targeted attacks

Confidential1 © 2013 Imperva, Inc. All rights reserved.

Targeted Attacks

Barry ShteimanDirector of Security Strategy

© 2013 Imperva, Inc. All rights reserved. Confidential

Agenda

2

Compromised Insider Incident Analysis Anatomy of an Attack Current Controls Reclaiming Security


Today’s Speaker - Barry Shteiman

3

Director of Security Strategy Security Researcher working

with the CTO office Author of several application

security tools, including HULK Open source security projects

code contributor CISSP Twitter @bshteiman


Compromised Insider

4

Defining the Threat Landscape

© 2013 Imperva, Inc. All rights reserved. Confidential5

“There are two types of companies: companies that have been breached and companies that don’t know they’ve been breached.”

Shawn Henry, Former FBI Executive Assistant Director NY Times, April 2012


Insider Threat Defined

Risk that the access rights of a trusted person will be used to view, take or modify data or intellectual property.

Possible causes: Accident

Malicious intent

Compromised device


A person with no malicious motivation who becomes an unknowing accomplice of third parties who gain access to their device and/or user credentials.

7

Compromised Insider Defined


Malicious vs Compromised Potential

1% < 100%

Source: http://edocumentsciences.com/defend-against-compromised-insiders


Look who made the headlines

Hackers steal sensitive data related to a planned 2.4B acquisition.

Hacker stole 4-million Social Security numbers and bank account information from state tax payers and businesses

Confidential© 2013 Imperva, Inc. All rights reserved.

Evaluating Magnitude

10

Source: Verizon Data Breach Report, 2013

California 2012 Data Breach Report:

• More than half of the breaches were the result of intentional intrusions by outsiders or by unauthorized insiders.

Source: State of California Department of Justice, July 2013


Know your Attacker

Governments• Stealing Intellectual Property (IP) and raw data, Espionage• Motivated by: Policy, Politics and Nationalism

Industrialized hackers• Stealing IP and data• Motivated by: Profit

Hacktivists• Exposing IP and data, and compromising the infrastructure• Motivated by: Political causes, ideology, personal agendas


What Attackers Are After

12



Data & IP

13

Two Paths, One Goal

User with access rights (or his/her

device)

Hacking (various) used in 52% of breaches

Online Application

Malware (40%)Social Engineering

(29%)


Servers 54%Users (devices) 71%

People 29%


Incident Analysis

14

The South Carolina Data Breach


What Happened?

4M Individual Records Stolen in a Population of 5M

80%.


A Targeted Database Attack

12-Sept-12 -14-Sept-12

Attacker steals the entire database

27-Aug-12

Attacker logs in remotely and accesses the

database

13-Aug-12

Attacker steals login credentials

via phishing email & malware

29-Aug-12 -11-Sept-12

Additional reconnaissance, more credentials

stolen


The Anatomy of an Attack

How does it work

17


Anatomy of an Attack

Spear Phishing



Spear Phishing

C&C Comm



Spear Phishing

C&C Comm

Data Dump & Analysis



Spear Phishing

C&C Comm


Broaden Infection



Spear Phishing

C&C Comm


Broaden Infection

Main Data Dump


Wipe Evidence


Spear Phishing

C&C Comm


Broaden Infection

Main Data Dump


Searching on Social Networks…


…The Results


Next: Phishing and Malware

How easy is it? A three-month BlackHole license,

with Support included, is US$700

Specialized Frameworks and Hacking tools, such as BlackHole 2.0, allow easy setup for Host Hijacking and Phishing.


Drive-by Downloads Are Another Route

September 2012 “iPhone 5 Images Leak” was caused by a Trojan Download Drive-By


Cross Site Scripting Is Yet Another Path

Persistent XSS Vulnerable Sites provide the Infection Platform

GMAIL, June 2012

TUMBLR, July 2012


The Human Behavior Factor

29

Source: Google Research Paper “Alice in Warningland”, July 2013


Current Controls

Wont the NGFW/IPS/AV Stop It?


What Are the Experts Saying?

“Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”

Mikko Hypponen, F-Secure, Chief Research Officer

Source: http://www.wired.com/threatlevel/2012/06/internet-security-fail/

http://www.wired.com/threatlevel/2012/06/internet-security-fail/


Security Threats Have Evolved…

Sources: Gartner, Imperva analysis

32

20132001

AntiVirusFirewallIPS

AntiVirusFirewallIPS


Security Redefined

33

Forward Thinking


The DISA Angle

34

“In the past, we’ve all been about protecting our networks—firewall here, firewall there, firewall within a service, firewall within an organization, firewalls within DISA. We’ve got to remove those and go to protecting the data”

Lt. Gen. Ronnie Hawkins JR – DISA.AFCEA, July 2012


Rebalance Your Security Portfolio


Assume You Can Be Breached

36


Incident Response Phases for Targeted Attacks

37

Reduce Risk

Prevent Compromise

Detection

Containment

Insulate sensitive data

Password Remediation

Device Remediation

Post-incident Analysis

Size Up the Target

Compromise A User

Initial Exploration

Solidify Presence

Impersonate Privileged User

Steal Confidential Data

Cover Tracks


Post-Webinar Discussions

Answers to Attendee

Questions

Webinar Recording Link Join Group

Join Imperva LinkedIn Group,Imperva Data Security Direct, for…

Webinar Materials

38


Questions?

39

www.imperva.com


Thank You!

40

targeted attacks

Technology

access rights

raw data

data ipsource

sensitive data

data dump analysisconfidential

verizon data breach

south carolina data

attackspear phishing19cc