Fortinet Confidential

Cyber Threats Targetting Enterprises & Organizations

Guillaume Lovet

3 Times BlackHat Speaker

Pwnie Award Nominee

M.S. Georgia Tech

Sr. Manager FortiGuard

Agenda

Attack consequencesfor the enterprise

Attack consequencesfor the enterprise

Forms of attacksForms of attacks

DefenseDefense

Agenda

Attack consequencesfor the enterprise

Attack consequencesfor the enterprise

Forms of attacksForms of attacks

DefenseDefense

CONFIDENTIAL

Risks: What you don't want to happen

•Denial of Service (DoS) attack

•Data Theft

•Destruction

•Loss of Reputation

CONFIDENTIAL

• Denial of Service (DoS) attackFrom outside, by a Botnet / Zombie network (Example?)

From inside, on purpose or not (eg: Conficker Worm)

• Data Theft

• Destruction

• Loss of Reputation

Risks: What you don't want to happen

CONFIDENTIAL

• Denial of Service (DoS) attack

• Data TheftCustomer data (Example?)

Intellectual Property

Corporate Info (incl. banking credentials)

• Destruction

• Loss of Reputation

Risks: What you don't want to happen

CONFIDENTIAL

• Denial of Service (DoS) attack

• Data Theft

• DestructionData

Computer systems

Physical/Industrial systems (Example?)

• Loss of Reputation

Risks: What you don't want to happen

CONFIDENTIAL

• Denial of Service (DoS) attack

• Data Theft

• Destruction

• Loss of ReputationOften a consequence of the above

Top risk identified by UK companies (Aon Ltd, 2005)

Adds up to the rest. Example: $318/rec in 2010 (Ponemon)

Risks: What you don't want to happen

CONFIDENTIAL

Loss of Reputation: Heartland Breach

CONFIDENTIAL

•FinancialPay or I DdoS you! (eBay, Amazon...)

Selling stolen data (Heartland, Sony PSN?)

•CompetitiveIndustrial Spying (“Israeli Trojan”)

•Political / HacktivismEspionnage (Ghostnet, Quai D'Orsay, Operation Aurora)

Retaliation (Paypal, Master Card, Visa, Sony PSN?)

•MilitaryDDoS (Russia / Georgia)

Seek & Destroy Worm (Stuxnet)

The other side of the Mirror: Attackers’ Motivation

Agenda

Attack consequencesfor the enterprise

Attack consequencesfor the enterprise

Forms of attacksForms of attacks

DefenseDefense

CONFIDENTIAL

• Via stolen credentials (Phishing / Social Engineering / Insider)

• Via Exploitation of flaws

• Via Infection: Trojan Horses / Bots / Worms

Information System Penetration

CONFIDENTIAL

•E-Mail & IM

•Web Sites

•Social Networks

•Physical Infection Vectors

Multiple Infection Vectors

CONFIDENTIAL

• E-Mail & IMAttachments: executable, archives AND documentsLinks

• Web Sites

• Social Networks

• Physical Infection Vectors

Multiple Infection Vectors

Targeted attacks against Tibetan communities: Email infection

CONFIDENTIAL

• E-Mail & IM

• Web Sites 60% of bot infections: “Drive-By Install” (Enisa)

“Packs” available for purchase on the underground market

• Social Networks

• Physical Infection Vectors

Multiple Infection Vectors

CONFIDENTIAL

CONFIDENTIAL

• E-Mail & IM

• Web Sites

• Social NetworksIntelligence source for targeted attacksWorms (eg: Koobface)

• Physical Infection Vectors

Multiple Infection Vectors

CONFIDENTIAL

CONFIDENTIAL

CONFIDENTIAL

CONFIDENTIAL

• E-Mail & IM

• Web Sites

• Social Networks

• Physical Infection VectorsLaptopsUSB KeysCDs

Multiple Infection Vectors

Agenda

DefenseDefense

Attack consequencesfor the enterprise

Attack consequencesfor the enterprise

Forms of attacksForms of attacks

CONFIDENTIAL

You need AV, IPS, AS, WCF

Above all, you need them altogether

And most importantly, you need them working altogether

Goal: when facing a threat, be able to tackle it from different angles

=> Intelligent Redundancy

Key Elements to Modern Defense

CONFIDENTIAL

Phishing• Phish Letter blocked by AS• If not, blocked by AV• If not, Phish Site blocked by WCF

Backdoor / Bot• Binary blocked by AV• If not, access to C & C blocked by IPS• If not, by WCF=> The bot cannot “phone home”

Two Examples of Enhanced Security by Intelligent Redundancy