2012 Taking Complexity out of Information Security …allowing you to focus on your business.
Transcript of 2012 Taking Complexity out of Information Security …allowing you to focus on your business.
Page 1
2012
Taking Complexity out of Information Security
…allowing you to focus on your business
Advanced Persistent Threats…the external enemy within
Page 2
Advanced Persistent Threats
The Problem Landscape
Page 3
APTs: Hype or Reality?
• Google
• RSA
• Juniper
• DuPont
• IMF
• Lockheed Martin
• … 762 companies were hit during the RSA attack
Page 4
Defining Advanced Persistent Threats (APT)
Regardless of the definition, 99.999% of them adhere to the following characteristics:
◦ Nature: targeted attacks; blended threats (multiple attack vectors); “low and slow”
◦ Tactics: social engineering, attacking the user (most of the time); establishing a foothold (e.g. Remote Access Trojans); attack escalation & metastasis, i.e. access to critical data and services; retaining persistence (different RATs, multiple footholds, etc.)
◦ Results: data leakage, sabotage, fraud…
In essence, it is the attack method of choice of professional attackers.
Page 5
Advanced Persistent Threats (APT) - An Illustration
Step 1
• Reconnaissance
Step 2
• Initial Intrusion into the Network
Step 3
• Establish a Backdoor into the Network
Step 4
• Obtain User Credentials
• Install Various Utilities
Step 5
• Privilege Escalation
• Attack Escalation
• Metastasis
Step 7
• Maintain Persistence
• Data Exfiltration/Other objectives realization
[Diagram labels: Attacker, Internal Users, Web Applications, Data Center]
Page 6
Advanced Persistent Threats – Is it a problem?
ORGANIZATIONS MUST LEARN TO LIVE IN A STATE OF COMPROMISE
Companies including utilities, banks and phone carriers would have to spend almost nine times more on cybersecurity to prevent a digital Pearl Harbor…, a Bloomberg Government study found
APT Tops Security Risks to Corporate IP in 2012
"I'm meeting more CSO's saying 'all I care about is APT…’”
Bruce Schneier, CTO of BT Counterpane
Page 7
Our own Experience on APTs
ENCODE Extrusion Testing™:
◦ Security Assessment via APT Simulation
◦ Running Extrusion Tests since 2003!... 8 years of hands-on experience
◦ Proprietary tools and methodologies
◦ Attacking “outside-in and inside-out”
[Pie chart by sector: Finance, Automotive, IT, Manufacturing, Services, Telecom, Transportation, Public Sector; slice values as extracted: 44%, 3%, 2%, 2%, 6%, 17%, 15%, 13%]
Digital Forensics
◦ Performed Forensics on APT cases in various organisations
Page 8
Why APTs are succeeding: because Controls fail
“Medieval approach to IT Security”: building “castles/perimeters” around the network and trying to be “Preventive”
Single “attack vector” controls
“Evolved versions” of controls designed for the 90’s
Reactive approach
Page 9
Why Controls Fail
Security Programs are focused on Compliance
◦ However: Compliant ≠ Secure
And at the same time even Specialized Security Controls are not adequate on their own (or even combined)
“Traditional” Controls fail
◦ Firewalls, IPS, Secure Web Gateways, AV/Endpoint Security…
◦ They are totally blind to APTs, because their paradigm is a misfit for this kind of threat
But also “less traditional” ones
◦ Data Leak Prevention: designed for human actions, not for leakage by a piece of advanced software (malware, Trojans)
◦ 24x7 Security Monitoring: “Garbage IN, Garbage OUT”, no monitoring in context, not having the right tools for the job
Page 10
Advanced Persistent Threats
Addressing APTs
Page 11
Solving a Problem
One quite clever guy once said that
“if he had one hour to save the world he would spend fifty-five minutes defining the problem and only five minutes finding the solution”
Page 12
Defining the APT Problem
Is it a Malware problem?
Is it an adversary problem?
Is it a Forensics problem?
Is it a Visibility problem?
Is it a zero-day exploit problem?
Is it a Botnet detection and/or takedown problem?
Is it a lack of Security skills problem?
Is it a lack of Defense in Depth problem?
…
…the short answer is NO
Each one of them is a piece of the problem, but not the problem!
Page 13
Defining the APT Problem
We believe it is a two-fold problem:
A “Name Problem”
A “Complexity Problem”
Page 14
What is the “Name Problem” of APTs
Threat
• Of course, and actually a Threat that really matters!
• Motive, Opportunity, Capabilities!
Persistent
• For sure… the attacker is committed and persistent
• And is here to stay!
Advanced
• …hmmm
Page 15
Are APTs really Advanced?
ENCODE Extrusion Testing Facts: infection vectors used (total)
Browser or other Exploit: 14%
Non-exploit (File): 77%
Media-born: 2%
Other (VPN, Web App): 7%
Page 16
Why is “Advanced” the problem
Because
they are considered “Advanced” by “traditional” but also by “less traditional” security controls
they are also “Advanced” for “Single-vector” specialized security controls
they are not “advanced enough” for some specialized security controls trying to be “very advanced”, which miss the KISS (keep it simple) APT
organizations (used to) underplay/underestimate the Threat, saying “this is too advanced… it won’t happen to us”
Page 17
What is the “Complexity Problem” of APTs
Complexity:
◦ Complex IT environments & Business processes, supporting Business Agility
◦ Complex Threat Landscape
◦ Complexity of the Internet
Attackers are taking advantage of this Complexity to achieve their goals, along with the fact that Business must be agile to remain in business!
However, to solve a “complexity problem” or a complex problem you have to:
◦ Take out complexity, where you can
◦ Focus on the parts of the problem that really matter and solve them
Page 18
Solving the “Complexity Problem” of APTs
You cannot reduce complexity, at least not from every part of your business… period
As Complexity increases, the good old “Preventive” controls get less and less effective, or impair Business
Nonetheless you have to be “Proactive”
Proactive Security ≠ Preventive Controls alone
◦ Early Warning & Response is the “preventive” control of choice for Complex environments and Threats
You have to focus on APT
Page 19
Focus on APT
If Early Warning is what we need, let’s think “What cannot be evaded”
Behavior
◦ An IT environment under attack does not behave as normal
◦ Each attack, APT included, has its own signs in behavior change
True Visibility – at all (relevant) Levels
◦ Network: Internet Access (incoming/outgoing)
◦ Endpoint: System state & Data Access/Use
Expertise – the human factor
◦ Encapsulated expertise
◦ Expert view and analysis
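Slide 19 names outbound Internet access and behaviour change as the things an attacker cannot evade. The block below is an added example written for this transcript; it is not ENCODE's code and not part of the original deck. It implements one such behavioural check in Python: a signature-free test for regular outbound callbacks, the "low and slow" traffic that the Remote Access Trojan foothold of slides 4 and 5 has to generate to stay under the attacker's control. The proxy log format, the host names, the IP addresses and the timing data are all constructed for the example, and the thresholds (min_events, max_cv) are assumptions to be tuned per environment.

```python
"""Beacon detection over outbound proxy logs (added example, not ENCODE tooling).

Behaviour-based early warning: a Remote Access Trojan has to call home, and
"low and slow" callbacks are regular in *time* even when every request looks
like ordinary web traffic. Nothing here uses a signature, IOC or reputation
feed; the check only looks at inter-request timing per (internal host,
external host) pair.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed (constructed) proxy log format, one outbound request per line:
#   <ISO-8601 UTC time> <client IP> <method> <URL> <status> <bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")


def parse_line(line):
    """Return a dict for one log line, or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = HOST_RE.match(m["url"])
    if not host:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "host": host.group(1),
            "status": int(m["status"]), "bytes": int(m["bytes"])}


def find_beacons(lines, min_events=8, max_cv=0.2):
    """Flag (src, host) pairs whose request timing is too regular to be a human.

    cv = standard deviation / mean of the gaps between consecutive requests.
    Human browsing is bursty (cv well above 1); a timer-driven callback with a
    little jitter sits near 0. Returns (src, host, count, mean_gap_s, cv) tuples.
    """
    min_events = max(min_events, 3)          # need at least two gaps to measure spread
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:                              # unparseable lines are skipped, not fatal
            seen[(rec["src"], rec["host"])].append(rec["ts"])
    hits = []
    for (src, host), stamps in seen.items():
        if len(stamps) < min_events:         # too few events to judge regularity
            continue
        stamps.sort()                        # logs are rarely in order per pair
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:                        # only duplicate timestamps; nothing to say
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append((src, host, len(stamps), mean, cv))
    return hits


# ---- constructed sample traffic (not real data) ----------------------------
def _make_lines(start, src, host, gaps_s, size):
    """One request at `start`, then one more after each gap in gaps_s."""
    t = start
    out = [f"{t:%Y-%m-%dT%H:%M:%SZ} {src} GET http://{host}/ 200 {size}"]
    for g in gaps_s:
        t += timedelta(seconds=g)
        out.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {src} GET http://{host}/ 200 {size}")
    return out


START = datetime(2012, 3, 5, 9, 0, 0, tzinfo=timezone.utc)
# A foothold on 10.1.2.34 calling home every ~10 minutes with a few seconds of jitter.
BEACON_GAPS = [598, 603, 600, 597, 602, 599, 601, 600, 604, 596, 600]
# Ordinary browsing from the same workstation: bursty and irregular.
BROWSE_GAPS = [5, 140, 12, 900, 33, 2, 1800, 7, 410, 60]

SAMPLE_LOG = (
    _make_lines(START, "10.1.2.34", "cdn-sync.example.net", BEACON_GAPS, 214)
    + _make_lines(START, "10.1.2.34", "news.example.com", BROWSE_GAPS, 48213)
    + _make_lines(START, "10.1.2.50", "cdn-sync.example.net", [600, 600], 214)  # too few to judge
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for src, host, n, mean, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {host}: {n} requests, every {mean:.0f}s (cv={cv:.3f})")
```

Run as a script it reports the single pair 10.1.2.34 -> cdn-sync.example.net (12 requests, every 600s); the browsing traffic from the same workstation and the three-request pair from 10.1.2.50 stay quiet. The design choice is that the check rates regularity, not content: an implant author can encrypt, pad and rename every request, but cannot randomise the callback schedule much without losing timely control of the foothold. Lowering min_events makes the test fire earlier at the price of more false positives from legitimate pollers (update checks, NTP-like services), which is why a hit is an early-warning lead for expert review, as slide 19 puts it, rather than a verdict.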
Page 20
Advanced Persistent Threats
Conclusion
Page 21
APT goes mainstream
Page 22
APT : Targets
APTs are becoming the weapon of choice:
from Government and Defense
to companies with Intellectual Property or Critical Infrastructure
to other “high-value” targets
◦ Finance
◦ …
“…if professional attackers didn’t use such techniques they should have been sued for negligence…”
Page 23
APTs…Revisited
It is not a matter of What
It is not a matter of Who
It is a matter of When!
Attorney David Navetta: … but to me a lot of companies might be thinking that breach is not a matter of if, but a matter of when, and that if you are a high enough profile type of target and someone really wants to get after you, they might have a good chance of actually succeeding
Page 24
www.encodegroup.com