NetIQ, profile picture
Uploaded byNetIQ
PPTX, PDF1,786 views

Advanced Persistent Threat - Evaluating Effective Responses

The document discusses advanced persistent threats (APTs), highlighting their highly targeted nature and long-term unauthorized access patterns that differentiate them from opportunistic attackers. It outlines ineffective traditional defenses and proposes a pragmatic approach that includes identifying critical data, monitoring for unusual activity, and developing a response plan. The emphasis is on a systematic management of privileged access, effective logging, and understanding the risks to better protect organizations from APTs.

Downloaded 44 times
Advanced Persistent Threats Evaluating Effective Responses strategies for organizations and their impact Garve Hays, Solutions Architect
© 2012 NetIQ Corporation. All rights reserved.2 Persistence “Nothing in the world can take the place of Persistence. Talent will not; nothing is more common than unsuccessful men with talent. Genius will not; unrewarded genius is almost a proverb. Education will not; the world is full of educated derelicts. Persistence and determination alone are omnipotent.” Calvin Coolidge
© 2012 NetIQ Corporation. All rights reserved.3 Introduction • Today we will: – Examine why Advanced Persistent Threats (APTs) are a problem (really) – Look at what has NOT worked – Examine what can work – Provide some practical next steps
What is an APT?
© 2012 NetIQ Corporation. All rights reserved.5 Advanced Means… …they have a plan
© 2012 NetIQ Corporation. All rights reserved.6 P is for Persistent Long haul…
© 2012 NetIQ Corporation. All rights reserved.7 What do you have to lose? All your base are belong to us…
© 2012 NetIQ Corporation. All rights reserved.8 What Are APTs? • They are highly targeted attacks • A long-term pattern of unauthorized computer system intrusions • Advanced – not necessarily leading edge, – Sophisticated – With structure – They have a plan • Persistent – the perpetrators are in no rush – Patient • Threat – the goal is to establish a beachhead or ex-filtrate information
© 2012 NetIQ Corporation. All rights reserved.9 Not Every Attack is an APT • Don’t confuse them with random thieves – Smash and grab – Dude check out the new Metasploit • Important to understand the difference between opportunistic attackers and APTs
© 2012 NetIQ Corporation. All rights reserved.10 Not Always State-Sponsored
© 2012 NetIQ Corporation. All rights reserved.11 The Mandiant Study http://intelreport.mandiant.com/ “Our evidence indicates that APT1 has been stealing hundreds of terabytes of data from at least 141 organizations across a diverse set of industries beginning as early as 2006.” “Once the group establishes access to a victim’s network, they continue to access it periodically over several months or years to steal large volumes of valuable intellectual ...”
© 2012 NetIQ Corporation. All rights reserved.12 Loss of Intellectual Property The loss of industrial information and intellectual property through cyber espionage constitutes the "greatest transfer of wealth in history” Gen. Keith Alexander, NSA Director
© 2012 NetIQ Corporation. All rights reserved.13 What Do They Look Like?
© 2012 NetIQ Corporation. All rights reserved.14 What Do They Look Like • Typical Attacks Utilize: – Email (phishing) – Community portals (“watering hole”) – Dropbox – Portable media (USB thumb drive)
© 2012 NetIQ Corporation. All rights reserved.15
© 2012 NetIQ Corporation. All rights reserved.16 Plausible Email Messages
© 2012 NetIQ Corporation. All rights reserved.17 Plausible Email Messages
© 2012 NetIQ Corporation. All rights reserved.18 Top Words Used in Spear Phishing Attacks http://www.fireeye.com/resources/pdfs/fireeye-top-spear-phishing-words.pdf
© 2012 NetIQ Corporation. All rights reserved.19 • Why is Jo on the system at 3 AM? I know she’s a hard worker and all… • Why is the CPU usage spiking on the order-entry server? • Is the sales team really using an open Dropbox account? Don’t we have a policy against that?
© 2012 NetIQ Corporation. All rights reserved.20 Low-Hanging Fruit First… • Attackers are not going to use a 0-day if they don’t have to • Vulnerabilities against Java 7 Update 21 and Java 6 Update 45 • Already in exploit kits
Examples
© 2012 NetIQ Corporation. All rights reserved.22  6 months in duration, ending in December, 2009  First publicly disclosed in January, 2012  Google  Adobe Systems  Juniper Networks  Rackspace  Also targets, according to media reports  Yahoo  Symantec  Northrop Grumman  Morgan Stanley  Dow Chemical Operation Aurora
© 2012 NetIQ Corporation. All rights reserved.23  Cyber Attacks  Started in mid 2006  United Sates  Canada  South Korea  The UN  International Olympic Committee  12 US defense contractors  At least 72 organizations Operation Shady RAT
© 2012 NetIQ Corporation. All rights reserved.24 Drone Contractor Breached “Earlier this week, Bloomberg reported that QinetiQ, a high tech defense contractor specializing in secret satellites drones and software used by U.S. special forces, was the victim of a sustained cybersecurity breach for several years starting in 2007.” http://thinkprogress.org/security/2013/05/03/1958871/contractors- outsource-cybersecurity-hacked/
