IBM Security, profile picture
Uploaded byIBM Security
PPTX, PDF1,098 views

Making Threat Management More Manageable

The document outlines a scenario involving a security breach at a global retail corporation, managed by an IT security manager facing a data exfiltration incident that includes credit card information. It details the attack's progression, highlighting how malware infiltrated the point of sale systems and the subsequent investigative measures taken to identify the breach's origin. Additionally, it emphasizes the importance of proactive threat management and advanced prevention techniques to mitigate such attacks, including behavioral-based defenses and incident response services offered by IBM.

Software
Related topics:
Cyber Threats

Embed presentation

Downloaded 63 times
Making Threat Management More Manageable The Nuts and Bolts of the Dynamic Attack Chain 1 © 2014 IBM Corporation 1 © 2014 IBM Corporation © 2014 IBM Corporation
You are an... IT Security Manager at a global retailer with 600 locations. You manage a team of IT analysts that are responsible for maintaining network operations for point of sale in retail locations, central servers, the company website and mobile applications. 2 © 2014 IBM Corporation Other areas of your company, like product management, have credentials for various applications to enable them to conduct business. 2 © 2014 IBM Corporation
Monday 8:30am Over a cup of coffee, you get a phone call from a well-known security blogger that your customer credit card numbers and one of your Internet-accessible server addresses showed up on an underground forum known for trading stolen information. 3 © 2014 IBM Corporation Within 10 minutes, you notify legal counsel, the CIO, and law enforcement and begin a forensics investigation to figure out how the breach occurred. 3 © 2014 IBM Corporation
IBM Threat Protection System: The previous Saturday S M T W T F S Attack Chain Stage: Break-In Latch-on 4 © 2014 IBM Corporation Expand Gather Exfiltrate 4 © 2014 IBM Corporation x Prevent Detect Respond Investigating the server logs from the weekend shows a connection from a POS server to an external FTP server you don’t recognize, hosted at the dynamic domain 1337.my-ftp.biz. The attacker must have manually copied excerpts of the data from the FTP server to the underground forum.
IBM Threat Protection System: The previous week S M T W T F S Attack Chain Stage: Break-In Latch-on 5 © 2014 IBM Corporation Expand Gather Exfiltrate 5 © 2014 IBM Corporation x Prevent Detect Respond You find evidence in the log files of transfers of PII in the previous week from POS servers to a single internal server, the server that connected to the external FTP server.
IBM Threat Protection System: The previous 2-3 weeks S M T W T F S Attack Chain Stage: Break-In Latch-on You find a copy of the file CardScraper.exe on each of the POS servers that sent PII to the server that made the external connection. 6 © 2014 IBM Corporation Expand Gather Exfiltrate 6 © 2014 IBM Corporation x Prevent Detect Respond In the 2-3 week prior, that malware hunted for additional POS servers, copying toolchains and password crackers to them, and infiltrating the network.
IBM Threat Protection System: 28 days earlier S M T W T F S Attack Chain Stage: Break-In Latch-on 7 © 2014 IBM Corporation Expand Gather Exfiltrate 7 © 2014 IBM Corporation x Prevent Detect Respond Probing further, you find a RAT (Remote Access Trojan) named svch0st.exe, which acted as a dropper to secretly install, execute, and avoid anti-virus detection. This program downloaded CardScraper.exe from an external server located at IP Address 91.216.73.32 and copied it to the POS servers.
IBM Threat Protection System: 29 days earlier S M T W T F S Attack Chain Stage: Break-In Latch-on 8 © 2014 IBM Corporation Expand Gather Exfiltrate 8 © 2014 IBM Corporation x Prevent Detect Respond While working in a coffee shop, Dan, in Development, receives an email from a retailer requesting account verification. He clicked the link, but didn’t notice it was to fake website named acccount-verify.com, which launched a zero-day exploit to his browser and downloaded the trojan svch0st.exe to his system. Dan drives to work where he logs into the network, allowing svch0st.exe to slip into the network and start the chain of events leading to the breach.
Let's start from the beginning to see how the attack could have been disrupted... 9 © 2014 IBM Corporation 9 © 2014 IBM Corporation
IBM Threat Protection System Smarter Prevention Stop unknown threats with behavioral-based defenses on both the endpoint and network Security Intelligence Automatically detect weaknesses and anomalies with enterprise-wide visibility and insights Continuous Response Quickly understand incidents and use findings to strengthen real-time A dynamic, integrated system to disrupt the entire lifecycle of advanced attacks 10 © 2014 IBM Corporation defenses Open Integrations Share context between domains and third party products using an open platform and ecosystem 10 © 2014 IBM Corporation
