Anatomy of an Attack: How to Defend Against a Multi-Stage Attack
Michael Osterman | Osterman Research

Uploaded by: mcafee
Posted on 11-Apr-2017

TRANSCRIPT

Page 1: Anatomy of an Attack: How to Defend Against a Multi-Stage Attack

Michael Osterman | Osterman Research

Page 2

McAfee Confidential

About Osterman Research

• Focused on the messaging, Web and collaboration industries

• Practice areas include archiving, security, encryption, content management, etc.

• Strong emphasis on primary research conducted with decision makers and influencers

• Founded in 2001

• Based near Seattle

©2014 Osterman Research, Inc.

Page 3

“Take advantage of the enemy's unpreparedness; travel by unexpected routes and strike him where he has taken no precautions.”

- Sun Tzu

“I remember when a hacker was someone who murdered people by chopping them into tiny pieces. A simpler, more innocent time.”

@badbanana

Page 4

Types of Attack

Phishing attacks
• Broad-based and fairly unfocused
• Contains an attachment or a link

Spearphishing
• Much more focused, normally on a select audience within a company
• Also contains either an attachment or a link

Whaling
• Highly focused, usually on a CFO, CEO or other high-value targets
• Also contains either an attachment or a link

Spam
• Less of a problem than it was, but it continues to be a serious issue
• Can be part of a blended attack

Page 5

Types of Attack (cont’d.)

Advanced Persistent Threats
• Long-term, continued attacks against a company using a variety of threats

Watering hole attacks
• Cybercriminals will infect a Web site that a particular group is likely to visit with the goal of infecting members of that group

Nation/state attacks
• Highly sophisticated (e.g., Stuxnet and Duqu)
• Can involve any of the threats noted above

Page 6

Threats are Evolving

Malware is morphing
• Obfuscation
• One-time URLs

Detection delays
• There can be tens or hundreds of days between parts of an attack, making it difficult to detect
• Verizon found that 62% of respondents reported it took “months” to learn they had been breached*

Cybercriminals are getting smarter, victims…not so much

*2014 Data Breach Investigations Report

Page 7

The Goal

Steal money
• Drain financial accounts
• Obtain credit card data

Steal data
• Intellectual property
• Sensitive or confidential information
• Health-related information

Gain access to sensitive systems
• Military databases
• Defense contractors

Page 8

Three Basic Issues to Address

Detect phishing attacks
• Spearphishing
• Whaling
• Other forms of attack

Detect malware
• In an email
• In a link
• In a social media post
• On a Web site

Detect outbound content
• Exfiltrated data
• DLP is essential

Page 9

The Social Media Problem

A message with the subject line “Problem with your recent transaction at Three Fingered Jacks Saloon & Café” would be a good way to get this Facebook poster to open a phishing email. Telling the world about your recent purchases could make you subject to spearphishing attacks focused specifically on messages discussing product recalls or problems with a credit card charge. Advertising where you are and the travel problems you’re experiencing could result in your receiving a text or email asking you to log into your travel account.

Page 10

Other Issues to Consider

False positives can render a solution moot
• A solution can produce too much information
• Valid data can be lost in the flood of alerts and other information
• Security staff may become accustomed to the false positives and assume that valid data is simply more of the same

Mobile is becoming a more serious threat vector
• Personally owned devices over which IT has less control
• Mobile platforms are inherently less secure
• Copycat mobile applications are fairly common

Page 11

Examples

INFILTRATIONS
• Cryptolocker has infected 25 million computers as of early 2014.
• MiniDuke infiltrates sensitive systems like government computers.
• A phishing attack on Fazio Mechanical penetrated company defenses and infected a computer with a ZeuS variant.
• Israel Aerospace Industries was targeted by the Comment Crew, a hacking group sponsored by the Chinese government. By installing malware onto IAI computers, the hackers were able to exfiltrate data on Israel’s Iron Dome missile defense system.

CONSEQUENCES
→ Untold numbers of victims have paid ransom to cybercriminals
→ Highly sensitive military or other data may have been stolen
→ Two months later, customer records for 110 million customers were stolen from Target.
→ Consequences uncertain: the cybercriminals may have wanted to steal data so that a Chinese version of the missile defense system could be built, or they may have sought information to render Iron Dome inoperable.

Page 12

What to Do Next

Users are the first line of defense
• Train users to be skeptical, not to click on unknown links, not to open suspect attachments
• Get smart about social media
• Be careful when connecting to unprotected networks
• Don’t forget about mobile users!

Implement a multi-phase solution to detect and remediate threats
• Implement policies for handling email attachments and other content
• Phishing, spearphishing and whaling attacks
• Malware and Web traffic
• A DLP solution that will examine outbound content

Key: focus comprehensively on all attack vectors

Page 13

For More Information

Osterman Research, Inc.
+1 253 630 5839
+1 206 905 1010
[email protected]
www.ostermanresearch.com
ostermanresearch.wordpress.com
mosterman

Page 14

The McAfee Solution: Protect Against Multi-stage Attacks

• Email Protection
• Web Protection
• Data Loss Prevention (DLP)

Page 15

“95% of all attacks on enterprise networks are the result of successful spear phishing.”

– Alan Paller, Director of Research, SANS Institute

Page 16

The Challenge

• 10 Questions
• 20,000+ respondents
• 48 countries

How would your business users fare?

Page 17

The Sobering Results

• Average Score? 1 in 3 emails are misclassified
• 80% of all employees fell for at least one phishing email
• 88% in HR and Finance fell for at least one phishing email

Page 18

Take the Email Phishing Quiz! www.mcafee.com/phishingquiz

Page 19

Attack Intercept Points (September 23, 2014)

RECON TO IDENTIFY EXPLOIT → WEAPONIZE / CRAFT AN EMAIL → DELIVER / EMAIL SCANNED → USER OPENS → USER CLICKS → EXPLOIT OCCURS → COMMAND & CONTROL, DATA EXFILTRATES → DATA SOLD ON UNDERGROUND MARKETS

• URLs • Attachments

Page 20

ClickProtect: Scan-time & click-time URL awareness

• Combats email-based advanced persistent threats (APTs), spearphishing and links to malware
• Works on any device
• URL reputation check at scan time
• Adds:
  • URL reputation check at click time
  • Real-time URL emulation
    - Backed by the McAfee Web Gateway enterprise web proxy
  • Unmasked URL
  • Customizable warning template

Page 21

Arms Users with Information: ClickProtect SafePreview

• McAfee Advanced Anti-Malware Scan is completed on link
• Unmasked URL helps end users determine if the site is safe to visit
• SafePreview image provides a screen scrape to help verify the site destination
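The scan-time versus click-time distinction on the two ClickProtect slides can be shown in a few lines. The following Python is an added example written for this page, not McAfee's ClickProtect code; the redirector host, signing key, reputation store and sample email are constructed placeholders.

```python
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

SECRET = b"constructed-demo-key"  # hypothetical signing key, not a real secret
REDIRECTOR = "https://clickprotect.example.invalid/go?u="  # hypothetical redirector
# Constructed reputation store; verdicts change over time, which is why a
# scan-time check alone misses one-time or delayed-activation URLs.
reputation = {}

def lookup(url):
    """Reputation verdict: 'clean', 'suspicious' or 'malicious' (unknown = clean)."""
    return reputation.get(url, "clean")

def rewrite_links(html):
    """Scan time: check each href once, then route it through the signed redirector."""
    def repl(m):
        url = m.group(1)
        if lookup(url) == "malicious":
            return 'href="[blocked at scan time]"'
        tag = hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()[:16]
        return f'href="{REDIRECTOR}{quote(url, safe="")}&t={tag}"'
    return re.sub(r'href="([^"]+)"', repl, html)

def click(rewritten):
    """Click time: verify the tag, re-check reputation, return (action, unmasked_url)."""
    m = re.match(re.escape(REDIRECTOR) + r"(.+)&t=([0-9a-f]{16})$", rewritten)
    if not m:
        return ("invalid", None)
    url = unquote(m.group(1))
    expect = hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(expect, m.group(2)):
        return ("invalid", None)  # tampered link: the redirector is not an open redirect
    verdict = lookup(url)
    if verdict == "malicious":
        return ("block", url)
    if verdict == "suspicious":
        return ("warn", url)  # a warning template would show the unmasked URL here
    return ("allow", url)

def demo():
    """Constructed scenario: the link is clean when scanned but flagged before the click."""
    mail = '<a href="https://updates.example.invalid/invoice">Invoice</a>'
    safe_mail = rewrite_links(mail)  # scan time: verdict is clean, link is rewritten
    link = re.search(r'href="([^"]+)"', safe_mail).group(1)
    reputation["https://updates.example.invalid/invoice"] = "malicious"  # intel arrives later
    return click(link)  # click time: ("block", unmasked URL)
```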

Page 22

McAfee Advanced Threat Defense

Dynamic Analysis
• Sandbox with Virtual Machine
• Behavior Only…
• Good, but Not Good Enough!

Static Analysis
• Reverse engineering code
• Observed behavior and familiarity of unexecuted code

Plus Unpacking

Integrated Malware Detection

Email Protection (SaaS)
• ClickProtect • Data Loss Prevention • Global Threat Intelligence
• Spear Phishing • Social Engineering • Weaponized doc • Malicious URLs

Web Protection (SaaS)
• Real-time Malware Emulation & Detection • Application Controls • C2 Identification
• Watering hole • Drive by Downloads • PDF/Office Exploits • SQL Injection

Advanced Threat Defense
• Static and Dynamic Analysis • Zero Day Protection • Containment / Remediation

Page 23

The right solution for today and tomorrow: Form Factor Freedom

In the Cloud
• Unlimited scalability

On-premises
• Leverages existing infrastructure
• Turnkey appliance
• Blade servers for the most demanding environments; 10+ messages/hour/blade

Integrated Hybrid
• Single management console
• Single license

Enables better security for:
• In the Cloud: Clean Pipes
• On-premises: Data Residency
• Integrated Hybrid: Best of Cloud & On-premises

Page 24

The McAfee Solution: Protect Against Multi-stage Attacks

Page 25

Web Gateway Multi-layered Protection

ePO

Application Visibility
• Identify all web applications, including shadow IT
• Enforce acceptable usage policy
• Control access with SSO and multi-factor authentication

Data Leakage
• DLP Engine
  ‒ Full dictionaries
  ‒ Enforce data leakage policy
• File encryption
  ‒ Protect data on file-sharing sites

Botnet Client
• Identify “phone-home” behavior
• Aggressive scanning of non-human initiated requests

Anti-Malware
• Signature-based AV
• Zero-day malware detection
  ‒ Dissect, emulate target platform environment
  ‒ Evaluate code behavior

SSL Scanning
• Scrutinize HTTPS traffic
• Identify malware and applications hidden in encrypted web sessions

Content Inspection
• Reputation (GTI)
• Geo-location (GTI)
• URL categorization & filtering (GTI)
• Media & file analysis

Outbound Traffic / Inbound Traffic

Page 26

Web Gateway + Advanced Threat Defense: The Industry’s Most Complete Malware Detection Solution

[Chart: analysis layers compared by Number of Samples You Can Process versus Compute Cycles Needed: White/Black Listing (Known Good / Known Bad), AV, GTI, Real-time Emulation, Dynamic / Reverse-engineering Analysis]

Page 27

Deployment Options: Deploy on-premises, in the cloud, or a hybrid combination

[Diagram: deployment combinations shown as VM; Appliance and SaaS (Hybrid); Remote Users (SaaS); SaaS or VM]

Performance and Scalability from Branch Offices to Corporate Headquarters

Common policy, management & reporting

• Hardware Appliances • Blade Server • Virtual Appliance • Cloud-based SaaS

Page 28

McAfee Client Proxy: Protect mobile & remote users

[Diagram: Off Network: Browser with Client Proxy → Internet → McAfee Data Center SaaS Web Protection (or Web Gateway in DMZ). Corporate Office: Browser → On-Network Web Gateway]

Page 29

The McAfee Solution: Protect Against Multi-stage Attacks

Page 30

McAfee DLP Comprehensive Suite

Data Types: • Data-in-Motion • Data-at-Rest • Data-in-Use

Data Loss Vectors: • Email • Web Post • Network • IM Chat • Desktop/Laptop • Database • File Share • Removable Media • Screen • Printer • Clipboard

Solution: • DLP Prevent • DLP Monitor • DLP Discover • DLP Endpoint

Page 31

Defend Against Multi-Stage Attacks

McAfee Email Protection
• Block inbound spam, phishing attacks
• Click-protect
• Scan outbound email using DLP

McAfee Web Protection
• Stop web malware downloads
• Expose Shadow IT applications
• Enforce acceptable usage policy
• Scan outbound web traffic using DLP

McAfee Advanced Threat Defense
• Sandbox – dynamic code analysis
• Reverse-engineering – static code analysis

McAfee DLP
• Protect data in motion (email, web)
• Data at rest
• Data in use (endpoint)
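The outbound DLP scanning summarised here and on the earlier "Detect outbound content" slide, as an added Python example that is not McAfee's DLP engine: a constructed policy dictionary plus a Luhn-validated card-number check produce an allow/quarantine/block action for an outbound message. Dictionary terms, weights, thresholds and the sample messages are all constructed.

```python
import re

# Constructed policy dictionary (the slides' "full dictionaries"): term -> weight.
DICTIONARY = {"confidential": 2, "internal only": 2, "customer list": 3}
# Candidate payment card numbers: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
BLOCK_AT, QUARANTINE_AT = 5, 2  # constructed policy thresholds


def luhn_ok(digits):
    """Luhn checksum so that arbitrary digit runs do not trigger the card rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    """Return card numbers (separators stripped) that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(message):
    """Score outbound content; return (action, score, hits) with card numbers masked."""
    low = message.lower()
    terms = [t for t in DICTIONARY if t in low]
    cards = find_cards(message)
    score = sum(DICTIONARY[t] for t in terms) + 5 * len(cards)
    hits = terms + ["*" * (len(c) - 4) + c[-4:] for c in cards]
    if score >= BLOCK_AT:
        return ("block", score, hits)
    if score >= QUARANTINE_AT:
        return ("quarantine", score, hits)
    return ("allow", score, hits)
```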

Page 32

Thank You! Q&A

www.mcafee.com/emailwebsecurity

Page 33

www.mcafee.com