Download - 2012 Taking Complexity out of Information Security …allowing you to focus on your business
2012
Taking Complexity out of Information Security
…allowing you to focus on your business
Advanced Persistent Threats…the external enemy within
Advanced Persistent Threats
The Problem Landscape
APTs: a Hype or Reality
• Google• RSA• Juniper• DuPont• IMF• Lockheed Martin• … 762 companies were
hit during the RSA attack
Regardless of the definition, 99.999% they adhere to the following characteristics:◦ Nature
Targeted attacks Blended Threats (multiple attack vectors) “Low and Slow”
◦ Tactics: Social Engineering, Attacking the user (most of the times) Establishing a foothold (e.g. Remote Access Trojans) Attack Escalation & Metastasis – Access to critical data and services Retaining persistence (different RATs, multiple footholds, etc.)
◦ Results: Data leakage, Sabotage, Fraud…
In essence is the attack method of choice of Professional Attackers
Defining Advanced Persistent Threats (APT)
Advanced Persistent Threats (APT) - An Illustration
Step 1
• Reconnaissance
Step 2
• Initial Intrusion into the Network
Step 3
• Establish a Backdoor into the Network
Step 4
• Obtain User Credentials
• Install Various Utilities
Step 5
• Privilege Escalation
• Attack Escalation
• Metastasis
Step 7
• Maintain Persistence
• Data Exfiltration/Other objectives realization
Internal Users
Web Applications
Data Center
Attacker
Advanced Persistent Threats – Is it a problem?
ORGANIZATIONS MUST LEARN TO LIVE IN A STATE OF COMPROMISE
Companies including utilities, banks and phone carriers would have to spend almost nine times more on cybersecurity to prevent a digital Pearl Harbor…, a Bloomberg Government study found
APT Tops Security Risks to Corporate IP in 2012,
"I'm meeting more CSO's saying 'all I care about is APT…’”
Bruce Schneier, CTO of BT Counterpane
ENCODE Extrusion Testing™:◦ Security Assessment via APT Simulation◦ Running Extrusion Tests from 2003!...8 years of hands-on
experience◦ Proprietary tools and methodologies◦ Attacking “outside-in and inside-out”
Our own Experience on APTS
44%
3%2%2%6%
17%
15%
13%Finance
Automotive
IT
Manufacturing
Services
Telecom
Transportation
Public Sector
Digital Forensics◦ Performed Forensics on
APT cases on various organisations
Why APTs are succeedingBecause Controls fail
“Medieval approach to IT Security” - Building “castles/perimeters” around the network and trying to be “Preventive”
Single “attack vector” controls
“Evolved versions” of ones designed for the 90’s
Reactive approach
Why Controls Fail
While Security Programs are focused in Compliance◦ However: Compliant ≠Secure
And at the same time even Specialized Security Controls are not adequate on their own (or even combined)
“Traditional” Controls fail◦ Firewalls, IPS, Secure Web Gateways, AV/Endpoint Security…◦ They are totally blind, due to a misfit paradigm for APTs
But also “less traditional” ones◦ Data Leak Prevention – Designed for human actions, not for leakages by a
piece of advanced software (malware, Trojans)◦ 24x7 Security Monitoring - “Garbage IN, Garbage OUT”, No Monitoring in
context, Not having the right tools for the job
Advanced Persistent Threats
Addressing APTs
Solving a Problem
One quite clever guy once said that
“if he had one hour to save the world he would spend fifty-five minutes defining the problem and only five minutes finding the solution”
Is it a Malware problem
Is it an adversary problem
Is it a Forensics Problem
Is it a Visibility Problem
Is it a zero-day exploit Problem
Is it a Botnet detection and/or takedown problem
Is it a lack of Security skills problem
Is it a lack of Defense in Depth problem
…
Defining the APT Problem
…the short answer is NO
Each one of them is a piece of the problem, but not the problem!
We believe it is 2-fold problem:
A “Name Problem”
A “Complexity Problem”
Defining the APT Problem
What is the “Name Problem” of APTs
Threat
• Of course and actually a Threat that really matters!• Motive, Opportunity, Capabilities!
Persistent
• For sure…the attacker is committed and persistent • And is here to stay!
Advanced
• …hmmm
Are APTs really Advanced?
ENCODE Extrusion Testing Facts:
Infection vectors used - Total
14%
77%
2%
7%
Browser or other Exploit
Non-exploit (File)
Media-born
Other (VPN, Web App)
Because
they are considered “Advanced” for “traditional” but also for “less traditional” security controls
they are also “Advanced” for “Single-vector” specialized security controls
they are not “advanced enough” for some specialized security controls trying to be “very advanced”, missing KISS APT
organizations (used to) underplay/underestimate the Threat saying “this is too advanced… it won’t happen to us”
Why is “Advanced” the problem
What is the “Complexity Problem” of APTs
Complexity:◦ Complex IT environments & Business process, supporting Business
Agility◦ Complex Threat Landscape◦ Complexity of the Internet
Attackers are taking advantage of this Complexity to achieve their goals, along with the fact that Business must be agile to remain in business!
However to solve a “complexity problem” or a complex problem you have to:◦ Take out complexity, where you can◦ Focus on the parts of the problem that really mater and
solve them
Solving the “Complexity Problem” of APTs
You cannot reduce complexity, at least from every part of your business…period
As Complexity increases the good old “Preventive” controls get less and less effective or impair Business
Nonetheless you have to be “Proactive”
Proactive Security ≠ Preventive Controls alone◦ Early Warning & Response is the “preventive” control of choice
for Complex environments and Threats
You have to focus on APT
Focus on APTIf Early Warning is what we need, let’s think “What cannot be evaded”
Behavior ◦ An IT environment under attack does not behaves as normal◦ Each attack, APT included, has its own signs in behavior change
True Visibility – at all (relevant) Levels◦ Network: Internet Access (incoming/outgoing)◦ Endpoint: System state & Data Access/Use
Expertise – the human factor◦ Encapsulated expertise◦ Expert view and analysis
Advanced Persistent Threats
Conclusion
APT goes mainstream
APTs are becoming the weapon of choice:
from Government and Defense
to companies with Intellectual Property or Critical Infrastructure
to other “high-value” targets◦ Finance◦ …
APT : Targets
“…if professional attackers didn’t use such techniques they should have been sued for negligence…”
is not a matter of What
is not a matter of Who
is a matter of When!
APTs…Revisited
Attorney David Navetta: … but to me a lot of companies might be thinking that breach is not a matter of if, but a matter of when, and that if you are a high enough profile type of target and someone really wants to get after you, they might have a good chance of actually succeeding
www.encodegroup.com_