apt - the threat that keeps on giving
TRANSCRIPT
Copyright © 2014 EiQ Networks, Inc. All rights reserved.
Chris Schweigert – Director of SOCVue Security Operations
MSIA, CISSP, GSNA, OSCE, SFCP, CCNP-Security, SFCSE, CCDA, CMNA, ITIL v3
APT: The threat that keeps on giving
Attention grabber
Verizon DBIR 2014
Attention grabber
"The Chinese have penetrated every major corporation of any consequence in the United States and taken information," he said. "We've never, ever not found Chinese malware."
– Ex-NSA Director Mike McConnell (March 12, 2015)
Verizon DBIR 2014
Agenda
• APT Life Cycle
• Areas of focus for Defense and Response
• Strategies for recovering from an APT Attack
APT Life Cycle
• Phase 1 Reconnaissance
• Phase 2 Social Engineering
• Phase 3 Initial exploitation attempt
• Phase 4 Establishing a Presence
• Phase 5 Pivoting
• Phase 6 Data Exfiltration
• Phase 7 Maintaining Persistence
Reconnaissance
• Collecting enough data to start building your attack
– Tools: TheHarvester, Maltego, Nmap, unicornscan, MetaSploit
– Techniques
• Looking at online content (Facebook, LinkedIn, Twitter)
• Dumpster Diving
• USB Drops
Social Engineering
www.social-engineer.org
Initial Exploitation Attempts
• Extensive Research
– Attempt to mimic the environment they will attack
– Extensive vulnerability research
• Testing
– Develop zero-day exploits that have a higher likelihood of subverting the security controls the attacker believes are in place
• Attempting the attack
Establishing a Presence
Information Gathering
Social Engineering
Exploitation Attempts
Pivoting
Data Exfiltration
• Getting data out as soon as possible, without being caught.
– Is there egress filtering on their firewalls?
– Are ports 80 and 443 wide open outbound?
– Can you identify anomalous outbound traffic?
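The three questions above (egress filtering, open web ports, anomalous outbound traffic) are really one detection problem: most exfiltration rides on 80/443 precisely because those ports are allowed, so a port rule alone will not catch it. The following is an added example, not code from the EiQ deck or its products; it builds a per-host baseline from constructed flow records (median bytes out and the set of destination/port pairs seen) and then flags observed flows that leave on a non-web port, go to a destination the host has never used, or exceed a multiple of that host's normal volume. The flow-record shape, the IP addresses and the 10x volume factor are all assumptions made for the example.

```python
"""Added example (not from the EiQ slides): flag anomalous outbound traffic
from flow records by comparing each internal host against its own baseline.

Assumptions (all constructed for this example): flow records are dicts with
src host, dst IP, dst port and bytes_out; a baseline window of "normal" flows
is available per host. Real deployments would feed firewall/NetFlow exports."""
from collections import defaultdict
from statistics import median

# Constructed baseline: what each host normally sends out on 80/443.
BASELINE_FLOWS = [
    {"src": "10.0.1.20", "dst": "93.184.216.34", "dport": 443, "bytes_out": 2_100},
    {"src": "10.0.1.20", "dst": "93.184.216.34", "dport": 443, "bytes_out": 1_800},
    {"src": "10.0.1.20", "dst": "151.101.1.69", "dport": 80, "bytes_out": 900},
    {"src": "10.0.1.20", "dst": "151.101.1.69", "dport": 80, "bytes_out": 1_200},
    {"src": "10.0.1.21", "dst": "93.184.216.34", "dport": 443, "bytes_out": 3_000},
    {"src": "10.0.1.21", "dst": "151.101.1.69", "dport": 443, "bytes_out": 2_500},
    {"src": "10.0.1.21", "dst": "93.184.216.34", "dport": 443, "bytes_out": 2_700},
]

# Constructed observation window: one host pushes far more than usual to a
# destination it has never talked to, over 443 so a port-only rule passes it;
# another host leaves on a non-web port.
OBSERVED_FLOWS = [
    {"src": "10.0.1.20", "dst": "93.184.216.34", "dport": 443, "bytes_out": 2_000},
    {"src": "10.0.1.20", "dst": "203.0.113.77", "dport": 443, "bytes_out": 48_000_000},
    {"src": "10.0.1.21", "dst": "151.101.1.69", "dport": 443, "bytes_out": 2_400},
    {"src": "10.0.1.21", "dst": "93.184.216.34", "dport": 22, "bytes_out": 500},
]


def build_baseline(flows):
    """Per host: median bytes_out per flow and the set of (dst, dport) seen."""
    sizes = defaultdict(list)
    peers = defaultdict(set)
    for f in flows:
        sizes[f["src"]].append(f["bytes_out"])
        peers[f["src"]].add((f["dst"], f["dport"]))
    return {h: {"median": median(sizes[h]), "peers": peers[h]} for h in sizes}


def find_anomalies(flows, baseline, volume_factor=10, allowed_ports=(80, 443)):
    """Return one alert dict per flow that deviates from its host's baseline."""
    alerts = []
    for f in flows:
        host = baseline.get(f["src"])
        reasons = []
        if f["dport"] not in allowed_ports:
            reasons.append(f"egress on non-web port {f['dport']}")
        if host is None:
            reasons.append("host has no baseline")
        else:
            if (f["dst"], f["dport"]) not in host["peers"]:
                reasons.append("new destination not in baseline")
            if f["bytes_out"] > volume_factor * host["median"]:
                reasons.append(
                    f"volume {f['bytes_out']} > {volume_factor}x median {host['median']:.0f}"
                )
        if reasons:
            alerts.append({"src": f["src"], "dst": f["dst"],
                           "dport": f["dport"], "reasons": reasons})
    return alerts


def run():
    """Baseline the constructed history, then score the observed window."""
    return find_anomalies(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for a in run():
        print(f"{a['src']} -> {a['dst']}:{a['dport']}: {'; '.join(a['reasons'])}")
```

Two of the four observed flows are flagged: the 48 MB push to a never-seen address over 443, which port filtering alone would have allowed, and the port 22 connection, which an egress policy should have blocked outright. The baseline is deliberately per host rather than global, since a backup server and a workstation have very different "normal" outbound volumes.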
Persistent Presence
• Attackers may exploit several systems within an environment to use as fallbacks.
• Attackers may not steal information all at one time.
• Several of the steps in the lifecycle of an APT will repeat as they progress towards their goal.
• APT, as the name implies, is a prolonged attack often carried out over months or years.
Defenses
• Monitor key user accounts
• PATCH
• Defensive measures should start with your data!
• Encrypted Data in transit, in use, and at rest?
• Monitor and investigate System changes!
• Assume there is already someone inside your network
• Establish a baseline of your network activity
• The attackers are persistent and the defenses need to be persistent as well.
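Three of the bullets above ("Monitor key user accounts", "Monitor and investigate System changes", "Establish a baseline") fit the same pattern: record what normal looks like, then report every deviation for a human to investigate. The following is an added example, not code from the EiQ deck or its products; it keeps a watch list of key accounts with a per-account baseline of expected hosts and hours, checks constructed logon events against it, and diffs a constructed system-configuration snapshot against its baseline copy. The account names, host names, snapshot keys and working-hour windows are all assumptions made for the example; a real deployment would feed Windows Security or syslog events and a snapshot collected by the monitoring agent.

```python
"""Added example (not from the EiQ slides): watch-list monitoring for key
accounts plus a baseline diff of system configuration, both over constructed
sample data. Real deployments would read Windows Security/syslog events
and a configuration snapshot collected by the SIEM agent."""
from datetime import datetime

# Constructed watch list: accounts whose activity warrants investigation.
WATCH_LIST = {"svc_backup", "da_admin"}

# Constructed baseline of which hosts each key account normally logs on to
# and the local hours in which that is expected.
ACCOUNT_BASELINE = {
    "svc_backup": {"hosts": {"backup01"}, "hours": range(1, 5)},
    "da_admin": {"hosts": {"dc01", "dc02"}, "hours": range(8, 19)},
}

# Constructed logon events: (timestamp, account, host, result)
LOGON_EVENTS = [
    ("2014-06-02T02:10:00", "svc_backup", "backup01", "success"),
    ("2014-06-02T03:15:00", "svc_backup", "fileserver07", "success"),  # unusual host
    ("2014-06-02T10:00:00", "da_admin", "dc01", "success"),
    ("2014-06-02T23:40:00", "da_admin", "dc02", "success"),  # outside hours
    ("2014-06-02T23:41:00", "da_admin", "dc02", "success"),
    ("2014-06-02T11:00:00", "jsmith", "ws-0421", "success"),  # not on watch list
]

# Constructed system snapshots (key -> value) taken at baseline time and now.
BASELINE_SNAPSHOT = {
    "scheduled_task:BackupNightly": "C:\\Tools\\backup.exe",
    "service:Spooler": "auto",
    "local_admins": "Administrator,da_admin",
}
CURRENT_SNAPSHOT = {
    "scheduled_task:BackupNightly": "C:\\Tools\\backup.exe",
    "scheduled_task:Updater": "C:\\Users\\Public\\u.exe",  # new entry
    "service:Spooler": "auto",
    "local_admins": "Administrator,da_admin,svc_backup",  # changed
}


def check_logons(events, watch_list, baseline):
    """Flag successful watch-listed logons from unexpected hosts or hours."""
    findings = []
    for ts, account, host, result in events:
        if account not in watch_list or result != "success":
            continue
        when = datetime.fromisoformat(ts)
        profile = baseline.get(account, {"hosts": set(), "hours": range(0)})
        reasons = []
        if host not in profile["hosts"]:
            reasons.append(f"host {host} not in baseline")
        if when.hour not in profile["hours"]:
            reasons.append(f"logon at {when:%H:%M} outside baseline hours")
        if reasons:
            findings.append((account, host, ts, reasons))
    return findings


def diff_snapshot(baseline, current):
    """Return added, removed and changed keys between two config snapshots."""
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    changed = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


def run():
    """Apply both checks to the constructed data."""
    return (check_logons(LOGON_EVENTS, WATCH_LIST, ACCOUNT_BASELINE),
            diff_snapshot(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT))


if __name__ == "__main__":
    logons, changes = run()
    for account, host, ts, reasons in logons:
        print(f"{ts} {account}@{host}: {'; '.join(reasons)}")
    for kind, keys in changes.items():
        print(f"{kind}: {keys}")
```

On the constructed data this reports the service account appearing on a file server it never touches, two after-hours domain-admin logons, a new scheduled task pointing into a world-writable directory, and an addition to the local administrators group. None of these is proof of compromise on its own; the point of the baseline is that each one is cheap to produce and worth an analyst's look, which is what "monitor and investigate" asks for.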
Response
• Build a Team:
– Define the role and purpose (in terms of scope, resources, skills, contacts, escalation)
– Experienced and skilled full-time members
– Involve cross-functional, multi-disciplinary areas of the organization in the process
• Rules of Engagement:
– Create clearly defined rules of engagement for the incident response team
– Define incidents, handling and escalation to clearly distinguish and prioritize
• Tools/Techniques:
– Invest in technologies that support the collection of information to identify indicators and potential threats (SIEM tools)
– Understand changes in compliance
– Stay current on new threat trends and techniques
Response (cont.)
• Preparedness:
– Practice, Practice, Practice
– Run table-top exercises on an ongoing basis
– Dealing with the press
– Lawyers and law enforcement
– Test your backups
• Effectiveness Metrics:
– Develop usable operational metrics to measure the overall effectiveness
– Consider time-based measurements (How long does it take?)
• IoC Sharing:
– Consider using third-party organizations to foster collaboration.
– Look at industry information exchanges
EiQ SecureVue®
Automates SANS Critical Security Controls
• Continuous Security Intelligence Platform
– SIEM & Log Management
– Security Controls Monitoring
– Configuration Auditing
SOCVue® Security Monitoring Service
• Managed Service
– 24x7 Security Monitoring
– SIEM & Log Management SaaS
– Deployed On-Premises or in Cloud
– Customized alerting, reporting & analysis
• Proactive Security Monitoring
– Security controls monitoring
– Vulnerability detection
– Anomaly Detection
– User Tracking and Watch lists
Please visit www.eiqnetworks.com to learn more
Request a Demo of SecureVue
Request a Free Trial of SOCVue Monitoring Service
Thank You!