Anatomy of An Attack August 2014

Post on 09-Jun-2015


Know what to defend against: Anatomy of an attack, presented by Stephen Coty, Alert Logic Chief Security Evangelist

Transcript of Anatomy of An Attack August 2014

Know What to Defend Against: Anatomy of an Attack

Stephen Coty

Chief Security Evangelist

Industry Analysis – 2013 Data Breaches

Who is breaching data?

• 92% External sources
• 14% Inside sources
• 1% Business partners
• 58% Data theft tied to activist groups
• 19% Attributed to state-affiliated actors

How do breaches occur?

• 13% Involved privilege misuse and abuse
• 52% Hacking
• 40% Incorporated malware
• 35% Physical attacks
• 29% Employed social tactics
• 76% Intrusions exploited weak or stolen credentials

What commonalities exist?

• 78% Attacks were not highly difficult
• 75% Driven by financial motives
• 69% Were discovered by external parties
• 66% Took months or more to discover
• 71% Targeted user devices

*Statistics from 2013 Verizon Business Data Breach Investigation Report

Industry Analysis – 2014 Data Breaches

2014 Mandiant Data Breach Report

Industry Analysis

Industry Analysis - Finance

Industry Analysis - Healthcare

Malicious Actors and the Tools They Use

Various Groups


Tools of the Trade

Black Shades RAT

Havex – StuxNet Take 2 with a Twist

http://securityaffairs.co/wordpress/26092/cyber-crime/cyber-espionage-havex.html - FSecure and CrowdStrike

• Has focused on energy targets in:
  • Germany
  • Switzerland
  • Belgium
  • Suppliers of remote management software for ICS systems (2)
• Started attacking US and Canadian defense contractors
• Delivered through:
  • Spam email
  • Exploit kits
  • Trojanized installers deployed on compromised web sites
• Once infected, it opens a backdoor
• Installs Remote Access Trojan functionality

Attackers:

• C&C servers are not managed professionally
• Uses additional payloads to collect data, shows interest in ICS

Underground Economy

[Diagram of the underground economy; only the node labels survive extraction. Roles and services shown: Malware Writers, Malware Distribution Service, Botnet Owners, Botnet Service, Spammers, Phishing, Keyloggers, Data Acquisition Service, Data Mining & Enrichment, Identity Collectors, Data Sales, Validation Service (Card Checkers), Carding Forums, Credit Card Selling Sites, Credit Card Users, ICQ, Master Criminals, Cashing, Drop Service, Gambling Drop Sites, Wire Transfer, eCurrency, Payment Gateways, Retailers, eCommerce Sites, Bank.]

How do we defend against these attacks

Security Architecture

[Diagram of security architecture controls; only the labels survive extraction. Network layer: Firewall/ACL, Intrusion Detection, Deep Packet Forensics, Network DDoS, Netflow Analysis, NAC, Scanner, Mail/Web Filter. Server/App layer: Patch Mgmt, Vulnerabilities, Log Mgmt, AV/Anti-Virus, Encryption (GPG/PGP), Host Anti-Malware, FIM, Backup, Scanner. Data/endpoint: Lo-Jacking, Central Storage.]

Data Correlation is the Key

NGX SIEM Operations


8.2 Million Per Day

40,000 Per Month
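The slide's point is that correlation turns millions of raw daily events into a small number of incidents worth an analyst's time. The following is an added example, not Alert Logic's SIEM logic or any code from the presentation: it correlates two constructed log sources (an SSH auth log and a network IDS alert log, both in an assumed key=value format) and applies one rule drawn from the 2013 statistics above, where 76% of intrusions exploited weak or stolen credentials. A burst of failed logins from one source address followed by a success from the same address within the window is raised as a likely credential compromise; a burst with no success is a lower-severity brute-force attempt; a single failure followed by a success is left alone as normal user behaviour. The threshold, window, signature name and addresses are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (assumed formats, not Alert Logic's or any real product's).
# 203.0.113.7: five failures in four seconds, then a success -> credential compromise.
# 198.51.100.4: one typo then a success -> benign, no incident.
# 192.0.2.9:    six failures, never succeeds -> brute-force attempt.
AUTH_LOG = """\
2014-08-01T10:00:01 sshd auth_fail src=203.0.113.7 user=root
2014-08-01T10:00:02 sshd auth_fail src=203.0.113.7 user=admin
2014-08-01T10:00:03 sshd auth_fail src=203.0.113.7 user=oracle
2014-08-01T10:00:04 sshd auth_fail src=203.0.113.7 user=backup
2014-08-01T10:00:05 sshd auth_fail src=203.0.113.7 user=deploy
2014-08-01T10:00:09 sshd auth_ok src=203.0.113.7 user=deploy
2014-08-01T10:05:00 sshd auth_fail src=198.51.100.4 user=alice
2014-08-01T10:06:00 sshd auth_ok src=198.51.100.4 user=alice
2014-08-01T11:00:00 sshd auth_fail src=192.0.2.9 user=root
2014-08-01T11:00:01 sshd auth_fail src=192.0.2.9 user=root
2014-08-01T11:00:02 sshd auth_fail src=192.0.2.9 user=root
2014-08-01T11:00:03 sshd auth_fail src=192.0.2.9 user=root
2014-08-01T11:00:04 sshd auth_fail src=192.0.2.9 user=root
2014-08-01T11:00:05 sshd auth_fail src=192.0.2.9 user=root
"""

# Constructed IDS alerts; the signature name is made up for the example.
IDS_LOG = """\
2014-08-01T09:59:30 ids alert sig=SSH_BRUTE_FORCE src=203.0.113.7
2014-08-01T10:59:50 ids alert sig=SSH_BRUTE_FORCE src=192.0.2.9
"""

FAIL_THRESHOLD = 5            # failures that make a burst (constructed value)
WINDOW = timedelta(minutes=5)  # burst width, and how long after it a success still counts


def parse_line(line):
    """Parse '<iso-ts> <source> <event> k=v k=v ...' into a dict."""
    ts, source, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.fromisoformat(ts), "source": source, "event": event, **fields}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def correlate(auth_events, ids_events):
    """Return a list of incidents; each collapses many raw events into one record."""
    by_src = defaultdict(list)
    for e in sorted(auth_events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    ids_srcs = {e["src"] for e in ids_events if e["event"] == "alert"}

    incidents = []
    for src, events in by_src.items():
        fails = [e for e in events if e["event"] == "auth_fail"]
        # Sliding window: is there any run of FAIL_THRESHOLD failures inside WINDOW?
        burst_end = None
        for i in range(len(fails) - FAIL_THRESHOLD + 1):
            first, last = fails[i], fails[i + FAIL_THRESHOLD - 1]
            if last["ts"] - first["ts"] <= WINDOW:
                burst_end = last["ts"]
                break
        if burst_end is None:
            continue  # below threshold: ordinary failed logins, no incident
        # A success from the same source shortly after the burst is the dangerous case.
        success = next(
            (e for e in events
             if e["event"] == "auth_ok" and burst_end <= e["ts"] <= burst_end + WINDOW),
            None,
        )
        incidents.append({
            "src": src,
            "type": "credential_compromise" if success else "brute_force",
            "severity": "high" if success else "medium",
            "user": success["user"] if success else None,
            "failures": len(fails),
            "ids_corroborated": src in ids_srcs,  # second source raises confidence
        })
    return incidents


def run_example():
    return correlate(parse_log(AUTH_LOG), parse_log(IDS_LOG))


if __name__ == "__main__":
    for inc in run_example():
        print(inc)
```

Sixteen raw lines across two sources become two incidents, and only one of them is high severity. The IDS corroboration flag is the reason to feed more than one source into the correlation engine: the auth log alone cannot tell a scanner from a misconfigured client, and the IDS alone cannot tell whether the scan ever got in.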

Threat Intelligence

Honeypot Findings

• Highest volume of attacks occurred in Europe

• Attacks against Microsoft DS accounted for over 51% of the overall attack vectors

• Database services have been a consistent target

• 14% of the malware loaded on the Honeypots was considered undetectable by AV

• Underscores the importance of a defense-in-depth strategy for securing your cloud infrastructure

Partnering with Law Enforcement

Open/Closed Source Intelligence

Monitoring the Social Media Accounts

Following IRC and Forums

Tracking and Predicting the Next Move

• He is a guy from a European country (Russia)
• His handle or nick is madd3
• Using ICQ 416417 as a tool of communication (illegal transaction)
• A simple /whois command to the nick provided us with good information
  • 85.17.139.13 (Leaseweb)
  • ircname : John Smith
  • channels : #chatroom
  • server : irc.private-life.biz [Life Server]
• Check this out: the user has another room, #attackroom4
• We can confirm that Athena version 2.3.5 is being used to attack other sites
• 2,300 infected users
• Cracked software is available in forums
• As of today 1 BTC to $618.00 or £361.66

Forums to Follow – darkode.com & exploit.in (Russian)

Stay Informed of the Latest Vulnerabilities

• Websites to follow

• http://www.securityfocus.com

• http://www.exploit-db.com

• http://seclists.org/fulldisclosure/

• http://www.securitybloggersnetwork.com/