Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

Upload: lumension
Post on 20-Aug-2015

Page 1: Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

© 2013 Monterey Technology Group Inc.

Page 2: Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

Brought to you by

Speaker Chris Merritt – Director, Solution Marketing

www.lumension.com

Page 3: Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

Preview of Key Points

1. Allowing open attack surfaces without securing configurations

2. Permitting unlocked ports and unfettered device usage

3. Failing to use centralized vulnerability remediation

4. Allowing untrusted software to execute

5. Failing to follow existing security policies/procedures and use at-hand technology consistently

6. Permitting open policies for privileged user authority

7. Not engaging in consistent end-user security awareness

8. Failing to leverage logging and to set up traps

9. Permitting Malware beaconing and exfiltration

Page 4: Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

Risk: Real and Perceived

• Do you think you could be a target?

• How confident are you that you could detect an APT attack?

Page 5: Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

Examples:

• Automatic proxy detection

• Leaving auto-update configured to contact MS

• Unnecessary or out-of-date software

1. Allowing open attack surfaces without securing configurations

Page 6: Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

• Feds: Infected USB drive idled power plant 3 weeks
  http://www.usatoday.com/story/tech/2013/01/16/usb-drive-infected-with-crimeware-shut-power-plant/1840783/

• Two-Thirds of Lost USB Drives Carry Malware
  http://it.slashdot.org/story/11/12/07/2037223/two-thirds-of-lost-usb-drives-carry-malware

• Malware USB drives handed out at tradeshows

2. Permitting unlocked ports and unfettered device usage

Page 7: Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

There are too many tweaks and security fixes that can’t be made via Group Policy:

• De-registering unsafe DLLs

• Setting the kill bit

• Setting up BitLocker

• Configuring PowerShell security

• Changing the admin password

You can’t:

• Visit each PC in person (and that’s a waste of time anyway)

• Depend on end-users

You need a way to:

• Run commands, remediation scripts and other fixes on all your PCs automatically

• Track the success of remediation steps

3. Failing to use centralized vulnerability remediation

Page 8: Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

This is the single most effective way to stop APTs

4. Allowing untrusted software to execute

Page 9: Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

Adobe allows critical code-signing server to run noncompliant with corporate standards

Other examples

5. Failing to follow existing security policies/procedures and use at-hand technology consistently

Page 10: Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

RSA SecurID incident involved lateral movement resulting in privilege escalation

This typically means that a privileged user was logged on interactively on a system where they also read email, browse the web or open document files

Best practices and privileged user technologies exist to keep admin level credentials sacrosanct

6. Permitting open policies for privileged user authority

Page 11: Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

• The RSA SecurID incident occurred when 3 users were sent an infected spreadsheet; it went into their Junk email, and a single user opened it

• One corporation sent a spear-phishing email to its own users. It took 3 campaigns before they got the open rate below 20%

Lesson:

• Repeated and constant

• Trackable

7. Not engaging in consistent end-user security awareness

Page 12: Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

Most organizations do not:

• Monitor process start events to discover new EXEs

• Deploy decoy folders with bait files on production systems and audit access

8. Failing to leverage logging and to set up traps
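As an added example (not from the deck and not a Lumension product), the two practices on this slide, baselining process-start events to catch never-seen executables and auditing access to decoy folders, applied in Python to constructed Windows-style audit records; the key=value record format, the baseline set, the decoy path and the user-writable path fragments are all assumptions.

```python
# Added example, not from the deck: baseline new executables from process-start
# events and alert on any access to a decoy (bait) folder.
import re
# Constructed records in a simplified key=value form, modelled on Windows
# process-creation (4688) and object-access (4663) audit events.
SAMPLE_EVENTS = """\
2013-05-01T08:01:10 host=WS01 id=4688 user=jdoe image=C:\\Windows\\System32\\svchost.exe
2013-05-01T08:02:33 host=WS01 id=4688 user=jdoe image=C:\\Program Files\\Office\\EXCEL.EXE
2013-05-01T08:02:40 host=WS01 id=4688 user=jdoe image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe
2013-05-01T08:03:05 host=WS02 id=4688 user=SYSTEM image=C:\\Windows\\System32\\svchost.exe
2013-05-01T08:05:12 host=WS01 id=4663 user=jdoe object=C:\\Shares\\Finance\\Payroll_Q2.xlsx
2013-05-01T08:05:15 host=WS01 id=4663 user=jdoe object=C:\\Shares\\Finance\\_archive\\board_minutes.docx
"""

# Assumed baseline of executables already known on the estate (lower-case paths).
BASELINE = {"c:\\windows\\system32\\svchost.exe",
            "c:\\program files\\office\\excel.exe"}
# Assumed decoy folder: no user has a legitimate reason to open files under it.
DECOY_PREFIXES = ("c:\\shares\\finance\\_archive\\",)
# Path fragments that mark user-writable locations, where new EXEs deserve a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

# key=value pairs; values may contain spaces, so stop only before the next key.
FIELD_RE = re.compile(r"(\w+)=(.+?)(?=\s+\w+=|$)")

def parse_event(line):
    """Split one record into a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields

def detect(log_text, baseline=BASELINE):
    """Return (kind, where/who, path) alerts: new EXEs, EXEs in user-writable paths, decoy reads."""
    alerts, seen = [], set(baseline)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("id") == "4688":
            image = ev["image"].lower()
            if image not in seen:          # first time this executable is seen anywhere
                seen.add(image)
                alerts.append(("new-exe", ev["host"], image))
            if any(frag in image for frag in USER_WRITABLE):
                alerts.append(("user-writable-exe", ev["host"], image))
        elif ev.get("id") == "4663":
            obj = ev["object"].lower()
            if obj.startswith(DECOY_PREFIXES):   # bait file touched: high-signal alert
                alerts.append(("decoy-access", ev["user"], obj))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` flags the Temp-folder update.exe twice (never seen, and launched from a user-writable path) and the read of the bait document, while the known svchost and Excel launches and the ordinary payroll file stay quiet.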

Page 13: Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

• An EXE file must be installed and permitted to run for an APT to be successful

• When activated, most APT-ware must beacon back to command and control servers

• At some point data is exfiltrated

• It is challenging, but there are techniques for recognizing outbound traffic that could be malware:

  » Look for strange packet patterns inconsistent with normal web browsing, like more data going up than down

  » Look for mysterious domain names like ibiz.3387.org

9. Permitting Malware beaconing and exfiltration
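An added example, not from the original deck: the slide's heuristics for outbound traffic (more data going up than down, evenly spaced check-ins, and odd-looking domain labels such as the 3387 in ibiz.3387.org) applied in Python to constructed per-destination flow summaries; the flow tuple format, the thresholds and every destination name other than ibiz.3387.org are assumptions.

```python
# Added example, not from the deck: three heuristics for spotting beaconing
# or exfiltration in outbound flow summaries (per-destination byte counts and timing).
import statistics
from collections import defaultdict
# Constructed flows: (seconds since capture start, destination, bytes sent, bytes received).
FLOWS = [
    (0, "www.example.com", 900, 48_000),
    (70, "www.example.com", 1_200, 120_000),
    (95, "cdn.example.net", 700, 2_000_000),
    (0, "ibiz.3387.org", 420, 310),             # small, evenly spaced check-ins...
    (300, "ibiz.3387.org", 418, 305),
    (600, "ibiz.3387.org", 421, 312),
    (900, "ibiz.3387.org", 419, 309),
    (1200, "ibiz.3387.org", 5_200_000, 2_100),  # ...then far more data going up than down
]

def odd_domain(name, digit_share=0.5):
    """True if any label below the TLD is mostly digits, as '3387' is in ibiz.3387.org."""
    labels = [l for l in name.lower().split(".")[:-1] if l]
    return any(sum(c.isdigit() for c in l) / len(l) >= digit_share for l in labels)

def upload_heavy(flows, ratio=2.0):
    """Destinations to which the client sent more than `ratio` times what it received."""
    sent, received = defaultdict(int), defaultdict(int)
    for _, dst, tx, rx in flows:
        sent[dst] += tx
        received[dst] += rx
    return {d for d in sent if sent[d] > ratio * max(received[d], 1)}

def periodic(flows, min_hits=4, max_jitter=0.1):
    """Destinations contacted at near-constant intervals (stdev of gaps <= max_jitter * mean)."""
    times = defaultdict(list)
    for ts, dst, _, _ in flows:
        times[dst].append(ts)
    hits = set()
    for dst, ts in times.items():
        gaps = [b - a for a, b in zip(sorted(ts), sorted(ts)[1:])]
        mean = statistics.mean(gaps) if gaps else 0
        if len(ts) >= min_hits and mean > 0 and statistics.pstdev(gaps) <= max_jitter * mean:
            hits.add(dst)
    return hits

def suspicious(flows):
    """Map each destination that trips at least one heuristic to the list of reasons."""
    heavy, beacons, reasons = upload_heavy(flows), periodic(flows), {}
    for dst in sorted({f[1] for f in flows}):
        checks = (("odd-domain", odd_domain(dst)), ("upload-heavy", dst in heavy),
                  ("periodic", dst in beacons))
        hits = [label for label, tripped in checks if tripped]
        if hits:
            reasons[dst] = hits
    return reasons
```

In the constructed data only ibiz.3387.org trips all three checks; the ordinary browsing and CDN traffic, which is download-heavy and irregular, is left alone.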

Page 14: Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

Most of these are little things, but with APTs it only takes one:

• One user

• One PC

• One setting or vulnerability that lets the bad guy get established

It’s all about:

• Defense-in-depth

• Doing everything right

• Not allowing untrusted code to execute

Bottom Line

Page 15: Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

Brought to you by

Speaker Chris Merritt – Director, Solution Marketing

www.lumension.com

Page 16: Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

Defense-in-Depth Strategy

• AV: Control the Bad

• Device Control: Control the Flow

• HD and Media Encryption: Control the Data

• Application Control: Control the Gray

• Patch and Configuration Management: Control the Vulnerability Landscape

Successful risk mitigation starts with a solid vulnerability management foundation, augmented by additional layered defenses which go beyond the traditional blacklist approach.

Page 17: Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

Mapping

Top Mistakes and How Lumension Helps

1. Allowing open attack surfaces without securing configurations: Security Configuration Management / Patch and Remediation

2. Permitting unlocked ports and unfettered device usage: Device Control

3. Failing to use centralized vulnerability remediation: Patch and Remediation

4. Allowing untrusted software to execute: Application Control / AntiVirus

5. Failing to follow existing security policies / procedures and to use at-hand technology consistently

6. Permitting open policies for privileged user authority: Application Control

7. Not engaging in consistent end-user security awareness

8. Failing to leverage logging and to set up traps

9. Permitting malware beaconing and exfiltration: Application Control

Page 18: Top 9 Mistakes of APT Victims: What They Are and What You Can Do To Prevent Them

More Information

• Free Security Scanner Tools

  » Vulnerability Scanner – discover all OS and application vulnerabilities on your network

  » Application Scanner – discover all the apps being used in your network

  » Device Scanner – discover all the devices being used in your network

  http://www.lumension.com/Resources/Security-Tools.aspx

• Lumension® Endpoint Management and Security Suite

  » Online Demo Video: http://www.lumension.com/Resources/Demo-Center/Vulnerability-Management.aspx

  » Free Trial (virtual or download): http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx

• Get a Quote (and more): http://www.lumension.com/endpoint-management-security-suite/buy-now.aspx#2
