Published on February 27, 2014
Anatomy of a Cyber Attack: Understanding how the bad guys break into your network and wreak havoc. Created by Mark Silver.
Bringing Fortune 20 experience to you
Why should you care? Cyber criminals and some state-sponsored agencies want your information assets as a shortcut to creating wealth.
Who is this presentation for? Boards of directors, executive management, and professionals interested in understanding cyber crime.
Agenda: overview of “Anatomy of a Cyber Attack”; insight into each major step of the attack; principles of security that you can apply; references; about the author.
5 steps: 1. Reconnaissance; 2. Infiltration, intrusion and advanced attacks; 3. Malware deployment; 4. Data extraction; 5. Cleanup.
Reconnaissance. The attacker will focus on “who”, or on the network. “Who” will likely focus on privileged individuals (either for system access, or for access to confidential data). “Network” will focus on architecture and layout; tools, devices and protocols; and critical infrastructure. It’s like a military operation: attackers want to understand their target, its operations, processes and flaws.
Infiltration — The Targets. Typical case study: Who are the board members and executives? Can the individual access company secrets that have commercial value? Where do they work? What information and systems do they have access to? Where do they hang out? Are they on the speaking circuit, or an occasional panelist? Attackers will focus on high-value targets and their activities. They will want to know if executives have access to company strategies, legal strategies, high-value intellectual property, or critical company systems. Then they will focus on where the target can be accessed. For example, some executives are regular members of certain business or country clubs, providing motivated attackers with physical access to the target. Objectives can range from befriending them to start a relationship, to a sales call with a free market report on a USB drive that also contains malware (quite feasible), to an abduction for ransom (rarer, and depends on country). USB drives with malware, or simply an email with the attacker’s URL that also contains malware, are particularly dangerous, as such malware can be custom-written and thus not detected by today’s antivirus software. With this custom malware in place, attackers now have access to the corporate network in a way that is difficult to detect or correct.
Infiltration — The Network. Attackers want to know the trust relationships in the network, and then how to exploit them. Who can make changes (system administrators) to critical business applications? Think CRM, ERP, HR. What is the security like? Which tools are in use? How often? On which systems? How can trust be compromised?
Preparing the attack. Once people and networks have been researched, the attacker prepares custom malware. Attackers use software development life cycles to develop custom code to achieve their objectives undetected. Attackers test, refine, retest, etc. to make sure the attack is long-lasting, undetected, effective and efficient. It’s naive to assume attackers are disaffected teens. Crime syndicates pay hackers better than corporations do. Attackers are well resourced, funded and highly organized. There is now evidence of a sophisticated hacker economy.
Malware testing. Attackers know corporations deploy security software that scans for known malware, so they download known malware and change it by adding new code or changing existing code. Attackers create virtual copies of the target environment and test their malware to see if it escapes the company’s security software. Year on year, malware threat alerts grew by 14%.
Malware deployment. Security experts say 80% of malware is uniquely present in one company (i.e. 20% of malware uses known “signatures”; 80% is custom malware). 99% of mobile malware targets Android smartphones. Java comprises 90% of all web-based threats. Watering hole traps are being used to target vertical industry sectors.
Extraction. Once malware is deployed, evidence from many corporations shows that 99% of corporations are not aware of malware communication, and 99% of corporations did not detect malware on their own. Malware now targets critical information assets (business strategies, IP, patents, emails, legal strategies, product design, customer lists, etc.), encrypts the content and sends it outside the network.
Cleanup. Once the attacker has the information they want, they may consider cleaning up evidence of their presence (log files, accounts, permissions, etc.). However, in many cases attacks are persistent, avoiding attention and detection, and remain on the network for years, continuing to siphon valuable data.
Effective security strategies. Strong focus on risk management: as risk to the business increases, more rigor around consistent application of process and policy should be implemented. Information Security leadership needs business savvy, strong risk understanding, and the ability to communicate across organizational boundaries to build trust, understanding and consensus with business partners. Information Security requires executive management focus, funding and support. Information Security should not be “buried” in the organization, but understood by the board and senior management. Information Security processes should be embedded in all IT and business processes (not regarded as an afterthought).
Security strategies (2). Rigorously document the network, servers, applications, protocols, endpoints and trusts. Assume a breach will occur, but build a program for steady-state operations, during the attack, and post-attack activity. Principles of least trust for accounts (trust users and systems enough to do their work, but no more). Continue with the basics: patching and correct configuration of networked devices.
Security strategies (3). Defense in depth using information security infrastructures is critical. Attributes include: implement tools that provide integrated solutions, not point-of-activity analysis; rigorous validation of network trust relationships. Typical components include: antivirus, firewalls, intrusion detection systems (IDS), intrusion protection systems (IPS), encryption, automated patch management, mobile device management, strong user authentication, and end-user security training. Big data analytics to catch and aggregate multiple separate security events for correlation and meaningful analysis.
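As an added illustration of the last bullet (example code, not part of Mark Silver's presentation): the snippet below correlates several individually low-signal events per host, each mapped to one of the attack steps described in this deck, and flags a host only when events from three or more steps fall inside a 24-hour window. The event types, log format and stage mapping are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping from an event type (as an IDS, AV, proxy or audit log might
# emit it) to the attack step of this presentation that it hints at.
STAGE_OF = {
    "port_scan": "reconnaissance",
    "phish_link_click": "infiltration",
    "usb_mount": "infiltration",
    "av_heuristic_alert": "malware",
    "large_outbound_tls": "extraction",
    "log_cleared": "cleanup",
}

# Constructed sample log: "<ISO timestamp> <host> <event_type>" per line.
SAMPLE_LOG = """\
2014-02-20T09:01:00 ws-exec-01 phish_link_click
2014-02-20T09:03:30 ws-exec-01 av_heuristic_alert
2014-02-20T09:10:00 ws-hr-07 port_scan
2014-02-20T11:45:00 ws-exec-01 large_outbound_tls
2014-02-21T08:00:00 ws-hr-07 usb_mount
"""

def parse(log_text):
    """Turn the log text into (timestamp, host, event_type) tuples,
    skipping malformed lines instead of failing on them."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return events

def correlate(events, window=timedelta(hours=24), min_stages=3):
    """Return {host: sorted stages} for each host whose events span at least
    min_stages distinct attack steps inside one window-long period."""
    by_host = defaultdict(list)
    for ts, host, etype in events:
        if etype in STAGE_OF:          # unmapped event types are ignored
            by_host[host].append((ts, STAGE_OF[etype]))
    alerts = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            stages = {s for ts, s in evs[i:] if ts - start <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts
```

In the constructed log, ws-exec-01 shows infiltration, malware and extraction within three hours and is flagged, while ws-hr-07 shows only two steps and is not.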
Benefits. A secure product brings commercial advantage. Demonstrating security as part of the supply chain brings commercial advantage. Limits risk to the organization, its business partners and its employees. It’s more cost effective to protect information than to litigate after its compromise. (Once the horse has bolted...)
Reference. In preparing this presentation, I used my own 20 years of IT experience, security work and the following as reference material. I’ve provided dates when I secured the documentation, and web addresses when I had them:
The 7 best habits of effective security pros, CSO Online, Jan 9, 2014, http://www.csoonline.com/article/print/745655
Anatomy of a Cyber Attack: The Strategies and Tools of Cyber Criminals and how to stop them, Dell Software, January 8, 2014 at 12:57 PM, http://resources.idgenterprise.com/original/AST-0100349_EB_Anatomy_of_a_CyberAttack.pdf
Four Keys to Effective 'Next-Generation' Security, Sourcefire web publication, October 17, 2013 at 4:35 PM
InfoSec Defense in Depth, CDW.com, Jan 8, 2014, http://resources.idgenterprise.com/original/AST-0104557_NC_DefenseInDepth_0508.pdf
Nine Critical Threats Against Mobile Workers, Marble, December 19, 2013 at 5:01 PM, http://resources.idgenterprise.com/original/AST-0105397_MS_Nine_Threats_2013_0212.pdf
NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
Predictions and Protection Capabilities to Consider While Preparing for Advanced Malware in 2014
Securing Executives and Highly Sensitive Documents of Corporations Globally, December 6, 2013 at 11:23 PM, http://f6ce14d4647f05e937f4-4d6abce208e5e17c2085b466b98c2083.r3.cf1.rackcdn.com/securing-executives-highly-sensitivedocuments-corporations-globally-pdf-w-871.pdf
Taking a Proactive Approach to Today’s Cyber Threats, Deloitte CIO - WSJ, http://deloitte.wsj.com/cio/2013/05/14/taking-aproactive-approach-to-todays-cyber-threats/
The author: Mark Silver. Mark is an international business executive who understands business, process, and using technology to drive business value while managing risk. Mark holds a Master of Business degree from the Queensland University of Technology, Queensland, Australia. He has worked in 16 countries (much of Europe, the Americas, AsiaPac) and speaks two languages (English and German). Having worked for a Fortune 20 company, governments, and medium-sized businesses, Mark's focus for the past 30 years has been on building profitable business processes leveraging enterprise IT systems and infrastructure as CIO, CISO, Compliance Officer and Privacy Officer. Mark can be contacted through LinkedIn at www.linkedin.com/in/markasilver/ and is happy to provide executive briefings and discuss managing risk as either a keynote speaker or panelist.