Protecting Against the Top 5 Attack Vectors Stay Secure from the Most Common Threats Seen by Arctic Wolf’S Security Team

Home , SQL injection

Protecting Against the Top 5 Attack Vectors Stay secure from the most common threats seen by Arctic Wolf’s security team

Major Cyberattacks in the News...... 3

The Top 5 Attack Vectors ...... 4

The Cyber Kill Chain...... 7

Protecting Against the Top 5 Attacks

Malware/Ransomware ...... 8

Phishing Attack...... 9

PUP/Adware ...... 10

Account Hijacking...... 11

Unpatched/Outdated Software...... 12

Why Focus on Detection and Response? ...... 13

Essential Components of Protection ...... 15

The Industry’s Most Fierce SOC-as-a-Service ...... 16

Uber 57 million users’ and drivers’ personal data was exposed— addresses, driver license numbers, and credit cards were stolen. Hackers gained unauthorized access to customer data via Uber’s GitHub instance in AWS to steal data.

Equifax 145 million consumers’ SSNs, addresses, drivers license numbers, and credit cards were stolen. An unpatched Apache web server was exploited. It was very similar to intrusions into Anthem and the US Office of Personal Management.

WannaCry Multiple ransomware attacks hit a number of multinational companies across Europe and brought their businesses to a halt. They all exploited a vulnerability in Microsoft Windows that could have been easily patched.

Spectre/Meltdown Most modern processors are susceptible to malicious code that can gain unauthorized access to portions of memory and steal passwords and crypto-keys. Patches are available for most OS’s running on these processors.

As you will see, nefarious hackers, cybercriminals, and bad actors seek means, pathways, and vulnerabilities to gain unauthorized access to a computer device or network for exploitation purposes.

Malware/Ransomware Modus Operandi: Malicious software that spreads via an email attachment or a link to a malicious website. It infects the endpoints when a user opens the attachment or clicks on the link. 1 Ransomware is a specialized malware that encrypts all the files on the system that it infects, and prevents you from accessing data unless you pay a ransom. Counter-Measure: Ongoing security awareness training for end users, to teach them not to open email attachments from unknown users and not to click on suspicious URLs and download browser plug-ins from suspicious websites.

Password Phishing Attack Modus Operandi: Malicious email that tricks users to surrender their user credentials. The email may appear legitimate, as if coming from your bank, and ask you to reset your password. Everything looks above board; it even warns the recipient not to fall for 2 fraudulent emails. The only thing that gives it away is the rogue link asking for confidential information. Counter-Measure: Ongoing security awareness training for end users, to teach them not to open email attachments from unknown users and not to click on suspicious URLs and download browser plug-ins from suspicious websites.

PUP Adware Modus Operandi: Potentially unwanted programs (PUPs) are trojans, spyware, or adware that surreptitiously monitor your keystrokes, scan files on your hard drive, and read your 3 browser cookies. Hackers make money using PUPs by marketing software products with annoying ads that BUY pop up on your screen. Counter-Measure: Avoid downloading and installing apps, browser extensions, and programs from untrusted websites. Backup your system to an external drive or online backup service.

Account Hijacking Modus Operandi: Hackers gain access to user accounts by repeatedly entering in different “guesses” of stolen passwords or words from the dictionary with combinations of numbers until they successfully log in. 4 Such attacks are typically launched with automated tools, where thousands of passwords are submitted from multiple bots (botnets) in a matter of seconds. Counter-Measure: Brute-force attacks can be prevented, by 1) account lockout after a designated number of failed login attempts; 2) using a challenge-response test (reCAPTCHA) to prevent automated submission.

Unpatched/Outdated Software Modus Operandi: Hackers exploit vulnerabilities in systems software and web applications to execute unauthorized code, enabling them to gain extra privileges or steal information. Shellshock exploited a bug in Unix in 2014 to take over systems 5 and convert them to bots. SQL-injection attacks are used to exploit vulnerable web applications. Counter-Measure: Run vulnerability scanning software at regular intervals, and patch all systems which have high-priority vulnerabilities.

The cyber kill chain, created by Lockheed Martin, describes the seven stages of any targeted attack. Each stage presents an opportunity to detect and mitigate that attack.

Attackers probe for a weakness Deliver the weaponized bundle to Installing malware on Attacker remotely carries by harvesting email addresses the victim via email, compromised the target asset out their intented goal and social networks websites, or other means

Reconnaissance Delivery Installation Actions

1 2 3 4 5 6 7

Weaponization Exploit Command and Control Build a deliverable payload Executing code on Creating a channel using an exploit and the victim’s system to remotely control backdoor the victim’s system

Malicious software that spreads via an email attachment or a link to a malicious website. It infects the endpoints when a user opens the attachment or clicks on the link.

Send $600 worth of Network sensors can bitcoin to this address detect connections to known hacker User unknowingly Malware installs on Malware encrypts all files User decrypts all files domains and C&C opens email laptop and sends crypto with encryption key and with key and recovers sites and block traffic attachment key-pair to C&C displays ransom note to user from shutdown

Reconnaissance Delivery Installation Actions Actions

1 2 3 4 5 6 7A 7B 7C

Weaponization Exploit Command and Control Actions Hacker sends email Malware exploits C&C saves decryption Hacker sends decrypt key to with malware in vulnerability in key and waits for user from C&C when attachment OS/app instructions ransom is paid

Endpoint protection software can alert on malware exploits

Malicious email that tricks users to surrender their user credentials. The email may appear legitimate, as if coming from your bank, and ask you to reset your password.

