Speaker Training for ISTR19
Transcript
Adversary Defense:
Past, Present, Future
Presenter’s Name Here
Presenter’s Title Here
Is compromise inevitable?
It's going to happen: offense is cheaper and easier than defense. Compromise is no longer a question of if, but when.
Detection takes too long: 229 is the average number of days to discover a breach.
Not enough skills: 70% of organizations lack the staff to counter cyber security threats.
Response times impact the business: average response times are weeks to months.
Adversary Defense: Past, Present, Future
"By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2013."
- Gartner
Are all "Incidents" the same?
• Public Data Breach
• Suspected Compromise
• Malware Outbreaks & Employee Investigations
Proactive or Reactive?
Crisis Mode
• Experiencing a security incident
• Internal teams unable to address the issue at hand
• Pressure to resolve the incident quickly
• Need to address legal/compliance reporting requirements post-incident
• Currently battling an incident and need extra help
• Media coverage of the breach
Elevated Concern
• Realization that gaps in security may have led to an undetected breach
• An industry peer suffered a breach and they want to know if they have been impacted
• A new security alert or intelligence causes concern and the customer has no way to determine if they might be impacted
Proactive Planning
• Looking to turn plans into optimized programs
• Looking for ways to improve or augment internal IR capabilities
• Want to pre-negotiate terms and rates for faster action when 3rd party help is needed
• Have a regulatory or legal requirement to have a 3rd party IR team on retainer
Security Intelligence
Chart: threat intelligence services plotted by reliability (vertical axis, up to a high degree of certainty) against planning horizon (horizontal axis, from Immediate to Long Term). Regions labelled: Informed Judgment, Operational Intelligence, Strategic Intelligence, Network Traffic Feed and Snake Oil.
Source: Gartner Research, How to Select a Threat Intelligence Service
Capabilities
Content Consumption: Adversary Intelligence, Directed Research, Subscription
Tracked entities:
• Adversary: Actor, Group
• TTP: Actions, Resources
• Campaigns: Victims, Trends
• Incidents: Indicators, Intent
• Attack Vector: Vulnerabilities, Exploits
• Targets: Industry, Geography
Stages: Collection, Processing, Analysis, Production
Sources: Telemetry, Data Warehouse Mining, Social Network Mining, Underground Forums, Open Source Monitoring, Information Sharing, Technical Analysis
Incident Response Today
• Un-prioritized Alerts
• Manual IR Call Trees
• Triage Begins
• External Response Team Called
• Delays in Ramp-up
• Manual Correlation of Evidence
Incident Response Tomorrow
• Prioritized/Correlated Alerts
• Automated Triage Workflow
• Collaborative Triage
• Real-time Updates
• Collaborative Response
• Clear Line of Sight
Benefits:
1. Improve Response Times
2. Lower Response Costs
3. Improve Response Effectiveness
4. Enable Continuous Improvement
Adversary Techniques
+91% increase in targeted attack campaigns from 2012 to 2013
Spear Phishing
Spear Phishing with an Attachment
• More than 50 percent of email attachments used in spear phishing attacks were executable files in 2013.
Risk of Being Targeted by Job Role
Chart: Risk of Job Role Impact by Targeted Attack Sent by Spear-Phishing Email (Source: Symantec). Risk bands: High, Medium, Low. Roles plotted, in the order shown: Personal Assistant (Executive Assistant), Media, Senior Management, Sales, C-Level, Recruitment, R&D.
Targeted Attack Campaigns
                              2011      2012      2013
Campaigns                      165       408       779
Recipients per Campaign         61       111        23
Email per Campaign              78       122        29
Duration of Campaign        4 days    3 days  8.3 days
Targeted Organization by Size
Chart: Spear Phishing Attacks by Size of Targeted Organization, 2011 - 2013 (Source: Symantec). Size bands plotted: 1 to 250, 251 to 500, 501 to 1,000, 1,001 to 1,500, 1,501 to 2,500 and 2,501+ employees. Organizations with 2,501+ employees received 50% of attacks in 2011, 50% in 2012 and 39% in 2013; organizations with 1 to 250 employees received 18% in 2011, 31% in 2012 and 30% in 2013.
The Dragonfly group
• In operation since at least 2011
• Appear to be operating in the UTC +4 time zone, suggesting a base of operations working in the Moscow, Russia time zone
• Initially targeted defense and aviation companies in and Canada
• Shifted focus to US and European energy firms in ea
• Likely to either be state sponsored or corporate sponsored (given the type of victims targeted)
• Involvement with the Russian crime scene/forums (conf
  – Backdoor.Oldrea
  – Trojan.Karagany
• Data theft
Dragonfly Group - Attack Methods
• Spear Phishing: send an email to a person of interest
• Watering Hole Attack: infect a website and lie in wait for them
• Trojanized Update: infect a software update that the victim downloads
Dragonfly Malware Threats
Backdoor.Oldrea (a.k.a. Havex, Energetic Bear RAT)
• Custom malware
• Used in the majority of attacks
• Acts as a backdoor for the attackers
• Features include collecting system information and the Outlook address book
Trojan.Karagany
• Built from leaked source code that was sold in the underground market and leaked in 2010
• Modified by the Dragonfly team
• Features include collecting passwords, taking screenshots and cataloging documents
Symantec Antivirus detections: Backdoor.Oldrea, Trojan.Karagany
Dragonfly Exploit Kits
Lightsout Exploit Kit
• Uses Java and IE exploits
• An injected iframe link sends the victim to a website hosting malware
Hello Exploit Kit
• Uses JavaScript to fingerprint the system and determine the best exploit
Intrusion Prevention Signatures
• Web Attack: Lightsout Exploit Kit
• Web Attack: Lightsout Toolkit Website 4
Cyber Security Services
Inform: Adversary Intelligence / Data Feeds / Directed Research
Prepare: Attack Readiness Assessment, IR Plan Assessment, IR Program Development, TableTop Exercises, Cyber Exercises and Simulation
Detect: Data Collection, Correlation, Analysis, Monitoring Services, Alerting Services
Respond: Incident Investigation, Incident Containment, Incident Recovery, Lessons Learned
Thank you!
symantec.com/threatreport
http://www.symantec.com/managed-security-services
http://go.symantec.com/incidentresponse
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in
the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied,
are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.