Targeted attacks
2. Agenda
Compromised Insider
Incident Analysis
Anatomy of an Attack
Current Controls
Reclaiming Security
© 2013 Imperva, Inc. All rights reserved.
Confidential
3. Today’s Speaker - Barry Shteiman
Director of Security Strategy
Security Researcher working with the CTO office
Author of several application security tools, including HULK
Open source security projects code contributor
CISSP
Twitter @bshteiman
5. “There are two types of companies: companies that have been breached and companies that don’t know they’ve been breached.”
Shawn Henry, Former FBI Executive Assistant Director
NY Times, April 2012
6. Insider Threat Defined
Risk that the access rights of a trusted person will be used to view, take or modify data or intellectual property.
Possible causes:
Accident
Malicious intent
Compromised device
7. Compromised Insider Defined
A person with no malicious motivation who becomes an unknowing accomplice of third parties who gain access to their device and/or user credentials.
8. Malicious vs Compromised Potential
1% < 100%
Source: http://edocumentsciences.com/defend-against-compromised-insiders
9. Look who made the headlines
Hackers steal sensitive data related to a planned 2.4B acquisition.
Hacker stole 4 million Social Security numbers and bank account information from state taxpayers and businesses.
10. Evaluating Magnitude
California 2012 Data Breach Report:
• More than half of the breaches were the result of intentional intrusions by outsiders or by unauthorized insiders.
Source: State of California Department of Justice, July 2013
Source: Verizon Data Breach Report, 2013
11. Know your Attacker
Governments
• Stealing Intellectual Property (IP) and raw data, Espionage
• Motivated by: Policy, Politics and Nationalism
Industrialized hackers
• Stealing IP and data
• Motivated by: Profit
Hacktivists
• Exposing IP and data, and compromising the infrastructure
• Motivated by: Political causes, ideology, personal agendas
12. What Attackers Are After
Source: Verizon Data Breach Report, 2013
13. Two Paths, One Goal
[Figure: two attack paths converging on Data & IP]
Path via the Online Application: Hacking (various) used in 52% of breaches; assets compromised: Servers 54%
Path via a User with access rights (or his/her device): Malware (40%), Social Engineering (29%); assets compromised: Users (devices) 71%, People 29%
Goal: Data & IP
Source: Verizon Data Breach Report, 2013
16. A Targeted Database Attack
13-Aug-12: Attacker steals login credentials via phishing email & malware
27-Aug-12: Attacker logs in remotely and accesses the database
29-Aug-12 to 11-Sept-12: Additional reconnaissance, more credentials stolen
12-Sept-12 to 14-Sept-12: Attacker steals the entire database
17. The Anatomy of an Attack
How does it work
18-23. Anatomy of an Attack (stages added one per slide, 18 to 23)
Spear Phishing
C&C Comm
Data Dump & Analysis
Broaden Infection
Main Data Dump
Wipe Evidence
26. Next: Phishing and Malware
Specialized Frameworks and Hacking tools, such as BlackHole 2.0, allow easy setup for Host Hijacking and Phishing.
How easy is it?
A three-month BlackHole license, with Support included, is US$700
27. Drive-by Downloads Are Another Route
September 2012 “iPhone 5 Images Leak” was caused by a Trojan Download Drive-By
28. Cross Site Scripting Is Yet Another Path
Persistent XSS Vulnerable Sites provide the Infection Platform
GMAIL, June 2012
TUMBLR, July 2012
29. The Human Behavior Factor
Source: Google Research Paper “Alice in Warningland”, July 2013
31. What Are the Experts Saying?
“Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”
Mikko Hypponen, F-Secure, Chief Research Officer
Source: http://www.wired.com/threatlevel/2012/06/internet-security-fail/
32. Security Threats Have Evolved…
[Figure: the same control set shown for both years]
2001: AntiVirus, Firewall, IPS
2013: AntiVirus, Firewall, IPS
Sources: Gartner, Imperva analysis
34. The DISA Angle
“In the past, we’ve all been about protecting our networks—firewall here, firewall there, firewall within a service, firewall within an organization, firewalls within DISA. We’ve got to remove those and go to protecting the data”
Lt. Gen. Ronnie Hawkins Jr., DISA
AFCEA, July 2012
36. Assume You Can Be Breached
37. Incident Response Phases for Targeted Attacks
Attacker phases:
Size Up the Target
Compromise A User
Initial Exploration
Solidify Presence
Impersonate Privileged User
Steal Confidential Data
Cover Tracks
Response phases:
Reduce Risk
Prevent Compromise
Detection
Containment
Insulate sensitive data
Password Remediation
Device Remediation
Post-incident Analysis
38. Webinar Materials
Join Imperva LinkedIn Group, Imperva Data Security Direct, for:
Post-Webinar Discussions
Webinar Recording Link
Answers to Attendee Questions
Editor's Notes
Barry: “Less than 1% of your employees may be malicious insiders, but 100% of your employees have the potential to be compromised insiders.”
2013 VDBIR: Malware 40% of breaches; Social 29%; Hacking 52%. Assets compromised: Servers 54; User (devices) 71; People 29.
Anna Kournikova virus author stands trial
Lenient sentence in prospect
By John Leyden, posted in Security, 14th September 2001 13:58 GMT
The author of the infamous Anna Kournikova email worm has appeared in court in the Netherlands with prosecutors calling for a lenient sentence for his admitted crime. Lawyers for 20-year-old Jan de Wit have called for the dismissal of charges against him, arguing that the worm caused minimal damage. The FBI submitted evidence to the Dutch court, suggesting that $166,000 in damages was caused by the worm, based on reports of damage from 55 firms