Detecting and Stopping Advanced Attacks
 

DETECTING AND STOPPING ADVANCED ATTACKS: As cyber-attack techniques become more sophisticated your "digital gold" is increasingly vulnerable. Today's cyber threats have changed in sophistication, in focus, and in their potential impact on your business.

Presentation Transcript

• Detecting and Stopping Advanced Attacks

  Contents:
  From Hackers' Games to Cybercrime
  Introduction
  Digital Gold
  Warp Speed of Attack
    Targeting
    Penetration via Endpoints
    Reconnaissance
    Paths of Attack
    Mining for Digital Gold
    Exfiltration
    Persistence, Cleanup and Cover-up
  Conventional Defenses are too Slow
  Detection Must be Automatic
  Stopping Malware from Executing
  Bit9's Advanced Threat Indicators
  Bit9's ATIs in Action
  Get Ahead of Advanced Threats
  About Bit9
  Information
  Email
• From Hackers' Games to Cybercrime

  Hacking used to be more of a game: showing off a hacker's prowess, getting publicity — especially within the hacking community. The increasing value of information spawns well-funded, for-profit cybercriminals and nation-states. Cyber attacks are "weaponized."

                 1990s                                    Present
  Access         Overt (showing off)                      Stealthy
  Motive         Vandalism                                Profit, espionage and/or damage
  Methods        One stage/component;                     Targeted;
                 indiscriminate, mass distribution;       multi-faceted, persistent;
                 common vulnerability                     zero day
  Examples       1998: CIH; 1999: Melissa; 2000: ILOVEYOU; 2001: Code Red; 2003: SQL Slammer, Blaster, Sobig.F; 2004: Bagle, MyDoom, Sasser; 2006: Nyxem; 2007: Zeus; 2010: Stuxnet; 2011: Morto Worm, SpyEye; 2012: Gauss, Flame

  Learn more: Advanced Threat Landscape: What Organizations Need to Know, Frost & Sullivan (White Paper)
• Introduction

  Today's cyber threat has changed in sophistication, in focus, and in its potential impact on your business. This eBook will tell you how today's advanced attacks require automatic detection and incident response. You will learn how you can most effectively protect your business.

  Who should read this eBook?
    • CISO/IT: Prepare a business case for effective security solutions.
    • CFO: Understand the financial implications posed by advanced threats.
    • CXO: Answer the concerns of your board and stockholders.
• Digital Gold

  Every enterprise has high-value information vital to its success. As cyber-attack techniques become more sophisticated, this "digital gold" is increasingly vulnerable.

  A study by the Ponemon Institute found that the average annualized cost of cybercrime in 2012 was $8.9 million, with a range of $1.4 million to $46 million.* The cost of cybercrime includes more than the value of the stolen information. It includes the costs of business disruption, lost opportunity, damage to brand, and recovery efforts.

  It's not just the primary owner of the information who is vulnerable — so are networked business associates and partners, who represent additional attack surfaces.

  * 2012 Cost of Cyber Crime Study: United States. Ponemon Institute, October 2012.

  Industry      Types of high-value information for sale                 Business associates
  Healthcare    Patient health information                               Pharmacies, insurers
  Technology    Intellectual property, trade secrets, patents, designs   Law firms
  Government    State secrets, Social Security information               Contractors
  Retail        Customer data: personal and financial                    Banks
  All           Corporate data: contracts, business plans, staff data    Business process service providers

  The High Cost of Cybercrime
    • Sony estimated their costs from 2011 data breaches were at least $171 million.
    • A competing manufacturer stole source code from a control-system supplier — the supplier's stock dropped 83%.
    • A metallurgical company lost to cyber-espionage technology built over 20 years at a cost of $1 billion.
    • The Canadian government stopped a $38.6 billion takeover bid when attacks compromised sensitive information at government agencies and law firms.
    • Civil penalties for ePHI breaches can be up to $250,000, with repeat/uncorrected violations reaching $1.5 million per violation, per year.

  Learn more: Getting (and Staying) Ahead of Advanced Threats: A Workbook for Assessing Your Advanced Threat Protection Posture (Workbook)
• Warp Speed of Attack

  Advanced attacks typically are not "smash-and-grab" events. An advanced persistent threat (APT) involves stealthy infiltration of endpoints and ongoing theft of your digital gold over time.

  Gone in 15 Minutes

  A cybercriminal group may take months to identify key targets, develop specialized malware to exploit specific vulnerabilities, and exercise remote command and control during the attack. Most advanced attacks are not detected, and certainly not stopped, in time to prevent theft or damage. Once infiltration is accomplished, the essence of the attack itself, the exfiltration of data, can be as fast as 15 minutes.

  APTs are designed to remain undetected, compromising systems for months or even years. Attackers cover their tracks, trying to erase any evidence of having ever entered the system.

  Stages in an advanced attack:
    1. Targeting
    2. Penetration via Endpoints
    3. Reconnaissance
    4. Mining for Digital Gold
    5. Exfiltration
    6. Persistence, Cleanup and Cover-up

  Learn more: Gone in 15 Minutes… Protect Your Domain Controllers from Advanced Threats (Webinar)
• Targeting

  Considerable research goes into choosing targets of APTs. Cybercriminals know well the value of credit card information, Personally Identifiable Information (PII), and intellectual property.

  Gone Phishing

  Attackers will use social media and public sources to identify key individuals such as Michael, Director of Finance, and his boss, the CFO, or other department heads in a large technology company, for example. They might learn the company is a Microsoft® shop using Windows®-based Office and SQL Server® databases. It is not difficult even to learn the versions and patch levels of these systems within the organization. They know the company runs on a fiscal calendar year and that next year's budgets will be worked heavily in Q4.

  During that time frame, Michael would be likely to open an email with subject lines about budget or headcount, particularly if they use familiar names and titles. To embellish the "lure" in this spear-phishing tactic, attackers will also use social media, industry events and the company website to gather information relevant to Michael himself. Perhaps they will even attend corporate or industry events in which Michael participates.

  The email lure with tailored subject line and message will contain a malformed document or perhaps a spreadsheet, or it will prompt Michael to visit a dummy website or to run a program. If Michael doesn't take the initial lure, organized cybercrime or nation-state groups will continue to try him at different times with tweaked subject lines, messages and payload vehicles.

  And they won't just target Michael — they will also conduct WhoIs searches for administrative contact phone numbers and emails. To avoid detection, an attacker might use DNS lookups for ISP details to make their emails appear more legitimate and to hide their origin. They also switch among multiple network proxies to try to remain anonymous.
• Penetration via Endpoints

  Individual desktop or laptop: When Michael opens the spear-phishing email, he downloads a malformed spreadsheet designed to take advantage of a known, seemingly minor, desktop application vulnerability. Once the package is delivered to Michael's desktop, the attacker can manipulate it by remote command and control and look for other "lateral" access points. One might be a print spooler or driver from which the malware gets administrative permissions.

  POS terminal or server: It's Black Friday, the biggest shopping day of the year. Updates (particularly of AV with large libraries that drag on systems) are delayed to accommodate the high volume of transactions. That's the window attackers have been preparing for; they launch an attack that penetrates through known vulnerabilities in older POS terminals and servers.

  Via USB stick: An enterprise has a large mobile workforce, some of whom regularly transfer large amounts of data between home and office. A file is copied from the worker's laptop to a USB stick and, from there, to a desktop at work. Malware moves from the USB stick onto the desktop (or server) and begins looking for additional vulnerabilities.

  Diagram: Internet → source → desktop or laptop / POS terminal or server / USB stick.

  Learn more: Bit9 Whiteboard: Retail (Part I). Chris Strand, Bit9 Security and Compliance Practice Manager (Video)
• Reconnaissance

  Having penetrated an endpoint, APT malware establishes remote command and control so that the attacker can perform stealthy reconnaissance; that is, map the network topology and look for any obstacles and opportunities.

  A commonly used tool to map smaller networks or subnets is nmap; a collection of tools (like Paketto Keiretsu) can map larger networks with discovery and network path tracers. Nmap reports which ports are open on a host and, with service detection, identifies many applications from their banners and responses rather than from the port number alone. The banner often provides version information, which allows attackers to identify application vulnerabilities (e.g., outdated patches) that can be exploited to gain further access.

  Once the network topology has been mapped and applications identified — including security measures — attackers can use real-time command and control to execute their strategy. The goal of reconnaissance is to locate servers with the high-value data and/or to establish routes to administrative credentials that give attackers access to these assets.

  Diagram: remote command and control → domain controllers, file servers, app/web servers.

  Real-Time Remote Command and Control

  "This attack is interactive with a real person sitting at the other end. You can see this in the timing and occasional typos and extra spaces in commands. You can also sense the increase in frustration as the attack progresses — or, rather, fails to progress. The total attack took close to an hour, after which the attacker probably moved on to a different target. But it is safe to assume that if the compromised system remained in place, the attacker would try again after analyzing this failure. That's the very real persistent in advanced persistent threat."
  Source: Anatomy of a Server Attack. Chris Lord, Systems Architect, Bit9. October 2012.
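  The defender's side of the reconnaissance step above is spotting the scan while it is happening. The following is an added example, not code from the Bit9 eBook or any Bit9 product: it parses a constructed connection log (the `src=... dst=... dport=...` format, the 10.0.x.x addresses, the timestamps and the thresholds are all made up for illustration) and flags a source that probes many ports on one host (a vertical scan, what nmap does against a single target) or one port across many hosts (a horizontal scan, what a network-wide sweep looks like).

```python
"""Spot nmap-style reconnaissance in connection logs.

Added example for this section; it is not code from the Bit9 eBook or any
Bit9 product. The log format, addresses, timestamps and thresholds are
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One connection attempt per line; only the fields we use are parsed.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def build_constructed_log():
    """Constructed sample: 10.0.5.23 first walks 12 ports on one host
    (vertical scan), then knocks on port 445 across 10 hosts (horizontal
    scan). 10.0.5.40 is an ordinary client talking to two servers."""
    t0 = datetime(2012, 10, 3, 14, 2, 0)
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=10.0.5.23 dst=10.0.1.10 dport={port} proto=tcp action=deny")
    for i in range(10):
        ts = (t0 + timedelta(seconds=30 + i)).isoformat()
        lines.append(f"{ts} src=10.0.5.23 dst=10.0.1.{20 + i} dport=445 proto=tcp action=allow")
    for i in range(6):
        ts = (t0 + timedelta(minutes=2 * i)).isoformat()
        dst, port = ("10.0.1.12", 445) if i % 2 else ("10.0.1.30", 443)
        lines.append(f"{ts} src=10.0.5.40 dst={dst} dport={port} proto=tcp action=allow")
    return lines


def parse(lines):
    """Yield (timestamp, src, dst, dport) for every line that matches."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def detect_scans(lines, window=timedelta(seconds=60), port_threshold=8, host_threshold=8):
    """Return sorted (src, kind, target) findings.

    kind is "vertical" (one dst, >= port_threshold distinct ports inside one
    window) or "horizontal" (one dport, >= host_threshold distinct hosts).
    The window slides over each source's connections in time order, so a
    slow scan that spreads its probes beyond the window is not flagged;
    widen the window or lower the thresholds to trade false negatives for
    false positives.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(parse(lines)):
        by_src[src].append((ts, dst, dport))

    findings = set()
    for src, conns in by_src.items():
        start = 0
        for end in range(len(conns)):
            while conns[end][0] - conns[start][0] > window:
                start += 1
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for _, dst, dport in conns[start:end + 1]:
                ports_per_host[dst].add(dport)
                hosts_per_port[dport].add(dst)
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    findings.add((src, "vertical", dst))
            for dport, hosts in hosts_per_port.items():
                if len(hosts) >= host_threshold:
                    findings.add((src, "horizontal", str(dport)))
    return sorted(findings)


if __name__ == "__main__":
    for src, kind, target in detect_scans(build_constructed_log()):
        print(f"{src}: {kind} scan against {target}")
```

  The window is the knob that matters: with the 60-second default the constructed scanner is flagged twice and the ordinary client not at all, but shrinking the window to five seconds hides both scans, which is exactly how a patient attacker spacing out probes evades a naive threshold. Denied connections from a single source to many closed ports are also worth alerting on in their own right.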
• Paths of Attack

  Once attackers have performed their reconnaissance and decided on a route, the real attack begins. From Michael's desktop they may appropriate local admin rights to gain "legitimate" access to the local print server. With admin permissions on the local print server, the attacker can likely advance to a corporate print server or a server located in a department of interest (e.g., finance, development, legal). This route would circumvent firewalls and intrusion detection systems because the communications would appear to be normal print traffic. There would be no reason to suspect malware at this point.

  Once in the targeted domain, it would be much easier to look for out-of-date system patches, or known vulnerabilities from previous reconnaissance, on file servers or domain controllers. At this point, you have been effectively compromised.

  Path of an advanced attack: Michael's desktop → print server in his department → corporate print server → corporate file server or domain controller → compromised!

  Learn more: Bit9 Whiteboard: Server Security. Michael Bilancieri, Director of Product Management (Video)
• Mining for Digital Gold

  The Keys to the Kingdom

  For attackers taking the long view, domain controllers are a high-value target because they hold the domain's credential database (password hashes) and the group memberships that confer administrative permissions, which together enable stealthy access on an ongoing basis. But attackers can also be opportunistic. Having penetrated the system, they quickly look for unencrypted, high-value databases and file servers containing credit card or PII data, IP and trade secrets.

  Strategy: attack domain controllers. Steal the "keys to the kingdom": passwords and permissions. Gives the attacker "legitimate" access to resources at will for as long as needed.

  Strategy: attack databases and file servers. Especially if data is not encrypted or if the attacker spots a target of opportunity. File and folder names may be revealing: Patents, Legal, etc.

  Learn more: Protecting Domain Controllers, Bit9 Threat Advisor
• Exfiltration

  Attackers decide the time and speed of exfiltration. The most dramatic scenario: downloading an entire database of PII or corporate IP in minutes.

  APTs reside on your systems for a long time. One technique is to schedule tasks to run at a later time with higher permissions. They can smuggle out data hidden in packets such that it is very hard to spot — even if you know you were compromised. As additional data becomes available, attackers will return again and again to access and exfiltrate more gold.

  A study of 200 data breaches in 24 different countries showed that among the most common methods of extracting data is the same remote access application used for entry. Services such as native FTP and HTTP client functionality were also frequently leveraged for data extraction. When malware was utilized for data extraction, FTP, SMTP and IRC functionality were all observed. (In reverse analysis of custom malware, binaries sometimes disclosed the existence of FTP functionality, including hardcoded IP addresses and credentials.) Off-the-shelf malware, such as keystroke loggers, most often used built-in FTP and email capabilities to exfiltrate data. When email services were employed, the attackers often brazenly installed a malicious SMTP server directly on the compromised system — to ensure the data was properly routed!

  Percentage of methods used to exfiltrate data:
    28%    Microsoft Windows network shares
    27%    Native remote access application
    17%    Malware capability: FTP
    10%    Native FTP client
     6%    SQL injection
     4%    Malware capability: SMTP
     2%    Malware capability: IRC
    <1.5%  Others

  Sources: Cyber Threats Target Intellectual Property, Bit9 Threat Advisor. Data Exfiltration: How Data Gets Out, CSO Online (Security and Risk), 2009 study published in 2010.
• Persistence, Cleanup and Cover-up

  Most advanced attacks are not overt, one-time smash-and-grab events. They are designed to persist and remain undetected, even as they communicate back to the command-and-control center for malware updates and modifications. One tactic is the creation of "dummy" administrative accounts that "fly under the radar" of regular IT monitoring. Another is leaving behind "back doors" in compromised applications for future access and exfiltration of valuable information.

  Besides these "crumbs," the advanced attacker cleans up and erases most traces of itself. Using forensics to understand an attack, and to take action to prevent future attacks, is challenging.

  What's needed is technology in situ that can in fact pick up the crumbs that attackers cannot erase. These include information on who wrote a suspicious file, when it was written, where it went on the network, and whether it wrote anything else (the spawn of the spawn). This type of information can be extracted — if you know what you are looking for — even if the files themselves have been deleted, because it was recorded at the time the activity happened rather than recovered from disk afterwards.

  The security technology needs to be able to show you everything that arrived on your system in, say, the last 24 hours or even the last three months. Where was this file, and what was the related activity? It needs to be able to help find and follow the crumbs. This is key to remediation and, ultimately, prevention.

  Diagram: domain controllers, DB and file servers, app/web servers.

  Learn more: Bit9 Whiteboard: Protecting Virtual Desktops and Critical Servers (Video)
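  What "following the crumbs" looks like in practice is a query over a recording of endpoint activity, not over the disk. The following is an added example and not Bit9 code; the event schema is a constructed stand-in for what an endpoint sensor records, and every path, pid, timestamp and address (203.0.113.7 is a documentation address) is made up. It reconstructs who wrote a dropped executable, what that executable did when it ran, and what it wrote in turn, and the answer is the same after the dropper deletes itself.

```python
"""Follow the crumbs: file provenance from a recorded endpoint timeline.

Added example for this section, not Bit9 code. The event schema below is a
constructed stand-in for what an endpoint sensor records; every path, pid
and timestamp is made up for illustration (203.0.113.7 is a documentation
address).
"""
from dataclasses import dataclass


@dataclass
class Event:
    ts: str          # "HH:MM:SS"; kept as a string so it sorts lexically
    kind: str        # proc_start | file_write | file_delete | net_connect
    pid: int         # process performing the action (assumed unique here)
    image: str       # executable image of that process
    ppid: int = 0    # proc_start: parent pid
    path: str = ""   # file_write / file_delete: target file
    dst: str = ""    # net_connect: remote endpoint


OUTLOOK = r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\EXCEL.EXE"
DROPPER = r"C:\Users\michael\AppData\Local\Temp\budget_q4.exe"
STAGE2 = r"C:\Windows\System32\spoolhlp.dll"

# Constructed recording: Outlook launches Excel on a lure spreadsheet, Excel
# drops an executable, the dropper runs, writes a second stage, beacons out,
# and finally deletes itself. After 08:02:30 the dropper is gone from disk.
RECORDING = [
    Event("08:01:00", "proc_start", 412, OUTLOOK, ppid=300),
    Event("08:02:10", "proc_start", 520, EXCEL, ppid=412),
    Event("08:02:15", "file_write", 520, EXCEL, path=DROPPER),
    Event("08:02:16", "proc_start", 640, DROPPER, ppid=520),
    Event("08:02:20", "file_write", 640, DROPPER, path=STAGE2),
    Event("08:02:21", "net_connect", 640, DROPPER, dst="203.0.113.7:443"),
    Event("08:02:30", "file_delete", 640, DROPPER, path=DROPPER),
]


def trace(recording, path, depth=3):
    """Answer "who wrote this file, when, what did it do, and what did it
    write in turn" from the recording alone, so the answer is the same
    whether or not the file still exists on disk."""
    written_by = [(e.ts, e.image) for e in recording
                  if e.kind == "file_write" and e.path == path]
    deleted = any(e.kind == "file_delete" and e.path == path for e in recording)
    executions = []
    for run in (e for e in recording if e.kind == "proc_start" and e.image == path):
        wrote = [e.path for e in recording if e.kind == "file_write" and e.pid == run.pid]
        executions.append({
            "pid": run.pid,
            "started": run.ts,
            "parent": next((e.image for e in recording
                            if e.kind == "proc_start" and e.pid == run.ppid), None),
            "wrote": wrote,
            "connected": [e.dst for e in recording
                          if e.kind == "net_connect" and e.pid == run.pid],
            # the spawn of the spawn: recurse into every file this run wrote
            "spawn": {p: trace(recording, p, depth - 1) for p in wrote} if depth > 0 else {},
        })
    return {"path": path, "written_by": written_by, "deleted": deleted, "executions": executions}


def arrived_since(recording, ts):
    """Every file first written at or after `ts`, in order of arrival; the
    "what arrived on this system in the last 24 hours" view."""
    seen = []
    for e in sorted(recording, key=lambda e: e.ts):
        if e.kind == "file_write" and e.ts >= ts and e.path not in seen:
            seen.append(e.path)
    return seen


if __name__ == "__main__":
    import json
    print(json.dumps(trace(RECORDING, DROPPER), indent=2))
```

  The recording is keyed by pid for brevity, which assumes pids are not reused inside the captured window; a production sensor keys on a process GUID (pid plus start time) for exactly that reason. Note also that `trace` finds the second stage's author even though nothing ever executed it and the dropper that wrote it no longer exists.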
• Conventional Defenses are too Slow

  No matter how dedicated and talented, security staff cannot keep up with the volume of data flowing through the enterprise architecture. Security systems like SIEM, IPS/HIPS, and firewalls can in fact add to the data overload. Quantity of information is one thing, but the real problem for securing your data is the speed with which things happen.

  The problem with traditional solutions is that they all try to do the same thing: detect and reject malware with a known signature. They look outside your enterprise and try to identify and stop all the malware in the world coming into your enterprise. But that approach isn't sufficient any more. If you cannot keep track of all executables on your systems, whether they run or not, you will never be able to reconstruct the elements of an attack.

  By changing your focus from the malware you're trying to keep outside your organization to the software you want inside your organization, you can determine what software you trust and allow only that to run. Everything else, by default, is untrusted and can be automatically denied or flagged as suspicious.

  Diagram: in a perfect world, there would only be "good" software (updates, downloads, installs; ~25K executables per machine). In the real world, systems are under attack from 100 to 400 million variants: memory infections, social engineering, zero-day attacks, web drive-bys, phishing, and other threats.

  Learn more: Bit9 Whiteboard: Early Detection and Continuous Auditing. Harry Sverdlove, Bit9 CTO (Video)
• Detection Must be Automatic

  The volume of data and speed of cyber attacks dictate that detection must be automated. Antivirus software, HIPS and conventional application control or whitelisting solutions are based on an after-the-fact, reactive model. What's required is a proactive and trust-based model which provides rational, automatic filtering to cull and focus the exact information you must interpret.

  Reactive tools and their limitations:

  Antivirus: Signature based (blacklist libraries); scan based; no sensor to analyze systems in real time.

  HIPS: Information too shallow: doesn't tell where .exe files were spawned; no historical data for time-based analysis to determine level and impact of potential threat; cannot apply latest indicators to historical data; cannot assess network effect or correlate across all of your systems.

  Legacy application control/whitelisting: Relies on a combination of AV and HIPS products, and therefore suffers from the same limitations as above; can't continuously monitor for suspicious activity; doesn't have the granularity to provide a time-based historical view of each system; no ability to replay an event or attack to understand the threat, risk and impact.
• Stopping Malware from Executing

  Automatic detection, embedded in your security environment, is the first barrier to APTs — but suspicious executables need to be stopped until the issue is resolved in order to prevent any damage from being done.

  Let's look at a real-world example. With a proactive trust-based model in place, a security team at a banking organization was alerted that a new file had been written by svchost.exe. Within seconds this file attempted to execute, but because its hash was not on the trusted list (and not because it was on any AV blacklist — it was not until eight months later), execution was blocked automatically. Alerts were sent and logged, but at the time there was nothing else to suspect, and no malicious activity had been allowed to occur.

  Indeed, it was not until months later, when the larger community began to identify components of the complex malware now known as Gauss, that the bank realized it had been automatically protected. Gauss was targeting Middle East banks and their users and was successful in compromising many other organizations.

  Timeline: 1. New file variation, 5 February 2012, written by svchost.exe. 2. Execution blocked.

  Learn more: A Family Affair: Stopping Gauss, Bit9 Threat Advisor. December 2012.
    • Bit9’s Advanced Threat Indicators

Bit9: A DVR for Your Endpoints. Learn More: Blog

Why Customers Need Bit9 Advanced Threat Detection

If a customer has devices not running Bit9, or if any Bit9-protected systems are not in high enforcement, there is a chance for malware to get in. With ATIs continuously monitoring systems’ behaviors, administrators will be alerted to any sign of an attack, so they can respond faster.

Even with high enforcement, trusted users can knowingly or unknowingly approve malicious files. Bit9’s Detection Enhancement provides an additional layer of security.

The bank that was automatically protected from Gauss is an actual Bit9 customer. Bit9 customers were also protected from the recent, highly sophisticated Flame malware.

Bit9 Advanced Threat Detection combines real-time sensors, trust-based security, Advanced Threat Indicators (ATIs), and the Bit9 Software Reputation Service to detect advanced threats, malware and zero-day attacks that typically evade blacklisting and signature-based detection.

ATIs provide a new detection technology and intelligence. ATIs are a packaged set of rules and views created by Bit9’s threat research team. ATIs monitor for suspicious behaviors and activities, examining many facets of your system — including files, registries, process and memory execution — to identify potential compromise or infection.

Examples of what ATIs can detect:
•• A process attempting to harvest cached passwords
•• A PDF file spawning an executable
•• Processes injecting into other processes
•• Processes executing out of suspicious locations

As new intelligence is gathered around advanced threats by Bit9’s Threat Research Team, new ATIs are developed, and customers receive them via the cloud-based Threat Indicator Service.

Bit9 Advanced Threat Detection gives Bit9 customers the ability to apply continuous real-time and historical detection throughout their entire infrastructure — servers, desktops, laptops and fixed-function devices.

Bit9 is the first security solution to apply ATIs in both real time and to an historical recording of endpoint activity.
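To make the two ideas on these pages concrete, here is an added example (not Bit9’s code) of a toy default-deny execution gate combined with two behaviour rules modelled on the ATI examples above (a PDF reader spawning an executable, execution from a temp directory), run over a constructed in-memory event log; all hashes, paths, rule names and the event fields are assumptions made for illustration. The third event mirrors the Gauss case: no indicator fires, yet the untrusted hash alone blocks it.

```python
"""Added example, not Bit9's code: default-deny by hash plus behavioural
indicators over a constructed process-event log. All values are made up."""
from dataclasses import dataclass

# Constructed approved hashes ("trusted" software); anything else is untrusted.
TRUSTED_HASHES = {"sha256:1111aaaa", "sha256:2222bbbb"}

# Constructed stand-ins for the behaviours the ATI list describes in prose.
PDF_READERS = {"acrord32.exe", "foxitreader.exe"}
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\recycler\\")


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image name of the parent process
    image: str    # full path of the image being executed
    sha256: str   # hash of the executed file (constructed label)


def trust_decision(ev: ProcEvent) -> str:
    """Trust-based gate: only approved hashes may run, regardless of blacklists."""
    return "allow" if ev.sha256 in TRUSTED_HASHES else "block"


def indicators(ev: ProcEvent) -> list[str]:
    """Behavioural indicators; these fire independently of the trust decision."""
    hits = []
    if ev.parent.lower() in PDF_READERS:
        hits.append("pdf_spawned_executable")
    if any(d in ev.image.lower() for d in SUSPICIOUS_DIRS):
        hits.append("exec_from_suspicious_location")
    return hits


def evaluate(events):
    """Same rules work on a live feed or on a recorded history of events."""
    return [(ev.image, trust_decision(ev), indicators(ev)) for ev in events]


# Constructed event log: one trusted binary, two untrusted ones.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", r"C:\Windows\System32\notepad.exe", "sha256:1111aaaa"),
    ProcEvent("acrord32.exe", r"C:\Users\u\AppData\Local\Temp\update.exe", "sha256:deadbeef"),
    ProcEvent("svchost.exe", r"C:\Windows\System32\wbem\x.exe", "sha256:cafe0000"),
]

if __name__ == "__main__":
    for image, decision, hits in evaluate(SAMPLE_EVENTS):
        print(f"{decision:5} {image}  indicators={hits}")
```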
    • Bit9’s ATIs in Action

Bit9 Whiteboard: Bit9 Stops Advanced Malware Flame. - Harry Sverdlove, Bit9 CTO. Learn More: Video

The Economics of Playing Catch-up

Prior to using a trust-based security platform, one company was seeing between 10 and 20 systems of interest (SOI) a day, each of which was routed to the Information Security (IS) team by email. Engineering co-ops would then review the SOI, and, if required, a member of the IS team was brought in, and a threat assessment team of three got involved. If the malware had successfully gained command and control of a system, a 1-3 person forensics team was brought in.

None of this staff cost (up to 8 people) would be incurred if executables were stopped before they run — to say nothing of the ultimate cost of the successful attack!

A precursor to Gauss, Flame is malware aimed at industrial or fixed systems. Although Flame was announced publicly in May 2012, Bit9’s first encounter with it actually occurred much earlier.

In October 2011, a small component of what became known as Flame was seen as an unknown file, blocked and prevented from executing by the Bit9 Trust-based Security Platform.

Flame variations have since been found at organizations around the world. As of yet, however, there is no obvious conclusion as to the attackers’ original motivation.

Whenever new families or new attack techniques are revealed, malicious actors are more than happy to steal, adapt and employ these techniques.

Shamoon, a variant of Flame designed to destroy information, targeted oil and gas companies in the Middle East with devastating consequences.

Customers of Bit9 receive an original set of ATIs as part of Detection Enhancement. Bit9 adds ATIs as intelligence is gathered about advanced threats, and Bit9 customers receive updates via the Bit9 Threat Indicator Service.
    • Get Ahead of Advanced Threats

Bit9 Security Platform Data Sheet. Learn More: Data Sheet

[Diagram: Bit9 Detects and Stops Advanced Threats. Endpoints shown: Desktop or Laptop, POS Terminal or Server, USB Stick, Domain Controllers, DB and File Servers, App/Web Servers. Layers: Bit9 Proven Reliability and Highest Scalability and Security for Physical and Virtual Environments; Bit9 Immediate Visibility, Detection and Protection; Bit9 IT- and Cloud-Driven Trust Policies; Software Reputation Service.]
    • About Bit9

Bit9 is the Leader in Trust-based Security

The Bit9 Trust-based Security Platform continuously monitors and records all activity on servers and endpoints to detect and stop cyber threats that evade traditional security defenses. A cloud-based software reputation service, combined with policy-driven application control and whitelisting, provides the most reliable form of security in a model that can be rapidly implemented with less maintenance than traditional tools.

The Bit9 5-Day Free Trial

The Bit9 5-Day Free Trial is designed for IT security and forensics professionals interested in closing the endpoint security gap left open by traditional, reactive security solutions. This cloud-based trial is a complete working deployment of the Bit9 security platform, which includes the industry’s leading trust-based application control and whitelisting solution. Sign up today at www.bit9.com/freetrial.

Follow us online: