©2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

Apr 02, 2015

Page 1: Next Generation Cyber Threats

Shining the Light on the Industries' Best Kept Secret

Rohan Kotian | Author, NSA IAM, CEH
Product Line Manager | Next Generation Security Platforms
rohanrkotian@hp.com

“Achieving victory in Cyber Security is not going to be won at the traditional point product” -JP

Page 2: Agenda

– Next Generation Cyber Threats
– Advanced Persistent Threats
– Question and Answer

Page 3: Next Generation Cyber Threats

"The wonderful thing about the Internet is that you're connected to everyone else. The terrible thing about the Internet is that you're connected to everyone else." Vint Cerf (Vice President and Chief Internet Evangelist, Google)

Page 4: Risks are Real & More Visible

Stuxnet Worm: sophisticated worm attacks Iran’s Siemens SCADA & MS Windows industrial control systems

Blackhole Exploit Injected into USPS Website: the website of the U.S. Postal Service serving up malware

Sony PlayStation Network Down: 77 million accounts at risk of data theft

RSA Hit By Advanced Persistent Threat: the servers of RSA have been breached and sensitive information from more than 40 million employees may have been compromised

NASDAQ Stock Market: confirmed that its computer network had been broken into

Applications and information are the business

Page 5: If it Isn’t Secure, it is for Sale

Page 6: If it Isn’t Secure, it is for Sale

Page 7: Understanding data breaches

• Significant spike in 2011 for the number of data breaches
• Breaches are evolving from stolen laptops to more sophisticated techniques

[Chart: number of data breach incidents per year, 2003 to 2012]

*Data pulled from DataLossDB.com looking at incidents over time

Page 8: Vulnerabilities Decreasing

• Vulnerabilities in commercial applications down 20 percent from 2010
• Spike in 2006; for the most part a steady decline since
• But this is not a good indicator of risk

*Vulnerabilities measured by OSVDB, 2000 - 2011

Page 9: Vulnerability Severity Increasing

[Chart legend: Low level Severity (CVSS 1-4), Mid level Severity (CVSS 5-7), High level Severity (CVSS 8-10)]

• High-severity (HS) vulnerabilities can cause remote code execution
• Percentage of HS vulnerabilities has increased by 17 percent in 5 years

*Data pulled from OSVDB, 2000 - 2011

Page 10: Web applications – the “new” frontier

• 4 of the 6 most popular OSVDB vulnerabilities are exploitable via the Web
• Web application vulnerabilities (categorically) account for 36 percent of all vulnerabilities
• Further complicated by customization and add-ons – increased vulnerabilities

*Data pulled from OSVDB, 2000 - 2011

Page 11: The number and costs of breaches continue to rise

Web Applications Remain a Leading Issue
– 80% of successful attacks target the application layer (Gartner)
– 86% of applications are in trouble
  • Web App Security Consortium studied security tests across 12,186 applications
  • 13% of applications could be compromised completely automatically
  • 86% had vulnerabilities of medium or higher severity found by completely automated scanning

Total average cost of a data breach per compromised record*: $202
Average # of compromised records per breach^: 30,000
Average total cost per breach*: $6.65 M

* Ponemon Institute, 2008 Annual Study: U.S. Cost of a Data Breach
^ Source: The Open Security Foundation

Page 12: The Cost of a Compromised Web Application/Server

• Sony PlayStation Network (PSN) Breach
• LulzSec claimed it only took a single SQL Injection
• What was compromised:
  – Usernames
  – Passwords
  – Credit card details
  – Security answers
  – Purchase history
  – Address information
• Estimated Damages – $177 Million (USD)

Sony’s official earning forecast and we quote:

Page 13: Complacency Is a Sucker's Bet

– Your Adversaries Count On Your Subscription and Resistance Toward Change
– Traditional security is a sucker's bet as well!
  • ACLs
  • AV / AS
  • FW
  • SMTP / Web Gateways
  • HIPS
  • Encryption
  • IDS / IPS
  • Logging / SIEM / SEM
• THEY COUNT ON YOUR ORGANIZATION BEING COMPLIANT AND THEY DON’T CARE!!!!

Page 14: Traditional Security Is a Sucker's Bet

– You have to think beyond tradition
– Abandon those ideas which may be promoted by analysts and / or cleverly crafted reports
– You must get outside the norms
– Embrace ulterior technology and philosophy
– You cannot fight symmetrically when the war requires that asymmetric approaches be embraced, employed and acted out

Page 15: Classifying the Cyber Actor (The technical threat telemetry is endless)

Motivation + Expertise + Attack Vector = Result

Motivation: Fame, Destruction, Moral Agenda, Money, Notoriety, Theft, Espionage (Corporate/Government), Fun, Unwitting

Expertise:
– None (Normal End-User)
– Novice (Script Kiddie)
– Intermediate (Hacker for Hire)
– Expert (Foreign Intel Service, Terrorist Organization and/or Organized Crime)

Attack Vector: IM, IRC, P2P; Open Ports; Web Browsers; Email and Attachments; Vulnerable Operating System

Result: Compromise of an Asset/Policy and/or Intellectual Property (Intentional Act or Non-Intentional Act)

Page 16: Embracing Asymmetry

– Non-traditional intelligence acquisition and digestion
– Aggressive, pro-active forensic analytic analysis
– Baseline establishment and monitoring
– Cyber Reputation Management ® techniques
– Advanced & aggressive adoption and deployment of new, innovative, purpose built solutions

Page 17: Next Generation Cyber Threats (Here Today, Gone Tomorrow)

– What’s in a name and MS Tuesday
– Hacking as a Service
– Botnetting as a Service
– Spamming as a Service
– DDoSing as a Service
– Opportunistic Targets (Retail -> Critical Infrastructure)

Page 18: Threats Have Advanced

– People
  • Underestimating the threat introduces risk
  • Lack InfoSec knowledge and experience
  • Often not empowered by stakeholders due to lack of alignment with business
– Process
  • What gets measured is supposed to get results
    − Horrible IT metrics at best
  • Focus on compliance vs. security
– Technology
  • Deep holes in network visibility that must be addressed

Page 19: Focus on Compliance Versus Security

[Diagram: Compliance vs. Security]

Page 20: Network Visibility and Situational Awareness (Gaps Are Critical)

Defense in Depth:
• Firewalls
• Intrusion Detection/Prevention
• Content Monitoring
• Anomaly Detection
• End-Point Protection
• SIEM

Expecting different results using the same technology

Massive Gaps

Without insight/visibility…what you don’t know will hurt you.

Page 21: Advanced Persistent Threats

Page 22: Advanced Persistent Threat (Selective, Sophisticated and Silent)

– Slow, silent and deadly
– What’s in not having a name: Encryption, Beacons, Custom, Blended…
– Recent Examples
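The beacons mentioned on this slide are an implant's periodic check-ins with its controller, and that regularity is one of the few things a traffic baseline can expose. As an added example that is not part of the deck or of HP's material, the Python below reads constructed proxy-log lines (timestamp, source, destination; all addresses are documentation ranges) and flags the flows whose inter-connection gaps barely vary.

```python
# Added example, not from the slide deck: flag "beaconing" flows in proxy logs
# by measuring how regular the gaps between connections are per (src, dst).
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines ("timestamp src dst", documentation addresses).
# 10.0.0.5 -> 203.0.113.9 checks in about every 60 s; the rest is bursty browsing.
SAMPLE_LOG = """\
2011-06-01T09:00:00 10.0.0.5 203.0.113.9
2011-06-01T09:00:12 10.0.0.7 198.51.100.20
2011-06-01T09:01:01 10.0.0.5 203.0.113.9
2011-06-01T09:01:40 10.0.0.7 198.51.100.21
2011-06-01T09:02:00 10.0.0.5 203.0.113.9
2011-06-01T09:02:05 10.0.0.7 198.51.100.20
2011-06-01T09:03:02 10.0.0.5 203.0.113.9
2011-06-01T09:03:50 10.0.0.7 198.51.100.22
2011-06-01T09:04:00 10.0.0.5 203.0.113.9
2011-06-01T09:07:30 10.0.0.7 198.51.100.20
"""

def parse_log(text):
    """Group connection timestamps by (src, dst) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(text, min_events=4, max_cv=0.1):
    """Return {flow: mean gap in seconds} for flows whose gaps barely vary.
    cv = stdev / mean of the inter-arrival gaps: human browsing is bursty
    (high cv); an implant phoning home on a timer is regular (low cv).
    Flows with fewer than min_events connections are not scored at all."""
    beacons = {}
    for flow, times in parse_log(text).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:  # avg == 0: duplicate stamps
            beacons[flow] = round(avg, 1)
    return beacons

if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{period}s")
```

Real implants add jitter to the timer, so in practice max_cv is tuned against the site's own baseline rather than fixed at 0.1.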

Page 23: Historic Overview

[Timeline, 1997 to 2011, grouped as "The Classics" and "The Subversives": Solar Sunrise, Eligible Receiver, Moonlight Maze, Titan Rain, Byzantine Foothold, US Power Grid, Operation Shockwave, Aurora, Exxon, Ghostnet, Stuxnet]

“The cyber criminal sector in particular has displayed remarkable technical innovation with an agility presently exceeding the response capability of network defenders. Criminals are developing new, difficult-to-counter tools.”

“Criminals are collaborating globally and exchanging tools and expertise to circumvent defensive efforts, which makes it increasingly difficult for network defenders and law enforcement to detect and disrupt malicious activities.”

Page 24: Advanced Persistent Threat Lifecycle

Page 25: Lifecycle Similarities & Differences (Threat: APT vs. Botnet)

Initial Entry
  APT: Recon & social engineering, perhaps via e-mail (phishing, link, or attachment)
  Botnet: Spam, phishing, malicious links (all perhaps leveraging social engineering)

Intrusion
  APT: Vulnerability, obfuscation, exploitation
  Botnet: Vulnerability, obfuscation, exploitation

Infection
  APT: Malware – custom, off the shelf, DIY
  Botnet: Malware – custom, off the shelf, DIY

Repeat
  APT: Lateral movement, data extrusion, persistence
  Botnet: Zombie used to send more spam or drive-by web application attacks

Page 26: Public APT Activity (GhostNet) aka Byzantine Foothold

– What Happened
  • Verified in 103 countries
    ▫ Over 1,295 infected hosts identified
    ▫ Impacts +/- a dozen computers on a weekly basis
  • Commonly Used Tools (Not Too Sophisticated):
    ▫ Remote access tool called gh0st RAT (Remote Access Tool)
    ▫ Data harvest
    ▫ Email siphoning
    ▫ Listening / Recording of Conversations via microphone and / or webcams

Page 27: Key Points

• Known Current Solutions Not Good Enough
• Regulatory Compliance != Security
• Advanced Persistent Threat Will Become Pervasive
• What are you doing to tackle the problem?

Page 28: Outcomes that matter.