The document discusses advanced persistent threats and how traditional security methods are insufficient for dealing with them. It introduces Deep Discovery as a solution that provides specialized threat detection across the attack sequence through analyzing malicious content, suspect communications, and attack behaviors. Deep Discovery uses automated analysis, threat intelligence, and sandboxing to detect customized attacks and provides security updates, attack analysis and intelligence, and context-relevant views to guide rapid remediation responses.
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S... by Security B-Sides
The following lecture will cover very advanced techniques and tradecraft of subversive multi-vector threats (SMTs) and advanced persistent threats (APTs) by two of the world's leading experts in this specific field. It is important to understand that APTs have a long history and, though typically not talked about unless you are dealing with Governments, the Defense Industrial Base (DIB), research organizations and global financials, they are all too real. The techniques and tradecraft associated with them are so mature and diverse that they literally go undetected. Today’s Internet is far more complex, dynamic and diverse than ever before. Because of this fast-paced evolution within the threat landscape, these types of attacks (as we predicted in a recent lecture at ToorCon in October 2009 in San Diego, CA) have swiftly become mainstream. The telemetry of the attack surface knows no bounds and includes any mediums necessary for completing their operational charter and missions. In most instances, these attacks are sponsored by nation state and sub-national entities, either politically or economically motivated. During our discussion, we will address the history and psychology of these cyber actors as it relates to APTs, while advancing into an in-depth discussion on SMTs, crypto-virology, asymmetric forms of information gathering, recent use cases and next generation countermeasures for detecting and defending against these types of attacks. Lastly, as we predicted last fall regarding the rise of APTs into the mainstream, we will also leave you with yet another prediction of what to expect in the coming year.
The variety and complexity of cyber attacks are increasing. The attackers have a strong economic and political motivation, thus leading to organized and targeted attacks. We have concluded that intrusions are inevitable, and have focused on strategies to work through the attack while limiting the losses. Our approach, called Self Cleansing Intrusion Tolerance (SCIT), leads to the next generation of secure servers. SCIT shifts the focus from intrusion avoidance to reducing the losses resulting from an intrusion. This additional layer of defense is justified, because the current reactive approaches cannot keep up with the rapidly increasing new threats.
Uncovering ICS Threat Activity Groups for Intelligence-Driven Defense: Dragos has released information about eight threat activity groups that have targeted industrial companies. These groups range from espionage, to learning industrial environments for future effects, to causing a power outage and targeting human life directly. But what are threat activity groups? They are different from what is normally tracked in the community as threat actors and have a different focus for defenders.
DEEPSEC 2013: Malware Datamining And Attribution by Michael Boman
Greg Hoglund explained at BlackHat 2010 that the development environments that malware authors use leave traces in the code which can be used to attribute malware to an individual or a group of individuals. Not with the precision of name, date of birth and address, but with evidence that an arrested suspect's computer can be analysed and compared with the "tool marks" on the collected malware sample.
Extending Network Visibility: Down to the Endpoint by Lancope, Inc.
In today’s world of constantly evolving security threats and attack vectors, organizations need to be vigilant about monitoring their network infrastructure. The network perimeter and security infrastructure is often challenged with the adoption of mobile devices, cloud, and BYOD policies. The need for visibility into endpoint activity has become more important than ever.
Join Josh Applebaum (Ziften), Matthew Frederickson (Council Rock School District) and Peter Johnson (Lancope) for a complimentary webinar to learn how you can achieve real-time network visibility and intelligence for improved incident response.
Discover how you can:
- Achieve additional visibility and context to network activity
- Enhance your existing security investments (NetFlow, Firewall, SIEM, threat intelligence)
- Improve incident response by obtaining real-time and historical endpoint data
Panda Adaptive Defense is a new security model which can guarantee complete protection for devices and servers by classifying 100% of the processes running on every computer throughout the organization and monitoring and controlling their behavior.
More info: http://www.pandasecurity.com/enterprise/solutions/advanced-threat-protection/
Panda Endpoint Protection is the cloud based solution that allows you to manage the security of your network endpoints (Windows, Mac, Linux and Android), without interfering with the performance and with minimum cost.
More info: http://www.pandasecurity.com/enterprise/solutions/cloud-office-protection/
Panda Adaptive Defense 360 is the first and only product in the market to combine in a single solution Endpoint Protection (EPP) and Endpoint Detection & Response (EDR) capabilities.
Do you want to get to know more about Adaptive Defense 360?
