Stop unauthorised access and defend against targeted attacks
Marko Haarala, Sr. Regional Product Manager CSP, Europe, the Middle East and Africa
Mark Fox, Principal Presales Consultant, Threat and Risk Management Group UK
SYMANTEC VISION 2012
Agenda
1. Cutting Through the Hype
2. What is out there?
3. What is Critical System Protection?
4. Summary

1. Cutting Through the Hype
Sophisticated Attacks Drive Awareness
…but not-so-sophisticated attacks work too!
"Hey Bob, check this out!"
Servers Are the Juicy Target
97% of stolen data is from servers (Verizon 2012 Data Breach Investigations Report)
Servers Have Unique Security Requirements
Confidentiality
  Laptops/Desktops: blanket, consistent protections more important
  Server: targeted protections based on the housed data and the server's function more important
Integrity
  Laptops/Desktops: change visibility less important; just block malware
  Server: change visibility highly important: who, what, where, when
Availability
  Laptops/Desktops: continuous availability less important; reboots expected/OK
  Server: continuous availability highly important
Desktop-oriented protections are largely a subset of server-oriented protections.
Exponential growth in malware
• Malicious attacks up 81% in 2011 (1)
• Attacks used advanced techniques, generating unique versions of malware
• Targeted attacks: 82 per day on average
  – 58% of attacks were aimed at non-executive functions, to gain a foothold in the organization
(1) Symantec Internet Security Threat Report, April 2012
(2) Verizon Data Breach Investigations Report 2012
How do you develop malware?
Google it!
If you cannot read, check out the Backtrack videos on YouTube.
Is the Term APT Overhyped?
% of execs believe the term APT is being used excessively or in a misleading way (Source: CSO Magazine Research, October 2011)

What are the outcomes from the misuse of the term APT?
• Confusion among non-IT executives: 70%
• Confusion among IT executives: 70%
• Distraction from solving other pressing security problems: 57%
• Distraction from solving APTs: 38%
• Other (specify): 11%
Source: CSO Magazine Research, October 2011
… often leading to confusion about how to effectively protect against them
How are Targeted Attacks and APTs Related?
An APT is always a targeted attack, but a targeted attack is not necessarily an APT.
APTs are different from other targeted attacks:
1. Customized: uses multiple attack vectors that are customized to the target, not a generic burst of attack vectors
2. Low and slow: specifically designed to penetrate slowly and quietly to avoid detection, and most likely stays under the radar for a sustained period
3. Higher aspirations: seeking more than opportunistic gain; usually involves covert state actors
4. Specific targets: highly targeted at specific organizations (e.g. government agencies) and high-value targets
Analogy of an Advanced Persistent Threat: 5 steps
1. Phishing drops malware
2. Malware creates a back door
3. Malware morphs and moves laterally
4. Data is gathered
5. Remote command and control exfiltrates the data
2. What is out there?
Nitro: An APT targeting organizations in the chemical industry

Nitro APT phases
1. Socially engineered email sent
   • Attachments installed Poison Ivy, a common Remote Access Tool (RAT)
2. Gathered IP addresses and computer names from the network
   • Gathered password hashes to take off-machine for cracking
3. Gained admin credentials and access to critical servers
4. Captured data and moved it to internal staging servers
5. Data sent to C&C servers via port 80
What's next, eternal FLAME?
Targeted attacks and APTs are constantly reinventing themselves…
Malware variants exploit new vulnerabilities, including zero-days, and leverage new attack vectors all the time, making it challenging for security solutions to keep up.

Vulnerability or attack vector -> targeted attack / malware / APT
• MS Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability -> Stuxnet worm
• Poison Ivy Trojan (sent as email attachment) -> Nitro
• IE Remote Code Execution Vulnerability -> Hydraq (Operation Aurora)
• Vulnerability in Windows Kernel-Mode Drivers -> Duqu
What do APTs target on a server?
Registry, config files, portable storage devices, applications, the operating system and memory.

What Critical System Protection enforces in response:
• Registry integrity
• File integrity
• Memory protection
• Network controls
• Device controls
3. What is Critical System Protection?
Understand the underlying security problem
Reliable software is software that does what it is designed to do.
Secure software is software that does ONLY what it is supposed to do.
How do we handle this situation?
We allow applications and the OS to do only what they are supposed to be doing :)
In other words, we put them into sandboxes and control their behaviour at the kernel level.
Symantec Critical System Protection
Policy-based lockdown (out-of-the-box policies)
• Restrict access to critical system resources
• Protection against zero-day attacks and APTs
• Close network back doors
• De-escalate user privileges
• Prevent external media use
Real-time monitoring (out-of-the-box policies)
• Real-time file integrity monitoring
• Helps address security regulations like PCI DSS
Broad platform and application support
• Business-critical applications in physical and virtual environments
Integrated with SIEM and IT GRC solutions
• Control Compliance Suite (CCS)
• Security Information Manager (SSIM)
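The file integrity monitoring promised above, and the "enforce file integrity" control on the earlier slide, both rest on one record: what changed, where, and when, relative to a known-good baseline. The Python below is an added example written for this transcript, not Symantec CSP's implementation or its agent's real-time hooks: it hashes a directory tree into a baseline and diffs a later snapshot against it. The directory layout and the intruder's edits inside demo() are constructed for the example.

```python
"""Baseline-and-compare file integrity check (added example, not CSP code)."""
import hashlib
import tempfile
from pathlib import Path


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to hash, size and mtime."""
    root = Path(root)
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            entries[p.relative_to(root).as_posix()] = {
                "sha256": _sha256(p), "size": st.st_size, "mtime": int(st.st_mtime)}
    return entries


def compare(baseline, current):
    """Return (kind, path, detail) tuples for added, removed, modified and touched files."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            changes.append(("added", path, new["sha256"][:12]))
        elif new is None:
            changes.append(("removed", path, old["sha256"][:12]))
        elif old["sha256"] != new["sha256"]:
            changes.append(("modified", path, f"{old['sha256'][:12]} -> {new['sha256'][:12]}"))
        elif old["mtime"] != new["mtime"]:
            # identical content but a moved timestamp is still worth reporting
            changes.append(("touched", path, f"mtime {old['mtime']} -> {new['mtime']}"))
    return changes


def demo():
    """Constructed scenario: baseline a small tree, then simulate an intruder's changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        (root / "bin" / "server").write_bytes(b"\x7fELF original build")
        baseline = snapshot(root)
        # intruder: exposes the service, trojanizes the binary, drops a back door
        (root / "etc" / "app.conf").write_text("listen=0.0.0.0\n")
        (root / "bin" / "server").write_bytes(b"\x7fELF trojanized build")
        (root / "bin" / "backdoor").write_bytes(b"#!/bin/sh\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"{kind:9} {path}  {detail}")
```

A baseline is only as trustworthy as where it is kept: store it off the monitored host, or signed, so an intruder who can replace a binary cannot also rewrite the record of its hash. Attributing a change to a user or process (the "who" from the server-requirements slide) needs OS audit hooks that a hash comparison alone cannot provide.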
How does CSP technically work?
CSP creates a "sandbox" or "containment jail" for one or more programs (processes), using a policy that defines least-privilege controls, i.e. "acceptable" resource access behaviours.

Granular resource constraints on the host:
• Files (file system and configuration info)
• Registry
• Network (usage of ports)
• Devices
• Memory
• Process access control

Enforcement happens at the kernel level, beneath both process groups, and each group has a default "containment jail":
• Services or daemons (e.g. DNS server, RPC, etc.)
• Interactive applications (e.g. Outlook, CMD, Chrome, etc.)

Most programs require a limited set of resources and access rights to perform their normal functions.
But most programs have privileges and resource rights far beyond what is required, and attacks readily exploit this gap.
Least Privilege Application Control (LPAC)
The same granular resource constraints on the host (files, file system and configuration info, registry, network, devices, memory, usage of ports and devices, process access control) are applied per process set; the slide shows the process set Int_stdpriv_ps running inside its own containment jail.
DEMO: How sandboxing works
Symantec Server Protection Un-compromised at Black Hat 2011 and 2012
Proven security at "Capture The Flag" challenges
• Challenge:
  – Flags hidden across un-patched Windows and Linux systems
  – Main flag protected with the CSP and SEP out-of-the-box prevention policy
  – 50+ skilful hackers/pen-testers from DoD, NSA, DISA, Anonymous, etc.
• Attack techniques used:
  – Backtrack 5 and custom tools used during penetration attempts
  – Zero-day attack used and stopped on the protected system
  – Recompiled version of Flamer stopped by the CSP out-of-the-box policy
• Outcome:
  – No one was able to capture the flag, now two years in a row
  – Hackers said that if they had known sandboxing and whitelisting were in use, it might not have been worth the time they put into it
To make it easy, SCSP provides out-of-the-box policy templates
• Core: core OS protection with maximum application compatibility (OS hardening + buffer overflow protection)
• Strict: strict OS and application control (buffer overflow + network lockdown + system file lockdown)
• Limited Execution: limits execution of non-server applications (Strict + execution denial for interactive processes, unless whitelisted)
• Targeted: customizable policy for specific, targeted prevention; enables easy and fast build-out of custom IPS policies in targeted stages, sequentially enabling prevention capabilities
SCSP can protect against these attacks by focusing on enforcing "good" behaviour
• Stuxnet: buffer overflow incursion via the LNK vulnerability; spreads to USB drives and the network using the Print Spooler vulnerability, file shares, etc.
  SCSP prevents the Stuxnet buffer overflow: LPAC confines the process (no access to system resources)
• Poison Ivy Trojan: spreads through email, injects itself into other processes to control the machine
  SCSP confines the execution of Poison Ivy: LPAC prevents thread injection and stops registry modification and execution
• IE Remote Code Execution Vulnerability: exploits an IE vulnerability to open a back door that allows a remote attacker access to the machine
  SCSP blocks inbound/outbound network access: LPAC blocks installation, and the stateless firewall prevents connection to C&C servers
• Vulnerability in Windows Kernel-Mode Drivers: allows remote code execution if the user opens a specially crafted document or visits a malicious web page
  SCSP blocks shell code from launching: LPAC prevents launch of a shell to install programs, create accounts or manipulate files
Regardless of the attack vectors or vulnerabilities exploited by known or unknown threats, SCSP protects by leveraging least-privilege application control.
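The containment model described on the slides above ("How does CSP technically work?", LPAC, the policy templates and this attack mapping) comes down to a deny-by-default allow-list per process set. The Python below is an added example written for this transcript; it is not Symantec CSP's policy format or enforcement engine, and every jail, process name, path, port and event in it is constructed. It evaluates access attempts of the kinds listed above (registry persistence, thread injection, shell launch, C&C connection, driver drop, removable media) against a small policy and shows which are denied while normal daemon and user behaviour passes.

```python
"""Illustrative least-privilege application control model (added example, not CSP code)."""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Jail:
    """Allow-list of resources for one process set (a 'containment jail')."""
    name: str
    read: tuple = ()                    # file globs the process may read
    write: tuple = ()                   # file globs it may write (implies read)
    reg_write: tuple = ()               # registry key globs it may modify
    connect: frozenset = frozenset()    # outbound TCP ports it may use
    listen: frozenset = frozenset()     # inbound TCP ports it may bind
    launch: tuple = ()                  # child programs it may execute
    inject: bool = False                # may inject threads into other processes
    removable: bool = False             # may use removable media


@dataclass(frozen=True)
class Event:
    """One resource-access attempt observed for a process."""
    process: str
    action: str          # read|write|reg_write|connect|listen|exec|inject|removable
    target: str = ""
    port: int = 0


@dataclass(frozen=True)
class Decision:
    allowed: bool
    jail: str
    reason: str


def _match(patterns, value):
    """Case-insensitive glob match; '*' also crosses path separators."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


class Policy:
    """Maps process names to jails; any unmatched process gets the default jail."""

    def __init__(self, assignments, default):
        self.assignments = assignments  # {process-name glob: Jail}
        self.default = default

    def jail_for(self, process):
        for pattern, jail in self.assignments.items():
            if fnmatch.fnmatchcase(process.lower(), pattern.lower()):
                return jail
        return self.default

    def evaluate(self, ev):
        jail, a = self.jail_for(ev.process), ev.action
        if a == "read":
            ok = _match(jail.read + jail.write, ev.target)
        elif a == "write":
            ok = _match(jail.write, ev.target)
        elif a == "reg_write":
            ok = _match(jail.reg_write, ev.target)
        elif a == "connect":
            ok = ev.port in jail.connect
        elif a == "listen":
            ok = ev.port in jail.listen
        elif a == "exec":
            ok = _match(jail.launch, ev.target)
        elif a == "inject":
            ok = jail.inject
        elif a == "removable":
            ok = jail.removable
        else:
            ok = False                  # unknown action types are denied, not ignored
        what = ev.target or str(ev.port)
        return Decision(ok, jail.name,
                        f"{ev.process}: {a} {what} {'allowed' if ok else 'DENIED'} by {jail.name}")


# Constructed policy: one jail per daemon, a shared default jail for interactive programs.
DNS_SERVER = Jail("svc_dns", read=(r"c:\dns\zones\*", r"c:\windows\system32\*.dll"),
                  write=(r"c:\dns\logs\*",), listen=frozenset({53}), connect=frozenset({53}))
SPOOLER = Jail("svc_spooler", read=(r"c:\windows\*",),
               write=(r"c:\windows\system32\spool\printers\*",), listen=frozenset({445}))
INTERACTIVE = Jail("int_stdpriv_ps", read=(r"c:\users\*", r"c:\windows\*"),
                   write=(r"c:\users\*",), launch=(r"c:\program files\*",),
                   connect=frozenset({80, 443}))
POLICY = Policy({"dns.exe": DNS_SERVER, "spoolsv.exe": SPOOLER}, default=INTERACTIVE)

# Constructed events mirroring the attack behaviours on the slide, plus normal activity.
SAMPLE_EVENTS = (
    Event("winword.exe", "reg_write", r"hklm\software\microsoft\windows\currentversion\run\updater"),
    Event("winword.exe", "inject", "explorer.exe"),                 # RAT-style thread injection
    Event("winword.exe", "exec", r"c:\windows\system32\cmd.exe"),   # shellcode launching a shell
    Event("winword.exe", "connect", "203.0.113.7", port=4444),      # back door beaconing to C&C
    Event("spoolsv.exe", "write", r"c:\windows\system32\drivers\evil.sys"),  # spooler dropping a driver
    Event("explorer.exe", "removable", "e:\\"),                     # spreading via USB
    Event("dns.exe", "listen", port=53),                            # normal daemon behaviour
    Event("dns.exe", "read", r"c:\dns\zones\example.com.dns"),
    Event("winword.exe", "write", r"c:\users\bob\documents\report.docx"),
)


def audit(policy, events):
    """Evaluate every event; returns (denied reasons, allowed reasons)."""
    decisions = [policy.evaluate(e) for e in events]
    return ([d.reason for d in decisions if not d.allowed],
            [d.reason for d in decisions if d.allowed])


if __name__ == "__main__":
    denied, allowed = audit(POLICY, SAMPLE_EVENTS)
    print("\n".join(denied + allowed))
```

Two properties carry the protection: an action the allow-list does not cover is denied rather than ignored (the final else branch), and a process nobody wrote a jail for still lands in the default interactive jail instead of running unconfined. Most of the work of a real policy is recording what each service legitimately touches before switching from logging to blocking, which is what the Targeted template above is for.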
DEMO: I'm now going to hack myself
4. Summary
Achieve Your Key Business Initiatives
• Block targeted attacks: you decide how your applications are running
• Patch mitigation: in most cases you do not have the luxury of applying patches
• Visibility into compliance posture: have a comprehensive view of your environment
Remember the cool hands-on labs tomorrow!
• IS L06: Protect servers and defend against APTs with Symantec Critical System Protection, 15:45 - 16:45, P1 Room 119
• IS L07: Lock down your virtual environment with Symantec Critical System Protection, 17:15 - 18:15, P1 Room 119
Is there a hacker in you?
The Symantec Cyber Readiness Challenge is a competition designed for all levels of technical expertise that puts participants in the hacker’s shoes to understand their targets, technology and thought processes so they can ultimately better protect their company or agency.
This interactive ‘capture the flag’ style competition will take place at various locations around the globe and participants will have the opportunity to test their skills within a unique and real world environment developed by Symantec, the global leader in security.
Thank you!
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.