Targeted Defense for Malware & Targeted Attacks

© 2013 Imperva, Inc. All rights reserved.
Targeted Defense for Malware and
Targeted Attacks
Confidential1
Barry Shteiman
Senior Security Strategist

Contents
Confidential2
§  Compromised Insider
§  Incident Analysis
§  Anatomy of an Attack
§  Current Controls
§  Reclaiming Security

Compromised Insider
Confidential3
Defining the Threat Landscape

© 2013 Imperva, Inc. All rights reserved. Confidential4
“There are two types of companies: companies
that have been breached and companies that
don’t know they’ve been breached.”
Shawn Henry, Former FBI Executive Assistant Director
NY Times, April 2012

Insider Threat Defined
Confidential5
Risk that the access rights of a
trusted person will be used to view,
take or modify data or intellectual
property.
Possible causes:
§  Accident
§  Malicious intent
§  Compromised device

A person with no malicious
motivation who becomes an
unknowing accomplice of third
parties who gain access to their
device and/or user credentials.
6
Compromised Insider Defined
Confidential

Malicious Vs. Compromised Potential
Confidential7
1% < 100%
Source: http://edocumentsciences.com/defend-against-compromised-insiders

Look Who Made the Headlines
Confidential8
Hackers steal sensitive data related to a
planned 2.4B acquisition.
Hacker stole 4-million Social Security
numbers and bank account information from
state tax payers and businesses

Know Your Attacker
Confidential9
Governments
•  Stealing Intellectual Property (IP) and raw data, Espionage
•  Motivated by: Policy, Politics and Nationalism
Industrialized hackers
•  Stealing IP and data
•  Motivated by: Profit
Hacktivists
•  Exposing IP and data, and compromising the infrastructure
•  Motivated by: Political causes, ideology, personal agendas

What Attackers Are After
Confidential10
Source: Verizon Data Breach Report, 2013

Data & IP
11
Two Paths, One Goal
User with access
rights (or his/her
device)
Hacking (various) used
in 52% of breaches
Online
Application
Malware (40%)
Social Engineering (29%)
Servers 54%
Confidential
Users (devices) 71%
People 29%
Source: Verizon Data Breach Report, 2013

Incident Analysis
Confidential12
The South Carolina Data Breach

What Happened?
Confidential13
4M Individual Records Stolen in a Population of 5M
80%.

A Targeted Database Attack
Confidential14
12-Sept-12 -
14-Sept-12
Attacker steals the
entire database
27-Aug-12
Attacker logs in
remotely and
accesses the
database
13-Aug-12
Attacker steals
login credentials
via phishing email
& malware
29-Aug-12 -
11-Sept-12
Additional
reconnaissance,
more credentials
stolen

The Anatomy of an Attack
How Does It Work
15 Confidential

Anatomy of an Attack
Confidential16
Spear
Phishing

Confidential17
Spear
Phishing
C&C
Comm

Confidential18
Spear
Phishing
C&C
Comm
Data Dump
& Analysis

Confidential19
Spear
Phishing
C&C
Comm
Data Dump
& Analysis
Broaden
Infection

Confidential20
Spear
Phishing
C&C
Comm
Data Dump
& Analysis
Broaden
Infection
Main Data
Dump

Wipe
Evidence
Confidential21
Spear
Phishing
C&C
Comm
Data Dump
& Analysis
Broaden
Infection
Main Data
Dump

Searching on Social Networks…
Confidential22

…The Results
Confidential23

Next: Phishing and Malware
Confidential24
How easy is it?
§  A three-month BlackHole license,
with Support included, is US$700
Specialized Frameworks and Hacking tools, such as BlackHole
2.0, allow easy setup for Host Hijacking and Phishing.

Drive-by Downloads Are Another Route
Confidential25
September 2012 “iPhone 5 Images Leak” was caused by a
Trojan Download Drive-By

Cross Site Scripting Is Yet Another Path
Confidential26
Persistent XSS Vulnerable Sites provide the Infection Platform
GMAIL, June 2012
TUMBLR, July 2012

The Human Behavior Factor
Confidential27
Source: Google Research Paper “Alice in Warningland”, July 2013

Current Controls
Confidential28
Won’t the NGFW/IPS/AV Stop It?

What Are the Experts Saying?
Confidential29
“Flame was a failure for the antivirus industry. We really should have been able
to do better. But we didn’t. We were out of our league, in our own game.”
Mikko Hypponen, F-Secure, Chief Research Officer
Source: http://www.wired.com/threatlevel/2012/06/internet-security-fail/

Security Threats Have Evolved…
Confidential30
20132001
AntiVirus
Firewall
IPS
AntiVirus
Firewall
IPS
Sources: Gartner, Imperva analysis

Security Redefined
Confidential31
Forward Thinking

The DISA Angle
Confidential32
“In the past, we’ve all been about protecting our
networks—firewall here, firewall there, firewall
within a service, firewall within an organization,
firewalls within DISA. We’ve got to remove those
and go to protecting the data”
Lt. Gen. Ronnie Hawkins JR – DISA.
AFCEA, July 2012

Rebalance Your Security Portfolio
Confidential33

Assume You Can Be Breached
Confidential34

Incident Response Phases for Targeted Attacks
Confidential35
Reduce Risk
Prevent Compromise
Detection
Containment
Insulate sensitive
data
Password
Remediation
Device Remediation
Post-incident
Analysis
Size Up the Target
Compromise A User
Initial Exploration
Solidify Presence
Impersonate
Privileged User
Steal Confidential Data
Cover Tracks

www.imperva.com
36 Confidential

Targeted Defense for Malware & Targeted Attacks

More Related Content

Targeted Defense for Malware & Targeted Attacks

Editor's Notes