mid 2006
United Sates
Canada
South Korea
The UN
International Olympic Committee
12 US defense contractors
At least 72 organizations
Operation Shady RAT
© 2013 NetIQ Corporation. All rights reserved.24
Drone Contractor Breached
“Earlier this week, Bloomberg reported that QinetiQ, a high tech defense contractor specializing in secret satellites drones and software used by U.S. special forces, was the victim of a sustained cybersecurity breach for several years starting in 2007.”
http://thinkprogress.org/security/2013/05/03/1958871/contractors-outsource-cybersecurity-hacked/
© 2013 NetIQ Corporation. All rights reserved.25
Why Are They A Problem?
• Difficult (if not impossible to keep out)• Target saleable information• Very good at long term penetration• Traditional techniques do not keep them out
© 2013 NetIQ Corporation. All rights reserved.26
This isn’t working…
© 2013 NetIQ Corporation. All rights reserved.27
What Hasn’t Worked?
• Perimeter based defenses• Malware scanning• Anti-virus• Employee Training• IDS• In reality -
© 2013 NetIQ Corporation. All rights reserved.28
What Hasn’t Worked?
• Perimeter based defenses• Malware scanning• Anti-virus• Employee Training• IDS• In reality -
YOU WILL NOT KEEP THEM OUT
© 2013 NetIQ Corporation. All rights reserved.29
Better Approach
• Plan on being compromised• Get the basics right• Have a policy and a response plan• Look for activity and changes, not tools
– Build a baseline
– Harden systems (patch and best practice configurations)
– Manage your privileged users
– Monitor for activity that looks suspicious*
© 2013 NetIQ Corporation. All rights reserved.30
A Recipe…
Implement policies/plans
Enforce with
technology
Know what you’ve got
Know how it’s at risk
Refine and repeat
Know what you’ve got
Understand how it’s at risk
Implement reasonable policies & processes
Enforce with technology
Refine and repeat over time
© 2013 NetIQ Corporation. All rights reserved.31
Identify and Protect Critical Data
• Finding the data– Data may be in files, on physical media, in databases, or in
the cloud.
– Most breaches involve data that the victim did not know was there.
• Categorizing data– What data is sensitive and at risk?
• Monitoring access– Can I identify abnormal access?
– Who is really accessing the information?
© 2013 NetIQ Corporation. All rights reserved.32
Control and Monitor Privileged Access
• Monitor system and file integrity– Changes to key system files.
– Modification of rarely accessed data.
• Investigate unusual changes– Changes to key system files.
– Modification of rarely accessed data.
• Audit individual actions– Focus on privileged and “high risk”
users/accounts.
© 2013 NetIQ Corporation. All rights reserved.33
Capture and Monitor Log Data
• Security and network devices generate lots of data– OS, Network, Virtual, P&A, User Activity, DAM, IAM.
• Compliance mandates capture and review of logs• Logs can often provide early warning signs
– 82% of the time, evidence was visible in logs beforehand.
• Failure to monitor is costly– Breaches often go undiscovered and uncontained for weeks
or months.
© 2013 NetIQ Corporation. All rights reserved.34
What We See
Organizations are most successful when they:– Adopt a pragmatic approach– Prioritize monitoring around data – data centricity is key– Include identity and access monitoring– Tie as much together as possible to integrate information– Filter and enrich monitoring of activity
© 2013 NetIQ Corporation. All rights reserved.35
• Develop policy• Understand what critical data you need to protect and where it is stored
• Focus resources around protecting inside the perimeter
• Layer defenses inside to slow down attackers• Monitor for unusual activity• Reduce your privileged user attack surface• Create, agree, and OWN a response plan
Next Steps
© 2013 NetIQ Corporation. All rights reserved.36
NetIQ Can Help
• Provide expertise and experience in Identity, Access Management and Security Management
• Help reduce number of privileged users• Reduce and manage privileges• Monitor users and look for unusual activity• Provide visibility into access rights to critical resources• Harden systems against attackers
© 2010 NetIQ Corporation. All rights reserved.
Security & Compliance
Identity & Access
Performance & Availability
3737 © 2010 NetIQ Corporation. All rights reserved.
Our Areas of Focus and Expertise
• Manage and audit user entitlements• Track privileged user activity• Protect the integrity of key systems and files• Monitor access to sensitive information• Simplify compliance reporting • Monitor and manage
heterogeneous environments including custom applications
• IT Service validation and end-user performance monitoring
• Dynamic provisioning of large-scale monitoring with exceptions
• Functional and hierarchical incident escalation
• Deliver and manage differentiated service levels
• User Provisioning Lifecycle Management• Centralize Unix account management
through Active Directory• Reduce number of privileged users• Secure delegated administration• Windows and Exchange migration
top related