
Targeted & Persistent Attacks in EU


Targeted & Persistent Attacks in EU: The need for coordination and information sharing between EU member states. This is the recent speech given by Eoghan Casey, CASEITE & DFLabs at the annual ENFSI Conference in Rome.

Transcript

  • 1. Targeted & Persistent Attacks in EU
    The need for coordination and information sharing between EU member states
    Eoghan Casey, CASEITE & DFLabs
  • 2. Attack against RSA - http://blogs.rsa.com/rivner/anatomy-of-an-attack/
    2012 Copyright Eoghan Casey and CASEITE. All rights reserved.
  • 3. Large-scale credit card robbery
    • Initial intrusion into regional office
    • Weak internal security
      • Servers with well known vulnerabilities
      • Unrestricted access to central servers
    • Weak egress filtering
      • File transfer permitted from central servers to Internet
    • Weak system monitoring
      • Intruder created account on central server
      • Installed sniffer on server
      • Sniffer and file transfer log files created on server
    • Weak network monitoring
      • Network level logs recorded file transfers
  • 4. Coordinated Linux intrusions
    • Attackers' modus operandi
      • Repository of stolen SSH credentials
      • Privilege escalation
      • LKM rootkits & tricky backdoor
      • Trojanized SSH daemon
      • Resilient C2 and exfiltration
      • Destroy digital evidence
  • 5. Common mistakes
    1) Underestimating the adversary
      • Too quick to containment
    2) Lack of evidence
      • No centralized logging infrastructure
    3) Improper evidence handling
      • Update antivirus and scan compromised systems
  • 6. Know the adversary
    • Initial intrusions not necessarily sophisticated
      • Spear phishing or vulnerable servers
    • Once inside, they spread virulently
    • Inside out attacks circumvent egress filtering
    • Undermine security monitoring
      • File system tampering
      • Multiple malware versions with custom packing
      • Blend in with normal traffic
      • Encrypt command, control and exfiltration
  • 7. Quick containment?
    Current recommendation: "When an incident has been detected and analyzed, it is important to contain it before the spread of the incident overwhelms resources or the damage increases. Most incidents require containment, so it is important to consider it early in the course of handling each incident." - NIST SP800-61 Rev. 1, page 3-19
  • 8. Managing a data breach effectively
  • 9. Effective eradication of intruders
  • 10. Cross border information sharing
    • Same attackers targeting all EU member states > Consolidate adversary knowledge
    • Trust between government and industry
    • Confidentiality agreements
    • More information to examine the better
    • Sanitize what is shared to protect victims
  • 11. Information exchange standards
    • STIX: Structured Threat Information eXpression
    • STIX Whitepaper - makingsecuritymeasurable.mitre.org/docs/STIX-Whitepaper.pdf
  • 12. Get in touch
    Eoghan Casey
    DFLabs Business Partner, Risk Prevention and Response Co-manager
    eoghan@dflabs.com
    www.dflabs.com
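Slides 3, 5 and 10 together make one operational point: the network-level logs of the credit card case already recorded the file transfers from the central servers to the Internet, a centralized logging infrastructure is what turns such records into evidence, and whatever is then shared across borders must be sanitized so that the victim is not exposed. The following Python example, added here and not taken from the presentation or from DFLabs/CASEITE, shows that pipeline end to end over a few constructed flow-log lines: parse the connection summaries, flag large transfers from the central servers (an assumed asset inventory) to non-RFC 1918 destinations, and replace the victim-side addresses with stable pseudonyms before release while keeping the adversary-side indicators (destination, port, size, time) intact. The log format, the server list and the size threshold are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample flow records (not from the presentation): one line per
# connection summary, as a central logging infrastructure might collect them.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for
# public Internet hosts; 10.0.0.0/8 stands in for the victim network.
SAMPLE_FLOWS = """\
2012-03-14T02:13:55Z src=10.1.5.20 dst=203.0.113.45 proto=tcp dport=21 bytes_out=48213345
2012-03-14T02:15:02Z src=10.1.5.20 dst=10.1.7.33 proto=tcp dport=445 bytes_out=90000000
2012-03-14T09:41:10Z src=10.1.9.4 dst=198.51.100.7 proto=tcp dport=443 bytes_out=52000000
2012-03-14T11:02:44Z src=10.1.5.21 dst=198.51.100.7 proto=tcp dport=443 bytes_out=2048
2012-03-15T01:58:31Z src=10.1.5.21 dst=198.51.100.7 proto=tcp dport=443 bytes_out=15000000
this line is garbage and must be skipped
"""

# Assumed asset inventory: the central servers that hold cardholder data.
CENTRAL_SERVERS = {"10.1.5.20", "10.1.5.21"}

# RFC 1918 ranges are treated as internal; everything else is "the Internet".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes_out>\d+)$"
)


def parse_flows(text):
    """Return one dict per well-formed flow line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        rec["bytes_out"] = int(rec["bytes_out"])
        records.append(rec)
    return records


def is_internal(ip):
    """True when the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_egress(records, central=CENTRAL_SERVERS, min_bytes=10_000_000):
    """Transfers from a central server to a non-internal host above a size
    threshold: the pattern the case study's network logs had recorded."""
    return [r for r in records
            if r["src"] in central
            and not is_internal(r["dst"])
            and r["bytes_out"] >= min_bytes]


def sanitize_for_sharing(findings):
    """Replace victim-internal source addresses with stable pseudonyms so the
    record can be shared; adversary-side fields are left unchanged."""
    pseudonyms = {}
    shared = []
    for f in findings:
        label = pseudonyms.setdefault(f["src"], f"VICTIM-HOST-{len(pseudonyms) + 1}")
        shared.append({"ts": f["ts"], "src": label, "dst": f["dst"],
                       "proto": f["proto"], "dport": f["dport"],
                       "bytes_out": f["bytes_out"]})
    return shared


def leaks_internal_address(shared):
    """Release check: True if any RFC 1918 address survived sanitization."""
    for rec in shared:
        for value in rec.values():
            if not isinstance(value, str):
                continue
            try:
                if is_internal(value):
                    return True
            except ValueError:  # timestamps, protocol names etc. are not IPs
                continue
    return False


if __name__ == "__main__":
    hits = suspicious_egress(parse_flows(SAMPLE_FLOWS))
    for rec in sanitize_for_sharing(hits):
        print(rec)
    print("internal address leaked:", leaks_internal_address(sanitize_for_sharing(hits)))
```

Run as a script, it prints the two flagged transfers with the central servers renamed VICTIM-HOST-1 and VICTIM-HOST-2; the 90 MB copy to another internal host, the workstation's upload and the 2 KB connection are not flagged. The release check is deliberately a separate function so it can gate an automated export: a finding that still carries an internal address should never leave the organisation.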
