ADVANCED PERSISTENT THREAT
BREAKING THE ATTACK CYCLE

               Presented By:
               Joe Schorr
               Enterprise Security Practice Manager




                            800.747.8585 | help@cbihome.com
CBI Introduction

Information Technology and Security Solutions Provider
   • Symantec Partner of the Year, Finalist
   • Symantec Platinum Partner
   • Globally capable, superior technical service

Experienced Professionals
   • Operating for 20 years, serving more than 500 clients worldwide.
   • Broad customer base ranging from mid-size to Fortune 100

Experienced in Variety of Industries
    • Healthcare                         • Government
    • Banking & Financial Services       • Legal
    • Manufacturing                      • Retail
    • Education

Enterprise Security Practice


        Joe Schorr: Enterprise Security Practice Manager
     Managing Consultant for the BT Ethical Hacking Center of Excellence
                         CIO for a large non-profit
         Global Program Manager – International Network Services

        Practice areas: Enterprise Security | IT GRC | Server Management | Endpoint Management | Datacenter Management




APT Defined



    APT is a group of sophisticated,
    determined and coordinated attacks
    and attackers that have been
    systematically targeting, exploiting
    and compromising U.S. Government
    and private networks.


“APT”

    Advanced means the adversary can operate in the full spectrum
    of computer intrusion. They can use the most pedestrian publicly
    available exploit against a well-known vulnerability, or they can
    elevate their game to research new vulnerabilities and develop
    custom exploits, depending on the target’s posture.

    Persistent means the adversary is formally tasked to
    accomplish a mission. They are not opportunistic
    intruders. Like an intelligence unit they receive directives
    and work to satisfy their masters. Persistent does not
    necessarily mean they need to constantly execute
    malicious code on victim computers. Rather, they
    maintain the level of interaction needed to execute their
    objectives.

    Threat means the adversary is not a piece of mindless code. This point is
    crucial. Some people throw around the term “threat” with reference to
    malware. If malware had no human attached to it (someone to control the
    victim, read the stolen data, etc.), then most malware would be of little
    worry (as long as it didn’t degrade or deny data). Rather, the adversary
    here is a threat because it is organized and funded and motivated. Some
    people speak of multiple “groups” consisting of dedicated “crews” with
    various missions.
Security Trends

[Diagram: "Challenging Threat Landscape". Trends shown: Malicious Insiders, Targeted Attacks,
 Evolving Infrastructure, Increasing Complexity, Increasing Financial and Brand Risk, Data Growth,
 Compliance Requirements, Mobile, Virtualization, Cloud, Vendor Complexity]
Recent Events & Evidence


A picture of the hacking software shown during the Chinese military
program. The large writing at the top says "Select Attack Target."
Next, the user chooses an IP address to attack from (it belongs to an
American university). The drop-down box is a list of Falun Gong
websites, while the button on the left says "Attack."

RSA and .gov Contractors




Ever wonder?




RSA wasn’t alone.




                http://krebsonsecurity.com/
Smoking gun




              http://krebsonsecurity.com/
STUXNET




‘Duqu’ the Son of STUXNET




Attack Cycle


[Diagram: six-step attack cycle]
     Step 1: Reconnaissance
     Step 2: Delivery of exploit; enter target
     Step 3: Create backdoor; contact Command & Control (C&C) servers
     Step 4: Obtain user credentials; install tools; escalate privileges
     Step 5: Data theft and exfiltration
     Step 6: Persistence; residency


What does this look like?


     1. Target selected from a shopping list
     2. Passive searching – ‘Google-Fu’
     3. Cyber-stalking via Facebook and LinkedIn
     4. Select individuals for a spear-phishing attack
     5. Social-engineer custom mail to targets
     6. Payload deploys, begins harvest of credentials
     7. ‘Owns’ servers and establishes a backdoor,
        establishes tunnels, typically via ports 443 and 53
     8. Take data, encrypt and compress it, and send it
        home
     9. Dormancy until further orders
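Step 7 above is the point where a monitoring team has something concrete to look for: a backdoor that tunnels over port 53 has to encode its traffic into DNS query names. The Python below is an added example, not code from the original deck or from CBI, showing one heuristic a SIM or log-review process could run over DNS query logs: flag a client that sends many distinct, long, high-entropy subdomains under a single registered domain. The log format, the domain c2-hypothetical.test, the client addresses and all thresholds are constructed assumptions; the subdomain split takes the last two labels as the registered domain, so a real deployment would substitute a public-suffix list.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not taken from the original deck).
# Format assumed: "<time> <client_ip> <query_name>".
SAMPLE_DNS_LOG = """\
10:00:01 10.1.2.3 www.example.com
10:00:02 10.1.2.3 mail.example.com
10:00:03 10.1.2.3 4f3a9c2e7b1d8e6f5a0c3b2d9e8f7a6b.c2-hypothetical.test
10:00:03 10.1.2.3 9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a.c2-hypothetical.test
10:00:04 10.1.2.3 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.c2-hypothetical.test
10:00:04 10.1.2.3 e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2.c2-hypothetical.test
10:00:05 10.1.2.3 0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f.c2-hypothetical.test
10:00:06 10.1.2.4 cdn.example.net
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score near 4 for hex, higher for base32/64."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Return (time, client, qname) tuples, normalising the name to lower case without a trailing dot."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the whole run
        time, client, qname = parts
        records.append((time, client, qname.rstrip(".").lower()))
    return records


def split_name(qname):
    """Return (subdomain, registered_domain).
    Assumption: the registered domain is the last two labels. Production code
    should consult a public-suffix list so names like example.co.uk are split correctly."""
    labels = qname.split(".")
    if len(labels) < 3:
        return None, qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_tunnel_candidates(records, min_queries=3, min_entropy=3.0, min_sub_len=20):
    """Flag (client, domain) pairs whose subdomains look like encoded data:
    many distinct, long, high-entropy labels under one registered domain.
    Thresholds are constructed starting points and should be tuned per environment."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "entropy_sum": 0.0, "len_sum": 0})
    for _, client, qname in records:
        sub, domain = split_name(qname)
        if sub is None:
            continue  # bare second-level names carry no encoded payload
        s = stats[(client, domain)]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        s["len_sum"] += len(sub)

    flagged = []
    for (client, domain), s in stats.items():
        n = s["queries"]
        mean_entropy = s["entropy_sum"] / n
        mean_len = s["len_sum"] / n
        if (n >= min_queries and len(s["subdomains"]) >= min_queries
                and mean_entropy >= min_entropy and mean_len >= min_sub_len):
            flagged.append({"client": client, "domain": domain, "queries": n,
                            "distinct_subdomains": len(s["subdomains"]),
                            "mean_entropy": round(mean_entropy, 2),
                            "mean_subdomain_len": round(mean_len, 1)})
    return flagged


if __name__ == "__main__":
    for hit in find_tunnel_candidates(parse_dns_log(SAMPLE_DNS_LOG)):
        print(hit)
```

On the constructed log the ordinary lookups to example.com and example.net fall well below every threshold, while the five hex-encoded queries to c2-hypothetical.test from 10.1.2.3 are reported as one candidate. Distinct-subdomain count is required as well as query count so that a busy but legitimate CDN name, repeated many times, is not flagged on volume alone.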


Some APT Attack components


• Blended weaponized STUXNET clones
• Endpoint Compromise
• CA Attacks

6 recommendations

      MONITOR! Yes, this means SIM, and it also means
      monitoring your monitor DAILY. If you have challenges
      in this area, consider an MSS solution.

      MANAGE! access control systems. User management
      and passwords are not sexy, but weak management of
      this important, basic operational task provides a HUGE
      attack vector.

      ENGINEER! your WHOLE network to be secure. The
      security architecture is not just routers and firewalls.
      Server, endpoint and application security are just as
      important to a healthy, well-defended enterprise.

      PATCH! Don’t let the ‘I’ll wait for others to go first….’
      mentality lead to inertia. Bad patch management has a
      direct role in most server and application exploits.

      TEST! your security. Early and often.

      STOP! The leaks.

Symantec DLP Overview


[Diagram: product layout by tier]
     Storage:  Symantec™ Data Loss Prevention Network Discover; Data Insight; Network Protect
     Endpoint: Symantec™ Data Loss Prevention Endpoint Discover; Endpoint Prevent
     Network:  Symantec™ Data Loss Prevention Network Monitor; Network Prevent
     Management Platform: Symantec™ Data Loss Prevention Enforce Platform



DLP Progress Model

[Chart: Incidents Per Week (0 to 1000) falling as "Risk Reduction Over Time" for the Client Company, in four phases]
     Baseline:     Establish Initial Policies; Identify Broken Business Processes; Enable EDM/IDM
     Remediation:  Employee and Business Unit Communication; Fix Broken Business Processes
     Notification: Sender Auto Notification
     Prevention:   Business Unit Risk Scorecard
EndPoint Progress

[Chart: the same four-phase model (Baseline, Remediation, Notification, Prevention) applied to
 endpoint incidents per week; Risk Reduction Over Time, Client Company]
Network Progress

[Chart: the same four-phase model (Baseline, Remediation, Notification, Prevention) applied to
 network incidents per week; Risk Reduction Over Time, Client Company]
Storage Progress

[Chart: the same four-phase model (Baseline, Remediation, Notification, Prevention) applied to
 storage incidents per week; Risk Reduction Over Time, Client Company]
Desired State for Data Loss


The primary goals of using Symantec’s DLP solution are to:


1. Protect confidential and regulated data from leaking or misuse based
   on corporate business practices
2. Meet or exceed all government regulatory data protection
   requirements
3. Protect the Client Company brand and image.




Desired State for Data Loss


The DLP solution should perform the following functions:
     1. Identify data based on current government regulations and
        company policies
     2. Be tuned to minimize false positives
     3. Educate users on proper data handling policies
     4. Notify appropriate parties of data leakage or misuse
     5. Block data leakage or misuse
     6. Find sensitive data in file shares and SharePoint
     7. Determine who is using data
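Functions 1 and 2 above pull in opposite directions: a policy that matches any long run of digits will find every card number and also every order number, tracking code and placeholder. The Python below is an added example, not code from the original deck or from Symantec's product, showing how a content rule for payment card numbers is tightened: a candidate digit run is only reported if it passes the Luhn check and is not a single repeated digit, and the result is masked to the first six and last four digits so an analyst can triage it without handling the full number. The sample messages are constructed, and the 13 to 19 digit range and the two filters are the assumptions the example makes.

```python
import re

# Constructed sample messages (not from the original deck). Only the second
# carries a Luhn-valid number; the others hold digit runs that a naive
# "13 or more digits" rule would report as incidents.
SAMPLE_MESSAGES = [
    "Order #1234-5678-9012-3456 has shipped, tracking 0000 0000 0000 0000.",
    "Please charge 4111 1111 1111 1111 for the balance and send the receipt to finance.",
    "Support line 800-747-8585, ticket reference 9999999999999.",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, bounded by non-digits.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Luhn check-digit test used by card issuers; catches most mistyped or random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep the first six (issuer prefix) and last four digits; star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_numbers(text):
    """Return masked, validated card numbers found in text.
    Two false-positive filters: the Luhn check, and rejection of a single repeated
    digit (an all-zero run passes Luhn trivially but is a placeholder, not a card)."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if len(set(digits)) == 1:
            continue
        if not luhn_valid(digits):
            continue
        found.append(mask_pan(digits))
    return found


def classify_messages(messages):
    """Simulated policy: a message with at least one validated card number becomes an incident."""
    incidents = []
    for msg in messages:
        hits = find_card_numbers(msg)
        if hits:
            incidents.append((msg, hits))
    return incidents


if __name__ == "__main__":
    for msg, hits in classify_messages(SAMPLE_MESSAGES):
        print(hits, "<-", msg)
```

Run on the constructed messages, the order number fails Luhn, the all-zero tracking value is rejected as a repeated digit, the 13-digit ticket reference is rejected on both counts, and only the second message becomes an incident, reported as 411111******1111. The same shape of rule (candidate pattern, then a validation step, then masking) is what keeps a notification to a sender credible rather than noisy.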




Examples of Successful DLP Outcomes


1. Internet traffic is monitored and incidents are created when
   suspected or confidential data leaves via email or other web
   process.
2. Endpoint activity is monitored and incidents are created when
   suspected or confidential data is transferred to USB drives.
3. Manual searches on datastores can be performed if needed
4. General process for handling data breach incidents is established




Recommendations


1. Upgrade to Symantec Data Loss Prevention version 11.1
2. Refine Existing Policies and Responses
3. Run Network Discover scans
4. Begin using notifications
5. Deploy Email Network Prevent with Symantec Messaging
   Gateway
6. Deploy Web Network Prevent with Symantec Web Gateway or
   other ICAP proxy server.
7. Deploy Data Insight



Global Intelligence Network
Identifies more threats, takes action faster & prevents impact



[Map: Global Intelligence Network locations: Calgary, Alberta; Dublin, Ireland; Reading, England;
 Tokyo, Japan; San Francisco, CA; Mountain View, CA; Austin, TX; Chengdu, China; Alexandria, VA;
 Culver City, CA; Taipei, Taiwan; Chennai, India; Pune, India; Sydney, Australia]

                  Worldwide Coverage | Global Scope and Scale | 24x7 Event Logging | Rapid Detection

  Attack Activity:      240,000 sensors; 200+ countries and territories
  Malware Intelligence: 150M client, server, gateways monitored; global coverage
  Vulnerabilities:      35,000+ vulnerabilities; 11,000 vendors; 80,000 technologies
  Spam/Phishing:        5M decoy accounts; 8B+ email messages/day; 1B+ web requests/day

              Preemptive Security Alerts | Information Protection | Threat Triggered Actions
Next Steps




     Security and Advisory Assessments
     – In-depth, consultative engagements
     – Evaluate and improve your overall security program
     – Address specific concerns (e.g. PCI/ mobile security issues)




THANK YOU
jschorr@cbihome.com
   @JoeSchorr
