Adversary Defense: Past, Present, Future Presenter’s Name Here Presenter’s Title Here.

Presentation transcript:

Adversary Defense: Past, Present, Future Presenter’s Name Here Presenter’s Title Here

Is compromise inevitable?
It's going to happen: offense is cheaper and easier than defense. Compromise is no longer a question of if, but when.
Detection takes too long: the average number of days to discover a breach
Response times impact the business: average response times are weeks to months.
Not enough skills: 70% of organizations lack staff to counter cyber security threats.
"By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2013." - Gartner

Are all "Incidents" the same?
Public Data Breach
Suspected Compromise
Malware Outbreaks & Employee Investigations

Proactive or Reactive?
Crisis Mode:
- Experiencing a security incident
- Internal teams unable to address the issue at hand
- Pressure to resolve the incident quickly
- Need to address legal/compliance reporting requirements post-incident
- Currently battling an incident and need extra help
- Media coverage of the breach
Elevated Concern:
- Realization that gaps in security may have led to an undetected breach
- An industry peer suffered a breach and they want to know if they have been impacted
- A new security alert or intelligence causes concern and the customer has no way to determine if they might be impacted
Proactive Planning:
- Looking to turn plans into optimized programs
- Looking for ways to improve or augment internal IR capabilities
- Want to pre-negotiate terms and rates for faster action when 3rd-party help is needed
- Have a regulatory or legal requirement to have a 3rd-party IR team on retainer

Security Intelligence (chart: planning horizon from Immediate to Long Term against reliability from Informed Judgment to High Degree of Certainty; regions labelled Network Traffic Feed, Operational Intelligence, Strategic Intelligence and Snake Oil). Source: Gartner Research, How to Select a Threat Intelligence Service.

Adversary Intelligence
Adversary model: Actor, Group, TTP, Actions, Resources, Campaigns, Victims, Trends, Incidents, Indicators, Intent, Attack Vector, Vulnerabilities, Exploits, Targets, Industry, Geography.
Pipeline: Collection, Processing, Analysis, Production.
Inputs and outputs: Data Warehouse Mining, Social Network Mining, Underground Forums, Open Source Monitoring, Information Sharing, Subscription, Consumption, Content, Capabilities, Technical Analysis, Directed Research, Telemetry.

Incident Response Today
Un-prioritized Alerts, Manual IR Call Trees, Triage Begins, External Response Team Called, Delays in Ramp-up, Manual Correlation of Evidence.

Incident Response Tomorrow
Prioritized/Correlated Alerts, Automated Triage Workflow, Collaborative Triage, Clear Line of Sight, Real-time Updates, Collaborative Response.
1. Improve Response Times
2. Lower Response Costs
3. Improve Response Effectiveness
4. Enable Continuous Improvement

Adversary Techniques: +91% increase in targeted attack campaigns.

Spear Phishing

Spear Phishing with an Attachment: more than 50 percent of attachments used in spear phishing attacks were executable files in 2013.

Risk of Being Targeted by Job Role (chart: risk of a job role being sent spear-phishing against impact of a targeted attack, rated High, Medium, Low; roles shown are Personal Assistant (Executive Assistant), Media, Senior Management, Sales, C-Level, Recruitment and R&D). Source: Symantec.

Targeted Attack Campaigns (chart: recipients per campaign, number of campaigns, and duration of campaign in days; durations shown are 3 days and 8.3 days).

Targeted Organization by Size (chart: spear phishing attacks by size of targeted organization, employee bands from 250 and fewer up to 2,501+; values shown are 50%, 39%, 18%, 31%, 30%, 61% and 100%). Source: Symantec.

The Dragonfly group
- In operation since at least 2011
- Appear to be operating in the UTC+4 time zone, suggesting a base of operations working in the Moscow, Russia time zone
- Initially targeted defense and aviation companies in the US and Canada
- Shifted focus to US and European energy firms in early 2013
- Likely to be either state sponsored or corporate sponsored (given the type of victims targeted)
- Involvement with the Russian crime scene/forums (confirmed)
- Malware: Backdoor.Oldrea, Trojan.Karagany
- Data theft

Dragonfly Group - Attack Methods
Spear Phishing: send an email to a person of interest.
Watering Hole Attack: infect a website and lie in wait for them.

Dragonfly Malware Threats
Trojan.Karagany: built from leaked source code; sold in the underground market; leaked in 2010; modified by the Dragonfly team. Features include collecting passwords, taking screenshots and cataloging documents.
Backdoor.Oldrea (a.k.a. Havex, Energetic Bear RAT): custom malware; used in the majority of attacks; acts as a backdoor for the attackers. Features include collecting system information and the Outlook address book.
Symantec Antivirus detections: Backdoor.Oldrea, Trojan.Karagany.

Dragonfly Exploit Kits
Lightsout Exploit Kit: uses Java and IE exploits; an injected iframe link sends the victim to a website hosting malware.
Hello Exploit Kit: uses JavaScript to fingerprint the system and determine the best exploit.
Intrusion Prevention Signatures: Web Attack: Lightsout Exploit Kit; Web Attack: Lightsout Toolkit Website 4.

Cyber Security Services
Prepare: Attack Readiness Assessment, IR Plan Assessment, IR Program Development, Tabletop Exercises, Cyber Exercises and Simulation.
Detect: Data Collection, Correlation, Analysis, Monitoring Services, Alerting Services.
Respond: Incident Investigation, Incident Containment, Incident Recovery, Lessons Learned.
Inform: Adversary Intelligence / Data Feeds / Directed Research.

Thank you! symantec.com/threatreport
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.