- Test a demo: http://bit.ly/21jl4Bi
- Talk to an expert: http://bit.ly/1Ouzvve
- Get more info: http://bit.ly/21jljMu
Strengthening security by combining analytics capabilities over logs and network packets with advanced malware detection capabilities,
With more to protect, fewer resources, and more data, scan failures, delays and false positives can impact response during critical incidents. View this presentation to learn how to overcome these challenges by building resiliency in your organization’s vulnerability management program.
Learn how Tripwire helps you to discover the assets on your network and quickly identify and tag the vulnerable assets while applying the appropriate policies and remediation to improve your security posture and efficiencies while reducing the overall cost to your organization.
In this presentation, Tripwire’s CTO, Dwayne Melançon, discusses how vulnerability scanning can produce vulnerability intelligence, and how that intelligence can be integrated with other sources of context from within information security to produce more effective and efficient detection, response and prevention.
SentinelOne was founded in 2013 by an elite group of cybersecurity and defense experts who share a strong passion for disruption, and a clear vision for a path forward in a post-antivirus era. Building on their experiences learned at Check Point Software Technologies, IBM, Intel Security, Palo Alto Networks, and White Hat Security, the team is committed to the mission of defeating advanced cyber threats and instilling confidence in our digital way of life.
Find out more at https://sentinelone.com
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz by Christopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
In the past two decades of tech booms, busts, and bubbles, two things have not changed - hackers are still finding ways to breach security measures in place, and the endpoint remains the primary target. And now, with cloud and mobile computing, endpoint devices have become the new enterprise security perimeter, so there is even more pressure to lock them down.
Companies are deploying piles of software on the endpoint to secure it - antivirus, anti-malware, desktop firewalls, intrusion detection, vulnerability management, web filtering, anti-spam, and the list goes on. Yet with all of the solutions in place, high-profile companies are still being breached. The recent attacks on large retail and hospitality organizations are prime examples, where hackers successfully used credit-card-stealing malware targeting payment servers to collect customer credit card information.
Attacks are evolving and so must the response – but how? This presentation explores how you get beyond the APT hype and strike a sensible balance between security expenditure and commercial risk. We explain what you need to keep doing, what’s new and what’s no longer effective.
Peter Wood has worked as an ethical hacker for the past 20 years, with clients in sectors as diverse as banking, insurance, retail and manufacturing. He will describe how advanced persistent threats operate from a security intelligence perspective, based on published case studies and analysis. He will highlight APT entry points and exploitation techniques and suggest practical prevention and detection strategies.
In the cloud, data is not tied to one server or even one group of servers, and it can be accessed from multiple devices simultaneously. To protect data, therefore, security solutions must shift from defense of a fixed perimeter towards an approach that protects the data as it travels from physical to virtual to cloud environments.
In the post-PC era, Trend Micro envisions a smart, data-centric security framework that advances the capabilities of our cloud-based Smart Protection Network™, adds smarter threat protection that correlates local threat intelligence; smarter data protection that follows and protects your data; and unified security management that increases visibility into data access and potential attacks.
This presentation was given at the Information Security Executive Summit on 28th / 29th February 2012
Gainful Information Security is an information security and systems development firm established in Harare, Zimbabwe in 2007 to partner with African private and public sectors for a secure, efficient and cost-effective information lifecycle.
In practice it often proves difficult to determine which risks an organization faces and what an appropriate level of security is. This knowledge is, however, necessary in order to take the right measures and to invest effectively in information security. On 12 December 2012 Pinewood organized, in cooperation with McAfee, a seminar that addressed this. Handy tools such as Risk Management and McAfee Nitro (McAfee's SIEM product) and Pinewood's pragmatic approach offer concrete handles and insight for arriving at an effective information security policy.
2. Traditional Security is Insufficient
Advanced Persistent Threats
Empowered Employees
Elastic Perimeter
Trend Micro evaluations find over 90% of enterprise networks contain active malicious malware!
Copyright 2012 Trend Micro Inc.
4. Switch of mental approach
• Terrorist Paradox
– We have to win all the time to defend
– They only have to get it right once to win
• Advanced Threats
– Many steps have to execute in turn to steal my data
– I only need to spot one step to thwart them
5. Custom Attacks
• Today’s most dangerous attacks are those targeted directly and specifically at an organization — its people, its systems, its vulnerabilities, its data.
10/19/2012 Confidential | Copyright 2012 Trend Micro Inc. 5
6. Deep Discovery & The Custom Defense
[Diagram: Advanced Threat Protection; Network Threat Detection; Deep Discovery]
7. APT Activity
Specialized Threat Detection Across the Attack Sequence
Malicious Content
• Emails containing embedded document exploits
• Drive-by Downloads
• Zero-day and known malware
Suspect Communication
• C&C communication for any type of malware & bots
• Backdoor activity by attacker
Attack Behavior
• Malware activity: propagation, downloading, spamming . . .
