
KASPERSKY LAB METHODOLOGIES AND FRAMEWORKS FOR ENTERPRISE SECURITY

Topics: Fraud Prevention; APT / Advanced threats; Industrial Security; Abnormal Behavior / Internal threats

Ashraf Abdelazim – Director, Enterprise Business – Emerging Markets, Enterprise Security Division
Mikhail Nagorny – Head of Security Services, Enterprise Security Division

AGENDA
• Kaspersky Leadership Overview
• Industrial Security Methodology and Framework
• Multi-layer Fraud Detection and Prevention
• Anti-targeted Attacks Platform
• Mitigating DDoS Attacks
• Threat Intelligence and Early Warning System
• Practical Examples and Success Stories

THREAT LANDSCAPE OVER 15+ YEARS
• Enterprises lose about $800 000 on each data breach
• KL detects 350 000 new threats daily
• 260 000 threats survive in virtualization
Timeline: 1997, 2001, 2007, 2010, 2015

APT LANDSCAPE – KL ANNOUNCEMENTS, 2010–2016
Cosmic Duke v2.0, Cloud Atlas, Cozy Duke, BlueTraveller, Regin, Naikon, ATM Jackpotting, Kimsuky, Syrian EA, Hellsing, IceFog, Crouching Yeti, Desert Falcons, Poseidon, NetTraveler, Animal Farm, Winnti, BlackEnergy2, ACECARD, Carbanak, MiniDuke, DarkHotel, GCMAN, GAUSS, TeamSpy, Metel, Duqu, Flame, Epic, Adwind RAT
What’s NEXT: http://cybermap.kaspersky.com

THREATS PYRAMID
• State-Level Attacks – Governments: Stuxnet, Epic Turla, etc.
• Sensitive Organizations: Equation Group, Desert Falcons
• Organization-level – Industrial, Financial, Telco: Carbanak, BlackEnergy, etc.
• Individual-Level: DarkHotel, etc.

THREAT INTELLIGENCE – THE ENDURING ADVANTAGE
One of the most advanced global threat intelligence ecosystems: 400M+ endpoints; 270,000 corporate customers; 200+ countries (discoveries include Stuxnet, Flame, Cabir, Svpeng).
• PRODUCT VISION / VISIBILITY: updates are globally distributed silently in less than a minute.
• AUTOMATED RESPONSE / DETECTION: sophisticated threats require intelligent detection methodologies; 350,000+ unique samples collected daily.
• ACTIONABLE INTELLIGENCE / RESEARCH & ANALYSIS / LAW ENFORCEMENT: intelligent interpretation of threat evolution and trends allows us to build protections for future threats.
• GReAT – the largest global threat research team, present in 17 countries.

GLOBAL RESEARCH AND ANALYSIS TEAM – GReAT

SECURITY INTELLIGENCE IS IN OUR DNA
Endpoint Security, Virtualization Security, Mobile Security, DDoS Protection, Datacenter Security, Industrial Security, Fraud Prevention and Anti-APT are all built on Security Intelligence.

INDUSTRIAL CYBER SECURITY
January 2016, Ukraine: a deliberate attack on 2 Ukrainian electricity distribution companies
• 23 substations (35 kV)
• 7 substations (110 kV)
• 80,000 customers affected
http://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid

INDUSTRIAL SECURITY APPROACH

Security priorities differ between the two networks:
Industrial Network: 1. Availability, 2. Integrity, 3. Confidentiality
Corporate Network: 1. Confidentiality, 2. Integrity, 3. Availability

Corporate IT security is about data protection; industrial security is about process protection. The process must stay continuous first, and only then can it be secured.

INDUSTRIAL CYBER SECURITY METHODOLOGY

• Continuous Risk Assessment: ICS-specific knowledge, cyber intelligence, security and gap assessment, penetration testing, incident response & forensics, managed defense.
• Risk Assessment: regular pentesting, gap assessment, IR and managed defense.
• Consultancy for ICS Security: regulations & compliance consultancy, incident response & forensics, standards & security requirements.
• Risk and Threat Awareness: awareness training for ICS operators, engineers and managers from business, ICS and InfoSec.
• 24x7 Support: technical support, emergent response, regular maintenance.
• Multi-layer Tailored ICS Security: nodes integrity control, network integrity control, process integrity control, anti-malware protection.

ICS SECURITY EXECUTION APPROACH AND TIMEFRAMES

INITIAL PROJECT *
• 1 week: CSA questionnaire
• 2–4 weeks: CSA service description, cybersecurity assessment
• 3–11 months: quick wins (basic feature), KICS implementation, integration with enterprise architecture
ANNUAL SUPPORT
• 12 months: solution B support
TODAY → TOMORROW. Industrial education: 2 industrial trainings, 1 interactive business game.
* – estimated duration (from…) based on case details

ONLINE FINANCIAL SYSTEMS SECURITY
MOBILE BANKING THREATS

MATCHING 5 LEVELS OF WEB FRAUD (GARTNER)

Level 1: Endpoint-centric; it involves technologies deployed in the context of users and the endpoints they use.

Level 2: Navigation-centric; it monitors and analyzes session navigation behavior and verifies it against expected patterns.

Level 3: User- and account-centric for a specific channel (e.g. online sales); it analyzes user behavior and transactions.

Level 4: User- and account-centric across multiple channels and products (e.g. online sales and in-store sales).

Level 5: It is entity link analysis. It enables the analysis of relationships among internal and/or external entities and their attributes to detect organized or collusive criminal activities or misuse.
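As an added illustration (not Kaspersky Lab's platform code) of what two of these levels check in practice, the Python below scores a session's page sequence against an expected navigation pattern (Level 2) and links accounts through shared device and phone attributes to surface collusive clusters (Level 5). The page names, session timings, account records and the cluster threshold are all constructed for the demonstration.

```python
"""Toy illustration of two of the Gartner web-fraud layers: Level 2
(navigation-centric) and Level 5 (entity link analysis).  Added example,
not vendor code; every session, account and threshold is constructed."""
from collections import defaultdict

# Level 2: the path a legitimate customer normally follows before a payee
# is added.  Constructed expected pattern for this demonstration.
EXPECTED_BEFORE_ADD_PAYEE = ["login", "accounts", "payees"]


def navigation_anomalies(session):
    """Return anomaly descriptions for one session.
    session: list of (page, seconds_since_session_start) tuples."""
    pages = [page for page, _ in session]
    anomalies = []
    if "add_payee" in pages:
        idx = pages.index("add_payee")
        if pages[:idx] != EXPECTED_BEFORE_ADD_PAYEE:
            anomalies.append("add_payee reached without expected navigation path")
    # Scripted sessions move between pages faster than a person can read them.
    for (page, t1), (_, t2) in zip(session, session[1:]):
        if t2 - t1 < 1:
            anomalies.append(f"sub-second transition from {page}")
    return anomalies


def link_clusters(accounts, min_size=3):
    """Level 5: group accounts that share any attribute value (device, phone)
    with union-find and return the groups of at least min_size accounts.
    accounts: {account_id: {"device": ..., "phone": ...}}"""
    parent = {acct: acct for acct in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    by_attribute = defaultdict(list)  # (attribute, value) -> [accounts]
    for acct, attrs in accounts.items():
        for key, value in attrs.items():
            by_attribute[(key, value)].append(acct)
    for members in by_attribute.values():
        for other in members[1:]:
            union(members[0], other)

    groups = defaultdict(set)
    for acct in accounts:
        groups[find(acct)].add(acct)
    return [g for g in groups.values() if len(g) >= min_size]


# Constructed sample input: one human-looking session, one scripted one,
# and five accounts of which three are chained by a shared device and phone.
SESSION_OK = [("login", 0), ("accounts", 12), ("payees", 30), ("add_payee", 48)]
SESSION_BOT = [("login", 0), ("add_payee", 0.4), ("transfer", 0.9)]
ACCOUNTS = {
    "A1": {"device": "dev-111", "phone": "+100"},
    "A2": {"device": "dev-111", "phone": "+101"},
    "A3": {"device": "dev-222", "phone": "+101"},
    "A4": {"device": "dev-333", "phone": "+102"},
    "A5": {"device": "dev-444", "phone": "+103"},
}

if __name__ == "__main__":
    print("ok session :", navigation_anomalies(SESSION_OK))
    print("bot session:", navigation_anomalies(SESSION_BOT))
    print("clusters   :", link_clusters(ACCOUNTS))
```

The two checks are deliberately independent: a Level 2 verdict needs only the current session, whereas the Level 5 clustering needs the whole account population, which is why the Gartner model places it in a separate layer.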

KASPERSKY FRAUD PREVENTION PLATFORM
• Kaspersky Security Network
• User Management & Protection: Endpoints & Mobile, Console
• Protection: Clientless Engine
• Services: Professional Services, Intelligence Services, Education Services, Management Services

FINANCIAL SYSTEMS FRAUD DETECTION AND PREVENTION
• Continuous Risk Assessment: financial-specific knowledge, cyber intelligence, security and gap assessment, penetration testing, incident response & forensics, managed defense.
• Risk Assessment: regular pentesting, gap assessment, IR and managed defense.
• Financial Systems Fraud Detection and Prevention Framework.
• Risk and Threat Awareness: awareness training for financial systems operators, engineers and managers from business, technical and InfoSec departments.
• 24x7 Support: technical support, emergent response, regular maintenance.
• Multi-layer Tailored Fraud Detection and Prevention: secure browsing for internet banking, mobile app security, ATM/POS-specific security, server-side malware detection, account takeover and behavior analysis.

ANTI-TARGETED ATTACKS PLATFORM

1% BRINGS HIGH RISK AND HIGH LOSSES
Threat mix: 70% known threats; 29% unknown and advanced threats; 1% targeted attacks / APT.
Average loss from a single targeted attack*: Enterprises 800K USD; SMBs 84K USD.
* Based on Corporate IT Security Risks Survey, 2015, conducted by Kaspersky Lab and B2B International. Indicates an average loss from a single targeted attack, including direct losses and additional spend required to recover from an attack.

TARGETED ATTACK IS NOT A ‘ONE-OFF’ OFFENSIVE: IT’S AN ONGOING PROCESS

PREPARE
• Research target
• Create strategy
• Build a toolset
INFECT
• Leverage weaknesses
• Penetrate the perimeter
• Establish links
EXPAND ACCESS
• Obtain credentials
• Raise privileges
• Move laterally
• Take control
EXFILTRATE
• Stay dormant
• Extract data
• Cover tracks
• Leave quietly
THE APT PROCESS MAY TAKE SEVERAL YEARS TO COMPLETE, AND MAY WELL NEVER BE DISCOVERED

HOW TO ADDRESS THE ISSUE OF TARGETED ATTACKS

PREDICT (SMART)
• Analyze the potential security gaps
• Raise the threat awareness
• Implement the right approaches to mitigate potential risk with existing solutions
PREVENT (MULTI-LAYERED)
• Mitigate the risks
• Adjust countermeasures accordingly
• (if not already done) create a dedicated SOC
DETECT (VIGILANT)
• Discover the incident
• Track its immediate source
• Understand its nature
RESPOND (EFFECTIVE)
• Analyze the incident
• Take immediate steps to mitigate the consequences
All four stages are driven by global threat intelligence.

STAGES FOR AN EFFECTIVE PROCESS
• Data Acquisition – sensors: network, web/proxy, email, endpoint; data: syslog, SB activity log, pcaps, detonated samples
• Analysis – processing engines: Targeted Attack Analyzer, Advanced Sandbox, Threat Intelligence (KSN)
• Verdict – visualization: Security Console
• Response – Security Intelligence Services

PLATFORM ARCHITECTURE

Platform architecture (diagram, summarized): Internet traffic passes through network sensors (network traffic, suspicious objects, host network activity), and endpoint sensors run on PCs and laptops. Everything feeds the Analysis Center (Advanced Sandbox, Incidents server, Verdicts DB), which drives the analyst console and incident alerts, integrates with the SIEM, SOC, logs and email, and supports the Security Officer and the Forensic Team.
Flow: Attack vectors → Data Acquisition → Data Analysis → Verdict prioritizing → Response

BUILDING AN ADAPTIVE ENTERPRISE SECURITY STRATEGY

PREDICT
• KNOW YOURSELF: Penetration testing service; Security assessment service; Targeted Attack Discovery Service
PREVENT
• TRAIN: Cybersecurity training
• PROTECT: Kaspersky Lab Enterprise security solutions
• EDUCATE: Cyber-safety Games; Threat simulation
DETECT
• EXPERTISE: Targeted Attack Investigation Training; APT reporting
• THREATS LANDSCAPE: Botnet tracking; Threat data feeds
• SOLUTION: Kaspersky Anti Targeted Attack Platform
RESPOND
• REACTION: Incident response service
• INVESTIGATE: Malware analysis service; Digital forensics services

DDOS MITIGATION AND PROTECTION
NEXT GENERATION DDOS PROTECTION
DDOS ‘SERVICES’ ARE READILY AVAILABLE

$200 – black market cost of a day-long DDoS attack.

Specialized online marketplaces exist where you can buy and sell botnets or individual DDoS attacks.

Would-be DDoS attackers simply pay by PayPal, Bitcoin or credit card and choose desired attack.

If you don’t want to do the dirty work yourself, you can hire someone to perform the service for you, known as a ‘booter.’

KDP | UNDERSTANDING DDOS – KASPERSKY DDOS PROTECTION

KDP ADVANTAGES
• In-house developed solution: the way the solution works can be changed flexibly and rapidly in response to changes.
• Emergency Response Team 24x7: filter rules can be modified individually in real time depending on the current situation.
• Protection of resources, not channels: monitoring traffic more thoroughly and repelling even very big and/or sophisticated attacks.
• Technology partnership with ISP: filtering most of the traffic on the provider’s side and decreasing the burden of attack.
• KL DDoS Intelligence: our proven threat expertise helps to identify an attack at a very early stage.

THREAT AND SECURITY INTELLIGENCE
BUILDING AN EARLY WARNING SYSTEM AGAINST ADVANCED THREATS

INTEGRATE THREAT INTELLIGENCE INTO YOUR INFOSEC FRAMEWORK
• ALERTING – External Global Security Intelligence: Intelligence Notifications, Intelligence Reporting, Botnet Tracking, Early IOC
• FEEDS: feed your internal systems with external trusted security & threat intelligence
• SUSPICIOUS ACTIVITY – Global Security Intelligence, Cyber-Threat Analysis & Forensics: Malware Analysis, Digital Forensics, IR, PenTesting, Security Assessment
• EDUCATION – Global Security Intelligence: 1) Malware Analysis and DF, Reverse Engineering; 2) CyberSafety Games

1ST: ALERTING – THREAT INTELLIGENCE
Real-time Notification for External Threats
• Monitor mobile, online and payment systems for threats targeting the entity or its consumers
• Malware and cyber-attacks tracking
• Real-time notification – within 20 minutes
• Notification includes target system, attack description, attack distribution, malware hash, attack rules, C&C, etc.
• Current attack status
APT Reporting & External Threat Reporting
• Identification of threat actors
• Analysis
• Third-party attacks
• Information leakage
• APT private reporting
• Two levels: Standard and Premium

2ND: EXTERNAL THREAT DATA FEEDS

Feed your existing security controls with external intelligence to add an advanced layer of protection.

SIEM: QRadar, ArcSight, Splunk

Gateways: firewalls, UTMs, etc.
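As an added example (not the vendor's feed format or code) of how an existing control consumes a threat data feed, the Python below indexes a constructed JSON feed of IP, domain and MD5 indicators, extracts candidate indicators from constructed proxy, firewall and EDR log lines, and raises an alert when a candidate matches a feed record at or above a confidence threshold. The feed schema, log formats, hostnames, addresses and hashes are all assumptions made for the demonstration.

```python
"""Matching an external threat data feed against existing logs.  Added
example, not vendor code: the feed records, log lines and indicator
values below are constructed for the demonstration."""
import json
import re

# Constructed feed.  A real vendor feed has its own schema and many more fields.
FEED_JSON = json.dumps([
    {"type": "ip", "value": "203.0.113.45", "threat": "c2-server", "confidence": 90},
    {"type": "domain", "value": "update-check.example", "threat": "malware-download", "confidence": 75},
    {"type": "md5", "value": "44d88612fea8a8f36de82e1278abb02f", "threat": "eicar-test-file", "confidence": 100},
])


def load_feed(feed_json):
    """Index feed records by (type, normalized value) for O(1) lookups."""
    index = {}
    for rec in json.loads(feed_json):
        index[(rec["type"], rec["value"].strip().lower())] = rec
    return index


# Extractors for the three indicator types this toy feed carries.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def extract_candidates(line):
    """Return the set of (type, value) pairs that could be indicators in a log line."""
    cands = set()
    for ip in IP_RE.findall(line):
        cands.add(("ip", ip))
    for digest in MD5_RE.findall(line):
        cands.add(("md5", digest.lower()))
    for host in HOST_RE.findall(line):
        cands.add(("domain", host.lower()))
    return cands


def match_logs(lines, index, min_confidence=70):
    """Cross-reference every log line with the feed index and return alerts.
    Low-confidence records are dropped so the feed does not flood the SIEM."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        for cand in extract_candidates(line):
            rec = index.get(cand)
            if rec and rec["confidence"] >= min_confidence:
                alerts.append({"line": lineno, "indicator": rec["value"],
                               "threat": rec["threat"], "log": line})
    return alerts


# Constructed log lines in three made-up formats (proxy, firewall, EDR).
LOG_LINES = [
    'proxy 2016-03-01T10:02:11Z user=jdoe dst=update-check.example path=/x.bin status=200',
    'fw 2016-03-01T10:02:15Z action=allow src=10.0.0.7 dst=203.0.113.45 dport=443',
    'fw 2016-03-01T10:03:00Z action=allow src=10.0.0.9 dst=198.51.100.2 dport=80',
    'edr 2016-03-01T10:05:42Z host=WS-17 file=C:\\Temp\\x.bin md5=44D88612FEA8A8F36DE82E1278ABB02F',
]

if __name__ == "__main__":
    for alert in match_logs(LOG_LINES, load_feed(FEED_JSON)):
        print(f"line {alert['line']}: {alert['threat']} via {alert['indicator']}")
```

Normalizing case on both the feed side and the log side matters in practice: the same hash or hostname arrives upper-cased from one sensor and lower-cased from another, and an un-normalized exact-match lookup silently misses half the hits.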

3RD: CYBER SAFETY TRAINING PROGRAM
Cyber Safety Games
• Interactive games that cover 9 cyber security domains in a teams’ format
• Impersonate cybercriminals, focus on Dos not Don’ts, play for maximum benefit
• At least 10% of the organization staff
Cyber Safety Culture Assessment
• Assessment for 12 cyber security domains across the organization
• Help in understanding the gaps and areas of focus in the organization’s culture
• At least 15% of the organization staff
Cyber Safety Online Training Platform
• Online training modules to cover 11 different domains
• Skills assessment
• Analytics and reporting
• Supporting security teams: posters, email templates, screensaver images

4TH: SUSPICIOUS ACTIVITY SERVICES
The Expert! Incident Investigation
• Malware Analysis
• Digital Forensics
• Incident Response
Is this a single incident or part of a chain?
Targeted Attack Discovery Service – Proactive Response!
Analyze different threat sources and perform tool-aided scanning. Continuous process!
Security Assessment – Penetration Testing
• Internal/External Network
• Internal/External Web
• App Assessment
• Telecom-Specific
• ICS-Specific
• ATM/POS Specific

ENHANCING SOC OPERATIONS AND CAPABILITIES
SECURITY EDUCATION: Security Awareness & Fundamentals; Digital Forensics; Malware Analysis & Reverse Engineering; Cyber Safety Games
INVESTIGATION SERVICES: Digital Forensics; Malware Analysis; APT Discovery and Incident Response
THREAT INTELLIGENCE: Threat Data Feeds; Botnet Tracking; Intelligence Reporting; Threat Lookup
SECURITY ASSESSMENT: Pen Testing; Application Security Assessment; Telco-Specific Assessment; Financial-Specific Assessment

PRACTICAL EXAMPLES – SUCCESS STORIES

SUCCESS STORY — INTERPOL

SUCCESS STORY — TELEFONICA
http://www.kaspersky.com/about/news/business/2014/Kaspersky-Lab-and-Telefonica-join-forces-to-improve-cyber-protection-for-European-and-Latin-America-customers
http://www.eurocomms.com/industry-news/49-online-press/9898-telefonica-signs-cyber-security-deal-with-kaspersky-lab

LET’S TALK!
Ghareeb Saad – Senior Security Researcher, Global Research and Analysis Team – [email protected]
Ashraf Abdelazim – Director, Enterprise Business, Emerging Markets – [email protected]
Amr Ismail – Senior Security Consultant, Enterprise Business – [email protected]
Mikhail Nagorny – Head of Security Services, Enterprise Business – [email protected]