Cyber Threat Jujitsu 101: Acknowledge. Assess. Avoid. Address.

Upload: tripwire

Posted on 20-Aug-2015


TRANSCRIPT

Cyber Threat Jujitsu 101: Acknowledge. Assess. Avoid. Address.

Dr. Eric Cole
Secure Anchor Consulting, LLC

IT SECURITY & COMPLIANCE AUTOMATION

Today’s Speaker

Dr. Eric Cole

Founder/President

Secure Anchor Consulting LLC


You Can’t Stop Stupid -- Revisited

Dr. Eric Cole, Secure Anchor Consulting, LLC

© 2010 Secure Anchor Consulting. All rights reserved.

Why Is This Happening? – People

Low Risk + High Reward = Opportunity

Outsiders:

• Cyber Terror
• Cyber Crime
• Script Kiddies
• Phone Phreakers
• Cyber Warfare


Why Is This Happening? – Technology


What Is the Outlook?


Threat Landscape – Malware Attacks

• 500% increase
• 80% for $$
• 20% > malicious
• 25K samples/day


Threat Landscape – Web Attacks

• 1.5M sites/month
• DNS attacks
• Cross Site Scripting
• Defacing


Threat Landscape – DDoS Attacks

• 400K zombies a day
• Conficker / Korea
• Critical Infrastructure


Threat Landscape – Data Attacks

• $1 trillion/year
• Autorun.exe
• USB & phones
• Compliance


Threat Landscape – Email Attacks

• Spam = malware
• Up 10% a year
• Spear phishing
• New protocols


Data Driven Threats

                                       1997         End of 2007   Mid 2010
Vulnerabilities                        440          28,500        34,100
Password Stealers (main variants)      400          80,000        380,000
Potentially Unwanted Programs          1            24,000        26,000
Malware families (DAT related)         17,000       358,000       484,000
Malware (main variants)                18,000 (?)   586,000       2,700,000
Malware Zoo (collection)               30,000 (?)   5,800,000     16,300,000


While it is a hard problem, many attackers make mistakes

• Leaving a footprint on the system
• Trying to target and find key information
• Making an outbound connection for command and control
• Sending out sensitive information
• Utilizing encryption to hide
• Cutting edge or not so cutting edge
• Running standard tools and techniques


Sophisticated – Yes and No

1. User receives email/IM with malicious link
2. User clicks on link
3. Browser downloads/executes malicious JavaScript
4. Back door is set up and connects to C&C servers
5. Binary disguised as an image is downloaded and executes
6. Attackers have complete access to internal systems

Cyber Jujitsu 101

• Know thy system by baselining your environment
  – Rapid baselining and continuous monitoring
• It is 10pm, do you know where your data is?
  – Focus on outbound traffic: firewall filtering, dropped packets, clipping levels
• Understand the entry point for attack
  – It has and will always be about the user
  – While you cannot stop stupid, you can contain it
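The "know thy system" and "focus on outbound traffic" points above can be turned into a concrete check: build a baseline of where each host normally connects, then apply clipping levels to what falls outside it. The script below is an added example, not code from the slides, from Secure Anchor Consulting or from Tripwire; the key=value firewall-log format, the threshold values and every log record are constructed for illustration.

```python
"""Baseline each host's outbound traffic, then apply clipping levels.

Added example for the 'Know thy system' / 'Focus on outbound traffic'
points; not code from the slides, Secure Anchor Consulting or Tripwire.
The log format, the thresholds and all records are assumptions.
"""
from collections import Counter, defaultdict

# Constructed records from a quiet baseline window (one per outbound connection).
BASELINE_LOG = [
    "2010-05-01T09:01:10 src=10.0.1.20 dst=203.0.113.10 dport=443 action=ALLOW",
    "2010-05-01T09:03:44 src=10.0.1.20 dst=203.0.113.11 dport=443 action=ALLOW",
    "2010-05-01T09:05:02 src=10.0.1.20 dst=10.0.0.5 dport=25 action=ALLOW",
    "2010-05-01T09:06:30 src=10.0.1.21 dst=203.0.113.10 dport=443 action=ALLOW",
]

# Constructed records from the window under review.
CURRENT_LOG = [
    "2010-05-03T22:00:01 src=10.0.1.20 dst=203.0.113.10 dport=443 action=ALLOW",
    "2010-05-03T22:00:12 src=10.0.1.20 dst=192.0.2.50 dport=443 action=ALLOW",
    "2010-05-03T22:00:15 src=10.0.1.20 dst=192.0.2.51 dport=8080 action=ALLOW",
    "2010-05-03T22:00:19 src=10.0.1.20 dst=192.0.2.52 dport=6667 action=ALLOW",
    "2010-05-03T22:01:00 src=10.0.1.21 dst=203.0.113.10 dport=443 action=ALLOW",
    "2010-05-03T22:01:05 src=10.0.1.21 dst=192.0.2.9 dport=25 action=DROP",
    "2010-05-03T22:01:06 src=10.0.1.21 dst=192.0.2.9 dport=25 action=DROP",
    "2010-05-03T22:01:07 src=10.0.1.21 dst=192.0.2.9 dport=25 action=DROP",
    "2010-05-03T22:01:08 src=10.0.1.21 dst=192.0.2.9 dport=25 action=DROP",
    "2010-05-03T22:02:00 src=10.0.1.22 dst=192.0.2.60 dport=443 action=ALLOW",
]

# Clipping levels (assumed values): alert only once a count exceeds them.
NEW_DEST_CLIP = 2   # previously unseen (dst, port) pairs per host
DROP_CLIP = 3       # dropped outbound packets per host


def parse(line):
    """Split one 'ts key=value ...' record into a dict."""
    ts, *kvs = line.split()
    f = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": ts, "src": f["src"], "dst": f["dst"],
            "dport": int(f["dport"]), "action": f["action"]}


def build_baseline(lines):
    """Map each source host to the (dst, dport) pairs it was allowed to reach."""
    baseline = defaultdict(set)
    for r in map(parse, lines):
        if r["action"] == "ALLOW":
            baseline[r["src"]].add((r["dst"], r["dport"]))
    return dict(baseline)


def check_outbound(baseline, lines, new_dest_clip=NEW_DEST_CLIP, drop_clip=DROP_CLIP):
    """Return (host, reason, count) alerts, sorted by host.

    A host absent from the baseline is reported as such rather than being
    measured against an empty profile; known hosts are measured against
    the clipping levels for new destinations and dropped outbound packets.
    """
    new_dests = defaultdict(set)
    drops = Counter()
    for r in map(parse, lines):
        if r["action"] == "DROP":
            drops[r["src"]] += 1
        elif (r["dst"], r["dport"]) not in baseline.get(r["src"], set()):
            new_dests[r["src"]].add((r["dst"], r["dport"]))
    alerts = []
    for host, dests in new_dests.items():
        if host not in baseline:
            alerts.append((host, "host_not_in_baseline", len(dests)))
        elif len(dests) > new_dest_clip:
            alerts.append((host, "new_destinations_over_clip", len(dests)))
    for host, n in drops.items():
        if n > drop_clip:
            alerts.append((host, "dropped_outbound_over_clip", n))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in check_outbound(build_baseline(BASELINE_LOG), CURRENT_LOG):
        print(*alert)
```

Run as-is, the three alerts cover the three outbound signals the slide lists: a known host reaching more new destinations than the clipping level allows, a host whose outbound packets are being dropped by the firewall repeatedly, and a host that never appeared in the baseline at all. The clipping levels keep a single new destination from paging anyone; tune them against your own baseline window.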


Trend 1: More focus on Data Correlation


Trend 2: Threat intelligence analysis will become more important


Trend 3: Endpoint security becomes foundation

Trend 4: Focusing in on proactive forensics instead of being reactive


Trend 5: Moving beyond signature detection


Must Make Better Use Of Existing Data

Data sources: Vulnerability Assessment, Switches & Routers, Firewalls, IDS & IPS, Databases, Applications

“We consistently find that nearly 90% of the time logs are available but discovery [of breaches] via log analysis remains under 5%” (2010)

Correlation of Change Events & Log Events

[Diagram] Raw log data is reduced to events of interest; each change event and log event is correlated to answer “Am I Secure?” and “Is Policy Impacted?”

Example: Correlating Log & Change Events

• 5 failed logins
• Logging turned off
• Host not generating events
• Windows event log cleared
• Login successful
• Policy test fails
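Taken one at a time, each item on that slide is noise; the finding only appears when they are ordered per host. The script below is an added example of that correlation, not code from the slides, from Tripwire VIA or from Secure Anchor Consulting. The event format (timestamp, host, feed, event type), the thresholds and the event stream itself are constructed for illustration; in practice the "change" feed would come from configuration or change monitoring and the "log" feed from the hosts' event logs.

```python
"""Correlate log events with change events per host.

Added example; not code from the slides, Tripwire VIA or Secure Anchor
Consulting. Event format, thresholds and the events are assumptions.
"""
from datetime import datetime, timedelta

# Constructed events: ISO timestamp, host, feed (log|change), event type, detail.
EVENTS = """\
2010-05-03T22:00:05 WS-07 log failed_login user=admin
2010-05-03T22:00:09 WS-07 log failed_login user=admin
2010-05-03T22:00:14 WS-07 log failed_login user=admin
2010-05-03T22:00:19 WS-07 log failed_login user=admin
2010-05-03T22:00:23 WS-07 log failed_login user=admin
2010-05-03T22:00:40 WS-07 change audit_logging_disabled
2010-05-03T22:31:02 WS-07 log eventlog_cleared
2010-05-03T22:31:30 WS-07 log login_success user=admin
2010-05-03T22:35:00 WS-07 change policy_test_failed rule=audit-logon-events
2010-05-03T22:01:00 WS-12 log failed_login user=bob
2010-05-03T22:01:30 WS-12 log login_success user=bob
2010-05-03T22:02:00 WS-12 log failed_login user=bob
"""

WINDOW = timedelta(minutes=10)     # failed logins must fall inside this window
FAILED_THRESHOLD = 5               # clipping level for failed logins
SILENCE = timedelta(minutes=20)    # gap after which a host is "not generating events"
EVIDENCE_HIDING = {"audit_logging_disabled", "eventlog_cleared"}
HIDING = {"logging_reduced", "host_silent"}


def parse_events(text):
    """Parse the stream into dicts sorted by (host, timestamp)."""
    events = []
    for line in text.strip().splitlines():
        ts, host, feed, kind, *rest = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "feed": feed, "kind": kind, "detail": " ".join(rest)})
    events.sort(key=lambda e: (e["host"], e["ts"]))
    return events


def host_signals(events):
    """Reduce one host's time-ordered events to sorted (timestamp, signal) pairs."""
    signals, failures, prev = [], [], None
    for e in events:
        if prev is not None and e["ts"] - prev > SILENCE:
            signals.append((prev, "host_silent"))      # silence began at prev
        prev = e["ts"]
        k = e["kind"]
        if k == "failed_login":
            failures = [t for t in failures if e["ts"] - t <= WINDOW] + [e["ts"]]
            if len(failures) == FAILED_THRESHOLD:     # clipping level reached
                signals.append((e["ts"], "failed_login_burst"))
        elif k in EVIDENCE_HIDING:
            signals.append((e["ts"], "logging_reduced"))
        elif k in ("login_success", "policy_test_failed"):
            signals.append((e["ts"], k))
    return sorted(signals)


def correlate(signals):
    """Chain: failed-login burst -> logging reduced / host silent -> login success.

    Returns None unless the chain occurs in that order; a later failed
    policy test raises the severity.
    """
    burst = next((t for t, s in signals if s == "failed_login_burst"), None)
    if burst is None:
        return None
    hidden = next((t for t, s in signals if s in HIDING and t >= burst), None)
    if hidden is None:
        return None
    success = next((t for t, s in signals if s == "login_success" and t >= hidden), None)
    if success is None:
        return None
    hiding = sorted({s for t, s in signals if s in HIDING and burst <= t <= success})
    chain = ["failed_login_burst", *hiding, "login_success"]
    severity = "high"
    if any(s == "policy_test_failed" and t >= success for t, s in signals):
        chain.append("policy_test_failed")
        severity = "critical"
    return {"severity": severity, "chain": chain}


def analyze(text):
    """Return {host: finding} for every host whose events form the chain."""
    by_host = {}
    for e in parse_events(text):
        by_host.setdefault(e["host"], []).append(e)
    findings = {}
    for host, evs in by_host.items():
        finding = correlate(host_signals(evs))
        if finding:
            findings[host] = finding
    return findings


if __name__ == "__main__":
    for host, f in analyze(EVENTS).items():
        print(host, f["severity"], " -> ".join(f["chain"]))
```

WS-12's single failed logon followed by a success never reaches the clipping level and produces nothing; WS-07 produces one finding because the burst, the logging change, the half hour of silence, the cleared log and the successful logon line up in order, and the policy test failing afterwards is what marks it critical. The ordering check is the point: a cleared event log before the failed logons would not complete the chain.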

• VISIBILITY – Across the entire IT infrastructure
• INTELLIGENCE – Enable better, faster decisions
• AUTOMATION – Reduce manual, repetitive tasks

Tripwire VIA: IT Security & Compliance Automation

• Correlate to Bad Changes
• Correlate to Suspicious Events
• Policy Engine
• Event Database

www.tripwire.com
Tripwire Americas: 1.800.TRIPWIRE
Tripwire EMEA: +44 (0) 20 7382 5420
Tripwire Japan: +812.53206.8610
Tripwire Singapore: +65 6733 5051
Tripwire Australia-New Zealand: +61 (0) 402 138 980

THANK YOU!

Dr. Eric Cole, President
Secure Anchor Consulting, LLC
E-mail: [email protected]