APT Webinar
  1. ADVANCED PERSISTENT THREAT: BREAKING THE ATTACK CYCLE
     Presented by: Joe Schorr, Enterprise Security Practice Manager
     800.747.8585 | help@cbihome.com
  2. CBI Introduction
     Information Technology and Security Solutions Provider
     • Symantec Partner of the Year, Finalist
     • Symantec Platinum Partner
     • Globally capable, superior technical service
     Experienced Professionals
     • Operating for 20 years, serving more than 500 clients worldwide
     • Broad customer base ranging from mid-size to Fortune 100
     Experienced in a Variety of Industries
     • Healthcare • Government • Banking & Financial Services • Legal • Manufacturing • Retail • Education
  3. Enterprise Security Practice
     Joe Schorr: Enterprise Security Practice Manager
     • Managing Consultant for the BT Ethical Hacking Center of Excellence
     • CIO for a large non-profit
     • Global Program Manager, International Network Services
     Practice areas (diagram): Endpoint Management, Enterprise Security, Server Management, Datacenter Management, IT GRC
  4. APT Defined
     APT is a group of sophisticated, determined and coordinated attacks and attackers that have been systematically targeting, exploiting and compromising U.S. Government and private networks.
  5. "APT"
     Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target's posture.
     Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.
     Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term "threat" with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn't degrade or deny data). Rather, the adversary here is a threat because it is organized, funded and motivated. Some people speak of multiple "groups" consisting of dedicated "crews" with various missions.
  6. Security Trends
     Three pressures (diagram): Challenging Threat Landscape, Evolving Infrastructure, Increasing Complexity
     Factors shown: malicious insiders, targeted attacks, increasing financial and brand risk, data growth, compliance requirements, mobile, virtualization, vendor complexity, cloud
  7. Recent Events & Evidence
     A picture of the hacking software shown during the Chinese military program. The large writing at the top says "Select Attack Target." Next, the user chooses an IP address to attack from (it belongs to an American university). The drop-down box is a list of Falun Gong websites, while the button on the left says "Attack."
  8. RSA and .gov Contractors (image slide)
  9. Ever wonder? (image slide)
  10. RSA wasn't alone. http://krebsonsecurity.com/
  11. Smoking gun http://krebsonsecurity.com/
  12. STUXNET (image slide)
  13. 'Duqu' the Son of STUXNET (image slide)
  14. Attack Cycle
     • Step 1: Reconnaissance
     • Step 2: Delivery of exploit; enter target
     • Step 3: Create backdoor; contact Command & Control (C&C) servers
     • Step 4: Obtain user credentials; install tools; escalate privileges
     • Step 5: Data theft and exfiltration
     • Step 6: Persistence; residency
  15. What does this look like?
     1. Target selected from shopping list
     2. Passive searching ('Google-Fu')
     3. Cyber-stalking via Facebook and LinkedIn
     4. Select individuals for spear-phishing attack
     5. Social-engineer custom mail to targets
     6. Payload deploys, begins harvest of credentials
     7. 'Owns' servers and establishes backdoor, establishes tunnels, typically via ports 443 and 53
     8. Take data, encrypt and compress it, and send it home
     9. Dormancy until further orders
  16. Some APT Attack Components
     • Blended weaponized STUXNET clones
     • Endpoint compromise
     • CA attacks
  17. 6 Recommendations
     MONITOR! Yes, this means SIM (security information management), and it also means reviewing what your monitoring reports DAILY. If you have challenges in this area, consider a managed security services (MSS) solution.
     MANAGE! your access control systems. User management and passwords are not sexy, but weak management of this important, basic operational task provides a HUGE attack vector.
     ENGINEER! your WHOLE network to be secure. The security architecture is not just routers and firewalls. Server, endpoint and application security are just as important to a healthy, well-defended enterprise.
     PATCH! Don't let the 'I'll wait for others to go first...' mentality lead to inertia. Bad patch management has a direct role in most server and application exploits.
     TEST! your security. Early and often.
     STOP! the leaks.
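The detection side of slides 14 and 15 (step 3's C&C contact and step 7's tunnels over ports 443 and 53) can be illustrated with two heuristics run over connection and DNS logs. The Python below is an added example written for this page; it is not code from the webinar, from CBI or from Symantec. It embeds constructed Zeek-style conn.log and dns.log records (the 10.0.0.x, 203.0.113.9, 198.51.100.x addresses and the example.net/example.com names are placeholders) and flags, first, outbound flows to one host whose inter-connection gaps are nearly constant (beaconing on 443) and, second, a source that emits many unique, long subdomains of one domain, mostly as TXT queries (DNS tunnelling on 53). The thresholds are assumptions to be tuned per environment.

```python
"""Beacon and DNS-tunnel heuristics for the 'tunnels over 443 and 53' stage.

All records below are constructed to resemble Zeek conn.log / dns.log fields;
they are not captured traffic. Addresses and domain names are placeholders.
"""
import math
import statistics
from collections import defaultdict

# Constructed conn.log-style records: (ts, src_ip, dst_ip, dst_port).
CONN_LOG = [
    # 10.0.0.5 calls 203.0.113.9:443 every ~600 s with sub-second jitter (beacon)
    *[(1000.0 + i * 600 + (i % 3) * 0.5, "10.0.0.5", "203.0.113.9", 443) for i in range(12)],
    # 10.0.0.7 browses normally: irregular gaps, several destinations
    (1010.0, "10.0.0.7", "198.51.100.20", 443),
    (1012.0, "10.0.0.7", "198.51.100.20", 443),
    (1500.0, "10.0.0.7", "198.51.100.21", 443),
    (4200.0, "10.0.0.7", "198.51.100.20", 443),
    (4300.0, "10.0.0.7", "198.51.100.22", 443),
    (9000.0, "10.0.0.7", "198.51.100.20", 443),
    (9003.0, "10.0.0.7", "198.51.100.20", 443),
    (9100.0, "10.0.0.7", "198.51.100.20", 443),
]

# Constructed dns.log-style records: (ts, src_ip, query, qtype).
DNS_LOG = [
    # 10.0.0.5 sends 25 unique 32-character hex labels under one domain as TXT queries
    *[(2000.0 + i, "10.0.0.5", f"{i * 7919:032x}.updates.example.net", "TXT") for i in range(25)],
    # ordinary lookups from both hosts
    (2100.0, "10.0.0.5", "www.example.com", "A"),
    (2101.0, "10.0.0.7", "www.example.com", "A"),
    (2102.0, "10.0.0.7", "mail.example.com", "A"),
    (2103.0, "10.0.0.7", "www.example.com", "AAAA"),
]


def registered_domain(name):
    # Assumption: the last two labels are the registered domain. Production
    # code should use the Public Suffix List so that e.g. co.uk is handled.
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def detect_beacons(conn_log, min_conns=6, max_cv=0.1):
    """Flag (src, dst, port) flows whose connection gaps are suspiciously regular.

    cv is the coefficient of variation of the inter-connection gaps; human
    browsing produces a large cv, a sleeping implant a very small one.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port in conn_log:
        by_flow[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), times in by_flow.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else math.inf
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port, "count": len(times),
                         "period": mean, "cv": cv})
    return hits


def detect_dns_tunnels(dns_log, min_unique=20, min_label_len=30, txt_fraction=0.5):
    """Flag (src, domain) pairs with many unique, long subdomains or mostly TXT queries."""
    per_domain = defaultdict(lambda: {"names": set(), "label_lens": [], "txt": 0, "total": 0})
    for ts, src, query, qtype in dns_log:
        s = per_domain[(src, registered_domain(query))]
        s["total"] += 1
        s["names"].add(query)
        s["label_lens"].append(len(query.split(".")[0]))  # leftmost label carries the payload
        if qtype in ("TXT", "NULL"):
            s["txt"] += 1
    hits = []
    for (src, domain), s in per_domain.items():
        unique = len(s["names"])
        avg_len = statistics.fmean(s["label_lens"])
        txt_share = s["txt"] / s["total"]
        if unique >= min_unique and (avg_len >= min_label_len or txt_share >= txt_fraction):
            hits.append({"src": src, "domain": domain, "unique": unique,
                         "avg_label_len": avg_len, "txt_share": txt_share})
    return hits


if __name__ == "__main__":
    for b in detect_beacons(CONN_LOG):
        print(f"beacon: {b['src']} -> {b['dst']}:{b['port']} every {b['period']:.0f}s (cv={b['cv']:.3f})")
    for t in detect_dns_tunnels(DNS_LOG):
        print(f"dns tunnel: {t['src']} -> {t['domain']} ({t['unique']} unique names, txt={t['txt_share']:.2f})")
```

Run as-is it reports one beacon (10.0.0.5 to 203.0.113.9:443, about 600 s) and one tunnel candidate (10.0.0.5 under example.net); 10.0.0.7's traffic to 198.51.100.20 has enough connections to be evaluated but its gaps vary too much to be flagged. Real implants add jitter and ride CDN or cloud endpoints, so the beacon check should be paired with destination reputation and the DNS check with per-domain volume baselines.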
  18. Symantec DLP Overview (product diagram)
     • Storage: Symantec Data Loss Prevention Network Discover, Network Protect, Data Insight
     • Endpoint: Symantec Data Loss Prevention Endpoint Discover, Endpoint Prevent
     • Network: Symantec Data Loss Prevention Network Monitor, Network Prevent
     • Management Platform: Symantec Data Loss Prevention Enforce Platform
  19. DLP Progress Model (chart: Incidents Per Week, 0 to 1000, versus Risk Reduction Over Time for Client Company)
     • Baseline: establish initial policies; identify broken business processes
     • Remediation: employee and business unit communication; fix broken business processes
     • Notification: enable EDM/IDM; sender auto-notification
     • Prevention: business unit risk scorecard
  20. EndPoint Progress (same chart as slide 19, applied to the endpoint channel)
  21. Network Progress (same chart as slide 19, applied to the network channel)
  22. Storage Progress (same chart as slide 19, applied to the storage channel)
  23. Desired State for Data Loss
     The primary goals of using Symantec's DLP solution are to:
     1. Protect confidential and regulated data from leaking or misuse, based on corporate business practices
     2. Meet or exceed all government regulatory data protection requirements
     3. Protect the Client Company brand and image
  24. Desired State for Data Loss
     The DLP solution should perform the following functions:
     1. Identify data based on current government regulations and company policies
     2. Be tuned to minimize false positives
     3. Educate users on proper data handling policies
     4. Notify appropriate parties of data leakage or misuse
     5. Block data leakage or misuse
     6. Find sensitive data in file shares and SharePoint
     7. Determine who is using data
  25. Examples of Successful DLP Outcomes
     1. Internet traffic is monitored and incidents are created when suspected or confidential data leaves via email or other web process
     2. Endpoint activity is monitored and incidents are created when suspected or confidential data is transferred to USB drives
     3. Manual searches on datastores can be performed if needed
     4. A general process for handling data breach incidents is established
  26. Recommendations
     1. Upgrade to Symantec Data Loss Prevention version 11.1
     2. Refine existing policies and responses
     3. Run Network Discover scans
     4. Begin using notifications
     5. Deploy Email Network Prevent with Symantec Messaging Gateway
     6. Deploy Web Network Prevent with Symantec Web Gateway or another ICAP proxy server
     7. Deploy Data Insight
  27. Global Intelligence Network
     Identifies more threats, takes action faster and prevents impact
     Locations: Calgary, Alberta; Dublin, Ireland; Reading, England; Tokyo, Japan; San Francisco, CA; Mountain View, CA; Austin, TX; Chengdu, China; Alexandria, VA; Culver City, CA; Taipei, Taiwan; Chennai, India; Pune, India; Sydney, Australia
     Worldwide coverage, global scope and scale, 24x7 event logging, rapid detection
     • Attack Activity: 240,000 sensors; 200+ countries and territories
     • Malware Intelligence: 150M client, server and gateway systems monitored; global coverage
     • Vulnerabilities: 35,000+ vulnerabilities; 11,000 vendors; 80,000 technologies
     • Spam/Phishing: 5M decoy accounts; 8B+ email messages/day; 1B+ web requests/day
     Outputs: preemptive security alerts, information protection, threat-triggered actions
  28. Next Steps
     Security and Advisory Assessments
     • In-depth, consultative engagements
     • Evaluate and improve your overall security program
     • Address specific concerns (e.g. PCI, mobile security issues)
  29. THANK YOU
     jschorr@cbihome.com | @JoeSchorr