• Attacker activity: scan, brute force, tool downloads.
• Data exfiltration communication
8. Deep Discovery & The Custom Defense
[Diagram: Advanced Threat Protection; Network Threat Detection; Deep Discovery; Attack Analysis & Intelligence]
9. Automated Analysis
[Diagram of the analysis pipeline: Bandwidth; Live Cloud Lookup; Advanced Heuristics; Threat Intelligence; Sandbox Analysis; Focused Manual Investigation; Output to SIEM]
10. Deep Discovery Advisor
Threat Intelligence Center
• In-Depth Contextual Analysis including simulation results, asset profiles and additional security events
• Integrated Threat Connect Intelligence included in analysis results
• Enhanced Threat Investigation and Visualization capabilities
• Highly Customizable Dashboard, Reports & Alerts
• Centralized Visibility and Reporting across Deep Discovery Inspector units
Threat Connect Intelligence
11. Deep Discovery & The Custom Defense
[Diagram: Advanced Threat Protection; Network Threat Detection; Deep Discovery; Adaptive Security Updates; Containment & Remediation; Attack Analysis & Intelligence]
12. The Custom Defense
• Specialized Threat Detection at network and protection points
• Deep analysis based on custom sandboxing and relevant global intel
• Custom security blacklists & signatures block further attack
• Context-relevant views & intel guide rapid remediation response
13. The Custom Defense In Action
Advanced Email Protection
[Diagram: InterScan Messaging Security or ScanMail (Anti-spam, Anti-phishing, Web Reputation, Anti-malware, Advanced Threat Detection); Threat Analyzer; Threat Intelligence Center; Security Update Server; Deep Discovery Advisor]
• Blocking of targeted spear phishing emails and document exploits via custom sandboxing
• Central analysis of detections
• Automated updates of malicious quarantine IP/Domains
• Search & Destroy function
14. So what does that look like in context?
[Diagram: Outer Perimeter; Inner Perimeters; Valuable Servers; Endpoints]
15. Deep Discovery
Out of band network data feed of all network traffic
Simulate, Analyze, Correlate
Detect Malicious Content and Communication
Identify Attack Behaviour & Reduce False Positives
Visibility – Real-time Dashboards
Insight – Risk-based Analysis
Action – Remediation Intelligence
16. DeepSecurity
Inner Perimeter for valuable assets
[Diagram: Deep Packet Inspection, Firewall, Anti-Virus, Log Inspection, Integrity Monitoring; Security VM alongside guest VMs on the Hypervisor]
Traditional Security works against Traditional Threats. It’s not designed to cope with Targeted attacks. Partly because they are unique and so harder to spot. Partly because changes in how we are using IT, such as cloud and mobile, make the perimeter less effective than it used to be.
But… Don’t throw the baby out with the bath water! Spotting a targeted attack on your network is like finding a needle in a haystack. The way to do it isn’t to start with the biggest haystack possible and throw in lots of pins that look very like needles to confuse the situation. It’s all about filtering. Eliminate standard threats as close to source as you can to make it easier to spot the really clever stuff.
We need a switch of mental approach
Deep Discovery specialized threat detection focuses on 3 key areas to discover attacks during every phase of activity:
Malicious Content (steps 2,3): Deep Discovery detects zero-day and advanced malware – including document exploits and drive-by downloads – used during the initial compromise or later C&C downloads
Suspect Communications (step 3): Deep Discovery detects the C&C communications used by modern malware, as well as backdoor manipulations by remote attackers
Attack Behavior (steps 4,5,6): Deep Discovery detects both malware and hacker network behaviors that indicate propagation, scanning, irregular activity, and suspect data access and transmission
Today you hear of products that find malware by sandboxing executables or detecting some botnet traffic, but only Deep Discovery identifies the malicious content, communications and behaviors of malware and human attacker activity across all phases of the attack cycle.
Fingerprinting uses relevance rules to match known characteristics and patterns of communication: Jack the Ripper, Dark Comet, Pass-the-Hash, Poison Ivy
Centralized management of all deployed Deep Discovery units provides consolidated threat management and enhanced analysis and reporting in a single console.
Centralized Visibility and Reporting over multiple instances of Deep Discovery
Enhanced Threat Investigation and Visualization capabilities
Highly Customizable Dashboard, Reports & Alerts
Context-based Risk Assessment by enriching events with location and asset severity information