© 2010 Quest Software, Inc. ALL RIGHTS RESERVED Dmitry Kagansky, CTO - Public Sector (Federal) March 14, 2011 Quest Software – APT and the Insider Threat

Quest Software – APT and the Insider Threat

DESCRIPTION

Quest Software – APT and the Insider Threat. Dmitry Kagansky, CTO - Public Sector (Federal) March 14, 2011. Agenda. The Insider Threat Advanced Persistent Threat What is it and what does it mean for Public Sector? The Federal Supply Chain - PowerPoint PPT Presentation


Page 1: Quest Software – APT and the Insider Threat

© 2010 Quest Software, Inc. ALL RIGHTS RESERVED

Dmitry Kagansky, CTO - Public Sector (Federal)
March 14, 2011

Quest Software – APT and the Insider Threat

Page 2: Quest Software – APT and the Insider Threat


Agenda
• The Insider Threat
• Advanced Persistent Threat
  – What is it and what does it mean for Public Sector?
• The Federal Supply Chain
  – Where are the weaknesses, and how can they be shored up?
• The Commercial Perspective
  – Paul Harper to discuss the view from the Commercial side
• Privileged Identity Management (PIM)
  – The ‘firewall’ for the insider threat
• Demonstration
• Q & A

#QSFTcybersecurity - follow this webcast/ask questions!

Page 3: Quest Software – APT and the Insider Threat


The Insider Threat
• We all know the stats and stories
• The Insider is more dangerous
• The Insider is more careless
• The Insider is more malicious

• However . . .

• Sometimes . . .

• The Insider doesn’t know he’s the source of the compromise!

Page 4: Quest Software – APT and the Insider Threat

What is APT (Advanced Persistent Threat)?
• New term for an old problem
  – Coined by Mandiant
• What is it?
  – Advanced
    • No one attack is particularly sophisticated
    • Combination of attacks from many different vectors
      – Email
      – Web
      – Social Engineering
      – Devices
  – Persistent
    • No longer recreational or even opportunistic
    • This is someone’s job
  – Threat
    • Co-ordinated
    • Skilled, motivated and well-funded

• What does it mean for Public Sector?

Page 5: Quest Software – APT and the Insider Threat

The Federal Supply Chain
• Any chain is only as strong as the weakest link
  – Where are the weaknesses, and how can they be shored up?
  – Documents
    • Adobe Acrobat is a bigger vehicle for malware than MS Word
  – Email
  – Websites
  – Devices – that USB stick you found at Starbucks!
• An agency may be ‘clean’ but it is not safe if it interacts with anyone else on the outside
• This same supply chain analogy applies to all agencies and all their partners
  – First Responders

Page 6: Quest Software – APT and the Insider Threat

The Commercial Perspective
• APTs are just as prevalent
  – Not publicly discussed or acknowledged

• Part of the Federal Supply Chain

• Many ties to government

• Slower to acknowledge that it’s a problem

Page 7: Quest Software – APT and the Insider Threat

Now what?
• How do you guard against the APT?
  – Low & slow attacks
    • Days and weeks to develop
    • Multiple vectors
  – Data gathering and observation
• Train your users
• Constantly update anti-virus
• Avoid giving out privileged access
  – Segregation of duties
  – Segregation of accounts (dual accounts for admins)

Page 8: Quest Software – APT and the Insider Threat

Privileged Identity Management (PIM)
• aka PAM (Privileged Account Management)
• Elevated privileges are most dangerous when obtained by an APT
  – It’s not the secretary or the janitor that is a concern
  – It’s the people with the keys to the kingdom
  – They won’t know when they’ve given up the keys
• 2 Flavors:
  – Named Accounts
  – System accounts such as root, oracle, administrator, etc.
• Password Vault
• Continuous logging and monitoring
• Session recording
• Command control

Page 9: Quest Software – APT and the Insider Threat

Demonstration

Page 10: Quest Software – APT and the Insider Threat

Summary
• Advanced Persistent Threat is a reality and only going to grow
• Harder to detect
• Harder to prevent
• Weakness through weak security not just from users but partners
• Elevated accounts are most dangerous

Page 11: Quest Software – APT and the Insider Threat

Resources
• Advanced Persistent Threat
  – http://en.wikipedia.org/wiki/Advanced_Persistent_Threat (Definition and overview page)
  – http://www.usenix.org/event/lisa09/tech/slides/daly.pdf (Excellent presentation from Raytheon)
  – http://www.mandiant.com (Great white papers and studies – check their M-Trends paper)
• The Federal Supply Chain
  – http://www.businessofgovernment.org/sites/default/files/The%20Role%20of%20the%20Federal%20Supply%20Chain%20in%20Preparing%20for%20National%20Emergencies.pdf (Planning for the Inevitable: The Role of the Federal Supply Chain in Preparing for National Emergencies)
• Quest TPAM
  – http://www.edmz.com

Page 12: Quest Software – APT and the Insider Threat

Want more info?

• DLT Contact Information:
  Phone: 877-783-7800
  Email: [email protected]
  Twitter: @DLTSolutions
• Quest’s identity management solutions
  – http://www.quest.com/identity-management
  – http://www.GetToOne.com


Page 13: Quest Software – APT and the Insider Threat

© 2010 Quest Software, Inc. ALL RIGHTS RESERVED

Thank You