RSA@NYTHUN 2017 · 1/17/2017
Dell EMC Technology Forum
Top Enterprise Risks
Cyber attacks are real and growing
Cybercrime & Espionage*: High anonymity; low attribution
[Timeline, 2004 to 2015, of attacks on industry and attacks on government. Threat groups, campaigns and malware named on the slide (their placement on the timeline is not recoverable from the extracted text): APT1, Taidoor, Comodo, Black Tulip, Nitro, IMF, RSA, Lockheed Martin, GhostNet, Nortel, State Dept., US Naval War College, Commerce Secretary, Estonia, Putter Panda, Boleto, Backoff, Carbanak, Desert Falcons, Safe, GOZ, Dark Seoul, Comment Panda, Olympic Games, Flame, Gauss, Stuxnet, Shamoon, US Investigations Services, Red October, Los Alamos, Oak Ridge, Night Dragon, PLA Unit 61398, Aurora, Anunak, US Transport Command, Equation Group, Shady RAT, VOHO, Shell Crew, Vixen Panda, Grey Goose, Arachnophobia, Moonlight Maze, Titan Rain, Solar Sunrise, Buckshot Yankee, Ababil, Duqu, Australian Mining, Dragonfly, Op. Pawn Storm, Shylock, Pitty Tiger, Regin]
*Many of these threat actor activities and campaigns are ongoing, often collaborating and working with each other, sharing registrant information, malware, C2 domains, servers and general attack infrastructure. Dates represent threat groups and malware variants based on dates of information published by the security industry, with thousands of organizations impacted.
Threat Landscape
VERIZON 2016 DATA BREACH INVESTIGATIONS REPORT
Attackers are outpacing defenders
[Chart, "Attacker Capabilities" vs. "Time to Discovery": percent of breaches where time to compromise (red) / time to discovery (blue) was days or less, by year 2006 to 2015; y-axis 25% to 100%]
© Copyright 2015 EMC Corporation. Confidential and Proprietary. NDA Required
Defender’s Challenges
Existing strategies & controls are failing
Attackers are becoming more sophisticated
The attack surface is expanding
Tools & processes must adapt to today’s threats
Teams need to increase experience & efficiency
Security teams need comprehensive visibility from endpoint to cloud
Blind Spots in Threat Detection & Response
ONLY 24% Have Visibility into Attacks
ONLY 8% Can Quickly Detect Attacks
ONLY 11% Can Quickly Investigate Attacks
*Attacks = Multiple Incidents, Campaigns.
RSA Threat Detection Effectiveness Survey, February 2016
Evolution of Threat Actors & Detection Implications
At first, there were HACKS: preventative controls filter known attack paths
[Diagram: malicious traffic from threat actors passes through Firewall, IDS/IPS and AntiVirus toward Corporate Assets; the whitespace between those controls is where successful HACKS land]
Evolution of Threat Actors & Detection Implications
Then, ATTACKS: despite increased investment in controls, including SIEM
[Diagram: malicious traffic from threat actors passes through Firewall, IDS/IPS and AntiVirus toward Corporate Assets; each control reports blocked sessions and more logs into a SIEM, which raises alerts; the whitespace between the controls is where successful ATTACKS land]
Evolution of Threat Actors & Detection Implications
Now, successful ATTACK CAMPAIGNS target any and all whitespace. Complete visibility into every process and network session is required to eradicate the attacker opportunity.
Unified platform for advanced threat detection & investigations
[Diagram: malicious traffic from threat actors passes through Firewall, IDS/IPS and AntiVirus (blocked sessions, alerts) toward Corporate Assets; Logs, Endpoint Visibility (every process) and Network Visibility (network sessions) together provide Full Visibility]
Evolving Fraud Threat Landscape
Fraud: Attacks Designed to Defeat Traditional Defenses
Web Threat Landscape
Across the web session (Begin Session, Login, Transaction, Logout):
• Layer 7 DDoS Attacks
• Man in the Middle/Browser
• Password Cracking/Guessing
• Parameter Injection
• New Account Registration Fraud
• Advanced Malware (e.g. Trojans)
• Account Takeover
• Promotion Abuse
• Unauthorized Account Activity
• Fraudulent Money Movement
In the Wild:
• Phishing
• Rogue Mobile App
• Site Scraping
• Vulnerability Probing
TTP: Tactics, Techniques, Procedures
How attackers work to target, compromise, and exploit your organization
THREAT ACTORS AND OBJECTIVES
[Diagram: threat actors (Criminals, Nation States, Hacktivists) mapped to objectives ($, IP, PII)]
STAGE 1: ESTABLISH FOOTHOLD
Probe external servers and apps for vulnerabilities
• Develop exploit
• Install webshell or other remote access mechanism
(Spear-) Phish users
• Obtain credentials
• Deliver malware to obtain remote access (RATs, etc.)
KEY POINTS: STAGE 1
• Relying on prevention is futile
– Multiple methods for attackers to find initial foothold
• Not all attacks start with malware; identity is an attack vector
• Opportunities for early detection are limited
– Lots of noise in data on external systems
– Up-to-date threat intel can help
• Opportunities exist to make attackers’ jobs harder
– Patch vulnerabilities, especially those with known exploits
– User education
– Make their intelligence gathering more difficult
STAGE 2: ENTRENCH, EXPAND, EXPLORE
• Dump local credentials
• Install malware
  • Keyloggers, RATs
• Download cracking tools
• Control more machines, accounts
  • Privileged Accounts: esp. IT, Admin
  • Domain Controllers, E-mail servers
• Map network
• Copy directory listings
• Dump databases
• Dump emails
• Expand access methods
  • VPN, RDP, Proxy
KEY POINTS: STAGE 2
• Attackers move very quickly once they gain access
– Speed of detection and remediation are key
• Many more opportunities for detection
– Visibility to spot attacker activity is essential: network traffic, endpoint compromise, elevation of privilege, anomalous Admin activity
• Need to be able to connect attacker activity
– Addressing disconnected alerts will not disrupt attacks
• Opportunities exist to make attackers’ jobs harder
– Strong authentication
– Network segmentation
STAGE 3: EXFILTRATE, MAINTAIN
• Aggregate and stage data
• Obfuscate to avoid detection
• Exfiltrate data
  • http / https, SSH, FTP, email
  • Use of Dyn DNS services to rotate drop zones
• Periodically return to:
  • Update malware
  • Grab new data (keylogs, emails, data)
• Option to use your infrastructure to launch other attacks
KEY POINTS: STAGE 3
• Egress monitoring / visibility is essential
– What is leaving your network and why?
– Tools like DLP that search for un-altered data will not spot or stop exfiltration
• Detection will become harder as entrenched attackers switch to maintenance mode and cover their tracks
– Have a greater ability to blend in
• Remediation once attackers reach this point is very complex
• If expelled at this point, most attackers will actively seek to return
– They will up their game
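The Stage 2 point that disconnected alerts will not disrupt an attack, and the Stage 3 point that staged exfiltration is what an entrenched attacker eventually shows on the egress path, are illustrated by the following Python, which is an added example and not part of the original deck. It groups constructed sample alerts from log, endpoint and network sensors by host and reports only hosts whose alerts span at least two of the talk's three stages inside a dwell window; the alert type names and sensor labels are assumptions, not the output of any product.

```python
"""Connect per-sensor alerts into a per-host attack timeline (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed alert types, mapped onto the deck's three stages:
# 1 = establish foothold, 2 = entrench/expand/explore, 3 = exfiltrate/maintain.
STAGE_OF = {
    "phish_attachment_opened": 1, "webshell_dropped": 1,
    "credential_dump": 2, "new_admin_logon": 2, "rdp_lateral": 2,
    "archive_staged": 3, "large_egress_dyndns": 3,
}

# Constructed sample alerts, not real telemetry: (time, host, alert type, sensor).
SAMPLE_ALERTS = [
    ("2017-01-17 09:02", "ws-14", "phish_attachment_opened", "endpoint"),
    ("2017-01-17 09:40", "ws-14", "credential_dump", "endpoint"),
    ("2017-01-17 10:05", "ws-14", "rdp_lateral", "network"),
    ("2017-01-17 23:30", "ws-14", "large_egress_dyndns", "network"),
    ("2017-01-17 11:15", "ws-27", "new_admin_logon", "log"),  # one stage: noise
    ("2017-01-02 08:00", "ws-31", "phish_attachment_opened", "endpoint"),
    ("2017-01-20 08:00", "ws-31", "large_egress_dyndns", "network"),  # too far apart
]


def correlate(alerts, window=timedelta(hours=48)):
    """Return {host: campaign} for hosts whose alerts cover >= 2 stages
    within `window` of an anchor alert; single-stage hosts are left out."""
    by_host = defaultdict(list)
    for ts, host, kind, sensor in alerts:
        by_host[host].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), kind, sensor))
    campaigns = {}
    for host, events in by_host.items():
        events.sort()
        # Slide a window over the host's alerts; report at the first anchor
        # whose window links activity from more than one stage.
        for i, (t0, _, _) in enumerate(events):
            chain = [e for e in events[i:] if e[0] - t0 <= window]
            stages = sorted({STAGE_OF[k] for _, k, _ in chain})
            if len(stages) >= 2:
                campaigns[host] = {
                    "stages": stages,
                    "timeline": [(t.strftime("%H:%M"), k, s) for t, k, s in chain],
                    "dwell_hours": round((chain[-1][0] - t0).total_seconds() / 3600, 1),
                }
                break
    return campaigns


if __name__ == "__main__":
    for host, c in correlate(SAMPLE_ALERTS).items():
        print(host, c["stages"], f"{c['dwell_hours']}h", c["timeline"])
```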
CONCLUSIONS
• Know your enemy, be prepared
• Compromise is inevitable
– Goal should be to detect and respond to attacks to minimize loss and damage
– Limit attacker free time inside your network
• Tools that provide visibility / forensic data are essential for detection and response
– Logs, Packets, Endpoint, Threat Intelligence
– Ability to spot anomalous / suspicious activity and investigate
– Ability to pivot and see the whole picture of the attack
• Experienced responders are required
– In-house or on-call
People & Process
NIST Incident Phase / RSA Best Practices (sample)
Preparation
• Staffing Model & Shift Transition; Roles & Responsibilities
• Business Alignment & Risk Alignment
• Incident Prevention Planning
• Security Controls Implementation & Monitoring
Detection & Analysis
• Categorization & prioritization of Incident types
• Content, Analytic & Threat Intelligence; Malware Analysis
• L1, L2 & L3 SOPs; Incident Handling Workflow automation
• Generation of Alerts, Watchlists, Notifications and Reports
Containment, Eradication & Recovery
• Proactive remediation and breaking the “kill-chain”
• Accumulation and protection of evidence and forensic data
• C-level Escalation and cross functional Rules of Engagement
• 3rd Party stakeholders, incl. Law Enforcement
Post Incident Activity
• Updated Incident Metrics, Breach Reporting and Disclosure
• Systems Hardening; Updated Threat and Risk Profile
• Evidence Retention; attribution and hacker prosecution
• Lessons Learned and Training
Reference: NIST Computer Security Incident Handling Guide & RSA Best Practices
Resource Shift Needed: Budgets & People
Today’s Priorities: Prevention 80%, Monitoring 15%, Response 5%
Future Requirements: Prevention 33%, Monitoring 33%, Response 33%