Targeted Attacks
DESCRIPTION
Imperva webinar, 7/16/2013 (updated 11/7/2013). Covers insider threats and the compromised/malicious insider problem.
TRANSCRIPT
Confidential © 2013 Imperva, Inc. All rights reserved.
Targeted Attacks
Barry Shteiman, Director of Security Strategy
Agenda
• Compromised Insider
• Incident Analysis
• Anatomy of an Attack
• Current Controls
• Reclaiming Security
Today’s Speaker - Barry Shteiman
• Director of Security Strategy
• Security Researcher working with the CTO office
• Author of several application security tools, including HULK
• Open source security projects code contributor
• CISSP
• Twitter: @bshteiman
Compromised Insider
Defining the Threat Landscape
“There are two types of companies: companies that have been breached and companies that don’t know they’ve been breached.”
Shawn Henry, Former FBI Executive Assistant Director, NY Times, April 2012
Insider Threat Defined
Risk that the access rights of a trusted person will be used to view, take or modify data or intellectual property.
Possible causes:
• Accident
• Malicious intent
• Compromised device
Compromised Insider Defined
A person with no malicious motivation who becomes an unknowing accomplice of third parties who gain access to their device and/or user credentials.
Malicious vs Compromised Potential
1% < 100%
Source: http://edocumentsciences.com/defend-against-compromised-insiders
Look who made the headlines
• Hackers steal sensitive data related to a planned 2.4B acquisition.
• Hacker stole 4 million Social Security numbers and bank account information from state taxpayers and businesses.
Evaluating Magnitude
Source: Verizon Data Breach Report, 2013
California 2012 Data Breach Report:
• More than half of the breaches were the result of intentional intrusions by outsiders or by unauthorized insiders.
Source: State of California Department of Justice, July 2013
Know your Attacker
Governments
• Stealing Intellectual Property (IP) and raw data, espionage
• Motivated by: Policy, politics and nationalism
Industrialized hackers
• Stealing IP and data
• Motivated by: Profit
Hacktivists
• Exposing IP and data, and compromising the infrastructure
• Motivated by: Political causes, ideology, personal agendas
What Attackers Are After
Source: Verizon Data Breach Report, 2013
Two Paths, One Goal (figure)
Goal: Data & IP
Path 1: the user with access rights (or his/her device), reached through Malware (40%) and Social Engineering (29%)
Path 2: the online application, reached through Hacking (various), used in 52% of breaches
Assets affected: Servers 54%, Users (devices) 71%, People 29%
Source: Verizon Data Breach Report, 2013
Incident Analysis
The South Carolina Data Breach
What Happened?
4M individual records stolen in a population of 5M (80%).
A Targeted Database Attack
13-Aug-12: Attacker steals login credentials via phishing email & malware
27-Aug-12: Attacker logs in remotely and accesses the database
29-Aug-12 - 11-Sept-12: Additional reconnaissance, more credentials stolen
12-Sept-12 - 14-Sept-12: Attacker steals the entire database
The Anatomy of an Attack
How does it work?
Anatomy of an Attack
• Spear Phishing
• C&C Comm
• Data Dump & Analysis
• Broaden Infection
• Main Data Dump
• Wipe Evidence
Searching on Social Networks…
…The Results
Next: Phishing and Malware
How easy is it? A three-month BlackHole license, with support included, is US$700.
Specialized frameworks and hacking tools, such as BlackHole 2.0, allow easy setup for host hijacking and phishing.
Drive-by Downloads Are Another Route
September 2012: the “iPhone 5 Images Leak” was caused by a drive-by Trojan download.
Cross Site Scripting Is Yet Another Path
Sites with persistent XSS vulnerabilities provide the infection platform:
• GMAIL, June 2012
• TUMBLR, July 2012
The Human Behavior Factor
Source: Google Research Paper “Alice in Warningland”, July 2013
Current Controls
Won't the NGFW/IPS/AV Stop It?
What Are the Experts Saying?
“Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”
Mikko Hypponen, F-Secure, Chief Research Officer
Source: http://www.wired.com/threatlevel/2012/06/internet-security-fail/
Security Threats Have Evolved… (figure comparing the security stack of 2001 with that of 2013: AntiVirus, Firewall, IPS)
Sources: Gartner, Imperva analysis
Security Redefined
Forward Thinking
The DISA Angle
“In the past, we’ve all been about protecting our networks—firewall here, firewall there, firewall within a service, firewall within an organization, firewalls within DISA. We’ve got to remove those and go to protecting the data”
Lt. Gen. Ronnie Hawkins Jr., DISA. AFCEA, July 2012
Rebalance Your Security Portfolio
Assume You Can Be Breached
Incident Response Phases for Targeted Attacks
Attacker steps:
• Size Up the Target
• Compromise a User
• Initial Exploration
• Solidify Presence
• Impersonate Privileged User
• Steal Confidential Data
• Cover Tracks
Response phases:
• Reduce Risk
• Prevent Compromise
• Detection
• Containment
• Insulate sensitive data
• Password Remediation
• Device Remediation
• Post-incident Analysis
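The South Carolina timeline and the Detection phase above make the same point: the attacker held valid credentials, so the perimeter controls saw a normal login, and the only place the intrusion was visible was in how the data was accessed (a remote login from a new location, then a full-database read weeks later). The following is an added example, not code from the webinar or from Imperva, of the kind of data-centric detection that point implies: it baselines each database user's normal activity from audit records, then flags later events that deviate from it. The audit log format, the user name, the IP addresses, the table names and all row counts are constructed for the example and are not real data; the thresholds (baseline cut-off date, 10x bulk-read factor) are arbitrary assumptions a real deployment would tune.

```python
"""Toy compromised-insider detector: valid credentials, abnormal data access.

Baselines each user's normal database activity from audit records, then
flags later events that deviate (new source address, new table, bulk read).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (hypothetical format, not real data). Fields:
# timestamp  user  source_ip  action  table  rows_returned
AUDIT_LOG = """\
2012-08-01T09:02:11 jsmith 10.20.1.15 SELECT taxpayers 24
2012-08-01T10:15:40 jsmith 10.20.1.15 SELECT taxpayers 8
2012-08-02T08:55:03 jsmith 10.20.1.15 SELECT returns 40
2012-08-03T11:20:17 jsmith 10.20.1.15 SELECT taxpayers 12
2012-08-27T23:41:09 jsmith 203.0.113.77 LOGIN - 0
2012-08-27T23:43:30 jsmith 203.0.113.77 SELECT taxpayers 50
2012-09-12T02:10:44 jsmith 203.0.113.77 SELECT taxpayers 3900000
2012-09-12T02:25:02 jsmith 203.0.113.77 SELECT bank_accounts 700000
"""

BASELINE_END = datetime(2012, 8, 15)  # assumption: activity before this is "normal"
BULK_FACTOR = 10                      # assumption: > 10x the user's usual max read


def parse_log(text):
    """Split whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, ip, action, table, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "action": action, "table": table, "rows": int(rows)})
    return events


def build_baseline(events, end):
    """Per user: source IPs seen, tables touched, largest read in the window."""
    base = defaultdict(lambda: {"ips": set(), "tables": set(), "max_rows": 0})
    for e in events:
        if e["ts"] >= end:
            continue
        b = base[e["user"]]
        b["ips"].add(e["ip"])
        if e["table"] != "-":          # LOGIN records carry no table
            b["tables"].add(e["table"])
        b["max_rows"] = max(b["max_rows"], e["rows"])
    return base


def detect(events, baseline, end):
    """Return (timestamp, user, reason) alerts for post-baseline deviations."""
    alerts = []
    for e in events:
        if e["ts"] < end:
            continue
        b = baseline.get(e["user"])    # .get() does not create a default entry
        if b is None:
            alerts.append((e["ts"], e["user"], "unknown_user"))
            continue
        if e["ip"] not in b["ips"]:
            alerts.append((e["ts"], e["user"], "new_source_ip"))
        if e["table"] != "-" and e["table"] not in b["tables"]:
            alerts.append((e["ts"], e["user"], "new_table:" + e["table"]))
        if e["rows"] > BULK_FACTOR * b["max_rows"]:
            alerts.append((e["ts"], e["user"], "bulk_read"))
    return alerts


def run(text=AUDIT_LOG, end=BASELINE_END):
    """Parse, baseline and detect in one call; returns the alert list."""
    events = parse_log(text)
    return detect(events, build_baseline(events, end), end)


if __name__ == "__main__":
    for ts, user, reason in run():
        print(ts.isoformat(), user, reason)
```

On the constructed log the remote login on 27 August is already flagged as a new source address, and the reads on 12 September are flagged both as bulk reads and, for the second one, as access to a table the user had never touched. Each alert corresponds to a timeline entry that perimeter tools could not distinguish from a legitimate session, which is why the deck argues for placing controls at the data.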
Post-Webinar Discussions
Join the Imperva LinkedIn Group, Imperva Data Security Direct, for answers to attendee questions, the webinar recording link and webinar materials.
Questions?
www.imperva.com
Thank You!