Chin Symantec Keynote 6014


Transcript of Chin Symantec Keynote 6014

  • 8/6/2019 Chin Symantec Keynote 6014

    1/30

    Anatomy Of A Data Breach: Exploring The Current Threat Landscape

    Larry Chin: Sr. Security Architect, CISA, CISSP, PCI-QSA

    Moderator: Angela Moscaritolo, senior reporter, SC Magazine

  • 2/30

    Threat Landscape: 2010 Trends

    Social Networking + social engineering = compromise

    Attack Kits get a caffeine boost

    Targeted Attacks continued to evolve

    Hide and Seek (zero-day vulnerabilities and rootkits)

    Mobile Threats increase

  • 3/30

  • 4/30

    The Threats Behind The Numbers

    Data Breaches: RSA, Lockheed Martin, Sony, Honda, Northrop Grumman, Epsilon


    February 2011

    Tatanarg/Tatanga: Trojan/rootkit/MITM, fraudulent banking transactions via browser

    Oddjob: Trojan infostealer

    Night Dragon: SQL injection and other vectors for information theft


    April 2011

    Qakbot: Internet Explorer or Quicktime vulnerability; rootkit, information theft

    Lizamoon: SQL injection to propagate FakeAV ransomware


  • 5/30

    The Escalating Threat Landscape

    In 2003 we released an average of 5 definitions a day; in 2007, 1431 daily.

    Over the second half of 2007 there was a 524% increase in the number of threats.

    More detections were created in 2008 than in all the other years combined: 7500 per day.

    In 2009 we started releasing up to 12,000 new signatures a day.

    Today, over 25,000 per day.

    In 2010 there were over 10 million signatures written to catch 286 million threats and stop over 3.1B attacks.

  • 6/30

    Infection Vectors: Email Phishing Targeted Attack

    These usually consist of a PDF or Office document with a built-in exploit for a vulnerability, which drops a back door.

    Targeted email attacks are much more publicized these days.

    Example: RSA Attack

    Email to HR staff with subject: 2011 Recruitment Plan

    Excel document titled: 2011 Recruitment plan.xls

    The document had a 0-day Adobe vulnerability embedded in it.

    Exploiting the vulnerability downloaded a custom backdoor from the Poison Ivy family.

  • 7/30

    Infection Vectors: Malicious Websites and Toolkits

  • 8/30

    Advanced Persistent Threats

  • 9/30

    What is an Advanced Persistent Threat?

    An Advanced Persistent Threat (APT) is a sophisticated and well-planned network attack focused against a targeted organization.

    APTs are usually well-funded and use state of the art, often customized, tools that help the attackers avoid detection by the usual methods.

    In addition to funding and customized tools, APT attacks are distinguished by their level of perseverance and the patience needed on the part of the attacker to be successful.

    While most APTs are focused on the government, financial and manufacturing sectors, any organization can be a target.

  • 10/30

    APT: Targeted Attacks Continue To Evolve

    High profile attacks in 2010 raised awareness of the impact of APTs

    Stuxnet was incredibly sophisticated

    Four zero-day vulnerabilities

    Stolen digital signatures

    Ability to leap the air gap with USB key

    Potential damage to infrastructure

  • 11/30

    Less sophisticated attacks also cause significant damage

    Average cost of U.S. data breach in 2010: $7.2 million

    Average cost of CAN data breach in 2010: $1.9 million

    [Chart: Average # of Identities Exposed per Data Breach by Cause. Labels: Sophistication, Degree Of Damage]

  • 12/30

    Typical Attack Scenario - Noisy

    Traditional Hacker Attack

    In a typical attack scenario the attacker goes for the low hanging fruit.

    An attacker will either scan for vulnerable hosts, set up a malicious website or send out hundreds of thousands, even millions, of phishing emails.

    Because of the large number of attempts they are bound to find unpatched systems, exploit those systems and extract data from those exploited systems.

    The large scale of these types of attacks also means that it is easy to spot them and prevent them from infecting your network.

  • 13/30

    APT Attack: Low And Slow

    An APT Attack

    Cost of the attack: < $5000

    An APT attack takes a different approach because it is starting from a different perspective: with a target already in place.

    In the case of an APT, the attacker starts by finding out as much information as possible about the target and storyboarding that information.

    Information can come from the organization's website, Google searches, social media sites and various business research tools.

    In this case, the attacker is looking for weaknesses in the organization itself, as opposed to typical software vulnerabilities.

  • 14/30

  • 15/30

    Stopping An APT Attack

    Stopping APT attacks is almost impossible because they rely on a combination of software and human weakness.

    The best hope is to contain the attack and work to ensure that no data is leaked.

    Because of the sophistication of these attacks, traditional signature-based detection does not usually work.

    Instead, detecting an APT attack requires anomaly detection, pattern extraction from those anomalies and the ability to block the attack, or information egress.

  • 16/30

    Food For Thought

    Mobile & Social Media

  • 17/30

    Mobility Challenges

    Endpoint Heterogeneity: Multiple mobile platforms with widely varying and ever-changing capabilities and form factors; IT cannot have in-depth details about all platforms. Point solutions make it difficult to enforce an overall corporate policy.

    Mobile Consumerization: Corporate data on personal devices raises security, liability and manageability issues. How to allow this large number of devices to securely connect to the enterprise?

    Application Management & Enterprise Integration: Mobile apps need to connect to enterprise backends and vice-versa; what is the framework to allow this communication? Enterprise IT has existing investments. How can they be leveraged for mobility?

  • 18/30

    Mobile Data Loss

    2008 Ponemon/Dell Study: 12,000 laptops lost in airports each week

    2011: ?

  • 19/30

    Mobile Threats

    Most malware for mobiles consists of Trojans posing as legitimate apps.

    Mobiles will be targeted more when used for financial transactions.

    2009: 115 vulnerabilities

    2010: 163 vulnerabilities

    2011: already > 150 vulnerabilities targeting mobile platforms!

  • 20/30

    Mobile Threats - Android

    Eight versions in 2.5 years

    Currently being used on 310 different devices; activated on 100 million phones in 2011

    425,000 apps available by Fall 2011

    Google does not test or pre-vet these

    Open source means it's easy for cyber criminals to get a quick financial hit

    $1500 - $4500 for the tools required to make much, much more through schemes that involve premium billing rates, spyware, search engine poisoning, adware, and pay-per-installs.

    Thirty Trojanized apps removed from the Android store

    Pre-packaged crypters can create fully undetectable trojanized apps

  • 21/30

    Social Media: Facebook Statistics as of June 7, 2011

    Mobile: There are more than 250 million active users currently accessing Facebook through their mobile devices. People that use Facebook on their mobile devices are twice as active on Facebook as non-mobile users. There are more than 200 mobile operators in 60 countries working to deploy and promote Facebook mobile products.

    Platform: Entrepreneurs and developers from more than 190 countries build with the Facebook Platform. People on Facebook install 20 million applications every day. Every month, more than 250 million people engage with Facebook on external websites. Since social plugins launched in April 2010, an average of 10,000 new websites integrate with Facebook every day. More than 2.5 million websites have integrated with Facebook, including over 80 of comScore's U.S. Top 100 websites and over half of comScore's Global Top 100 websites.

    People on Facebook: More than 600 million active users. 50% of our active users log on to Facebook in any given day. Average user has 130 friends. People spend over 700 billion minutes per month on Facebook.

    If Facebook were a country it would be the 3rd largest in the world.

  • 22/30

    Social Networking + Social Engineering = Compromise

    Hackers have adopted social networking

    Use profile information to create targeted social engineering

    Impersonate friends to launch attacks

    Leverage news feeds to spread spam, scams and massive attacks

  • 23/30

    Canadian Trends in Mobility Adoption and Social Networking

    Demand for access to social networking sites and the desire to bring your device to work continue to grow.

    Many organizations are looking at this as an opportunity rather than a threat: Research and Development, Marketing, Human Resources, Sales, Customer Service; innovation, creating brand recognition, hiring and retaining employees, generating revenue, improving customer satisfaction.

    Social networking creates instant access to millions of consumers or constituents.

    Bring your device to work can: reduce training costs and subsequent support; increase employee productivity in and outside of an organization; be used as a strategy to attract top talent in the marketplace; accelerate the process of IT transforming itself from a cost center that says no to the business partner that helps drive new revenue.

    Enterprises must develop an appropriate strategy and controls to manage their use of social media and new smart devices.

  • 24/30

    Risks Of Social Media In The Enterprise

    Introduction of viruses and malware to the organizational network

    Exposure to customers and the enterprise through a fraudulent or hijacked corporate presence

    Unclear or undefined content rights to information posted to social media sites

    A move to a digital business model may increase customer service expectations

    Mismanagement of electronic communications that may be impacted by retention regulations or e-discovery

    Use of personal accounts to communicate work-related information

    Employee posting of pictures or information that link them to the enterprise

    Excessive employee use of social media in the workplace

    Employee access to social media via enterprise-supplied mobile devices (smartphones, personal digital assistants [PDAs])

    There are significant risks to those who adopt this technology without a clear strategy that addresses both the benefits and the risks.

  • 25/30

    Stages Of A Breach

    > Incursion

    The #1 vector is email, a trend that has accelerated.

    The web is becoming an increasing vector for malware coming into companies.

    90% of breaches are due to unpatched vulnerabilities.

    > Discovery

    Advanced Persistent Threats

    Phishing/Spear Phishing

    Compromise of endpoints

    > Capture (Data Theft)

    Bundling of information for egress

    Survey for egress points (mail, ftp, dns, web)

    > Exfiltration

    400,000 military documents posted by Wikileaks, Oct. 2010

    Dumpster Dives Turn Up Personal Information, Toronto, Oct. 2010

    Copy Machines Spill Identity Secrets, Oct. 2010
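    The detection approach from the Stopping An APT Attack slide (anomaly detection, pattern extraction from the anomalies, then blocking egress) applied to the egress points this slide lists (mail, ftp, dns, web), as an added Python example that is not part of the keynote. The log format, host names, destinations and the 10x volume factor are constructed assumptions; the observation window has one host that starts pushing data over DNS and FTP.

```python
from collections import defaultdict

# Constructed outbound logs (not from the talk). Format: host channel dest bytes_out
BASELINE = """\
ws-hr-01 web www.example-bank.com 4100
ws-hr-01 mail smtp.corp.example 22000
ws-hr-01 dns corp-dns.example 250
ws-hr-03 dns corp-dns.example 300
ws-eng-07 ftp files.partner.example 120000
"""
WINDOW = """\
ws-hr-01 web www.example-bank.com 3900
ws-hr-01 dns corp-dns.example 260
ws-hr-03 dns ns1.unknown-resolver.example 910000
ws-hr-03 dns ns1.unknown-resolver.example 880000
ws-hr-03 ftp 203.0.113.10 2400000
ws-eng-07 ftp files.partner.example 130000
"""

def parse(log):
    return [(h, c, d, int(b)) for h, c, d, b in (ln.split() for ln in log.splitlines())]

def detect(baseline_rows, window_rows, volume_factor=10):
    """Anomaly detection against a per-(host, channel) baseline of destinations and peak volume."""
    known, peak = defaultdict(set), {}
    for h, c, d, b in baseline_rows:
        known[(h, c)].add(d)
        peak[(h, c)] = max(peak.get((h, c), 0), b)
    findings = []
    for h, c, d, b in window_rows:
        if (h, c) not in known:
            findings.append((h, c, d, "channel never used by this host in baseline"))
        elif d not in known[(h, c)]:
            findings.append((h, c, d, "destination not seen in baseline"))
        if (h, c) in peak and b > volume_factor * peak[(h, c)]:
            findings.append((h, c, d, f"bytes_out {b} > {volume_factor}x baseline peak"))
    return findings

def extract_patterns(findings, min_channels=2):
    """Pattern extraction: a host anomalous on several egress channels is an exfiltration candidate."""
    channels = defaultdict(set)
    for h, c, _, _ in findings:
        channels[h].add(c)
    return sorted(h for h, cs in channels.items() if len(cs) >= min_channels)

def egress_blocks(findings):
    """Containment: (host, channel) pairs to deny at the egress gateway for candidate hosts."""
    hosts = set(extract_patterns(findings))
    return sorted({(h, c) for h, c, _, _ in findings if h in hosts})
```

    Running the baseline against itself yields no findings, which is the sanity check to run before trusting the volume factor on real traffic.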

  • 26/30

    What Caused The Breach

    Poorly Protected Infrastructure: SQL Injection; Siloed, Inconsistent Protection, Physical Security; Proactive Threat Information

    Lack of IT Policies: 81% Of Targeted Companies Were Not PCI Compliant; 67% Of Breaches Are Due To Insider Negligence Or Lack Of Knowledge

    Poorly Protected Information: Encryption, Particularly On Mobile Devices And Detachable Storage; Data Loss Prevention; Application And Device Control

    Poorly Managed Systems: Reporting And Enterprise-Wide Visibility; Timely Patching Or Mitigating Measures; Policy And Procedure

  • 27/30

    Preventing The Breach: A Holistic Security Strategy

    [Diagram: layered model with LOGS, WORKFLOW and Monitoring running across all layers]

    Protection (Data / Information / Intellectual Property)

    Management (TCO)

    Policy, Procedure (Compliance & Audit)

    Standards, Legislation, Regulations (PCI, SOX etc.)

    Policy / Procedure (Internal and External)

    User Awareness

    Server Management, Service & Asset Mgmt., Workstation Management

    Log Collection From All Systems, Reporting, Proactive Measures

    Workstation Config & Security, Servers Config & Security

    Web Security, Data Protection & Backup, Mail Security

    Legal Action & Financial Penalties

    Lack of Standardization, operational costs

    Flawed Operations, Liability, Data Loss

    Unplanned outages, data loss, operational costs

    Excessive SW/HW Costs, No Asset Mgmt., support costs

    TCO, LOE & support cost; levels of control and security

    Endpoint Compromise, Enterprise Compromise, Web Borne Threats

    Confidential Info Loss; Spam, Phishing, Trojans etc.

    No Log Aggregation & Correlation for Reporting

    No Operational Visibility; No Ability to Mitigate Impact of New Threats

  • 28/30

    The Consequences

    [Diagram: the same holistic security strategy layout as the previous slide]

  • 29/30

    Eight Questions To Security

    Can You Respond To Threats Proactively?

    Are Your Policies Current And Relevant?

    Do You Know Where Your Sensitive Information Resides?

    Is Your Infrastructure Management As Cost Effective As Possible?

    Can You Enforce IT Policies And Remediate Deficiencies?

    Do You Know Who Is Using Your Information?

    Can You Easily Manage The Lifecycle Of Your IT Assets?

    Do You Have Visibility Across The Enterprise?

  • 30/30

    Thank You

    Larry Chin

    [email protected]