RSA@NYTHUN 2017: Dell EMC Technology Forum
Top Enterprise Risks
Cyber attacks are real and growing
Cybercrime & espionage*: high anonymity, low attribution
[Figure: timeline (year markers 2004 to 2015) of publicly reported cybercrime and espionage campaigns, threat groups and malware. The slide splits them into two bands, "Attacks on Government" and "Attacks on Industry". Names shown on the slide: Olympic Games, Solar Sunrise, US Naval War College, Moonlight Maze, Commerce Secretary, State Dept., Titan Rain, Buckshot Yankee, Flame, Op. Pawn Storm, Duqu, Red October, US Investigations Services, Equation Group, Arachnophobia, Black Tulip, Gauss, Grey Goose, Estonia, Taidoor, Stuxnet, Comodo, Shamoon, US Transport Command, Desert Falcons, Dark Seoul, PLA Unit 61398, Nortel, APT1, Shady RAT, Oak Ridge, Los Alamos, Ghost Net, Aurora, Night Dragon, Nitro, Australian Mining, Dragonfly, IMF, Safe, RSA, VOHO, Lockheed Martin, Ababil, Comment Panda, Vixen Panda, Shell Crew, GOZ, Carbanak, Anunak, Regin, Boleto, Backoff, Putter Panda, Shylock, Pitty Tiger.]
*Many of these threat actor activities and campaigns are ongoing, often collaborating and working with each other, sharing registrant information, malware, C2 domains, servers and general attack infrastructure. Dates represent threat groups and malware variants based on the dates of information published by the security industry; thousands of organizations were impacted.
Threat Landscape
Attackers are Outpacing Defenders
[Figure: percent of breaches where time to compromise (red) / time to discovery (blue) was days or less, by year, 2006 to 2015. The time-to-compromise curve (labelled "Attacker Capabilities") sits in the upper part of the chart, above the 75% line, while the time-to-discovery curve sits in the lower part, around 25%: compromise usually takes days or less, discovery usually does not. Source: Verizon 2016 Data Breach Investigations Report.]
© Copyright 2015 EMC Corporation. Confidential and Proprietary. NDA Required
Defender’s Challenges
• The attack surface is expanding
• Attackers are becoming more sophisticated
• Security teams need comprehensive visibility from endpoint to cloud
• Teams need to increase experience & efficiency
• Existing strategies & controls are failing
• Tools & processes must adapt to today’s threats
Blind Spots in Threat Detection & Response
• Only 8% have visibility into attacks
• Only 11% can quickly detect attacks
• Only 24% can quickly investigate attacks
*Attacks = multiple incidents, campaigns.
Source: RSA Threat Detection Effectiveness Survey, February 2016
Evolution of Threat Actors & Detection Implications
[Figure, three stages of one diagram: threat actors on the left, corporate assets on the right, preventative controls (firewall, IDS/IPS, antivirus) in between, and the uncovered "whitespace" between the controls.]
At first, there were HACKS: preventative controls filter known attack paths. Malicious traffic that the firewall, IDS/IPS and antivirus do not block reaches corporate assets as successful hacks.
Then, ATTACKS: despite increased investment in controls, including SIEM, the same controls block sessions and send more logs to a SIEM that raises alerts, yet attacks still succeed through the whitespace.
Now, successful ATTACK CAMPAIGNS target any and all whitespace: full visibility adds endpoint visibility (every process) and network visibility (every network session) to the blocked sessions, logs and alerts of the earlier stages.
Complete visibility into every process and network session is required to eradicate the attacker’s opportunity.
Unified platform for advanced threat detection & investigations.
Evolving Fraud Threat Landscape
Fraud: attacks designed to defeat traditional defenses, in the wild
[Figure: a web session timeline: Begin Session, Login, Transaction, Logout.]
Web Threat Landscape
• Phishing
• Rogue mobile app
• Site scraping
• Vulnerability probing
• Layer 7 DDoS attacks
• Man in the middle / man in the browser
• Password cracking / guessing
• Parameter injection
• New account registration fraud
• Advanced malware (e.g. Trojans)
Fraud
• Account takeover
• New account registration fraud
• Promotion abuse
• Unauthorized account activity
• Fraudulent money movement
Tactics, Techniques, Procedures
How attackers work to target, compromise, and exploit your organization
THREAT ACTORS AND OBJECTIVES
• Actors: criminals, nation states, hacktivists
• Objectives: $ (money), IP (intellectual property), PII (personal data)
STAGE 1: ESTABLISH FOOTHOLD
• Probe external servers and apps for vulnerabilities
  – Develop exploit
  – Install webshell or other remote access mechanism
• (Spear-)phish users
  – Obtain credentials
  – Deliver malware to obtain remote access (RATs, etc.)
KEY POINTS: STAGE 1
• Relying on prevention alone is futile
  – Attackers have multiple methods to find an initial foothold
• Not all attacks start with malware; identity is an attack vector
• Opportunities for early detection are limited
  – Lots of noise in data on external systems
  – Up-to-date threat intel can help
• Opportunities exist to make attackers’ jobs harder
  – Patch vulnerabilities, especially those with known exploits
  – User education
  – Make their intelligence gathering more difficult
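The probe-then-webshell path of Stage 1 leaves a trace in external web-server logs even though, as the key points say, those logs are noisy. The Python below is an added example, not code from the slides or from RSA: it parses constructed access-log lines, flags sources with a run of 403/404 probes, treats any path that answers a command-style query parameter with 200 as a likely webshell, and marks every client of such a path. The log lines, the threat-intel IP list and the parameter names are constructed assumptions.

```python
"""Spot the Stage 1 probe-then-webshell pattern in web-server access logs.

Added example, not code from the slides. The log lines, the threat-intel
IP list and the command-parameter names below are constructed assumptions.
"""
import re
from collections import defaultdict

# Combined-log-format lines, constructed: one source probes for known
# admin paths (403/404s), uploads something, then drives a dropped shell;
# a second source later uses the same shell; a third is ordinary browsing.
ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2017:09:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
203.0.113.7 - - [10/Mar/2017:09:01:03 +0000] "GET /admin/ HTTP/1.1" 404 209
203.0.113.7 - - [10/Mar/2017:09:01:04 +0000] "GET /wp-login.php HTTP/1.1" 404 209
203.0.113.7 - - [10/Mar/2017:09:01:05 +0000] "GET /uploads/ HTTP/1.1" 403 199
203.0.113.7 - - [10/Mar/2017:09:02:10 +0000] "POST /uploads/upload.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2017:09:02:15 +0000] "GET /uploads/img.php?cmd=whoami HTTP/1.1" 200 88
203.0.113.7 - - [10/Mar/2017:09:02:40 +0000] "GET /uploads/img.php?cmd=id HTTP/1.1" 200 91
198.51.100.4 - - [10/Mar/2017:09:03:00 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.4 - - [10/Mar/2017:09:03:01 +0000] "GET /about.html HTTP/1.1" 200 3200
192.0.2.9 - - [10/Mar/2017:09:04:00 +0000] "GET /uploads/img.php?cmd=ls HTTP/1.1" 200 300
"""

# Assumed threat-intel feed of IPs recently seen scanning elsewhere.
THREAT_INTEL_IPS = {"203.0.113.7"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$')
# Query-string keys commonly used by simple command shells (assumed list).
CMD_PARAM_RE = re.compile(r'[?&](cmd|exec|command)=', re.IGNORECASE)


def parse(log_text):
    """Parse lines into dicts; lines that do not match the format are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["status"] = int(row["status"])
            rows.append(row)
    return rows


def find_shell_paths(rows):
    """Paths that answered 200 to a request carrying a command-style parameter."""
    return {r["path"].split("?", 1)[0] for r in rows
            if r["status"] == 200 and CMD_PARAM_RE.search(r["path"])}


def assess(rows, min_probes=3):
    """Per source IP: (verdict, in_threat_intel).

    'webshell'  - touched a path that behaves like a shell, whoever dropped it
    'probing'   - at least min_probes 403/404 responses, no shell use seen
    'benign'    - neither
    """
    shells = find_shell_paths(rows)
    per_ip = defaultdict(lambda: {"probes": 0, "shell_hits": 0})
    for r in rows:
        info = per_ip[r["ip"]]
        if r["status"] in (403, 404):
            info["probes"] += 1
        if r["path"].split("?", 1)[0] in shells:
            info["shell_hits"] += 1
    verdicts = {}
    for ip, info in per_ip.items():
        if info["shell_hits"]:
            verdict = "webshell"
        elif info["probes"] >= min_probes:
            verdict = "probing"
        else:
            verdict = "benign"
        verdicts[ip] = (verdict, ip in THREAT_INTEL_IPS)
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, known) in sorted(assess(parse(ACCESS_LOG)).items()):
        print(f"{ip:15} {verdict:9} threat-intel hit: {known}")
```

Two design points follow the key points above. The probing verdict on its own is noise on any internet-facing host, so the threat-intel flag is carried alongside it purely for triage ordering. Once a path is known to behave like a shell, every client of that path is treated as hostile regardless of its own probing history, which is how the second source (192.0.2.9), which never probed, is caught.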
STAGE 2: ENTRENCH, EXPAND, EXPLORE
• Dump local credentials
• Install malware
  – Keyloggers, RATs
• Download cracking tools
• Control more machines, accounts
  – Privileged accounts: esp. IT, Admin
  – Domain controllers, e-mail servers
• Expand access methods
  – VPN, RDP, Proxy
• Map network
• Copy directory listings
• Dump databases
• Dump emails
KEY POINTS: STAGE 2
• Attackers move very quickly once they gain access
  – Speed of detection and remediation are key
• Many more opportunities for detection
  – Visibility to spot attacker activity is essential: network traffic, endpoint compromise, elevation of privilege, anomalous admin activity
• Need to be able to connect attacker activity
  – Addressing disconnected alerts will not disrupt attacks
• Opportunities exist to make attackers’ jobs harder
  – Strong authentication
  – Network segmentation
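The third key point is the one most teams miss: a credential dump on a workstation, a group change on a domain controller, an RDP session and a new binary on a mail server each look minor until they are connected. The Python below is an added example, not tooling from the slides or from RSA, of that connection step: constructed alerts from endpoint (edr), network (net) and identity (auth) sources are linked whenever they share a host or an account within a time window, and each resulting cluster is summarized as an ordered sequence of Stage 2 activity. The alert fields, the stage labels and the four-hour window are assumptions.

```python
"""Link disconnected alerts into one attacker campaign by pivoting on shared
hosts and accounts within a time window.

Added example, not code from the slides. The alerts, their field names and
the stage labels are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed alerts from three tools. Each one alone is low-severity noise.
ALERTS = [
    {"id": 1, "ts": "2017-03-10T10:00:00", "src": "edr", "host": "WS-117",
     "user": "jdoe", "type": "credential_dump"},          # LSASS memory read
    {"id": 2, "ts": "2017-03-10T10:07:00", "src": "auth", "host": "DC01",
     "user": "jdoe", "type": "new_admin_group_member"},   # jdoe added to an admin group
    {"id": 3, "ts": "2017-03-10T10:12:00", "src": "net", "host": "WS-117",
     "user": None, "type": "rdp_to_server"},              # WS-117 -> MAIL01:3389
    {"id": 4, "ts": "2017-03-10T10:20:00", "src": "edr", "host": "MAIL01",
     "user": "jdoe", "type": "rat_installed"},
    {"id": 5, "ts": "2017-03-10T14:00:00", "src": "auth", "host": "WS-042",
     "user": "asmith", "type": "failed_login_burst"},     # unrelated noise
]

# Assumed mapping from alert type to the Stage 2 activity it indicates.
STAGE_OF = {
    "credential_dump": "credential theft",
    "new_admin_group_member": "privilege escalation",
    "rdp_to_server": "lateral movement",
    "rat_installed": "persistence",
    "failed_login_burst": "credential guessing",
}


def _when(alert):
    return datetime.fromisoformat(alert["ts"])


def _linked(a, b, window):
    """Two alerts are linked if they share a host or a named user within the window."""
    if abs(_when(a) - _when(b)) > window:
        return False
    same_host = a["host"] == b["host"]
    same_user = a["user"] is not None and a["user"] == b["user"]
    return same_host or same_user


def correlate(alerts, window_hours=4):
    """Union-find over pairwise links; returns clusters as sorted lists of alert ids."""
    window = timedelta(hours=window_hours)
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for i, a in enumerate(alerts):
        for b in alerts[i + 1:]:
            if _linked(a, b, window):
                parent[find(a["id"])] = find(b["id"])
    groups = {}
    for a in alerts:
        groups.setdefault(find(a["id"]), []).append(a["id"])
    return sorted(sorted(g) for g in groups.values())


def summarize(cluster_ids, alerts):
    """Hosts, users, sources and the time-ordered stages seen in one cluster."""
    by_id = {a["id"]: a for a in alerts}
    members = sorted((by_id[i] for i in cluster_ids), key=_when)
    stages = []
    for a in members:
        stage = STAGE_OF.get(a["type"], a["type"])
        if stage not in stages:
            stages.append(stage)
    hosts = {a["host"] for a in members}
    users = {a["user"] for a in members if a["user"]}
    sources = {a["src"] for a in members}
    # A campaign crosses tools and either moves between hosts or runs through
    # several stages; a single disconnected alert does neither.
    campaign = len(sources) >= 2 and (len(hosts) >= 2 or len(stages) >= 2)
    return {"alerts": cluster_ids, "hosts": hosts, "users": users,
            "sources": sources, "stages": stages, "campaign": campaign}


if __name__ == "__main__":
    for cluster in correlate(ALERTS):
        print(summarize(cluster, ALERTS))
```

The pivot keys here are host and user because those are what endpoint, network and identity telemetry have in common; in practice the same join is done on source/destination IP, session id or process hash as well. The summary's ordered stage list is what an analyst needs to answer the slide's "speed of remediation" point: it says where the attacker already is, not just where the first alert fired.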
STAGE 3: EXFILTRATE, MAINTAIN
• Aggregate and stage data
  – Obfuscate to avoid detection
• Exfiltrate data
  – http / https, SSH, FTP, email
  – Use of dynamic DNS services to rotate drop zones
• Option to use your infrastructure to launch other attacks
• Periodically return to:
  – Update malware
  – Grab new data (keylogs, emails, data)
KEY POINTS: STAGE 3
• Egress monitoring / visibility is essential
  – What is leaving your network, and why?
  – Tools like DLP that search for unaltered data will not spot or stop exfiltration of staged, obfuscated data
• Detection becomes harder as entrenched attackers switch to maintenance mode and cover their tracks
  – They have a greater ability to blend in
• Remediation once attackers reach this point is very complex
• If expelled at this point, most attackers will actively seek to return
  – They will up their game
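The first key point makes two claims: content-matching DLP misses staged data, and egress visibility is what catches it. The Python below is an added example, not from the slides or from RSA, that shows both halves. A constructed CSV of SSN-like records matches a DLP-style regex in the clear but not after the compress-and-XOR staging step of Stage 3, while byte entropy still separates the two; and a set of constructed egress flow records is checked per host for outbound volume against a baseline, upload-heavy connections, and several dynamic-DNS destinations, which is what the rotating drop zones on the previous slide look like from the network. The flow records, baseline figures, payload and dynamic-DNS suffix list are constructed assumptions.

```python
"""Egress checks for Stage 3: staged, obfuscated data and rotating drop zones.

Added example, not code from the slides. The records, baselines, payload and
dynamic-DNS suffix list are constructed assumptions.
"""
import math
import re
import zlib
from collections import defaultdict

# The kind of pattern a content-matching DLP rule uses (US SSN shape).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed CSV of SSN-like records, as an attacker might stage it.
STAGED = b"name,ssn\n" + b"\n".join(
    f"user{i},{100 + i % 900:03d}-45-{6000 + i:04d}".encode() for i in range(2000))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: around 4 for CSV/English text, near 8 once compressed or encrypted."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def obfuscate(plaintext: bytes, key: bytes = b"k3y") -> bytes:
    """Compress, then XOR with a short key: enough to defeat content matching."""
    packed = zlib.compress(plaintext, 9)
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(packed))


def dlp_match(payload: bytes) -> bool:
    """What a DLP rule sees: a regex over the bytes on the wire."""
    return SSN_RE.search(payload.decode("latin-1")) is not None


# Constructed egress flows for one day: (host, destination, bytes out, bytes in).
FLOWS = [
    ("WS-117", "cdn.example.net", 2_000, 900_000),
    ("WS-117", "a1.dyn-host.example", 40_000_000, 5_000),
    ("WS-117", "b7.dyn-host.example", 38_000_000, 4_800),
    ("WS-117", "c3.dyn-host.example", 41_000_000, 5_100),
    ("WS-042", "mail.example.com", 300_000, 2_000_000),
    ("WS-042", "cdn.example.net", 1_000, 700_000),
]
# Typical daily bytes out per host, learned from history (constructed here).
BASELINE_OUT = {"WS-117": 50_000_000, "WS-042": 60_000_000}
# Suffixes of dynamic-DNS providers (assumed list; use a real feed in practice).
DYN_DNS_SUFFIXES = (".dyn-host.example",)


def egress_findings(flows, baseline_out, dyn_suffixes, volume_factor=2.0, upload_ratio=10.0):
    """Per host: outbound volume vs. baseline, upload-heavy destinations, dynamic-DNS drop zones."""
    bytes_out = defaultdict(int)
    upload_dsts = defaultdict(set)
    dyn_dsts = defaultdict(set)
    for host, dst, b_out, b_in in flows:
        bytes_out[host] += b_out
        if b_out > upload_ratio * max(b_in, 1):      # client sends far more than it receives
            upload_dsts[host].add(dst)
        if dst.endswith(dyn_suffixes):
            dyn_dsts[host].add(dst)
    findings = {}
    for host, total in bytes_out.items():
        ratio = total / baseline_out.get(host, 1)
        findings[host] = {
            "volume_ratio": round(ratio, 2),
            "upload_heavy_dsts": sorted(upload_dsts[host]),
            "dyn_dns_dsts": sorted(dyn_dsts[host]),
            # Any one signal is worth a look; together they describe rotating drop zones.
            "suspicious": (ratio >= volume_factor or len(upload_dsts[host]) >= 2
                           or len(dyn_dsts[host]) >= 2),
        }
    return findings


if __name__ == "__main__":
    blob = obfuscate(STAGED)
    print(f"DLP regex on clear text: {dlp_match(STAGED)}, on staged blob: {dlp_match(blob)}")
    print(f"entropy clear {shannon_entropy(STAGED):.2f}, staged {shannon_entropy(blob):.2f}")
    for host, finding in egress_findings(FLOWS, BASELINE_OUT, DYN_DNS_SUFFIXES).items():
        print(host, finding)
```

The entropy check does not tell you what left; it tells you that something that is not ordinary text left, which is the "what and why" question on the slide. The flow checks need per-host baselines, because a 100 MB upload is normal for a backup server and alarming for a workstation, and they deliberately count distinct dynamic-DNS destinations rather than matching a single known-bad domain, since rotation is the attacker's defence against domain blocklists.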
CONCLUSIONS
• Know your enemy, be prepared
• Compromise is inevitable
  – The goal should be to detect and respond to attacks to minimize loss and damage
  – Limit attacker free time inside your network
• Tools that provide visibility / forensic data are essential for detection and response
  – Logs, packets, endpoint, threat intelligence
  – Ability to spot anomalous / suspicious activity and investigate
  – Ability to pivot and see the whole picture of the attack
• Experienced responders are required
  – In-house or on-call
People & Process: NIST Incident Response Phases and RSA Best Practices (sample)
Preparation
• Staffing model & shift transition; roles & responsibilities
• Business alignment & risk alignment
• Incident prevention planning
• Security controls implementation & monitoring
Detection & Analysis
• Categorization & prioritization of incident types
• Content, analytics & threat intelligence; malware analysis
• L1, L2 & L3 SOPs; incident handling workflow automation
• Generation of alerts, watchlists, notifications and reports
Containment, Eradication & Recovery
• Proactive remediation and breaking the “kill chain”
• Accumulation and protection of evidence and forensic data
• C-level escalation and cross-functional rules of engagement
• Third-party stakeholders, incl. law enforcement
Post-Incident Activity
• Updated incident metrics, breach reporting and disclosure
• Systems hardening; updated threat and risk profile
• Evidence retention; attribution and prosecution
• Lessons learned and training
Reference: NIST Computer Security Incident Handling Guide (SP 800-61) & RSA Best Practices
Resource Shift Needed: Budgets & People
[Figure: two pie charts of budget and people allocation across prevention, monitoring and response.]
Today’s priorities: Prevention 80%, Monitoring 15%, Response 5%
Future requirements: Prevention 33%, Monitoring 33%, Response 33%
Thank You