Insights Into Modern Day Threat Protection
Information Technology Services Division, ITSD, ECIL Hyderabad
Author: Abhinav Biswas
Posted: 07-Aug-2015

TRANSCRIPT

Page 1: Insights Into Modern Day Threat Protection (title slide)

- Abhinav Biswas, ECIL Hyderabad

Page 2: Agenda

Basic Terminologies
Contemporary Threat Environment
- Corporate Threat Landscape
Advanced Persistent Threats (APT)
- Multi-Phase (7 Stage Model)
Traditional Defense Mechanism
- Signature Based (Known)
Advanced Threat Protection (ATP)
- Analytics based (Sandboxing & GTI)
Security Incident & Event Management (SIEM) Systems
- Log Correlation & Big Data Analysis
Vulnerability Assessment & Penetration Testing
- Nessus, Acunetix
Security Guidelines for End Users

Page 3: Terminologies

Spyware - Gathers information secretly and sends it to another entity without the user's consent.

Ransomware - Stops you from using your PC until you pay a certain amount of money (the ransom). e.g. Encryption Ransomware, CryptoLocker

Social Engineering - Psychological manipulation of people into performing actions or divulging confidential information.

Phishing / Spear-Phishing - Act of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.

Vishing - Voice phishing: the same deception carried out over a phone call.

Page 4: Terminologies (continued)

Vulnerability - A weakness which allows an attacker to reduce a system's information assurance.

Threat - A possible danger that might exploit a vulnerability to breach security and thus cause possible harm.

Exploit - A piece of software or a sequence of commands that takes advantage of a bug or vulnerability.

Attack - An attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.

(A realized Threat using an Exploit on a Vulnerability is an Attack.)

Event - An observable change to the normal behavior of a system, environment, process, workflow or person.

Incident - An event attributable to a root cause. All incidents are events but many events are not incidents.

(An Attack is a series of security incidents.)

Page 5: Contemporary Threat Environment

Rise in Coordinated Advanced Cyber Attacks like
- Advanced Persistent Threats (APT)
- Zero-day Attacks (ZDA)
- Smart Mobile Malware (SMM)
- Web-based Plug-in Exploits (WPE)

New avenues for Cyber-fraud
- Free availability of Root-kits, SpamBots, Phishing Tools etc.
- Digital Currencies (BitCoin) & Anonymous Payment Services.

State-Sponsored Data Exfiltration Attacks
- Strategic Government institutions.

Challenges due to new technologies/needs
- Polymorphism, Dynamic URLs, Virtualization, Cloud, Smart Phones/Mobiles, Social Sites, BYOD, Internet of Things (IoT/IPv6)

Page 6: Advanced Persistent Threats (APT)

7 Stage Process (diagram; stages as labelled on the slide):
1. Recon
2. Lure
3. Redirect
4. Exploit Kit
5. Dropper File
6. Call Home
7. Data Theft

Page 7: Traditional & Advanced Threats

Traditional Threats                                    | APTs
-------------------------------------------------------|-----------------------------------------------------------
Signature Based                                        | Zero-Day: No signature, Rule-based
Reactive Response                                      | Proactive/Predictive/Adaptive Response
Opportunistic/Generic attack                           | Targeted/Customized Attack
Visible                                                | Stealthy, Low-flying
Short-term & Bursty                                    | Long-term & Persistent
Static - Relatively easy to detect (based on signature) | Polymorphic - Takes months to detect (no specific pattern)
Getting attention/Bragging is the motive               | Data-exfiltration & Disruption of services is the motive
Limited Resources (people, money, technologies)        | Sponsored by Nation States - Large number of quality resources
Eg: Common Cold                                        | Eg: Cancer

Page 8: Victims funneled to the Web

(Diagram) Attack Vectors: Social Media, Email, Mobile
(Diagram) Funnel to the Web: Recon, Phishing, XSS, Web Redirects, Exploit Kits, Dropper Files, Malware, CnC

Page 9: Watering Hole Attacks

1a) Identify target
1b) Determine browsing habits
2) Select favorite website
3) Compromise and host exploits
3) Drop malware
4) Determine target profile
4) Wait for opportunity to further compromise

Page 10: Attack on ADSL Routers

(Diagram) Internet, Customer, Attacker, Vulnerable ADSL Router, Rogue DNS Server

Changes the DNS server entries in the modem to rogue DNS servers and changes the password of the DSL router.

Attacker scans for the DSL router and logs on to the admin console via the WAN interface by exploiting vulnerabilities in the router firmware or configuration flaws, or by infecting a connected computer.

Page 11: Traditional Defense Mechanism

1. PRIMARILY BASED ON SIGNATURE & REPUTATION
   Signature history cannot keep up with the dynamic future of threats.

2. LACK OF REAL-TIME INLINE CONTENT ANALYSIS
   No byte-range data packet analysis for data loss/theft detection.

3. FORWARD FACING ONLY, LACK OUTBOUND PROTECTION
   No contextual analysis of internal threats.

4. LACK OF ADVANCED ANALYTICS & ANOMALY DETECTION
   No sandboxing in existing UTMs, NGFWs. No SSL packet inspection.

Page 12: Defense in Depth Architecture (diagram only)

Page 13: Threat Landscape (diagram only)

Page 14: Solution Map

WEB: Content Analysis, Malware Sandbox, Forensic Reports, SSL Inspection, Video Controls
EMAIL: Spear-Phishing URL Sandboxing, Anti-Spam, TLS Encryption, Image Analysis
DATA: Content Aware DLP, Drip Data Theft Detection, OCR of Image Text, Geo-Location
MOBILE: Cloud Service, Malicious Apps, BYOD Policy, Reporting/Inventory

(Diagram) Essential Information Protection cycle: Discover, Monitor, Classify, Protect
(Diagram) Questions answered: Where, What, Who, How; covers External Risks and Internal Risks
(Diagram) Sample data classes shown: Customer List, New Design, Confidential

Page 15: Advanced Threat Protection (ATP) - Two key elements

1. Sandboxing Systems (similar to a bomb detonation sandbox)
- Tightly controlled access to resources
- URL sandbox / File sandbox
- Isolated environment/network
- Multiple Detection Environments (Virtual Machines)
- Customizable & Realistic Virtual environment
- Behavior based classification & Risk scoring
- Instrumented Forensic Data Collection

2. Big-Data Analytics
- SIEM Systems - Big log data interpretation
- Post-incident data (SIEM - Security Incident & Event Management)
- Real-time Threat Intelligence (GTI)
- Integration with other sources (local/national/international)
- PCAP (Packet Capture) & Replay
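As an added illustration of the "Behavior based classification & Risk scoring" item above (example code, not from the presentation or any vendor product): a constructed sandbox report is reduced to behaviour indicators, two of which fire on a single event and one only on an aggregate over many file writes, and the weighted indicators yield a risk score and verdict. The indicator weights, thresholds, the allowlisted host and the report itself are assumptions.

```python
# Behaviour-based classification and risk scoring of one sandbox run (added example,
# not the deck's code). Weights, thresholds, allowlist and the report are assumptions.

DOC_EXTS = {"docx", "xlsx", "pptx", "pdf", "jpg", "txt"}
ALLOWED_HOSTS = {"10.0.0.5"}          # assumed: an internal update server
WEIGHTS = {"persistence_run_key": 25, "mass_file_rewrite": 45, "call_home_unknown_host": 30}

# Constructed sandbox observations for a detonated sample: (event type, detail).
SAMPLE_REPORT = [
    ("registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ("file_write", r"C:\Users\u\Documents\budget.xlsx.locked"),
    ("file_write", r"C:\Users\u\Documents\plan.docx.locked"),
    ("file_write", r"C:\Users\u\Pictures\img01.jpg.locked"),
    ("file_write", r"C:\Users\u\AppData\Local\Temp\log.txt"),
    ("dns_query", "cdn.updates-example.invalid"),
    ("network_connect", "198.51.100.23:443"),
    ("network_connect", "10.0.0.5:443"),
]

def has_appended_extension(path):
    """True when a document extension is followed by a further extension, e.g. plan.docx.locked."""
    parts = path.rsplit("\\", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXTS

def observed_indicators(report, rewrite_threshold=3):
    """Turn raw events into behaviour indicators. Persistence and call-home fire on a
    single event; the ransomware-like indicator needs an aggregate over many files."""
    hits, rewritten = set(), 0
    for kind, detail in report:
        if kind == "registry_write" and "\\currentversion\\run\\" in detail.lower():
            hits.add("persistence_run_key")
        elif kind == "file_write" and has_appended_extension(detail):
            rewritten += 1
        elif kind == "network_connect" and detail.rsplit(":", 1)[0] not in ALLOWED_HOSTS:
            hits.add("call_home_unknown_host")
    if rewritten >= rewrite_threshold:
        hits.add("mass_file_rewrite")
    return hits

def score_report(report):
    """Risk score 0-100 plus verdict; the verdict thresholds are assumptions for this example."""
    hits = observed_indicators(report)
    score = min(100, sum(WEIGHTS[h] for h in hits))
    verdict = "malicious" if score >= 70 else "suspicious" if score >= 30 else "benign"
    return score, sorted(hits), verdict

if __name__ == "__main__":
    print(score_report(SAMPLE_REPORT))
```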

Page 16: SIEM Components

Log Data Collection
- Content & Context aware logs
- Device & Application logs, Authentication & IAM logs, endpoint security devices, user identity, location, VA scan data, network flows, OS events, DB transaction logs

Aggregation & Normalization
- Remove redundancy.

Correlation Engine
- Threat Intelligence & Risk Analysis

Retention & Forensic Analysis

Alert Reporting & Workflow Manager
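To make the collection, normalization, de-duplication and correlation stages concrete, here is an added example (not from the presentation) that takes constructed sshd syslog lines and a constructed CSV export from a VPN gateway, maps both into one schema, drops a duplicate delivery, and runs one correlation rule: several failed logins from a source followed by a success for the same user within a time window. The log lines, the two formats, the assumed year for syslog timestamps and the rule thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw logs from two sources: sshd syslog and a CSV auth export (assumed format).
RAW_LOGS = [
    "Mar 10 09:12:01 host1 sshd[1202]: Failed password for admin from 203.0.113.7 port 51022 ssh2",
    "Mar 10 09:12:01 host1 sshd[1202]: Failed password for admin from 203.0.113.7 port 51022 ssh2",
    "Mar 10 09:12:09 host1 sshd[1204]: Failed password for admin from 203.0.113.7 port 51030 ssh2",
    "Mar 10 09:12:15 host1 sshd[1207]: Failed password for admin from 203.0.113.7 port 51041 ssh2",
    "Mar 10 09:12:40 host1 sshd[1210]: Accepted password for admin from 203.0.113.7 port 51050 ssh2",
    "2015-03-10 09:13:02,vpn-gw,LOGIN_FAILED,user=bob,src=198.51.100.9",
    "Mar 10 09:20:00 host2 sshd[880]: Accepted publickey for alice from 10.0.0.5 port 40001 ssh2",
]
SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+)")
CSV = re.compile(r"^(\S+ \S+),(\S+),(LOGIN_FAILED|LOGIN_OK),user=(\S+),src=(\S+)$")

def normalize(line, year=2015):
    """Map either source into one schema: (time, host, outcome, user, src). Syslog carries
    no year, so one is assumed; unknown formats return None (a parse-failure queue in a SIEM)."""
    m = SYSLOG.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
        return (ts, m[2], "fail" if m[3] == "Failed" else "success", m[4], m[5])
    m = CSV.match(line)
    if m:
        ts = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S")
        return (ts, m[2], "fail" if m[3] == "LOGIN_FAILED" else "success", m[4], m[5])
    return None

def aggregate(lines):
    """Normalize, drop unparseable lines, remove exact duplicates, and order by time."""
    seen, events = set(), []
    for line in lines:
        ev = normalize(line)
        if ev and ev not in seen:
            seen.add(ev)
            events.append(ev)
    return sorted(events)

def correlate(events, min_failures=3, window=timedelta(minutes=5)):
    """Rule: >= min_failures failed logins from one source for one user, then a success
    for that (source, user) within the window -> raise a brute-force-success alert."""
    failures, alerts = defaultdict(list), []
    for ts, host, outcome, user, src in events:
        if outcome == "fail":
            failures[(src, user)].append(ts)
            continue
        recent = [t for t in failures[(src, user)] if ts - t <= window]
        if len(recent) >= min_failures:
            alerts.append({"rule": "brute_force_then_success", "src": src, "user": user,
                           "host": host, "failures": len(recent), "at": ts.isoformat()})
    return alerts
```

Running `correlate(aggregate(RAW_LOGS))` yields one alert for admin from 203.0.113.7 with three preceding failures; bob's lone failure and alice's clean key login raise nothing.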

Page 17: SIEM Correlation Intelligence (diagram only)

Page 18: Vulnerability Assessment & Penetration Testing (diagram only)

Page 19: Golden Rule in Security

Prevention is better than Cure (old proverb).

Prevention is ideal, and early detection is a must, followed by quick remediation.

Page 20: Security Guidelines for End Users

Security is Everybody's Responsibility. It's a moving Target. It's a race between the Good & the Bad.

- Use legal software only
- Keep up-to-date patches and fixes of the Operating System and Application Software
- Exercise caution while opening unsolicited emails and do not click on a link embedded within
- Open only email attachments from trusted parties
- Use the latest browsers having the capability to detect phishing/malicious sites
- Harden the Operating System
- Whitelist the Applications
- Deploy software for controlled use of USB Pen Drives.

Page 21: Thank You!

"Failure is not when we fall down, but when we fail to get up"

Page 22: Q & A