© 2012 NetIQ Corporation. All rights reserved.25 Why Are They A Problem? • Difficult (if not impossible to keep out) • Target saleable information • Very good at long term penetration • Traditional techniques do not keep them out
© 2012 NetIQ Corporation. All rights reserved.26 This isn’t working…
© 2012 NetIQ Corporation. All rights reserved.27 What Hasn’t Worked? • Perimeter based defenses • Malware scanning • Anti-virus • Employee Training • IDS • In reality -
© 2012 NetIQ Corporation. All rights reserved.28 What Hasn’t Worked? • Perimeter based defenses • Malware scanning • Anti-virus • Employee Training • IDS • In reality - YOU WILL NOT KEEP THEM OUT
© 2012 NetIQ Corporation. All rights reserved.29 Better Approach • Plan on being compromised • Get the basics right • Have a policy and a response plan • Look for activity and changes, not tools – Build a baseline – Harden systems (patch and best practice configurations) – Manage your privileged users – Monitor for activity that looks suspicious*
© 2012 NetIQ Corporation. All rights reserved.30 A Recipe… Implement policies/plans Enforce with technology Know what you’ve got Know how it’s at risk Refine and repeat Know what you’ve got Understand how it’s at risk Implement reasonable policies & processes Enforce with technology Refine and repeat over time
© 2012 NetIQ Corporation. All rights reserved.31 Identify and Protect Critical Data • Finding the data – Data may be in files, on physical media, in databases, or in the cloud. – Most breaches involve data that the victim did not know was there. • Categorizing data – What data is sensitive and at risk? • Monitoring access – Can I identify abnormal access? – Who is really accessing the information?
© 2012 NetIQ Corporation. All rights reserved.32 Control and Monitor Privileged Access • Monitor system and file integrity – Changes to key system files. – Modification of rarely accessed data. • Investigate unusual changes – Changes to key system files. – Modification of rarely accessed data. • Audit individual actions – Focus on privileged and “high risk” users/accounts.
© 2012 NetIQ Corporation. All rights reserved.33 Capture and Monitor Log Data • Security and network devices generate lots of data – OS, Network, Virtual, P&A, User Activity, DAM, IAM. • Compliance mandates capture and review of logs • Logs can often provide early warning signs – 82% of the time, evidence was visible in logs beforehand. • Failure to monitor is costly – Breaches often go undiscovered and uncontained for weeks or months.
© 2012 NetIQ Corporation. All rights reserved.34 What We See Organizations are most successful when they: – Adopt a pragmatic approach – Prioritize monitoring around data – data centricity is key – Include identity and access monitoring – Tie as much together as possible to integrate information – Filter and enrich monitoring of activity
© 2012 NetIQ Corporation. All rights reserved.35 • Develop policy • Understand what critical data you need to protect and where it is stored • Focus resources around protecting inside the perimeter • Layer defenses inside to slow down attackers • Monitor for unusual activity • Reduce your privileged user attack surface • Create, agree, and OWN a response plan Next Steps
© 2012 NetIQ Corporation. All rights reserved.36 NetIQ Can Help • Provide expertise and experience in Identity, Access Management and Security Management • Help reduce number of privileged users • Reduce and manage privileges • Monitor users and look for unusual activity • Provide visibility into access rights to critical resources • Harden systems against attackers
© 2010 NetIQ Corporation. All rights reserved. Security & Compliance Identity & Access Performance & Availability 3737 © 2010 NetIQ Corporation. All rights reserved. Our Areas of Focus and Expertise • Manage and audit user entitlements • Track privileged user activity • Protect the integrity of key systems and files • Monitor access to sensitive information • Simplify compliance reporting • Monitor and manage heterogeneous environments including custom applications • IT Service validation and end-user performance monitoring • Dynamic provisioning of large- scale monitoring with exceptions • Functional and hierarchical incident escalation • Deliver and manage differentiated service levels • User Provisioning Lifecycle Management • Centralize Unix account management through Active Directory • Reduce number of privileged users • Secure delegated administration • Windows and Exchange migration
© 2010 NetIQ Corporation. All rights reserved. Image Credits 38 http://commons.wikimedia.org/wiki/File:Calvin_ Coolidge,_bw_head_and_shoulders_photo_po rtrait_seated,_1919.jpg http://www.flickr.com/photos/seattlemunicipalar chives/4459827777 http://www.flickriver.com/photos/12567713@N 00/44514786/ http://garyckarntzen.deviantart.com/art/Chines e-Flag-Wallpaper-196092557 http://commons.wikimedia.org/wiki/File:Keith_ B._Alexander_official_portrait.jpg http://www.worth1000.com http://commons.wikimedia.org/wiki/File:Oppstilling-2.jpg http://en.wikipedia.org/wiki/File:Barney_Oldfield%27s_R ace_for_a_Life.jpg http://www.flickr.com/photos/crazyeddie/2916193420/ http://www.flickr.com/photos/mookitty/2375679549/ http://commons.wikimedia.org/wiki/File:IllegalFlowerTrib ute1.jpg
Advanced Persistent Threat - Evaluating Effective Responses

