A discussion of sophisticated cyber threats used by advanced adversaries. The primary objective is to draw a distinction between the current state of cyber security practices and our probable future. The present security posture is heavily reliant upon the use of tools and products to provide protection. This presentation will discuss the flaws in present-day methodologies and begin to contemplate workable concepts for increased security through a mature and sophisticated response to the threats against a network or against the data which it contains. Simply put: network attackers are rapidly increasing in both technical and operational sophistication; comprehensive Computer Network Defense must keep pace in order to effectively mitigate the threat.
© Mike Saylor 2012
We don't have anything they want.
• Bandwidth
• Networks free from Government's prying eyes
• "Lucrative" business proposals
• Intellectual Property
• Hacktivism
• CEO/President with influence or clout
 ▪ Excellent source for "whale-phishing"
 ▪ Spoofed e-mails to target the people who trust him/her
• Trusted Business Relationships
 ▪ Subcontractors / peer connections
 ▪ Mergers, partnerships, etc.
• Trusted Internal Networks
 ▪ "Internal" users assumed trustworthy
 ▪ Use of 'valid' credentials
• Trusted E-mail
 ▪ Exploited by "spear phishing"
• Trusted Internet Websites
 ▪ Cross-site scripting
 ▪ Remote code execution
• Trusted Applications
 ▪ Un-patched programs: PDF, Word, Excel exploits
 ▪ Unauthorized software: media players, mobile apps
Most Organizations do not have a formal, structured, and/or mature Information Security (InfoSec) Program.
Fewer Organizations have a somewhat mature InfoSec Program, but rely heavily upon the tools and vendors for their sense of security with little or no skilled / dedicated internal InfoSec personnel.
Even fewer yet have a mature InfoSec Program that incorporates technology solutions, training / awareness, and dedicated, skilled InfoSec personnel.
The majority of organizations work towards Compliance-based Security (SOX, PCI, HIPAA, GLBA, FFIEC, FERC, etc.).
Most InfoSec groups operate in a responsive / tactical mode, further hindered by a disconnect from business strategy.
The focus of most InfoSec programs is still the Network Perimeter (Firewalls, IDS/IPS, Email Filter, Internet Filter, etc.).
[Diagram: Network Perimeter, DMZ (Web Sites), Internal Network, Core Systems (Web Applications); threat vector shown: Social Engineering]
Most InfoSec Programs include numerous security tools:
• Firewalls
• Intrusion Detection / Prevention
• Anti-Virus
• Email / Spam Filters
• Data Leakage Prevention (DLP)
• Anti-Malware
• Internet Filtering
• SIM / SIEM
• End Point Security
• Encryption
Does simply implementing these tools and their associated Policy and Procedures make them secure today? Tomorrow?
By definition, the intrusion has already happened. Most InfoSec personnel struggle with root cause and focus primarily on stopping the attack. In one personal experience, I asked a Firewall Administrator why he didn't think several days of after-hours bandwidth spikes were suspicious. His response: "after the second day I thought it was normal".
Almost all Social Engineering and Facility Breach Attacks are successful and go undetected.
• Unexpected emails, particularly emails from US-based companies like Hotmail but with a foreign source IP
• HTTP traffic that has more outbound than inbound
• Late-night traffic, particularly login failures
• Continuous, periodic "beaconing" activity; may represent Trojan activity to "calling card" addresses
• Domain names which resolve to "reserved" networks: 192.168.X.X, 255.255.255.X, 0.0.0.0, 1.1.1.1, 127.X.X.X, 10.X.X.X
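As an added example (not part of the original slides), the following Python checks constructed proxy/DNS log lines for three of the indicators listed above: names resolving to the "reserved" networks the slide names, contacts at near-constant intervals (beaconing), and hosts where the client sends more than it receives. The log field layout, the sample hosts and the jitter threshold are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy/DNS log (not from the original slides).
# Fields: epoch_seconds client host resolved_ip bytes_out bytes_in
SAMPLE_LOG = """\
1000 10.1.1.5 cdn.example.net 203.0.113.10 400 52000
1300 10.1.1.5 cdn.example.net 203.0.113.10 380 48000
1000 10.1.1.9 upd.example.org 198.51.100.7 900 120
1600 10.1.1.9 upd.example.org 198.51.100.7 910 118
2200 10.1.1.9 upd.example.org 198.51.100.7 905 121
2800 10.1.1.9 upd.example.org 198.51.100.7 902 119
1500 10.1.1.12 portal.example.com 192.168.77.3 0 0
"""
# "Reserved" networks exactly as the slide lists them (1.1.1.1 was unallocated
# in 2012; today it is a public DNS resolver and would be a false positive).
RESERVED = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16", "255.255.255.0/24", "0.0.0.0/32",
    "1.1.1.1/32", "127.0.0.0/8", "10.0.0.0/8")]

def parse(log):
    """Turn whitespace-separated log lines into typed records."""
    return [(int(t), c, h, ipaddress.ip_address(ip), int(o), int(i))
            for t, c, h, ip, o, i in (line.split() for line in log.splitlines())]

def reserved_resolutions(recs):
    """Hosts whose resolved address falls inside one of the reserved networks."""
    return sorted({host for _, _, host, ip, _, _ in recs if any(ip in n for n in RESERVED)})

def outbound_heavy(recs):
    """Hosts to which the client sends more bytes than it receives (normal browsing is inbound-heavy)."""
    out, inn = defaultdict(int), defaultdict(int)
    for _, _, host, _, o, i in recs:
        out[host] += o
        inn[host] += i
    return sorted(h for h in out if out[h] > inn[h])

def beacons(recs, min_hits=4, max_jitter=0.1):
    """(client, host) pairs contacted at near-constant intervals: candidate beaconing."""
    times = defaultdict(list)
    for t, client, host, *_ in recs:
        times[(client, host)].append(t)
    hits = []
    for key, ts in sorted(times.items()):
        if len(ts) < max(min_hits, 3):
            continue  # too few contacts to judge periodicity
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if pstdev(gaps) <= max_jitter * mean(gaps):  # low spread relative to the mean gap
            hits.append(key)
    return hits
```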
Verizon Report
• 48% of compromises take less than a day
• 75% of intrusions are not detected for at least a week
• 94% require 7 to 31 days for containment
Attackers have a lot of time to operate; defenders are inherently disadvantaged.
Insiders are still the greatest threat.
In 2011, U.S. companies spent ~$130 Billion combating data breaches (Lanscope).
2009 Data Breach Investigations Report – Verizon Business RISK Team
• 48% involved privilege misuse (+26%)
• 40% resulted from hacking (-24%)
• 38% utilized malware (<>)
• 28% employed social tactics (+16%)
• 15% comprised physical attacks (+6%)
• 96% of breaches were avoidable through simple or intermediate controls (+9%)
2010 Data Breach Investigations Report – Verizon Business RISK Team
• Covert Reconnaissance / Surveillance
• Obfuscated Exfiltration of Data
• Exploitation of Internal Networks & Trust
• Persistent Presence of Advanced Adversary
• Illegitimate use of Valid Credentials
• Wholesale Loss of Trust / Information Fidelity
[Chart: Operational Sophistication (y-axis) versus Technical Sophistication (x-axis); plotted items: Insider, Insider Support, Valid Credentials, Persistence, Scanning, Intrusion, Statistical Signal Analysis, IDS, Firewall]
• Commercial Software and Vendor Developed Software is Secure.
 ▪ Adobe, MS Office, Internet Explorer, Firefox, etc.
• For a User or Attacker to Escalate Privileges they must compromise the Administrator Account.
 ▪ Any process running as Admin can be broken
 ▪ Privilege Escalation is inevitable
• Freshly installed Operating Systems, or newly re-imaged systems, are secure and can be trusted.
 ▪ Yes, if never connected to the Internet
Most InfoSec Programs are ineffective today and will stand little chance tomorrow, for the following reasons:
• Budgets and Executive Management Support
• Tactical Approach, disconnected from Corp Strategy
• Heavy Reliance on Tools and Vendors
• Overwhelmed by Alerts and emails from Security Tools, most ignored
• Myopic view of what to protect, how to protect it, and why
[Diagram: Network Perimeter, DMZ (Web Sites), Internal Network, Core Systems; threat vectors shown: Mobile Device / Media, Social Engineering, Social Networking, Network Attacks, Internet Use, Physical Breach, Malware, Phishing, Insiders, APT; assets and channels shown: Company Data, Phone Calls, Emails, Cloud Provider / Vendor, Remote Users, Users, Wireless Networks, Internet, Wireless Home Networks, Worms, Virus, Malware]
Assume a proactive posture
• Ignores detection and prevention; certainty of intrusion is assumed
• Based on research into real-world intrusions
• Focuses on 'self-cleansing' and 'level of trust'
• Off-the-shelf solutions are very limited, i.e., I know of none
[Chart: Level of Trust and Potential Damage (y-axis, 0 to 100) versus Uptime / Runtime (x-axis, 1 to 10)]
Self-Cleansing Intrusion Tolerance (SCIT) (1)
• Works with HTTP and DNS servers
• Nightly shutdown / re-image desktops
• Integrate with IDS and IPS systems
• Maintain higher overall trust, over time
(1) cs.gmu.edu/~asood/scit
• More restrictive Internet usage
 ▪ Unpopular, but effective
• Restrict email attachments
 ▪ Deny attackers their easiest point of entry
 ▪ Potential adverse effect to "normal" business
• Two-Factor Authentication
 ▪ Makes it harder for attackers to operate
 ▪ Increase in corporate cost of operations
• Mobile Device Management
 ▪ Smart Phones, Tablets, Laptops
• Employee Training / Awareness
• Reduce 'Window of Exposure' to Risk
 ▪ Proactive Measures, not event dependent
 ▪ Frequent Restore to the 'Trusted State'
• Isolate sensitive data
 ▪ What data truly needs to be on the Internet?
• Wholesale Policy Changes
 ▪ More restrictive
 ▪ Information 'Assurance' over Information Security
 ▪ May result in political battles
Attacking is much easier than defending; the one who takes initiative has the advantage.
All networks are vulnerable. Given time, APT actors will defeat defenses. Currently, defenders incur nearly all of the risk. If you are in business, you are a target.