Real-time Threat Intelligence For Trusted Relationships
VERSION 1.0, November 5, 2014
Dave Davis, Ward Perry
Copyright © 2014, FireEye, Inc. All rights reserved.
Jun 20, 2015
We Live the Headlines
"Hacking of US media is 'widespread phenomenon'" - Wired, Feb 2013
"J.P. Morgan Says About 76 Million Households Affected By Cyber Breach" - Wall Street Journal, October 2014
"LivingSocial Hack Exposes Data for 50 Million Customers" - New York Times, April 2013
"NASDAQ Confirms a Breach in Network" - Wall Street Journal, Feb 2011
"Target Corp. was hit by an extensive theft of its customers' credit-card and debit-card data" - Wall Street Journal, December 2013
"RSA Faces Angry Users After Breach" - New York Times, June 2011
"Russia gang hacks 1.2 billion usernames and passwords" - BBC, August 2014
"Hackers in China Attacked the Times for Last 4 Months" - New York Times, Jan 2013
"Evernote Says Cyber Breach Which Cost Millions Wasn't From China" - BusinessWeek, May 2013
"Fed Acknowledges Cybersecurity Breach" - Wall St. Journal, Feb 2013
"The European Central Bank's website has been hacked and personal information has been stolen by a cybercriminal." - ZDNet, July 2014
"Israeli Iron Dome firms 'infiltrated by Chinese hackers'" - BBC, July 2014
Are You Compromised?
One Question To Ask Yourself
Terms
Threat Actor – An individual or organization which conducts cyber attacks.
Targeted Attack – An attack on a specific individual, company, industry or software.
IOC – Indicators of Compromise. Specific artifacts left by an intrusion; sets of information that allow for the detection of intrusions or other activities conducted by attackers.
C2 – Command and Control. Infrastructure attackers use to initiate or maintain persistence in a compromised network.
APT – Advanced Persistent Threat. A threat actor with the ability to carry out a sustained attack against a target, typically with the mission of financial gain, political advantage, terrorism, or publicity.
All Threat Actors Are Not Equal
Category            | Objective                  | Example
Economic Espionage  | Economic Advantage         | Advanced Persistent Threat
Organized Crime     | Financial Gain             | Credit Card Theft
Nuisance Threats    | Launch Points & Nuisance   | Botnets & Spam
Hacktivists         | Defamation, Press & Policy | Anonymous & Lulzsec
Targeted / Persistent: rating marks for each category not preserved in this extraction.
Attacks which are targeted and persistent pose the greatest challenge and the greatest risk.
Targeted Attacks Routinely Bypass Preventive Defenses
Threat spectrum: Commodity Threats -> Worms & Bots -> Advanced Persistent Threat (APT) -> Advanced Targeted Attacks
• 100% of victims had up-to-date anti-virus signatures
• 67% of companies learned they were breached from an external entity
• 46% of compromised systems had no malware on them
• 100% of breaches involved use of stolen credentials
The Statistics
Anatomy of a Targeted Attack
Of all of the compromised machines Mandiant identified in the last year, only 54% had malware on them.
While attackers use malware to gain an initial foothold, they quickly move to other tactics to execute their attacks.
Attack lifecycle: Initial Compromise -> Establish Foothold -> Escalate Privileges -> Internal Recon -> Complete Mission, with Move Laterally and Maintain Presence forming the cycle between Escalate Privileges and Complete Mission.
EVIDENCE OF COMPROMISE
• Unauthorized Use of Valid Accounts
• Known & Unknown Malware
• Command & Control Activity
• Suspicious Network Traffic
• Files Accessed by Attackers
• Valid Programs Used for Evil Purposes
• Trace Evidence & Partial Files
Now What?
People: Security experts to use the tools to analyze the data
Process: Pulling the data together for analysis
Technology: Products that enable data analysis
Event Data as Evidence
• Layer: Perimeter – Internet & Extranet. Logs: connection, bytes, duration. Examples: Firewall, Proxy, VPN
• Layer: Host. Logs: Authentication, processes. Examples: Win Events, AD
• Layer: Applications. Logs: Access, Errors, transactions. Examples: IIS, database, email
• Layer: Data. Logs: Authorization, Activity, Audit. Examples: File Auditing, DLP, HIDS
What is the value to an Incident Responder?
• Perimeter: Proof of connectivity, policy violations, unauthorized access attempts
• Host: Confirm the compromise, identify post-exploit activity.
• Application: Confirm the compromise, identify post-exploit activity.
• Data: What are they after? Was the attack successful?
Detecting Evil In Event Data
Rules
• Expert knowledge expressed through tools
• Updated based on latest FireEye incident response work, headlines
• Detects non-malware attacker methodology as well as malware family behavior
Analytics
• Detects previously unknown attacker behavior
• Focused on non-malware activity: e.g., lateral movement & exfiltration
• Drives visualizations and explorations of your event data
Indicators
• Simple facts about known-bad behavior
• Collected via multiple proprietary methods—no purchased indicators
• Domains, IP addresses, email addresses, MD5 hashes
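As an added example (not code from the FireEye deck or any FireEye product), the following Python applies the Indicators and Analytics layers above to the perimeter (proxy) and host (authentication) event data described on the "Event Data as Evidence" slide: an indicator match on domain, IP and MD5, and a non-malware analytic that flags a valid account used against many hosts in a short window, the stolen-credential lateral movement the statistics slide calls out. All indicator values, hostnames and log events are constructed, and the threshold and window are assumptions.

```python
# Added example: indicator matching plus a lateral-movement analytic over constructed
# event data. Not FireEye code; every value below is made up for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicator set in the three forms the slide lists (domain, IP, MD5).
INDICATORS = {"domain": {"update-cdn.example"},
              "ip": {"203.0.113.7"},
              "md5": {"0123456789abcdef0123456789abcdef"}}

# Constructed proxy-layer events: (timestamp, source host, destination, dest IP, file MD5)
PROXY_EVENTS = [
    ("2014-11-05 09:00:12", "ws-014", "intranet.corp.example", "10.0.5.20", None),
    ("2014-11-05 09:03:40", "ws-014", "update-cdn.example", "203.0.113.7",
     "0123456789abcdef0123456789abcdef"),
]

# Constructed host-layer logon events: (timestamp, account, target host).
# "svc_backup" reaches five servers in five minutes; "jsmith" behaves normally.
AUTH_EVENTS = [
    ("2014-11-05 09:10:00", "jsmith", "ws-014"),
    ("2014-11-05 09:42:00", "jsmith", "fileserver-01"),
] + [("2014-11-05 09:%02d:00" % m, "svc_backup", "srv-%02d" % i)
     for i, m in enumerate((20, 21, 22, 23, 24))]

def match_indicators(events, indicators):
    """Indicator layer: return (timestamp, host, matched kinds) for each proxy event
    whose destination domain, IP or downloaded-file hash is a known-bad indicator."""
    hits = []
    for ts, src, dest, ip, md5 in events:
        kinds = [k for k, v in (("domain", dest), ("ip", ip), ("md5", md5)) if v in indicators[k]]
        if kinds:
            hits.append((ts, src, kinds))
    return hits

def lateral_movement(events, max_hosts=3, window=timedelta(minutes=10)):
    """Analytics layer: flag a valid account that logs on to more than max_hosts distinct
    hosts inside one sliding window (threshold and window are assumed values)."""
    by_account = defaultdict(list)
    for ts, acct, host in events:
        by_account[acct].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host))
    flagged = {}
    for acct, logons in by_account.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                flagged[acct] = sorted(hosts)
                break
    return flagged
```

The analytic fires on authentication events alone, which is the point of the "46% had no malware" statistic: the host layer confirms the compromise without any malware artefact.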
Using Identity Data to Find Anomalous Behavior
Threat Intel and IRM – Pulling It Together
• Prevention will eventually fail
• Start integrating data sources
• Invest in IRM technology
• Ensure technology teams are trained, enabled and aligned