More Related Content

PPTX
Scrubbing Your Active Directory Squeaky Clean
byNetIQ
 
PDF
NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida
byNorth Texas Chapter of the ISSA
 
PPTX
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
byNorth Texas Chapter of the ISSA
 
PPTX
Leveraging Identity to Manage Change and Complexity
byNetIQ
 
PPTX
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
bycentralohioissa
 
PDF
Marcel van der Heijden - SpeedInvest & Aircloak - EU GDPR & Data Privacy Comp...
byBurton Lee
 
PPTX
SANS Critical Security Controls Summit London 2013
byWolfgang Kandek
 
PPTX
The Internet of Everything is Here
byLancope, Inc.
 
Scrubbing Your Active Directory Squeaky Clean
byNetIQ
 
NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida
byNorth Texas Chapter of the ISSA
 
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
byNorth Texas Chapter of the ISSA
 
Leveraging Identity to Manage Change and Complexity
byNetIQ
 
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
bycentralohioissa
 
Marcel van der Heijden - SpeedInvest & Aircloak - EU GDPR & Data Privacy Comp...
byBurton Lee
 
SANS Critical Security Controls Summit London 2013
byWolfgang Kandek
 
The Internet of Everything is Here
byLancope, Inc.
 

What's hot

PDF
Fortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
byIgnyte Assurance Platform
 
PDF
Energy Industry Organizational Strategies to Increase Cyber Resiliency
byEnergySec
 
PPTX
Cloud Security: A Business-Centric Approach in 12 Steps
byOmar Khawaja
 
PPTX
Art Hathaway - Artificial Intelligence - Real Threat Prevention
bycentralohioissa
 
PDF
RSA ASIA 2014 - Internet of Things
byWolfgang Kandek
 
PDF
Secure Your Data with Fidelis Network® for DLP
byFidelis Cybersecurity
 
PDF
McAfee Total Protection for Data Loss Prevention (DLP)
byTrustmarque
 
PPTX
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
bycentralohioissa
 
PPTX
Vulnerability Testing Services Case Study
byNandita Nityanandam
 
PPTX
Lisa Guess - Embracing the Cloud
bycentralohioissa
 
PDF
Applying intelligent deception to detect sophisticated cyber attacks
byFidelis Cybersecurity
 
PPTX
Smarter Security - A Practical Guide to Doing More with Less
byOmar Khawaja
 
PDF
IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...
byCableLabs
 
PDF
Fidelis Endpoint® - Live Demonstration
byFidelis Cybersecurity
 
PDF
Industrial IOT Data Connectivity Standard
byGerardo Pardo-Castellote
 
PPT
How Network Data Loss Prevention is Implemented
byJerry Paul Acosta
 
PPTX
David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...
byGovernment Technology and Services Coalition
 
PPTX
Tripwire Energy Working Group: Keynote w/Patrick Miller
byTripwire
 
PPTX
Security Testing for IoT Systems
bySecurity Innovation
 
PPTX
Tripwire Energy Working Group: TIV Demo
byTripwire
 
Fortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
byIgnyte Assurance Platform
 
Energy Industry Organizational Strategies to Increase Cyber Resiliency
byEnergySec
 
Cloud Security: A Business-Centric Approach in 12 Steps
byOmar Khawaja
 
Art Hathaway - Artificial Intelligence - Real Threat Prevention
bycentralohioissa
 
RSA ASIA 2014 - Internet of Things
byWolfgang Kandek
 
Secure Your Data with Fidelis Network® for DLP
byFidelis Cybersecurity
 
McAfee Total Protection for Data Loss Prevention (DLP)
byTrustmarque
 
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
bycentralohioissa
 
Vulnerability Testing Services Case Study
byNandita Nityanandam
 
Lisa Guess - Embracing the Cloud
bycentralohioissa
 
Applying intelligent deception to detect sophisticated cyber attacks
byFidelis Cybersecurity
 
Smarter Security - A Practical Guide to Doing More with Less
byOmar Khawaja
 
IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...
byCableLabs
 
Fidelis Endpoint® - Live Demonstration
byFidelis Cybersecurity
 
Industrial IOT Data Connectivity Standard
byGerardo Pardo-Castellote
 
How Network Data Loss Prevention is Implemented
byJerry Paul Acosta
 
David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...
byGovernment Technology and Services Coalition
 
Tripwire Energy Working Group: Keynote w/Patrick Miller
byTripwire
 
Security Testing for IoT Systems
bySecurity Innovation
 
Tripwire Energy Working Group: TIV Demo
byTripwire
 

Viewers also liked

PPTX
BrainShare 2014
byNetIQ
 
PPTX
A Smarter, More Secure Internet of Things
byNetIQ
 
PPTX
Are You Being Anti-Social
byNetIQ
 
PPTX
Bring Your Own Identity
byNetIQ
 
PDF
Mobile Apps in Your Business
byNetIQ
 
PPT
Identity, Security and Healthcare
byNetIQ
 
PPTX
Building A Cloud-Ready Security Program
byNetIQ
 
PDF
Cloud Identity
byNetIQ
 
PDF
IT Disaster Recovery
byNetIQ
 
PDF
2014 Cyberthreat Defense Report
byNetIQ
 
PDF
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
byRootedCON
 
PDF
Edurne baines.Vivir Galicia.-IV Curso de Verano Turismo UDC
byIria Caamaño-Franco
 
PDF
Case study-telekom
byBojan Jovic
 
PPTX
Mensajes del rey proclamacion inicial
byCoke Neto
 
PDF
guia turistica
byluiisiitagarciia
 
PDF
datos utilrs
byquijadarosa
 
PDF
HTML alchemy: the secrets of mixing JavaScript and Java EE - Matthias Wessendorf
byJAX London
 
PDF
Diogen magazin printana verzija 2014 2015 new final online
bydebeljackitatjana
 
