© Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL
FROM THE CYBER TRENCHES
LESSONS LEARNED FROM INVESTIGATING TARGETED ATTACKS
Jeroen Herlaar
Director Security Consulting Services BeNeLux & Nordics
+31 6 24 255 472
ABOUT MANDIANT
FOUNDED: 2004
EMPLOYEES: 2500+
COUNTRIES: 40+
FIREEYE: 2014
RESPOND / ASSESS / TRANSFORM
ABOUT MANDIANT
RESPOND / ASSESS / TRANSFORM
AM I VULNERABLE?
AM I COMPROMISED?
AM I PREPARED?
I AM BREACHED!
AM I PREPARED?
- INCIDENT RESPONSE
- INCIDENT RESPONSE RETAINER
- COMPROMISE ASSESSMENT
- VULNERABILITY ASSESSMENT
- RESPONSE READINESS ASSESSMENT
- SECURITY PROGRAM ASSESSMENT
- CYBER DEFENSE CENTER DEVELOPMENT
ABOUT MANDIANT
2014 NUMBERS
229 / ~17.144 / 467.234 / >2M / 13
BREACH INVESTIGATIONS
WHAT HAPPENED?
PICTURE THIS
75.000
WHAT HAPPENED?
INITIAL COMPROMISE → CREDENTIAL HARVESTING → LATERAL MOVEMENT → DATA EXFILTRATION
REMOTE ACCESS
WHAT HAPPENED?
205 / 67 / 100 / 3.5M
WHAT HAPPENED?
2982
ASSUMPTION: UNFETTERED ACCESS
- Attacker has domain administrator privileges
- Attacker has hashes or cracked passwords for all domain accounts
- Attacker has additional stolen credentials
- Attacker can freely move:
  - VPN to servers
  - VPN to workstations
  - Host-to-host
- Partner networks may be compromised
WHAT HAPPENED?
INITIAL COMPROMISE → CREDENTIAL HARVESTING → LATERAL MOVEMENT → DATA EXFILTRATION
REMOTE ACCESS
EVIDENCE OF COMPROMISE
- Unauthorized Use of Valid Accounts
- Known & Unknown Malware
- Command & Control Activity
- Suspicious Network Traffic
- Files Accessed by Attackers
- Valid Programs Used for Evil Purposes
- Trace Evidence & Partial Files
WHAT HAPPENED?
DEEP DIVE ✓ / SCALE ✓ / SPEED ✓
WHAT DID WE SEE IN 2014?
YEAR 2014 IN REVIEW
TAKE AWAYS
SO WHAT DO WE DO
YEAR 2014 IN REVIEW
17% BUSINESS & PROFESSIONAL SERVICES
14% RETAIL
8% MEDIA & ENTERTAINMENT
7% GOVERNMENT & INTERNATIONAL ORGANIZATIONS
6% HEALTHCARE
TAKEN FROM M-TRENDS 2015 REPORT
YEAR 2014 IN REVIEW
YEAR 2014 IN REVIEW
China: “PLA Unit 61398”
Russia: “APT 28, Russians are back”
Iran
Syria: “Behind the Syrian Conflict’s Digital Frontlines”
North Korea
YEAR 2014 IN REVIEW
China: “PLA Unit 61398”
Russia: “APT 28, Russians are back”
Iran
Syria: “Behind the Syrian Conflict’s Digital Frontlines”
USA
UK
North Korea
YEAR 2014 IN REVIEW
ATTACK VECTORS: APT 28 EXAMPLE
ATTACK VECTORS: APT 30 EXAMPLE
ATTACK VECTORS: MOBILE EXAMPLE
2014 TAKE AWAYS
- IF YOUR NETWORK CAN BE COMPROMISED, IT WILL BE COMPROMISED
- THERE EXIST FEW RISKS OR REPERCUSSIONS FOR THE ATTACKERS
- CYBER SPACE IS AN ASYMMETRICAL THEATRE
- ATTRIBUTION AND THREAT INTELLIGENCE MORE IMPORTANT
- CYBERCRIME TRADECRAFT IMPROVED DRASTICALLY
- DISCLOSURE MORE PROBABLE
- SECURITY POVERTY LINE EXISTS
REDEFINE THE WIN
- ELIMINATE THE CONSEQUENCES OF CYBER ATTACKS
- RISK APPETITE
- TURN SECURITY INCIDENT INTO A 10 MINUTE PROBLEM
WHAT CAN WE EXPECT NEXT?
WHAT CAN WE EXPECT NEXT?
- More destructive attacks?
- Attribution will be more important
- Counter forensics will improve
- Attacks will align with conflicts
- More threat actors will emerge
- More government involvement
- A return to standards for non-regulated industries
- More reliance on the cloud
- More active defense (hunting)
Q&A
“QUESTIONS NOW ALLOWED, ANSWERS NOT GUARANTEED”
WHERE TO CALL IN CASE OF INCIDENT?
INTERNATIONAL: + 1 703 996 3012
THE END