INDUSTRY PERSPECTIVE

COUNTERING ADVANCED PERSISTENT THREATS

CYBERSECURITY

By Nicholas Handy

MODERN APTS PRESENT A BUSINESS CHALLENGE

If advanced persistent threats (APTs) have not yet penetrated your systems and data, they will. To counter APTs, organizations require a multidisciplinary defensive posture that delivers continuous intelligence and awareness, responds rapidly to disrupt APTs that have penetrated their systems, and provides a proactive defense that allows them to anticipate and respond to APTs as they rapidly change and evolve.

Modern APTs are sophisticated hacking processes designed to gain unauthorized access to public and private networks without detection. Sponsored by nation-states, organized criminal groups, terror organizations and hacktivists, APTs are well funded, and the adversaries using them are patient and continuously evolve their hacking tactics, tools and techniques until they successfully penetrate the desired systems and data.

The goal of adversaries in using APTs is to gain access to high-value information over an extended period while hiding within normal network traffic. Once the adversary gains a foothold, they can expand across an organization’s infrastructure to introduce further malware attacks. Successful attacks can cause breaches that tarnish an organization’s image, alienate customers as their personal information is compromised, result in the theft of valuable data and intellectual property, and even shut down global networks and supply chains.

The cost of data breaches is growing. According to the Ponemon Institute’s 2015 Cost of Data Breach Study, which surveyed 350 companies in 11 countries, the average total cost of a breach is $3.79 million — a 23 percent jump in the past 2 years. Heavily regulated industries — such as healthcare, education, pharmaceuticals and financial services — face substantially higher data breach costs than other industries. When breaches occur, these industries must spend more to alleviate their customers’ concerns about identity theft and personal records being compromised.
In the era of highly sophisticated APTs, cybersecurity is not just about protecting equipment, people and data: It’s about countering APTs on a global scale to protect both traditional enterprise and cloud-based environments, so that organizations may protect their business.

FROM PERIMETER DEFENSE TO ACTIONABLE INTELLIGENCE

Cloud, social media, smart devices and other technology innovations give organizations new opportunities to collaborate with customers and partners, expand into new markets, and reduce costs. However, they also give today’s determined, well-funded adversaries new avenues to steal intellectual property, wreak havoc on systems through denial-of-service attacks and harm an organization’s reputation. In the past, it was possible to protect against adversaries by locking down networks with perimeter defenses and signature-based tools, such as antivirus, firewalls and intrusion prevention systems.


While malware and intrusion detection systems remain necessary to protect data from a variety of threats, they are no match for today’s APTs. This is because APTs are constantly evolving as they identify and exploit network vulnerabilities. Skilled adversaries work night and day to develop techniques to penetrate each individual organization. For instance, an APT might identify a “zero-day” vulnerability — an unaddressed and previously unknown vulnerability — in antivirus software. The APT would attempt to trick an employee into clicking an infected Web link in a spear-phishing email that would introduce malware onto that employee’s computer. Since the malware is designed to exploit a specific zero-day flaw in the antivirus software, it would evade antivirus detection. The APT adversary then gains remote access to the organization’s network, via the employee’s computer, and is able to move across the enterprise and access servers with highly sensitive data.

APTs demand a shift in defensive thinking. Organizations must move from traditional perimeter defenses, designed solely to keep adversaries out, to strategies that detect when APTs are present and quickly disable them before they can cause harm.

The Evolution of Cybersecurity Programs

Threat Focus: Computer intrusion
  Protection: Network perimeter, firewalls, IDS, proxies, A/V, DHCP, DNS
  Detection Technique: Signature-based

Threat Focus: APT
  Protection: + Internal network, host A/V, OS, application logs, email, net flow
  Detection Technique: + Network anomaly + Security intelligence

Threat Focus: Insider
  Protection: + DLP, DRM, personnel data, data object interaction, non-network data
  Detection Technique: + Data mining, behavioral

(Each stage adds its protections and detection techniques to those of the stage before it, as the "+" signs indicate.)
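The table above contrasts the signature-based detection of the perimeter era with the network-anomaly detection that an APT-focused program adds on top of net-flow data. The following Python example is added here and is not from the paper or from CSC's tooling. It runs both detectors over a constructed set of net-flow records (the hosts, addresses and indicator list are invented) and shows the gap the table describes: a workstation that contacts one external host on a fixed timer matches no indicator, so the signature check is silent, while a regularity check on inter-arrival times flags it.

```python
"""Signature-based vs. anomaly-based detection over constructed net-flow records.

Added example, not from the CSC paper. The indicator list stands in for a
signature feed; the flow records and host names are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed net-flow records: (timestamp in seconds, src host, dst address, bytes out).
FLOWS = [
    # Ordinary browsing from ws-01: irregular timing, varied destinations.
    (0, "ws-01", "198.51.100.10", 4200),
    (37, "ws-01", "198.51.100.22", 1800),
    (95, "ws-01", "203.0.113.5", 9100),
    (260, "ws-01", "198.51.100.10", 3300),
    # ws-02 contacts a destination on the (constructed) indicator list: a signature hit.
    (300, "ws-02", "203.0.113.99", 512),
    # ws-03 contacts one host every 60 s with near-identical payloads. Nothing on the
    # indicator list matches, so only the regularity of the traffic gives it away.
    *[(60 * i, "ws-03", "192.0.2.77", 640) for i in range(1, 11)],
]

# Constructed indicator list standing in for a signature feed.
KNOWN_BAD_DESTINATIONS = {"203.0.113.99"}


def signature_hits(flows):
    """Return sorted (src, dst) pairs whose destination matches a known-bad indicator."""
    return sorted({(src, dst) for _, src, dst, _ in flows if dst in KNOWN_BAD_DESTINATIONS})


def beacon_candidates(flows, min_flows=5, max_interval_cv=0.1):
    """Return (src, dst, mean_interval) for pairs that connect on a near-fixed period.

    The coefficient of variation (stdev / mean) of the gaps between connections is
    the regularity measure: human-driven traffic has a high CV, a timer does not.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    found = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_flows:  # too few connections to judge periodicity
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_interval_cv:
            found.append((src, dst, avg))
    return found


if __name__ == "__main__":
    print("signature hits:", signature_hits(FLOWS))
    print("beacon candidates:", beacon_candidates(FLOWS))
```

The thresholds (at least five connections, gap variation within 10 percent of the mean) are illustrative; in production they would be tuned against a baseline of the organization's own traffic, and beacon candidates would be enriched with the security-intelligence sources the table lists before an analyst acts on them.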

MULTIDISCIPLINARY APPROACH NEEDED

To counter APTs on a global scale, organizations require a multidisciplinary approach that integrates:

• Actionable intelligence and countermeasures generated by monitoring and analysis tools that detect unknown threats
• Rapid incident-response capabilities to isolate and shut down APTs before they can damage the business
• Proactive, ongoing defense techniques to anticipate and guard against rapidly evolving APT tools, tactics and procedures


SECURITY EXPERTS WHO UNDERSTAND YOUR BUSINESS

CSC combines more than 40 years of experience in information security with leading tools and methods to support your security program and protect your operations. Our deep industry knowledge, more than 1,800 security specialists, and our end-to-end solutions for traditional and next-generation technologies enable clients to securely adapt as their businesses and risks change.

[Figure: Tools and Expertise underpin three capabilities: Intelligence & CounterIntelligence, Incident Response and Proactive Defense. All three are needed for a full-featured APT Service.]

INTELLIGENCE AND COUNTERINTELLIGENCE

As organizations embrace a range of mobile, cloud and social media technologies, they are also enlarging their attack surface, giving APT adversaries multiple new opportunities to strike. Signature-based methods often do not detect APTs — since adversaries are successfully penetrating networks — so organizations must expand their intelligence and counterintelligence capabilities to detect and disrupt APTs once they breach systems. This requires a 24x7 monitoring and analysis platform that uses heuristics, behaviors and internal and external sensors to detect even the most nuanced of anomalies. It also requires highly skilled security analysts who can help organizations develop a comprehensive detect-analyze-adapt-respond life cycle based on their unique risk profiles.

Effective APT monitoring extends dynamic protection across a network where traditional antivirus software typically does not reach. By attaining real-time visibility into all adversarial activity across every endpoint, the time between APT compromise and detection can be dramatically shortened.

Flexibility is a key consideration. To manage costs, organizations may consider a service that allows them to purchase targeted APT analysis services ad hoc, quarterly or yearly to determine if and where their environment has been compromised.

INCIDENT RESPONSE

Preparation is the key to responding rapidly and aggressively to APTs. Having in place and executing a plan can make the difference between an organization’s successfully weathering an APT or having it destroy or degrade consumer confidence and share price, or negatively affect compliance with contracts, laws and regulations.

Organizations need trained cybersecurity specialists who can perform internal and external vulnerability assessments. Assessments should cover everything from single systems through entire enterprise systems, and provide services ranging from nonintrusive compliance scans to full-scale penetration tests. These assessments should also identify areas in which organizations are falling short of emerging regulatory compliance. Once all vulnerabilities are understood, organizations should develop comprehensive incident response plans, implement and test those plans, and be prepared to respond to APTs with well-trained responders, investigators and forensic-data collectors.


PROACTIVE DEFENSE

As organizations produce actionable intelligence and respond to incidents, they need to collect this information to understand the nature, motives and patterns of their adversaries. Who are they, and what do they want? What organizational assets are they after? APTs can be tracked by their behavior, methods and tactics. Some leave signatures. Some have well-established profiles that can be mined for information. As knowledge is gained about each APT’s operating style, organizations will improve their ability to predict, anticipate and disrupt future attacks.

In addition to monitoring the threat surface for APT penetration, it is important to have access to a global threat intelligence service. Through spotting and correlating anomalies, organizations gain visibility into breaking events that may impact their industry, brand, infrastructure, users and customers. By understanding the motives of evolving adversaries, organizations also can anticipate their actions and prevent them from causing damage.

ABOUT NICHOLAS HANDY

A senior principal in CSC’s Emerging Business Group, as well as a global offering manager for cybersecurity, Nicholas Handy has more than 16 years of experience in information security, intelligence operations, exploitation and leadership with a variety of private and public organizations (CSC, ManTech, NSA, FBI and U.S. Army). Currently the leader of Global Cybersecurity Offerings for Counter-APT Services, Consulting Security Services and Application Security Services, Handy works closely with CSC’s design and delivery teams to create and implement industry-best security solutions.

CONDUCT BUSINESS WITH CONFIDENCE

Cybersecurity is no longer a mere compliance matter or the “cost of doing business.” It has become a primary business challenge organizations must address. To properly counter APTs, organizations need a next-generation approach that continually integrates threat-intelligence-based security services to track threat actors and groups and determine their tactics, techniques and procedures so infrastructure and sensitive data can be properly secured. When organizations incorporate an effective counter-APT approach into their cybersecurity program, they’ll be able to conduct business with confidence and assurance that their brand, shareholder value and business are resistant to rapidly emerging APTs.

Learn more at csc.com/cybersecurity.

Regional CSC Headquarters

The Americas: 3170 Fairview Park Drive, Falls Church, Virginia 22042, United States, +1.703.876.1000
Australia: 26 Talavera Road, Macquarie Park, NSW 2113, Australia, +61(2)9034.3000
Nordic and Baltic Region: Retortvej 8, DK-2500 Valby, Denmark, +45.36.14.4000
Asia, Middle East, Africa: Level 9, UE BizHub East, 6 Changi Business Park Avenue 1, Singapore 468017, Republic of Singapore, +65.6809.9000
Central and Eastern Europe: Abraham-Lincoln-Park 1, 65189 Wiesbaden, Germany, +49.611.1420
South and West Europe: Immeuble Balzac, 10 place des Vosges, 92072 Paris la Défense Cedex, France, +33.1.55.707070
UK, Ireland and Netherlands: Floor 4, One Pancras Square, London N1C 4AG, United Kingdom, +44.20.3696.3000

© 2015 Computer Sciences Corporation. All rights reserved. MD_8296a-16 11/2015