Cyber Threat Jujitsu 101: Acknowledge. Assess. Avoid. Address.
TRANSCRIPT
Dr. Eric Cole, Secure Anchor Consulting, LLC
IT SECURITY & COMPLIANCE AUTOMATION
Today’s Speaker
Dr. Eric Cole
Founder/President
Secure Anchor Consulting LLC
You Can’t Stop Stupid -- Revisited
Dr. Eric Cole, Secure Anchor Consulting, LLC
© 2010 Secure Anchor Consulting. All rights reserved.
Why Is This Happening? – People
Low Risk + High Reward = Opportunity
Outsiders:
• Cyber Terror
• Cyber Crime
• Script Kiddies
• Phone Phreakers
• Cyber Warfare
Threat Landscape – Malware Attacks
• 500% increase
• 80% for $$
• 20% > malicious
• 25K sample/day
Threat Landscape – Web Attacks
• 1.5M sites/month
• DNS attacks
• Cross Site Scripting
• Defacing
Threat Landscape – DDOS Attacks
• 400K zombies a day
• Conficker / Korea
• Critical Infrastructure
Threat Landscape – Data Attacks
• $1 trillion/year
• Autorun.exe
• USB & phones
• Compliance
Threat Landscape
• Spam = malware
• Up 10% a year
• Spear phishing
• New protocols
Data Driven Threats
                                     1997          End of 2007    Mid 2010
Vulnerabilities                      440           28,500         34,100
Password Stealers (main variants)    400           80,000         380,000
Potentially Unwanted Programs        1             24,000         26,000
Malware (families) (DAT related)     17,000        358,000        484,000
Malware (main variants)              18,000 (?)    586,000        2,700,000
Malware Zoo (collection)             30,000 (?)    5,800,000      16,300,000
While it is a hard problem, many attackers make mistakes
• Leaving a footprint on the system
• Trying to target and find key information
• Making an outbound connection for command and control
• Sending out sensitive information
• Utilizing encryption to hide
• Cutting edge or not so cutting edge
• Running standard tools and techniques
Sophisticated – Yes and No
• User receives email/IM with malicious link
• User clicks on link
• Browser downloads/executes malicious JavaScript
• Back door is set up and connects to C&C servers
• Binary disguised as an image is downloaded and executes
• Attackers have complete access to internal systems
Cyber Jujitsu 101
• Know thy system by baselining your environment
• Rapid baselining and continuous monitoring
• It is 10pm, do you know where your data is?
• Focus on outbound traffic
  • Firewall filtering
  • Dropped packets
  • Clipping levels
• Understand the entry point for attack
• It has and will always be about the user
• While you cannot stop stupid, you can contain it
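The "baseline your environment / focus on outbound traffic / dropped packets / clipping levels" bullets can be turned into a concrete check. The script below is an added example and is not from the slides: it builds a per-host baseline of normal outbound services from daytime firewall traffic, then reviews a later window for hosts whose dropped outbound packets reach a clipping level and for accepted connections to services that were never in the baseline. The log line format, field names, the sample lines and the clipping level of 5 are all assumptions constructed for this example.

```python
"""Baseline outbound traffic and apply clipping levels to firewall drops.

Added example, not taken from the slides. The syslog-style log format,
the field names and the clipping level are assumptions for this example.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real data). Assumed format:
# <timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port> proto=<proto>
# Daytime traffic used to build the per-host baseline.
BASELINE_LOG = """\
2010-05-12T09:00:01 ACCEPT src=10.1.5.23 dst=198.51.100.10 dport=443 proto=tcp
2010-05-12T09:00:07 ACCEPT src=10.1.5.23 dst=198.51.100.10 dport=80 proto=tcp
2010-05-12T09:01:11 ACCEPT src=10.1.5.40 dst=198.51.100.20 dport=443 proto=tcp
2010-05-12T09:02:30 DROP src=10.1.5.40 dst=203.0.113.5 dport=25 proto=tcp
"""

# "It is 10pm": the window being reviewed against that baseline.
MONITOR_LOG = """\
2010-05-12T22:00:01 DROP src=10.1.5.23 dst=203.0.113.9 dport=6667 proto=tcp
2010-05-12T22:00:31 DROP src=10.1.5.23 dst=203.0.113.9 dport=6667 proto=tcp
2010-05-12T22:01:01 DROP src=10.1.5.23 dst=203.0.113.9 dport=6667 proto=tcp
2010-05-12T22:01:31 DROP src=10.1.5.23 dst=203.0.113.9 dport=6667 proto=tcp
2010-05-12T22:02:01 DROP src=10.1.5.23 dst=203.0.113.9 dport=6667 proto=tcp
2010-05-12T22:02:20 ACCEPT src=10.1.5.40 dst=198.51.100.20 dport=443 proto=tcp
2010-05-12T22:03:02 DROP src=10.1.5.40 dst=203.0.113.5 dport=25 proto=tcp
2010-05-12T22:04:00 ACCEPT src=10.1.5.23 dst=203.0.113.9 dport=8443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_fw_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def build_baseline(events):
    """Know thy system: per source host, the (dport, proto) pairs it normally
    talks to, taken from accepted outbound connections."""
    baseline = defaultdict(set)
    for e in events:
        if e["action"] == "ACCEPT":
            baseline[e["src"]].add((e["dport"], e["proto"]))
    return baseline


def find_events_of_interest(baseline, events, clipping_level=5):
    """Two checks on outbound traffic:
    1. a host whose dropped outbound packets reach the clipping level
       (repeated blocked connection attempts to something the firewall
       does not allow);
    2. a host making an accepted connection to a (dport, proto) pair that
       was not in its baseline."""
    alerts = []
    drops = Counter(e["src"] for e in events if e["action"] == "DROP")
    for src, n in sorted(drops.items()):
        if n >= clipping_level:
            alerts.append({"src": src, "reason": "dropped-outbound", "count": n})
    seen = set()
    for e in events:
        if e["action"] != "ACCEPT":
            continue
        key = (e["src"], e["dport"], e["proto"])
        if key in seen:
            continue
        seen.add(key)
        if (e["dport"], e["proto"]) not in baseline.get(e["src"], set()):
            alerts.append({"src": e["src"], "reason": "new-outbound-service",
                           "dport": e["dport"], "proto": e["proto"]})
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_fw_log(BASELINE_LOG))
    for alert in find_events_of_interest(base, parse_fw_log(MONITOR_LOG)):
        print(alert)
```

On the constructed input only 10.1.5.23 is reported: five dropped outbound packets at 30-second intervals reach the clipping level, and its accepted connection on 8443/tcp is a service absent from its baseline; 10.1.5.40 has one drop and an accepted connection that matches its baseline, so it stays quiet. The clipping level is a tuning knob: set it from the drop counts observed while baselining, not from a guess.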
Trend 1: More focus on Data Correlation
Trend 2: Threat intelligence analysis will become more important
Trend 4: Focusing in on proactive forensics instead of being reactive
Trend 5: Moving beyond signature detection
Must Make Better Use Of Existing Data
• Vulnerability Assessment
• Switches & Routers
• Firewalls, IDS & IPS
• Databases
• Applications
“We consistently find that nearly 90% of the time logs are available but discovery [of breaches] via log analysis remains under 5%” (2010)
Correlation of Change Events & Log Events
Raw Log Data → Events of Interest! (change event + log event) → Am I Secure? Is Policy Impacted?
Example: Correlating Log & Change Events
• 5 failed logins
• Logging turned off
• Host not generating events
• Windows event log cleared
• Login successful
• Policy test fails
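Taken one at a time, each item on that slide is routine; it is the sequence on one host inside a short window that makes it an event of interest. The following is an added example, not from the slides and not Tripwire's code: it reads a constructed combined feed of log events and change events, flags a successful login preceded (within a window) by a run of failed logins plus logging being disabled or the event log being cleared, records whether a policy test failed shortly afterwards, and separately reports hosts that have stopped generating events. The line format, field and event type names, the sample feed and the 10-minute window are assumptions made for this example.

```python
"""Correlate change events with log events into events of interest.

Added example, not from the slides and not Tripwire's code. The feed
format, event type names and the window sizes are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (not real data). Assumed format:
# <ISO timestamp> host=<name> source=<log|change> type=<event type>
FEED = """\
2010-05-12T21:58:00 host=srv01 source=log type=login_failed
2010-05-12T21:58:10 host=srv01 source=log type=login_failed
2010-05-12T21:58:20 host=srv01 source=log type=login_failed
2010-05-12T21:58:30 host=srv01 source=log type=login_failed
2010-05-12T21:58:40 host=srv01 source=log type=login_failed
2010-05-12T21:59:00 host=srv01 source=change type=audit_logging_disabled
2010-05-12T21:59:30 host=srv01 source=log type=eventlog_cleared
2010-05-12T22:00:00 host=srv01 source=log type=login_success
2010-05-12T22:01:00 host=srv01 source=change type=policy_test_failed
2010-05-12T21:00:00 host=srv02 source=log type=login_failed
2010-05-12T21:05:00 host=srv02 source=log type=login_success
2010-05-12T22:00:00 host=srv03 source=log type=heartbeat
"""

# Events (a change or a log entry) after which the host's own record can no
# longer be trusted: "logging turned off" and "Windows event log cleared".
LOGGING_TAMPERING = {"audit_logging_disabled", "eventlog_cleared"}


def parse_feed(text):
    """Parse the feed into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        e = {"ts": datetime.fromisoformat(parts[0])}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            e[key] = value
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, window=timedelta(minutes=10), failed_threshold=5):
    """For each successful login, look back over `window` on the same host.
    Failed logins at or above the threshold plus any logging tampering in
    that window make an event of interest; a policy test failing within
    `window` after the login is recorded as the policy being impacted."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in sorted(by_host.items()):
        for e in evs:
            if e["type"] != "login_success":
                continue
            start = e["ts"] - window
            before = [x for x in evs if start <= x["ts"] < e["ts"]]
            failed = sum(1 for x in before if x["type"] == "login_failed")
            tampering = [x["type"] for x in before if x["type"] in LOGGING_TAMPERING]
            if failed >= failed_threshold and tampering:
                policy_hit = any(x["type"] == "policy_test_failed"
                                 and e["ts"] <= x["ts"] <= e["ts"] + window
                                 for x in evs)
                findings.append({"host": host, "login_at": e["ts"].isoformat(),
                                 "failed_logins": failed,
                                 "logging_tampering": tampering,
                                 "policy_test_failed": policy_hit})
    return findings


def silent_hosts(events, now, max_gap=timedelta(hours=1)):
    """'Host not generating events': hosts whose last event is older than max_gap."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    last_seen = {}
    for e in events:
        if e["host"] not in last_seen or e["ts"] > last_seen[e["host"]]:
            last_seen[e["host"]] = e["ts"]
    return sorted(h for h, t in last_seen.items() if now - t > max_gap)


if __name__ == "__main__":
    evs = parse_feed(FEED)
    for finding in correlate(evs):
        print(finding)
    print("silent:", silent_hosts(evs, "2010-05-12T22:30:00"))
```

On the constructed feed srv01 is the only finding: five failures, audit logging disabled, the event log cleared, then a successful login, with a policy test failing a minute later. srv02 has a single failure before its login and is ignored, and srv03 only appears in the silence check. The silence check is the reason the change feed matters: once a host has stopped logging, the only remaining evidence is the change record and the absence of expected events, so the correlation has to be driven from a collector that the host itself cannot silence.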
Tripwire VIA
• VISIBILITY: Across the entire IT infrastructure
• INTELLIGENCE: Enable better, faster decisions
• AUTOMATION: Reduce manual, repetitive tasks
Tripwire VIA: IT Security & Compliance Automation
• Correlate to Bad Changes
• Correlate to Suspicious Events
Policy Engine / Event Database
www.tripwire.com
Tripwire Americas: 1.800.TRIPWIRE
Tripwire EMEA: +44 (0) 20 7382 5420
Tripwire Japan: +812.53206.8610
Tripwire Singapore: +65 6733 5051
Tripwire Australia-New Zealand: +61 (0) 402 138 980
THANK YOU!
Dr. Eric Cole, President
Secure Anchor Consulting, LLC
E-mail: