
Anatomy Of A Breach And The Threat Landscape


Presentation Transcript


  1. Anatomy Of A Breach And The Threat Landscape
     Larry Chin, CISA, CISSP, Sr. Security Architect
     Moderator: Eric Green, program director, SC World Congress

  2. Symantec Global Intelligence Network and Presence
     • 4 MSS Security Operations Centers
     • 29 Global Support Centers
     • 11 Security Research Centers
     • Locations: Gothenburg, Sweden; Aschheim, Germany; Wiesbaden, Germany; Calgary, Alberta, Canada; Ratingen, Germany; Dublin, Ireland; Warsaw, Poland; Roseville, MN; Shannon, Ireland; Seattle, WA; Bloomfield Hills, MI; Toronto, Canada; Zaltbommel, Netherlands; Reading (Green Park), UK; Milan, Italy; Springfield, OR; Brussels, Belgium; Englewood, CO; Newton/Waltham, MA; Seoul, South Korea; San Francisco, CA; Herndon, VA; Beijing, China; Madrid, Spain; Oak Brook, IL; Mountain View, CA; Tokyo, Japan; Orem, UT; Durham, NC; Cupertino, CA; Chengdu, China; Atlanta, GA; Shanghai, China; Dallas, TX; Santa Monica, CA; Dubai, UAE; Riyadh, Saudi Arabia; Heathrow, FL; Houston, TX; Alexandria, VA; San Luis Obispo, CA; Austin, TX; Miami, FL; Taipei, Taiwan; Culver City, CA; Mumbai, India; Hong Kong, China; Mexico City, Mexico; Pune, India; Singapore; Chennai, India; Brisbane, Australia; São Paulo, Brazil; Sandton, South Africa; Buenos Aires, Argentina; Melbourne, Australia; Sydney, Australia
     • Vulnerabilities: 32,000+ vulnerabilities; 11,000 vendors; 72k technologies
     • Malcode Intelligence: 130M+ clients, servers, gateways
     • Spam/Phishing: 2.5M decoy accounts; 8B+ emails analyzed daily
     • Attack Activity: 240,000 sensors; 200+ countries
     • Government – Commercial – Consumer

  3. Sources Of A Breach
     • Well-Meaning Insider
     • Malicious Insider
     • Organized Criminal

  4. Stages Of A Breach

  5. Prelude to a Breach: Poorly Protected Infrastructure

  6. Prelude to a Breach: Lack of IT Policies

  7. Prelude to a Breach: Poorly Protected Information

  8. Prelude to a Breach: Poorly Managed Systems

  9. Overarching Themes: 2009 – 1st Half 2010
     • Regionally targeted attacks are on the rise
     • PDF and client-side vulnerabilities
     • Misleading applications
     • Targeted attacks
     • Social media (social networking sites)

  10. Cyber security: 2009 by the numbers
     • 3.2 billion attacks blocked
     • 240 million new malware variants, double the number of variants observed in 2008
     • 4,501 core OS and application vulnerabilities, down 18% from 2008

  11. Threat Trends: Top Concerns – Major shifts over 2009 – 1st half 2010
     • 37% of data breaches caused by theft/loss, 26% insecure policies, 15% hacking, 9% insiders
     • From 3–5 day attack timelines (e.g. Sobig, Blaster, Nimda) to long-term campaigns (e.g. Vundo, FakeAV, Mebroot)
     • Constant monitoring, hundreds of definition updates, third-party cooperation, source acquisition
     (Chart: Top 10 New File Submissions to SPS, 2009 – 1st Half 2010)

  12. Regional Threats – Threats are increasingly locally focused
     • Banking Trojans in Brazil, game key stealers in Asia
     • Derivatives of globally exposed attacks adapted for local environments (e.g. Mebroot --> Trojan.Mebratix)
     • Functionality is often better than the original; samples can be difficult to keep up with
     • Ping volumes are low, but attack volume is increasing
     • Global companies require regional vigilance over security policies and technologies
     • Reputation security can help short-circuit potentially slower response times
     (Charts, pings per day: Winny virus – Japan; Trojan.Mebratix; Panda virus – China)

  13. Vulnerabilities: Exploiting PDF – Web-based attacks
     • Drive-by downloads: CY2008 -> 18 million blocked; CY2009 -> 51 million blocked (+65%)
     • PDF attacks are up 15% since 2008 and account for half of all web-based attacks
     • Attackers are exploiting the PDF reader as well as 3rd-party apps that render PDF files, which is easier than infecting each file itself
     • Now being seen as part of targeted attacks
     • Attackers are leveraging the complexity of Flash or JS within PDF (Trojan.Pidef)
     (Charts: AV pings per day for PDF; IPS pings per day for PDF)
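The last bullet is the one a gateway can act on: JavaScript, Flash/rich media and launch actions announce themselves as PDF name objects. The triage check below is an added example written for this page (not Symantec's or the presenter's code); it scans a file's raw bytes and its FlateDecode streams for those names, decoding #xx-escaped names as the PDF spec allows. The sample document, the name set and the block/review/allow policy are constructed assumptions.

```python
import re
import zlib

# PDF name objects that mark active or embedded content (names from the PDF 1.7 spec).
# Their presence is a triage signal, not proof of malice; the policy below is an assumption.
SUSPICIOUS = {"/JavaScript", "/JS", "/RichMedia", "/Launch", "/OpenAction", "/AA", "/EmbeddedFile"}
ACTIVE = {"/JavaScript", "/JS", "/RichMedia", "/Launch"}  # content that can execute
TRIGGER = {"/OpenAction", "/AA"}                           # fires without a user click

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_NAME_TOKEN = re.compile(rb"/[^\s/<>\[\]()%{}]+")
# Stream dictionary with a direct /Length; the body starts right after "stream\n".
_STREAM_START = re.compile(rb"/Length\s+(\d+)\b[^>]*>>\s*stream\r?\n")

def normalize_name(token: bytes) -> str:
    """Decode #xx escapes, which the spec allows in any name (/J#61vaScript == /JavaScript)."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token).decode("latin-1")

def _inflated_streams(data: bytes):
    # Yield the bodies of FlateDecode streams; streams that are not zlib data are skipped.
    for m in _STREAM_START.finditer(data):
        try:
            yield zlib.decompress(data[m.end(): m.end() + int(m.group(1))])
        except zlib.error:
            continue

def triage_pdf(data: bytes) -> dict:
    """Count suspicious names in the raw bytes and inside every inflated stream."""
    hits = {}
    for blob in [data, *_inflated_streams(data)]:
        for m in _NAME_TOKEN.finditer(blob):
            name = normalize_name(m.group(0))
            if name in SUSPICIOUS:
                hits[name] = hits.get(name, 0) + 1
    return hits

def verdict(hits: dict) -> str:
    """Assumed policy: executable content wired to an auto-run trigger is blocked, any other marker is reviewed."""
    if ACTIVE & set(hits) and TRIGGER & set(hits):
        return "block"
    return "review" if hits else "allow"

def build_sample_pdf() -> bytes:
    """Constructed test file (not a real sample, not spec-complete): /OpenAction points at a
    Flate-compressed object whose /JavaScript name is hex-escaped, so a plain string search fails."""
    body = zlib.compress(b"<< /S /J#61vaScript /JS (benign placeholder) >>")
    head = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\nstream\n")
    return head + body + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
```

Streams whose /Length is an indirect reference, and objects packed into object streams with other filters, are not inflated here; a production scanner would resolve those before deciding a file is clean.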

  14. Misleading Applications: Top Concerns – Major trends for 2009 – 1st half 2010
     • Scareware or rogueware
     • The #1 enterprise-submitted threat over the last 12 months
     • Multitude of propagation methods
     • Most infections are from intermediate files (e.g., Zlob, FakeAVAlert) rather than misleading applications
     • All components change quickly, including domains and EXEs

  15. Misleading Applications – How do they get on your machine?
     • Torrent and p2p files that are malicious EXEs bound to legitimate files
     • Spammed-out emails with links
     • Blogs, social networking sites, comment areas (e.g. YouTube) and forums are spammed with links to adult videos and other supposed content
     • Sites hosting exploits
     • Hijacked (Google) search results via sites exploited with search terms via SQL injection
     • Banner ads and malicious ads that cause pop-up windows
     • Postings to auction sites (e.g. eBay)
     • Pirated software and pornography sites
     • Many of these initial vectors first lead to an intermediate site

  16. Targeted Attacks – What and who are they targeting?
     • Targeted attacks focus on enterprises but leverage social media sites
     • These threats remain undetected to penetrate deep into the network
     • Key personnel are targeted and sent information related to their business activities via email and instant messaging
     • Attackers then perform reconnaissance and obtain key intellectual property and classified information
     (Charts: Targeted Organizations; Targeted Individuals. Based on a Symantec study of a random selection of targeted Trojan attacks from the second half of 2009)

  17. Social Media Attacks – Koobface at a Glance
     • Originally observed in August 2008
     • Large sample volume, roughly 20k or more across different variants
     • Early samples propagated through Twitter accounts and Facebook cookies, resulting in a misleading app download
     • Recent variants create Blogspot accounts with top news stories; the user is then redirected to a malicious site and tricked into downloading a fake Flash update
     • Expect social media attacks to become more pervasive, with added focus on corporate networking sites, e.g. LinkedIn, Spokeo, Socialcast, etc.
     (Chart: AV pings per day for Koobface)

  18. An Integrated, Strategic Approach to Enterprise Security Management (TCO)
     (Diagram; labels recovered from the slide.)
     • Pillars: Protection (Data / Information / Intellectual Property); Monitoring; Policy / Procedure (Internal and External; Compliance & Audit); Workflow; Logs
     • Controls: Workstation Config & Security; Servers Config & Security; Web Security; Mail Security; Data Protection & Backup; Workstation Management; Server Management; Service & Asset Mgmt.; User Awareness; Proactive Measures; Log Collection From All Systems; Reporting; Standards, Legislation, Regulations (PCI, SOX etc.)
     • Threats and outcomes: Web-Borne Threats; Spam, Phishing, Trojans etc.; Endpoint Compromise; Enterprise Compromise; Confidential Info Loss
     • Cost of gaps: Lack of Standardization, ↑ operational costs; Excessive SW/HW Costs, No Asset Mgmt., ↑ support costs; ↑ TCO, LOE & support cost, ↓ levels of control and security; No Log Aggregation & Correlation for Reporting; Flawed Operations, Liability, Data Loss; No Ability to Mitigate Impact of New Threats; Unplanned outages, data loss, ↑ operational costs; No Operational Visibility; Legal Action & Financial Penalties

  19. Summary
     • The “arms” race continues
     • Long-term threat campaigns will continue to evolve
     • Customers need to enable, configure and monitor newer technologies now and in the upcoming release of Amber
     • Be cautious about how and why social media sites are used
     • More than ever, people are entrenched in doing everything online
     • It only takes one social connection
     • Patch! Patch! Patch!
     • Re-evaluate device security policies regularly

  20. Thank You
