Targeted attacks

Imperva webinar 7/16/2013, Updated 11/7/2013
Covers insider threats and the compromised/malicious insider problem.

Published in: Technology

  1. Targeted Attacks. Barry Shteiman, Director of Security Strategy. © 2013 Imperva, Inc. All rights reserved. Confidential
  2. Agenda • Compromised Insider • Incident Analysis • Anatomy of an Attack • Current Controls • Reclaiming Security
  3. Today's Speaker - Barry Shteiman • Director of Security Strategy • Security Researcher working with the CTO office • Author of several application security tools, including HULK • Open source security projects code contributor • CISSP • Twitter @bshteiman
  4. Compromised Insider: Defining the Threat Landscape
  5. “There are two types of companies: companies that have been breached and companies that don't know they've been breached.” Shawn Henry, Former FBI Executive Assistant Director. NY Times, April 2012
  6. Insider Threat Defined: Risk that the access rights of a trusted person will be used to view, take or modify data or intellectual property. Possible causes: • Accident • Malicious intent • Compromised device
  7. Compromised Insider Defined: A person with no malicious motivation who becomes an unknowing accomplice of third parties who gain access to their device and/or user credentials.
  8. Malicious vs Compromised Potential: 1% < 100%. Source: http://edocumentsciences.com/defend-against-compromised-insiders
  9. Look who made the headlines: Hackers steal sensitive data related to a planned 2.4B acquisition. Hacker stole 4-million Social Security numbers and bank account information from state tax payers and businesses
  10. Evaluating Magnitude. California 2012 Data Breach Report: • More than half of the breaches were the result of intentional intrusions by outsiders or by unauthorized insiders. Source: State of California Department of Justice, July 2013. Source: Verizon Data Breach Report, 2013
  11. Know your Attacker. Governments • Stealing Intellectual Property (IP) and raw data, Espionage • Motivated by: Policy, Politics and Nationalism. Industrialized hackers • Stealing IP and data • Motivated by: Profit. Hacktivists • Exposing IP and data, and compromising the infrastructure • Motivated by: Political causes, ideology, personal agendas
  12. What Attackers Are After. Source: Verizon Data Breach Report, 2013
  13. Two Paths, One Goal: Online Application User with access rights (or his/her device) Malware (40%) Social Engineering (29%) Users (devices) 71% People 29% Hacking (various) used in 52% of breaches Servers 54% Data & IP. Source: Verizon Data Breach Report, 2013
  14. Incident Analysis: The South Carolina Data Breach
  15. What Happened? 4M Individual Records Stolen in a Population of 5M 80%.
  16. A Targeted Database Attack • Attacker steals login credentials via phishing email & malware (13-Aug-12) • Attacker logs in remotely and accesses the database (27-Aug-12) • Additional reconnaissance, more credentials stolen (29-Aug-12, 11-Sept-12) • Attacker steals the entire database (12-Sept-12, 14-Sept-12)
  17. The Anatomy of an Attack: How does it work
  18. Anatomy of an Attack: Spear Phishing
  19. Anatomy of an Attack: Spear Phishing, C&C Comm
  20. Anatomy of an Attack: Spear Phishing, C&C Comm, Data Dump & Analysis
  21. Anatomy of an Attack: Spear Phishing, C&C Comm, Data Dump & Analysis, Broaden Infection
  22. Anatomy of an Attack: Spear Phishing, C&C Comm, Data Dump & Analysis, Broaden Infection, Main Data Dump
  23. Anatomy of an Attack: Spear Phishing, C&C Comm, Data Dump & Analysis, Broaden Infection, Main Data Dump, Wipe Evidence
  24. Searching on Social Networks…
  25. …The Results
  26. Next: Phishing and Malware. Specialized Frameworks and Hacking tools, such as BlackHole 2.0, allow easy setup for Host Hijacking and Phishing. How easy is it? • A three-month BlackHole license, with Support included, is US$700
  27. Drive-by Downloads Are Another Route: September 2012 “iPhone 5 Images Leak” was caused by a Trojan Download Drive-By
  28. Cross Site Scripting Is Yet Another Path: Persistent XSS Vulnerable Sites provide the Infection Platform. GMAIL, June 2012. TUMBLR, July 2012
  29. The Human Behavior Factor. Source: Google Research Paper “Alice in Warningland”, July 2013
  30. Current Controls: Won't the NGFW/IPS/AV Stop It?
  31. What Are the Experts Saying? “Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn't. We were out of our league, in our own game.” Mikko Hypponen, F-Secure, Chief Research Officer. Source: http://www.wired.com/threatlevel/2012/06/internet-security-fail/
  32. Security Threats Have Evolved… 2001: AntiVirus, Firewall, IPS. 2013: AntiVirus, Firewall, IPS. Sources: Gartner, Imperva analysis
  33. Security Redefined: Forward Thinking
  34. The DISA Angle: “In the past, we've all been about protecting our networks—firewall here, firewall there, firewall within a service, firewall within an organization, firewalls within DISA. We've got to remove those and go to protecting the data” Lt. Gen. Ronnie Hawkins Jr. – DISA. AFCEA, July 2012
  35. Rebalance Your Security Portfolio
  36. Assume You Can Be Breached
  37. Incident Response Phases for Targeted Attacks: Reduce Risk; Size Up the Target; Prevent Compromise; Compromise A User; Detection; Initial Exploration; Containment; Solidify Presence; Impersonate Privileged User; Insulate sensitive data; Password Remediation; Steal Confidential Data; Device Remediation; Cover Tracks; Post-incident Analysis
  38. Webinar Materials: Join Imperva LinkedIn Group, Imperva Data Security Direct, for… • Post-Webinar Discussions • Webinar Recording Link • Answers to Attendee Questions
  39. Questions? www.imperva.com
  40. Thank You!
