1. IBM redefines its strategy and approach towards Advanced Persistent Threats (APT)
Webinar - 28 January 2016
Luigi Del Grosso, Endpoint & Threat
Fabrizio Patriarca, Security Architect
Should the web streaming connection not work correctly, use the following traditional telephone dial-in numbers: 800-975100, 02-00621263 - Meeting 80326520
IBM Security
© 2015 IBM Corporation
2. APT and Targeted Attack Methods Evolve Quickly
1. Advanced evasive malware bypasses security controls
2. Credentials are exposed through phishing and 3rd party breach
3. Compromised endpoints and stolen credentials enable access to enterprise networks, systems and data
Despite existing controls, employee endpoints are compromised and are used as pivot points into the enterprise network.
Diagram (attack stages): Compromised Credentials; Vulnerability Exploit; Malware Infection; Malicious Activity / Data Access; Malicious Communication.
Headline: "A $1Billion APT Attack – Carbanak May Just Be the Biggest Cyber Heist Ever"
3. Criminals attack the weak link
Diagram: the direct path from cyber criminals to customer data and intellectual property is difficult; the path through employees, contractors and partners is easy, and from them to the data is easy again.
4. APTs and Targeted Attacks
Diagram (attack vectors): spear phishing with a weaponized attachment or a malicious link; watering hole attack via a compromised site; exploit site leading to malware infection; phishing site leading to credentials theft; exploit; data exfiltration.
1:500 PCs infected with Advanced Evasive APT malware! (IBM Trusteer Research)
5. IBM Security Trusteer Apex Advanced Malware Protection
Preemptive, multi-layered protection against advanced malware and credentials theft
• Effective Real-Time Protection: using multiple layers of defense to break the threat lifecycle
• Security Analysis and Management Services: provided by IBM Trusteer security experts
• Zero-day Threat Protection: leveraging a positive behavior-based model of trusted application execution
6. Dynamic intelligence
Crowd-sourced expertise in threat research and dynamic intelligence
Global Threat Research and Intelligence
• Combines the renowned expertise of X-Force with Trusteer malware research
• Catalog of 70K+ vulnerabilities, 17B+ web pages, and data from 100M+ endpoints
• Intelligence databases dynamically updated on a minute-by-minute basis
• NEW: Real-time sharing of Trusteer intelligence
Research areas: Threat Intelligence, Malware Analysis, Exploit Research, Exploit Triage, Malware Tracking, Zero-day Research
7. Apex multi-layered defense architecture
Threat and Risk Reporting: Vulnerability Mapping and Critical Event Reporting; Advanced Threat Analysis and Turnkey Service
Global Threat Research and Intelligence: global threat intelligence delivered in near-real time from the cloud
Defense layers:
• Credential Protection: alert and prevent phishing and reuse on non-corporate sites
• Exploit Chain Disruption: prevent infections via exploits; zero-day defense by controlling the exploit-chain choke point
• Advanced Malware Detection and Mitigation: mitigates mass-distributed advanced malware infections; cloud based file inspection for legacy threats
• Malicious Communication Prevention: block malware communication; disrupt C&C control; prevent data exfiltration
• Lockdown for Java: prevent high-risk actions by malicious Java applications
8. Breaking the Threat LifeCycle
Diagram (attack progression, left to right): Pre-exploit → Exploit (delivery of weaponized content; exploitation of app vulnerability) → Malware delivery; malware persistency; execution and malicious access to content → Establish communication channels → Data exfiltration
9. Breaking the Threat LifeCycle: number of types per attack stage
Same lifecycle diagram as slide 8, with the number of distinct types to defend against at each stage and the traditional control that addresses it:
• Weaponized content (IPS, sandbox): endless
• Unpatched and zero-day vulnerabilities (patching): many
• Malicious files (antivirus, whitelisting): endless
• Malicious behavior activities (HIPs): many
• Destinations (C&C traffic detection): endless
10. Breaking the Threat LifeCycle: strategic chokepoints
Same diagram as slide 9, marking three strategic chokepoints in the attack progression: Exploit Chain Disruption, Lockdown for Java and Malicious Communication Blocking.
11. Breaking the Threat LifeCycle: Apex coverage
Same diagram as slide 10, adding the remaining Apex layers alongside the three chokepoints: Advanced Malware Prevention, Endpoint Vulnerability Reporting and Credential Protection.
12. Exploit chain disruption
Disrupt zero day attacks without prior knowledge of the exploit or vulnerability
• Correlate application state with post-exploit actions
• Apply allow / block controls across the exploit chain
Diagram: application states are evaluated and yield indicators; post-exploit actions that mark exploit propagation (write files, breach other programs, alter registry, other breach methods) are monitored.
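The state-correlation idea on this slide, as an added illustration that is not Trusteer code: a viewer or browser that is rendering untrusted content is held to a stricter policy than the same application handling a local file, so propagation actions are blocked in that state without any signature for the exploit or the vulnerability. The event names, source names and action list are assumptions.

```python
"""Added example (not Trusteer code): correlating application state with
post-exploit actions. A document viewer or browser that is rendering untrusted
content has no legitimate reason to drop an executable, alter an autorun key or
inject into another process, so those actions are blocked in that state without
any signature for the exploit or the vulnerability. Names and the action list
are assumptions for this illustration."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Post-exploit actions that mark exploit propagation (constructed list, mirroring
# the slide: write files, breach other programs, alter registry, other methods).
PROPAGATION_ACTIONS = {"write_executable", "inject_process", "alter_run_key", "spawn_shell"}
UNTRUSTED_SOURCES = {"email_attachment", "web_download"}

@dataclass
class AppState:
    name: str
    rendering_untrusted: bool = False   # set while handling non-local content
    blocked: List[str] = field(default_factory=list)

def apply_event(state: AppState, event: Tuple[str, str]) -> str:
    """Apply one (kind, detail) event and return the control decision.

    ("open", source): enter or leave the untrusted-content state.
    ("action", name): allow, or block if it is a propagation action taken
                      while the application state is untrusted."""
    kind, detail = event
    if kind == "open":
        state.rendering_untrusted = detail in UNTRUSTED_SOURCES
        return "allow"
    if detail in PROPAGATION_ACTIONS and state.rendering_untrusted:
        state.blocked.append(detail)
        return "block"
    return "allow"

def run_trace(name: str, events: List[Tuple[str, str]]) -> List[str]:
    """Replay a constructed event trace for one application; return decisions."""
    state = AppState(name)
    return [apply_event(state, e) for e in events]

# Constructed traces: a viewer opens a mailed document and the exploit tries to
# drop and run a payload; the same viewer editing a local file and registering
# an autorun entry the user asked for is ordinary behaviour and passes.
EXPLOIT_TRACE = [("open", "email_attachment"), ("action", "write_document"),
                 ("action", "write_executable"), ("action", "spawn_shell")]
BENIGN_TRACE = [("open", "local_file"), ("action", "write_document"),
                ("action", "alter_run_key")]

if __name__ == "__main__":
    print(run_trace("viewer", EXPLOIT_TRACE))   # ['allow', 'allow', 'block', 'block']
    print(run_trace("viewer", BENIGN_TRACE))    # ['allow', 'allow', 'allow']
```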
13. Lockdown for Java
Monitor and control high risk Java application actions
• Malicious activity is blocked while legitimate Java applications are allowed
• Trust for specific Java apps is granted by Trusteer / IT administrator
Diagram (monitor and control high-risk activities):
• Low-risk activities (e.g., display, local calculation) are allowed for trusted and untrusted apps
• High-risk activities (e.g., write to file system, registry change) are monitored and controlled: allowed for trusted apps, restricted for untrusted apps
• A malicious (rogue) Java app that bypasses Java's internal controls is blocked
14. Malicious communication blocking
Block suspicious executables that attempt to compromise other applications or open malicious communication channels
1. Assess process trust level
2. Identify process breach
3. Allow / block external communication
Diagram: an executable arrives by direct user download or as a pre-existing infection; its trust level is assessed; an application breach is identified where a zombie process is used as a communication pass-through, as opposed to direct communication; communication to the external network is then allowed or blocked, whether the destination is a malicious site or a legitimate site used as C&C.
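The three steps on this slide worked through on a constructed process table, as an added example that is not Trusteer code. The decision is driven by process trust and breach state rather than by destination reputation, which is what lets a legitimate site used as C&C be blocked; the origin categories and the internal subnets are assumptions.

```python
"""Added example (not Trusteer code): assess trust, identify breach, then
allow/block external communication. Trust comes from how the executable arrived
on the endpoint; a breach is an untrusted process that injected into a trusted
one and uses it as a pass-through (the 'zombie process'); the connection is
decided by process trust, not destination reputation. Names are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set, Tuple

# Constructed corporate address space; traffic staying inside it is out of scope.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

@dataclass
class Process:
    pid: int
    name: str
    origin: str                         # "it_deployed" | "user_download" | "pre_existing"
    injected_into: Set[int] = field(default_factory=set)  # pids it wrote code into

def trust_level(p: Process) -> str:
    """Step 1: only software deployed by IT starts out trusted."""
    return "trusted" if p.origin == "it_deployed" else "untrusted"

def breached_by(target: Process, table: Dict[int, Process]) -> Optional[Process]:
    """Step 2: find an untrusted process that injected into this one."""
    for p in table.values():
        if target.pid in p.injected_into and trust_level(p) == "untrusted":
            return p
    return None

def decide_connection(pid: int, dst_ip: str, table: Dict[int, Process]) -> Tuple[str, str]:
    """Step 3: allow/block an external connection opened by process `pid`."""
    if any(ip_address(dst_ip) in net for net in INTERNAL_NETS):
        return "allow", "internal destination, out of scope"
    proc = table[pid]
    if trust_level(proc) == "untrusted":
        return "block", f"direct: untrusted {proc.name}"
    attacker = breached_by(proc, table)
    if attacker is not None:
        return "block", f"pass-through: {attacker.name} breached {proc.name}"
    return "allow", f"trusted: {proc.name}"

# Constructed process table: an IT-deployed browser, a user-downloaded 'updater'
# that injected into the browser, a pre-existing infection and a clean mail client.
PROCESSES = {
    100: Process(100, "browser.exe", "it_deployed"),
    200: Process(200, "updater.exe", "user_download", injected_into={100}),
    300: Process(300, "svchost_fake.exe", "pre_existing"),
    400: Process(400, "mail.exe", "it_deployed"),
}

if __name__ == "__main__":
    for pid in (100, 200, 300, 400):          # 203.0.113.10 is a constructed external address
        print(pid, decide_connection(pid, "203.0.113.10", PROCESSES))
```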
15. Corporate Credentials Protection
• Detect submission
• Validate destination
Diagram: when the user enters a password and submits it, Apex detects the submission and validates the destination. Submission to an authorized site (the legitimate corporate site) is allowed; submission to a phishing site is credential theft via phishing; submission to an unauthorized legitimate site is corporate credential reuse.
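The detect-and-validate check from this slide, as an added example that is not Trusteer code: the guard keeps only a salted PBKDF2 fingerprint of the corporate password, recognises a submission of that password, and then classifies the form's destination as authorized, a known phishing host, or an unauthorized legitimate site (credential reuse). The hosts, salt and password are constructed.

```python
"""Added example (not Trusteer code): detect a corporate-password submission and
validate the destination. A salted PBKDF2 fingerprint stands in for the password
itself; what the user submits is fingerprinted and compared, and on a match the
destination host is classified. Hosts, salt and password are constructed."""
import hashlib
import hmac
from typing import Iterable
from urllib.parse import urlsplit

def fingerprint(password: str, salt: bytes) -> bytes:
    # Slow salted hash: a leaked fingerprint does not hand over the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

class CredentialGuard:
    def __init__(self, corporate_password: str, authorized_hosts: Iterable[str],
                 phishing_hosts: Iterable[str], salt: bytes):
        self.salt = salt
        self.fp = fingerprint(corporate_password, salt)
        self.authorized = {h.lower() for h in authorized_hosts}
        self.phishing = {h.lower() for h in phishing_hosts}

    def is_corporate(self, submitted: str) -> bool:
        """Detect submission: constant-time compare of fingerprints."""
        return hmac.compare_digest(self.fp, fingerprint(submitted, self.salt))

    def is_authorized(self, host: str) -> bool:
        # Exact match or a real subdomain; "example.com.evil.test" must not pass.
        return host in self.authorized or any(host.endswith("." + a) for a in self.authorized)

    def check_submission(self, action_url: str, submitted: str) -> str:
        """Validate destination of a form post carrying the corporate password."""
        if not self.is_corporate(submitted):
            return "ignore"                     # not the corporate credential
        host = (urlsplit(action_url).hostname or "").lower()
        if self.is_authorized(host):
            return "allow"
        if host in self.phishing:
            return "block:phishing"
        return "alert:reuse"                    # legitimate but unauthorized site

# Constructed policy: one corporate SSO domain and one known lookalike host.
GUARD = CredentialGuard("Corp-Pass-2016!", ["example.com"],
                        ["example.com.evil.test"], salt=b"constructed-salt")

if __name__ == "__main__":
    for url in ("https://sso.example.com/login", "https://example.com.evil.test/login",
                "https://forum.example.net/login"):
        print(url, GUARD.check_submission(url, "Corp-Pass-2016!"))
```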
16. Threat and risk reporting, vulnerability mapping and critical event reporting
Identify risks from vulnerabilities and user behavior, help ensure compliance
• Vulnerability reports: detailed reporting to visualize and understand which endpoints and apps are vulnerable to exploits
• Corporate credential reports: reporting on which users are re-using credentials and out of security policy guidelines
• Incident reports: reporting on security incidents – exploits, suspicious communication, infections
17. IBM is uniquely positioned to offer integrated protection
A dynamic, integrated system to disrupt the lifecycle of advanced attacks and prevent loss
Products shown: IBM X-Force Threat Intelligence, Trusteer Apex Endpoint Malware Protection, IBM Security Network Protection XGS, IBM Security QRadar Security Intelligence, IBM Security QRadar Incident Forensics, IBM Guardium Data Activity Monitoring, IBM Endpoint Manager, IBM Emergency Response Services, Ready for IBM Security Intelligence Ecosystem
Global Threat Intelligence
• Leverage threat intelligence from multiple expert sources
Smarter Prevention
• Prevent malware installation and disrupt malware communications
• Prevent remote network exploits and limit the use of risky web applications
• Discover and prioritize vulnerabilities
• Automate and manage continuous security configuration policy compliance (IBM Endpoint Manager)
Security Intelligence
• Correlate enterprise-wide threats and detect suspicious behavior
• Retrace full attack activity, search for breach indicators and guide defense hardening
Continuous Response
• Assess impact and plan strategically and leverage experts to analyze data and contain threats
Open Integrations
• Share security context across multiple products
• 100+ vendors, 400+ products
18. Apex integration with the customer SIEM
The integration enables organizations to gain full end-to-end visibility into targeted attacks, consolidating security event information from targeted endpoints with data gathered from multiple enterprise security controls.
• Correlate endpoint security events with multiple enterprise events for end-to-end visibility
• Automate endpoint security event notification and response
• Integrate with enterprise security controls for wide-spread protection
• Enable integration with additional log management/SIEM solutions that support generic Syslog messages
19. IBM Trusteer Apex and IBM BigFix
Extend BigFix ROI by stopping exploits before patches are available
• Continuously monitor and protect endpoints
  – Enforce secure configurations
  – Deploy security patches
  – Detect and mitigate advanced malware infections
• Effectively respond to security incidents
Create the most robust enterprise endpoint security solution available!
Diagram (IBM Trusteer Apex and IBM BigFix cycle): Apex continuously protects in the window between threat and fix; Apex identifies and mitigates malware infections in real-time and stops zero-day exploits; BigFix Incident Response quarantines infected machines; BigFix enforces secure configurations; Maintenance Patch: BigFix ensures it is quickly deployed on all endpoints; Unscheduled Patch: BigFix ensures it is quickly deployed on all endpoints; everyone goes back to work on higher value projects.
20. Why Apex
Apex is redefining endpoint protection against advanced threats with a holistic approach
• Advanced Multi-Layered Defense: credential protection; exploit chain disruption; malware detection and mitigation; Lockdown for Java; malicious communication blocking
• Low Operational Impact: low impact to IT security team; low-footprint threat prevention; exceptional turnkey service
• Dynamic Intelligence: combines the renowned expertise of X-Force with Trusteer malware research; 100,000,000+ endpoints collecting intelligence; protection dynamically updated near real-time
21. www.ibm.com/security
IBM Internal and Business Partner Use Only
Speaker notes
Despite existing controls, employee endpoints are compromised and are used as pivot points into the enterprise network.
The methods used in APTs and targeted attacks constantly evolve:
• New evasive malware designed to bypass security controls
• Credentials exposed through sophisticated phishing schemes and 3rd party breach
• Compromised endpoints and stolen credentials enable access to networks, systems and data.
Examples of recent events in the news: Sony breach, JPMorgan Chase and the Carbanak APT attack – all these examples involve compromised credentials and advanced malware.
APTs and targeted attacks are currently the biggest concern of enterprise organizations. This slide explains how these attacks unfold:
The attacker can use a spear-phishing email to send an employee a weaponized document (i.e. one that contains hidden exploit code). When the user opens the document with a viewer (Adobe Acrobat, MS-Word, MS-Excel, etc.) the exploit code executes and exploits an application vulnerability to silently download malware onto the employee machine. The employee is never aware of this download.
Another option is to send a user a link to a malicious site. It can be an exploit site: a malicious website that contains exploit code, or a legitimate website that was compromised (watering hole attack). When the employee clicks on the link and the browser renders the HTML content, the exploit code executes and exploits a browser (or browser plug-in) vulnerability to silently download malware onto the employee machine.
The link can also direct the user to a phishing site (a fake web app login page) that tries to convince the user to submit his/her corporate credentials.
Once the attacker has infected the machine with advanced malware, or compromised corporate credentials, the attacker has a foothold within the corporate network and can advance the attack.
In blue are 5 attack case studies – each bubble leads to a relevant slide.