Presentation is loading. Please wait.

Presentation is loading. Please wait.

Adversary Defense: Past, Present, Future Presenter’s Name Here Presenter’s Title Here.

Published byStanley Charles Modified over 8 years ago

Similar presentations

Presentation on theme: "Adversary Defense: Past, Present, Future Presenter’s Name Here Presenter’s Title Here."— Presentation transcript:

1 Adversary Defense: Past, Present, Future Presenter’s Name Here Presenter’s Title Here

2 Is compromise inevitable? Adversary Defense: Past, Present, Future It’s going to happen… Offense is cheaper and easier than Defense. Compromise is no longer if, but when. Detection takes too long 229 - The average number of days to discover a breach Response times impact the business Average response times are weeks to months Not enough skills 70% of organizations lack staff to counter cyber security threats “By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2013.” - Gartner “By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2013.” - Gartner

3 Are all “Incidents” the same? Public Data Breach Suspected Compromise Malware Outbreaks & Employee Investigations Adversary Defense: Past, Present, Future

4 Proactive or Reactive? Experiencing a security incident Internal teams unable to address issue at hand Pressure to resolve the incident quickly Need to address legal/compliance reporting requirements post-incident Currently battling an incident and need extra help Media coverage of breach Crisis Mode Realization that gaps in security may have led to an undetected breach Industry peer suffered a breach and they want to know if they have been impacted New security alert or intelligence that causes concern and the customer has no way to determine if they might be impacted Elevated Concern Looking to turn plans into optimized programs Looking for ways to improve or augment internal IR capabilities Want to pre-negotiate terms and rates for faster action when 3 rd party help is needed Have a regulatory or legal requirement to have a 3 rd - party IR team on retainer Proactive Planning Adversary Defense: Past, Present, Future

5 5 5 Planning Horizon Reliability Source: Gartner Research, How to Select a Threat Intelligence Service, Informed Judgment High Degree of Certainty Operational Intelligence Network Traffic Feed Strategic Intelligence ImmediateLong Term Snake Oil Security Intelligence

6 Adversary Intelligence Adversary Defense: Past, Present, Future Adversary Actor Group TTP Actions Resources Campaigns Victims Trends Incidents Indicators Intent Attack Vector Vulnerabilities Exploits Targets Industry Geography CollectionProcessingAnalysis Production Data Warehouse Mining Social Network Mining Underground Forums Open Source Monitoring Information Sharing Subscription Consumption Content Capabilities Technical Analysis Directed Research Telemetry

7 Incident Response Today Adversary Defense: Past, Present, Future Un-prioritized AlertsManual IR Call TreesTriage Begins External Response Team CalledDelays in Ramp-upManual Correlation of Evidence

8 Incident Response Tomorrow Adversary Defense: Past, Present, Future Prioritized/Correlated AlertsAutomated Triage WorkflowCollaborative Triage Clear Line of SiteReal-time updatesCollaborative Response Improve Response Times 1 Lower Response Costs 2 Improve Response Effectiveness 3 Enable Continuous Improvement 4

9 Adversary Techniques +91 % Increase in targeted attack campaigns 2012 2013 Adversary Defense: Past, Present, Future

10 Spear Phishing Adversary Defense: Past, Present, Future

11 Spear Phishing with an Attachment More than 50 percent of email attachments used in spear phishing attacks were executable files in 2013.

12 Risk of Being Targeted by Job Role Personal Assistant (Executive Assistant) High Medium Low Media Senior Management Sales C-Level Recruitment R&D Risk Risk of Job Role Impact by Targeted Attack Sent by Spear-Phishing Email Source: Symantec Adversary Defense: Past, Present, Future

13 Targeted Attack Campaigns 201120122013 Email per Campaign Recipient/Campaign 78 122 29 61 111 23 Campaigns Duration of Campaign 165 408 779 4 days 3 days8.3 days Adversary Defense: Past, Present, Future

14 Targeted Organization by Size Spear Phishing Attacks by Size of Targeted Organization, 2011 - 2013 Source: Symantec 50% 39% 18% 31% 30% 100% 0 201120122013 1,501 to 2,500 1,001 to 1,500 501 to 1,000 251 to 500 1 to 250 2,501+ Employees 50% 61% Adversary Defense: Past, Present, Future

15 In operation since at least 2011 Appear to be operating in the UTC +4 time zone suggesting a base of operations working in the Moscow Russia time zone Initially targeted defense and aviation companies in the US and Canada Shifted focus to US and European energy firms in early 2013 Likely to either be state sponsored, or corporate sponsored (given the type of victims targted) Involvement with Russian crime scene/forums (confirmed) – Backdoor.Oldrea – Trojan.Karagany Data theft The Dragonfly group

