
How to address complex cybersecurity needs with a straightforward process

Roberto Semperboni, Presales Manager, Kaspersky Lab


Facts About Us


The scale of the Threat

Our Research: how fast new malware arrives

• 1994: 1 new virus every hour
• 2006: 1 new virus every minute
• 2011: 1 new virus every second
• 2018: 360,000 new samples every day

The nature of the Threat

Look for the solutions with the highest prevention ratio

• 90%: generic malware
• 9.9%: targeted attacks and advanced malware
• 0.1%: advanced persistent threats and cyber-weapons

Two solution classes cover this range: advanced automated prevention platforms and advanced detection solutions.

Attack Surface is Increasing

• Smart camera
• Smart light
• Smart socket
• Smart TV
• Washing machine
• SCADA
• PLC

Single Automation tool for network and endpoint data analysis and incident response

Processing pipeline, all managed through a single web interface:

• Data collection & normalization
• Data storage
• Threat discovery
• Incident prioritization
• Incident investigation
• Incident response

Detection technologies applied to the collected data:

• IDS
• YARA rules
• Android files analysis
• Anti-malware engine
• Threat Intelligence
• Behavior analysis
• Certcheck
• URL reputation
• Sandboxing
• IoC-scan

Identifying a Modern Threat is a Complex Work

• SIEM, SOC, expert services
• Threat Intelligence Portal access
• Security Training for the SIEM/SOC team
• Threat Data Feeds
• Emergency Incident Response
• CEF, Syslog
• Additional Expertise & Intelligence
• Additional Automation, Relevant context and Visibility

Publicly Known Incidents

• 2016, attack on a water treatment plant in the USA: the chemical mix for tap supplies was changed
• 2015 (+2016), attack on the electric grid in Ukraine: 225,000 customers lost power across various areas
• 2014, attack on a steel mill in Germany: the furnace was forced to shut down improperly, resulting in unexpected conditions and physical damage
• 2010, attack on nuclear enrichment facilities in Iran: destroyed uranium enriching centrifuges and ruined the nuclear program
• 2017, a former employee hacked a paper factory in the USA, causing more than $1M in damage

APT x – Reconnaissance

Attacker side: Tailored Threat Intelligence Reporting, a snapshot of current and anticipated threats to the specific organization or country within the reporting time-frame.

Target side:

• Discover weaknesses
• Identify useful information
• Find tech vulnerabilities
• ICS: research device and process exploitation
• Mostly by using passive techniques

Tailored Threat Intelligence Reporting

Kaspersky Lab Knowledge Base:

• Malware Samples Analysis
• Botnet and Phishing Tracking
• APT Intelligence Reports
• Sinkhole and Malware Servers
• Threat Data Feeds

Surface, Deep and Dark Web:

• Cybercriminal Activity
• Data and Credential Leaks
• Malicious Insiders
• Employees on Social Media
• OSINT

Your Unstructured Data, Online Infrastructure, Intellectual Property, Company Domains

Network Perimeter External Inventory:

• Available Services
• Services Fingerprinting
• Vulnerabilities Identification
• Exploit Analysis
• Scoring and Risk Analysis

Deliverables:

• Network Perimeter External Inventory Report with Strategic, Operational and Tactical Threat Intelligence
• Malware Activity
• Tailored Campaigns by Region, Industry or Customer
• Early Warnings
• Inventory and Vulnerabilities
• Tailored Vulnerability and Exploit Analysis

APT x – Reconnaissance (continued)

Attacker side:

• Tailored Threat Intelligence Reporting: a snapshot of current and anticipated threats to the specific organization or country within the reporting time-frame
• Kaspersky® APT Reporting: exclusive access to descriptions of high-profile cyber-espionage campaigns, including Indicators of Compromise (IOCs) and YARA rules

Target side:

• Discover weaknesses
• Identify useful information
• Find tech vulnerabilities
• In case of ICS: device and process exploitation
• Mostly by using passive techniques

APT Threat Intelligence Reporting Content

• Executive summary
• C-level oriented information
• Conclusions and recommendations
• Indicators of compromise
• Deep technical analysis
• Attack methods
• Exploits used
• Malware description
• C&C infrastructure and protocols description
• Victim analysis
• Data exfiltration analysis
• Attribution

APT x – Reconnaissance (continued)

Attacker side:

• Tailored Threat Intelligence Reporting: a snapshot of current and anticipated threats to the specific organization or country within the reporting time-frame
• Kaspersky® APT Reporting: exclusive access to descriptions of high-profile cyber-espionage campaigns, including Indicators of Compromise (IOCs) and YARA rules
• Kaspersky® Security Assessment: identifying the weakest point in your infrastructure to avoid the financial, operational and reputational damage caused by a cyberattack

Target side:

• Discover weaknesses
• Identify useful information
• Find tech vulnerabilities
• In case of ICS: device and process exploitation
• Mostly by using passive techniques

Security Assessment services:

• Penetration Testing
• Application Security Assessment
• Telecommunication Networks Security Assessment
• ATM/POS Security Assessment
• Red Teaming
• ICS Security Assessment

APT x – Delivery

Attack chain step: Installed Backdoor

Countermeasure: Kaspersky® Cybersecurity Awareness Training, for Senior Managers, Line Managers, IT Security Officers and All Employees. Training and simulated phishing attacks cover:

• Email / phishing
• Web browsing
• Passwords
• Social networks & messengers
• PC security
• Mobile devices
• Confidential data
• Personal data
• GDPR
• Social engineering
• Security at home and on travel

APT x – Intrusion/Execution

Attack chain: Installed Backdoor, New backdoor (Persistence), New C&C server (C&C Server), Data Wiper, Launcher

Countermeasure: Kaspersky® Threat Management and Defense

KTMD - Solution Overview

KATA/KEDR data flow:

• Data acquisition: telemetry from endpoints, network metadata
• Collected data: data normalization and analysis, retrospective data, verdicts
• Global Threat Intelligence Data
• Output: relevant incident

Detection layers: network detection, sandbox detection

Background - Black Energy 3

On December 23, 2015, the Ukrainian Kyivoblenergo, a regional electricity distribution company, reported service outages to customers. The outages were due to a third party’s illegal entry into the company’s computer and SCADA systems: starting at approximately 3:35 p.m. local time, seven 110 kV and 23 35 kV substations were disconnected for three hours*

* SANS Analysis of the Cyber Attack on the Ukrainian Power Grid

“$RR143TB.doc” (md5: e15b36c2e394d599a8ab352159089dd2) used in the attack


Industroyer

• In late 2016, power systems in Ukraine suffered a new cyberattack
• Experts believe that specially crafted phishing emails may have been used
• At the time it was discovered by researchers, the malware had been fully deployed on the target system and was providing the attackers with a remote access channel
• A single 330 kV to 110 kV to 10 kV electrical substation belonging to the Ukrenergo utility and serving the northern part of Kiev was attacked, causing more relevant power outages than the Black Energy 2015 attack

APT x – ICS attack

Attack chain: Installed Backdoor, New backdoor (Persistence), New C&C server (C&C Server), Data Wiper, Launcher. The Launcher loads one of the ICS protocol payloads: 101 payload (IEC 60870-5-101), 104 payload (IEC 60870-5-104), 61850 payload (IEC 61850), OPC DA payload.

Countermeasures at each stage:

• Kaspersky® Cybersecurity Awareness Training
• Kaspersky® Threat Management and Defense
• Kaspersky® Industrial Cyber Security

KICS - Solution Components

LET’S TALK?

Kaspersky Lab: www.kaspersky.com, Securelist.com, Threatpost.com