Advanced Persistent Threats: Approaches to stopping Advanced Threats
Roman Ackle, 16. Nov. 2015
© 2015 NTT Com Security 2
Contents
No statistics!
No products!
• APT: Malware?
• APT: Architectural Countermeasures
• A more global picture
• Conclusion
APT – Advanced Persistent Threats
“An advanced persistent threat (APT) is a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity.” (src: Wikipedia)
There is someone behind it with a specific goal!
APT – just new malware?
You might think of APT as a piece of malware. Is it?
> No!
> APT might be based on some sophisticated malware though.
Is it something completely new?
> No
Is its prevention based on completely new technologies, procedures or methods?
> Partially
APT – the goal
It’s not only about data extraction…
> Extracting data is one of many possible goals
> Manipulation of information
> Influencing industrial processes
> Changing production data
> … everything that might give someone an advantage
[Diagram: Internet, Perimeter, Internal Data Network, with a stream of data crossing the perimeter]
APT Prevention – as everything, it’s a process!
The Predict / Prevent / Detect / Respond cycle:
Predict
• GAP Analysis
• Community Intelligence
• Vulnerability Management
• Penetration Testing
Prevent
• System Isolation and Hardening
• Preventive Controls (FWs, Content Filters, IPS, Encryption, etc.)
Detect
• Detect Incident
• Anomaly/misuse detection
Respond
• CERT, Incident Management
• Remediation, Forensics and Investigation
• Security Model Change
APT Challenge – You really want to do it?
> If you don’t think you’re concerned, don’t start with it
> If you think you are, do it right!
> Don’t do “tick the box” projects
> APT prevention is about strategy, about architecture, about processes, about incident response, and at the same time about a lot of technical details
APT Challenge – Knowledge is power. Do you know…?
> Do you really know in detail the dataflow in your enterprise?
> Do you know the baseline?
> Do you get alerted when somebody logs in off-hours?
> Do you know all the details of the filtering at the perimeter?
> Do you have the logs?
> If you had to verify whether you are currently the victim of an APT, could you? How would you check?
> Do you know how to react in case of an emergency? What is an emergency?
> …
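A worked example of the off-hours alert the question above asks about, added here and not part of the original deck. It assumes a syslog-style sshd line format, a 07:00 to 19:00, Monday-to-Friday business window and a short list of accounts that are expected to be active at night; the policy values and the log lines are constructed for the example.

```python
"""Off-hours login alerting over sshd-style authentication log lines."""
import re
from datetime import datetime, time

# Constructed sample log lines (not real data); 2015-11-16 is a Monday,
# 2015-11-21 a Saturday.
SAMPLE_LOG = """\
2015-11-16T08:55:12 srv01 sshd[2031]: Accepted password for alice from 10.1.2.3 port 50211 ssh2
2015-11-16T12:10:44 srv01 sshd[2099]: Accepted publickey for bob from 10.1.2.9 port 50300 ssh2
2015-11-16T23:42:07 srv01 sshd[2310]: Accepted password for alice from 10.1.2.3 port 50412 ssh2
2015-11-17T03:15:59 db02 sshd[877]: Accepted publickey for svc_backup from 10.1.5.20 port 41002 ssh2
2015-11-17T03:20:01 db02 sshd[880]: Failed password for root from 203.0.113.7 port 61000 ssh2
2015-11-21T10:02:33 srv01 sshd[4120]: Accepted password for carol from 10.1.2.14 port 50999 ssh2
"""

# Only successful logins matter for this check; failures are a separate alert.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Assumed policy: Monday to Friday, 07:00-19:00 counts as business hours.
WORK_START, WORK_END = time(7, 0), time(19, 0)
WORK_DAYS = {0, 1, 2, 3, 4}  # Monday=0 ... Friday=4
# Assumed exceptions: accounts that legitimately run at night (backup jobs).
EXPECTED_OFF_HOURS = {"svc_backup"}


def parse_logins(log_text):
    """Yield (timestamp, host, user, source address) for each successful login."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"]


def is_off_hours(ts):
    """True when a timestamp falls on a weekend or outside the working window."""
    return ts.weekday() not in WORK_DAYS or not (WORK_START <= ts.time() < WORK_END)


def off_hours_logins(log_text):
    """Return one alert dict per successful login outside business hours,
    skipping the accounts that are expected to be active then."""
    alerts = []
    for ts, host, user, src in parse_logins(log_text):
        if user in EXPECTED_OFF_HOURS or not is_off_hours(ts):
            continue
        alerts.append({"time": ts.isoformat(), "host": host, "user": user, "src": src})
    return alerts


if __name__ == "__main__":
    for a in off_hours_logins(SAMPLE_LOG):
        print(f"ALERT off-hours login: {a['user']}@{a['host']} from {a['src']} at {a['time']}")
```

On the sample data this raises two alerts (alice at 23:42 on a Monday, carol on a Saturday morning) and stays quiet for the backup account; the point of the "Do you know the baseline?" question is that the working window and the exception list have to come from your own environment, not from a default.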
APT Prevention – The chain
Attack life cycle
1. Reconnaissance
2. Delivery
3. Exploitation of System
4. Malware Download
5. Callbacks and Control
6. Exfiltration / Action
7. Malware spreads laterally
8. Cover tracks
[Diagram: the eight steps above (Recon, Delivery, Exploit, Malware download, CC, Exfiltration / Action, Malware spreads laterally, Cover tracks) drawn across Internet, Perimeter and Internal Data Network]
APT – Ways to get in, ways to get out
The usual suspects:
> In: mail, web, sticks, updates…
> Out: mail, web, tunnels (dns, ssl, ssh), stego tools…
> Finally: you cannot control human behaviour and human curiosity (fortunately…). There is always someone clicking on a link…
APT Prevention – Break the chain!
The attack vector is significantly reduced…
> … if you break the chain at any point
> … if you have controls at every step an attack could take
> … if the controls are on the same level of sophistication as the attack
[Diagram: the attack chain (Recon, Delivery, Exploit, Malware download, CC, Exfiltration / Action, Malware spreads laterally, Cover tracks) across Internet, Perimeter and Internal Data Network]
APT Prevention - Reducing attack vector
Less is more…
> Identify and minimize the dataflows
> Establish baselines
> Identify and pick the low-hanging fruit
> Reduce the unknown
> Block the unknown (the Trusted Internet)
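Added example, not from the original slides, showing how a baseline of identified dataflows can be used to flag the unknown. The zone plan, the baseline tuples and the connection records are all constructed; a real baseline would come from the dataflow inventory the slides ask for.

```python
"""Baseline-driven review of connection records: flag dataflows not in the baseline."""
import ipaddress

# Assumed zone plan (constructed): which networks make up the slides' zones.
ZONES = {
    "internal_clients": ipaddress.ip_network("10.1.0.0/16"),
    "internal_services": ipaddress.ip_network("10.2.0.0/16"),
    "admin": ipaddress.ip_network("10.9.0.0/24"),
    "perimeter": ipaddress.ip_network("192.0.2.0/24"),
}


def zone_of(ip):
    """Map an address to its zone; anything unzoned is treated as the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


# Constructed baseline of identified and approved dataflows:
# (source zone, destination zone, destination port).
BASELINE = {
    ("internal_clients", "perimeter", 3128),          # clients -> web proxy
    ("internal_clients", "internal_services", 445),   # file shares
    ("internal_clients", "internal_services", 1433),  # database
    ("perimeter", "internet", 443),                   # proxy -> web
    ("perimeter", "internet", 25),                    # MTA -> mail
    ("admin", "internal_services", 22),               # admins -> servers
}

# Constructed connection records, one "src,dst,dport" per line.
SAMPLE_FLOWS = """\
10.1.3.4,192.0.2.10,3128
10.1.3.4,10.2.0.5,445
10.9.0.3,10.2.0.5,22
10.1.3.4,198.51.100.7,443
10.2.0.5,198.51.100.9,53
10.1.3.8,10.2.0.5,1433
10.1.3.4,10.1.3.9,445
"""


def classify(src, dst, dport):
    """Return the (src zone, dst zone, port) key used to look up the baseline."""
    return zone_of(src), zone_of(dst), int(dport)


def review_flows(flow_text):
    """Return the records whose zone-level dataflow is not in the baseline,
    each with the missing key so the finding can be triaged."""
    unknown = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = line.split(",")
        key = classify(src, dst, dport)
        if key not in BASELINE:
            unknown.append({"src": src, "dst": dst, "dport": int(dport), "flow": key})
    return unknown


if __name__ == "__main__":
    for u in review_flows(SAMPLE_FLOWS):
        print(f"UNKNOWN FLOW {u['src']} -> {u['dst']}:{u['dport']}  ({' -> '.join(map(str, u['flow']))})")
```

The three findings on the sample data are a client reaching the web directly instead of via the proxy, a server doing its own Internet DNS lookups, and client-to-client SMB, which is what lateral spread looks like at this level of abstraction; each of them corresponds to one of the architectural slides that follow, and once the baseline is trusted the same lookup can drive a block rather than an alert.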
APT Prevention – Architectural Countermeasures
It starts with the policy…
> Implementing a control is not enough; it has to be governed by a policy
> It is not a security engineer's task to decide about the level of protection, because it influences the daily business
> A policy has a very big influence on the daily workload
> A lot of measures are not implemented because they might be too technical for the ISO and are considered too risky for the business by engineering
> There’s a big difference between a simple firewall and a firewall with protocol checks (UUID, for example), IPS etc.
> … and remember:
There is someone behind it with a specific goal!
APT Prevention – Architectural Countermeasures
Internal zoning
> The zoning concept and the services/data placement decision tree are the base of it all!
> It’s not just about firewalling:
> User based rules
> RPC restriction based on UUID
> Protocol checks
> IPS
> Routing limitation
> …
[Diagram: Internet, Perimeter, Internal Clients, Internal Data and Services]
APT Prevention – Architectural Countermeasures
System administration
> No internet access for admins
> No internet access for servers/services
> Privileged account management
APT Prevention – Architectural Countermeasures
System administration
> Management zone for system administration
> Pass-the-hash prevention
[Diagram: a separate System Administration zone beside Internal Clients and Internal Data and Services]
APT Prevention – Architectural Countermeasures
Internet Communication: DNS
> No Internet DNS resolution for internal systems, as it can be used to set up DNS tunnels
> This can even be seen in environments with a proxy
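Added example, not from the original slides, of the kind of check that makes DNS tunnels visible in resolver logs even where internal systems should not be resolving Internet names at all: per registered domain it counts distinct subdomains, subdomain length, character entropy and TXT/NULL use. The log format, the thresholds and the "registered domain = last two labels" rule are assumptions for the example; the query lines are constructed.

```python
"""DNS-tunnel indicators per registered domain, computed from resolver query logs."""
import math
from collections import defaultdict

# Constructed query log: "unix_time client qname qtype" (not real traffic).
SAMPLE_QUERIES = """\
1447660800 10.1.3.4 www.example.com A
1447660801 10.1.3.4 mail.example.com A
1447660802 10.1.3.4 www.example.com AAAA
1447660803 10.1.3.9 a3f9c2e17b0d4e5f6a7b8c9d0e1f2a3b.t1.tunnel-test.example TXT
1447660804 10.1.3.9 9b8a7c6d5e4f3a2b1c0d9e8f7a6b5c4d.t1.tunnel-test.example TXT
1447660805 10.1.3.9 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t1.tunnel-test.example A
1447660806 10.1.3.9 deadbeef0123456789abcdefcafebabe.t1.tunnel-test.example TXT
1447660807 10.1.3.9 5a5a5a5a1b2c3d4e5f60718293a4b5c6.t1.tunnel-test.example NULL
1447660808 10.1.3.9 77e1d9f0a2b3c4d5e6f708192a3b4c5d.t1.tunnel-test.example A
"""

# Assumed thresholds for the example; tune them against your own baseline.
MIN_UNIQUE_SUBDOMAINS = 5
MIN_AVG_SUBDOMAIN_LEN = 30
MIN_ENTROPY_BITS = 3.5
MIN_TXT_NULL_RATIO = 0.5


def split_domain(qname):
    """Return (registered domain, subdomain part). Assumption for the example:
    the registered domain is the last two labels; a public suffix list handles
    names such as example.co.uk properly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def domain_stats(log_text):
    """Aggregate, per registered domain, the traits tunnels tend to show."""
    acc = defaultdict(lambda: {"subs": set(), "total": 0, "txt_null": 0, "sublen": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname, qtype = line.split()
        dom, sub = split_domain(qname)
        d = acc[dom]
        d["subs"].add(sub)
        d["total"] += 1
        d["sublen"] += len(sub)
        if qtype in ("TXT", "NULL"):
            d["txt_null"] += 1
    return {
        dom: {
            "unique_subdomains": len(d["subs"]),
            "avg_subdomain_len": d["sublen"] / d["total"],
            "entropy": shannon_entropy("".join(d["subs"])),
            "txt_null_ratio": d["txt_null"] / d["total"],
        }
        for dom, d in acc.items()
    }


def tunnel_suspects(log_text, min_indicators=2):
    """Return {domain: [indicator names]} for domains that hit at least
    min_indicators of the four traits; one trait alone is too noisy (CDNs)."""
    suspects = {}
    for dom, s in domain_stats(log_text).items():
        hits = [name for name, cond in (
            ("many_unique_subdomains", s["unique_subdomains"] >= MIN_UNIQUE_SUBDOMAINS),
            ("long_subdomains", s["avg_subdomain_len"] >= MIN_AVG_SUBDOMAIN_LEN),
            ("high_entropy", s["entropy"] >= MIN_ENTROPY_BITS),
            ("txt_or_null_heavy", s["txt_null_ratio"] >= MIN_TXT_NULL_RATIO),
        ) if cond]
        if len(hits) >= min_indicators:
            suspects[dom] = hits
    return suspects


if __name__ == "__main__":
    for dom, hits in tunnel_suspects(SAMPLE_QUERIES).items():
        print(f"SUSPECT {dom}: {', '.join(hits)}")
```

Requiring two independent traits keeps a busy but legitimate domain (many short, low-entropy subdomains) out of the result; with the slide's recommendation in place, any internal client appearing in such a log at all is already the finding, and the scoring only tells you which queries to pull first.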
APT Prevention – Architectural Countermeasures
Internet Communication: Web Access
> Application filtering
> Authentication
> No browsing from the workstation
> Block the unknown!
[Diagram: Internal Clients reach the Internet only through the proxy at the Perimeter]
APT Prevention – Architectural Countermeasures
Internet Communication: Mail
> Take care of the ruleset!
> Take care of the quarantine!
> File filtering (did you ever think about whitelisting?)
> Reputation
> SPF
> …
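Added example, not from the original slides, of two of the mail-gateway checks the bullets name: a simplified SPF evaluation (only the ip4, ip6, include and all mechanisms, looked up in a constructed DNS table instead of a resolver) and attachment whitelisting by extension plus leading file bytes. The records, sender addresses and file contents are constructed.

```python
"""Two mail-gateway checks: a simplified SPF evaluation and attachment whitelisting."""
import ipaddress

# Constructed DNS TXT records standing in for what a resolver would return.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=DNS_TXT, depth=0):
    """Evaluate the sender domain's SPF record against the connecting IP.
    Simplification for the example: only ip4, ip6, include and all are modelled;
    a, mx, exists and macros are skipped rather than implemented."""
    if depth > 10:
        return "permerror"  # RFC 7208 limits include recursion
    record = dns.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # Membership is False across IP versions, so ip6 never matches a v4 sender.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = check_spf(arg, sender_ip, dns, depth + 1) == "pass"
        else:
            continue
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


# Assumed whitelist: extension -> leading bytes the content must carry.
ALLOWED_ATTACHMENTS = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "docx": b"PK\x03\x04",  # OOXML is a zip container; a real gateway would also open it
}


def attachment_allowed(filename, content):
    """Whitelist decision: the extension must be on the list and the file's
    leading bytes must match the type it claims. Returns (allowed, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magic = ALLOWED_ATTACHMENTS.get(ext)
    if magic is None:
        return False, f"extension '.{ext}' not on the whitelist"
    if not content.startswith(magic):
        return False, f"content does not look like a .{ext} file"
    return True, "ok"


if __name__ == "__main__":
    print(check_spf("example.com", "192.0.2.55"))       # pass
    print(check_spf("example.com", "203.0.113.1"))      # fail
    print(attachment_allowed("report.pdf", b"%PDF-1.4\n"))
    print(attachment_allowed("invoice.pdf.exe", b"MZ\x90\x00"))
```

The whitelist is the point of the slide's parenthesis: a blacklist of dangerous extensions has to be kept complete, whereas a short list of types the business actually exchanges, verified against the bytes rather than the name, rejects the rest by default. The SPF result is only one input to the ruleset; what the gateway does with "softfail" or "none" is a policy decision, which is why the slide starts with "take care of the ruleset".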
[Diagram: an MTA with quarantine at the Perimeter in front of the internal MTA]
APT Prevention – Architectural Countermeasures
The user / the endpoint
> No admin rights!
> No USB control
> NAC
> Client Protection
– Application whitelisting
– Application Containment
– Malware scanning
APT Prevention – Architectural Countermeasures
Internet Communication: Web Presence
> Check the uploads
> Check the partners (remember: we are talking about APT)
APT Prevention – Architectural Countermeasures
Data access
> Most probably, the intruder's goal is the data in the database
> There are a lot of measures to take concerning database security:
– access control
– auditing
– authentication
– …
> What about live data being used in UAT environments?
APT Prevention – Getting a better microscope
Now that we might have:
> A solid architecture
> Procedures
> A good understanding of our dataflow
> A good understanding of what we already do
… and now?
Let’s get a better microscope!
APT Prevention – Getting a better microscope
The ATP solutions and what they do:
> Sandboxing
> Static code analysis
> Analysing behaviour in a specific environment:
– What DLL calls are made
– What registry keys are accessed
– What network calls are made
– …
> Typically implemented in the mail flow, the web traffic flow and on the endpoint
[Diagram: ATP inspection on the HTTP(S) web flow and the SMTP mail flow at the Perimeter]
APT Prevention – Getting a better microscope
ATP solutions: the current hype in IT security…
> Very detailed information about what files are actually doing
> Some solutions could be used as forensic tools
> Available in different “form factors”:
– CPE / appliances
– Hybrid solutions
– Cloud services
So this is it? Is my company protected now?
APT Prevention – Multilevel Security
[Diagram, build 1: the enterprise zones: Internet, Web Presence, Internal Clients, Internal Data and Services, Administration, Mail, Web Access, E2E, Remote Access, DNS, S2S, Cloud Services, Branches, Internal Devices, Industrial Processing, Zero Trust]
[Diagram, build 2: the same zones annotated with the controls already in place: HTML Filtering, Mail Filtering, Web Filtering, SOAP / XML Filter, Client Based / Portal remote access, DNSSEC, DB FW, NAC, CP, DLP, MDM, IPS/IDS, IA, BOT, Clnt Check, Certs, DDOS, Priv Acct Mgt, IAM, Virt. FWs, Data Classific., Patch Mgt, Vuln Mgt, Log Mgt, SIEM, PKI, Auth Services, SCADA FW, IPSec, Reputation DBs, Vuln. Scan, Authentication]
[Diagram, build 3: the same picture with APT prevention (APT-Prev / APT) added next to the IPS/IDS, DLP and MDM controls]
APT Prevention – The strategy
Establishing a strategy…
> A strategy is the starting point towards a comprehensive IT security infrastructure
> It should be the base for any further extension, like new technologies, new controls, new procedures
> It should take care of what is possible in an enterprise
> Take into consideration:
– Investment
– Resources
– Know-how
– Operational costs
– and of course: a realistic risk assessment
APT Prevention – The human factor
> Commonly seen as the most vulnerable “link” in the attack chain
> Processes and guidelines should help people, not control them
> Employees should be part of the IT Security process
> Management should be part of the IT Security process!
… especially with regard to APTs
APT Conclusion – Risk Based Security
> There is no simple technical solution, but new technologies might help
> Risk Based Security: not everything has to be protected to the same level, not everything has the same importance
Security should be…
target-oriented: What has to be protected? What are the threats?
adequate: Where do we protect? How to protect efficiently?
APT Conclusion – APT Prevention with new technologies?
> APTs are not only a new type of malware
> New technologies might be required and might help
> New technologies must be understood in order to be used in a practical environment
But:
> Fighting APTs is not only a technological task of more granular file filtering
-------------------------------------------
Preventing APTs is about establishing a comprehensive security architecture strategy that will help an enterprise get a clear picture of its IT landscape and that will lead to reliable and sustainable protection for its assets.
APT Conclusion
> … and did we mention that already?
There is someone behind it with a specific goal!
NTT Com Security
Thank you
Roman [email protected]