Cracking Energy and Utilities: Insider Tips for Endpoint Security
eBook
Table of Contents
Introduction  3
Your Endpoints Are Vulnerable  4
How Vulnerable is Your Endpoint Software?  5
Social Engineering  6
The Cyber Kill Chain  7
Inside the Head of an Attacker  9
Insider Tips for Endpoint Security  11
The Endpoint in Focus  14
Stopping Attacks at Delivery  16
How Carbon Black Can Help  17
Summary  18
Introduction
Despite decades of attacks, energy companies and utilities continue to struggle with the fundamentals of endpoint security. IT
organizations, large and small, continue to wrestle with basic endpoint challenges such as understanding what applications are
running in their environment, who has administrative privileges, and what versions of software are installed on endpoints.
Utilities and energy companies are building better ways to deliver more affordable, cleaner, smarter resources to meet demand
and maximize profits. New IP-enabled equipment drives greater visibility throughout the value chain, and control systems that
were once isolated and proprietary now operate in an interconnected ecosystem. As a result, the industry is seeing a dramatic
increase in cyber attacks. Many of these attacks are getting through traditional security defenses such as anti-virus software.
As the threat landscape has evolved, enterprise servers and endpoints — and the employees operating them — have become
the primary target of attack.
This eBook will outline the strategies and tactics cyber criminals use to attack enterprise endpoints and servers. It will also
provide you with strategies and solutions your organization can use to arm your endpoints against these attacks.
“The energy sector led all other ICS reported incidents in 2014. Roughly 55% of incidents involved advanced persistent threats.”
— 2014 U.S. Department of Homeland Security Report
Your Endpoints Are Vulnerable
While the motivation behind individual attacks may vary, the objective is always the same: to steal your organization’s most
valuable data.
In the past, the impact of cyber crime was limited to the individual level, with limited strategic scope or impact. However, with
the rise of organized cyber crime and state-sponsored actors, today’s attacks have organizational, even national-security-level,
impacts.
Since 2009, servers and end-user endpoints have risen to become the preferred point of entry for today’s cyber criminals to
gain a foothold in your network. As a defender, it is useful to understand this, as it can shed light on gaps you may have in your
current security program and where you need to implement extra protection.
As the crown jewels of enterprise data, servers have always been the number one asset cyber criminals want to breach.
However, as organizations move to adopt cloud and other Web-powered services, end-user devices are growing in favor as
they can often serve as a backdoor into an organization’s servers and are more likely to be managed by individuals
susceptible to social engineering attacks.
Figure 1: Point of entry by asset category (Server, Kiosk/Person, Network, User Devices), 2009 through 2013; vertical axis 0 to 800.
Source: Verizon 2014 Data Breach Investigations Report
How Vulnerable is Your Endpoint Software?
Cyber criminals often leverage vulnerabilities in software already running on a system to gain access and establish persistence
on a machine.
Figure 2 lists the top 18 programs from Secunia’s 2015 Vulnerability Review, Top 50 Software Portfolio. It shows the type of
program (Microsoft or third-party), the 2014 market share, and the number of vulnerabilities affecting the software programs in
2013 and 2014.
For example, Adobe Reader with an 85.6 percent market share had:
• Five Secunia Advisories (an approximation of the number of security events in a given period)
• 43 Secunia Vulnerability Count (VULNS: the number of vulnerabilities covered by the Secunia Advisories)
We all remember when Adobe announced that its software was compromised in October 2013. Eventually 38 million accounts
were affected.
According to the same report, 1,348 vulnerabilities were discovered in 17 products from seven desktop vendors in 2013 in the
Top 50 portfolio, including the most-used operating system, Microsoft Windows 7. This is a 42 percent increase in a five-year
trend and an 11 percent increase from 2013 to 2014. In addition, the combined number of ‘Highly Critical’ and ‘Extremely Critical’
vulnerabilities in the Top 50 represents 74.6 percent of all vulnerabilities.
Figure 2: The Top Software Portfolio
Source: 2015 Secunia Vulnerability Review
RANK  TYPE  PROD                                    SHARE   ADVS  VULNS
1     MS    MICROSOFT WINDOWS SCRIPT CONTROL        99.9%   0     0
2     MS    MICROSOFT XML CORE SERVICES (MSXML)     99.9%   3     3
3     MS    MICROSOFT NET FRAMEWORK                 99.5%   5     8
4     MS    MICROSOFT WINDOWS MEDIA PLAYER          99.3%   0     0
5     TP    MICROSOFT INTERNET EXPLORER             99.1%   13    289
6     MS    MICROSOFT VISUAL C++ REDISTRIBUTABLE    96.1%   0     0
7     TP    ADOBE FLASH PLAYER                      96.1%   20    99
8     MS    MICROSOFT SILVERLIGHT                   85.6%   0     0
9     MS    ADOBE READER                            85.3%   5     43
10    TP    MICROSOFT WINDOWS DEFENDER              81.0%   1     1
11    MS    ORACLE JAVA RE                          79.1%   4     119
12    MS    WINDOWS POWERSHELL                      76.1%   0     0
13    MS    WINDOWS DVD MAKER                       75.5%   0     0
14    MS    MICROSOFT WORD                          75.1%   6     13
15    MS    MICROSOFT EXCEL                         74.3%   1     2
16    MS    MICROSOFT POWERPOINT                    72.4%   0     0
17    MS    MICROSOFT XPS-VIEWER                    69.8%   0     0
18    NMS   GOOGLE CHROME                           65.6%   23    504
Social Engineering
More often than not, cyber criminals target people rather than technology because they are far easier to manipulate.
Why break through a wall if you can convince someone to open the door?
Cyber criminals understand this, so they are increasingly using social engineering and phishing attacks to obtain stolen
credentials and open a doorway into enterprise networks. According to the Verizon Data Breach Investigations Report for 2015,
credentials were the second most common type of record stolen by crimeware.
The reality in today’s world is that cyber criminals have learned that the weakest link in the security chain is the end user,
because end users are often naive and gullible to social engineering tactics. Whether it is a mobile device or a traditional
endpoint — such as a workstation or laptop — cyber criminals are leveraging the end user as a primary vector to gain access,
initially to a single system and ultimately to the larger enterprise infrastructure.
For example, the February 2015 “U.S. ICS-CERT Monitor” reported that spear-phishing is the second most common known attack
vector, behind network scanning.
The Cyber Kill Chain
When cyber criminals seek to infiltrate an organization, they follow a sophisticated, well-defined process that enables them to
leverage their skills effectively to quickly identify their targeted assets and avoid detection.
To help security practitioners better understand and defend against this process, Lockheed Martin researchers Eric Hutchins,
Mike Cloppert, and Rohan Amin developed a model known as the Cyber Kill Chain. Widely recognized as a foundational model
for information security, the Cyber Kill Chain is an invaluable tool for helping security professionals understand the processes
and techniques cyber criminals use to plan and conduct an attack.
While the specifics and flow will vary from one attack to the next, the Cyber Kill Chain provides a model for understanding the
techniques cyber criminals will use to break into your environment.
Figure 4: The Cyber Kill Chain1 (phases: Reconnaissance, Weaponization, Delivery, Exploitation, C & C, Exfiltration)
1 http://digital-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain
Phases of the Cyber Kill Chain
Reconnaissance
Smart military planners never act without knowledge of the enemy’s defenses and tactics. This is just as true in the domain of
cyber warfare, as cyber criminals today spend extensive resources to understand the tactics and environment of their targets.
The first step of reconnaissance is to identify appropriate targets that, if compromised, would meet the attacker’s objectives.
For example, an attacker seeking to gain control of a computer controlling the ICS in your environment would likely target
unsuspecting employees by sending phony emails with malware-laden content to individual laptops or drawing them to an
infected website. Once opened, the malware can sit there for months gaining access and harvesting data from networks and
devices of interest without anyone’s knowledge.
After they’ve selected a target, cyber criminals then attempt to gather as much intelligence as possible to inform the next
stages of their attack. This can include gleaning information from public websites, social networking, media reports, and other
sources. The attackers seek to learn as much as possible about their target before launching any form of attack.
Weaponization
After attackers have identified and researched an appropriate target, they then develop a weapon custom-tailored to that
target. They analyze the information systems used by the target and select an exploit that affects an operating system or
application known to be used by the intended victim. For example, a hacking group known as “Energetic Bear” infected energy
and industrial firms around the world with a malicious remote access Trojan (RAT) codenamed Havex, providing them the ability
to shut down major power grids, and oil and gas pipelines.
Attackers are reluctant to use zero-day vulnerabilities against all but the most valuable targets. Each time they launch a
zero-day exploit, they run the risk of the attack being detected and made known to the security community. After this occurs, the
zero-day attack loses its effectiveness as a weapon.
When an exploit is selected, it must be embedded in a delivery mechanism appropriate to the exploit and target. For example,
the attacker may embed code exploiting a vulnerability in Adobe Reader into a PDF file. Java exploits may then be coded into a
website that uses Java technology.
Delivery
After carefully selecting a target and weapon, a cyber criminal must then deliver the weapon to the intended target. Common
delivery mechanisms include the following:
• Sending a carefully designed spear-phishing message that tricks the target into clicking a link
• Placing an infected file on a USB drive and getting it into the target’s hands as a gift or leave-behind
• Storing the infected file on a website known to be frequented by the target
• Sharing an infected file with the target through a cloud-based file sharing mechanism
• SQL-injection attacks, where attackers send malformed data to database and backend systems via websites and online
forms to try to gain access or retrieve data
Unlike the phishing messages some attackers send to large numbers of individuals seeking to find a couple of unwitting
victims, the spear-phishing messages used by advanced threats are carefully designed to look like legitimate email sent
directly to the intended victim. They make use of information that the attacker gathered during the reconnaissance phase to
increase the likelihood that the target will act on the message.
Exploitation
After malware is delivered to a target system, the malware engages the selected exploit mechanism to gain control of the
system. The exploit gives the weapon the ability to manipulate the target system with administrative privileges. This level of
access enables the weapon to configure system settings, install additional malware, and perform other actions normally limited
to system administrators.
Command and Control
After a system is compromised, cyber criminals typically attempt to establish outbound connections to command-and-control
servers. These command links provide attackers with a way to communicate with the software on their victim systems without
establishing a direct inbound connection.
The connections made to command-and-control servers often use standard HTTPS connections to emulate normal Web
browsing activity. Because the connections are encrypted, they’re indistinguishable from any other HTTPS connection, other
than the fact that their destination isn’t a normal website. This approach allows cyber criminals to limit the likelihood of their
detection by intrusion detection systems monitoring traffic on the victim organization’s network.
In addition to bypassing intrusion detection systems, the command-and-control connection is also designed to evade firewall
controls on the victim network. While most network firewalls are set to block unsolicited inbound connections from the
Internet, they often allow unrestricted or minimally restricted access to Internet sites when a system on the internal network
initiates the connection. The attacker may then use this command-and-control connection to deliver instructions to the
compromised system.
Exfiltration
The ultimate goal of the attack, exfiltration, is the stealing and removal of proprietary data from your network. Having
established persistence, the cyber criminal can and will remain present inside your network for weeks, months, or years at
a time to slowly exfiltrate organizational data. According to the 2015 Trustwave Global Security Report, the average time
between intrusion and detection in 2014 was 188 days.
Inside the Head of an Attacker
To help you understand how each of these phases is executed, we will describe a fictional attack so you can see the Cyber Kill
Chain in action.
Step 1 — Reconnaissance
Joe is a hacker looking to infiltrate the control computers of a regional utility’s SCADA system. He starts stalking employees
on LinkedIn, Twitter, Facebook, and their blogs. He sees that several employees announce on Foursquare when they go to the
Starbucks location next to their organization’s headquarters for lunch. Joe goes to this Starbucks and watches the employees
work on their laptops. He starts to sniff traffic using tools like Firesheep and sees some of the basic information that they are
sending across the untrusted network.
Soon, Joe is grabbing data off the open network. He now has a few email addresses and knows what websites the employees
are visiting, including techstuff.com. With more reconnaissance work on LinkedIn, Google Groups, Facebook, and Maltego, Joe
knows who knows whom and begins to build an idea of how these employees operate and what goes on in their lives.
Joe then calls the organization’s help desk and gets information about the standard builds on the enterprise’s endpoints.
He goes to online support forums to see if any of these employees have ever posted anything.
Step 2 — Weaponization and Delivery
Once Joe has enough information, he is ready to take the next step – a spear-phishing attack. This takes the form of a
personalized email from employee #1 (one of the employees he tracked online at Starbucks) to employee #2 (Joe obtained this
email address during reconnaissance). The email is very personal and very casual. It says, “Hey, here is a TechStuff.com catalog
that I found and it happens to have a discount code in it.”
Using social media, industry events, and information on the company website, Joe will work hard to embellish the “lure” in this
spear-phishing tactic to build a message that appears familiar and relevant to his target. In some extremely sophisticated
attacks, Joe may even attend industry events in which his target participates.
Figure callouts on the sample lure: Captured: email address (engineer1@utitlity), colleague’s email ([email protected]), interests
(www.techstuff.com). On the sender: “Spoofed, of course.” On the link: “Most certainly clicking here.”
With a tailored subject line and message, the “lure” will contain a malformed document or perhaps a spreadsheet, or it will
prompt the recipient to visit a dummy website or to run a program.
If the employees do not take the initial lure, Joe will continue to try them at different times with tweaked subject lines,
messages and payload vehicles.
Step 3 — Exploitation
When engineer #2 clicks on the spear-phishing email link, the attachment is not a PDF but AN EVIL PDF with embedded
malicious code that secretly drops an unknown malicious payload onto engineer #2’s machine. Clicking on this PDF kicks off
a chain reaction which provides Joe with a foothold into the enterprise’s environment and achieves his necessary first step:
persistence. This chain reaction can include the dropping of additional payloads, automated lateral movement to other
network machines, and ultimately an attempt to connect outside the network, on a different communication channel, to Joe
to kick off Step 4: command and control.
Step 4 — Command and Control
Having infected engineer #2’s machine and successfully established both persistence on the system and outbound
connectivity, Joe is able to step into the driver’s seat. With outbound connectivity and remote control over engineer #2’s
system, Joe can now initiate a plethora of malicious activities to advance his goals.
He could begin recording engineer #2’s activity and conversations by copying emails, capturing keystrokes, or even accessing
his computer’s camera and microphone. He could attempt to move laterally and establish additional infections on enterprise
servers or on another high-value user’s machine, such as an executive’s, to gain access to log-in credentials or files of
particular interest or value.
Step 5 — Exfiltration
Once Joe has located targeted data, he will begin leveraging his C&C connections to exfiltrate data. This could be done in a
single push, but is more commonly done over a period of weeks or months to avoid detection.
Having established persistence within a network, Joe will often bounce between step 4 and step 5 as new information of value
is discovered or as new infections are made. Key to this point is understanding that the advancement of an attack to step 5, the
exfiltration of data, does not constitute the end of an attack. In fact, it can often be just the beginning, as attackers continue to
leverage their foothold to steal new information or compromise additional systems, both inside and outside of your organization.
Insider Tips for Endpoint Security
In order to detect and stop cyber-attacks, you must have “empathy” with the cyber criminal, get into the head of the attacker,
and figure out how he or she thinks. As in a combat situation, it is useful to think like your adversary and have a model, such as
the Cyber Kill Chain, to align your defense to reflect the realities of the war you are fighting.
Bear in mind that you have the home field advantage and can acquire various tools to detect and deny attacks by disrupting
or degrading the attack and deceiving the cyber criminal. Your objective is to respond to attacks by actively engaging with the
cyber criminal. In this way, you can reduce the time it takes to detect and respond to an attack from days or weeks to seconds.
The Reconnaissance Phase
The reconnaissance phase is an important part of this model for the cybercriminal but, unfortunately, you as the victim do not
have a view into it. If a cybercriminal is using Shodan, Google, or searching sites like LinkedIn trying to get information about you,
you do not necessarily know it. However, you can use one little trick to get a clue if somebody is doing reconnaissance on you.
For example, Frank, a security professional, knows that cybercriminals search technical forums looking for instances where
administrators are careless when asking questions – perhaps they post sensitive data such as a router configuration. Frank
put together a fake configuration for a Cisco router. This contained an access password and IP address that he posted within a
question to one of the forums. The fake router config actually pointed to a honeypot that Frank’s team created. When someone
came into the honeypot, logging in with the user name and password that was included in the fake router config, it signaled
Frank that someone was actively performing reconnaissance on the company’s network.
There are opportunities to detect this kind of behavior if you execute security strategies like this. In addition, you can set up
tar pits and make sure that you are alerted when people do Google-style reconnaissance on you.
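One way to turn Frank’s honeypot signal into an alert, as an added example that is not part of the original eBook: the script below parses constructed sshd-style log lines from the honeypot and raises one alert per source address that used the planted user name (assumed here to be netadmin-backup), whether or not the login succeeded, since that name exists only in the decoy config.

```python
import re
from collections import defaultdict
from datetime import datetime

# User name planted in the fake router config (assumed; not a real account).
# Nothing legitimate ever uses it, so any attempt to log in with it means
# someone harvested the forum post and is actively doing reconnaissance.
CANARY_USER = "netadmin-backup"

# Constructed honeypot auth log (syslog-like, one sshd event per line).
# Source addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
2015-03-02T09:14:05 honeypot sshd[2311]: Failed password for netadmin-backup from 203.0.113.45 port 51522 ssh2
2015-03-02T09:14:09 honeypot sshd[2311]: Accepted password for netadmin-backup from 203.0.113.45 port 51522 ssh2
2015-03-02T09:20:41 honeypot sshd[2319]: Failed password for root from 198.51.100.7 port 40011 ssh2
2015-03-02T11:02:17 honeypot sshd[2402]: Failed password for netadmin-backup from 203.0.113.45 port 51801 ssh2
2015-03-03T02:33:58 honeypot sshd[2590]: Accepted password for netadmin-backup from 192.0.2.200 port 60020 ssh2
"""

# sshd writes "for invalid user X" when X has no account; the optional group
# keeps such lines parseable so a canary that is not a real account still matches.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd password event, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "result": m.group("result"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def canary_alerts(log_text, canary_user=CANARY_USER):
    """Aggregate every use of the canary user name by source address.

    Failed attempts count as much as successes: the password in the decoy
    config may have been mistyped, but the user name alone proves the leak
    was read. Alerts are ordered by the first time each source appeared.
    """
    by_src = defaultdict(lambda: {"attempts": 0, "accepted": 0,
                                  "first_seen": None, "last_seen": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"] != canary_user:
            continue
        rec = by_src[ev["src"]]
        rec["attempts"] += 1
        if ev["result"] == "Accepted":
            rec["accepted"] += 1
        if rec["first_seen"] is None or ev["ts"] < rec["first_seen"]:
            rec["first_seen"] = ev["ts"]
        if rec["last_seen"] is None or ev["ts"] > rec["last_seen"]:
            rec["last_seen"] = ev["ts"]

    alerts = []
    for src, rec in sorted(by_src.items(), key=lambda kv: kv[1]["first_seen"]):
        alerts.append({
            "src": src,
            "attempts": rec["attempts"],
            "accepted": rec["accepted"],
            "first_seen": rec["first_seen"].isoformat(),
            "last_seen": rec["last_seen"].isoformat(),
            "message": (f"canary credential '{canary_user}' used from {src}: "
                        f"{rec['attempts']} attempt(s), {rec['accepted']} accepted"),
        })
    return alerts


if __name__ == "__main__":
    for alert in canary_alerts(SAMPLE_LOG):
        print(alert["message"], "| first seen", alert["first_seen"])
```

In practice the honeypot host and the planted address should be reachable only by the decoy path, so that a hit cannot be explained by ordinary administrative traffic.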
The Weaponization Phase
Obviously, as an intended victim, you do not have any direct visibility into this phase. However, it is important that you
understand what is happening, as it can provide intelligence you can use to prevent future attacks.
Even the most sophisticated cybercriminals have a tendency to reuse certain toolkits and techniques. If you have an
understanding of these, you can leverage this intelligence to detect an attack at the next phase, which is delivery.
Insider Tip: Leverage intelligence sharing communities, such as ISACs, to stay up to date on the latest cyber war weapons.
Reconnaissance phase
Adversary Activity:
• Research
• Identification and Selection of Targets
• Website Crawling, Googling, etc.
Potential Intelligence for Defender:
• IP Addresses
• Identifying Agent Strings or Referrals
• Unique Browser/Crawler Behavior
• Areas of Focus
Weaponization phase
Adversary Activity:
• Creating a Deliverable Payload
• Scripting Actions
• Crafting Phish Bait
• Setting Up a Waterhole
Potential Intelligence for Defender:
• Trojan Toolkits
• Obfuscation Techniques
The Delivery Phase
The Delivery Phase is the first time an attack comes into your realm of control. This is the point where a spear-phishing
email is delivered or someone receives a link over Twitter, instant messaging, or Skype. The attack can also be a waterhole
attack, where delivery is multi-staged. For example, the cybercriminal may pose as someone the victim knows and ask a
question to entice conversation via several emails back and forth. Eventually, the cybercriminal sends an email with a link or
attachment — the attack payload. It is important that you are aware of these kinds of social engineering tactics.
The Exploitation Phase
Many times, traditional endpoint defenses are incapable of preventing exploitation from advanced attacks. However, there are
actions your organization can take to reduce your attack surface, such as rapidly installing updates and patches and deploying
application control solutions that only allow trusted software to execute. Regardless of your current capabilities, you can
get a decent amount of intelligence from this phase. If you have real-time visibility into your endpoints, you will know what
vulnerabilities and exploit techniques the cyber criminal used. You can also identify techniques or specific malware signatures
that the cyber criminal may reuse on other devices inside your organization.
The exploitation phase is where endpoint security comes into play, because it involves dropping files, making a registry change,
stealing a cookie, or any activity that establishes a persistence mechanism or potential means to access your system.
If you can consistently stop a targeted attack at this phase, you can reduce the risk of a data breach. Network defenses, such as
sandboxes, can provide a first line of defense. These technologies can give the cyber criminal the impression that he achieved
a successful installation, but ultimately you must secure the endpoint, as it is the primary target of an attack.
This is a very good example of using deception to trick the cyber criminal and let him think he actually reached the C&C phase.
Unfortunately, in most cases, sandboxing will not stop an application from executing in your environment, but it can help you
identify malicious activity faster. Ideally, your organization should deploy an endpoint solution that integrates with your network
security defenses to coordinate the identification and blocking of malicious software.
Delivery phase
Adversary Activity:
• Transmission of Weapon to Target Environment
• Sending an Attachment via Email
• Sending a Link via Twitter, IM, Email
• Attacking a Webserver
• Might be Multi-Stage
Potential Intelligence for Defender:
• IP Addresses
• Hostnames
• Email Senders
• Identifying Browser Information
• Handles on Twitter, IM, etc.
• Payload Characteristics
• Filenames
• Targeted Individuals
• ... and more
Exploitation phase
Adversary Activity:
• Weapon Will Exploit a Vulnerability or Flaw
• Tricking a User
• Installation of RAT or Backdoor
• Change to System Configuration
Potential Intelligence for Defender:
• Vulnerability Details
• Exploit Techniques
• Social Engineering Techniques
• Details of Malware
• Changes to System Configuration
Command and Control Phase
This phase is your last chance to stop an attack before your network and systems are compromised. Using available tools, you
can detect when something beacons out and block it, or detect when something beacons out and quarantine the host. Either
way, you break the kill chain. While IP blacklisting and IP anomaly detection systems can help, cyber criminals have developed
increasingly sophisticated techniques to evade these types of traditional network alerting systems.
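As an added example (not from the eBook or from any vendor product), the script below applies the two properties of C&C traffic described earlier, a destination that is not a normal website for the fleet and connections that recur on a machine-regular schedule, to a constructed outbound-connection log: it flags flows whose inter-connection timing has very low jitter and reports how many internal hosts contact that destination at all. Host names, addresses and the thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection export (proxy/firewall style), one new
# outbound TCP connection per line: timestamp,src_host,dst_ip,dst_port,bytes_out.
# ws-eng2 browses a normal site in bursts and, separately, contacts 192.0.2.77
# every five minutes. Addresses are from documentation ranges, not real hosts.
SAMPLE_CONNECTIONS = """\
2015-03-02T09:00:00,ws-eng2,198.51.100.20,443,1200
2015-03-02T09:00:07,ws-eng2,198.51.100.20,443,5400
2015-03-02T09:01:12,ws-eng2,198.51.100.20,443,880
2015-03-02T09:03:21,ws-eng2,192.0.2.77,443,310
2015-03-02T09:08:21,ws-eng2,192.0.2.77,443,305
2015-03-02T09:13:22,ws-eng2,192.0.2.77,443,312
2015-03-02T09:15:40,ws-eng2,198.51.100.20,443,2100
2015-03-02T09:16:00,ws-srv1,198.51.100.20,443,640
2015-03-02T09:18:20,ws-eng2,192.0.2.77,443,309
2015-03-02T09:23:21,ws-eng2,192.0.2.77,443,311
2015-03-02T09:28:22,ws-eng2,192.0.2.77,443,308
2015-03-02T09:44:03,ws-eng2,198.51.100.20,443,700
"""

MIN_CONNECTIONS = 5      # fewer samples than this and the timing says nothing
MAX_JITTER_RATIO = 0.10  # stdev/mean of the intervals; human browsing is far noisier


def parse_connections(text):
    """Parse the CSV-like export into a list of dicts (blank lines skipped)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "src": src,
                     "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return rows


def detect_beacons(text, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER_RATIO):
    """Flag (src, dst, port) flows whose connection spacing is suspiciously regular.

    For each flow with enough connections, the gaps between successive
    connections are measured; a gap sequence with stdev/mean below max_jitter
    is machine-driven. Each finding also carries how many distinct internal
    hosts talk to that destination, because a destination only one host uses
    is, in the eBook's words, not a normal website.
    """
    rows = parse_connections(text)
    flows = defaultdict(list)
    hosts_per_dst = defaultdict(set)
    for r in rows:
        flows[(r["src"], r["dst"], r["port"])].append(r["ts"])
        hosts_per_dst[(r["dst"], r["port"])].add(r["src"])

    findings = []
    for (src, dst, port), stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:          # duplicate timestamps only; nothing to measure
            continue
        jitter = statistics.stdev(intervals) / mean
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(stamps),
                "mean_interval_s": round(mean, 1),
                "jitter_ratio": round(jitter, 4),
                "hosts_contacting_dst": len(hosts_per_dst[(dst, port)]),
            })
    findings.sort(key=lambda f: f["jitter_ratio"])
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_CONNECTIONS):
        print(f"{f['src']} -> {f['dst']}:{f['port']} every ~{f['mean_interval_s']}s "
              f"({f['connections']} connections, jitter {f['jitter_ratio']}, "
              f"{f['hosts_contacting_dst']} host(s) use this destination)")
```

Real implants add random sleep jitter, so in production the threshold is tuned against a fleet-wide baseline and combined with the destination-rarity count rather than used on its own.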
Exfiltration
This is the final phase of the Cyber Kill Chain. The cyber criminal now has a foothold on an endpoint or a server, and he owns
that machine. He is exfiltrating data out of your organization. At this point, you have been breached and the Cyber Kill Chain
ends. Now, the question you ask yourself is not “will there be damage?” but rather “how great will the damage be?”
From this point, the cybercriminal can go many different ways. For example, he might:
• Focus on privilege escalation and getting information off the machines he has compromised
• Start scanning or trying to enumerate the network from the inside
• Use this opportunity to study the network to launch a more complex attack
• Already have stolen credentials and attempt to use them
Exfiltration phase
Adversary Activity:
• Achieve Original Objectives
• Privilege Escalation
• Internal Reconnaissance
• Lateral Movement
• Data Collection
• Data Exfiltration
Potential Intelligence for Defender:
• Adversary’s Information Targets
• Additional Tools Used
The Endpoint in Focus
There are several ways you can prevent exploitation. First, minimize your attack surface by keeping software up to date and
implementing solutions that only allow trusted software to execute. In the past, when Microsoft released security updates and
patches, most IT teams installed them on a handful of workstations or non-essential servers and waited for two weeks before
installing the update across the entire fleet. Today, that is not the case. When security updates drop, you must get them in
place within 24 hours for servers, 48 hours for desktops.
Today, Microsoft does extremely good regression testing and we do not see security updates that have a major operational
impact. However, if you are six months behind in updates, that may not be the case—another reason why we recommend that
you stay on top of updates and patches. It is worth investing time to achieve the level of operational excellence you need to get
updates and patches installed quickly.
When Microsoft makes its Patch Tuesday announcements, always refer to their Exploitability Index. This helps you prioritize
security bulletin deployment by providing information on the likelihood that a vulnerability addressed in a Microsoft security
update will be exploited2.
If you see something that is potentially exploitable, even if it has not been seen in the wild3, you can assume it will be
exploited quickly.
To prevent the installation of malware, there are several approaches that vendors incorporate into their security solutions:
• Signature-based Blacklisting
• Application Containers
• Trust-based Application Control
Figure 5: Example of an Exploitability Assessment
Columns: Bulletin | Vulnerability Title | CVE ID | Exploitability Assessment for Latest Software Release | Exploitability Assessment
for Older Software Release | Denial of Service Exploitability Assessment | Key Notes
Example row: MS14-xxx | Use After Free Vulnerability | CVE-2014-XXXX | 2 - Exploitation Less Likely | 1 - Exploitation More Likely |
Temporary
2 http://technet.microsoft.com/en-us/security/cc998259.aspx
3 http://searchsecurity.techtarget.com/definition/in-the-wild
Figure: AV Can’t Keep Up. Chart of the percentage of AV vendors detecting (0% to 100%) against days to detection (0 to 300) for
the 1st percentile, least detected malware (advanced attacks).
AV Can’t Keep Up: The majority of antivirus vendors take more than 250 days to detect the kind of customized malware most likely
used in advanced attacks.
Signature-based blacklisting, or traditional anti-virus software, stops malware installation based on a default-allow approach.
This means the software has a list of known bad conditions and, if an attack matches one of them, the anti-virus software
will not allow it to run; anything not on the list is allowed by default.
Today, the blacklist approach is rarely effective and only of real use against nuisance malware. Advanced cyber criminals
will use various packing techniques to get past most antivirus software and go undetected. While there is no reason not to
filter against known bad, you cannot count on it as your only approach, and it should be integrated with signature-less
approaches to advanced threat prevention, such as application whitelisting.
Application containers are an increasingly popular approach, and leading endpoint providers offer integrations to take
advantage of network-based sandbox technologies. While containers can be useful, most of these solutions do not natively
protect your organization's endpoints from advanced attacks. A few select vendors have attempted to bring containers, or
micro-virtualization, to the endpoint, but these solutions are often Windows-only and even then protect only a select list of
applications. With these limitations they cannot stop all zero-day attacks or attacks targeting vulnerabilities in unprotected
applications.
Last, and most importantly, there are trust-based approaches that stop the installation of malware based on a default-deny
approach. For any application or condition to run, it has to be approved by name, by publisher, by reputation or via other
mechanisms. Proven to be effective against advanced attacks, trust-based solutions are the best way to prevent, detect, and
respond to advanced threats, malware, and zero-day attacks because they provide real-time visibility.
[Figure: New Malware per year, 2006 - 2014; y-axis 0 to 140,000,000.]
Stopping Attacks at Delivery
A very effective technology to stop attacks at delivery is network detonation. Detonation software, such as from FireEye or Palo
Alto Networks, sees executable code coming over the network, determines whether it is malware (based on what it does rather
than on matching a signature), and, if bad, detonates it. Network detonation software is incredibly useful and moderately effective
at protecting activity for devices inside an enterprise network. However, network detonation solutions will not protect a device
when an employee is working offline — an increasingly common scenario with mobile employees. In addition, many solutions
monitor the network passively and are not in-line. In these instances, there can be a lag between execution and detonation.
This lag can provide an opportunity for an attacker to deploy a secondary payload that can go undetected. To help address
this issue, leading endpoint security solutions offer integrations with network detonation services to extend these capabilities
beyond the network by sending files from off-network endpoints for analysis.
Even if an employee is working online, bad conditions do not always appear first on the network. If a file comes in over an
encrypted tunnel, like SSL, and you do not have an SSL man-in-the-middle in place to inspect it, you might not see it. If that file
arrives inside an archive container, like a ZIP, RAR, or 7Z file, the network detonation software cannot examine the contents of
that container and will let a bad condition get into the network. Lastly, a USB stick with a Trojan is also going to be first seen
at the endpoint.
[Figure: Carbon Black Security Platform overview. Products: Cb Enterprise Protection, Cb Enterprise Response, Cb Threat Intel (reputation, indicators, classification). United Systems: Open API, automation and orchestration with network security, SIEM and analytics, threat intelligence and custom/services integrations. United Experts and Knowledge: 10,000 practitioners, 70+ IR and MSSP partners, 2000+ customers; policies and rules, patterns of compromise, connectors and code. Capabilities: multiple prevention strategies, compliance and reporting, Windows, Mac and Linux support, system-of-record continuous recording, kill chain visualization, attack remediation and root cause analysis, serving IT and security ops teams as well as SOC, IR and threat hunting teams.]
How Carbon Black Can Help
The Carbon Black Security Platform provides real-time visibility, detection, response, and proactive, customizable signature-less
prevention against advanced persistent threats. At the heart of the Carbon Black Security Platform is a unique policy-driven
approach to application control. It combines real-time visibility and a file discovery agent with IT-driven controls, aided by trust
ratings from the Carbon Black Threat Intel solution, to help organizations simplify and automate the set-up and administration
of a secure whitelisting platform. This results in a customizable application control solution that combines the highest level of
advanced threat protection with minimal end-user impact and administrative overhead.
With Carbon Black Enterprise Protection, you get multiple levels of protection. Most application whitelisting solutions require
organizations to adopt a “one size fits all” threat prevention strategy, leaving users frustrated and overwhelming security teams.
With Cb Enterprise Protection, organizations can apply application whitelisting to certain systems while also choosing from a
suite of additional prevention options to find the right balance between organizational culture and risk posture.
To learn more about the Carbon Black Security Platform, please visit https://www.carbonblack.com/solutions/endpoint-security/
[Figure: Dial-up and dial-down your endpoint protection policies, from fixed-function devices and servers to desktops and laptops.]
• Visibility: collects data in a real-time catalog of what's on the endpoint.
• Low Enforcement: stops banned files, tracking all activity.
• Medium Enforcement: stops untrusted files and asks users for permission.
• High Enforcement: stops untrusted files and only allows them to run after IT approval.
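The difference between the default-allow blacklisting described earlier and a default-deny, trust-based policy shows up most clearly in how an unknown file is handled at each enforcement level. The following is an added example, not Carbon Black's code or policy format: it models a trust policy (banned hashes, trusted publishers, IT-approved hashes, a reputation score) and evaluates constructed sample file events under visibility, low, medium and high enforcement; the reputation scale, its threshold and all hashes are assumptions or placeholders.

```python
"""Trust-based (default-deny) application control with the enforcement levels above.

Added example, not Carbon Black's code or policy format. Hashes, publishers
and reputation scores are constructed sample data; the reputation scale and
threshold are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Enforcement(Enum):
    VISIBILITY = "visibility"  # record only, never block
    LOW = "low"                # default-allow: block banned files, record everything else
    MEDIUM = "medium"          # default-deny: untrusted files prompt the user
    HIGH = "high"              # default-deny: untrusted files wait for IT approval


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    PROMPT_USER = "prompt_user"
    AWAIT_IT_APPROVAL = "await_it_approval"


@dataclass(frozen=True)
class FileEvent:
    sha256: str
    publisher: Optional[str]  # signer name, or None if unsigned
    reputation: int           # assumed 0-100 trust rating from threat intel


@dataclass
class TrustPolicy:
    banned_hashes: Set[str]
    trusted_publishers: Set[str]
    approved_hashes: Set[str]          # explicit IT approvals by hash
    reputation_threshold: int = 70     # assumption
    catalog: List[Tuple[str, str, str]] = field(default_factory=list)  # (sha256, level, decision)

    def is_trusted(self, f: FileEvent) -> bool:
        """Approved by hash, by publisher, or by reputation."""
        return (f.sha256 in self.approved_hashes
                or (f.publisher is not None and f.publisher in self.trusted_publishers)
                or f.reputation >= self.reputation_threshold)

    def decide(self, level: Enforcement, f: FileEvent) -> Decision:
        """Apply the enforcement level; every event is catalogued regardless of outcome."""
        if f.sha256 in self.banned_hashes and level is not Enforcement.VISIBILITY:
            decision = Decision.BLOCK          # known-bad is stopped at every enforcing level
        elif level in (Enforcement.VISIBILITY, Enforcement.LOW):
            decision = Decision.ALLOW          # default-allow: unknown code runs (the blacklist gap)
        elif self.is_trusted(f):
            decision = Decision.ALLOW
        elif level is Enforcement.MEDIUM:
            decision = Decision.PROMPT_USER
        else:
            decision = Decision.AWAIT_IT_APPROVAL
        self.catalog.append((f.sha256, level.value, decision.value))
        return decision


# Constructed sample data (placeholder hashes, not real file digests).
POLICY = TrustPolicy(
    banned_hashes={"sha256:banned-0001"},
    trusted_publishers={"Example Software Ltd"},
    approved_hashes={"sha256:approved-0002"},
)
KNOWN_BAD = FileEvent("sha256:banned-0001", None, 5)
SIGNED_APP = FileEvent("sha256:signed-0003", "Example Software Ltd", 50)
IT_APPROVED = FileEvent("sha256:approved-0002", None, 10)
UNKNOWN = FileEvent("sha256:unknown-0004", None, 20)


def decisions_for(f: FileEvent) -> Dict[str, str]:
    """Outcome of one file under each enforcement level."""
    return {lvl.value: POLICY.decide(lvl, f).value for lvl in Enforcement}


if __name__ == "__main__":
    for name, f in [("known bad", KNOWN_BAD), ("signed", SIGNED_APP),
                    ("IT approved", IT_APPROVED), ("unknown", UNKNOWN)]:
        print(f"{name:12s}", decisions_for(f))
```

The unknown, unsigned, low-reputation file is the instructive row: it runs under visibility and low enforcement exactly as it would under a blacklist, is held for a user decision under medium, and waits for IT under high, while every outcome still lands in the catalog that gives the visibility the text describes.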
1100 Winter Street Waltham, MA 02451 USA
P 617.393.7400 F 617.393.7499
www.carbonblack.com
About Carbon Black
Carbon Black leads a new era of endpoint security by enabling organizations to disrupt advanced attacks, deploy
the best prevention strategies for their business, and leverage the expertise of 10,000 professionals to shift the
balance of power back to security teams. Only Carbon Black continuously records and centrally retains all endpoint
activity, making it easy to track an attacker’s every action, instantly scope every incident, unravel entire attacks
and determine root causes. Carbon Black also offers a range of prevention options so organizations can match
their endpoint defense to their business needs. Carbon Black has been named #1 in endpoint protection, incident
response, and market share. Forward-thinking companies choose Carbon Black to arm their endpoints, enabling
security teams to: Disrupt. Defend. Unite.
2016 © Carbon Black is a registered trademark of Carbon Black. All other company or product names may be the trademarks of their
respective owners. 20160228 MMC
Summary
Today, cyber criminals are more sophisticated, using complex attack strategies and social engineering tactics to get into
enterprise networks. The reality in today's world is that cyber criminals target your endpoints and end users to gain access to
your company's most critical and valuable data. Many times, your employees are not diligent about data protection, are naïve
about hacker strategies, or are too trusting in the Internet of Everything world. It is getting more difficult to keep up with cyber
criminals' exploits, particularly in large distributed environments where you have thousands of global users.
To ensure the protection of your endpoints, your organization must execute several strategies:
• Incorporate the Cyber Kill Chain into your strategy. This model will help you identify and determine how far an attack has
progressed and where / how the damage occurs.
• To take advantage of the information you can gather via the Cyber Kill Chain, acquire the tools you need to detect and
deny attacks by disrupting or degrading the attack and deceiving and engaging with the cyber criminal. This can help
reduce the time it takes to detect and respond to an attack from days or weeks to seconds.
• Be sure to quickly install updates and patches to reduce your attack surface.
• To prevent the installation of malware, install an application control solution that only allows trusted software to execute.
Today, there are three types of data protection software:
• Anti-virus software is a blacklisting approach that is rarely effective and only stops nuisance malware. Cyber criminals
can use various packing techniques to get past most antivirus software and go undetected. While valuable at stopping
nuisance malware, organizations should look to leverage antivirus solutions that are integrated with next-generation
endpoint protection platforms.
• While application containers can be useful, most of these solutions cannot protect your organization's endpoints from
zero-day attacks, attacks targeting unpatched vulnerabilities, non-Windows machines, or actors in lateral movement.
Many also do not provide real-time visibility into endpoint activity.
• Trust-based approaches that stop the installation of malware based on a default-deny approach are the best way to
prevent, detect, and respond to advanced threats, malware, and zero-day attacks because they provide real-time visibility.
• Some organizations cannot implement default-deny, especially in cases where IT doesn't have full control over the
software on a given endpoint and must allow end users to install software on demand. In those cases, multistage
detect-and-deny and detonate-and-deny are the best strategies to bridge this gap.
• Lastly, it is important that you integrate your entire security stack so that your network devices and endpoint security
solutions pass information back and forth. Intelligence is useful but can have a short life. The sooner you know that a
security breach has happened, the sooner you can stop it.