This talk was given on 03 March 2016 at the RSA Conference in San Francisco by:
Araceli Treu Gomes, Subject Matter Expert – Intelligence and Investigations, Dell SecureWorks @sleepdeficit_
I'm providing a brief reaction/summary, and then my notes. The notes are my sort-of free-form notes, so forgive me if they are only semi-comprehensible.
Nothing really new or revolutionary here, but a good summary overview of what adversaries are and aren’t doing to perpetrate attacks, and what organizations are and aren’t doing to stop them. Key takeaways:
- Even most high-profile attacks really aren’t all that sophisticated, just persistent, adaptive, and opportunistic.
- Security needs to be adaptive.
- Assume you won’t achieve perfect prevention, so ensure you can backstop prevention with detection and response.
- The role of the human is vital; it’s not just a technology problem.
Why the Hype Matters to Us (Why it Hurts Our Efforts)
- It destroys our focus
- It changes the story
- It leads to asking the wrong questions
- It deflects blame
- If the attacks are so “sophisticated” and even the top organizations can be hit, nobody will expect us to actually stop attacks.
“Sophisticated” Attack (the Hacking Team hack):
- Password was “passw0rd”
- Able to access and download data as engineer
- The network was apparently flat, allowing open access to data
- Sophisticated? HELL NO!
IRS:
- 400k plus records compromised
- ~$50M dollars stolen
- Compromised authentication scheme
- Required information “only the taxpayer had” (info from credit report/tax returns)
- IRS Commissioner said they couldn’t have stopped this, because:
- Smart criminals used lots of advanced computers and hired smart people
- Went undetected for the first 400k attempts
- Compromise of clients and client info
- Violated terms of service (didn’t delete accounts and data as promised)
- Probably carried out via SQL injection (one doc stolen and released by the attackers was an internal security audit saying they had a SQL injection problem!)
- Pass1234 was the root password on all servers
- Poor password encryption
- Network was poorly segmented, allowing for easy lateral movement
Anthem & Premera (and 275 other healthcare orgs):
- 80M records lost at Anthem, 11M at Premera
- Watering hole attack suspected at Anthem
- Phishing attack suspected at Premera
- Admin creds stolen
- Both went undetected for ~9 months
- Massive querying of data (i.e., it should have been detectable)
- Improperly segmented networks
- Poor monitoring/detection
- Not monitoring what matters
- No whitelisting
- No multi-factor authentication
- Phishing messages
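The "massive querying of data" point above is the kind of thing a simple per-account volume baseline catches. As an added illustration (my own code, not from the talk), here is a check over a constructed database audit log in an assumed "timestamp user rows_returned" format, flagging any day on which an account pulls more than ten times its own baseline; the baseline window, the factor and the account names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed audit log (not from the talk): "timestamp user rows_returned".
# Two accounts with steady daily pulls, then one suddenly pulling millions
# of rows in the middle of the night.
AUDIT_LOG = """\
2015-01-05T09:10:00 svc_reports 1200
2015-01-05T14:30:00 dba_jsmith 350
2015-01-06T09:12:00 svc_reports 1150
2015-01-06T15:02:00 dba_jsmith 400
2015-01-07T09:11:00 svc_reports 1300
2015-01-07T23:41:00 dba_jsmith 8500000
2015-01-08T02:15:00 dba_jsmith 9200000
"""

def daily_totals(text):
    """Return {user: [(day, rows), ...]} in date order, summing rows per day."""
    totals = defaultdict(int)
    for line in text.splitlines():
        ts, user, rows = line.split()
        totals[(user, datetime.fromisoformat(ts).date())] += int(rows)
    by_user = defaultdict(list)
    for (user, day), rows in sorted(totals.items(), key=lambda kv: kv[0][1]):
        by_user[user].append((day, rows))
    return by_user

def find_mass_queries(text, baseline_days=2, factor=10):
    """Flag (user, day, rows) where a day's total exceeds `factor` times the
    mean of that user's first `baseline_days` days. Baseline length and
    factor are assumptions; a real deployment would learn a longer baseline
    and also weight off-hours activity."""
    alerts = []
    for user, days in daily_totals(text).items():
        if len(days) <= baseline_days:
            continue  # too little history to call anything anomalous
        threshold = factor * mean(rows for _, rows in days[:baseline_days])
        alerts += [(user, day, rows) for day, rows in days[baseline_days:]
                   if rows > threshold]
    return alerts

if __name__ == "__main__":
    for user, day, rows in find_mass_queries(AUDIT_LOG):
        print(f"ALERT {user} pulled {rows} rows on {day}")
```

The point is not the arithmetic but that the signal was there in the logs; it only needs a monitor that looks at what matters, as the bullets above say.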
So what IS a sophisticated attack?
- Not caused by phishing
- Malware not detectable by signature
- Not an easily-guessable password
- Not exploiting a known vuln for which a patch was available
- Multifactor auth was in use
- Decent detection tech was in use and being paid attention to
- Proper network segmentation in use
- Least privilege in effect
Advanced Persistent Threat?
No. ADAPTIVE Persistent Threat
- “Advanced” implies they are sophisticated and unstoppable
- “Adaptive” implies that they are finding the weakness in your system
- Successful APT attacks exploit unforced errors on your part
Advanced Persistent Security Program
- be adaptive
- assume failure
- exfiltration prevention > intrusion prevention
- disruption is an acceptable strategy