Transcript of Webcast

APT: It is Time to Act

Dr. Eric Cole

© 2012 Secure Anchor Consulting. All rights reserved.

APT Defined

The APT is a cyber-adversary displaying advanced logistical and operational capability for long-term intrusion campaigns with the goal of exploiting information in a covert manner.

Primary goal is long-term occupation for data mining, malicious activities and to ensure future use.

Based on current shared industry knowledge and experience, a large number of global organizations that deal with sensitive information are currently compromised.

Most commercial organizations have little experience dealing with these advanced threats.

Sophisticated and well-funded APT adversaries do not necessarily need to breach perimeter security controls to access networks.

 

APT is a sophisticated global threat posing serious information security challenges and implications.

APT adversaries are changing the game: identification, detection, analysis and remediation must evolve to keep pace with new challenges.

Just a small sample of breaches: Aurora, Night Dragon, RSA Breach, Shady RAT

The Future is Ours to Decide

"Two roads diverged in a wood, and I - I took the one less traveled by, and that has made all of the difference." Robert Frost

Why is this Happening?

PrivacyRights.org (updated weekly). Here are some that are reported (most are not). Just a small sample (financial records breached):

Heartland Payment Systems (130+ million)
Oklahoma Dept of Human Services (1 million)
International Finance Agency (22 million)
University of California (160,000)
Network Solutions (5 million)
European Military Veterans Administration (76 million)
Australian BlueCross BlueShield Assn. (987,000)

Data Driven Threats

                                        2001          End of 2010     Mid 2012
Vulnerabilities                         440           28,500          34,100
Password Stealers (main variants)       400           80,000          380,000
Potentially Unwanted Programs           1             24,000          26,000
Malware (families) (DAT related)        17,000        358,000         484,000
Malware (main variants)                 18,000 (?)    586,000         2,700,000
Malware Zoo (collection)                30,000 (?)    5,800,000       16,300,000

"We cannot solve our problems with the same thinking we used when we created them." Albert Einstein

 

Were Security Measures in Place?

[Table: security measures in place at breached organizations. Columns: Oversight, Compliance, Firewalls / Proxy Servers, Host Auditing Enabled, Anti-virus, IDS, Endpoint Software Management. Rows: Government, CDC 1, CDC 2, Manufacture, Law Firm. The per-cell marks did not survive extraction.]

Traditional and common information security defenses are not effective in detection and prevention.

While traditional countermeasures can be implemented, they often prove ineffective, requiring more advanced approaches.

Step 1: Identify Critical Data

Align critical assets with threats and vulnerabilities to focus on risk.

Risk Based Thinking

1) What is the risk?
2) Is it the highest priority risk?
3) Is it the most cost effective way of reducing the risk?

Step 2: Align the Defense with the Offense

1) Reconnaissance
2) Scanning
3) Exploitation
4) Creating backdoors
5) Covering tracks

Step 3: Know thy Organization

If the offense knows more than the defense, you will lose.

Requirements:
a) Accurate, up to date network diagram
b) Network visibility map
c) Configuration management and change control

 

You Cannot Protect What You Do Not Know About

[Diagram: network visibility map for the 10.10.5.x segment, showing hosts 10.10.5.3, 10.10.5.9 and 10.10.5.10, open ports 80, 443, 53, 80, 25 and 21, and the services Sendmail 8.12.10 and Apache 1.3.26.]
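The visibility map above is only useful if it is compared against what the organization believes is running, which is where the configuration management and change control requirement from Step 3 comes in. The following is an added example, not code from the webcast: it builds a host/port/service map from constructed scan records on the 10.10.5.x segment and diffs it against a constructed baseline. The assignment of ports and services to hosts, the BIND and vsftpd banners, and the extra host 10.10.5.44 are assumptions made for the example.

```python
"""Build a network visibility map from scan output and diff it against the
documented baseline. Added example; the scan records, the baseline and the
host/port/service assignment are constructed, not taken from the webcast."""
from collections import defaultdict

# Constructed scan records for the 10.10.5.x segment: (host, port, banner).
# The BIND/vsftpd banners and host 10.10.5.44 are assumptions for the example.
SCAN_RECORDS = [
    ("10.10.5.3", 80, "Apache 1.3.26"),
    ("10.10.5.3", 443, "Apache 1.3.26"),
    ("10.10.5.9", 53, "BIND"),
    ("10.10.5.9", 80, "Apache 1.3.26"),      # assumed: undocumented web server
    ("10.10.5.10", 25, "Sendmail 8.12.10"),
    ("10.10.5.10", 21, "vsftpd"),
    ("10.10.5.44", 4444, "unknown"),          # assumed: host nobody documented
]

# Constructed baseline from a hypothetical configuration-management database:
# what the organization believes is running on the segment.
BASELINE = {
    "10.10.5.3": {80: "Apache 1.3.26", 443: "Apache 1.3.26"},
    "10.10.5.9": {53: "BIND"},
    "10.10.5.10": {25: "Sendmail 8.12.10", 21: "vsftpd"},
}


def build_visibility_map(records):
    """Group scan records into {host: {port: service}}."""
    vmap = defaultdict(dict)
    for host, port, service in records:
        vmap[host][port] = service
    return dict(vmap)


def diff_against_baseline(observed, baseline):
    """Return findings as (kind, host, port) tuples: hosts or ports that are
    live but undocumented, documented but no longer live, or whose service
    banner changed. Each finding is a change-control question to answer."""
    findings = []
    for host, ports in observed.items():
        if host not in baseline:
            findings.append(("unknown_host", host, None))
            continue
        for port, svc in ports.items():
            if port not in baseline[host]:
                findings.append(("undocumented_port", host, port))
            elif baseline[host][port] != svc:
                findings.append(("service_changed", host, port))
    for host, ports in baseline.items():
        if host not in observed:
            findings.append(("missing_host", host, None))
            continue
        for port in ports:
            if port not in observed[host]:
                findings.append(("missing_port", host, port))
    return findings


if __name__ == "__main__":
    vmap = build_visibility_map(SCAN_RECORDS)
    for kind, host, port in diff_against_baseline(vmap, BASELINE):
        print(f"{kind:18} {host:12} {port if port is not None else ''}")
```

Run on the constructed data, the diff reports the undocumented port 80 on 10.10.5.9 and the unknown host 10.10.5.44; in practice the records would come from the organization's own scanner output and CMDB export, and the diff would run on every scan cycle so that drift is noticed before the adversary uses it.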

Step 4: Defense in Depth

There is no such thing as an unstoppable adversary.

Requirements:
a) Inbound prevention
b) Outbound detection
c) Log correlation
d) Anomaly detection
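Outbound detection, log correlation and anomaly detection are listed as requirements without saying what they look like in practice. The following added example (not code from the webcast) shows one concrete form of all three: it parses constructed proxy log lines, flags an internal host that contacts the same external host at regular intervals (an anomaly in outbound traffic), and correlates that with a constructed inbound-side alert on the same host. The log format, the hostnames and the alert are assumptions made for the example.

```python
"""Outbound anomaly detection and log correlation over constructed proxy
logs. Added example; the log lines, hostnames and alert are constructed."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines in an assumed format:
#   "<epoch> <src_ip> <dst_host> <bytes_out>"
# 10.10.5.20 contacts one external host every 600 s with near-identical
# request sizes; 10.10.5.21 is ordinary, irregular browsing.
PROXY_LOG = """\
1340000000 10.10.5.20 update.example-cdn.test 512
1340000600 10.10.5.20 update.example-cdn.test 514
1340001200 10.10.5.20 update.example-cdn.test 511
1340001800 10.10.5.20 update.example-cdn.test 513
1340002400 10.10.5.20 update.example-cdn.test 512
1340000100 10.10.5.21 www.example.test 2048
1340000133 10.10.5.21 img.example.test 91200
1340004000 10.10.5.21 www.example.test 3100
"""

# Constructed inbound-side alerts (e.g. mail gateway or IDS): (epoch, host, text).
INBOUND_ALERTS = [
    (1339999500, "10.10.5.20", "malicious attachment opened"),
]

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse log lines into (epoch, src, dst, bytes) tuples, skipping junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, nbytes = m.groups()
            events.append((int(ts), src, dst, int(nbytes)))
    return events


def find_beacons(events, min_hits=4, max_jitter=0.1):
    """Flag (src, dst) pairs whose connection gaps are suspiciously regular:
    coefficient of variation of the gaps below max_jitter. Returns
    (src, dst, mean_gap_seconds, first_seen) tuples."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons.append((src, dst, round(avg), times[0]))
    return beacons


def correlate(beacons, alerts, window=3600):
    """Pair each beaconing host with inbound alerts on the same host raised
    within `window` seconds before the beaconing started."""
    hits = []
    for src, dst, _, first_seen in beacons:
        for alert_ts, host, text in alerts:
            if host == src and 0 <= first_seen - alert_ts <= window:
                hits.append((src, dst, text))
    return hits


if __name__ == "__main__":
    events = parse_log(PROXY_LOG)
    beacons = find_beacons(events)
    for src, dst, gap, first in beacons:
        print(f"beacon: {src} -> {dst} every ~{gap}s from {first}")
    for src, dst, text in correlate(beacons, INBOUND_ALERTS):
        print(f"correlated: {src} ({text}) now beaconing to {dst}")
```

The regularity test is deliberately simple; real beacons add jitter, so the threshold, the minimum hit count and the correlation window are tuning knobs to set from the organization's own traffic, which is exactly why Step 3's knowledge of the environment has to come first.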

Step 5: Common Metrics

Everyone must be using the same playbook in order to win.

Requirements:
a) Utilize the critical controls
   i. Offense informing the defense
   ii. Automation and continuous monitoring of security
   iii. Metrics to drive measurement and compliance

www.sans.org/critical-security-controls/

It is time to take control of your data

adversary  

Final Thought

Dr. Eric Cole

THANK YOU for your time

Twitter: drericcole
[email protected]
[email protected]
www.securityhaven.com