Presentation is loading. Please wait.

Presentation is loading. Please wait.

Next Generation Threat Protection

Similar presentations

Presentation on theme: "Next Generation Threat Protection"— Presentation transcript:

1 Next Generation Threat Protection
Randy Lee– Sr. SE Manager

2 The Acceleration of Advanced Targeted Attacks
Cyber-espionage and Cybercrime # of threats are up 5X Nature of threats changing From broad, scattershot to advanced, targeted, persistent Advanced attacks accelerating High profile victims common (e.g., RSA, Symantec, Google) Numerous APT attacks like Operation Aurora, Shady RAT, GhostNet, Night Dragon, Nitro Advanced Persistent Threats Zero-day Targeted Attacks Dynamic Trojans Stealth Bots Cybercrime Damage of Attacks Spyware/ Bots Disruption Worms Viruses 2004 2006 2008 2010 2012 STAT: The pace of attacks are way up. 10 X from 2007 (according to Intel’s threat data reports) and 5 X from 2009 (again according to Intel’s threat data reports). And, the nature of these attacks have changed from broad, scattershot attacks to very targeted attacks with persistent adversaries (often times nation-states) GARTNER is re-affirming the fact that advanced attacks have evolved to a point that has bypassed the capabilities of traditional tools. (TRANSITION: Let’s take a look at some of these high-profile victims.) “Organizations face an evolving threat scenario that they are ill-prepared to deal with….advanced threats that have bypassed their traditional security protection techniques and reside undetected on their systems.” Gartner, 2012

3 High Profile Attacks are Increasingly Common
Coke Gets Hacked And Doesn’t Tell Anyone By Ben Elgin, Dune Lawrence & Michael Riley - Nov 4, :01 PM ET Hackers had broken into the company’s computer systems and were pilfering sensitive files about its attempted $2.4 billion acquisition of China Huiyuan Juice Group (1886), according to three people familiar with the situation and an internal company document detailing the cyber intrusion. The Huiyuan deal, which collapsed three days later, would have been the largest foreign takeover of a Chinese company at the time.

4 We are Only Seeing the Tip of the Iceberg
Headline Grabbing Attacks Thousands More Below the Surface APT Attacks Zero-Day Attacks Polymorphic Attacks Targeted Attacks

5 Traditional Defenses Don’t Work
Networks Are Being Compromised as APTs Easily Bypass Traditional Signature-Based Defenses Like NGFW, IPS, AV, and Gateways Advanced attacks bypass both signature and heuristics-based technologies in existing IT security defenses As a result, traditional defenses are ineffective against today’s advanced targeted attacks. Signatures represent a reactive mechanism against known threats. However, if attacks remain below the radar, the malware is completely missed, and the network remains vulnerable especially to zero-day, targeted APT malware. No matter how malicious the code is, if signature-based tools haven't seen it before, they let it through. For example, consider the time lag in signature development due to the need for vulnerability disclosure and/or the mass spread of an attack to catch the attention of researchers. Also, advanced attacks bypass heuristics-based technologies in existing IT security defenses as well. Heuristic-based protection alone has not proven to be operationally effective. They use rough algorithms to estimate suspicious behavior generating lots of false alerts. While these heuristic techniques have merit, the true positive to false positive ratio (a.k.a. Signal-to-Noise ratio) is too low for a cost-effective ROI. The false positives clutter up security event logs and real-time blocking based on these heuristic alerts is simply not an option. Administrators often "dumb down" available heuristics to catch only the most obvious suspicious behavior. Multi-stage targeted attacks don't trip this coarse-grained filter.