16 Dragonfly Group - Attack Methods Adversary Defense: Past, Present, Future Send an email to a person of interest Spear Phishing Infect a website and lie in wait for them Watering Hole Attack

17 Dragonfly Malware Threats Adversary Defense: Past, Present, Future Trojan.Karagany From leaked source code Sold in underground market Leaked in 2010 Modified by Dragonfly team Features include collecting passwords, taking screenshots, cataloging documents Backdoor.Oldrea a.k.a. Havex, Energetic Bear RAT Custom malware Used in majority of attacks Acts as backdoor for attackers Features include collecting system information, Outlook address book Symantec Antivirus Backdoor.Oldrea Trojan.Karagany

18 Dragonfly Exploit Kits Adversary Defense: Past, Present, Future Lightsout Exploit Kit Uses Java and IE exploits Injected iframe link sends victim to website hosting malware Hello Exploit Kit Uses Javascript to fingerprint system and determine best exploit Intrusion Prevention Signatures Web Attack: Lightsout Exploit Kit Web Attack: Lightsout Toolkit Website 4

19 Cyber Security Services Prepare Attack Readiness Assessment IR Plan Assessment IR Program Development TableTop Exercises Cyber Exercises and Simulation Detect Data Collection Correlation Analysis Monitoring Services Alerting Services Respond Incident Investigation Incident Containment Incident Recovery Lessons Learned Inform Adversary Intelligence / Data Feeds / Directed Research

20 Thank you! Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Thank you! symantec.com/threatreport Adversary Defense: Past, Present, Future http://www.symantec.com/managed-security-services http://go.symantec.com/incidentresponse

Download ppt "Adversary Defense: Past, Present, Future Presenter’s Name Here Presenter’s Title Here."

Similar presentations

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.
Symantec Education Skills Assessment SESA 3.0 Feature Showcase

Symantec Education Skills Assessment SESA 3.0 Feature Showcase
Security Life Cycle for Advanced Threats

Security Life Cycle for Advanced Threats
IT Analytics for Symantec Endpoint Protection

IT Analytics for Symantec Endpoint Protection
‘Changing environment – changing security’ - Cyber-threat challenges today – Budapest, September 17-18, 2012 1 Industry and the fight against cybercrime.

‘Changing environment – changing security’ - Cyber-threat challenges today – Budapest, September 17-18, Industry and the fight against cybercrime.
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
Threat Intelligence Use in Information Security: History, Theory and Practice Tim Gallo Cyber Security Field Engineering 1.

Threat Intelligence Use in Information Security: History, Theory and Practice Tim Gallo Cyber Security Field Engineering 1.
© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Targeted Attacks and Advanced Threats Bryon Page Solution Systems Engineer.

Targeted Attacks and Advanced Threats Bryon Page Solution Systems Engineer.
Ilias Chantzos Senior Director, Government Affairs - EMEA Symantec Cyber-security & cyber-resilience: Policy implications in smart cities.

Ilias Chantzos Senior Director, Government Affairs - EMEA Symantec Cyber-security & cyber-resilience: Policy implications in smart cities.
©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.

©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.
Security for Today’s Threat Landscape Kat Pelak 1.

Security for Today’s Threat Landscape Kat Pelak 1.
1 Getting Beyond Standalone Antivirus to Advanced Threat Protection Eric Schwake Sr. Product Marketing

1 Getting Beyond Standalone Antivirus to Advanced Threat Protection Eric Schwake Sr. Product Marketing
Symantec Tech Symposium Randy Cochran, Vice Present Channel Sales – Americas August 17, 2009.

Symantec Tech Symposium Randy Cochran, Vice Present Channel Sales – Americas August 17, 2009.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
The Changing Face of Endpoint Security K Varadarajan Regional Manager, Enterprise Sales, Symantec Security Conference 2010_Bangalore.

The Changing Face of Endpoint Security K Varadarajan Regional Manager, Enterprise Sales, Symantec Security Conference 2010_Bangalore.
Symantec Vision and Strategy for the Information-Centric Enterprise Muhamed Bavçiç Senior Technology Consultant SEE.

Symantec Vision and Strategy for the Information-Centric Enterprise Muhamed Bavçiç Senior Technology Consultant SEE.
SiteLock Internet Security: Big Threats for Small Business.

SiteLock Internet Security: Big Threats for Small Business.
Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.

Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.
President’s Forum and WSML 2012 INDSTRAT 02 Mobile Market Dynamics Brian Duckering, Deborah Clark, Evan Quinn “A Day in the Life of Mobile” 1.

President’s Forum and WSML 2012 INDSTRAT 02 Mobile Market Dynamics Brian Duckering, Deborah Clark, Evan Quinn “A Day in the Life of Mobile” 1.

Similar presentations

Ads by Google