Targeted attacks

Published on SlideShare: Imperva webinar 7/16/2013, updated 11/7/2013
Covers insider threats and the compromised/malicious insider problem.
Published in: Technology
Speaker notes
  • Barry: “Less than 1% of your employees may be malicious insiders, but 100% of your employees have the potential to be compromised insiders.”
  • 2013 Verizon DBIR figures used in the deck. Threat actions, as a share of breaches: malware 40%, social 29%, hacking 52%. Assets compromised, as a share of breaches: servers 54%, user devices 71%, people 29%.
  • Quoted news item (The Register, by John Leyden, posted in Security, 14th September 2001 13:58 GMT): “Anna Kournikova virus author stands trial. Lenient sentence in prospect. The author of the infamous Anna Kournikova email worm has appeared in court in the Netherlands with prosecutors calling for a lenient sentence for his admitted crime. Lawyers for 20-year-old Jan de Wit have called for the dismissal of charges against him, arguing that the worm caused minimal damage. The FBI submitted evidence to the Dutch court, suggesting that $166,000 in damages was caused by the worm, based on reports of damage from 55 firms”
Slides

    1. Targeted Attacks. Barry Shteiman, Director of Security Strategy. © 2013 Imperva, Inc. All rights reserved. Confidential.
    2. Agenda: Compromised Insider; Incident Analysis; Anatomy of an Attack; Current Controls; Reclaiming Security.
    3. Today’s Speaker: Barry Shteiman, Director of Security Strategy; security researcher working with the CTO office; author of several application security tools, including HULK; open source security projects code contributor; CISSP; Twitter @bshteiman.
    4. Compromised Insider: Defining the Threat Landscape.
    5. “There are two types of companies: companies that have been breached and companies that don’t know they’ve been breached.” Shawn Henry, Former FBI Executive Assistant Director, NY Times, April 2012.
    6. Insider Threat Defined: the risk that the access rights of a trusted person will be used to view, take or modify data or intellectual property. Possible causes: accident; malicious intent; compromised device.
    7. Compromised Insider Defined: a person with no malicious motivation who becomes an unknowing accomplice of third parties who gain access to their device and/or user credentials.
    8. Malicious vs Compromised Potential: 1% < 100%. Source: http://edocumentsciences.com/defend-against-compromised-insiders
    9. Look who made the headlines: hackers steal sensitive data related to a planned 2.4B acquisition; a hacker stole 4 million Social Security numbers and bank account information from state taxpayers and businesses.
    10. Evaluating Magnitude. California 2012 Data Breach Report: more than half of the breaches were the result of intentional intrusions by outsiders or by unauthorized insiders. Sources: State of California Department of Justice, July 2013; Verizon Data Breach Report, 2013.
    11. Know your Attacker. Governments: stealing intellectual property (IP) and raw data, espionage; motivated by policy, politics and nationalism. Industrialized hackers: stealing IP and data; motivated by profit. Hacktivists: exposing IP and data, and compromising the infrastructure; motivated by political causes, ideology, personal agendas.
    12. What Attackers Are After. Source: Verizon Data Breach Report, 2013.
    13. Two Paths, One Goal. Path one goes through the online application: hacking (various) was used in 52% of breaches, and servers were among the assets compromised in 54%. Path two goes through a user with access rights (or his/her device): malware (40%) and social engineering (29%); user devices were compromised in 71% of breaches and people in 29%. Both paths end at data and IP. Source: Verizon Data Breach Report, 2013.
    14. Incident Analysis: The South Carolina Data Breach.
    15. What Happened? 4M individual records stolen in a population of 5M (80%).
    16. A Targeted Database Attack, timeline: 13-Aug-12, attacker steals login credentials via phishing email and malware; 27-Aug-12, attacker logs in remotely and accesses the database; 29-Aug-12 to 11-Sept-12, additional reconnaissance, more credentials stolen; 12-Sept-12 to 14-Sept-12, attacker steals the entire database.
    17. The Anatomy of an Attack: how does it work?
    18. Anatomy of an Attack, built up one stage at a time across slides 18 to 23: spear phishing; C&C communication; data dump and analysis; broaden infection; main data dump; wipe evidence.
    24. Searching on Social Networks…
    25. …The Results.
    26. Next: Phishing and Malware. Specialized frameworks and hacking tools, such as BlackHole 2.0, allow easy setup for host hijacking and phishing. How easy is it? A three-month BlackHole license, with support included, is US$700.
    27. Drive-by Downloads Are Another Route. September 2012: the “iPhone 5 Images Leak” was caused by a drive-by Trojan download.
    28. Cross Site Scripting Is Yet Another Path. Sites with persistent XSS vulnerabilities provide the infection platform: GMAIL, June 2012; TUMBLR, July 2012.
    29. The Human Behavior Factor. Source: Google research paper “Alice in Warningland”, July 2013.
    30. Current Controls: Won’t the NGFW/IPS/AV Stop It?
    31. What Are the Experts Saying? “Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.” Mikko Hypponen, F-Secure, Chief Research Officer. Source: http://www.wired.com/threatlevel/2012/06/internet-security-fail/
    32. Security Threats Have Evolved… 2001: AntiVirus, Firewall, IPS. 2013: AntiVirus, Firewall, IPS. Sources: Gartner, Imperva analysis.
    33. Security Redefined: Forward Thinking.
    34. The DISA Angle. “In the past, we’ve all been about protecting our networks—firewall here, firewall there, firewall within a service, firewall within an organization, firewalls within DISA. We’ve got to remove those and go to protecting the data.” Lt. Gen. Ronnie Hawkins Jr., DISA. AFCEA, July 2012.
    35. Rebalance Your Security Portfolio.
    36. Assume You Can Be Breached.
    37. Incident Response Phases for Targeted Attacks. Attacker steps: size up the target; compromise a user; initial exploration; solidify presence; impersonate privileged user; steal confidential data; cover tracks. Defender phases: reduce risk; prevent compromise; detection; containment; insulate sensitive data; password remediation; device remediation; post-incident analysis.
    38. Webinar Materials. Join the Imperva LinkedIn group, Imperva Data Security Direct, for post-webinar discussions, the webinar recording link and answers to attendee questions.
    39. Questions? www.imperva.com
    40. Thank You!
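The database-side view of the attack on slides 16 and 37 is a valid credential used from a new location, schema reconnaissance, and then a bulk dump, and that sequence is what a database audit-log detection should catch. The following Python is an added example, not code from the Imperva deck or its product; the log format, the sample lines, the three heuristics and their thresholds, and every name in it are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Assumed audit-log line format for this example (not any real product's format):
#   <timestamp> user=<account> src=<client IP> session=<id> rows=<rows returned> sql="<statement>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) session=(?P<session>\S+) '
    r'rows=(?P<rows>\d+) sql="(?P<sql>[^"]*)"$'
)

# Statements that enumerate the schema rather than serve an application query:
# the reconnaissance step between the first remote login and the full dump.
RECON_PATTERNS = [
    re.compile(r'information_schema', re.I),
    re.compile(r'\bsys\.(tables|columns|objects)\b', re.I),
    re.compile(r'^\s*show\s+(tables|databases|columns)\b', re.I),
]

# Constructed sample lines (not real logs). Dates loosely follow the deck's
# South Carolina timeline: credentials phished mid-August, remote login on 27 August.
BASELINE_LOG = [  # known-good period used to profile the account
    '2012-08-01T09:12:03Z user=jsmith src=10.1.4.20 session=s1 rows=120 sql="SELECT * FROM returns WHERE ssn = ?"',
    '2012-08-01T09:40:51Z user=jsmith src=10.1.4.20 session=s1 rows=35 sql="SELECT * FROM payments WHERE return_id = ?"',
    '2012-08-02T14:02:10Z user=jsmith src=10.1.4.21 session=s2 rows=340 sql="SELECT * FROM returns WHERE filed_on = ?"',
]
NEW_LOG = [  # period under review: one stolen-credential session (s9), one normal one (s10)
    '2012-08-27T02:14:55Z user=jsmith src=203.0.113.7 session=s9 rows=0 sql="SELECT table_name FROM information_schema.tables"',
    '2012-08-27T02:16:20Z user=jsmith src=203.0.113.7 session=s9 rows=4000000 sql="SELECT * FROM returns"',
    '2012-08-27T08:30:00Z user=jsmith src=10.1.4.20 session=s10 rows=90 sql="SELECT * FROM returns WHERE ssn = ?"',
]


def parse(lines):
    """Parse audit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev['rows'] = int(ev['rows'])
            events.append(ev)
    return events


def build_baseline(events):
    """Per-account profile from the known-good period: source addresses seen and
    the largest number of rows any single session returned."""
    sources = defaultdict(set)
    session_rows = defaultdict(int)
    for ev in events:
        sources[ev['user']].add(ev['src'])
        session_rows[(ev['user'], ev['session'])] += ev['rows']
    max_rows = defaultdict(int)
    for (user, _), rows in session_rows.items():
        max_rows[user] = max(max_rows[user], rows)
    return {'sources': sources, 'max_rows': max_rows}


def is_recon(sql):
    """True when the statement enumerates schema metadata."""
    return any(p.search(sql) for p in RECON_PATTERNS)


def analyze(baseline, events, dump_factor=10):
    """Return findings as (kind, user, session, detail) tuples, at most one per session per kind.

    new_source:   a valid account used from an address absent from its baseline
    schema_recon: metadata enumeration inside a session
    bulk_extract: a session returning more than dump_factor times the account's
                  largest baseline session (an account with no baseline is always flagged)
    """
    findings = []
    session_rows = defaultdict(int)
    seen = set()
    for ev in events:
        user, sess = ev['user'], ev['session']
        key = (user, sess)
        if ev['src'] not in baseline['sources'].get(user, set()) and ('src', key) not in seen:
            seen.add(('src', key))
            findings.append(('new_source', user, sess, ev['src']))
        if is_recon(ev['sql']) and ('recon', key) not in seen:
            seen.add(('recon', key))
            findings.append(('schema_recon', user, sess, ev['sql']))
        session_rows[key] += ev['rows']
    for (user, sess), rows in session_rows.items():
        ceiling = baseline['max_rows'].get(user, 0)
        if rows > dump_factor * ceiling:
            findings.append(('bulk_extract', user, sess, f'{rows} rows vs baseline max {ceiling}'))
    return findings


def run_example():
    """Profile the baseline period, then review the new period."""
    return analyze(build_baseline(parse(BASELINE_LOG)), parse(NEW_LOG))


if __name__ == '__main__':
    for kind, user, sess, detail in run_example():
        print(f'{kind:13} user={user} session={sess} {detail}')
```

Nothing here depends on a malware signature: the account is the legitimate user's, so every finding is a deviation from that account's own history, which is the only signal a compromised insider leaves at the database. Session s9 collects all three findings while the user's normal session s10 collects none; in practice the baseline would be built from weeks of history, the thresholds tuned per application, and a session that trips more than one heuristic is the one to move from the Detection phase to Containment on slide 37.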