1 #SmarterBiz
What’s Behind a Cyber Attack?
Presented by:
Darren Fox
Regional Sales Manager, QRadar Central and Western Canada
2 #SmarterBiz
Agenda
• What are we trying to Accomplish?
• How are we doing?
• What are we up against?
• How easy is this?
• How can a Security Intelligence Solution help me?
14 #SmarterBiz
What do they want?
Knock, Knock: New Ransomware Breaks In for Bitcoins
Healthcare Fraud
15 #SmarterBiz
[Chart: Total Records Lost Per Year, 2005-2014 (Quickview by Industry)]
[Chart: Number of Breaches Per Year, 2005-2014]
Data: http://www.privacyrights.org/data-breach
19-23 #SmarterBiz
Step | Desk DEP/NX | VirusTotal | Desk AV | Proxy Out | IPS Out | IPS In
reverse_https: ✓ 36/47 ✘ ✘ ? ? ?
Encode it: ✓ 0/47 ✓ ✘ ? ? ?
Shell Code Injection: ✓ 1/47 ✓ ✓ ✓ ✓ ✘
Macro.doc: ✓ 11/47 ✘ ✘ ✓ ✓ ✘
Replace &H4D with #H4D: ✓ 1/47 ✓ ✓ ✓ ✓ ✓
26 #SmarterBiz
How it actually unfolded
• Initial malicious activity missed
27 #SmarterBiz
How it actually unfolded
• First test of malware on network missed
28 #SmarterBiz
How it actually unfolded
• Gateway malware event
• False-positive prone: users don't fully trust it
• No additional correlated activity information: what traffic preceded and followed, from and to where?
• Network and business context: are these, or can they reach, critical assets?
• No business process for triaging and analysing
• Ignored!
29 #SmarterBiz
How it actually unfolded
• More alerts
• Different areas of network
• Not correlated with other activity or vulnerabilities, or in the context of the business or network
• Not enough visibility or context
• Still ignored!
30 #SmarterBiz
How it actually unfolded
• Point of sale systems reached, data copied and exfiltrated
• Too late
• Nightmare business scenario unfolds
32 #SmarterBiz
• No visibility into network anomalies or unauthorized network scans. Enthusiastic filtering results in a lack of visibility for the analyst.
33 #SmarterBiz
• Test malware, used to scan and map the network, is not caught by the competition. Inability to collect and alert on flows limits competing SIEMs' ability to detect network scanning activity.
34 #SmarterBiz
• Sure, they see triggers on malware alerts, but this generates an inordinate number of alerts in the SIEM. Lack of alert chaining leaves analysts to trudge through a massive data flood with very little ability to surface insights.
35 #SmarterBiz
Detection of the Breach
1. Attacker phishes an employee (Apex stops the malware and notifies the Security Intelligence System)
2. Attacker uses stolen credentials to access contractor portals
3a. Attacker finds & infects POS systems with malware (Apex stops the malware and notifies the Security Intelligence System)
3b. Attacker finds & infects an internal Windows file server (flow data discovers unauthorized scan of the environment)
4. Malware scrapes RAM for clear-text CC stripe data
5. Malware sends CC data to an internal server; sends a custom ping to notify (Security Intelligence System detects Dark IP and alerts, detects anomalous traffic)
6. Stolen data is exfiltrated to FTP servers (Incident Forensics Tool detects credit card data)
Diagram nodes: contractor portals, retailer POS systems, retailer Windows file server, firewall, internal network, attacker FTP servers (external/Russia)
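The flow-based scan detection and the alert chaining that slides 28 to 35 present as the difference between an ignored gateway alert and a surfaced offense, as an added example (not IBM or QRadar code; the record layout, thresholds and every event below are constructed assumptions):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry): one gateway AV event for a desktop,
# then that same desktop touching 40 internal hosts on port 445 within 40 seconds.
MALWARE_EVENTS = [(datetime(2014, 11, 27, 9, 2), "10.0.5.23")]   # (timestamp, host)
FLOWS = [(datetime(2014, 11, 27, 9, 10, s), "10.0.5.23", f"10.0.7.{s}", 445, 60)
         for s in range(1, 41)]                                  # (ts, src, dst, port, bytes)
FLOWS += [(datetime(2014, 11, 27, 9, 30), "10.0.5.23", "10.0.5.1", 443, 5000),  # normal
          (datetime(2014, 11, 27, 9, 15), "10.0.5.40", "10.0.5.1", 443, 8000)]  # normal

def detect_scans(flows, window=timedelta(minutes=5), threshold=20):
    """Flag any source that reaches >= threshold distinct destinations inside one
    window: a scan fans out from one host, which a gateway AV signature never sees.
    Returns {src: (distinct_hosts, start_of_first_tripping_window)}."""
    by_src = defaultdict(list)
    for ts, src, dst, _port, _bytes in flows:
        by_src[src].append((ts, dst))
    hits = {}
    for src, recs in by_src.items():
        recs.sort()
        for i, (start, _) in enumerate(recs):
            hosts = {d for t, d in recs[i:] if t - start <= window}
            if len(hosts) >= threshold:
                hits[src] = (len(hosts), start)
                break                      # the earliest tripping window is enough
    return hits

def chain_offenses(malware_events, scan_hits, lookback=timedelta(hours=1)):
    """Alert chaining: a scan from a host that raised a malware event shortly before
    becomes one offense carrying both facts, instead of two separately ignorable alerts."""
    offenses = []
    for ev_ts, host in malware_events:
        if host in scan_hits:
            n_hosts, scan_ts = scan_hits[host]
            if timedelta(0) <= scan_ts - ev_ts <= lookback:
                offenses.append({"host": host, "malware_at": ev_ts,
                                 "scan_at": scan_ts, "hosts_touched": n_hosts})
    return offenses

if __name__ == "__main__":
    hits = detect_scans(FLOWS)
    for off in chain_offenses(MALWARE_EVENTS, hits):
        print(f"OFFENSE {off['host']}: malware at {off['malware_at']:%H:%M}, "
              f"scanned {off['hosts_touched']} hosts from {off['scan_at']:%H:%M:%S}")
```

The scan alone is one more alert in the flood the deck describes; it is the join on host and time with the earlier gateway event that turns it into something an analyst cannot reasonably ignore.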
37 #SmarterBiz
Learn more about IBM Security Intelligence and Analytics
Visit the
IBM Security Intelligence Website
Watch the videos on the
IBM Security Intelligence YouTube Channel
Read new blog posts
SecurityIntelligence.com
Follow us on Twitter
@ibmsecurity
38 #SmarterBiz
NEXT STEPS:
1. Visit me in the Social Hub9 Let’s Talk & Tweet #SmarterBiz
2. See our Security Representative in the Tech Showcase for detailed demonstrations
3. Please Sign up for MaaS360: http://www.maas360.com/
AppScan: http://www-03.ibm.com/software/products/en/appscan
4. For additional information, type this URL into your browser: ibm.biz/sbs2015
39 #SmarterBiz
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.