Understanding Global Threat Landscape
• Electronic Criminal Groups: Established Underground Industry (continued examples of successful large-scale operations)
  • Organization: Low to High
  • Capability: Medium to High
  • Intent: High for financial gain, but intent is complex
  • “Kneber” ZeuS botnet – information sold to anybody
• Nation-Sponsored Activities: From Intelligence Gathering to Network-Centric Warfare
  • Organization: High
  • Capability: High
  • Intent: Connected to national policy
  • Aurora, Titan Rain, etc.
• Non-State Actors
  • Increasing interest from radical / extremist groups in cyberterror
  • “Hacking as a service”
Pervasive Problems
• Nation-sponsored attacks on anything (critical infrastructure, defense industrial base, etc.)
• Designer malware directed at end users through spear-phishing attacks
• Covert network channels and obfuscated network traffic
• Low and slow data exfiltration
• Rogue encryption
• Organized criminal group attacks
• Insertion of rogue code into retail POS, wire transfer, and ATM systems
• Infiltration of transaction processing systems in critical infrastructure sectors
• Theft of data at the application, database, and middleware layers with deep “personal information” and other “key” attributes
The Top Threats Are Not Preventable
• Spear-phishing attacks
• Poisoned websites and DNS – “drive-by” attacks
• Pervasive botnet infection (e.g., ZeuS / Gumblar / Storm 2.0)
• Social networking / mobility / Web 2.0
• Cloud computing / unknown risk profiles
• Undetected data exfiltration and leakage
• Ongoing product vulnerabilities (e.g., Adobe, Microsoft, Java)
• Malware and more malware resulting from all of the above…
The Bottom Line
• Threats are already on the inside
• Exploits that matter have already happened
Current Technologies Are Failing – Firewalls
Intent – Prevent or limit unauthorized connections into and out of your network
Reality – Adversaries are designing malware to use “allowed paths” (DNS, HTTP, SMTP, etc.) to provide reliable and hard-to-detect C&C and data exfiltration channels from inside your internal network. Even worse, they are using encrypted tunnels to provide “reverse-connect” for full remote control capabilities.
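The slide's point is that a firewall passes DNS because DNS is an allowed path, so the channel has to be recognised from what the queries look like rather than from the port. The following is an added example, not code from the original deck or from any product it describes: it runs a few covert-channel heuristics (count of unique subdomains per client and registered domain, mean label length, mean Shannon entropy) over constructed DNS query-log lines. The log format, the thresholds, and the two-label approximation of a registered domain are all assumptions made for the example.

```python
"""Heuristics for spotting DNS used as a covert C&C / exfiltration path.

Added example, not from the original slides or any product. Input is a
constructed query-log format, one record per line:
    <seq> <client_ip> <qtype> <qname>
The "registered domain" is approximated as the last two labels of the name
(an assumption that ignores multi-label public suffixes such as co.uk).
"""
import math
from collections import defaultdict

# Constructed sample: 10.0.0.5 does ordinary lookups; 10.0.0.9 issues many
# unique, long, high-entropy labels under a single domain, the shape a
# DNS tunnel leaves in query logs.
SAMPLE_LOG = """\
1 10.0.0.5 A www.example.com
2 10.0.0.5 A mail.example.com
3 10.0.0.5 AAAA www.example.com
4 10.0.0.9 TXT 3q8fzl2k9v1m4n7p0x2y5w8a.xfil-demo.test
5 10.0.0.9 TXT 9k2m5n8p1x4y7w0a3q6f9z2l.xfil-demo.test
6 10.0.0.9 TXT 7p0x3y6w9a2q5f8z1l4k7m0n.xfil-demo.test
7 10.0.0.9 TXT 5w8a1q4f7z0l3k6m9n2p5x8y.xfil-demo.test
8 10.0.0.9 TXT 2q5f8z1l4k7m0n3p6x9y2w5a.xfil-demo.test
9 10.0.0.9 TXT 0l3k6m9n2p5x8y1w4a7q0f3z.xfil-demo.test
10 10.0.0.5 A cdn.example.com
"""


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty or uniform input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the constructed log format into (client, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the analysis
        _seq, client, qtype, qname = parts
        records.append((client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def split_name(qname):
    """Return (subdomain, registered_domain) using the two-label assumption."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_dns_covert_channels(text, min_unique=5, min_len=20, min_entropy=3.5):
    """Group queries by (client, registered domain) and flag tunnel-like sets.

    Thresholds are illustrative assumptions; tune them against a baseline of
    legitimate CDN / telemetry traffic before alerting on them.
    Returns {(client, domain): stats} for flagged pairs only.
    """
    subdomains = defaultdict(set)
    for client, _qtype, qname in parse_log(text):
        sub, domain = split_name(qname)
        if sub:
            subdomains[(client, domain)].add(sub)
    flagged = {}
    for key, subs in subdomains.items():
        stats = {
            "unique": len(subs),
            "mean_len": sum(len(s) for s in subs) / len(subs),
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
        }
        if (stats["unique"] >= min_unique and stats["mean_len"] >= min_len
                and stats["mean_entropy"] >= min_entropy):
            flagged[key] = stats
    return flagged


if __name__ == "__main__":
    for (client, domain), stats in find_dns_covert_channels(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {stats}")
```

Only the 10.0.0.9 / xfil-demo.test pair is reported; the ordinary client's three short subdomains fall below every threshold. In practice the same aggregation is run per time window so that a slow trickle of queries accumulates into a detectable set instead of hiding below a per-query rule.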
The Gaps in Status Quo Security – IDS/IPS
Intent – Alert on or prevent known malicious network traffic
Reality – Attackers are using obfuscation methods to prevent IDS signatures from recognizing malicious traffic, and client-side attacks that don’t do “network-based” exploitation. Even worse: intrusion prevention systems are largely left unimplemented or crippled due to fears of business impact.
The Gaps in Status Quo Security – Anti-Malware
Intent – Prevent malicious code from running on an endpoint, or from traversing your network
Reality – Most current anti-malware technologies are signature-based, requiring constant signature updates to remain effective. Due to the current level of malware production, these signatures lag behind by days to weeks. Even worse, adversaries create custom malware for high-value targets. If they don’t use widespread distribution, you are even less likely to have timely signatures.
[Slide image caption: From an AV Vendor Forum]
Security Situation Today
• Significant shift in past 3-4 years to “Advanced Threats”
• Current technologies are hopelessly exposed
• Host trustworthiness (there is none)
• Security paradigms are perimeter-based, external-threat-monitoring oriented (the bad guys are already inside)
• Network-layer oriented vs. application and content (perfect for 1998)
• Almost exclusively signature-based (obsolete by definition)
• “Situational Awareness” relies on log and flow-based monitoring (see above to produce GIGO)
• Even the “silver bullets” are far from (consider authentication)
The Bottom Line
• ALL THREATS ARE ALREADY ON THE INSIDE
• ALL EXPLOITS THAT MATTER ARE T MINUS 21 FROM ZERO-DAY
Quotes
“It's been estimated that last year alone cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion.” – Barack Obama, 2009
“More money made by organized crime online than by drug trafficking….” – FBI, 2009
“On average in 2009, a new type of variant of malware was entering cyberspace every 2.2 seconds. The three or four big antivirus companies have sophisticated networks to look for the new malware, but they find and issue a fix for about one in every ten pieces of malware.” – Richard Clarke, Cyber War, 2010
2010 Breach Analysis – Verizon Data Breach Investigations Report
Though phishing, SQL injection, and other attacks can and do steal credentials, malware nabbed more than all others combined by a ratio of 2:1.
An incredible 97% of the 140+ million records were compromised through customized malware across the Verizon-USSS caseload.
Attack scenarios are most effectively and efficiently prevented earlier in their progression rather than later. Said differently, stop adversaries before they own the box, because it’s awfully hard to stop them once they have.
How Can You Close This Gap?
• Get a memory for your network – record and know everything happening across the network from layer 2 to layer 7
• Get definitive answers to any imaginable security question – no matter how complex
• Achieve 24x7 real-time situational awareness and continuous network monitoring
• Obtain the precision and detail only available from pervasive network forensics
• Integrate the intelligence of open, community, commercial and classified threat sources
• Deploy an agile solution that can address emerging threat trends
Network Forensics addresses uncertainty
• Answers to Complex Security Questions
  • Focus on advanced threats, such as malware and botnets
  • Provides a memory for your network, offering forensic accuracy into past activities
• Acceleration of Incident Response Processes
  • Real-time situational awareness through full content and context
  • Enrichment of existing technologies and incident response workflow
• Continuous Security Controls Monitoring
  • Evaluating the efficacy of security controls
• Incident Impact Assessment
  • Understanding true threat pathology
  • Limiting incident scope and damage
• Insider Threat Identification
  • Obtaining a true 360° view of insider threats
• Application and Content Monitoring
  • Data exfiltration detection
Two types of enterprises today: those that KNOW they face advanced threats, and those that face them WITHOUT knowing it.
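“Data exfiltration detection” from a network memory means looking back over recorded flows rather than at each packet as it passes, which is the only way the “low and slow” exfiltration named earlier in the deck becomes visible: each transfer is small enough to pass a per-flow size alert, and only the sum over hours gives it away. The block below is an added example, not code from the original slides or from any product they describe. It assumes flow records already carved from packet capture or NetFlow in a constructed (ts, src, dst, dport, bytes_out, bytes_in) form, an internal range of 10.0.0.0/8, and illustrative thresholds; the sample traffic and the external addresses (documentation ranges) are constructed.

```python
"""Low-and-slow exfiltration detection over recorded outbound flows.

Added example, not from the original slides or any product. It assumes flow
records in the constructed form below (already extracted from full-packet
capture or NetFlow) and an internal prefix of 10.0.0.0/8. All thresholds
are illustrative assumptions to be tuned against a real baseline.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    ts: int         # seconds since the start of the observation window
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent by src
    bytes_in: int   # bytes received by src


INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


def build_sample_flows():
    """Constructed sample: one host drips ~40 KB every 30 minutes to a single
    external peer over HTTPS for a day (no single flow is large); another
    host performs a large download, which has the opposite byte ratio."""
    flows = []
    for i in range(48):  # 48 x 30 min = 24 h
        flows.append(Flow(i * 1800, "10.0.0.9", "203.0.113.7", 443, 40_000, 1_200))
    flows.append(Flow(600, "10.0.0.5", "198.51.100.20", 443, 15_000, 900_000_000))
    flows.append(Flow(900, "10.0.0.5", "198.51.100.21", 443, 2_000, 50_000))
    return flows


def aggregate_outbound(flows):
    """Sum bytes out/in, flow count and largest single flow per (src, dst, dport),
    considering only flows from an internal host to an external one."""
    agg = defaultdict(lambda: {"flows": 0, "bytes_out": 0, "bytes_in": 0, "max_out": 0})
    for f in flows:
        if ipaddress.ip_address(f.src) not in INTERNAL:
            continue  # only data leaving internal hosts matters here
        if ipaddress.ip_address(f.dst) in INTERNAL:
            continue  # internal-to-internal traffic is out of scope
        a = agg[(f.src, f.dst, f.dport)]
        a["flows"] += 1
        a["bytes_out"] += f.bytes_out
        a["bytes_in"] += f.bytes_in
        a["max_out"] = max(a["max_out"], f.bytes_out)
    return agg


def find_low_and_slow(flows, total_threshold=1_000_000, per_flow_ceiling=100_000,
                      min_flows=10, min_ratio=5.0):
    """Flag peers that receive a lot from one host in aggregate, through many
    flows that would each pass a per-flow size rule, with far more sent than
    received. Returns {(src, dst, dport): stats} for flagged peers only."""
    flagged = {}
    for key, a in aggregate_outbound(flows).items():
        ratio = a["bytes_out"] / max(a["bytes_in"], 1)
        if (a["bytes_out"] >= total_threshold and a["max_out"] < per_flow_ceiling
                and a["flows"] >= min_flows and ratio >= min_ratio):
            flagged[key] = dict(a, ratio=round(ratio, 1))
    return flagged


if __name__ == "__main__":
    for key, stats in find_low_and_slow(build_sample_flows()).items():
        print(key, stats)
```

The dripping host is reported (1.92 MB out over 48 flows, about 33 bytes sent per byte received), while the download host is not: its outbound total stays under the threshold and its ratio is inverted. Requiring `max_out` to stay below the per-flow ceiling is what distinguishes this rule from a plain volume alert; large single uploads are a different detection and should not be folded into this one.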
Tips for Success
• Get rid of your users
• Realize you are already breached
• Leverage all-source intelligence
• Improved visibility requires visibility into user content and application context, better analytics and fusion of live threat data
• No worthwhile adversary will be stopped; your best results require reducing the noise
• Continuous and automated forensic validity – what do you know?
• Reduce loss post-breach through improved incident response, shortened time to problem recognition, and more accurate determination of the full scope of compromise
• Unplug what you can and segregate the rest from the unwashed masses