Real-time Threat Intelligence For Detecting Targeted Attacks
•Télécharger en tant que PPTX, PDF•
1 j'aime•1,447 vues
WARD PERRY, Deployment Manager, TAP, FireEye and DAVE DAVIS, Senior Manager, TAP Customer, Enablement, FireEye, at the European IRM Summit 2014.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (16)
Similaire à Real-time Threat Intelligence For Detecting Targeted Attacks
Similaire à Real-time Threat Intelligence For Detecting Targeted Attacks (20)
Plus de ForgeRock
Plus de ForgeRock (20)
Dernier
Dernier (20)
Real-time Threat Intelligence For Detecting Targeted Attacks
- 1. Real-time Threat Intelligence For 1 Copyright © 2014, FireEye, Inc. All rights reserved. Trusted Relationships VERSION 1.0 November 5, 2014 Dave Davis Ward Perry
- 2. We Live the Headlines 2 Copyright © 2014, FireEye, Inc. All rights reserved. LivingSocial Hack Exposes Data for 50 Million Customers 2 - New York Times, April 2013 NASDAQ Confirms a Breach in Network - Wall Street Journal, Feb 2011 Target Corp. was hit by an extensive theft of its customers' credit-card and debit-card data – Wall Street Journal, December 2013 RSA Faces Angry Users After Breach - New York Times, June 2011 Evernote Says Cyber Breach Which Cost Millions Wasn't From China -- BusinessWeek, May 2013 Fed Acknowledges Cybersecurity Breach - Wall St. Journal, Feb 2013 The European Central Bank's website has been hacked and personal information has been stolen by a cybercriminal. -ZDNet, July 2014
- 3. One Question To Ask Yourself Are You Compromised? 3 Copyright © 2014, FireEye, Inc. All rights reserved. 3
- 4. Terms Threat Actor – An individual or organization which conducts cyber attacks Targeted Attack – An attack on a specific individual, company, industry or software. IOC - Indicators of Compromise. Specific artifacts left by an intrusion, sets of information that allow for the detection of intrusions or other activities conducted by attackers. C2 – Command and Control. Infrastructure attackers use to initiate or maintain persistence in a compromised network. APT – Advanced Persistent Threat. A threat actor with the ability to carry out a sustained attack against a target, typically with the mission of financial gain, political advantage, terrorism, or publicity. 4 Copyright © 2014, FireEye, Inc. All rights reserved.
- 5. All Threat Actors Are Not Equal 5 Copyright © 2014, FireEye, Inc. All rights reserved. 5 Economic Espionage Organized Crime Nuisance Threats Hacktivists Objective Example Targeted Persistent Launch Points & Nuisance Economic Advantage Financial Gain Defamation, Press & Policy Botnets & Spam Advanced Persistent Threat Credit Card Theft Anonymous & Lulzsec Attacks which are targeted and persistent pose the greatest challenge and the greatest risk.
- 6. Targeted Attacks Routinely Bypass Preventive Defenses Commodity Threats 6 Copyright © 2014, FireEye, Inc. All rights reserved. Worms & Bots Advanced Persistent Threat (APT) Advanced Targeted Attacks 100% Of Victims Had Up-To-Date Anti-Virus Signatures 67% Of Companies Learned They Were Breached from an External Entity 46% Of Compromised Systems Had No Malware on Them 100% Of Breaches Involved Use of Stolen Credentials
- 7. The Statistics 7 Copyright © 2014, FireEye, Inc. All rights reserved. 7
- 8. Anatomy of a Targeted Attack Initial Compromise Establish Foothold Escalate Privileges Internal Recon Complete Mission Of all of the compromised machines Mandiant identified in the last year, only 54% had malware on them. 8 Copyright © 2014, FireEye, Inc. All rights reserved. 8 While attackers use malware to gain an initial foothold, they quickly move to other tactics to execute their attacks EVIDENCE OF COMPROMISE Move Laterally Maintain Presence Unauthorized Use of Valid Accounts Known & Unknown Malware Command & Control Activity Suspicious Network Traffic Files Accessed by Attackers Valid Programs Used for Evil Purposes Trace Evidence & Partial Files
- 9. Now What? People: Security experts to use the tools to analyze the data Process: Pulling the data together for analysis Technology: Products that enable data analysis Technology 9 Copyright © 2014, FireEye, Inc. All rights reserved. Process People
- 10. Event Data as Evidence Layer: Perimeter – Internet & Extranet Logs: connection, bytes, duration Examples: Firewall, Proxy, VPN 10 Copyright © 2014, FireEye, Inc. All rights reserved. Layer: Host Logs: Authentication, processes Examples: Win Events, AD Layer: Applications Logs: Access, Errors, transactions Examples: IIS, database, email Layer: Data Logs: Authorization, Activity, Audit Examples: File Auditing, DLP, HIDS What is the value to an Incident Responder? Perimeter: Proof of connectivity, policy violations, unauthorized access attempts Host: Confirm the compromise, identify post exploit activity. Application: Confirm the compromise, identify post exploit activity. Data: What are they after? Was the attack successful?
