Page 1: The Current Threat Landscape: The Confluence of Data Security Challenges

Brian Marshall, Vice President, Research and Development

Page 2: ATTACK STATISTICS

Page 6: On oh so many devices…

Page 12: So, what’s new?

• IT's criticality has never been higher!

• It can be the differentiation of your business, it can be the intimacy with your customer, and it can be the public delivery of what you're doing ... you name it, it's now critical

• You just can't live without your network, your systems, your data center, etc., because you're fully reliant upon them to run a business

Page 15: Or will You???

• Reflecting on the security and threat landscape of 2013, one trend that stands out is the growing ability of malware authors to camouflage their attacks. Widespread dissemination of advanced botnet and exploit kit source code allows more malware authors to create innovative and diverse new attacks – SOPHOS Security Threat Report 2014

Page 16: Maybe you have better security……

• The web became significantly more malicious, both as an attack vector and as the primary support element of other attack trajectories (e.g., social, mobile, email)

Page 17: Biggest IT Myths

• Hey, it won’t happen to us!

• “Buy this tool <insert tool here> and it will solve all your problems”

• “Let's get the policy in place and we are good to go”

• I passed my IT audit, I must be secure

Page 18: So, where do we focus?

We have seen an emergence of several criminal factions…

• Nation States

• Collectives

• Hacktivists

Page 19: We’re all looking for help

• Many IT managers believe the government should do more

• While there are things the federal government can do, each organization is responsible for implementing basic prevention, detection, and response controls to deal with inevitable breach attempts

Page 20: Many Challenges

• Lack of governance is only one challenge facing connected businesses and government agencies

• For years, relatively inexpensive tools have enabled almost anyone with a little computer knowledge to circumvent prevention controls, given enough time

Page 21: Lacking

• Cyberspace itself lacks governance and control

• This exposes the perimeters and internal systems (especially end-user) to a wide variety of threats

• And remember, the end user is the last line of defense

Page 22: So, why do these breaches happen so frequently and who are these miscreants?

• Well-meaning Insiders

• Targeted attacks

• The malicious Insider

Page 23: Their M.O.

• The cyberspies typically enter targeted computer networks through “spear-phishing” attacks, in which a company official receives a creatively disguised email and is tricked into clicking on a link or attachment that then opens a secret door for the hackers

Page 24: They can’t get to me… I am secure

• Hackers go after suppliers to get into larger companies

• Smaller companies tend not to have the funding, staff or knowledge needed to formalize – let alone maintain – more secure policies and procedures, all combining to make them the path of least resistance . . . and the bad guys have discovered this

Page 25: But I don’t run Windows. I am not vulnerable

There has been significant innovation in how Android malware seeks to avoid and counter detection methods.

While Linux sees a small fraction of the volume of malware targeted at Windows or Android, we are seeing a modest but steady stream of malware executables and scripts attacking it.

Page 26: But I don’t run Windows. I am not vulnerable

Last year, AlienVault and Sophos identified backdoor Trojans that compromised Macs in Asia through booby-trapped Word documents. These Trojans were embedded in documents claiming to discuss human rights abuses in Tibet, triggering speculation that the attack might have come from sources related to the Chinese government.

Page 27: A wolf in sheep’s clothing: Plugx, Blame and Simbot

Some targeted attacks try to camouflage themselves as legitimate applications. In particular, we are seeing dangerous certificate-stealing attacks, which use clean, signed components from the Windows OS or third-party vendors in order to load malicious components. The malicious code is then executed by a trusted process, so if a firewall sees data traffic headed outbound, it may conclude that the traffic is legitimate.
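The trust problem on this slide, as an added example that is not from the slides or from Vanguard: a small correlation over constructed endpoint events (module loads and outbound connections) that alerts when a process, however clean its own signed binary, has loaded an unsigned or out-of-place module before talking out. The event fields, the trusted-directory list and the sample events are assumptions made for the example.

```python
# Added example (not from the slides or from Vanguard): correlate module-load
# and outbound-connection events so that a clean, signed process that has
# loaded a suspicious component is not trusted on process identity alone.
# Event shape, the trusted-directory allowlist and the sample telemetry are
# all constructed for this illustration; real sensors use other field names.
from dataclasses import dataclass

# Directories a signed process is expected to load its modules from.
# Constructed allowlist; a real one is built per environment.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
)


@dataclass
class Event:
    pid: int             # process id the event belongs to
    image: str           # executable of that process
    kind: str            # "load" (module mapped) or "connect" (outbound)
    path: str = ""       # module path, for "load"
    signed: bool = True  # module signature state, for "load"
    dest: str = ""       # remote host:port, for "connect"


def suspicious_load(ev: Event) -> bool:
    """A module load is suspicious when the module is unsigned or comes
    from outside the trusted directories, regardless of how trusted the
    hosting process is (the side-loading pattern on the slide)."""
    p = ev.path.lower()
    in_trusted_dir = any(p.startswith(d) for d in TRUSTED_DIRS)
    return (not ev.signed) or (not in_trusted_dir)


def correlate(events: list) -> list:
    """Walk events in time order; remember processes that loaded a suspicious
    module, and raise an alert each time such a process connects out.
    A connection that happens before any suspicious load is not flagged."""
    tainted = {}  # pid -> list of suspicious module paths
    alerts = []
    for ev in events:
        if ev.kind == "load" and suspicious_load(ev):
            tainted.setdefault(ev.pid, []).append(ev.path)
        elif ev.kind == "connect" and ev.pid in tainted:
            alerts.append({
                "pid": ev.pid,
                "image": ev.image,
                "dest": ev.dest,
                "modules": list(tainted[ev.pid]),
            })
    return alerts


# Constructed sample telemetry. pid 4242 is a signed vendor binary that
# loads an unsigned DLL from its own user-writable directory and then
# connects out; pid 912 is a normal system process doing ordinary work.
VENDOR_EXE = r"C:\Users\alice\AppData\Local\Temp\vendorapp.exe"
SAMPLE_EVENTS = [
    Event(4242, VENDOR_EXE, "load", path=r"C:\Windows\System32\kernel32.dll"),
    Event(912, r"C:\Windows\System32\svchost.exe", "load",
          path=r"C:\Windows\System32\ntdll.dll"),
    Event(912, r"C:\Windows\System32\svchost.exe", "connect",
          dest="203.0.113.5:443"),
    Event(4242, VENDOR_EXE, "load",
          path=r"C:\Users\alice\AppData\Local\Temp\helper.dll", signed=False),
    Event(4242, VENDOR_EXE, "connect", dest="198.51.100.7:443"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} image={alert['image']} "
              f"dest={alert['dest']} suspicious_modules={alert['modules']}")
```

Only the vendor process is reported, because the system process loaded nothing outside the trusted directories; the point is that the decision keys on what the process loaded, not on whether its own image was signed.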

Page 28: Botnets Grow in Size and Stealth

• In the past 12 months, botnets have become more widespread, resilient and camouflaged—and they seem to be finding some dangerous new targets

• Botnet operators are also faster and more effective at responding to countermeasures. One antivirus company took control of part of the ZeroAccess botnet, redirecting traffic from 500,000 infected clients to a server controlled by the antivirus company (what we call sinkholing).

• In response, the botnet’s owners quickly ramped up and within weeks, replaced all that were lost—and the new versions aren’t vulnerable to the same countermeasure.

Sophos Security Threat Report 2014

Page 29: Every second

• According to TrendMicro, cybercriminals unleash a new threat targeting SMBs every second

• Another attraction to cybercriminals is the sheer number of targets

• In the U.S., there are about 23 million SMBs

Page 30: Launch pad for bold intrusions

• Furthermore, criminals increasingly look at SMBs as part of the supply chain of a larger company that they want to raid

• By penetrating an SMB with an established communication path into the larger company, cybercriminals can often bypass much of the larger firm’s more sophisticated security

• The SMB, unknowingly, becomes a kind of Trojan horse

Page 31: Launch pads

• In a frightening example from 2009, China purportedly wanted access to Lockheed Martin but could not breach the company’s walls

• However, by penetrating a smaller defense contractor, they were able to make their way in and steal blueprints for the joint strike fighter planes F-35 and F-22 worth more than $1 trillion

Page 32: LOGICA AND NORDEA BANK MAINFRAME BREACH APRIL 2013

Page 33: Lessons learned

• Bill for the data breach was in the MILLIONS… Investigations aren’t cheap

• And none of those dollars will be used to secure the State’s network

Page 34: But WAIT!!!!!!!!!

• In September of 2013, Gottfrid Svartholm was cleared of hacking into the Swedish bank Nordea because “it was impossible to prove that he had illegally gained access to their mainframe,” even though $990,000 was stolen and even though his conviction for hacking into the bank’s IT provider Logica was upheld.

Page 35: How Facebook Got Hacked

• Does this sound familiar?

• Facebook says it fell victim to a sophisticated attack discovered in January 2013 in which an exploit allowed malware to be installed on employees' laptops

Page 36: But they had Anti-virus?

• Several Facebook employees visited a mobile developer website that was compromised

• The compromised website hosted an exploit that then allowed malware to be installed on these employees' laptops

• The laptops were fully patched and running up-to-date anti-virus software

Page 37: South Carolina D.O.R.

• The hack took over 2 months

• They pilfered the tax returns of 3.8 million state residents and 700,000 businesses going back to 1998, gaining access to the Social Security numbers and bank accounts of the taxpayers and 1.9 million of their dependents

Page 38: So What Can I do?

• “Every man has a plan, until he gets hit!”

Page 39: 1. Understand that we are still vulnerable

• And yet in the face of this very clear danger, we continue to have a lot of open windows and open doors

• Mandiant's latest threat landscape assessment indicates that the median number of days that advanced hackers are on the network before being detected is 243 days

Page 40: 2. Make the effort! Secure it…

• Systems that are unpatched, privileged accounts that are inadequately protected, a reliance on anti-virus alone for security — these are all examples of open windows and doors that allow an attacker to easily 'walk' into our network and take away all that is dear to the business

Page 41: 3. Collaborate

• The only way we can move forward safely and securely is through information sharing

• We don’t have time in the day to research all that is going on in the criminal world

• Think awareness

Page 42: 4. Obtain tools

• Many tools, used by both white hat and black hat hackers, are free (e.g., Live Hacking)

• Others, like Metasploit, are intended for the professional cybercriminal and penetration tester

• Vanguard has tools. We have provided security and security tools for Big Iron for over 25 years.

Page 43: 5. Watch for anomalous behavior

• Anomalous network or system activity often resembles a technology issue rather than attack behavior

• Attacks can come from anywhere, and they do!

• Defense must take this into account, with prevention, detection, and response controls in place

Page 44: 6. Stop ignoring the reality of today’s threats?

• There are probably very few IT and business people who have not heard of the Chinese hackers attacking our systems and stealing valuable business intelligence through APT

Page 45: 7. Train your Management

• Management of controls requires continuous vigilance over the ever-changing threat landscape

• The low cost of the attacks allows anyone with a modicum of skills to effect attacks

• Think: Defense in depth. No Maginot lines

• The attackers can try 1000 different times incorrectly and get it right once; we have to protect all 1000 times correctly

Page 46: 8. Know who to call… And When

Page 47: 9. Watch your network and your systems, closely… Call Vanguard!

Page 48: 10. Remember: You are the last line of Defense! Step Up!

• Understand

• Educate

• Collaborate

• Prepare

Page 49: Thank you