Что придумала индустрия ИБ, чтобы заработать еще денег
Industrialized hackingJust as the Industrial Revolution advanced methods and accelerated assembly from single to mass production in the 19th century, today's cybercrime industry has similarly transformed and automated itself to improve efficiency, scalability and profitability. What are the key characteristics of an industrialized attack?It's ROI focused. All involved parties work to increase the bottom line, similar to the way a business works to maximize gain with as little investment as possible. It's not personal. Automated attacks do not target specific individuals. Rather, they target the masses, both enterprises and users, using general selection criteria. For example, a botnet that drives mass SQL injection attacks or brute force password attacks will not discriminate between large or small organizations.It's multilayer. Each party involved in the hacking process has a unique role and uses a different financial model.It's automated. Botnets, armies of unknowingly enlisted computers controlled by hackers, scan and probe the web seeking to exploit vulnerabilities and extract valuable data, conduct brute force password attacks, disseminate spam, distribute malware and manipulate search engine results.Common attack types include:Data theft or SQL injections. Data theft is most commonly administered through SQL injection. Between January and June of 2009, IBM reported nearly 250,000 daily SQL injection attacks on websites around the world. Imperva researchers reported the use and deployment of SQL injections as the top chat topic on hacker forums. For example, the 2009 assault against Heartland Payment Systems, which resulted in 130 million dollars of lost records, was attributed to SQL injection.Business logic attacks. Recently, web application hackers have begun to develop attacks that target vulnerabilities in the business logic, rather than in the application code. Business logic attacks often remain undetected. In fact, most business logic vulnerabilities are hard to anticipate and detect using automated test tools, such as static code analyzers, and vulnerability scanners. Often, attack traffic resembles normal application traffic. Attacks are usually not apparent from code and are too diverse to be expressed through generic vulnerability scanner tests. A recent hack against Durex India highlights how this type of attack works.Denial of service attacks. This type of attack is usually executed as part of a blackmail scheme that forces application owners to pay a ransom to free their application from the invasion of useless traffic. For instance, attackers will threaten to shut-down online gambling sites for a particular ransom.
Advanced persistent threats (APT) are driven, usually, by government agencies or their terrorist counterparts. Rarely are APTs led by political or commercial organizations. However, in some cases, marginal threats do arise from obsessed individuals and legitimate commercial organizations. What are the key characteristics of APT hacking?It's very personal. The attacking party carefully selects targets based on political, commercial and security interests. Social engineering is often employed by an APT.It's persistent. If the target shows resistance, the attacker will not leave, but rather change strategy and deploy a new type of attack against the same target. The attacker may also decide to shift from an external threat to an internal threat.Control focused. APTs are focused on gaining control of crucial infrastructure, such as power grids and communication systems. APTs also target data comprised of intellectual property and sensitive national security information. Personal data, however, is of no interest. Surprisingly, APT hackers are not as concerned with costs or revenue. Thus, large budgets may be thrown against individual targets with no “financial” justification. How can you quantify state security?It's automated, but on a small scale. Automation is used to enhance the power of an attack against a single target, not to launch broader multi-target attacks.It's one layer. One party owns and controls all hacking roles and responsibilities. In fact, the most serious government organizations operate their own botnets (or at least take control of parts of botnets).
Advanced targeted threats can easily evade conventional perimeter and content security, software vulnerabilities are rampant, insider threats are a constant, and consumerization and mobility open the network even further to exploitation. Stuxnet, Wikileaks, RSA, Epsilon breaches are the latest demonstration of the advanced exploits and damages facing the modern enterprise
And this is what Fidelis XPS sees.In addition to fully decoding the protocols and applications traversing the network (and doing so in a completely port-independent way), the Fidelis XPS Deep Session Inspection architecture gives you full visibility into all content at every level so you can “see” sensitive and/or malicious content no matter how deeply encoded, embedded and/or compressed it might be. And our Deep Session Inspection architecture also lets you do something about it when you see it, such as taking a real-time, policy based alerting/recording, visualization or prevention action. The ability to see this deeply into applications and content as they are occurring on the network, make a policy decision based on that information, and take an enforcement action in real-time, before the session completes, is unique to Fidelis XPS.
All hell breaks loose. This is a very interesting PDF, with all kinds of unusual stuff. Let’s look at these alerts.
Mention access to raw packets, downloadable payloads/sessions and decoded forensic details
NAV против APTNetworkAnalysis & Visualization— защита от AdvancedPersistentThreat<br />Михаил КондрашинAPL<br />
Атака на RSA<br />Штатные сотрудники получили сообщение с темой “2011 Recruitment Plan” (они попали, как спам в папки карантина);<br />К письмам был прикреплен файл Excel с внедренным Flash. В последнем был 0-day эксплоит (CVE 20110609), который использовался для загрузки трояна.<br />Троян начал поиск паролей доступа к все более и более значимым компьютерам, пока не получил привилегированный доступ к той системе, которая была изначальной целью.<br />Желаемые файлы были украдены и отправлены на внешний компьютер (это был взломанный компьютер у хостунг-провайдера).<br />
Защита<br />Не переход на последнюю версию AV/FW/IDS/IPS/DLP/…<br />Не еще одна «коробка с лампочками»NAV/NSM<br />Управление рисками в реальном времени!<br />
Управление рисками в реальном времени<br />DMZ<br />
NAV & NSM<br />Сканирование сети<br />Анализ потоков данных<br />Расследование сетевых инцидентов<br />Анализ сетевых метаданных<br />Захват и анализ сетевых пакетов<br />Network Analysis & VisualizationNetwork Security Monitoring <br />
Жизненный цикл<br />Установить базовый уровень защиты<br />Обновить информацию об угрозах<br />Контролировать и изучать сетевой трафик<br />Расследовать возможную угрозу<br />Инициировать процесс реакции на инцидент или обновить защиту<br />Перейти к шагу 1. <br />
Секретный ингредиент: Deep Session Inspection®<br />
Полностью очищенная луковица<br />Вот, что видит Deep Session Inspection:<br />Полное декодирование на всех портах, протоколах и приложениях<br />Полная видимость всего содержимого на всех уровнях<br />Уведомление, сохранение и блокировка на основе установленных правил в реальном времени<br />Стеваясессия<br />