ICT Security: Defence strategies against targeted attacks

Presentation of my master's degree thesis. I propose a business process and a conceptual framework for defence against targeted attacks.

Page 1

ICT SECURITY: DEFENCE STRATEGIES AGAINST TARGETED ATTACKS
SUPERVISOR: Prof. Franco Callegati
CO-SUPERVISOR: Ing. Marco Ramilli
PRESENTED BY: Daniele Bellavista

Page 2

INTERNSHIP AT AEPI INDUSTRIE, IMOLA

● Defined a defence service for an external company (referred to as ACME corporation).
● Analyzed models and taxonomies of cyber attacks and defence methodologies.
● Implemented a simulated cyber attack as part of the defence service.
● Proposed a defence strategy against targeted attacks and applied it to clean existing infections and to detect new threats.

Page 3

FROM OPPORTUNISTIC TO TARGETED ATTACK

● Cyber attacks targeting any vulnerable system are called opportunistic.

● In the last few years, a new kind of attack, called targeted, is spreading.

● Targeted attacks were once directed against nations or military organizations.

● Now, cyber criminals are targeting companies to compromise their services and steal their data.

Page 4

CYBER CRIME: OPPORTUNISTIC AND TARGETED ATTACKS

OPPORTUNISTIC ATTACKS:
● Target any vulnerable systems for general motives (e.g. money)
● Thousands of malware variants
● Common
● Poor social engineering techniques
● Advanced knowledge NOT required

TARGETED ATTACKS:
● Specific target (company, nation); motives are fulfilled by compromising the target
● Unknown and unseen malware
● Rare
● Advanced social engineering techniques
● Requires advanced knowledge and a complex attack process

Page 5

MODELS FOR THE ATTACK PROCESS

Seven-phase model: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command and Control → Actions on Objective

Four-phase model: Incursion → Discovery → Capture → Data Exfiltration

Page 6

TARGETED ATTACK AGAINST ACME

Many papers claim that targeted attacks are able to bypass conventional defence systems.

THE ATTACK
● Information gathering to learn the defence systems involved, email addresses, names and communication protocols.
● Multi-staged malware to bypass defence systems. First stage deployed physically, the second via email.

RESULT
● Bypassed every defence system.
● Performed keylogging and file stealing.

Page 7

WHY DID DEFENCE SYSTEMS FAIL?

● Signature-based detection doesn't work against unseen malware.
● Automatic behavior detection can be fooled by complex malware.
● The focus of the defence systems was too narrow.
● Defence systems didn't take into account the whole attack process.

Page 8

DEFENCE STRATEGY AS SERVICES OFFERED BY A SECURITY TEAM

DEFENCE SERVICES
● Defence against opportunistic attacks: they are still the most numerous cyber attacks, and IDSs can counter them.
● Defence from unknown attacks: use of rules and policies to define the detection of suspicious events for further analysis.
● Systems check: analysis and test of existing systems.

PROPOSAL
● HAZARD: a business process.
● WASTE: a conceptual framework, used by HAZARD.

Page 9

DEFENCE STRATEGY: ANALYSIS OF SUSPICIOUS EVENTS

WASTE: Warning Automatic System for Targeted Events
● Detection of malicious events is based on automatic auditing of system or network events.
● Some events are not malicious per se, but may be suspicious in the company context.
● WASTE is a conceptual framework to define detection methods for suspicious events.
● The architecture cannot be defined a priori.
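The detection idea on this slide, and the "defence from unknown attacks" service on the previous one (rules and policies that single out suspicious events for further analysis), can be made concrete with a small rule-driven audit. The following Python is an added illustration and not code from the thesis or from the WASTE framework: the record format, the company context (office hours, internal subnet, proxy host, admin users and admin tools) and the three rules are all constructed for the example. Each rule encodes something that is not malicious per se but is unusual for this company, and the audit returns those events as warnings for an analyst rather than blocking anything.

```python
# Added example (not part of the thesis): a minimal WASTE-style audit that
# scans constructed system and network event records and raises warnings for
# events that are not malicious per se but suspicious in the company context.
# The log format, the company context and the rules are all assumptions.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str    # "logon", "net_conn" or "proc_start"
    detail: str  # remote address, process name, console, ...


def parse_line(line):
    """Parse one constructed record: '<ISO time> host=.. user=.. kind=.. detail=..'."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts_text), kv["host"], kv["user"], kv["kind"], kv["detail"])


# Assumed company context: what counts as normal for ACME in this example.
CONTEXT = {
    "office_hours": (8, 19),                    # local hours in which logons are expected
    "internal_net": ip_network("10.0.0.0/8"),   # connections inside this range are not reviewed
    "egress_hosts": {"proxy01"},                # only these hosts may reach the internet directly
    "admin_users": {"itadmin"},                 # users expected to run administrative tools
    "admin_tools": {"psexec.exe", "net.exe", "wmic.exe"},
}


def rule_after_hours_logon(ev, ctx):
    """A logon at night is legitimate for some staff, but worth an analyst's look."""
    start, end = ctx["office_hours"]
    if ev.kind == "logon" and not (start <= ev.ts.hour < end):
        return "interactive logon outside office hours"
    return None


def rule_direct_egress(ev, ctx):
    """A workstation reaching an external address without going through the proxy."""
    if ev.kind != "net_conn" or ev.host in ctx["egress_hosts"]:
        return None
    if ip_address(ev.detail) in ctx["internal_net"]:
        return None
    return "outbound connection bypassing the proxy"


def rule_admin_tool_by_regular_user(ev, ctx):
    """An administrative tool is normal for IT staff, unusual for everybody else."""
    if ev.kind == "proc_start" and ev.detail.lower() in ctx["admin_tools"] \
            and ev.user not in ctx["admin_users"]:
        return "administrative tool started by a non-admin user"
    return None


RULES = [rule_after_hours_logon, rule_direct_egress, rule_admin_tool_by_regular_user]


def audit(lines, ctx=CONTEXT, rules=RULES):
    """Return (event, reason) warnings for the analyst; events matching no rule are dropped."""
    warnings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        for rule in rules:
            reason = rule(ev, ctx)
            if reason:
                warnings.append((ev, reason))
    return warnings


# Constructed sample records: routine activity mixed with events worth a second look.
SAMPLE_LOG = """
2014-03-03T09:12:00 host=ws-17 user=jdoe kind=logon detail=console
2014-03-03T09:15:22 host=ws-17 user=jdoe kind=net_conn detail=10.0.5.20
2014-03-03T10:02:10 host=proxy01 user=system kind=net_conn detail=93.184.216.34
2014-03-03T22:41:05 host=ws-17 user=jdoe kind=logon detail=console
2014-03-03T22:43:51 host=ws-17 user=jdoe kind=net_conn detail=198.51.100.7
2014-03-03T22:44:30 host=ws-17 user=jdoe kind=proc_start detail=psexec.exe
2014-03-04T08:30:00 host=ws-03 user=itadmin kind=proc_start detail=psexec.exe
""".strip().splitlines()

if __name__ == "__main__":
    for ev, reason in audit(SAMPLE_LOG):
        print(f"{ev.ts.isoformat()} {ev.host} {ev.user}: {reason} ({ev.kind} {ev.detail})")
```

Run on the sample, the audit keeps the daytime logon, the internal connection, the proxy's own egress and the admin's use of psexec silent, and hands the analyst three warnings, all from ws-17 within a few minutes of each other. None of them is proof of compromise on its own; the point of the slide is that the rules are written from the company context, so the architecture that feeds them (which logs, which hosts, which thresholds) has to be decided per deployment rather than a priori.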

Page 10

WASTE use cases

Page 11

HAZARD: BUSINESS PROCESS FOR CYBER ATTACK DEFENCE

HAZARD: Hacking Approach for Zealot Attack Response and Detection

ACTORS:
● Analysis Team
● Detection Team
● Vulnerability Team
● Hacking Team
● Company IT

PROCESSES:
● Incident Analysis
● WASTE warning analysis
● WASTE issues management
● Vulnerability Assessment
● Targeted attack evaluation
● Targeted attack test

HAZARD is designed to share information between the actors in order to provide an effective defence strategy against targeted attacks.

Page 12

Page 13

DEFENCE STRATEGY APPLICATION INSIDE ACME: RESULTS

● Found some opportunistic malware programs reported as non-malicious by the IDS.
● No sign of targeted attacks was found.
● Reduction of infection events reported by the IDS.

Page 14

FURTHER WORK

● Use HAZARD for information sharing to better understand targeted attacks.
● Test the defence strategy against a real targeted attack:
  ○ How to test whether a defence approach is effective against a targeted attack?

Page 15

ICT SECURITY: DEFENCE STRATEGIES AGAINST TARGETED ATTACKS
Daniele Bellavista

THANK YOU FOR YOUR ATTENTION