society protection best practices from industry...governing the use of ibm software. references in...

18
© 2014 IBM Corporation 1 © 2015 IBM Corporation Society Protection Best Practices from Industry The Nuts and Bolts of the Dynamic Attack Chain October 2015

Upload: others

Post on 20-Jun-2020

0 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Society Protection Best Practices from Industry...governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will

© 2014 IBM Corporation 1

© 2014 IBM Corporation 1 © 2015 IBM Corporation

Society Protection – Best

Practices from Industry The Nuts and Bolts

of the Dynamic Attack Chain

October 2015

Page 2: Society Protection Best Practices from Industry...governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will

© 2014 IBM Corporation 2

© 2014 IBM Corporation 2 © 2015 IBM Corporation

IT Security Manager (and a father

of three teenagers – his wife is

working in GOV site) at a

an entity with 20 remote locations.

Managing a team of personnel

that are responsible for

maintaining remote/network

operations & maintenance for his

entity website and few

applications.

Other areas have credentials for

various applications to enable

them to conduct business.

You are an...

Page 3: Society Protection Best Practices from Industry...governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will

© 2014 IBM Corporation 3

© 2014 IBM Corporation 3 © 2015 IBM Corporation

Over a cup of tea, he gets a

phone call from a well-known

security blogger that your

Internet-accessible server

addresses showed up on an

underground forum known for

trading stolen information.

What is next … is your take

home exercise

Monday 8:30am

Page 4: Society Protection Best Practices from Industry...governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will

© 2014 IBM Corporation 4

© 2014 IBM Corporation 4 © 2015 IBM Corporation

Break-In

Latch-on

Expand

Gather

Exfiltrate

Attack Chain Stage:

S M T W T F S

x

Prevent

Detect

Respond

IBM Threat Protection System:

The previous Saturday

Investigating the server logs from

the weekend shows a connection

from a POS server to an external

ABC server you don’t recognize,

hosted at the dynamic domain

1337.myABC-ftp.biz.

The attacker must have manually

copied excerpts of the data

from the FTP

server to the

underground

forum.

Page 5: Society Protection Best Practices from Industry...governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will

© 2014 IBM Corporation 5

© 2014 IBM Corporation 5 © 2015 IBM Corporation

Break-In

Latch-on

Expand

Gather

Exfiltrate

Attack Chain Stage:

S M T W T F S

x

Prevent

Detect

Respond

IBM Threat Protection System:

The previous week

You find evidence in

the log files of

transfers of DEF in the

previous week from

POS servers to a single

internal server, the

server that connected

to the external FTP

server.

Page 6: Society Protection Best Practices from Industry...governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will

© 2014 IBM Corporation 6

© 2014 IBM Corporation 6 © 2015 IBM Corporation

Break-In

Latch-on

Expand

Gather

Exfiltrate

Attack Chain Stage:

S M T W T F S

x

Prevent

Detect

Respond

IBM Threat Protection System:

The previous 2-3 weeks

In the 2-3 week prior, that malware (and ransomware) hunted for additional POS servers, copying toolchains and password crackers to them, and infiltrating the network.

You find a

copy of the file

ccper.exe on each

of the POS servers

that sent DEF to

the server that

made the external

connection.

Page 7: Society Protection Best Practices from Industry...governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will

© 2014 IBM Corporation 7

© 2014 IBM Corporation 7 © 2015 IBM Corporation

Break-In

Latch-on

Expand

Gather

Exfiltrate

Attack Chain Stage:

S M T W T F S

x

Prevent

Detect

Respond

IBM Threat Protection System:

28 days earlier

Probing further, you find a RAT (Remote Access Trojan) named svch0st.exe, which acted as a dropper to secretly install, execute, and avoid anti-virus detection.

This program downloaded ccper.exe from an external server located at IP Address XXX.XXX.73.32 and copied it to the POS servers.

Page 8: Society Protection Best Practices from Industry...governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will

© 2014 IBM Corporation 8

© 2014 IBM Corporation 8 © 2015 IBM Corporation

Break-In

Latch-on

Expand

Gather

Exfiltrate

Attack Chain Stage:

S M T W T F S

x

Prevent

Detect

Respond

IBM Threat Protection System:

29 days earlier

While working in a coffee shop, Mr. X, in Development, receives an email from a Client requesting quotation verification.

He clicked the link, but didn’t notice it was to fake website named acccount-verify.com, which launched a zero-day exploit to his browser and downloaded the trojan svch0st.exe to his system.

Mr. X drives to work where he logs into the network, allowing svch0st.exe to slip into the network and start the chain of events leading to the breach.

Page 9: Society Protection Best Practices from Industry...governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will

© 2014 IBM Corporation 9

© 2014 IBM Corporation 9 © 2015 IBM Corporation

Let's start from the beginning to

see how the attack could have

been disrupted...

Page 10: Society Protection Best Practices from Industry...governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will

© 2014 IBM Corporation 10

© 2014 IBM Corporation 10 © 2015 IBM Corporation

IBM Threat Protection System

Smarter Prevention Stop unknown threats with behavioral-based defenses on both the endpoint and network

Security Intelligence Automatically detect weaknesses and anomalies with enterprise-wide visibility and insights

Continuous Response Quickly understand incidents and use findings to strengthen real-time defenses

Open Integrations Share context between domains and third party products using an open platform and ecosystem

A dynamic, integrated system to disrupt

the entire lifecycle of advanced attacks

Page 11: Society Protection Best Practices from Industry...governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will

© 2014 IBM Corporation 11

© 2014 IBM Corporation 11 © 2015 IBM Corporation

Break-In

Latch-on

Expand

Gather

Exfiltrate

Attack Chain Stage:

S M T W T F S

x

Prevent

Detect

Respond

IBM Threat Protection System:

29 days earlier Mr. X is the subject of a scam

and more

IBM Security Advanced Malware Protection stops the zero-

day exploit from attacking his web browser and executing

the RAT named “svch0st.exe”

Page 12: Society Protection Best Practices from Industry...governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will

© 2014 IBM Corporation 12

© 2014 IBM Corporation 12 © 2015 IBM Corporation

Break-In

Latch-on

Expand

Gather

Exfiltrate

Attack Chain Stage:

S M T W T F S

x

Prevent

Detect

Respond

IBM Threat Protection System:

28 days earlier The RAT downloads ccper.exe and the

malware starts to replicate

IBM Security Network Protection prevents C&C activity on

the server by blocking the remote IP 91.216.73.32 hosting

ccper.exe based on IP reputation

Page 13: Society Protection Best Practices from Industry...governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will

© 2014 IBM Corporation 13

© 2014 IBM Corporation 13 © 2015 IBM Corporation

Break-In

Latch-on

Expand

Gather

Exfiltrate

Attack Chain Stage:

S M T W T F S

x

Prevent

Detect

Respond

IBM Threat Protection System:

28 days earlier The RAT downloads ccper.exe and the

malware starts to replicate

IBM technologies detects the RAT install from system event

logs, giving it a magnitude score of 8 and raising a flag in

the security analyst’s dashboard

Page 14: Society Protection Best Practices from Industry...governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will

© 2014 IBM Corporation 14

© 2014 IBM Corporation 14 © 2015 IBM Corporation

Break-In

Latch-on

Expand

Gather

Exfiltrate

Attack Chain Stage:

S M T W T F S

x

Prevent

Detect

Respond

IBM Threat Protection System:

The previous week PII was transferred from infected

POS servers to a single server

IBM Security Network Protection and communication

behavior technologies detects and

blocks the transfer of the credit card number files

Tag Name Status

Content_Analyzer_Credit_Card_Num Detected event

Page 15: Society Protection Best Practices from Industry...governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will

© 2014 IBM Corporation 15

© 2014 IBM Corporation 15 © 2015 IBM Corporation

Break-In

Latch-on

Expand

Gather

Exfiltrate

Attack Chain Stage:

S M T W T F S

x

Prevent

Detect

Respond

IBM Threat Protection System:

The previous Saturday

IBM technologies would detect anomalous flow out from a

server that never connected outbound before with a

“Connection Outbound to Internet from Critical Asset” flag

A POS server connects to an unknown

external FTP server and the PII is exfiltrated.

Page 16: Society Protection Best Practices from Industry...governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will

© 2014 IBM Corporation 16

© 2014 IBM Corporation 16 © 2015 IBM Corporation

Where is the Society Protection Story? 1. 2. 3.

Page 17: Society Protection Best Practices from Industry...governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will

© 2014 IBM Corporation 17

© 2014 IBM Corporation 17 © 2015 IBM Corporation

IBM Technologies to protect our Kids’ access …

Smarter Prevention Stop unknown threats with behavioral-based defenses on both the endpoint and network

Security Intelligence Automatically detect weaknesses and anomalies with enterprise-wide visibility and insights

Continuous Response Quickly understand incidents and use findings to strengthen real-time defenses

Open Integrations Share context between domains and third party products using an open platform and ecosystem

A dynamic, integrated system to disrupt

the entire lifecycle of advanced attacks

Page 18: Society Protection Best Practices from Industry...governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will

© 2013 IBM Corporation

IBM Security Systems

18

DRAFT

www.ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes

only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use

of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any

warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement

governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in

all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole

discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any

way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United

States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response

to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated

or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure

and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to

be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,

products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE

MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.