This document discusses the cyber attack lifecycle and strategies for advanced adversaries. It describes the typical stages an adversary goes through, including reconnaissance, exploitation, delivery, installation, command and control, and actions on objectives. The adversary's goal is to accomplish their task and exfiltrate information without detection. New strategic approaches are needed to detect threats across all points, including the network edge, endpoints, mobile devices, and clouds. Security controls must innovate faster to reduce the vulnerability gap against sophisticated global attackers.
5. The Advanced Adversary
The majority of adversaries are just doing their job:
• Bosses, families, bills to pay.
• Want to get in, accomplish their task, and get out (undetected).
• Their goal isn't making your life hard.
6. The Advanced Adversary
Adversaries have a set of tools available to accomplish their task.
Defenders need a combination of people, process and technology.
Increase the cost for adversaries.
10. Reconnaissance
Identify the tools used to protect an organization:
• Content from corporate websites
• Third-party sites to identify key targets
• Common search techniques
12. Exploitation
1. Exploiting the user
Why use malware when you have legitimate credentials?
Users are typically the path of least resistance.
13. Exploitation
2. Exploiting the software
Why use a 0-day when CVE-2012-0158 or CVE-2010-3333 is still open?
Old vulnerabilities may not be patched.
14. Exploitation
Technology:
• If you can't patch systems, limit access via user-based policy.
• Deploy solutions that can prevent exploitation on the endpoint and network, even exploits that have not been seen before.
• Use systems that learn from new exploits and can stop them in real time.
Process:
• Keep software patched to reduce the attack surface.
People:
• Training to recognize phishing attempts and to be careful with credentials.
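The two identifiers on slide 13 are old Microsoft Office bugs that kept appearing in phishing lures years after their patches shipped: CVE-2012-0158 in the MSCOMCTL.OCX ActiveX control and CVE-2010-3333 in RTF pFragments parsing. As an added example that is not part of the original deck, the following Python scanner pulls the embedded-object hex out of an RTF file and checks for the two indicators a triage analyst looks at first. The CLSID is the published one for the MSCOMCTL ListView control; the sample documents below are constructed for the example and contain no exploit, only the indicator bytes.

```python
import re

# CLSID {BDD1F04B-858B-11D1-B16A-00C0F0283628} of the MSCOMCTL.OCX ListView control
# (the control abused by CVE-2012-0158 documents), in the little-endian layout in
# which a GUID is serialised inside OLE object data.
MSCOMCTL_LISTVIEW_CLSID = bytes.fromhex("4bf0d1bd8b85d111b16a00c0f0283628")

# Hex payload following an \objdata control word; Word wraps it across many lines.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_objdata(rtf: bytes) -> list[bytes]:
    """Decode every \\objdata hex blob in an RTF file, tolerating line wrapping."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdigits = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdigits) % 2:            # truncated blob: drop the dangling nibble
            hexdigits = hexdigits[:-1]
        blobs.append(bytes.fromhex(hexdigits.decode("ascii")))
    return blobs


def scan_rtf(rtf: bytes) -> list[str]:
    """Return indicator strings for the two old Office bugs named on the slide."""
    findings = []
    # Word only needs the "{\rt" prefix, and lure documents exploit that leniency,
    # so do not insist on the canonical "{\rtf1".
    if not rtf.lstrip().startswith(b"{\\rt"):
        return findings
    if re.search(rb"pFragments", rtf, re.IGNORECASE):
        findings.append("pFragments shape property present (CVE-2010-3333 indicator)")
    for i, blob in enumerate(extract_objdata(rtf)):
        if MSCOMCTL_LISTVIEW_CLSID in blob:
            findings.append(f"objdata #{i}: MSCOMCTL ListView CLSID embedded (CVE-2012-0158 indicator)")
    return findings


def _wrap(hexstr: str, width: int = 32) -> bytes:
    """Wrap a hex string onto CRLF lines the way Word writes \\objdata."""
    return b"\r\n".join(hexstr[i:i + width].encode() for i in range(0, len(hexstr), width))


# Constructed samples: a benign embedded object, an object carrying the MSCOMCTL
# CLSID (split across two lines by the wrapping), and a pFragments document.
BENIGN_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata\r\n"
              + _wrap("01050000020000000b000000" + b"Equation.3".hex()) + b"}}\\par}")
CLSID_RTF = (b"{\\rt\\ansi{\\object\\objemb{\\*\\objdata\r\n"
             + _wrap("01050000020000000c000000" + MSCOMCTL_LISTVIEW_CLSID.hex() + "0000")
             + b"}}\\par}")
PFRAG_RTF = b"{\\rtf1{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;1;0000}}}}}"

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_RTF), ("clsid", CLSID_RTF), ("pfrag", PFRAG_RTF)]:
        print(name, scan_rtf(doc))
```

A hit means the document references the control or the property, which legitimate files rarely do; it is a triage trigger, not proof of exploitation. Lure authors also pad RTF with junk control words and split keywords, so a regex pass like this is the first filter, not the last one.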
16. Delivery
Delivering the exploit or malware:
• Attackers with a specific target: malicious USB drives, network exploitation, etc.
• Attackers targeting people with specific interests: watering hole (strategic web compromise).
• Everything else: phishing.
17. Phishing & Drive-by Download
1. Targeted malicious email sent to user.
2. User clicks on link to a malicious website.
3. Malicious website silently exploits a client-side vulnerability with a web attack toolkit.
4. Drive-by download of malicious payload.
5. System infected; attacker has full access to steal data.
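The sequence on slide 17 is also the sequence a defender can reconstruct from logs: the mail gateway records delivery, the proxy records the click and the payload fetch. As an added example that is not from the deck, the Python below joins the two sources and raises one alert per completed chain. The key=value log layout, the internal domain corp.example, the content types treated as payloads and the two time windows are assumptions made for the example; the log lines are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

INTERNAL_DOMAIN = "corp.example"                  # assumed for the example
CLICK_WINDOW = timedelta(hours=24)                # email delivery -> click
DOWNLOAD_WINDOW = timedelta(minutes=10)           # click -> payload fetch
PAYLOAD_CTYPES = {"application/x-msdownload", "application/x-dosexec",
                  "application/octet-stream"}
PAYLOAD_EXTS = (".exe", ".scr", ".dll", ".js", ".hta", ".jar")

# Constructed sample logs (no real environment). Alice receives an external lure,
# clicks it and pulls an executable seconds later; Bob's internal link and Carol's
# stand-alone download must not alert.
EMAIL_LOG = """\
2016-09-12T08:01:10Z from=hr-update@example-payroll.net to=alice@corp.example url=http://example-payroll.net/benefits/update.html
2016-09-12T08:03:44Z from=bob@corp.example to=alice@corp.example url=http://intranet.corp.example/wiki/Onboarding
2016-09-12T08:15:00Z from=newsletter@vendor.example.org to=carol@corp.example url=http://vendor.example.org/news
"""
PROXY_LOG = """\
2016-09-12T08:05:02Z user=alice url=http://example-payroll.net/benefits/update.html ctype=text/html
2016-09-12T08:05:03Z user=alice url=http://example-payroll.net/benefits/kit.php ctype=application/x-javascript
2016-09-12T08:05:09Z user=alice url=http://cdn-example-update.net/dl/svchost.exe ctype=application/x-msdownload
2016-09-12T08:40:00Z user=alice url=http://intranet.corp.example/wiki/Onboarding ctype=text/html
2016-09-12T09:10:00Z user=carol url=http://downloads.example.org/tool.exe ctype=application/x-msdownload
"""


def parse(log: str) -> list[dict]:
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def is_external(addr: str) -> bool:
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)


def looks_like_payload(rec: dict) -> bool:
    path = urlsplit(rec["url"]).path.lower()
    return rec.get("ctype") in PAYLOAD_CTYPES or path.endswith(PAYLOAD_EXTS)


def correlate(email_log: str, proxy_log: str) -> list[dict]:
    """Delivery (external email with URL) -> click on that URL -> payload fetch."""
    emails = [e for e in parse(email_log) if "url" in e and is_external(e["from"])]
    proxy = sorted(parse(proxy_log), key=lambda r: r["ts"])
    alerts = []
    for e in emails:
        user = e["to"].split("@")[0]
        clicks = [p for p in proxy
                  if p["user"] == user and p["url"] == e["url"]
                  and e["ts"] <= p["ts"] <= e["ts"] + CLICK_WINDOW]
        for click in clicks:
            payloads = [p for p in proxy
                        if p["user"] == user and looks_like_payload(p)
                        and click["ts"] < p["ts"] <= click["ts"] + DOWNLOAD_WINDOW]
            if payloads:
                alerts.append({"user": user,
                               "delivery": e["url"], "delivered_at": e["ts"],
                               "exploitation": click["url"], "clicked_at": click["ts"],
                               "payload": payloads[0]["url"],
                               "downloaded_at": payloads[0]["ts"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(EMAIL_LOG, PROXY_LOG):
        print(a)
```

Matching the clicked URL exactly against the emailed one is deliberately strict; real lures go through redirectors and carry per-recipient tracking parameters, so a production rule usually matches on the host and treats the click stage as optional when the payload fetch follows the email closely enough.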
22. The Underground Economy
"A tool for creating Botnets on Android […] $4,000"
• Easily purchase tools.
• Discuss tactics with other attackers.
Active marketplace for attacks:
• Remote access tools.
• Malware.
• Exploits.
• Etc.
24. Preventing Delivery and Installation
Technology:
• Prevent malware and exploits at the network level.
• Deploy a solution that can detect new exploits and malware and dynamically update your protections across AV, URL and DNS.
• Prevent exploits that have never been seen before on the endpoint.
• User-based policy, such as limiting the download of executable files from the Internet.
• Block commonly exploited file types on your network.
25. Command and Control (CnC)
Communicating with infected hosts and providing instructions.
Myth: customized protocols with unique encryption types are used for CnC.
Reality: HTTP is most common for custom backdoors.
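Because custom backdoors mostly ride plain HTTP, the signal that survives is timing rather than protocol: an implant calling home on a sleep timer produces request gaps that cluster around one value, while a person browsing produces bursts and long pauses. As an added example that is not from the deck, the Python below groups proxy requests by (source, host) and flags pairs whose inter-request gaps have a low coefficient of variation. The log format, the thresholds and the sample traffic (one beacon, one browsing session) are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def parse_proxy(log: str) -> list[tuple[datetime, str, str]]:
    """Parse 'timestamp src host' lines into (ts, src, host) tuples."""
    out = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, host = line.split()
        out.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host))
    return out


def find_beacons(records, min_requests: int = 8, max_cv: float = 0.15) -> list[dict]:
    """Flag (src, host) pairs whose inter-request gaps are unusually regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps.
    min_requests keeps one-off bursts out; max_cv sets how much jitter is
    still considered "regular".
    """
    by_pair = defaultdict(list)
    for ts, src, host in records:
        by_pair[(src, host)].append(ts)
    findings = []
    for (src, host), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu <= 0:                       # all requests in the same second: not a timer
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            findings.append({"src": src, "host": host, "n": len(times),
                             "period_s": round(mu, 1), "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["cv"])


def _build_sample() -> str:
    """Constructed log: an implant checking in every ~60 s with a little jitter,
    and the same host browsing a news site in irregular bursts."""
    base = datetime(2016, 9, 12, 9, 0, 0)
    lines = []
    for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0, 1, -1, 0, 2]):
        t = base + timedelta(seconds=60 * i + jitter)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.1.1.7 update-check.example.net")
    for off in [5, 9, 70, 400, 402, 1300, 1800, 1803, 1810]:
        t = base + timedelta(seconds=off)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.1.1.7 news.example.org")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample()

if __name__ == "__main__":
    for f in find_beacons(parse_proxy(SAMPLE_LOG)):
        print(f)
```

Legitimate software updaters and monitoring agents beacon too, so the output is a candidate list to allowlist against known hosts, not a verdict. Adversaries who add large random sleep jitter push the coefficient of variation above the threshold; longer windows and the ratio of requests to unique URLs are the usual next features.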
26. Command and Control (CnC)
Enterprise and adversary infrastructure (diagram): User Land, DMZ, Ingress/Egress, Data Center/Infrastructure, Internet, Adversary Infrastructure.
SMAC (Social, Mobile, Analytics, Cloud/Virtualization) is creating new vulnerabilities and complexity to manage.
Perfect storm: apps create the horse the attack rides in on, mobility creates a massive increase in the number of points of entry, and cloud creates the chance to strike once and win a thousand points of access.
Change results in tremendous risk.
Visibility, as well as the controls involved to mitigate risk, must increase within a constantly changing landscape.
• Dramatic increase in organized, well-funded groups bent on causing harm through sophisticated, orchestrated, persistent attacks.
• Advanced attack toolkits readily available and shared or sold on the Internet.
• Perimeter-based security alone is ineffective.
• Endpoint AV alone is ineffective.
• Proliferation of point security solutions is ineffective and difficult to manage.
• A detect-only approach is ineffective.
• Sandboxes are not created equal.
Talking Points:
“Cyber” is put in front of all of these as a reminder that the motivations are not new; only the medium the attacker uses has changed.
Motivations are “hats” an attacker can wear.
There are some fuzzy areas between motivations; an attacker might wear two or more “hats” for a single attack (opportunism or some other shifting factor).
Although motivations may shift for a single actor, that actor will often employ the same TTPs, tools and other resources in all of their attacks.
Concept: defending against the adversary operating in the aggregate (not just an incident, but the series of events leading to that objective).
Advanced adversaries aren’t mythic figures or groups with unlimited resources crafting every piece of a custom-made attack. There are only 3-5 groups like that in the entire world, and they are the 0.01%. The other 99.9% of attackers are just like you and me.
Humans are responsible for all of the attacks you experience.
They have bosses, families, bills to pay.
They want to get in, accomplish their task, and get out (undetected).
Their goal isn’t making your life hard.
The media and others may try to convince you differently, but these assumptions are wrong!
Adversaries have a set of tools available to accomplish their task.
Use the right tool for the job: no need to use a bazooka if a lock-pick will open the door.
Functionality can be extended.
Exfiltration
Command & Control
Post-Operation
Defenders need a combination of people, process and technology.
Having only one of the components invalidates the others. For instance, the greatest security products in the world can’t prevent attacks if they are not configured and monitored correctly. They also cannot stop a user from revealing sensitive information.
Ensure adversaries NEED the bazooka, not the lock-picks or
Don’t be the low-hanging fruit
Most of us have the means to stop known attacks, but what’s been historically difficult is stopping unknown attacks.
To gain a better understanding of adversaries and the stages that each attack follows, here’s a quick look at the Attack Kill Chain.
The Attack Kill Chain is a sequence of events that an attacker goes through to successfully infiltrate a network and exfiltrate data from it. The good news is that blocking just one step in this chain is all that is needed to protect a company’s network and data from attack.
We’ve borrowed from the pioneering work that Lockheed Martin did when they created the Cyber Kill Chain and here is how we view each stage in the kill chain:
Reconnaissance: Just like burglars and thieves, attackers carefully plan their attacks. They research, identify, and select targets, oftentimes using phishing tactics or extracting public information from an employee’s LinkedIn profile or corporate websites. These criminals also scan for network vulnerabilities and services or applications they can exploit.
Weaponization & Delivery: Next, the attackers determine which methods to use. They may choose to embed intruder code within seemingly innocuous files like a PDF or Word document or email message. Or, for highly-targeted attacks, attackers may craft deliverables to catch specific interests of an individual.
Exploitation: Once attackers gain access “inside” an organization, they can activate attack code on the victim’s host and ultimately take control of the target machine.
Installation: Attackers will seek to establish privileged operations: install a rootkit, escalate privileges, and establish persistence.
Command-and-Control: Attackers establish a command channel back through the Internet to a specific server so they can communicate and pass data back and forth between infected devices and their server.
Actions on the Objective: Attackers may have many different motivations for attack, and it’s not always for profit. Their reasons could be data exfiltration, destruction of critical infrastructure, or to deface web property or create fear/extortion.
They get in via HR or finance, for example.
Target organization website: PDFs, PowerPoint, XLS, etc.
Conference/event websites: attendee lists, presentations
Google-fu: filetype:xls inurl:attendees
Social networks/job postings: identify technologies in use
This isn’t about “spray-and-pray” attacks.
Corporate websites may include email addresses, customer lists, partner lists, etc.
A Google search reveals XLS spreadsheets containing names, titles, e-mail addresses and phone numbers of attendees to a “National Defense Industrial Association” event.
A job posting for a firewall engineer reveals which products this company is deploying.
A LinkedIn profile for a security analyst at a large company reveals which products they are using.
Does this fit in weaponization? I’m going to buy a weapon that can defeat these.
This is your wake-up call for basic training and good process!
Know what the adversary knows: check your corporate website and third-party content sources regularly.
Perform “red-team” exercises to identify possible targets within your organization.
Pay special attention to the training and access privileges of highly visible users.
Configure hardware and software not to give away unnecessary information, like product type and version number.
Technology can only prevent a few recon techniques, like port scans and host sweeps.
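One recon technique you can starve without any product is the version banner. The check below is an added example (not from the deck): it parses a raw HTTP response and lists the headers and markup that tell an attacker which product, version and OS to shop exploits for. Both responses are constructed, and the list of header names treated as leaky is an assumption.

```python
"""What does your web tier tell a reconnaissance scan? This added example (not
from the deck) parses a raw HTTP response and reports headers and markup that
reveal product and version; the two responses are constructed, and the list of
leaky header names is an assumption."""
import re

VERSION = re.compile(r"\d+(\.\d+)+")
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                 "x-aspnetmvc-version", "x-generator")
META_GENERATOR = re.compile(r'<meta\s+name="generator"\s+content="([^"]+)"', re.I)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def disclosures(raw):
    """Return sorted (location, value) pairs that give away product, version or OS."""
    _, headers, body = parse_response(raw)
    found = []
    for name in LEAKY_HEADERS:
        value = headers.get(name)
        if not value:
            continue
        # a bare product name (Server: Apache) is low value; a version or an
        # OS in parentheses is what the attacker is shopping exploits for
        if name != "server" or VERSION.search(value) or "(" in value:
            found.append((name, value))
    for match in META_GENERATOR.finditer(body):
        found.append(("meta generator", match.group(1)))
    return sorted(found)


# constructed: a default LAMP box before and after hardening
NOISY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4.29\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 4.7.5"></head></html>'
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"              # after ServerTokens Prod and expose_php = Off
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head></head></html>"
)

if __name__ == "__main__":
    for label, raw in (("noisy", NOISY), ("hardened", HARDENED)):
        print(label, disclosures(raw))
```

The hardened response is what you get from `ServerTokens Prod` plus `ServerSignature Off` on Apache, `server_tokens off;` on nginx, `expose_php = Off` in php.ini, and removing the generator tag from the CMS theme; run the check against your own edge from outside so it sees what the load balancer or CDN actually emits, not what the origin is configured to send.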
This phishing page was used in one of the attacks Trend Micro calls “Operation Pawn Storm”. Phishing with fake Outlook Web Access pages is commonly used against businesses because nearly everyone uses OWA and the login pages look almost the same. This attack was on Academi, a security training organization. The attackers registered a similar domain for this attack.
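The “similar domain” is the part a defender can watch for. As an added example (not from the deck or from Trend Micro’s report), the code below scores newly seen domains against a protected list using the tricks lookalikes rely on: a swapped TLD, homoglyph substitutions such as rn for m, the brand embedded in a longer label, and small edit distances. The protected and candidate domain lists are constructed, and the registrable-label split ignores multi-part suffixes like .co.uk.

```python
"""Flag newly seen domains that imitate a protected domain, the way the fake
OWA page above used a similar domain. Added example, not from the deck; the
protected and candidate domain lists are constructed."""
import unicodedata

PROTECTED = ["academi.com", "example-corp.com"]   # assumed list of our own domains

# visual substitutions attackers use to make a lookalike read as the real name
HOMOGLYPHS = {"0": "o", "1": "l", "|": "l", "rn": "m", "vv": "w", "cl": "d"}


def normalize(label):
    label = unicodedata.normalize("NFKC", label).lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def split_domain(domain):
    """(registrable label, tld); crude, ignores suffixes like .co.uk (assumption)."""
    parts = domain.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, protected, max_distance=2):
    """Return why candidate looks like protected, or None if it does not."""
    c_label, c_tld = split_domain(candidate)
    p_label, p_tld = split_domain(protected)
    if (c_label, c_tld) == (p_label, p_tld):
        return None                           # it is our own domain
    if c_label == p_label:
        return "tld-swap"                     # academi.net
    if normalize(c_label) == normalize(p_label):
        return "homoglyph"                    # acaderni.com
    if p_label in c_label:
        return "brand-in-label"               # academi-owa.net, login-academi.com
    distance = levenshtein(c_label, p_label)
    if distance <= max_distance:
        return "edit-distance-%d" % distance  # academl.com
    return None


def find_lookalikes(candidates, protected=PROTECTED):
    hits = []
    for cand in candidates:
        for prot in protected:
            reason = classify(cand, prot)
            if reason:
                hits.append((cand, prot, reason))
    return hits


# constructed feed of newly registered / newly resolved domains
NEW_DOMAINS = ["academi.com", "acaderni.com", "academl.com", "academi-owa.net",
               "academi.net", "example-c0rp.com", "microsoft.com"]

if __name__ == "__main__":
    for cand, prot, reason in find_lookalikes(NEW_DOMAINS):
        print("%-20s imitates %-18s %s" % (cand, prot, reason))
```

Edit distance alone is noisy (a short brand is one substitution away from many real words), so the reasons are ordered from the strongest signal to the weakest and the output belongs in a review queue with an allowlist, not in an automatic block. Feed it from certificate transparency logs or your own DNS resolver logs and you see the fake OWA domain the day it is registered, usually before the phishing email lands.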
Phishing (OWA)
Why use malware when you have credentials?
Spam with email link to fake site, exploit kits, etc.
Old Vulnerabilities
Why use a 0-day when CVE-2012-0158 / CVE-2010-3333 are still open?
0-Days are the Bazooka
Printers can be used to break into an org; they never get patched.
Not all exploits are created equal:
Zero days
Sudden, widespread impact
Targets trending to lower patch rates
Opportunistic: 99% of exploited vulnerabilities are more than 1 year old at discovery
Software security patches (attempt to) fix vulnerabilities that might be exploited
Talking points:
Zero days are the height of exploitation, as they target vulnerabilities for which there is little or no awareness and for which there are no patches
Add to that sudden, widespread vulnerabilities when they are disclosed. Recent years have been full of these. Heartbleed anyone?
Then think about some of those production systems for various organizations where the fear of loss of availability or just poor patch management has historically led to a ripe platform for exploitation. ColdFusion is a great historical example of this.
Often, when an exploit is disclosed, the associated vulnerability is fixed through a patch
But think about the points above and you can see why exploitation thrives in the wild
Also bear in mind that sometimes patches don’t actually fix the vulnerability and that patches are software as well. In other words, they may introduce additional vulnerabilities of their own.
DBIR: 99.9% of exploited vulnerabilities used a CVE more than 1 year old.
Exploited in the Wild?
Patch it now
Can’t patch this system?
Limit web/email access to a minimum using policies.
Eliminate the old gaps, catch the 0-days.
Something about WildFire and/or Traps.
This is your wake-up call for basic training and good process!
Assume you’ve done everything right, trained your people and instituted processes to mitigate risk
As we move to new stages of the cyber kill-chain, Technology becomes even more critical to preventing advanced attacks
Phishing, including spear phishing, is by far the most common tactic used because it’s simple and effective. It relies on good information gathered during the recon phase. Users are conditioned to read e-mails and open attachments if they seem relevant to their positions, and training them to do otherwise isn’t really feasible. Watering hole attacks are harder to pull off because they require compromising a web server, but that’s really just a two-stage attack: attack the website owner first (through spear phishing), then take over the web server. If these two primary mechanisms fail, the pragmatic adversary might start getting creative, but typically only if they couldn’t get in using the simpler methods.
Note to audience: you can always deliver malware directly via email and skip the exploitation stage.
Off-the-shelf tools: common
Advantage: highly capable tools, freely available.
Disadvantage: common use means AV may detect them.
Complete control over the infected system, easy to use.
Many options: PoisonIvy, gh0st RAT, NetWire, DarkComet, CyberGate, XtremeRAT…
Used by all levels of attacker.
Custom tools
Disadvantage: larger investment up front.
Advantage: very unlikely to be detected by AV.
Normally much simpler than OTS RATs; a remote shell is the goal.
Often only used as an initial implant to gain a foothold.
Poison Ivy RAT
HTTP is most common for custom backdoors
Passes through proxies, blends in, unlikely to be blocked.
29 of the 40 named in the APT1 report use HTTP for CnC (“WEBC2”)
Dynamic DNS Domains
Free, harder to correlate
SSL helps evade detection
Talking points:
Now we’ve reached the malware Command and Control (CnC) phase
This slide and the next one describe some visual components that will be used
The first is this conceptual view of a notional enterprise
There is userland where the standard users perform their work
The data center and infrastructure components house core servers like the domain controllers, IS platforms and data repositories
There is a DMZ, which also might include any other public facing portals or services extended to remote users
Finally, there is an ingress / egress point (which may be broken out by the above conceptual groupings) that allows access to and from the Internet
Talking points:
Now, let’s put this all together and start looking at some common CnC patterns
Something to keep in mind for the following CnC slides is that a defender ultimately needs to focus on breaking an attacker’s CnC before Actions on Objectives are met
As a convention, objects in red represent malicious activity
So, let’s get started with the first CnC pattern.
Once malware lands on a box and is installed, it might execute preset commands, typically of a smash-and-grab variety
These communications normally use common ports and protocols (e.g., http, https) to increase the likelihood of successful communication
This is network traffic that can be detected and potentially blocked
Talking points:
This slide depicts another common pattern
More interesting malware reaches out for additional malware and/or commands from the attacker
This step is where second-stage malware might be downloaded and run
Once a suitable stage of malware is installed on the victim machine, like a Remote Administration Tool (RAT), it will then attempt to establish a CnC channel
This is the point at which a periodic phone home, typically referred to as a beacon, begins
Beacons are mainly used to obtain the next set of commands from an attacker
Beacons or other initial malware communication can also contain recon information from the compromised target, such as OS configuration, loaded software versions, and logged on user information.
Clever malware also moves beyond simple web requests for CnC and tries to emulate human behavior (e.g., Gmail, Pastebin, Twitter, Facebook) in receiving its attacker commands
Blocking sub-features, like file sharing or chat
Controlling access to and within SaaS applications
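The beacon described in the talking points above is detectable precisely because it is a timer: a RAT checking in every five minutes leaves near-constant gaps between requests to the same host, while a person reading a news site does not. The hunt below is an added example (not from the deck or any vendor) that groups proxy log lines by source and destination host, computes the coefficient of variation of the inter-request gaps, and reports pairs that look periodic; the log lines are constructed, and the 5-hit and 0.15 thresholds are assumptions to tune.

```python
"""Beacon hunting over proxy logs: a RAT phoning home on a fixed timer leaves
near-constant gaps between requests, a human browsing does not. Added example,
not from the deck; the log lines are constructed (time, source, host, path, status)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

PROXY_LOG = """\
2017-05-12T10:00:00 10.1.2.3 cdn-updates.example.net /ping 200
2017-05-12T10:00:05 10.1.2.3 news.example.org / 200
2017-05-12T10:00:17 10.1.2.3 news.example.org /world 200
2017-05-12T10:01:40 10.1.2.3 news.example.org /sports 200
2017-05-12T10:01:45 10.1.2.3 news.example.org /sports/scores 200
2017-05-12T10:05:01 10.1.2.3 cdn-updates.example.net /ping 200
2017-05-12T10:06:45 10.1.2.3 news.example.org /tech 200
2017-05-12T10:07:05 10.1.2.3 news.example.org /tech/ai 200
2017-05-12T10:10:00 10.1.2.3 cdn-updates.example.net /ping 200
2017-05-12T10:15:00 10.1.2.3 cdn-updates.example.net /ping 200
2017-05-12T10:20:01 10.1.2.3 cdn-updates.example.net /ping 200
2017-05-12T10:25:00 10.1.2.3 cdn-updates.example.net /ping 200
2017-05-12T10:30:00 10.1.2.3 cdn-updates.example.net /ping 200
2017-05-12T10:02:00 10.1.2.7 updates.example.com /check 200
2017-05-12T10:12:00 10.1.2.7 updates.example.com /check 200
2017-05-12T10:22:00 10.1.2.7 updates.example.com /check 200
"""


def parse(log):
    """Group (timestamp, path) per (source IP, destination host)."""
    per_pair = defaultdict(list)
    for line in log.splitlines():
        ts, src, host, path, status = line.split()
        per_pair[(src, host)].append((datetime.fromisoformat(ts), path))
    return per_pair


def beacon_candidates(per_pair, min_hits=5, max_cv=0.15):
    """Pairs with at least min_hits requests whose inter-request gaps are
    nearly constant (coefficient of variation <= max_cv)."""
    hits = []
    for (src, host), reqs in per_pair.items():
        if len(reqs) < min_hits:
            continue                      # too few samples to call periodic
        times = sorted(t for t, _ in reqs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits.append({
                "src": src, "host": host, "hits": len(reqs),
                "period_s": round(avg), "cv": round(cv, 3),
                "paths": len({p for _, p in reqs}),   # 1 distinct path is extra evidence
            })
    return hits


if __name__ == "__main__":
    for hit in beacon_candidates(parse(PROXY_LOG)):
        print(hit)
```

Two caveats before this goes into production: real implants add jitter (a ±20% sleep randomization pushes the coefficient of variation above 0.15, so widen the threshold or test the gap distribution rather than a single statistic), and legitimate software updaters and monitoring agents also beacon, so the output is a hunt list to be filtered against known hosts, not an alert. The same periodicity check works over firewall or DNS logs when the CnC hides behind TLS and only the destination and timing are visible.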
Goals Inside the Network
Find the target data
Access the target data
Exfiltrate the data
Avoid getting caught.
These are completed by an active operator:
An individual issuing commands through the malware
Operators have a goal, may follow a script and often make mistakes (typos)
Longest, most complex phase
May last days, weeks or months
Consists of many short-term goals, not necessarily linear
Often ignored phase of the Attack Lifecycle
“And then the bad guys steal all your data”
Talking points:
This slide focuses on what can happen once target assets are reached
A good rule of thumb for any environment is to operate under the assumption that the adversary is already inside the perimeter
The different kinds of objectives here map to motivations for different adversary types
Most environments will have their own blend of these threats that they must mitigate.
Once they are in the network, the malware doesn’t matter.
The Pragmatic Adversary won’t create a custom tool to do what a built-in tool already can.
The takeaway here is the security organizations are not innovating fast enough, and attackers are becoming much more sophisticated in their planning, with their tactics continuously evolving as well.
This polarization creates a continuously widening vulnerability gap in an organization’s security.
And the stakes are even higher when the value of information is increasing.
Example: “Stolen medical and healthcare records are the ‘Rolls Royce’ with a black market value of approximately $200 per record as evidenced in hacker forums. As a comparison, credit card records sell for about $1 per record.” – Value from prescription (controlled substances) and access to bank account information.
Goal is to reduce threat exposure by strengthening controls.
Traditionally, businesses have focused on “detect and respond.” But this is inadequate: such tools generally only provide alerts on threats, taking a “detection-focused” approach that requires manual intervention or costly incident response once a breach occurs. Plus, these legacy solutions are a “patchwork” of point products that not only lack the ability to protect against all threat vectors, but also make it very difficult to coordinate and share intelligence among the various devices.
At Palo Alto Networks, we focus strongly on designing for prevention, preparing for remediation. We believe a security strategy must be formed from a philosophical position of “I can prevent attacks” with the correct implementation of best practices across people-process-technology.
As such, your architecture must be able to detect and prevent threats at every point across the organization:
Attacks targeting your mobile workers
Attacks targeting your perimeter
Attacks moving between employees and devices within your LAN, or from guests or other 3rd party contractors that might have access to your network
Attacks targeting the heart of your virtualized data center
Attacks targeting your cloud-based infrastructure, both private and public
Here’s an example of how a comprehensive security solution can work together to block an advanced cyberattack.
Each critical stage within the kill chain is covered, from the initial attempt to breach your perimeter, to delivering malware on the endpoint, then moving laterally through your network until they get to their ultimate target and attempt to exfiltrate data. Each of these steps is met with a multi-layered defense model that:
Prevents known delivery mechanisms from functioning (NGFW App-ID & SSL decryption, GlobalProtect, URL Filtering, Threat Prevention, WildFire).
Prevents known malicious code from installing (Threat Prevention, WildFire, Traps).
Prevents known command-and-control channels from communicating (NGFW App-ID, Threat Prevention, URL Filtering, WildFire).
Prevents known exfiltration schemes from sending sensitive information out of the enterprise (NGFW App-ID & SSL decryption, Threat Prevention, URL Filtering).
Detects unknown threats (WildFire and Traps) and automatically deploys new prevention controls across the platform, and to the global subscriber base, within minutes of discovery, transforming the previously unknown into a known.
Many best of breed point products can detect and some can prevent at key elements in the kill chain, but they rely on the organization to manually integrate them into a seamless architecture.