Slide 1: Next Generation Threat Protection
Randy Lee, Sr. SE Manager
Slide 2: The Acceleration of Advanced Targeted Attacks

Cyber-espionage and Cybercrime
- Number of threats is up 5X
- Nature of threats changing: from broad, scattershot to advanced, targeted, persistent
- Advanced attacks accelerating
- High-profile victims common (e.g., RSA, Symantec, Google)
- Numerous APT attacks like Operation Aurora, Shady RAT, GhostNet, Night Dragon, Nitro

[Chart: "Damage of Attacks" over time (2004, 2006, 2008, 2010, 2012); labels: Advanced Persistent Threats, Zero-day, Targeted Attacks, Dynamic Trojans, Stealth Bots, Cybercrime, Spyware/Bots, Disruption, Worms, Viruses]

Speaker notes:
STAT: The pace of attacks is way up: 10X from 2007 and 5X from 2009 (both according to Intel's threat data reports).
And the nature of these attacks has changed from broad, scattershot attacks to very targeted attacks with persistent adversaries (oftentimes nation-states).
Gartner is reaffirming the fact that advanced attacks have evolved to a point that bypasses the capabilities of traditional tools.
(TRANSITION: Let's take a look at some of these high-profile victims.)

"Organizations face an evolving threat scenario that they are ill-prepared to deal with… advanced threats that have bypassed their traditional security protection techniques and reside undetected on their systems." Gartner, 2012
Slide 3: High Profile Attacks are Increasingly Common

"Coke Gets Hacked And Doesn't Tell Anyone"
By Ben Elgin, Dune Lawrence & Michael Riley - Nov 4, :01 PM ET
Hackers had broken into the company's computer systems and were pilfering sensitive files about its attempted $2.4 billion acquisition of China Huiyuan Juice Group (1886), according to three people familiar with the situation and an internal company document detailing the cyber intrusion. The Huiyuan deal, which collapsed three days later, would have been the largest foreign takeover of a Chinese company at the time.
Slide 4: We are Only Seeing the Tip of the Iceberg

[Iceberg graphic]
- Above the surface: headline-grabbing attacks
- Thousands more below the surface: APT attacks, zero-day attacks, polymorphic attacks, targeted attacks
Slide 5: Traditional Defenses Don't Work

Networks are being compromised as APTs easily bypass traditional signature-based defenses like NGFW, IPS, AV, and gateways.
- Advanced attacks bypass both signature- and heuristics-based technologies in existing IT security defenses.
- As a result, traditional defenses are ineffective against today's advanced targeted attacks.

Speaker notes:
Signatures represent a reactive mechanism against known threats. However, if attacks remain below the radar, the malware is completely missed, and the network remains vulnerable, especially to zero-day, targeted APT malware. No matter how malicious the code is, if signature-based tools haven't seen it before, they let it through. For example, consider the time lag in signature development due to the need for vulnerability disclosure and/or the mass spread of an attack to catch the attention of researchers.

Advanced attacks also bypass the heuristics-based technologies in existing IT security defenses. Heuristic-based protection alone has not proven to be operationally effective. These tools rely on rough algorithms to estimate suspicious behavior, generating many false alerts. While heuristic techniques have merit, the true-positive to false-positive ratio (a.k.a. signal-to-noise ratio) is too low for a cost-effective ROI. The false positives clutter up security event logs, and real-time blocking based on these heuristic alerts is simply not an option. Administrators often "dumb down" the available heuristics to catch only the most obvious suspicious behavior, and multi-stage targeted attacks don't trip this coarse-grained filter.
Slide 6: Defining Advanced Targeted Attacks

Advanced Targeted Attack (a.k.a. Advanced Persistent Threat, APT)
- Utilizes advanced techniques and/or malware: unknown, targeted, polymorphic, dynamic, personalized
- Uses zero-day exploits, commercial-quality toolkits, and social engineering
- Often targets IP and credentials, and often spreads laterally throughout the network

The New Threat Landscape: there is a new breed of attacks that are advanced, zero-day, and targeted.
[Comparison graphic. ADVANCED: stealthy; unknown and zero-day; targeted; persistent. TRADITIONAL: open; known and patchable; broad; one-time.]

Speaker notes:
"Advanced Targeted Attacks" is the term we will use to describe the attacks in this market (it is also what Gartner has just coined and uses). What are advanced targeted attacks? They use advanced malware, zero-day and APT tactics to penetrate networks for the purpose of control, espionage and theft.
Advanced malware uses a variety of tactics like zero-day exploits and dynamism (e.g. fast-flux DNS, polymorphism), and is often targeted/personalized.
We are now in the age of the "Cyber Industrial Complex", in which criminals have commercial-quality toolkits to build the cyber weapons (malware) that are so effective at penetrating networks.
Many in the IT security industry call these cyber-criminal actors Advanced Persistent Threats.
TRANSITION: Why are advanced targeted attacks so effective?
Slide 7: Advanced Malware Infection Lifecycle

1. System gets exploited
- Drive-by attacks in casual browsing
- Links in targeted emails
- Attachments in targeted emails

2. Dropper malware installs
- First step to establish control
- Calls back out to criminal servers
- Found on compromised sites and Web 2.0, user-created content sites

3. Malicious data theft and long-term control established
- Uploads data stolen via keyloggers, Trojans, bots, and file grabbers
- One exploit leads to dozens of infections on the same system
- Criminals have built long-term control mechanisms into the system

[Diagram: compromised Web server or Web 2.0 site and callback server outside; DMZ servers; perimeter security (signature, rule-based); other gateway (list-based, signatures); anti-spam; desktop antivirus. Caption: "Losing the threat arms race".]

Speaker notes:
KEY POINT: Modern malware has an infection lifecycle. It is no longer the case that an exploit of a system leads to just one infection. The goal is LONG-TERM control over the system ("0wn-ing" the system).
- Once a system is exploited, a multi-stage infection cycle begins in which dozens of malware infections are installed onto the end system.
- These MULTIPLE infections on the same system help to ensure LONG-TERM control over the PC by the cyber criminal.
- To effectively stop the infection, a solution must address the entire lifecycle (initial exploitation, subsequent downloads, and ongoing malware outbound callbacks).
Slide 8: Malware Analysis

What types of malware analysis should you do?
- Static analysis: signature, heuristics
- Dynamic analysis
- Discrete object analysis
- Contextual analysis
Slide 10: Captured Aurora on Day Zero
Signature-less detection of zero-day attack
- Malicious binary download posing as JPG
- Decryption routine for "a.exe"
Slide 11: Captured Aurora on Day Zero
- Decryption complete. MD5 of Hydraq.Trojan
- Hydraq callback captured
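The point running through slides 5, 7, 8, 10 and 11 is that a signature check on one object cannot catch a dropper nobody has hashed yet, whereas relating the stages of the lifecycle (a download that claims to be an image but is an executable, followed by regular callbacks from the same host) can. The following is an added illustration of that contextual analysis, written for this page; it is not code from the presentation, from Mission Critical Systems, or from any vendor product. All telemetry, hashes, URLs and addresses are constructed, and the field names of the event records are an assumption about how proxy and flow logs might be normalised.

```python
from collections import defaultdict

# Constructed sample telemetry (no real incident data): proxy and flow records
# already normalised into dicts. Host 10.0.0.5 goes through the whole lifecycle
# with a dropper whose hash is NOT in the signature set; 10.0.0.7 only browses
# normally; 10.0.0.9 fetches a sample whose hash is already known.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "10.0.0.5", "type": "http_get", "url": "http://compromised.example/news.html",
     "content_type": "text/html", "magic": b"<!DO"},
    {"ts": 101, "host": "10.0.0.5", "type": "http_get", "url": "http://compromised.example/img/a.jpg",
     "content_type": "image/jpeg", "magic": b"MZ\x90\x00", "sha256": "0" * 64},
    {"ts": 130, "host": "10.0.0.5", "type": "tcp_connect", "dst": "203.0.113.9", "dport": 443},
    {"ts": 190, "host": "10.0.0.5", "type": "tcp_connect", "dst": "203.0.113.9", "dport": 443},
    {"ts": 250, "host": "10.0.0.5", "type": "tcp_connect", "dst": "203.0.113.9", "dport": 443},
    {"ts": 310, "host": "10.0.0.5", "type": "tcp_connect", "dst": "203.0.113.9", "dport": 443},
    {"ts": 102, "host": "10.0.0.7", "type": "http_get", "url": "http://cdn.example/logo.jpg",
     "content_type": "image/jpeg", "magic": b"\xff\xd8\xff\xe0"},
    {"ts": 140, "host": "10.0.0.7", "type": "tcp_connect", "dst": "198.51.100.2", "dport": 443},
    {"ts": 400, "host": "10.0.0.7", "type": "tcp_connect", "dst": "198.51.100.2", "dport": 443},
    {"ts": 150, "host": "10.0.0.9", "type": "http_get", "url": "http://files.example/setup.exe",
     "content_type": "application/octet-stream", "magic": b"MZ\x90\x00", "sha256": "1" * 64},
]

# Signature set: the only thing a purely signature-based gateway can act on
# (constructed hash standing in for a previously analysed sample).
KNOWN_BAD_SHA256 = {"1" * 64}


def signature_match(event, known_hashes=KNOWN_BAD_SHA256):
    """Discrete object analysis: a download is bad only if its hash is already known."""
    return event.get("type") == "http_get" and event.get("sha256") in known_hashes


def is_masquerading_executable(event):
    """Single-object heuristic: served as an image, but the bytes start with a PE header."""
    if event.get("type") != "http_get":
        return False
    declared_image = event.get("content_type", "").startswith("image/")
    return declared_image and event.get("magic", b"").startswith(b"MZ")


def find_beacons(events, min_repeats=3, tolerance=0.2):
    """Callback heuristic: destinations contacted at a regular interval.

    Returns {dst: (mean_interval, first_ts)} for every destination with at least
    min_repeats connections whose gaps all lie within tolerance of the mean gap."""
    by_dst = defaultdict(list)
    for e in events:
        if e.get("type") == "tcp_connect":
            by_dst[e["dst"]].append(e["ts"])
    beacons = {}
    for dst, stamps in by_dst.items():
        stamps.sort()
        if len(stamps) < min_repeats:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps):
            beacons[dst] = (mean, stamps[0])
    return beacons


def assess_host(events, known_hashes=KNOWN_BAD_SHA256, window=3600):
    """Contextual analysis: chain per-object findings on one host into a verdict.

    A known hash is enough on its own. An unknown dropper is only caught by
    relating the masquerading download to the beaconing that follows it."""
    evidence, drop_ts = [], None
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if signature_match(e, known_hashes):
            evidence.append(("known_malware_download", e["url"]))
        elif is_masquerading_executable(e):
            evidence.append(("masquerading_executable", e["url"]))
        else:
            continue
        drop_ts = e["ts"] if drop_ts is None else drop_ts
    beacons = find_beacons(events)
    for dst, (interval, _first) in beacons.items():
        evidence.append(("beacon", f"{dst} every {interval:.0f}s"))

    if any(kind == "known_malware_download" for kind, _ in evidence):
        verdict = "known_malware"
    elif drop_ts is not None and any(
            0 <= first - drop_ts <= window for _, first in beacons.values()):
        verdict = "multi_stage_compromise"
    elif evidence:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "evidence": evidence}


def assess(events, known_hashes=KNOWN_BAD_SHA256):
    """Run the lifecycle assessment for every host seen in the telemetry."""
    per_host = defaultdict(list)
    for e in events:
        per_host[e["host"]].append(e)
    return {host: assess_host(evs, known_hashes) for host, evs in per_host.items()}


if __name__ == "__main__":
    for host, result in sorted(assess(SAMPLE_EVENTS).items()):
        print(host, result["verdict"], result["evidence"])
```

On the constructed data, signature_match alone never fires for 10.0.0.5 (its dropper hash is unknown), which is the slide-5 failure mode; the host is still reported as multi_stage_compromise because the masquerading download and the 60-second beacon are evaluated together rather than as discrete objects. A single masquerading download or a single beaconing destination with no related stage is reported only as suspicious, which is how the correlation keeps the false-positive rate of either heuristic on its own from becoming the alert rate.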
Slide 12: Requirements for APT Detection / Protection
1. Dynamic defenses to stop targeted, zero-day attacks
2. Real-time protection to block data exfiltration attempts
3. Accurate, low false-positive rates
4. Global intelligence on advanced threats to protect the local network
Slide 13: Who is Mission Critical Systems?
- Southeast-based information security solutions reseller and integrator, in business for over 15 years. Headquarters in South Florida with additional offices in Atlanta and Tampa.
- Network and data security solutions are our only focus.
- Representing 20+ best-of-breed security products at either Platinum/Elite or Gold level partner status. Our relationships and status with the manufacturers allow us to leverage significant resources and hold manufacturers accountable.
- Sales consultants and engineers maintain manufacturer certifications to ensure we provide accurate information to help customers achieve their security goals and not purchase unnecessary technologies.
- We work on behalf of the customer to design the appropriate solution for their security needs, negotiate the best value, and ensure a successful project roll-out.
Slide 14: Professional Services
- Installation, configuration and support services
- Security assessments and audits
- Vulnerability scanning / penetration testing
- Web application assessment
- Secure network design
- Telephone support contracts
- Training