DELL EMC TECHNOLOGY FORUM

RSA@NYTHUN 2017
Author: Kenneth Rose

Top Enterprise Risks


Cyber attacks are real and growing
Cybercrime & Espionage*: High anonymity; Low attribution

[Timeline chart, 2004–2015, in two tracks: Attacks on Government and Attacks on Industry. The year each item sits on is not recoverable from this extraction; the items appear in the order they were extracted.]

Olympic Games, Solar Sunrise, US Naval War College, Moonlight Maze, Commerce Secretary, State Dept., Titan Rain, Buckshot Yankee, Flame, Op. Pawn Storm, Duqu, Red October, US Investigations Services, Equation Group, Arachnophobia, Black Tulip, Gauss, Grey Goose, Estonia, Taidoor, Stuxnet, Comodo, Shamoon, US Transport Command, Desert Falcons, Dark Seoul, PLA Unit 61398, Nortel, APT1, Shady RAT, Oak Ridge, Los Alamos, Ghost Net, Aurora, Night Dragon, Nitro, Australian Mining, Dragonfly, IMF, Safe, RSA, VOHO, Lockheed Martin, Ababil, Comment Panda, Vixen Panda, Shell Crew, GOZ, Carbanak, Anunak, Regin, Boleto, Backoff, Putter Panda, Shylock, Pitty Tiger

*Many of these threat actor activities and campaigns are ongoing, often collaborating and working with each other, sharing registrant information, malware, C2 domains, servers and general attack infrastructure. Dates represent threat groups and malware variants based on the dates of information published by the security industry, with thousands of organizations impacted.

Threat Landscape


Attackers are Outpacing Defenders

[Chart: percent of breaches where time to compromise (red, "attacker capabilities") / time to discovery (blue) was days or less, by year 2006–2015; y-axis 25% to 100%. The time-to-compromise series sits above the time-to-discovery series throughout, which is the gap the slide title refers to. Source: Verizon 2016 Data Breach Investigations Report.]

© Copyright 2015 EMC Corporation. Confidential and Proprietary. NDA Required

Defender’s Challenges
• The attack surface is expanding
• Attackers are becoming more sophisticated
• Security teams need comprehensive visibility from endpoint to cloud
• Teams need to increase experience & efficiency
• Existing strategies & controls are failing
• Tools & processes must adapt to today’s threats

Blind Spots in Threat Detection & Response
• ONLY 8% have visibility into attacks
• ONLY 11% can quickly detect attacks
• ONLY 24% can quickly investigate attacks

*Attacks = multiple incidents, campaigns.
Source: RSA Threat Detection Effectiveness Survey, February 2016

Evolution of Threat Actors & Detection Implications

[Three diagrams, each showing threat actors on the left, a chain of controls, and corporate assets on the right. "Whitespace" is the slide's term for the gaps the controls do not cover.]

At first, there were HACKS. Preventative controls (Firewall, IDS/IPS, AntiVirus) filter known attack paths; malicious traffic that matches none of them passes through the whitespace and becomes a successful hack against corporate assets.

Then, ATTACKS. Despite increased investment in controls, including SIEM: each control blocks its known-bad sessions and emits more logs, the SIEM raises alerts, and successful attacks still reach corporate assets through the whitespace.

Now, successful ATTACK CAMPAIGNS target any and all whitespace. Full visibility: the blocked sessions and logs from Firewall, IDS/IPS and AntiVirus are joined with endpoint visibility (every process) and network visibility (every network session). Complete visibility into every process and every network session is required to eradicate the attacker’s opportunity.

Unified platform for advanced threat detection & investigations

Evolving Fraud Threat Landscape
Fraud: Attacks Designed to Defeat Traditional Defenses In the Wild

Session flow: Begin Session → Login → Transaction → Logout

Web Threat Landscape (three groups, laid out along the session flow on the slide)
• Phishing
• Rogue Mobile App
• Site Scraping
• Vulnerability Probing

• Layer 7 DDoS Attacks
• Man in the Middle/Browser
• Password Cracking/Guessing
• Parameter Injection
• New Account Registration Fraud
• Advanced Malware (e.g. Trojans)

• Account Takeover
• New Account Registration Fraud
• Promotion Abuse
• Unauthorized Account Activity
• Fraudulent Money Movement

Tactics, Techniques, Procedures

How attackers work to target, compromise, and exploit your organization

THREAT ACTORS AND OBJECTIVES
• Criminals: $
• Nation States: IP
• Hacktivists: PII

STAGE 1: ESTABLISH FOOTHOLD
• Probe external servers and apps for vulnerabilities
  – Develop exploit
  – Install webshell or other remote access mechanism
• (Spear-)Phish users
  – Obtain credentials
  – Deliver malware to obtain remote access (RATs, etc.)

KEY POINTS: STAGE 1
• Relying on prevention is futile
  – Multiple methods for attackers to find an initial foothold
• Not all attacks start with malware; identity is an attack vector
• Opportunities for early detection are limited
  – Lots of noise in data on external systems
  – Up-to-date threat intel can help
• Opportunities exist to make attackers’ jobs harder
  – Patch vulnerabilities, especially those with known exploits
  – User education
  – Make their intelligence gathering more difficult
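The stage-1 key points say early detection on external systems is possible but buried in noise. The following is an added example, not code from the deck or from RSA, of pulling vulnerability probing out of web-server access logs: it parses Apache/nginx combined-format lines, then flags a source only when several signals line up (a burst of 404s from path enumeration, a known scanner user-agent, requests for well-known admin/debug paths, or an injection pattern in the request), so a browser that 404s once on a favicon is left alone. The log lines, IP addresses, path list, scanner strings and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache/nginx combined-format log lines (not from the slides). 198.51.100.23 is
# enumerating well-known paths with a scanner user-agent; 203.0.113.7 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2017:08:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2017:08:01:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "sqlmap/1.0"
198.51.100.23 - - [10/Mar/2017:08:01:06 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "sqlmap/1.0"
198.51.100.23 - - [10/Mar/2017:08:01:07 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "sqlmap/1.0"
198.51.100.23 - - [10/Mar/2017:08:01:08 +0000] "GET /.git/config HTTP/1.1" 404 210 "-" "sqlmap/1.0"
198.51.100.23 - - [10/Mar/2017:08:01:09 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "sqlmap/1.0"
198.51.100.23 - - [10/Mar/2017:08:01:10 +0000] "GET /login?id=1'%20OR%201=1-- HTTP/1.1" 200 880 "-" "sqlmap/1.0"
203.0.113.7 - - [10/Mar/2017:08:02:30 +0000] "GET /about.html HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2017:08:02:31 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)
# Illustrative, deliberately short lists; a real deployment would carry many more entries.
PROBE_PATHS = ("/phpmyadmin", "/wp-login.php", "/cgi-bin/", "/.git/", "/admin")
SCANNER_UA = ("sqlmap", "nikto", "nmap", "masscan")
INJECTION_RE = re.compile(r"(%27|')(%20|\s)*(or|and)\b|union(%20|\s)+select|\.\./", re.I)


def parse_log(text):
    """Turn combined-format lines into dicts; lines that do not parse are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                       "path": m["path"], "status": int(m["status"]), "ua": m["ua"]})
    return events


def find_probing(text, window_s=60, min_404=4):
    """Return {ip: {...}} for sources whose requests look like vulnerability probing."""
    by_ip = defaultdict(list)
    for ev in parse_log(text):
        by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = set()
        # Largest number of 404s inside any window_s-second span: the signature of path enumeration.
        nf_times = [e["ts"] for e in evs if e["status"] == 404]
        max_burst, j = 0, 0
        for i, t in enumerate(nf_times):
            while (t - nf_times[j]).total_seconds() > window_s:
                j += 1
            max_burst = max(max_burst, i - j + 1)
        if max_burst >= min_404:
            reasons.add("404 burst (path enumeration)")
        for e in evs:
            if any(s in e["ua"].lower() for s in SCANNER_UA):
                reasons.add("known scanner user-agent")
            if e["path"].startswith(PROBE_PATHS):
                reasons.add("request for well-known admin/debug path")
            if INJECTION_RE.search(e["path"]):
                reasons.add("injection pattern in request")
        if reasons:
            flagged[ip] = {"requests": len(evs), "max_404_burst": max_burst, "reasons": sorted(reasons)}
    return flagged


if __name__ == "__main__":
    for ip, info in find_probing(SAMPLE_LOG).items():
        print(ip, info)
```

The point of requiring a reason set rather than a single signal is the "lots of noise" caveat: a 404 burst alone also describes a broken link crawler, and a single injection-looking string can be a legitimate query, so the thresholds are tuned per site rather than fixed.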

STAGE 2: ENTRENCH, EXPAND, EXPLORE
• Dump local credentials
• Install malware
  – Keyloggers, RATs
• Download cracking tools
• Control more machines, accounts
  – Privileged accounts: esp. IT, Admin
  – Domain Controllers, E-mail servers
• Expand access methods
  – VPN, RDP, Proxy
• Map network
• Copy directory listings
• Dump databases
• Dump emails

KEY POINTS: STAGE 2
• Attackers move very quickly once they gain access
  – Speed of detection and remediation are key
• Many more opportunities for detection
  – Visibility to spot attacker activity is essential: network traffic, endpoint compromise, elevation of privilege, anomalous Admin activity
• Need to be able to connect attacker activity
  – Addressing disconnected alerts will not disrupt attacks
• Opportunities exist to make attackers’ jobs harder
  – Strong authentication
  – Network segmentation
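The stage-2 key points call for connecting attacker activity rather than handling alerts one at a time. As an added example (not code from the deck or from RSA), the block below correlates two things that are individually weak: an endpoint alert that looks like credential dumping, and a subsequent fan-out of network/RDP logons where one account from that same host reaches many machines in a short window, including domain controllers and mail servers. Neither alone would be acted on; together they are a chained finding. The event stream, host names, account names, logon-type codes as used here and the thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event stream (endpoint alerts plus Windows network/remote-interactive logons).
# Host names, accounts and timestamps are invented for this example.
EVENTS = [
    {"ts": "2017-03-10T09:00:00", "type": "endpoint_alert", "host": "WS-0142",
     "detail": "lsass.exe memory read by unsigned process"},
    {"ts": "2017-03-10T09:04:10", "type": "logon", "src_host": "WS-0142",
     "account": "CORP\\svc_backup", "dst_host": "FS-01", "logon_type": 3},
    {"ts": "2017-03-10T09:04:40", "type": "logon", "src_host": "WS-0142",
     "account": "CORP\\svc_backup", "dst_host": "FS-02", "logon_type": 3},
    {"ts": "2017-03-10T09:05:15", "type": "logon", "src_host": "WS-0142",
     "account": "CORP\\svc_backup", "dst_host": "MAIL-01", "logon_type": 3},
    {"ts": "2017-03-10T09:06:02", "type": "logon", "src_host": "WS-0142",
     "account": "CORP\\svc_backup", "dst_host": "DC-01", "logon_type": 3},
    {"ts": "2017-03-10T09:07:30", "type": "logon", "src_host": "WS-0142",
     "account": "CORP\\svc_backup", "dst_host": "WS-0201", "logon_type": 10},
    # An ordinary user reaching one file server twice: no fan-out, no preceding alert.
    {"ts": "2017-03-10T09:30:00", "type": "logon", "src_host": "WS-0300",
     "account": "CORP\\jdoe", "dst_host": "FS-01", "logon_type": 3},
    {"ts": "2017-03-10T09:31:00", "type": "logon", "src_host": "WS-0300",
     "account": "CORP\\jdoe", "dst_host": "FS-01", "logon_type": 3},
]

HIGH_VALUE = {"DC-01", "MAIL-01"}  # domain controllers and mail servers, per the slide


def _load(events):
    out = []
    for e in events:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"])
        out.append(e)
    return sorted(out, key=lambda e: e["ts"])


def correlate(events, min_fanout=4, window=timedelta(minutes=15), lookback=timedelta(hours=1)):
    """Chain a credential-dump alert on a host to that host's later logon fan-out
    (one account reaching many distinct machines within `window`)."""
    evs = _load(events)
    alerts = [e for e in evs if e["type"] == "endpoint_alert"]
    by_key = defaultdict(list)
    for e in evs:
        if e["type"] == "logon" and e["logon_type"] in (3, 10):  # network and RDP logons only
            by_key[(e["account"], e["src_host"])].append(e)
    findings = []
    for (account, src), seq in by_key.items():
        # Widest set of distinct destinations reached inside any window-long span.
        best, best_start, j = set(), None, 0
        for i in range(len(seq)):
            while seq[i]["ts"] - seq[j]["ts"] > window:
                j += 1
            targets = {x["dst_host"] for x in seq[j:i + 1]}
            if len(targets) > len(best):
                best, best_start = targets, seq[j]["ts"]
        if len(best) < min_fanout:
            continue
        prior = [a["detail"] for a in alerts
                 if a["host"] == src and best_start - lookback <= a["ts"] <= best_start]
        findings.append({
            "account": account, "src_host": src, "targets": sorted(best),
            "high_value_touched": sorted(best & HIGH_VALUE),
            "preceding_alerts": prior,
            "severity": "high" if prior else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f)
```

The fan-out on its own is still reported at medium severity, because a backup or patching account legitimately touches many hosts; the endpoint alert in the lookback window is what promotes it, and the high-value hosts in the target set tell the responder where to look first.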

STAGE 3: EXFILTRATE, MAINTAIN
• Aggregate and stage data
• Obfuscate to avoid detection
• Exfiltrate data
  – http / https, SSH, FTP, email
  – Use of Dyn DNS services to rotate drop zones
• Option to use your infrastructure to launch other attacks
• Periodically return to:
  – Update malware
  – Grab new data (keylogs, emails, data)

KEY POINTS: STAGE 3
• Egress monitoring / visibility is essential
  – What is leaving your network and why?
  – Tools like DLP that search for unaltered data will not spot or stop exfiltration once the data has been obfuscated
• Detection will become harder as entrenched attackers switch to maintenance mode and cover their tracks
  – They have a greater ability to blend in
• Remediation once attackers reach this point is very complex
• If expelled at this point, most attackers will actively seek to return
  – They will up their game
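The stage-3 key points say content-matching DLP misses staged data and that egress monitoring has to answer "what is leaving and why". The added example below (not code from the deck or from RSA) makes both points concrete: it builds a constructed customer export, stages it the way the slide describes (compress, then encrypt, here with a toy SHA-256 counter-mode keystream that stands in for whatever an attacker actually uses), and then scores an outbound transfer on flow metadata (never-seen destination, dynamic-DNS hostname, volume) plus a payload sample's entropy and DLP-pattern hits. The hosts, destinations, baseline, dynamic-DNS suffix list and thresholds are all assumptions for the example.

```python
import hashlib
import math
import re
import zlib
from collections import Counter

# Illustrative, not exhaustive: hostnames under dynamic-DNS providers, which attackers rotate as drop zones.
DDNS_SUFFIXES = (".no-ip.com", ".dyndns.org", ".duckdns.org")
# The kind of pattern a content-inspecting DLP rule looks for (a 16-digit card number written with dashes).
CARD_RE = re.compile(r"\b4\d{3}-\d{4}-\d{4}-\d{4}\b")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def keystream_xor(data: bytes, key: bytes) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode) used only to produce realistically opaque
    # bytes for the example; it is not a recommended cipher.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def stage_for_exfil(plaintext: bytes, key: bytes = b"constructed-demo-key") -> bytes:
    """Compress, then encrypt: the 'obfuscate to avoid detection' step of Stage 3."""
    return keystream_xor(zlib.compress(plaintext, 9), key)


def assess_egress(flow, payload_sample, baseline, big_bytes=5_000_000, entropy_threshold=7.0):
    """Score one outbound transfer from flow metadata plus a captured sample of its payload."""
    reasons = []
    if flow["dst_name"] not in baseline.get(flow["src_host"], set()):
        reasons.append("destination never seen from this host")
    if flow["dst_name"].endswith(DDNS_SUFFIXES):
        reasons.append("dynamic-DNS hostname (rotating drop zone)")
    if flow["bytes_out"] >= big_bytes:
        reasons.append("large outbound volume")
    entropy = shannon_entropy(payload_sample)
    dlp_hits = len(CARD_RE.findall(payload_sample.decode("latin-1")))
    if entropy >= entropy_threshold and dlp_hits == 0:
        reasons.append("high-entropy payload with no DLP pattern match (compressed/encrypted)")
    return {"entropy": round(entropy, 2), "dlp_hits": dlp_hits, "reasons": reasons,
            "verdict": "investigate" if len(reasons) >= 2 else "ok"}


# Constructed data: a customer export, the same export staged for exfiltration, and two flows.
CUSTOMER_CSV = "".join(
    f"{i:06d},user{i}@example.com,4111-1111-1111-{i % 10000:04d},{1000 + i * 7}.50\n"
    for i in range(300)
).encode()
PACKED = stage_for_exfil(CUSTOMER_CSV)
BASELINE = {"FS-01": {"updates.example.com", "mail.example.com"}}  # destinations seen in normal operation
FLOW_NORMAL = {"src_host": "FS-01", "dst_name": "mail.example.com", "bytes_out": 120_000}
FLOW_EXFIL = {"src_host": "FS-01", "dst_name": "cdn-sync.no-ip.com", "bytes_out": 48_000_000}

if __name__ == "__main__":
    print(assess_egress(FLOW_NORMAL, CUSTOMER_CSV, BASELINE))
    print(assess_egress(FLOW_EXFIL, PACKED, BASELINE))
```

Run it and the card-number rule fires 300 times on the plaintext export and zero times on the staged copy, while the staged copy is the one with the high-entropy signal; the verdict comes from the combination of destination history, naming, volume and payload character, which is what egress monitoring adds over content inspection alone.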

CONCLUSIONS
• Know your enemy, be prepared
• Compromise is inevitable
  – Goal should be to detect and respond to attacks to minimize loss and damage
  – Limit attacker free time inside your network
• Tools that provide visibility / forensic data are essential for detection and response
  – Logs, Packets, Endpoint, Threat Intelligence
  – Ability to spot anomalous / suspicious activity and investigate
  – Ability to pivot and see the whole picture of the attack
• Experienced responders are required
  – In-house or on-call

People & Process

NIST Incident Phase | RSA Best Practices (sample)

Preparation
• Staffing Model & Shift Transition; Roles & Responsibilities
• Business Alignment & Risk Alignment
• Incident Prevention Planning
• Security Controls Implementation & Monitoring

Detection & Analysis
• Categorization & prioritization of incident types
• Content, Analytic & Threat Intelligence; Malware Analysis
• L1, L2 & L3 SOPs; Incident Handling Workflow automation
• Generation of Alerts, Watchlists, Notifications and Reports

Containment, Eradication & Recovery
• Proactive remediation and breaking the “kill-chain”
• Accumulation and protection of evidence and forensic data
• C-level Escalation and cross-functional Rules of Engagement
• 3rd Party stakeholders, incl. Law Enforcement

Post Incident Activity
• Updated Incident Metrics, Breach Reporting and Disclosure
• Systems Hardening; Updated Threat and Risk Profile
• Evidence Retention; attribution and hacker prosecution
• Lessons Learned and Training

Reference: NIST Computer Security Incident Handling Guide & RSA Best Practices

Resource Shift Needed: Budgets & People

Today’s Priorities: Prevention 80%, Monitoring 15%, Response 5%
Future Requirements: Prevention 33%, Monitoring 33%, Response 33%

Thank You
