Stop unauthorised access and defend against targeted attacks (B06.pdf)

Transcript of the slide deck "Stop unauthorised access and defend against targeted attacks" (Symantec Vision 2012, Symantec Server Protection track)

Page 1

Stop unauthorised access and defend against targeted attacks

Marko Haarala, Sr. Regional Product Manager CSP, Europe, the Middle East and Africa

Mark Fox, Principal Presales Consultant, Threat and Risk Management Group, UK

Page 2

Agenda

1. Cutting Through the Hype
2. What is out there?
3. What is Critical System Protection?
4. Summary

Page 3

Sophisticated Attacks Drive Awareness

Page 4

…but not so sophisticated too!

Hey Bob, check this out!

Page 5

Servers Are the Juicy Target

97% of stolen data is from servers (Verizon 2012 Data Breach Investigations Report)

Page 6

Servers Have Unique Security Requirements

Confidentiality
– Laptops/Desktops: Blanket, consistent protections more important
– Server: Targeted protections based on housed data and function more important

Integrity
– Laptops/Desktops: Change visibility less important. Just block malware.
– Server: Change visibility highly important: who/what/where/when

Availability
– Laptops/Desktops: Continuous availability less important. Reboots expected/OK
– Server: Continuous availability highly important

Desktop-oriented protections are largely a subset of server-oriented protections

Page 7

Exponential growth in Malware

• Malicious attacks: 81% increase in 2011 (1)
• Attacks used advanced techniques, generating unique versions of malware
• Targeted attacks: avg. 82/day
– 58% of attacks were aimed at non-executive functions to gain a foothold in the organization

(1) Symantec Internet Security Threat Report, April 2012
(2) Verizon Data Breach Investigations Report 2012

Page 8

How to develop malware?

Google it!

If you cannot read – check out YouTube Backtrack videos

Page 9

Is the Term APT Overhyped?

% of execs believe the term APT is being used excessively or in a misleading way. Source: CSO Magazine Research, October 2011

Page 10

What are the outcomes from the misuse of the term APT?

– Confusion among non-IT executives: 70%
– Confusion among IT executives: 70%
– Distraction from solving other pressing security problems: 57%
– Distraction from solving APTs: 38%
– Other (specify): 11%

Source: CSO Magazine Research, October 2011

… Often leading to confusion on how to effectively protect against them

Page 11

How are Targeted Attacks and APTs Related?

An APT is always a targeted attack, but a targeted attack is not necessarily an APT. (Diagram: APTs shown as a subset of Targeted Attacks.)

APTs are different from targeted attacks:

1. Customized: Uses multiple attack vectors that are customized to the target, not a generic burst of attack vectors
2. Low and Slow: Specifically designed to penetrate low-and-slow to avoid detection; most likely stays under the radar for a sustained period
3. Higher Aspirations: Seeking more than opportunistic gain; usually involves covert state actors
4. Specific Targets: Highly targeted at specific organizations (e.g., government agencies) and high-value targets

Page 12

Analogy of Advanced Persistent Threat: 5 steps

1. Phishing drops malware
2. Malware creates a back door
3. Malware morphs and moves laterally
4. Data is gathered
5. Remote command and control exfiltrates data

Page 13

Agenda (section 2: What is out there?)

Page 14

Nitro: An APT targeting organizations in the chemical industry

Page 15

Nitro APT Phases

1. Socially engineered email sent
   • Attachments installed Poison Ivy, a common Remote Access Tool (RAT)
2. Gathered IP addresses and computer names from the network
   • Gathered password hashes to take off-machine for cracking
3. Gained admin credentials and access to critical servers
4. Captured data and moved it to internal staging servers
5. Data sent to C&C servers via port 80

Page 16

What's next, eternal FLAME?

Page 17

Targeted Attacks and APTs are constantly reinventing themselves…

Malware variants exploit new zero-day vulnerabilities and leverage new attack vectors each day, making it challenging for security solutions to “keep up”

Vulnerability or attack vector → Targeted attack / malware / APT
– MS Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability → Stuxnet worm
– Poison Ivy Trojan (sent as email attachment) → Nitro
– IE Remote Code Execution Vulnerability → Hydraq (Operation Aurora)
– Vulnerability in Windows Kernel-Mode Drivers → Duqu

Page 18

What do APTs Target on a Server?

Targets: Registry, Config Files, Portable Storage Devices, Applications, Operating System, Memory

Critical System Protection:
• Enforce registry integrity
• Enforce file integrity
• Enforce memory protection
• Enforce network controls
• Enforce device controls

Page 19

Agenda (section 3: What is Critical System Protection?)

Page 20

Understand the security problem behind it

Reliable software is software that does what it is designed to do.

Secure software is software that does ONLY what it is supposed to do.

Page 21

How do we handle this situation?

We will allow applications and the OS to do only what they are supposed to be doing :)

In other words, we'll stick them into sandboxes and control their behaviour at kernel level.

Page 22

Symantec Critical System Protection

Broad platform and application support: business-critical applications in physical and virtual environments

Policy Based Lockdown
• Out-of-the-box policies
• Restrict access to critical system resources
• Protection against zero-day attacks and APTs
• Close network back doors
• De-escalate user privileges
• Prevent external media use

Real-Time Monitoring
• Out-of-the-box policies
• Real-time File Integrity Monitoring
• Helps address security regulations like PCI DSS

Integrated with SIEM and IT GRC Solutions
• Control Compliance Suite (CCS)
• Security Information Manager (SSIM)

Page 23

How does CSP technically work?

CSP creates a “sandbox” or “containment jail” for one or more programs (processes) using a policy that defines least-privilege controls, or “acceptable” resource access behaviors.

Granular resource constraints on the host:
• Files and Registry: file system and configuration info
• Network and Devices: usage of ports and devices
• Memory
• Process access control

Diagram: services or daemons (e.g. DNS Server, RPC) and interactive applications (e.g. Outlook, CMD, Chrome, etc.) each run inside a default “containment jail” enforced in the kernel; defaults are provided for service and interactive processes.

Most programs require a limited set of resources and access rights to perform normal functions.

But most programs have privileges and resource rights far beyond what is required – attacks readily exploit this gap.

Page 24

Least Privilege Application Control (LPAC)

Diagram: the same containment jail with granular resource constraints (files and registry: file system and configuration info; network and devices: usage of ports and devices; memory; process access control), shown for the Int_stdpriv_ps sandbox on the host.
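The containment-jail model on pages 23 and 24 (a per-process policy that names the files, registry keys, ports and child processes a program may use, with everything else denied and logged) can be shown with a small policy evaluator. This is an added example, not CSP's own code: the sandbox name int_stdpriv_ps is taken from the slide, but its rules, the svc_dns_ps and default_jail sandboxes, the paths, ports and the sample events are all constructed, and the prevent flag is an assumed stand-in for staging a policy in monitor-only mode before enforcement is switched on.

```python
"""Toy least-privilege "containment jail" policy evaluator.

Added illustration of the sandboxing idea on the slides above; it is not
Symantec CSP code. Every sandbox rule, path, port and sample event below is
constructed for the example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Sandbox:
    """Resources a process is allowed to touch; anything unlisted is denied."""
    name: str
    file_read: list = field(default_factory=list)       # path globs
    file_write: list = field(default_factory=list)
    registry_write: list = field(default_factory=list)  # key globs
    net_in: list = field(default_factory=list)          # "udp/53" style
    net_out: list = field(default_factory=list)
    launch: list = field(default_factory=list)          # child image names

    def allows(self, category: str, target: str) -> bool:
        patterns = getattr(self, category)
        return any(fnmatchcase(target.lower(), p.lower()) for p in patterns)


# Constructed policy: per-process sandboxes plus a default jail for every
# process not explicitly assigned (the slides' "default containment jail").
DEFAULT_JAIL = Sandbox(
    "default_jail",
    file_read=["*"],
    file_write=["c:\\users\\*\\appdata\\local\\temp\\*"],
)
POLICY = {
    "outlook.exe": Sandbox(
        "int_stdpriv_ps",  # sandbox name from the slide; rules are constructed
        file_read=["*"],
        file_write=["c:\\users\\*\\appdata\\*", "c:\\users\\*\\documents\\*"],
        net_out=["tcp/443", "tcp/993"],
        launch=["winword.exe", "excel.exe"],
    ),
    "dns.exe": Sandbox(
        "svc_dns_ps",  # constructed service sandbox
        file_read=["c:\\windows\\system32\\dns\\*"],
        file_write=["c:\\windows\\system32\\dns\\*.log"],
        net_in=["udp/53", "tcp/53"],
    ),
}

AUDIT: list = []  # violation events a SIEM would receive


def evaluate(process: str, category: str, target: str, prevent: bool = True) -> bool:
    """Return True if the access is permitted.

    With prevent=False the engine only monitors: violations are logged but
    allowed, which lets a policy be staged before enforcement is turned on.
    """
    sandbox = POLICY.get(process.lower(), DEFAULT_JAIL)
    permitted = sandbox.allows(category, target)
    if not permitted:
        AUDIT.append({"process": process, "sandbox": sandbox.name,
                      "category": category, "target": target,
                      "action": "blocked" if prevent else "logged"})
    return permitted or not prevent


# Constructed sample events, modelled on the behaviours the later slides say
# least-privilege control stops: shell launch from a mail client, persistence
# via the Run key, writes into system directories by a service, and an
# unexpected outbound connection from a process that should only listen.
SAMPLE_EVENTS = [
    ("outlook.exe", "file_write", "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.docx"),
    ("outlook.exe", "launch", "cmd.exe"),
    ("outlook.exe", "registry_write",
     "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
    ("dns.exe", "net_in", "udp/53"),
    ("dns.exe", "file_write", "C:\\Windows\\System32\\drivers\\evil.sys"),
    ("dns.exe", "net_out", "tcp/80"),
    ("dropper.exe", "file_write", "C:\\Windows\\System32\\x.dll"),
    ("dropper.exe", "file_write", "C:\\Users\\bob\\AppData\\Local\\Temp\\x.tmp"),
]


def run_sample(prevent: bool = True) -> list:
    """Evaluate the sample events; returns [(process, category, target, allowed)]."""
    AUDIT.clear()
    return [(p, c, t, evaluate(p, c, t, prevent)) for p, c, t in SAMPLE_EVENTS]


if __name__ == "__main__":
    for proc, cat, target, ok in run_sample():
        print(f"{'ALLOW' if ok else 'DENY ':5} {proc:12} {cat:15} {target}")
    print(f"{len(AUDIT)} violations logged")
```

The point the slides make is visible in the decisions: the mail client keeps its normal file and network rights but cannot spawn a shell or add a Run key, the DNS service can serve port 53 but cannot drop a driver or call out on port 80, and an unknown binary falls into the default jail. Running the same events with prevent=False produces the same audit trail without blocking, which is the monitor-first rollout a policy template needs before enforcement.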

Page 25

DEMO: How does sandboxing work?

Page 26

Symantec Server Protection Un-compromised at Black Hat 2011 and 2012

• Challenge:
– Flags hidden across un-patched Windows and Linux systems
– Main flag protected with CSP and SEP out-of-the-box prevention policy
– 50+ skillful hackers/pen-testers from DoD, NSA, DISA, Anonymous, etc.

• Attack techniques used:
– Backtrack 5 and custom tools used during penetration attempts
– Zero-day attack used and stopped on protected system
– Recompiled version of Flamer stopped by CSP out-of-the-box policy

• Outcome:
– No one was able to capture the flag… now two years in a row…
– Hackers said that if they had known sandboxing and whitelisting were used, it might not have been worth the time they put into it

• Proven security at “Capture The Flag” challenges

Page 27

To make it easy, SCSP provides out-of-the-box policy templates

– Core: Core OS protection with maximum application compatibility • OS hardening + buffer overflow protection
– Strict: Strict OS and application control • Buffer overflow + network lockdown + system file lockdown
– Limited Execution: Limits execution of non-server applications • Strict + execution denial for interactive processes, unless in white-list
– Targeted: Customizable policy for specific, targeted prevention • Enables easy/fast build-out of custom IPS policies in targeted stages, sequentially enabling prevention capabilities

Page 28

SCSP can protect against these attacks by focusing on enforcing “good” behavior

– Buffer overflow: incursion via LNK vulnerability; spreads to USB drives and network using Print Spooler vulnerability, file shares, etc.
  SCSP prevents the Stuxnet buffer overflow: uses LPAC to confine the process (no access to system resources)
– Poison Ivy Trojan: spreads through email, injects itself into other processes to control the machine
  SCSP confines the execution of Poison Ivy: uses LPAC to prevent thread injection, stops registry modification and execution
– IE Remote Code Execution Vulnerability: exploits an IE vulnerability to open a back door that allows a remote attacker access to the machine
  SCSP blocks inbound/outbound network access: uses LPAC to block installation; stateless firewall prevents connection to C&C servers
– Vulnerability in Windows Kernel-Mode Drivers: allows remote code execution if the user opens a special document or visits a malicious web page
  SCSP blocks shell code from launching: uses LPAC to prevent launch of a shell to install programs, create accounts or manipulate files

Regardless of the attack vectors or vulnerabilities exploited by known or unknown threats, SCSP protects by leveraging least privilege application control features

Page 29

DEMO: I’m now going to hack myself

Page 30

Agenda (section 4: Summary)

Page 31

Achieve Your Key Business Initiatives

• Block Targeted Attacks: you’ll decide how your applications are running
• Patch Mitigation: in most cases you do not have the luxury to apply patches
• Visibility into Compliance Posture: have a comprehensive view of your environment

Page 32

Remember the cool hands-on labs tomorrow!

• IS L06: Protect servers and defend against APTs with Symantec Critical System Protection – 15:45 - 16:45, P1 Room 119
• IS L07: Lock down your virtual environment with Symantec Critical System Protection – 17:15 - 18:15, P1 Room 119

Page 33

Is there a hacker in you?

The Symantec Cyber Readiness Challenge is a competition designed for all levels of technical expertise that puts participants in the hacker’s shoes to understand their targets, technology and thought processes so they can ultimately better protect their company or agency.

This interactive ‘capture the flag’ style competition will take place at various locations around the globe, and participants will have the opportunity to test their skills within a unique and real-world environment developed by Symantec, the global leader in security.

Page 34

Thank you!

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.