APT1 IN THE FINANCIAL SECTOR
ONDREJ KREHEL
CISSP, CEH, CEI
MANAGING DIRECTOR
LIFARS LLC
Twitter: @LIFARSLLC
Digital Firefighter
Talk Agenda
1 Introduction
2 Today’s APT Threat Landscape
3 Attacks and Stories
4 Questions & Answers
There are only two types of companies in the world: The ones that have been
hacked, and those that will be.
-FBI Director Robert Mueller
If you had to bet $100 on someone to protect your private data, who would it be?
I hope you weren’t thinking of betting on any of these …
DATA BREACH
Total cost of cybercrime is on the rise across the globe.

Total cost of cybercrime in seven countries, in millions of US dollars. Based on results collected from 257 companies. No info on Russia in FY 2013.

Country          FY 2013   FY 2014
Russia           n/a       $3.33
Australia        $3.67     $3.99
United Kingdom   $4.72     $5.93
France           $5.19     $6.38
Japan            $6.73     $6.91
Germany          $7.56     $8.13
United States    $11.56    $12.69

Data from the 2014 Global Report on the Cost of Cyber Crime by the Ponemon Institute
How often cybersecurity crosses one’s mind…
THE CYBER EVENT HORIZON
The types of attacks companies face.

Types of cyberattacks experienced. Based on results collected from 257 companies. Percentage of companies that experienced each attack type.

Viruses, Worms, Trojans   98%
Malware                   97%
Botnets                   59%
Web-based Attacks         58%
Phishing & SE             52%
Malicious Code            51%
Denial of Service         49%
Stolen Devices            49%
Malicious Insiders        35%

Data from the 2014 Global Report on the Cost of Cyber Crime by the Ponemon Institute
The black market price of your data
The usual APT suspects
Getting from point A to point B is only a click away. So is the danger.
Alarming Advanced Persistent Threat survey results
In the past year, has your organization experienced a security incident as a result of advanced threat or advanced persistent threat (APT)?

YES          22%
NO           69%
DON'T KNOW    9%

Data from the Palo Alto Networks APT Report 2014
What is APT?
Advanced Persistent Threat
Advanced: it is the attacker that is advanced, not the attack
Persistent: the attacker won’t give up after a failure
Threat: the attacker has a particular target
What are the typical entry points of an APT attack?
The human itself
• Social engineering
  • Phishing & whaling emails
  • Message with a malicious URL or attachment
  • Malicious web pages: drive-by download of malicious code
  • Free stuff (USB keys, software, music, movies)
Vulnerability of the client machine
• Message with malicious content
• Malicious web pages: redirection to malicious code/exploit
Vulnerable public-facing service
What are the typical attack goals?
Information
• Blueprints
• Research
• Financial information
• Plans, contracts
• Classified information
• PII
Control of systems
• SCADA / PLC
• Critical information providers
• Vendors of technology
• Research and development facilities
Disruption of services
• Critical infrastructure
• Competitor’s services
Important facts about APT attacks
An APT attack is typically discovered only after 6-9 months
Exploitation of vulnerabilities
• not known (zero-days)
• not considered a threat (social engineering, physical access, employees)
APT attacks do not produce immediate losses
• the loss is not seen at the moment of compromise
“The fact that you have not discovered a breach does not mean that you are not compromised.”
Principles of defense
Least privilege for specific people
• Assign only the necessary privileges, and only to those who need them
Divide et impera
• Do proper classification of every piece of information
• Know who is (and can be) the owner, consumer, and holder of the information
• Know where and how it can be stored, processed, and used
Defense in depth
• Multiple layers of security
Four-eyes principle
• Every possible attack vector should be addressed by at least two different controls
• At least one should be technical
• At least one should include human supervision
Technical controls
Defense of known perimeters
Malicious code protection
Network behavioral analysis
Intrusion protection
Internal network defense
Hardening of systems
Data Loss Prevention
Known high-profile APTs
Ghostnet (2009)
• 103 countries, cyber espionage
Aurora (2009)
• High-tech, security and defense companies
• Modification of source code, cyber espionage
Stuxnet (2010)
• Iran, nuclear devices
Aramco (2012)
• Kingdom of Saudi Arabia
• 30 000 workstations and servers compromised
James Bond of yesterday…
…Meet the James Bond of today!
The APT Lifecycle
When breached, follow these three steps…
Step 0 - UPDATE YOUR RESUME
Step 1 - CONFIRM INCIDENT
Step 2 - PROVIDE RESPONSE
Step 3 - IMPROVE
NO ONE SAID IT WOULD BE EASY
Cybersecurity Casino
Welcome to the cybersecurity casino! (Whether you like it or not)
“To shun this approach is to meddle with the primary forces of the Internet, Mr. Beale. The hackers won’t have it. They’ll take millions out of your business and put nothing back in. It is ebb and flow, tidal gravity. It is the new cyber ecological balance.”
- after the movie Network (1976)
SIDE NOTE
PART FOUR: Q&A
THANK YOU!