Fraud Prevention
APT / Advanced Threats
Industrial Security
Abnormal Behavior / Internal Threats
KASPERSKY LAB METHODOLOGIES AND FRAMEWORKS FOR ENTERPRISE SECURITY
Ashraf Abdelazim, Director, Enterprise Business – Emerging Markets, Enterprise Security Division
Mikhail Nagorny, Head of Security Services, Enterprise Security Division
AGENDA
• Kaspersky Leadership Overview
• Industrial Security Methodology and Framework
• Multi-layer Fraud Detection and Prevention
• Anti-targeted Attacks Platform
• Mitigating DDOS Attacks
• Threat Intelligence and Early Warning System
• Practical Examples and Success Stories
THREAT LANDSCAPE OVER 15+ YEARS
• Enterprises lose about $800 000 on each data breach
• KL detects 350 000 new threats daily
• 260 000 threats survive in virtualization
Timeline: 1997, 2001, 2007, 2010, 2015
APT LANDSCAPE – KL ANNOUNCEMENTS (2010–2016), http://cybermap.kaspersky.com
CosmicDuke, Duqu v2.0, Cloud Atlas, CozyDuke, BlueTraveller, Regin, Naikon, ATM Jackpotting, Kimsuky, Syrian EA, Hellsing, IceFog, Crouching Yeti, Desert Falcons, Poseidon, NetTraveler, Animal Farm, Winnti, BlackEnergy2, ACECARD, Carbanak, MiniFlame, MiniDuke, DarkHotel, GCMAN, GAUSS, TeamSpy, Careto, Metel, Equation Group, Stuxnet, Duqu, Flame, Red October, Epic Turla, Adwind RAT
What’s NEXT?
THREATS PYRAMID
• State-Level Attacks – Governments: Stuxnet, Epic Turla, etc.
• Sensitive Organizations: Equation Group, Desert Falcons
• Organization-level – Industrial, Financial, Telco: Carbanak, BlackEnergy, etc.
• Individual-Level: DarkHotel, etc.
THREAT INTELLIGENCE – THE ENDURING ADVANTAGE
One of the most advanced global threat intelligence ecosystems: 400M+ endpoints, 270,000 corporate customers, 200+ countries (milestone discoveries: Stuxnet, Flame, Cabir, Svpeng).
PRODUCT VISION
• VISIBILITY: updates are globally distributed silently in less than a minute; 350,000+ unique samples collected daily
• AUTOMATED DETECTION: sophisticated threats require intelligent detection methodologies
• RESPONSE
• ACTIONABLE INTELLIGENCE: intelligent interpretation of threat evolution and trends allows us to build protections for future threats
• RESEARCH & ANALYSIS: GReAT, the largest global threat research team, in 17 countries
• LAW ENFORCEMENT
GLOBAL RESEARCH AND ANALYSIS TEAM – GREAT
SECURITY INTELLIGENCE IS IN OUR DNA
Portfolio: Endpoint Security, Virtualization Security, Mobile Security, DDoS Protection, Datacenter Security, Security Intelligence, Industrial Security, Fraud Prevention, Anti-APT
INDUSTRIAL CYBER SECURITY
JANUARY 2016, UKRAINE: deliberate attack on 2 Ukrainian electricity distribution companies
• 23 substations (35kV)
• 7 substations (110kV)
• 80,000 customers affected
http://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid
INDUSTRIAL SECURITY APPROACH
Industrial Network priorities: 1. Availability, 2. Integrity, 3. Confidentiality
Corporate Network priorities: 1. Confidentiality, 2. Integrity, 3. Availability
Corporate IT Security is about data protection; Industrial Security is about process protection. The process should be continuous, and only then secure.
INDUSTRIAL CYBER SECURITY METHODOLOGY
• Continuous Risk Assessment: ICS-specific knowledge, cyber intelligence, security assessment, gap assessment, penetration testing, incident response & forensics, managed defense
• Risk Assessment and Security Gap Assessment, regular PenTesting, IR and Managed Defense
• Consultancy for ICS Security regulations & compliance: consultancy, incident response & forensics, standards & security requirements
• Risk and Threat Awareness: awareness training for ICS operators, engineers and managers from Business, ICS and InfoSec
• 24x7 Support: technical support, emergent response, regular maintenance
• Multi-layer Tailored ICS Security: nodes integrity control, network integrity control, process integrity control, anti-malware protection
ICS SECURITY EXECUTION APPROACH AND TIMEFRAMES
INITIAL PROJECT* (TODAY) → ANNUAL SUPPORT (TOMORROW)
• 1 week: CSA questionnaire
• 2-4 weeks: CSA (Cybersecurity Assessment) and service description
• 3-11 months: quick wins (basic feature), KICS implementation, integration with enterprise architecture
• 12 months: solution support
INDUSTRIAL EDUCATION: 1 interactive business game, 2 industrial trainings
* Estimated duration (from…) based on case details
ONLINE FINANCIAL SYSTEMS SECURITY
MOBILE BANKING THREATS
MATCHING 5 LEVELS OF WEB FRAUD (GARTNER)
Level 1: Endpoint-centric; involves technologies deployed in the context of users and the endpoints they use.
Level 2: Navigation-centric; monitors and analyzes session navigation behavior and checks it against expected patterns.
Level 3: User- and account-centric for a specific channel (e.g. online sales); analyzes user behavior and transactions.
Level 4: User- and account-centric across multiple channels and products (e.g. online sales and in-store sales).
Level 5: Entity link analysis; analyzes relationships among internal and/or external entities and their attributes to detect organized or collusive criminal activity or misuse.
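An added example of the Level 5 idea (not code from the presentation or from any Kaspersky product): accounts that share an attribute such as a device fingerprint, phone number or payout account are linked into clusters, and clusters above a size threshold are flagged for review as possible collusive activity. All account records and attribute values are constructed for the demo.

```python
from collections import defaultdict

# Constructed sample: account id -> attributes (every value here is made up).
ACCOUNTS = {
    "acc-001": {"device": "dev-A", "phone": "+10000000001", "payout": "IBAN-X1"},
    "acc-002": {"device": "dev-A", "phone": "+10000000002", "payout": "IBAN-X2"},
    "acc-003": {"device": "dev-B", "phone": "+10000000002", "payout": "IBAN-X3"},
    "acc-004": {"device": "dev-C", "phone": "+10000000004", "payout": "IBAN-X3"},
    "acc-005": {"device": "dev-D", "phone": "+10000000005", "payout": "IBAN-X5"},
    "acc-006": {"device": "dev-E", "phone": "+10000000006", "payout": "IBAN-X5"},
}

def _find(parent, x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def link_clusters(accounts):
    """Return {root: sorted member accounts} for every connected component.

    Two accounts are linked when they share any (attribute, value) pair;
    links are transitive, so A-B and B-C put A, B and C in one cluster.
    """
    parent = {acc: acc for acc in accounts}
    index = defaultdict(list)  # (attribute, value) -> accounts carrying it
    for acc, attrs in accounts.items():
        for key, value in attrs.items():
            index[(key, value)].append(acc)
    for members in index.values():  # union every account sharing a value
        for other in members[1:]:
            parent[_find(parent, other)] = _find(parent, members[0])
    clusters = defaultdict(list)
    for acc in accounts:
        clusters[_find(parent, acc)].append(acc)
    return {root: sorted(m) for root, m in clusters.items()}

def flag_collusion(accounts, min_size=3):
    """Clusters with at least min_size linked accounts, largest first."""
    big = [m for m in link_clusters(accounts).values() if len(m) >= min_size]
    return sorted(big, key=len, reverse=True)

if __name__ == "__main__":
    for cluster in flag_collusion(ACCOUNTS):
        print("review:", ", ".join(cluster))
```

acc-001 to acc-004 form one chain (shared device, then shared phone, then shared payout account) and are flagged; acc-005 and acc-006 only share a payout account and stay below the threshold.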
KASPERSKY FRAUD PREVENTION PLATFORM
Kaspersky Security Network
• USER PROTECTION: Endpoints & Mobile
• MANAGEMENT & PROTECTION: Console, Clientless Engine
• SERVICES: Professional Services, Intelligence Services, Education Services, Management Services
FINANCIAL SYSTEMS FRAUD DETECTION AND PREVENTION
• Continuous Risk Assessment: financial-specific knowledge, cyber intelligence, security assessment, gap assessment, penetration testing, incident response & forensics, managed defense
• Risk Assessment and Security Gap Assessment, regular PenTesting, IR and Managed Defense
• Financial Systems Fraud Detection and Prevention Framework
• Risk and Threat Awareness: awareness training for financial systems operators, engineers and managers from Business, Technical and InfoSec departments
• 24x7 Support: technical support, emergent response, regular maintenance
• Multi-layer Tailored Fraud Detection and Prevention: secure browsing for Internet banking, mobile app security, ATM – POS specific security, server-side malware detection, account takeover and behavior analysis
ANTI-TARGETED ATTACKS PLATFORM
1% BRINGS HIGH RISK AND HIGH LOSSES
Average loss from a single targeted attack*: Enterprises 800K USD, SMBs 84K USD
Threat mix: 70% known threats, 29% unknown threats, 1% advanced targeted attacks (APT)
* Based on Corporate IT Security Risks Survey, 2015, conducted by Kaspersky Lab and B2B International. Indicates an average loss from a single targeted attack, including direct losses and additional spend required to recover from an attack.
TARGETED ATTACK IS NOT A ‘ONE-OFF’ OFFENSIVE: IT’S AN ONGOING PROCESS
PREPARE: • Research target • Create strategy • Build a toolset
INFECT: • Leverage weaknesses • Penetrate the perimeter • Establish links
EXPAND ACCESS: • Obtain credentials • Raise privileges • Move laterally • Take control
EXFILTRATE: • Stay dormant • Extract data • Cover tracks • Leave quietly
THE APT PROCESS MAY TAKE SEVERAL YEARS TO COMPLETE, AND MAY WELL NEVER BE DISCOVERED
HOW TO ADDRESS THE ISSUE OF TARGETED ATTACKS
SMART – PREDICT: • Analyze the potential security gaps • Raise the threat awareness • Implement the right approaches to mitigate potential risk with existing solutions
MULTI-LAYERED – PREVENT: • Mitigate the risks • Adjust countermeasures accordingly • (if not already done) create a dedicated SOC
DRIVEN BY GLOBAL THREAT INTELLIGENCE
VIGILANT – DETECT: • Discover the incident • Track its immediate source • Understand its nature
EFFECTIVE – RESPOND: • Analyze the incident • Take immediate steps to mitigate the consequences
STAGES FOR AN EFFECTIVE PROCESS
• Data Acquisition – Sensors: Network, Web/Proxy, EMail, Endpoint
• Analysis – Processing engines: Targeted Attack Analyzer, Advanced Sandbox, Threat Intelligence (KSN)
• Verdict – Visualization: Security Console, SYSlog, SB activity log, Pcaps, detonated samples
• Response – Security Intelligence Services
PLATFORM ARCHITECTURE
• Sensors (Internet / Network, PC, Laptop, Email Server, Endpoint Sensors): network traffic, suspicious objects, host network activity
• Analysis Center: Advanced Sandbox, Verdicts DB, Incidents, Logs, Incident alerts
• Analyst console, Security Officer, SIEM, SOC / Forensic Team
Flow: Attack vectors → Data Acquisition → Data Analysis → Verdict prioritizing → Response
BUILDING AN ADAPTIVE ENTERPRISE SECURITY STRATEGY
PREDICT – KNOW YOURSELF: • Penetration testing service • Security assessment service • Targeted Attack Discovery Service
PREVENT – TRAIN: • Cybersecurity training; PROTECT: • Kaspersky Lab Enterprise security solutions; EDUCATE: • Cyber-safety Games • Threat simulation
DETECT – EXPERTISE: • Targeted Attack Investigation Training • APT reporting; THREATS LANDSCAPE: • Botnet tracking • Threat data feeds; SOLUTION: • Kaspersky Anti Targeted Attack Platform
RESPOND – REACTION: • Incident response service; INVESTIGATE: • Malware analysis service • Digital forensics services
DDOS MITIGATION AND PROTECTION
NEXT GENERATION DDOS PROTECTION
DDOS ‘SERVICES’ ARE READILY AVAILABLE
$200 – black market cost of a day-long DDoS attack.
Specialized online marketplaces exist where you can buy and sell botnets or individual DDoS attacks.
Would-be DDoS attackers simply pay by PayPal, Bitcoin or credit card and choose desired attack.
If you don’t want to do the dirty work yourself, you can hire someone to perform the service for you, known as a ‘booter.’
KDP | Understanding DDoS – KASPERSKY DDOS PROTECTION
KDP ADVANTAGES
• In-house developed solution: the way the solution works can be changed flexibly and rapidly in response to changes
• Emergency Response Team 24x7: filter rules can be modified individually in real time depending on the current situation
• Protection of resources, not channels: monitoring traffic more thoroughly and repelling even very big and/or sophisticated attacks
• Technology partnership with ISP: filtering most of the traffic on the provider’s side and decreasing the burden of the attack
• KL DDoS Intelligence: our proven threat expertise helps to identify an attack at a very early stage
THREAT AND SECURITY INTELLIGENCE
BUILDING AN EARLY WARNING SYSTEM AGAINST ADVANCED THREATS
INTEGRATE THREAT INTELLIGENCE INTO YOUR INFOSEC FRAMEWORK
Feed your internal systems with external trusted security & threat intelligence.
• ALERTING: External Intelligence Notifications, Global Security Intelligence Feeds, Botnet Tracking, Intelligence Reporting and Early IOC
• SUSPICIOUS ACTIVITY: Global Security Intelligence, Cyber-Threat Analysis & Forensics (Malware Analysis, Digital Forensics, IR, PenTesting, Security Assessment)
• EDUCATION: 1) Malware Analysis and DF, Reverse Engineering; 2) CyberSafety Games
1ST: ALERTING – THREAT INTELLIGENCE
Real-time Notification for External Threats
• Monitor Mobile, Online and Payment Systems for threats targeting the entity or its consumers
• Malware and Cyber-Attacks Tracking & Analysis
• Real-time notification – within 20 minutes
• Notification includes Target System, Attack Description, Attack Distribution, Malware Hash, Attack Rules, C&C …etc
• Two levels: Standard and Premium
APT Reporting & External Threat Reporting
• Identification of Threat Actors
• Third-Party Attacks
• Information Leakage
• Current Attack Status and APT Private Reporting
2ND: EXTERNAL THREAT DATA FEEDS
Feed your existing security controls with external intelligence to add an advanced layer of protection.
SIEM: Qradar, ArcSight, Splunk
Gateways: Firewalls, UTMS ..etc
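An added example of what “feeding” a control with threat data looks like in practice (not code from the presentation or from any vendor feed): a small JSON indicator feed carrying the indicator kinds the slides mention (malware hash, C&C domain, URL) is normalised and matched against proxy and endpoint log lines, the way a SIEM correlation rule would, with a confidence threshold to keep low-quality indicators from paging anyone. The feed format, every indicator value and every log line are constructed for this demo.

```python
import json
import re

# Constructed feed; the schema is invented for the example, not a vendor format.
FEED_JSON = """[
 {"type": "domain", "value": "Update-Check.example", "threat": "demo-botnet-c2", "confidence": 90},
 {"type": "md5", "value": "0123456789ABCDEF0123456789ABCDEF", "threat": "demo-dropper", "confidence": 70},
 {"type": "url", "value": "http://static.example.net/pkg/setup.bin", "threat": "demo-dropper", "confidence": 60}
]"""

# Constructed proxy and endpoint (EDR) log lines; hosts and hashes are fictional.
LOG_LINES = [
    "proxy 10.0.0.5 GET http://www.update-check.example/gate.php 200",
    "proxy 10.0.0.7 GET http://static.example.net/pkg/setup.bin 200",
    "edr 10.0.0.7 created C:\\Users\\a\\setup.bin md5=0123456789abcdef0123456789abcdef",
    "proxy 10.0.0.9 GET http://www.example.org/index.html 200",
]

URL_RE = re.compile(r"https?://\S+")
HOST_RE = re.compile(r"https?://([^/\s:]+)")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")

def load_feed(raw):
    """Index indicators by type, lower-cased so matching is case-insensitive."""
    feed = {"domain": {}, "md5": {}, "url": {}}
    for ind in json.loads(raw):
        feed[ind["type"]][ind["value"].lower().rstrip(".")] = ind
    return feed

def match_line(line, feed):
    """Return (indicator, matched value) pairs found in one log line."""
    low, hits = line.lower(), []
    for url in URL_RE.findall(low):
        if url in feed["url"]:
            hits.append((feed["url"][url], url))
        host = HOST_RE.match(url).group(1)
        labels = host.split(".")
        for i in range(len(labels)):  # a feed domain also covers its subdomains
            if ".".join(labels[i:]) in feed["domain"]:
                hits.append((feed["domain"][".".join(labels[i:])], host))
                break
    for digest in MD5_RE.findall(low):
        if digest in feed["md5"]:
            hits.append((feed["md5"][digest], digest))
    return hits

def scan(lines, feed, min_confidence=0):
    """Alerts as (line index, threat name, matched value), filtered by confidence."""
    return [(i, ind["threat"], val) for i, line in enumerate(lines)
            for ind, val in match_line(line, feed) if ind["confidence"] >= min_confidence]
```

With the default threshold all three indicators fire (the C&C domain via its www subdomain, the download URL, and the file hash on the same host that fetched it); raising min_confidence to 70 drops the low-confidence URL indicator while the other two remain.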
3RD: CYBER SAFETY TRAINING PROGRAM
Cyber Safety Games
• Interactive games that cover 9 cyber security domains in teams’ format
• Impersonate cybercriminals, focus on Dos not Don’ts, play for maximum benefit
• At least 10% of the organization staff
Cyber Safety Culture Assessment
• Assessment for 12 cyber security domains across the organization
• Helps in understanding the gaps and areas of focus in the organization’s culture
• Supporting security teams: posters, email templates, screensaver images
Cyber Safety Online Training Platform
• Online training modules covering 11 different domains
• Skills assessment
• Analytics and reporting
• At least 15% of the organization staff
4TH: SUSPICIOUS ACTIVITY SERVICES
Incident Investigation – The Expert!
• Malware Analysis • Digital Forensics • Incident Response
Is this a single incident or part of a chain?
Targeted Attack Discovery Service – Proactive Response!
Analyze different threat sources and perform tool-aided scanning. Continuous process!
Security Assessment – Penetration Testing
• Internal/External Network • Web • App Assessment
• Telecom-Specific • ICS-Specific • ATM/POS-Specific
ENHANCING SOC OPERATIONS AND CAPABILITIES
• SECURITY EDUCATION: Security Awareness & Fundamentals, Digital Forensics, Malware Analysis & Reverse Engineering, Cyber Safety Games
• INVESTIGATION SERVICES: Digital Forensics, Malware Analysis, APT Discovery and Incident Response
• THREAT INTELLIGENCE: Threat Data Feeds, Botnet Tracking, Intelligence Reporting, Threat Lookup
• SECURITY ASSESSMENT: Pen Testing, Application Security Assessment, Telco-Specific Assessment, Financial-Specific Assessment
PRACTICAL EXAMPLES – SUCCESS STORIES
SUCCESS STORY — INTERPOL
SUCCESS STORY — TELEFONICA
http://www.kaspersky.com/about/news/business/2014/Kaspersky-Lab-and-Telefonica-join-forces-to-improve-cyber-protection-for-European-and-Latin-America-customers
http://www.eurocomms.com/industry-news/49-online-press/9898-telefonica-signs-cyber-security-deal-with-kaspersky-lab
LET’S TALK!
Ghareeb Saad, Senior Security Researcher, Global Research and Analysis Team – [email protected]
Ashraf Abdelazim, Director, Enterprise Business – Emerging Markets – [email protected]
Amr Ismail, Senior Security Consultant, Enterprise Business – [email protected]
Mikhail Nagorny, Head of Security Services, Enterprise Business – [email protected]