IBM Threat Protection System: 29 days earlier S M T W T F S Attack Chain Stage: Break-In Latch-on 11 © 2014 IBM Corporation Expand Gather Exfiltrate 11 © 2014 IBM Corporation x Prevent Detect Respond Dan is the subject of a phishing scam and inadvertently downloads malware IBM Security Trusteer Apex Advanced Malware Protection stops the zero-day exploit from attacking his web browser and executing the RAT named “svch0st.exe”
IBM Threat Protection System: 28 days earlier S M T W T F S Attack Chain Stage: Break-In Latch-on 12 © 2014 IBM Corporation Expand Gather Exfiltrate 12 © 2014 IBM Corporation x Prevent Detect Respond The RAT downloads CardScraper.exe and the malware starts to replicate Trusteer Apex blocks command & control (C&C) activity on the endpoint, stopping the RAT from communicating with the server to download CardScraper.exe
IBM Threat Protection System: 28 days earlier S M T W T F S Attack Chain Stage: Break-In Latch-on 13 © 2014 IBM Corporation Expand Gather Exfiltrate 13 © 2014 IBM Corporation x Prevent Detect Respond The RAT downloads CardScraper.exe and the malware starts to replicate IBM Security Network Protection prevents C&C activity on the server by blocking the remote IP 91.216.73.32 hosting CardScraper.exe based on IP reputation
IBM Threat Protection System: 28 days earlier S M T W T F S Attack Chain Stage: Break-In Latch-on 14 © 2014 IBM Corporation Expand Gather Exfiltrate 14 © 2014 IBM Corporation x Prevent Detect Respond The RAT downloads CardScraper.exe and the malware starts to replicate IBM QRadar SIEM detects the RAT install from system event logs, giving it a magnitude score of 8 and raising a flag in the security analyst’s dashboard
IBM Threat Protection System: 2-3 weeks earlier S M T W T F S Attack Chain Stage: Break-In Latch-on 15 © 2014 IBM Corporation Expand Gather Exfiltrate 15 © 2014 IBM Corporation x Prevent Detect Respond CardScraper.exe is copied to POS servers throughout the business IBM QRadar SIEM detects file transfers based on network events, and reports a policy violation on unauthorized access to a POS server
IBM Threat Protection System: The previous week S M T W T F S Attack Chain Stage: Break-In Latch-on 16 © 2014 IBM Corporation Expand Gather Exfiltrate 16 © 2014 IBM Corporation x Prevent Detect Respond PII was transferred from infected POS servers to a single server IBM Security Network Protection (XGS) detects and blocks the transfer of the credit card number files Tag Name Status Content_Analyzer_Credit_Card_Num Detected event
IBM Threat Protection System: The previous week S M T W T F S Attack Chain Stage: Break-In Latch-on 17 © 2014 IBM Corporation Expand Gather Exfiltrate 17 © 2014 IBM Corporation x Prevent Detect Respond PII was transferred from infected POS servers to a single server IBM QRadar SIEM detects communication behavior that deviates from corporate and compliance policies
IBM Threat Protection System: The previous Saturday S M T W T F S Attack Chain Stage: Break-In Latch-on 18 © 2014 IBM Corporation Expand Gather Exfiltrate 18 © 2014 IBM Corporation x Prevent Detect Respond A POS server connects to an unknown external FTP server and the PII is exfiltrated. IBM Security Network Protection XGS would block the outbound connection based on the URL reputation of remote FTP server “1337.my-ftp.biz”
IBM Threat Protection System: The previous Saturday S M T W T F S Attack Chain Stage: Break-In Latch-on A POS server connects to an unknown external FTP server and the PII is exfiltrated. 19 © 2014 IBM Corporation Expand Gather Exfiltrate 19 © 2014 IBM Corporation x Prevent Detect Respond IBM QRadar SIEM would detect anomalous flow out from a server that never connected outbound before with a “Connection Outbound to Internet from Critical Asset” flag
IBM Threat Protection System: How do you conduct this forensics investigation? S M T W T F S Attack Chain Stage: Break-In Latch-on IBM Security QRadar Incident Forensics 20 © 2014 IBM Corporation Expand Gather Exfiltrate 20 © 2014 IBM Corporation x Prevent Detect Respond With a solution like QRadar Incident Forensics, you can…  Query external server addresses found on the underground forum  Report internal connections  Show external file transfers  Identify malware transferred by the attacker  Discover connection histories and extended relationships with internal assets and identities …via deep analysis and reconstruction of recorded packet capture files. Directly from the QRadar console.
IBM Threat Protection System: Early detection and rapid response are also critical S M T W T F S Attack Chain Stage: Break-In Latch-on It can take just minutes to compromise your network, but months to discover and recover. IBM offers Emergency Response Services to help. 21 © 2014 IBM Corporation Expand Gather Exfiltrate 21 © 2014 IBM Corporation x Prevent Detect Respond  A team of incident response and forensics experts ready to respond globally  120 staff hours per year, which can be utilized for emergency response services or preventative services  Unlimited emergency declarations  Access to the X-Force Threat Analysis Service backed by global intelligence research  Quarterly checkpoint, support, and update on threat landscape
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY © 2014 IBM Corporation IBM Security 22 www.ibm.com/security © Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

