Date post: | 07-Aug-2015 |
Category: | Technology |
Upload: | abhinav-biswas |
Information Technology Services Division , ITSD
Insights Into Modern Day Threat Protection
ECIL
- Abhinav Biswas, ECIL Hyderabad
Agenda
- Basic Terminologies
- Contemporary Threat Environment: Corporate Threat Landscape
- Advanced Persistent Threats (APT): Multi-Phase (7 Stage Model)
- Traditional Defense Mechanism: Signature Based (Known threats)
- Advanced Threat Protection (ATP): Analytics based (Sandboxing & GTI)
- Security Information & Event Management (SIEM) Systems: Log Correlation & Big Data Analysis
- Vulnerability Assessment & Penetration Testing: Nessus, Acunetix
- Security Guidelines for End Users
Terminologies
Spyware - Gathers information secretly and sends it to another entity without the user's consent.
Ransomware - Blocks access to your PC or your files until you pay a certain amount of money (the ransom).
e.g. Encryption Ransomware such as CryptoLocker
Social Engineering - Psychological manipulation of people into performing actions or divulging confidential information.
Phishing / Spear-Phishing - Attempting to acquire information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Spear-phishing is the targeted variant, tailored to a specific person or organisation.
Vishing - Voice phishing: the same deception carried out over a telephone or VoIP call.
Vulnerability - A weakness which allows an attacker to reduce a system's information assurance.
Threat - A possible danger that might exploit a vulnerability to breach security and thus cause harm.
Exploit - A piece of software or a sequence of commands that takes advantage of a bug or vulnerability.
Attack - An attempt to destroy, expose, alter, disable, steal, gain unauthorized access to, or make unauthorized use of an asset.
(A Threat realized by using an Exploit against a Vulnerability is an Attack.)
Event - An observable change to the normal behavior of a system, environment, process, workflow or person.
Incident - An event that harms, or threatens to harm, the confidentiality, integrity or availability of an asset and that can be traced to a root cause. All incidents are events, but many events are not incidents.
(An Attack typically shows up as a series of related security incidents.)
Contemporary Threat Environment
Rise in coordinated advanced cyber attacks such as:
- Advanced Persistent Threats (APT)
- Zero-day Attacks (ZDA)
- Smart Mobile Malware (SMM)
- Web-based Plug-in Exploits (WPE)
New avenues for cyber-fraud:
- Free availability of root-kits, spambots, phishing tools etc.
- Digital currencies (Bitcoin) & anonymous payment services
State-sponsored data exfiltration attacks against strategic government institutions.
Challenges due to new technologies and needs: polymorphism, dynamic URLs, virtualization, cloud, smartphones/mobiles, social sites, BYOD, Internet of Things (IoT/IPv6).
Advanced Persistent Threats (APT)
[Figure: 7 Stage Process - Recon -> Lure -> Redirect -> Exploit Kit -> Dropper File -> Call Home -> Data Theft]
Traditional & Advanced Threats
Traditional Threats                                  | APTs
-----------------------------------------------------|----------------------------------------------------------------
Signature based                                      | Zero-day: no signature; detection must be rule/behaviour based
Reactive response                                    | Proactive / predictive / adaptive response
Opportunistic / generic attack                       | Targeted / customized attack
Visible                                              | Stealthy, low-flying
Short-term & bursty                                  | Long-term & persistent
Static - relatively easy to detect (by signature)    | Polymorphic - can take months to detect (no fixed pattern)
Getting attention / bragging is the motive           | Data exfiltration & disruption of services is the motive
Limited resources (people, money, technologies)      | Sponsored by nation states - large number of quality resources
E.g. common cold                                     | E.g. cancer
Victims funneled to the Web
[Figure: attack vectors (Social Media, Mobile, Web Redirects, Phishing, XSS) funnel victims to the Web, where Recon, Exploit Kits, Dropper Files, Malware and CnC take over]
Watering Hole Attacks
1a) Identify the target organisation.
1b) Determine the browsing habits of its users.
2) Select a website the targets visit regularly (their "watering hole").
3) Compromise that website and host exploits on it.
4) Drop malware onto the machines of visitors.
5) Determine each victim's profile to confirm they belong to the intended target.
6) Wait for an opportunity to further compromise the organisation from the foothold gained.
Attack on ADSL Routers
[Figure: Customer <-> vulnerable ADSL router <-> Internet; Attacker; Rogue DNS Server]
1) The attacker scans the Internet for DSL routers and logs onto the admin console via the WAN interface, either by exploiting vulnerabilities in the router firmware or configuration flaws (such as default credentials or WAN-side administration left enabled), or by infecting a computer connected behind the router.
2) The attacker changes the DNS server entries in the modem to rogue DNS servers and changes the admin password of the DSL router so the owner cannot easily undo the change.
3) Every device behind the router now resolves names through the rogue servers, which can redirect banking or webmail domains to attacker-controlled hosts.
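A check for the symptom this attack leaves behind, as an added example that is not from the original slides: it flags configured resolvers outside the ranges the ISP or corporate network is expected to hand out, a resolver that answers for a name that cannot exist, and answers for sensitive domains that disagree with an independent trusted resolver. The expected ranges, the probe name, the domain names and all recorded answers are constructed assumptions; in practice the answer sets come from querying both resolvers.

```python
"""Detecting the rogue-DNS symptom of the ADSL router attack (added example).
Expected resolver ranges, the probe name and all recorded answers are constructed."""
import ipaddress

# Resolvers the ISP or corporate DHCP is expected to hand out (assumed ranges).
EXPECTED_DNS = [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("10.0.0.53/32")]
# A name that must not exist anywhere; a resolver that answers it is synthesising records.
PROBE_NAME = "nx-probe-7f3a9.example"

def unexpected_resolvers(configured, expected=EXPECTED_DNS):
    """Resolver addresses read from the router/DHCP lease that fall outside the expected ranges."""
    return [s for s in configured if not any(ipaddress.ip_address(s) in net for net in expected)]

def answer_mismatches(router_answers, trusted_answers):
    """Names whose A records via the router's resolver share nothing with an independent trusted resolver."""
    mismatched = {}
    for name, trusted in trusted_answers.items():
        if not trusted:              # trusted resolver says NXDOMAIN; that case is covered by the probe check
            continue
        seen = set(router_answers.get(name, ()))
        if seen and not (seen & set(trusted)):
            mismatched[name] = {"router": sorted(seen), "trusted": sorted(trusted)}
    return mismatched

def hijack_indicators(configured_dns, router_answers, trusted_answers):
    """Combine the three checks into a list of (indicator, evidence) pairs; an empty list means nothing found."""
    indicators = []
    rogue = unexpected_resolvers(configured_dns)
    if rogue:
        indicators.append(("unexpected_resolver", rogue))
    if router_answers.get(PROBE_NAME):
        indicators.append(("answers_nonexistent_name", router_answers[PROBE_NAME]))
    mismatches = answer_mismatches(router_answers, trusted_answers)
    if mismatches:
        indicators.append(("answer_mismatch", mismatches))
    return indicators

# Constructed observations: DNS servers read from the router, and A records obtained by
# querying the same names through the router's resolver and through a trusted one.
CONFIGURED_DNS = ["203.0.113.5", "198.51.100.53"]
ROUTER_ANSWERS = {"bank.example": ["203.0.113.9"], "intranet.example": ["10.0.0.20"], PROBE_NAME: ["203.0.113.9"]}
TRUSTED_ANSWERS = {"bank.example": ["198.51.100.80", "198.51.100.81"], "intranet.example": ["10.0.0.20"], PROBE_NAME: []}

if __name__ == "__main__":
    for indicator, evidence in hijack_indicators(CONFIGURED_DNS, ROUTER_ANSWERS, TRUSTED_ANSWERS):
        print(indicator, evidence)
```

Compare answer sets rather than single addresses, and restrict the mismatch check to domains whose records you control or know well: CDN-fronted sites legitimately return different A records per location, so a bare mismatch alone is not proof of hijacking. The resolver-range and nonexistent-name checks do not have that problem.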
Traditional Defense Mechanism
1. PRIMARILY BASED ON SIGNATURE & REPUTATION - Signature history cannot keep up with the dynamic future of threats.
2. LACK OF REAL-TIME INLINE CONTENT ANALYSIS - No byte-range data packet analysis for data loss / theft detection.
3. FORWARD FACING ONLY, LACK OUTBOUND PROTECTION - No contextual analysis of internal threats.
4. LACK OF ADVANCED ANALYTICS & ANOMALY DETECTION - No sandboxing in existing UTMs and NGFWs; no SSL packet inspection.
Defense in Depth Architecture (diagram slide; figure not reproduced in this extract)
Threat Landscape (diagram slide; figure not reproduced in this extract)
Solution Map
WEB: content analysis, malware sandbox, forensic reports, SSL inspection, video controls, spear-phishing URL sandboxing, anti-spam, TLS encryption, image analysis
DATA: content-aware DLP, drip data theft detection, OCR of image text, geo-location
MOBILE: cloud service, malicious apps, BYOD policy, reporting / inventory
[Figure: Essential Information Protection cycle - Discover, Classify, Monitor, Protect - answering Where, What, Who and How for sensitive documents (examples shown: customer list, new design, confidential), against both external and internal risks]
Advanced Threat Protection (ATP) –Two key elements
1. Sandboxing Systems (similar to a bomb-detonation sandbox)
- Tightly controlled access to resources
- URL sandbox / file sandbox
- Isolated environment / network
- Multiple detection environments (virtual machines)
- Customizable & realistic virtual environment
- Behavior based classification & risk scoring
- Instrumented forensic data collection
2. Big-Data Analytics
- SIEM systems: big log data interpretation
- Post-incident data (SIEM - Security Information & Event Management)
- Real-time threat intelligence (GTI)
- Integration with other sources (local / national / international)
- PCAP (packet capture) & replay
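The "behavior based classification & risk scoring" item above, as an added example that is not from the original deck: a toy verdict engine that maps an instrumented execution trace to behaviour tags and then to a weighted score. The trace format, behaviour names, weights, thresholds and the three sample traces are assumptions made for illustration. Anti-analysis behaviour is deliberately scored, because a sample that probes for a VM or sleeps before acting is trying to defeat exactly the sandbox the slide describes; that is the practical reason the environment has to be realistic.

```python
"""Toy sandbox verdict engine (added example): turn an instrumented execution trace of a
detonated sample into behaviour tags, then into a weighted risk score and a verdict.
Behaviour names, weights, thresholds and the trace format are assumptions, not any vendor's schema."""

# Weight of each behaviour tag on a 0-100 risk scale (assumed values).
WEIGHTS = {
    "drops_executable_in_temp": 10,
    "writes_autorun_key": 15,
    "contacts_unknown_domain": 15,
    "encrypts_many_user_files": 40,
    "deletes_shadow_copies": 30,
    "checks_vm_artifacts": 20,
    "long_sleep_before_activity": 15,
}

# Combinations worth more than the sum of their parts: (required tags, bonus, pattern name).
PATTERNS = [
    ({"drops_executable_in_temp", "writes_autorun_key", "contacts_unknown_domain"}, 20, "dropper-with-callhome"),
    ({"encrypts_many_user_files", "deletes_shadow_copies"}, 30, "ransomware"),
    ({"checks_vm_artifacts", "long_sleep_before_activity"}, 15, "sandbox-evasion"),
]

KNOWN_GOOD_DOMAINS = {"windowsupdate.example", "intranet.example"}   # assumed allow-list

def behaviours_from_trace(trace_lines, known_good=KNOWN_GOOD_DOMAINS, encrypt_threshold=50):
    """Map raw 'OPERATION argument' trace lines (assumed format) to behaviour tags."""
    tags = set()
    user_doc_writes = 0
    for line in trace_lines:
        op, _, arg = line.partition(" ")
        low = arg.lower()
        if op == "RegSetValue" and "\\currentversion\\run\\" in low:
            tags.add("writes_autorun_key")
        elif op == "CreateFile" and "\\temp\\" in low and low.endswith(".exe"):
            tags.add("drops_executable_in_temp")
        elif op == "DnsQuery" and low not in known_good:
            tags.add("contacts_unknown_domain")
        elif op == "CreateProcess" and "vssadmin" in low and "delete shadows" in low:
            tags.add("deletes_shadow_copies")
        elif op == "WriteFile" and low.endswith((".docx", ".xlsx", ".pdf", ".jpg")):
            user_doc_writes += 1           # bulk rewriting of user documents is the encryption signal
        elif op == "Sleep" and int(arg) >= 300_000:   # 5 minutes or more, in milliseconds
            tags.add("long_sleep_before_activity")
        elif op == "RegQueryValue" and ("vbox" in low or "vmware" in low):
            tags.add("checks_vm_artifacts")
    if user_doc_writes >= encrypt_threshold:
        tags.add("encrypts_many_user_files")
    return tags

def score(tags):
    """Weighted sum plus pattern bonuses, capped at 100, with a three-level verdict."""
    total = sum(WEIGHTS[t] for t in tags if t in WEIGHTS)
    matched = [name for req, bonus, name in PATTERNS if req <= tags]
    total += sum(bonus for req, bonus, name in PATTERNS if req <= tags)
    total = min(total, 100)
    verdict = "malicious" if total >= 60 else "suspicious" if total >= 25 else "clean"
    return {"score": total, "verdict": verdict, "patterns": matched}

# Constructed traces (not captured from real samples).
RANSOMWARE_TRACE = [
    "CreateFile C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe",
    "DnsQuery pay-portal.example.net",
    "CreateProcess vssadmin.exe delete shadows /all /quiet",
] + [f"WriteFile C:\\Users\\u\\Documents\\report{i}.docx" for i in range(60)]

INSTALLER_TRACE = [
    "CreateFile C:\\Users\\u\\AppData\\Local\\Temp\\setup.exe",
    "RegSetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    "DnsQuery windowsupdate.example",
]

EVASIVE_TRACE = [
    "RegQueryValue HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__",
    "Sleep 600000",
]

if __name__ == "__main__":
    for name, trace in [("ransomware", RANSOMWARE_TRACE), ("installer", INSTALLER_TRACE), ("evasive", EVASIVE_TRACE)]:
        print(name, score(behaviours_from_trace(trace)))
```

The installer trace lands on "suspicious" rather than "clean" on purpose: dropping an executable into Temp and persisting via the Run key is what both legitimate updaters and droppers do, so the verdict should hand it to an analyst rather than decide. The evasive trace never does anything overtly harmful, yet still scores 50, which is the point of treating anti-analysis checks as behaviour in their own right.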
SIEM Components
Log Data Collection - Content & context aware logs: device & application logs, authentication & IAM logs, endpoint security devices, user identity, location, VA scan data, network flows, OS events, DB transaction logs
Aggregation & Normalization - Remove redundancy and bring events from different sources into a common schema
Correlation Engine - Threat intelligence & risk analysis across sources
Retention & Forensic Analysis
Alert Reporting & Workflow Manager
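The collection, normalization and correlation components above, as an added example rather than anything from the deck: a toy SIEM that normalises constructed sshd and web-proxy log lines into one event schema and runs a three-rule correlation chain, where a brute-force login, a subsequent success from the same source, and an outbound request from that host to a threat-intel-listed domain escalate into a single critical alert. Log lines, hosts, IPs, domains, the threat-intel list and the rule thresholds are all constructed.

```python
"""Toy SIEM correlation (added example): normalise events from two log sources and
correlate them into an escalating alert chain. All log lines, hosts, IPs, domains and
the threat-intel list below are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log from host 10.0.0.5 (a real collector tags each event with its source host).
SSH_HOST = "10.0.0.5"
SSH_LOGS = """\
2015-08-07T09:00:01 sshd[2211]: Failed password for admin from 203.0.113.7 port 50122 ssh2
2015-08-07T09:00:03 sshd[2211]: Failed password for admin from 203.0.113.7 port 50123 ssh2
2015-08-07T09:00:05 sshd[2211]: Failed password for admin from 203.0.113.7 port 50124 ssh2
2015-08-07T09:00:06 sshd[2211]: Failed password for admin from 203.0.113.7 port 50125 ssh2
2015-08-07T09:00:08 sshd[2211]: Failed password for admin from 203.0.113.7 port 50126 ssh2
2015-08-07T09:00:11 sshd[2230]: Accepted password for admin from 203.0.113.7 port 50130 ssh2
2015-08-07T09:30:00 sshd[2300]: Accepted password for alice from 10.0.0.12 port 40001 ssh2
"""
# Constructed web-proxy log: timestamp, client, method, URL, status.
PROXY_LOGS = """\
2015-08-07T09:02:40 10.0.0.5 GET http://update-check.example.net/beacon 200
2015-08-07T09:05:00 10.0.0.12 GET http://intranet.example/home 200
"""
# Stand-in for a threat-intelligence feed (the slide's GTI); constructed.
BAD_DOMAINS = {"update-check.example.net"}

SSH_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
                    r"for (?P<user>\S+) from (?P<src>\S+) port \d+")
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")

def normalise(ssh_text, proxy_text, ssh_host=SSH_HOST):
    """Aggregation & normalisation: parse both formats into one event schema, sorted by time."""
    events = []
    for line in ssh_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                           "type": "auth_fail" if m["result"] == "Failed" else "auth_ok",
                           "src": m["src"], "user": m["user"], "host": ssh_host})
    for line in proxy_text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                           "type": "web_out", "host": m["src"],
                           "domain": m["url"].split("/")[2]})
    events.sort(key=lambda e: e["ts"])
    return events

def correlate(events, fail_threshold=5, fail_window=timedelta(seconds=60),
              success_window=timedelta(minutes=5), callhome_window=timedelta(minutes=10)):
    """Correlation engine: three rules, each raising the severity of the one before it."""
    alerts = []
    fails = defaultdict(list)   # (src, host) -> timestamps of recent failed logins
    suspect_logins = {}         # host -> (src, user, ts) of a success that followed a brute force
    for e in events:
        if e["type"] == "auth_fail":
            key = (e["src"], e["host"])
            recent = [t for t in fails[key] if e["ts"] - t <= fail_window] + [e["ts"]]
            fails[key] = recent
            if len(recent) == fail_threshold:   # fire once, when the threshold is first reached
                alerts.append({"rule": "brute_force", "severity": "medium",
                               "src": e["src"], "host": e["host"], "ts": e["ts"]})
        elif e["type"] == "auth_ok":
            key = (e["src"], e["host"])
            if len([t for t in fails[key] if e["ts"] - t <= success_window]) >= fail_threshold:
                suspect_logins[e["host"]] = (e["src"], e["user"], e["ts"])
                alerts.append({"rule": "brute_force_success", "severity": "high",
                               "src": e["src"], "host": e["host"], "user": e["user"], "ts": e["ts"]})
        elif e["type"] == "web_out" and e["domain"] in BAD_DOMAINS:
            hit = suspect_logins.get(e["host"])
            if hit and e["ts"] - hit[2] <= callhome_window:
                alerts.append({"rule": "compromise_callhome", "severity": "critical",
                               "host": e["host"], "domain": e["domain"], "ts": e["ts"]})
    return alerts

if __name__ == "__main__":
    for a in correlate(normalise(SSH_LOGS, PROXY_LOGS)):
        print(a["ts"], a["severity"].upper(), a["rule"],
              {k: v for k, v in a.items() if k not in ("ts", "severity", "rule")})
```

Two design points carry over to a real SIEM. First, the proxy event is only interesting because the earlier authentication events put the host into a "suspect" state; on its own a single request to a listed domain would be one alert among thousands. Second, every rule is time-bounded, so stale failures age out and the correlation does not fire on coincidences hours apart. Alice's normal login and the intranet request go through all three rules without producing anything.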
SIEM Correlation Intelligence (diagram slide; figure not reproduced in this extract)
Vulnerability Assessment & Penetration Testing (diagram slide; figure not reproduced in this extract)
Golden Rule in Security
Prevention is better than Cure (Old Proverb)
Prevention is ideal; early detection is a must, followed by quick remediation.
Security Guidelines for End Users
Security is everybody's responsibility. It is a moving target: a race between the good and the bad.
- Use legal software only
- Keep up-to-date patches and fixes for the operating system and application software
- Exercise caution while opening unsolicited emails and do not click on links embedded within them
- Open email attachments only from trusted parties
- Use the latest browsers, which can detect phishing / malicious sites
- Harden the operating system
- Whitelist the applications
- Deploy software for controlled use of USB pen drives
Thank You !
“Failure is not when we fall down, but when we fail to get up”
Q & A