3. Advanced Persistent Threats
Real? Or vendor hype?
What’s your perspective …
» Something new?
» Merely marketing hype?
» Limited to large companies?
» All about China?
» APT = Malware?
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
4. Targeted Threat Concerns
Ponemon Research: 2013 State of the Endpoint
[Figure 4: IT security risks of most concern since 2010. Bars for 2012, 2011 and 2010; categories: Increased use of mobile platforms *, Advanced persistent threats, Intrusion and data loss within a virtual environment. Values shown: 47%, 36%, 36%, 24%, 24%, 22%, 23%, 13% (bar-to-category mapping not recoverable from the extracted text).]
Note: more than three choices permitted in 2010; three choices permitted in 2011 and 2012.
* This choice was not available in all fiscal years
ISACA Research: Advanced Persistent Threats Are Real
» 93.6% feel APTs are a serious threat
» 63% think it is only a matter of time
» 79% feel this is the largest gap in APT prevention
» 1 in 5 have experienced an APT attack
6. Targeted Attacks by Organization Size
[Chart (Source: Symantec): share of targeted attacks by organization size. Values shown: 93%, 2%, 3%, 5%, 50% in 2012, 31% in 2012 (mapping to size bands not recoverable from the extracted text).]
7. External Actors Responsible for Majority of Attacks
Source: Verizon 2013 Data Breach Investigations Report (DBIR)
8. Healthcare – Most frequent data breaches
9. Targeted Threats - Top 10 Industries Attacked in 2012
Source: Symantec
10. Threat Environment – Threat Trends
• User endpoints are consistently targeted
» 71% of attacks targeted user devices (Source: Verizon)
11. Common APT Characteristics
• Highly targeted and endpoint-focused
• Uses both sophisticated and low-tech techniques
» Delivery: USB keys, social engineering, watering hole, etc.
» Zero-day vs. “known” vulnerabilities
» Fraudulent certificates
• Centralized Command and Control
• Undetected for prolonged periods
» Exfiltration masking
» “Hiding in plain sight”
14. Discover
Essentially “casing the joint”
» Identify the Target
» Plan for Penetration
» Probe the Perimeter
15. Distribute
Design and develop not only the payload but also the delivery vehicle
» Package the Payload
» Deliver the Payload
16. Exploit
Activation may not be immediate, and may involve multiple vulnerabilities
» Trigger the Payload
» Exploit the Vulnerability
17. Control
Often involves an encrypted communications channel and manual interaction
» Install Malware on System
» Connect Back to Attacker
» Command & Control
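The Control phase depends on the installed malware connecting back on a schedule, and that sleep loop is one of the few things an encrypted channel cannot hide from a defender who watches timing. The Python below is an added example written for this page, not Lumension's code or anything from the deck: it scores each (source, destination) pair in a proxy log for machine-regular inter-arrival times. The log format (`ISO-timestamp src dst bytes_out`), the hosts `c2-placeholder.test` and `intranet.example.test`, the sample lines, and the thresholds are all constructed assumptions.

```python
"""Beacon (connect-back) detector over constructed proxy-log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

MIN_EVENTS = 8          # enough samples to judge regularity
MAX_INTERVAL_CV = 0.10  # coefficient of variation of inter-arrival times
MIN_INTERVAL_S = 30.0   # ignore sub-30 s bursts such as page loads


def build_sample_log():
    """Constructed lines in the assumed format 'ISO-timestamp src dst bytes_out'; not real traffic."""
    t0 = datetime(2013, 5, 1, 9, 0, 0)
    lines = []
    # Implant on 10.0.0.7 checking in every 300 s with +/-2 s jitter and a constant request size.
    jitter = [0, 1, -1, 2, 0, -2, 1, 0, -1, 2, 0, 1]
    for i, j in enumerate(jitter):
        ts = t0 + timedelta(seconds=300 * i + j)
        lines.append(f"{ts.isoformat()} 10.0.0.7 c2-placeholder.test 412")
    # Ordinary browsing from the same host: irregular gaps and varying sizes.
    gaps = [0, 17, 140, 33, 610, 45, 9, 900, 70, 22, 300, 5]
    sizes = [1200, 880, 15000, 640, 2100, 3000, 700, 9800, 450, 1500, 600, 2200]
    t = t0
    for gap, size in zip(gaps, sizes):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.7 intranet.example.test {size}")
    # A host with only three hits: too few events to score either way.
    for i in range(3):
        ts = t0 + timedelta(seconds=600 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 c2-placeholder.test 412")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, src, dst, bytes_out)."""
    ts, src, dst, size = line.split()
    return datetime.fromisoformat(ts), src, dst, int(size)


def find_beacons(lines, min_events=MIN_EVENTS, max_cv=MAX_INTERVAL_CV, min_interval=MIN_INTERVAL_S):
    """Return {(src, dst): stats} for pairs whose check-in timing is machine-regular."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, size = parse_line(line)
        events[(src, dst)].append((ts, size))
    findings = {}
    for pair, evs in events.items():
        if len(evs) < min_events:
            continue                      # not enough history to call it periodic
        evs.sort()
        deltas = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        avg = mean(deltas)
        if avg < min_interval:
            continue                      # bursty application traffic, not a sleep loop
        interval_cv = pstdev(deltas) / avg
        sizes = [s for _, s in evs]
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) else 0.0
        if interval_cv <= max_cv:
            findings[pair] = {
                "events": len(evs),
                "mean_interval_s": round(avg, 1),
                "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),   # near 0 means identical-sized requests
            }
    return findings


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(build_sample_log()).items():
        print(f"{src} -> {dst}: {stats}")
```

The coefficient of variation is used rather than raw standard deviation so that a 5-minute and a 24-hour check-in are judged by the same rule. Tune `MAX_INTERVAL_CV` against a week of the organization's own logs before alerting on it: legitimate software updaters and monitoring agents also beacon, so the output is a review queue (pair it with the destination's reputation, DNS age and the constant request size), not a verdict. Implants that randomize their sleep widely will score as irregular, which is why the framework pairs this kind of detection with NIPS and DNS controls rather than relying on timing alone.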
18. Execute
Taking action against planned objectives
» Upset the CIA Triad
• Confidentiality
• Integrity
• Availability
» Obfuscate and Extend
19. Targeted Threat Framework
Columns: Phase / Detect / Deny / Disrupt (which column each control sat in was lost in extraction; controls are listed per phase)
» Discover: Web analytics, Firewall ACL
» Distribute: Vigilant end user, Spearfish detection, Web filtering, AV
» Exploit: Vigilant end user, White listing, Memory protection, Patch Management, Sandboxing
» Control: Next gen FW, NIPS, DNS
» Execute: SIEM, Audit Logs, FW ACL, NIDS
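The Distribute row lists spearphish detection as a control. One narrow, checkable piece of that is screening the sender address against the organization's own and partner domains for lookalikes, since a targeted lure usually arrives from a domain built to resemble one the recipient trusts. The Python below is an added example for this page, not Lumension's code or anything from the deck; the trusted domains (`example.com`, `partner-bank.test`), the confusable-character table, and the sample headers are constructed assumptions.

```python
"""Lookalike sender-domain screening over constructed mail headers (added example)."""
from email.utils import parseaddr

# Constructed assumption: the organization's own domain and one partner domain.
TRUSTED_DOMAINS = {"example.com", "partner-bank.test"}

# Characters that commonly stand in for letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain):
    """Fold common visual substitutions so 'examp1e.com' compares as 'example.com'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return one of: ok, lookalike-domain, brand-in-domain, brand-in-display-name, external."""
    display_name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in trusted:
        return "ok"
    norm = normalize(domain)
    labels = domain.split(".")
    for t in trusted:
        brand = t.split(".")[0]
        if norm == t or edit_distance(norm, t) <= 1:
            return "lookalike-domain"        # e.g. examp1e.com, exarnple.com, example.co
        if brand in labels:
            return "brand-in-domain"         # e.g. example.com.account-verify.test
    name = display_name.lower()
    if any(t.split(".")[0] in name or t.split(".")[0].replace("-", " ") in name for t in trusted):
        return "brand-in-display-name"       # trusted name shown, unrelated domain behind it
    return "external"


def scan_headers(headers):
    """Map each From header to its verdict; anything other than ok/external merits review."""
    return {h: classify_sender(h) for h in headers}


# Constructed sample headers, not real mail.
SAMPLE_HEADERS = [
    "Alice <alice@example.com>",
    "IT Helpdesk <helpdesk@examp1e.com>",
    "Payroll <hr@exarnple.com>",
    "Example Support <support@mail-relay.test>",
    "Portal <login@example.com.account-verify.test>",
    "Bob <bob@vendor.test>",
]

if __name__ == "__main__":
    for header, verdict in scan_headers(SAMPLE_HEADERS).items():
        print(f"{verdict:24} {header}")
```

The normalization step is deliberately lossy (a genuine domain containing "rn" folds to "m" as well), so verdicts other than `ok` and `external` should feed a quarantine or banner rule rather than an outright block, and the trusted set should be the domains that actually appear in the organization's correspondence. This only inspects the From header; a complete control also checks the envelope sender and authentication results (SPF, DKIM, DMARC), which the header alone does not carry.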
21. Defense-in-Depth Strategy
Successful risk mitigation starts with a solid vulnerability management foundation, augmented by additional layered defenses which include:
» Configuration Control
» Application Whitelisting
» Memory Protection
» Data Encryption
» Port / Device Control
» Antivirus
[Diagram: layers around Patch and Configuration Management: AV, Device Control, Hard Drive and Media Encryption, Application Control, Memory Protection]
22. Endpoint Defense-in-Depth
[Diagram: endpoint defense layers: Port / Device Control, Physical Access, Anti-Malware, Patch Management, Configuration Management, Network Access, Data Encryption]
23. Additional Information
• For End User Education
» “Be Aware of What You Share” at www.lumension.com/be-aware
• For Security Pros (www.lumension.com/Resources)
» Whitepaper “The State of APT Preparedness” from UBM Tech at ~/WhitePapers/The-State-of-APT-Preparedness
» On-Demand Webcast “Top 9 Mistakes of APT Victims” by Ultimate Windows Security at ~/Webcasts/Top-9-Mistakes-of-APT-Victims
• More on APT issues and solutions in the Optimal Security blog at blog.lumension.com/tag/advanced-persistent-threat/