3975 University Drive, Suite 460, Fairfax, Virginia 22030 | 1-855-511-5967 | Invincea.com | @invincea
DETECTION | PREVENTION | INTELLIGENCE
Spear-Phishing, Watering Hole and
Drive-By Attacks: The New Normal
Secure the primary vulnerability exploited by your adversaries – protect
every employee
Executive Summary
The news over the past 18 to 24 months proves one alarming fact: the single largest threat your
organization faces today is network breach. Your employees have become the primary target of a
diverse set of motivated adversaries bent on one objective: penetrating your network in order to gain
access to sensitive information, including financial data, research and development activities, intellectual
property, and personally identifiable information on your clients and employees. Today’s most successful
and common attack vectors involve tricking your users into opening the door to your network.
Spear-phishing, watering hole attacks and drive-by downloads are the new normal. The adversary gains
entry into your network by enticing your employees to click on links and open document attachments,
and every time they go to the Internet or open the email client, they put your company at risk.
The techniques used by your adversaries include:
• Spear-phishing emails that deliver the employee to malicious websites that run drive-by
download exploits or include weaponized document attachments
• Watering hole attacks that involve hijacking legitimate, trusted sites to push malware to
unsuspecting users
• Poisoning search results behind trending news items on popular engines, such as Google,
Yahoo!, and Bing
• Pushing malware through popular social networks such as Twitter and Facebook
Your organization is under a state of constant and sustained attack, and every employee represents a
potential point of weakness in your security strategy. Innovation in endpoint security is a critical need.
New approaches to insulate the employee against these attacks are required and Invincea is the solution.
Diverse Adversaries – Common Objectives – Massive Gains
Your adversaries range from nation states seeking to steal government secrets and intellectual property,
to organized cyber criminals seeking to perpetrate financial fraud and identity theft, to hacktivists
seeking to disclose your secrets in the public eye in an effort to shame your organization. Regardless of
the actors, the common denominator is that your employees are the entry point. For nation states and
cyber criminals the motivation is clear: massive financial gain on the back of your long-term investments.
“Cyber-crime’s estimated cost is more than that of cocaine, heroin, and marijuana trafficking put
together.”
Khoo Boon Hui – President, Interpol
No One is Immune
The question from business leaders to their security teams was once “Can this happen to us?” The news
over the past 18-24 months has answered that question with an emphatic “Yes…no one is immune.”
Every organization is at risk for cyber breach. Depending on the size of the organization, the industry,
and the geographic footprint, the adversarial focus may vary. Small and medium sized businesses are
most at risk from organized cyber criminals. Enterprises and governments face threats from all three of
the main adversarial categories – nation states, cyber-crime, and hacktivists. The Hackmageddon blog
covers the motives of adversaries, their targets, and includes a detailed graphic timeline of hacking
incidents categorized by month in 2012. Below are a few real-world examples of recent attacks against a
wide cross section of industries. The sad reality is that this list is not all-inclusive as there are simply too
many examples to cite.
• Spear-phishing attack against RSA
• Spear-phishing attack against Oak Ridge National Labs
• Spear-phishing attacks against global energy companies (“Night Dragon”)
• Spear-phishing attacks against dozens of industries (“Operation Shady RAT”)
• Spear-phishing attacks against The Wall Street Journal, Washington Post and New York Times
• Watering hole attacks against Facebook, Twitter and Apple
• Watering hole attack against the U.S. Departments of Labor and Energy
• Drive-by download attack using the popular site Speedtest.net
• Drive-by download attack using major Washington D.C. area radio station websites
• Hacktivist attack against Sony PlayStation Network
• Spear-phishing attacks against private firms, think tanks, and government organizations
• Spear-phishing attacks against gas pipeline firms
• Cyber-crime attacks against small and medium sized businesses
Assessing the Cost of Data Breach
The Ponemon Institute’s “2012 Cost of Cyber Crime” report places the cost of data breach at an
average of roughly $8.4 million. A hefty sum to be sure; however, recent disclosures are even more
alarming. When considering the risk of a breach, look at the following:
• $66 million in losses at RSA – The Security Division of EMC
• $171 million in losses suffered at Sony for the breach of Sony PlayStation Network
• According to an anonymous source in the U.S. Intelligence community quoted in this
Washington Post report, attacks by nation states in the past two years have resulted in:
  o Loss of $100 million worth of insecticide research
  o Loss of $400 million worth of chemical formulas
  o Loss of $600 million worth of proprietary electronics data
“Trade secrets developed over thousands of working hours…are stolen in a split second.”
Robert “Bear” Bryant – National Counterintelligence Executive
The User as the Unwitting Accomplice
We live in a constantly connected world, and every employee in your organization has multiple ways to
access your network. They have free rein over the Internet to aid in productivity and are always
connected to the email client, day or night, at work or home. Your adversaries know this and use it to
their advantage. They also know that despite all of the effort you expend attempting to train your users
to make good security decisions, a well-crafted attack has a high likelihood of success. Every employee in
the organization is a potential unwitting accomplice to breach, from the intern to the chief executive.
Why? The adversaries also know that internal network security is virtually non-existent. With access to,
and residency on, a single machine, they can move laterally to seek out the keys to your kingdom.
Looking at the 2011 Investigations report released by the U.S. Computer Emergency Response Team
(US-CERT), it is clear that the employee is the primary target. When combining phishing and malicious
website-based attacks (i.e. attacks involving employees), US-CERT found that roughly 58% of incidents in
2011 involved direct attacks against the employee.
Total Incidents Reported to US-CERT, FY 2011
(Source: US-CERT FY 2011 Investigations)

Category                        Incidents    Share
Phishing                           55,153    51.2%
Virus/Trojan/Worm/Logic Bomb        8,236     7.7%
Malicious Website                   6,795     6.3%
Non Cyber                           9,652     9.0%
Policy Violation                    7,927     7.4%
Equipment Theft/Loss                6,635     6.2%
Suspicious Network Activity         3,527     3.3%
Attempted Access                      863     0.8%
Social Engineering                  2,573     2.4%
Others                              6,294     5.8%
Total                             107,655   100.0%

Fighting an Uphill Battle
When it comes to defending against today’s adversaries, the burden typically falls on under-armed,
overworked IT and Information Security teams. Shrinking budgets; limited human resources; sprawling
workloads; a lack of innovative new solutions from trusted vendors; and constant push-back
from the business to minimize any changes to employee workflow are all working against these teams in
their fight to protect your organization. When we combine these challenges with the fact that your
adversaries are well-funded, staffed, motivated, and constantly evolving their techniques, it is little
wonder that we see the pace of breaches increasing at an exponential rate. Your IT and Information
Security teams need help. They need new solutions that can meet the demand of the business to keep
the employee productive and at the same time protect every employee from becoming an unwitting
accomplice to breach. Unfortunately, the adversary has you outnumbered. This isn’t a problem that can
be addressed by scaling your internal team. In fact, every one of your employees is a potential target.
This is a problem that demands a technology solution to aid the internal security team in identifying the
adversary while not ceding the network to breach.
Wash-Rinse-Repeat - The Security Insanity Cycle:
Against the backdrop described above, these teams often find themselves in a game of “Whac-A-Mole”
with your adversaries. The wash-rinse-repeat cycle of infection detection, remediation, and patching of
the vulnerabilities used to penetrate your network is what Invincea calls the “Security Insanity Cycle.”
Page 6
The fundamental problems with this reality are threefold:
1. Infections are usually detected months or years after the fact, meaning the damage is long since
done and the adversary has had ample time to both colonize the network and steal sensitive data.
“In over half of the incidents investigated, it took months – sometimes even years – for this realization to
dawn.” Verizon Business Data Breach Investigations Report - 2012
2. Dollars spent on remediation reach into the millions, meaning unbudgeted costs for the organization
that impact the bottom line and add to the overall cost of network breach. Moreover, these millions
are spent after the damage is done – they do nothing to protect your organization.
3. While your teams are fighting the newly discovered fire, the adversary continues to attack other parts
of the organization. This is where the “Whac-A-Mole” analogy comes into play. Your adversaries are
persistent – while you clean up one attack, they’ve already pivoted and are launching others against
you.
The Great Malware Arms Race
One significant reason that your teams are at a severe disadvantage to your adversaries is that many of
the technologies they rely upon are reactive. Most require a list of known bad malware or websites in
order to detect or block malware. These technologies no longer work against today’s adversaries who
continuously morph their signature while standing up and bringing down websites on an hourly basis.
Consider the following when looking at the ability of signature-based defenses to protect your
organization:
• Malware authors are producing roughly 80,000 new variants per day (McAfee).
• Malware authors are increasingly utilizing polymorphic techniques in which malware mutates
itself to evade signatures.
• The endpoint has effectively become the new perimeter and Anti-Virus (AV) is the primary
endpoint security solution, yet an alarming (though somewhat dated) Cyveillance study shows
that AV vendors detect less than 19% of attacks on average.
Why Current Defenses Fall Short
What we need to understand when looking at our defensive strategies is that for all intents and
purposes, the user has become the new perimeter. As we have moved to an always-on, increasingly
mobile lifestyle, we have changed the security paradigm. It has evolved from one of protecting assets
that are statically placed behind our layered defenses to one of protecting those assets wherever they
may be at any given point in time. If we accept the ample evidence that suggests the employee is the
primary target, then we must also protect his or her computing device. To further support this
assertion, consider two recent examples of adversaries targeting employees on the road:
• Popular iBAHN wireless hotel network attack (December 2011)
• IC3 warning of attacks through hotel wireless networks (May 2012)
Assessing the Power of Anti-Virus
Anti-virus (AV) software is inherently reactive because it discovers infections after they occur and is
unable to detect new malicious code variants. Typically only a handful of the 40+ AV products will know
about the malware. Again, this is because more than 80,000 new malware variants are being released
into the wild on a daily basis and malware writers are now using polymorphic techniques to constantly
avoid detection. Some AV offerings now feature heuristic patterning in which threats are grouped and
analyzed according to common characteristics. However, heuristics are rarely deployed by the AV
companies because they are subject to false-positives, which can result in severe damage to the system if
a system file is quarantined as a false positive. Some AV vendors augment resident data repositories with
a real-time, cloud-based service in order to reduce the time it takes to identify threats and provide
updates to customers. However, the fundamental approach remains unchanged. These tools are still
only stopping known threats, so they’re missing the most sophisticated elements of the threat landscape.
Assessing the Power of Firewalls
One traditional way of protecting the enterprise is to build a wall around the castle – a network firewall.
However, firewalls are designed to stop inbound threats to services that should not be offered outside
the organization. In the context of a Web browser or email client, firewalls are ineffective since they
block only inbound attacks, and browser malware is initiated by outbound Web page requests that pass
through the firewall. Additionally, email attachment based attacks often penetrate firewalls to reach
employees if the malware is unknown to AV scanners running at firewalls. The bad actor doesn’t need
to try to penetrate the network since the user pulls it in from the inside. Firewalls obviously maintain a
role in a layered defense approach as they help to prevent inbound attacks against ports and services
that should not be exposed to the outside. Also, if an attack occurs at the network layer, firewalls and
filtering proxies can block the connection and prevent the attack from compromising other machines
within the enterprise. It just isn’t enough against today’s threats, especially if we accept the assertion
that the endpoint is the new perimeter.
Assessing the Power of Web Gateways
Web gateway solutions like Blue Coat, Websense, and those offered by some of the major AV vendors
selectively block Web content from a known malicious source. Their effectiveness revolves around the
ability to proactively blacklist untrusted sites or, more restrictively, only allow users to visit certain
whitelisted sites so that when a user clicks a link, the gateway may prevent the browser from accessing
the site. Similar to AV solutions, Web gateways need to know what bad is beforehand in order to stop
your employees from accessing it. Gateways definitely deliver a broader solution than AV because they
can blacklist IP addresses and URLs, but they still play a game of cat and mouse with the adversary. It
just isn’t enough against today’s threats.
Consider the complexity of maintaining an accurate whitelist and blacklist for your Web gateway when
taking into account some of this recent news:
• 30,000 new malicious sites stood up on a daily basis
• “LizaMoon” attack infects millions of legitimate websites
• Amnesty International website hijacked to push malware
• High-ranked sites hijacked and blacklisted by Google
Assessing the Power of Application Whitelisting
While application whitelisting is effective at preventing standalone malware executables from running,
most attacks exploit known trusted applications including the browser, document readers, and
document editors. Microsoft Internet Explorer, Adobe Reader and, increasingly, Microsoft Office
documents are the most vulnerable, targeted, and widely used applications on the desktop. These
applications present a rich environment for attackers to find and exploit vulnerabilities. They also
provide fertile ground for adversaries to dupe users into clicking on links and opening documents. As
malware exploits those applications, the cyber adversary gains a foothold in the enterprise via the
whitelisted application. The malware has access to that machine, the data on that machine, and all
network devices to which that machine is connected.
A paper recently presented at ShmooCon 2012 entitled “Raising the White Flag” detailed the security
gaps in leading whitelisting tools, including:
• ActiveX controls
• PDF documents
• Office documents
• Shellcode injection
• Java
• JavaScript
• Browser exploits
• Browser extensions
• Scripting
Not surprisingly, these attacks involve exploiting both the extant vulnerabilities and the extensions and
plug-ins of whitelisted applications including the browser and document readers and editors. This
includes scripting languages, shellcode, Java, interpreters, and vulnerabilities in the applications
themselves. Unfortunately, these are the most common real-world exploits. Most exploits work by
either using a spear-phish to direct the user to click on a link or directing the user to open an
attachment. Users also get infected using more opportunistic methods like poisoned search engine
results or simply browsing the Web. It’s not unusual for malware to leverage a browser vulnerability to
directly inject itself into the memory of a running process, such as an operating system service. In all of
these cases, the exploited or infected process has been whitelisted and therefore is allowed to run with
full and normal privileges.
Assessing the Power of Network-Based Malware Detection
Recently there has been a push for perimeter security solutions that promise to do behavioral analysis
of content using virtual machines. However, there are fundamental limitations with this approach based
on content analysis and scalability and they have already been circumvented by several countermeasures,
some of which are quite simple.
Network Boundary Limitations for In-Line Analysis:
The fundamental limitation on deployments in practice is making the network appliance the bottleneck
for all inbound content. While deep packet inspection (DPI) technologies have made progress to being
able to do in-line inspection at gigabit speeds, DPI devices are doing pattern matching on hardware
optimized for the purpose of matching network streams against known attack patterns, i.e., signature
matching against known threats. Network appliances that attempt to run content in a virtual machine
(VM) at the network boundary before passing on the content face a fundamental limitation on
introducing unacceptable latency for each session or content type that must be analyzed prior to passing
the content to the user.
To do in-line monitoring with a VM-based technique, you will need to create a VM for each session
nominally, and likely for each content type. For instance, if a user browses to a website and the device
attempts to determine if that website is malicious, it will also need to browse to the website and
attempt to observe any malicious behavior. Clearly the latency to perform this action proactively is
infeasible, so the best case is that it determines the site is malicious while the breach happens or after
the breach occurs. Likewise, in analyzing the content attached to an email, a VM must be created for
each content type. If the email has a PowerPoint, a Word document, and a .zip archive with executable
programs embedded, then a VM must be created for each of these content types – and that is just for a
single email for a single user.
There are significant scalability issues that arise with this approach:
1. Scaling to number of users
2. Scaling to number of sessions and emails per user
3. Scaling to content types
4. Scaling to versions of software for each content type (e.g., Adobe 8.x, Adobe 9.x) to
determine if a vulnerability is being exploited
5. Scaling within acceptable latency bounds for delaying delivery of content
Points 1, 2, and 3 above set the requirement for a certain number of VMs to be created per user in your
organization based on the network sessions they have and content type. Point 4 exacerbates this
problem severely because most exploits are both specific to a particular version of the application
running the content type and the operating system that runs the application. In other words, an in-line
solution will need to include every version of every application/operating system combination present
within the network to determine if it may be exploited by the untrusted content. The final point, Point
5, is extremely difficult to overcome because it cannot scale with hardware. The adversary can
introduce arbitrary delays in running malicious code. For instance, when opening a Word or PDF
document, the malicious code may choose to wait 15 or 20 minutes before running. Some exploits we
have observed in practice will require a system reboot before running the malicious code. Finally,
archiving content in a compressed, encrypted, or password-protected format where the password or
key is shared with the user defeats in-line approaches, simply because the content cannot be scanned at
the gateway. These tactics are all within control of the adversary and make in-line analysis of content
fundamentally unscalable.
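The last of the tactics above, a password-protected or encrypted archive, is the one a gateway can at least recognise even though it cannot scan the contents. The check below is an added example (not Invincea code or the product's own gateway logic): it reads the general-purpose flag bit that the ZIP format sets on encrypted entries and returns a "hold" verdict so the attachment is routed for endpoint-side handling instead of being passed through as if it had been scanned. The sample archive is constructed in memory and the encrypted flag is patched into its headers by hand, since the standard library cannot write encrypted archives; the verdict names and the idea of a "hold" queue are assumptions.

```python
"""Recognise archive attachments that a gateway cannot content-scan (added example)."""
import io
import struct
import zipfile
from typing import List, Optional

LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_HEADER_SIG = b"PK\x01\x02"
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: entry is encrypted (ZIP APPNOTE 4.4.4)


def encrypted_entries(archive_bytes: bytes) -> List[str]:
    """Names of entries whose flag bit marks them encrypted.

    Uses the central directory (via zipfile) rather than scanning for
    signatures, so 'PK' byte runs inside file data cannot confuse it.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & FLAG_ENCRYPTED]


def gateway_verdict(archive_bytes: bytes) -> str:
    """'reject' if not a zip, 'hold' if any entry is unscannable, else 'scan'."""
    if not zipfile.is_zipfile(io.BytesIO(archive_bytes)):
        return "reject"
    return "hold" if encrypted_entries(archive_bytes) else "scan"


def build_sample(encrypt_name: Optional[str] = None) -> bytes:
    """Construct a small zip; optionally mark one entry as encrypted.

    Only the header flag is changed (local header flags at +6, name at +30;
    central header flags at +8, name at +46). The data stays plaintext, which
    is all a gateway check needs to exercise.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.docx", b"constructed sample document")
        zf.writestr("readme.txt", b"constructed readme")
    data = bytearray(buf.getvalue())
    if encrypt_name is None:
        return bytes(data)
    wanted = encrypt_name.encode()
    for sig, flag_off, nlen_off, name_off in (
        (LOCAL_HEADER_SIG, 6, 26, 30),
        (CENTRAL_HEADER_SIG, 8, 28, 46),
    ):
        pos = 0
        while (pos := data.find(sig, pos)) != -1:
            nlen = struct.unpack_from("<H", data, pos + nlen_off)[0]
            if data[pos + name_off : pos + name_off + nlen] == wanted:
                flags = struct.unpack_from("<H", data, pos + flag_off)[0]
                struct.pack_into("<H", data, pos + flag_off, flags | FLAG_ENCRYPTED)
            pos += len(sig)
    return bytes(data)


if __name__ == "__main__":
    print("plain archive:", gateway_verdict(build_sample()))
    print("encrypted entry:", gateway_verdict(build_sample("invoice.docx")))
```

The check deliberately does nothing with the archive's contents: its only job is to stop an unscannable attachment from being counted as scanned, which is the gap the paragraph describes.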
In addition to all these drawbacks, hardware isn’t cheap. With a robustly configured server, you can host
at least 64 and at best 128 virtual machines. Once you start to do the math on how many simultaneous
virtual machines need to be created for your users, how many sessions will take place, and which
content types will be used, this approach gets unscalable and uneconomical quite rapidly.
As a result, the market quickly concluded that running this class of solution, which inspects inbound
content via virtualization at the network perimeter, is infeasible. Because in-line analysis has become
untenable, these devices are now being configured to examine outbound connections only. What this
means in practice is that the device can look at outbound connections (primarily HTTP) to attempt to
determine if an internal machine is communicating with a known command and control network. In this
case, the device has simply become another pattern matching machine that is driven by the latest lists of
known botnet command and control networks. Likewise, having abandoned virtualization for behavioral
analysis, these devices are often used simply to compare signatures of content, such as executable files,
against known malicious signatures. Unfortunately this means the device has become another in a long
list of security appliances that are reactive and can only detect known threats.
If the detection efforts fail, then the effort becomes about the post facto discovery of the malware that
takes root within the IT infrastructure. Network colonization by the adversary and the required
network remediation to address the problem can be very expensive, typically costing seven figures to rid
the network of an infection.
A final point to consider with network boundary devices is the case of the mobile user outside of the
network. When this user is simply online on the road or at home, not VPN’d into the corporate
network, they are essentially bypassing any protection provided by network perimeter devices. With the
expansion of the mobile work force and personal email services, this is becoming a significant risk for
enterprise security managers.
The Invincea Solution
Invincea addresses the gaps left by other security solutions by protecting the most important attack
surface in the enterprise – the employee. Invincea employs application virtualization to create a
protective “bubble” around applications that run untrusted content – including Web browsers, PDF
readers, the Office suite, .zip and .exe files. We protect users against both known and zero-day
malware delivered via spear-phishing, watering holes, drive-by downloads, social networking worms,
fake anti-virus and other online threats. By creating secure virtual containers and running each of these
applications in its own virtual environment on the endpoint, Invincea has created an enterprise “airlock”
that seals the potential attack vector off from infecting the endpoint and prohibits lateral movement in
your network.
Endpoint Security Software:
Invincea deploys as a lightweight Windows application. This application is licensed on a subscription basis
with flexible renewal options to meet your specific needs. The application has the ability to protect your
users against all untrusted content by moving browsers, PDF readers, the Office suite, .zip files and
executables into a contained, virtual environment. You simply tell us which applications you want
protected and we turn on the virtual environment to support them. The endpoint solution deploys quickly
and easily, just as you would push any Windows-based application.
Threat Intelligence Appliance:
To gather the rich pre-breach forensic intelligence your teams need related to thwarted attacks, the
Invincea platform also includes our Threat Data Server, which is licensed and available on-premise as a
physical or virtual appliance or as a cloud-based service. The Threat Data Server is built with scalability
in mind, which means you won’t have to rack and stack large amounts of new gear.
How it Works
Containment
Invincea takes the most highly targeted applications in your network (the Web browser, PDF reader,
Office suite, .zip files, executables) and seamlessly runs them in secure virtual containers. Every time the
Web browser is opened, or anytime an attachment comes from outside the network, Invincea creates a
segregated environment for these applications to operate. By creating this specialized virtual
environment, Invincea contains all malware – whether zero-day or known – and prevents it from
attacking the host operating system as a pathway for breach and lateral movement in your network.
Detection
Unlike other solutions, Invincea does not rely on malware signatures for detection. Instead, it
automatically identifies malware attacks based on behaviors and actions inside the contained, controlled,
and isolated environment. As a result, Invincea can detect zero-day attacks in real-time and thwart those
attacks with ease.
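To make the contrast with signature matching concrete, here is an added example (not Invincea code; the product's telemetry format and rules are not public in this paper) of behaviour-based detection over an event trace from a contained application. The trace, the process names and the rule set are constructed assumptions. Nothing in it identifies the exploit or the payload bytes; the verdict rests on what the renderer did (dropped an executable, ran it, set a Run key, beaconed out), and the same routine produces the four things the Intelligence section says are captured: infection source, timeline, registry changes and connections.

```python
"""Behaviour-based detection over a contained application's event trace (added example)."""

# Constructed trace as (seq, process, action, target). The open_document event
# records which untrusted content was opened; it becomes the infection source.
SAMPLE_TRACE = [
    (1, "AcroRd32.exe", "open_document", "C:\\Users\\u\\Downloads\\invoice.pdf"),
    (2, "AcroRd32.exe", "file_write", "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe"),
    (3, "AcroRd32.exe", "process_create", "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe"),
    (4, "upd.exe", "registry_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"),
    (5, "upd.exe", "net_connect", "203.0.113.7:443"),
    (6, "upd.exe", "file_delete", "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe"),
]

# Assumed list of content renderers: none of them has a legitimate reason to
# execute a file it just wrote or to install itself under the Run key.
CONTENT_RENDERERS = {"AcroRd32.exe", "WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
PERSISTENCE_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")


def behaviour_rules(trace):
    """Return (rule_name, seq) for every event that matches a behaviour rule."""
    hits = []
    dropped = set()  # executables written by a renderer inside the container
    spawned = set()  # image names of processes created inside the container
    for seq, proc, action, target in trace:
        if action == "file_write" and proc in CONTENT_RENDERERS and target.lower().endswith(".exe"):
            dropped.add(target)
        elif action == "process_create":
            spawned.add(target.rsplit("\\", 1)[-1])
            if proc in CONTENT_RENDERERS:
                hits.append(("renderer_spawned_process", seq))
            if target in dropped:
                hits.append(("drop_and_execute", seq))
        elif action == "registry_set" and any(k in target for k in PERSISTENCE_KEYS):
            hits.append(("run_key_persistence", seq))
        elif action == "net_connect" and proc in spawned:
            hits.append(("spawned_process_beacon", seq))
        elif action == "file_delete" and target in dropped:
            hits.append(("self_cleanup", seq))
    return hits


def forensic_summary(trace):
    """Verdict plus infection source, timeline, registry changes and connections.

    Two distinct rules are required for a malicious verdict so that a single
    unusual event does not discard a user's session.
    """
    hits = behaviour_rules(trace)
    events = {seq: (proc, action, target) for seq, proc, action, target in trace}
    source = next((t for _, _, a, t in trace if a == "open_document"), None)
    return {
        "verdict": "malicious" if len({rule for rule, _ in hits}) >= 2 else "clean",
        "infection_source": source,
        "timeline": [
            f"{seq}: {events[seq][0]} {events[seq][1]} {events[seq][2]} [{rule}]"
            for rule, seq in hits
        ],
        "registry_changes": [t for _, _, a, t in trace if a == "registry_set"],
        "connections": [t for _, _, a, t in trace if a == "net_connect"],
    }


if __name__ == "__main__":
    summary = forensic_summary(SAMPLE_TRACE)
    print(summary["verdict"], "source:", summary["infection_source"])
    for line in summary["timeline"]:
        print(line)
```

Because the rules describe relationships between events (a process executing a file the renderer itself wrote, a spawned process beaconing) rather than byte patterns, a polymorphic rewrite of the dropper changes nothing in the verdict.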
Prevention
Over the past few years, we’ve been taught by repeated assertion from those who benefit from
remediation and network forensic professional services that the breach cannot be stopped and that
post-facto detection is the new prevention. We can’t blame our fellow security professionals for their
cynicism, because the truth is that the prevention security industry has utterly failed us, our governments,
corporations, and citizens. Reactive list-based approaches can no longer stop the threat; therefore
the logical conclusion drawn and promulgated is that you can only attempt to detect the intruder in
your network. Perhaps this conclusion was accurate at that point in time, but with the innovations
delivered by Invincea’s breach prevention platform this is no longer a reality. When we detect an
infection inside our contained environment, we immediately alert the user, discard the tainted
environment, and rebuild to a gold-clean state within 20 seconds. We also capture rich forensic detail
related to the attack and feed it on to your broader security infrastructure.
Intelligence – The Invincea Threat Data Server
Not only do we detect and prevent breaches from occurring, we capture rich forensic intelligence on
every attempted attack at the point of detection and feed this to other leading security technologies.
The primary value Invincea delivers is that we actually stop the attack at the point of detection. We take
every one of your users and put them in an environment that protects them from spear-phishing,
drive-by downloads, poisoned search engine results, malicious websites, sites that have been hijacked, etc.
We take it one step further than even that: we turn your users into part of an enterprise-wide malware
detection network. The instant that malicious activity is detected in the Invincea breach prevention
platform, we begin collecting forensic information.
We isolate and identify:
• Infection Source: We identify the URL, PDF attachment, Office attachment, .zip, or .exe file
that triggered the infection
• Timeline of Attack: We dissect the actions of the malware – what it did when it opened,
unpacked, how it cleaned up after itself, etc.
• Registry Changes: We capture all changes the malware attempted to make to the registry
• Connections: We identify any and all connections – whether inbound or outbound – showing
you the command and control channels the adversary attempted to create
This information is fed to the Invincea Threat Data Server where it is integrated with your Security
Information and Event Management (SIEM) and presented for your teams in a single interface.
Understanding that you need a method to push this information on to the rest of your infrastructure,
we have integrated with a number of other leading security technologies such as:
• McAfee ePO
• ArcSight
• Splunk
• Q1 Labs QRadar
• NetWitness
• ThreatGrid
The threat information, including command and control server IPs and domain names, combined with
indicators of compromise including file names, hashes, and registry values, is matched against Invincea
partners’ threat intelligence feeds to provide adversarial attribution and cross-vendor intelligence on
adversarial motives.
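The matching step described above, as an added example that is not Invincea code and does not reflect the Threat Data Server's real data model: a captured forensic record is reduced to atomic indicators, each is matched against a partner feed (exact hash match, domain match that also catches subdomains of a listed domain, and IP match against CIDR ranges), and the hits are emitted as CEF lines for the SIEM and as a block list the Web gateway can apply to every user. The record, the feed, the attribution labels and the CEF vendor/product fields are constructed; the hash is a zero-filled placeholder, not a real indicator.

```python
"""Match forensic indicators against a threat feed; emit SIEM and gateway output (added example)."""
import ipaddress
from urllib.parse import urlsplit

PLACEHOLDER_SHA256 = "0" * 64  # placeholder hash, not a real indicator

RECORD = {  # constructed forensic record in the shape the text describes
    "infection_source": "http://cdn.update-check.example/invoice.pdf",
    "connections": ["203.0.113.7:443", "198.51.100.20:8080"],
    "file_hashes": {"upd.exe": PLACEHOLDER_SHA256},
}

FEED = {  # constructed partner feed; each indicator carries its attribution
    "domains": {"update-check.example": "group-A (constructed)"},
    "cidrs": {"203.0.113.0/24": "group-A C2 range (constructed)"},
    "hashes": {PLACEHOLDER_SHA256: "dropper family X (constructed)"},
}


def extract_indicators(record):
    """Reduce a forensic record to its atomic indicators."""
    return {
        "domain": urlsplit(record["infection_source"]).hostname,
        "ips": [c.rsplit(":", 1)[0] for c in record["connections"]],
        "hashes": list(record["file_hashes"].values()),
    }


def match_feed(indicators, feed):
    """Return (indicator, attribution) pairs; indicators with no feed entry are dropped."""
    matches = []
    host = indicators["domain"] or ""
    labels = host.split(".")
    # Try the host, then each parent domain, but never the bare TLD.
    for i in range(len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in feed["domains"]:
            matches.append((host, feed["domains"][parent]))
            break
    networks = [(ipaddress.ip_network(cidr), attr) for cidr, attr in feed["cidrs"].items()]
    for ip in indicators["ips"]:
        addr = ipaddress.ip_address(ip)
        matches.extend((ip, attr) for net, attr in networks if addr in net)
    matches.extend((h, feed["hashes"][h]) for h in indicators["hashes"] if h in feed["hashes"])
    return matches


def gateway_blocklist(record):
    """Everything the infected session touched, for the gateway to block for all users."""
    ind = extract_indicators(record)
    return ([ind["domain"]] if ind["domain"] else []) + ind["ips"]


def _cef_escape(value):
    # Backslash and '=' are the characters CEF requires escaping in extension values.
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\r", " ").replace("\n", " ")


def to_cef(record, matches):
    """One CEF line per match: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    lines = []
    for indicator, attribution in matches:
        ext = (
            f"src={_cef_escape(record['infection_source'])} "
            f"cs1={_cef_escape(indicator)} cs1Label=indicator "
            f"cs2={_cef_escape(attribution)} cs2Label=attribution"
        )
        lines.append(f"CEF:0|ExampleVendor|EndpointContainer|1.0|ioc-match|Indicator matched feed|8|{ext}")
    return lines


if __name__ == "__main__":
    found = match_feed(extract_indicators(RECORD), FEED)
    for line in to_cef(RECORD, found):
        print(line)
    print("block:", gateway_blocklist(RECORD))
```

Note that the block list is built from the record, not from the matches: a connection that no feed knows about yet is still something the infected session reached out to, and blocking it for every other user is exactly the enterprise-wide effect the text describes.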
The Benefit of Invincea
• Invincea protects the new perimeter – the endpoint – with an innovative solution that requires
no signatures and keeps malware in an airlock
• Invincea addresses zero-days and APTs and stops them dead in their tracks
• Breaks the “Security Insanity Cycle” – eliminating costly detection, remediation, and patching cycles
• Every employee in the organization is protected wherever they go
• A single contained infection on one user’s machine protects the entire enterprise by feeding rich
forensic data to the rest of your security infrastructure, which can then block requests from all
users to the URLs that infected the user who clicked on the link
• Invincea’s threat data feeds extend the power and life of your current investments
• Every enterprise license agreement includes licenses for home use, meaning your employees are
protected both at work and at home
Put Invincea to Work
To find out more about how to deploy Invincea and feel the safety our solutions provide, contact us
today at 1-855-511-5967.
Learn More
Visit our website at www.invincea.com for product summaries, video demonstrations, Invincea news
stories, and much more. While you are there, check out the Invincea Blog for breakdowns of trending
security news articles and why they are important to you and your organization at
https://www.invincea.com/newsroom/blog/.
Where to Find Us
For information security news and updates follow us on Twitter @Invincea. To catch a glimpse of life at
Invincea, “like” our Invincea, Inc. Facebook page. Or, check out what we are talking about on our
Invincea YouTube channel. You can also find us here:
Invincea, Inc.
3975 University Drive, Suite 460
Fairfax, VA 22030
The emerging pci dss and nist standardsUlf Mattsson
 
Blueliv Corporate Brochure 2017
Blueliv Corporate Brochure 2017Blueliv Corporate Brochure 2017
Blueliv Corporate Brochure 2017Blueliv
 
Review Paper on Predicting Network Attack Patterns in SDN using ML
Review Paper on Predicting Network Attack Patterns in SDN using MLReview Paper on Predicting Network Attack Patterns in SDN using ML
Review Paper on Predicting Network Attack Patterns in SDN using MLijtsrd
 
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICESRansomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICESKatherine Duffy
 

Mais procurados (18)

Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINALDefending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
 
President Donald Trump - Cybersecurity - National Institute of Standards and ...
President Donald Trump - Cybersecurity - National Institute of Standards and ...President Donald Trump - Cybersecurity - National Institute of Standards and ...
President Donald Trump - Cybersecurity - National Institute of Standards and ...
 
ISACA Houston Texas Chapter 2010
ISACA Houston Texas Chapter 2010ISACA Houston Texas Chapter 2010
ISACA Houston Texas Chapter 2010
 
Institucional proofpoint
Institucional proofpointInstitucional proofpoint
Institucional proofpoint
 
IDSECCONF2018 Keynote Speaker - Agung Nugraha, S.IP., M.Si (Han)
IDSECCONF2018 Keynote Speaker - Agung Nugraha, S.IP., M.Si (Han)IDSECCONF2018 Keynote Speaker - Agung Nugraha, S.IP., M.Si (Han)
IDSECCONF2018 Keynote Speaker - Agung Nugraha, S.IP., M.Si (Han)
 
The Evolution of and Need for Secure Network Access
The Evolution of and Need for Secure Network AccessThe Evolution of and Need for Secure Network Access
The Evolution of and Need for Secure Network Access
 
Case study on JP Morgan Chase & Co
Case study on JP Morgan Chase & CoCase study on JP Morgan Chase & Co
Case study on JP Morgan Chase & Co
 
IRJET-An Algorithmic Approach for Remote Data Uploading and Integrity Checkin...
IRJET-An Algorithmic Approach for Remote Data Uploading and Integrity Checkin...IRJET-An Algorithmic Approach for Remote Data Uploading and Integrity Checkin...
IRJET-An Algorithmic Approach for Remote Data Uploading and Integrity Checkin...
 
Gartner Magic Quadrant for Secure Email Gateways 2014
Gartner Magic Quadrant for Secure Email Gateways 2014Gartner Magic Quadrant for Secure Email Gateways 2014
Gartner Magic Quadrant for Secure Email Gateways 2014
 
Developed security and privacy algorithms for cyber physical system
Developed security and privacy algorithms for cyber physical system Developed security and privacy algorithms for cyber physical system
Developed security and privacy algorithms for cyber physical system
 
An Improved Intrusion Prevention Sytem for WLAN
An Improved Intrusion Prevention Sytem for WLANAn Improved Intrusion Prevention Sytem for WLAN
An Improved Intrusion Prevention Sytem for WLAN
 
Intrusion Detection System using Data Mining
Intrusion Detection System using Data MiningIntrusion Detection System using Data Mining
Intrusion Detection System using Data Mining
 
The day when role based access control disappears
The day when role based access control disappearsThe day when role based access control disappears
The day when role based access control disappears
 
The emerging pci dss and nist standards
The emerging pci dss and nist standardsThe emerging pci dss and nist standards
The emerging pci dss and nist standards
 
Blueliv Corporate Brochure 2017
Blueliv Corporate Brochure 2017Blueliv Corporate Brochure 2017
Blueliv Corporate Brochure 2017
 
Final report
Final reportFinal report
Final report
 
Review Paper on Predicting Network Attack Patterns in SDN using ML
Review Paper on Predicting Network Attack Patterns in SDN using MLReview Paper on Predicting Network Attack Patterns in SDN using ML
Review Paper on Predicting Network Attack Patterns in SDN using ML
 
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICESRansomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
 

Semelhante a White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New Normal

We are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfWe are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfgalagirishp
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecuritySpark Security
 
Managed security services for financial services firms
Managed security services for financial services firmsManaged security services for financial services firms
Managed security services for financial services firmsJake Weaver
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSRandall Chase
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperCMR WORLD TECH
 
Who is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related   ulf mattssonWho is the next target and how is big data related   ulf mattsson
Who is the next target and how is big data related ulf mattssonUlf Mattsson
 
Cyber Security index
Cyber Security indexCyber Security index
Cyber Security indexsukiennong.vn
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks- Mark - Fullbright
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCybAnastaciaShadelb
 
FireEye Advanced Threat Report
FireEye Advanced Threat ReportFireEye Advanced Threat Report
FireEye Advanced Threat ReportFireEye, Inc.
 
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018Panda Security
 
Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Erik Ginalick
 
5 network-security-threats
5 network-security-threats5 network-security-threats
5 network-security-threatsReadWrite
 
1. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol21. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol2Adela Cocic
 
The uniqueness of the text61.5SHOW ALL MATCHESPage addre.docx
The uniqueness of the text61.5SHOW ALL MATCHESPage addre.docxThe uniqueness of the text61.5SHOW ALL MATCHESPage addre.docx
The uniqueness of the text61.5SHOW ALL MATCHESPage addre.docxarnoldmeredith47041
 

Semelhante a White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New Normal (20)

We are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfWe are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdf
 
idg_secops-solutions
idg_secops-solutionsidg_secops-solutions
idg_secops-solutions
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for Cybersecurity
 
Managed security services for financial services firms
Managed security services for financial services firmsManaged security services for financial services firms
Managed security services for financial services firms
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
Get Prepared
Get PreparedGet Prepared
Get Prepared
 
Cybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaCybersecurity - Sam Maccherola
Cybersecurity - Sam Maccherola
 
Who is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related   ulf mattssonWho is the next target and how is big data related   ulf mattsson
Who is the next target and how is big data related ulf mattsson
 
IBM Security Services
IBM Security ServicesIBM Security Services
IBM Security Services
 
Cyber Security index
Cyber Security indexCyber Security index
Cyber Security index
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
 
FireEye Advanced Threat Report
FireEye Advanced Threat ReportFireEye Advanced Threat Report
FireEye Advanced Threat Report
 
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
 
Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112
 
5 network-security-threats
5 network-security-threats5 network-security-threats
5 network-security-threats
 
1. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol21. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol2
 
The uniqueness of the text61.5SHOW ALL MATCHESPage addre.docx
The uniqueness of the text61.5SHOW ALL MATCHESPage addre.docxThe uniqueness of the text61.5SHOW ALL MATCHESPage addre.docx
The uniqueness of the text61.5SHOW ALL MATCHESPage addre.docx
 

Mais de Invincea, Inc.

Threats to the Grid | Cyber Challenges Impacting the Energy Sector
Threats to the Grid | Cyber Challenges Impacting the Energy Sector Threats to the Grid | Cyber Challenges Impacting the Energy Sector
Threats to the Grid | Cyber Challenges Impacting the Energy Sector Invincea, Inc.
 
Webcast: The Similarity Evidence Explorer For Malware
Webcast: The Similarity Evidence Explorer For Malware Webcast: The Similarity Evidence Explorer For Malware
Webcast: The Similarity Evidence Explorer For Malware Invincea, Inc.
 
Minimizing Dwell Time On Networks In IR With Tapio
Minimizing Dwell Time On Networks In IR With TapioMinimizing Dwell Time On Networks In IR With Tapio
Minimizing Dwell Time On Networks In IR With TapioInvincea, Inc.
 
Endpoint Security Evasion
Endpoint Security EvasionEndpoint Security Evasion
Endpoint Security EvasionInvincea, Inc.
 
Detection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsDetection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsInvincea, Inc.
 
Tech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingTech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingInvincea, Inc.
 
Invincea: Reasoning in Incident Response in Tapio
Invincea: Reasoning in Incident Response in TapioInvincea: Reasoning in Incident Response in Tapio
Invincea: Reasoning in Incident Response in TapioInvincea, Inc.
 
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0
Tech ThrowDown:Invincea FreeSpace vs EMET 5.0Tech ThrowDown:Invincea FreeSpace vs EMET 5.0
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0Invincea, Inc.
 
PoS Malware and Other Threats to the Retail Industry
PoS Malware and Other Threats to the Retail IndustryPoS Malware and Other Threats to the Retail Industry
PoS Malware and Other Threats to the Retail IndustryInvincea, Inc.
 
Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...
Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...
Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...Invincea, Inc.
 
Invincea Dell Protected Workspace blocks Spear-Phish Word-doc-Mar-2014
Invincea Dell Protected Workspace blocks Spear-Phish Word-doc-Mar-2014Invincea Dell Protected Workspace blocks Spear-Phish Word-doc-Mar-2014
Invincea Dell Protected Workspace blocks Spear-Phish Word-doc-Mar-2014Invincea, Inc.
 
Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea, Inc.
 
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by DownloadsStop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by DownloadsInvincea, Inc.
 

Mais de Invincea, Inc. (13)

Threats to the Grid | Cyber Challenges Impacting the Energy Sector
Threats to the Grid | Cyber Challenges Impacting the Energy Sector Threats to the Grid | Cyber Challenges Impacting the Energy Sector
Threats to the Grid | Cyber Challenges Impacting the Energy Sector
 
Webcast: The Similarity Evidence Explorer For Malware
Webcast: The Similarity Evidence Explorer For Malware Webcast: The Similarity Evidence Explorer For Malware
Webcast: The Similarity Evidence Explorer For Malware
 
Minimizing Dwell Time On Networks In IR With Tapio
Minimizing Dwell Time On Networks In IR With TapioMinimizing Dwell Time On Networks In IR With Tapio
Minimizing Dwell Time On Networks In IR With Tapio
 
Endpoint Security Evasion
Endpoint Security EvasionEndpoint Security Evasion
Endpoint Security Evasion
 
Detection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsDetection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day Threats
 
Tech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingTech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs Whitelisting
 
Invincea: Reasoning in Incident Response in Tapio
Invincea: Reasoning in Incident Response in TapioInvincea: Reasoning in Incident Response in Tapio
Invincea: Reasoning in Incident Response in Tapio
 
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0
Tech ThrowDown:Invincea FreeSpace vs EMET 5.0Tech ThrowDown:Invincea FreeSpace vs EMET 5.0
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0
 
PoS Malware and Other Threats to the Retail Industry
PoS Malware and Other Threats to the Retail IndustryPoS Malware and Other Threats to the Retail Industry
PoS Malware and Other Threats to the Retail Industry
 
Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...
Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...
Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...
 
Invincea Dell Protected Workspace blocks Spear-Phish Word-doc-Mar-2014
Invincea Dell Protected Workspace blocks Spear-Phish Word-doc-Mar-2014Invincea Dell Protected Workspace blocks Spear-Phish Word-doc-Mar-2014
Invincea Dell Protected Workspace blocks Spear-Phish Word-doc-Mar-2014
 
Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014
 
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by DownloadsStop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
 

Último

Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 

Último (20)

Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 

White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New Normal

  • 1. 3975 University Drive, Suite 460, Fairfax, Virginia 22030 | 1-855-511-5967 | Invincea.com | @invincea DETECTION | PREVENTION | INTELLIGENCE Spear-Phishing, Watering Hole and Drive-By Attacks: The New Normal Secure the primary vulnerability exploited by your adversaries – protect every employee
  • 2. Page 2 Executive Summary The news over the past 18 to 24 months proves one alarming fact - the single largest threat your organization faces today is network breach. Your employees have become the primary target of a diverse set of motivated adversaries bent on one objective: penetrating your network in order to gain access to sensitive information including financial data, research and development activities, intellectual property, and personally identifiable information on your clients and employees. Today’s most successful and common attack vectors involve tricking your users into opening the door to your network. Spear- phishing, watering hole attacks and drive-by downloads are the new normal. The adversary is gaining entry into your network by enticing your employees to click on links and open document attachments and every time they go to the Internet or open the email client, they put your company at risk. The techniques used by your adversaries include:  Spear-phishing emails that deliver the employee to malicious websites that run drive-by download exploits or include weaponized document attachments  Watering hole attacks that involve hijacking legitimate, trusted sites to push malware to unsuspecting users  Poisoning search results behind trending news items on popular engines, such as Google, Yahoo!, and Bing  Pushing malware through popular social networks such as Twitter and Facebook Your organization is under a state of constant and sustained attack, and every employee represents a potential point of weakness in your security strategy. Innovation in endpoint security is a critical need. New approaches to insulate the employee against these attacks are required and Invincea is the solution. 
Diverse Adversaries – Common Objectives – Massive Gains

Your adversaries range from nation states seeking to steal government secrets and intellectual property, to organized cyber criminals seeking to perpetrate financial fraud and identity theft, to hacktivists seeking to disclose your secrets in the public eye in an effort to shame your organization. Regardless of the actors, the common denominator is that your employees are the entry point. For nation states and cyber criminals the motivation is clear: massive financial gain on the back of your long-term investments.

“Cyber-crime’s estimated cost is more than that of cocaine, heroin, and marijuana trafficking put together.”
Khoo Boon Hui – President, Interpol
No One is Immune

The question from business leaders to their security teams was once “Can this happen to us?” The news over the past 18-24 months has answered that question with an emphatic “Yes…no one is immune.” Every organization is at risk of cyber breach. Depending on the size of the organization, the industry, and the geographic footprint, the adversarial focus may vary. Small and medium-sized businesses are most at risk from organized cyber criminals. Enterprises and governments face threats from all three of the main adversarial categories – nation states, cyber-crime, and hacktivists. The Hackmageddon blog covers the motives of adversaries and their targets, and includes a detailed graphic timeline of hacking incidents categorized by month in 2012.

Below are a few real-world examples of recent attacks against a wide cross section of industries. The sad reality is that this list is not all-inclusive, as there are simply too many examples to cite.

• Spear-phishing attack against RSA
• Spear-phishing attack against Oak Ridge National Labs
• Spear-phishing attacks against global energy companies (“Night Dragon”)
• Spear-phishing attacks against dozens of industries (“Operation Shady RAT”)
• Spear-phishing attacks against The Wall Street Journal, Washington Post and New York Times
• Watering hole attacks against Facebook, Twitter and Apple
• Watering hole attack against the U.S. Departments of Labor and Energy
• Drive-by download attack using the popular site Speedtest.net
• Drive-by download attack using major Washington D.C. area radio station websites
• Hacktivist attack against Sony PlayStation Network
• Spear-phishing attacks against private firms, think tanks, and government organizations
• Spear-phishing attacks against gas pipeline firms
• Cyber-crime attacks against small and medium-sized businesses

Assessing the Cost of Data Breach

The Ponemon Institute’s “2012 Cost of Cyber Crime” report places the cost of data breach at an average of roughly $8.4 million. A hefty sum to be sure; however, recent disclosures are even more alarming. When considering the risk of a breach, look at the following:

• $66 million in losses at RSA – The Security Division of EMC
• $171 million in losses suffered at Sony for the breach of Sony PlayStation Network
• According to an anonymous source in the U.S. Intelligence community quoted in this Washington Post report, attacks by nation states in the past two years have resulted in:
  o Loss of $100 million worth of insecticide research
  o Loss of $400 million worth of chemical formulas
  o Loss of $600 million worth of proprietary electronics data

“Trade secrets developed over thousands of working hours…are stolen in a split second.”
Robert “Bear” Bryant – National Counterintelligence Executive

The User as the Unwitting Accomplice

We live in a constantly connected world, and every employee in your organization has multiple ways to access your network. They have free rein over the Internet to aid productivity and are always connected to the email client, day or night, at work or at home. Your adversaries know this and use it to their advantage. They also know that despite all of the effort you expend attempting to train your users to make good security decisions, a well-crafted attack has a high likelihood of success. Every employee in the organization is a potential unwitting accomplice to breach, from the intern to the chief executive. Why? The adversaries also know that internal network security is virtually non-existent. With access to, and residency on, a single machine, they can move laterally to seek out the keys to your kingdom.

Looking at the 2011 Investigations report released by the U.S. Computer Emergency Response Team (US-CERT), it is clear that the employee is the primary target. When combining phishing and malicious website-based attacks (i.e. attacks involving employees), US-CERT found that roughly 58% of incidents in 2011 involved direct attacks against the employee.

Total Incidents Reported to US-CERT FY 2011

Category                       Incidents    Share
Phishing                          55,153   51.20%
Virus/Trojan/Worm/Logic Bomb       8,236    7.70%
Malicious Website                  6,795    6.30%
Non Cyber                          9,652    9.00%
Policy Violation                   7,927    7.40%
Equipment Theft/Loss               6,635    6.20%
Suspicious Network Activity        3,527    3.30%
Attempted Access                     863    0.80%
Social Engineering                 2,573    2.40%
Others                             6,294    5.80%
Total                            107,655  100.00%

(Source: US-CERT FY’2011 Investigations)

Fighting an Uphill Battle

When it comes to defending against today’s adversaries, the burden typically falls on under-armed, overworked IT and Information Security teams. Shrinking budgets, limited human resources, sprawling workloads, a lack of innovative new solutions from trusted vendors, and constant pushback from the business to minimize any changes to employee workflow are all working against these teams in their fight to protect your organization. When we combine these challenges with the fact that your adversaries are well-funded, staffed, motivated, and constantly evolving their techniques, it is little wonder that we see the pace of breaches increasing at an exponential rate.

Your IT and Information Security teams need help. They need new solutions that can meet the demand of the business to keep the employee productive and at the same time protect every employee from becoming an unwitting accomplice to breach. Unfortunately, the adversary has you outnumbered. This isn’t a problem that can be addressed by scaling your internal team; every one of your employees is a potential target. This is a problem that demands a technology solution to aid the internal security team in identifying the adversary while not ceding the network to breach.

Wash-Rinse-Repeat - The Security Insanity Cycle

Against the backdrop described above, these teams often find themselves in a game of “Whac-A-Mole” with your adversaries. This wash-rinse-repeat cycle of detecting the infection, remediating it, and patching the vulnerability that was used to penetrate your network is what Invincea calls the “Security Insanity Cycle.”
The fundamental problems with this reality are threefold:

1. Infections are usually detected months or years after the fact, meaning the damage is long since done and the adversary has had ample time to both colonize the network and steal sensitive data.

   “In over half of the incidents investigated, it took months – sometimes even years – for this realization to dawn.”
   Verizon Business Data Breach Investigations Report - 2012

2. Dollars spent on remediation reach into the millions, meaning unbudgeted costs for the organization that impact the bottom line and add to the overall cost of network breach. Moreover, these millions are spent after the damage is done – they do nothing to protect your organization.

3. While your teams are fighting the newly discovered fire, the adversary continues to attack other parts of the organization. This is where the “Whac-A-Mole” analogy comes into play. Your adversaries are persistent – while you clean up one attack, they’ve already pivoted and are launching others against you.
The Great Malware Arms Race

One significant reason that your teams are at a severe disadvantage to your adversaries is that many of the technologies they rely upon are reactive. Most require a list of known bad malware or websites in order to detect or block malware. These technologies no longer work against today’s adversaries, who continuously morph their signatures while standing up and bringing down websites on an hourly basis. Consider the following when looking at the ability of signature-based defenses to protect your organization:

• Malware authors are producing roughly 80,000 new variants per day (McAfee).
• Malware authors are increasingly utilizing polymorphic techniques in which malware mutates itself to evade signatures.
• The endpoint has effectively become the new perimeter and Anti-Virus (AV) is the primary endpoint security solution, yet an alarming (though somewhat dated) Cyveillance study shows that AV vendors detect less than 19% of attacks on average.

Why Current Defenses Fall Short

What we need to understand when looking at our defensive strategies is that, for all intents and purposes, the user has become the new perimeter. As we have moved to an always-on, increasingly mobile lifestyle, we have changed the security paradigm. It has evolved from one of protecting assets that are statically placed behind our layered defenses to one of protecting those assets wherever they may be at any given point in time. If we accept the ample evidence that suggests the employee is the primary target, then we must also protect his or her computing device. To further support this assertion, consider two recent examples of adversaries targeting employees on the road:

• Popular IBAHN wireless hotel network attack (December 2011)
• IC3 warning of attacks through hotel wireless networks (May 2012)
Assessing the Power of Anti-Virus

Anti-virus (AV) software is inherently reactive because it discovers infections after they occur and is unable to detect new malicious code variants. Typically only a handful of the 40+ AV products will know about a given piece of malware. Again, this is because more than 80,000 new malware variants are being released into the wild on a daily basis and malware writers are now using polymorphic techniques to constantly avoid detection. Some AV offerings now feature heuristic patterning, in which threats are grouped and analyzed according to common characteristics. However, heuristics are rarely deployed by the AV companies because they are subject to false positives, which can result in severe damage to the system if a system file is quarantined as a false positive. Some AV vendors augment resident data repositories with a real-time, cloud-based service in order to reduce the time it takes to identify threats and provide updates to customers. However, the fundamental approach remains unchanged. These tools are still only stopping known threats, so they’re missing the most sophisticated elements of the threat landscape.

Assessing the Power of Firewalls

One traditional way of protecting the enterprise is to build a wall around the castle – a network firewall. However, firewalls are designed to stop inbound threats to services that should not be offered outside the organization. In the context of a Web browser or email client, firewalls are ineffective since they block only inbound attacks, and browser malware is initiated by outbound Web page requests that pass through the firewall. Additionally, email attachment-based attacks often penetrate firewalls to reach employees if the malware is unknown to the AV scanners running at the firewall. The bad actor doesn’t need to try to penetrate the network, since the user pulls the malware in from the inside.
Firewalls obviously maintain a role in a layered defense approach, as they help to prevent inbound attacks against ports and services that should not be exposed to the outside. Also, if an attack occurs at the network layer, firewalls and filtering proxies can block the connection and prevent the attack from compromising other machines within the enterprise. It just isn’t enough against today’s threats, especially if we accept the assertion that the endpoint is the new perimeter.

Assessing the Power of Web Gateways

Web gateway solutions like Blue Coat, Websense, and those offered by some of the major AV vendors selectively block Web content from known malicious sources. Their effectiveness revolves around the ability to proactively blacklist untrusted sites or, more restrictively, only allow users to visit certain whitelisted sites, so that when a user clicks a link, the gateway may prevent the browser from accessing the site. Similar to AV solutions, Web gateways need to know what is bad beforehand in order to stop your employees from accessing it. Gateways definitely deliver a broader solution than AV because they can blacklist IP addresses and URLs, but they still play a game of cat and mouse with the adversary. It just isn’t enough against today’s threats.
Consider the complexity of maintaining an accurate whitelist and blacklist for your Web gateway when taking into account some of this recent news:

• 30,000 new malicious sites stood up on a daily basis
• “Lizamoon” attack infects millions of legitimate websites
• Amnesty International website hijacked to push malware
• High-ranked sites hijacked and blacklisted by Google

Assessing the Power of Application Whitelisting

While application whitelisting is effective at preventing standalone malware executables from running, most attacks exploit known, trusted applications including the browser, document readers, and document editors. Microsoft Internet Explorer, Adobe Reader and, increasingly, Microsoft Office documents are the most vulnerable, targeted, and widely used applications on the desktop. These applications present a rich environment for attackers to find and exploit vulnerabilities. They also provide fertile ground for adversaries to dupe users into clicking on links and opening documents. As malware exploits those applications, the cyber adversary gains a foothold in the enterprise via the whitelisted application. The malware has access to that machine, the data on that machine, and all network devices to which that machine is connected.

A paper recently presented at ShmooCon 2012 entitled “Raising the White Flag” detailed the security gaps in leading whitelisting tools, including:

• ActiveX controls
• PDF documents
• Office documents
• Shellcode injection
• Java
• JavaScript
• Browser exploits
• Browser extensions
• Scripting
Not surprisingly, these attacks involve exploiting both the extant vulnerabilities and the extensions and plug-ins of whitelisted applications, including the browser and document readers and editors. This includes scripting languages, shellcode, Java, interpreters, and vulnerabilities in the applications themselves. Unfortunately, these are the most common real-world exploits. Most exploits work either by using a spear-phish to direct the user to click on a link or by directing the user to open an attachment. Users also get infected through more opportunistic methods like poisoned search engine results or simply browsing the Web. It’s not unusual for malware to leverage a browser vulnerability to directly inject itself into the memory of a running process, such as an operating system service. In all of these cases, the exploited or infected process has been whitelisted and therefore is allowed to run with full and normal privileges.

Assessing the Power of Network-Based Malware Detection

Recently there has been a push for perimeter security solutions that promise to do behavioral analysis of content using virtual machines. However, this approach has fundamental limitations in both content analysis and scalability, and it has already been circumvented by several countermeasures, some of which are quite simple.

Network Boundary Limitations for In-Line Analysis: The fundamental limitation on deployments in practice is that the network appliance becomes the bottleneck for all inbound content. While deep packet inspection (DPI) technologies have made progress toward in-line inspection at gigabit speeds, DPI devices are doing pattern matching on hardware optimized for the purpose of matching network streams against known attack patterns, i.e., signature matching against known threats.
Network appliances that attempt to run content in a virtual machine (VM) at the network boundary before passing it on face a fundamental limitation: they introduce unacceptable latency for each session or content type that must be analyzed before the content reaches the user. To do in-line monitoring with a VM-based technique, you will nominally need to create a VM for each session, and likely for each content type. For instance, if a user browses to a website and the device attempts to determine whether that website is malicious, it will also need to browse to the website and attempt to observe any malicious behavior. Clearly the latency to perform this action proactively is infeasible, so the best case is that it determines the site is malicious while the breach happens or after the breach occurs.

For example, in analyzing the content attached to an email, a VM must be created for each content type. If the email has a PowerPoint, Word, and .zip archive with executable-type programs embedded, then a VM must be created for each of these content types – and that is just for a single email for a single user. There are significant scalability issues that arise with this approach:

1. Scaling to the number of users
2. Scaling to the number of sessions and emails per user
3. Scaling to content types
4. Scaling to versions of software for each content type (e.g., Adobe 8.x, Adobe 9.x) to determine if a vulnerability is being exploited
5. Scaling within acceptable latency bounds for delaying delivery of content

Points 1, 2, and 3 above set the requirement for a certain number of VMs to be created per user in your organization, based on the network sessions they have and the content types involved. Point 4 exacerbates this problem severely because most exploits are specific to both a particular version of the application running the content type and the operating system that runs the application. In other words, an in-line solution will need to include every version of every application/operating system combination present within the network to determine whether the untrusted content may exploit it.

The final point, Point 5, is extremely difficult to overcome because it cannot be solved by scaling hardware. The adversary can introduce arbitrary delays before running malicious code. For instance, when opening a Word or PDF document, the malicious code may choose to wait 15 or 20 minutes before running. Some exploits we have observed in practice will require a system reboot before running the malicious code. Finally, archiving content in a compressed, encrypted, or password-protected format where the password or key is shared with the user defeats in-line approaches, simply because the content cannot be scanned at the gateway. These tactics are all within the control of the adversary and make in-line analysis of content fundamentally unscalable.

In addition to all these drawbacks, hardware isn’t cheap. With a robustly configured server, you can host at least 64 and at best 128 virtual machines. Once you start to do the math on how many simultaneous virtual machines need to be created for your users, how many sessions will take place, and which content types will be used, this approach becomes unscalable and uneconomical quite rapidly.
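The five scaling points above, together with the 64 to 128 VMs per server figure, can be turned into a small capacity model. The following is an added example, not Invincea's code or anything from the whitepaper: it applies Little's law (VMs held concurrently = arrival rate × time each VM is held), and the user, session, content-type and version counts in it are constructed planning assumptions.

```python
"""Capacity model for in-line, VM-based analysis of inbound content.

Added example, not Invincea's code. Little's law: the number of analysis VMs
that must exist at the same time equals the arrival rate of items to analyse
multiplied by the time each VM is held. The 64 to 128 VMs per server range
and the 15 to 20 minute self-delay used by some malware are figures from the
whitepaper; every other number below is a constructed planning assumption.
"""
from dataclasses import dataclass
import math

SECONDS_PER_HOUR = 3600


@dataclass(frozen=True)
class Workload:
    """Constructed description of one organisation's inbound content stream."""
    users: int
    sessions_per_user_per_hour: float  # browsing sessions plus emails (points 1 and 2)
    content_types_per_session: float   # e.g. HTML page, PDF, Office document (point 3)
    versions_per_content_type: int     # application/OS combinations to replay (point 4)

    def items_per_hour(self) -> float:
        """Analysis jobs per hour: each content type is replayed in every version."""
        return (self.users * self.sessions_per_user_per_hour
                * self.content_types_per_session * self.versions_per_content_type)


def concurrent_vms(workload: Workload, hold_seconds: float) -> float:
    """Little's law: VMs alive at once = arrival rate per second * hold time."""
    return workload.items_per_hour() * hold_seconds / SECONDS_PER_HOUR


def servers_needed(vms: float, vms_per_server: int) -> int:
    """Whole servers required at a given VM density (64 to 128 per the whitepaper)."""
    if vms_per_server <= 0:
        raise ValueError("vms_per_server must be positive")
    return math.ceil(vms / vms_per_server)


def inline_outcome(latency_budget_s: float, malware_delay_s: float,
                   needs_reboot: bool = False) -> str:
    """What an in-line analyser sees when the payload controls its own timing (point 5).

    The appliance must release the content within its latency budget. If the
    malicious behaviour appears only after that budget, or only after a reboot
    the analysis VM never performs, the content reaches the user unflagged.
    """
    if needs_reboot:
        return "missed: behaviour appears only after a reboot"
    if malware_delay_s <= latency_budget_s:
        return "detected: behaviour appeared inside the latency budget"
    return "missed: content released before the delayed behaviour ran"


def plan(workload: Workload, hold_seconds: float) -> dict:
    """Summarise the VM and server requirement for one hold time."""
    vms = concurrent_vms(workload, hold_seconds)
    return {
        "hold_seconds": hold_seconds,
        "concurrent_vms": vms,
        "servers_at_128": servers_needed(vms, 128),
        "servers_at_64": servers_needed(vms, 64),
    }


if __name__ == "__main__":
    # Constructed mid-sized enterprise: 5,000 users, 20 sessions or emails per
    # hour each, 2 content types per session, 3 application/OS versions per type.
    org = Workload(users=5000, sessions_per_user_per_hour=20,
                   content_types_per_session=2, versions_per_content_type=3)
    # Hold each VM for 60 s (a generous in-line budget) versus 20 minutes (the
    # delay the whitepaper says a document payload may wait before running).
    for hold in (60, 20 * 60):
        print(plan(org, hold))
    print(inline_outcome(latency_budget_s=60, malware_delay_s=20 * 60))
    print(inline_outcome(latency_budget_s=60, malware_delay_s=5))
```

With those constructed inputs the model needs 10,000 concurrent VMs for a 60 s hold and 200,000 for a 20-minute hold, i.e. 79 or 1,563 servers at 128 VMs each. The 20-minute case is the one an adversary who simply sleeps before acting forces on the defender, which is why point 5 cannot be bought off with hardware.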
As a result, the market quickly concluded that running this class of solution, which inspects inbound content via virtualization at the network perimeter, is infeasible. Because in-line analysis has become untenable, these devices are now being configured to examine outbound connections only. What this means in practice is that the device can look at outbound connections (primarily HTTP) to attempt to determine whether an internal machine is communicating with a known command and control network. In this case, the device has simply become another pattern-matching machine driven by the latest lists of known botnet command and control networks. Likewise, having abandoned the virtualization approach to behavioral analysis, these devices are often used simply to compare signatures of content such as executable-type files against known malicious signatures. Unfortunately this means the device has become another in a long list of security appliances that are reactive and can only detect known threats. If the detection efforts fail, then the effort becomes about the post facto discovery of the malware that has taken root within the IT infrastructure. Network colonization by the adversary and the required network remediation to address the problem can be very expensive, typically costing seven figures to rid the network of an infection.
A final point to consider with network boundary devices is the case of the mobile user outside of the network. When this user is simply online on the road or at home, not VPN’d into the corporate network, they are essentially bypassing any protection provided by network perimeter devices. With the expansion of the mobile workforce and personal email services, this is becoming a significant risk for enterprise security managers.

The Invincea Solution

Invincea addresses the gaps left by other security solutions by protecting the most important attack surface in the enterprise – the employee. Invincea employs application virtualization to create a protective “bubble” around applications that run untrusted content – including Web browsers, PDF readers, the Office suite, .zip and .exe files. We protect users against both known and zero-day malware delivered via spear-phishing, watering holes, drive-by downloads, social networking worms, fake anti-virus and other online threats. By creating secure virtual containers and running each of these applications in its own virtual environment on the endpoint, Invincea has created an enterprise “airlock” that seals off the potential attack vector, preventing it from infecting the endpoint and prohibiting lateral movement in your network.

Endpoint Security Software: Invincea deploys as a lightweight Windows application. This application is licensed on a subscription basis with flexible renewal options to meet your specific needs. The application has the ability to protect your users against all untrusted content by moving browsers, PDF readers, the Office suite, .zip files and executables into a contained, virtual environment. You simply tell us which applications you want protected and we turn on the virtual environment to support them. The endpoint solution deploys quickly and easily, just as you would push any Windows-based application.
Threat Intelligence Appliance: To gather the rich pre-breach forensic intelligence your teams need related to thwarted attacks, the Invincea platform also includes our Threat Data Server, which is licensed and available on-premise as a physical or virtual appliance or as a cloud-based service. The Threat Data Server is built with scalability in mind, which means you won’t have to rack and stack large amounts of new gear.
How it Works

Containment

Invincea takes the most highly targeted applications in your network (the Web browser, PDF reader, Office suite, .zip files, executables) and seamlessly runs them in secure virtual containers. Every time the Web browser is opened, or any time an attachment comes from outside the network, Invincea creates a segregated environment for these applications to operate in. By creating this specialized virtual environment, Invincea contains all malware – whether zero-day or known – and prevents it from attacking the host operating system as a pathway for breach and lateral movement in your network.

Detection

Unlike other solutions, Invincea does not rely on malware signatures for detection. Instead, it automatically identifies malware attacks based on behaviors and actions inside the contained, controlled, and isolated environment. As a result, Invincea can detect zero-day attacks in real time and thwart those attacks with ease.
Prevention

Over the past few years, we’ve been taught by repeated assertion from those who benefit from remediation and network forensic professional services that the breach cannot be stopped and that post facto detection is the new prevention. We can’t blame our fellow security professionals for their cynicism, because the truth is that the prevention security industry has utterly failed us, our governments, corporations, and citizens. Reactive list-based approaches can no longer stop the threat; therefore the logical conclusion drawn and promulgated is that you can only attempt to detect the intruder in your network. Perhaps this conclusion was accurate at that point in time, but with the innovations delivered by Invincea’s breach prevention platform this is no longer a reality. When we detect an infection inside our contained environment, we immediately alert the user, discard the tainted environment, and rebuild to a gold-clean state inside 20 seconds. We also capture rich forensic detail related to the attack and feed it on to your broader security infrastructure.

Intelligence – The Invincea Threat Data Server

Not only do we detect and prevent breaches from occurring, we capture rich forensic intelligence on every attempted attack at the point of detection and feed this to other leading security technologies. The primary value Invincea delivers is that we actually stop the attack at the point of detection. We take every one of your users and put them in an environment that protects them from spear-phishing, drive-by downloads, poisoned search engine results, malicious websites, sites that have been hijacked, etc. We take it one step further than even that: we turn your users into part of an enterprise-wide malware detection network. The instant that malicious activity is detected in the Invincea breach prevention platform, we begin collecting forensic information.
We isolate and identify:

• Infection Source: We identify the URL, PDF attachment, Office attachment, .zip, or .exe file that triggered the infection
• Timeline of Attack: We dissect the actions of the malware – what it did when it opened, how it unpacked, how it cleaned up after itself, etc.
• Registry Changes: We capture all changes the malware attempted to make to the registry
• Connections: We identify any and all connections, inbound or outbound, showing you the command and control channels the adversary attempted to create

This information is fed to the Invincea Threat Data Server, where it is integrated with your Security Information and Event Management (SIEM) and presented to your teams in a single interface. Understanding that you need a method to push this information on to the rest of your infrastructure, we have integrated with a number of other leading security technologies such as:

• McAfee ePO
• ArcSight
• Splunk
• QRadar
• NetWitness
• ThreatGrid

The threat information, including command and control server IPs and domain names, combined with indicators of compromise including file names, hashes, and registry values, is matched against Invincea partners’ threat intelligence feeds to provide adversarial attribution and cross-vendor intelligence on adversarial motives.
The Benefit of Invincea

• Invincea protects the new perimeter – the endpoint – with an innovative solution that requires no signatures and keeps malware in an airlock
• Invincea addresses zero-days and APTs and stops them dead in their tracks
• Breaks the “Security Insanity Cycle” – eliminating costly detection, remediation, and patching cycles
• Every employee in the organization is protected wherever they go
• A single contained infection on one user’s machine protects the entire enterprise by feeding rich forensic data to the rest of your security infrastructure, which can then block requests from all users to the URL that infected the user who clicked the link
• Invincea’s threat data feeds extend the power and life of your current investments
• Every enterprise license agreement includes licenses for home use, meaning your employees are protected both at work and at home
Put Invincea to Work

To find out more about how to deploy Invincea and feel the safety our solutions provide, contact us today at 1-855-511-5967.

Learn More

Visit our website at www.invincea.com for product summaries, video demonstrations, Invincea news stories, and much more. While you are there, check out the Invincea Blog at https://www.invincea.com/newsroom/blog/ for breakdowns of trending security news articles and why they are important to you and your organization.

Where to Find Us

For information security news and updates, follow us on Twitter @Invincea. To catch a glimpse of life at Invincea, “like” our Invincea, Inc. Facebook page. Or, check out what we are talking about on our Invincea YouTube channel.

You can also find us here:
Invincea, Inc.
3975 University Drive, Suite 460
Fairfax, VA 22030