6 Defining Advanced Targeted Attacks
Utilizes advanced techniques and/or malware Unknown Targeted Polymorphic Dynamic Personalized Uses zero-day exploits, commercial quality toolkits, and social engineering Often targets IP, credentials and often spreads laterally throughout network AKA—Advanced Persistent Threat (APT) The New Threat Landscape There is a new breed of attacks that are advanced, zero-day, and targeted ADVANCED Stealthy Unknown and Zero Day Targeted Persistent Advanced Targeted Attack Advanced Targeted Attacks is the term we will use to describe the attacks in this market (it is also what Gartner has just coined and uses). What are advanced targeted attacks? They use advanced malware, zero-day and APT tactics to penetrate networks for the purpose of control, espionage and theft. Advanced Malware uses a variety of tactics like zero-day exploits, dynamism (e.g. fast flux DNS, polymorphism), and is often targeted / personalized. We are now in the age of the “Cyber Industrial Complex” in which criminals have commercial qualify toolkits to build the cyber weapons (malware) so effective at penetrating networks. Many in the IT security industry call these cyber criminal actors – Advanced, Persistent Threats TRANSITION: Why are advanced targeted attacks so effective? Open Known and Patchable Broad One Time TRADITIONAL

7 Advanced Malware Infection Lifecycle
1 System gets exploited Drive-by attacks in casual browsing Links in Targeted s Attachments in Targeted s Dropper malware installs First step to establish control Calls back out to criminal servers Found on compromised sites, and Web 2.0, user-created content sites Malicious data theft & long- term control established Uploads data stolen via keyloggers, Trojans, bots, & file grabbers One exploit leads to dozens of infections on same system Criminals have built long-term control mechanisms into system Compromised Web server, or Web 2.0 site Callback Server 2 DMZ Servers Perimeter Security Signature, rule-based Other gateway List-based, signatures 3 Anti-spam KEY POINT: Modern Malware has an infection lifecycle. It is no longer the case that an exploit of a system leads to just one infection. Goal is LONG-TERM control over system. “0wn-ing” the system. - Once a system is exploited, a multi-stage infection cycle begins in which dozens of malware infections are installed onto the end system - These MULTIPLE infections on the same system help to ensure LONG-TERM control over the PC by the cyber criminal - To effectively stop the infection, a solution must address the entire lifecycle (initial exploitation, subsequent downloads, and ongoing malware outbound callbacks.) Desktop antivirus Losing the threat arms race

8 Discrete Object analysis
Malware Analysis What types of Malware Analysis should you do? Malware Analysis Static Analysis Signature Heuristics Dynamic Analysis Discrete Object analysis Contextual Analysis

9 Case Study: Operation Aurora Infection Cycle
1 System gets exploited Social engineering Obfuscated JavaScript code Exploited IE 6 zero-day vulnerability Web server delivers malware Servers mapped by dynamic DNS XOR encoded malware EXE delivered No Signatures Malware calls home & long-term control established Complete control of infected system Further payloads downloaded C&C located in Taiwan Using outbound port 443 (SSL) Malicious Web server Callback Server 2 3 Desktop antivirus Losing the threat arms race

10 Captured Aurora on Day Zero
Signature-less detection of zero-day attack Malicious binary download posing as JPG Decryption routine for “a.exe”

11 Captured Aurora on Day Zero
Decryption complete. MD5 of Hydraq.Trojan Hydraq callback captured

12 Requirements for APT Detection / Protection
1. Dynamic defenses to stop targeted, zero-day attacks 2. Real-time protection to block data exfiltration attempts 3. Accurate, low false positive rates 4. Global intelligence on advanced threats to protect the local network

13 Who is Mission Critical Systems?
Southeast based Information security solutions reseller & integrator in business for over 15 years. Headquarters in South Florida with additional offices in Atlanta and Tampa. Network and Data security solutions are our only focus Representing 20+ best-of-breed security products at either Platinum/Elite or Gold level partner status. Our relationships and status with the manufacturers allow us to leverage significant resources and hold manufacturers accountable. Sales consultants and engineers maintain manufacturer certifications to ensure we provide accurate information to help customers achieve their security goals and not purchase unnecessary technologies. We work on behalf of the customer to design the appropriate solution for their security needs, negotiate the best value, and ensure a successful project roll-out.

14 Professional Services
Installation, Configuration and Support Services Security Assessment and Audits Vulnerability Scanning / Penetration Testing Web Application Assessment Secure Network Design Telephone Support Contracts Training

15 Thank You

Download ppt "Next Generation Threat Protection"

Similar presentations

Ads by Google