Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Analysis of Recent Cyber Attacks WADE WILLIAMSON.

Similar presentations


Presentation on theme: "An Analysis of Recent Cyber Attacks WADE WILLIAMSON."— Presentation transcript:

1 An Analysis of Recent Cyber Attacks WADE WILLIAMSON

2 Introducing Vectra Networks Investors Jim Messina CEO, The Messina Group Board Hitesh Sheth President & CEO, Vectra Eric Wolford GP, Accel Ventures Charles Giancarlo Advisor, Silver Lake Leadership Customers Brad Gillespie GP, IA Ventures Alain Mayer VP Product Mgmt Jason Kehl VP Engineering Mike Banic VP Marketing Rick Geehan VP Sales, N. Amer. Oliver Tavakoli CTO Hitesh Sheth President & CEO Mission Automatically detect any phase of an ongoing cyber attack © 2014 Vectra Networks |

3 Cyber Attacks Follow the Same Blueprint © 2014 Vectra Networks | Breaches are relatively simple (SQL Injection) Security: Focus on preventing exploits 2007 TJX Breach - systemic breach with massive financial impact Security: More prevention, clean-up, and forensics 2013 Breaches become a regular occurrence Security: Evolving to a proactive daily effort to find active breaches

4 The Cyber Attacker Blueprint © 2014 Vectra Networks | Gain privileged access to the network Employees and partners Phishing Social engineering Extend compromise across the network Steal or destroy key assets Spread malware Elevate access Establish control Find key assets Aggregate data Tunnel out of the network 123

5 The Blueprint Applied to Target © 2014 Vectra Networks | Gain privileged access to the network Compromised an HVAC vendor with login credentials to a Target portal Extend compromise across the network Steal or destroy key assets Pivoted from the portal to the internal Target network, and delivered malware to PoS terminals at stores Payment card data aggregated from stores, and exfiltrated out of the Target network

6 The Blueprint Applied to Sony* © 2014 Vectra Networks | Gain privileged access to the network Social engineering to gain access to building, and stole admin credentials Extend compromise across the network Steal or destroy key assets Used admin access to spread malware across the network Stole content, private correspondence, and deployed wiper malware to destroy assets *Investigation into the Sony attack is ongoing

7 The Blueprint Applied to eBay © 2014 Vectra Networks | Gain privileged access to the network Multiple employee credentials exposed Extend compromise across the network Steal or destroy key assets Gained internal access to server with user account info and encrypted passwords Copied database and stole 145 million customer records

8 © 2014 Vectra | 8 Internal Recon Lateral Movement Acquire Data Botnet Monetization Standard C&C Exfiltrate Data Custom C&C & RAT Opportunistic Targeted A Closer Look at a Modern Attack Initial Infection Custom C&C

9 How Security Effort Aligns to Life of an Attack 9 Perimeter security looks for known C&C or malicious domains. SIEM analysis and incident response reconstructs the active phase after the breach. Security Investment & Effort High Effort Low Effort Prevention PhaseActive PhaseClean-up Phase C&C and RAT Internal Recon Lateral Movement Acquire Data Botnet Monetization Exfiltrate Data Exfiltrated Data Initial Exploit Perimeter security looks for exploits and malware: Firewalls IPS Malware Sandboxes

10 How Security Effort Aligns to Life of an Attack 10 SIEM analysis and incident response reconstructs the active phase after the breach. Security Investment & Effort High Effort Low Effort Prevention PhaseActive PhaseClean-up Phase C&C and RAT Internal Recon Lateral Movement Acquire Data Botnet Monetization Exfiltrate Data Exfiltrated Data Initial Exploit Perimeter security looks for exploits and malware: Firewalls IPS Malware Sandboxes Maginot Line Problem

11 11 Maginot Line

12 Prevention Phase – Nearly Impossible to Be Perfect © 2014 Vectra | Each with many interactions Malicious links Custom payloads Social engineering With many devices Servers Laptops Mobile devices Many privileged users Employees Partners Contractors Attackers only need to win once, and have near-infinite chances to win

13 Targeted Attackers Don’t Reuse C&C Servers…typically. 13 The JP Morgan breach was detected when the attackers made a critical mistake Attackers momentarily reused a C&C server that had been used to attack a charity site.

14 Many Ways to Command and Control 14 Recently observed malware using Gmail as an automated C&C Used Microsoft COM to send Python commands directly through Internet Explorer Drafts automatically synced to cloud, so C&C without mail ever being sent.

15 © 2014 Vectra | 15 Internal Recon Lateral Movement Acquire Data Botnet Monetization Standard C&C Exfiltrate Data Custom C&C Opportunistic Targeted The Active Attack Phase – What Perimeter Security Sees Custom C&C Initial Infection

16 Proposing a Methodology for Real-Time Detection of Cyber Attacks

17 © 2014 Vectra | 17 Requirements for Defending Against an Active Attack 1.Establish internal visibility Direct, deep analysis of traffic and host behaviors 2.Detect all phases of the attack Must detect all techniques attackers use to spy, spread and steal 3.Real-time Real-time visibility, correlation, and context to take action before data is lost Prevention Active Cleanup

18 Network-Based Breach Detection 18 Continuous Monitoring Real-time Detection Automated and Intuitive Prioritized Results w/ Full Context All packets N-S, E-W traffic Any OS, app, device No signatures No rules No configuration Machine learning Behavioral analysis Correlated over time Prioritized by risk Correlated by host Insight into attack

19 Learn to see how an attacker spreads 19

20 20

21 21

22 Learn to see C&C and RATs without signatures 22

23 23

24 24

25 25

26 Focus on your data and key assets 26

27 27

28 © 2014 Vectra | Engineering Community Finance Community

29 Summary Establish Full Visibility All traffic, all devices Internal and edge (N-S, E-W) Detect All Phases of Attack Detect without need for signatures Detect in real time Context for fast decisions Automatically correlate events See threats in relation to assets Prevention PhaseActive PhaseClean-up Phase

30 30


Download ppt "An Analysis of Recent Cyber Attacks WADE WILLIAMSON."

Similar presentations


Ads by Google