How to address complex cybersecurity needs with a straightforward process
Roberto Semperboni, Presales Manager, Kaspersky Lab
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2018: 360,000 new samples every day
The scale of the Threat
Look for the solutions with the highest prevention ratio
0.1%: Advanced persistent threats and cyber-weapons
9.9%: Targeted attacks and advanced malware
90%: Generic malware
Advanced detection solutions (targeted attacks and APTs); advanced automated prevention platforms (generic malware)
The nature of the Threat
Smart camera, Smart light, Smart socket, Smart TV, Washing machine, SCADA, PLC
Attack Surface is Increasing
Pipeline: Data collection & Normalization → Data storage → Threat Discovery → Incident Prioritization → Incident Investigation → Incident Response, all through a Single Web interface
Detection technologies: IDS; YARA rules; Android files analysis; Anti-malware engine; Threat Intelligence; Behavior analysis; Certcheck; URL reputation; Sandboxing; IoC-scan
Single Automation tool for network and endpoint data analysis and incident response
SIEM / SOC integration (CEF, Syslog): Additional Automation, Relevant context and Visibility
Expert services (Additional Expertise & Intelligence): Threat Intelligence Portal access; Security Training for SIEM/SOC team; Threat Data Feeds; Emergency Incident Response
Identifying a Modern Threat is a Complex Work
2016, attack on water treatment plant in USA: chemical mix changed for tap supplies
2015 (+2016), attack on Electric Grid in Ukraine: 225,000 customers lost power across various areas
2014, attack on Steel Mill in Germany: the furnace was forced to shut down improperly, resulting in unexpected conditions and physical damage
2010, attack on nuclear enrichment facilities in Iran: destroyed uranium enriching centrifuges, ruined nuclear program
2017, former employee hacked paper factory in USA, causing more than $1M damage
Publicly Known Incidents
Attacker
Tailored Threat Intelligence Reporting: a snapshot of current and anticipated threats to the specific organization or country within the reporting time-frame
Target
Discover weaknesses; Identify useful information; Find tech vulnerabilities; ICS: research device and process exploitation; Mostly by using passive techniques
APT x – Reconnaissance
Kaspersky Lab Knowledge Base: Malware Samples Analysis; Botnet and Phishing Tracking; APT Intelligence Reports; Sinkhole and Malware Servers; Threat Data Feeds
Surface, Deep and Dark Web: Cybercriminal Activity; Data and Credential Leaks; Malicious Insiders; Employees on Social Media; OSINT
Your Unstructured Data: Online Infrastructure; Intellectual Property; Company Domains
Network Perimeter External Inventory: Available Services; Services Fingerprinting; Vulnerabilities Identification; Exploit Analysis; Scoring and Risk Analysis
Report with Strategic, Operational and Tactical Threat Intelligence: Malware Activity; Tailored Campaigns by Region, Industry or Customer; Early Warnings; Inventory and Vulnerabilities; Tailored Vulnerability and Exploit Analysis
Tailored Threat Intelligence Reporting
Attacker
Tailored Threat Intelligence Reporting: a snapshot of current and anticipated threats to the specific organization or country within the reporting time-frame
Kaspersky® APT Reporting: exclusive access to descriptions of high-profile cyber-espionage campaigns, including Indicators of Compromise (IOCs) and YARA rules
Target
Discover weaknesses; Identify useful information; Find tech vulnerabilities; In case of ICS: device and process exploitation; Mostly by using passive techniques
APT x – Reconnaissance
Executive summary: C-level oriented information; Conclusions and recommendations
Indicators of compromise
Deep technical analysis: Attack methods; Exploits used; Malware description; C&C infrastructure and protocols description; Victim analysis; Data exfiltration analysis; Attribution
APT Threat Intelligence Reporting Content
Attacker
Tailored Threat Intelligence Reporting: a snapshot of current and anticipated threats to the specific organization or country within the reporting time-frame
Kaspersky® APT Reporting: exclusive access to descriptions of high-profile cyber-espionage campaigns, including Indicators of Compromise (IOCs) and YARA rules
Security Assessment: identifying the weakest point in your infrastructure to avoid the financial, operational and reputational damage caused by a cyberattack
Target
Discover weaknesses; Identify useful information; Find tech vulnerabilities; In case of ICS: device and process exploitation; Mostly by using passive techniques
APT x – Reconnaissance
Kaspersky® Security Assessment: Penetration Testing; Application Security Assessment; Telecommunication Networks Security Assessment; ATM/POS Security Assessment; Red Teaming; ICS Security Assessment
Security Assessment
Installed Backdoor
Kaspersky® Cybersecurity Awareness Training: Kaspersky Cybersecurity Awareness for Senior Managers, Line Managers, IT Security Officers and All Employees; training and simulated phishing attacks covering:
• Email / phishing
• Web browsing
• Passwords
• Social networks & messengers
• PC security
• Mobile devices
• Confidential data
• Personal data
• GDPR
• Social engineering
• Security at home and on travel
APT x – Delivery
Intrusion chain: Installed Backdoor; New backdoor; Persistence; New C&C server; C&C Server; Data Wiper; Launcher
Kaspersky® Threat Management and Defense
APT x – Intrusion/Execution
KATA/KEDR
Data Acquisition (Telemetry from Endpoints; Network Metadata) → Collected Data → Data normalization and analysis, enriched with Global Threat Intelligence Data → Verdicts and Retrospective data → Relevant incident
KTMD - Solution Overview
On December 23, 2015, the Ukrainian Kyivoblenergo, a regional electricity distribution company, reported service outages to customers. The outages were due to a third party’s illegal entry into the company’s computer and SCADA systems. Starting at approximately 3:35 p.m. local time, seven 110 kV and 23 35 kV substations were disconnected for three hours*
* SANS Analysis of the Cyber Attack on the Ukrainian Power Grid
“$RR143TB.doc” (md5: e15b36c2e394d599a8ab352159089dd2) used in the attack
Background - Black Energy 3
In late 2016, power systems in Ukraine suffered a new cyberattack
Experts believe that specially crafted phishing emails may have been used
At the time it was discovered by researchers, the malware had been fully deployed on the target system and was providing the attackers with a remote access channel
A single 330 kV to 110 kV to 10 kV electrical substation belonging to the Ukrenergo utility and serving the northern part of Kiev was attacked, causing more relevant power outages than the Black Energy 2015 attack
Industroyer
Intrusion chain: Installed Backdoor; New backdoor; Persistence; New C&C server; C&C Server; Data Wiper; Launcher; 101 payload; 104 payload; 61850 payload; OPC DA payload
Kaspersky® Cybersecurity Awareness Training
Kaspersky® Threat Management and Defense
Kaspersky® Industrial Cyber Security
APT x – ICS attack