Advanced Persistent Threats conference, Mile2

Raymond Friedman, conference in Mexico, September 2013

  • Outline: What is an APT? Impact of APT; Verizon Report 2012; the 97/3 rule; counter-measures; penetration testing; education.
  • They are persistent because their methods are tenaciously calculated and not easily detoured: they keep looking for new ways to get in, they are stealthy and avoid detection, and they play for the long term and a big reward. They are looking for the new formula for one ground-breaking drug, the source code for one new cutting-edge application, the plans for one state-of-the-art engine. This is a far cry from the so-called amateur hacker who steals credit card numbers: the kiddy hacker doesn't care if their plot or exploit is discovered, they just move on to the next victim looking for a short-term gain.
  • It’s a threat because the perpetrators have resources and motivation to succeed. And when they do, it’s a colossal financial gain for them and a massive financial blow for their targeted company.
  • As a starting point, we'll say that an APT can be described as a "slow and low" cyber attack against servers containing valuable intellectual property. Most attacks tend to target US and European companies, although we have seen similar attacks against government and military computers as well as global business enterprises. This IP can be just about anywhere, but in most cases it's on back-end systems. So how can we really characterize an APT? Unauthorized software, usually resident on the targeted system, dormant and undetected for a long period of time, all the while randomly sending information to servers operated by criminal enterprises or foreign governments. So why are these the targets? Because that's where the valuable intellectual property is. Example 1, avoid costly research: they steal this information so they can get their products to market before their competitors and at a lower cost, and they can do this because they've skipped the research and avoided the costly development stage, thanks to your stolen intellectual property. Example 2, steal classified and sensitive data: these thieves are sometimes more interested in utility grid plans or information sensitive to national defense. That's why some security experts suggest that the term APT should be reserved for state-sponsored cyber-espionage that supports military or economic warfare. Just a few days ago I tweeted that the US Government confirmed a Chinese hack attack on the White House computer by means of spear phishing. Why did China do this? Because that's where the classified and sensitive data is. That's where the military trade secrets are.
  • So the question is: should we be concerned? Does it apply to me? Yes it does, because the threats are real. The issue we are facing is the ever-growing skill of the hacker. Their skill is multifaceted and innovative; they are more creative and resourceful. The internet has given them so much more access, so much more availability to the world's resources. And that's why the term itself provides such insight into APTs: Advanced, Persistent, Threats.
  • They are advanced because they're black hat professionals, experts in this discipline, not so-called kiddy hackers. They tend to be very skilled and utilize a sophisticated logistics infrastructure. They also have extensive resources available to them, are usually lucratively financed, and each campaign is intelligently managed. Their objective is to compromise government and commercial entities. Who are these agencies? They are hostile states and organized crime; they have the time, equipment and resources. They are no longer the guy in a basement somewhere with a six-pack of Red Bull and a bag of Doritos. They aren't doing this for fun. They are doing this because this is their job. This is how they make a living. This is their career.
  • APT has a life cycle. Players behind advanced persistent threats are creating a growing and changing risk to organizations' financial assets, intellectual property, and reputation by following a continuous process:
    1. Target specific organizations for a singular objective.
    2. Attempt to gain a foothold in the environment; common tactics include spear phishing emails.
    3. Once they are in, use the compromised systems as access into the targeted network.
    4. Then deploy additional tools that help accomplish the attack objective.
    5. All the while, cover tracks so that they can continue to maintain access for future initiatives.
  • In many cases the companies weren't breached because the hackers were skillful; they were breached because they simply were not prepared. The Verizon Data Breach Report showed that 97% of attacks were avoidable through simple or intermediate controls. In many cases, the work that needed to be done was something that was simply ignored. Over 60% of attacks were targets of opportunity, not APTs.
  • On average, it takes months for a company to become aware that they have been compromised, and to add embarrassment, sadly, over 92% of the incidents were discovered by a third party (Verizon 2012), even though, in most cases, evidence of the intrusion was clearly present in the company's log files. Yes, it is so important that your company invests in IDS/firewalls that are grounded in an understanding of what your networks should and shouldn't do, BUT if you don't look for the deviations, if you don't look at the logs, then what good are they? It is even more important that your security team develops controls to verify that such policies are being adhered to. You just can't buy a product that replaces that analysis.
  • We don't control the associated risk. In many cases it's not the technology that is the problem; it's that we have not put into place the proper controls to ensure the technology is not compromised. We know that social engineering is often the key to a security breach. It's so easy to manipulate someone and so difficult to stop this. The only way to stop it is through security awareness training. And you can't tell them only once. It has to be told to them and repeated over and over again, almost like with children. You have to find new and innovative ways to get the point across. It's about keeping security in the forefront of their minds. It's not about a fairy tale, walking around and saying that everything is bad and that the evil guy is out there somewhere.
  • So what is reality? We have a lot of work to do. We have new skills to learn. Technology is evolving. New attack vectors are on the rise. Malware is more sophisticated than ever. And in all of this, we can't slow business down from moving forward. We will never say that iPads and iPhones can't be in the workplace; it's quite the opposite. Technology continues to progress. The Verizon report not only gives us a real eye-opener but shows us what reality really is. Because we have not done the basics, the simple things, we end up wasting a tremendous amount of resources and time on responding rather than simply focusing on preventative measures. What we need to do is build a mindset, company policies and controls that will protect us from the 97%. So how does this affect us when we simply do the basics? Now we have time to really focus on the 3% that really is an advanced persistent threat. Educating our people is the most important resource.
  • Real advanced persistent threats accounted for only 3% of all the hacks according to the Verizon report. In more sophisticated attacks, malware's foothold could easily evolve from a simple malware infection to a full-blown network intrusion where attackers move easily through a compromised network, setting up exfiltration of sensitive data and planting additional remote access backdoors. It's the latter point, backdoors, which has given APTs the reputation of being persistent. Many incident responders comment on the extreme difficulty of containing and eradicating advanced threats within their network because of this persistence. That's why a well-trained incident response and operations team, armed with tools to assist with collecting, correlating, and processing security event data, is the first step in surviving advanced attacks.
  • Do you have a plan? The worst time to put one together is when you are being bombarded or when your infrastructure has been compromised. It's all about pre-planning: having a manual and a process, so that when it happens your team is under control. Have an incident handling system:
    Locate the targeted or infected system.
    Isolate the system.
    Be sure to preserve all the logs; that's what tells the story.
    Purge and clean the infected systems.
    Test and assess the network. See if you have any vulnerabilities.
    Patch and protect. Implement new controls, new security measures.
  • Another important assessment is a penetration test.
    Phase 1: Plan and prepare.
    Phase 2: Assessment. Gather info; map the network; confirm the vulnerabilities; manually scrub the system and pen test; escalate any privileges; enumerate; compromise the site/user; maintain access; cover your tracks (keep the back door a secret).
    Phase 3: Report. Clean up your mess; write the report.
  • The 2011/2012 Verizon Data Breach Report states some simple things we can do:
    Eliminate: get rid of unnecessary files and data (10-year-old files, files from 2007, are old; don't keep them, and don't store the CVV from credit cards; it should not be stored anyway).
    Ensure: many breaches come in through remote connections. Ensure that proper controls are implemented to stop unauthorized connections.
    Assess and audit all of your remote access services: who has these services available to them, when are they being used, and do terminated employees no longer have this access?
    Test and review web applications: attacks on web applications are becoming more and more prevalent, second only to social engineering as the method by which hackers come through and compromise the organization's networking infrastructure.
    Audit user privileges: ensure that users have the proper privileges. Many of these breaches happened simply because user access controls were not checked and appropriately assigned to job responsibilities.
    Monitor logs: 85% of all the breaches were in the logs all along, and most companies didn't even know about it.
    Examine payment mediums/devices such as ATMs and other payment card input devices for tampering (this is not new; it has been done for years).
  • Be aware of what appear to be very familiar organizations or internal personnel. Is that email or that web page really pointing to what you expect? Instead of having users simply read and sign off on the company computer usage policy, actually discuss computer security issues (picking strong passwords, malicious software, etc.) in a face-to-face meeting. This should be discussed habitually. There should be policy reminders by the IT division or by management, either by email or at login. Security should come from the top down. Management needs to set the standard; otherwise, how can you expect such policies to be respected and adhered to?
  • 1. Effective security is efficient security. APTs are real, but the main focus must be on the fundamentals of security first. Effective response to advanced threats requires implementing the basics of information security; otherwise, time is wasted addressing low- to medium-level attacks while the sophisticated attacks are busy running data right out through the back door.
    2. Most attacks are avoidable. Most attacks, 97% of them, are avoidable, whether they are advanced or not. It is important that we simply do the simple things. Remember, sloppy security is not the same as "advanced" real threats.
    3. Design, develop, and evaluate your security program continuously. Success comes when a security program is relevant, business aware, communicates using business language, and has established a balanced security posture.
  • mile2's excellent reputation is based upon delivering expert and highly qualified IT security training, with our courses and examinations recognized by governments and private industry alike. We have trained and are currently training personnel from defense departments globally, the FBI, police, the United Nations, the United States Air Force, the Department of National Defence (Canada), NATO and private industry including EADS, Siemens, DaimlerChrysler, Maytag, KPMG, FedEx, Motorola and many more. Courseware was built to the highest standard: CSWAE (Boeing), CPTE (Air Force), CISSO (Canadian DND).
  • Credibility: Mile2 is the industry leader in cyber security and has trademarked several IT security processes as the "de facto standard". In addition, mile2 has trained thousands of students in both the private and public sector, with a consensus that mile2 "has high standards". mile2 is a certification governing body with certifications not only known globally but also well respected. Confidence: with technology emerging, cyber war has become the most concerning issue that must be dealt with. With a mile2 cyber security certification behind your name, you will have the fortitude to tackle almost any security issue with confidence. Competence: Mile2 has invested years refining the industry's best proven methodologies. With mile2's IT security certifications, you will have the competence to do your job function... successfully!
  • There is no better time than now to obtain a cyber security certification. PayScale interviewed thousands of employees and found that an IT security professional could make up to $131,521 annually.
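The remote access questions the Verizon recommendations above ask (who has it, when is it used, do terminated employees still have it), together with the "monitor logs" and "eliminate what you don't need" points, as an added Python example that is not from the presentation or Mile2; the VPN log format, the HR roster and every account name are constructed for illustration:

```python
import re
from datetime import date, datetime

# Constructed sample VPN log (not from the presentation): one login attempt per line.
SAMPLE_LOG = """\
2013-09-02T09:14:22 vpn login user=amartin src=198.51.100.7 result=success
2013-09-02T03:41:05 vpn login user=jdoe src=203.0.113.45 result=success
2013-09-03T12:02:51 vpn login user=rlee src=192.0.2.88 result=failure
2013-09-03T22:30:10 vpn login user=amartin src=198.51.100.7 result=success
2013-09-04T10:05:00 vpn login user=pwong src=192.0.2.19 result=success
"""
# Constructed HR roster: who is entitled to remote access and who has left.
ROSTER = {
    "amartin": {"remote_access": True, "terminated": None},
    "jdoe":    {"remote_access": True, "terminated": "2013-08-15"},  # left; access never removed
    "rlee":    {"remote_access": True, "terminated": None},
    "pwong":   {"remote_access": True, "terminated": None},
    "skhan":   {"remote_access": True, "terminated": None},          # never uses the VPN
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

def parse_log(text):
    """Yield (timestamp, user, src, result) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]

def audit_remote_access(log_text, roster, business_hours=(7, 19)):
    """Return sorted (finding, user) pairs answering the report's three questions:
    who has remote access, when is it used, and do leavers still get in?"""
    findings, seen = set(), set()
    start, end = business_hours
    for ts, user, _src, result in parse_log(log_text):
        seen.add(user)
        entry = roster.get(user)
        if entry is None:
            findings.add(("UNKNOWN_ACCOUNT", user))   # an account HR does not know about
            continue
        if result != "success":
            continue
        term = entry["terminated"]
        if term and ts.date() >= date.fromisoformat(term):
            findings.add(("TERMINATED_LOGIN", user))  # a leaver is still logging in
        if not start <= ts.hour < end:
            findings.add(("OFF_HOURS_LOGIN", user))   # review whether this fits the role
    for user, entry in roster.items():
        if entry["terminated"] and entry["remote_access"]:
            findings.add(("STALE_ACCESS", user))      # deprovisioning was missed
        if entry["remote_access"] and user not in seen:
            findings.add(("UNUSED_ACCESS", user))     # candidate to eliminate
    return sorted(findings)

if __name__ == "__main__":
    for finding, user in audit_remote_access(SAMPLE_LOG, ROSTER):
        print(f"{finding:17} {user}")
```

Each finding maps back to one of the report's items: stale and terminated-account findings to the remote access audit, off-hours logins to "when are they taking place", and unused entitlements to "eliminate unnecessary data".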


  • 1. Preventing Advanced Persistent Threats, the Future of IT Security Ray Friedman CEO, Mile2
  • 2. Introduction What is an APT? Impact of APT Verizon Report 2012 97% - 3% Counter-measures Penetration testing User Education Mile2 Discussion Topics
  • 3. APTs
  • 4. APT - Persistent Black Hat Professional • They are persistent because of their methods • Tenaciously calculated • Stealth • Long term gain • Financially lucrative reward Amateur Kiddy Hacker • Focuses on short term gain • Sloppy with their methods • Usually detected
  • 5. APT - Threat It's a threat because the perpetrators have: • Resources • Motivation to succeed • Financial gain is great • Sizeable financial blow to their competitors
  • 6. Advanced Persistent Threats APT is characterized as: “slow and low” cyber attacks against servers containing valuable intellectual property. • Unauthorized software • Dormant and undetected • Information is sent remotely to servers Value of data retrieved by APTs • Avoid costly research • Procure sensitive utility/military information
  • 7. APTs The threats are real because these hackers are just that… • Advanced • Persistent • Threats Should we be concerned? Does it apply to me?
  • 8. APT - Advanced Not Hackers – Black hat professionals Skilled Resourceful Sophisticated supporting infrastructure Intelligently managed
  • 9. APT Life Cycle Advanced persistent threats create a growing and changing risk to organizations' financial assets, intellectual property, and reputation by following a continuous process: Target organizations Gain foothold in the environment through spear phishing emails. Use compromised systems Deploy tools to attack Cover tracks
  • 10. Verizon Report
  • 11. Verizon Report 2011/2012 • Verizon Data Breach 97% of attacks were avoidable through simple or intermediate controls. • Over 60% of attacks were targets of opportunity, not APTs.
  • 12. Verizon Case Study 97% - Ignorance is Bliss • On average, it takes months for a company to become aware that they have been compromised. • 92% of the incidents were discovered by a third party. • In most cases, evidence of the intrusion was clearly present in the company's log files.
  • 13. The Real Threat • Company Technology or Social Engineering? • Awareness is key • Repetition is necessary
  • 14. So What is REALITY? • We have a lot of work to do • New skills • New vectors • Focus on the 97% -basics
  • 15. What is the 3% APT • Real Advance Persistent threats only entailed 3% of all the hacks according to the Verizon report • Example: Sophisticated Malware Attack • Remote access backdoors • Persistent reputation
  • 16. Countermeasures
  • 17. What happens when you are attacked? • Locate the system or systems under attack. • Find and preserve all log files. • Purge and clean the infected network. • Test the entire network for potential future attacks. • If needed, implement new security measures.
  • 18. Penetration Test Phase 1 Planning & Preparation Phase 2 Assessment Phase 3 Report • Info Gather • Network Mapping • Vulnerability ID • Penetration Testing • Privilege Escalation • Enumeration • Compromise User/Sites • Maintaining Access • Cover Tracks • Clean up • Reporting
  • 19. What Should You Do Overall? Verizon Data Breach Report states that we should: • Eliminate unnecessary data; keep tabs on what's left • Ensure essential controls are met • Assess remote access services • Test and review web applications • Audit user accounts and monitor privileged activity • Monitor event logs • Examine Payment Mediums / Devices of ATMs • Educate personnel
  • 20. Countermeasure: User Education It is extremely important to inform end-users about the dangers of running software obtained from untrusted sources. Instead of having users simply read and sign-off on the company computer usage policy, actually discuss computer security issues (picking strong passwords, malicious software, etc) in a face-to-face meeting. Remember, there is no 'patch' for stupidity!
  • 21. Summary Effective Security is Efficient Security Most attacks are avoidable Design, develop, and evaluate your security program continuously
  • 22. Count on Mile2 Mile2 will help you: • Protect your company, network and system from attacks. • Protect your intellectual property. • Enforce acceptable use policies and investigate offenders. • Learn how to plan, implement, build & maintain a complete security strategy. • Stay abreast of the most current information and methods relating to IT Security. • Gain CPE credits: mile2 classes can be submitted to other certification organizations for continuing professional education (CPE) credits.
  • 23. What Makes Mile2 Superior? • Mile2's famous penetration testing and IT Security training classes have become the de facto standard for the US Military; US Air Force, Marines, Army and National Guard. • Mile2 has also taught personnel from the United Nations, DND, DOD, NATO, NASA, foreign Military and Government personnel and a large number of Fortune 100 companies. • Traditionally, student participation has also come from a wide spectrum ranging from charities, banking, insurance, health, communications, transport, and law enforcement. • We practice what we preach!
  • 24. Credibility, Confidence, Competence • Mile2 is a certification governing body with certifications not only known globally but also well respected. • With a Mile2 Cyber Security certification behind your name, you will be recognized! • You will have the competence to do your job function… Successfully!
  • 25. Career Income Income range: $45,000 - $131,000
  • 26. Mile2 Course Road Map