PPSX
Emarketing y redes sociales
byPlaneta Digital 360
 
BrainShare 2014
byNetIQ
 
A Smarter, More Secure Internet of Things
byNetIQ
 
Are You Being Anti-Social
byNetIQ
 
Bring Your Own Identity
byNetIQ
 
Mobile Apps in Your Business
byNetIQ
 
Identity, Security and Healthcare
byNetIQ
 
Building A Cloud-Ready Security Program
byNetIQ
 
Cloud Identity
byNetIQ
 
IT Disaster Recovery
byNetIQ
 
2014 Cyberthreat Defense Report
byNetIQ
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
byRootedCON
 
Edurne baines.Vivir Galicia.-IV Curso de Verano Turismo UDC
byIria Caamaño-Franco
 
Case study-telekom
byBojan Jovic
 
Mensajes del rey proclamacion inicial
byCoke Neto
 
guia turistica
byluiisiitagarciia
 
datos utilrs
byquijadarosa
 
HTML alchemy: the secrets of mixing JavaScript and Java EE - Matthias Wessendorf
byJAX London
 
Diogen magazin printana verzija 2014 2015 new final online
bydebeljackitatjana
 
Emarketing y redes sociales
byPlaneta Digital 360
 

Similar to Advanced Persistent Threat - Evaluating Effective Responses

PDF
2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity
byNathan Anderson
 
PDF
Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel
byAdam Palmer
 
PDF
Understanding Advanced Cybersecurity Threats for the In-House Counsel
byAdam Palmer
 
PPTX
Insider Threat
byAndy Thompson
 
PDF
Cyber security series advanced persistent threats
byJim Kaplan CIA CFE
 
PDF
Why_TG
byTOP GUN
 
PDF
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
byOpenDNS
 
PDF
Countering Advanced Persistent Threats
byBooz Allen Hamilton
 
PPTX
Proven Practices to Protect Critical Data - DarkReading VTS Deck
byNetIQ
 
PPTX
Advanced Persistent Threats (APTs) - Information Security Management
byMayur Nanotkar
 
PDF
01 presentation-kenwillen
byInfinIT - Innovationsnetværket for it
 
PPTX
PowerPoint on advanced network threats.pptx
byAngieloBecenia1
 
PPTX
Clinton- Cyber IRT Balto 10_2012
byDon Grauel
 
PPTX
Real World Defense Strategies for Targeted Endpoint Threats
byLumension
 
PDF
The State of Data Security
byRazor Technology
 
PPTX
Operational Security Intelligence
bySplunk
 
PPTX
Combating Insider Threats – Protecting Your Agency from the Inside Out
byLancope, Inc.
 
PPT
NetWitness
byTechBiz Forense Digital
 
PPT
Mark Arena - Cyber Threat Intelligence #uisgcon9
byUISGCON
 
PPTX
Secure Iowa Oct 2016
byLarry Slobodzian
 
2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity
byNathan Anderson
 
Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel
byAdam Palmer
 
Understanding Advanced Cybersecurity Threats for the In-House Counsel
byAdam Palmer
 
Insider Threat
byAndy Thompson
 
Cyber security series advanced persistent threats
byJim Kaplan CIA CFE
 
Why_TG
byTOP GUN
 
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
byOpenDNS
 
Countering Advanced Persistent Threats
byBooz Allen Hamilton
 
Proven Practices to Protect Critical Data - DarkReading VTS Deck
byNetIQ
 
Advanced Persistent Threats (APTs) - Information Security Management
byMayur Nanotkar
 
01 presentation-kenwillen
byInfinIT - Innovationsnetværket for it
 
PowerPoint on advanced network threats.pptx
byAngieloBecenia1
 
Clinton- Cyber IRT Balto 10_2012
byDon Grauel
 
Real World Defense Strategies for Targeted Endpoint Threats
byLumension
 
The State of Data Security
byRazor Technology
 
Operational Security Intelligence
bySplunk
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
byLancope, Inc.
 
NetWitness
byTechBiz Forense Digital
 
Mark Arena - Cyber Threat Intelligence #uisgcon9
byUISGCON
 
Secure Iowa Oct 2016
byLarry Slobodzian
 

More from NetIQ

PDF
Open Enterprise Server With Windows
byNetIQ
 
PDF
Big Payoffs With BYOD and Mobility
byNetIQ
 
PDF
NetIQ Directory & Resource Administrator Helps Kindred Healthcare Achieve Com...
byNetIQ
 
PDF
Paraca Inc.
byNetIQ
 
PDF
The University of Westminster Saves Time and Money with Identity Manager
byNetIQ
 
PDF
The London School of Hygiene & Tropical Medicine Accelerates and Streamlines ...
byNetIQ
 
PDF
Swisscard Saves Time and Effort in Managing User Access
byNetIQ
 
PDF
Vodacom Tightens Security with Identity Manager from NetIQ
byNetIQ
 
PDF
University of Dayton Ensures Compliance with Sentinel Log Manager
byNetIQ
 
PDF
Nippon Light Metal Forges a Disaster Recovery Solution with NetIQ
byNetIQ
 
PDF
Nexus Differentiates Itself and Grows Its Capabilities with Operations Center
byNetIQ
 
PDF
Netiq css huntington_bank
byNetIQ
 
PDF
Professional Services Company Boosts Security, Facilitates Compliance, Automa...
byNetIQ
 
