Cracking Energy and Utilities: Insider Tips for Endpoint Security eBook

Upload: others

Post on 27-Jul-2020

1 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Cracking Energy and Utilities: Insider Tips for Endpoint ...stratxsolutions.com/products/cb/2016_cb_eb_cracking_energy_utilities.pdfvaluable data . In the past, the impact of cyber

Cracking Energy and Utilities: Insider Tips for Endpoint Security

eBook

Page 2: Cracking Energy and Utilities: Insider Tips for Endpoint ...stratxsolutions.com/products/cb/2016_cb_eb_cracking_energy_utilities.pdfvaluable data . In the past, the impact of cyber

Cracking Energy and Utilities: Insider Tips for Endpoint Security 2

eBook | Cracking Energy and Utilities: Insider Tips for Endpoint Security

Table of Contents

Introduction (p. 3)
Your Endpoints Are Vulnerable (p. 4)
How Vulnerable is Your Endpoint Software? (p. 5)
Social Engineering (p. 6)
The Cyber Kill Chain (p. 7)
Inside the Head of an Attacker (p. 9)
Insider Tips for Endpoint Security (p. 11)
The Endpoint in Focus (p. 14)
Stopping Attacks at Delivery (p. 16)
How Carbon Black Can Help (p. 17)
Summary (p. 18)


Introduction

Despite decades of attacks, energy companies and utilities continue to struggle with the fundamentals of endpoint security. IT organizations, large and small, continue to wrestle with basic endpoint challenges such as understanding what applications are running in their environment, who has administrative privileges, and what versions of software are installed on endpoints.

Utilities and energy companies are building better ways to deliver more affordable, cleaner, smarter resources to meet demand and maximize profits. New IP-enabled equipment drives greater visibility throughout the value chain, and control systems that were once isolated and proprietary now operate in an interconnected ecosystem. As a result, the industry is seeing a dramatic increase in cyber attacks. Many of these attacks are getting through traditional security defenses such as anti-virus software. As the threat landscape has evolved, enterprise servers and endpoints — and the employees operating them — have become the primary target of attack.

This eBook will outline the strategies and tactics cyber criminals use to attack enterprise endpoints and servers. It will also provide you with strategies and solutions your organization can use to arm your endpoints against these attacks.

“The energy sector led all other ICS reported incidents in 2014. Roughly 55% of incidents involved advanced persistent threats.”

— 2014 U.S. Department of Homeland Security Report


Your Endpoints Are Vulnerable

While the motivation behind individual attacks may vary, the objective is always the same: to steal your organization’s most valuable data.

In the past, the impact of cyber crime was limited to an individual level with limited strategic scope or impact. However, with the rise of organized cyber crime and state-sponsored actors, today’s attacks have organizational, even national security-level, impacts.

Since 2009, servers and end-user endpoints have risen to become the preferred point of entry for today’s cyber criminals to gain a foothold in your network. As a defender, it is useful to understand this, as it can shed light on gaps you may have in your current security program and where you need to implement extra protection.

As the crown jewels of enterprise data, servers have always been the number one asset cyber criminals want to breach. However, as organizations move to adopt cloud and other Web-powered services, end-user devices are growing in favor: they can often serve as a backdoor into an organization’s server systems and are more likely to be managed by individuals susceptible to social engineering attacks.

[Figure 1: compromised assets by year, 2009 to 2013, broken down by category (Server, Kiosk, Person, Network, User Devices); vertical axis 0 to 800. Source: Verizon 2014 Data Breach Investigations Report]


How Vulnerable is Your Endpoint Software?

Cyber criminals often leverage vulnerabilities in software already running on a system to gain access and establish persistence on a machine.

Figure 2 lists the top 18 programs from Secunia’s 2015 Vulnerability Review, Top 50 Software Portfolio. It shows the type of program (Microsoft or third-party), the 2014 market share, and the number of vulnerabilities affecting the software programs in 2013 and 2014.

For example, Adobe Reader, with an 85.6 percent market share, had:

• Five Secunia Advisories (an approximation of the number of security events in a given period)

• 43 Secunia Vulnerability Count (VULNS: the number of vulnerabilities covered by the Secunia Advisories)

We all remember when Adobe announced that its software was compromised in October 2013. Eventually 38 million accounts were affected.

According to the same report, 1,348 vulnerabilities were discovered in 17 products from seven desktop vendors in 2013 in the Top 50 portfolio, including the most used operating system, Microsoft Windows 7. This is a 42 percent increase in a five-year trend and an 11 percent increase from 2013 to 2014. In addition, the combined number of ‘Highly Critical’ and ‘Extremely Critical’ vulnerabilities in the Top 50 represents 74.6 percent of all vulnerabilities.

Figure 2: The Top Software Portfolio
Source: 2015 Secunia Vulnerability Review

RANK  TYPE  PRODUCT                               SHARE   ADVS  VULNS
   1  MS    MICROSOFT WINDOWS SCRIPT CONTROL      99.9%      0      0
   2  MS    MICROSOFT XML CORE SERVICES (MSXML)   99.9%      3      3
   3  MS    MICROSOFT .NET FRAMEWORK              99.5%      5      8
   4  MS    MICROSOFT WINDOWS MEDIA PLAYER        99.3%      0      0
   5  TP    MICROSOFT INTERNET EXPLORER           99.1%     13    289
   6  MS    MICROSOFT VISUAL C++ REDISTRIBUTABLE  96.1%      0      0
   7  TP    ADOBE FLASH PLAYER                    96.1%     20     99
   8  MS    MICROSOFT SILVERLIGHT                 85.6%      0      0
   9  MS    ADOBE READER                          85.3%      5     43
  10  TP    MICROSOFT WINDOWS DEFENDER            81.0%      1      1
  11  MS    ORACLE JAVA RE                        79.1%      4    119
  12  MS    WINDOWS POWERSHELL                    76.1%      0      0
  13  MS    WINDOWS DVD MAKER                     75.5%      0      0
  14  MS    MICROSOFT WORD                        75.1%      6     13
  15  MS    MICROSOFT EXCEL                       74.3%      1      2
  16  MS    MICROSOFT POWERPOINT                  72.4%      0      0
  17  MS    MICROSOFT XPS-VIEWER                  69.8%      0      0
  18  NMS   GOOGLE CHROME                         65.6%     23    504


Social Engineering

More often than not, cyber criminals target people rather than technology, because people are far easier to manipulate. Why break through a wall if you can convince someone to open the door?

Cyber criminals understand this, so they are increasingly using social engineering and phishing attacks to obtain stolen credentials and open a doorway into enterprise networks. According to the Verizon Data Breach Investigations Report for 2015, credentials were the second most common type of record stolen by crimeware.

The reality in today’s world is that cyber criminals have learned that the weakest link in the security chain is the end user, because end users are often naive and gullible when faced with social engineering tactics. Whether it is a mobile device or a traditional endpoint, such as a workstation or laptop, cyber criminals are leveraging the end user as a primary vector to gain access, initially to a single system and ultimately to the larger enterprise infrastructure.

For example, the February 2015 “U.S. ICS-CERT Monitor” reported that spear-phishing is the second most common known attack vector, behind network scanning.


The Cyber Kill Chain

When cyber criminals seek to infiltrate an organization, they follow a sophisticated, well-defined process that enables them to leverage their skills effectively, quickly identify their targeted assets, and avoid detection.

To help security practitioners better understand and defend against this process, Lockheed Martin researchers Eric Hutchins, Mike Cloppert, and Rohan Amin developed a model known as the Cyber Kill Chain. Widely recognized as a foundational model for information security, the Cyber Kill Chain is an invaluable tool for helping security professionals understand the processes and techniques cyber criminals use to plan and conduct an attack.

While the specifics and flow will vary from one attack to the next, the Cyber Kill Chain provides a model for understanding the techniques cyber criminals will use to break into your environment.

[Figure 4: The Cyber Kill Chain1. Phases shown: Reconnaissance, Weaponization, Delivery, Exploitation, C & C, Exfiltration]

1 http://digital-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain

Phases of the Cyber Kill Chain

Reconnaissance

Smart military planners never act without knowledge of the enemy’s defenses and tactics. This is just as true in the domain of cyber warfare, as cyber criminals today spend extensive resources to understand the tactics and environment of their targets.

The first step of reconnaissance is to identify appropriate targets that, if compromised, would meet the attacker’s objectives. For example, an attacker seeking to gain control of a computer controlling the ICS in your environment would likely target unsuspecting employees by sending phony emails with malware-laden content to individual laptops or drawing them to an infected website. Once opened, the malware can sit there for months, gaining access to and harvesting data from networks and devices of interest without anyone’s knowledge.

After they’ve selected a target, cyber criminals then attempt to gather as much intelligence as possible to inform the next stages of their attack. This can include gleaning information from public websites, social networking, media reports, and other sources. The attackers seek to learn as much as possible about their target before launching any form of attack.

Weaponization

After attackers have identified and researched an appropriate target, they develop a weapon custom-tailored to that target. They analyze the information systems used by the target and select an exploit that affects an operating system or application known to be used by the intended victim. For example, a hacking group known as “Energetic Bear” infected energy and industrial firms around the world with a malicious remote access Trojan (RAT) codenamed Havex, providing them the ability to shut down major power grids and oil and gas pipelines.

Attackers are reluctant to use zero-day vulnerabilities against all but the most valuable targets. Each time they launch a zero-day exploit, they run the risk of the attack being detected and made known to the security community. After this occurs, the zero-day attack loses its effectiveness as a weapon.


When an exploit is selected, it must be embedded in a delivery mechanism appropriate to the exploit and target. For example, the attacker may embed code exploiting a vulnerability in Adobe Reader into a PDF file. Java exploits, in turn, may be coded into a website that uses Java technology.

Delivery

After carefully selecting a target and weapon, a cyber criminal must then deliver the weapon to the intended target. Common delivery mechanisms include the following:

• Sending a carefully designed spear-phishing message that tricks the target into clicking a link

• Placing an infected file on a USB drive and getting it into the target’s hands as a gift or leave-behind

• Storing the infected file on a website known to be frequented by the target

• Sharing an infected file with the target through a cloud-based file sharing mechanism

• SQL-injection attacks, where attackers send malformed data to database and backend systems via websites and online forms to gain access or retrieve data

Unlike the phishing messages some attackers send to large numbers of individuals, seeking to find a couple of unwitting victims, the spear-phishing messages used by advanced threats are carefully designed to look like legitimate email sent directly to the intended victim. They make use of information that the attacker gathered during the reconnaissance phase to increase the likelihood that the target will act on the message.

Exploitation

After malware is delivered to a target system, the malware engages the selected exploit mechanism to gain control of the system. The exploit gives the weapon the ability to manipulate the target system with administrative privileges. This level of access enables the weapon to configure system settings, install additional malware, and perform other actions normally limited to system administrators.

Command and Control

After a system is compromised, cyber criminals typically attempt to establish outbound connections to command-and-control servers. These command links provide attackers with a way to communicate with the software on their victim systems without establishing a direct inbound connection.

The connections made to command-and-control servers often use standard HTTPS connections to emulate normal Web browsing activity. Because the connections are encrypted, they’re indistinguishable from any other HTTPS connection, other than the fact that their destination isn’t a normal website. This approach allows cyber criminals to limit the likelihood of detection by intrusion detection systems monitoring traffic on the victim organization’s network.

In addition to bypassing intrusion detection systems, the command-and-control connection is also designed to evade firewall controls on the victim network. While most network firewalls are set to block unsolicited inbound connections from the Internet, they often allow unrestricted or minimally restricted access to Internet sites when a system on the internal network initiates the connection. The attacker may then use this command-and-control connection to deliver instructions to the compromised system.

Exfiltration

The ultimate goal of the attack, exfiltration, is the stealing and removal of proprietary data from your network. Having established persistence, the cyber criminal can and will remain present inside your network for weeks, months, or years at a time to slowly exfiltrate organizational data. According to the 2015 Trustwave Global Security Report, the average time between intrusion and detection in 2014 was 188 days.


Inside the Head of an Attacker

To help you understand how each of these phases is executed, we will describe a fictional attack so you can see the Cyber Kill Chain in action.

Step 1 — Reconnaissance

Joe is a hacker looking to infiltrate the control computers of a regional utility’s SCADA system. He starts stalking employees on LinkedIn, Twitter, Facebook, and their blogs. He sees that several employees announce on Foursquare when they go to the Starbucks location next to their organization’s headquarters for lunch. Joe goes to this Starbucks and watches the employees work on their laptops. He starts to sniff traffic using tools like Firesheep and sees some of the basic information that they are sending across the untrusted network.

Soon, Joe is grabbing data off the open network. He now has a few email addresses and knows what websites the employees are visiting, including techstuff.com. With more reconnaissance work on LinkedIn, Google Groups, Facebook, and Maltego, Joe knows who knows whom and begins to build an idea of how these employees operate and what goes on in their lives.

Joe then calls the organization’s help desk and gets information about the standard builds on the enterprise’s endpoints. He goes to online support forums to see if any of these employees have ever posted anything.

Step 2 — Weaponization and Delivery

Once Joe has enough information, he is ready to take the next step: a spear-phishing attack. This takes the form of a personalized email from employee #1 (one of the employees he tracked online at Starbucks) to employee #2 (Joe obtained this email address during reconnaissance). The email is very personal and very casual. It says, “Hey, here is a TechStuff.com catalog that I found and it happens to have a discount code in it.”

Using social media, industry events, and information on the company website, Joe will work hard to embellish the “lure” in this spear-phishing tactic to build a message that appears familiar and relevant to his target. In some extremely sophisticated attacks, Joe may even attend industry events in which his target participates.

[Figure callouts on the sample phishing email: Captured: Email address (engineer1@utitlity), Colleague’s email ([email protected]), Interests (www.techstuff.com). “Spoofed, of course.” “Most certainly clicking here.”]


With a tailored subject line and message, the “lure” will contain a malformed document or perhaps a spreadsheet, or it will prompt the recipient to visit a dummy website or to run a program.

If the employees do not take the initial lure, Joe will continue to try them at different times with tweaked subject lines, messages, and payload vehicles.

Step 3 — Exploitation

When engineer #2 clicks on the spear-phishing email link, the attachment is not a PDF but AN EVIL PDF with embedded malicious code that secretly drops an unknown malicious payload onto engineer #2’s machine. Clicking on this PDF kicks off a chain reaction which provides Joe with a foothold into the enterprise’s environment and achieves his necessary first step: persistence. This chain reaction can include the dropping of additional payloads, automated lateral movement to other network machines, and ultimately an attempt to connect outside the network, on a different communication channel, to Joe to kick off Step 4, command and control.

Step 4 — Command and Control

Having infected engineer #2’s machine and successfully established both persistence on the system and outbound connectivity, Joe is able to step into the driver’s seat. With outbound connectivity and remote control over engineer #2’s system, Joe can now initiate a plethora of malicious activities to advance his goals.

He could begin recording engineer #2’s activity and conversations by copying emails and keystrokes, or even by accessing his computer’s camera and microphone. He could attempt to move laterally and establish additional infections on enterprise servers or on the machines of other high-value users, such as executives, to gain access to log-in credentials or files of particular interest or value.

Step 5 — Exfiltration

Once Joe has located targeted data, he will begin leveraging his C&C connections to exfiltrate it. This could be done in a single push, but is more commonly done over a period of weeks or months to avoid detection.

Having established persistence within a network, Joe will often bounce between step 4 and step 5 as new information of value is discovered or as new infections are made. The key point is that the advancement of an attack to step 5, the exfiltration of data, does not constitute the end of an attack. In fact, often it can be just the beginning, as attackers continue to leverage their foothold to steal new information or compromise additional systems, both inside and outside of your organization.


Insider Tips for Endpoint Security

In order to detect and stop cyber-attacks, you must have “empathy” with the cyber criminal, get into the head of the attacker, and figure out how he or she thinks. As in a combat situation, it is useful to think like your adversary and have a model, such as the Cyber Kill Chain, to align your defense to reflect the realities of the war you are fighting.

Bear in mind that you have the home field advantage and can acquire various tools to detect and deny attacks by disrupting or degrading the attack and deceiving the cyber criminal. Your objective is to respond to attacks by actively engaging with the cyber criminal. In this way, you can reduce the time it takes to detect and respond to an attack from days or weeks to seconds.

The Reconnaissance Phase

The reconnaissance phase is an important part of this model for the cybercriminal but, unfortunately, you as the victim do not have a view into it. If a cybercriminal is using Shodan, Google, or searching sites like LinkedIn trying to get information about you, you do not necessarily know it. However, you can use one little trick to get a clue that somebody is doing reconnaissance on you.

For example, Frank, a security professional, knows that cybercriminals search technical forums looking for instances where administrators are careless when asking questions; perhaps they post sensitive data such as a router configuration. Frank put together a fake configuration for a Cisco router. This contained an access password and an IP address, which he posted within a question to one of the forums. The fake router config actually pointed to a honeypot that Frank’s team created. When someone came into the honeypot, logging in with the user name and password that were included in the fake router config, it signaled to Frank that someone was actively performing reconnaissance on the company’s network.

There are opportunities to detect this kind of behavior if you execute security strategies like this. In addition, you can set up tar pits and make sure that you are alerted when people do Google-style reconnaissance on you.
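The honeypot trick above only pays off if the alert separates the planted credentials from the background brute-force noise every Internet-facing honeypot receives. The following is an added example, not from the eBook: a small Python alerting routine over a constructed honeypot login log, with a constructed canary username and password standing in for the credentials in Frank’s fake router config.

```python
"""Canary-credential alert for a reconnaissance honeypot.

Added example, not from the eBook. The log format, the planted
credentials and the sample log lines below are all constructed.
"""
import re
from dataclasses import dataclass

# The username/password pair planted in the fake config. Nobody legitimate
# knows it, so an attempt that uses BOTH values shows the attacker read the
# forum post; attempts with other usernames are ordinary Internet noise.
CANARY_USER = "netadmin-backup"        # constructed
CANARY_PASSWORD = "R0uter!Cfg#2015"    # constructed

# Constructed honeypot login log format:
#   <ISO time> login src=<ip> user=<name> pass=<value> result=<ok|fail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) "
    r"pass=(?P<password>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class CanaryAlert:
    src: str
    first_seen: str
    attempts: int = 0
    password_matched: bool = False


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_canary_hits(lines, user=CANARY_USER, password=CANARY_PASSWORD):
    """Return one alert per source IP that presented the planted username.

    password_matched is True when the exact planted password was also used,
    i.e. the attacker copied the credentials out of the fake config rather
    than merely guessing a username.
    """
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["user"] != user:
            continue  # unparsable, or noise that never touched the canary
        alert = alerts.setdefault(ev["src"], CanaryAlert(ev["src"], ev["ts"]))
        alert.attempts += 1
        if ev["password"] == password:
            alert.password_matched = True
    return sorted(alerts.values(), key=lambda a: a.first_seen)


def background_noise(lines, user=CANARY_USER):
    """Count login attempts that did not use the canary username."""
    return sum(1 for l in lines if (ev := parse_line(l)) and ev["user"] != user)


# Constructed sample log: generic brute-force noise, one source that used the
# planted pair, and one source that guessed the username but not the password.
SAMPLE_LOG = [
    "2015-03-02T01:14:05Z login src=198.51.100.23 user=root pass=123456 result=fail",
    "2015-03-02T01:14:06Z login src=198.51.100.23 user=admin pass=admin result=fail",
    "2015-03-02T09:41:50Z login src=203.0.113.77 user=netadmin-backup pass=R0uter!Cfg#2015 result=ok",
    "2015-03-02T09:42:31Z login src=203.0.113.77 user=netadmin-backup pass=R0uter!Cfg#2015 result=ok",
    "2015-03-03T16:02:12Z login src=192.0.2.200 user=netadmin-backup pass=guess1 result=fail",
]

if __name__ == "__main__":
    for a in find_canary_hits(SAMPLE_LOG):
        kind = "read the planted config" if a.password_matched else "guessed username only"
        print(f"CANARY {a.src} first={a.first_seen} attempts={a.attempts} ({kind})")
    print("background attempts:", background_noise(SAMPLE_LOG))
```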

The Weaponization Phase

Obviously, as an intended victim, you do not have any direct visibility into this phase. However, it is important that you understand what is happening, as it can provide intelligence you can use to prevent future attacks.

Even the most sophisticated cybercriminals have a tendency to reuse certain toolkits and techniques. If you have an understanding of these, you can leverage this intelligence to detect an attack at the next phase, which is delivery.

Insider Tip: Leverage intelligence sharing communities, such as ISACs, to stay up to date on the latest cyber war weapons.

Table: Reconnaissance
Adversary Activity: Research; Identification and Selection of Targets; Website Crawling, Googling, etc.
Potential Intelligence for Defender: IP Addresses; Identifying Agent Strings or Referrals; Unique Browser/Crawler Behavior; Areas of Focus

Table: Weaponization
Adversary Activity: Creating a Deliverable Payload; Scripting Actions; Crafting Phish Bait; Setting Up a Waterhole
Potential Intelligence for Defender: Trojan Toolkits; Obfuscation Techniques


The Delivery Phase

The Delivery Phase is the first time an attack comes into your realm of control. This is the point where a spear-phishing email is delivered or someone receives a link over Twitter, instant messaging, or Skype. The attack can also be a waterhole attack, where delivery is multi-staged. For example, the cybercriminal may pose as someone the victim knows and ask a question to entice conversation via several emails back and forth. Eventually, the cybercriminal sends an email with a link or attachment — the attack payload. It is important that you are aware of these kinds of social engineering tactics.

The Exploitation Phase

Many times, traditional endpoint defenses are incapable of preventing exploitation by advanced attacks. However, there are actions your organization can take to reduce your attack surface, such as rapidly installing updates and patches and deploying application control solutions that only allow trusted software to execute. Regardless of your current capabilities, you can get a decent amount of intelligence from this phase. If you have real-time visibility into your endpoints, you will know what vulnerabilities and exploit techniques the cyber criminal used. You can also identify techniques or specific malware signatures that the cyber criminal may reuse on other devices inside your organization.

The exploitation phase is where endpoint security comes into play, because it involves dropping files, making a registry change, stealing a cookie, or any activity that establishes a persistence mechanism or potential means to access your system.

If you can consistently stop a targeted attack at this phase, you can reduce the risk of a data breach. Network defenses, such as sandboxes, can provide a first line of defense. These technologies can give the cyber criminal the impression that he achieved a successful installation, but ultimately you must secure the endpoint, as it is the primary target of an attack.

This is a very good example of using deception to trick the cyber criminal and let him think he actually reached the C&C phase. Unfortunately, in most cases, sandboxing will not stop an application from executing in your environment, but it can help you identify malicious activity faster. Ideally, your organization should deploy an endpoint solution that integrates with your network security defenses to coordinate the identification and blocking of malicious software.

Table: Delivery
Adversary Activity: Transmission of Weapon to Target Environment; Sending an Attachment via Email; Sending a Link via Twitter, IM, Email; Attacking a Webserver; Might be Multi-Stage
Potential Intelligence for Defender: IP Addresses; Hostnames; Email Senders; Identifying Browser Information; Handles on Twitter, IM, etc.; Payload Characteristics; Filenames; Targeted Individuals; ... and more

Table: Exploitation
Adversary Activity: Weapon Will Exploit a Vulnerability or Flaw; Tricking a User; Installation of RAT or Backdoor; Change to System Configuration
Potential Intelligence for Defender: Vulnerability Details; Exploit Techniques; Social Engineering Techniques; Details of Malware; Changes to System Configuration


Command and Control Phase

This phase is your last chance to stop an attack before your network and systems are compromised. Using available tools, you can detect when something beacons out and block it, or detect when something beacons out and quarantine the host. Either way, you break the kill chain. While IP blacklisting and IP anomaly detection systems can help, cyber criminals have developed ever more sophisticated techniques to evade these types of traditional network alerting systems.
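One concrete form of “detect when something beacons out” is to look for the timer-driven regularity that an implant’s check-ins have and ordinary browsing lacks; it works even when the destination is not on any blacklist and the traffic is HTTPS. The Python detector below is an added example, not from the eBook; the connection log format, hostnames and addresses are constructed, and the thresholds (at least four connections, jitter at or below 0.2) are assumptions to tune per environment.

```python
"""Periodic-beacon detector over outbound connection logs.

Added example, not from the eBook. Log format and sample lines are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection log format (one line per TLS connection):
#   <ISO time> src=<ip> dst=<hostname> dport=<port>
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)$")


def parse(lines):
    """Group connection timestamps (epoch seconds) by (src, dst, port)."""
    flows = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
        flows[(m["src"], m["dst"], int(m["port"]))].append(ts)
    return flows


def beacon_score(timestamps):
    """Return (mean_gap, jitter) for a flow, or None with fewer than 4 connections.

    jitter = population stdev of the gaps between consecutive connections
    divided by their mean; near zero means the connections arrive on a
    fixed schedule, which is what a sleep-then-call-home loop produces.
    """
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(lines, min_connections=4, max_jitter=0.2):
    """Flag (src, dst, port) flows whose connection gaps are near-constant.

    Thresholds are assumptions for this example. Returns dicts sorted so the
    most regular flow comes first.
    """
    hits = []
    for (src, dst, port), stamps in parse(lines).items():
        if len(stamps) < min_connections:
            continue
        score = beacon_score(stamps)
        if score is None:
            continue
        mean, jitter = score
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "port": port,
                         "connections": len(stamps),
                         "interval_s": round(mean), "jitter": round(jitter, 3)})
    return sorted(hits, key=lambda h: h["jitter"])


# Constructed sample: one host browsing irregularly, one calling home every ~5 minutes.
SAMPLE_LOG = [
    "2015-04-01T08:00:00Z src=10.1.4.22 dst=news.example.net dport=443",
    "2015-04-01T08:00:09Z src=10.1.4.22 dst=news.example.net dport=443",
    "2015-04-01T08:03:41Z src=10.1.4.22 dst=news.example.net dport=443",
    "2015-04-01T08:31:02Z src=10.1.4.22 dst=news.example.net dport=443",
    "2015-04-01T09:15:55Z src=10.1.4.22 dst=news.example.net dport=443",
    "2015-04-01T08:00:00Z src=10.1.4.37 dst=cdn-update.example.org dport=443",
    "2015-04-01T08:05:01Z src=10.1.4.37 dst=cdn-update.example.org dport=443",
    "2015-04-01T08:09:58Z src=10.1.4.37 dst=cdn-update.example.org dport=443",
    "2015-04-01T08:15:03Z src=10.1.4.37 dst=cdn-update.example.org dport=443",
    "2015-04-01T08:20:00Z src=10.1.4.37 dst=cdn-update.example.org dport=443",
]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"BEACON? {hit['src']} -> {hit['dst']}:{hit['port']} every ~{hit['interval_s']}s "
              f"over {hit['connections']} connections (jitter {hit['jitter']})")
```

Legitimate update agents and monitoring tools also poll on timers, so the output is a triage list to check against the destination’s reputation and the process that opened the connection, not a verdict.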

Exfiltration

This is the final phase of the Cyber Kill Chain. The cyber criminal now has a foothold on an endpoint or a server and he owns that machine. He is exfiltrating data out of your organization. At this point, you have been breached and the Cyber Kill Chain ends. Now, the question you ask yourself is not “will there be damage?” but rather “how great will the damage be?”

From this point, the cybercriminal can go many different ways. For example, he might:

• Focus on privilege escalation and getting information off the machines he has compromised

• Start scanning or trying to enumerate the network from the inside

• Use this opportunity to study the network to launch a more complex attack

• Already have stolen credentials and attempt to use them


Table: Exfiltration
Adversary Activity: Achieve Original Objectives; Privilege Escalation; Internal Reconnaissance; Lateral Movement; Data Collection; Data Exfiltration
Potential Intelligence for Defender: Adversary’s Information Targets; Additional Tools Used


The Endpoint in Focus

There are several ways you can prevent exploitation. First, minimize your attack surface by keeping software up to date and by implementing solutions that only allow trusted software to execute. In the past, when Microsoft released security updates and patches, most IT teams installed them on a handful of workstations or non-essential servers and waited two weeks before installing the update across the entire fleet. Today, that is not the case. When security updates drop, you must get them in place within 24 hours for servers and 48 hours for desktops.

Today, Microsoft does very thorough regression testing, and we do not see security updates that have a major operational impact. However, if you are six months behind in updates, that may not be the case, which is another reason we recommend that you stay on top of updates and patches. It is worth investing the time to achieve the level of operational excellence you need to get updates and patches installed quickly.

When Microsoft makes its Patch Tuesday announcements, always refer to its Exploitability Index. This helps you prioritize security bulletin deployment by providing information on the likelihood that a vulnerability addressed in a Microsoft security update will be exploited [2].

If you see something that is potentially exploitable, even if it has not been seen in the wild [3], you can assume it will be exploited quickly.

To prevent the installation of malware, there are several approaches that vendors incorporate into their security solutions:

• Signature-based Blacklisting

• Application Containers

• Trust-based Application Control

Figure 5: Example of an Exploitability Assessment

Bulletin: MS14-xxx
Vulnerability Title: Use After Free Vulnerability
CVE ID: CVE-2014-XXXX
Exploitability Assessment for Latest Software Release: 2 - Exploitation Less Likely
Exploitability Assessment for Older Software Release: 1 - Exploitation More Likely
Denial of Service Exploitability Assessment: Temporary
Key Notes: (none)

[2] http://technet.microsoft.com/en-us/security/cc998259.aspx
[3] http://searchsecurity.techtarget.com/definition/in-the-wild
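The following Python triage routine is an added example, not from the eBook: it reads constructed rows shaped like Figure 5, picks the assessment column that matches the software release the fleet actually runs, treats anything rated likely to be exploited as if it will be, and attaches the 24-hour (server) or 48-hour (desktop) deadline the text prescribes. The bulletin ids, CVE ids and release time are placeholders.

```python
"""Patch-deployment triage from an Exploitability Index table.

Added example, not from the eBook. Ranks constructed security bulletins the
way the text advises: a rating that says exploitation is likely is treated as
if exploitation is certain, and every update gets the 24-hour (server) or
48-hour (desktop) install deadline. Bulletin and CVE ids are placeholders.
"""
from datetime import datetime, timedelta

# Microsoft's Exploitability Index ratings; a lower number means more urgent.
RATINGS = {0: "Exploitation Detected", 1: "Exploitation More Likely",
           2: "Exploitation Less Likely", 3: "Exploitation Unlikely"}
SLA_HOURS = {"server": 24, "desktop": 48}  # the eBook's deployment windows
RELEASED_AT = datetime(2016, 2, 9, 10, 0)  # constructed Patch Tuesday release time

# Constructed rows mirroring Figure 5's columns (placeholder ids, not real advisories).
BULLETINS = [
    {"bulletin": "MS14-xxx", "cve": "CVE-2014-XXXX", "latest": 2, "older": 1},
    {"bulletin": "MS14-yyy", "cve": "CVE-2014-YYYY", "latest": 1, "older": 0},
    {"bulletin": "MS14-zzz", "cve": "CVE-2014-ZZZZ", "latest": 3, "older": 3},
]


def effective_rating(row, on_latest_release):
    """Use the column that matches what the fleet runs: a fleet that is months
    behind is judged by the 'older software release' assessment."""
    return row["latest"] if on_latest_release else row["older"]


def triage(rows, role, released_at, on_latest_release=True):
    """Return bulletins most-urgent first, each with its install deadline.

    assume_exploited is True for ratings 0 and 1: the text says to treat such a
    bulletin as one that will be exploited quickly even with no in-the-wild
    sightings yet.
    """
    deadline = released_at + timedelta(hours=SLA_HOURS[role])
    plan = []
    for row in rows:
        rating = effective_rating(row, on_latest_release)
        plan.append({"bulletin": row["bulletin"], "cve": row["cve"],
                     "rating": rating, "label": RATINGS[rating],
                     "assume_exploited": rating <= 1, "deadline": deadline})
    return sorted(plan, key=lambda p: (p["rating"], p["bulletin"]))


if __name__ == "__main__":
    for item in triage(BULLETINS, "server", RELEASED_AT):
        print(item["bulletin"], item["label"], "by", item["deadline"],
              "(assume exploited)" if item["assume_exploited"] else "")
```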


[Figure: AV detection over time. Y axis: % AV vendors detecting (0% to 100%); X axis: days to detection (0 to 300). Series: 1st Percentile - Least Detected Malware (Advanced Attacks).]

AV Can't Keep Up: The majority of antivirus vendors take more than 250 days to detect the kind of customized malware most likely used in advanced attacks.

Signature-based blacklisting, or traditional anti-virus software, stops malware installation based on a default-allow approach. This means the software has a list of known bad conditions, and if an attack matches a bad condition, the anti-virus software will not allow it to run.

Today, the blacklist approach is rarely effective and only of real use against nuisance malware. Advanced cyber criminals will use various packing techniques to get past most antivirus software and go undetected. While there is no reason not to filter against known bad, you cannot count on it as your only approach, and it should be integrated with signature-less approaches to advanced threat prevention, such as application whitelisting.

Application containers are an increasingly popular approach, and leading endpoint providers offer integrations to take advantage of network-based sandbox technologies. While containers can be useful, most of these solutions do not natively protect your organization's endpoints from advanced attacks. A few select vendors have attempted to bring containers, or micro-virtualization, to the endpoint, but these solutions are often Windows-only, and even then they protect only a select list of applications. With these limitations they cannot stop all zero-day attacks or attacks targeting vulnerabilities in unprotected applications.

Last but most importantly, there are trust-based approaches that stop the installation of malware based on a default-deny approach. For any application or condition to run, it has to be approved by name, by publisher, by reputation or via other mechanisms. Proven to be effective against advanced attacks, trust-based solutions are the best way to prevent, detect, and respond to advanced threats, malware, and zero-day attacks because they provide real-time visibility.
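To make the default-allow versus default-deny distinction concrete, here is an added Python example (not the eBook's or any vendor's code) that runs two small policy engines over constructed file events: a signature blacklist and a trust rule that approves by name, by publisher or by reputation. All hashes, publishers and reputation scores are constructed.

```python
"""Default-allow (blacklist) versus default-deny (trust-based) execution control.
Added example, not the eBook's or any vendor's code: two small policy engines run
over constructed file events. Hashes, publishers and reputation scores are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class FileEvent:
    name: str
    content: bytes            # constructed stand-in for the executable image
    publisher: Optional[str]  # signer of the binary, None if unsigned
    reputation: int           # 0-100 score from a hypothetical reputation feed

    @property
    def sha256(self):
        return hashlib.sha256(self.content).hexdigest()

# Signature database: hashes of samples already seen and classified as bad.
KNOWN_BAD = {hashlib.sha256(b"evil-dropper-v1").hexdigest()}

# Trust policy for default-deny: approve by name, by publisher, or by reputation.
APPROVED_NAMES = {"corp-inventory.exe"}
TRUSTED_PUBLISHERS = {"Example Software Inc."}
MIN_REPUTATION = 80

def blacklist_allows(ev):
    """Default-allow: anything runs unless its hash matches a known-bad entry."""
    return ev.sha256 not in KNOWN_BAD

def trust_allows(ev):
    """Default-deny: nothing runs unless some trust mechanism has approved it."""
    return (ev.name in APPROVED_NAMES
            or ev.publisher in TRUSTED_PUBLISHERS
            or ev.reputation >= MIN_REPUTATION)

def evaluate(events):
    """Return {file name: (blacklist verdict, trust verdict)}; True means allowed."""
    return {ev.name: (blacklist_allows(ev), trust_allows(ev)) for ev in events}

# Constructed events: the known sample, a repacked copy (new hash, same behaviour),
# a signed vendor tool, and an unsigned in-house tool nobody has approved yet.
EVENTS = [
    FileEvent("invoice.exe", b"evil-dropper-v1", None, 5),
    FileEvent("invoice2.exe", b"evil-dropper-v1-repacked", None, 5),
    FileEvent("updater.exe", b"vendor-updater", "Example Software Inc.", 95),
    FileEvent("build-helper.exe", b"in-house-helper", None, 40),
]
```

The repacked copy passes the blacklist because its hash is new, while the trust rule stops it; the last row shows the usability cost the eBook's Summary raises, since default-deny also stops an unsigned in-house tool until someone approves it.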

[Figure: New malware per year, 2006 through 2014; Y axis 0 to 140,000,000.]


Stopping Attacks at Delivery

A very effective technology to stop attacks at delivery is network detonation. Detonation software, such as that from FireEye or Palo Alto Networks, sees executable code coming over the network, determines whether it is malware (based on what it does rather than on matching a signature), and, if bad, detonates it. Network detonation software is incredibly useful and moderately effective at protecting activity for devices inside an enterprise network. However, network detonation solutions will not protect a device when an employee is working offline, an increasingly common scenario with mobile employees. In addition, many solutions monitor the network passively and are not in-line. In these instances, there can be a lag between execution and detonation. This lag can provide an opportunity for an attacker to deploy a secondary payload that can go undetected. To help address this issue, leading endpoint security solutions offer integrations with network detonation services to extend these capabilities beyond the network by sending files from off-network endpoints for analysis.

Even if an employee is working online, bad conditions do not always present initially on the network. If a file comes in over an encrypted tunnel, like SSL, and you do not have an SSL man-in-the-middle (inspection) proxy, you might not see it. If that file comes inside some type of archive, like a ZIP, RAR, or 7Z file, the network detonation software cannot examine the archive and will let a bad condition get into the network. Lastly, a USB stick carrying a Trojan is also going to be first seen at the endpoint.

[Figure: Carbon Black Security Platform overview, with these labels: United Experts and Knowledge (10,000 practitioners, 70+ IR and MSSP partners, 2000+ customers; policies and rules, patterns of compromise, connectors and code); United Systems (open API, automation, and orchestration; network security, SIEM and analytics, threat intelligence, custom/services); Cb Enterprise Protection, Cb Threat Intel, Cb Enterprise Response; multiple prevention strategies; compliance and reporting; Windows, Mac, Linux; system-of-record continuous recording; reputation, indicators, classification; IT and security ops team; SOC, IR and threat hunting teams; kill chain visualization; attack remediation; root cause analysis.]


How Carbon Black Can Help

The Carbon Black Security Platform provides real-time visibility, detection, response, and proactive, customizable signature-less prevention against advanced persistent threats. At the heart of the Carbon Black Security Platform is a unique policy-driven approach to application control. It combines real-time visibility and a file discovery agent with IT-driven controls, aided by trust ratings from the Carbon Black Threat Intel solution, to help organizations simplify and automate the set-up and administration of a secure whitelisting platform. This results in a customizable application control solution that combines the highest level of advanced threat protection with minimal end-user impact and administrative overhead.

With Carbon Black Enterprise Protection, you get multiple levels of protection. Most application whitelisting solutions require organizations to adopt a "one size fits all" threat prevention strategy, leaving users frustrated and overwhelming security teams. With Cb Enterprise Protection, organizations can apply application whitelisting to certain systems while also choosing from a suite of additional prevention options to find the right balance between organizational culture and risk posture.

To learn more about the Carbon Black Security Platform, please visit https://www.carbonblack.com/solutions/endpoint-security/

Dial-up and dial-down your endpoint protection policies:

Visibility: collects data in a real-time catalog of what's on the endpoint
Low Enforcement: stops banned files, tracking all activity
Medium Enforcement: stops untrusted files and asks users for permission
High Enforcement: stops untrusted files and only allows them to run after IT approval

Applies across fixed-function devices, servers, desktops and laptops.


1100 Winter Street Waltham, MA 02451 USA

P 617.393.7400 F 617.393.7499

www.carbonblack.com

About Carbon Black

Carbon Black leads a new era of endpoint security by enabling organizations to disrupt advanced attacks, deploy the best prevention strategies for their business, and leverage the expertise of 10,000 professionals to shift the balance of power back to security teams. Only Carbon Black continuously records and centrally retains all endpoint activity, making it easy to track an attacker's every action, instantly scope every incident, unravel entire attacks and determine root causes. Carbon Black also offers a range of prevention options so organizations can match their endpoint defense to their business needs. Carbon Black has been named #1 in endpoint protection, incident response, and market share. Forward-thinking companies choose Carbon Black to arm their endpoints, enabling security teams to: Disrupt. Defend. Unite.

2016 © Carbon Black is a registered trademark of Carbon Black. All other company or product names may be the trademarks of their respective owners. 20160228 MMC

Summary

Today, cyber criminals are more sophisticated, using complex attack strategies and social engineering tactics to get into enterprise networks. The reality in today's world is that cyber criminals target your endpoints and end users to gain access to your company's most critical and valuable data. Many times, your employees are not diligent about data protection, are naive about hacker strategies, or are too trusting in the Internet of Everything world. It is getting more difficult to keep up with cyber criminals' exploits, particularly in large distributed environments where you have thousands of global users.

To ensure the protection of your endpoints, your organization must execute several strategies:

• Incorporate the Cyber Kill Chain into your strategy. This model will help you identify and determine how far an attack has progressed and where and how the damage occurs.

• To take advantage of the information you can gather via the Cyber Kill Chain, acquire the tools you need to detect and deny attacks by disrupting or degrading the attack and by deceiving and engaging with the cyber criminal. This can help reduce the time it takes to detect and respond to an attack from days or weeks to seconds.

• Be sure to quickly install updates and patches to reduce your attack surface.

• To prevent the installation of malware, install an application control solution that only allows trusted software to execute.

Today, there are three types of data protection software:

• Anti-virus software is a blacklisting approach that is rarely effective and only stops nuisance malware. Cyber criminals can use various packing techniques to get past most antivirus software and go undetected. While antivirus is valuable at stopping nuisance malware, organizations should look to leverage antivirus solutions that are integrated with next-generation endpoint protection platforms.

• While application containers can be useful, most of these solutions cannot protect your organization's endpoints from zero-day attacks, attacks targeting unpatched vulnerabilities, non-Windows machines, or actors in lateral movement. Many also do not provide real-time visibility into endpoint activity.

• Trust-based approaches that stop the installation of malware based on a default-deny approach are the best way to prevent, detect, and respond to advanced threats, malware, and zero-day attacks because they provide real-time visibility.

• Some organizations cannot implement default-deny, especially in cases where IT does not have full control over the software on a given endpoint and must allow end users to install software on demand. In those cases, multistage detect-and-deny and detonate-and-deny are the best strategies to bridge this gap.

• Lastly, it is important that you integrate your entire security stack so that your network devices and endpoint security solutions pass information back and forth. Intelligence is useful but can have a short life. The sooner you know that a security breach has happened, the sooner you can stop it.