Friday, May 24, 2013

SANS Webinar: APT: It is Time to Act

This is the 2nd SANS webinar that I've watched.  The title is "APT: It is Time to Act."  It looked interesting because I've seen APT a few times and wasn't sure what it meant.  APT is Advanced Persistent Threat.  These notes are for my reference and for audit purposes as I log this for CPEs for CISSP.

Overview

APT is like cancer, compared with the common-cold threats of a few years ago.  Think in terms of "you are already infected, now go find it."  Despite best efforts, we will still get infected.

Advanced = advanced adversary.  Another interpretation of APT = average phishing technique.  Adversaries are going to use the easiest method they can to break in, i.e., phishing.  The payload is usually buried in an attachment, so you get compromised without even knowing.  That is the persistent part.

Too much focus on prevention and not enough on detection.

Solutions

Most dangerous applications are web browsers and email clients.  So sandbox/VM those applications.

3 primary vectors:
  1. Executable content in email
  2. Macros in an office document
  3. Executable code in embedded HTML in the email
So disable executable content, macros, and executable HTML in email.

Prevention vs. Detection

Prevention will eventually fail, so you also need detection, which lets you catch a breach after it gets past prevention and then stop it.  Organizations have to focus more on detection.  Most security is preventive (85%) vs. detective (15%), and most of it faces inbound rather than outbound traffic.  Examine outbound traffic to spot unusual activity.

Encrypted outbound traffic can sneak past detection.  One option is to load crypto modules to decrypt it, but if the adversary controls the keys, that won't work.  Solution - create crypto-free zones.  That comes from understanding the adversary and their strength, then turning it into a weakness.

5 Steps to Secure Future

  1. Identify critical data - can't protect what you don't know.  Determine your most important assets, biggest threats, and biggest vulnerabilities.  Get a unified focus from everyone.  Risk-based thinking improves results.  Questions to ask:
    1. What is the risk?
    2. Is it the highest priority?
    3. Is it the most cost effective way to reduce risk?
  2. Align the defense with the offense.  Most attacks follow these five steps.  Most effort is spent defending steps 3 and 4.  If you do enough reconnaissance and scanning, then exploitation is fairly easy.
    1. Reconnaissance
    2. Scanning
    3. Exploitation
    4. Create backdoors
    5. Cover tracks
  3. Know your organization.  If offense knows more than defense, then they will win.  You need to have:
    1. Accurate network diagram - can't protect what you don't know about
    2. Network visibility map
    3. CM and change control
  4. Defense in depth.  There is no unstoppable adversary.
    1. Inbound protection
    2. Outbound detection
    3. Log correlation - look at IP address destination countries
    4. Anomaly detection
  5. Common metrics.  Use the critical controls:
    1. Offense informing the defense
    2. Automation and continuous monitoring of security
    3. Metrics to drive measurement and compliance
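As an added illustration of the outbound-detection, log-correlation and anomaly-detection points in step 4 (my own example, not from the webinar), this script runs two checks over constructed outbound flow records: flows to destination countries outside the organization's normal baseline, and src/dst pairs that talk at near-constant intervals (beaconing).  The GeoIP table, country labels, log format and IP addresses are all made up for the example.

```python
import ipaddress
from collections import defaultdict
from statistics import pstdev

# Constructed GeoIP table: documentation ranges mapped to hypothetical country labels.
GEOIP = {
    ipaddress.ip_network("192.0.2.0/24"): "HOME",
    ipaddress.ip_network("198.51.100.0/24"): "PARTNER",
    ipaddress.ip_network("203.0.113.0/24"): "UNEXPECTED",
}
BASELINE = {"HOME", "PARTNER"}  # countries the organization normally talks to

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP.items():
        if addr in net:
            return country
    return "UNKNOWN"

def parse(line):
    # Constructed record format: "<epoch> <src_ip> <dst_ip> <bytes_out>"
    ts, src, dst, nbytes = line.split()
    return int(ts), src, dst, int(nbytes)

def unexpected_destinations(lines):
    """Log correlation on destination country: flows leaving the baseline set."""
    hits = set()
    for _, src, dst, _ in map(parse, lines):
        country = country_of(dst)
        if country not in BASELINE:
            hits.add((src, dst, country))
    return sorted(hits)

def beacons(lines, min_flows=4, max_jitter=0.1):
    """Anomaly detection: src->dst pairs contacted at near-constant intervals."""
    times = defaultdict(list)
    for ts, src, dst, _ in map(parse, lines):
        times[(src, dst)].append(ts)
    found = []
    for (src, dst), ts in times.items():
        if len(ts) < min_flows:
            continue
        gaps = [b - a for a, b in zip(sorted(ts), sorted(ts)[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:  # low relative jitter
            found.append((src, dst, round(mean)))
    return found

LOG = [  # constructed sample: one host calling the same outside IP every 300 s
    "1000 10.0.0.5 203.0.113.7 512", "1300 10.0.0.5 203.0.113.7 520",
    "1600 10.0.0.5 203.0.113.7 498", "1900 10.0.0.5 203.0.113.7 515",
    "1010 10.0.0.8 192.0.2.10 40000", "1500 10.0.0.8 198.51.100.3 2000",
    "1700 10.0.0.9 192.0.2.10 900",
]
```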

Conclusion

Need to focus on outbound detection - no prevention is perfect.  Use automation, current security devices, and a common focus.  Understand your assets and the adversary.