More Related Content

PDF
Nuts & Bolts of the Dynamic Attack Chain
byIBM Security
 
PDF
Using Massively Distributed Malware in APT-Style Attacks
byIBM Security
 
PPTX
Industry reactions to wanna cry ransomware attacks
bykevinmass30
 
PDF
Security A to Z: Glossary of the most important terms
byF-Secure Corporation
 
PDF
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
byIRJET Journal
 
PPT
Network security
by-jyothish kumar sirigidi
 
PDF
Fortinet_FortiDDoS_Introduction
byswang2010
 
PDF
IBM X-Force Threat Intelligence Quarterly Q4 2015
byAndreanne Clarke
 
Nuts & Bolts of the Dynamic Attack Chain
byIBM Security
 
Using Massively Distributed Malware in APT-Style Attacks
byIBM Security
 
Industry reactions to wanna cry ransomware attacks
bykevinmass30
 
Security A to Z: Glossary of the most important terms
byF-Secure Corporation
 
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
byIRJET Journal
 
Network security
by-jyothish kumar sirigidi
 
Fortinet_FortiDDoS_Introduction
byswang2010
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
byAndreanne Clarke
 

What's hot

PPT
Ch08 Microsoft Operating System Vulnerabilities
byphanleson
 
PDF
Palestra realizada no S4x17 - Miami - EUA (em Inglês)
byTI Safe
 
PDF
AI for Ransomware Detection & Prevention Insights from Patents
byAlex G. Lee, Ph.D. Esq. CLP
 
PDF
From velvet to silk there is still a lot of sweat
byStefano Maccaglia
 
PDF
Ransomware Prevention Guide
byBrian Honan
 
PDF
Cyber Client Alert
byGraeme Cross
 
PPT
Ns
byDeepenti123
 
DOCX
Conficker worm
byssuser1eca7d
 
PDF
5 Ways to Protect Your Healthcare Organization from a Ransomware Attack - HIM...
byClearDATACloud
 
PPTX
Hacking by Pratyush Gupta
byTenet Systems Pvt Ltd
 
PDF
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
byVijay Sarathy Rangayyan
 
Ch08 Microsoft Operating System Vulnerabilities
byphanleson
 
Palestra realizada no S4x17 - Miami - EUA (em Inglês)
byTI Safe
 
AI for Ransomware Detection & Prevention Insights from Patents
byAlex G. Lee, Ph.D. Esq. CLP
 
