2015 Global APT Summit - Understanding APT threat agent characteristics is key to prioritizing risks - Matthew Rosenquist

Global APT Defense Summit Los Angeles
Matthew Rosenquist | Intel Corp
Understanding APT Threat Agent
Characteristics is Key to Prioritizing Risks
February 25, 2015 – Los Angeles, California

Global APT Defense Summit New York #APTSummit2
Agenda
1. The problems with vulnerability based security strategies
2. Threat Agents are the genesis of risks
3. Intersecting the most likely attacks is key
4. APTs present a special case, directed attacks
5. APTs use of Open Source Intelligence (OSINT)
6. Inclusion of Threat Agent Aspects into the Risk Picture
7. Prioritizing your most important exposures

About the Speaker
Matthew Rosenquist
Cybersecurity Strategist, Intel Corp
Matthew Rosenquist is passionate about cybersecurity! Benefiting from 20 years of
experience, he thrives at establishing strategic organizations and capabilities which
deliver cost effective security capabilities. His role is to champion the meaningfulness
of security, advise on emerging opportunities and threats, and advocate an optimal
balance of cost, controls, and productivity throughout the industry.
Mr. Rosenquist built and managed Intel’s first global 24x7 SOC, overseen internal
platform security products and services, was the first Incident Commander for Intel’s
worldwide IT crisis team, and managed security for Intel’s multi-billion dollar worldwide
M&A activities. He has conducted investigations, defended corporate assets,
established policies, developed strategies to protect Intel’s global manufacturing, and
owned the security playbook for the PC strategic planning group. Most recently,
Matthew worked to identify the synergies of Intel and McAfee as part of the creation of
the Intel Security Group, one of the largest security product organizations in the world.

History is Enlightening
“He who defends everything, defends nothing”
– Fredrick the Great

Problems with vulnerability based strategies
Vulnerabilities Exist Everywhere
• Never ending battle, not sustainable
• ‘Vulnerability’ is relative to the threat
• Not efficient on resources
How can we improve defenses?
The Impossible Challenge:
• Identify ALL vulnerabilities
• Close them before they are exploited
• Do it continuously, forever
• For all technology and users

History is Enlightening
“Know your enemy and know yourself and you can fight
a thousand battles without disaster”
– Sun Tsu

Threat Agents are the Genesis of Risks
• Threat Agent archetypes are collective
descriptions of attackers, representing
similar risk profiles
• Intelligent attackers whose Motivations
drive their Objectives
• Attributes such as skills, access, and
resources define their most likely Methods
• Not all archetypes represent a significant
threat to every organization
• Knowing your opposition is very valuable
Organized Criminals
Motivation: Personal Financial Gain
Objectives: Theft of digital assets,
including money & valuables
Methods:
• Compromise payment systems
• Access to financial assets
• Copying IP or resalable data
• Digital ransom (data or access)
• Fraudulent use of digital assets
External Threat Tech Skilled
Indirect AttacksDirect Attacks
Nation-State Cyberwarrior
Methods:
Digital Thief
Methods:

Intersecting the Most Likely Attacks is Key
Attack
Methods
Attacker
Objectives
Threat
Agents
Attack Methods
Attack Methods
Vulnerabilities without
Controls for these attacks
are likely Exposures
Areas of
highest
Exposure
All possible Threats,
Objectives, and Methods
Highest risk Threats,
Objectives, and Methods
Objectiv
es
Threat
Agents
Attack
Method
s
Optimizing
security resources

Targeting Victims…
“Two types of victims exist...
Those with something of value, and those who are easy
targets.
…therefore, don't be an easy target, and protect your
valuables.”

APT’s Present a Special Case
• Indirect Attacks
– Seeks easy targets based upon vulnerability
– Uses methods for widespread attacks for any victim
– “Spray and pray” mentality
– Seeks to satisfy objectives through whichever is the easiest target
• Direct Attacks – APT’s
– Target is selected based upon motivation and objectives
– Easiest path for that target is determined
– “Stalk and Sniper” mentality
– Attacks against target continue until objectives are met
CO N G R AT U L AT I O N S , YO U A R E A W I N N E R
O F T H E I NT E RG A L AC T I C LOT T E RY !
C L I C K O N T H E L I N K T O R E C E I V E Y O U R $ 5
M I L L I O N D O L L A R P R I Z E …
M i ke ,
W h a t a g a m e l a s t n i g ht ! G l a d yo u r s o n
Ro g e r h i t t h a t h o m e r u n ! I t o o k t h i s
v i d e o of h i s g ra n d s l a m i n t h e 6 t h i n n i n g .
C l i c k t h i s l i n k a n d c h e c k i t o u t ! S e e yo u
a t w o r k t o m o r ro w .
- S a m

Phases of a Social Engineering Attack
Source: Hacking the Human Operating System

APT’s use of Open Source Intelligence (OSINT)
APT’s stalk their prey using OSINT
– OSINT is the legal gathering of data without touching the target
– Advanced attackers are seeking the path-of-least resistance
– Understanding their target helps determine the method of attack
– Reconnaissance of a target begins early
– Search engines, social media, job boards, news stories, investor data,
company profiles, suppliers, domain and network ownership
– A wealth of information can be found…in as little as 20 minutes
Recommendation: understand what the world can determine about you

Open Source Intelligence (OSINT)
What could be learned
• Names and details of employees
& corporate officers
• Projects & reporting structure
• Roles and relationships
• Physical and logical locations
• HW, OS and Apps in use
• Security controls
• Trusted Vendors
How it could be used
• Phishing, spear-phishing
• Confidence scams/schemes
• Network & system targeting
• Software vulnerabilities
• Targeting security gaps
• Vendor impersonation/compromise
• Targeted malware
• Custom extortion & manipulation

Inclusion of Threat Agent Aspects into the Risk Picture
• Tools and process
form a sustainable
security capability
• Prediction of threats
feeds intelligent
decisions
• Smart security is the
key to success
Strategic
Cybersecurity
Capability Process
Prevention
Prevent or deter attacks so
no loss is experienced
Prediction
Predict the most likely attacks,
targets, and methods
Response
Rapidly address incidents to
minimize losses and return
to a normal state
Proactive measures to
identify attackers,
their objectives and
methods prior to
materialization of viable
attacks.
Secure the computing
environment with current
tools, patches, updates,
and best-known methods in
a timely manner. Educating
and reinforcing good user
behaviors.
Detection
Identify attacks not
prevented to allow for
rapid and thorough
response
Efficient management of
efforts to contain, repair,
and recover as needed,
returning the environment to
normal operations
Monitor key areas and
activities for attacks which
evade prevention. Identifies
issues, breaches, and attacks

Prioritizing your Most Important Exposures
• Understand the capabilities, methods, & objectives of your APT threats
• Combine threat characteristics with vulnerability analysis to find the
weak areas in your organization most likely to be exploited
• Counter these threats with proper
allocation of resources
Threat prediction can improve Prevention, Detection, and Response

2015 Global APT Summit - Understanding APT threat agent characteristics is key to prioritizing risks - Matthew Rosenquist

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to 2015 Global APT Summit - Understanding APT threat agent characteristics is key to prioritizing risks - Matthew Rosenquist

Similar to 2015 Global APT Summit - Understanding APT threat agent characteristics is key to prioritizing risks - Matthew Rosenquist (20)

More from Matthew Rosenquist

More from Matthew Rosenquist (20)

2015 Global APT Summit - Understanding APT threat agent characteristics is key to prioritizing risks - Matthew Rosenquist