The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation Strategies
APTs have become a major topic of conversation – and in some cases, a critical threat – among IT security departments. But the technology and motivation behind APTs have changed significantly since the introduction of Stuxnet, and continue to evolve rapidly to avoid detection.
In this special Dark Reading presentation, a leading expert on the origins and directions of APTs discusses the changing nature of these sophisticated threats – and how you can prepare your enterprise security environment to detect and mitigate these complex and dangerous attacks.


1. The Evolution of Advanced Persistent Threats: The Current Risks & Mitigation Strategies
Sponsored by

2. Webcast Logistics
Optimize your experience today
• Enable pop-ups within your browser
• Turn on your system's sound to hear the streaming presentation
• Questions? Submit them to the presenters at any time on the console
• Technical problems? Click "Help" or submit a question for assistance

3. Featured Presenters
Our knowledgeable speakers today are:
• Tom Parker, Chief Technology Officer and VP Security Services, FusionX
• Paul Zimski, Vice President, Solution Marketing, Lumension

4. Tom Parker - CTO

5. About the Presenter
• Tom Parker: CTO & VP Security Services
  – Dark Reading: Advanced Threats SME/Blogger
  – Over Fifteen Years Securing Multi-National Corporations and Government Institutions
  – Author of multiple publications on Information Security and Cyber Actor Profiling
  – Regular speaker at industry events including Black Hat Briefings and SANS Conferences
(3/28/2013)

6. Threat-Scape Today
• 2012 estimated: $338B cost to the Global Economy
• US "Hemorrhaging" Intellectual Property
• Online Hacktivism has made a significant comeback
• Generally poor understanding of web-based vulnerabilities and threats
• Dynamic threat intent ranges from organized crime monetization to national strategic objectives

7. Threat Time Line
• 2000: ILOVEYOU
• 2001: EP3 Spy Plane incident
• 2001: Code Red
• 2003: SQL Slammer
• 2004: MyDoom
• 2005: Zotob
• 2008: Conficker
• 2009: Operation Aurora (Discovered)
• 2010: Stuxnet (Discovered)
• 2010: Comment Crew Attacks
• 2011: Operation Shady RAT (Discovered)
• 2011: DuQu (Discovered)
• 2012: Flame (Discovered)
• 2013: Comment Crew Report (Disclosed)

8. Change in Technical Focus
• 1990's: Network Based Attacks
• 2001: Code Red
• 2003: Slammer
• 2009: Aurora
• 2011: Shady RAT
• 2012: Client Based Attacks

9. Attackers' Response to Defense
• Broad use of firewall products
  – Focus on a 'hard outer shell'
• Microsoft focus on securing network services
• Implementation of DEP/ASLR for Services
• Lower Service Profile in Default Configurations
  – Resulting in less network attack surface
• Authentication of MSRPC Services
  – And disabling of guest/default accounts

10. APT Who?
• Originated from the US Air Force (circa 2006)
• Originally intended for use regarding China
• Public recognition in 2009 (Google/Aurora)
• Loss of clear meaning due to marketing use

11. Dissecting APT Today
• Advanced:
  – Utilizes 'above average' TTPs
  – Not necessarily just technically advanced
• Persistent:
  – Not a smash-and-grab effort
• Threat:
  – Attempts to coerce technology/users

12. P A T

13. Challenges Understanding Advanced Threats
• 'Advanced' is Subjective
  – Typically contingent on one's experiences
  – And knowledge of the threat spectrum
• Sophistication isn't always a 1 or 0
  – Sophisticated attack preparation
  – Target intelligence
  – Target coercion
• Pesky Acronyms & Commercialization of the Name Space
  – Clouds understanding of already murky waters

14. Defining 'Advanced'
• Sophistication ('advanced-ness') is not a 1 or a 0
  – Shades of grey
• Different attributes of a threat differ in sophistication
  – Attack preparation
  – Initial entry vector
  – Exfiltration method
  – Persistence technologies

15. It's Good to Be SPECIFIC
• This is a complex subject area
• Generalizations, acronyms etc. are counterproductive
• Beware of silver-bullet marketing

16. Threat Spectrum: Tactical Cyber Threats
• Surgical By Nature
• Highly Specific Targeting
• Technologically Sophisticated
• High Cost of Development
• Repeatability Less Significant

17. Threat Spectrum: Strategic Cyber Threats
• Highly Repeatable
• General Targeting:
  – Broad Industry (Energy, Defense etc.)
  – Groups of Individuals (Politicians, Executives)
• Must Have Long-Term Staying Power
• Less Sophisticated in Comparison
• Low Cost to Develop & Maintain

18. Threat Spectrum Today
• Espionage
  – Highly Strategic
  – Industrial Attacks
  – Government (and DIB) Targets
• Organized Crime
  – Strategic
  – Financially motivated
  – Civilian & Private Organization targets

19. Strategic: Espionage
• Highly Strategic
• Industrial Attacks
  – Gas & Oil
  – Manufacturing
• Government (and DIB) Targets
  – Defense Contractors
  – Research Organizations
  – Political & Other High-Ranking Figures
• Examples: Shady RAT, Aurora, Night Dragon

20. Strategic: Organized Crime
• Strategic
• Financially motivated
• Civilian & Private Organization targets
• Who:
  – Eastern European Crime Rings
  – US/Domestic Crime Groups
  – Mexican Cartels

21. Tactical: Subversive Operations
• Tactical
  – Typically augmenting other activities (e.g. military)
• Motivations vary, often a force multiplier
• Examples: Estonia, Georgia, Stuxnet
• Who? Well-funded private entities & governments
  – US, UK, Israel, Germany, France + ???

22. Strategic: Socio-Political Attacks
• Strategic:
  – Often intended to elevate awareness of a topic
• Relatively Unsophisticated
  – Currently favoring lower-hanging fruit via:
    • SQL Injection, [D]DoS, etc.
• Examples:
  – Anonymous, Radical Muslim Groups, Others

23. Threat Scape Summary
• Critical not to generalize the threat
• No two adversaries are identical
  – Motivation
  – Capabilities

24. Adversaries Under the Microscope
• Organized Crime
  – Fairly well understood today
    • Monetization Methods
    • Enterprise organizational structures
      – Bot herders, skimmers, cash-outs, vuln acquisition
    • Linkage back to conventional crime rings
    • And links to states & radical groups
• Espionage much less well understood

25. The C-word
• Many companies/countries reluctant to call out the C-word: largely due to operations/relationships at stake
• Large sums of credible evidence in the public domain implicating Chinese Adversaries
• Little public diplomatic activity between US/China
• "Techniques appear consistent with authoritative Chinese military writings" (US-China Economic and Security Review Commission, USCC)
• "This report is untrue and has ulterior motives. It's not worth a comment" (Chinese Foreign Ministry spokesperson)
• Attacks attributed to Chinese Actors
  – State-level participation not publicly proven

26. Chinese Intelligence Doctrine
• More is better!
  – Large sums of data gathered
  – Significance of data unrealized
  – Future analytical efforts realize the use of stolen data
• Strategy:
  – Fifty-Year Plan, not eight years

27. Chinese Hacker Communities
• High Degree of Safety Behind the Monitor
• Cultural Prioritization:
  1. Country
  2. Self
  3. Employer
• Extremely active research community
  – Forums, code sharing, IRC, etc.

28. Finding a Smoking Gun
• Not easy
• ROI is not immediate
  – May be tomorrow, could be in fifty years
• Some real-world impacts do exist
  – Such as M&A activity leveraging stolen data

29. Adversary Success Factors
• Organizations Forgetting the Basics
  – Poor network segmentation
  – Excessive account privileges
  – Third-party software patching
  – Poor asset management practices
  – Insecure or non-existent system baselines
  – Insecure remote access solutions (endpoints)
  – Over-reliance on silver-bullet solutions

30. Direction of the Threat
• If it isn't broken...
• While TTPs aren't static, the overall approach remains
• Status quo will remain until defensive posture changes
  – This process will likely take years
• Offense is generally easier than defense
  – The adversary can adapt more quickly than today's technology

31. Once We Do Adapt
• Lots left in the funded adversary's tool chest:
  – Supply chain influences
  – Insider placement
  – Resurgence of network-based attacks
    • Particularly against cloud providers
  – Targeting of more obscure technologies

32. Disrupting APTs at the Endpoint
33. What is the APT "Kill Chain"?
The "kill chain" is simply the phases of an attack progression. As defined by security researchers at global defense company Lockheed Martin Corp., the kill chain of an APT intrusion is comprised of seven links (or steps):
1. Reconnaissance: Identify targets.
2. Weaponization: Create a customized malware payload.
3. Delivery: Transmit the payload, typically through an email attachment, website or USB drive.
4. Exploitation: Trigger the payload, usually via a vulnerability.
5. Installation: Establish a foothold to persist within the target.
6. Command and control: "hands on the keyboard" access to the environment.
7. Actions on objectives: Execute toward goals, typically to steal data.
http://papers.rohanamin.com/wp-content/uploads/papers.rohanamin.com/2011/08/iciw2011.pdf

34. Disrupting APT Payload Delivery on Endpoints
Delivery: Transmission of the weapon to the targeted environment. The three most prevalent delivery vectors for weaponized payloads by APT actors, as observed by the Lockheed Martin Computer Incident Response Team (LM-CIRT) for the years 2004-2010, are email attachments, websites, and USB removable media.
Endpoint controls:
• USB blocking w/ Device Control
• File-type filtering from USB-to-Endpoint
• AntiVirus with Heuristics Enabled
• Browser or gateway URL Filtering

Exploitation: After the weapon is delivered to the victim host, exploitation triggers the intruders' code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code.
Endpoint controls:
• Patch Management and Configuration Management to prevent known vulnerabilities
• Memory / Buffer Overflow protection / DEP
• End User Security Awareness & Training

Installation: Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment.
Endpoint control:
• Application Control

35. Defense-in-Depth Strategy
Successful risk mitigation starts with a solid vulnerability management foundation, augmented by additional layered defenses which go beyond the traditional blacklist approach.
• AV: Control the Bad
• Device Control: Control the Flow
• HD and Media Encryption: Control the Data
• Application Control: Control the Gray
• Patch and Configuration Management: Control the Vulnerability Landscape

36. Layered Approach for Mitigation
» Maintain strong patch management practices
» Enable native memory security controls in Windows, including DEP and ASLR, to limit the success of generic memory-based attacks
» Deploy advanced memory-injection attack protection, including RMI and Skape/JT, to interrupt advanced memory attacks
» Utilize application control/whitelisting to defend against unknown payloads
» Use Device Control to block USB-borne malware
» Blacklist outdated plugin versions
» Adopt the concept of least privilege for end users
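The layers on slides 34 and 36 are easy to list and easy to leave half-configured. The PowerShell audit below is an added example for this page, not code from the webcast or from any Lumension product; it checks the DEP, ASLR, USB storage, application control and least-privilege layers on a single endpoint and returns a pass/fail row per control. It assumes Windows 10 / Server 2016 or later with PowerShell 5.1, an elevated prompt, and the AppLocker and LocalAccounts modules; the function names, registry paths and pass thresholds are the editor's choices, not the presenters'.

```powershell
# Added audit script (not from the webcast or any Lumension product): checks an
# endpoint against several of the mitigation layers on slide 36 and returns one
# object per control. Assumptions: Windows 10 / Server 2016+, PowerShell 5.1,
# run elevated. Registry paths and thresholds are the editor's choices.

function Get-DepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut.
    # OptIn covers only Windows binaries and apps that ask for DEP, so it fails here.
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $value = [int](Get-CimInstance -ClassName Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    [pscustomobject]@{ Control = 'DEP'; Value = $names[$value]; Pass = (@(1, 3) -contains $value) }
}

function Get-AslrPolicy {
    # System-wide ASLR is on by default; MoveImages = 0 under Memory Management turns it off.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $move = (Get-ItemProperty -Path $key -Name MoveImages -ErrorAction SilentlyContinue).MoveImages
    $text = if ($null -eq $move) { 'default (enabled)' } else { "MoveImages=$move" }
    [pscustomobject]@{ Control = 'ASLR'; Value = $text; Pass = ($move -ne 0) }
}

function Get-UsbStoragePolicy {
    # USBSTOR Start = 4 disables the USB mass-storage driver; 3 (on demand) is the default.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{ Control = 'USB storage'; Value = "Start=$start"; Pass = ($start -eq 4) }
}

function Get-AppLockerState {
    # Application control: count rule collections with EnforcementMode=Enabled in the
    # effective AppLocker policy, and confirm the Application Identity service is running.
    if (-not (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ Control = 'AppLocker'; Value = 'module not available'; Pass = $false }
    }
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $enforced = @($policy.AppLockerPolicy.RuleCollection | Where-Object { $_.EnforcementMode -eq 'Enabled' })
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $running = ($null -ne $svc -and $svc.Status -eq 'Running')
    [pscustomobject]@{
        Control = 'AppLocker'
        Value   = "$($enforced.Count) enforced collection(s); AppIDSvc $($svc.Status)"
        Pass    = ($enforced.Count -gt 0 -and $running)
    }
}

function Get-LocalAdminExposure {
    # Least privilege: enumerate the local Administrators group by well-known SID (works
    # on non-English builds). Any user account other than the built-in RID-500
    # Administrator is treated as a finding; groups such as Domain Admins are listed only.
    $members = @(Get-LocalGroupMember -SID 'S-1-5-32-544')
    $extra   = @($members | Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -notlike '*-500' })
    [pscustomobject]@{
        Control = 'Local admins'
        Value   = ($members.Name -join ', ')
        Pass    = ($extra.Count -eq 0)
    }
}

function Invoke-EndpointAudit {
    # Returns one object per control; pipe to Format-Table or Export-Csv.
    @(
        Get-DepPolicy
        Get-AslrPolicy
        Get-UsbStoragePolicy
        Get-AppLockerState
        Get-LocalAdminExposure
    )
}

Invoke-EndpointAudit | Format-Table Control, Pass, Value -AutoSize
```

Run it as-is to print the table, or pipe `Invoke-EndpointAudit` into `Export-Csv` to collect results across a fleet. `OptIn` DEP counts as a failure because it protects only Windows components and applications that request it, which leaves most third-party plugins (the payload carriers on slide 34) uncovered. On Windows 10 1709 and later, `Get-ProcessMitigation -System` gives a finer-grained view of the ASLR and DEP settings than the single registry value checked here, and a device-control product will normally enforce USB policy through its own driver rather than the `USBSTOR` start value, so treat that row as a baseline check rather than proof of enforcement.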
37. End Users Are Your Weakest Link
• Be Aware of What You Share – End User Resource Center: http://www.lumension.com/be-aware

38. More Information
• Free Security Scanner Tools
  » Vulnerability Scanner – discover all OS and application vulnerabilities on your network
  » Application Scanner – discover all the apps being used in your network
  » Device Scanner – discover all the devices being used in your network
  http://www.lumension.com/special-offer/premium-security-tools.aspx
• Lumension® Endpoint Management and Security Suite
  » Online Demo Video: http://www.lumension.com/Resources/Demo-Center/Vulnerability-Management.aspx
  » Free Trial (virtual or download): http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx
• Get a Quote (and more): http://www.lumension.com/endpoint-management-security-suite/buy-now.aspx#2

39. Questions?
Submit questions to the presenters via the on-screen text box
• Tom Parker, Chief Technology Officer and VP Security Services, FusionX
• Paul Zimski, Vice President, Solution Marketing, Lumension

40. Thank you for attending
Please visit our sponsor and any of the resources below:
• www.darkreading.com/event
• www.lumension.com/special-offer/premium-security-tools.aspx?rpLeadSourceId=L4224