Protect Your Organization from Advanced Threats: The APT ...iof.org.sa/files/confrences/Information...
Protect Your Organization from Advanced Threats: The APT and Your Users
ANUP GHOSH, PHD – FOUNDER AND CEO, INVINCEA
Every Organization is Under Attack

Nation States – motives include:
• Cyber espionage
• Intellectual property theft
• Probing of critical infrastructures

Cyber Criminals – motives include:
• Identity theft
• Corporate financial fraud
• Black market sales to nation states
• Probing of financial infrastructures

Hacktivists – motives include:
• Political action
• Shaming major corporations
• Attacking specific executives
• Exposing corporate trade secrets

Competition | Auditors
'11, '12 and '13 (so far) the bloodiest years on record…
• "White House" eCard (spear-phishing)
• HBGary Federal (social engineering)
• Night Dragon (spear-phishing)
• London Stock Exchange Website (watering-hole)
• French Finance Ministry (spear-phishing)
• DuPont, J&J, GE (spear-phishing)
• Charlieware (poisoned SEO)
• Nasdaq (spear-phishing)
• Office of Australian Prime Minister (spear-phishing)
• RSA (spear-phishing)
• Epsilon (spear-phishing)
• Barracuda Networks (spear-phishing)
• Oak Ridge National Labs (spear-phishing)
• Lockheed Martin (spear-phishing)
• Northrop Grumman (spear-phishing)
• Gannett Military Publications (spear-phishing)
• PNNL (spear-phishing)
• ShadyRAT (spear-phishing)
• DIB and IC campaign (spear-phishing)
• 'Voho' campaign (watering-holes and spear-phishing)
• 'Mirage' campaign (spear-phishing)
• 'Elderwood' campaign (spear-phishing)
• White House Military Office (spear-phishing)
• Telvent compromise (spear-phishing)
• Council on Foreign Relations (watering hole)
• Capstone Turbine (watering hole)
• RedOctober (spear-phishing)
• Speedtest.net (watering-hole/drive-by)
• DoE (spear-phishing)
• Federal Reserve (spear-phishing)
• Bit9 (TBD)
Cannot keep this slide up to date…
A Problem of Pandemic Proportions
Alarming Malware Statistics
• 280 million malicious programs detected in April 2012*
• 80,000+ new malware variants daily**
• 134 million web-borne infections detected (48% of all threats) in April 2012*
• 24 million malicious URLs detected in April 2012*
• 30,000+ new malicious URLs daily**
• 85.8% of malicious programs on the Internet involve a malicious URL*
• Organizations witnessing an average of 643 malicious URL events per week***
• 225% increase from 201**

* Kaspersky April 2012 Threat Report
** Panda Labs Q1 2012 Internet Threat Report
*** FireEye September 2012 Advanced Threats Report
The Primary Target – The Unwitting Accomplices
The User = The #1 Attack Vector
• Ubiquitous usage of Internet and email has enabled adversaries to shift tactics: prey on human psychology
• Spear phishing – the new black
  • Drive-by downloads
  • Malicious sites
  • Weaponized attachments
• Watering hole attacks
  • Hijacked trusted sites
• Trust in social networks
  • Facebook, Twitter, LinkedIn
• Faith in Internet search engines
  • Poisoned SEO
• User-initiated infections
  • Fake A/V and fear mongering
Enterprise Security Architecture for Addressing APT

Controls surveyed (In Use | Confidence*):
• Firewalls/Web Proxies
• Network Controls
• Anti-Virus
• Forensics and IR
• User Training
• App Whitelisting: 22% in use | 49% confidence

[Chart values as extracted for the first five controls; their pairing with the rows is not recoverable from the slide: 84% 66% 34% 92% 64% 31% 55% 52% 17% 40%]

*Invincea APT Survey Q4 2012
Mapping the APT Kill Chain
Stage 1: Reconnaissance – research the target
Stage 2: Attack Delivery – spear-phish with URL links and/or attachment
Stage 3: Client Exploit & Compromise – vulnerability exploited or user tricked into running executable
Stage 4: C2 – remote command and control
Stage 5: Internal Recon – scan network for targets
Stage 6: Lateral Movement – colonize network
Stage 7: Establish Persistence – root presence to re-infect as machines are remediated
Stage 8: Stage Data & Exfil – archive/encrypt, leak to drop sites
Stage 9: Incident Response – analysis, remediation, public relations, damage control
Einstein's Definition of Insanity – the Security Insanity Cycle
• Patching software as vulnerabilities are made public
• Detecting intruders and infected systems after the fact
• Recovering and restoring the infected machines back to a clean state
Addressing the Critical Vulnerability in Java 7: "Uninstall Java…"
Addressing the Critical Vulnerability in IE: "Stop Using IE…"
Addressing the Pandemic of Spear-Phishing: "Don't Click on Links You Don't Trust…"
Protecting the Network from the User
Time to Rethink Security
If…you could negate user error
And…contain malware in a virtual environment
And…stop zero-days in their tracks without signatures
Then…preventing APT exploits is possible
"Making Prevention Possible Again"

Browser Exploits & Spear-Phishing are the Primary Attack Vector

Contain the Contaminants
• Prevention – protect every user and the network from their error
• Pre-Breach Forensics – feed actionable forensic intelligence without the breach
• Detection – detect zero-day attacks without signatures

Virtualizing Vulnerable Apps in Secure Containers
DETECTION | PREVENTION | INTELLIGENCE
Containment and Detection

Layers, bottom to top: Physical Hardware → Host Operating System → Invincea Isolation { Web Browser (Internet Explorer), Plug-Ins, Acrobat Reader; virtualized process control / filesystem / registry }. Incoming threats land in the isolated layer; forensic detail flows out to the Central Threat Data Server.

• Invincea builds a contained virtual environment local to the desktop
• Contained environment runs all untrusted content
• Behavioral based detection engine monitors the contained environment
• User receives an alert at point of infection
• Forensic detail is fed to Invincea Threat Data Server
• Complete virtual environment is discarded
Automatic Remediation
• Invincea completely rebuilds a new virtual environment
• User is back up and running in a matter of seconds
Virtual container restores back to a pristine state off the "Gold" image
Breach Prevention Platform – Breaking the APT Kill Chain
Containment | Detection | Prevention | Intelligence
• Highly targeted apps run in contained environment
• Behavioral based detection spots all malware including 0-days
• Automatic kill and remediation to clean state
• Forensic intelligence on thwarted attacks fed to broader infrastructure (Threat Data Server, Threat Data Server Analytics)
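As an added illustration of the behavioral monitoring and kill-chain mapping the slides describe (example code written for this page, not Invincea's own; the event format, the process allow-list and the sample sessions are assumptions), this analyzer walks a constructed event stream from a contained browser session, tags each suspicious behaviour with the kill-chain stage it corresponds to, and reports the point of infection at which the user would be alerted and the container discarded:

```python
# Constructed event streams from one contained browser session each (sample
# data, not the output of any real product). Each event is (kind, actor, detail).
INFECTED_SESSION = [
    ("process", "explorer.exe", "iexplore.exe"),
    ("network", "iexplore.exe", "www.example-news.test:443"),
    ("file_write", "iexplore.exe", r"C:\Users\u\AppData\Local\Temp\upd.exe"),
    ("process", "iexplore.exe", r"C:\Users\u\AppData\Local\Temp\upd.exe"),
    ("registry_write", "upd.exe",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    ("network", "upd.exe", "203.0.113.10:8080"),
]
BENIGN_SESSION = [
    ("process", "explorer.exe", "iexplore.exe"),
    ("network", "iexplore.exe", "intranet.corp.test:443"),
    ("file_write", "iexplore.exe", r"C:\Users\u\Downloads\report.pdf"),
    ("process", "iexplore.exe", "AcroRd32.exe"),
]

# Assumed allow-list of processes the container expects to host; anything else
# spawned inside it is treated as the point of infection.
ALLOWED = {"explorer.exe", "iexplore.exe", "acrord32.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (event_index, kill-chain stage, actor, message) alerts in the
    order the behaviour was observed inside the container."""
    alerts, dropped = [], set()
    for i, (kind, actor, detail) in enumerate(events):
        if kind == "file_write" and detail.lower().endswith((".exe", ".dll", ".scr")):
            dropped.add(basename(detail))  # remember executables the app wrote
        elif kind == "process" and basename(detail) not in ALLOWED:
            how = "dropped file" if basename(detail) in dropped else "unexpected child"
            alerts.append((i, "Stage 3", actor, f"{how} launched: {detail}"))
        elif kind == "registry_write" and "\\currentversion\\run\\" in detail.lower():
            alerts.append((i, "Stage 7", actor, f"persistence via Run key: {detail}"))
        elif kind == "network" and basename(actor) not in ALLOWED:
            alerts.append((i, "Stage 4", actor, f"beacon from non-browser process: {detail}"))
    return alerts


def point_of_infection(events):
    """Index of the first alerting event, or None when the session stayed clean."""
    alerts = analyze(events)
    return alerts[0][0] if alerts else None
```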
Cyber Forensics to Attribution – Peanut Butter & Chocolate
• Real-time forensics from corporations and individuals getting spear-phished or water-holed
• All-source intelligence of active campaigns
  • Intel
  • LE
  • Private sector
• Together we build the complete story:
  • Who has been targeted
  • What was obtained
  • TTPs
  • Actors

Fusing Forensics with Intelligence for Attribution
Real-time forensics is collected globally from Invincea-protected users and sent to Invincea Threat Data Servers.
Threat information is shared with partners.
Link analysis between C2 domains, IPs, registering entities, addresses and known campaigns points to adversaries in near real time.
Every attack is an intel gain used to track the adversary, with no breach or loss of data.
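An added example of the link analysis just described (written for this page, not Invincea's code; the record layout, campaign names and every indicator are constructed): it clusters forensic records by shared C2 IP, C2 domain and registrant, then attributes each victim to whichever known campaign its cluster touches, so a victim whose only overlap is a registrant shared with another victim still lands in the right cluster.

```python
from collections import defaultdict

# Constructed forensic records (victim, C2 domain, C2 IP, domain registrant), the
# kind a contained environment reports when it stops a payload. Sample data only.
FORENSIC_EVENTS = [
    ("corp-a", "update-check.test", "203.0.113.10", "reg-x@example.net"),
    ("corp-b", "cdn-sync.test", "203.0.113.10", "reg-y@example.net"),
    ("corp-c", "news-mirror.test", "198.51.100.7", "reg-x@example.net"),
    ("corp-d", "stats-relay.test", "192.0.2.44", "reg-z@example.net"),
    ("corp-e", "lonely-host.test", "192.0.2.99", "reg-q@example.net"),
]
# Constructed all-source intelligence: indicators already tied to named campaigns.
KNOWN_CAMPAIGNS = {"Campaign-Alpha": {"203.0.113.10"},
                   "Campaign-Beta": {"stats-relay.test"}}


def build_clusters(events, campaigns):
    """Union-find over typed indicator nodes: indicators seen in one event are
    linked, and each known indicator is linked to its campaign node."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps trees shallow
            x = parent[x]
        return x

    for victim, domain, ip, registrant in events:
        for node in ("domain:" + domain, "ip:" + ip, "registrant:" + registrant):
            parent[find("victim:" + victim)] = find(node)
    for name, indicators in campaigns.items():
        for ind in indicators:
            kind = "ip" if ind.replace(".", "").isdigit() else "domain"
            parent[find("campaign:" + name)] = find(f"{kind}:{ind}")
    clusters = defaultdict(set)
    for node in list(parent):
        clusters[find(node)].add(node)
    return list(clusters.values())


def attribute_victims(events, campaigns):
    """Map each victim to the sorted campaign names its cluster touches."""
    result = {}
    for cluster in build_clusters(events, campaigns):
        names = sorted(n[len("campaign:"):] for n in cluster if n.startswith("campaign:"))
        for n in cluster:
            if n.startswith("victim:"):
                result[n[len("victim:"):]] = names or ["unattributed"]
    return result
```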
Improve Efficiency & Reduce Costs
• Fewer successful intrusions
  – Lower incident response costs
  – Lower re-imaging costs
• Software patching in scheduled cycles vs. emergency
• Use gathered threat intelligence to improve effectiveness of existing security infrastructure
• Improve morale and productivity of operational personnel
• Improve national security and reduce data loss
Case Study 1 – Speedtest.net Drive-by Exploit
Drive-by download/watering hole attack: exploit running for days on the Speedtest.net website (boasts 4 BILLION+ visits)
• Whitelisted or blacklisted website? More than likely whitelisted
• Increasingly common poisoning tactic from adversaries
See http://www.invincea.com/2013/02/popular-site-speedtest-net-compromised-by-exploitdrive-by-stopped-by-invincea/ or www.invincea.com/blog for analysis

Case Study 2 – Spear Phishing by Office Document
Weaponized Office document (Word) used to spread Adobe 0day (CVE-2013-0634)
• Spoofed document with IEEE as the author (community of interest being targeted)
• No protection from anti-virus given 0day nature
• Increasingly common poisoning tactic from adversaries
See http://www.invincea.com/2013/02/exploit-down-analysis-and-protection-against-adobe-flash-exploit-cve-2013-0634/ or www.invincea.com/blog for analysis
For Follow-Up
Anup Ghosh: Go ahead…spear-phish me!
www.invincea.com
Twitter: @Invincea, @AnupGhosh_