Demystifying Advanced Persistent
Threats:
Reversing the Course of a Perceived
Asymmetric Cyber Battle


 Rick Doten, CISSP, RKC
 Chief Scientist
 Lockheed Martin
 Center for Cyber Security Innovation


                                    INFORMATION SYSTEMS & GLOBAL SOLUTIONS
                                                                       1
Cyber Security Is like…

Images courtesy PopCap; used with permission
Threat Characteristics:

Advanced               Persistent                       Threat

    Advanced Characteristics:
       • Targeted at specific individuals and groups within
         an organization
       • Using unreported exploits (zero day)
       • Advanced, custom malware that isn’t detected by
         antivirus products
       • Coordinated intrusions using a variety of vectors
       • Intruder will adjust actions based on countermeasures
       • Intruder will use least sophisticated exploits and
         techniques first and escalate only as required

    Persistent Characteristics:
       • Social engineering is typically the first step to an
         intrusion: people manipulating people to ensure
         continued access to the targets
       • Intrusions lasting for months or years
       • Adversaries install multiple backdoors
       • Assume they know which information they are targeting
       • Adversaries are patient and dedicated (or assigned)
         to the target
       • Because there is a real person behind the actions,
         they will respond quickly to countermeasures


        We Never Forget Who We’re Working For®
            … and neither do the bad guys!
What APT is Not...


             • Botnets, rogue anti-spyware, DoS and DDoS attacks
             • A category defined by the technique of intrusion alone,
               without considering the people behind it or their motive
             • APT is often (wrongly) defined as:
                 • Any intrusion not discovered by current security
                   technology
                 • Any intrusion that uses advanced techniques, such as
                   zero-day exploits




  One reason for confusion:
    Many cyber-criminal teams are adopting (buying or bartering) APT-built
    techniques because of their effectiveness.
APT campaigns are not about being the anomaly,
but part of the normal:


               • An APT campaign will take advantage of trust
                 relationships
               • An APT campaign is low and slow, as opposed to broad,
                 aggressive, or obvious attempts
               • An APT campaign is patient and will take the time
                 needed to achieve its objectives
               • An APT campaign will conceal its actions by using
                 legitimate accounts and protocols
               • An APT campaign will use an existing account and
                 enumerate information with that account’s privileges
               • An APT campaign will attempt to create new accounts
                 with administrative privilege
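The last two bullets describe behaviour that hides inside normal administration: an existing account is used, a new account appears, and it is given administrative privilege. An account-creation alert on its own is noisy; correlating the creation with a privileged-group addition within a short window narrows it to the pattern on the slide. The Python below is an added example, not part of the original deck. Windows Security event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group) are real event IDs; the record layout and the events themselves are constructed sample data, not a real log schema.

```python
"""Correlate account creation with privileged-group additions.

Added example, not from the slide deck. Event IDs 4720 and 4732 are real
Windows Security event IDs; the simplified field names and the sample
records below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs). "subject" is the account that
# performed the action, "target" the account acted upon.
SAMPLE_EVENTS = [
    {"time": "2013-02-01T10:00:00", "id": 4720, "subject": "CORP\\it_admin",
     "target": "CORP\\svc_old", "group": None},
    {"time": "2013-03-04T22:41:07", "id": 4624, "subject": "CORP\\jsmith",
     "target": "CORP\\jsmith", "group": None},
    {"time": "2013-03-04T22:43:12", "id": 4720, "subject": "CORP\\jsmith",
     "target": "CORP\\svc_backup2", "group": None},
    {"time": "2013-03-04T22:44:50", "id": 4732, "subject": "CORP\\jsmith",
     "target": "CORP\\svc_backup2", "group": "Administrators"},
    {"time": "2013-03-05T09:15:00", "id": 4720, "subject": "CORP\\helpdesk",
     "target": "CORP\\newhire01", "group": None},
    {"time": "2013-03-05T09:16:10", "id": 4732, "subject": "CORP\\helpdesk",
     "target": "CORP\\newhire01", "group": "Remote Desktop Users"},
    {"time": "2013-03-05T11:02:30", "id": 4732, "subject": "CORP\\it_admin",
     "target": "CORP\\svc_old", "group": "Administrators"},
]

# Groups whose membership grants administrative privilege (assumption).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def find_new_privileged_accounts(events, window=timedelta(hours=1)):
    """Return one finding per account that was created (4720) and then added
    to a privileged group (4732) within `window`.

    Creation alone is not flagged (newhire01), nor is a privileged add for an
    account created long ago (svc_old); only the create-then-elevate pair is.
    """
    created = {}      # target account -> (creation time, creating subject)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO stamps sort lexically
        now = parse_time(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = (now, ev["subject"])
        elif ev["id"] == 4732 and ev["group"] in PRIVILEGED_GROUPS:
            hit = created.get(ev["target"])
            if hit and now - hit[0] <= window:
                findings.append({
                    "account": ev["target"],
                    "created_by": hit[1],
                    "elevated_by": ev["subject"],
                    "group": ev["group"],
                    "minutes": round((now - hit[0]).total_seconds() / 60, 1),
                })
    return findings


if __name__ == "__main__":
    for f in find_new_privileged_accounts(SAMPLE_EVENTS):
        print(f)
```

The window is the tunable part: a legitimate provisioning process usually creates and groups an account in one run as well, so in practice the correlation is paired with a check that the creating account is an approved provisioning identity, which is exactly the "legitimate accounts and protocols" problem the slide raises.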
So, how is PvZ like APT campaigns?
“To protect our infrastructure, we have to be right every
 step; the bad guys only have to be right once.”

“To compromise our infrastructure, the bad guys have to
 be right every step; we only have to be right once.”
Cyber Threat Kill Chain


                          Reconnaissance
                          Weaponization
                          Delivery
Intrusion                 Exploit
                          Installation
                          Command and Control
                          Act on Objectives
Cyber Kill Chain Animation



                                 1.   Reconnaissance
                                 2.   Weaponization
                                 3.   Delivery
                                 4.   Exploitation
                                 5.   Installation
                                 6.   Command & Control
                                 7.   Act on Objectives


 •   No matter where you block the sequence in the
     chain, you stop the attack: the intruder must complete
     every phase in order, so denying any one phase stops
     that intrusion.
 •   Because the intruder adjusts to countermeasures and
     returns, the aim is coverage at several phases, not a
     single choke point.
Threat-focused Risk Reduction


  Risk = Target Value x Vulnerability x Threat

  where the Threat term breaks down into the adversary’s
  Opportunity, Capability and Intent:

  Risk = Target Value x Vulnerability x { Opportunity, Capability, Intent }


                Our Objectives:

                •   Erode capability
                •   Increase cost of intrusion
                •   Understand intent
Same Technique works on these Guys!
Attack Vector Escalation


  Then                            Now
  Email spoofing              →   Man-in-the-Mailbox
  Parking lot entry vector    →   Supply Chain
  Fake sites that look real   →   Compromised sites with embedded malware
Benefits of Framework

1.   Reconnaissance
2.   Weaponization
3.   Delivery
4.   Exploitation
5.   Installation
6.   Command & Control
7.   Act on Objectives

     • Articulates prioritization
     • Articulates data collection requirements
Putting them Together


                        Detect   Degrade   Deny    Disrupt      Deceive
   Reconnaissance
   Weaponization
   Delivery
   Exploitation
   Installation
   Command & Control
   Act on Objectives


              Drives detection, mitigation measures
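The matrix above is the working artefact of the framework: phases down the side, courses of action across the top, and a cell for every control the defender actually has. Read by row it shows which phases are blind (the "data collection requirements" of the previous slide); read against the indicators of one intrusion it shows the earliest phase at which that chain could have been broken. The Python below is an added example, not code from the deck or from Lockheed Martin. The seven phases and five courses of action are the slide's; the controls and the indicators are constructed illustrations.

```python
"""Kill-chain courses-of-action matrix built from a control inventory.

Added example, not from the slide deck. Phase and action names are the
slide's; CONTROLS and INDICATORS are constructed for illustration.
"""

PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command & Control", "Act on Objectives",
]
ACTIONS = ["Detect", "Degrade", "Deny", "Disrupt", "Deceive"]

# Constructed: the controls a defender has, keyed by phase then action.
# A phase with no entry at all is a phase where the defender is blind.
CONTROLS = {
    "Reconnaissance":    {"Detect": "web server log analytics"},
    "Delivery":          {"Detect": "mail gateway attachment sandbox",
                          "Deny": "strip executable attachments"},
    "Exploitation":      {"Detect": "host intrusion detection",
                          "Deny": "patching and exploit mitigations"},
    "Installation":      {"Detect": "autostart/registry monitoring",
                          "Deny": "application allow-listing"},
    "Command & Control": {"Detect": "proxy beacon analytics",
                          "Deny": "egress firewall policy",
                          "Disrupt": "DNS sinkhole"},
    "Act on Objectives": {"Detect": "large outbound transfer alerting"},
}

# Constructed: indicators reconstructed from one intrusion, tagged by phase.
INDICATORS = [
    ("target list harvested from the public staff directory", "Reconnaissance"),
    ("PDF carrying an embedded dropper", "Weaponization"),
    ("spear-phishing mail from a spoofed colleague", "Delivery"),
    ("document reader exploit triggered on open", "Exploitation"),
    ("dropper written to a user autostart location", "Installation"),
    ("periodic HTTPS beacon to an attacker-controlled host", "Command & Control"),
    ("staged archive exfiltrated over the beacon channel", "Act on Objectives"),
]


def build_matrix(controls, phases=PHASES, actions=ACTIONS):
    """Full phase x action grid; None where no course of action exists."""
    return {p: {a: controls.get(p, {}).get(a) for a in actions} for p in phases}


def coverage_gaps(matrix):
    """Phases with no course of action at all: the data-collection
    requirements the framework articulates."""
    return [p for p, row in matrix.items() if not any(row.values())]


def actions_per_indicator(indicators, matrix):
    """For each observed indicator, the courses of action available at its phase."""
    return {ind: [a for a, ctrl in matrix[phase].items() if ctrl]
            for ind, phase in indicators}


def earliest_block(indicators, matrix, blocking=("Deny", "Disrupt")):
    """Earliest phase of this intrusion where a blocking action exists.
    Breaking the chain there means every later indicator never happens."""
    for _ind, phase in sorted(indicators, key=lambda x: PHASES.index(x[1])):
        if any(matrix[phase][a] for a in blocking):
            return phase
    return None


def render(matrix, width=10):
    """Plain-text grid in the slide's layout: phases down, actions across."""
    header = "".ljust(20) + "".join(a.ljust(width) for a in ACTIONS)
    rows = [p.ljust(20) + "".join(("x" if row[a] else "-").ljust(width)
                                  for a in ACTIONS)
            for p, row in matrix.items()]
    return "\n".join([header] + rows)


if __name__ == "__main__":
    m = build_matrix(CONTROLS)
    print(render(m))
    print("blind phases:", coverage_gaps(m))
    print("earliest block:", earliest_block(INDICATORS, m))
```

With the constructed inventory the empty Weaponization row is the finding: the dropper-in-PDF indicator was recovered only after the fact, so the next campaign that reuses the same weaponizer will pass unseen until Delivery. The intrusion itself could have been stopped at Delivery, and the indicators from the phases after it are still worth extracting so that each later row gains a Detect entry for the adversary's return.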
Which is not unlike…
Because in the end, you don’t want…
Questions?
Thank You!

Rick Doten, CISSP, RKC
Chief Scientist
Lockheed Martin
Center for Cyber Security Innovation
eric.a.doten@lmco.com