PDF
NetIQ Identity Manager Unites Hanshan Normal University
byNetIQ
 
PDF
Handelsbanken Takes Control of Identity Management with NetIQ
byNetIQ
 
PDF
Millions of People Depend on Datang Xianyi Technology and NetIQ
byNetIQ
 
PDF
bluesource Uses NetIQ AppManager to Offer Standout Managed Service
byNetIQ
 
PDF
Central Denmark Region Strengthens Administrative Security with Identity Mana...
byNetIQ
 
PDF
Identity-Powered Security
byNetIQ
 
PDF
Owens Community College adds Single Sign-On and Meets FERPA
byNetIQ
 
Open Enterprise Server With Windows
byNetIQ
 
Big Payoffs With BYOD and Mobility
byNetIQ
 
NetIQ Directory & Resource Administrator Helps Kindred Healthcare Achieve Com...
byNetIQ
 
Paraca Inc.
byNetIQ
 
The University of Westminster Saves Time and Money with Identity Manager
byNetIQ
 
The London School of Hygiene & Tropical Medicine Accelerates and Streamlines ...
byNetIQ
 
Swisscard Saves Time and Effort in Managing User Access
byNetIQ
 
Vodacom Tightens Security with Identity Manager from NetIQ
byNetIQ
 
University of Dayton Ensures Compliance with Sentinel Log Manager
byNetIQ
 
Nippon Light Metal Forges a Disaster Recovery Solution with NetIQ
byNetIQ
 
Nexus Differentiates Itself and Grows Its Capabilities with Operations Center
byNetIQ
 
Netiq css huntington_bank
byNetIQ
 
Professional Services Company Boosts Security, Facilitates Compliance, Automa...
byNetIQ
 
NetIQ Identity Manager Unites Hanshan Normal University
byNetIQ
 
Handelsbanken Takes Control of Identity Management with NetIQ
byNetIQ
 
Millions of People Depend on Datang Xianyi Technology and NetIQ
byNetIQ
 
bluesource Uses NetIQ AppManager to Offer Standout Managed Service
byNetIQ
 
Central Denmark Region Strengthens Administrative Security with Identity Mana...
byNetIQ
 
Identity-Powered Security
byNetIQ
 
Owens Community College adds Single Sign-On and Meets FERPA
byNetIQ
 

Recently uploaded

PDF
Top 10 Sites to Buy LinkedIn Accounts 2025.pdf
byBusiness Tipe
 
PDF
INRS Kingsley Maine Finland November 2025.pdf
byeric kingsley
 
PDF
5 Best Places to Buy LinkedIn Connections (Boost Your ....pdf
bymarketing
 
PPTX
How to Build a Water Taxi Booking App.pptx
bygoriderzusa
 
PDF
The Critical Role of Change Management in PMO Success - Kering | FuturePMO 2025
byWellingtone
 
PDF
_how to Buy// Onlyfans in usa all country Accounts.pdf
bygvd2437
 
PDF
YOUCHANNELL.pdf Company Online video Llc
byYouchannell
 
PDF
20251106-collective-pensions-with-investment-choice-ppi-kcl-nuffield.pdf
byHenry Tapper
 
PDF
The Ins and Outs of Sports Sponsorship: What Characterizes the Best Deals and...
byNeil Horowitz
 
PDF
business-leader-letter-to-the-chancellor-06-11-2025_v2.pdf
byHenry Tapper
 
PDF
occupational pension increases.pdf William Mcgrath
byHenry Tapper
 
PDF
Trusted byers_ Top 5 Sites for Verified Linkedin Accounts.pdf
byremyquick
 
PDF
Quiz_ Fastest Way to Buy Old GitHub Accounts for Development
byselida2395
 
PDF
ASEAN and Thailand in a Disruptive World
byKobsak
 
PDF
Navigating the Process of Buying Verified Paypal Accounts.pdf
byellison50
 
PDF
The Evolving PMO: A View of the FuturePMO - Wellingtone | FuturePMO 2025
byWellingtone
 
PPTX
What is the future of banking ... an AI generated PowerPoint
byChris Skinner
 
PDF
Salesforce Project Management & Business Analysis Panel Discussion on 11/5/2025
byMichael Orias
 
PDF
Lesaka Anchor research report 10.29.25 "Ctrl-Alt-Delete - Round Two"
bylesakafan
 
PDF
The Power of Connection_ Understanding Twitter Accounts (1).pdf
byjtjf0730
 
Top 10 Sites to Buy LinkedIn Accounts 2025.pdf
byBusiness Tipe
 
INRS Kingsley Maine Finland November 2025.pdf
byeric kingsley
 
5 Best Places to Buy LinkedIn Connections (Boost Your ....pdf
bymarketing
 
How to Build a Water Taxi Booking App.pptx
bygoriderzusa
 
The Critical Role of Change Management in PMO Success - Kering | FuturePMO 2025
byWellingtone
 
_how to Buy// Onlyfans in usa all country Accounts.pdf
bygvd2437
 
YOUCHANNELL.pdf Company Online video Llc
byYouchannell
 
20251106-collective-pensions-with-investment-choice-ppi-kcl-nuffield.pdf
byHenry Tapper
 