From velvet to silk there is still a lot of sweat
byStefano Maccaglia
 
Ransomware Prevention Guide
byBrian Honan
 
Cyber Client Alert
byGraeme Cross
 
Ns
byDeepenti123
 
Conficker worm
byssuser1eca7d
 
5 Ways to Protect Your Healthcare Organization from a Ransomware Attack - HIM...
byClearDATACloud
 
Hacking by Pratyush Gupta
byTenet Systems Pvt Ltd
 
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
byVijay Sarathy Rangayyan
 

Similar to Making Threat Management More Manageable

PDF
Presentation defend your company against cyber threats with security solutions
byxKinAnx
 
PDF
Security Solution - IBM Business Connect Qatar Defend your company against cy...
byDalia Reda
 
PPTX
Attack Autopsy: A Study of the Dynamic Attack Chain
byIBM Security
 
PPTX
Exfiltration slides-v1-release
byEric Koeppen
 
PPTX
Anatomy of an Advanced Retail Breach
byIBM Security
 
PDF
Tecnologie a supporto dei controlli di sicurezza fondamentali
byJürgen Ambrosi
 
PPTX
Follow the Money, Follow the Crime
byIBM Security
 
PPTX
7 Ways to Stay 7 Years Ahead of the Threat
byIBM Security
 
PPT
Ibm q radar_blind_references
byMaarten Werff
 
PPT
Five critical conditions to maximizing security intelligence investments
byIBM Security
 
PDF
The Business Case for Enterprise Endpoint Protection: Can You Afford Not To?
byIBM Security
 
PDF
Chris neely the future of cyber security events 3
byRedazione InnovaPuglia
 
PPTX
Defending Your IBM i Against Malware
byPrecisely
 
PPTX
Security Intelligence: Finding and Stopping Attackers with Big Data Analytics
byIBM Security
 
PPTX
2015 Cybercrime Trends – Things are Going to Get Interesting
byIBM Security
 
PPTX
IBM Security QRadar
byVirginia Fernandez
 
PPTX
Michael andersson - att ligga steget före in en allt mer hotfylld värld BC14
byIBM Sverige
 
PDF
Luncheon - 2016-05-19 IBM Security - Threat Intelligence by Michael Montecillo
byNorth Texas Chapter of the ISSA
 
PPTX
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
byIBM Security
 
PPSX
IBM: Cognitive Security Transformation for the Enrgy Sector
byFMA Summits
 
Presentation defend your company against cyber threats with security solutions
byxKinAnx
 
Security Solution - IBM Business Connect Qatar Defend your company against cy...
byDalia Reda
 
Attack Autopsy: A Study of the Dynamic Attack Chain
byIBM Security
 
Exfiltration slides-v1-release
byEric Koeppen
 
Anatomy of an Advanced Retail Breach
byIBM Security
 
Tecnologie a supporto dei controlli di sicurezza fondamentali
byJürgen Ambrosi
 
Follow the Money, Follow the Crime
byIBM Security
 
7 Ways to Stay 7 Years Ahead of the Threat
byIBM Security
 
Ibm q radar_blind_references
byMaarten Werff
 
Five critical conditions to maximizing security intelligence investments
byIBM Security
 
The Business Case for Enterprise Endpoint Protection: Can You Afford Not To?
byIBM Security
 
Chris neely the future of cyber security events 3
byRedazione InnovaPuglia
 
Defending Your IBM i Against Malware
byPrecisely
 
Security Intelligence: Finding and Stopping Attackers with Big Data Analytics
byIBM Security
 
2015 Cybercrime Trends – Things are Going to Get Interesting
byIBM Security
 
IBM Security QRadar
byVirginia Fernandez
 
Michael andersson - att ligga steget före in en allt mer hotfylld värld BC14
byIBM Sverige
 
Luncheon - 2016-05-19 IBM Security - Threat Intelligence by Michael Montecillo
byNorth Texas Chapter of the ISSA
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
byIBM Security
 
IBM: Cognitive Security Transformation for the Enrgy Sector
byFMA Summits
 

More from IBM Security

PPTX
Automation: Embracing the Future of SecOps
byIBM Security
 
PDF
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
byIBM Security
 
PDF
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
byIBM Security
 
PPTX
Integrated Response with v32 of IBM Resilient
byIBM Security
 
PDF
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
byIBM Security
 
PDF
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
byIBM Security
 
PDF
Accelerating SOC Transformation with IBM Resilient and Carbon Black
byIBM Security
 
