With each passing year, the security threats facing computer networks have become more technically sophisticated, better organized and harder to detect. At the same time, the consequences of failure to block these attacks have increased. In addition to the economic consequences of financial fraud, we are seeing real-world attacks that impact the reliability of critical infrastructure and national security. Join Lancope's Director of Security Research to learn about five key challenges that computer security professionals face in 2013, including: 1. State-sponsored espionage and sabotage of computer networks 2. Monster DDoS attacks 3. The loss of visibility and control created by IT consumerization and the cloud 4. The password debacle 5. Insider threats

1. 5 Cyber Security Challenges
for 2013
Tom Cross, Director of Security Research
tcross@lancope.com
(770) 225-6557

2. 5 CyberSecurity Challenges for 2013
 Stated Sponsored Computer Intrusions
 Monster DDOS Attacks
 Loss of Visibility and Control created by IT Consumerization and the Cloud
 The Password Debacle
 The Insider Threat

3. State Sponsored Computer Intrusions
 Sykipot
– Spread by spear phishing emails with malicious attachments
– Targets smartcard credentials
 Flame
– Extremely complicated malware
– Used a counterfeit digital certificate to impersonate Windows Update
– Certificate was generated with a previously unknown MD5 collision attack
 Shamoon
– Targeted the energy sector
– Destroyed infected systems
 Gauss
– Related to Stuxnet, Duqu, and Flame
 Council on Foreign Relations Waterhole
– Targeted victims with specific language settings
 Red October
– More that 1,000 modules!
© 2012 Lancope, Inc. All rights reserved.3

4. 0-Day Vulnerabilities
 A Zero Day vulnerability is a security vulnerability that attackers have access to
before it is publicly disclosed.
– Sophisticated attackers often search for previously unknown vulnerabilities
– Because these vulnerabilities are not publicly disclosed, they cannot be patched, and
Intrusion Prevention Systems usually cannot detect attacks that target them.
 Research paper by Symantec Research labs published in October, 2012
– Retrospective look at a large archive of old binary files from Anti-Virus customers
– Identified 18 0-Day vulnerabilities that were exploited in the wild
– 11 were previously not known to have been exploited before public disclosure
– The vulnerabilites were exploited for up to 30 months before public disclosure
– On average, the vulnerabilities were exploited for 312 days before public disclosure
© 2012 Lancope, Inc. All rights reserved.4

5. Protection Strategies
© 2012 Lancope, Inc. All rights reserved.5
Less Sophisticated:
Downloads publicly available attack tools
Targets known/disclosed vulnerabilities
Uses off the shelf malware toolkits
More Sophisticated:
Discovers 0-day vulnerabilities
Attacks tested against IDS products
Malware tested against A/V products
Audit, Patch, and Protect
Close known vulnerabilities
Block known attacks
Detect known malware
Safety in Numbers
T
A
R
G
E
T
E
D
M
O
R
E
Sophisticated, Targeted
Attacks?

6. Visibility through out the Kill Chain
 A sophisticated attack on a network involves a series of steps
 Traditional thinking views any system compromise as a successful breach
 Any successful action taken to stop an infection prior to data exfiltration can be
considered a win
 This is the Kill Chain concept introduced by Mike Cloppert at Lockheed
 Controls should be put in place at each stage of the chain
© 2012 Lancope, Inc. All rights reserved.6
Recon
Exploitation
(Social Engineering?)
Initial
Infection
Internal
Pivot
Data
Preparation
& Exfiltration
Command
and
Control

7. Monster DDOS Attacks
 IBM X-Force – 300% Increase in DDOS Backscatter from ‘08 to ’11
 Prolexic (Q3 2011 to Q3 2012):
– 88% increase in total attacks
– 230% increase in average attack bandwidth
 DDoS Attacks against US Banks
– 60 GBPS
– itsoknoproblembro
– Launched from servers
– Claimed by Izz ad-Din al-Qassam Cyber Fighters
– Attacker?
Financial Criminals?
Protest Rally?
Statecraft?
© 2012 Lancope, Inc. All rights reserved.7

8. Addressing Monster DDOS Attacks
 Have a plan in place before the day that attacks begin!
– Plan should cover different classes of DDoS attacks
– Quick reactions require visibility and process
– Test human processes and not just technology
 Large DDoS Attacks must be cleaned in the network and not at the customer
premise
 Application Layer DDoS Attacks can be difficult to mitigate with network based
services
– Lack of application awareness
– Traffic evades scrubber’s heuristics
© 2012 Lancope, Inc. All rights reserved.8

