Cognitive Security - Anatomy of Advanced Persistent Threats ('12)

Check out my blog "Multiscreen & OTT for the Digital Generation" @ gdusil.wordpress.com.

“Advanced Persistent Threats”, or APTs, refers to low-level attacks used collectively to launch a targeted and prolonged campaign. The goal is to gain maximum control inside the target organization. APTs pose serious concerns to a security management team, especially as APT toolkits become commercially and globally available. Today’s threats involve polymorphic malware and other techniques designed to evade traditional security measures. Best-in-class security solutions now require controls that do not rely on signature-based detection, since APTs are “signature-aware” and designed to bypass traditional security layers. New methods, such as behavioral analysis, are needed to combat these threats. Network Behavior Analysis proactively detects and blocks suspicious behavior before significant damage can be done by the perpetrator. This presentation provides some valuable statistics on the growing threat of APTs.


  1. Gabriel Dusil, VP, Global Sales & Marketing. www.facebook.com/gdusil, cz.linkedin.com/in/gabrieldusil, gdusil.wordpress.com, dusilg@gmail.com
  2. Experts in Network Behavior Analysis. www.cognitive-security.com, © 2012, gdusil.wordpress.com. Download the native PowerPoint slides here: http://gdusil.wordpress.com/2012/04/15/anatomy-of-advanced-persistent-threats/ Or, check out other articles on my blog: http://gdusil.wordpress.com
  3. Old threats were IT oriented: fame & politics, boredom & personal challenge. New threats focus on ROI: fraud & theft. Criminals now take a strategic approach to cybercrime; companies now compensate by building higher walls. Battles may have been won & lost on both sides... but the war is far from over.
  4. People + Process + Technology = Business Challenges
  5. Definitions used in this deck:
     • Vulnerability: a bug, glitch, hole, or flaw in a network, application or database
     • Exploit: an attack developed to take advantage of a vulnerability
     • An attack on a selection of vulnerabilities to control a network, device, or asset
     • Patch: software designed to fix a vulnerability and otherwise plug security holes
     • Zero-day: an attack against an unknown vulnerability, with no known security fix
     • Advanced Persistent Threat: methodical, long-term covert attacks, using many tools to steal information
  6. Anatomy of an APT:
     • Blended threats: include embedded URLs that link to an infected web page; employ social engineering to encourage click-through.
     • Infected websites: the victim visits a legitimate site infected by malware (e.g. cross-site scripting, or iframe compromise).
     • Malware tools: back-door downloaders, keyloggers, scanners & password stealers; polymorphic design to escape AV detection.
     • Infected PCs (bots): once inside the network, infiltrating or compromising data is easy; some DDoS attacks can originate from internal workstations.
     • Command & Control (C2): remote servers operated by the attacker control victim PCs; activity occurs outside of normal hours, to evade detection.
     • Management console: interface used to control all aspects of the APT process; enables attackers to install new malware & measure success.
  7. Network indicators of an Advanced Persistent Threat:
     • Heavy DNS use & sophisticated scans
     • Periodic polling (Command & Control)
     • Unexpected new service or outlier client
     • Outbound encrypted sessions (e.g. SSH)
     • Peer-to-peer network behavior
     • Unclassified behavior / unexpected anomaly
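The indicators on slides 6 and 7 are the kind of thing NetFlow-based behavior analysis looks for without any signature. The following is an added example, not code from the deck or from Cognitive Security: it runs four of those indicators (periodic polling, heavy DNS, outbound SSH from a non-admin host, and a port-fingerprinting sweep) over constructed flow records. The flow layout (start_seconds, src, dst, dst_port, proto, bytes), the 10.0.0.0/8 "internal" convention, the admin-host list and every threshold are assumptions; a real deployment would feed NetFlow/IPFIX exports into the same functions and tune the thresholds against its own baseline.

```python
"""Flow-level APT indicators over constructed NetFlow-style records (added example)."""
from collections import defaultdict
from statistics import mean, median, pstdev

INTERNAL_PREFIX = "10."                 # assumption: a single internal range
ADMIN_HOSTS = frozenset({"10.0.0.2"})   # assumption: hosts allowed to SSH out


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def sample_flows():
    """Constructed records; none of this is captured traffic."""
    flows = []
    # C2 beacon: same external dst:443 every ~600 s with a little jitter
    for i, jitter in enumerate([0, 3, -2, 4, -1, 2, 0, -3]):
        flows.append((i * 600 + jitter, "10.0.0.7", "203.0.113.5", 443, "tcp", 410))
    # Ordinary browsing: irregular timing, varied destinations and sizes
    for t, dst, nbytes in [(30, "93.184.216.34", 52000), (95, "198.51.100.8", 12000),
                           (400, "93.184.216.34", 9000), (1700, "198.51.100.9", 71000),
                           (2100, "93.184.216.34", 300), (3900, "198.51.100.8", 48000),
                           (4100, "203.0.113.9", 5000), (4400, "93.184.216.34", 33000)]:
        flows.append((t, "10.0.0.8", dst, 443, "tcp", nbytes))
    # Normal DNS volume from three hosts
    for host in ("10.0.0.7", "10.0.0.8", "10.0.0.11"):
        for k in range(3):
            flows.append((k * 1000, host, "10.0.0.53", 53, "udp", 80))
    # Heavy DNS from one host (what DGA lookups or DNS tunnelling look like)
    for k in range(40):
        flows.append((k * 60, "10.0.0.9", "10.0.0.53", 53, "udp", 120))
    # Outbound SSH from a workstation, and from an admin host (expected)
    flows.append((1500, "10.0.0.7", "198.51.100.20", 22, "tcp", 9000))
    flows.append((1600, "10.0.0.2", "198.51.100.20", 22, "tcp", 9000))
    # Fingerprinting sweep: one source, one target, many ports, tiny flows
    for port in range(1, 21):
        flows.append((5000 + port, "10.0.0.11", "10.0.0.50", port, "tcp", 60))
    return flows


def periodic_polling(flows, min_flows=6, max_cv=0.05):
    """(src, dst, port) tuples whose inter-flow gaps are nearly constant: C2 polling."""
    times = defaultdict(list)
    for t, src, dst, port, _proto, _nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst, port)].append(t)
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        # coefficient of variation: jittered beacons stay small, human traffic does not
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = round(avg)
    return beacons


def heavy_dns(flows, factor=5.0, min_queries=20):
    """Hosts whose DNS flow count is far above the median host's."""
    counts = defaultdict(int)
    for _t, src, _dst, port, _proto, _nbytes in flows:
        if port == 53:
            counts[src] += 1
    if not counts:
        return []
    typical = median(counts.values())
    return sorted(h for h, c in counts.items() if c >= min_queries and c > factor * typical)


def outbound_encrypted(flows, ports=frozenset({22})):
    """Outbound SSH from hosts not expected to administer external systems."""
    hits = set()
    for _t, src, dst, port, _proto, _nbytes in flows:
        if port in ports and is_internal(src) and not is_internal(dst) and src not in ADMIN_HOSTS:
            hits.add((src, dst, port))
    return sorted(hits)


def port_scans(flows, min_ports=15, max_bytes=100):
    """Many distinct ports on one target, all tiny flows: footprinting/fingerprinting."""
    ports = defaultdict(set)
    for _t, src, dst, port, _proto, nbytes in flows:
        if nbytes <= max_bytes:
            ports[(src, dst)].add(port)
    return sorted((s, d, len(p)) for (s, d), p in ports.items() if len(p) >= min_ports)


def detect(flows):
    """Run every indicator; each returns an empty collection when nothing matches."""
    return {
        "periodic_polling": periodic_polling(flows),
        "heavy_dns": heavy_dns(flows),
        "outbound_encrypted": outbound_encrypted(flows),
        "port_scans": port_scans(flows),
    }


if __name__ == "__main__":
    for kind, hits in detect(sample_flows()).items():
        print(f"{kind}: {hits}")
```

On the constructed data the beacon to 203.0.113.5:443 is reported with a 600 s period, the browsing host is not, 10.0.0.9 is flagged for DNS volume, the workstation's outbound SSH is flagged while the admin host's is not, and the 20-port sweep against 10.0.0.50 is reported. The coefficient-of-variation test is what separates polling from human browsing; attackers who randomise beacon intervals widely will need a different test (for example, counting connections per destination over a day), which is the "unclassified behavior" bucket on the slide.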
  8. Where the attacks are vs. where the spending goes:
     • Web browsers: IE, Firefox, Opera, Safari, plugins
     • Applications: Adobe Flash, codecs, QuickTime
     • Rich, complex environments: Java, Flash, Silverlight, .NET & J2EE
     Layer stack with examples:
     8. Web
     7. Application: HTTP, SMTP, FTP
     6. Presentation: SSL, TLS
     5. Session: SIP
     4. Transport: TCP, UDP
     3. Network: IP
     2. Data link: 802.11, FDDI, ATM
     1. Physical: 1000Base-T, E1
     % of security attacks: 80% applications, 20% network. % of security spending: 10% applications, 90% network.
  9. Chart. Source: IBM X-Force Mid-year Trend & Risk Report, 2011
  10. Chart. Source: IBM X-Force Mid-year Trend & Risk Report, 2011
  11. “The Zeus Trojan... will continue to receive significant investment from cybercriminals in 2011.” “The aptly named Zeus, ... targeting everything from bank accounts to government networks, has become extremely sophisticated and is much more.” Source: Cisco Annual Security Report, 2011
  12. “Going into 2012, security experts are watching vulnerabilities in industrial control systems & supervisory control & data acquisition systems, also known as ICS/SCADA.” Source: Cisco Annual Security Report, 2011
  13. Chart. Source: Cisco Annual Security Report, 2011
  14. “[Hacking] Breaches... can be because they may contain sensitive data on clients as well as employees that even an average attacker can sell on the underground economy.” Source: OSF DataLoss DB; Symantec Internet Security Threat Report, Apr 2011
  15. Chart. Source: Verizon 2011 Data Breach Investigations Report
  16. Chart: % of breaches / % of records. Footprinting and fingerprinting: automated scans for open ports & services.
  17. Primary targets are bank accounts. Source: McAfee Threats Report, Q2 2010
  18. Botnet scale:
     • Up to 6,000 different botnet Command & Control (C&C) servers are running every day
     • Each botnet C&C controls an average of 20,000 compromised bots
     • Some C&C servers manage between tens and hundreds of thousands of bots
     • Symantec reported an average of 52,771 new active bot-infected computers per day
     Sources: Arbor Networks ATLAS, http://atlas.arbor.net/summary/botnets; ShadowServer Botnet Charts, www.shadowserver.org/wiki/pmwiki.php?n=Stats.BotnetCharts
  19. Friday is the busiest day for new threats to appear. May 13 to June 4, 2010: increased Zeus & other botnet activity. Source: McAfee Threats Report, Q1 2011
  20. Chart: % of breaches / % of records. Source: Verizon 2011 Data Breach Investigations Report
  21. Industry views:
     • Gartner estimates that the global market for dedicated NBA revenue will be approximately $80 million in 2010 and will grow to approximately $87 million in 2011. (Gartner, Network Behavior Analysis Market, Nov 2010)
     • Collecting “everything” is typically considered overkill. Threat analysis at line speeds is expensive & unrealistic; NetFlow analysis can scale to line speeds & detect attacks. (Cisco, Global Threat Report 2Q11)
     • “...attacks have moved from defacement and general annoyance to one-time attacks designed to steal as much data as possible.” (HP, Cyber Security Risks Report, Sep 2011)
  22. Chart. Source: Cisco Global Threat Report 2Q11
  23. Chart. Source: McAfee, Revealed: Operation Shady RAT
  24. Source: http://dealbook.nytimes.com/2011/03/18/ex-goldman-programmer-sentenced-to-8-years-for-theft-of-trading-code/
  25. (image slide, no text)
  26. Challenges:
     • Integrate with SIEM
     • Provide a way for automated blocking
     • Handling of high-bandwidth traffic
     • Mapping IP addresses to subscribers
     • Processing of incidents
     • 5x7 and 24x7 support
     • Handling links with minimum latency
     • No additional point of failure
     • No modifications of the existing infrastructure
     • Integrate into the existing reporting
  27. Protect critical network infrastructure: legacy network, traffic going to the Internet, internal VoIP traffic. Protect cable & GPRS subscribers against: botnets, DNS attacks, zero-day attacks, low-profile attacks, SYN flood & ICMP attacks, service misuse. Protection against APT, zero-day attacks, botnets and polymorphic malware.
  28. Protection of design secrets throughout the R&D process; high-end databases from theft. Databases contain development & testing of new compounds & medicines. Theft of intellectual property: secrets lost to competitors or foreign governments. Security is needed to protect corporate assets: Sales Force Automation, channel management, CRM systems, Internet marketing. C-TPAT, Customs & Trade Partnership Against Terrorism: http://www.cbp.gov/xp/cgov/import/commercial_enforcement/ctpat/
  29. A global industry exposed to security risks from competitors or government-sponsored attacks. Supply chain security: R&D, chemicals, production, sales channels; cross-country & cross-company; Indian & Chinese emergence; chemicals used for terrorism. Mandatory retention of data; protection from APT attacks; unauthorized access from both internal and external agents. REACH (Registration, Evaluation, Authorization and Restriction of Chemicals) is a European Union law, regulation 2006/1907 of 18 December 2006. REACH covers the production and use of
  30. Cybersquatting: registration of domain names containing a brand, slogan or trademark to which the registrant has no rights. Understanding the topology across the supply chain can assist security experts in identifying potential weak spots. UKSPA, What are the top security threats facing the research sector? http://www.ukspa.org.uk/news/content/2562/what_are_the_top_security_threats_facing_the_research_sector
  31. Diagram of the NBA security workflow, covering: behavioral analysis, cyber-attack detection, attack location ID, IP or AS blocking, security monitoring, maximize QoS, risk analysis, incident response, attack validation, blocking policies, inform subscriber. IP = Internet Protocol, AS = Autonomous System, QoS = Quality of Service, SRMB = Security Risk Minimal Blocking
  32. Recommendations from the Cisco Global Threat Report 2Q11:
     • Collaborate & share knowledge.
     • Baseline, to detect anomalous events.
     • Use location IDs so alerts are more “human-readable.”
     • Take an analytical approach to detecting APTs.
     • Use NetFlow to support incident response.
     “Combining the above approaches can help security teams more quickly identify and remediate intrusions and help avoid potential losses.”
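"Baseline, to detect anomalous events" is the step that turns flow records into the "unexpected new service or outlier client" indicator from slide 7. As an added example (not code from the deck or from Cognitive Security), the block below learns a per-host profile from a quiet training window and then reports, in a later window, clients never seen before, destination ports a host never used before, and hours whose outbound byte count sits far above that host's baseline. The flow layout (hour, src, dst, dst_port, bytes_out), the training data, the three-sigma rule and the 1 MB floor are all assumptions.

```python
"""Baseline-then-deviate detection over constructed hourly flow summaries (added example)."""
from collections import defaultdict
from statistics import mean, pstdev


def sample_windows():
    """Constructed data: a quiet 24-hour training window, then a 6-hour window to check."""
    training, current = [], []
    for host in ("10.0.0.5", "10.0.0.6"):
        for h in range(24):
            training.append((h, host, "10.0.0.53", 53, 5_000))
            training.append((h, host, "93.184.216.34", 443, 2_000_000 + (h % 5) * 100_000))
            training.append((h, host, "10.0.0.20", 445, 50_000))
        for h in range(6):
            current.append((h, host, "10.0.0.53", 53, 5_000))
            current.append((h, host, "93.184.216.34", 443, 2_100_000))
            current.append((h, host, "10.0.0.20", 445, 50_000))
    # 10.0.0.5 touches a service it never used, then pushes 40 MB out at 02:00
    current.append((1, "10.0.0.5", "198.51.100.40", 3389, 8_000))
    current.append((2, "10.0.0.5", "198.51.100.40", 443, 40_000_000))
    # a client that was never profiled shows up
    current.append((3, "10.0.0.77", "93.184.216.34", 443, 12_000))
    return training, current


def learn_baseline(flows):
    """Per host: the set of destination ports used, and mean/stdev of hourly bytes out."""
    services = defaultdict(set)
    hourly = defaultdict(lambda: defaultdict(int))
    for hour, src, _dst, port, nbytes in flows:
        services[src].add(port)
        hourly[src][hour] += nbytes
    volume = {}
    for host, by_hour in hourly.items():
        vals = list(by_hour.values())
        volume[host] = (mean(vals), pstdev(vals) if len(vals) > 1 else 0.0)
    return {"services": dict(services), "volume": volume}


def detect_deviations(baseline, flows, sigma=3.0, min_bytes=1_000_000):
    """Flag never-seen clients, never-seen services per host, and hourly byte-out outliers."""
    findings = []
    hourly = defaultdict(lambda: defaultdict(int))
    for hour, src, _dst, port, nbytes in flows:
        known = baseline["services"].get(src)
        if known is None:
            if ("new_client", src) not in findings:
                findings.append(("new_client", src))
            continue                      # no profile to compare volume against
        if port not in known and ("new_service", src, port) not in findings:
            findings.append(("new_service", src, port))
        hourly[src][hour] += nbytes
    for host, by_hour in sorted(hourly.items()):
        mu, sd = baseline["volume"][host]
        for hour, total in sorted(by_hour.items()):
            # min_bytes keeps a quiet host's tiny jitter from tripping the sigma test
            if total >= min_bytes and total > mu + sigma * sd:
                findings.append(("volume_outlier", host, hour, total))
    return findings


if __name__ == "__main__":
    training, current = sample_windows()
    for finding in detect_deviations(learn_baseline(training), current):
        print(finding)
```

The training window must itself be clean, or the attacker's traffic becomes part of "normal"; in practice the baseline is rebuilt on a rolling window and reviewed when it shifts. The unprofiled client is reported once and skipped for the volume test, since there is nothing to compare it against.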
  33. (image slide, no text)
  35. Keywords: Network Behavior Analysis, NBA, Cyber Attacks, Forensics Analysis, Normal vs. Abnormal Behavior, Anomaly Detection, NetFlow, Incident Response, Security as a Service, SaaS, Managed Security Services, MSS, Monitoring & Management, Advanced Persistent Threats, APT, Zero-Day attacks, polymorphic malware, Modern Sophisticated Attacks, MSA, Non-Signature Detection, Artificial Intelligence, AI, Security Innovation, Mobile security, Cognitive Security, Cognitive Analyst, Gabriel Dusil