The Ins and Outs of Sports Sponsorship: What Characterizes the Best Deals and...
byNeil Horowitz
 
business-leader-letter-to-the-chancellor-06-11-2025_v2.pdf
byHenry Tapper
 
occupational pension increases.pdf William Mcgrath
byHenry Tapper
 
Trusted byers_ Top 5 Sites for Verified Linkedin Accounts.pdf
byremyquick
 
Quiz_ Fastest Way to Buy Old GitHub Accounts for Development
byselida2395
 
ASEAN and Thailand in a Disruptive World
byKobsak
 
Navigating the Process of Buying Verified Paypal Accounts.pdf
byellison50
 
The Evolving PMO: A View of the FuturePMO - Wellingtone | FuturePMO 2025
byWellingtone
 
What is the future of banking ... an AI generated PowerPoint
byChris Skinner
 
Salesforce Project Management & Business Analysis Panel Discussion on 11/5/2025
byMichael Orias
 
Lesaka Anchor research report 10.29.25 "Ctrl-Alt-Delete - Round Two"
bylesakafan
 
The Power of Connection_ Understanding Twitter Accounts (1).pdf
byjtjf0730
 

Advanced Persistent Threat - Evaluating Effective Responses

  • 1.
    Advanced Persistent Threats EvaluatingEffective Responses strategies for organizations and their impact Garve Hays, Solutions Architect
  • 2.
    © 2012 NetIQCorporation. All rights reserved.2 Persistence “Nothing in the world can take the place of Persistence. Talent will not; nothing is more common than unsuccessful men with talent. Genius will not; unrewarded genius is almost a proverb. Education will not; the world is full of educated derelicts. Persistence and determination alone are omnipotent.” Calvin Coolidge
  • 3.
    © 2012 NetIQCorporation. All rights reserved.3 Introduction • Today we will: – Examine why Advanced Persistent Threats (APTs) are a problem (really) – Look at what has NOT worked – Examine what can work – Provide some practical next steps
  • 4.
  • 5.
    © 2012 NetIQCorporation. All rights reserved.5 Advanced Means… …they have a plan
  • 6.
    © 2012 NetIQCorporation. All rights reserved.6 P is for Persistent Long haul…
  • 7.
    © 2012 NetIQCorporation. All rights reserved.7 What do you have to lose? All your base are belong to us…
  • 8.
    © 2012 NetIQCorporation. All rights reserved.8 What Are APTs? • They are highly targeted attacks • A long-term pattern of unauthorized computer system intrusions • Advanced – not necessarily leading edge, – Sophisticated – With structure – They have a plan • Persistent – the perpetrators are in no rush – Patient • Threat – the goal is to establish a beachhead or ex-filtrate information
  • 9.
    © 2012 NetIQCorporation. All rights reserved.9 Not Every Attack is an APT • Don’t confuse them with random thieves – Smash and grab – Dude check out the new Metasploit • Important to understand the difference between opportunistic attackers and APTs
  • 10.
    © 2012 NetIQCorporation. All rights reserved.10 Not Always State-Sponsored
  • 11.
    © 2012 NetIQCorporation. All rights reserved.11 The Mandiant Study http://intelreport.mandiant.com/ “Our evidence indicates that APT1 has been stealing hundreds of terabytes of data from at least 141 organizations across a diverse set of industries beginning as early as 2006.” “Once the group establishes access to a victim’s network, they continue to access it periodically over several months or years to steal large volumes of valuable intellectual ...”
  • 12.
    © 2012 NetIQCorporation. All rights reserved.12 Loss of Intellectual Property The loss of industrial information and intellectual property through cyber espionage constitutes the "greatest transfer of wealth in history” Gen. Keith Alexander, NSA Director
  • 13.
    © 2012 NetIQCorporation. All rights reserved.13 What Do They Look Like?
  • 14.
    © 2012 NetIQCorporation. All rights reserved.14 What Do They Look Like • Typical Attacks Utilize: – Email (phishing) – Community portals (“watering hole”) – Dropbox – Portable media (USB thumb drive)
  • 15.
    © 2012 NetIQCorporation. All rights reserved.15
  • 16.
    © 2012 NetIQCorporation. All rights reserved.16 Plausible Email Messages
  • 17.
    © 2012 NetIQCorporation. All rights reserved.17 Plausible Email Messages
  • 18.
    © 2012 NetIQCorporation. All rights reserved.18 Top Words Used in Spear Phishing Attacks http://www.fireeye.com/resources/pdfs/fireeye-top-spear-phishing-words.pdf
  • 19.
    © 2012 NetIQCorporation. All rights reserved.19 • Why is Jo on the system at 3 AM? I know she’s a hard worker and all… • Why is the CPU usage spiking on the order-entry server? • Is the sales team really using an open Dropbox account? Don’t we have a policy against that?
  • 20.
    © 2012 NetIQCorporation. All rights reserved.20 Low-Hanging Fruit First… • Attackers are not going to use a 0-day if they don’t have to • Vulnerabilities against Java 7 Update 21 and Java 6 Update 45 • Already in exploit kits
  • 21.
  • 22.
    © 2012 NetIQCorporation. All rights reserved.22  6 months in duration, ending in December, 2009  First publicly disclosed in January, 2012  Google  Adobe Systems  Juniper Networks  Rackspace  Also targets, according to media reports  Yahoo  Symantec  Northrop Grumman  Morgan Stanley  Dow Chemical Operation Aurora
  • 23.
    © 2012 NetIQCorporation. All rights reserved.23  Cyber Attacks  Started in mid 2006  United Sates  Canada  South Korea  The UN  International Olympic Committee  12 US defense contractors  At least 72 organizations Operation Shady RAT
  • 24.
    © 2012 NetIQCorporation. All rights reserved.24 Drone Contractor Breached “Earlier this week, Bloomberg reported that QinetiQ, a high tech defense contractor specializing in secret satellites drones and software used by U.S. special forces, was the victim of a sustained cybersecurity breach for several years starting in 2007.” http://thinkprogress.org/security/2013/05/03/1958871/contractors- outsource-cybersecurity-hacked/
