
Anatomy Of A Data Breach:

Exploring The Current Threat Landscape

Larry Chin, Sr. Security Architect, CISA, CISSP, PCI-QSA

Moderator: Angela Moscaritolo, senior reporter, SC Magazine

Threat Landscape: 2010 Trends

- Targeted Attacks continued to evolve
- Social Networking + social engineering = compromise
- Hide and Seek (zero-day vulnerabilities and rootkits)
- Attack Kits get a caffeine boost
- Mobile Threats increase

The Threats Behind The Numbers


February 2011
- Tatanarg/Tatanga: Trojan/rootkit/MITM, fraudulent banking transactions via browser
- Oddjob: Trojan infostealer
- Night Dragon: SQL injection and other vectors for information theft
- Data Breaches: RSA, Honda, Lockheed Martin, Northrop Grumman, Sony, Epsilon

April 2011
- Qakbot: Internet Explorer or QuickTime vulnerability; rootkit, information theft
- Lizamoon: SQL injection to propagate FakeAV
- Ransomware

The Escalating Threat Landscape


- In 2003 we released an average of 5 definitions a day.
- 2007: 1,431 daily. Over the second half of 2007 there was a 524% increase in the number of threats.
- More detections were created in 2008 than in all the other years combined: 7,500 per day.
- In 2009 we started releasing up to 12,000 new signatures a day.
- Today, over 25,000 per day.
- In 2010 there were over 10 million signatures written to catch 286 million threats and stop over 3.1 billion attacks.

Infection Vectors: Email
- Phishing
- Targeted attack: these usually consist of a PDF or Office document carrying an exploit for a vulnerability in the viewer, which drops a backdoor. Targeted email attacks are much more publicized these days.

Example: RSA Attack

- Email to HR staff with subject: "2011 Recruitment Plan"
- Excel document titled: 2011 Recruitment plan.xls
- The document had a 0-day Adobe vulnerability embedded in it.
- The exploit downloaded a custom backdoor from the Poison Ivy family.

Infection Vectors: Malicious Websites and Toolkits

Advanced Persistent Threats

What is an Advanced Persistent Threat?

- An Advanced Persistent Threat (APT) is a sophisticated and well-planned network attack focused against a targeted organization.
- APTs are usually well-funded and use state of the art, often customized, tools that help the attackers avoid detection by the usual methods.
- In addition to funding and customized tools, APT attacks are distinguished by their level of perseverance and the patience needed on the part of the attacker to be successful.
- While most APTs are focused on the government, financial and manufacturing sectors, any organization can be a target.

APT: Targeted Attacks Continue To Evolve
High profile attacks in 2010 raised awareness of the impact of APTs.

Stuxnet was incredibly sophisticated:
- Four zero-day vulnerabilities
- Stolen digital signatures
- Ability to leap the air gap with a USB key
- Potential damage to infrastructure

[Chart: attack sophistication vs. degree of damage]

Less sophisticated attacks also cause significant damage

[Chart: Average # of Identities Exposed per Data Breach by Cause]

Average cost of a U.S. data breach in 2010: $7.2 million
Average cost of a Canadian data breach in 2010: $1.9 million

Typical Attack Scenario - Noisy


Traditional Hacker Attack
In a typical attack scenario the attacker goes for the low hanging fruit. An attacker will either scan for vulnerable hosts, set up a malicious website, or send out hundreds of thousands, even millions, of phishing emails.

Because of the large number of attempts they are bound to find unpatched systems, exploit those systems and extract data from those exploited systems.

The large scale of these types of attacks also means that it is easy to spot them and prevent them from infecting your network.

APT Attack: Low And Slow

An APT Attack

An APT attack takes a different approach because it starts from a different perspective: with a target already in place. In the case of an APT, the attacker starts by finding out as much information as possible about the target and storyboarding that information. Information can come from the organization's website, Google searches, social media sites and various business research tools. In this case, the attacker is looking for weaknesses in the organization itself, as opposed to typical software vulnerabilities.

Cost of the attack: < $5000

Why does an APT work?

APT attacks work because they are customized and focused on the biggest weakness in any organization

The People.

Stopping An APT Attack

- Stopping APT attacks is almost impossible because they rely on a combination of software and human weakness.
- The best hope is to contain the attack and work to ensure that no data is leaked.
- Because of the sophistication of these attacks, traditional signature-based detection does not usually work.
- Instead, detecting an APT attack requires anomaly detection, pattern extraction from those anomalies, and the ability to block the attack or the information egress.

Food For Thought Mobile & Social Media

Mobility Challenges

Mobile Consumerization
- Corporate data on personal devices raises security, liability and manageability issues
- How to allow this large number of devices to securely connect to the enterprise?

Endpoint Heterogeneity
- Multiple mobile platforms with widely varying and ever changing capabilities and form factors; IT cannot have in-depth details about all platforms
- Point solutions make it difficult to enforce an overall corporate policy

Application Management & Enterprise Integration
- Mobile apps need to connect to enterprise backends and vice versa; what is the framework to allow this communication?
- Enterprise IT has existing investments. How can they be leveraged for mobility?

Mobile Data Loss

2008 Ponemon/Dell Study: 12,000 laptops lost in airports each week 2011: ?

Mobile Threats
- Most malware for mobiles are Trojans posing as legitimate apps
- 2011: already > 150 vulnerabilities targeting mobile platforms!

[Chart: vulnerabilities targeting mobile platforms. 2009: 115; 2010: 163]

- Mobiles will be targeted more when used for financial transactions

Mobile Threats - Android

- Eight versions in 2.5 years
- Currently being used on 310 different devices
- Activated on 100 million phones in 2011
- 425,000 apps available by Fall 2011; Google does not test or pre-vet these
- Open source means it's easy for cyber criminals to get a quick financial hit: $1,500 - $4,500 for the tools required to make much, much more from schemes that involve premium billing rates, spyware, search engine poisoning, adware, and pay-per-installs.
- Thirty Trojanized apps removed from the Android store
- Pre-packaged crypters can create fully undetectable Trojanized apps

Social Media: Facebook Statistics as of June 7, 2011

Mobile
- There are more than 250 million active users currently accessing Facebook through their mobile devices.
- People that use Facebook on their mobile devices are twice as active on Facebook as non-mobile users.
- There are more than 200 mobile operators in 60 countries working to deploy and promote Facebook mobile products.

Platform
- Entrepreneurs and developers from more than 190 countries build with the Facebook Platform.
- People on Facebook install 20 million applications every day.
- Every month, more than 250 million people engage with Facebook on external websites.
- Since social plugins launched in April 2010, an average of 10,000 new websites integrate with Facebook every day.
- More than 2.5 million websites have integrated with Facebook, including over 80 of comScore's U.S. Top 100 websites and over half of comScore's Global Top 100 websites.

People on Facebook
- More than 600 million active users
- 50% of active users log on to Facebook in any given day
- Average user has 130 friends
- People spend over 700 billion minutes per month on Facebook

If Facebook were a country it would be the 3rd largest in the world.

Social Networking + Social Engineering = Compromise

Hackers have adopted social networking:
- Use profile information to create targeted social engineering
- Impersonate friends to launch attacks
- Leverage news feeds to spread spam, scams and massive attacks

Canadian Trends in Mobility Adoption and Social Networking

- Demand for access to social networking sites and the desire to bring your device to work continue to grow.
- Many organizations are looking at this as an opportunity rather than a threat: Research and Development, Marketing, Human Resources, Sales and Customer Service use it to innovate, create brand recognition, hire and retain employees, generate revenue and improve customer satisfaction.
- Social networking creates instant access to millions of consumers or constituents.
- Bring your device to work can:
  - Reduce training costs and subsequent support
  - Increase employee productivity in and outside of an organization
  - Be used as a strategy to attract top talent in the marketplace
  - Accelerate the process of IT transforming itself from a cost center that says no to the business partner that helps drive new revenue

Enterprises must develop an appropriate strategy and controls to manage their use of social media and new smart devices.

Risks Of Social Media In The Enterprise

- Introduction of viruses and malware to the organizational network
- Exposure to customers and the enterprise through a fraudulent or hijacked corporate presence
- Unclear or undefined content rights to information posted to social media sites
- A move to a digital business model may increase customer service expectations
- Mismanagement of electronic communications that may be impacted by retention regulations or e-discovery
- Use of personal accounts to communicate work-related information
- Employee posting of pictures or information that link them to the enterprise
- Excessive employee use of social media in the workplace
- Employee access to social media via enterprise-supplied mobile devices (smartphones, personal digital assistants [PDAs])

There are significant risks to those who adopt this technology without a clear strategy that addresses both the benefits and the risks.

Stages Of A Breach: Incursion > Discovery > Capture > Exfiltration

- The #1 vector is email, a trend that has accelerated
- The web is becoming an increasing vector for malware coming into companies
- 90% of breaches due to un-patched vulnerabilities
- Advanced Persistent Threats
- Phishing/Spear Phishing
- Compromise of endpoints
- Data theft
- Bundling of information for egress
- Survey for egress points (mail, ftp, dns, web)
- Example: 400,000 military documents posted by Wikileaks, Oct. 2010
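The "Stopping An APT Attack" slide says signature-based detection does not usually work and that what is needed is anomaly detection, pattern extraction and the ability to block information egress, and the stages-of-a-breach slide names the egress channels the attacker surveys (mail, ftp, dns, web). The following is an added example, not code from the presentation or from Symantec: it baselines each internal host's daily outbound volume per egress channel from a quiet period, then flags a host that either uses a channel it never used before or pushes far more than its baseline through one. The log format, the port-to-channel mapping, the hosts and the byte counts are all constructed for the example.

```python
"""Baseline-and-deviation egress monitoring over constructed flow logs.

Added example, not code from the original presentation. Learn each host's
normal outbound volume per egress channel (mail, ftp, dns, web), then flag
days where a host exceeds its baseline or uses a channel it never used.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Destination port -> egress channel named in the slides (assumed mapping).
CHANNELS = {25: "mail", 587: "mail", 21: "ftp", 53: "dns", 80: "web", 443: "web"}


@dataclass(frozen=True)
class Flow:
    ts: str        # "YYYY-MM-DD HH:MM:SS"
    host: str      # internal source address
    dst: str       # external destination address
    dport: int
    out_bytes: int


@dataclass(frozen=True)
class Finding:
    host: str
    channel: str
    day: str
    out_bytes: int
    reason: str


def parse_log(text):
    """Parse constructed 'date time host dst dport bytes' lines into Flows."""
    flows = []
    for line in text.strip().splitlines():
        date, time, host, dst, dport, out_bytes = line.split()
        flows.append(Flow(f"{date} {time}", host, dst, int(dport), int(out_bytes)))
    return flows


def daily_totals(flows):
    """{(host, channel): {day: outbound bytes}}, one bucket per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[(f.host, CHANNELS.get(f.dport, "other"))][f.ts[:10]] += f.out_bytes
    return totals


def build_baseline(flows):
    """Per (host, channel): (mean, population stddev) of daily outbound bytes."""
    return {key: (mean(days.values()), pstdev(days.values()))
            for key, days in daily_totals(flows).items()}


def detect(baseline, flows, k=3.0, min_bytes=50_000):
    """Flag days where a host's egress deviates from its baseline.

    k: standard deviations above the mean to tolerate; the floor of 10% of
    the mean keeps a near-constant baseline from becoming a hair trigger.
    min_bytes: ignore tiny volumes so a single lookup does not alert.
    """
    findings = []
    for (host, channel), days in daily_totals(flows).items():
        for day, total in days.items():
            if total < min_bytes:
                continue
            if (host, channel) not in baseline:
                findings.append(Finding(host, channel, day, total,
                                        "new egress channel for this host"))
                continue
            mu, sd = baseline[(host, channel)]
            if total > mu + k * max(sd, 0.1 * mu):
                findings.append(Finding(host, channel, day, total,
                                        f"volume {total / mu:.0f}x baseline mean"))
    return sorted(findings, key=lambda f: (f.host, f.channel, f.day))


def constructed_baseline_log():
    """Five quiet days (constructed): host .5 uses web+mail, host .9 web+dns."""
    web5 = [1_900_000, 2_050_000, 2_000_000, 1_950_000, 2_100_000]
    mail5 = [40_000, 38_000, 42_000, 41_000, 39_000]
    web9 = [1_500_000, 1_450_000, 1_550_000, 1_500_000, 1_500_000]
    dns9 = [20_000, 22_000, 18_000, 21_000, 19_000]
    lines = []
    for i in range(5):
        d = f"2011-04-0{i + 1}"
        lines.append(f"{d} 08:00:00 10.0.0.5 93.184.216.34 443 {web5[i]}")
        lines.append(f"{d} 08:05:00 10.0.0.5 192.0.2.25 25 {mail5[i]}")
        lines.append(f"{d} 09:00:00 10.0.0.9 93.184.216.34 80 {web9[i]}")
        lines.append(f"{d} 09:01:00 10.0.0.9 198.51.100.53 53 {dns9[i]}")
    return "\n".join(lines)


# Constructed observation day: host .5 bulk-uploads over ftp it never used
# (and makes one tiny dns lookup, below min_bytes); host .9 pushes hundreds
# of times its normal volume through dns.
OBSERVED_LOG = """
2011-04-06 08:00:00 10.0.0.5 93.184.216.34 443 2080000
2011-04-06 08:05:00 10.0.0.5 192.0.2.25 25 41000
2011-04-06 08:06:00 10.0.0.5 198.51.100.53 53 3000
2011-04-06 23:10:00 10.0.0.5 203.0.113.7 21 120000000
2011-04-06 09:00:00 10.0.0.9 93.184.216.34 80 1480000
2011-04-06 02:00:00 10.0.0.9 198.51.100.53 53 4800000
"""


def run_example():
    baseline = build_baseline(parse_log(constructed_baseline_log()))
    return detect(baseline, parse_log(OBSERVED_LOG))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.day} {f.host} {f.channel:<4} {f.out_bytes:>12,} bytes  {f.reason}")
```

Two findings come out of the constructed data: the ftp upload from 10.0.0.5 (a channel absent from its baseline) and the dns volume from 10.0.0.9 (about 240 times its daily mean), while the normal web and mail traffic and the small dns lookup stay quiet. The per-host, per-channel baseline is what makes the "low and slow" pattern visible: the total bytes leaving the network barely move, but one host's use of one channel does. In a real deployment the findings would feed the egress block the slide calls for (a firewall or proxy rule for that host and channel) rather than just a printout.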

Headlines, Oct. 2010:
- Dumpster Dives Turn Up Personal Information (Toronto)
- Copy Machines Spill Identity Secrets

What Caused The Breach

- Poorly Protected Infrastructure
- Lack of IT Policies
- Poorly Protected Information
- Poorly Managed Systems
- SQL Injection
- Siloed, Inconsistent Protection
- Physical Security
- Proactive Threat Information

- 81% of targeted companies were not PCI compliant
- 67% of breaches are due to insider negligence or lack of knowledge

Countermeasures:
- Encryption, particularly on mobile devices and detachable storage
- Data Loss Prevention
- Application and device control
- Reporting and enterprise-wide visibility
- Timely patching or mitigating measures
- Policy and procedure

Preventing The Breach: A Holistic Security Strategy
(Four areas linked by workflow; logs feed Monitoring. Each control is paired with the gap left when it is missing.)

Monitoring
- Log Aggregation & Log Collection From All Systems -> No Log Aggregation
- Correlation for Reporting -> No Operational Visibility / Reporting
- Proactive Measures -> No Ability to Mitigate Impact of New Threats

Protection (Data / Information / Intellectual Property)
- Workstation Config & Security -> Endpoint Compromise
- Servers Config & Security -> Enterprise Compromise
- Web Security -> Web Borne Threats
- Data Protection & Backup -> Confidential Info Loss
- Mail Security -> Spam, Phishing, Trojans etc.

Management (TCO)
- Server Management -> Unplanned outages, data loss, operational costs
- Service & Asset Mgmt. -> Excessive SW/HW costs, no asset mgmt., support costs
- Workstation Management -> TCO, LOE & support cost; levels of control and security

Policy, Procedure (Compliance & Audit)
- Standards, Legislation, Regulations (PCI, SOX etc.) -> Legal Action & Financial Penalties
- Procedure (Internal and External) -> Lack of Standardization, operational costs
- Policy / User Awareness -> Flawed Operations, Liability, Data Loss

The Consequences


Eight Questions To Security

1. Can you respond to threats proactively?
2. Do you know where your sensitive information resides?
3. Can you enforce IT policies and remediate deficiencies?
4. Is your infrastructure management as cost effective as possible?
5. Are your policies current and relevant?
6. Do you know who is using your information?
7. Can you easily manage the lifecycle of your IT assets?
8. Do you have visibility across the enterprise?

Thank You
Larry Chin Larry_Chin@symantec.com
