As quickly as we learn to detect new threats, the threats change — like a game of Whack-a-Mole happening at an ever-increasing pace.
A new survey by the SANS Institute focuses on providing valuable intelligence into the types of threats most severely impacting organizations like yours, and how those threats are evolving.
In this webcast, Lee Neely, who teaches cyber security courses for SANS, Mark Butler, Chief Information Security Officer at Qualys, and other survey sponsors discuss what threat actors are currently up to and how they’re getting around existing defenses, so that you can anticipate attacks and get ahead of the attackers.
Key trends discussed include:
• Primary vectors attackers enter through
• Methods attackers use most effectively as part of their layered attacks
• Impacts of breaches and how to remediate
• Best places to apply defenses
• Lessons learned by those who have been breached
Watch the on-demand webcast: https://www.sans.org/webcasts/105430
Download the complete report: https://goo.gl/rP4KEs
3. from the most trusted name in information security
SANS 2017 Threat Landscape Survey
Security Whack-a-Mole: Users On the Front Line
4. Threats Seen with Significant Impact
Most seen:
• Phishing
• Spyware
• Ransomware
• Trojans
Significant:
• Phishing
• Ransomware
• DDoS*
• APT
5. Malware-less with Significant Impact
Most seen:
• Scripting attacks
• Compromised creds
• Process exploits
Significant:
• Compromised creds
• Scripting attacks
• Process exploits
• Malicious binaries
[Chart: "What type of malware-less threats have you just seen in your organization or which you have seen and had the most significant impact? If you have not encountered malware-less threats, please skip this question." Series: Just Seen; Seen and Significant Impact. Categories: Credential compromise or privilege escalation; Scripting attacks (PowerShell, …); Process exploit (in a browser); Malicious binaries; HTTPS downgrade of encrypted connection; Lateral movement from other devices; Hidden registries; Process exploit of other services; Memory-based (file-less) attacks; Writing binary to disk; Other. Y axis 0%–50%.]
6. What Defines Significant?
• Availability (DoS)
• Cost to respond
• Loss of sensitive data
• Damage to brand/rep
• Financial loss
[Chart: "What were the top three reasons you consider this incident to be the most significant?" Series: First; Second; Third. Categories: Impact on availability; Cost to respond and recover; Loss of sensitive data; Damage to brand or reputation; Financial loss to the organization; Triggered investment in new tools or…; Other. Y axis 0%–60%.]
7. Impact? What Impact?
Nuisance 59%, DoS 27%, System damage 26%
[Chart: "What damages resulted from discovered threats? Select all that apply." Categories (X axis 0%–60%): Nuisance; Denial of service; System damage; Data destruction, including loss of data integrity; Customer financial data loss; Loss of personal identifying information (PII; Social Security…); Other; Corporate financial accounts breached or drained; Payments made as result of ransomware; Loss of intellectual property (IP) or other business-related sensitive….]
8. Zero-Day Threats
[Pie chart: "How many of your significant threats were previously “unknown” threats or zero days?" Answer bands: None; 1–5%; 6–10%; 11–25%; 26–50%; 51–75%; 76–99%; 100%. Slice values in extraction order: 42.2%, 24.0%, 9.3%, 8.9%, 5.8%, 3.5%, 3.9%, 2.3% (the band each value belongs to is not preserved).]
9. Surprising Threats
• Ransomware
• Phishing
• Targeted attacks
• DNS poisoning
• Malware on air-gapped laptops
• Persistent malware
• Accidental DDoS
• SSO exploitation
• Mobile inside attack
10. Threat Vectors Used
Email 74%, Browser 48%, Application 30%, Web server 26%, USB Media 26%
[Chart: "What vector(s) did these threats take to enter your organization? Select those that most apply." Categories (X axis 0%–80%): Email attachment or link; Web-based drive-by or download; Application vulnerability on user endpoints; Web server or web application vulnerability; Removable storage device (USB); User endpoint misconfiguration or configuration not up to date; Server-side vulnerabilities; Remote access service (VPN, RDP) compromise; Third-party vendor or contractor connection; Firewall/IDS/UTM misconfiguration or weakness; DNS vulnerability; Cloud application or connection; IoT device; ICS system; Other.]
11. Discovery Versus Remediation
Within 24 hours: 72% detected, 63% remediated
[Chart: "On average, how much time do you estimate it took to discover the threats that actually became incidents? How long was it from discovery until you considered remediation complete? Please check both columns as they apply." Series: Discovery; Remediation. Time bands: Unknown; < 1 hour; 1–5 hours; 6–24 hours; 2–7 days; 8–30 days; 1–3 months; 4–6 months; 7–12 months. Y axis 0%–35%.]
12. How Are Threats Revealed?
Detection/Discovery:
• 42% Network monitoring
• 37% UTM/IDS
• 37% Help desk calls
• 37% SIEM
• 34% Log review
Help Desk Calls:
[Chart: "How many calls per week does your help desk field that are investigated as threats? How many calls actually represented actual incidents?" Series: Possible Threat; Actual Threat. Bands: Fewer than 10; 10 to 15; 16 to 20; 21 to 50; More than 50. Y axis 0%–90%.]
13. False Positives = Lost Resources
[Pie chart: "How many threats that you followed up on could be considered “false positives” that don’t apply to your organization?" Answer bands: None; 1–5%; 6–10%; 11–25%; 26–50%; 51–75%; 76–99%; 100%. Slice values in extraction order: 15.8%, 24.9%, 19.4%, 17.4%, 11.5%, 6.3%, 3.6%, 1.2% (the band each value belongs to is not preserved).]
14. Determine Scope
[Chart: "What tools or services do you find most helpful in accurately determining the scope of these events? Please select those that most apply." Series: Tools; Both; Services. Categories: Log management; Forensics or incident response tools or platform; SIEM; Threat intelligence; Security analytics platform; Third-party incident response service; Threat hunting; Other. Y axis 0%–80%.]
15. How Organizations Are Remediating
Option (share of respondents using it):
• Reimage/Restore compromised machines from gold baseline image: 77.5%
• Isolate infected machines from the network while remediation is performed: 78.4%
• Shut down system and take it offline: 68.8%
• Quarantine affected hosts: 68.8%
• Block command and control to malicious IP addresses: 65.6%
• Update policies and rules based on IOC findings and lessons learned: 57.8%
• Remove rogue files: 58.7%
• Identify similar systems that are affected: 57.8%
• Kill rogue processes: 50.0%
• Remove file and registry keys related to the compromise without rebuilding or reinstalling the entire machine: 43.1%
• Reboot system to recovery media: 38.5%
• Boot from removable media and repair system remotely: 36.2%
• Remotely deploy custom content or signatures from security vendor: 44.5%
• Other: 10.1%
Frequency of Remediation: 36% Weekly, 19% Monthly, 18% Daily
16. Ability to Respond
Overall confidence in meeting challenges (challenge: confidence):
• Respond to significant threats on the network and endpoints: 90%
• Detect significant threats occurring on your network and endpoints: 82%
• Intercept threats before they cause damage on your network and endpoints: 74%
• Remove all artifacts of significant threats on network and endpoints: 73%
• Detect zero days/unknown threats that could impact your organization: 48%
17. Prevention & Challenges
Prevention: Train Users, Improve OpSec, Better Net/Endpoint Visibility
[Chart: "What challenges do you face in protecting against threats in your enterprise? Select all that apply." Categories: Filtering out too much noise or false-positive activity; Distinguishing real, high-impact threats; Collecting the appropriate threat detection data; Lack of skills and budget for protecting against threats; Establishing an appropriate baseline that defines normal; Finding new unknown threats our current security infrastructure doesn’t have…; Visibility into threats across multiple systems and threat actions; Inability to fully deploy new protections for known risks before a breach; Inability to scope threat effects once we discover the threat; Other. Y axis 0%–60%.]
18. Improvements: Investments
User Training, OpSec, Staff Training, Existing Technology Use
[Chart: "In the next 18 months, in what area do you intend to make a major investment to protect, detect and respond to threats in your environment?" Categories (X axis 0%–25%): Train our users to be more aware; Improve our operational security practices (e.g., timely…; Invest in training our staff in existing or new skills, such…; Improve our use of existing network security and…; Invest in new endpoint security and detection…; Invest in new network security and detection technology; Improve our use of existing endpoint security and…; Improve visibility into network and endpoint behavior for…; Improve our approach to secure development; Other; Improve our application security processes.]
19. Endpoints on the Front Line
• 74% of respondents named clicking a link or opening an attachment in an email as the top ways threats enter the organization, and 48% named web drive-by or download, both of which involve user intervention
• 21% identified awareness training for users as the top mitigation effort they intend to invest in over the next 18 months
• 81% see endpoint security tools as the most helpful for threat detection
• 81% noted log management tools and services were helpful in determining threat scope
20. Conclusions
• Few new weaknesses
• Zero-day threats exploit same old weaknesses
• Endpoints are the primary target
• User training
• Time to turn on its head
• Operational procedures
• Need to clean up
• Supporting technology needed
• Operations, Users and Endpoints
22. Significance of Unknown Threats (Cylance: Achieve a State of Prevention)
58% of respondents had some significant threats within their environment that were previously unknown.
Traditional security approach is no match for today’s dynamic threat landscape:
• It only takes one small change to an existing threat to make static signature-based detection useless
• Relying on static detection techniques is highly ineffective, especially with unknown threats
• Organizations need security products capable of detecting unknown threats prior to detonation
23. Challenges Faced in Protecting Against Threats
60% indicated a key challenge is finding the unknown threats where their current security infrastructure doesn’t have signatures.
Big data means big problems for security products:
• Vast amounts of security data generated daily, much of which is irrelevant
• Redundant events from different security products drive down the efficiency of security analysts
• With the expertise shortage, organizations need security tools that reduce the noise, introduce automation, and make security analysts more efficient
24. The Impact of Discovered Threats
Top impacts: Impact on availability; Cost to respond & recover; Loss of sensitive data
The long tail of security incidents:
• Recovering from successful breaches and compromises impacts employee effectiveness
• Imaging of drives, overtime, or contracting outside help to recover makes incident response costs explode
• Losing customer data will result in fines, added scrutiny from regulators, as well as impact on brand perception
25. Are We Looking in the Wrong Direction?
51% not confident detecting unknown threats
Demand the following from vendors:
• First and foremost, focus on preventing threats from impacting business, pre-execution
• Provide capabilities to uncover and prevent unknown threats in real time
• Deliver consistent visibility across endpoints to enable easy threat hunting and fast incident response
• Security should be silent on the endpoint with low system resource use so as not to disrupt business
26. Robert H. Leong | McAfee Labs / OCTO | June 2017 | McAfee Company Confidential, Copyright 2017
Security Whack-a-Mole Threat Landscape Survey: How are attackers getting past defenses and what can we do about it?
Robert H. Leong | Director, Product Management, McAfee Labs, Office of the CTO
Version 1.4RC2
27. Why Is Whack-a-Mole Occurring?
[Figure: attacker categories shown as Recreational / Vandals; Cybercriminals / Organized Crime; Hacktivism / Reputation Attacks; State Sponsored Cyberespionage; Cyberattacks. Sources: McAfee Labs/OCTO 2017]
28. What “Moles” Are Getting In, and How Do We Know That?
What are the underlying methods used by these threats?
• Malware will change disguises on every PC
• Malware can see the sandbox
• Malware ‘piggybacks’ behind clean applications
• Malware will misuse clean applications
• Malware uses “file-less” methods
McAfee Labs Threat Research:
• 44.5 B queries/day to Labs’ GTI
• Detects 316 threats per minute, 5 per second
• 250 threat researchers worldwide
• 300+ million sensors globally
• Over 15 billion lines of telemetry per day
• 1.2 million files analyzed per day
• 750,000 URLs analyzed per day
• 300,000 files analyzed in a sandbox per day
SANS 2017 Threat Landscape Survey, methods attackers use most effectively as part of their layered attacks:
• 40% of respondents said phishing was the top perceived threat (including spear-phishing and whaling)
• 20% identified ransomware
• 11% chose DDoS
• 11% chose APT
29. Layered Security: Attacks Must Pass Layers – Layers Speak to Each Other
[Figure: seven layers, Layer 0 through Layer 6, each asking of an object: What did you see? Should other layers know about it or do something about it?]
Questions the layers ask about an object:
• “Have we or anyone else seen this before? How often? How long? Did it do anything bad worldwide?”
• “Have we run this thing before? Do we know if this is clean or dirty based on what it did then? If we put it in a fake room and let it run right now, does it do anything bad?”
• “Do the fingerprints match any dirty objects? Does the way it looks match any dirty objects? Do its relationships reveal anything bad?”
• “If this thing is still suspicious, what should we prevent it from doing? Is it performing bad behaviors right now? When we unmask its blueprints, does it imply bad behavior?”
• “If we put it in a fake room and let it run, does it do anything bad? Has anyone else put it in a fake room and let it run? Did they find anything out?”
• “Looking at what happened as the object came in to our house, did it do anything suspicious or bad? Did it follow a suspicious path or do something weird across our networks to get to us? Did a lot of suspicious activities occur?”
• “If we look at the overall activity of suspicious stuff on the network, then do we see an attack pattern? Can we figure out what’s bad and then fix it?”
Successful “Whack-a-Mole” Defenses
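A toy version of this layered model, as an added example and not code from the deck or from McAfee: four of the seven layers (reputation, static fingerprint, live behavior, sandbox) share one context, so a verdict reached by any layer is written back and reused when the same object shows up again. The hashes, behavior names and rule sets are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample indicators for the illustration; not real hashes or rules.
KNOWN_BAD_HASHES = {"sha256-known-bad-sample"}
RISKY_BEHAVIORS = {"disable_backups", "encrypt_user_files", "inject_into_process"}

@dataclass
class SharedContext:
    """What the layers tell each other: verdicts and detonation results by hash."""
    reputation: dict = field(default_factory=dict)    # hash -> "clean" / "dirty"
    sandbox_runs: dict = field(default_factory=dict)  # hash -> behaviors seen in the fake room

@dataclass
class Sample:
    sha256: str
    host_behaviors: set         # what it is doing right now on the endpoint
    detonation_behaviors: set   # what it does when run in the sandbox

def layer_reputation(s, ctx):
    # "Have we or anyone else seen this before?" -> reuse an earlier verdict
    return ctx.reputation.get(s.sha256)

def layer_static(s, ctx):
    # "Do the fingerprints match any dirty objects?"
    return "dirty" if s.sha256 in KNOWN_BAD_HASHES else None

def layer_behavior(s, ctx):
    # "Is it performing bad behaviors right now?"
    return "dirty" if s.host_behaviors & RISKY_BEHAVIORS else None

def layer_sandbox(s, ctx):
    # "Has anyone else put it in a fake room?" -> reuse a cached detonation, else run it
    observed = ctx.sandbox_runs.setdefault(s.sha256, s.detonation_behaviors)
    return "dirty" if observed & RISKY_BEHAVIORS else "clean"

LAYERS = [layer_reputation, layer_static, layer_behavior, layer_sandbox]

def evaluate(sample, ctx):
    """Pass the object through the layers in order; the first definite verdict
    wins and is written back to the shared reputation so later layers, and
    later copies of the same object, do not repeat the work."""
    for layer in LAYERS:
        verdict = layer(sample, ctx)
        if verdict is not None:
            ctx.reputation[sample.sha256] = verdict
            return verdict, layer.__name__
    return "unknown", None
```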
30. Whack-a-Mole Success Statistics… Where is the mole usually slowed or stopped?
[Chart: methods listed as Change disguises on every PC; Can see the sandbox; ‘Piggybacks’ behind clean applications; Misuse clean applications; Uses “file-less” methods. Per-method values are not preserved.]
37. Threat Landscape
Endpoint (Prevent & Detect):
• Email & Internet browsing risks = ransomware & file-less malware risks & exposures
• Existing account credential takeover
• Memory-based exploits will increase to avoid detection
Network (Monitor & Restore):
• Traffic pattern analysis / geo filters / bandwidth tuning
• Threat intelligence gaps (lack of context)
• SSL / payload analysis / connection tracking
• DDoS / DNS / circuit protection / resiliency
Identity (Monitor & Recover):
• Account behaviors not tracked over time
• Existing account misuse
• Lack of clearly defined roles / functions / permissions
• Credential management / token / 2FA / one-time use tokens
38. Observations of Qualys Threat Data
• Inadequate patching timing: high-severity vulnerabilities are taking 100+ days to patch/configure/correct
• Exploit and attack patterns are speeding up and taking < 30 days on average (WannaCry was distributed in 26 days)
39. Observations of Qualys Threat Data
The core IT service areas must be improved:
• Risk identification, monitoring critical in-scope assets
• Alert speed, triage accuracy, enabling effective response
• Asset & configuration management / build compliance
• Effective vulnerability remediation over time for real risks targeting individual environments vs. commodity risks
• Network architecture and segmentation gaps
40. Recommendations
• Take time to learn instead of wiping / re-imaging systems quickly
• Track progress on solving root cause issues: system build compliance, administrative access, unapproved software, poor email/internet filters, user security awareness competencies
• Increase data analytics skills and capabilities
• Figure out how to ask the harder questions (Why / Root Cause)
  • What vertical-specific attacks or malware families are seen?
  • Why are the threat patterns occurring? Network attacks to capture health data (ePHI), DDoS attacks to cover up account fraud, POS attacks for capturing CHD, diversion attacks
41. Q & A
Please use GoToWebinar’s Questions tool to submit questions to our panel. Send to “Organizers” and tell us if it’s for a specific panelist.
42. Acknowledgements
Thanks to our sponsors: Cylance, FireEye, McAfee, and Qualys
To our special guests: Chad Skipper, Robert Leong, Sean Murphy, and Mark Butler
And to our attendees, thank you for joining us today!