Modern Cyber Threat Protection techniques for Enterprises
Information Technology Services Division, ITSD
Modern Cyber Threat Protection Techniques for Enterprises
ECIL
- Abhinav Biswas, Alt. CISO, NKN Data Centre,
Electronics Corporation of India Limited, ECIL, Department of Atomic Energy.
Agenda
- Basic Terminologies
- Contemporary Threat Environment
  • Corporate Threat Landscape
- Advanced Persistent Threats (APT)
- Traditional Defense Mechanism
  • Signature Based
- Next-Gen Advanced Threat Protection
  • Analytics based (Sandboxing & GTI)
- Security Incident & Event Management (SIEM) Systems
  • Log Correlation & Big Data Analysis
- Virtualization & Cloud Security
- Vulnerability Assessment & Penetration Testing (VA/PT)
  • Nessus, Acunetix
- Other Security Goals & Technologies
- Security Guidelines for End Users
Terminologies
Spyware - Gathers information secretly and sends to another entity without the user's consent.
Ransomware - Stops you from using your PC until you pay a certain amount of money (the ransom). e.g. Encryption Ransomware, CryptoLocker
Social Engineering - Psychological manipulation of people into performing actions or divulging confidential information.
Phishing / Spear-Phishing - Act of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.
Vishing - Voice-over Phishing
Terminologies
Vulnerability - A weakness which allows an attacker to reduce a system's information assurance.
Threat - A possible danger that might exploit a vulnerability to breach security and thus cause possible harm.
Exploit - A piece of software or a sequence of commands that takes advantage of a bug or vulnerability.
Attack - An attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.
(A realized Threat using an Exploit on Vulnerability is an Attack.)
Event - An observable change to the normal behavior of a system, environment, process, workflow or person.
Incident - An event attributable to a root cause. All incidents are events but many events are not incidents.
(An Attack is a series of security incidents.)
Contemporary Threat Environment
Rise in Coordinated Advanced Cyber Attacks like:
- Advanced Persistent Threats (APT)
- Zero-day Attacks (ZDA)
- Smart Mobile Malware (SMM)
- Web-based Plug-in Exploits (WPE)
New avenues for Cyber-fraud:
- Free availability of Root-kits, SpamBots, Phishing Tools etc.
- Digital Currencies (BitCoin) & Anonymous Payment Services.
State-Sponsored Data Exfiltration Attacks:
- Strategic Government institutions.
Challenges due to new technologies/needs:
- Polymorphism, Dynamic URLs, Virtualization, Cloud, Smart Phones/Mobiles, Social Sites, BYOD, Internet of Things (IoT/IPv6)
Advanced Persistent Threats (APT)
7 Stage Process (diagram): Recon → Lure → Redirect → Exploit Kit → Dropper File → Call Home → Data Theft
Victims funneled to the Web
Attack vectors shown in the diagram: Social Media, Mobile, Web Redirects, Malware, Recon, XSS, Dropper Files, CnC, Exploit Kits, Phishing
Watering Hole Attacks
• 1a) Identify target
• 1b) Determine browsing habits
• 2) Select favorite website
• 3) Compromise and host exploits
• 3) Drop malware
• 4) Determine target profile
• 4) Wait for opportunity to further compromise
Attack on ADSL Routers
Diagram: Internet, Customer, Attacker, Vulnerable ADSL Router, Rogue DNS Server.
- Attacker scans for the DSL router and logs onto the Admin console via the WAN interface by exploiting vulnerabilities in the router firmware or configuration flaws, or by infecting a connected computer.
- Changes the DNS server entries in the modem to rogue DNS servers and changes the password of the DSL router.
Traditional Defense Mechanism
1. PRIMARILY BASED ON SIGNATURE & REPUTATION - Signature history cannot keep up with the dynamic future of threats.
2. LACK OF REAL-TIME INLINE CONTENT ANALYSIS - No byte-range data packet analysis for data loss/theft detection.
3. FORWARD FACING ONLY, LACK OUTBOUND PROTECTION - No contextual analysis of internal threats.
4. LACK OF ADVANCED ANALYTICS & ANOMALY DETECTION - No sandboxing in existing UTMs, NGFWs. No SSL packet inspection.
Basic Defense in Depth
Advanced Solution Map
- WEB: Content Analysis, Malware Sandbox, Forensic Reports, SSL Inspection, Video Controls
- EMAIL: Spear-Phishing URL Sandboxing, Anti-Spam, TLS Encryption, Image Analysis
- DATA: Content Aware DLP, Drip Data Theft Detection, OCR of Image Text, Geo-Location
- MOBILE: Cloud Service, Malicious Apps, BYOD Policy, Reporting/Inventory
Essential Information Protection (diagram): Discover, Monitor, Classify, Protect - Where, What, Who, How - External Risks / Internal Risks (example data classes: Customer List, New Design, Confidential)
Security Landscape
New Threat Protection Techniques – Two key elements
1. Sandboxing Systems (similar to a bomb detonation sandbox)
- Tightly controlled access to resources
- URL sandbox / File sandbox
- Isolated environment/network
- Multiple Detection Environments (Virtual Machines)
- Customizable & Realistic Virtual environment
- Behavior based classification & Risk scoring
- Instrumented Forensic Data Collection
2. Big-Data Analytics - SIEM Systems
- Big log data interpretation
- Post-incident data (SIEM - Security Incident Event Management)
- Real-time Threat Intelligence (GTI)
- Integration with other sources (local/national/international)
- PCAP (Packet Capture) & Replay
SIEM Components
- Log Data Collection - Content & Context Aware logs: Device & Application logs, Authentication & IAM logs, Endpoint security devices, user identity, location, VA scan data, Network flows, OS events, DB transaction logs
- Aggregation & Normalization - Remove redundancy.
- Correlation Engine - Threat Intelligence & Risk Analysis - Behavior Profiling
- Retention & Forensic Analysis
- Alert Reporting & Workflow Manager
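As an added illustration of the pipeline above (collection from several sources, normalization and redundancy removal, then a correlation engine checking events against threat intelligence), a small Python SIEM-style correlator; this is example code written for this page, not from the presentation or any SIEM product, and its log formats, IP addresses and threat-intel list are constructed placeholders.

```python
import re
from collections import defaultdict
# Constructed sample logs in two vendor formats (not real data); the third auth line is the same event forwarded twice.
RAW_LOGS = [
    "auth: 2024-01-01T10:00:01 FAIL user=alice src=10.1.1.7",
    "auth: 2024-01-01T10:00:02 FAIL user=alice src=10.1.1.7",
    "auth: 2024-01-01T10:00:02 FAIL user=alice src=10.1.1.7",
    "auth: 2024-01-01T10:00:04 FAIL user=alice src=10.1.1.7",
    "auth: 2024-01-01T10:00:09 OK user=alice src=10.1.1.7",
    "fw|2024-01-01T10:05:00|10.1.1.7|203.0.113.9|443|allow",
    "fw|2024-01-01T10:06:00|10.1.1.8|198.51.100.4|80|allow",
]
BAD_IPS = {"203.0.113.9"}  # constructed stand-in for a threat-intelligence (GTI) feed
AUTH_RE = re.compile(r"auth: (\S+) (FAIL|OK) user=(\S+) src=(\S+)")

def normalize(line):
    """Map each vendor format onto one common event schema (None if unknown)."""
    m = AUTH_RE.match(line)
    if m:
        ts, result, user, src = m.groups()
        return {"ts": ts, "type": "auth", "result": result, "user": user, "src": src}
    if line.startswith("fw|"):
        _, ts, src, dst, port, _ = line.split("|")
        return {"ts": ts, "type": "flow", "src": src, "dst": dst, "port": int(port)}
    return None

def aggregate(lines):
    """Normalize and remove redundancy: an identical forwarded line counts once."""
    seen, events = set(), []
    for line in lines:
        if line not in seen:
            seen.add(line)
            ev = normalize(line)
            if ev:
                events.append(ev)
    return events

def correlate(events, fail_threshold=3):
    """Rule 1: success after N failures for one user/source. Rule 2: flow to a threat-intel IP."""
    alerts, fails = [], defaultdict(int)
    for ev in events:
        if ev["type"] == "auth":
            key = (ev["user"], ev["src"])
            if ev["result"] == "FAIL":
                fails[key] += 1
            elif fails[key] >= fail_threshold:
                alerts.append(("brute_force_success", ev["user"], ev["src"]))
        elif ev["type"] == "flow" and ev["dst"] in BAD_IPS:
            alerts.append(("call_home", ev["src"], ev["dst"]))
    return alerts
```

Running `correlate(aggregate(RAW_LOGS))` raises one alert for the password-guessing success and one for the outbound "call home" flow, while the duplicate and benign lines produce nothing.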
SIEM Correlation Intelligence
Virtualization & Cloud Security
New Challenges:
- Concept of the network perimeter evaporates
- No physical segregation across VMs
- Web access to all resources
- VM to VM vulnerability exploitation (colocation of VMs)
- Easy reconfiguration (lack of persistence)
Solutions (still a hot research topic):
- Instance isolation in a Software Defined Data Centre (SDDC)
- Homomorphic encryption based virtual disks
- Randomized memory mapping & distributed scheduling
Vulnerability Assessment & Penetration Testing
Summary of Security Goals & Technologies
Security Guidelines for End Users
Security is Everybody's Responsibility. It's a moving target. It's a race between the Good & the Bad.
• Use legal software only
• Keep up-to-date patches and fixes of the Operating System and Application Software
• Exercise caution while opening unsolicited emails and do not click on a link embedded within
• Open only email attachments from trusted parties
• Use the latest browsers having the capability to detect phishing/malicious sites
• Harden the Operating System
• Whitelist the Applications
• Deploy software for controlled use of USB Pen Drives.
Thank You !
"Let us not look back in anger or look forward in fear, but look around in awareness."
Any Questions?
Abhinav Biswas
Contact details: http://abhinav-biswas.appspot.com
Alt. CISO, NKN Data Centre, ITSD, IT&TG, ECIL Hyderabad,
Electronics Corporation of India Limited, Dept. of Atomic Energy.