Targeted Defense for Malware & Targeted Attacks

2,984 views

Published on

Sophisticated attacks leverage social engineering techniques and malware to compromise those individuals already on the inside of your enterprise, and then steal your data. By targeting your trusted employees, attackers can circumvent conventional defenses like firewalls and IPS solutions to penetrate your network and compromise your data center. This presentation will examine why attackers looking to steal sensitive data targeted your data center; explain how targeted attacks, often using spear phishing and malware, consistently defy perimeter and endpoint defenses; and present an eight step incident response model to help prevent, detect, and respond to targeted attacks.

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,984
On SlideShare
0
From Embeds
0
Number of Embeds
916
Actions
Shares
0
Downloads
48
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide
  • Barry: “Less than 1% of your employees may be malicious insiders, but 100% of your employees have the potential to be compromised insiders.”
  • 2013 VDBIRMalware 40% of breachesSocial 29%Hacking 52%Assets compromisedServers 54User (devices) 71People 29
  • Anna Kournikova virus author stands trialLenient sentence in prospectBy John LeydenPosted in Security, 14th September 2001 13:58 GMTThe author of the infamous Anna Kournikova email worm has appeared in court in the Netherlands with prosecutors calling for a lenient sentence for his admitted crime.Lawyers for 20-year old Jan de Wit have called for the dismissal of charges against him, arguing that the worm caused minimal damange. The FBI submitted evidence to the Dutch court, suggesting that $166,000 in damages was caused by the worm, based on reports of damage from 55 firms
  • Targeted Defense for Malware & Targeted Attacks