PDF
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
byIBM Security
 
PPTX
Are You Ready to Move Your IAM to the Cloud?
byIBM Security
 
PPTX
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
byIBM Security
 
PPTX
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
byIBM Security
 
PPTX
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
byIBM Security
 
PPTX
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
byIBM Security
 
PDF
WannaCry Ransomware Attack: What to Do Now
byIBM Security
 
PPTX
How to Improve Threat Detection & Simplify Security Operations
byIBM Security
 
PPTX
IBM QRadar UBA
byIBM Security
 
PDF
Mobile Vision 2020
byIBM Security
 
PDF
Retail Mobility, Productivity and Security
byIBM Security
 
PDF
Close the Loop on Incident Response
byIBM Security
 
PDF
Orchestrate Your Security Defenses; Protect Against Insider Threats
byIBM Security
 
Automation: Embracing the Future of SecOps
byIBM Security
 
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
byIBM Security
 
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
byIBM Security
 
Integrated Response with v32 of IBM Resilient
byIBM Security
 
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
byIBM Security
 
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
byIBM Security
 
Accelerating SOC Transformation with IBM Resilient and Carbon Black
byIBM Security
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
byIBM Security
 
Are You Ready to Move Your IAM to the Cloud?
byIBM Security
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
byIBM Security
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
byIBM Security
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
byIBM Security
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
byIBM Security
 
WannaCry Ransomware Attack: What to Do Now
byIBM Security
 
How to Improve Threat Detection & Simplify Security Operations
byIBM Security
 
IBM QRadar UBA
byIBM Security
 
Mobile Vision 2020
byIBM Security
 
Retail Mobility, Productivity and Security
byIBM Security
 
Close the Loop on Incident Response
byIBM Security
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
byIBM Security
 

Recently uploaded

PDF
The Modern Architect's Codex: Design Patterns in .NET 9
byVineet Sharma
 
PDF
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
PDF
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
PPTX
Topic: Introduction to Storage Elements Flip-Flops.pptx
byhn486916
 
PDF
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
PDF
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
PDF
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
PDF
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
PPTX
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
Mastering Zero-Allocation Parsers: A Deep Dive into High-Performance C#
byVineet Sharma
 
PPTX
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
PDF
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PDF
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
PDF
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PDF
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
PDF
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
PDF
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
The Modern Architect's Codex: Design Patterns in .NET 9
byVineet Sharma
 
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
Topic: Introduction to Storage Elements Flip-Flops.pptx
byhn486916
 
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Mastering Zero-Allocation Parsers: A Deep Dive into High-Performance C#
byVineet Sharma
 
