Webcast
Transcript of Webcast
APT: It is Time to Act
Dr. Eric Cole
© 2012 Secure Anchor Consulting. All rights reserved.
APT Defined
- The APT is a cyber-adversary displaying advanced logistical and operational capability for long-term intrusion campaigns, with the goal of exploiting information in a covert manner.
- Its primary goal is long-term occupation: for data mining, for malicious activities and to ensure future use.
- Based on current shared industry knowledge and experience, a large number of global organizations that deal with sensitive information are currently compromised.
- Most commercial organizations have little experience dealing with these advanced threats.
- Sophisticated and well-funded APT adversaries do not necessarily need to breach perimeter security controls to access networks.
- APT is a sophisticated global threat posing serious information security challenges and implications.
- APT adversaries are changing the game: identification, detection, analysis and remediation must evolve to keep pace with new challenges.

Just a small sample of breaches:
- Aurora
- Night Dragon
- RSA Breach
- Shady RAT
The Future is Ours to Decide
"Two roads diverged in a wood, and I - I took the one less traveled by, and that has made all of the difference."
Robert Frost
Why is this Happening?
PrivacyRights.org (updated weekly). Here are some that are reported (most are not). Just a small sample (financial records breached):
- Heartland Payment Systems (130+ million)
- Oklahoma Dept of Human Services (1 million)
- International Finance Agency (22 million)
- University of California (160,000)
- Network Solutions (5 million)
- European Military Veterans Administration (76 million)
- Australian BlueCross BlueShield Assn. (987,000)
Data Driven Threats

                                     2001          End of 2010    Mid 2012
Vulnerabilities                      440           28,500         34,100
Password Stealers (main variants)    400           80,000         380,000
Potentially Unwanted Programs        1             24,000         26,000
Malware (families) (DAT related)     17,000        358,000        484,000
Malware (main variants)              18,000 (?)    586,000        2,700,000
Malware Zoo (Collection)             30,000 (?)    5,800,000      16,300,000
Were Security Measures in Place?
[Table from the slide: which security measures (columns) were in place at breached organizations (rows). Columns: Oversight; Compliance; Firewalls / Proxy Servers; Host Auditing Enabled; Anti-virus; IDS; Endpoint Software Management. Rows: Government; CDC 1; CDC 2; Manufacture; Law Firm.]
Traditional and common information security defenses are not effective in detection and prevention.
While traditional countermeasures can be implemented, they often prove ineffective, requiring more advanced approaches.
5 Steps to a Secure Future
Step 1: Identify Critical Data
Align critical assets with threats and vulnerabilities to focus on risk.
Risk Based Thinking:
1) What is the risk?
2) Is it the highest priority risk?
3) Is it the most cost effective way of reducing the risk?
Step 2: Align the Defense with the Offense
1) Reconnaissance
2) Scanning
3) Exploitation
4) Creating backdoors
5) Covering tracks
Step 3: Know thy Organization
If the offense knows more than the defense, you will lose.
Requirements:
a) Accurate, up-to-date network diagram
b) Network visibility map
c) Configuration management and change control
You Cannot Protect What You Do Not Know About
[Diagram from the slide: network 10.10.5.x with hosts 10.10.5.3, 10.10.5.9 and 10.10.5.10; ports 80, 443, 53, 80, 25 and 21; services Sendmail 8.12.10 and Apache 1.3.26.]
Step 4: Defense in Depth
There is no such thing as an unstoppable adversary.
Requirements:
a) Inbound prevention
b) Outbound detection
c) Log correlation
d) Anomaly detection
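An added example, not from the webcast, of how outbound detection, log correlation and anomaly detection in Step 4 fit together: it correlates a constructed outbound firewall log against a constructed asset inventory (the Step 3 network map), flags sources that are not in the inventory, and flags host-to-destination pairs that connect at a near-constant interval, the check-in pattern of a backdoor. The log format, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed asset inventory (Step 3): the hosts the defense knows about.
KNOWN_HOSTS = {"10.10.5.3", "10.10.5.9", "10.10.5.10"}

# Constructed outbound firewall log, assumed format: "<epoch> <src_ip> <dst_ip> <dst_port> <bytes_out>"
SAMPLE_LOG = """\
1000 10.10.5.3 203.0.113.50 443 1200
1600 10.10.5.3 203.0.113.50 443 1180
2200 10.10.5.3 203.0.113.50 443 1210
2800 10.10.5.3 203.0.113.50 443 1190
3400 10.10.5.3 203.0.113.50 443 1205
1100 10.10.5.9 198.51.100.7 80 5400
1900 10.10.5.9 198.51.100.7 80 300
4200 10.10.5.9 198.51.100.7 80 9800
1300 10.10.5.20 192.0.2.9 443 800
"""

def parse_log(text):
    """Parse log lines into (time, src, dst, port, bytes) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        t, src, dst, port, nbytes = parts
        events.append((int(t), src, dst, int(port), int(nbytes)))
    return events

def find_beacons(events, min_conns=4, max_cv=0.2):
    """Anomaly detection: (src, dst) pairs that connect at a near-constant interval.
    Returns (src, dst, period_seconds) for each pair whose gap spread is small."""
    times = defaultdict(list)
    for t, src, dst, _port, _nbytes in events:
        times[(src, dst)].append(t)
    beacons = []
    for (src, dst), ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period > 0 else float("inf")  # coefficient of variation
        if cv <= max_cv:
            beacons.append((src, dst, round(period)))
    return beacons

def find_unknown_sources(events, known_hosts=KNOWN_HOSTS):
    """Log correlation: sources talking outbound that are missing from the inventory."""
    return sorted({src for _t, src, *_rest in events} - known_hosts)
```

On the sample log, find_beacons reports 10.10.5.3 checking in with 203.0.113.50 every 600 seconds, and find_unknown_sources reports 10.10.5.20, a host the inventory never recorded.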
Step 5: Common Metrics
Everyone must be using the same playbook in order to win.
Requirements:
a) Utilize the critical controls
   i. Offense informing the defense
   ii. Automation and continuous monitoring of security
   iii. Metrics to drive measurement and compliance
Dr. Eric Cole
Thank you for your time.
Twitter: drericcole
[email protected]
[email protected]
www.securityhaven.com