Addressing the Cyber Kill Chain

André Carraretto, CISSP, Security Strategist

Upload: symantec-brasil

Post on 15-Jan-2017


Agenda

1 Current Threat Landscape Challenges

2 The Cyber Kill Chain

3 How Symantec can help

4 Q&A

Copyright © 2015 Symantec Corporation

Current Threat Landscape Challenges


Enterprise Threat Landscape

Attackers moving faster:
• 5 of 6 large companies attacked
• 317M new malware created
• 1M new threats daily
• 60% of attacks targeted SMEs

Digital extortion on the rise:
• 113% increase in ransomware
• 45X more devices held hostage

Malware gets smarter:
• 28% of malware was Virtual Machine Aware

Zero-day threats:
• 24 zero-day vulnerabilities, an all-time high
• Top 5 unpatched for 295 days in total

Many sectors under attack:
• Healthcare +37%, Retail +11%, Education +10%, Government +8%, Financial +6%

Source: Symantec Internet Security Threat Report 2015

Key Trends Reshaping the Enterprise Security Market

• Resurgence of endpoint: rapid shift to mobile and IoT
• Disappearing perimeter: the network perimeter is decreasingly relevant as it becomes "fuzzy"
• Rapid cloud adoption: enterprise data and applications moving to the cloud
• Services: Security as a Service; "box fatigue"
• Cybersecurity: governments and regulators playing an ever larger role

Top Breaches in 2014 (four image-only slides; no transcript text)

Top Breaches in 2015 (so far...) (two image-only slides; no transcript text)

The Cyber Kill Chain


The Cyber Kill Chain

• A military concept, now applied to cyber security
• Developed by Lockheed Martin in 2011
• Describes the phases an adversary follows to target an organization
• It has 7 well-defined phases
• An attack is considered successful only if/when all phases have been accomplished; breaking the chain at any earlier phase stops the intrusion, which is why defenders map controls to each phase

The seven phases:

• Reconnaissance: harvesting email addresses, conference information, etc.
• Weaponization: coupling an exploit with a backdoor into a deliverable payload
• Delivery: delivering the weaponized bundle to the victim via email, web, USB, etc.
• Exploitation: exploiting a vulnerability to execute code on the victim's system
• Installation: installing malware on the asset
• Command & Control: a command channel for remote manipulation of the victim
• Actions on Objectives: with "hands on keyboard" access, intruders accomplish their original goal

Addressing the Cyber Kill Chain

Course-of-action matrix, one block per phase with the four Gartner columns: Detect / Deny or Contain / Disrupt, Eradicate or Deceive / Recover.

Reconnaissance
• Detect: web analytics, Internet scanning reports, vulnerability scanning, pen testing, SIEM, DAST/SAST, threat intelligence, TIP
• Deny or Contain: firewall ACLs, system and service hardening, network obfuscation, logical segmentation
• Disrupt, Eradicate or Deceive: honeypot
• Recover: SAST/DAST

Weaponization
• Detect: sentiment analysis, vulnerability announcements, vulnerability assessment
• Deny or Contain: NIPS, NGFW, patch management, configuration hardening, application remediation
• Disrupt, Eradicate or Deceive: SEG, SWG
• Recover: (none listed)

Delivery
• Detect: user training, security analytics, network behavior analysis, threat intelligence, NIPS, NGFW, WAF, DDoS protection, SSL inspection, TIP
• Deny or Contain: SWG, NGIPS, ATD, TIP
• Disrupt, Eradicate or Deceive: EPP
• Recover: backup or EPP cleanup

Exploitation
• Detect: EPP, NIPS, SIEM, WAF
• Deny or Contain: EPP, NGIPS, ATD, WAF
• Disrupt, Eradicate or Deceive: NIPS, NGFW, EPP, ATD
• Recover: data restoration from backups

Installation
• Detect: EPP, endpoint forensics or ETDR, sandboxing, FIM
• Deny or Contain: EPP, MDM, IAM, endpoint containerization/app wrapping
• Disrupt, Eradicate or Deceive: EPP, HIPS, incident forensic tools
• Recover: incident response, ETDR

Command and Control
• Detect: NIPS, NBA, network forensics, SIEM, DNS security, TIP
• Deny or Contain: IP/DNS reputation blocking, DLP, ATA
• Disrupt, Eradicate or Deceive: DNS redirect, threat intelligence on DNS, egress filtering, NIPS
• Recover: incident response, system restore

Action on Targets
• Detect: logging, SIEM, DLP, honeypot, TIP, DAP
• Deny or Contain: egress filtering, SWG, trust zones, DLP
• Disrupt, Eradicate or Deceive: QoS, DNS, DLP, ATA
• Recover: incident response

Abbreviations used above: TIP = threat intelligence platform; SEG/SWG = secure email/web gateway; NIPS/NGIPS = (next-generation) network intrusion prevention system; NGFW = next-generation firewall; WAF = web application firewall; EPP = endpoint protection platform; ETDR = endpoint threat detection and response; FIM = file integrity monitoring; HIPS = host intrusion prevention system; NBA = network behavior analysis; DAP = database audit and protection; DAST/SAST = dynamic/static application security testing.

Source: Gartner (August 2014) – G00263765

How Symantec can help


Symantec Enterprise Security | STRONG FRANCHISES

• Endpoint Security: #1 share; AAA rating 12 quarters in a row
• Email Security: #1 share; 100% uptime with <0.0003% false positives 5 years in a row
• Data Protection: #1 DLP share; 100% of Fortune 100
• Trust Services: #1 share; 6B certificate lookups/day
• Authentication & Authorization: 13B validations every day; 100% uptime last 5 years
• Managed Security Services: 12 years Gartner MQ leader; 30B logs analyzed/day

Symantec Enterprise Security | UNIQUE VISIBILITY

• 57M attack sensors in 157 countries
• 175M endpoints
• 182M web attacks blocked last year
• 3.7T rows of telemetry, 100 billion more per month
• 9 threat response centers
• 500+ rapid security response team
• 30% of the world's enterprise email traffic scanned/day
• 1.8 billion web requests

Symantec Enterprise Security | PRODUCT STRATEGY

Threat Protection (endpoints, data center, gateways)
• Advanced threat protection across all control points
• Built-in forensics and remediation within each control point
• Integrated protection of server workloads: on-premise, virtual, and cloud
• Cloud-based management for endpoints, data center, and gateways

Unified Security Analytics Platform
• Log and telemetry collection
• Unified incident management and customer hub
• Inline integrations for closed-loop actionable intelligence
• Regional and industry benchmarking
• Integrated threat and behavioral analysis

Information Protection (data, identities)
• Integrated data and identity protection
• Cloud security broker for cloud and mobile apps
• User and behavioral analytics
• Cloud-based encryption and key management

Control points covered: users, data, apps, cloud, endpoints, gateways, data center

Cyber Security Services: monitoring, incident response, simulation, adversary threat intelligence

Addressing the Cyber Kill Chain with Symantec

Symantec products mapped to the same matrix, one block per phase: Detect / Deny or Contain / Disrupt, Eradicate or Deceive / Recover.

Reconnaissance
• Detect: Deepsight Threat Intelligence, Managed Security Services (MSS), Control Compliance Suite
• Deny or Contain: Control Compliance Suite, Datacenter Security
• Disrupt, Eradicate or Deceive: N/A
• Recover: N/A

Weaponization
• Detect: Deepsight Managed Adversary Threat Intelligence (MATI)
• Deny or Contain: Control Compliance Suite, Altiris ITMS
• Disrupt, Eradicate or Deceive: Messaging Gateway, Symantec.cloud (email/web)
• Recover: N/A

Delivery
• Detect: MSS, Deepsight Threat Intelligence, Blackfin acquisition (user training, phishing tests)
• Deny or Contain: ATP Suite, Deepsight Threat Intelligence
• Disrupt, Eradicate or Deceive: Endpoint Protection
• Recover: Endpoint Protection (Power Eraser), Veritas

Exploitation
• Detect: Endpoint Protection, Datacenter Security, MSS
• Deny or Contain: Endpoint Protection, Datacenter Security, ATP Suite, Deepsight Threat Intelligence
• Disrupt, Eradicate or Deceive: Endpoint Protection, ATP Suite, Datacenter Security
• Recover: Veritas

Installation
• Detect: Endpoint Protection, Advanced Threat Protection Suite (ATP Suite), Datacenter Security
• Deny or Contain: Endpoint Protection, Mobility Suite, Authentication Manager, VIP, Managed PKI
• Disrupt, Eradicate or Deceive: Endpoint Protection, ATP Suite, Datacenter Security
• Recover: Incident Response Retainer Services

Command and Control
• Detect: MSS, Deepsight Threat Intelligence
• Deny or Contain: Deepsight Threat Intelligence, DLP, ATP Suite
• Disrupt, Eradicate or Deceive: Deepsight Threat Intelligence
• Recover: Incident Response Retainer Services

Action on Targets
• Detect: MSS, Data Loss Prevention (DLP), Deepsight Threat Intelligence
• Deny or Contain: Data Loss Prevention
• Disrupt, Eradicate or Deceive: DLP, ATP Suite
• Recover: Incident Response Retainer Services

Source: Gartner (August 2014) – G00263765

Recommendations

Reconnaissance

• Regular external scanning / pentests
• Deepsight MATI: monitor the underground Internet
• DCS:SA: enforce the least-privilege concept on Internet-facing servers
• MSS: analytics to detect indicators of unwanted activity against Internet-facing servers
• Employ a secure SDLC to guarantee applications process untrusted input correctly
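As an added illustration of the analytics bullet above (this is example code written for this page, not code from the deck or from Symantec), the script below flags reconnaissance against an Internet-facing web server from its access log. It looks for the two signals a scanner leaves: many distinct paths with a high error ratio inside a short window, and a known scanner user-agent. The log lines, IP addresses, thresholds and the scanner user-agent list are all constructed for the example.

```python
"""Detect web reconnaissance (path/directory scanning) from access logs.
Added example for this page; sample log lines are constructed, not real."""
import re
from collections import defaultdict
from datetime import datetime

# Assumption: the server writes the Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Constructed list of user-agent fragments typical of scanning tools.
SCANNER_UA = re.compile(r"nikto|sqlmap|nmap|masscan|zgrab|dirbuster", re.I)

# Constructed sample: one ordinary visitor and one host probing for admin paths.
PROBE_PATHS = ["/phpmyadmin/", "/admin/", "/wp-login.php", "/.git/config", "/.env",
               "/backup.zip", "/cgi-bin/test.cgi", "/manager/html", "/console", "/xmlrpc.php"]
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2017:08:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2017:08:00:09 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2017:08:00:15 +0000] "GET /favicon.ico HTTP/1.1" 404 180 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.9 - - [10/Jan/2017:08:01:{i:02d} +0000] "GET {p} HTTP/1.1" 404 210 "-" "python-requests/2.9.1"'
    for i, p in enumerate(PROBE_PATHS)
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines, min_paths=8, min_error_ratio=0.5, window_s=120):
    """Return {source_ip: [reasons]} for sources that look like scanners.

    A source is flagged when, inside any window_s-second sliding window, it
    requests at least min_paths distinct paths and at least min_error_ratio of
    those requests were rejected (401/403/404), or when its user-agent matches
    a known scanning tool."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        if any(SCANNER_UA.search(r["ua"]) for r in recs):
            reasons.append("scanner user-agent")
        start = 0
        for end in range(len(recs)):
            # Advance the window start until it spans at most window_s seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            win = recs[start:end + 1]
            paths = {r["path"] for r in win}
            errors = sum(1 for r in win if r["status"] in (401, 403, 404))
            if len(paths) >= min_paths and errors / len(win) >= min_error_ratio:
                reasons.append(f"{len(paths)} distinct paths, {errors}/{len(win)} errors within {window_s}s")
                break
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in find_scanners(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Tune the thresholds to the site: a single-page application that fetches many distinct API paths legitimately needs a higher min_paths, and the error-ratio requirement is what keeps ordinary crawlers from being flagged. Feeding the flagged sources to a firewall ACL or SIEM watchlist is the "Deny" step of the Reconnaissance row.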

Weaponization

• Deepsight Intelligence: keep informed of recently discovered vulnerabilities and the weaponized exploits available for them
• Deepsight MATI: monitor possible/future activities planned against your organization and track adversaries

Recommendations

Delivery

• Keep using your traditional controls (NGFW, NGIPS, SWG, DDoS protection, WAF) to provide visibility and prevent compromise attempts
• ATP Suite: inspect suspicious files through sandboxing analysis
• Analyze DNS resolution to unwanted or malicious hosts

Exploitation

• MSS: collect and correlate logs from various control points to provide better visibility of malicious behavior
• Email Security.cloud, Endpoint Protection: these can help block most attack attempts
• Deepsight Datafeeds: provide intelligence on malicious IPs/domains to your SIEM
• ATP Suite: inspect suspicious files through sandboxing analysis

Recommendations

Installation

• Endpoint Protection: to provide greater protection against advanced malware and browser attacks, plus application white/blacklisting
• SAM/VIP/MPKI: employ strong authentication to reduce the likelihood of installation and data access
• Incident Response Retainer: helps with incident response practices and containment

Command and Control

• Deepsight Datafeeds: provide intelligence on malicious IPs/domains to your SIEM. They can also be used to create a "DNS sinkhole" that diverts malicious connections to an address you control
• MSS: collect and correlate logs from various control points to provide better visibility of malicious behavior, including C&C connections
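Both the Exploitation bullet on feeding malicious domains to a SIEM and the Command and Control bullet on building a DNS sinkhole come down to the same two operations, so one added example (written for this page, not code from the deck or from Symantec) covers both: it matches resolver query logs against an indicator feed, and it renders that feed as a BIND response-policy zone (RPZ) so the domains resolve to a sinkhole address. The feed domains, client IPs and log lines are constructed; the query-log format follows BIND 9's querylog output, where the parenthesised name after the client port appears only in newer releases.

```python
"""Match DNS query logs against a threat-intel domain feed and render the feed
as a BIND RPZ sinkhole zone. Added example; feed and log lines are constructed."""
import re

# Constructed indicator feed (hypothetical domains; a real one would come from a
# threat-intelligence datafeed such as the one the deck mentions).
FEED = ["evil.example", "c2.badactor.test"]

# Constructed BIND querylog lines: two clients, one benign lookup, one look-alike.
QUERY_LOG = [
    "10-Jan-2017 08:12:01.123 client 10.0.0.5#51234 (beacon.evil.example): query: beacon.evil.example IN A + (10.0.0.1)",
    "10-Jan-2017 08:12:02.456 client 10.0.0.5#51235: query: www.symantec.com IN A + (10.0.0.1)",
    "10-Jan-2017 08:12:05.789 client 10.0.0.9#40001: query: notevil.example IN A + (10.0.0.1)",
    "10-Jan-2017 08:12:07.000 client 10.0.0.9#40002: query: c2.badactor.test IN TXT + (10.0.0.1)",
]

QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalise(name):
    """Lower-case and strip the trailing dot so 'EVIL.example.' == 'evil.example'."""
    return name.lower().rstrip(".")


def is_blocked(qname, feed):
    """True if qname is a feed domain or a subdomain of one.

    Matching is label-wise on purpose: 'notevil.example' must NOT match
    'evil.example', which a naive str.endswith() check would get wrong."""
    labels = normalise(qname).split(".")
    blocked = {normalise(d) for d in feed}
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def sinkhole_hits(log_lines, feed):
    """Map each client IP to the blocked names it tried to resolve (SIEM-style
    correlation of resolver logs with the feed)."""
    hits = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and is_blocked(m["qname"], feed):
            hits.setdefault(m["client"], []).append(normalise(m["qname"]))
    return hits


def render_rpz_zone(feed, sinkhole_ip, serial=2017011501):
    """Render a BIND response-policy zone in which every feed domain and all of
    its subdomains (the wildcard record) answer with sinkhole_ip, so beacons
    land on a host you control and can log."""
    lines = [
        "$TTL 300",
        "@ IN SOA localhost. root.localhost. ( %d 3600 900 604800 300 )" % serial,
        "@ IN NS localhost.",
    ]
    for d in sorted({normalise(d) for d in feed}):
        lines.append("%s IN A %s" % (d, sinkhole_ip))
        lines.append("*.%s IN A %s" % (d, sinkhole_ip))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_rpz_zone(FEED, "192.0.2.1"))
    for client, names in sinkhole_hits(QUERY_LOG, FEED).items():
        print(client, "->", ", ".join(names))
```

To activate the zone in BIND, load the rendered file as a zone and reference it from a response-policy option in named.conf (response-policy { zone "rpz.local"; };). Pointing the A records at "." instead of an IP would return NXDOMAIN rather than redirecting; the redirect form is preferable for C&C domains because the sinkhole host's connection log identifies exactly which internal machines are beaconing.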


Recommendations

Action on Targets

• Data Loss Prevention: to perform continuous monitoring of user behavior/data access
• Employ database monitoring tools to detect/block suspicious data access (excess in volume, abnormal times, locations, etc.)
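The database-monitoring bullet lists three signals (volume, time, location) without saying how a tool decides what is "abnormal". The following added example (written for this page, not the deck's or any vendor's code) shows the usual approach: build a per-user baseline from recent audit history, then score each new access against it. The audit records, user names, IPs and the factor-of-ten volume rule are all constructed assumptions; it detects only, and the block action would be the monitoring tool's.

```python
"""Score database access events against a per-user baseline built from audit
history. Added example; all records below are constructed."""
from datetime import datetime
from statistics import median

# Constructed audit history: (user, ISO timestamp, source IP, table, rows returned)
HISTORY = [
    ("alice", "2017-01-09T09:15:00", "10.1.4.20", "customers", 40),
    ("alice", "2017-01-09T11:02:00", "10.1.4.20", "customers", 55),
    ("alice", "2017-01-10T10:30:00", "10.1.4.21", "customers", 35),
    ("alice", "2017-01-10T16:45:00", "10.1.4.20", "orders", 60),
    ("alice", "2017-01-11T14:10:00", "10.1.4.22", "customers", 48),
    ("bob",   "2017-01-09T20:00:00", "10.2.0.7",  "orders", 500),
    ("bob",   "2017-01-10T21:30:00", "10.2.0.7",  "orders", 650),
    ("bob",   "2017-01-11T19:45:00", "10.2.0.8",  "orders", 580),
]


def subnet24(ip):
    """Reduce an IPv4 address to its /24 so a DHCP lease change is not 'new location'."""
    return ".".join(ip.split(".")[:3])


def hour_distance(a, b):
    """Circular distance between two hours of day (23 and 0 are one hour apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def build_baseline(history):
    """Per user: median rows per query, hours of day seen, /24s seen, tables seen."""
    acc = {}
    for user, ts, ip, table, rows in history:
        b = acc.setdefault(user, {"rows": [], "hours": set(), "nets": set(), "tables": set()})
        b["rows"].append(rows)
        b["hours"].add(datetime.fromisoformat(ts).hour)
        b["nets"].add(subnet24(ip))
        b["tables"].add(table)
    return {
        u: {"median_rows": median(b["rows"]), "hours": b["hours"],
            "nets": b["nets"], "tables": b["tables"]}
        for u, b in acc.items()
    }


def assess(event, baseline, volume_factor=10, hour_slack=1):
    """Return the list of reasons an event is suspicious (empty list = normal)."""
    user, ts, ip, table, rows = event
    b = baseline.get(user)
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if rows > volume_factor * b["median_rows"]:
        reasons.append("volume: %d rows vs median %d" % (rows, b["median_rows"]))
    hour = datetime.fromisoformat(ts).hour
    if all(hour_distance(hour, h) > hour_slack for h in b["hours"]):
        reasons.append("abnormal time: %02d:00" % hour)
    if subnet24(ip) not in b["nets"]:
        reasons.append("new location: %s" % ip)
    if table not in b["tables"]:
        reasons.append("new table: %s" % table)
    return reasons


def triage(events, baseline):
    """Score a batch of events; returns {event: [reasons]} for flagged events only."""
    out = {}
    for e in events:
        r = assess(e, baseline)
        if r:
            out[e] = r
    return out


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    events = [
        ("alice", "2017-01-12T03:05:00", "198.51.100.4", "customers", 50000),
        ("alice", "2017-01-12T10:00:00", "10.1.4.20", "customers", 42),
    ]
    for e, reasons in triage(events, base).items():
        print(e[0], e[1], "->", "; ".join(reasons))
```

Each reason maps to one of the three signals in the bullet, and an event that trips all three at once (a 50,000-row dump of the customers table at 03:00 from an address never seen for that user) is the bulk-exfiltration pattern that the Actions on Objectives phase is meant to catch. In production the baseline window should roll (for example the last 30 days) so that a user's legitimately changing schedule does not keep generating alerts.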


Q&A

Thank you!

Copyright © 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

André Carraretto, [email protected]

@andrecarraretto

https://br.linkedin.com/in/andrecarraretto