7 BEHAVIORS OF HIGHLY EFFECTIVE BDS
Tarun Gupta Senior Technical Consultant Trend Micro
#CLOUDSEC
THREAT ACTORS GROWING WORLDWIDE
CRIME SYNDICATE (SIMPLIFIED)
Diagram (only the role labels survive from the figure): Victim; The Boss; Mercenary Attackers; Data Fencing; The Captain; Garant; Bullet Proof Hoster.
CRIME SYNDICATE (DETAILED)
Diagram of the roles and the payments between them (only the labels survive from the figure): Victim; Blackhat SEO; Attacker ($10); Attacker (Botherder, $2); Keywords; Programmer ($10); Cryptor ($10); Virtest ($5); Worm; Exploit Kit; Bot Reseller ($1); Traffic Direction System ($5); Garant ($10); Carder ($4); Money Mule; Droppers; Card Creator ($2); Bullet Proof Hoster ($5); Compromised Sites (Hacker); SQL Injection Kit; further edges labelled $1, $3, $4, $6 and $10.
A PREDATOR THAT BLENDS RIGHT IN
HACKERS HAVE AN UNFAIR ADVANTAGE!
• Lucrative payoff, low penalty for failure
• Easy access to weapons/expertise
• Broad attack surface (mobile, cloud…)
• Social engineering easier than ever
• Impact beyond cost
• Resource constrained
• Many points of defense
• Users cannot be controlled
HACKERS HAVE AN UNFAIR ADVANTAGE!
All that’s needed is a credit card and a mouse!
ATTACKERS EXPLOIT THE “GAPS” IN YOUR SECURITY
• Limitations in device/OS/file coverage
• Unmonitored ports and protocols
• Generic sandbox environments
• Limited insight on known and zero-day attacks
• Lack of visibility into attack evolution & polymorphic malware
ATTACKERS CUSTOMIZE ATTACKS TO EVADE YOUR STANDARD DEFENSES
• Use Multiple Ports (Poison Ivy)
• Use Multiple Protocols (EvilGrab MW)
• Evolve/Morph over Time (IXESHE MW)
• Attack Weakest Point: Humans (91% of targeted attacks begin with a spear-phishing email)
A TARGETED ATTACK IN ACTION: SOCIAL, STEALTHY
Diagram (Attackers → Employees → $$$$) with the attack steps shown:
• Moves laterally across network seeking valuable data
• Gathers intelligence about organization and individuals
• Targets individuals using social engineering
• Establishes link to Command & Control server
• Extracts data of interest – can go undetected for months!
7 BEHAVIORS OF HIGHLY EFFECTIVE BDS
EFFECTIVE BEHAVIOR 1 - VISIBILITY
• Breach detection solutions need pervasive traffic visibility.
• Monitor the perimeter and all internal network traffic between endpoints, servers, and any other devices.
• Mobile device access and activities.
• Identify risky applications in use.
• Unusual traffic and data transfer patterns, and more.
EFFECTIVE BEHAVIOR 2 - DETECTION
• A network-based breach detection solution can discover malicious content and communications in complex networks.
• Monitoring of all critical network segments over multiple protocols.
• Custom sandbox simulation and threat detection rules that reflect the environment's risks.
• Agnostic to devices, operating systems and network traffic.
• Can detect network threat activity emanating from any IP-based device; detects attacks across all network traffic.
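As an added illustration of behaviors 1 and 2 (pervasive traffic visibility and device- and port-agnostic detection of command-and-control communication), here is a small detector written for this page; it is not code from the deck or from Trend Micro's products. It assumes a sensor that exports one connection record per line as timestamp, source, destination, destination port and bytes sent, and the sample log is constructed (documentation IP ranges): one host beacons to the same external address at a near-constant interval while rotating ports, which is the "multiple ports" evasion the earlier slide names, and also pushes an unusually large upload.

```python
"""Beaconing and heavy-upload detection over connection records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev


def _build_sample_log():
    """Constructed sample input, not real traffic.

    10.0.0.5 contacts 203.0.113.7 every ~60 s with small jitter, cycling through
    ports 80/443/8080, and its last connection carries a 45 MB upload.
    Three other hosts browse 198.51.100.x at irregular intervals.
    """
    t0 = datetime(2014, 6, 1, 9, 0, 0)
    lines = []
    jitter = [0, 2, -1, 3, 0, -2, 1, 0, 2, -1, 0, 1]
    ports = [80, 443, 8080]
    for i, j in enumerate(jitter):
        ts = t0 + timedelta(seconds=60 * i + j)
        size = 900 if i < 11 else 45_000_000  # final beacon carries the exfil payload
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} 10.0.0.5 203.0.113.7 {ports[i % 3]} {size}")
    gaps = [0, 7, 95, 130, 131, 400, 412, 900, 905, 1500, 2000, 2100]
    for host, dst in (("10.0.0.9", "198.51.100.20"),
                      ("10.0.0.12", "198.51.100.21"),
                      ("10.0.0.14", "198.51.100.22")):
        for g in gaps:
            ts = t0 + timedelta(seconds=g)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} {host} {dst} 443 {1500 + g}")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_log(text):
    """Parse 'timestamp src dst dport bytes_out' lines into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, size = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                        src, dst, int(port), int(size)))
    return records


def find_beacons(records, min_conns=6, max_cv=0.15):
    """Flag (src, dst) pairs whose inter-connection intervals are near-constant.

    Ports are deliberately ignored when grouping, so a client that rotates
    ports still shows up as one conversation. The coefficient of variation
    (stdev / mean of the intervals) is the regularity score: human browsing
    is bursty and scores high, a timer-driven implant scores close to zero.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in records:
        by_pair[(src, dst)].append((ts, port))
    hits = {}
    for pair, conns in by_pair.items():
        if len(conns) < min_conns:
            continue
        conns.sort()
        times = [c[0] for c in conns]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = {"interval": round(avg), "cv": round(cv, 3),
                          "ports": sorted({c[1] for c in conns})}
    return hits


def find_heavy_uploaders(records, factor=5):
    """Flag hosts whose outbound byte total exceeds factor x the fleet median."""
    out = defaultdict(int)
    for _, src, _, _, size in records:
        out[src] += size
    baseline = median(out.values())
    return {host: total for host, total in out.items() if total > factor * baseline}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for pair, info in find_beacons(recs).items():
        print(f"beacon {pair[0]} -> {pair[1]} every ~{info['interval']}s "
              f"(cv={info['cv']}) over ports {info['ports']}")
    for host, total in find_heavy_uploaders(recs).items():
        print(f"heavy uploader {host}: {total} bytes out")
```

The thresholds (six connections, 15% interval variation, five times the median) are starting points, not tuned values; on real exports you would baseline them per segment, and you would add the sensor's protocol identification as a further grouping key so that the same conversation seen over HTTP and over a non-standard port on 8080 still collapses into one finding.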
EFFECTIVE BEHAVIOR 3 – ANALYSIS AND RISK ASSESSMENT
• Augments automated local threat analysis with relevant global intelligence.
• Identifies emerging threats, vulnerabilities and the associated risk.
• Analysis should derive actionable intelligence.
• Risk impact assessment, prioritization and notification.
• Helps in risk mitigation through integration and information sharing.
• Highlights infectious, unusual network activity.
EFFECTIVE BEHAVIOR 4 - PREVENTION
• Custom detection, analysis and intelligence to augment protection from further attack.
• Detects and blocks current attack activity such as command and control communications, lateral movement, etc.
• Includes custom security updates sent from the detection/analysis platform to all pertinent protection points.
• The entire security infrastructure adapts to defend against the new attacker.
EFFECTIVE BEHAVIOR 5 - REMEDIATION
• In-depth threat profile information helps guide containment and remediation actions.
• SIEM or other log analysis methods determine the full extent of the attack.
• Provides the custom, relevant intelligence to guide your rapid response.
• Open web services interfaces allow any product to integrate.
EFFECTIVE BEHAVIOR 6 - SECURITY THAT FITS
• Integration with SIEMs: HP, IBM, Splunk, any.
• Sharing of threat intelligence with other security products.
• Open web services interfaces allow any product to integrate.
EFFECTIVE BEHAVIOR 7 – INVESTIGATIVE COLLABORATION
Diagram of the collaboration cycle (only the labels survive from the figure): Monitor → Detect → Analyse → Compile → Forward → Action; Intel Report shared with Member Countries.
Copyright 2014 Trend Micro Inc.
FUELED BY GLOBAL THREAT INTELLIGENCE
Global Threat Intelligence Accurately Analyzes and Identifies Threats Faster
• 100TB of data analyzed and correlated daily
• 300,000 new threats identified daily
• Big data analytics and threat expertise
Global Sensor Net Collects More Information in More Places
• 150 million sensors
• 16 billion threat queries daily
• Files, URLs, vulnerabilities, threat actors…
Proactive Protection Blocks Real-World Threats Sooner
• 500,000+ businesses
• Millions of consumers
• 150M threats blocked daily
RECOMMENDED APPROACH
• MONITOR & CONTROL: Security administrator alerted and provided actionable intelligence
• DETECT: Suspicious file detected and analyzed by Deep Discovery
• ANALYZE: Affected endpoints identified with Deep Discovery Endpoint Sensor
• RESPOND: Custom signature deployed and malicious file quarantined; servers protected from unpatched vulnerability used in the attack
• PROTECT: Protection improved against future attacks with integrated Trend solutions
TREND MICRO DEEP DISCOVERY PLATFORM: Advanced Threat Detection Where it Matters Most
Defends against targeted attacks invisible to standard security products:
• Advanced malware & exploits
• Command & control communication
• Attacker activity and lateral movement
• Across inbound, outbound & internal traffic
DEEP DISCOVERY FAMILY PRODUCTS
Deploy protection where it matters most to your organization
• Inspector (Network-wide attack detection): Detect and analyze targeted attacks anywhere on your network
• Analyzer (Integrated sandboxing): Improve the threat protection of your existing security investments
• Email Inspector (Email attack protection): Stop the targeted attacks that can lead to a data breach
• Endpoint Sensor (Endpoint Investigation): Investigate & respond to attacks with network detection + endpoint intelligence
Copyright 2015 Trend Micro Inc.
WHY DEEP DISCOVERY?
Superior detection & 360° protection
• Proven results for standard HTTP & SMTP
• Plus additional detection for 100+ protocols & applications across all ports
• Detection of Mac and Mobile malware
• Custom sandboxing
• Monitors all network traffic
• Detect attacker activity
• Single appliance & low TCO