    1. 1. © 2013 Imperva, Inc. All rights reserved. Targeted Defense for Malware and Targeted Attacks Confidential1 Barry Shteiman Senior Security Strategist
    2. 2. © 2013 Imperva, Inc. All rights reserved. Contents Confidential2 §  Compromised Insider §  Incident Analysis §  Anatomy of an Attack §  Current Controls §  Reclaiming Security
    3. 3. © 2013 Imperva, Inc. All rights reserved. Compromised Insider Confidential3 Defining the Threat Landscape
    4. 4. © 2013 Imperva, Inc. All rights reserved. Confidential4 “There are two types of companies: companies that have been breached and companies that don’t know they’ve been breached.” Shawn Henry, Former FBI Executive Assistant Director NY Times, April 2012
    5. 5. © 2013 Imperva, Inc. All rights reserved. Insider Threat Defined Confidential5 Risk that the access rights of a trusted person will be used to view, take or modify data or intellectual property. Possible causes: §  Accident §  Malicious intent §  Compromised device
    6. 6. © 2013 Imperva, Inc. All rights reserved. A person with no malicious motivation who becomes an unknowing accomplice of third parties who gain access to their device and/or user credentials. 6 Compromised Insider Defined Confidential
    7. 7. © 2013 Imperva, Inc. All rights reserved. Malicious Vs. Compromised Potential Confidential7 1% < 100% Source: http://edocumentsciences.com/defend-against-compromised-insiders
    8. 8. © 2013 Imperva, Inc. All rights reserved. Look Who Made the Headlines Confidential8 Hackers steal sensitive data related to a planned 2.4B acquisition. Hacker stole 4-million Social Security numbers and bank account information from state tax payers and businesses
    9. 9. © 2013 Imperva, Inc. All rights reserved. Know Your Attacker Confidential9 Governments •  Stealing Intellectual Property (IP) and raw data, Espionage •  Motivated by: Policy, Politics and Nationalism Industrialized hackers •  Stealing IP and data •  Motivated by: Profit Hacktivists •  Exposing IP and data, and compromising the infrastructure •  Motivated by: Political causes, ideology, personal agendas
    10. 10. © 2013 Imperva, Inc. All rights reserved. What Attackers Are After Confidential10 Source: Verizon Data Breach Report, 2013
    11. 11. © 2013 Imperva, Inc. All rights reserved. Data & IP 11 Two Paths, One Goal User with access rights (or his/her device) Hacking (various) used in 52% of breaches Online Application Malware (40%) Social Engineering (29%) Servers 54% Confidential Users (devices) 71% People 29% Source: Verizon Data Breach Report, 2013
    12. 12. © 2013 Imperva, Inc. All rights reserved. Incident Analysis Confidential12 The South Carolina Data Breach
    13. 13. © 2013 Imperva, Inc. All rights reserved. What Happened? Confidential13 4M Individual Records Stolen in a Population of 5M 80%.
    14. 14. © 2013 Imperva, Inc. All rights reserved. A Targeted Database Attack Confidential14 12-Sept-12 - 14-Sept-12 Attacker steals the entire database 27-Aug-12 Attacker logs in remotely and accesses the database 13-Aug-12 Attacker steals login credentials via phishing email & malware 29-Aug-12 - 11-Sept-12 Additional reconnaissance, more credentials stolen
    15. 15. © 2013 Imperva, Inc. All rights reserved. The Anatomy of an Attack How Does It Work 15 Confidential
    16. 16. © 2013 Imperva, Inc. All rights reserved. Anatomy of an Attack Confidential16 Spear Phishing
    17. 17. © 2013 Imperva, Inc. All rights reserved. Anatomy of an Attack Confidential17 Spear Phishing C&C Comm
    18. 18. © 2013 Imperva, Inc. All rights reserved. Anatomy of an Attack Confidential18 Spear Phishing C&C Comm Data Dump & Analysis
    19. 19. © 2013 Imperva, Inc. All rights reserved. Anatomy of an Attack Confidential19 Spear Phishing C&C Comm Data Dump & Analysis Broaden Infection
    20. 20. © 2013 Imperva, Inc. All rights reserved. Anatomy of an Attack Confidential20 Spear Phishing C&C Comm Data Dump & Analysis Broaden Infection Main Data Dump
    21. 21. © 2013 Imperva, Inc. All rights reserved. Wipe Evidence Anatomy of an Attack Confidential21 Spear Phishing C&C Comm Data Dump & Analysis Broaden Infection Main Data Dump
    22. 22. © 2013 Imperva, Inc. All rights reserved. Searching on Social Networks… Confidential22
    23. 23. © 2013 Imperva, Inc. All rights reserved. …The Results Confidential23
    24. 24. © 2013 Imperva, Inc. All rights reserved. Next: Phishing and Malware Confidential24 How easy is it? §  A three-month BlackHole license, with Support included, is US$700 Specialized Frameworks and Hacking tools, such as BlackHole 2.0, allow easy setup for Host Hijacking and Phishing.
    25. 25. © 2013 Imperva, Inc. All rights reserved. Drive-by Downloads Are Another Route Confidential25 September 2012 “iPhone 5 Images Leak” was caused by a Trojan Download Drive-By
    26. 26. © 2013 Imperva, Inc. All rights reserved. Cross Site Scripting Is Yet Another Path Confidential26 Persistent XSS Vulnerable Sites provide the Infection Platform GMAIL, June 2012 TUMBLR, July 2012
    27. 27. © 2013 Imperva, Inc. All rights reserved. The Human Behavior Factor Confidential27 Source: Google Research Paper “Alice in Warningland”, July 2013
    28. 28. © 2013 Imperva, Inc. All rights reserved. Current Controls Confidential28 Won’t the NGFW/IPS/AV Stop It?
    29. 29. © 2013 Imperva, Inc. All rights reserved. What Are the Experts Saying? Confidential29 “Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.” Mikko Hypponen, F-Secure, Chief Research Officer Source: http://www.wired.com/threatlevel/2012/06/internet-security-fail/
    30. 30. © 2013 Imperva, Inc. All rights reserved. Security Threats Have Evolved… Confidential30 20132001 AntiVirus Firewall IPS AntiVirus Firewall IPS Sources: Gartner, Imperva analysis
    31. 31. © 2013 Imperva, Inc. All rights reserved. Security Redefined Confidential31 Forward Thinking
    32. 32. © 2013 Imperva, Inc. All rights reserved. The DISA Angle Confidential32 “In the past, we’ve all been about protecting our networks—firewall here, firewall there, firewall within a service, firewall within an organization, firewalls within DISA. We’ve got to remove those and go to protecting the data” Lt. Gen. Ronnie Hawkins JR – DISA. AFCEA, July 2012
    33. 33. © 2013 Imperva, Inc. All rights reserved. Rebalance Your Security Portfolio Confidential33
    34. 34. © 2013 Imperva, Inc. All rights reserved. Assume You Can Be Breached Confidential34
    35. 35. © 2013 Imperva, Inc. All rights reserved. Incident Response Phases for Targeted Attacks Confidential35 Reduce Risk Prevent Compromise Detection Containment Insulate sensitive data Password Remediation Device Remediation Post-incident Analysis Size Up the Target Compromise A User Initial Exploration Solidify Presence Impersonate Privileged User Steal Confidential Data Cover Tracks
    36. 36. © 2013 Imperva, Inc. All rights reserved. www.imperva.com 36 Confidential

    ×