society protection best practices from industry...governing the use of ibm software. references in...
TRANSCRIPT
© 2014 IBM Corporation 1
© 2014 IBM Corporation 1 © 2015 IBM Corporation
Society Protection – Best
Practices from Industry The Nuts and Bolts
of the Dynamic Attack Chain
October 2015
© 2014 IBM Corporation 2
© 2014 IBM Corporation 2 © 2015 IBM Corporation
IT Security Manager (and a father
of three teenagers – his wife is
working in GOV site) at a
an entity with 20 remote locations.
Managing a team of personnel
that are responsible for
maintaining remote/network
operations & maintenance for his
entity website and few
applications.
Other areas have credentials for
various applications to enable
them to conduct business.
You are an...
© 2014 IBM Corporation 3
© 2014 IBM Corporation 3 © 2015 IBM Corporation
Over a cup of tea, he gets a
phone call from a well-known
security blogger that your
Internet-accessible server
addresses showed up on an
underground forum known for
trading stolen information.
What is next … is your take
home exercise
Monday 8:30am
© 2014 IBM Corporation 4
© 2014 IBM Corporation 4 © 2015 IBM Corporation
Break-In
Latch-on
Expand
Gather
Exfiltrate
Attack Chain Stage:
S M T W T F S
x
Prevent
Detect
Respond
IBM Threat Protection System:
The previous Saturday
Investigating the server logs from
the weekend shows a connection
from a POS server to an external
ABC server you don’t recognize,
hosted at the dynamic domain
1337.myABC-ftp.biz.
The attacker must have manually
copied excerpts of the data
from the FTP
server to the
underground
forum.
© 2014 IBM Corporation 5
© 2014 IBM Corporation 5 © 2015 IBM Corporation
Break-In
Latch-on
Expand
Gather
Exfiltrate
Attack Chain Stage:
S M T W T F S
x
Prevent
Detect
Respond
IBM Threat Protection System:
The previous week
You find evidence in
the log files of
transfers of DEF in the
previous week from
POS servers to a single
internal server, the
server that connected
to the external FTP
server.
© 2014 IBM Corporation 6
© 2014 IBM Corporation 6 © 2015 IBM Corporation
Break-In
Latch-on
Expand
Gather
Exfiltrate
Attack Chain Stage:
S M T W T F S
x
Prevent
Detect
Respond
IBM Threat Protection System:
The previous 2-3 weeks
In the 2-3 week prior, that malware (and ransomware) hunted for additional POS servers, copying toolchains and password crackers to them, and infiltrating the network.
You find a
copy of the file
ccper.exe on each
of the POS servers
that sent DEF to
the server that
made the external
connection.
© 2014 IBM Corporation 7
© 2014 IBM Corporation 7 © 2015 IBM Corporation
Break-In
Latch-on
Expand
Gather
Exfiltrate
Attack Chain Stage:
S M T W T F S
x
Prevent
Detect
Respond
IBM Threat Protection System:
28 days earlier
Probing further, you find a RAT (Remote Access Trojan) named svch0st.exe, which acted as a dropper to secretly install, execute, and avoid anti-virus detection.
This program downloaded ccper.exe from an external server located at IP Address XXX.XXX.73.32 and copied it to the POS servers.
© 2014 IBM Corporation 8
© 2014 IBM Corporation 8 © 2015 IBM Corporation
Break-In
Latch-on
Expand
Gather
Exfiltrate
Attack Chain Stage:
S M T W T F S
x
Prevent
Detect
Respond
IBM Threat Protection System:
29 days earlier
While working in a coffee shop, Mr. X, in Development, receives an email from a Client requesting quotation verification.
He clicked the link, but didn’t notice it was to fake website named acccount-verify.com, which launched a zero-day exploit to his browser and downloaded the trojan svch0st.exe to his system.
Mr. X drives to work where he logs into the network, allowing svch0st.exe to slip into the network and start the chain of events leading to the breach.
