The Lazy Attacker: Defending Against Broad-based Cyber Attacks

Advanced Persistent Attacks (APTs) get most of the attention from the cyber security community because, as defenders, we want to be vigilant against the most insidious techniques. However, this unilateral mindset ignores a much less interesting reality.

  • Which of the following are you most concerned about? Options: APTs; broad-based attacks; insider threats; failed audits.
  • Automated correlation is a critical success factor for defending against broad-based attacks. With AlienVault’s Unified Security Management, we combine all of the essential security you need in a single platform, and give you a way to evaluate, respond and manage it all. This includes:
    Asset Discovery: active and passive network scanning, building dynamic asset inventories that include detailed information about the software that lives on each host.
    Vulnerability Assessment: you can schedule scans across your network (again, both active and passive probing) to identify and remediate application and system vulnerabilities.
    Threat Detection: network IDS, host-based IDS, wireless IDS and file integrity monitoring give you the ability to detect known threats, whether it’s a rogue insider accessing unauthorized data on a database server or someone trying to access your wireless network.
    Behavioral Monitoring: gives you the coverage you need for unknown threats, typically exemplified by strange or anomalous network or system behavior. This includes netflow analysis, service availability and, of course, log collection and analysis for in-depth forensic investigations.
    Finally, aggregation, correlation and analysis of this information provides the security intelligence you need in order to manage threats and maintain and demonstrate compliance.
  • Based on today’s discussion, which of the following do you think is easiest for your organization to implement? Options: reputation data monitoring (file-based, web, email, etc.); SIEM / event correlation; log management; I have already done all of the above.


  • 1. Defending Against Broad-Based Cyber Attacks with Unified & Collaborative Defenses
    THE LAZY ATTACKER: A CONVERSATION WITH JAIME BLASCO, DIRECTOR OF ALIENVAULT LABS
    JUNE 2013
  • 2. Introductions: Meet today’s presenters
    Sandy Hawke, CISSP (Moderator), VP, Product Marketing, @sandybeachSF
    Jaime Blasco (Presenter), Director of Research, AlienVault Labs, @jaimeblascob
  • 4. Meet the “Lazy Attacker”
    Image source:
    Not all of the attacks need to be “advanced” / APTs to be successful. In fact, most aren’t.
    “Lazy” in terms of a recycled attack platform:
    Same type of attacks against a wide surface area
    Same toolset (exploits and malware)
    Same set of source IP addresses
  • 5. What are the differences between attack types?
    Image source:
    Image source:
    Broad-based attacks vs. APTs
  • 6. Broad-based Attacks vs. APTs
    Attacker Profile
      Broad-based: Opportunistic; uses the tactics of “script kiddies” but not always a “script kiddie”
      APTs: Nation-state actors; organized criminal actors; corporate espionage actors
    Attacker Technique
      Broad-based: Non-stealthy; easy to identify
      APTs: Stealthy; difficult to detect
    Attack Surface Area
      Broad-based: Broad and dispersed
      APTs: Targeted and precise
    Attack Tools
      Broad-based: Commonly used and old exploits; automated reconnaissance & probing
      APTs: Zero-day exploits; “manual” social engineering vs. automated probes/scans
  • 7. Broad-based Attacks: Some Examples
    Malvertising; drive-by downloads
      How it works: Websites and advertising networks are infected with malware; unsuspecting visitors get infected.
      How to avoid it: URLQuery Chrome Extension plug-in*; browser patch updates.
    Botnets
      How they work: Bots are installed onto unsuspecting users’ devices and then remotely controlled by attackers to execute more attacks, steal data, etc.
      How to avoid them: Keep devices patched; install endpoint security protection; implement egress filtering, threat detection and network monitoring to identify/block connections to CnC servers.
    Phishing (vs. spear-phishing)
      How it works: Emails sent to victims to lure them to infected websites to steal credentials, data, etc.
      How to avoid it: User education; IP/domain reputation data.
    *For more info:
  • 8. Lazy Attacker: Tools of the Trade
    Black Hole
    Sakura
    Phoenix
    RedKit
    Sweet Orange
  • 10. HOW TO DEFEND AGAINST THESE ATTACKS
    Collaboration, Correlation, Context and Simplified Security
  • 11. Use the Power of Collaboration: Shared Threat Intelligence
    The “lazy attacker” is using (and reusing) the same exploits against others (and you).
    Sharing (and receiving) collaborative threat intelligence makes us all more secure.
    Using this data, identify, flag and block known attackers by source IP addresses.
  • 12. AlienVault Open Threat Exchange (OTX)
    8,000+ contributors
    120+ countries
    17M URLs analyzed
  • 13. Use the Power of Automated Correlation: USM
    Asset Discovery: active network scanning; passive network scanning; asset inventory; host-based software inventory
    Vulnerability Assessment: network vulnerability testing
    Threat Detection: network IDS; host IDS; wireless IDS; file integrity monitoring
    Behavioral Monitoring: log collection; netflow analysis; service availability monitoring
    Security Intelligence: SIEM correlation; incident response
  • 14. The Need for Context… Which alert do I need to worry about?
    Adware-HotBar.f!886F6F2A1226
    FILE-PDF PDF with large embedded JavaScript - JS string attempt
    FILE-IDENTIFY Microsoft Office Access file magic detected
  • 15. Use the Power of Simplified Security: AlienVault Intuitive Alarm Taxonomy (4.3 “preview”)
    Reconnaissance & Probing
      Description: Behavior indicating an actor attempting to discover information about the organization
      Examples: port scans; social engineering
    Delivery & Attack
      Description: Behavior indicating an attempted delivery of an exploit
      Examples: malicious email attachments; network-based and analysis-based detection of known attacks and attack payloads (e.g. SQL injection)
    Exploitation & Installation
      Description: Behavior indicating a successful exploit of a vulnerability or a backdoor/RAT being installed on a system
      Examples: RAT installation; bot installation
    System Compromise
      Description: Behavior indicating a compromised system
      Examples: data exfiltration attempts; outbound traffic to CnC host
    Informational: Environmental Awareness
      Description: Observed behavior and status about the environment being monitored
      Examples: information about running services; user activity and behavior
    Alerts revisited from slide 14: FILE-IDENTIFY Microsoft Office Access file magic detected; Adware-HotBar.f!886F6F2A1226; FILE-PDF PDF with large embedded JavaScript - JS string attempt
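As an added example (not code from the deck or from AlienVault’s products), the context argument of slides 11, 14 and 15 in a few lines of Python: each alert is placed in a taxonomy category, and its source address is checked against a shared reputation list, so that the same alert is ranked differently depending on who sent it. The keyword rules, the reputation networks and the sample events are constructed for illustration only.

```python
import ipaddress
from dataclasses import dataclass

# Alarm taxonomy from the deck, ordered from least to most severe.
TAXONOMY = ["Informational", "Reconnaissance & Probing", "Delivery & Attack",
            "Exploitation & Installation", "System Compromise"]

# Constructed keyword rules (signature text -> category); a real product
# ships curated mappings, these only illustrate the classification step.
RULES = [
    ("cnc", "System Compromise"), ("exfil", "System Compromise"),
    ("install", "Exploitation & Installation"),
    ("pdf", "Delivery & Attack"), ("attachment", "Delivery & Attack"),
    ("sql injection", "Delivery & Attack"),
    ("scan", "Reconnaissance & Probing"),
]

# Constructed stand-in for a shared reputation feed of attacker source ranges.
KNOWN_BAD = [ipaddress.ip_network("198.51.100.0/24"),
             ipaddress.ip_network("203.0.113.7/32")]
REPUTATION_BONUS = 3  # lifts a reputation hit above any unattributed category

@dataclass
class Event:
    src: str
    signature: str

def classify(signature: str) -> str:
    """First matching keyword rule wins; anything else is Informational."""
    s = signature.lower()
    for needle, category in RULES:
        if needle in s:
            return category
    return "Informational"

def in_reputation_list(src: str) -> bool:
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in KNOWN_BAD)

def prioritize(events):
    """Return (score, category, event) tuples, highest score first.
    Score = taxonomy rank, plus REPUTATION_BONUS when the source is known bad."""
    ranked = []
    for ev in events:
        cat = classify(ev.signature)
        score = TAXONOMY.index(cat) + (REPUTATION_BONUS if in_reputation_list(ev.src) else 0)
        ranked.append((score, cat, ev))
    return sorted(ranked, key=lambda t: t[0], reverse=True)

SAMPLE = [  # constructed events reusing the three alert names from slide 14
    Event("192.0.2.10", "Adware-HotBar.f!886F6F2A1226"),
    Event("192.0.2.44", "FILE-PDF PDF with large embedded JavaScript - JS string attempt"),
    Event("198.51.100.23", "FILE-IDENTIFY Microsoft Office Access file magic detected"),
]
```

Run against SAMPLE, the otherwise Informational file-magic alert from a reputation-listed source ranks first, the PDF delivery alert second and the adware alert last.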
  • 16. AlienVault Threat Intelligence: Stay Ahead of Basic & Advanced Attacks
    Network and host-based IDS signatures: detect the latest threats in your environment
    Asset discovery signatures: identify the latest OSes, applications and device types
    Vulnerability assessment signatures: dual database coverage to find the latest vulnerabilities on all your systems
    Correlation rules: translate raw events into actionable remediation tasks
    Reporting modules: provide new ways of viewing data about your environment
    Dynamic incident response templates: deliver customized guidance on how to respond to each alert
    Newly supported data source plug-ins: expand your monitoring footprint
  • 18. SUMMARY
  • 19. AlienVault: Unified and collaborative security
    AlienVault Open Threat Exchange (OTX) helps you know who the attackers are, based on a diverse set of global threat data.
    AlienVault Labs Threat Intelligence tells you what to do, when and how, based on a rich set of security research, best practices and guidance.
    AlienVault USM provides the foundation to leverage this intelligence to prioritize incident response efforts. Plus… it’s easy to deploy and manage over time.
    AlienVault Community serves and supports experienced and aspiring cyber security professionals around the world.
    Shared intelligence makes us all more secure.
  • 20. Next Steps / Q&A
    Request an AlienVault USM demo:
    Free trial of AlienVault USM:
    Not quite ready for all that? Test drive our open source project, OSSIM:
    Need more info to get started? Try our knowledge base here: alienvault.bloomfire.com
    These resources are also in the Attachments section.
    Join the conversation! @AlienVault #AlienIntel
  • 21. #AlienIntel @AlienVault