Strategies to Combat New, Innovative Cyber Threats - 2017

Paladion slide deck, 21 pages. STRICTLY PRIVATE & CONFIDENTIAL © 2017. Posted 28-Jun-2020.

TRANSCRIPT

Page 1: Strategies to Combat New, Innovative Cyber Threats - 2017 (title slide)

Page 2

Enterprise Security for 2017

Key Cyber Threats to Defend Against in 2017:
- Ransomware and its evolving variants
- Compromised business processes
- Increased organizational social engineering
- Insider technical compromises
- Threats to non-perimeter assets

Key Cyber Strategies to Deploy in 2017:
- Analytical, machine learning based detection
- Enhanced endpoint detection
- Orchestrated responses
- Digital VM systems
- CloudOps and DevOps security

Page 3

New, Innovative Threats to Watch out for

IoT threats
The Mirai worm and the Dyn DDoS attack exposed the vulnerability of IoT systems, which act as a launch pad for other attacks. IoT device usage is expected to rise by 400% in 2017, making this a significant threat. Attacks on IoT devices such as cars, drones, industrial systems, and others should also be considered.

Fake news attacks
The rise in social media and self-publishing, together with the shrinking attention span of readers, has caused an increase in fake news circulation. This will soon be used for cyber fraud by luring users to act on false information, such as selling stock and other schemes.

AI & voice-first attacks
As we move beyond touch to voice-based interactions, new forms of attacks are likely.
Example #1: Tricking AI algorithms with fake data to gain information, and then having the voice-enabled system fool users into performing an action.
Example #2: Your banking bot could talk consumers into giving away credentials to attackers.

Smart city attacks
Smart city grids that control transportation, utilities, communication, financial services, and other citizen life data will be prone to innovative attacks that leverage a single vector to impact multiple facilities, e.g. using business logic weaknesses to obtain data that enables compromise.

Bionics attacks
Attacks on medical devices such as pacemakers are already being researched. As greater integration of human capability and technology occurs, attacks will become life-threatening. 2017 will see more concept-level threats showcased by researchers. The future will see a combination of neuro and cyber weapons as criminals catch on.

Page 4

Key Threats 2017

Page 5

Ransomware and Variants

Malware objectives between 2001 and 2017 have grown to include file deletion, network clogging, botnet creation, data stealing and selling, and data encryption for ransom.

2016 saw a rapid increase in ransomware:
- Incidents increased 4 times compared to 2015
- Total losses due to ransomware attacks cost over one billion USD, affecting over 100 thousand companies
- Aided by more data on endpoints and easy anonymous payment gateway options

Ransomware variations have also increased:
- Layered infections that include Trojans and keyloggers along with ransomware
- Selective file and folder encryption
- Attackers are targeting high-risk sectors such as financial services, healthcare, utilities and SMBs

2017 will see:
- Ransomworm: ransomware combined with worm capabilities, which spreads fast
- Double dipping: adding data stealing capabilities along with encryption to double profits, once through ransom from the organization and then through underground sale of the data

Refer to the Paladion paper for the top ransomware variants of 2016 and their IOCs for detection.
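Signature IOCs only catch variants that are already known. The behaviour the slide describes (mass rewriting of files with encrypted content, and the "selective folder encryption" variant that stays quiet) can be caught from file-system telemetry instead. The following is an added example, not code from the deck or from Paladion; the thresholds, the canary path and the sample events are all assumptions constructed for illustration.

```python
import hashlib
import math
from collections import defaultdict, deque

# Thresholds below are assumptions for this example, not figures from the deck.
ENTROPY_BITS = 7.0       # bits/byte; compressed or encrypted data sits near 8.0
WINDOW_SECONDS = 60      # sliding window per process
BURST_THRESHOLD = 5      # high-entropy rewrites in one window before alerting
# Decoy file that no legitimate process should ever modify (hypothetical path).
CANARY_PATHS = {"/srv/share/finance/~$canary.xlsx"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_ransomware(events):
    """events: dicts {ts, pid, op, path, data} ordered by ts.

    Two independent signals:
      * burst: BURST_THRESHOLD high-entropy writes by one process inside
        WINDOW_SECONDS (mass encryption);
      * canary: any write or rename touching a decoy file (catches selective
        encryption of one folder that never reaches the burst threshold).
    Returns a list of (pid, reason), one entry per offending process.
    """
    findings = []
    recent = defaultdict(deque)   # pid -> timestamps of high-entropy writes
    flagged = set()
    for ev in events:
        pid, ts = ev["pid"], ev["ts"]
        if pid in flagged:
            continue
        if ev["path"] in CANARY_PATHS and ev["op"] in ("write", "rename"):
            findings.append((pid, "canary file touched: " + ev["path"]))
            flagged.add(pid)
            continue
        if ev["op"] != "write" or shannon_entropy(ev["data"]) < ENTROPY_BITS:
            continue
        q = recent[pid]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:   # q is never empty here
            q.popleft()
        if len(q) >= BURST_THRESHOLD:
            findings.append((pid, f"{len(q)} high-entropy writes in {WINDOW_SECONDS}s"))
            flagged.add(pid)
    return findings


def pseudo_random_bytes(blocks: int = 128) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 chain, about 7.9 bits/byte)."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(blocks))


# Constructed sample telemetry, not real data: an office user saving plain
# documents, a process rewriting six files as ciphertext in 30 seconds, and a
# third process renaming the decoy file.
SAMPLE_TEXT = b"Quarterly report: revenue grew in every region. " * 80
SAMPLE_EVENTS = (
    [{"ts": 10 * i, "pid": 4242, "op": "write",
      "path": f"/home/ann/docs/report{i}.docx", "data": SAMPLE_TEXT} for i in range(3)]
    + [{"ts": 30 + 5 * i, "pid": 6666, "op": "write",
        "path": f"/srv/share/hr/file{i}.xlsx.locked", "data": pseudo_random_bytes()}
       for i in range(6)]
    + [{"ts": 100, "pid": 7777, "op": "rename",
        "path": "/srv/share/finance/~$canary.xlsx", "data": b""}]
)
```

Running detect_ransomware(SAMPLE_EVENTS) flags process 6666 on its fifth encrypted write and process 7777 the moment it touches the canary; the document-saving process is never reported because its writes are low-entropy. Entropy alone misfires on compressed archives and media files, so in production the burst rule should also require a rename or extension change, which the event stream above already carries.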

Page 6

Business Process Compromise (BPC)

BPC consists of complex attacks using social engineering, malware, account takeovers, man-in-the-middle attacks, sniffing and data exfiltration.

Cyber criminals are targeting entire business processes more and more.

Attacks on banks target payment processes involving multiple assets, users, and intimate transaction knowledge (e.g. the Bangladesh Bank heist). Several copycat attacks on payment systems were reported in the financial sector during 2016. Attackers also targeted inventory management processes, vendor payment processes, and supply chain processes.

These attacks have a higher payoff (averaging millions of USD, as opposed to hundreds of USD for ransomware). Larger, more organized cyber crime gangs and rogue nation state players will be attracted to such attacks. They take more time, skill and knowledge of internal processes, but the payoff is significantly higher.

Global losses are estimated at over 2 billion USD, affecting thousands of organizations.

Organizations' ability to defend themselves is weaker today. The focus is on protecting individual assets and applications, while ignoring attack campaigns on business processes.

2017 prediction: The average value of BPC attacks will go up, causing some organizations to lose tens of millions of USD. The number of affected organizations will remain lower given the effort involved in launching such attacks.

Page 7

Targeted Business Social Engineering

Business social engineering schemes include CEO fraud, bogus invoice schemes, legal scare scams, identity takeover of executives, and PII data stealing.

Social engineering attacks on organizations have increased, with attackers conducting research on employees and company strategies before scamming high-level employees.

Attacker research includes social media data, company news releases, technology case studies, and internal data obtained through sniffing. Attackers then target lower-level employees with emails, social media communications, and customized website messages.

The majority of BPC attacks involve long campaigns of targeted social engineering.

These attacks could also be short, non-technical attacks such as Business Email Compromise (BEC), which rose in 2016. BEC uses knowledge of an organization's internal processes to trick employees into making payments and other transactions on behalf of attackers.

The estimated losses from BEC alone were over 3 billion USD in 2016, affecting over fifty thousand organizations globally.

2017 prediction: Given the amount of online data available on employees and organizations, this type of attack is easy to carry out. Innovation will no longer be in the technical aspects of an attack, but rather in the fraud schemes. 2017 will see many variations in tricking employees into giving away data or money.
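BEC needs no malware, so the place to catch it is the mail headers: an executive's display name on a webmail address, a look-alike sender domain, or a Reply-To that quietly redirects the thread. The following is an added example of those header checks, not code from the deck or from Paladion; the protected domain, the executive list and the sample messages are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumptions for this example: the protected domain and its known executives.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real address
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_MONEY_WORDS = re.compile(r"\b(urgent|wire|transfer|payment|invoice|overdue)\b", re.I)


def normalize_domain(domain: str) -> str:
    """Fold common look-alike substitutions so examp1e.com and exarnple.com
    both collapse to example.com."""
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str = CORP_DOMAIN) -> bool:
    domain = domain.lower()
    if domain == target:
        return False
    folded = normalize_domain(domain)
    if folded == target:
        return True
    # One edit away on the registrable label (examples.com, exampe.com).
    return edit_distance(folded.split(".")[0], target.split(".")[0]) <= 1


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyse(headers: dict) -> list:
    """Return the list of BEC indicators found in one message's headers."""
    name, addr = parseaddr(headers.get("From", ""))
    reasons = []
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        reasons.append("executive display name with foreign address")
    if is_lookalike(_domain(addr)):
        reasons.append("lookalike sender domain")
    reply = parseaddr(headers.get("Reply-To", ""))[1]
    if reply and _domain(reply) != _domain(addr):
        reasons.append("Reply-To domain differs from From domain")
    # Money language alone is normal business mail; it only raises severity
    # when another indicator is already present.
    if reasons and _MONEY_WORDS.search(headers.get("Subject", "")):
        reasons.append("payment or urgency language")
    return reasons


# Constructed sample headers, not real mail.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example.com>", "Subject": "Q3 numbers"},
    {"From": "Jane Doe <jane.doe.ceo@gmail.com>", "Subject": "Urgent wire transfer today"},
    {"From": "Accounts Payable <ap@examp1e.com>", "Reply-To": "ap.finance@outlook.com",
     "Subject": "Invoice 4471 overdue"},
]
```

The first message is clean, the second is the classic CEO-fraud pattern, the third is a bogus-invoice scheme routed through a look-alike domain with an external Reply-To. These checks complement, not replace, SPF/DKIM/DMARC: a registered look-alike domain passes all three, which is exactly why the domain-folding rule is needed.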

Page 8

Hi-Tech Insider Abuse

Insider threats have received reduced attention due to the stream of news about external attacks.

But insider threats continue to affect organizations, despite their small number compared to external attacks (60% external versus less than 30% internal).

Over the past few years, two key controls, data leakage detection and privileged identity management, have contained this threat.

Insider threats continue to rise as the workforce composition changes. Today there is more technical know-how and teleworking, but less organizational empathy. The following attacks will get more sophisticated:
- Data leakage bypass through encryption
- Chunking through micro-blogging
- Masquerading as normal traffic
- Collaboration with external threat actors

2017 predictions: Insider attacks will become as hi-tech as advanced external attacks. These attacks will involve longer campaigns, multiple evasive tools, and co-worker social engineering for credential theft.

Sidebar, from "Nine Things You Need to Know about Insider Threats". Types of incidents: 35% of organizations have experienced at least one insider threat, with the following breakdown (the total does not equal 100% as some respondents had more than one type of incident):
- Data leak: 49%
- Fraud: 41%
- Data breach: 36%
- IP theft: 16%
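"Chunking through micro-blogging" works because size-based DLP rules look at one upload at a time. The counter is to aggregate sub-threshold uploads per user and destination over a window. The following is an added example of that aggregation over a constructed proxy log, not code from the deck or from Paladion; the DLP threshold, window and sample records are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumptions for this example (not figures from the deck):
DLP_INSPECT_BYTES = 64 * 1024   # uploads at or above this size get DLP inspection
WINDOW_SECONDS = 3600           # look-back per (user, destination)
MIN_CHUNKS = 10                 # small uploads needed before alerting
MIN_TOTAL_BYTES = 512 * 1024    # combined size that would have tripped DLP


def parse_line(line: str) -> dict:
    """Parse one constructed proxy record: '<iso-ts> <user> <method> <host> <bytes_out>'."""
    ts, user, method, host, size = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when.timestamp(), "user": user, "method": method,
            "host": host, "bytes": int(size)}


def detect_chunked_exfil(lines) -> dict:
    """Find (user, host) pairs that pushed MIN_CHUNKS sub-threshold uploads
    totalling MIN_TOTAL_BYTES inside WINDOW_SECONDS: the way a large document
    is slipped past a size-based DLP rule in paste- or post-sized pieces."""
    windows = defaultdict(deque)      # (user, host) -> deque[(ts, bytes)]
    findings = {}
    for rec in sorted(map(parse_line, lines), key=lambda r: r["ts"]):
        if rec["method"] not in ("POST", "PUT") or rec["bytes"] >= DLP_INSPECT_BYTES:
            continue                  # large uploads are DLP's job, not ours
        key = (rec["user"], rec["host"])
        q = windows[key]
        q.append((rec["ts"], rec["bytes"]))
        while rec["ts"] - q[0][0] > WINDOW_SECONDS:   # q is never empty here
            q.popleft()
        total = sum(b for _, b in q)
        if len(q) >= MIN_CHUNKS and total >= MIN_TOTAL_BYTES:
            findings[key] = {"chunks": len(q), "bytes": total,
                             "first": q[0][0], "last": q[-1][0]}
    return findings


# Constructed proxy log: alice posts 20 x 60 KB to a paste site in 20 minutes,
# bob makes a few ordinary small posts, carol only browses.
SAMPLE_LOG = (
    [f"2017-02-01T09:{m:02d}:00Z alice POST paste.example 61440" for m in range(20)]
    + ["2017-02-01T09:05:00Z bob POST chat.example 2048",
       "2017-02-01T09:06:00Z bob POST chat.example 1024",
       "2017-02-01T09:07:00Z bob POST chat.example 4096",
       "2017-02-01T09:08:00Z carol GET news.example 0"]
)
```

Each of alice's uploads is under the 64 KB inspection threshold, so a per-request DLP rule sees nothing; summed over the hour they amount to 1.2 MB to one paste host, which the window rule reports. Encrypted chunks look identical to this on the proxy, so the rule is unaffected by the "bypass through encryption" technique; what it cannot see is traffic the insider spreads across many destinations, which needs the per-user baseline rather than the per-destination one.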

Page 9

Threats to non-perimeter assets

3 trends have already reached a tipping point:
- Teleworking and personal devices used by an increasingly mobile workforce (25% of employees work remotely at least part of the time; 32% have used personal devices in addition to corporate devices)
- Cloud-first strategy for both native cloud and SaaS applications (57% of organizations have cloud assets today; organizations on average have 3 SaaS apps deployed)
- Social media administering corporate information and marketing activities (corporate data is 40% as likely to be in social media as in internal stores)

Threats to these assets and data outside of enterprise perimeters are a reality. Cloud and social media incidents related to corporate data have seen a 70% rise.

Organizations have not formalized risk modeling frameworks for these assets and data. In addition, their on-premise risk mitigation isn't easily transferable: monitoring for threats in a cloud requires a different architecture and data collection, and existing IPS and SIEM deployments cannot simply be extended to cover cloud assets.

2017 prediction: Attacks focused only on non-perimeter assets will increase. Organizations will have a significant delay in discovering them, compared to the average 150 days for on-premises attacks.

Page 10

Key Strategies 2017

Page 11

Strategy 1: Analytical and Machine Learning Systems

Advanced threats are bypassing rule-based systems. Malware, account takeover attacks, lateral movement, data exfiltration and fraudulent transactions are being modified by attackers to avoid detection.

The typical advanced attack is a long drawn-out campaign, similar to a war with multiple battles within one single attack. Current detection systems are unable to link individual threats into the full campaign, preventing a big-picture view of the attack.

2017 will see organizations adopt more analytical systems with machine learning capabilities and big data storage approaches to solve both problems. Gartner estimates that over 50% of organizations will have security data warehouses with analytics data within the next four years. (For a detailed description of this strategy, refer to the Paladion report on Next Gen SOC and security analytics.)

Machine learning analytics will be applied to network analytics, endpoint analytics, user & entity behavior analytics, and deeper mining of security alerts.

Use analytical and machine learning based systems for advanced malware and ransomware, low-and-slow attacks, unknown attack methods, data exfiltration, transaction fraud, and to see long drawn-out campaigns.
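The "link individual threats into the full campaign" problem is a graph problem: alerts are nodes, shared entities (host, user, file hash, IP) within a time window are edges, and connected components are campaigns. The following is an added example of that link analysis, not code from the deck or from Paladion; the window, the degree cut-off and the sample alerts are assumptions constructed for illustration.

```python
from collections import defaultdict

LINK_WINDOW = 30 * 86400   # assumption: alerts sharing an entity within 30 days are linked
MAX_ENTITY_DEGREE = 4      # assumption: entities seen in more alerts are too common to pivot on


def link_alerts(alerts, link_window=LINK_WINDOW, max_degree=MAX_ENTITY_DEGREE):
    """Group alerts into campaigns with a union-find over shared entities.

    Two alerts are joined when they share an entity and fire within
    link_window seconds of each other. Entities that appear in more than
    max_degree alerts (an egress proxy, a service account) are skipped,
    otherwise everything collapses into one giant component.
    Returns campaigns with at least two alerts, oldest first.
    """
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_entity = defaultdict(list)
    for a in alerts:
        for ent in a["entities"]:
            by_entity[ent].append(a)
    for ent, group in by_entity.items():
        if len(group) > max_degree:
            continue
        group.sort(key=lambda a: a["ts"])
        for prev, cur in zip(group, group[1:]):
            if cur["ts"] - prev["ts"] <= link_window:
                parent[find(cur["id"])] = find(prev["id"])

    comps = defaultdict(list)
    for a in alerts:
        comps[find(a["id"])].append(a)
    campaigns = []
    for members in comps.values():
        if len(members) < 2:
            continue
        members.sort(key=lambda a: a["ts"])
        campaigns.append({
            "alerts": [a["id"] for a in members],
            "stages": [a["type"] for a in members],
            "start": members[0]["ts"], "end": members[-1]["ts"],
            "hosts": sorted({e[1] for a in members for e in a["entities"] if e[0] == "host"}),
        })
    campaigns.sort(key=lambda c: c["start"])
    return campaigns


# Constructed alerts, not real data. Hashes and the external IP are placeholders.
DAY = 86400
PROXY = ("ip", "10.0.0.1")   # egress proxy seen in every alert; must not link them
SAMPLE_ALERTS = [
    {"id": "A1", "ts": 0 * DAY, "type": "phishing",
     "entities": [("user", "alice"), ("host", "ws-17"), PROXY]},
    {"id": "A2", "ts": 2 * DAY, "type": "malware",
     "entities": [("host", "ws-17"), ("hash", "deadbeef01"), PROXY]},
    {"id": "A3", "ts": 10 * DAY, "type": "lateral_movement",
     "entities": [("host", "ws-17"), ("host", "srv-db"), PROXY]},
    {"id": "A4", "ts": 20 * DAY, "type": "exfiltration",
     "entities": [("host", "srv-db"), ("ip", "203.0.113.9"), PROXY]},
    {"id": "A5", "ts": 5 * DAY, "type": "malware",
     "entities": [("host", "ws-99"), ("hash", "cafef00d02"), PROXY]},
]
```

With the default settings the four alerts on ws-17 and srv-db come out as one campaign spanning phishing to exfiltration over 20 days, while the unrelated malware alert on ws-99 stays separate. Raise max_degree above the number of alerts and the shared proxy address glues all five together, which is the failure mode the degree cut-off exists to prevent.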

Page 12

Diagram: security analytics platform (architecture sketch)

Visual layer: collaboration, active discovery
Connector layer: raw data, context data and alert data in; alerts and active response out
Big data technology with data sciences:
- Machine learning methods: outlier algorithms, pattern search algorithms, association algorithms, rare event algorithms
- Graph theory: link analysis
- Visual analytics
- Multi-node streaming rule engine
- Data mining
- Statistical & probabilistic modelling

Page 13

Strategy 2: End Point Threat Detection

Organizations have matured via log and network threat monitoring, made possible by wide adoption of SIEM, IPS and network sandboxing technologies. Advanced attackers are now bypassing these technologies by attacking users and their endpoint devices. DBIR data shows over 40% of today's breaches are caused by endpoint compromises.

Traditional anti-malware technologies can no longer contain these advanced attacks:
- New malware that bypasses signatures and detects sandboxing
- Malware using scripts and batch files
- Account takeovers via social engineering or privilege escalation attacks on endpoints

Organizations will enable 24/7 monitoring for endpoints similar to what is done for networks and logs today. This monitoring will continuously search for threat and compromise indicators on endpoints using a combination of rules, signatures, behavior anomalies, and peer profiling.

2017 will see large organizations rolling out EDR technologies and services. IDC estimates that over 80% of organizations will have this capability by 2018. Refer to Paladion's report on IST for more details on how to monitor threats at endpoints.
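The slide names four detection sources (rules, signatures, behaviour anomalies, peer profiling); the first three are what catches "malware using scripts and batch files", and the fourth catches a binary that exists on one machine in the fleet. The following is an added example that runs both over constructed process-creation telemetry; it is not code from the deck or from Paladion, and the rules, the fleet size and the sample events are assumptions.

```python
import re
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_PS = re.compile(
    r"(-enc(odedcommand)?\b|downloadstring|downloadfile|\biex\b|invoke-expression)", re.I)
SCRIPT_IN_TEMP = re.compile(r"\\(temp|appdata)\\.*\.(bat|cmd|vbs|js|ps1)\b", re.I)
FLEET_MIN_HOSTS = 10     # assumption: prevalence is meaningless on a tiny fleet


def rule_hits(ev: dict) -> list:
    """Signature-style rules over one process-creation event."""
    parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
    hits = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office-app-spawned-script-host")
    if image == "powershell.exe" and SUSPICIOUS_PS.search(cmd):
        hits.append("encoded-or-downloading-powershell")
    if image in SCRIPT_HOSTS and SCRIPT_IN_TEMP.search(cmd):
        hits.append("script-launched-from-temp")
    return hits


def rare_images(events, fleet_size, max_hosts=1) -> set:
    """Peer profiling: images seen on at most max_hosts hosts across a fleet of
    fleet_size endpoints. Returns an empty set on fleets too small to judge."""
    if fleet_size < FLEET_MIN_HOSTS:
        return set()
    hosts = defaultdict(set)
    for ev in events:
        hosts[ev["image"].lower()].add(ev["host"])
    return {img for img, seen in hosts.items() if len(seen) <= max_hosts}


def analyse(events, fleet_size) -> list:
    """Combine rules and rarity; returns one finding per suspicious event."""
    rare = rare_images(events, fleet_size)
    findings = []
    for ev in events:
        hits = rule_hits(ev)
        if ev["image"].lower() in rare:
            hits.append("rare-image-in-fleet")
        if hits:
            findings.append({"host": ev["host"], "image": ev["image"], "hits": hits})
    return findings


def _ev(host, parent, image, cmdline):
    return {"host": host, "parent": parent, "image": image, "cmdline": cmdline}


# Constructed telemetry for a hypothetical 12-host fleet, not real data. The
# base64 blob is UTF-16LE "ABC", a placeholder rather than a real payload.
FLEET_SIZE = 12
SAMPLE_EVENTS = (
    [_ev(f"ws-{i:02d}", "explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default")
     for i in range(1, 11)]
    + [_ev(f"ws-{i:02d}", "explorer.exe", "powershell.exe",
           r"powershell.exe -File C:\scripts\inventory.ps1") for i in (2, 4, 6)]
    + [_ev("ws-01", "explorer.exe", "cmd.exe", "cmd.exe /c dir"),
       _ev("ws-05", "explorer.exe", "cmd.exe", "cmd.exe /c ipconfig"),
       _ev("ws-07", "WINWORD.EXE", "powershell.exe", "powershell.exe -nop -w hidden -enc QQBCAEMA"),
       _ev("ws-09", "explorer.exe", "cmd.exe", r"cmd.exe /c C:\Users\bob\AppData\Local\Temp\update.bat"),
       _ev("ws-03", "explorer.exe", "svcupdate.exe", r"C:\Users\kim\Downloads\svcupdate.exe")]
)
```

Three findings come out: Word spawning encoded PowerShell on ws-07 (two rules), a batch file run from a temp folder on ws-09, and svcupdate.exe, which no rule knows but which exists on exactly one host. The benign admin PowerShell on three hosts is not rare, and rarity is suppressed entirely when the fleet is too small for prevalence to mean anything.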

Page 14

Diagram: Paladion ETDR as a Service (endpoint threat detection and response loop)

1. Endpoints with agents installed
2. Paladion ETDR as a Service: continuous monitoring on endpoints for data leakage, malware activity, user behaviors and lateral movement
3. Fast, accurate, complete detection at scale
4. Analysis and investigation: IR for alerts (validate, prioritize, mitigate)
5. Remediation at scale: fix issues quickly and completely

Page 15

Strategy 3: Response Automation and Orchestration

Manual incident response is a time-consuming process. The average time for responses involving triage, incident analysis, containment, recovery, and eradication is over 35 days. Furthermore, many organizations do not have runbooks for handling common incidents, and end up unprepared for threats.

2017 will see organizations invest in central incident response platforms with automation for the various stages of incident management. Organizations will build or acquire runbooks that integrate with these platforms. The platform will also have analytical capabilities to analyze incidents in depth, uncovering the full blast radius and patient zero of long campaigns.

Forrester estimates that over 37% of organizations are currently planning to automate incident response management through analytics. For more details on how to implement this strategy, refer to Paladion's reports on Next Gen SOC and security analytics & orchestration.
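"Blast radius and patient zero" is a concrete computation once the platform has indicator sightings and lateral-movement connections: patient zero is the earliest sighting, and a host is in the blast radius only if a time-respecting path reaches it (each hop must occur after its source was already compromised). The following is an added example of that computation and of the containment order it yields, not code from the deck or from Paladion; the host names and timestamps are constructed.

```python
def patient_zero_and_blast_radius(sightings, connections):
    """sightings: (host, ts) where an indicator of the campaign was observed.
    connections: (src, dst, ts) lateral-movement edges (SMB, RDP, WinRM ...).

    Patient zero is the earliest sighting. A host joins the blast radius only
    through a time-respecting path: the edge must fire after its source was
    already compromised. Sightings that no such path explains point to a
    second entry point, so they are returned rather than silently dropped.
    Returns (patient_zero, {host: earliest_compromise_ts}, unexplained_hosts).
    """
    first_seen = {}
    for host, ts in sightings:
        first_seen[host] = min(ts, first_seen.get(host, ts))
    patient_zero, t0 = min(first_seen.items(), key=lambda kv: kv[1])
    compromised = {patient_zero: t0}
    edges = sorted(connections, key=lambda e: e[2])
    changed = True
    while changed:                       # relax until no earlier compromise time appears
        changed = False
        for src, dst, ts in edges:
            if (src in compromised and ts >= compromised[src]
                    and ts < compromised.get(dst, float("inf"))):
                compromised[dst] = ts
                changed = True
    unexplained = sorted(h for h, ts in first_seen.items()
                         if h not in compromised or ts < compromised[h])
    return patient_zero, compromised, unexplained


def containment_order(compromised):
    """Isolate hosts in order of compromise so the playbook cuts the campaign
    at its front before chasing the tail."""
    return [h for h, _ in sorted(compromised.items(), key=lambda kv: kv[1])]


# Constructed sample data, not a real incident. Times are seconds on a shared clock.
SAMPLE_SIGHTINGS = [("ws-17", 100), ("srv-db", 900), ("ws-55", 300)]
SAMPLE_CONNECTIONS = [
    ("ws-22", "ws-17", 50),        # before ws-17 was compromised: irrelevant
    ("ws-17", "srv-files", 200),
    ("srv-db", "ws-31", 400),      # srv-db not yet compromised at 400: not a spread edge
    ("srv-files", "srv-db", 600),
    ("srv-db", "ws-22", 700),
]
```

On the sample, ws-17 is patient zero, the blast radius is ws-17, srv-files, srv-db and ws-22 in that order, ws-31 is correctly left out because the connection to it predates srv-db's compromise, and ws-55 is reported as unexplained: an indicator was seen there with no path from patient zero, so the runbook should open a second investigation rather than assume one entry point.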

Page 16

Response Automation Diagram (four stages, run across the lifecycle 24/7)

Alert Validation: verify how relevant the alert is in your context and the likelihood of damage
Incident Analysis: investigate the impact, attacker, attack campaign and extent of compromise
Containment: quickly contain the attack and its impact to stop the spread
Root Mitigation: design security features to remove root causes and prevent repeat breaches

Page 17

Strategy 4: Digital VM Programs

Continuous Automated Intelligence

Vulnerability management programs in most organizations are slow and cumbersome. Automation of test planning, scheduling, reporting, mitigation, analytics generation, and distribution is limited.

Vulnerability results are not prioritized for attack scenarios, i.e. which vulnerability will actually be exploited in the organization's own context and therefore needs faster remediation. There is limited threat intelligence gathering and correlation with vulnerabilities.

Digital VM programs aim to automate analytics and threat intelligence so that vulnerability discovery, mitigation, and stakeholder collaboration are fast-tracked. This lets VM programs run continuously, like existing security monitoring programs.

2017 will see organizations implement digital VM programs on a centralized VM platform. Gartner estimates that enterprises that implement a strong vulnerability management process will experience 90% fewer successful attacks.

Refer to Paladion's report on this topic. It's time to stop being complacent about vulnerabilities and execute this strategy.

Digital VM cycle (continuous): Analytics, Discovery, Testing, Triaging, Mitigation
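"Prioritized for attack scenarios" means ranking by more than the CVSS number: whether an exploit is public or in use, and how exposed and important the affected asset is. The following is an added example of such a triage engine, not code from the deck or from Paladion; the weights, SLA bands, asset inventory and vulnerability IDs are assumptions constructed for illustration.

```python
# Weights and SLAs are assumptions for this example, not figures from the deck.
EXPOSURE_WEIGHT = {"internet": 1.3, "partner": 1.1, "internal": 1.0}
CRITICALITY_WEIGHT = {"high": 1.2, "medium": 1.0, "low": 0.8}
SLA_DAYS = [(12.0, 3), (8.0, 14), (4.0, 30), (0.0, 90)]   # (minimum score, days to fix)


def risk_score(vuln, asset, intel) -> float:
    """Attack-scenario priority: CVSS base severity scaled by whether an
    exploit exists, whether it is used in the wild, and how exposed and
    critical the asset is. Deliberately not capped at 10: it is a ranking
    key, not a CVSS score."""
    score = float(vuln["cvss"])
    if intel.get("exploited_in_wild"):
        score *= 1.5
    elif intel.get("exploit_public"):
        score *= 1.25
    score *= EXPOSURE_WEIGHT[asset["exposure"]]
    score *= CRITICALITY_WEIGHT[asset["criticality"]]
    return score


def sla_days(score: float) -> int:
    """Map a priority score onto a remediation deadline."""
    for floor, days in SLA_DAYS:
        if score >= floor:
            return days
    return SLA_DAYS[-1][1]


def triage(vulns, assets, intel_feed):
    """Rank findings for remediation; intel_feed maps vuln id -> threat intel."""
    ranked = []
    for v in vulns:
        asset = assets[v["asset"]]
        score = risk_score(v, asset, intel_feed.get(v["id"], {}))
        ranked.append({"id": v["id"], "asset": v["asset"], "cvss": v["cvss"],
                       "score": score, "sla_days": sla_days(score)})
    ranked.sort(key=lambda r: (-r["score"], r["id"]))
    return ranked


# Constructed inventory, findings and intel; the VULN-n ids are placeholders.
ASSETS = {
    "lab-vm-3": {"exposure": "internal", "criticality": "low"},
    "web-portal": {"exposure": "internet", "criticality": "high"},
    "vpn-gw": {"exposure": "internet", "criticality": "medium"},
}
VULNS = [
    {"id": "VULN-1", "asset": "lab-vm-3", "cvss": 9.8},    # critical CVSS, no known exploit, lab box
    {"id": "VULN-2", "asset": "web-portal", "cvss": 7.5},  # high CVSS, exploited in the wild
    {"id": "VULN-3", "asset": "vpn-gw", "cvss": 5.3},      # medium CVSS, public exploit, internet-facing
]
INTEL = {
    "VULN-2": {"exploited_in_wild": True, "exploit_public": True},
    "VULN-3": {"exploit_public": True},
}
```

Sorted by CVSS alone the 9.8 on the lab VM would be fixed first; triaged for attack scenarios it drops to third with a 30-day SLA, while the exploited 7.5 on the internet-facing portal gets 3 days and the medium-severity VPN bug with a public exploit gets 14. The weights are the tunable part; the structure (intel first, exposure and criticality second) is what a continuous VM program feeds from its telemetry and threat feeds.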

Page 18

Digital VM platform (component diagram)

Platform modules: Workflow Management, Vulnerability Analytics, Asset Aggregator, Test Manager, Security Telemetry, Triage Engine, Solution Store, Policy Enforcer
Roles using the platform: Test Administrators, Pen Testers, Vulnerability Analysts, Solution SMEs, Remediators

Page 19

Strategy 5: Security for CloudOps and DevOps

Organizations moving their development, testing and production systems to the cloud will look to integrate security into their CloudOps and DevOps.

DoS attacks are already happening in the cloud. It is the APT kind of attack that will be difficult to detect in a cloud environment, and such an attack can potentially affect multiple tenants simultaneously.

The two main requirements for security will be:
- Speed of controls, given that CloudOps and DevOps are both highly automated in provisioning resources, changing configurations, and deploying systems and users
- Seamless use of cloud technologies such as the native APIs of cloud providers, configuration management systems such as Chef/Puppet, and ChatOps systems such as Slack

Securing CloudOps and DevOps needs tools that are built differently, whether for security monitoring, vulnerability testing, configuration reviews, or identity and user activity monitoring.

In 2017, organizations will adopt new security architectures and practices to secure cloud assets and a more agile development environment. They will then look at integrating these security processes into their traditional on-premise security management systems for an integrated view.
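"Native APIs of cloud providers" in practice means the audit trail the provider already emits. The following is an added example of detection logic over CloudTrail-shaped records, covering the changes a cloud attacker makes first (switch off logging, open a security group to the world, attach an admin policy, log in without MFA). It is not code from the deck or from Paladion; the records are constructed to follow the CloudTrail field layout, and the port list and policy ARN treated as sensitive are assumptions.

```python
import json

# Assumptions for this example: which ports count as sensitive, which policy is "admin".
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _world_open_sensitive(params: dict) -> bool:
    """True if any ipPermissions entry allows 0.0.0.0/0 or ::/0 to a sensitive port."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        ranges = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        ranges += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        if not ({"0.0.0.0/0", "::/0"} & set(ranges)):
            continue
        if perm.get("ipProtocol") == "-1":        # all traffic, all ports
            return True
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        if any(lo <= p <= hi for p in SENSITIVE_PORTS):
            return True
    return False


def detect(record: dict) -> list:
    """Return the detection names that fire for one CloudTrail record."""
    name = record.get("eventName", "")
    params = record.get("requestParameters") or {}
    hits = []
    if record.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
        hits.append("audit-trail-tampering")
    if name == "AuthorizeSecurityGroupIngress" and _world_open_sensitive(params):
        hits.append("security-group-open-to-world-on-sensitive-port")
    if (name in {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
            and params.get("policyArn") == ADMIN_POLICY_ARN):
        hits.append("administrator-policy-attached")
    if (name == "ConsoleLogin"
            and (record.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            and (record.get("additionalEventData") or {}).get("MFAUsed") == "No"):
        hits.append("console-login-without-mfa")
    return hits


def scan(records) -> dict:
    """eventID -> detections, only for records that fired something."""
    out = {}
    for rec in records:
        hits = detect(rec)
        if hits:
            out[rec["eventID"]] = hits
    return out


# Constructed records in CloudTrail's field layout; ids, names and the group id are placeholders.
SAMPLE_TRAIL = json.loads("""[
 {"eventID": "evt-1", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "userIdentity": {"userName": "ci-runner"}, "requestParameters": {}},
 {"eventID": "evt-2", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"userName": "dev-ops"},
  "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
     {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventID": "evt-3", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"userName": "dev-ops"},
  "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
     {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventID": "evt-4", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "userIdentity": {"userName": "dev-ops"}, "requestParameters": {"name": "org-trail"}},
 {"eventID": "evt-5", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
  "userIdentity": {"userName": "dev-ops"},
  "requestParameters": {"userName": "dev-ops", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
 {"eventID": "evt-6", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"userName": "dev-ops"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}}
]""")
```

Four of the six records fire; the DescribeInstances read and the HTTPS-to-world rule do not, which is the point of checking ports rather than alerting on every 0.0.0.0/0. The speed requirement on the slide is met by running this on the trail as it is delivered rather than in a nightly configuration review; the StopLogging case is also the reason the detection pipeline should alert on the absence of trail delivery, not only on its content.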

Page 20

Cloud Architecture (diagram)

Data sources: CloudTrail, Flow Logs, CloudWatch, IAM, Docker, Windows servers, Unix servers, Amazon console scanners, automation scripts
Collector and Network Threat Module feed the Cloud Security Platform, which in turn feeds the on-premise SOCs

Page 21

Contact us today to combat today's sophisticated cyber threats

Visit www.paladion.net

[email protected]