Global APT Defense Summit Los Angeles. Matthew Rosenquist | Intel Corp. Understanding APT Threat Agent Characteristics is Key to Prioritizing Risks. February 25, 2015, Los Angeles, California

Upload: matthew-rosenquist

Post on 16-Jul-2015

372 views

Category:

Technology


0 download

TRANSCRIPT

Global APT Defense Summit Los Angeles

Matthew Rosenquist | Intel Corp

Understanding APT Threat Agent

Characteristics is Key to Prioritizing Risks

February 25, 2015 – Los Angeles, California

Global APT Defense Summit New York #APTSummit2

Agenda

1. The problems with vulnerability-based security strategies

2. Threat Agents are the genesis of risks

3. Intersecting the most likely attacks is key

4. APTs present a special case: directed attacks

5. APTs' use of Open Source Intelligence (OSINT)

6. Inclusion of Threat Agent aspects into the risk picture

7. Prioritizing your most important exposures


About the Speaker

Matthew Rosenquist

Cybersecurity Strategist, Intel Corp

Matthew Rosenquist is passionate about cybersecurity! Benefiting from 20 years of experience, he thrives at establishing strategic organizations and capabilities which deliver cost-effective security capabilities. His role is to champion the meaningfulness of security, advise on emerging opportunities and threats, and advocate an optimal balance of cost, controls, and productivity throughout the industry.

Mr. Rosenquist built and managed Intel's first global 24x7 SOC, oversaw internal platform security products and services, was the first Incident Commander for Intel's worldwide IT crisis team, and managed security for Intel's multi-billion dollar worldwide M&A activities. He has conducted investigations, defended corporate assets, established policies, developed strategies to protect Intel's global manufacturing, and owned the security playbook for the PC strategic planning group. Most recently, Matthew worked to identify the synergies of Intel and McAfee as part of the creation of the Intel Security Group, one of the largest security product organizations in the world.


History is Enlightening

"He who defends everything, defends nothing" – Frederick the Great


Problems with vulnerability-based strategies

Vulnerabilities Exist Everywhere

• Never ending battle, not sustainable

• ‘Vulnerability’ is relative to the threat

• Not efficient on resources

How can we improve defenses?

The Impossible Challenge:

• Identify ALL vulnerabilities

• Close them before they are exploited

• Do it continuously, forever

• For all technology and users


History is Enlightening

"Know your enemy and know yourself and you can fight a thousand battles without disaster" – Sun Tzu


Threat Agents are the Genesis of Risks

• Threat Agent archetypes are collective descriptions of attackers, representing similar risk profiles

• Intelligent attackers whose Motivations drive their Objectives

• Attributes such as skills, access, and resources define their most likely Methods

• Not all archetypes represent a significant threat to every organization

• Knowing your opposition is very valuable

Archetype cards shown on the slide: Organized Criminals, Nation-State Cyberwarrior, Digital Thief. The transcript repeats the Organized Criminals card text under the other two names, so only that card's details are given here.

Organized Criminals

Motivation: Personal Financial Gain

Objectives: Theft of digital assets, including money & valuables

Methods:
• Compromise payment systems
• Access to financial assets
• Copying IP or resalable data
• Digital ransom (data or access)
• Fraudulent use of digital assets

Attributes: External Threat, Tech Skilled

Attack style: Indirect Attacks / Direct Attacks


Intersecting the Most Likely Attacks is Key

[Diagram: three overlapping circles labelled Threat Agents, Attacker Objectives, and Attack Methods. The full area is "All possible Threats, Objectives, and Methods"; the central overlap is "Highest risk Threats, Objectives, and Methods", marked as the areas of highest Exposure. Caption: Vulnerabilities without Controls for these attacks are likely Exposures. Side note: Optimizing security resources.]


Targeting Victims…

"Two types of victims exist... Those with something of value, and those who are easy targets.

…therefore, don't be an easy target, and protect your valuables."


APTs Present a Special Case

• Indirect Attacks

– Seek easy targets based upon vulnerability

– Use methods for widespread attacks on any victim

– "Spray and pray" mentality

– Seek to satisfy objectives through whichever is the easiest target

• Direct Attacks – APTs

– Target is selected based upon motivation and objectives

– Easiest path to that target is determined

– "Stalk and Sniper" mentality

– Attacks against the target continue until objectives are met

[Example 1 on slide: indirect, mass-mailed lure]

CONGRATULATIONS, YOU ARE A WINNER OF THE INTERGALACTIC LOTTERY! CLICK ON THE LINK TO RECEIVE YOUR $5 MILLION DOLLAR PRIZE…

[Example 2 on slide: direct, personalized spear-phish]

Mike,

What a game last night! Glad your son Roger hit that home run! I took this video of his grand slam in the 6th inning. Click this link and check it out! See you at work tomorrow.

- Sam


Phases of a Social Engineering Attack

Source: Hacking the Human Operating System


APTs' use of Open Source Intelligence (OSINT)

APTs stalk their prey using OSINT

– OSINT is the legal gathering of data without touching the target

– Advanced attackers seek the path of least resistance

– Understanding their target helps determine the method of attack

– Reconnaissance of a target begins early

– Sources: search engines, social media, job boards, news stories, investor data, company profiles, suppliers, domain and network ownership

– A wealth of information can be found… in as little as 20 minutes

Recommendation: understand what the world can determine about you


Open Source Intelligence (OSINT)

What could be learned

• Names and details of employees

& corporate officers

• Projects & reporting structure

• Roles and relationships

• Physical and logical locations

• HW, OS and Apps in use

• Security controls

• Trusted Vendors

How it could be used

• Phishing, spear-phishing

• Confidence scams/schemes

• Network & system targeting

• Software vulnerabilities

• Targeting security gaps

• Vendor impersonation/compromise

• Targeted malware

• Custom extortion & manipulation


Inclusion of Threat Agent Aspects into the Risk Picture

• Tools and process form a sustainable security capability

• Prediction of threats feeds intelligent decisions

• Smart security is the key to success

Strategic Cybersecurity Capability Process

Prediction: Predict the most likely attacks, targets, and methods. Proactive measures to identify attackers, their objectives and methods prior to materialization of viable attacks.

Prevention: Prevent or deter attacks so no loss is experienced. Secure the computing environment with current tools, patches, updates, and best-known methods in a timely manner. Educate and reinforce good user behaviors.

Detection: Identify attacks not prevented to allow for rapid and thorough response. Monitor key areas and activities for attacks which evade prevention. Identifies issues, breaches, and attacks.

Response: Rapidly address incidents to minimize losses and return to a normal state. Efficient management of efforts to contain, repair, and recover as needed, returning the environment to normal operations.


Prioritizing your Most Important Exposures

• Understand the capabilities, methods, & objectives of your APT threats

• Combine threat characteristics with vulnerability analysis to find the weak areas in your organization most likely to be exploited

• Counter these threats with proper allocation of resources

Threat prediction can improve Prevention, Detection, and Response
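The three steps the deck walks through (threat agent archetypes with motivations, objectives, methods and attributes; intersecting the relevant agents' likely methods with your own weaknesses; ranking the uncontrolled vulnerabilities those methods reach) can be mechanised as a small scoring model. The following is an added example written for this transcript, not code from the talk or from Intel. The Organized Criminals card follows the slide; the Nation-State Cyberwarrior and Digital Thief attributes, the 1..5 skill and resource scales, the 1.5x weight for directed attackers, the organization profile and every vulnerability are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatAgent:
    name: str
    motivation: str
    objectives: frozenset   # what the agent wants, as tags
    methods: frozenset      # how it most likely pursues them, as tags
    skill: int              # 1 (novice) .. 5 (expert); constructed scale
    resources: int          # 1 (lone actor) .. 5 (state funded); constructed scale
    directed: bool          # True = "stalk and snipe" (APT), False = "spray and pray"


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    asset: str
    enables: frozenset      # attack-method tags this weakness would enable
    controlled: bool        # a compensating control already covers it


def capability(agent):
    """Skill and resources bound what an agent can do. A directed attacker keeps
    going until its objective is met, so it is weighted higher (1.5x is an
    assumed tuning value, not from the deck)."""
    return (agent.skill + agent.resources) * (1.5 if agent.directed else 1.0)


def relevant_agents(agents, assets_of_value):
    """Not every archetype threatens every organization: keep only those whose
    objectives intersect what this organization actually holds."""
    return [a for a in agents if a.objectives & assets_of_value]


def method_weights(agents):
    """Intersection step: each likely method is scored by the most capable
    relevant agent that would use it (max, so overlapping archetypes do not
    double-count)."""
    weights = {}
    for a in agents:
        for m in a.methods:
            weights[m] = max(weights.get(m, 0.0), capability(a))
    return weights


def exposures(vulns, weights):
    """Vulnerabilities without controls that a likely method reaches are the
    exposures. Controlled ones, and ones no relevant agent would use, drop
    out; that is where the resource saving the deck argues for comes from."""
    ranked = []
    for v in vulns:
        if v.controlled:
            continue
        hit = v.enables & set(weights)
        if not hit:
            continue
        ranked.append((v.vuln_id, v.asset, sum(weights[m] for m in hit), sorted(hit)))
    return sorted(ranked, key=lambda row: -row[2])   # stable: ties keep input order


def prioritize(agents, vulns, assets_of_value):
    return exposures(vulns, method_weights(relevant_agents(agents, assets_of_value)))


# --- constructed sample data (only the Organized Criminals card follows the slide) ---
AGENTS = [
    ThreatAgent("Organized Criminals", "Personal Financial Gain",
                frozenset({"payment card data", "resalable data", "IP"}),
                frozenset({"compromise payment systems", "access financial assets",
                           "copy IP or resalable data", "digital ransom",
                           "fraudulent use of digital assets"}),
                skill=4, resources=4, directed=False),
    ThreatAgent("Nation-State Cyberwarrior", "Strategic advantage (assumed)",
                frozenset({"IP", "intelligence"}),
                frozenset({"copy IP or resalable data", "spear-phishing",
                           "supply-chain compromise"}),
                skill=5, resources=5, directed=True),
    ThreatAgent("Digital Thief", "Personal Financial Gain",
                frozenset({"payment card data"}),
                frozenset({"phishing", "credential theft"}),
                skill=2, resources=1, directed=False),
]

# A design firm: holds IP and employee records, processes no card payments itself.
ORG_ASSETS = frozenset({"IP", "employee PII"})

VULNS = [
    Vulnerability("V-1", "source repository", frozenset({"copy IP or resalable data"}), False),
    Vulnerability("V-2", "HR portal", frozenset({"phishing", "credential theft"}), False),
    Vulnerability("V-3", "mail gateway", frozenset({"spear-phishing"}), False),
    Vulnerability("V-4", "payment gateway", frozenset({"compromise payment systems"}), True),
    Vulnerability("V-5", "build server",
                  frozenset({"supply-chain compromise", "copy IP or resalable data"}), False),
]


def demo():
    """Ranked exposures for the constructed organization."""
    return prioritize(AGENTS, VULNS, ORG_ASSETS)


if __name__ == "__main__":
    for vuln_id, asset, score, methods in demo():
        print(f"{vuln_id} {asset:18} score={score:5.1f} via {', '.join(methods)}")
```

With this data the Digital Thief is filtered out (it wants payment card data the firm does not hold), the HR portal weakness scores nothing because no relevant agent uses the methods it enables, the controlled payment gateway is skipped, and the build server ranks first because two high-weight methods reach it. The point to take from the model is the filtering, not the numbers: the same vulnerability list ranks differently for a retailer whose assets of value include payment card data.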