© 2014 IBM Corporation 9
© 2014 IBM Corporation 9 © 2015 IBM Corporation
Let's start from the beginning to
see how the attack could have
been disrupted...
© 2014 IBM Corporation 10
© 2014 IBM Corporation 10 © 2015 IBM Corporation
IBM Threat Protection System
Smarter Prevention Stop unknown threats with behavioral-based defenses on both the endpoint and network
Security Intelligence Automatically detect weaknesses and anomalies with enterprise-wide visibility and insights
Continuous Response Quickly understand incidents and use findings to strengthen real-time defenses
Open Integrations Share context between domains and third party products using an open platform and ecosystem
A dynamic, integrated system to disrupt
the entire lifecycle of advanced attacks
© 2014 IBM Corporation 11
© 2014 IBM Corporation 11 © 2015 IBM Corporation
Break-In
Latch-on
Expand
Gather
Exfiltrate
Attack Chain Stage:
S M T W T F S
x
Prevent
Detect
Respond
IBM Threat Protection System:
29 days earlier Mr. X is the subject of a scam
and more
IBM Security Advanced Malware Protection stops the zero-
day exploit from attacking his web browser and executing
the RAT named “svch0st.exe”
© 2014 IBM Corporation 12
© 2014 IBM Corporation 12 © 2015 IBM Corporation
Break-In
Latch-on
Expand
Gather
Exfiltrate
Attack Chain Stage:
S M T W T F S
x
Prevent
Detect
Respond
IBM Threat Protection System:
28 days earlier The RAT downloads ccper.exe and the
malware starts to replicate
IBM Security Network Protection prevents C&C activity on
the server by blocking the remote IP 91.216.73.32 hosting
ccper.exe based on IP reputation
© 2014 IBM Corporation 13
© 2014 IBM Corporation 13 © 2015 IBM Corporation
Break-In
Latch-on
Expand
Gather
Exfiltrate
Attack Chain Stage:
S M T W T F S
x
Prevent
Detect
Respond
IBM Threat Protection System:
28 days earlier The RAT downloads ccper.exe and the
malware starts to replicate
IBM technologies detects the RAT install from system event
logs, giving it a magnitude score of 8 and raising a flag in
the security analyst’s dashboard
© 2014 IBM Corporation 14
© 2014 IBM Corporation 14 © 2015 IBM Corporation
Break-In
Latch-on
Expand
Gather
Exfiltrate
Attack Chain Stage:
S M T W T F S
x
Prevent
Detect
Respond
IBM Threat Protection System:
The previous week PII was transferred from infected
POS servers to a single server
IBM Security Network Protection and communication
behavior technologies detects and
blocks the transfer of the credit card number files
Tag Name Status
Content_Analyzer_Credit_Card_Num Detected event
© 2014 IBM Corporation 15
© 2014 IBM Corporation 15 © 2015 IBM Corporation
Break-In
Latch-on
Expand
Gather
Exfiltrate
Attack Chain Stage:
S M T W T F S
x
Prevent
Detect
Respond
IBM Threat Protection System:
The previous Saturday
IBM technologies would detect anomalous flow out from a
server that never connected outbound before with a
“Connection Outbound to Internet from Critical Asset” flag
A POS server connects to an unknown
external FTP server and the PII is exfiltrated.
© 2014 IBM Corporation 16
© 2014 IBM Corporation 16 © 2015 IBM Corporation
Where is the Society Protection Story? 1. 2. 3.
© 2014 IBM Corporation 17
© 2014 IBM Corporation 17 © 2015 IBM Corporation
IBM Technologies to protect our Kids’ access …
Smarter Prevention Stop unknown threats with behavioral-based defenses on both the endpoint and network
Security Intelligence Automatically detect weaknesses and anomalies with enterprise-wide visibility and insights
Continuous Response Quickly understand incidents and use findings to strengthen real-time defenses
Open Integrations Share context between domains and third party products using an open platform and ecosystem
A dynamic, integrated system to disrupt
the entire lifecycle of advanced attacks
© 2013 IBM Corporation
IBM Security Systems
18
DRAFT
www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.