Today’s business world is online and as such is inherently chock full of cyber risks. Cybercriminals continue to take advantage of system vulnerabilities and social engineering to target personally identifiable information, credit card numbers, trade secrets and more. Although there are hundreds of security solutions, products and consultants that claim to solve and address data breaches, the traditional, tactical approach to security is not working. Evaluated cyber intelligence is trapped in your systems, applications and employees – and making that intelligence easily available and quickly understood can help your organization significantly reduce the cyber risks it faces and improve its business resilience.
This presentation examines how to reduce your cyber risks by unlocking the door to evaluated intelligence. Learn:
• Why the traditional threat intelligence approach is not addressing the problem
• Why it’s not just about adding on more security layers, but shifting your cybersecurity approach
• How to mine both your tactical and strategic cyber data for improved operational intelligence
• How to derive immediate visual insights of relevant trending cyber problems through security analytics
6. … How?
• Add the Strategy Piece: Low-level threat intel is only a small part of the full picture of risk
• Stop Navel-Gazing: An outside and inside view is necessary!
• Start Meerkat-ing: Situational awareness makes every defense operation better
• Make it Mean Something for Everyone: Connect security to business operations
• Enable Sustained Diligence: Both inside and outside of SECOPS
7. Customer Profile
Large Multi-National Manufacturing and Consumer Goods with Deep and Wide Supply Chain
Tech/Security Environment
• Geographically dispersed IT locations
• Lots of data sources, few source types
• Centralized SIEM analysis
• Historical SIEM data storage
• Focus on low-level, internal threat intel
• Static intel reporting and reactive alerting
• No strategic intelligence analysis function
12. Deep-Dive Analysis and Discovery
Architecture diagram: petabytes of data on a Hadoop platform (HDFS analytics). Data sources feeding the platform:
• Network Security Data
• Endpoint Security Data
• Data Center Security Data
• SIEM Log/event Data (30 days)
• IT & Business Data: more data and business context (multi-structured), unlimited data
A complement to SIEM. Security Analyst uses Platfora for investigating incidents:
– User Behavior Analytics
– Network Data Based Analytics
– Device Communication Analytics
– Information Flow Analytics
14. A Typical Data Breach Lasts 243 Days
Attack stages from Day 1 to Day 243:
Recon
• Social Engineering
• Network Layout
Weaponization
• Targeted Malware
Delivery
• Spear Phishing
• Watering Hole Attacks
Exploit / Install
• Lateral Movement
C2C / Exfil
• Command Communication
• Data Exfiltration
Multiple attempts at each stage of the attack
Fingerprint of attack in log files and security events
15. Anunak Gang Targeting Financial Institutions (Financial Institution APT)
Recon
• Government and Banking Partners
• Partnership with Bot Operators
• Search for existing malware already installed in banking environment
Weaponization
• Mimikatz
• MBR Eraser
• SoftPerfect Network Scanner
• Cain and Abel
Delivery
• Spear Phishing Email to Bank Employee
• From Government Email Acct
• Deliver new payload to existing malware
Exploit / Install
• Password of admin user on local machine
• Legitimate access to one server
• Compromise domain admin password from one server
• Gain access to and compromise domain controller accounts
• Gain access to email servers
C2C / Exfil
• Gain access to server and banking system admin workstations
• Install software for monitoring key system operators
• Remote access to servers of interest
16. Technology Organization APT – Source Code Breach
Recon
• Controlling “bounce” machines across the globe
• Social Media/LinkedIn/Usergroups/Support Forums etc.
• Corporate Website/Local Events
Weaponization
• Password Scraping Tools
• NetCat Backdoor
• Remote Access Tools
• Fake Game Download Site
• Other Techniques – Watering Hole Attacks
Delivery
• Targeted Phishing Email
• URL Link to Fake Game Site
• Download of Game – Install backdoor on user machine
• Installing Password Scraping and network scanning tools
Exploit / Install
• Backdoor Trojan Installation
• Network scans for open ports and services
• Connect to multiple fileshares
• Overwrite notepad.exe with malicious backdoor
C2C / Exfil
• Pass the Hash Attack
• VPN Connection from external source to maintain continuous access
• Covert TCP Channel bounced across servers
17. Retail Organization APT – Point of Sale (POS) Breach
Recon
• Store Expansion Information
• Physical scouting of the stores
• Network Scanning
• Detect Open Ports for TCP and UDP. Discover webserver and DNS server
Weaponization
• Wireless LAN Assessment Tool
• MAC Address Detection from SSID
• MAC Address Spoofing
Delivery
• Ping Sweep
• Reverse DNS lookup of Server IP
• Port Scan
• Password Guessing – connect to FTP Server
Exploit / Install
• Network Exploration
• Connection over VPN to FTP servers across network
• Access to Credit Card Data
C2C / Exfil
• Buffer Overflow Attack on Backup Program
• Installation of Sniffer to watch internal traffic
• Port Scan of Server
• SQL Injection on Web Application
• Access to database records of millions of Credit Cards
18. Major Challenges When Detecting Breaches
Attack stages (Recon, Weaponization, Delivery, Exploit / Install, C2C / Exfil) spread across 243 days:
• Difficult to Recognize Sequence of Attacks in Petabytes of Data
• Data Silos Make it Hard to Understand your Critical Business Data
19. Suspicious File Downloaded by UserA – Possible Spear Phishing Attack
Incident Detected in SIEM; Security Analyst Investigates:
1. Analyze file download pattern for Joe over last 6 months – compare against Org and Dept statistics
2. Analyze device behavior anomalies – examine data over last 6 months and compare against various dimensions
3. Analyze source of download – analyze all communication to source domain across org and dept over last 6 months
4. Analyze all communication paths of device and Joe to uncover if attack has spread
20. Malformed Image File Spread – SQL Injection Based Attack
Incident Detected in SIEM; Security Analyst Investigates:
1. Analyze all recent incidents related to user and device and compare over last 6 months (various statistics)
2. Analyze communication between endpoint and internal web server
3. Analyze webserver compromise – internal and external communication mapped and analyzed for anomalies
4. Follow trail of SQL Injection attack followed by compromise of customer accounts and malformed file upload
21. User Account Compromise – VPN Authentication Errors
Incident Detected in SIEM; Security Analyst Investigates:
1. Analyze VPN access pattern of user over last 6 months – compare against Org and Dept
2. Analyze all failed and successful authentication for user over last 6 months – compare against Org and Dept
3. User Behavior Analytics – file downloads, URL access, application access etc.
4. Device Behavior Analytics – destinations, bytes, protocols, ports etc.
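The three investigation playbooks above (slides 19–21) share one step: take the user's activity over the last 6 months and compare it against Org and Dept statistics. The following is an added example of that comparison, not code from the deck, from Platfora or from SurfWatch Labs; the log records, user names and departments are constructed, and the 3-sigma threshold is an assumed cut-off.

```python
"""Added example: z-score one user's monthly event count against department
and organisation peer baselines, as in the deck's analyst playbooks."""
from collections import defaultdict
from statistics import mean, pstdev

MONTHS = ["2015-01", "2015-02", "2015-03", "2015-04", "2015-05", "2015-06"]
# Constructed users and departments (hypothetical, not from the deck).
PEOPLE = {"joe": "finance", "ann": "finance", "bob": "finance",
          "cat": "eng", "dan": "eng", "eve": "eng"}

def build_sample_logs():
    """Constructed records (user, dept, month, event): everyone downloads
    2-3 files a month, except 'joe' who spikes to 25 in the last month."""
    logs = []
    for user, dept in PEOPLE.items():
        for i, month in enumerate(MONTHS):
            n = 25 if (user == "joe" and month == "2015-06") else 2 + (i % 2)
            logs += [(user, dept, month, "file_download")] * n
    return logs

SAMPLE_LOGS = build_sample_logs()

def monthly_counts(logs, event):
    """{user: {month: count}} for one event type."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, _dept, month, ev in logs:
        if ev == event:
            counts[user][month] += 1
    return counts

def baseline(logs, event, user, dept=None):
    """Mean/std of peers' monthly counts; user excluded; dept=None means whole org."""
    counts = monthly_counts(logs, event)
    peers = {u for u, d, _, _ in logs if u != user and (dept is None or d == dept)}
    months = sorted({m for _, _, m, _ in logs})
    samples = [counts[p][m] for p in peers for m in months]
    return mean(samples), pstdev(samples)

def investigate(logs, user, event, month, dept, threshold=3.0):
    """Compare the user's count for `month` against dept and org baselines."""
    observed = monthly_counts(logs, event)[user][month]
    result = {"user": user, "month": month, "observed": observed}
    for scope, d in (("dept", dept), ("org", None)):
        m, sd = baseline(logs, event, user, d)
        z = 0.0 if sd == 0 else (observed - m) / sd
        result[scope] = {"mean": round(m, 2), "stdev": round(sd, 2), "z": round(z, 2)}
    result["anomalous"] = any(result[s]["z"] >= threshold for s in ("dept", "org"))
    return result

if __name__ == "__main__":
    print(investigate(SAMPLE_LOGS, "joe", "file_download", "2015-06", "finance"))
```

The same function answers the VPN-error playbook by feeding it failed-authentication records instead of downloads.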
23. Big Data Security Analytics
Diagram: the Security Analyst at the center of an end-to-end platform:
• Forest through the Trees
• Understand Business Data
• Iterate and Pivot
• Petabytes of Data
• Visualization
• End to End Platform
• Hadoop/HDFS Analytics
• Map Reduce/Spark
• Connect Variety of Data
SurfWatch Labs Starts Where Traditional Threat Intelligence Stops
Powerful cyber risk analytics and practical BI apps that drive strategic insights for improved long-term cyber resilience
Looking back at data from 1-2 years ago, it was clear that a lot of bad cyber activity was going on without the good guys even knowing.
Each day, I watched the individual attackers hit their targets. Almost always, they were small and seemingly insignificant ones like local dentists, small consulting firms specializing in healthcare IT, 3-hospital chains in the Pacific Northwest, plastic surgery clinics, tiny regional hospitals in out-of-the-way parts of your own state that you’ve never even been to, dialysis center chains in the Southeast, 5-person insurance claims processing shops, one-off hospital websites in the Midwest and even emergency vets just for reptiles (yes, they have those).