  • 25.
    © 2012 NetIQCorporation. All rights reserved.25 Why Are They A Problem? • Difficult (if not impossible to keep out) • Target saleable information • Very good at long term penetration • Traditional techniques do not keep them out
  • 26.
    © 2012 NetIQCorporation. All rights reserved.26 This isn’t working…
  • 27.
    © 2012 NetIQCorporation. All rights reserved.27 What Hasn’t Worked? • Perimeter based defenses • Malware scanning • Anti-virus • Employee Training • IDS • In reality -
  • 28.
    © 2012 NetIQCorporation. All rights reserved.28 What Hasn’t Worked? • Perimeter based defenses • Malware scanning • Anti-virus • Employee Training • IDS • In reality - YOU WILL NOT KEEP THEM OUT
  • 29.
    © 2012 NetIQCorporation. All rights reserved.29 Better Approach • Plan on being compromised • Get the basics right • Have a policy and a response plan • Look for activity and changes, not tools – Build a baseline – Harden systems (patch and best practice configurations) – Manage your privileged users – Monitor for activity that looks suspicious*
  • 30.
    © 2012 NetIQCorporation. All rights reserved.30 A Recipe… Implement policies/plans Enforce with technology Know what you’ve got Know how it’s at risk Refine and repeat Know what you’ve got Understand how it’s at risk Implement reasonable policies & processes Enforce with technology Refine and repeat over time
  • 31.
    © 2012 NetIQCorporation. All rights reserved.31 Identify and Protect Critical Data • Finding the data – Data may be in files, on physical media, in databases, or in the cloud. – Most breaches involve data that the victim did not know was there. • Categorizing data – What data is sensitive and at risk? • Monitoring access – Can I identify abnormal access? – Who is really accessing the information?
  • 32.
    © 2012 NetIQCorporation. All rights reserved.32 Control and Monitor Privileged Access • Monitor system and file integrity – Changes to key system files. – Modification of rarely accessed data. • Investigate unusual changes – Changes to key system files. – Modification of rarely accessed data. • Audit individual actions – Focus on privileged and “high risk” users/accounts.
  • 33.
    © 2012 NetIQCorporation. All rights reserved.33 Capture and Monitor Log Data • Security and network devices generate lots of data – OS, Network, Virtual, P&A, User Activity, DAM, IAM. • Compliance mandates capture and review of logs • Logs can often provide early warning signs – 82% of the time, evidence was visible in logs beforehand. • Failure to monitor is costly – Breaches often go undiscovered and uncontained for weeks or months.
  • 34.
    © 2012 NetIQCorporation. All rights reserved.34 What We See Organizations are most successful when they: – Adopt a pragmatic approach – Prioritize monitoring around data – data centricity is key – Include identity and access monitoring – Tie as much together as possible to integrate information – Filter and enrich monitoring of activity
  • 35.
    © 2012 NetIQCorporation. All rights reserved.35 • Develop policy • Understand what critical data you need to protect and where it is stored • Focus resources around protecting inside the perimeter • Layer defenses inside to slow down attackers • Monitor for unusual activity • Reduce your privileged user attack surface • Create, agree, and OWN a response plan Next Steps
  • 36.
    © 2012 NetIQCorporation. All rights reserved.36 NetIQ Can Help • Provide expertise and experience in Identity, Access Management and Security Management • Help reduce number of privileged users • Reduce and manage privileges • Monitor users and look for unusual activity • Provide visibility into access rights to critical resources • Harden systems against attackers
  • 37.
    © 2010 NetIQCorporation. All rights reserved. Security & Compliance Identity & Access Performance & Availability 3737 © 2010 NetIQ Corporation. All rights reserved. Our Areas of Focus and Expertise • Manage and audit user entitlements • Track privileged user activity • Protect the integrity of key systems and files • Monitor access to sensitive information • Simplify compliance reporting • Monitor and manage heterogeneous environments including custom applications • IT Service validation and end-user performance monitoring • Dynamic provisioning of large- scale monitoring with exceptions • Functional and hierarchical incident escalation • Deliver and manage differentiated service levels • User Provisioning Lifecycle Management • Centralize Unix account management through Active Directory • Reduce number of privileged users • Secure delegated administration • Windows and Exchange migration
  • 38.
    © 2010 NetIQCorporation. All rights reserved. Image Credits 38 http://commons.wikimedia.org/wiki/File:Calvin_ Coolidge,_bw_head_and_shoulders_photo_po rtrait_seated,_1919.jpg http://www.flickr.com/photos/seattlemunicipalar chives/4459827777 http://www.flickriver.com/photos/12567713@N 00/44514786/ http://garyckarntzen.deviantart.com/art/Chines e-Flag-Wallpaper-196092557 http://commons.wikimedia.org/wiki/File:Keith_ B._Alexander_official_portrait.jpg http://www.worth1000.com http://commons.wikimedia.org/wiki/File:Oppstilling-2.jpg http://en.wikipedia.org/wiki/File:Barney_Oldfield%27s_R ace_for_a_Life.jpg http://www.flickr.com/photos/crazyeddie/2916193420/ http://www.flickr.com/photos/mookitty/2375679549/ http://commons.wikimedia.org/wiki/File:IllegalFlowerTrib ute1.jpg