Send $600 worth of bitcoin to this address

Network sensors can Phishing email Nothing is installed Hacker gets your detect connection to appears to be coming on your computer username and known phishing sites from a bank password from C&C and block traffic Reconnaissance Delivery Installation Actions

1 2 3 4 5 6 7 8

Weaponization Exploit Command and Control Actions Hacker sends User enters his Phishing site captures Hacker logs in phishing email bank username your passwords for all to your bank account to user and password websites you visit and transfers funds

Email security gateways can alert on suspicious URLs and block them

Potentially unwanted programs (PUPs) are trojans, spyware, or adware that surreptitiously monitor your keystrokes, scan files on your hard drive, and read your browser cookies.

Firewalls or network sensors can detect PUP is delivered as update PUP as a startup program Hacker makes money by connections to known from known software annoys you with a pop-up at getting you to purchase PUP download sites download portals regular intervals software products and C&C servers Reconnaissance Delivery Installation Actions

1 2 3 4 5 6 7

Weaponization Exploit Command and Control PUP/adware is bundled with No exploit required since PUP contacts C&C sites “free” apps on suspicious you have approved the to download actual app software portals software download for purchase

BUY

Hackers gain access to user accounts by repeatedly entering in different “guesses” of stolen passwords or words from the dictionary with combinations of numbers until they successfully log in.

SOC

Security operations center (SOC) can detect account hijacking when it sees a successful login Uses command & control after multiple failed login Hacker breaks in to your server to recruit botnets to attempts in a span of account after trying 20 other Send $600 worth of do his dirty work a couple of minutes accounts, transfersbitcoin to this funds address

Reconnaissance Delivery Installation Actions

1 2 3 4 5 6 7

Weaponization Exploit Command and Control Hacker purchases a trove of Botnets try multiple stolen usernames/passwords usernames/ passwords to from the dark web break into bank website

Hackers exploit vulnerabilities in systems software and web applications to execute unauthorized code, enabling them to gain extra privileges or steal information.

Hacker gets version Identifies unpatched Hacker sells customer number of web servers version of Apache Struts data for top dollars running on all major websites web server on the dark web

Reconnaissance Delivery Installation Command and Control

1 2 3 4 5 6 7

Weaponization Exploit Actions Runs remote command Hacker transfers customer to access database sitting confidential data from behind web server database to C&C sever

Network sensors detect anomalous probing requests to web servers, and connections to known C&C sites during customer data theft

Protect Detect f Access Control ct f Anomalies and Events e D f Awareness and Training ot e f Security Continuous f r t Monitoring Data Security P e f Information c f Detection Process t Protection Processes and

Procedures

Requires Managed f Maintenance

Detection and Response f Protective Technology

i R

t Respond

n Cybersecurity

s f Response Planning

d Framework f Communications o

f Analysis

Identify

f Mitigation

Asset Management

f Improvements

R v e f o Business Environment c f Governance f Risk Assessment f Risk Management Strategy Recover f Recovery Planning f Improvements f Communications

Lower Your Cost of Handling Security Breaches by Speeding up the Time to Identify and Contain the Attack

365 Days

291 Days The lifecycle of a breach caused by a malicious attack. The mean time to identify (MTTI) the breach for most businesses is 214 days.

77 Days The mean time to contain (MTTC) the breach for most businesses.

1. Source: 2017 Ponemon Cost of Data Breach Incident Report

53% of cost per breach is spent on detection and response

Concierge ecurity ervice Monitoring Security Team CST

aa Application Monitoring

Secure Transport Secure Transport Cloud Infrastructure Monitoring

On-remises Arctic Wolf Arctic Wolf ensors Cloud Collects Network Arctic Wolf OC-as-a-ervice Connectors Flows, Log Data irtual ensors for Cloud Monitoring Users, Apps, Data, Infrastructure Activity

f Managed detection and response f Compliance reporting f Fully managed cloud-based SIEM f Cloud monitoring – IaaS, SaaS, SECaaS f Human-assisted machine learning f Periodic external vulnerability scans f External threat intelligence included f Advisory services – FW, AD, IR audits f 24x7 monitoring and alerting f Simple, predictable pricing

A security operation center (SOC) is the most essential element of modern security. But SOCs are expensive, complicated, and far beyond the reach of most small to medium enterprises (SMEs). So, many take the easy route and invest in security products, but not in the people and processes required to manage a SOC. The Arctic Wolf SOC-as-a-service differs from traditional managed security services. It is a dynamic combination of world-class Concierge Security™ Teams (CSTs), advanced machine learning, and comprehensive, up-to-the-minute threat intelligence. Your CST conducts both routine and non-routine tasks to protect you from known and emerging threats.

The Arctic Wolf SOC-as-a-service provides: f Dedicated security experts f Managed detection and response f Security incident and crisis support f Regulatory compliance f Simple, predictable pricing

For More Information

Call: 1-888-272-8429

PERSONAL | PREDICTABLE | PROTECTION

AW_G_Protecting_Against_Top5_Vectors-1219