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 

Making Threat Management More Manageable

  • 1.
    Making Threat Management More Manageable The Nuts and Bolts of the Dynamic Attack Chain 1 © 2014 IBM Corporation 1 © 2014 IBM Corporation © 2014 IBM Corporation
  • 2.
    You are an... IT Security Manager at a global retailer with 600 locations. You manage a team of IT analysts that are responsible for maintaining network operations for point of sale in retail locations, central servers, the company website and mobile applications. 2 © 2014 IBM Corporation Other areas of your company, like product management, have credentials for various applications to enable them to conduct business. 2 © 2014 IBM Corporation
  • 3.
    Monday 8:30am Overa cup of coffee, you get a phone call from a well-known security blogger that your customer credit card numbers and one of your Internet-accessible server addresses showed up on an underground forum known for trading stolen information. 3 © 2014 IBM Corporation Within 10 minutes, you notify legal counsel, the CIO, and law enforcement and begin a forensics investigation to figure out how the breach occurred. 3 © 2014 IBM Corporation
  • 4.
    IBM Threat Protection System: The previous Saturday S M T W T F S Attack Chain Stage: Break-In Latch-on 4 © 2014 IBM Corporation Expand Gather Exfiltrate 4 © 2014 IBM Corporation x Prevent Detect Respond Investigating the server logs from the weekend shows a connection from a POS server to an external FTP server you don’t recognize, hosted at the dynamic domain 1337.my-ftp.biz. The attacker must have manually copied excerpts of the data from the FTP server to the underground forum.
  • 5.
    IBM Threat Protection System: The previous week S M T W T F S Attack Chain Stage: Break-In Latch-on 5 © 2014 IBM Corporation Expand Gather Exfiltrate 5 © 2014 IBM Corporation x Prevent Detect Respond You find evidence in the log files of transfers of PII in the previous week from POS servers to a single internal server, the server that connected to the external FTP server.
  • 6.
    IBM Threat Protection System: The previous 2-3 weeks S M T W T F S Attack Chain Stage: Break-In Latch-on You find a copy of the file CardScraper.exe on each of the POS servers that sent PII to the server that made the external connection. 6 © 2014 IBM Corporation Expand Gather Exfiltrate 6 © 2014 IBM Corporation x Prevent Detect Respond In the 2-3 week prior, that malware hunted for additional POS servers, copying toolchains and password crackers to them, and infiltrating the network.
  • 7.
    IBM Threat Protection System: 28 days earlier S M T W T F S Attack Chain Stage: Break-In Latch-on 7 © 2014 IBM Corporation Expand Gather Exfiltrate 7 © 2014 IBM Corporation x Prevent Detect Respond Probing further, you find a RAT (Remote Access Trojan) named svch0st.exe, which acted as a dropper to secretly install, execute, and avoid anti-virus detection. This program downloaded CardScraper.exe from an external server located at IP Address 91.216.73.32 and copied it to the POS servers.
  • 8.
    IBM Threat Protection System: 29 days earlier S M T W T F S Attack Chain Stage: Break-In Latch-on 8 © 2014 IBM Corporation Expand Gather Exfiltrate 8 © 2014 IBM Corporation x Prevent Detect Respond While working in a coffee shop, Dan, in Development, receives an email from a retailer requesting account verification. He clicked the link, but didn’t notice it was to fake website named acccount-verify.com, which launched a zero-day exploit to his browser and downloaded the trojan svch0st.exe to his system. Dan drives to work where he logs into the network, allowing svch0st.exe to slip into the network and start the chain of events leading to the breach.
  • 9.
    Let's start fromthe beginning to see how the attack could have been disrupted... 9 © 2014 IBM Corporation 9 © 2014 IBM Corporation
  • 10.
    IBM Threat ProtectionSystem Smarter Prevention Stop unknown threats with behavioral-based defenses on both the endpoint and network Security Intelligence Automatically detect weaknesses and anomalies with enterprise-wide visibility and insights Continuous Response Quickly understand incidents and use findings to strengthen real-time A dynamic, integrated system to disrupt the entire lifecycle of advanced attacks 10 © 2014 IBM Corporation defenses Open Integrations Share context between domains and third party products using an open platform and ecosystem 10 © 2014 IBM Corporation
  • 11.
    IBM Threat Protection System: 29 days earlier S M T W T F S Attack Chain Stage: Break-In Latch-on 11 © 2014 IBM Corporation Expand Gather Exfiltrate 11 © 2014 IBM Corporation x Prevent Detect Respond Dan is the subject of a phishing scam and inadvertently downloads malware IBM Security Trusteer Apex Advanced Malware Protection stops the zero-day exploit from attacking his web browser and executing the RAT named “svch0st.exe”
  • 12.
