Insights on IT risk: Countering cyber attacks
1. Insights on IT risk, March 2011: Countering cyber attacks
2. Summary

Although companies worldwide have been dealing with opportunistic cyber attacks for years, many now find themselves the target of the advanced persistent threat (APT), which is characterized by more sophisticated and concentrated efforts. APT attacks are focused on a single target, lasting until the attackers are in, and are meant to collect information over a long period of time. They leave few signs of their success, since the attackers want to stay hidden for as long as possible in order to acquire large amounts of sensitive information. The information targeted is specific. Attackers are not looking to just grab anything they come across — the target is an organization’s valuable intellectual property.

No single technology or process will stop the APT, and traditional security methods are proving to be ineffective against these threats. While many organizations are vulnerable to attack because they have under-invested in security in the past, simply shoring up existing and conventional defenses is not enough; new approaches and increased vigilance are required. Protecting against these types of threats requires several layers of defense, knowledge of the threat, and advanced skills to detect and react to ongoing and successful attacks.

• Recent high-profile attacks have gained the attention of many executives of large, global companies.
• These attacks are sophisticated and targeted against specific companies, and often target specific employees to gain entry.
• The goal is unnoticed infiltration with a long-term presence to steal as much information as possible.
• Countering these attacks is complex and must involve prevention, detection and response.
• We are not aware of any organizations that have successfully stopped these threats. Smart organizations focus on effective detection and fast response.
• It takes time to develop a mature program.
• The threat landscape is changing, risks are increasing and companies need to change their mind-set and approach toward information security (i.e., establish a “new normal”).

Insights on IT risk | March 2011 1
3. The evolving threat landscape

Despite its roots as a collaboration between defense and research, the early internet was a place where users trusted each other. Bad behavior was generally more mischief than attack, and it typically was motivated by challenge or glory. But as the internet grew, it eventually came to resemble the real world, containing friends and business associates, playgrounds and workplaces, and good guys and bad guys.

Today’s internet serves as critical infrastructure for both government and commerce, and it has attracted a new class of attacker. State-sponsored entities are now targeting specific organizations, as opposed to the more opportunistic attacks that we’ve seen in the past. If one attack fails, another one will be tried — again and again. This persistent nature makes these groups more dangerous and defenses against them more important than ever.

Recent high-profile attacks against several enterprises have been a wake-up call for organizations and information security professionals alike in recognizing this new level of threat.

Threat — target landscape (figure: risk on the vertical axis rises with the resources and sophistication of attacks on the horizontal axis)

• “Hobbyists” — unsophisticated attackers; targets are anyone with a vulnerability
  ► Fun
  ► Challenge
• Organized crime — increasing sophistication and organization; criminally motivated
  ► Criminal intent
  ► More coordinated attacks
  ► Financially motivated (e.g., theft of credit card numbers for use or sale)
• Corporate espionage
  ► Economically motivated
  ► Theft of intellectual property
• Advanced persistent threat (APT)
  ► Long-term pattern of targeted, sophisticated attacks aimed at governments, companies and political activists
  ► Politically and economically motivated
  ► Well-funded, sophisticated resources
4. The evolving threat landscape (continued)

Two main types of threats have established themselves: the opportunistic threat and the continuous and orchestrated APT. While the results may be similar — infiltration, unauthorized access and theft — the motivation behind each is entirely different.

Opportunistic threats: Opportunistic threats may be motivated financially, or simply by a desire for vandalism, but they strike at the softest targets available. Often initiated by simple vulnerability scanning, access to stolen passwords or discovery of misconfigured applications, the attacks are usually indiscriminate and strike once and move on. Denial of service attacks, web defacement and even the theft of financial information are types of opportunistic threats.

Advanced persistent threat: The APT collects information from a specific group of organizations. The population of target victims has clearly grown over the last several years, and the attackers will use any means possible to exploit the target. The APT is characterized by substantial reconnaissance to identify individuals within the organization, long periods of persistence (measured in years) and a desire to remain undetected for as long as possible.

Who is a target?

Originally, the APT targeted military and government entities before moving to softer targets that had military or intelligence value — namely western defense contractors. More recently, the APT has expanded to a new set of targets, including manufacturing, financial, energy and high-tech engineering companies. We have assisted numerous APT victims that are not defense contractors, but produce technology with an economic value — particularly to developing nations. The APT targets any company with useful intellectual property.

Target industries and motivation:

• Government contractors
  – Theft of intellectual property (e.g., equipment test data)
  – Theft of government classified information
• Technology providers
  – Theft of intellectual property to bring competing products to market with less R&D time and investment
  – Theft of corporate secrets to gain competitive advantage in negotiating contract and buying terms
• Manufacturing
  – Theft of intellectual property to bring competing products to market with less R&D time and investment
  – Theft of corporate secrets to gain competitive advantage in negotiating contract and buying terms

Any organization with intellectual property that would be useful in a growing economy is a potential target of the APT.
5. Countering the evolving threat landscape

Drive security strategy based on the “new normal”

Given the continuous and persistent threat posed by the new wave of attack channels and malicious actors, now is the time for businesses to establish a “new normal,” i.e., instill a new mind-set and approach into driving the organization’s security strategy.

Traditional approach: Response to security incidents limited to the “how?” (“How did the attacker get into the network?”)
The new normal:
• Organizations must answer the questions “what?” and “why?”. Start with a threat-centric analysis by understanding the attacker, and therefore identifying what data the attacker wants to collect.
• Start by focusing your protection, detection and response efforts around this highest-risk data.

Traditional approach: Assumption that the corporate infrastructure is secure until evidence is presented to prove otherwise
The new normal:
• It should be assumed that there are pockets of the corporate infrastructure that have already been infiltrated.
• This shift in mind-set will drive an intelligence-based approach that is necessary to build a solid strategy to identify and combat the continuous threat of the new wave of malicious actors.
• Develop detection mechanisms that go beyond AV (antivirus) and IDS (intrusion detection systems), and proactively seek evidence of compromise.

Traditional approach: Outcome of projects in the security portfolio is based on the procurement and deployment of security tools
The new normal:
• Well-trained, expert incident detection and response staff provide a defense against today’s complex threats. Ongoing security efforts must continuously incorporate actionable intelligence from the threat team to engineer and fine-tune automation achieved by assessment and identification tools.
• Projects in the security portfolio must be justifiable based on results presented by the threat team.

Traditional approach: “Red Team” is another term for the capability to counter routine attack and penetration
The new normal:
• Red Teams add new value when used to validate existing detection and response mechanisms. When conducted regularly, they can serve as a gauge for effectiveness and a way to measure improvement.
• The scope of Red Team activities should go beyond technical assets to include the protection of high-risk personnel and executives.
• Red Team efforts must not be hindered by corporate bureaucracy. Executive leadership should grant Red Team activities greater autonomy to investigate, assess and respond to critical events and suspicious activity.

Traditional approach: Emerging attack vectors are an academic endeavor
The new normal: The tactics used by the more sophisticated attackers are increasingly geared toward channels that bypass perimeter controls. These tactics are no longer an academic projection of the future but a current reality. As such, the following should be included in the portfolio of security projects:
• Hardening of web browser, laptop and mobile device configurations, especially for high-risk personnel, including executives.
• Further enhancement of application security assessment and developer training efforts, incorporating emerging attack vectors that aim to create channels to bypass perimeter controls.
• A solid approach to security controls and monitoring of cloud applications and services.
6. Countering the evolving threat landscape (continued)

Figure: degree of response matched to threat level. Countermeasures are grouped into three tiers; each tier builds on the one below it.

Basic (lowest threat level):
• Network instrumentation
• Build incident response capability

Intermediate:
• Proprietary email scanning
• Sensitive data/networks segregated
• Proxy authentication
• Constant phishing simulation
• Improved access control
• Refocused patching and configuration management efforts
• Searchable event repository

Advanced (highest threat level):
• Disconnection from internet
• Sensitive data “airgapped”
• Counterintelligence operation
• Outbound gateway consolidation
• PC virtualization

The new normal
• Organizations should strive to identify why particular elements of the business are of interest to the enemy.
• It should be assumed that there are pockets of the corporate infrastructure that have already been infiltrated.
• Red Team efforts must not be hindered by corporate bureaucracy. Executive leadership should grant Red Team activities greater autonomy to investigate, assess and respond to critical events and suspicious activity.
• The tactics used by the more sophisticated attackers are increasingly geared toward channels that bypass perimeter controls. These tactics are no longer an academic projection of the future, but a current reality.
7. An example of an APT attack

A recent APT attack analyzed by Ernst & Young was executed in two parts: 1. malicious software (malware) download and 2. hidden execution. The malicious code exploited an unknown vulnerability in the Internet Explorer web browser, known as a zero-day exploit. The nefarious aspect of a zero-day exploit is that traditional signature-based antivirus tools are unable to pick up the attack because attackers test their malware against commercial packages. To load the malware, attackers rely on end users clicking on a hyperlink or opening an attachment in which the browser is forced to download the malware. While the company did not detail how the payload was delivered, this part of the attack can be achieved in a number of ways:

• Using specifically crafted emails (phishing or spear-phishing) to entice a recipient to click on a link in the message or open an attachment
• Embedding hyperlinks (URLs) in instant messaging conversations
• Compromising a website and replacing legitimate links with links that now contain the malware
• Spoofing a website either by using a similar name (famous example: … instead of …) or by hacking a victim’s DNS server such that legitimate hyperlinks now point to the attacker’s server
• Compromising a user’s social network credentials (e.g., MySpace, Facebook, LinkedIn), by posting URLs or TinyURLs that encourage friends to go to that link

The number of methods to induce a user to click on a link is limited only by the creativity of the attackers.

Once the malware is in, it can take on different forms and functions. In the example attack, it morphed and split itself into the final version of the malware, maintaining itself in an encrypted form until it needed to be executed. The basic function of the malware in this attack was similar to previous APTs: creation of a backdoor communications channel to the attacker’s home systems over an encrypted channel, retransformation of the malware, duplication, search of the enterprise and remote removal of targeted information.

What should be noticed is that while the payload itself is advanced and extremely sophisticated, the means by which the malware is inserted into the environment is not. Phishing, social engineering, hacking a website and user credential theft were all issues long before the APT appeared.

How does the attack unfold?

Reconnaissance
• How? Recent conference attendees; executive biographies; previously stolen emails.
• Challenge: The APT probably knows which users hold sensitive data better than you do.

Attack
• How? Phishing email; vulnerability scan; removable media; web application.
• Challenge: Although initial attacks are sophisticated, they are not frequently needed.

Run malware
• How? Add new accounts; increase permissions; install back door; exfiltrate SAM file; install scanning tools and scan.
• Challenge: From this point forward, the APT can and will be using legitimate accounts. IDS or AV will be oblivious. Malware can sleep to avoid detection.

Pivot
• How? Use stolen accounts to strengthen foothold; attack newly discovered vulnerable devices.
• Challenge: The APT will lie low and pivot as needed. They will re-establish footholds if they detect their presence is in jeopardy.

Exfiltrate
• How? Log onto target system remotely, using stolen credentials; package data in password-protected archives; exfiltrate data to intermediate servers via company proxies.
• Challenge: Malware is usually not on the target devices. Exfiltration is staged carefully and executed very quickly.
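The Exfiltrate row above gives the defender something concrete to look for at the egress points the later slides say to monitor: one internal host pushing several password-protected archives through the company proxy to one outside server in a short burst. The following detector is an added example (not code from the original Ernst & Young paper); the proxy log format, the constructed sample lines and the thresholds are all assumptions.

```python
"""Burst-upload detector for outbound web proxy logs (added example, not EY code).

Flags a (source host, destination) pair that sends at least `min_uploads`
archive-typed uploads totalling at least `min_bytes` inside one sliding
time window: the "staged carefully and executed very quickly" exfiltration
pattern described in the slide.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed proxy log format, one request per line (constructed sample data):
# <ISO timestamp> <src_ip> <user> <method> <dest_host> <bytes_out> <content_type>
SAMPLE_LOG = """\
2011-03-01T02:10:05 10.1.4.23 jdoe GET intranet.example.local 412 text/html
2011-03-01T02:11:12 10.1.4.23 jdoe POST upload.example.net 18874368 application/zip
2011-03-01T02:11:40 10.1.4.23 jdoe POST upload.example.net 20971520 application/x-rar-compressed
2011-03-01T02:12:03 10.1.4.23 jdoe POST upload.example.net 19922944 application/zip
2011-03-01T02:12:30 10.1.4.23 jdoe PUT upload.example.net 16777216 application/x-7z-compressed
2011-03-01T09:15:00 10.1.4.50 asmith POST mail.example.com 2097152 multipart/form-data
2011-03-01T09:20:00 10.1.4.50 asmith POST mail.example.com 1048576 application/zip
"""

ARCHIVE_TYPES = {"application/zip", "application/x-rar-compressed",
                 "application/x-7z-compressed", "application/x-tar", "application/gzip"}
UPLOAD_METHODS = {"POST", "PUT"}


def parse_log(text):
    """Parse the assumed format into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, user, method, dest, nbytes, ctype = parts
        try:
            events.append({"ts": datetime.fromisoformat(ts), "src": src, "user": user,
                           "method": method, "dest": dest, "bytes": int(nbytes), "ctype": ctype})
        except ValueError:
            continue
    return events


def find_staged_exfil(events, window=timedelta(minutes=10), min_uploads=3, min_bytes=50 * 2**20):
    """Return one alert per (src, dest) pair whose archive uploads form a burst."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["method"] in UPLOAD_METHODS and e["ctype"] in ARCHIVE_TYPES:
            by_pair[(e["src"], e["dest"])].append(e)
    alerts = []
    for (src, dest), ups in by_pair.items():
        start = 0
        for end in range(len(ups)):
            # advance the window start until the span [start, end] fits in `window`
            while ups[end]["ts"] - ups[start]["ts"] > window:
                start += 1
            burst = ups[start:end + 1]
            total = sum(u["bytes"] for u in burst)
            if len(burst) >= min_uploads and total >= min_bytes:
                alerts.append({"src": src, "dest": dest, "user": burst[0]["user"],
                               "uploads": len(burst), "bytes": total,
                               "first": burst[0]["ts"], "last": burst[-1]["ts"]})
                break  # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for a in find_staged_exfil(parse_log(SAMPLE_LOG)):
        print(f"{a['src']} -> {a['dest']} ({a['user']}): {a['uploads']} archive uploads, "
              f"{a['bytes'] / 2**20:.0f} MiB between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Because the rule keys on volume and timing rather than on the malware, it still fires when the upload is done with stolen but legitimate credentials, which is the case the slide says IDS and AV will miss.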
8. Ernst & Young’s incident response services

Ernst & Young has proven experience in handling advanced threats and building incident response capability. We assist clients in building a sustainable in-house capability to plan for, protect against, detect and respond to cybersecurity incidents, and we provide investigation and remediation services in the event of a breach. We offer a proactive APT assessment to evaluate vulnerability to common APT attack vectors and to identify whether an APT or malware attack has occurred.

Figure: the plan, protect, detect, respond cycle.

Plan
• Assess environment
• Identify and remediate gaps
• Develop incident response plan

Protect
• Harden environment
• Improve authentication
• Manage privileged accounts
• Limit unnecessary communication
• Potentially reduce user privileges

Detect
• Network security monitoring program in place — not just IDS
• Key network egress points monitored
• Logs archived and analyzed
• Key host information collected

Respond
• Computer Incident Response Team (CIRT) staffed and trained
• CIRT chartered with authority to drive response
• Response and remediation cycle times are measured

Next steps

Given the continuous and persistent threat posed by the new wave of attack channels and malicious entities, now is the time for businesses to establish a “new normal,” that is, to instill a new mind-set and approach toward the organization’s security strategy. Organizations need to better understand the threats and their potential risks (e.g., are they a likely target for an APT or just an opportunistic threat?). Based on a better understanding of their risks, companies should examine their current security strategy, controls, and maturity of controls to determine their gaps and weaknesses. This may seem like an obvious first step, but recent experience shows that many companies have defined their security programs and required controls based on compliance requirements as opposed to risk. A compliance-driven approach to security may not only increase cost due to repetition of activities, but the core notion of reducing enterprise risk is often absent. Organizations that merely focus on third-party requirements and regulations in lieu of a holistic approach to business risk end up driving compliance, not security.

If you think that you may be the target of an APT, consider the actions you should take. Remember that your security program needs to include elements to protect against these threats, detect an ongoing or successful attack, and be able to effectively respond to the attack. Given the nature of the APT, no one control or countermeasure is likely to be effective; a defense-in-depth strategy is paramount.

Finally, if you are a high-risk organization, take action as if you have been compromised. Given the ability of APT malware to evade normal prevention and detection mechanisms, if you haven’t taken specific measures to protect yourself, you may already be a victim and not know it.
9. Why Ernst & Young?

Ernst & Young is the most globally integrated professional services organization in the world, with more than 141,000 professionals working in 41 countries. World-renowned for our assurance, tax, transaction and business advisory services, Ernst & Young is also a global leader in the field of information technology risk and security.

For more than 20 years, our clients have benefited from an extensive portfolio of professional services in assessment, remediation, design and implementation of effective enterprise security services. Ernst & Young brings together an unparalleled team of highly experienced industry, security, privacy and risk management professionals, to meet the complex needs of some of the most data-intensive organizations in the world. We have developed proven industry leading methods, tools and resources to address our clients’ information risk management challenges and to support the ongoing security, integrity and availability of our client’s information assets and processes.

As a large established professional services organization, Ernst & Young’s name and experience lend weight to each project we undertake: we provide a broad business risk perspective that will enhance a project’s value with your senior management and your audit committee.

Companies choose to work with us because of our intense client focus, and our deep technical and sector-based business knowledge. We have earned a reputation as a leading innovator because we invest heavily in our people, our processes and in our technology capabilities.

Our IT risk and assurance professionals assist clients to use technology to achieve a competitive advantage. They advise on how to make IT more efficient and how to manage the risks associated with running IT operations. They focus on helping clients improve and secure their technology so that it serves the business effectively and enhances results: this includes several focused competency groups, including application controls and security, third-party reporting and IT risk advisory.

Our privacy advisors assist clients with enabling the governance, risk and compliance efforts related to the use of personal information, assessing enterprise privacy risk, leading privacy internal audits and inventorying the use of personal information in business processes, technologies and third parties.

Our Information Security practice offers a wide range of management, assessment and improvement services. Our targeted security services help our clients maintain the appropriate alignment between their security, IT and business strategies, enabling them to maintain their focus on their business needs while addressing their security and risk issues.
10. Contacts

Global
Norman Lonergan, +44 20 7980 0596 (… Services Leader, London)
Paul van Kessel, +31 88 40 71271 (… Risk and Assurance Services Leader, Amsterdam)

Advisory Services
Robert Patton, +1 404 817 5579 (… Leader, Atlanta)
Andrew Embury, +44 20 7951 1802 (…, Middle East, India and Africa Leader, London)
Doug Simpson, +61 2 9248 4923 (… Leader, Sydney)
Naoki Matsumura, +81 3 3503 1100 (… Leader, Tokyo)

IT Risk and Assurance Services
Bernie Wedge, +1 404 817 5120 (… Leader, Atlanta)
Paul van Kessel, +31 88 40 71271 (…, Middle East, India and Africa Leader, Amsterdam)
Troy Kelly, +85 2 2629 3238 (… Leader, Hong Kong)
Giovanni Stagno, +81 3 3503 1100 (… Leader, Chiyoda-ku)
11. Ernst & Young

Assurance | Tax | Transactions | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com

About Ernst & Young’s Advisory Services

The relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 20,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and superior client experience. We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization you require services that respond to your specific issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. It’s how Ernst & Young makes a difference.

© 2011 EYGM Limited. All Rights Reserved.
EYG no. AU0768

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate