daniele-bellavista
Presentation of my master's degree thesis. I propose a business process and a conceptual framework for defence against targeted attacks.
ICT SECURITY: DEFENCE STRATEGIES AGAINST TARGETED ATTACKS
SUPERVISOR: Prof. Franco Callegati
CO-SUPERVISOR: Ing. Marco Ramilli
PRESENTED BY: Daniele Bellavista
INTERNSHIP AT AEPI INDUSTRIE, IMOLA
● Defined a defence service for an external company (referred to as ACME corporation).
● Analysed models and taxonomies of cyber attacks and defence methodologies.
● Implemented a simulated cyber attack as part of the defence service.
● Proposed a defence strategy against targeted attacks and applied it to clean existing infections and to detect new threats.
FROM OPPORTUNISTIC TO TARGETED ATTACK
● Cyber attacks targeting any vulnerable system are called opportunistic.
● In the last few years a new kind of attack, called targeted, has been spreading.
● Targeted attacks were once directed against nations or military organizations.
● Now, cyber criminals are targeting companies to compromise their services and steal their data.
CYBER CRIME: OPPORTUNISTIC AND TARGETED ATTACKS
OPPORTUNISTIC ATTACKS:
● Target any vulnerable system; general motives (e.g. money)
● Thousands of malware variants
● Common
● Poor social engineering techniques
● Advanced knowledge NOT required
TARGETED ATTACKS:
● Specific target (company, nation); the motives are fulfilled by compromising that target
● Unknown and unseen malware
● Rare
● Advanced social engineering techniques
● Requires advanced knowledge and a complex attack process
MODELS FOR THE ATTACK PROCESS
● Seven-phase model (the Lockheed Martin Cyber Kill Chain): Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command and Control → Actions on Objective
● Four-phase model: Incursion → Discovery → Capture → Data Exfiltration
TARGETED ATTACK AGAINST ACME
Many papers claim that targeted attacks are able to bypass conventional defence systems.
THE ATTACK
● Information gathering to learn the defence systems involved, email addresses, names and communication protocols.
● Multi-stage malware to bypass the defence systems: the first stage was deployed physically, the second via email.
RESULT
● Bypassed every defence system.
● Performed keylogging and file stealing.
WHY DID DEFENCE SYSTEMS FAIL?
● Signature-based detection doesn't work against unseen malware.
● Automatic behaviour detection can be fooled by complex malware.
● The focus of the defence systems was too narrow.
● The defence systems didn't take the whole attack process into account.
DEFENCE STRATEGY AS SERVICES OFFERED BY A SECURITY TEAM
DEFENCE SERVICES
● Defence against opportunistic attacks: they are still the most numerous cyber attacks, and IDSs can counter them.
● Defence from unknown attacks: use of rules and policies to define the detection of suspicious events for further analysis.
● Systems check: analysis and testing of existing systems.
PROPOSAL
● HAZARD: a business process.
● WASTE: a conceptual framework, used by HAZARD.
DEFENCE STRATEGY: ANALYSIS OF SUSPICIOUS EVENTS
WASTE: Warning Automatic System for Targeted Events
● Detection of malicious events is based on automatic auditing of system or network events.
● Some events are not malicious per se, but may be suspicious in the company context.
● WASTE is a conceptual framework to define detection methods for suspicious events.
● The architecture cannot be defined a priori: it depends on the company context.
WASTE use cases
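The following is an added illustration of the WASTE idea and is not code from the thesis (WASTE is a conceptual framework with no fixed architecture). Three context rules, written in Python, run over constructed audit log lines: a logon outside working hours, a logon from a workstation the account never uses, and an outbound connection from a host that has no reason to leave the LAN. None of these events is malicious on its own; each is flagged only because of the assumed company context. The log format, the context values (working hours, egress policy, account-to-host mapping, internal network) and the events are all assumptions made for this example.

```python
"""Added example: context-dependent detection of suspicious events.

Illustrates the WASTE idea of flagging events that are not malicious per
se but are suspicious in the company context. It is not the thesis' own
code: the log format, the company context and the events are constructed
assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed company context (hypothetical values).
CONTEXT = {
    "working_hours": (time(8, 0), time(19, 0)),
    # hosts that have no business reason to connect outside the LAN
    "no_egress_hosts": {"hr-ws-07", "finance-ws-02"},
    # accounts and the workstations they normally log on to
    "account_hosts": {"alice": {"hr-ws-07"}, "bob": {"finance-ws-02"}},
    "internal_nets": [ip_network("10.0.0.0/8")],
}


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str      # "logon" or "net_connect"
    detail: str    # logon type, or "ip:port" for net_connect


def parse_event(line: str) -> Event:
    """Parse one constructed audit line: ts|host|user|kind|detail."""
    ts, host, user, kind, detail = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), host, user, kind, detail)


def is_internal(endpoint: str, ctx: dict) -> bool:
    """True if the ip of an "ip:port" endpoint lies in an internal network."""
    addr = ip_address(endpoint.rsplit(":", 1)[0])
    return any(addr in net for net in ctx["internal_nets"])


# Each rule returns a warning string, or None if the event is unremarkable.

def rule_off_hours_logon(ev: Event, ctx: dict):
    start, end = ctx["working_hours"]
    if ev.kind == "logon" and not (start <= ev.ts.time() <= end):
        return f"logon by {ev.user} outside working hours at {ev.ts.time()}"
    return None


def rule_unusual_host(ev: Event, ctx: dict):
    usual = ctx["account_hosts"].get(ev.user)
    if ev.kind == "logon" and usual and ev.host not in usual:
        return f"{ev.user} logged on to {ev.host}, normally uses {sorted(usual)}"
    return None


def rule_unexpected_egress(ev: Event, ctx: dict):
    if (ev.kind == "net_connect" and ev.host in ctx["no_egress_hosts"]
            and not is_internal(ev.detail, ctx)):
        return f"outbound connection from {ev.host} to {ev.detail}"
    return None


RULES = [rule_off_hours_logon, rule_unusual_host, rule_unexpected_egress]


def analyse(lines, ctx=CONTEXT):
    """Run every rule over every event; return (host, user, warning) triples.

    The output is a worklist for the analysis team, not a verdict: each
    warning still has to be investigated in the company context.
    """
    warnings = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            msg = rule(ev, ctx)
            if msg:
                warnings.append((ev.host, ev.user, msg))
    return warnings


# Constructed audit lines: a normal working day, then a night-time logon by
# alice on a host she never uses, followed by an outbound connection.
SAMPLE_LOG = [
    "2013-03-11T09:12:00|hr-ws-07|alice|logon|interactive",
    "2013-03-11T09:13:05|hr-ws-07|alice|net_connect|10.0.3.20:445",
    "2013-03-12T02:41:17|finance-ws-02|alice|logon|interactive",
    "2013-03-12T02:42:30|finance-ws-02|alice|net_connect|203.0.113.10:443",
]

if __name__ == "__main__":
    for host, user, msg in analyse(SAMPLE_LOG):
        print(f"[WARNING] {host} {user}: {msg}")
```

The first two lines produce nothing, the last two produce three warnings that all concern the same host and account, which is the kind of correlated worklist the analysis team would then take up. Changing only the context (for instance removing finance-ws-02 from the no-egress set) silently changes which events are suspicious, which is why the architecture of such a system cannot be fixed before the company context is known.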
HAZARD: BUSINESS PROCESS FOR CYBER ATTACK DEFENCE
HAZARD: Hacking Approach for Zealot Attack Response and Detection
ACTORS:
● Analysis Team
● Detection Team
● Vulnerability Team
● Hacking Team
● Company IT
PROCESSES:
● Incident Analysis
● WASTE warning analysis
● WASTE issues management
● Vulnerability Assessment
● Targeted attack evaluation
● Targeted attack test
HAZARD is designed to share information between the actors in order to provide an effective defence strategy against targeted attacks.
DEFENCE STRATEGY APPLICATION INSIDE ACME: RESULTS
● Found some opportunistic malware programs that the IDS had reported as non-malicious.
● No sign of targeted attacks was found.
● Reduction of the infection events reported by the IDS.
FURTHER WORK
● Use HAZARD for information sharing to better understand targeted attacks.
● Test the defence strategy against a real targeted attack:
○ How can one test whether a defence approach is effective against a targeted attack?
ICT SECURITY: DEFENCE STRATEGIES AGAINST TARGETED ATTACKS
Daniele Bellavista
THANK YOU FOR YOUR ATTENTION