Advanced Targeted Malware or Advanced Persistent Threat without the marketing BS.
APT in this presentation
– The original meaning, as coined by the US military (usually credited to the US Air Force)
– Before it started being used by every IT security vendor, anti-malware vendor, and everyone with "Cyber" in their marketing portfolio

Agenda
– What APT is: its background and history
– Detection and elimination
– The people and what they attack
– The on-going fight
– Reminder checklist
– Some difficult truths
– Questions

APT
Targeted malware with the intent to:
– Enter your estate
– Stay in your estate
– Obtain your data (commercial advantage, technology leapfrog, etc.)

APT is a new threat
Wrong. Very wrong.
– Instances of well-developed attacks and associated malware have been seen since before 2006
– Some people have been working on these issues since perhaps as early as 2002
– Candidly, if you haven't seen this stuff you probably are not looking properly

APT family
It isn't:
– A single attack type
– A single type of malware
– A single attack group

APT family
It is:
– A range of attack types
  – Spear-phishing
  – Generic social-engineered attacks
  – Very well targeted social-engineering attacks
  – Targeted drive-by attacks
– A range of malware types
  – Relatively simple through to quite sophisticated
  – Perhaps 7 to 9 different levels of complexity
  – Generally they use the simplest malware needed

APT activity
Gain a foothold that can obtain command-and-control instructions:
– Via some quite interesting approaches
  – "Interactive" sessions
  – Instructions by hidden means, e.g. embedded in JPEG images
– Usually (always?) via other parties
  – Other compromised companies and web sites
  – University systems
  – "Mom & pop shops"
  – Compromised systems that are unlikely to be noticed initiating a web connection to the attacker's infrastructure
– Knowledge of these "other parties" can often lead to the discovery of new victims (more on that later)

What a rush!
– There is no rush from the attacker's point of view: marathon, not sprint
– Sleeper malware
  – Long-period beaconing
  – Check in only every few months
– A bit more on this later…
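The "long-period beaconing" point above is easy to state and easy to miss in practice, because most log searches look at a day or a week. The following is an added example (not code from the presentation) of the kind of check a SOC would run over consolidated proxy or firewall logs: group connections by client and destination, compute the intervals between successive connections, and flag pairs whose intervals are regular enough to look machine-driven, whatever the period. The log format, hosts and addresses are constructed for the example.

```python
"""Periodic-beacon candidates from proxy log lines (added example, constructed data)."""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log, one connection per line:
#   "<ISO timestamp> <client ip> <destination host>"
# 10.1.4.17 talks to a compromised third-party host once every ~60 days (sleeper beacon),
# 10.1.4.22 is ordinary human browsing, 10.1.4.31 polls a CDN every 5 minutes.
SAMPLE_LOG = """\
2014-01-05T03:14:02Z 10.1.4.17 updates.example-university.edu
2014-03-06T03:14:09Z 10.1.4.17 updates.example-university.edu
2014-05-05T03:13:58Z 10.1.4.17 updates.example-university.edu
2014-07-04T03:14:11Z 10.1.4.17 updates.example-university.edu
2014-07-04T09:00:00Z 10.1.4.22 www.example.com
2014-07-04T09:00:41Z 10.1.4.22 www.example.com
2014-07-04T09:07:12Z 10.1.4.22 www.example.com
2014-07-04T11:30:05Z 10.1.4.22 www.example.com
2014-07-04T10:00:00Z 10.1.4.31 cdn.example.net
2014-07-04T10:05:00Z 10.1.4.31 cdn.example.net
2014-07-04T10:10:00Z 10.1.4.31 cdn.example.net
2014-07-04T10:15:00Z 10.1.4.31 cdn.example.net
2014-07-04T10:20:00Z 10.1.4.31 cdn.example.net
"""


def parse_log(text):
    """Yield (timestamp, client, destination) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, client, dest


def beacon_candidates(text, min_hits=4, max_cv=0.1):
    """Return {(client, dest): (median_interval_seconds, cv)} for client/destination
    pairs whose inter-connection intervals are regular.

    cv is the coefficient of variation (stdev / mean) of the intervals. A timer-driven
    beacon gives a cv near zero regardless of whether it fires every 5 minutes or every
    60 days; human browsing gives a cv well above 1.
    """
    seen = defaultdict(list)
    for when, client, dest in parse_log(text):
        seen[(client, dest)].append(when)

    candidates = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            candidates[key] = (statistics.median(gaps), round(cv, 4))
    return candidates


if __name__ == "__main__":
    for (client, dest), (period, cv) in beacon_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: every {period / 86400:.1f} days (cv={cv})")
```

Two practical points follow from the sample data. The 60-day beacon only shows up because the log covers more than half a year; a lookback shorter than the beacon period can never see the pattern, so log retention has to be measured in months for this class of attacker. And the CDN poller is flagged too: regularity is a triage signal, not a verdict, so known update and monitoring infrastructure is allow-listed after a first review rather than suppressed up front.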

Elimination
How do you get rid of it after you first detect it?
– Or after you have had a tip-off that you might have a problem
– You may get a tip-off from…

Whack-a-mole?
– Very dynamic: lots of IT folks doing stuff
– But dangerous and not very effective
– The attackers will notice
– They will change their attack approach
– They will remain in your estate

Structured approach
You will probably need help with some of this. Who you gonna call?
– Competent
– Capable
– Trusted
Much less fun, much harder work, much more effective:
– Detect/locate
– Prepare/understand
– Disconnect
– Eliminate
– Protect
– Future processes
– Re-connect
– The new normal

Detection
– Log file analysis
  – DNS, DHCP, VPN, firewall, IDS/IPS, proxy, AV
– Network analysis
  – Packet capture and analysis, network sensors
– Host capability
  – Process maps, memory maps, file structures, registry contents, file contents
– Roughly one third / one third / one third of detections came from each
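DHCP sits in that log list for a reason that is easy to overlook: proxy, firewall and IDS logs identify a client by IP address, and on a DHCP estate the same address belongs to different machines on different days. The following is an added example (not from the presentation) of the correlation step a responder does before acting on a suspicious proxy hit: rebuild the lease history for the address and ask which machine held it at the time of the event. The DHCP event format, addresses and hostnames are constructed for the example; real DHCP server logs differ in layout but carry the same fields.

```python
"""Attribute an IP-address-at-a-time to a host from DHCP lease events (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed DHCP event log in an assumed, simplified format:
#   "<ISO timestamp> <LEASE|RELEASE> <ip> <mac> <hostname>"
# The same address is used by a finance laptop on the 3rd and an engineering
# workstation on the 4th.
SAMPLE_DHCP = """\
2014-07-03T07:58:10Z LEASE   10.1.4.17 00:16:3e:aa:01:01 LAPTOP-FINANCE-07
2014-07-03T17:02:44Z RELEASE 10.1.4.17 00:16:3e:aa:01:01 LAPTOP-FINANCE-07
2014-07-04T02:41:30Z LEASE   10.1.4.17 00:16:3e:bb:02:02 ENG-WS-113
2014-07-04T18:15:09Z RELEASE 10.1.4.17 00:16:3e:bb:02:02 ENG-WS-113
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_lease_table(text):
    """Return {ip: [(start, end_or_None, mac, hostname), ...]} sorted by start.

    A LEASE with no later RELEASE is treated as still active (end=None).
    """
    table = defaultdict(list)
    open_leases = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, ip, mac, host = line.split()
        when = _ts(ts)
        if event == "LEASE":
            open_leases[ip] = (when, mac, host)
        elif event == "RELEASE" and ip in open_leases:
            start, lease_mac, lease_host = open_leases.pop(ip)
            table[ip].append((start, when, lease_mac, lease_host))
    for ip, (start, mac, host) in open_leases.items():
        table[ip].append((start, None, mac, host))
    for leases in table.values():
        leases.sort(key=lambda lease: lease[0])
    return dict(table)


def host_at(table, ip, timestamp):
    """Return (mac, hostname) that held `ip` at `timestamp`, or None.

    None means no lease covers that moment: a static address, an unmanaged or
    rogue device, or a gap in the log. That is a finding to investigate, not a
    reason to guess from the nearest lease.
    """
    when = _ts(timestamp)
    for start, end, mac, host in table.get(ip, []):
        if start <= when and (end is None or when < end):
            return mac, host
    return None


if __name__ == "__main__":
    leases = build_lease_table(SAMPLE_DHCP)
    # The suspicious proxy hit from 10.1.4.17 at 03:14 on the 4th belongs to ENG-WS-113,
    # not to the finance laptop that held the same address the day before.
    print(host_at(leases, "10.1.4.17", "2014-07-04T03:14:11Z"))
    print(host_at(leases, "10.1.4.17", "2014-07-03T20:00:00Z"))  # None: no lease at that time
```

The same table answers the reverse question during scoping (which addresses has a known-compromised MAC held over the past months), which is what turns one proxy alert into the list of log sources to pull for that host.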

Prepare/understand
Do you know your estate?
– Network connections
– Password policies
– Password and application interactions
Understand how the malware works:
– Command and control
– How it persists
– How it moves / how it is moved

Structured approach (progress so far)
– Detect/locate (done)
– Prepare/understand (done)
– Disconnect
– Eliminate
– Protect
– Future processes
– Re-connect
– New normal

New normal
– They will re-attack
– They will get in
– Your processes have to:
  – Detect
  – Investigate
  – Eliminate
  – Adapt

The human element
– Groups
  – Developers
  – Doers
  – Follow-up
– Below the radar
  – Working patterns
  – Comms patterns
– Multiple groups?
  – Probably
  – May not always be aware of each other

They are only human
Oops!
– Human script followers
  – Identifiable "keyboard drivers" (interactive operators)
  – Typos
  – Mistakes
  – Repeated commands
  – May not be sure of where they are
– Sometimes careless or sloppy
  – Compressed archives (staged data) not fully deleted
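The last point above is one of the more reliable host-side artefacts: data is collected into an archive before it leaves, and the archive is sometimes left behind, often renamed to an innocuous extension. The following is an added example (not code from the presentation) of a sweep that identifies archives by their file header rather than their name, and reports only the ones whose extension does not match what the header says they are. That mismatch test matters because Office documents and JARs are ZIP containers, so "every file that starts with PK" would drown the analyst in legitimate hits. The directory tree is constructed by the example itself; the magic-byte signatures are the standard ones for ZIP, RAR, 7-Zip and gzip.

```python
"""Find renamed archives left behind in a directory tree (added example, constructed tree)."""
import os
import tempfile

# Leading bytes of common archive formats.
ARCHIVE_MAGIC = {
    "zip": b"PK\x03\x04",
    "rar": b"Rar!\x1a\x07",        # RAR4 (...\x00) and RAR5 (...\x01\x00) share this prefix
    "7z": b"7z\xbc\xaf\x27\x1c",
    "gzip": b"\x1f\x8b",
}

# Extensions under which each container type legitimately appears.
EXPECTED_EXT = {
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk", ".odt"},
    "rar": {".rar"},
    "7z": {".7z"},
    "gzip": {".gz", ".tgz"},
}


def archive_type(path):
    """Return the archive type named by the file header, or None."""
    with open(path, "rb") as f:
        head = f.read(8)
    for name, magic in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def find_staged_archives(root):
    """Return sorted [(relative_path, type)] for files whose header says
    "archive" but whose extension says otherwise."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = archive_type(full)
            if kind is None:
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext not in EXPECTED_EXT[kind]:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, kind))
    return sorted(hits)


def build_sample_tree():
    """Construct a small tree under a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="staging-demo-")
    samples = {
        "Temp/report.tmp": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32,    # RAR5 renamed to .tmp
        "Temp/~DF3A.dat": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 32,        # 7z renamed to look like a temp file
        "Temp/notes.txt": b"quarterly numbers\n",                      # plain text
        "Documents/budget.docx": b"PK\x03\x04" + b"\x00" * 32,         # ZIP container, expected for .docx
        "Pictures/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,      # JPEG, not an archive
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for rel, kind in find_staged_archives(build_sample_tree()):
        print(f"{rel}: {kind} archive with a non-archive extension")
```

On a real host the sweep is pointed at user temp directories, the recycle bin, ProgramData and any world-writable path, and a hit is followed by a look at the archive's listing and timestamps, which frequently give the collection time and the operator's working hours mentioned on the earlier slide.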

The attack surface
– Microsoft / Adobe / Java
  – Because they are the most popular platforms: "I rob banks 'cause that's where the money is"
– Patching and the role it can play…

The products that fix the problem
– Unfortunately, none
– This needs a structured approach to robust monitoring, and a number of products to help manage the risk
– An approach based on
  – People, at all levels of the organisation
  – Process
  – Technology
– In that order of priority

The approach that handles the problem
This is about our approach, but others have similar ones.
– SOC: multi-geography, 24*365
– Evolution of tools
  – Externally sourced
  – Internally sourced
– Evolution of people skills
  – Better understanding of the subject
  – Better analysis skills

Tools
– Log consolidation and analysis
  – DHCP, DNS, proxy, firewall, IDS, VPN, etc.
– Network traffic monitoring and analysis
– Host data capture
  – To aid in incident identification
  – To aid in incident investigation

Tool effectiveness (share of detections: log / network / host)
– Initially: 34% / 33% / 33%
– Now: 65% / 30% / 5%
– Future? 45%? / 50%? / 5%?

The approach takes time

Summary
– Bad folks are doing bad stuff very well
– They see it as a huge commercial benefit
– We need to get better at detecting, eliminating and protecting
– It can be done, but it must be done in a structured and on-going fashion to be effective
– It is an evolving threat, so there are no "fit and forget" solutions

Remember, you may have to…
– Detect/locate
– Prepare/understand
– Disconnect
– Eliminate
– Protect
– Future processes
– Re-connect
– New normal

Difficult truths
– Safe harbours will continue to exist
– Traditional prevention and detection has failed
– Governments cannot prevent intrusions
– Data loss is inevitable
– Attacks will continue
– Companies are often breached for years

Additional reading
– Write-up from RSA on the threat and what can be done to help reduce the risk and the impact

Any questions?