Global APT Defense Summit Los Angeles
Matthew Rosenquist | Intel Corp
Understanding APT Threat Agent Characteristics is Key to Prioritizing Risks
February 25, 2015 – Los Angeles, California
Global APT Defense Summit New York #APTSummit2
Agenda
1. The problems with vulnerability based security strategies
2. Threat Agents are the genesis of risks
3. Intersecting the most likely attacks is key
4. APTs present a special case, directed attacks
5. APTs use of Open Source Intelligence (OSINT)
6. Inclusion of Threat Agent Aspects into the Risk Picture
7. Prioritizing your most important exposures
About the Speaker
Matthew Rosenquist
Cybersecurity Strategist, Intel Corp
Matthew Rosenquist is passionate about cybersecurity! Benefiting from 20 years of experience, he thrives at establishing strategic organizations and capabilities which deliver cost-effective security capabilities. His role is to champion the meaningfulness of security, advise on emerging opportunities and threats, and advocate an optimal balance of cost, controls, and productivity throughout the industry.
Mr. Rosenquist built and managed Intel’s first global 24x7 SOC, oversaw internal platform security products and services, was the first Incident Commander for Intel’s worldwide IT crisis team, and managed security for Intel’s multi-billion-dollar worldwide M&A activities. He has conducted investigations, defended corporate assets, established policies, developed strategies to protect Intel’s global manufacturing, and owned the security playbook for the PC strategic planning group. Most recently, Matthew worked to identify the synergies of Intel and McAfee as part of the creation of the Intel Security Group, one of the largest security product organizations in the world.
History is Enlightening
“He who defends everything, defends nothing” – Frederick the Great
Problems with vulnerability based strategies
Vulnerabilities Exist Everywhere
• Never-ending battle, not sustainable
• ‘Vulnerability’ is relative to the threat
• Not efficient on resources
How can we improve defenses?
The Impossible Challenge:
• Identify ALL vulnerabilities
• Close them before they are exploited
• Do it continuously, forever
• For all technology and users
History is Enlightening
“Know your enemy and know yourself and you can fight a thousand battles without disaster” – Sun Tzu
Threat Agents are the Genesis of Risks
• Threat Agent archetypes are collective descriptions of attackers, representing similar risk profiles
• Intelligent attackers whose Motivations drive their Objectives
• Attributes such as skills, access, and resources define their most likely Methods
• Not all archetypes represent a significant threat to every organization
• Knowing your opposition is very valuable
Organized Criminals
Motivation: Personal Financial Gain
Objectives: Theft of digital assets, including money & valuables
Methods:
• Compromise payment systems
• Access to financial assets
• Copying IP or resalable data
• Digital ransom (data or access)
• Fraudulent use of digital assets
Attributes: External Threat, Tech Skilled; Indirect Attacks / Direct Attacks
Nation-State Cyberwarrior
Digital Thief
Intersecting the Most Likely Attacks is Key
[Figure: three overlapping sets, Threat Agents, Attacker Objectives, and Attack Methods. The full circles are all possible Threats, Objectives, and Methods; their intersection is the highest-risk Threats, Objectives, and Methods, the areas of highest Exposure.]
Vulnerabilities without Controls for these attacks are likely Exposures
Focusing on the intersection is how security resources are optimized
Targeting Victims…
“Two types of victims exist... those with something of value, and those who are easy targets. …therefore, don't be an easy target, and protect your valuables.”
APTs Present a Special Case
• Indirect Attacks
– Seeks easy targets based upon vulnerability
– Uses methods for widespread attacks for any victim
– “Spray and pray” mentality
– Seeks to satisfy objectives through whichever is the easiest target
• Direct Attacks – APTs
– Target is selected based upon motivation and objectives
– Easiest path for that target is determined
– “Stalk and Sniper” mentality
– Attacks against target continue until objectives are met
CONGRATULATIONS, YOU ARE A WINNER OF THE INTERGALACTIC LOTTERY!
CLICK ON THE LINK TO RECEIVE YOUR $5 MILLION DOLLAR PRIZE…

Mike,
What a game last night! Glad your son Roger hit that home run! I took this video of his grand slam in the 6th inning. Click this link and check it out! See you at work tomorrow.
- Sam
Phases of a Social Engineering Attack
Source: Hacking the Human Operating System
APTs’ use of Open Source Intelligence (OSINT)
APTs stalk their prey using OSINT
– OSINT is the legal gathering of data without touching the target
– Advanced attackers are seeking the path of least resistance
– Understanding their target helps determine the method of attack
– Reconnaissance of a target begins early
– Search engines, social media, job boards, news stories, investor data, company profiles, suppliers, domain and network ownership
– A wealth of information can be found… in as little as 20 minutes
Recommendation: understand what the world can determine about you
Open Source Intelligence (OSINT)
What could be learned
• Names and details of employees & corporate officers
• Projects & reporting structure
• Roles and relationships
• Physical and logical locations
• HW, OS and Apps in use
• Security controls
• Trusted Vendors
How it could be used
• Phishing, spear-phishing
• Confidence scams/schemes
• Network & system targeting
• Software vulnerabilities
• Targeting security gaps
• Vendor impersonation/compromise
• Targeted malware
• Custom extortion & manipulation
Inclusion of Threat Agent Aspects into the Risk Picture
• Tools and process form a sustainable security capability
• Prediction of threats feeds intelligent decisions
• Smart security is the key to success
Strategic Cybersecurity Capability Process
Prediction – Predict the most likely attacks, targets, and methods. Proactive measures to identify attackers, their objectives and methods prior to materialization of viable attacks.
Prevention – Prevent or deter attacks so no loss is experienced. Secure the computing environment with current tools, patches, updates, and best-known methods in a timely manner. Educating and reinforcing good user behaviors.
Detection – Identify attacks not prevented to allow for rapid and thorough response. Monitor key areas and activities for attacks which evade prevention. Identifies issues, breaches, and attacks.
Response – Rapidly address incidents to minimize losses and return to a normal state. Efficient management of efforts to contain, repair, and recover as needed, returning the environment to normal operations.
Prioritizing your Most Important Exposures
• Understand the capabilities, methods, & objectives of your APT threats
• Combine threat characteristics with vulnerability analysis to find the weak areas in your organization most likely to be exploited
• Counter these threats with proper allocation of resources
Threat prediction can improve Prevention, Detection, and Response
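As an added worked example (not part of the presentation), the intersection from the "Intersecting the Most Likely Attacks" slide and the prioritization steps just above can be run as a small Python model: each threat agent archetype carries its most likely methods, each vulnerability carries the methods it enables and the methods an existing control already covers, and an exposure is scored only where an archetype's likely method meets an uncontrolled weakness. Opportunistic (indirect) archetypes are matched only against widely exploitable weaknesses, which is how the "spray and pray" versus "stalk and sniper" distinction is modelled. The archetype profiles (the Nation-State Cyberwarrior and Digital Thief profiles in particular, which the slides name but do not spell out), the assets, the impact and relevance scores, and the `widely_exploitable` flag are all assumptions constructed for illustration.

```python
"""Threat-agent-driven exposure prioritization (added example, not from the deck).

Chain modelled: threat agent archetype (motivation -> objectives -> likely methods)
intersected with the organization's vulnerabilities; a vulnerability that enables
a likely method and has no control covering it is an exposure. All profiles,
assets and scores below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class ThreatAgent:
    name: str
    motivation: str
    objectives: FrozenSet[str]
    methods: FrozenSet[str]   # most likely methods given skills, access, resources
    directed: bool            # True: APT "stalk and sniper"; False: "spray and pray"
    relevance: float          # 0..1 likelihood this archetype cares about this org (assumed)


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    weakness: str
    enables: FrozenSet[str]      # attack methods this weakness makes possible
    controlled: FrozenSet[str]   # methods already covered by an existing control
    widely_exploitable: bool     # reachable by untargeted, mass attacks
    impact: int                  # 1..5 business impact (assumed scale)


@dataclass(frozen=True)
class Exposure:
    score: float
    agent: str
    asset: str
    weakness: str
    methods: Tuple[str, ...]


def prioritize(agents: List[ThreatAgent], vulns: List[Vulnerability]) -> List[Exposure]:
    """Intersect each agent's likely methods with uncontrolled vulnerabilities, ranked by score."""
    found: List[Exposure] = []
    for v in vulns:
        uncontrolled = v.enables - v.controlled
        if not uncontrolled:
            continue  # every enabled method has a control: a vulnerability, not an exposure
        for a in agents:
            if not a.directed and not v.widely_exploitable:
                continue  # spray-and-pray attackers do not dig for hard-to-reach targets
            overlap = a.methods & uncontrolled
            if not overlap:
                continue
            score = round(a.relevance * v.impact * len(overlap), 2)
            found.append(Exposure(score, a.name, v.asset, v.weakness, tuple(sorted(overlap))))
    return sorted(found, key=lambda e: (-e.score, e.agent, e.asset))


def irrelevant_agents(agents: List[ThreatAgent], exposures: List[Exposure]) -> List[str]:
    """Archetypes producing no exposure here: not every archetype threatens every organization."""
    hit = {e.agent for e in exposures}
    return sorted(a.name for a in agents if a.name not in hit)


# Constructed archetype profiles (assumed; only the names appear in the deck).
AGENTS = [
    ThreatAgent("Organized Criminals", "Personal Financial Gain",
                frozenset({"theft of digital assets"}),
                frozenset({"phishing", "payment system compromise", "ransomware"}),
                directed=False, relevance=0.9),
    ThreatAgent("Nation-State Cyberwarrior", "Strategic advantage (assumed)",
                frozenset({"IP theft", "persistent access"}),
                frozenset({"spear-phishing", "supply chain compromise", "credential theft"}),
                directed=True, relevance=0.4),
    ThreatAgent("Digital Thief", "Personal Financial Gain",
                frozenset({"resale of stolen data"}),
                frozenset({"ransomware", "copying resalable data"}),
                directed=False, relevance=0.6),
]

# Constructed vulnerability inventory for a hypothetical organization.
VULNS = [
    Vulnerability("payment gateway", "unpatched web application",
                  frozenset({"payment system compromise", "credential theft"}),
                  frozenset(), widely_exploitable=True, impact=5),
    Vulnerability("engineering file share", "no MFA on VPN",
                  frozenset({"credential theft", "spear-phishing"}),
                  frozenset({"spear-phishing"}), widely_exploitable=False, impact=4),
    Vulnerability("HR mailbox", "weak mail filtering",
                  frozenset({"phishing", "spear-phishing"}),
                  frozenset({"phishing"}), widely_exploitable=True, impact=2),
]

if __name__ == "__main__":
    ranked = prioritize(AGENTS, VULNS)
    for e in ranked:
        print(f"{e.score:4.1f}  {e.agent:<26} {e.asset:<24} {e.weakness}  via {', '.join(e.methods)}")
    print("archetypes with no exposure here:", irrelevant_agents(AGENTS, ranked))
```

With the constructed data the payment gateway tops the list for Organized Criminals, the engineering file share is an exposure only to the directed archetype because opportunistic attackers are not matched against a weakness that is not widely reachable, and the Digital Thief produces no exposure at all, which is the slide's point that not every archetype is a significant threat to every organization.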