
The Lazy Attacker: Defending Against Broad-based Cyber Attacks

Advanced Persistent Attacks (APTs) get most of the attention from the cyber security community because, as defenders, we want to be vigilant against the most insidious techniques. However, this unilateral mindset ignores a much less interesting reality.

Published in: Technology
Slide notes
  • Which of the following are you most concerned about?
    - APTs
    - Broad-based attacks
    - Insider threats
    - Failed audits
  • Automated Correlation is a critical success factor for defending against broad-based attacks. With AlienVault’s Unified Security Management, we combine all of the essential security you need in a single platform, and give you a way to evaluate, respond and manage it all. This includes:
    - Asset Discovery – in terms of active and passive network scanning, building dynamic asset inventories that include detailed information about the software that lives on each host.
    - Vulnerability Assessment – you can schedule scans across your network – again both active and passive probing – to identify and remediate application and system vulnerabilities.
    - Threat Detection – network IDS, host-based IDS, wireless IDS, and file integrity monitoring give you the ability to detect known threats, whether it’s a rogue insider accessing unauthorized data on a database server or someone trying to access your wireless network.
    - Behavioral Monitoring will give you the coverage you need for unknown threats – typically exemplified by strange or anomalous network or system behavior – this includes netflow analysis, service availability and of course log collection and analysis for in-depth forensic investigations.
    - Finally, aggregation, correlation and analysis of this information provides the security intelligence you need in order to manage threats and maintain and demonstrate compliance.
  • Based on today’s discussion, which of the following do you think is easiest for your organization to implement?
    - Reputation data monitoring (file-based, web, email, etc.)
    - SIEM / event correlation
    - Log management
    - I have already done all of the above
  • The Lazy Attacker: Defending Against Broad-based Cyber Attacks

    1. Defending Against Broad-Based Cyber Attacks with Unified & Collaborative Defenses
       THE LAZY ATTACKER: A CONVERSATION WITH JAIME BLASCO, DIRECTOR OF ALIENVAULT LABS
       JUNE 2013
    2. Meet today’s presenters (INTRODUCTIONS)
       Sandy Hawke, CISSP (Moderator), VP, Product Marketing, @sandybeachSF
       Jaime Blasco (Presenter), Director of Research, AlienVault Labs, @jaimeblascob
    3. WHO ARE THESE PEOPLE AND WHAT ARE THEY DOING? WHAT DO WE MEAN BY A “LAZY” ATTACKER?
    4. Meet the “Lazy Attacker”
       Not all of the attacks need to be “advanced” / APTs to be successful. In fact, most aren’t.
       “Lazy” in terms of a recycled attack platform:
       • Same type of attacks against a wide surface area
       • Same toolset (exploits and malware)
       • Same set of source IP addresses
       Image source: http://www.heromachine.com/2009/07/04/random-panel-next-week-on-lazy-criminal-minds/
    5. What are the differences between attack types? Broad-based attacks VS. APTs
       Image sources: http://imgur.com/r/pics/r20GpFI; http://www.guardian.co.uk/commentisfree/2013/mar/17/dont-judge-me-i-love-sniping-games
    6. Broad-based Attacks vs. APTs

       | | Broad-based Attacks | Advanced Persistent Threats |
       |---|---|---|
       | Attacker Profile | Opportunistic; uses the tactics of “script kiddies” but not always a “script kiddie” | Nation-state actors; organized criminal actors; corporate espionage actors |
       | Attacker Technique | Non-stealthy; easy to identify | Stealthy; difficult to detect |
       | Attack Surface Area | Broad and dispersed | Targeted and precise |
       | Attack Tools | Commonly used and old exploits; automated reconnaissance & probing | Zero-day exploits; “manual” social engineering vs. automated probes/scans |
    7. Broad-based Attacks: Some Examples
       Malvertising; drive-by-downloads
       • How it works: Websites and advertising networks are infected with malware; unsuspecting visitors get infected
       • How to avoid it: URLQuery Chrome Extension plug-in*; browser patch updates
       Botnets
       • How they work: Bots are installed onto unsuspecting users’ devices and then remotely controlled by attackers to execute more attacks, steal data, etc.
       • How to avoid them: Keep devices patched, install endpoint security protection; implement egress filtering, threat detection and network monitoring to identify/block connections to CnC servers.
       Phishing (vs. Spear-phishing)
       • How it works: Emails sent to victims to lure them to infected websites to steal credentials, data, etc.
       • How to avoid it: User education; IP/domain reputation data
       *For more info: http://labs.alienvault.com/labs/index.php/2013/urlquery-chrome-extension/
    8. Lazy Attacker: Tools of the Trade
       • Black Hole
       • Sakura
       • Phoenix
       • RedKit
       • Sweet Orange
    9. POLLING QUESTION
    10. HOW TO DEFEND AGAINST THESE ATTACKS: Collaboration, Correlation, Context and Simplified Security
    11. Use the Power of Collaboration: Shared Threat Intelligence
        The “lazy attacker” is using (and reusing) the same exploits against others (and you).
        Sharing (and receiving) collaborative threat intelligence makes us all more secure.
        Using this data, identify, flag and block known attackers by source IP addresses.
    12. AlienVault Open Threat Exchange (OTX)
        • 8,000+ contributors
        • 120+ countries
        • 17M URLs analyzed
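The defensive use of shared indicators that slides 7 and 11 describe (egress filtering, blocking known CnC destinations, flagging known attacker source addresses and bad domains from reputation data) can be shown in a few dozen lines. The following is an added example written for this page, not code from AlienVault or the OTX platform; the indicator list, the key=value log format and every address and host name in it are constructed placeholders, and the egress port allowlist is an assumed local policy.

```python
"""
Added example (not from the AlienVault deck): apply a shared indicator list to
firewall/proxy logs to flag known-bad source and destination addresses and
unexpected egress, as slides 7 and 11 recommend. Indicators, addresses and log
lines below are constructed for the example and are not real OTX data.
"""
import ipaddress
import re
from typing import Optional

# Constructed shared indicators: value -> (type, description). Placeholder values only.
SHARED_INDICATORS = {
    "198.51.100.23": ("ip", "CnC server (constructed)"),
    "203.0.113.0/24": ("cidr", "hosting range serving exploit-kit landing pages (constructed)"),
    "bad-ads.example": ("domain", "malvertising redirector (constructed)"),
}

# Assumed egress policy: web ports only; anything else outbound deserves a look.
ALLOWED_EGRESS_PORTS = {80, 443}

# Constructed firewall/proxy log lines in a simple key=value format.
SAMPLE_LOGS = """\
ts=2013-06-10T09:14:02Z dir=out src=10.0.0.15 dst=198.51.100.23 dport=443 host=-
ts=2013-06-10T09:14:05Z dir=out src=10.0.0.15 dst=93.184.216.34 dport=80 host=www.example.com
ts=2013-06-10T09:15:11Z dir=out src=10.0.0.22 dst=203.0.113.77 dport=8080 host=cdn.bad-ads.example
ts=2013-06-10T09:16:40Z dir=out src=10.0.0.31 dst=192.0.2.9 dport=6667 host=-
ts=2013-06-10T09:18:03Z dir=in src=198.51.100.23 dst=10.0.0.5 dport=22 host=-
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict."""
    return dict(_KV.findall(line))


def match_ip(ip: str) -> Optional[str]:
    """Return the indicator (exact IP or CIDR) covering this address, or None."""
    addr = ipaddress.ip_address(ip)
    for ind, (kind, _) in SHARED_INDICATORS.items():
        if kind == "ip" and addr == ipaddress.ip_address(ind):
            return ind
        if kind == "cidr" and addr in ipaddress.ip_network(ind):
            return ind
    return None


def match_domain(host: str) -> Optional[str]:
    """Return the domain indicator matching this host (exactly or as a parent domain), or None."""
    if host in ("", "-"):
        return None
    host = host.lower().rstrip(".")
    for ind, (kind, _) in SHARED_INDICATORS.items():
        if kind == "domain" and (host == ind or host.endswith("." + ind)):
            return ind
    return None


def analyze(log_text: str) -> list:
    """One finding per suspicious line: 'block' on an indicator hit, 'review' on odd egress."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons, hits = [], []
        for field in ("src", "dst"):          # known attacker (src) or known CnC/landing page (dst)
            ind = match_ip(ev[field])
            if ind:
                hits.append(ind)
                reasons.append(f"{field} {ev[field]} hits {ind}: {SHARED_INDICATORS[ind][1]}")
        ind = match_domain(ev.get("host", "-"))
        if ind:
            hits.append(ind)
            reasons.append(f"host {ev['host']} hits {ind}: {SHARED_INDICATORS[ind][1]}")
        action = "block" if reasons else None
        if ev.get("dir") == "out" and int(ev["dport"]) not in ALLOWED_EGRESS_PORTS:
            reasons.append(f"egress to port {ev['dport']} outside allowlist")
            action = action or "review"
        if reasons:
            findings.append({"ts": ev["ts"], "src": ev["src"], "dst": ev["dst"],
                             "action": action, "indicators": hits, "reasons": reasons})
    return findings


def indicator_hits(findings: list) -> list:
    """Sorted list of shared indicators that fired, e.g. to feed sightings back to the community."""
    return sorted({ind for f in findings for ind in f["indicators"]})


if __name__ == "__main__":
    results = analyze(SAMPLE_LOGS)
    for f in results:
        print(f["ts"], f["action"].upper(), f["src"], "->", f["dst"])
        for r in f["reasons"]:
            print("   ", r)
    print("indicators that fired:", indicator_hits(results))
```

Three of the five constructed lines end up blocked on an indicator hit (one of them an inbound connection from a listed attacker address), one is queued for review only because it leaves on a non-web port, and the clean web request produces nothing; the list of indicators that fired is the sighting data a contributor would share back.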
    13. Use the Power of Automated Correlation: USM
        Asset Discovery
        • Active Network Scanning
        • Passive Network Scanning
        • Asset Inventory
        • Host-based Software Inventory
        Vulnerability Assessment
        • Network Vulnerability Testing
        Threat Detection
        • Network IDS
        • Host IDS
        • Wireless IDS
        • File Integrity Monitoring
        Behavioral Monitoring
        • Log Collection
        • Netflow Analysis
        • Service Availability Monitoring
        Security Intelligence
        • SIEM Correlation
        • Incident Response
    14. The Need for Context… Which alert do I need to worry about?
        • Adware-HotBar.f!886F6F2A1226
        • FILE-PDF PDF with large embedded JavaScript - JS string attempt
        • FILE-IDENTIFY Microsoft Office Access file magic detected
    15. Use the Power of Simplified Security: AlienVault Intuitive Alarm Taxonomy (4.3 “preview”)

        | Alarm Type | Description | Examples |
        |---|---|---|
        | Reconnaissance & Probing | Behavior indicating an actor attempting to discover information about the organization | Port scans; social engineering |
        | Delivery & Attack | Behavior indicating an attempted delivery of an exploit | Malicious email attachments; network-based and analysis-based detection of known attacks and attack payloads (e.g. SQL injection) |
        | Exploitation & Installation | Behavior indicating a successful exploit of a vulnerability or backdoor/RAT being installed on a system | RAT installation; bot installation |
        | System Compromise | Behavior indicating a compromised system | Data exfiltration attempts; outbound traffic to CnC host |
        | Informational: Environmental Awareness | Observed behavior and status about the environment being monitored | Information about running services; user activity and behavior |

        • FILE-IDENTIFY Microsoft Office Access file magic detected
        • Adware-HotBar.f!886F6F2A1226
        • FILE-PDF PDF with large embedded JavaScript - JS string attempt
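Slides 13 to 15 make one argument: a raw alert only becomes an alarm worth an analyst's time once it is placed in a taxonomy stage and joined with what asset discovery and vulnerability assessment know about the host. The example below is added for this page and is not AlienVault or USM code; it reuses the three signature names from slide 14 as sample events, and everything else (the regex classifier, the host inventory, the vulnerability id VULN-CONSTRUCTED-001, the netflow alert text and the scoring thresholds) is a constructed assumption.

```python
"""
Added example, not code from the AlienVault deck: a small correlation pass that
maps raw alerts onto the alarm taxonomy stages of slide 15 and scores each host
with the asset and vulnerability context of slides 13 and 14. Every event, host,
and the vulnerability id VULN-CONSTRUCTED-001 is constructed for this example.
"""
import re

STAGES = [
    "Informational: Environmental Awareness",
    "Reconnaissance & Probing",
    "Delivery & Attack",
    "Exploitation & Installation",
    "System Compromise",
]
RANK = {name: i for i, name in enumerate(STAGES)}
DELIVERY = RANK["Delivery & Attack"]

# Constructed classifier: the first regex that matches a signature name decides
# its stage. Real rules would carry the stage as metadata instead of guessing.
CLASSIFIERS = [
    (r"^FILE-IDENTIFY ", STAGES[0]),
    (r"[Pp]ort scan|^SCAN ", STAGES[1]),
    (r"^FILE-PDF .*JavaScript|SQL injection", STAGES[2]),
    (r"^Adware-|\bRAT\b|[Bb]ot installation|^Trojan", STAGES[3]),
    (r"\bCnC\b|[Ee]xfiltration", STAGES[4]),
]

# Constructed asset inventory with vulnerability assessment results per host.
ASSETS = {
    "10.0.0.15": {"os": "Windows 7", "vulns": {"VULN-CONSTRUCTED-001"}},
    "10.0.0.22": {"os": "Windows 7", "vulns": set()},
    "10.0.0.31": {"os": "Windows XP", "vulns": set()},
    "10.0.0.40": {"os": "Linux", "vulns": set()},
}

# Constructed event stream (signature names from slide 14 reused as samples).
# "exploits" names the vulnerability a delivery rule is known to target.
EVENTS = [
    {"ts": "2013-06-10T09:14:02Z", "host": "10.0.0.22",
     "sig": "FILE-IDENTIFY Microsoft Office Access file magic detected"},
    {"ts": "2013-06-10T09:14:30Z", "host": "10.0.0.15", "exploits": "VULN-CONSTRUCTED-001",
     "sig": "FILE-PDF PDF with large embedded JavaScript - JS string attempt"},
    {"ts": "2013-06-10T09:14:31Z", "host": "10.0.0.40", "exploits": "VULN-CONSTRUCTED-001",
     "sig": "FILE-PDF PDF with large embedded JavaScript - JS string attempt"},
    {"ts": "2013-06-10T09:15:05Z", "host": "10.0.0.31",
     "sig": "Adware-HotBar.f!886F6F2A1226"},
    {"ts": "2013-06-10T09:21:40Z", "host": "10.0.0.15",
     "sig": "Outbound traffic to CnC host 198.51.100.23 (constructed netflow alert)"},
]


def classify(signature):
    """Map a signature name to a taxonomy stage, or None if no rule matches."""
    for pattern, stage in CLASSIFIERS:
        if re.search(pattern, signature):
            return stage
    return None


def priority(score):
    """Assumed thresholds: 6+ high, 3+ medium, 1+ low, 0 informational."""
    return "high" if score >= 6 else "medium" if score >= 3 else "low" if score >= 1 else "info"


def correlate(events, assets):
    """Score each host: highest stage reached, +2 if a delivered exploit matches a
    vulnerability the scanner found on that host, +2 if stages progress over time."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    results = {}
    for host, evs in by_host.items():
        vulns = assets.get(host, {}).get("vulns", set())   # unknown host: no context
        seen_max, reasons, vuln_match, chain = -1, [], False, False
        for ev in evs:
            stage = classify(ev["sig"])
            if stage is None:
                reasons.append(f"unclassified: {ev['sig']}")
                continue
            rank = RANK[stage]
            if seen_max >= DELIVERY and rank > seen_max:
                chain = True            # a later stage followed an earlier one in time
            seen_max = max(seen_max, rank)
            reasons.append(f"{stage}: {ev['sig']}")
            if ev.get("exploits") in vulns:
                vuln_match = True
                reasons.append(f"context: host has {ev['exploits']} per vulnerability assessment")
        score = max(seen_max, 0) + (2 if vuln_match else 0) + (2 if chain else 0)
        results[host] = {"stage": STAGES[seen_max] if seen_max >= 0 else None,
                         "score": score, "priority": priority(score), "reasons": reasons}
    return results


def ranked(results):
    """Hosts ordered by score, highest first: the analyst's worklist."""
    return sorted(results.items(), key=lambda kv: -kv[1]["score"])


if __name__ == "__main__":
    for host, r in ranked(correlate(EVENTS, ASSETS)):
        print(f"{host:12} {r['priority']:6} score={r['score']} stage={r['stage']}")
        for reason in r["reasons"]:
            print("    ", reason)
```

The point of the run is that the same FILE-PDF signature lands as high priority on one host and low on another: on 10.0.0.15 the scanner had already reported the vulnerability the rule targets and netflow later saw the host talk to a CnC address, so the chain escalates to System Compromise, while on 10.0.0.40 nothing in the asset context supports the alert. The FILE-IDENTIFY event stays informational, which is the answer to slide 14's question.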
    16. AlienVault Threat Intelligence: Stay Ahead of Basic & Advanced Attacks
        • Network and host-based IDS signatures – detects the latest threats in your environment
        • Asset discovery signatures – identifies the latest OS’es, applications, and device types
        • Vulnerability assessment signatures – dual database coverage to find the latest vulnerabilities on all your systems
        • Correlation rules – translates raw events into actionable remediation tasks
        • Reporting modules – provides new ways of viewing data about your environment
        • Dynamic incident response templates – delivers customized guidance on how to respond to each alert
        • Newly supported data source plug-ins – expands your monitoring footprint
    17. POLLING QUESTION
    18. SUMMARY
    19. AlienVault: Unified and collaborative security
        AlienVault Open Threat Exchange (OTX) helps you: Know who the attackers are
        • Based on a diverse set of global threat data
        AlienVault Labs Threat Intelligence: Tells you what to do, when and how
        • Based on a rich set of security research, best practices, and guidance
        AlienVault USM provides the foundation to: Leverage this intelligence to prioritize incident response efforts
        • Plus… it’s easy to deploy and manage over time
        AlienVault Community serves and supports: Experienced and aspiring cyber security professionals around the world
        Shared intelligence makes us all more secure
    20. Next Steps / Q&A
        Request an AlienVault USM demo at: www.alienvault.com/schedule-demo.html
        Request a free trial of AlienVault USM: http://www.alienvault.com/free-trial
        Not quite ready for all that? Test drive our open source project - OSSIM here: communities.alienvault.com/
        Need more info to get started? Try our knowledge base here: alienvault.bloomfire.com
        These resources are also in the Attachments section
        Join the conversation! @AlienVault #AlienIntel
    21. #AlienIntel @AlienVault
