Advanced Persistent Threats (APTs) get most of the attention from the cyber security community because, as defenders, we want to be vigilant against the most insidious techniques. However, this one-sided mindset ignores a much less interesting reality.
The Lazy Attacker: Defending Against Broad-based Cyber Attacks
1. THE LAZY ATTACKER: Defending Against Broad-Based Cyber Attacks with Unified & Collaborative Defenses
A CONVERSATION WITH JAIME BLASCO, DIRECTOR OF ALIENVAULT LABS
JUNE 2013
3. WHO ARE THESE PEOPLE AND WHAT ARE THEY DOING?
WHAT DO WE MEAN BY A “LAZY” ATTACKER?
4. Meet the “Lazy Attacker”
Image source: http://www.heromachine.com/2009/07/04/random-panel-next-week-on-lazy-criminal-minds/
Not all of the attacks need to be “advanced” / APTs to be successful. In fact, most aren’t.
“Lazy” in terms of a recycled attack platform:
• Same type of attacks against a wide surface area
• Same toolset (exploits and malware)
• Same set of source IP addresses
5. What are the differences between attack types?
Image sources: http://imgur.com/r/pics/r20GpFI and http://www.guardian.co.uk/commentisfree/2013/mar/17/dont-judge-me-i-love-sniping-games
Broad-based attacks VS. APTs
6. Broad-based Attacks vs. APTs
Attacker Profile
  Broad-based Attacks: Opportunistic; uses the tactics of “script kiddies” but not always a “script kiddie”
  Advanced Persistent Threats: Nation-state actors; organized criminal actors; corporate espionage actors
Attacker Technique
  Broad-based Attacks: Non-stealthy; easy to identify
  Advanced Persistent Threats: Stealthy; difficult to detect
Attack Surface Area
  Broad-based Attacks: Broad and dispersed
  Advanced Persistent Threats: Targeted and precise
Attack Tools
  Broad-based Attacks: Commonly used and old exploits; automated reconnaissance & probing
  Advanced Persistent Threats: Zero-day exploits; “manual” social engineering vs. automated probes/scans
7. Broad-based Attacks: Some Examples
Malvertising; drive-by downloads
How it works: Websites and advertising networks are infected with malware; unsuspecting visitors get infected.
How to avoid it: URLQuery Chrome Extension plug-in*; browser patch updates.
Botnets
How they work: Bots are installed onto unsuspecting users’ devices and then remotely controlled by attackers to execute more attacks, steal data, etc.
How to avoid them: Keep devices patched; install endpoint security protection; implement egress filtering, threat detection and network monitoring to identify/block connections to CnC servers.
Phishing (vs. Spear-phishing)
How it works: Emails sent to victims to lure them to infected websites to steal credentials, data, etc.
How to avoid it: User education; IP/domain reputation data.
*For more info: http://labs.alienvault.com/labs/index.php/2013/urlquery-chrome-extension/
8. Lazy Attacker: Tools of the Trade
• Black Hole
• Sakura
• Phoenix
• RedKit
• Sweet Orange
10. HOW TO DEFEND AGAINST THESE ATTACKS
Collaboration, Correlation, Context and Simplified Security
11. Use the Power of Collaboration: Shared Threat Intelligence
The “lazy attacker” is using (and reusing) the same exploits against others (and you).
Sharing (and receiving) collaborative threat intelligence makes us all more secure.
Using this data, identify, flag and block known attackers by source IP addresses.
12. AlienVault Open Threat Exchange (OTX)
• 8,000+ contributors
• 120+ countries
• 17M URLs analyzed
14. The Need for Context…
Which alert do I need to worry about?
• Adware-HotBar.f!886F6F2A1226
• FILE-PDF PDF with large embedded JavaScript - JS string attempt
• FILE-IDENTIFY Microsoft Office Access file magic detected
15. Use the Power of Simplified Security: AlienVault Intuitive Alarm Taxonomy (4.3 “preview”)
Alarm Type / Description / Examples
Reconnaissance & Probing
  Description: Behavior indicating an actor attempting to discover information about the organization
  Examples:
  • Port scans
  • Social engineering
Delivery & Attack
  Description: Behavior indicating an attempted delivery of an exploit
  Examples:
  • Malicious email attachments
  • Network-based and analysis-based detection of known attacks and attack payloads (e.g. SQL injection)
Exploitation & Installation
  Description: Behavior indicating a successful exploit of a vulnerability or backdoor/RAT being installed on a system
  Examples:
  • RAT installation
  • Bot installation
System Compromise
  Description: Behavior indicating a compromised system
  Examples:
  • Data exfiltration attempts
  • Outbound traffic to CnC host
Informational: Environmental Awareness
  Description: Observed behavior and status about the environment being monitored
  Examples:
  • Information about running services
  • User activity and behavior
The three alerts from the previous slide, as they appear on this slide:
• FILE-IDENTIFY Microsoft Office Access file magic detected
• Adware-HotBar.f!886F6F2A1226
• FILE-PDF PDF with large embedded JavaScript - JS string attempt
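As an added example (not AlienVault or OSSIM code), the following Python puts the ideas of slides 11, 14 and 15 together: it flags events whose source or destination appears on a shared known-attacker list and ranks alerts by taxonomy stage, so a compromise indicator surfaces above adware noise. The reputation list, the event records and the keyword-to-stage table are constructed assumptions; only the three alert names come from slide 14.

```python
"""Rank alerts by alarm taxonomy stage, promoting hits on shared reputation data.
Added example, not AlienVault/OSSIM code: the reputation list and events are
constructed, and the keyword-to-stage table is a hypothetical reading of slide 15."""
import ipaddress

# Constructed OTX-style "known attacker" list (TEST-NET addresses).
KNOWN_BAD_IPS = {"203.0.113.7", "198.51.100.22"}

# Slide 15 stages, most severe first; the keywords are hypothetical.
TAXONOMY = [
    ("System Compromise", ("cnc", "exfiltration")),
    ("Exploitation & Installation", ("rat install", "bot install")),
    ("Delivery & Attack", ("file-pdf", "malicious attachment", "sql injection")),
    ("Reconnaissance & Probing", ("port scan", "file-identify")),
]
INFORMATIONAL = "Informational: Environmental Awareness"
RANK = {stage: i for i, (stage, _) in enumerate(TAXONOMY)} | {INFORMATIONAL: len(TAXONOMY)}

def classify(alert_name):
    """Map a raw alert name onto a taxonomy stage; unmatched names are informational."""
    lowered = alert_name.lower()
    return next((s for s, kws in TAXONOMY if any(k in lowered for k in kws)), INFORMATIONAL)

def on_reputation_list(ip):
    """True when shared intelligence lists this address as a known attacker."""
    return str(ipaddress.ip_address(ip)) in KNOWN_BAD_IPS

def prioritise(events):
    """Return events most-severe first; a reputation hit wins ties within a stage."""
    enriched = []
    for ev in events:
        stage = classify(ev["alert"])
        flagged = on_reputation_list(ev["src"]) or on_reputation_list(ev["dst"])
        enriched.append({**ev, "stage": stage, "known_attacker": flagged})
    return sorted(enriched, key=lambda e: (RANK[e["stage"]], not e["known_attacker"]))

# Constructed events carrying the three alert names shown on slide 14.
SAMPLE_EVENTS = [
    {"alert": "Adware-HotBar.f!886F6F2A1226", "src": "10.0.0.5", "dst": "192.0.2.10"},
    {"alert": "FILE-PDF PDF with large embedded JavaScript - JS string attempt",
     "src": "198.51.100.22", "dst": "10.0.0.8"},
    {"alert": "FILE-IDENTIFY Microsoft Office Access file magic detected",
     "src": "10.0.0.9", "dst": "10.0.0.3"},
    {"alert": "Outbound traffic to CnC host", "src": "10.0.0.8", "dst": "203.0.113.7"},
]

if __name__ == "__main__":
    for ev in prioritise(SAMPLE_EVENTS):
        print(f'{ev["stage"]:32} known_attacker={ev["known_attacker"]!s:5} {ev["alert"]}')
```

The same three alerts from slide 14 are ranked here with a fourth constructed one, so the output shows why context (stage plus reputation) rather than the raw signature name decides what to look at first.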
16. AlienVault Threat Intelligence: Stay Ahead of Basic & Advanced Attacks
• Network and host-based IDS signatures – detect the latest threats in your environment
• Asset discovery signatures – identify the latest OSes, applications, and device types
• Vulnerability assessment signatures – dual database coverage to find the latest vulnerabilities on all your systems
• Correlation rules – translate raw events into actionable remediation tasks
• Reporting modules – provide new ways of viewing data about your environment
• Dynamic incident response templates – deliver customized guidance on how to respond to each alert
• Newly supported data source plug-ins – expand your monitoring footprint
19. AlienVault: Unified and collaborative security
AlienVault Open Threat Exchange (OTX) helps you know who the attackers are, based on a diverse set of global threat data.
AlienVault Labs Threat Intelligence tells you what to do, when and how, based on a rich set of security research, best practices, and guidance.
AlienVault USM provides the foundation to leverage this intelligence to prioritize incident response efforts. Plus… it’s easy to deploy and manage over time.
AlienVault Community serves and supports experienced and aspiring cyber security professionals around the world. Shared intelligence makes us all more secure.
20. Next Steps / Q&A
Request an AlienVault USM demo at: www.alienvault.com/schedule-demo.html
Request a free trial of AlienVault USM: http://www.alienvault.com/free-trial
Not quite ready for all that? Test drive our open source project - OSSIM here: communities.alienvault.com/
Need more info to get started? Try our knowledge base here: alienvault.bloomfire.com
These resources are also in the Attachments section
Join the conversation! @AlienVault #AlienIntel
Which of the following are you most concerned about?
• APTs
• Broad-based attacks
• Insider threats
• Failed audits
Automated correlation is a critical success factor for defending against broad-based attacks. With AlienVault’s Unified Security Management, we combine all of the essential security you need in a single platform, and give you a way to evaluate, respond and manage it all. This includes:
• Asset Discovery – active and passive network scanning, building dynamic asset inventories that include detailed information about the software that lives on each host.
• Vulnerability Assessment – you can schedule scans across your network – again both active and passive probing – to identify and remediate application and system vulnerabilities.
• Threat Detection – network IDS, host-based IDS, wireless IDS, and file integrity monitoring give you the ability to detect known threats, whether it’s a rogue insider accessing unauthorized data on a database server or someone trying to access your wireless network.
• Behavioral Monitoring – gives you the coverage you need for unknown threats, typically exemplified by strange or anomalous network or system behavior; this includes netflow analysis, service availability and of course log collection and analysis for in-depth forensic investigations.
• Finally, aggregation, correlation and analysis of this information provides the security intelligence you need in order to manage threats and maintain and demonstrate compliance.
Based on today’s discussion, which of the following do you think is easiest for your organization to implement?
• Reputation data monitoring (file-based, web, email, etc.)
• SIEM / event correlation
• Log management
• I have already done all of the above