- 11. Detecting Evil In Event Data Rules • Expert knowledge expressed through tools • Updated based on latest FireEye incident response work, headlines • Detects non-malware attacker methodology as well as malware family behavior Analytics • Detects previously 11 Copyright © 2014, FireEye, Inc. All rights reserved. unknown attacker behavior • Focused on non-malware activity: e.g., lateral movement & exfiltration • Drives visualizations and explorations of your event data Indicators • Simple facts about known-bad behavior • Collected via multiple proprietary methods—no purchased indicators • Domains, IP addresses, email addresses, MD5 hashes
- 12. Using Identity Data to Find Anomalous Behavior 12 Copyright © 2014, FireEye, Inc. All rights reserved. 12
- 13. Threat Intel and IRM – Pulling It Together Prevention will eventually fail Start integrating data sources Invest in IRM technology Ensure technology teams are trained, enabled and aligned 13 Copyright © 2014, FireEye, Inc. All rights reserved.
Notes de l'éditeur
- Key Points: Mandiant is on the front lines of the largest computer security breaches you read in the headlines every day. Note: The only companies that have publicly stated that they have hired Mandiant for incident response are Evernote, New York Times, Schnucks, WTOP and the State of South Carolina.
- Key Points: Companies routinely perform vulnerability tests to determine if attackers could get through their preventive defenses. All it takes is reading the headlines to think that might not be the right question. A better question – maybe the most important question – to ask yourself is “Are You Compromised?” Are the attackers already in your systems. If you were to boil it down to one question that Mandiant answers this is it: Are you compromised? And what is the material impact of that compromise?”
- APT: Is a “who” not a “what” – Human(s) at a keyboard Targets selected after research/recon Highly tailored and customized attacks Effective at bypassing preventive controls They are Professional, Organized & Well Funded… Often well-funded and organized Division of labor for different stages of attack Utilize change management processes Escalate sophistication of tactics as needed If You Kick Them Out They Will Return Specific targets mean a desire to return Long-term occupation one of the goals Persistence tools ensure ongoing access Relentlessly focused on objectives over time
- Key Points: All threat actors are not equivalent. Two types of threat actors that pose the greatest risk to organization are those focused on economic espionage, such as the APT, and those focused on financial gain such as organized crime. These two threat actors pose unique risks because they are not just targeted but persistent. They entrench themselves for months or years and when you kick them out they try to come back. Oftentimes the volume of alerts generated by the nuisance threats makes it hard for organizations to identify the riskiest threats.
- 229 days before the hacker was known 2,287 days was the longest presence identified in 2013 Ponemon cost of a breach in 2013 study was $188 per record and the average breach was 28,765 records. They eliminated all breaches of greater than 100,000 records for their study.
- Mention joint venture and/or acquisitions of Chinese companies
- Key Points: One thing that’s important to understand is that malware is only used at the beginning of the attack and as the attacker moves laterally. In fact, when you look at all of the compromised machines Mandiant investigated last year only 54% of them had malware on them. To effectively detect and scope the impact of a threat you need to be able to find all of the evidence of compromise – not just malware.
- Defense in Depth will slow the determined attacker, but Logging in Depth provides your Incident Responders the capability to quickly identify and respond to attacks. BullsEye = logging approach = ESM strategy Perimeter – ACCEPTS and deny Host – Need auth, but also ACTIVITY – process creation, cmd line commands, sysmon tool Application – auth, activity, error codes, transaction logs Data – File integrity monitoring, AV & Whitelist can provide MD5’s Value to IR: Perimeter: match Threat Intel to IP’s and domains of known evil Host: account / process creation – priv escalate – hash dump Application – exploit (web logs = SQLi) – web shells, or post exploit Threat Intel – URI’s, Email sender/subjects Data – access logs from HVA’s – what are they after? Was it successful? Threat Intel = MD5
- Prepare – Are the right devices available? Generating the right logs to find evil? Are the logs retained for IR? Have a plan. Right people authorized, trained, with IR Workplans