Global APT Defense Summit Los Angeles
Matthew Rosenquist | Intel Corp
Understanding APT Threat Agent
Characteristics is Key to Prioritizing Risks
February 25, 2015 – Los Angeles, California
Global APT Defense Summit New York #APTSummit2
Agenda
1. The problems with vulnerability based security strategies
2. Threat Agents are the genesis of risks
3. Intersecting the most likely attacks is key
4. APTs present a special case: directed attacks
5. APTs' use of Open Source Intelligence (OSINT)
6. Inclusion of Threat Agent Aspects into the Risk Picture
7. Prioritizing your most important exposures
About the Speaker
Matthew Rosenquist
Cybersecurity Strategist, Intel Corp
Matthew Rosenquist is passionate about cybersecurity! Benefiting from 20 years of
experience, he thrives at establishing strategic organizations and capabilities which
deliver cost-effective security. His role is to champion the meaningfulness
of security, advise on emerging opportunities and threats, and advocate an optimal
balance of cost, controls, and productivity throughout the industry.
Mr. Rosenquist built and managed Intel’s first global 24x7 SOC, oversaw internal
platform security products and services, was the first Incident Commander for Intel’s
worldwide IT crisis team, and managed security for Intel’s multi-billion-dollar worldwide
M&A activities. He has conducted investigations, defended corporate assets,
established policies, developed strategies to protect Intel’s global manufacturing, and
owned the security playbook for the PC strategic planning group. Most recently,
Matthew worked to identify the synergies of Intel and McAfee as part of the creation of
the Intel Security Group, one of the largest security product organizations in the world.
History is Enlightening
“He who defends everything, defends nothing”
– Frederick the Great
Problems with vulnerability based strategies
Vulnerabilities Exist Everywhere
• Never ending battle, not sustainable
• ‘Vulnerability’ is relative to the threat
• Not efficient on resources
How can we improve defenses?
The Impossible Challenge:
• Identify ALL vulnerabilities
• Close them before they are exploited
• Do it continuously, forever
• For all technology and users
History is Enlightening
“Know your enemy and know yourself and you can fight
a thousand battles without disaster”
– Sun Tzu
Threat Agents are the Genesis of Risks
• Threat Agent archetypes are collective
descriptions of attackers, representing
similar risk profiles
• Intelligent attackers whose Motivations
drive their Objectives
• Attributes such as skills, access, and
resources define their most likely Methods
• Not all archetypes represent a significant
threat to every organization
• Knowing your opposition is very valuable
Organized Criminals
Motivation: Personal Financial Gain
Objectives: Theft of digital assets,
including money & valuables
Methods:
• Compromise payment systems
• Access to financial assets
• Copying IP or resalable data
• Digital ransom (data or access)
• Fraudulent use of digital assets
Attributes: External Threat, Tech Skilled; Indirect Attacks / Direct Attacks
Nation-State Cyberwarrior
Motivation: Personal Financial Gain
Objectives: Theft of digital assets,
including money & valuables
Methods:
• Compromise payment systems
• Access to financial assets
• Copying IP or resalable data
• Digital ransom (data or access)
• Fraudulent use of digital assets
Attributes: External Threat, Tech Skilled; Indirect Attacks / Direct Attacks
Digital Thief
Motivation: Personal Financial Gain
Objectives: Theft of digital assets,
including money & valuables
Methods:
• Compromise payment systems
• Access to financial assets
• Copying IP or resalable data
• Digital ransom (data or access)
• Fraudulent use of digital assets
Attributes: External Threat, Tech Skilled; Indirect Attacks / Direct Attacks
Intersecting the Most Likely Attacks is Key
[Venn diagram: three overlapping circles labeled Threat Agents, Attacker Objectives, and Attack Methods]
– All possible Threats, Objectives, and Methods
– Highest risk Threats, Objectives, and Methods (the intersection of the three)
– Vulnerabilities without Controls for these attacks are likely Exposures
– Areas of highest Exposure
– Optimizing security resources
Targeting Victims…
“Two types of victims exist...
Those with something of value, and those who are easy
targets.
…therefore, don't be an easy target, and protect your
valuables.”
APTs Present a Special Case
• Indirect Attacks
– Seek easy targets based upon vulnerability
– Use methods suited to widespread attacks against any victim
– “Spray and pray” mentality
– Seek to satisfy objectives through whichever target is easiest
• Direct Attacks – APTs
– Target is selected based upon motivation and objectives
– Easiest path for that target is determined
– “Stalk and sniper” mentality
– Attacks against the target continue until objectives are met
Sample lures from the slide (indirect and direct):
“CONGRATULATIONS, YOU ARE A WINNER OF THE INTERGALACTIC LOTTERY! CLICK ON THE LINK TO RECEIVE YOUR $5 MILLION DOLLAR PRIZE…”
“Mike, What a game last night! Glad your son Roger hit that home run! I took this video of his grand slam in the 6th inning. Click this link and check it out! See you at work tomorrow. - Sam”
Phases of a Social Engineering Attack
Source: Hacking the Human Operating System
APTs’ use of Open Source Intelligence (OSINT)
APTs stalk their prey using OSINT
– OSINT is the legal gathering of data without touching the target
– Advanced attackers are seeking the path of least resistance
– Understanding their target helps determine the method of attack
– Reconnaissance of a target begins early
– Search engines, social media, job boards, news stories, investor data,
company profiles, suppliers, domain and network ownership
– A wealth of information can be found…in as little as 20 minutes
Recommendation: understand what the world can determine about you
Open Source Intelligence (OSINT)
What could be learned
• Names and details of employees
& corporate officers
• Projects & reporting structure
• Roles and relationships
• Physical and logical locations
• HW, OS and Apps in use
• Security controls
• Trusted Vendors
How it could be used
• Phishing, spear-phishing
• Confidence scams/schemes
• Network & system targeting
• Software vulnerabilities
• Targeting security gaps
• Vendor impersonation/compromise
• Targeted malware
• Custom extortion & manipulation
Inclusion of Threat Agent Aspects into the Risk Picture
• Tools and process
form a sustainable
security capability
• Prediction of threats
feeds intelligent
decisions
• Smart security is the
key to success
Strategic Cybersecurity Capability Process
Prediction
– Predict the most likely attacks, targets, and methods
– Proactive measures to identify attackers, their objectives and methods prior to materialization of viable attacks.
Prevention
– Prevent or deter attacks so no loss is experienced
– Secure the computing environment with current tools, patches, updates, and best-known methods in a timely manner. Educating and reinforcing good user behaviors.
Detection
– Identify attacks not prevented to allow for rapid and thorough response
– Monitor key areas and activities for attacks which evade prevention. Identifies issues, breaches, and attacks
Response
– Rapidly address incidents to minimize losses and return to a normal state
– Efficient management of efforts to contain, repair, and recover as needed, returning the environment to normal operations
Prioritizing your Most Important Exposures
• Understand the capabilities, methods, & objectives of your APT threats
• Combine threat characteristics with vulnerability analysis to find the
weak areas in your organization most likely to be exploited
• Counter these threats with proper
allocation of resources
Threat prediction can improve Prevention, Detection, and Response
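The deck describes threat-agent archetypes (Motivation, Objectives, Methods, attributes such as skills and resources), the intersection of agents, objectives and methods with uncontrolled vulnerabilities as the area of highest exposure, the split between "spray and pray" indirect attackers and "stalk and sniper" direct attackers, and the closing advice to combine threat characteristics with vulnerability analysis. The script below is an added example that turns that reasoning into a small ranking model; it is not the speaker's or Intel's code, and every archetype weight, vulnerability, control and attack-method name in it is constructed sample data, not figures from the talk.

```python
"""Threat-agent-driven exposure ranking (added example, not from the deck)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatAgent:
    """An archetype in the deck's vocabulary: Motivation drives Objectives,
    and attributes (skills, access, resources) drive the likely Methods."""
    name: str
    motivation: str
    objectives: tuple[str, ...]
    methods: tuple[str, ...]
    relevance: float   # 0..1: how likely this archetype targets *this* organization
    capability: float  # 0..1: skills, access and resources collapsed to one weight
    directed: bool     # True = "stalk and sniper" (APT), False = "spray and pray"


@dataclass(frozen=True)
class Vulnerability:
    ident: str
    asset: str
    asset_value: float               # 0..1: impact if the asset is compromised
    ease: float                      # 0..1: how easy the weakness is to exploit
    exploitable_by: tuple[str, ...]  # attack methods that can use this weakness


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: tuple[str, ...]  # attack methods the control counters
    covers: tuple[str, ...]     # vulnerability idents the control applies to


@dataclass
class Exposure:
    vulnerability: Vulnerability
    score: float
    drivers: list[tuple[str, str, float]]  # (agent, method, contribution)


def is_controlled(vuln: Vulnerability, method: str, controls: list[Control]) -> bool:
    """True when some control both covers this vulnerability and mitigates the method."""
    return any(vuln.ident in c.covers and method in c.mitigates for c in controls)


def rank_exposures(agents: list[ThreatAgent], vulns: list[Vulnerability],
                   controls: list[Control]) -> list[Exposure]:
    """Score each vulnerability by the relevant agents whose methods it serves and
    that no control counters; rank highest exposure first."""
    exposures: list[Exposure] = []
    for vuln in vulns:
        drivers: list[tuple[str, str, float]] = []
        for agent in agents:
            if agent.relevance <= 0:
                continue  # archetype is not a significant threat to this organization
            for method in agent.methods:
                if method not in vuln.exploitable_by:
                    continue  # the weakness does not serve this agent's methods
                if is_controlled(vuln, method, controls):
                    continue  # a controlled vulnerability is not an exposure
                # A direct attacker picks the target by value and keeps at it, so
                # ease does not lower its likelihood; an indirect attacker moves on
                # unless the target is easy.
                ease = 1.0 if agent.directed else vuln.ease
                contribution = agent.relevance * agent.capability * ease * vuln.asset_value
                drivers.append((agent.name, method, contribution))
        exposures.append(Exposure(vuln, sum(c for _, _, c in drivers), drivers))
    exposures.sort(key=lambda e: e.score, reverse=True)
    return exposures


# Constructed sample data: weights, weaknesses and controls are illustrative only.
AGENTS = [
    ThreatAgent("Organized Criminals", "Personal financial gain", ("theft of digital assets",),
                ("compromise payment systems", "digital ransom", "copy resalable data"),
                relevance=0.9, capability=0.7, directed=False),
    ThreatAgent("Nation-State Cyberwarrior", "Strategic advantage", ("theft of intellectual property",),
                ("copy IP", "vendor impersonation"), relevance=0.3, capability=0.95, directed=True),
    ThreatAgent("Digital Thief", "Personal financial gain", ("theft of digital assets",),
                ("fraudulent use of digital assets", "copy resalable data"),
                relevance=0.6, capability=0.4, directed=False),
]
VULNERABILITIES = [
    Vulnerability("V1", "payment gateway", 0.9, 0.6, ("compromise payment systems",)),
    Vulnerability("V2", "design file share", 0.8, 0.7, ("copy IP", "copy resalable data", "digital ransom")),
    Vulnerability("V3", "contractor VPN accounts", 0.5, 0.5, ("vendor impersonation", "fraudulent use of digital assets")),
    Vulnerability("V4", "public test server", 0.1, 0.95, ("digital ransom", "copy resalable data")),
]
CONTROLS = [
    Control("offline backups", mitigates=("digital ransom",), covers=("V2", "V4")),
    Control("payment network segmentation", mitigates=("compromise payment systems",), covers=("V1",)),
]

if __name__ == "__main__":
    for exp in rank_exposures(AGENTS, VULNERABILITIES, CONTROLS):
        print(f"{exp.vulnerability.ident} {exp.vulnerability.asset:24s} score={exp.score:.3f}")
        for agent, method, contribution in exp.drivers:
            print(f"    {agent} via '{method}': {contribution:.3f}")
```

With the sample data, the payment gateway weakness ranks last despite the most valuable asset, because the one method that can use it is already countered by a control covering that system; the file share ranks first because three relevant archetypes share an uncontrolled method against it. The `drivers` list is the part a practitioner actually wants: it names which archetype and which method produce each exposure, which is what decides where the next control or detection effort goes.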