Targeted Defense for Malware & Targeted Attacks
DESCRIPTION
Sophisticated attacks leverage social engineering techniques and malware to compromise individuals who are already on the inside of your enterprise, and then steal your data. By targeting your trusted employees, attackers can circumvent conventional defenses like firewalls and IPS solutions to penetrate your network and compromise your data center. This presentation will examine why attackers looking to steal sensitive data target your data center; explain how targeted attacks, often using spear phishing and malware, consistently defy perimeter and endpoint defenses; and present an eight-step incident response model to help prevent, detect, and respond to targeted attacks.
TRANSCRIPT
© 2013 Imperva, Inc. All rights reserved.
Targeted Defense for Malware and Targeted Attacks
Confidential 1
Barry Shteiman, Senior Security Strategist
Contents
§ Compromised Insider
§ Incident Analysis
§ Anatomy of an Attack
§ Current Controls
§ Reclaiming Security
Compromised Insider
Defining the Threat Landscape
“There are two types of companies: companies that have been breached and companies that don’t know they’ve been breached.”
Shawn Henry, Former FBI Executive Assistant Director, NY Times, April 2012
Insider Threat Defined
The risk that the access rights of a trusted person will be used to view, take or modify data or intellectual property.
Possible causes:
§ Accident
§ Malicious intent
§ Compromised device
Compromised Insider Defined
A person with no malicious motivation who becomes an unknowing accomplice of third parties who gain access to their device and/or user credentials.
Malicious Vs. Compromised Potential
1% < 100%
Source: http://edocumentsciences.com/defend-against-compromised-insiders
Look Who Made the Headlines
Hackers steal sensitive data related to a planned 2.4B acquisition.
Hacker stole 4 million Social Security numbers and bank account information from state taxpayers and businesses.
Know Your Attacker
Governments
• Stealing intellectual property (IP) and raw data; espionage
• Motivated by: policy, politics and nationalism
Industrialized hackers
• Stealing IP and data
• Motivated by: profit
Hacktivists
• Exposing IP and data, and compromising the infrastructure
• Motivated by: political causes, ideology, personal agendas
What Attackers Are After
Source: Verizon Data Breach Report, 2013
Two Paths, One Goal
[Diagram: two attack paths converge on Data & IP. Path 1 goes through the user with access rights (or his/her device), reached by Malware (40%) and Social Engineering (29%). Path 2 goes through the online application, reached by Hacking (various), used in 52% of breaches. Figures on the diagram: Servers 54%, Users (devices) 71%, People 29%.]
Source: Verizon Data Breach Report, 2013
Incident Analysis
The South Carolina Data Breach
What Happened?
4M individual records stolen in a population of 5M (80%).
A Targeted Database Attack
13-Aug-12: Attacker steals login credentials via phishing email & malware
27-Aug-12: Attacker logs in remotely and accesses the database
29-Aug-12 to 11-Sept-12: Additional reconnaissance, more credentials stolen
12-Sept-12 to 14-Sept-12: Attacker steals the entire database
The Anatomy of an Attack: How Does It Work?
Anatomy of an Attack
1. Spear Phishing
2. C&C Comm
3. Data Dump & Analysis
4. Broaden Infection
5. Main Data Dump
6. Wipe Evidence
Searching on Social Networks…
…The Results
Next: Phishing and Malware
How easy is it?
Specialized frameworks and hacking tools, such as BlackHole 2.0, allow easy setup for host hijacking and phishing.
§ A three-month BlackHole license, with support included, is US$700
Drive-by Downloads Are Another Route
The September 2012 “iPhone 5 Images Leak” was caused by a drive-by Trojan download.
Cross Site Scripting Is Yet Another Path
Sites with persistent XSS vulnerabilities provide the infection platform:
GMAIL, June 2012
TUMBLR, July 2012
The Human Behavior Factor
Source: Google Research Paper “Alice in Warningland”, July 2013
Current Controls
Won’t the NGFW/IPS/AV Stop It?
What Are the Experts Saying?
“Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”
Mikko Hypponen, Chief Research Officer, F-Secure
Source: http://www.wired.com/threatlevel/2012/06/internet-security-fail/
Security Threats Have Evolved…
[Chart: security controls in 2001 versus 2013. Both years show the same three controls: AntiVirus, Firewall, IPS.]
Sources: Gartner, Imperva analysis
Security Redefined
Forward Thinking
The DISA Angle
“In the past, we’ve all been about protecting our networks—firewall here, firewall there, firewall within a service, firewall within an organization, firewalls within DISA. We’ve got to remove those and go to protecting the data.”
Lt. Gen. Ronnie Hawkins Jr., DISA. AFCEA, July 2012
Rebalance Your Security Portfolio
Assume You Can Be Breached
Incident Response Phases for Targeted Attacks
Defender phases:
1. Reduce Risk
2. Prevent Compromise
3. Detection
4. Containment
5. Insulate sensitive data
6. Password Remediation
7. Device Remediation
8. Post-incident Analysis
Attacker phases:
1. Size Up the Target
2. Compromise a User
3. Initial Exploration
4. Solidify Presence
5. Impersonate Privileged User
6. Steal Confidential Data
7. Cover Tracks
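As an added example that is not part of the Imperva deck, the script below illustrates the Detection phase against the pattern shown in the South Carolina timeline: a legitimate credential used from a never-before-seen remote source, and then a bulk read of the whole table. The audit log format, the user name, the addresses and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed database audit log (hypothetical format: timestamp, user, source, rows returned).
# The dates echo the timeline in the deck; the user and addresses are invented.
SAMPLE_LOG = """\
2012-08-20T09:12:01 user=jdoe src=10.1.4.22 rows=120
2012-08-21T10:03:44 user=jdoe src=10.1.4.22 rows=95
2012-08-27T22:41:09 user=jdoe src=203.0.113.7 rows=140
2012-09-12T02:15:30 user=jdoe src=203.0.113.7 rows=3900000
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) rows=(\d+)$")


def parse(log_text):
    """Turn audit lines into (timestamp, user, source, rows) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, src, rows = m.groups()
            events.append((datetime.fromisoformat(ts), user, src, int(rows)))
    return events


def find_anomalies(events, row_factor=10, off_hours=(22, 6)):
    """Compare each event with the user's own history so far and flag:
    a source address the user has never used, a result set more than
    row_factor times the user's previous maximum, or off-hours access.
    Returns a list of (iso_timestamp, user, [reasons])."""
    seen_src = defaultdict(set)   # user -> source addresses seen before
    max_rows = defaultdict(int)   # user -> largest result set seen before
    alerts = []
    for ts, user, src, rows in sorted(events):
        reasons = []
        if seen_src[user] and src not in seen_src[user]:
            reasons.append("new source %s" % src)
        if max_rows[user] and rows > row_factor * max_rows[user]:
            reasons.append("bulk read %d rows" % rows)
        start, end = off_hours
        if ts.hour >= start or ts.hour < end:
            reasons.append("off-hours")
        if reasons:
            alerts.append((ts.isoformat(), user, reasons))
        seen_src[user].add(src)           # update history after checking
        max_rows[user] = max(max_rows[user], rows)
    return alerts
```

Run on the constructed log, the 27-Aug remote login is flagged for the new source and off-hours access, and the 12-Sept event is flagged as a bulk read; the two baseline logins raise nothing.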
www.imperva.com