darkreading.com, April 2014, Issue 015

STOP TARGETED ATTACKERS
All cyber-attackers aren’t equal. Focus more attention on exploits made just for you.
By Ericka Chickowski
Plus: Handling targeted attacks: Experts speak

CONTENTS

Cover story: Stop Targeted Attackers. The most dangerous attacks aren’t random, so focus on those that are created just for your company.

Dark Dominion: Handling Targeted Attacks: The Experts Speak. Security pros offer tips on preventing targeted threats.

Contacts: Editorial and business contacts.

Previous issue: Secure The Cloud. Cloud security needn’t be an oxymoron. Here’s how to get it right.

Follow us on Twitter and Facebook: @DarkReading, darkreading.com/facebook
DARK DOMINION
Handling Targeted Attacks: Experts Speak
By Tim Wilson, @darkreadingtim

This month’s digital issue on targeted attacks isn’t the first time Dark Reading has looked at this topic. On March 6, in conjunction with our sister publication InformationWeek, we conducted a half-day conference in Boston on targeted attacks featuring the industry’s best-known experts. The following are the key messages from that event.

Get to know your attacker. Most current defenses against targeted attacks focus on analyzing the unique malware used by the attackers. But there is a growing base of vendors that offers threat intelligence services that make it possible for your enterprise not only to identify the malware, but to isolate the methods and identities of the attacking group.

“If you understand your attacker’s methods, you can improve your defenses against those attacks exponentially,” says George Kurtz, CEO and co-founder of CrowdStrike, who keynoted the Boston event.

A targeted attack isn’t necessarily a direct attack. Bad guys are discovering that the best way to gain entry into a targeted network is by compromising the systems of third parties that have access to that network. The huge data breach at the Target retail chain in late 2013 has been traced to a small heating and air conditioning company that worked with Target.

“To build an effective defense, you also need to extend your visibility into your supply chain,” says Kurtz.

A targeted attack isn’t always a new attack. While some high-profile cases of targeted attacks have involved zero-day malware developed specifically for the victim, the majority of these attacks exploit known vulnerabilities.

“Many of these attacks involve years-old vulnerabilities that could have been prevented if the victims had just stayed up to date with their patches,” said JD Sherry, a security researcher from Trend Micro, in a presentation at the Boston event.

Most targeted attacks leave fingerprints. Like conventional criminals, targeted attackers tend to develop a “modus operandi”: a unique set of tools and practices they use over and over again. By identifying this M.O., enterprises can build customized defenses designed to stop these specific attacks. Ninety-nine percent of targeted attacks are manually operated, which gives them an almost human quality that is quite different from mass-produced malware, says Harry Sverdlove, CTO of Bit9.

If you want to frustrate a targeted attacker, raise the cost of his attack. It may not be possible for an enterprise to “hack back” against a cyber-criminal, but you may be able to frustrate the bad guys by repeatedly exposing and interrupting their methods.

“The bad guy has to pull off an entire process without being detected,” says Tim “TK” Keanini, CTO at Lancope. “Interrupting this ‘kill chain’ is the key to making it more difficult to complete the process.”

Tim Wilson is editor of DarkReading.com. Write to him at timothy.wilson@ubm.com.
COVER STORY
Stop Targeted Attackers
All cyber-attackers aren’t equal. Focus more attention on exploits made just for you.
By Ericka Chickowski, @ErickaChick

Not so long ago, the main threats in cyber-security were random: viruses and worms that crawled across the entire Internet, or malware buried in spammy email blasts. Enterprises coped with the problem with protective screens that recognized and blocked these random attacks, as an umbrella keeps off the rain.

Today, the most dangerous attacks are no longer random. They are targeted specifically to steal or damage data from a specific organization, or even from specific systems and people in that organization. The targets aren’t always large companies or government agencies; targeted attacks can be launched against government contractors, media firms, or even small businesses. Targeted attacks are the attack vector of choice for sophisticated cyber-criminals, and against certain exploits, existing enterprise defenses are about as effective as an umbrella against a surprise Super Soaker attack.

Targeted attackers sometimes spend months, even years, scouting their targets. They’ll probe for weaknesses and pinpoint vulnerabilities that can be used in a tailored attack. That first vulnerability may get them the crown jewels right away, but typically, targeted attacks are a multistep process. Attackers start by gaining a foothold in the target’s infrastructure. Once inside, they’ll quietly scope out the network, looking for further points of attack and ways to access specific information.

The recent breach at retailer Target is a prime example of a targeted attack. Attackers were able to gain enough access within the retailer’s network to install malicious software on its point-of-sale (POS) systems to collect the credit and debit card data of millions of customers as the transactions were being made. The initial route into the network was circuitous, according to news reports. Attackers got a foothold in Target’s network through a phishing attack against the company’s heating and air conditioning vendor. From there, the attackers used limited administrative connections from the vendor into Target’s network to worm their way further into the network of systems. The criminals running the attack did enough legwork to learn which vendors Target did business with and found one that would eventually give them the keys to a side door into the Target infrastructure.

This is just one very public example.

“We’re losing this war, to be blunt about it,” says Dan Kaminsky, a noted security researcher and chief scientist for fraud detection firm White Ops. “Five hundred of the Fortune 500 are under targeted attack. It’s a constant cat and mouse game.”

Targeted attacks test enterprise defenses because they defeat the old “umbrella” defense, which was designed to stop widespread, random attacks. Companies can no longer treat all types of attacks the same. They must instead prioritize defenses against the methods that targeted attackers are likely to levy against their businesses.

“We’re treating everything as if it were the same level of threat, whether it’s a targeted attack, a criminal, a teenager trying to port scan your network. They’re all getting similar levels of attention, and that’s not a sustainable model,” says Dmitri Alperovitch, co-founder and CTO of CrowdStrike, a threat detection vendor focusing on advanced and targeted attacks. “You have to prioritize.”

Understand The Attacker’s Mentality

Developing a defense for targeted attacks starts by understanding who these attackers are and how they operate. Now, that doesn’t necessarily mean working to identify your attackers specifically. That’s a rabbit hole that won’t reap enough rewards for the effort, Kaminsky warns.

“Even if you knew exactly who your attackers were, there’s a limited number of scenarios in which you can do anything about it,” he says.

You’re not seeking out a specific name or identity. Instead, you’re identifying attack patterns common in your industry and looking to protect yourself from attacks against the data that a targeted attacker would want to steal. And that means understanding how attackers operate.

For example, some opportunistic financial attackers go after mom-and-pop point-of-sale systems by scanning the Internet looking for open pcAnywhere, virtual network computing (VNC), or remote desktop (RDP) connections, says Lucas Zaichkowsky, enterprise defense architect for the forensics and security firm AccessData. Many of these merchants and their POS vendors set these systems up and do port forwarding so the POS vendor can help the merchant troubleshoot remotely.
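The exposure Zaichkowsky describes, a remote-support port forwarded straight from the Internet to a POS host, is something a merchant or its vendor can check for on the edge device itself. What follows is an added example and not code from the article or from any vendor quoted in it: it parses iptables-save style NAT rules (the sample rules are constructed, and the list of remote-access ports is an assumption for this example) and flags any DNAT rule that forwards an RDP, VNC or pcAnywhere port without a source-address restriction.

```python
"""Audit edge-firewall port forwards for Internet-exposed remote-access services.

Added example, not code from the Dark Reading article or any vendor quoted in it.
It assumes iptables-save style NAT rules (a common format on small-office edge
boxes); the rules and the port list below are constructed for this illustration.
"""
import re

# Remote-support services the article says opportunistic POS attackers scan for.
# Port-to-service mapping is an assumption made for this example.
REMOTE_ACCESS_PORTS = {
    3389: "RDP",
    5900: "VNC",
    5631: "pcAnywhere",
}

# Constructed sample NAT table (RFC 5737 address for the vendor range).
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.20:3389
-A PREROUTING -i eth0 -s 203.0.113.0/24 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.1.21:5900
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.30:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5631 -j DNAT --to-destination 192.168.1.22:5631
COMMIT
"""

_DPORT = re.compile(r"--dport\s+(\d+)")
_SRC = re.compile(r"(?:^|\s)-s\s+(\S+)")          # optional source restriction
_DST = re.compile(r"--to-destination\s+(\S+)")


def parse_dnat_rules(text):
    """Yield (dport, source_restriction_or_None, destination) for each DNAT rule."""
    for line in text.splitlines():
        if "-j DNAT" not in line:
            continue
        port = _DPORT.search(line)
        if not port:
            continue
        src = _SRC.search(line)
        dst = _DST.search(line)
        yield (int(port.group(1)),
               src.group(1) if src else None,
               dst.group(1) if dst else None)


def find_exposed_remote_access(text):
    """Return findings for remote-access ports that are forwarded inbound.

    A forward with no -s restriction is reachable from the whole Internet and
    is exactly what the scanners described above look for; a forward limited
    to a source range is reported at info level so the range can be confirmed
    against the vendor's actual addresses.
    """
    findings = []
    for dport, src, dst in parse_dnat_rules(text):
        if dport not in REMOTE_ACCESS_PORTS:
            continue
        finding = {"port": dport, "service": REMOTE_ACCESS_PORTS[dport], "dest": dst}
        if src is None:
            finding.update(severity="high", reason="forwarded from any Internet source")
        else:
            finding.update(severity="info",
                           reason=f"restricted to {src}; confirm it is the vendor's range")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_exposed_remote_access(SAMPLE_RULES):
        print(f"[{f['severity']}] {f['service']} tcp/{f['port']} -> {f['dest']}: {f['reason']}")
```

On a real box the input is the output of `iptables-save -t nat`; consumer routers expose the same information as a port-forwarding table, and the rule to apply is the same: a remote-support port should never be reachable from an unrestricted source, and even a restricted one should be verified against the vendor’s current address range rather than trusted because it was set up once.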
Using that as a jumping-off point, targeted attackers often have enough information to understand common POS systems and know where credit card data is likely stored.

“Most POS systems are encrypted these days, but it’s all about knowing where the keys are,” says Zaichkowsky. “Or they’ll just drop in keystroke recorders or memory scrapers to grab the data as it’s in transit without even relying on it being stored anywhere, and then it’s just automatically uploaded or uploaded through batch to some FTP server somewhere. And a lot of that stuff is done in a matter of minutes.”

[Sidebar: 19% of all attacks analyzed in a 2013 Verizon report were perpetrated by state-affiliated actors, in other words a form of espionage. Data: Verizon 2013 Data Breach Investigations Report]

Meanwhile, other extremely sophisticated attackers may target specific financial organizations to “jackpot millions out of ATM machines,” says Zaichkowsky. Nation-state attackers may go after specific industrial companies to gain intelligence information.

At the lower level of sophistication, such as the POS example, attackers target common vulnerability opportunities. At the higher end, they target a specific organization’s weaknesses by doing a lot of reconnaissance.

“The more targeted the attack, the fewer obvious mistakes your attacker is going to make, because his attack is tailored to a particular environment,” White Ops’s Kaminsky says.

To understand how targeted attack techniques apply to your industry or business, finger-in-the-wind Internet research won’t cut it. Instead, gather true threat intelligence about attacks occurring in near or real time within real world environments.

“Intelligence can help you identify both the risk to assets — by looking at the adversaries that may be motivated to go after your data — and can provide you with the understanding of the trade craft and the capabilities of those actors, so that you can start thinking about how to adjust your defense model to specifically meet the capabilities of those adversaries,” Alperovitch says.

Zaichkowsky explains how threat intelligence can help.

“Let’s say, for example, you know the state-sponsored Chinese guys are coming after you. You’ve got some intellectual property you know they want,” he says. “They tend to operate by spearphishing most of the time for initial point of entry. So being able to make sure certain file attachment types can’t be opened and installing next-gen solutions in line mode, you can [take actions that] actually prevent things as much as possible.”

[Sidebar, Threat Intelligence Integration: Threat intelligence data is most effective when it is integrated directly with other security efforts. The data can inform both tactical security efforts and more strategic governance and risk management processes.]

Understand Your Own Environment

Of course, understanding who’s likely to attack you and how is only a part of the puzzle. Internal data and system knowledge is just as important as knowing your enemy, to paraphrase Chinese military philosopher Sun Tzu. This means identifying what information assets your organization has, and which assets are most important to your business, because each company has different pain points and risk factors.

“Coordinate across business units to identify the information that would be critical if my competitor or a threat actor were to take it,” says Jen Weedon, manager for the intelligence team at FireEye. “That gets you down the path of being able to know, ‘OK, I should protect X, Y, Z information with higher levels of security.’”

In other words, targeted threat protection really starts with a targeted, internal risk assessment.

“Info about a negotiation on a multi-billion-dollar deal is probably a lot more valuable than info about a $200,000 sales opportunity,” Alperovitch says.

Similarly, organizations must understand what’s going on within their IT environments, correlating that with the data protection priorities they’ve set and the threat intelligence feeds they receive about external dangers. This is why organizations are investing more heavily in detection technologies than in traditional umbrella prevention techniques.

Detection is much more effective than prevention, says Kaminsky. The notion that vulnerabilities are instantly exploited and that all useful data is instantly removed simply isn’t true.
“There’s a period of time it takes to find your target and determine how to exploit it,” Kaminsky says. “And it turns out that there are specific things that show up in the logs after the vulnerability has been found but before it’s been successfully exploited — and they can serve as a great signal [of an attack in progress].”

Every company needs to remember that it has an advantage over the targeted attacker because the company has an insider’s knowledge of its own environment.

“You don’t have to discover the properties of your environment in real time the same way that an attacker does,” Kaminsky says. “We do not use honeypots enough. We do not attempt enough to exploit the attackers’ real-time discovery of the networks that they’re breaking into.”

Too often, says Zaichkowsky, organizations “burn” the intelligence they may have about attackers rather than using it to identify their methods and stop them. For example, if a business learns from threat intelligence service providers that a list of IP addresses is being used to attack the business, its first instinct may be to just configure the firewall to block those addresses. But when you’re dealing with targeted attackers, as soon as they try to connect to you and it’s not working, they’ll just go to another IP address, and you’ve essentially burned your intelligence.

Instead, take that tactical intelligence and lay down “tripwires” to watch the attackers’ activity and remediate a little further down the line.

“Then when you actually remediate and you kick them out,” says Zaichkowsky, “you haven’t burned any of your intelligence. They’ll have to start guessing, ‘Well, how did they find me?’”

[Chart: Cyber-Espionage Concern. “How concerned is your organization about advanced cyber-espionage, nation-state or other types?” Answer categories: Not at all concerned, Slightly concerned, Moderately concerned, Very concerned, Extremely concerned. Reported shares: 9%, 24%, 30%, 13%, 24%; which share belongs to which category is not recoverable from this extraction. Data: InformationWeek 2013 Strategic Security Survey of 1,029 business technology and security professionals at organizations with 100 or more employees, March 2013]

Frustrate Your Attacker

Ultimately, the goal is to make life very hard for the targeted attacker and also to buy your organization enough time to respond to targeted attacks before the crown jewels leave the building.

“Think of infrastructure hardening like building a maze,” says Zaichkowsky. “You’re making that maze more and more complex, which buys you time. In a targeted attack, they’re going to get to what they’re after — it’s just a matter of time. So make that maze as difficult as possible and set up little tripwires everywhere to identify attackers as they’re progressing through it.”

Your team needs enough audit logs, forensics artifacts, and monitoring tools in place to quickly scope out an attack when a tripwire has been tripped. But even more than that, companies should constantly adjust their defenses to make it expensive for the attacker to operate within their environments, Kaminsky warns. While creating a puzzle may make things more difficult for attackers, the reward might be great enough that the attacker will invest the time and resources to figure out that puzzle.

“You have to play a chess game,” Kaminsky says. “You have to make sure there’s a cost to the attacker for getting detected, but you have to make sure the attacker thinks maybe it will work. But when it doesn’t work, they’re going to lose what they have within your network. If you don’t play the game, if you just try to make a puzzle, you’ve already lost.”

Write to us at editors@darkreading.com.
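Zaichkowsky’s “tripwire” advice and Kaminsky’s points about honeypots and about pre-exploitation signals in logs can be combined in a single detection pass. What follows is an added example and not code from the article or from any vendor quoted in it; the log format, the watchlist addresses, the canary resources and the enumeration threshold are all assumptions constructed for the illustration. It matches watchlisted sources but records rather than blocks them, flags any touch of a canary file or canary account regardless of source address, flags a burst of distinct 404s from one source as enumeration, and then links a non-watchlisted source back to a watchlisted one that shares its user agent, which is what the “they’ll just go to another IP address” scenario looks like in the logs.

```python
"""Tripwire-style detection over access logs: observe and correlate, never block.

Added example illustrating the article's advice; not code from the article or
from any vendor quoted in it. Log format, watchlist, canaries and thresholds are
assumptions constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed threat-intel watchlist (RFC 5737 documentation addresses).
WATCHLIST = {"203.0.113.7", "203.0.113.9"}
# Constructed canaries: resources and accounts nothing legitimate ever touches.
CANARY_PATHS = {"/backup/finance-q3.zip", "/admin/.env"}
CANARY_USERS = {"svc_backup_legacy"}
RECON_DISTINCT_404 = 4      # this many distinct 404 paths from one source ...
RECON_WINDOW_SEC = 60       # ... inside this window is treated as enumeration

# Constructed sample log: <ISO time> <src ip> <user|-> <method> <path> <status> "<ua>"
SAMPLE_LOG = """\
2014-04-02T09:00:01 203.0.113.7 - GET /wp-login.php 404 "curl/7.30"
2014-04-02T09:00:05 203.0.113.7 - GET /phpmyadmin/ 404 "curl/7.30"
2014-04-02T09:00:09 203.0.113.7 - GET /.git/HEAD 404 "curl/7.30"
2014-04-02T09:00:12 203.0.113.7 - GET /backup/ 404 "curl/7.30"
2014-04-02T09:00:15 203.0.113.7 - GET /portal/login 200 "curl/7.30"
2014-04-02T09:30:00 198.51.100.23 alice GET /portal/home 200 "Mozilla/5.0"
2014-04-02T11:12:40 198.51.100.77 - GET /portal/login 200 "curl/7.30"
2014-04-02T11:12:58 198.51.100.77 svc_backup_legacy GET /backup/finance-q3.zip 200 "curl/7.30"
"""


def parse_line(line):
    """Split one log line of the constructed format into a dict."""
    ts, ip, user, method, path, status, ua = line.split(" ", 6)
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "user": None if user == "-" else user, "method": method,
            "path": path, "status": int(status), "ua": ua.strip('"')}


def detect(log_text):
    """Return (alerts, pivots, timeline).

    alerts:   (rule, severity, event) tuples; none of them is a block decision,
              so the attacker sees nothing change and the intel is not burned.
    pivots:   flagged non-watchlisted sources mapped to watchlisted sources that
              share a user agent (the same actor after rotating IP addresses).
    timeline: every event from a flagged source, for scoping the intrusion.
    """
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    alerts, recent_404, ua_by_ip = [], defaultdict(list), defaultdict(set)
    for e in events:
        ua_by_ip[e["ip"]].add(e["ua"])
        if e["ip"] in WATCHLIST:                       # tripwire, not a firewall rule
            alerts.append(("watchlist_hit", "medium", e))
        if e["path"] in CANARY_PATHS or e["user"] in CANARY_USERS:
            alerts.append(("canary_touch", "high", e))  # fires whatever the source IP
        if e["status"] == 404:                         # discovery before exploitation
            win = recent_404[e["ip"]]
            win.append(e)
            win[:] = [x for x in win
                      if (e["ts"] - x["ts"]).total_seconds() <= RECON_WINDOW_SEC]
            if len({x["path"] for x in win}) == RECON_DISTINCT_404:
                alerts.append(("recon_burst", "medium", e))
    flagged = {e["ip"] for _, _, e in alerts}
    pivots = {ip: sorted(w for w in WATCHLIST if w != ip and ua_by_ip[w] & ua_by_ip[ip])
              for ip in flagged if ip not in WATCHLIST}
    timeline = [e for e in events if e["ip"] in flagged]
    return alerts, pivots, timeline


if __name__ == "__main__":
    alerts, pivots, timeline = detect(SAMPLE_LOG)
    for rule, sev, e in alerts:
        print(f"[{sev}] {rule}: {e['ts']} {e['ip']} {e['method']} {e['path']} ({e['status']})")
    for ip, linked in pivots.items():
        print(f"{ip} shares tooling with watchlisted {linked}: keep observing, do not block")
    print(f"{len(timeline)} events in scope for the incident timeline")
```

The watchlist hit only produces an alert, so the actor keeps using the same tooling and the later canary touch from a fresh address is still attributable to the same campaign through the shared user agent; that attribution is what would be lost if the first address had simply been blocked. The 404-burst threshold is arbitrary here and needs to be tuned against a real 404 baseline before it is trusted, and user-agent overlap is a weak link on its own, so in practice it would be one of several pivots (session cookies, TLS fingerprints, request timing) rather than the only one.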
CONTACTS

Dark Reading editorial: Tim Wilson, Dark Reading Site Editor, timothy.wilson@ubm.com, 703-262-0680; Kelly Jackson Higgins, Dark Reading Senior Editor, kelly.jackson.higgins@ubm.com, 434-960-9899.

Letters to the editor: E-mail editors@darkreading.com. Include name, title, company, city, and daytime phone number.

Reader services: DarkReading.com for the latest news on IT security threats, technology, and best practices; newsletters at darkreading.com/newsletters/subscribe; events at informationweek.com/events; research and strategic advice at reports.informationweek.com.

Copyright 2014 UBM LLC. All rights reserved.
