Exploring Modern Threat Vectors and Trends
Brian Contos, Director Global Security Strategy and Risk Management, McAfee
February 2011
Insider Threats
Industrialized Hacking
Advanced Persistent Threats
The Consumerization of IT and Virtualization
Cloud and Web 2.0
Uniting Data Protection and Network Security
Connected Security Strategy
Provides open system for 3rd parties
Provides ability to automate key workflows
Connects on a platform
Provides enterprise security
Provides reputation based security
Connects security together
Connects the business to security
Provides risk based view of security
Provides situational awareness
Your Actions
Identify the threats most critical to your organization
Understand key trends in IT
Define mechanisms for security to enable business priorities
Select solutions that embrace a connected security framework
Drive an implementation project to address the above
Connected: One Billion Today, 50 Billion by 2020
Circa / Event or technology (pre-digital):
20,000 B.C. Cave Paintings
3,100 B.C. Sumerian Cuneiform Markings: first language-based writing system
500 B.C. Pre-Columbian civilizations use paper
350 B.C. Greek Ionic alphabet of 24 letters
1100 Wax seals used to sign documents
1455 Gutenberg produces printed bibles using movable type
1755 First comprehensive/authoritative English dictionary
1800 Library of Congress opens in Washington
1804 Joseph-Marie Jacquard of France devises an automatic loom
1822 Charles Babbage builds a prototype of his difference engine
1837 Samuel Morse develops telegraph and Morse Code
1877 Photography
1877 Telephone
1897 Radio
1923 Credit Cards
1928 Television
1931 Telex (antecedent to FAX)
1946 Mobile Phones
1958 ARPA created by President Eisenhower
1966 ASCII
Circa / Event or technology (digital era):
1969 ARPANET
1969 Telnet
1970 Banking ATMs
1971 FTP
1972 Email, C Programming Language
1973 NCP, later renamed TCP/IP
1979 Xerox introduces Ethernet
1980 Personal Computer
1982 Lotus 1-2-3
1983 Cellular Technology
1988 Internet
1989 Web Browser based on HTTP
1997 Blogs
1998 Google
2000 Wikipedia
2001 iPod
2003 Social Networks
2004 Podcasting
2005 YouTube
2006 Twitter
Digitization, Access, Dependence: Information Gone Viral
Comparative Threat Windows
Sea: 3,000 BC people in the Mediterranean distributed goods; 1,300 BC first recorded pirates. Threat window: 1,700 years
Air: 1859 John Wise distributed mail via air balloon, Indiana to NY; 1931 first hijacking (Peru). Threat window: 72 years
Space: 1962 first commercial satellite, just five years after Sputnik. Access and cost have made it less attractive
Cyber: ARPANET 1969 / commercial use (NSFNET, MCI Mail) 1988. Threat window: zero
Different cultures
International boundaries
Complex jurisdiction
Motives
"Why do you rob banks?" Willie "The Actor" Sutton (1901-1980)
Then: Curiosity AND Excitement
Now: Money AND Politics
Insiders
Anything done unintentionally can also be done intentionally with greater impact
Low-tech Trumps Hi-tech
Trust & Access
Who Are They?
Why hack when you can recruit or plant?
"It is very important to concentrate on hitting the U.S. economy through all possible means." Osama Bin Laden
Unstructured Data: Downloading
Structured Data: Sending and Posting
The Countermeasures
Executive Leadership: Beyond IT
Users & Data: Beyond Prevention
Augment Human Intuition
Industrial Revolution, 19th century: Mass Production, Automation, Efficiency, Scalability
1997 EarthLink & AOL; 2002 eBay; 2003 Amazon, Banks, ISPs (Grammar)
Old School | New School
"If crime didn't pay there'd be no crime." G. Gordon Liddy
350,000+ Apps | 100,000+ Apps
Malware Continues to Be the Biggest Threat to Enterprises and Consumers
New pieces of malware per day:
2007: 16,000
2008: 29,000
2009: 46,000
2010: 60,000
[Chart: Number of malware samples in our database, Q1 2008 through Q3 2010; y-axis 0 to 50,000,000]
Botnets By The Numbers
Number of Systems: 160,000 Bandwidth: 500 Gbps
Number of Systems: 500,000 Bandwidth: 1,500 Gbps
Number of Systems: 6,400,000 Bandwidth: 28 Terabits Across over 230 Countries
Industrialized Hacking Maturity Model
Hacking Is a Profitable Industry
Maturity dimensions: Roles | Optimization | Automation
"It's not fair and it's not personal; it's just business"
Value chain: Researching Vulnerabilities > Developing Exploits > Growing Botnets > Exploiting Targets > Consuming Direct Value (i.e. IP, PII, CCN)
Supporting services: Command & Control | Malware Distribution | Phishing & Spam | DDoS | Blackhat SEO
Growing Botnets and Exploiting Vulnerabilities: Selecting Targets via Search Engines; Templates & Kits; Centralized Management; Service Model; Black Hat SEO
2010's Most Dangerous Internet Searches
60% of Popular Google Searches Yield Malicious Sites in First 100 Results
Cameron Diaz, Julia Roberts, Jessica Biel, Gisele Bündchen
Rome Is the Mob: Neptune, Poseidon, Oceanus... Mister Splashy Pants, 78% of Votes
Zeus: An Abbreviated Love Story
Discovered July 2007; more recent versions with over 150 variants
Doesn't self-propagate; requires spam, phishing, drive-by downloads
C&C in 196 countries; 2,400 companies impacted; 3.6M PCs in U.S. alone
Targeted: email accounts, social networking sites and banking
Control, steal credentials, transfer funds
Man in the Browser
Kit: $700-$4,000 USD plus add-ons & plug-ins $500-$10,000 USD
Binary generator to evade detection
Copy protection and license keys
Money mules in U.S. recruited and paid on commission
Create bank accounts using fake documents and phony names
Wire funds to Eastern Europe or smuggle cash
Stole around $70M USD
100+ arrested across U.S., U.K., & Ukraine 2010
Charges of bank fraud & money laundering
Zitmo: SMS (Blackberry & Symbian-based phones)
The Countermeasures
"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric E. Schmidt, Chairman of the Board and CEO, Google
Reputation
Reduce complexity
Wolverines not mosquitoes
Damn the whales, save the plankton
Anti-social engineering
APT
APT / Industrialized Hacking
Advanced: Custom exploits and other mature tools
Persistent: Not a crime of opportunity; on a mission
Threat: They have money and they are motivated
APT Maturity Model
Goals: Stealth intrusion, backdoors; Sensitive data, Monitoring, Sabotage; Leave no traces
Actors: Nation-States; Insiders & Ex-employees; Unscrupulous Competitors; Terrorist/Activist/Criminal Organizations
Motives: Political; Economic
Targets: Large corporations; Critical infrastructure; Governments; Academic & Media
Early weapons
Technology Shifts Advantage
Circa 323 BC, Greeks: Bronze, Iron, Phalanx; fight as a unit
Circa 120 BC, Romans: Steel, Gladius Sword; fight in multiple directions and terrain
New weapons, old tactics
Technology Shifts Advantage
Circa 1500, Ottoman Empire: Matchlock musket; armor ineffective; 1st time used in infantry in force
Circa 1862, American Civil War: Rifled muskets; accurate, mass produced
Like taking a knife to a gun fight... almost
Technology Shifts Advantage
Today: AK-47: Simple, Cheap, Reliable; 100,000,000 made
Today: Modern Warrior: Boron Carbide Body Armor; Night Vision; Robots; Drones; Satellites; Prompt Global Strikes < 60 minutes; Smart Dust (bio, chemical or mechanical)
Technology becomes an equalizer, again
Technology Shifts Advantage
Simple | Excellent Range | Inexpensive | Anonymous
Espionage | Propaganda | Attack
State & Non-state Participants
God made man, but Samuel Colt made them equal.
Estonia, May 2007: Three weeks of cyber attacks following the removal of a bronze soldier
Russian mafia and Russian sympathizers in Latvia, Ukraine, and the US (80,000 IP address sources)
Convergence of Kinetic and Non-Kinetic Warfare
Georgia, August 2008: Kinetic + non-kinetic attacks, where radio station towers were being shot by tanks as DDoS was taking out online capabilities
Other attacks: 2007 Lithuania, Ukraine; 2009 Kyrgyzstan
Patriotic DDoS, April 2008: CNN reports on Tibet; 5,000 Chinese forums recruit patriots (antiCNN.exe); CNN blocks traffic from .CN: double win
"The essence of espionage is access." Allen Dulles, longest serving director of the CIA (1953-1961)
Espionage
2003: Titan Rain
April 2009: $300 Billion Fighter (F-35), equivalent to about 4,600 tanks; the US has about 8,000
Critical Infrastructure Meltdown: There's An App
According to a CNN interview with economist Scott Borg: "A multi month attack on a small part of the U.S. is equivalent to being hit by about 50 hurricanes at once with economic damage greater than any modern economy has ever experienced."
Four Zero Days
Stolen encryption: Advanced & Expensive
PLC, not SCADA
DOE/DHS Test beds
Patching... oops
The Countermeasures
"The best poker players walk a tightrope between their business sense and their passion. As professionals, they seek out the most profitable opportunities and control as many factors as possible to create a positive result. As gamblers, they want the risk and excitement of something important on the line with the outcome in the balance." Michael Craig, Full Tilt Poker Blog
Discover
Connect
Assume
Risk Awareness
Partnerships
Trends in IT
Consumerization of IT: What
"Consumerization will force more IT change over the next 10 years than any other trend." Gartner, 2009
Consumerization of IT: Why
Pick Your Metaphor
Consumerization of IT: Approach
Maximize employee flexibility, capabilities while minimizing organizational risk
Happier and more effective employees with lower procurement costs
Manage provisioning, revocation, access and control where sensitive data resides
Mobility Management (lock, track, backup, partial wipe) | NAC | Virtualization
Virtualization: What
Servers | Endpoints
Operating Systems | Applications | Profiles
Virtualization: Why
Bring Your Own Computer
Use of Home Computer
Power to the Data Center (Centralization)
Management Efficiencies
Unmanaged Devices Used for Business-Related Work
Minimize Hardware Footprint/Costs
Virtualization: Approach
[Diagram: Data Center Hardware > Type 1 Hypervisor (Bare Metal: Citrix | VMware | Microsoft | Etc.) > Virtual Machines (VMs): VDI VMs alongside a dedicated Anti-Virus VM (Optimization | On-Access AV | Management | Reporting | Intelligence), each VDI VM with its own cache]
Cloud: What
IaaS | PaaS | SaaS
Cloud: Why
Accelerate ability to use business applications email, CRM
Leverage infrastructure with greater resources at lower cost
Cloud: Approach
Security FROM the cloud: Security-as-a-Service (SaaS)
Security IN the cloud: Global Threat Intelligence (GTI)
Security FOR the cloud: Security for the cloud ecosystem
March 4, 2011
Cloud: Approach (Threat Intelligence)
Global Threat Intelligence spans the entire Internet, including millions of sensors
Identifies 1 new malicious web server every 60 seconds; 60k new pieces of malware per day; 5M new zombies per month
Across all threat vectors: Network/IPS Signatures | Malware | Vulnerability Management | Spam | Outbound Web Protection
Real-time in-the-cloud threat collection and distribution model, providing reputation-based capabilities: 20B mail queries/month; 75B web queries/month
450+ dedicated researchers in 30+ countries
[Diagram: Desktop | Content | Network | Cloud | Data | DBs | Apps, with Management spanning all layers]
Web 2.0: What, really
Rank | Country | Population | Date of Estimate
1 | China | 1,340,950,000 | December 2nd 2010
2 | India | 1,190,930,000 | December 2nd 2010
3 | Facebook | 500,000,000 | December 2nd 2010
4 | USA | 310,829,000 | December 2nd 2010
5 | Indonesia | 237,556,000 | May 10th 2010
6 | Brazil | 190,732,000 | August 1st 2010
#1 Site On The Internet
If Facebook Was a Country
People spend over 700 billion minutes per month on Facebook
Web 2.0: Why
Just saying no doesn't scale and misses business opportunities
The next generation sees email and traditional web as archaic
Web 2.0: Approach
Leverage application-aware controls
Control application access, downloads, and posts
Don't block; manage interactions based on roles, permissions, and business requirements
Educate users on social engineering and other Web 2.0 attacks
Uniting Data Protection and Network Security: What
Data has value & people want it; network-centric controls alone won't protect it
Resources are limited; adding more solutions in a silo isn't desirable
Network controls in parity with data controls represent symbiotic mutualism
Uniting Data Protection and Network Security: Why
Data at rest, in motion, and in use (transactions) must be considered
Across applications, databases, laptops, mobile phones
So patterns & anomalies of users interacting with data can be gleaned
Uniting Data Protection and Network Security: Approach
Monitor user behavior
Protect data across the network and on endpoints from careless and malicious activity
Achieve enhanced analytics, expansive reporting, accurate alerting and streamlined management
Address questions such as:
Where is the data that needs protection?
Who has access to it?
What uses is it being put to; for example, is it being copied to insecure locations/devices?
Who else is involved, what else might be happening, and how long has this been occurring?
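The four questions above, answered over a constructed set of user-to-data events. This is an added example, not McAfee's or the presentation's code; the event format, the sensitive-path prefixes and the trusted-destination list are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data-access events (hypothetical format, not a McAfee log):
# timestamp user action file destination
EVENTS = [
    "2011-02-01T09:05 alice read   /finance/q4_forecast.xlsx fileserver",
    "2011-02-01T09:20 bob   read   /finance/q4_forecast.xlsx fileserver",
    "2011-02-01T18:40 bob   copy   /finance/q4_forecast.xlsx usb:E",
    "2011-02-03T07:15 bob   copy   /hr/salaries.csv          usb:E",
    "2011-02-03T07:30 carol upload /hr/salaries.csv          webmail.example",
    "2011-02-03T12:00 dave  read   /public/newsletter.pdf    fileserver",
]
SENSITIVE_PREFIXES = ("/finance/", "/hr/")   # classification rule (assumed)
TRUSTED_DESTINATIONS = {"fileserver"}        # any other destination is treated as insecure

def parse(line):
    ts, user, action, path, dest = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M"),
            "user": user, "action": action, "path": path, "dest": dest}

def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)

def sensitive_files(lines):
    """Where is the data that needs protection? Every sensitive path seen in the events."""
    return {e["path"] for e in map(parse, lines) if is_sensitive(e["path"])}

def accessors(lines):
    """Who has access to it? Users observed touching each sensitive file."""
    seen = defaultdict(set)
    for e in map(parse, lines):
        if is_sensitive(e["path"]):
            seen[e["path"]].add(e["user"])
    return dict(seen)

def insecure_copies(lines):
    """Is it being copied to insecure locations/devices? (user, file, destination) triples."""
    return [(e["user"], e["path"], e["dest"]) for e in map(parse, lines)
            if is_sensitive(e["path"]) and e["dest"] not in TRUSTED_DESTINATIONS]

def incident_scope(lines):
    """Who else is involved, and how long has this been occurring? Users and span in hours."""
    hits = [e for e in map(parse, lines)
            if is_sensitive(e["path"]) and e["dest"] not in TRUSTED_DESTINATIONS]
    if not hits:
        return {"users": set(), "hours": 0}
    span = max(h["ts"] for h in hits) - min(h["ts"] for h in hits)
    return {"users": {h["user"] for h in hits},
            "hours": int(span.total_seconds() // 3600)}
```

On the constructed events the script flags bob's USB copies and carol's webmail upload as one incident spanning 36 hours, while the reads from the file server and the public newsletter produce no alert.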
More Information on McAfee