Михаил Кондрашин
Published in: Technology
  • What the security industry came up with to earn some more money
  • Industrialized hacking. Just as the Industrial Revolution advanced methods and accelerated assembly from single to mass production in the 19th century, today's cybercrime industry has similarly transformed and automated itself to improve efficiency, scalability and profitability.

    What are the key characteristics of an industrialized attack?
      • It's ROI focused. All involved parties work to increase the bottom line, similar to the way a business works to maximize gain with as little investment as possible.
      • It's not personal. Automated attacks do not target specific individuals. Rather, they target the masses, both enterprises and users, using general selection criteria. For example, a botnet that drives mass SQL injection attacks or brute-force password attacks will not discriminate between large and small organizations.
      • It's multilayer. Each party involved in the hacking process has a unique role and uses a different financial model.
      • It's automated. Botnets, armies of unknowingly enlisted computers controlled by hackers, scan and probe the web seeking to exploit vulnerabilities and extract valuable data, conduct brute-force password attacks, disseminate spam, distribute malware and manipulate search engine results.

    Common attack types include:
      • Data theft or SQL injection. Data theft is most commonly carried out through SQL injection. Between January and June of 2009, IBM reported nearly 250,000 daily SQL injection attacks on websites around the world. Imperva researchers reported the use and deployment of SQL injection as the top chat topic on hacker forums. For example, the 2009 assault against Heartland Payment Systems, which resulted in 130 million dollars of lost records, was attributed to SQL injection.
      • Business logic attacks. Recently, web application hackers have begun to develop attacks that target vulnerabilities in the business logic rather than in the application code. Business logic attacks often remain undetected. In fact, most business logic vulnerabilities are hard to anticipate and detect using automated test tools such as static code analyzers and vulnerability scanners. Often, attack traffic resembles normal application traffic. Attacks are usually not apparent from the code and are too diverse to be expressed through generic vulnerability scanner tests. A recent hack against Durex India highlights how this type of attack works.
      • Denial of service attacks. This type of attack is usually executed as part of a blackmail scheme that forces application owners to pay a ransom to free their application from the flood of useless traffic. For instance, attackers will threaten to shut down online gambling sites unless a particular ransom is paid.
  • Advanced persistent threats (APT) are usually driven by government agencies or their terrorist counterparts. Rarely are APTs led by political or commercial organizations. However, in some cases marginal threats do arise from obsessed individuals and from legitimate commercial organizations.

    What are the key characteristics of APT hacking?
      • It's very personal. The attacking party carefully selects targets based on political, commercial and security interests. Social engineering is often employed by an APT.
      • It's persistent. If the target shows resistance, the attacker will not leave, but rather change strategy and deploy a new type of attack against the same target. The attacker may also decide to shift from an external threat to an internal threat.
      • It's control focused. APTs are focused on gaining control of crucial infrastructure, such as power grids and communication systems. APTs also target data comprising intellectual property and sensitive national security information. Personal data, however, is of no interest. Surprisingly, APT hackers are not as concerned with costs or revenue. Thus, large budgets may be thrown against individual targets with no "financial" justification. How can you quantify state security?
      • It's automated, but on a small scale. Automation is used to enhance the power of an attack against a single target, not to launch broader multi-target attacks.
      • It's one layer. One party owns and controls all hacking roles and responsibilities. In fact, the most serious government organizations operate their own botnets (or at least take control of parts of botnets).
  • Advanced targeted threats can easily evade conventional perimeter and content security, software vulnerabilities are rampant, insider threats are a constant, and consumerization and mobility open the network even further to exploitation. The Stuxnet, Wikileaks, RSA and Epsilon breaches are the latest demonstrations of the advanced exploits and damage facing the modern enterprise.
  • And this is what Fidelis XPS sees. In addition to fully decoding the protocols and applications traversing the network (and doing so in a completely port-independent way), the Fidelis XPS Deep Session Inspection architecture gives you full visibility into all content at every level, so you can "see" sensitive and/or malicious content no matter how deeply encoded, embedded and/or compressed it might be. The Deep Session Inspection architecture also lets you do something about it when you see it, such as taking a real-time, policy-based alerting/recording, visualization or prevention action. The ability to see this deeply into applications and content as they occur on the network, make a policy decision based on that information, and take an enforcement action in real time, before the session completes, is unique to Fidelis XPS.
  • All hell breaks loose. This is a very interesting PDF, with all kinds of unusual stuff. Let’s look at these alerts.
  • Mention access to raw packets, downloadable payloads/sessions and decoded forensic details

    1. NAV vs. APT
       Network Analysis & Visualization as protection against Advanced Persistent Threats
       Михаил Кондрашин, APL
    2. Contents
       Advanced Persistent Threat (APT)
       Examples of APT
       How to defend?
       Examples of using the defensive tools
    3. Advanced Persistent Threat
       (a sophisticated, persistent threat)
    4. The hacking industry
       ROI
       Not aimed at anyone personally
       Many participants
       Automation
    5. APT
       Personalization
       Persistence
       The goal is control
       Automation on a smaller scale
       A single attacker
       "APT (Advanced Persistent Threat) is not a 'what' but a 'who'" (Josh Corman, The 451 Group)
    6. Examples
    7. Stuxnet
       "Honestly... this is for peaceful home use..."
    8. Aurora
    9. The attack on RSA
       Regular employees received an email with the subject "2011 Recruitment Plan" (it had landed, as spam, in their quarantine folders).
       Attached to the emails was an Excel file with embedded Flash; the Flash contained a 0-day exploit (CVE-2011-0609) that was used to download a trojan.
       The trojan went looking for access passwords to progressively more important computers until it obtained privileged access to the system that was the original target.
       The desired files were stolen and sent to an external computer (a compromised machine at a hosting provider).
   10. Defense
       Not an upgrade to the latest version of AV/FW/IDS/IPS/DLP/...
       Not yet another "box with blinking lights"
       NAV/NSM
       Real-time risk management!
   11. Real-time risk management
       (diagram; label: DMZ)
   12. Trust, but verify
   13. Which port leads to the Internet?
       (diagram; labels: Trusted network, Untrusted network, Untrusted network)
   14. (image only)
   15. NAV & NSM
       Network scanning
       Data flow analysis
       Network incident investigation
       Network metadata analysis
       Packet capture and analysis
       Network Analysis & Visualization / Network Security Monitoring
   16. Lifecycle
       1. Establish a baseline level of protection
       2. Update threat information
       3. Monitor and study network traffic
       4. Investigate the possible threat
       5. Start the incident response process or update the defenses
       6. Go to step 1
   17. Trend Micro Threat Intelligence Manager
   18. Traditional defenses are not enough!
       Empowered Employees & Wikileaks
       Advanced Targeted Threats
       De-Perimeterization
       Virtualization, Cloud, Consumerization & Mobility
       i.e., Stuxnet, Epsilon, Aurora, Mariposa, Zeus, Sony PlayStation, etc.
   19. Threat Intelligence Manager
       (architecture diagram; labels: Office Scan / Incident Discovery; Threat Discovery Appliance / Suspicious Network Behavior; Threat Intelligence Manager / Threat Analysis and Response; Deep Security / System Integrity)
   20. Dashboard
   21. Smart Protection Network statistics
   22. Fidelis XPS
   23. The secret ingredient: Deep Session Inspection®
   24. A fully peeled onion
       Here is what Deep Session Inspection sees:
       Full decoding on all ports, protocols and applications
       Full visibility into all content at all levels
       Alerting, recording and blocking based on configured rules, in real time
       (diagram label: Network session)
   25. What are rules?
       WHAT? (content)
       HOW? (session attributes)
       WHO? (location, reputation)
       AND / OR / NOT
       Actions: Block, Record, Visualize, Redirect, Quarantine, Alert, Encrypt, Notify, Export, Rate limit
   26. What rules are possible?
       Anything that can be put into words:
       "Block social-network applications"
       "Alert on any personal data being sent out outside of regulated business processes"
       "Transfer of personal data to known phishing and malicious sites"
       "Alert on the use of SSL/TLS encryption with suspicious countries outside working hours"
       "Alert on executable files whose extension has been changed"
       "Alert on PDF files with embedded executable code"
       "Alert on encrypted traffic using the wrong algorithm or strength"
       "Alert on sessions with an unknown protocol"
   27. Rules (excerpt from the May update)
   28. What do we want to find?
       JavaScript in PDF
       JavaScript "unescape" in PDF
       Executable in PDF
       Flash in Excel/Word/PowerPoint
       .exe or .scr in .zip or .rar over SMTP
       X in Y under Z circumstances
       THINK FIDELIS!
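The "WHAT / HOW / WHO" rule structure of slide 25 and the "X in Y under Z circumstances" pattern of slide 28 come down to one idea: decide the real content type from the bytes, not from the name, and then combine that with session attributes before choosing an action. The script below is an added illustration, not Fidelis code; the session model, the rule names, the action list and the in-memory sample files (a zip holding an `invoice.scr` stub, a tar renamed `.bin`, an `MZ`-headed blob named `photo.jpg`) are all constructed for this example.

```python
"""Toy "X in Y under Z circumstances" rules in the WHAT / HOW / WHO style of
the slides. Added example, not Fidelis code; the session model, rule names
and sample payloads are constructed for this illustration."""
import io
import tarfile
import zipfile
from dataclasses import dataclass

# WHAT: the real content type comes from magic bytes, never from the claimed name.
MAGIC = [
    (b"MZ", 0, "executable"),      # PE/DOS header
    (b"%PDF", 0, "pdf"),
    (b"PK\x03\x04", 0, "zip"),     # zip local file header
    (b"ustar", 257, "tar"),        # POSIX/GNU tar magic in the first header block
]
EXPECTED_EXT = {"executable": {".exe", ".scr", ".dll"}, "pdf": {".pdf"},
                "zip": {".zip"}, "tar": {".tar"}}


def identify(payload):
    """Return the content type implied by the magic bytes, or 'unknown'."""
    for sig, offset, kind in MAGIC:
        if payload[offset:offset + len(sig)] == sig:
            return kind
    return "unknown"


def ext_of(name):
    return name[name.rfind("."):].lower() if "." in name else ""


@dataclass
class Session:
    protocol: str    # HOW: session attribute (smtp, http, ...)
    filename: str    # HOW: the name the sender claims for the object
    payload: bytes   # WHAT: the decoded content


def rule_masqueraded_type(s):
    """Executable/tar/... whose claimed extension disagrees with its magic bytes."""
    kind = identify(s.payload)
    if kind != "unknown" and ext_of(s.filename) not in EXPECTED_EXT[kind]:
        return "%s content named %r" % (kind, s.filename)
    return None


def rule_exe_in_zip_over_smtp(s):
    """X (.exe/.scr member) in Y (zip archive) under Z (carried over SMTP)."""
    if s.protocol != "smtp" or identify(s.payload) != "zip":
        return None
    with zipfile.ZipFile(io.BytesIO(s.payload)) as z:
        bad = [n for n in z.namelist() if ext_of(n) in {".exe", ".scr"}]
    return "archive member(s) %s" % bad if bad else None


# Each rule is paired with the action the policy takes on a hit (hypothetical policy).
RULES = [("Alert", rule_masqueraded_type), ("Block", rule_exe_in_zip_over_smtp)]


def inspect(s):
    """Evaluate every rule against one session; return (action, rule, reason) hits."""
    hits = []
    for action, rule in RULES:
        reason = rule(s)
        if reason:
            hits.append((action, rule.__name__, reason))
    return hits


# --- constructed sample payloads, built in memory; no real program is involved ---
def make_zip_with_scr():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.scr", b"MZ" + b"\x00" * 62)   # PE-looking stub only
    return buf.getvalue()


def make_tar():
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        data = b"plain text inside a tar archive\n"
        info = tarfile.TarInfo("notes.txt")
        info.size = len(data)
        t.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sample_sessions():
    return {
        "mail_zip": Session("smtp", "report.zip", make_zip_with_scr()),
        "renamed_tar": Session("http", "data.bin", make_tar()),
        "renamed_exe": Session("http", "photo.jpg", b"MZ" + b"\x00" * 62),
        "honest_exe": Session("http", "setup.exe", b"MZ" + b"\x00" * 62),
    }


if __name__ == "__main__":
    for label, sess in sample_sessions().items():
        print(label, inspect(sess) or "clean")
```

Running it shows `honest_exe` as clean (the extension matches the magic), `renamed_tar` and `renamed_exe` raising the masquerade alert, and `mail_zip` hitting the Block rule because the circumstance (SMTP) and the container (zip) and the member type (.scr) all line up. Real products decode far more formats and go several containers deep; the point of the toy is that the decision is made after decoding, on the true type.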
   29. (image only)
   30. (image only)
   31. FSS_Suspicious Executable
   32. What did our nets catch?
   33. A tar-format file
       No ".tar" extension
   34. Well hidden!
   35. What's lurking in the bushes?
       It's an executable!
   36. (?!/JavaScript)(?:/|#2f|#2F)(?:J|#4a|#4A)(?:a|#61)(?:v|#76)(?:a|#61)(?:S|#53)(?:c|#63)(?:r|#72)(?:i|#69)(?:p|#70)(?:t|#74)
   37. It's not just a substring search!
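Slide 36's regex exists because a PDF name object may spell any character as a `#xx` hex escape, so `/J#61va#53cript` is the same name as `/JavaScript` to a PDF reader but not to a plain substring match; the leading `(?!/JavaScript)` skips the undisguised spelling, which a simpler rule already covers. The script below is an added example, not Fidelis code: it runs the slide's own regex next to the more general approach of decoding every name and then comparing. The PDF object fragments are constructed for the example, and treating `/JS` as interesting alongside `/JavaScript` is the author's choice here (it is the key that carries the script in a JavaScript action dictionary).

```python
"""Find the PDF /JavaScript name even when it hides behind #xx escapes.
Added example, not Fidelis code. SLIDE_REGEX is the expression from the slide;
the decoder and the sample fragments are constructed for this example."""
import re

# The slide's regex: each character of /JavaScript may appear as itself or as a
# #xx hex escape; the lookahead excludes the plain spelling (caught elsewhere).
SLIDE_REGEX = re.compile(
    r"(?!/JavaScript)(?:/|#2f|#2F)(?:J|#4a|#4A)(?:a|#61)(?:v|#76)(?:a|#61)"
    r"(?:S|#53)(?:c|#63)(?:r|#72)(?:i|#69)(?:p|#70)(?:t|#74)"
)

# A PDF name starts with '/' and ends at whitespace or a delimiter character.
NAME_TOKEN = re.compile(r"/([^\s/\[\]<>(){}%]*)")
# Names that mark a JavaScript action: /S /JavaScript, with the code under /JS.
NAMES_OF_INTEREST = {"JavaScript", "JS"}


def decode_pdf_name(raw):
    """Resolve #xx escapes in a PDF name: 'J#61va#53cript' -> 'JavaScript'."""
    return re.sub(r"#([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def slide_regex_hits(text):
    """What the slide's regex alone reports (whole matches)."""
    return SLIDE_REGEX.findall(text)


def find_javascript_names(text):
    """Normalize-then-match: decode every name, then compare with the set.
    Returns (raw, decoded) pairs so an analyst sees both spellings."""
    hits = []
    for m in NAME_TOKEN.finditer(text):
        decoded = decode_pdf_name(m.group(1))
        if decoded in NAMES_OF_INTEREST:
            hits.append((m.group(0), decoded))
    return hits


# Constructed PDF object fragments, not real documents.
PLAIN = "<< /S /JavaScript /JS (code here) >>"
OBFUSCATED = "<< /S /J#61va#53cript /JS (code here) >>"
ALL_HEX = "<< /S /#4A#61#76#61#53#63#72#69#70#74 /J#53 (code here) >>"
BENIGN = "<< /Type /Catalog /Pages 2 0 R >>"

if __name__ == "__main__":
    for label, frag in [("plain", PLAIN), ("obfuscated", OBFUSCATED),
                        ("all_hex", ALL_HEX), ("benign", BENIGN)]:
        print(label, "regex:", slide_regex_hits(frag),
              "normalized:", find_javascript_names(frag))
```

On the plain fragment the slide regex is silent by design while the normalizer reports `/JavaScript` and `/JS`; on the escaped fragments both report the hidden name, and the normalizer also catches `/J#53`, which the regex never looks for. Decoding before matching is the general form of "it's not just a substring search": one decoder covers every escape combination instead of one regex per name.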
   38. The March zero-day vulnerability in Flash
       "Show me Flash in XLS"
   39. The April vulnerability in Flash
       "Show me Flash in Doc"
   40. And now...
   41. Competitive Pricing
       The pricing scenario is for a 2,500-employee organization with 70 servers, and management of events from all devices.
       Pricing does not include database licenses, server clusters and more, which are required for all but the Trend Micro offering.</li>