2012

Taking Complexity out of Information Security

…allowing you to focus on your business

Advanced Persistent Threats…the external enemy within

Advanced Persistent Threats

The Problem Landscape

APTs: a Hype or Reality

• Google• RSA• Juniper• DuPont• IMF• Lockheed Martin• … 762 companies were

hit during the RSA attack

Regardless of the definition, 99.999% they adhere to the following characteristics:◦ Nature

Targeted attacks Blended Threats (multiple attack vectors) “Low and Slow”

◦ Tactics: Social Engineering, Attacking the user (most of the times) Establishing a foothold (e.g. Remote Access Trojans) Attack Escalation & Metastasis – Access to critical data and services Retaining persistence (different RATs, multiple footholds, etc.)

◦ Results: Data leakage, Sabotage, Fraud…

In essence is the attack method of choice of Professional Attackers

Defining Advanced Persistent Threats (APT)

Advanced Persistent Threats (APT) - An Illustration

Step 1

• Reconnaissance

Step 2

• Initial Intrusion into the Network

Step 3

• Establish a Backdoor into the Network

Step 4

• Obtain User Credentials

• Install Various Utilities

Step 5

• Privilege Escalation

• Attack Escalation

• Metastasis

Step 7

• Maintain Persistence

• Data Exfiltration/Other objectives realization

Internal Users

Web Applications

Data Center

Attacker

Advanced Persistent Threats – Is it a problem?

ORGANIZATIONS MUST LEARN TO LIVE IN A STATE OF COMPROMISE

Companies including utilities, banks and phone carriers would have to spend almost nine times more on cybersecurity to prevent a digital Pearl Harbor…, a Bloomberg Government study found

APT Tops Security Risks to Corporate IP in 2012,

"I'm meeting more CSO's saying 'all I care about is APT…’”

Bruce Schneier, CTO of BT Counterpane

ENCODE Extrusion Testing™:◦ Security Assessment via APT Simulation◦ Running Extrusion Tests from 2003!...8 years of hands-on

experience◦ Proprietary tools and methodologies◦ Attacking “outside-in and inside-out”

Our own Experience on APTS

44%

3%2%2%6%

17%

15%

13%Finance

Automotive

IT

Manufacturing

Services

Telecom

Transportation

Public Sector

Digital Forensics◦ Performed Forensics on

APT cases on various organisations

Why APTs are succeedingBecause Controls fail

“Medieval approach to IT Security” - Building “castles/perimeters” around the network and trying to be “Preventive”

Single “attack vector” controls

“Evolved versions” of ones designed for the 90’s

Reactive approach

Why Controls Fail

While Security Programs are focused in Compliance◦ However: Compliant ≠Secure

And at the same time even Specialized Security Controls are not adequate on their own (or even combined)

“Traditional” Controls fail◦ Firewalls, IPS, Secure Web Gateways, AV/Endpoint Security…◦ They are totally blind, due to a misfit paradigm for APTs

But also “less traditional” ones◦ Data Leak Prevention – Designed for human actions, not for leakages by a

piece of advanced software (malware, Trojans)◦ 24x7 Security Monitoring - “Garbage IN, Garbage OUT”, No Monitoring in

context, Not having the right tools for the job

Advanced Persistent Threats

Addressing APTs

Solving a Problem

One quite clever guy once said that

“if he had one hour to save the world he would spend fifty-five minutes defining the problem and only five minutes finding the solution”

Is it a Malware problem

Is it an adversary problem

Is it a Forensics Problem

Is it a Visibility Problem

Is it a zero-day exploit Problem

Is it a Botnet detection and/or takedown problem

Is it a lack of Security skills problem

Is it a lack of Defense in Depth problem

…

Defining the APT Problem

…the short answer is NO

Each one of them is a piece of the problem, but not the problem!

We believe it is 2-fold problem:

A “Name Problem”

A “Complexity Problem”

Defining the APT Problem

What is the “Name Problem” of APTs

Threat

• Of course and actually a Threat that really matters!• Motive, Opportunity, Capabilities!

Persistent

• For sure…the attacker is committed and persistent • And is here to stay!

Advanced

• …hmmm

Are APTs really Advanced?

ENCODE Extrusion Testing Facts:

Infection vectors used - Total

14%

77%

2%

7%

Browser or other Exploit

Non-exploit (File)

Media-born

Other (VPN, Web App)

Because

they are considered “Advanced” for “traditional” but also for “less traditional” security controls

they are also “Advanced” for “Single-vector” specialized security controls

they are not “advanced enough” for some specialized security controls trying to be “very advanced”, missing KISS APT

organizations (used to) underplay/underestimate the Threat saying “this is too advanced… it won’t happen to us”

Why is “Advanced” the problem

What is the “Complexity Problem” of APTs

Complexity:◦ Complex IT environments & Business process, supporting Business

Agility◦ Complex Threat Landscape◦ Complexity of the Internet

Attackers are taking advantage of this Complexity to achieve their goals, along with the fact that Business must be agile to remain in business!

However to solve a “complexity problem” or a complex problem you have to:◦ Take out complexity, where you can◦ Focus on the parts of the problem that really mater and

solve them

Solving the “Complexity Problem” of APTs

You cannot reduce complexity, at least from every part of your business…period

As Complexity increases the good old “Preventive” controls get less and less effective or impair Business

Nonetheless you have to be “Proactive”

Proactive Security ≠ Preventive Controls alone◦ Early Warning & Response is the “preventive” control of choice

for Complex environments and Threats

You have to focus on APT

Focus on APTIf Early Warning is what we need, let’s think “What cannot be evaded”

Behavior ◦ An IT environment under attack does not behaves as normal◦ Each attack, APT included, has its own signs in behavior change

True Visibility – at all (relevant) Levels◦ Network: Internet Access (incoming/outgoing)◦ Endpoint: System state & Data Access/Use

Expertise – the human factor◦ Encapsulated expertise◦ Expert view and analysis

Advanced Persistent Threats

Conclusion

APT goes mainstream

APTs are becoming the weapon of choice:

from Government and Defense

to companies with Intellectual Property or Critical Infrastructure

to other “high-value” targets◦ Finance◦ …

APT : Targets

“…if professional attackers didn’t use such techniques they should have been sued for negligence…”

is not a matter of What

is not a matter of Who

is a matter of When!

APTs…Revisited

Attorney David Navetta: … but to me a lot of companies might be thinking that breach is not a matter of if, but a matter of when, and that if you are a high enough profile type of target and someone really wants to get after you, they might have a good chance of actually succeeding

www.encodegroup.com_