9. IT Consumerization and the Cloud
 We used to have a three tiered strategy:
– Establish and protect the perimeter (Firewalls, IPS, etc)
Inbound attacks from the Internet
Drive by Downloads
– Focus on hardening servers with critical data
– Protect the endpoint (HIDS/AV)
Mobile Laptops
USB Keys
 Employee owned devices can’t be protected with endpoint agents
 Applications with critical data are moving outside the Perimeter
– Loss of visibility into who accessed what, when and how
© 2012 Lancope, Inc. All rights reserved.9

10. 2013 is the year to demand our visibility back!
 Cloud Services can provide authentication logs, netflow
– They may not have architected their services this way, but it is technically feasible
 Netflow can provide visibility into private clouds
 Identity aware Netflow provides a way to monitor mobile devices
10
User Name MAC Address Device Type
Bob.Smith
8c:77:12:a5:64:05
(Samsung
Electronics Co.,Ltd)
Android
John.Doe
10:9a:dd:27:cb:70
(Apple Inc)
Apple-iPhone
When a mobile device is
acting up it is critical to be
able to connect network
transactions with the person
who has the physical device.

11. The Password Debacle
 2012 was a banner year for breaches that disclosed large numbers of
usernames and passwords or password hashes
– LinkedIn, eHarmony, Formspring, Adobe, Yahoo, Nvidia, Gamigo, etc…
– Millions of passwords had to be reset
 Cloud services make it easy to spin up large brute force password cracking
efforts
– www.cloudcracker.com
 Passwords are too short!
– Minimum secure password length in 2010 = 12 Characters (GTRI)
 Passwords are not going anywhere soon.
– Multifactor auth isn’t foolproof either!
© 2012 Lancope, Inc. All rights reserved.11

12. Living with Passwords
 Our policies are killing us!
– Password policies can be complied with in meaningless ways
– Passphrases are easier to remember if they don’t need special characters
– Some systems have maximum password lengths!
– The way to find weak passwords is to actually crack your hashes
 Personal Solutions
– Password Vaults (Eggs in one basket)
– Different passwords for different classes of services (Work, Sensitive, Fun)
– A physical notebook?
 Be prepared for attackers to enter the network with valid credentials
– Mandiant M-Trends Report – 100% of attackers used valid credentials
– Are you monitoring the behavior of legitimate users?
© 2012 Lancope, Inc. All rights reserved.12

13. The Insider Threat
• Internal Threats was ranked the #1 security concern closely followed by APT
o Respondents who ranked Insider Threats as their #1 security concern also had the
highest increase in network traffic due to additional mobile devices.
Security Concern Ranking
Insider Threats 1
APTs (DirectedAttacks) 2
IT Consumerization/ User Mobility / BYOD 3
Virtualization/ CloudComputing 4
Compliance 5

14. CERT Research on Insider Threat
14
CERT Insider Threat Research
 12 years of history
 Over 700 insider threat
cases
 IT Sabotage
– Average: $1.7 million
– Median: $50,000
 IP Theft
– Average: $13.5 million
– Median: $337,000

15. Combating Insider Threat is a multidisciplinary challenge
IT
HR Legal
 IT cannot address insider threat by itself
– People have a tendency to think that IT is solely responsible for all computer security issues.
 Legal: Are policies in place? Are they realistic? Does legal support IT practices?
 HR: Who is coming and going? Who has workplace issues? Are there soft solutions?
 IT: Is the privacy of end users adequately protected?
 What impact on workplace harmony are policies, monitoring, and enforcement having?
 Are you applying policies consistently?
15

16. 5 Recommendations for Managing Insider Threats
1. IT cannot resolve insider threat problems alone.
2. Create checks and balances for system and network administrators.
3. Work with management to identify disgruntled employees.
4. Have a comprehensive process for terminating employee access to the
network.
5. Pay attention to audit trails of system accesses and network activity around
employment termination.
© 2012 Lancope, Inc. All rights reserved.16

17. Thank You
Tom Cross
Director of Security Research
tcross@lancope.com
(770) 225-6557

18. StealthWatch Labs Intelligence Center
© 2012 Lancope, Inc. All rights reserved.18
http://lancope.com/SLIC @stealth_labs

19. Get Engaged with Lancope
Follow us at
@Lancope and
@NetFlowNinjas
Subscribe to Lancope
updates at
http://feeds.feedburner.com/N
etflowNinjas
Attend
complimentary
Seminars
http://www.lancope.com/ne
ws-events/university-of-
netflow/
Join NetFlow Ninjas
http://www.linkedin.com/grou
ps/NetFlow-Ninjas-
2261596/about
Access StealthLabs
Intelligence Center
(SLIC) Reports
http://lancope.com/SLIC
Download “NetFlow
Security Monitoring for
Dummies”
http://www.lancope.com/netflow-
for-dummies/
© 2012 Lancope, Inc. All rights reserved.19
Please email sales@lancope.com or