Advanced Persistent Attacks (APTs) get most of the attention from the cyber security community because, as defenders, we want to be vigilant against the most insidious techniques. However, this unilateral mindset ignores a much less interesting reality.

1. Defending Against Broad-Based
Cyber Attacks with Unified & Collaborative Defenses
THE LAZY ATTACKER:
A CONVERSATION WITH JAIME BLASCO, DIRECTOR OF ALIENVAULT LABS
JUNE 2013

2. 2
Meet today’s presenters
INTRODUCTIONS
Sandy Hawke, CISSP
Moderator
VP, Product Marketing
@sandybeachSF
Jaime Blasco
Presenter
Director of Research, AlienVault Labs
@jaimeblascob

3. WHO ARE THESE PEOPLE AND WHAT ARE THEY DOING?
WHAT DO WE MEAN BY A “LAZY” ATTACKER?
3

4. Meet the “Lazy Attacker”
Image source: http://www.heromachine.com/2009/07/04/random-panel-next-week-on-lazy-criminal-minds/
Not all of the attacks need to
be “advanced” / APTs to be successful.
In fact, most aren’t.
“Lazy” in terms of:
Recycled attack platform:
Same type of attacks against wide
surface area
Same toolset (exploits and malware)
Same set of source IP addresses
4

5. What are the differences between attack types?
Image source: http://imgur.com/r/pics/r20GpFI Image source: http://www.guardian.co.uk/commentisfree/2013/mar/17/dont-
judge-me-i-love-sniping-games
VS.
Broad-based attacks
APTs
5

6. 6
Broad-based Attacks vs. APTs
Broad-based Attacks Advanced Persistent Threats
Attacker Profile Opportunistic; uses the
tactics of “script kiddies” but
not always a “script kiddie”
Nation-state actors
Organized criminal actors
Corporate espionage actors
Attacker Technique Non-stealthy; easy to identify Stealthy; difficult to detect
Attack Surface Area Broad and dispersed Targeted and precise
Attack Tools Commonly used and old
exploits; automated
reconnaissance & probing
Zero-day exploits; “manual”
social engineering vs.
automated probes/scans

7. Broad-based Attacks: Some Examples
Malvertising; drive-by-downloads
How it works: Websites and advertising networks are infected with malware,
unsuspecting visitors get infected
How to avoid it: URLQuery Chrome Extension plug-in*; browser patch updates
Botnets
How they work: Bots are installed onto unsuspecting users’ devices and then
remotely controlled by attackers to execute more attacks, steal data, etc.
How to avoid them: Keep devices patched, install endpoint security protection;
implement egress filtering, threat detection and network monitoring to
identify/block connections to CnC servers.
Phishing (vs. Spear-phishing)
How it works: Emails sent to victims to lure them to infected
websites to steal credentials, data, etc.
How to avoid it: User education; IP/domain reputation data
7*For more info: http://labs.alienvault.com/labs/index.php/2013/urlquery-chrome-extension/

8. Lazy Attacker: Tools of the Trade
Black Hole
Sakura
Phoenix
RedKit
Sweet Orange
8

9. POLLING QUESTION

10. HOW TO DEFEND AGAINST
THESE ATTACKS
Collaboration, Correlation, Context and Simplified Security
10

11. Use the Power of Collaboration:
Shared Threat Intelligence
The “lazy attacker” is using
(and reusing) the same
exploits against others (and
you).
Sharing (and receiving)
collaborative threat
intelligence makes us all
more secure.
Using this data, identify, flag
and block known attackers
by source IP addresses.
11

12.  8,000+ contributors
 120+ countries
 17M URLs analyzed
AlienVault Open Threat Exchange (OTX)
12

13. Asset
Discovery
Vulnerability
Assessment
Threat
Detection
Behavioral
Monitoring
Security
Intelligence
Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
Vulnerability Assessment
• Network Vulnerability Testing
Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
Security Intelligence
• SIEM Correlation
• Incident Response
Use the Power of Automated Correlation: USM
13

14. The Need for Context…
Which alert do I need to worry about?
Adware-
HotBar.f!886F6F2A1226
FILE-PDF PDF with large
embedded JavaScript - JS
string attempt
FILE-IDENTIFY Microsoft Office
Access file magic detected
14

15. Use the Power of Simplified Security:
AlienVault Intuitive Alarm Taxonomy (4.3 “preview”)
Alarm Type Description Examples
Reconnaissance &
Probing
Behavior indicating an actor
attempting to discover information
about the organization
• Port scans
• Social engineering
Delivery & Attack Behavior indicating an attempted
delivery of an exploit
• Malicious email
attachments
• Network-based and analysis-based detection of
known attacks and attack payloads (e.g. SQL
injection)
Exploitation &
Installation
Behavior indicating a successful
exploit of a vulnerability or
backdoor/RAT being installed on a
system
• RAT installation
• Bot installation
System
Compromise
Behavior indicating a
compromised system
• Data exfiltration attempts
• Outbound traffic to CnC host
Informational:
Environmental
Awareness
Observed behavior and status
about the environment being
monitored
• Information about running
services
• User activity and behavior 15
FILE-IDENTIFY Microsoft Office
Access file magic detected
Adware-
HotBar.f!886F6F2A1226
FILE-PDF PDF with large embedded
JavaScript - JS string attempt

16. AlienVault Threat Intelligence:
Stay Ahead of Basic & Advanced Attacks
Network and host-based IDS signatures – detects the
latest threats in your environment
Asset discovery signatures – identifies the latest OS’es,
applications, and device types
Vulnerability assessment signatures – dual database
coverage to find the latest vulnerabilities on all your
systems
Correlation rules – translates raw events into
actionable remediation tasks
Reporting modules – provides new ways of viewing data
about your environment
Dynamic incident response templates – delivers
customized guidance on how to respond to each alert
Newly supported data source plug-ins – expands your
monitoring footprint
16

17. POLLING QUESTION

18. SUMMARY
18

19. AlienVault: Unified and collaborative security
AlienVault Open Threat Exchange (OTX) helps you:
Know who the attackers are
Based on a diverse set of global threat data
AlienVault Labs Threat Intelligence:
Tells you what to do, when and how
Based on rich set of security research, best practices,
and guidance
AlienVault USM provides the foundation to:
Leverage this intelligence to prioritize incident
response efforts
Plus… it’s easy to deploy and manage over time
AlienVault Community serves and supports:
Experienced and aspiring cyber security professionals around the world
Shared intelligence makes us all more secure
19

20. Next Steps / Q&A
Request an AlienVault USM demo at:
www.alienvault.com/schedule-demo.html
Request a free trial of AlienVault USM:
http://www.alienvault.com/free-trial
Not quite ready for all that?
Test drive our open source project - OSSIM here:
communities.alienvault.com/
Need more info to get started?
Try our knowledge base here:
alienvault.bloomfire.com
These resources are also in the Attachments section
Join the
conversation!
@AlienVault
#AlienIntel
20

21. #AlienIntel
@AlienVault
21