2012 Taking Complexity out of Information Security …allowing you to focus on your business

The Problem Landscape

Google RSA Juniper DuPont IMF Lockheed Martin … 762 companies were hit during the RSA attack

 Regardless of the definition, % they adhere to the following characteristics: ◦ Nature  Targeted attacks  Blended Threats (multiple attack vectors)  “Low and Slow” ◦ Tactics:  Social Engineering, Attacking the user (most of the times)  Establishing a foothold (e.g. Remote Access Trojans)  Attack Escalation & Metastasis – Access to critical data and services  Retaining persistence (different RATs, multiple footholds, etc.) ◦ Results:  Data leakage, Sabotage, Fraud…  In essence is the attack method of choice of Professional Attackers

Step 1 Reconnaissance Step 2 Initial Intrusion into the Network Step 3 Establish a Backdoor into the Network Step 4 Obtain User Credentials Install Various Utilities Step 5 Privilege Escalation Attack Escalation Metastasis Step 7 Maintain Persistence Data Exfiltration/Other objectives realization Internal Users Web Applications Data CenterAttacker

 ORGANIZATIONS MUST LEARN TO LIVE IN A STATE OF COMPROMISE  Companies including utilities, banks and phone carriers would have to spend almost nine times more on cybersecurity to prevent a digital Pearl Harbor…, a Bloomberg Government study found  APT Tops Security Risks to Corporate IP in 2012,  "I'm meeting more CSO's saying 'all I care about is APT…’” Bruce Schneier, CTO of BT Counterpane

 ENCODE Extrusion Testing™: ◦ Security Assessment via APT Simulation ◦ Running Extrusion Tests from 2003!...8 years of hands-on experience ◦ Proprietary tools and methodologies ◦ Attacking “outside-in and inside-out”  Digital Forensics ◦ Performed Forensics on APT cases on various organisations

Because Controls fail  “Medieval approach to IT Security” - Building “castles/perimeters” around the network and trying to be “Preventive”  Single “attack vector” controls  “Evolved versions” of ones designed for the 90’s  Reactive approach

 While Security Programs are focused in Compliance ◦ However: Compliant ≠Secure  And at the same time even Specialized Security Controls are not adequate on their own (or even combined)  “Traditional” Controls fail ◦ Firewalls, IPS, Secure Web Gateways, AV/Endpoint Security… ◦ They are totally blind, due to a misfit paradigm for APTs  But also “less traditional” ones ◦ Data Leak Prevention – Designed for human actions, not for leakages by a piece of advanced software (malware, Trojans) ◦ 24x7 Security Monitoring - “Garbage IN, Garbage OUT”, No Monitoring in context, Not having the right tools for the job

Addressing APTs

One quite clever guy once said that “if he had one hour to save the world he would spend fifty-five minutes defining the problem and only five minutes finding the solution”

 Is it a Malware problem  Is it an adversary problem  Is it a Forensics Problem  Is it a Visibility Problem  Is it a zero-day exploit Problem  Is it a Botnet detection and/or takedown problem  Is it a lack of Security skills problem  Is it a lack of Defense in Depth problem …… …the short answer is NO Each one of them is a piece of the problem, but not the problem!

We believe it is 2-fold problem: A “Name Problem” A “Complexity Problem”

ENCODE Extrusion Testing Facts: Infection vectors used - Total

Because  they are considered “Advanced” for “traditional” but also for “less traditional” security controls  they are also “Advanced” for “Single-vector” specialized security controls  they are not “advanced enough” for some specialized security controls trying to be “very advanced”, missing KISS APT  organizations (used to) underplay/underestimate the Threat saying “this is too advanced… it won’t happen to us”

 Complexity: ◦ Complex IT environments & Business process, supporting Business Agility ◦ Complex Threat Landscape ◦ Complexity of the Internet  Attackers are taking advantage of this Complexity to achieve their goals, along with the fact that Business must be agile to remain in business!  However to solve a “complexity problem” or a complex problem you have to: ◦ Take out complexity, where you can ◦ Focus on the parts of the problem that really mater and solve them

 You cannot reduce complexity, at least from every part of your business…period  As Complexity increases the good old “Preventive” controls get less and less effective or impair Business  Nonetheless you have to be “Proactive”  Proactive Security ≠ Preventive Controls alone ◦ Early Warning & Response is the “preventive” control of choice for Complex environments and Threats  You have to focus on APT

If Early Warning is what we need, let’s think “What cannot be evaded”  Behavior ◦ An IT environment under attack does not behaves as normal ◦ Each attack, APT included, has its own signs in behavior change  True Visibility – at all (relevant) Levels ◦ Network: Internet Access (incoming/outgoing) ◦ Endpoint: System state & Data Access/Use  Expertise – the human factor ◦ Encapsulated expertise ◦ Expert view and analysis

Conclusion

APTs are becoming the weapon of choice:  from Government and Defense  to companies with Intellectual Property or Critical Infrastructure  to other “high-value” targets ◦ Finance ◦ … “…if professional attackers didn’t use such techniques they should have been sued for negligence…”

 is not a matter of What  is not a matter of Who  is a matter of When! Attorney David Navetta: … but to me a lot of companies might be thinking that breach is not a matter of if, but a matter of when, and that if you are a high enough profile type of target and someone really wants to get after you, they might have a good chance of actually succeeding

_