Adversary Defense: Past, Present, Future
Is compromise inevitable?
It’s going to happen…
Offense is cheaper and easier than Defense. Compromise is no longer if, but when.
Detection takes too long
229 - The average number of days to discover a breach
Response times impact the business
Average response times are weeks to months
Not enough skills
70% of organizations lack staff to counter cyber security threats
“By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2013.”
- Gartner
Are all “Incidents” the same?
Suspected Compromise
Malware Outbreaks & Employee Investigations
Proactive or Reactive?
Crisis Mode
• Experiencing a security incident
• Internal teams unable to address the issue at hand
• Pressure to resolve the incident quickly
• Need to address legal/compliance reporting requirements post-incident
• Currently battling an incident and need extra help
• Media coverage of the breach
Elevated Concern
• Realization that gaps in security may have led to an undetected breach
• An industry peer suffered a breach and they want to know if they have been impacted
• New security alert or intelligence that causes concern, and the customer has no way to determine if they might be impacted
Proactive Planning
• Looking to turn plans into optimized programs
• Looking for ways to improve or augment internal IR capabilities
• Want to pre-negotiate terms and rates for faster action when 3rd-party help is needed
• Have a regulatory or legal requirement to have a 3rd-party IR team on retainer
Figure: threat intelligence positioning chart (source: Gartner Research, How to Select a Threat Intelligence Service). Horizontal axis: Planning Horizon, from Immediate to Long Term. Vertical axis: Reliability, from Informed Judgment to High Degree of Certainty. Labeled regions: Snake Oil, Network Traffic Feed, Operational Intelligence, Security Intelligence, Strategic Intelligence, Adversary Intelligence.
Adversary: Actor, Group, TTP, Actions, Resources
Campaigns: Victims, Trends
Incidents: Indicators, Intent
Attack Vector: Vulnerabilities, Exploits
Targets: Industry, Geography
Intelligence cycle: Collection, Processing, Analysis, Production
Collection sources: Data Warehouse Mining, Social Network Mining, Underground Forums, Open Source Monitoring, Information Sharing, Subscription, Technical Analysis, Directed Research, Telemetry
Delivery: Consumption, Content, Capabilities
Incident Response Today
• Un-prioritized alerts
• Manual IR call trees
• Triage begins
• External response team called
• Delays in ramp-up
• Manual correlation of evidence
Incident Response Tomorrow
• Prioritized/correlated alerts
• Automated triage workflow
• Collaborative triage
• Clear line of sight
• Real-time updates
• Collaborative response
1. Improve response times
2. Lower response costs
3. Improve response effectiveness
4. Enable continuous improvement
Adversary Techniques
+91% increase in targeted attack campaigns from 2012 to 2013
Spear Phishing
Spear Phishing with an Attachment
• More than 50 percent of email attachments used in spear phishing attacks were executable files in 2013.
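Because the executable is usually disguised (a double extension such as .pdf.exe, or a declared MIME type that does not match the bytes), a mail gateway check has to look at the content rather than trust the filename. The following is an added example, not Symantec's code or anything from the original deck: it parses a message with the Python standard library and flags any attachment whose leading bytes are a PE, ELF or Mach-O header, or whose name ends in an extension Windows will execute. The sample message, the hostnames and the attachment bytes are constructed for illustration.

```python
"""Flag executable email attachments by content, not by declared name or type."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Leading bytes of common executable formats.
EXECUTABLE_MAGIC = {
    b"MZ": "PE (Windows executable)",
    b"\x7fELF": "ELF",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
}
# Extensions Windows runs directly on double-click.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
    "vbs", "vbe", "wsf", "hta", "cpl", "msi",
}


def classify_attachment(filename: str, payload: bytes) -> list:
    """Return the reasons an attachment looks executable (empty list if none)."""
    reasons = []
    for magic, kind in EXECUTABLE_MAGIC.items():
        if payload.startswith(magic):
            reasons.append(f"content is {kind}")
            break
    parts = filename.lower().split(".")
    if len(parts) > 1 and parts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{parts[-1]}")
        if len(parts) > 2:
            reasons.append(f"double extension disguised as .{parts[-2]}")
    return reasons


def flag_executable_attachments(raw_message: bytes) -> list:
    """Parse a raw RFC 5322 message and return findings for executable attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(name, payload)
        if reasons:
            findings.append({
                "filename": name,
                "declared_type": part.get_content_type(),
                "reasons": reasons,
            })
    return findings


def build_sample_message() -> bytes:
    """Constructed sample lure: a fake PE declared as application/pdf, plus a harmless text file."""
    msg = EmailMessage()
    msg["From"] = "hr@example.org"          # assumed sender
    msg["To"] = "assistant@example.org"     # assumed target (a personal assistant)
    msg["Subject"] = "Updated travel itinerary"
    msg.set_content("Please review the attached itinerary before Friday.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 64
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf",
                       filename="Itinerary.pdf.exe")
    msg.add_attachment("Agenda: 09:00 kickoff\n", filename="agenda.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in flag_executable_attachments(build_sample_message()):
        print(finding)
```

The magic-byte test catches the case the extension test misses (a .pdf that is really a PE), and the extension test catches script formats that have no fixed header; a gateway policy would normally quarantine on either.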
Risk of Being Targeted by Job Role
Figure: risk of a job role being targeted by a spear-phishing email, rated High, Medium or Low (source: Symantec). Personal Assistant (Executive Assistant) is rated High; the other roles charted are Media, Senior Management, Sales, C-Level, Recruitment and R&D.
Targeted Attack Campaigns
                          2011     2012     2013
Campaigns                  165      408      779
Email per Campaign          78      122       29
Recipients per Campaign     61      111       23
Duration of Campaign    4 days   3 days   8.3 days
Targeted Organization by Size
Spear Phishing Attacks by Size of Targeted Organization, 2011 - 2013 (source: Symantec). Employee bands charted: 1 to 250, 251 to 500, 501 to 1,000, 1,001 to 1,500, 1,501 to 2,500, 2,501+.
                              2011    2012    2013
2,501+ employees               50%     50%     39%
1 to 250 employees             18%     31%     30%
All bands up to 2,500          50%     50%     61%
The Dragonfly group
• In operation since at least 2011
• Appear to be operating in the UTC+4 time zone, suggesting a base of operations in the Moscow, Russia time zone
• Initially targeted defense and aviation companies in the US and Canada
• Shifted focus to US and European energy firms in early 2013
• Likely to be either state sponsored or corporate sponsored (given the type of victims targeted)
• Involvement with the Russian crime scene/forums (confirmed)
• Malware used:
– Backdoor.Oldrea
– Trojan.Karagany
• Data theft
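The time-zone inference above rests on activity timing: if you plot the UTC hour of the group's actions (malware compile times, C2 check-ins, logins to staging servers), the busy hours cluster into a working day once you shift them by the right offset. The following is an added example, not Symantec's analysis or the deck's own method: it scores each candidate UTC offset by how many events land in a Monday to Friday, 09:00 to 18:00 local day, and returns the best fit. The event timestamps are constructed for illustration (five weekdays of hourly activity generated in UTC+4 and stored in UTC). The caveat a practitioner should keep in mind is that compile timestamps can be forged, infrastructure may sit in a different zone from the operators, and a multi-shift team flattens the peak.

```python
"""Infer an operator's working UTC offset from UTC activity timestamps."""
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 18  # local working day, end hour exclusive


def working_hour_score(timestamps, offset_hours: int) -> int:
    """Count events that fall on a weekday between WORK_START and WORK_END
    when viewed in the zone UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    score = 0
    for ts in timestamps:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            score += 1
    return score


def score_all_offsets(timestamps) -> dict:
    """Score every whole-hour offset from UTC-12 to UTC+14."""
    return {off: working_hour_score(timestamps, off) for off in range(-12, 15)}


def infer_utc_offset(timestamps) -> int:
    """Return the offset whose working day best explains the activity."""
    scores = score_all_offsets(timestamps)
    return max(scores, key=scores.get)


def build_sample_timestamps() -> list:
    """Constructed data: hourly activity across five weekdays of a UTC+4
    working day (2013-06-03 is a Monday), converted to UTC as a log would store it."""
    operator_tz = timezone(timedelta(hours=4))
    events = []
    for day in range(5):
        for hour in range(WORK_START, WORK_END):
            local = datetime(2013, 6, 3 + day, hour, (hour * 7) % 60, tzinfo=operator_tz)
            events.append(local.astimezone(timezone.utc))
    return events


if __name__ == "__main__":
    sample = build_sample_timestamps()
    for off, score in sorted(score_all_offsets(sample).items()):
        print(f"UTC{off:+d}: {score}/{len(sample)} events in working hours")
    print("best fit: UTC", infer_utc_offset(sample))
```

Real data is noisier than the sample, so look at the whole score curve rather than only the maximum: a clear single peak supports the inference, while two peaks of similar height suggest either two teams or an offset that differs between infrastructure and operators.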
Dragonfly Group - Attack Methods
Spear Phishing: send an email to a person of interest
Watering Hole Attack: infect a website and lie in wait for them
Dragonfly Malware Threats
Trojan.Karagany
• Built from leaked source code, sold in the underground market; leaked in 2010
• Modified by the Dragonfly team
• Features include collecting passwords, taking screenshots, cataloging documents
Backdoor.Oldrea (a.k.a. Havex, Energetic Bear RAT)
• Custom malware, used in the majority of attacks
• Acts as a backdoor for the attackers
• Features include collecting system information and the Outlook address book
Symantec Antivirus detections: Backdoor.Oldrea, Trojan.Karagany
Dragonfly Exploit Kits
Lightsout Exploit Kit
• Uses Java and IE exploits
• An injected iframe link sends the victim to a website hosting malware
Hello Exploit Kit
• Uses JavaScript to fingerprint the system and determine the best exploit
Intrusion Prevention Signatures: Web Attack: Lightsout Exploit Kit; Web Attack: Lightsout Toolkit Website 4
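The watering-hole delivery described above works only while the injected iframe stays invisible to the site's visitors and owners, so the frame is typically zero-size, hidden by CSS, or pushed off-screen, and its source is on a host the page has no business loading from. The following is an added example, not Symantec's code or the deck's own detection: a scanner that parses a page with the Python standard library and reports iframes with those traits. The sample page, the page host and the kit host are constructed for illustration.

```python
"""Report iframes in a page that look injected: hidden, tiny, or off-site."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments (spaces removed, lower-cased) that hide or push a frame off-screen.
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden", "left:-", "top:-")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({name.lower(): (value or "") for name, value in attrs})


def _is_tiny(size: str) -> bool:
    """True for width/height values of 0 or 1 (with or without a px suffix)."""
    digits = size.strip().lower().removesuffix("px").strip()
    return digits.isdigit() and int(digits) <= 1


def find_suspicious_iframes(html: str, page_host: str) -> list:
    """Return one finding per iframe that is off-site, tiny, or hidden by CSS."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = []
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            reasons.append(f"off-site source {host}")
        if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
            reasons.append("zero or one pixel frame")
        style = attrs.get("style", "").replace(" ", "").lower()
        if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
            reasons.append("hidden by CSS")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample: a legitimate same-site video frame, then an injected
# zero-size hidden frame pointing at an assumed exploit-kit landing page.
SAMPLE_PAGE_HOST = "news.example.com"
SAMPLE_PAGE = """<html><body>
<h1>Industry news</h1>
<iframe src="https://news.example.com/video/player?id=42" width="640" height="360"></iframe>
<p>Quarterly results for the energy sector.</p>
<iframe src="http://kit.example.net/index.php" width="0" height="0"
        style="visibility: hidden"></iframe>
</body></html>"""


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_PAGE, SAMPLE_PAGE_HOST):
        print(finding)
```

Run this against a copy of the page fetched from the server rather than from a browser, since the kit's JavaScript stage may rewrite the DOM after load; and compare successive fetches of the same page, because an injection that appears between two crawls is a stronger signal than any single attribute.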
Cyber Security Services
Prepare: Attack Readiness Assessment, IR Plan Assessment, IR Program Development, Tabletop Exercises, Cyber Exercises and Simulation
Detect: Data Collection, Correlation, Analysis, Monitoring Services, Alerting Services
Respond: Incident Investigation, Incident Containment, Incident Recovery, Lessons Learned
Inform: Adversary Intelligence / Data Feeds / Directed Research
Thank you!
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
symantec.com/threatreport
http://www.symantec.com/managed-security-services
http://go.symantec.com/incidentresponse