An Analysis of Recent Cyber Attacks
Wade Williamson
Introducing Vectra Networks
© 2014 Vectra Networks

Board
- Jim Messina, CEO, The Messina Group
- Hitesh Sheth, President & CEO, Vectra
- Eric Wolford, GP, Accel Ventures
- Charles Giancarlo, Advisor, Silver Lake
- Brad Gillespie, GP, IA Ventures

Leadership
- Hitesh Sheth, President & CEO
- Alain Mayer, VP Product Mgmt
- Jason Kehl, VP Engineering
- Mike Banic, VP Marketing
- Rick Geehan, VP Sales, N. Amer.
- Oliver Tavakoli, CTO

Investors and Customers: (logos, not captured in the text)

Mission: Automatically detect any phase of an ongoing cyber attack
Cyber Attacks Follow the Same Blueprint
- Breaches are relatively simple (SQL injection). Security: focus on preventing exploits.
- 2007: TJX breach, a systemic breach with massive financial impact. Security: more prevention, clean-up, and forensics.
- 2013: Breaches become a regular occurrence. Security: evolving to a proactive daily effort to find active breaches.
The Cyber Attacker Blueprint
1. Gain privileged access to the network
   - Employees and partners
   - Phishing
   - Social engineering
2. Extend compromise across the network
   - Spread malware
   - Elevate access
   - Establish control
   - Find key assets
3. Steal or destroy key assets
   - Aggregate data
   - Tunnel out of the network
The Blueprint Applied to Target
1. Gain privileged access to the network: compromised an HVAC vendor with login credentials to a Target portal.
2. Extend compromise across the network: pivoted from the portal to the internal Target network, and delivered malware to PoS terminals at stores.
3. Steal or destroy key assets: payment card data aggregated from stores, and exfiltrated out of the Target network.
The Blueprint Applied to Sony*
1. Gain privileged access to the network: social engineering to gain access to the building, and stole admin credentials.
2. Extend compromise across the network: used admin access to spread malware across the network.
3. Steal or destroy key assets: stole content and private correspondence, and deployed wiper malware to destroy assets.

*Investigation into the Sony attack is ongoing.
The Blueprint Applied to eBay
1. Gain privileged access to the network: multiple employee credentials exposed.
2. Extend compromise across the network: gained internal access to a server with user account info and encrypted passwords.
3. Steal or destroy key assets: copied the database and stole 145 million customer records.
A Closer Look at a Modern Attack (diagram)
Initial Infection, followed by one of two paths:
- Opportunistic: Standard C&C → Botnet Monetization
- Targeted: Custom C&C & RAT → Internal Recon → Lateral Movement → Acquire Data → Exfiltrate Data
How Security Effort Aligns to Life of an Attack (diagram)
Phases: Prevention Phase → Active Phase → Clean-up Phase
Attack steps: Initial Exploit → C&C and RAT → Internal Recon → Lateral Movement → Acquire Data → Botnet Monetization / Exfiltrate Data → Exfiltrated Data
Vertical axis: Security Investment & Effort (High Effort / Low Effort)
- Prevention phase: perimeter security looks for exploits and malware (firewalls, IPS, malware sandboxes) and for known C&C or malicious domains.
- Clean-up phase: SIEM analysis and incident response reconstructs the active phase after the breach.

Maginot Line Problem

Maginot Line (image)
Prevention Phase – Nearly Impossible to Be Perfect
- Many privileged users: employees, partners, contractors
- With many devices: servers, laptops, mobile devices
- Each with many interactions: malicious links, custom payloads, social engineering
Attackers only need to win once, and have near-infinite chances to win.
Targeted Attackers Don't Reuse C&C Servers… typically.
- The JP Morgan breach was detected when the attackers made a critical mistake.
- Attackers momentarily reused a C&C server that had been used to attack a charity site.
Many Ways to Command and Control
- Recently observed malware using Gmail as an automated C&C.
- Used Microsoft COM to send Python commands directly through Internet Explorer.
- Drafts are automatically synced to the cloud, so C&C works without mail ever being sent.
The Active Attack Phase – What Perimeter Security Sees (diagram)
Initial Infection, followed by one of two paths:
- Opportunistic: Standard C&C → Botnet Monetization
- Targeted: Custom C&C → Internal Recon → Lateral Movement → Acquire Data → Exfiltrate Data
Proposing a Methodology for Real-Time Detection of Cyber Attacks
Requirements for Defending Against an Active Attack
1. Establish internal visibility: direct, deep analysis of traffic and host behaviors.
2. Detect all phases of the attack: must detect all techniques attackers use to spy, spread and steal.
3. Real-time: real-time visibility, correlation, and context to take action before data is lost.
(Phases: Prevention → Active → Cleanup)
Network-Based Breach Detection
- Continuous Monitoring: all packets; N-S and E-W traffic; any OS, app, device
- Real-time Detection: no signatures; no rules; no configuration
- Automated and Intuitive: machine learning; behavioral analysis; correlated over time
- Prioritized Results with Full Context: prioritized by risk; correlated by host; insight into the attack
Learn to see how an attacker spreads
Learn to see C&C and RATs without signatures
Focus on your data and key assets
(diagram: Engineering Community, Finance Community)
Summary
- Establish full visibility: all traffic, all devices; internal and edge (N-S, E-W)
- Detect all phases of attack: detect without the need for signatures; detect in real time
- Context for fast decisions: automatically correlate events; see threats in relation to assets
(Phases: Prevention Phase → Active Phase → Clean-up Phase)