Editor's Notes

  • #3 Takes about 20 seconds to read aloud; pause that long Image Source: http://commons.wikimedia.org/wiki/File:Calvin_Coolidge,_bw_head_and_shoulders_photo_portrait_seated,_1919.jpg
  • #6 Advanced doesn’t necessarily mean futuristic; it means sophisticated or planned Image Source: http://www.flickr.com/photos/seattlemunicipalarchives/4459827777
  • #7 In it for the long haul; see the quote from Calvin Coolidge
  • #9 Summarize 3 previous slides Henry Ford of hacking – analogy to code re-use in software development They are professionals (may be helpful point to distinguish them against amateurs in subsequent slides)
  • #11 Image Source: http://garyckarntzen.deviantart.com/art/Chinese-Flag-Wallpaper-196092557
  • #12 Not all my attacks are state sponsored, but when they are…
  • #13 About 11 seconds to read… Image Source: http://commons.wikimedia.org/wiki/File:Keith_B._Alexander_official_portrait.jpg
  • #14 Well, the good ones look like everything else!
  • #15 A watering hole is what it sounds like – lots of people go there, often of necessity USB ---> Stuxnet anyone? http://blogs.cisco.com/security/watering-hole-attacks-an-attractive-alternative-to-spear-phishing/ http://en.wikipedia.org/wiki/Watering_Hole "The anonymity associated with posting the files and the whitelisting of the servers by enterprise perimeter-filtering technologies combine to make it a convenient tool for hosting the malicious content.“ http://www.darkreading.com/attacks-breaches/dropbox-wordpress-used-as-cloud-cover-in/240158057
  • #16 Not easy to spot: The intent speaks to the "A" in advanced -- the attackers aren't going to announce their intent. In start contrast to the picture, where the villain and his intent is obvious. http://news.yahoo.com/german-police-robbers-100-foot-tunnel-berlin-bank-220758307.html You’ll need monitoring, logging, etc. Transition in to phishing
  • #17 Use your mail client’s link “hover” feature – place the cursor over the link, but do not click it Most browsers have a “tool-tip” feature that shows the actual URL
  • #18 They look official! This one was lifted from Microsoft: http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx. “TrustedBank” is from Wikipedia: http://en.wikipedia.org/wiki/Phishing.
  • #19 Word cloud High % of topics: Postal, Banking, Tax, Urgency, Airline, Billing All airline confirmation express label statement alert copy fedex notification ticket banking delivery financial postal ups billing dhl invoice shipment urgency calculations document irs shipping usps
  • #20 What else? Are employees passing around USB drives or using Dropbox instead of authorized network shares?
  • #21 Tell them what a “zero day” is http://malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463
  • #23 Who has been compromised? Wait a sec! Google? Don’t they have a bunch of rocket surgeons working there? Yes, Google. Operation Aurora was a cyber attack conducted by advanced persistent threats such as the Elderwood Group based in Beijing, China, with ties to the People's Liberation Army.[1] First publicly disclosed by Google on January 12, 2010, in a blog post,[2] the attack began in mid-2009 and continued through December 2009.[3] http://en.wikipedia.org/wiki/Operation_Aurora Operation Aurora, http://en.wikipedia.org/wiki/Operation_Aurora Google Hack Attack Was Ultra Sophisticated, http://www.wired.com/threatlevel/2010/01/operation-aurora/ Inside The Aurora (Google Attack) Malware, http://threatpost.com/en_us/blogs/inside-aurora-google-attack-malware-011910 An Insight into the Aurora Communication Protocol, http://blogs.mcafee.com/mcafee-labs/an-insight-into-the-aurora-communication-protocol
  • #24 http://en.wikipedia.org/wiki/Operation_Shady_RAT Revealed: Operation Shady RAT, http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf The Truth Behind the Shady RAT, http://www.symantec.com/connect/blogs/truth-behind-shady-rat Operation Shady RAT, http://www.vanityfair.com/culture/features/2011/09/operation-shady-rat-201109 (Vanity Fair? Really?) Enter the Cyber-dragon, http://www.vanityfair.com/culture/features/2011/09/chinese-hacking-201109 (Vanity Fair? Again?) Operation Shady RAT, http://arstechnica.com/security/news/2011/08/operation-shady-rat-five-year-hack-attack-hit-14-countries.ars (Ars Technica -- I like their graphic) Shady Rat Attacks Hit 70 Organizations, 14 Countries, http://www.informationweek.com/news/security/attacks/231300108
  • #25 QinetiQ, defense contractor specializing in drones, attacked over a 7 year period http://mobile.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html
  • #28 Firewall, DMZ Intrusion detection, intrusion prevention This is the best Maginot Line picture I could find… The Maginot Line was a series of concrete fortifications along France’s border with Germany
  • #29 Firewall, DMZ Intrusion detection, intrusion prevention This is the best Maginot Line picture I could find… The Maginot Line was a series of concrete fortifications along France’s border with Germany
  • #30 Be able to recognize a threat or attack What is the plan? Recognize what is normal Leverage your human resources Automate what you can Log analysis Defense in depth