targeted defense for malware & targeted attacks

© 2013 Imperva, Inc. All rights reserved.

Targeted Defense for Malware and Targeted Attacks

Confidential 1

Barry Shteiman Senior Security Strategist


Contents

Confidential 2

§ Compromised Insider §  Incident Analysis § Anatomy of an Attack § Current Controls § Reclaiming Security


Compromised Insider

Confidential 3

Defining the Threat Landscape

© 2013 Imperva, Inc. All rights reserved. Confidential 4

“There are two types of companies: companies that have been breached and companies that don’t know they’ve been breached.” Shawn Henry, Former FBI Executive Assistant Director NY Times, April 2012


Insider Threat Defined

Confidential 5

Risk that the access rights of a trusted person will be used to view, take or modify data or intellectual property.

Possible causes: §  Accident §  Malicious intent §  Compromised device


A person with no malicious motivation who becomes an unknowing accomplice of third parties who gain access to their device and/or user credentials.

6

Compromised Insider Defined

Confidential


Malicious Vs. Compromised Potential

Confidential 7

1% < 100%

Source: http://edocumentsciences.com/defend-against-compromised-insiders


Look Who Made the Headlines

Confidential 8

Hackers steal sensitive data related to a planned 2.4B acquisition.

Hacker stole 4-million Social Security numbers and bank account information from state tax payers and businesses


Know Your Attacker

Confidential 9

Governments •  Stealing Intellectual Property (IP) and raw data, Espionage •  Motivated by: Policy, Politics and Nationalism

Industrialized hackers •  Stealing IP and data •  Motivated by: Profit

Hacktivists •  Exposing IP and data, and compromising the infrastructure •  Motivated by: Political causes, ideology, personal agendas


What Attackers Are After

Confidential 10

Source: Verizon Data Breach Report, 2013


Data & IP

11

Two Paths, One Goal

User with access rights (or his/her

device)

Hacking (various) used in 52% of breaches

Online Application

Malware (40%) Social Engineering (29%)

Servers 54%

Confidential

Users (devices) 71% People 29%

Source: Verizon Data Breach Report, 2013


Incident Analysis

Confidential 12

The South Carolina Data Breach


What Happened?

Confidential 13

4M Individual Records Stolen in a Population of 5M

80%.


A Targeted Database Attack

Confidential 14

12-Sept-12 - 14-Sept-12

Attacker steals the entire database

27-Aug-12

Attacker logs in remotely and accesses the

database

13-Aug-12

Attacker steals login credentials

via phishing email & malware

29-Aug-12 - 11-Sept-12

Additional reconnaissance, more credentials

stolen


The Anatomy of an Attack

How Does It Work

15 Confidential


Anatomy of an Attack

Confidential 16

Spear Phishing



Confidential 17

Spear Phishing

C&C Comm



Confidential 18

Spear Phishing

C&C Comm

Data Dump & Analysis



Confidential 19

Spear Phishing

C&C Comm


Broaden Infection



Confidential 20

Spear Phishing

C&C Comm


Broaden Infection

Main Data Dump


Wipe Evidence


Confidential 21

Spear Phishing

C&C Comm


Broaden Infection

Main Data Dump


Searching on Social Networks…

Confidential 22


…The Results

Confidential 23


Next: Phishing and Malware

Confidential 24

How easy is it?

§ A three-month BlackHole license, with Support included, is US$700

Specialized Frameworks and Hacking tools, such as BlackHole 2.0, allow easy setup for Host Hijacking and Phishing.


Drive-by Downloads Are Another Route

Confidential 25

September 2012 “iPhone 5 Images Leak” was caused by a Trojan Download Drive-By


Cross Site Scripting Is Yet Another Path

Confidential 26

Persistent XSS Vulnerable Sites provide the Infection Platform

GMAIL, June 2012

TUMBLR, July 2012


The Human Behavior Factor

Confidential 27

Source: Google Research Paper “Alice in Warningland”, July 2013


Current Controls

Confidential 28

Won’t the NGFW/IPS/AV Stop It?


What Are the Experts Saying?

Confidential 29

“Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”

Mikko Hypponen, F-Secure, Chief Research Officer Source: http://www.wired.com/threatlevel/2012/06/internet-security-fail/


Security Threats Have Evolved…

Confidential 30

2013 2001

AntiVirus Firewall IPS

AntiVirus Firewall IPS

Sources: Gartner, Imperva analysis


Security Redefined

Confidential 31

Forward Thinking


The DISA Angle

Confidential 32

“In the past, we’ve all been about protecting our networks—firewall here, firewall there, firewall within a service, firewall within an organization, firewalls within DISA. We’ve got to remove those and go to protecting the data” Lt. Gen. Ronnie Hawkins JR – DISA. AFCEA, July 2012


Rebalance Your Security Portfolio

Confidential 33


Assume You Can Be Breached

Confidential 34


Incident Response Phases for Targeted Attacks

Confidential 35

Reduce Risk

Prevent Compromise

Detection

Containment

Insulate sensitive data

Password Remediation

Device Remediation

Post-incident Analysis

Size Up the Target

Compromise A User

Initial Exploration

Solidify Presence

Impersonate Privileged User

Steal Confidential Data

Cover Tracks


www.imperva.com

36 Confidential

targeted defense for malware & targeted attacks

Technology

access rights

data ip

raw data

sensitive data

infection main data

verizon data breach

south carolina data

phishing email malware