    IBM Threat Protection System: 28 days earlier S M T W T F S Attack Chain Stage: Break-In Latch-on 12 © 2014 IBM Corporation Expand Gather Exfiltrate 12 © 2014 IBM Corporation x Prevent Detect Respond The RAT downloads CardScraper.exe and the malware starts to replicate Trusteer Apex blocks command & control (C&C) activity on the endpoint, stopping the RAT from communicating with the server to download CardScraper.exe
  • 13.
    IBM Threat Protection System: 28 days earlier S M T W T F S Attack Chain Stage: Break-In Latch-on 13 © 2014 IBM Corporation Expand Gather Exfiltrate 13 © 2014 IBM Corporation x Prevent Detect Respond The RAT downloads CardScraper.exe and the malware starts to replicate IBM Security Network Protection prevents C&C activity on the server by blocking the remote IP 91.216.73.32 hosting CardScraper.exe based on IP reputation
  • 14.
    IBM Threat Protection System: 28 days earlier S M T W T F S Attack Chain Stage: Break-In Latch-on 14 © 2014 IBM Corporation Expand Gather Exfiltrate 14 © 2014 IBM Corporation x Prevent Detect Respond The RAT downloads CardScraper.exe and the malware starts to replicate IBM QRadar SIEM detects the RAT install from system event logs, giving it a magnitude score of 8 and raising a flag in the security analyst’s dashboard
  • 15.
    IBM Threat Protection System: 2-3 weeks earlier S M T W T F S Attack Chain Stage: Break-In Latch-on 15 © 2014 IBM Corporation Expand Gather Exfiltrate 15 © 2014 IBM Corporation x Prevent Detect Respond CardScraper.exe is copied to POS servers throughout the business IBM QRadar SIEM detects file transfers based on network events, and reports a policy violation on unauthorized access to a POS server
  • 16.
    IBM Threat Protection System: The previous week S M T W T F S Attack Chain Stage: Break-In Latch-on 16 © 2014 IBM Corporation Expand Gather Exfiltrate 16 © 2014 IBM Corporation x Prevent Detect Respond PII was transferred from infected POS servers to a single server IBM Security Network Protection (XGS) detects and blocks the transfer of the credit card number files Tag Name Status Content_Analyzer_Credit_Card_Num Detected event
  • 17.
    IBM Threat Protection System: The previous week S M T W T F S Attack Chain Stage: Break-In Latch-on 17 © 2014 IBM Corporation Expand Gather Exfiltrate 17 © 2014 IBM Corporation x Prevent Detect Respond PII was transferred from infected POS servers to a single server IBM QRadar SIEM detects communication behavior that deviates from corporate and compliance policies
  • 18.
    IBM Threat Protection System: The previous Saturday S M T W T F S Attack Chain Stage: Break-In Latch-on 18 © 2014 IBM Corporation Expand Gather Exfiltrate 18 © 2014 IBM Corporation x Prevent Detect Respond A POS server connects to an unknown external FTP server and the PII is exfiltrated. IBM Security Network Protection XGS would block the outbound connection based on the URL reputation of remote FTP server “1337.my-ftp.biz”
  • 19.
    IBM Threat Protection System: The previous Saturday S M T W T F S Attack Chain Stage: Break-In Latch-on A POS server connects to an unknown external FTP server and the PII is exfiltrated. 19 © 2014 IBM Corporation Expand Gather Exfiltrate 19 © 2014 IBM Corporation x Prevent Detect Respond IBM QRadar SIEM would detect anomalous flow out from a server that never connected outbound before with a “Connection Outbound to Internet from Critical Asset” flag
  • 20.
    IBM Threat Protection System: How do you conduct this forensics investigation? S M T W T F S Attack Chain Stage: Break-In Latch-on IBM Security QRadar Incident Forensics 20 © 2014 IBM Corporation Expand Gather Exfiltrate 20 © 2014 IBM Corporation x Prevent Detect Respond With a solution like QRadar Incident Forensics, you can…  Query external server addresses found on the underground forum  Report internal connections  Show external file transfers  Identify malware transferred by the attacker  Discover connection histories and extended relationships with internal assets and identities …via deep analysis and reconstruction of recorded packet capture files. Directly from the QRadar console.
  • 21.
    IBM Threat Protection System: Early detection and rapid response are also critical S M T W T F S Attack Chain Stage: Break-In Latch-on It can take just minutes to compromise your network, but months to discover and recover. IBM offers Emergency Response Services to help. 21 © 2014 IBM Corporation Expand Gather Exfiltrate 21 © 2014 IBM Corporation x Prevent Detect Respond  A team of incident response and forensics experts ready to respond globally  120 staff hours per year, which can be utilized for emergency response services or preventative services  Unlimited emergency declarations  Access to the X-Force Threat Analysis Service backed by global intelligence research  Quarterly checkpoint, support, and update on threat landscape
  • 22.
    Statement of GoodSecurity Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY © 2014 IBM Corporation IBM Security 22 www.ibm.com/security © Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.