Scribd
Upload
86 views

APT: It Is Time To Act: Dr. Eric Cole

The document discusses advanced persistent threats (APTs) and outlines a 5 step approach to improving security against these sophisticated threats. It notes that APTs are a global problem and many organizations have been compromised. Traditional security controls are often ineffective against APTs. The 5 steps proposed are: 1) identify critical data, 2) align defenses with offensive tactics, 3) thoroughly understand internal networks, 4) implement defense in depth, and 5) establish common security metrics.

Uploaded by

megvik
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
86 views

APT: It Is Time To Act: Dr. Eric Cole

The document discusses advanced persistent threats (APTs) and outlines a 5 step approach to improving security against these sophisticated threats. It notes that APTs are a global problem and many organizations have been compromised. Traditional security controls are often ineffective against APTs. The 5 steps proposed are: 1) identify critical data, 2) align defenses with offensive tactics, 3) thoroughly understand internal networks, 4) implement defense in depth, and 5) establish common security metrics.

Uploaded by

megvik
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 22

A P T: It is Time to A ct

Dr. Eric Cole

2012 Secure Anchor Consulting. A ll rights reserved.

APT Defined
The APT is a cyber-adversary displaying
advanced logistical and operational
capability for long-term intrusion
campaigns with the goal of exploiting
information in a covert manner

APT is a sophisticated global threat posing serious


information security challenges and implications
Primary goal is long-term occupation for data mining,
malicious activities and to ensure future use
Based on current shared industry knowledge and
experience, a large number of global organizations that
deal with sensitive information are currently
compromised

Just a small sample of breaches

Aurora
Night Dragon
RSA Breach
Shady RAT

Most commercial organizations have little experience


dealing with these advanced threats
Sophisticated and well-funded APT adversaries do not
necessarily need to breach perimeter security controls to
access networks

APT adversaries are changing the game identification, detection, analysis and remediation
must evolve to keep pace with new challenges

The Future is Ours to Decide

Two roads diverged in a wood, and I - I took


the one less traveled by, and that has made
all of the difference Robert Frost

Why is this Happening?


PrivacyRights.org (updated weekly)
Here are some that are reported (most are not)
Just a small sample (financial records breached):

Heartland Payment Systems (130+ million)


Oklahoma Dept of Human Services (1 million)
International Finance Agency (22 million)
University of California (160,000 )
Network Solutions (5 million)
European Military Veterans Administration (76 million)
Australian BlueCross BlueShield Assn. (987,000)

Data Driven Threats

2001

End of 2010

Mid 2012

Vulnerabilities

440

28,500

34,100

Password Stealers
(Main variants)

400

80,000

380,000

24,000

26,000

17,000

358,000

484,000

Malware (main variants)

18,000 (?)

586,000

2,700,000

Malware Zoo
(Collection)

30,000 (?)

5,800,000

16,300,000

Potentially
Unwanted Programs
Malware (families)
(DAT related)

We cannot solve our problems


with the same thinking we used
when we created them.

Albert Einstein

Were Security Measures in Place?


Endpoint
Software
Management

Law Firm

IDS

Manufacture

Anti-virus

CDC 2

Host
Auditing
Enabled

CDC 1

Firewalls /
Proxy
Servers

Oversight
Compliance
Government

Traditional and common information security


defenses are not effective in the detection and
prevention

While traditional countermeasures can be


implemented, they often prove ineffective
requiring more advanced approaches

5 Step to a Secure Future

Step 1: Identify Critical Data

Align critical assets


with threats and
vulnerabilities to focus
on risk

Risk Based Thinking


1) What is the
risk?
2) Is it the highest
priority risk?
3) Is it the most
cost effective
way of
reducing the
risk?

Step 2: Align the Defense with


the Offense
1)
2)
3)
4)
5)

Reconnaissance
Scanning
Exploitation
Creating backdoors
Covering tracks

Step 3: Know thy Organization


If the offense knows more than
the defense you will lose

Requirements:
a) Accurate up to date network
diagram
b) Network visibility map
c) Configuration management and
change control

You Cannot Protect


What You Do Not Know About
10.10.5.3

10.10.5.9

10.10.5.10
10.10.5.x

21

25

80

53

Sendmail 8.12.10

21

443

Apache 1.3.26
10.10.5.3

25

80

Sendmail 8.12.10

80

10.10.5.9

53

443

Apache 1.3.26

10.10.5.10

80

Step 4: Defense in Depth

There is no such thing as an


unstoppable adversary
Requirements:
a) Inbound prevention
b) Outbound Detection
c) Log correlation
d) Anomaly detection

Step 5: Common Metrics


Everyone must be using the
same playbook in order to win
Requirements:
a) Utilize the critical controls
i.
ii.

Offense informing the defense


Automation and continuous monitoring
of security
iii. Metrics to drive measurement and
compliance

www.sans.org/critical-security-controls/

%RWWRP/LQH

It is time to take control of your data

/HWVVWRSPDNLQJLWHDV\IRUWKH
adversary

Final Thought

,WLVWLPHWRDFW
7DNHWKHSDWKOHVVWUDYHOHG

T H A N K Y O U for your time


Dr. Eric Cole

Twitter: drericcole
[email protected]
[email protected]
www.securityhaven.com

You might also like