Modern Cyber Threat Protection techniques for Enterprises


Transcript of Modern Cyber Threat Protection techniques for Enterprises

Page 1: Modern Cyber Threat Protection techniques for Enterprises

Information Technology Services Division, ITSD

Modern Cyber Threat Protection Techniques for Enterprises

ECIL

- Abhinav Biswas, Alt. CISO, NKN Data Centre,
  Electronics Corporation of India Limited, ECIL, Department of Atomic Energy.

Page 2: Modern Cyber Threat Protection techniques for Enterprises

Agenda

- Basic Terminologies
- Contemporary Threat Environment
  • Corporate Threat Landscape
- Advanced Persistent Threats (APT)
- Traditional Defense Mechanism
  • Signature Based
- Next-Gen Advanced Threat Protection
  • Analytics based (Sandboxing & GTI)
- Security Incident & Event Management (SIEM) Systems
  • Log Correlation & Big Data Analysis
- Virtualization & Cloud Security
- Vulnerability Assessment & Penetration Testing (VA/PT)
  • Nessus, Acunetix
- Other Security Goals & Technologies
- Security Guidelines for End Users

Page 3: Modern Cyber Threat Protection techniques for Enterprises


Terminologies


Spyware - Gathers information secretly and sends to another entity without the user's consent.

Ransomware - Stops you from using your PC until you pay a certain amount of money (the ransom), e.g. encryption ransomware such as CryptoLocker.

Social Engineering - Psychological manipulation of people into performing actions or divulging confidential information.

Phishing / Spear-Phishing - Act of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.

Vishing - Voice phishing: phishing carried out over a telephone or VoIP call.

Page 4: Modern Cyber Threat Protection techniques for Enterprises


Terminologies


Vulnerability - A weakness which allows an attacker to reduce a system's information assurance.

Threat - A possible danger that might exploit a vulnerability to breach security and thus cause possible harm.

Exploit - A piece of software or a sequence of commands that takes advantage of a bug or vulnerability.

Attack - An attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.

(A realized Threat using an Exploit on Vulnerability is an Attack.)

Event - An observable change to the normal behavior of a system, environment, process, workflow or person.

Incident - An event attributable to a root cause. All incidents are events but many events are not incidents.

(An Attack is a series of security incidents.)

Page 5: Modern Cyber Threat Protection techniques for Enterprises


Contemporary Threat Environment


Rise in coordinated advanced cyber attacks like:
- Advanced Persistent Threats (APT)
- Zero-day Attacks (ZDA)
- Smart Mobile Malware (SMM)
- Web-based Plug-in Exploits (WPE)

New avenues for cyber-fraud:
- Free availability of root-kits, SpamBots, phishing tools etc.
- Digital currencies (BitCoin) & anonymous payment services.

State-sponsored data exfiltration attacks:
- Strategic government institutions.

Challenges due to new technologies/needs:
- Polymorphism, dynamic URLs, virtualization, cloud, smart phones/mobiles, social sites, BYOD, Internet of Things (IoT/IPv6)

Page 6: Modern Cyber Threat Protection techniques for Enterprises


Advanced Persistent Threats (APT)


7 Stage Process (figure): Recon → Lure → Redirect → Exploit Kit → Dropper File → Call Home → Data Theft

Page 7: Modern Cyber Threat Protection techniques for Enterprises


Victims funneled to the Web (figure)

Attack Vectors: Social Media, Email, Mobile, Web Redirects, Phishing, XSS, Exploit Kits, Dropper Files, Malware, CnC, Recon

Page 8: Modern Cyber Threat Protection techniques for Enterprises


Watering Hole Attacks

• 1a) Identify target
• 1b) Determine browsing habits
• 2) Select favorite website
• 3) Compromise and host exploits
• 3) Drop malware
• 4) Determine target profile
• 4) Wait for opportunity to further compromise

Page 9: Modern Cyber Threat Protection techniques for Enterprises


Attack on ADSL Routers

(Figure: Internet, Customer, Attacker, Vulnerable ADSL Router, Rogue DNS Server)

Attacker scans for the DSL router and logs onto the admin console via the WAN interface by exploiting vulnerabilities in the router firmware or configuration flaws, or by infecting a connected computer.

Changes the DNS server entries in the modem to rogue DNS servers and changes the password of the DSL router.

Page 10: Modern Cyber Threat Protection techniques for Enterprises


Traditional Defense Mechanism

1 PRIMARILY BASED ON SIGNATURE & REPUTATION
Signature history cannot keep up with the dynamic future of threats.

2 LACK OF REAL-TIME INLINE CONTENT ANALYSIS
No byte-range data packet analysis for data loss/theft detection.

3 FORWARD FACING ONLY, LACK OUTBOUND PROTECTION
No contextual analysis of internal threats.

4 LACK OF ADVANCED ANALYTICS & ANOMALY DETECTION
No sandboxing in existing UTMs, NGFWs. No SSL packet inspection.

Page 11: Modern Cyber Threat Protection techniques for Enterprises


Basic Defense in Depth


Page 12: Modern Cyber Threat Protection techniques for Enterprises


Advanced Solution Map

(Figure: solution map by channel)

WEB: Content Analysis, Malware Sandbox, Forensic Reports, SSL Inspection, Video Controls
EMAIL: Spear-Phishing URL Sandboxing, Anti-Spam, TLS Encryption, Image Analysis
DATA: Content Aware DLP, Drip Data Theft Detection, OCR of Image Text, Geo-Location
MOBILE: Cloud Service, Malicious Apps, BYOD Policy, Reporting/Inventory

(Figure: Essential Information Protection lifecycle: Discover, Monitor, Classify, Protect; covering the Where, What, Who and How of data such as customer lists, new designs and confidential documents; External Risks and Internal Risks)

Page 13: Modern Cyber Threat Protection techniques for Enterprises


Security Landscape


Page 14: Modern Cyber Threat Protection techniques for Enterprises


New Threat Protection Techniques - Two key elements

1. Sandboxing Systems (similar to a bomb detonation sandbox)
   - Tightly controlled access to resources
   - URL sandbox / File sandbox
   - Isolated environment / network
   - Multiple Detection Environments (Virtual Machines)
   - Customizable & realistic virtual environment
   - Behavior based classification & risk scoring
   - Instrumented forensic data collection

2. Big-Data Analytics - SIEM Systems
   - Big log data interpretation
   - Post-incident data (SIEM - Security Incident Event Management)
   - Real-time Threat Intelligence (GTI)
   - Integration with other sources (local/national/international)
   - PCAP (Packet Capture) & Replay

Page 15: Modern Cyber Threat Protection techniques for Enterprises


SIEM Components

Log Data Collection
- Content & context aware logs
- Device & application logs, authentication & IAM logs, endpoint security devices, user identity, location, VA scan data, network flows, OS events, DB transaction logs

Aggregation & Normalization
- Remove redundancy

Correlation Engine
- Threat Intelligence & Risk Analysis
- Behavior Profiling

Retention & Forensic Analysis

Alert Reporting & Workflow Manager
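As an added illustration of the Aggregation & Normalization and Correlation Engine stages listed above (example code written for this page, not ECIL's or any SIEM product's), the snippet below normalizes constructed SSH authentication log lines into a common schema, drops redundant copies, and applies one correlation rule with a simple risk score. The log format, the threshold of three failures, the five-minute window and the scoring formula are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not real vendor output).
RAW_LOGS = [
    "2024-01-10T09:00:01 sshd: Failed password for admin from 203.0.113.7",
    "2024-01-10T09:00:01 sshd: Failed password for admin from 203.0.113.7",  # duplicate
    "2024-01-10T09:00:05 sshd: Failed password for admin from 203.0.113.7",
    "2024-01-10T09:00:09 sshd: Failed password for admin from 203.0.113.7",
    "2024-01-10T09:00:20 sshd: Accepted password for admin from 203.0.113.7",
    "2024-01-10T09:05:00 sshd: Failed password for bob from 198.51.100.4",
    "2024-01-10T09:30:00 sshd: Accepted password for bob from 198.51.100.4",
]
LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def normalize(lines):
    """Aggregation & normalization: parse lines into a common event schema, drop exact duplicates."""
    seen, events = set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or line in seen:
            continue  # unparseable line or redundant copy
        seen.add(line)
        ts, outcome, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "outcome": outcome.lower(),
                       "user": user, "src": src})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: >= threshold failures for one (source, user) followed by a success within window."""
    failures = defaultdict(list)   # (src, user) -> timestamps of failed logins
    incidents = []
    for ev in events:
        key = (ev["src"], ev["user"])
        if ev["outcome"] == "failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            incidents.append({"src": ev["src"], "user": ev["user"],
                              "failed_attempts": len(recent), "success_at": ev["ts"].isoformat(),
                              "risk_score": min(100, 50 + 10 * len(recent))})  # assumed scoring
        failures[key].clear()       # a success resets the window for this key
    return incidents

if __name__ == "__main__":
    for incident in correlate(normalize(RAW_LOGS)):
        print(incident)
```

Only the admin login from 203.0.113.7 becomes an incident; bob's single failure is both below the threshold and outside the window.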

Page 16: Modern Cyber Threat Protection techniques for Enterprises


SIEM Correlation Intelligence


Page 17: Modern Cyber Threat Protection techniques for Enterprises


Virtualization & Cloud Security

New Challenges
- Concept of the network perimeter evaporates
- No physical segregation across VMs
- Web access to all resources
- VM to VM vulnerability exploitation (co-location of VMs)
- Easy reconfiguration (lack of persistence)

Solutions - still a hot research topic
- Instance isolation in Software Defined Data Centre (SDDC)
- Homomorphic encryption based virtual disks
- Randomized memory mapping & distributed scheduling

Page 18: Modern Cyber Threat Protection techniques for Enterprises


Vulnerability Assessment & Penetration Testing


Page 19: Modern Cyber Threat Protection techniques for Enterprises


Summary of Security Goals & Technologies


Page 20: Modern Cyber Threat Protection techniques for Enterprises

Security Guidelines for End Users

Security is Everybody's Responsibility. It's a moving target. It's a race between the Good & the Bad.

• Use legal software only
• Keep up-to-date patches and fixes of the Operating System and Application Software
• Exercise caution while opening unsolicited emails and do not click on a link embedded within
• Open only email attachments from trusted parties
• Use latest browsers having capability to detect phishing/malicious sites
• Harden the Operating System
• Whitelist the Applications
• Deploy software for controlled use of USB Pen Drives

Page 21: Modern Cyber Threat Protection techniques for Enterprises


Thank You !


“Let us not look back in anger or look forward in fear, but look around in awareness.”

Page 22: Modern Cyber Threat Protection techniques for Enterprises


Any Questions?

Page 23: Modern Cyber Threat Protection techniques for Enterprises


Abhinav Biswas

Contact details :

http://abhinav-biswas.appspot.com

Alt. CISO, NKN Data Centre, ITSD, IT&TG, ECIL Hyderabad,

Electronics Corporation of India Limited, Dept. of Atomic Energy.