Advanced Threats: The New World Order - Hkcert PDF Free Download

1y ago

24 Views

1 Downloads

4.81 MB

34 Pages

Report/dmca

Download PDF

Transcription

Traditional Security Is Not Working99% of breaches led tocompromise within “days” or lesswith 85% leading to dataexfiltration in the same time85% of breaches took“weeks” or more todiscoverSource: Verizon 2012 Data Breach Investigations Report Copyright 2012 EMC Corporation. All rights reserved.3

What is APT?Gartner uses a simple definition for “APT”:Advanced: It gets through your existingdefenses.Persistent: It will keep trying until it gets in,and once done, it succeeds in remaininghidden from your current level of detectionuntil it attains its objective.Threat: It can cause harm. Copyright 2012 EMC Corporation. All rights reserved.“ Strategies for Dealing withAdvanced Target Attacks”Gartner, 6 Jun 20135

Aims of APT Information compromise: Stealing,destroying or modifying business-criticalinformation. Theft of service: Obtain use of the businessproduct or service without paying for it. Denial of service: Disrupting businessoperations. Copyright 2012 EMC Corporation. All rights reserved.6

Unknown Threat . Targeted attacks often use custom-createdmalware that is undetectable by signaturebased techniques. Such attacks generally require some meansof communication back to an outside party(beaconing). Copyright 2012 EMC Corporation. All rights reserved.8

APT leaves clues! APT footprints––––Payload (one or several)Compromised hostRemote C2 serverNetwork communications Routable IP address or a domain name pointing to it Registered with a fully qualified domain name Or an account with a DDNS provider Payload Binaries, strings & functions, etc. Configured with the address\domain Proactive Intelligence to detect these clues Copyright 2012 EMC Corporation. All rights reserved.9

Advanced Threats Are Different1TARGETED 2 STEALTHY 3INTERACTIVELOW AND SLOWSPECIFIC mpleteDwell Time1 Copyright 2012 EMC Corporation. All rights reserved.Cover-Up DiscoveryLeap Frog AttacksHUMAN INVOLVEMENTResponse TimeAttack IdentifiedDecreaseDwell Time[Attacker FreeTime]2ResponseSpeedResponse Time10

SIEM has been a good start SIEM can provide:– Valuable reporting on device and application activity– Basic alerting on known sequences (i.e. basiccorrelation)– Proof of compliance for internal and external auditors– Central view into disparate event sources beingcollectedIn today’s world Threats are multi-faceted, dynamic and stealthyThe most dangerous attacks have never been seen beforeThreats often don’t leave a footprint in logs Copyright 2012 EMC Corporation. All rights reserved.14

Today’s tools need to adapt Today’s tools need to be able to detect andinvestigate– Lateral movement of threats as they gain foothold– Covert characteristics of attack tools, techniques &procedures– Exfiltration or sabotage of critical data Today’s tools need to be able to scale– To collect and store the volume and diversity of datarequired– To provide analytic tools to support security workstreams– Time to respond is critical in a breach situations – andSIEM often falls shortTraditional SIEM will not meet these needs! Copyright 2012 EMC Corporation. All rights reserved.15

ControlCoverageAttack the control‘whitespace’“Defense in logAssetsfull packetcaptureEmerging Threats 0‐day malware Trusted C2 Valid enceLive Intelligence &CCIGovernanceECAT

Critical Questions against APTsGovernanceWhatMatters?Comprehensive VisibilityWhat isgoing on?Actionable IntelligenceHow do Iaddress it?

Use a Strategic Security Approach toImplement Tactical Best-Practice ControlsBest Practice Strategies from Gartner Use a comprehensive approach; no one singletechnology will stop advanced targeted attacks, evenproducts specifically targeted at advanced forms ofattacks. Acknowledge that technology alone won’t stop APT;your strategy must include the search forcompromised systems, improvements in yourforensics and incident response capabilities, andrapid response. Copyright 2012 EMC Corporation. All rights reserved.19

List of RSA offerings within Gartner control layersTechnologiesSolution OfferingsAuthentication TechnologyRSA SecurIDAdvanced Threat ProtectionAppliancesRSA Security AnalyticsNetwork forensicsRSA Security AnalyticsSecurity information and eventmanagementRSA Security AnalyticsSecurity Intelligence ServicesRSA Security AnalyticsRSA Cyber Crime IntelligenceEndpoint Threat Detection andresponseRSA ECATIncident Response CapabilitiesRSA ArcherDLPRSA DLPGarnter:G00256438 Copyright 2012 EMC Corporation. All rights reserved.20

What changed between 2011- 201320112013Target1 Bank3 Banks and a TVStationDestructionDelete Bootfiles &RebootDelete MBR &RebootDeliverySingle VectorMulti-VectorSIEMNoMostlyNetwork imalDowntime2 Days2 Hours Copyright 2012 EMC Corporation. All rights reserved.25

Sphere of Protection Fed by more than 2,000 securitydevices which generate 12 to 14 millionsecurity events per hour Protecting critical infrastructure ofthousands of customers spanning morethan 500 sites in over 100 countries Manages Security Incidents,Investigate Suspicious Behavior,Vulnerability Analysis, MalwareAnalysis, and Threat Management Built on EMC Proven Technologies fromRSA, including RSA Security Analyticsand RSA Archer A specialized cross-functional highlyskilled team focused just on monitoringfor critical threats and incidentresponse Copyright 2012 EMC Corporation. All rights reserved.28

EMC CIRC Statistics Reference After filtering, alerts that need to be handle isaround 200 instances. Out of the 200 alerts, 30 need to do furtherinvestigation. Need 3 person to handle the in-depth advanceinvestigation. Copyright 2012 EMC Corporation. All rights reserved.29

Solutions Highlights RSA Security Analytics (upgradable from RSA enVision)– Provide enterprise-wide visibility into network traffic and logevent data to reduce attacker free time from weeks to hours. RSA ECAT (Enterprise Compromise Assessment Tool)– Detect advanced malware and quickly response leveraginginnovative live memory analysis. RSA Archer– Provide business context hence incident prioritization, manageremediation procedures. Copyright 2012 EMC Corporation. All rights reserved.31

RSA ACD Services PortfolioNextGen SOC Design & ImplementationIdentity & Access ControlBreach ManagementCyber Threat IntelligenceBreach ReadinessIncident Response/DiscoveryImpacting the Attack “Cyber Kill Chain”Establish Beach Head Copyright 2011 EMC Corporation. All rights reserved.InfiltrationData Exfiltration61

RSA Security Analytics (upgradable from RSA enVision) - Provide enterprise-wide visibility into network traffic and log event data to reduce attacker free time from weeks to hours. RSA ECAT (Enterprise Compromise Assessment Tool) - Detect advanced malware and quickly response leveraging innovative live memory analysis. RSA Archer