STALKING THE KILL CHAIN
RSA FirstWatch℠ Research Note


White Paper
INTRODUCTION
Shady Rat, Aurora, Poison Ivy, ZeuS, SpyEye, Ice IX, Stuxnet and Flame. This strange
combination of terms may have no immediate relation to the layman, but for those
involved in computer security and incident response, they speak of events that have
sparked press coverage, executive interest and late nights.

Admittedly, the information security threat landscape has drastically changed over the
past decade. What was once the realm of tricksters and troublemakers has become the
operational environment of professional hackers, nation-state sponsored teams,
hacktivists and organized crime. Each threat group seeks to penetrate organizations of
interest to accomplish targeted objectives, often with an intellectual approach and
backed with plenty of resources. Their overall objectives can be focused into four
primary areas:

- Theft of Intellectual Property [i]
- Theft of Financial Data [ii]
- Denial of Service [iii]
- Technology-based influence causing physical results [iv]

Among these objectives, a vital and persistent theme is the use of malicious software
and related network infrastructure to allow stealthy, anonymous remote manipulation
and control of compromised systems without an onsite presence at the target location.
This foothold is typically followed by “going quiet”, with the attacker using valid
credentials and remote access systems to traverse the network.

In this whitepaper, we will approach the threat landscape from a holistic viewpoint and
identify strategies and techniques to establish a good defense. We will discuss the
concept of a “kill chain” and identify key indicators for attack events with a focus on
network analysis within the context of the RSA NetWitness framework.




POSITION BEFORE SUBMISSION
In Brazilian Jiu Jitsu (BJJ), a modern martial art focused on ground fighting, a common
theme among practitioners is the concept of “position before submission”. In other
words, the fighter seeks to establish physical and positional dominance before ending
the fight with an attack resulting in submission. Embracing the concept allows the
fighter to increase his chances of winning the confrontation by making sure he is in
control of the situation prior to attempting a fight-ending attack. BJJ’s philosophical
approach has direct relevance to cyber security as the same approach can be taken to
establish a more proactive defense based on threat intelligence and network-wide
visibility. The notion of establishing an “active defense” can be approached using the
following guiding principles:

- Know your enemy
- Know your network
- Know your people


Know Your Enemy
“Advanced Persistent Threat” (APT) has been spoken of over the past few years both as
a descriptive term for a class of attacker and as an industry buzzword to describe the
effectiveness of a particular product (“Our [insert device here] stops APTs!”). While this
term is most commonly applied to nation-states, the idea of an “advanced threat” can
be applied almost across the board in today’s threat landscape. Whether nation-state
attackers, cybercriminals or hacktivists, all use similar tactics to penetrate a
target organization.


Advanced – All modern threats use advanced, blended attacks. This may include
targeting specific individuals or organizations with directed email attacks (spear
phishing), hacking websites to serve malware from a “known good” or at least “not
known bad” location, or using newly discovered zero-day attacks to increase the chances
of a successful exploitation. Once entrenched, the attacker may then use encryption or
other obfuscation techniques to further mask their presence and intentions.

Persistent – Threat actors understand that repeated and coordinated attacks are likely
to yield a penetration eventually. In the nation-state example, this may mean repeatedly
attacking a “target list” with spear-phishing until someone “takes the bait”, but it can
also mean watching for defender activity during a penetration operation and
changing tactics as defenders respond, allowing continuous presence in the network. On
the cybercrime side, this becomes large-scale, persistent modification of
infrastructure, malware and domain names to allow continued operation through the ebb
and flow of defender activity.

Threat – Ultimately, for an event to be considered a “threat” it must meet a set of
criteria.

Intent + Opportunity + Capability = Threat

Lacking any one of these criteria negates the threat, for example:

Attacker A wants to attack organization B with a PDF-based spear-phishing attack
against an HR manager. The attacker is using a known and reliable PDF exploit in Adobe
Reader, has a “builder” that builds an attack PDF in a way that makes it undetectable by
antivirus, and has the name of an HR manager that is responsible for hiring database
developers. Organization B has a patching policy for Adobe Reader, and all
organizational workstations are up to the current patch level.

In this scenario, the attacker has the intent to attack, the capability with his attack PDF
to compromise a workstation, and a target for the attack via the HR manager. He
doesn’t, however, have the opportunity in this case, because the target workstation is
patched and non-vulnerable to his attack. In this case, there is no threat because of
the lack of opportunity provided by the patched PDF reader.

While real-life scenarios are seldom this simple, this example illustrates the kinds of things
you might want to know about how common attackers operate in order to intelligently
defend your network:

- What are the common threat vectors (e.g., spear-phishing)?
- What exploits are commonly used? (Exploit kits target A, B and C vulnerabilities; spear-phishing attacks are often launched using PDF and Microsoft Office exploits.)

Attacker groups, especially in the nation-state arena, commonly attack organizations by
industry vertical. It might be a good opportunity to establish relationships that may
help you identify tactics, techniques and procedures of groups targeting your vertical,
including:

- Threat research groups and vendors
- Threat teams from competitors (the enemy of my enemy is my friend)
- Industry working groups – is there an ISAC [v] that supports your vertical?


Know Your Network

When an RSA NetWitness system engineer gets a new NetWitness deployment up and
running at a customer location, a common reaction when network traffic is first observed
is the customer being overwhelmed by the volume of data now readily available for
analysis. The complexities and idiosyncrasies of a large network are very hard for a
human being to visualize without additional framing, and NetWitness NextGen typically
becomes that frame among customers. This framing typically leads to a number of “I
don’t expect to see that, why is it there?” events over the next few weeks as the
customer becomes more intimately acquainted with their network.
The ability to pervasively know what your network looks like on a day-to-day basis is
CRITICAL in helping to identify advanced attacks.

If you’ve ever known a hunter that hunts a certain tract of land time and again, year
after year, you will have an understanding of how this concept works. The hunter can
typically look across a large field into a tree line, maybe even farther than he can really
“see”, and pick out a deer with a glance. That same deer may be invisible to you and me at
that distance, because the hunter is accustomed to his land, knows what it looks like on a
“normal” day, and can quickly pick out the variance - the deer.

The network hunter is similar. If I know what my network looks like on a day-to-day
basis, I can better pick out the anomalies. In NetWitness training courses, we modify
the “needle in the hay stack” analogy and refer to this concept as “removing hay until
only needles remain”.

This information may include:

- How is my network laid out? What are my allowed paths out of the network?
- Where are my likely weak points, either from a lack of visibility or business needs that require a more relaxed security posture?
- Where is my data? If I have intellectual property, where is it stored and who has access to it?


Know Your People
Ultimately, the success of a modern attack often depends on the activities of the carbon-
based unit between the keyboard and the chair, that is, the human being operating the
computer and going about their daily business. While it is easy to get lost in the
minutiae of the technical, the human operator is decisively the weakest point and, as a
result, the initial target of most attacks. The strategic objective may be financial data
related to the person, information that the person has access to, or maybe even just
a tactical compromise of the computer that belongs to the person.

With this in mind, it’s important to understand a few concepts in the paradigm of your
environment.

- Who in your environment has “enhanced access”, be it to critical information or intellectual property, or critical systems or pivotal locations on the network?
- Does your enterprise have a security policy that addresses common attack methodology? It could be as simple as an information security policy that is reviewed yearly, to as complex as common ideas on how to identify a spear-phishing attack. Policy is often looked at as a simple “box-check” for compliance reasons, but the ability to educate the end-user is one more layer in a defensive strategy.
- Who are my likely targets? Do I have employees that are commonly in the press, speak at conferences, or have a job that routinely entails receiving “cold” electronic correspondence from third parties (e.g., HR, Marketing, Admin)? If I search for “@mycompany.com” on Google, whose email addresses show up? How about LinkedIn?
- Am I continuously tracking employees that have been targeted or compromised in the past? Repeat attacks are common, and risky employee behavior is likely to recur.




THE ATTACKER KILL CHAIN
In 2009, incident responder Mike Cloppert of the Lockheed Martin CERT published a
series of articles that discussed security intelligence and leveraging indicators. In this
series, he introduced a concept known as the “attacker kill chain”.

This concept breaks attacker methodology into a series of sequential stages.

Each stage represents a focus on a particular aspect of an attack, from both an attacker
perspective and a defender perspective.

“We have found that the phases of an attack can be described by 6 sequential stages. Once again
loosely borrowing vernacular, the phases of an operation can be described as a "kill chain." The
importance here is not that this is a linear flow - some phases may occur in parallel, and the order of
earlier phases can be interchanged - but rather how far along an adversary has progressed in his or
her attack, the corresponding damage, and investigation that must be performed.” [vi]


Reconnaissance
With the amount of publicly available information on the Internet, the ability for an
attacker to do target reconnaissance in an unnoticed fashion is almost unlimited.
Commonly used techniques include:

- Reading company websites for information on key initiatives and personnel.
- Reading industry whitepapers to identify projects and personnel associated with those projects.
- Searching Google for email addresses, contact points and other bits of information.
- Identifying social network participation of likely targets, often providing attack vectors through trusted friends and associates.

In the reconnaissance phase, the ability for the defender to take defensive actions is
limited, as attacker reconnaissance is often done in a covert and hard to detect manner.


Weaponization and Delivery
At this point, the attacker has established a target or collection of targets, and
weaponizes an attack payload and delivers it to the target. Let’s use a spear-phishing
attack as an example scenario.

In most APT-style spear-phishing attacks that NetWitness has observed, a third-party
document is used as the delivery method for a malware payload. Typically, it will be a
trojaned PDF or Office document. While 100% detection of this phase is difficult,
information sharing and intelligence gathering on previous attacks helps to identify
repeatable characteristics of attacker “playbooks”, which can help identify recycled
exploit document filenames, shellcode, PDF structure, etc.

From a NetWitness perspective, the platform looks at the documents from a higher level,
by analyzing for threatening characteristics in the sessions rather than specific malware
or exploit signatures.

Example 1: Jim in HR receives a PDF via an email link for a job applicant. As Jim
downloads the PDF and it crosses from the Internet onto his workstation, the
organization’s NetWitness NextGen platform:

     1.   Identifies that the file is forensically a PDF.
     2.   Identifies that the PDF has a “Launch” action in it.
     3.   Identifies that the PDF has embedded JavaScript.

While these three factors don’t mean that the file is absolutely malicious, they identify
enough threatening characteristics to warrant a second look, and to pull it from the likely
high volume of PDFs that appear on the network daily; thereby “removing the hay until
only needles remain”.


Exploitation

Diverging from Cloppert’s approach here, consider immediate post-compromise activities
as secondary parts of the exploitation event. During the exploitation phase of the
attack, the host machine is compromised by the attacker and the delivery mechanism
typically will take one of two actions:

- Install malware (a dropper) allowing attacker command execution.
- Install malware (a downloader) and download additional malware from the Internet, allowing attacker command execution.

Once a foothold is established inside the network, the attacker will typically download
additional tools, attempt privilege escalation, extract password hashes, etc.

At this point, defensive strategies have ultimately failed, and the attacker has control of
a resource. We would typically move to a detective model here and focus on identifying
second-stage malware and toolsets being downloaded to the compromised workstation
post-exploitation.

- Forensically identify executable downloads, both un-obfuscated and obfuscated.

Obfuscation and encryption methods vary: some attackers use custom algorithms, others none at
all. A few methods tend to be re-used:

- Single-byte XOR
- Base64
- Custom Base64



Command and Control
Once the attacker has successfully exploited and taken control of a workstation, he will
usually install malware that has a command and control mechanism. This allows
persistent connectivity for continued access to the environment as well as a detective
measure for defender activity.

Command and control of a compromised resource is usually accomplished via a beacon
over an allowed path out of the network.

Beacons take many forms, but in most cases they tend to be:

- HTTP- or HTTPS-based
- Made to look like benign traffic via falsified HTTP headers

In cases that use encrypted communication, beacons tend to use self-signed certificates
or custom encryption over an allowed path (often TCP 443).

Strategies for detection at this stage tend to revolve around:

- Identifying the use of self-signed certificates during encrypted communication.
- Identifying falsified HTTP headers via anomaly detection strategies.
- Identifying recurring, consistent beacon activity to the same domain or IP address over time.
- Identifying the use of non-standard or unapproved encryption over allowed paths.
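The third strategy above, recurring and consistent beacon activity to the same destination over time, can be turned into a concrete check. The following is an added example, not RSA NetWitness code: it groups outbound connections by source and destination and scores how regular their timing is; the log lines, addresses and the "timestamp src dst:port" field layout are constructed for this example.

```python
"""Periodic-beacon detection over outbound connection records (added
example, not RSA NetWitness code). Groups connections by (source, destination)
and flags pairs whose inter-connection intervals are regular enough to look
like a scheduled C2 beacon rather than a person browsing. The log and its
"timestamp src dst:port" layout are constructed for this example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: 10.1.1.25 beacons to 203.0.113.7:443 about every 300 s
# (with a few seconds of jitter); 10.1.1.40 browses 198.51.100.20:80 at
# irregular times; 10.1.1.25 also touches the web server twice.
SAMPLE_LOG = """\
2012-10-01T09:00:00 10.1.1.25 203.0.113.7:443
2012-10-01T09:01:10 10.1.1.40 198.51.100.20:80
2012-10-01T09:01:12 10.1.1.40 198.51.100.20:80
2012-10-01T09:01:45 10.1.1.40 198.51.100.20:80
2012-10-01T09:05:02 10.1.1.25 203.0.113.7:443
2012-10-01T09:09:58 10.1.1.25 203.0.113.7:443
2012-10-01T09:12:30 10.1.1.25 198.51.100.20:80
2012-10-01T09:14:00 10.1.1.40 198.51.100.20:80
2012-10-01T09:15:01 10.1.1.25 203.0.113.7:443
2012-10-01T09:20:00 10.1.1.25 203.0.113.7:443
2012-10-01T09:24:59 10.1.1.25 203.0.113.7:443
2012-10-01T09:30:03 10.1.1.25 203.0.113.7:443
2012-10-01T09:35:00 10.1.1.25 203.0.113.7:443
2012-10-01T09:40:30 10.1.1.40 198.51.100.20:80
2012-10-01T09:41:00 10.1.1.40 198.51.100.20:80
2012-10-01T09:45:00 10.1.1.25 198.51.100.20:80
"""

def parse_log(text: str) -> list:
    """Parse 'timestamp src dst:port' lines into (datetime, src, dst) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, src, dst = line.split()
        records.append((datetime.fromisoformat(stamp), src, dst))
    return records

def find_beacons(records: list, min_connections: int = 6, max_cv: float = 0.15) -> list:
    """Return (src, dst) pairs whose connection timing is suspiciously regular.

    cv is the coefficient of variation (stddev / mean) of the gaps between
    consecutive connections: a human-driven session is bursty (cv well above 1),
    while a timer-driven beacon with light jitter stays near 0.
    """
    by_pair = defaultdict(list)
    for stamp, src, dst in records:
        by_pair[(src, dst)].append(stamp)
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few connections to judge a schedule
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # everything in the same second: a burst, not a schedule
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "count": len(stamps),
                             "mean_interval": avg, "cv": cv})
    return sorted(findings, key=lambda f: f["cv"])
```

A hit is a lead to investigate, not proof of compromise: legitimate software also polls on timers, so the destination, certificate and HTTP headers of a flagged pair are the next things to look at.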



Keep in mind that immediate takedown of hosts that have identified beacon activity may
clue attackers into defender activity (loss of a known beacon), causing them to switch to
secondary (and potentially unknown) infrastructure. While incident response, as a
program, is out of the scope of this whitepaper, this should be a consideration when
faced with this type of discovery.


Exfiltration
The final phase of the kill chain is exfiltration. In this phase, the attacker has
successfully entered the target network, taken control of a host and potentially:

- Downloaded and staged tools
- Elevated privileges
- Moved laterally onto other hosts
- Located and packaged information

At this point, the final goal is to gather the packaged information, and deliver it to a
location under control by the attacker. These locations are typically hacked hosts that
are used as temporary holding areas for stolen data or hosts that reside in an area that
is under complete control of the attacker (bulletproof hosting).

Exfiltration commonly takes the form of:

- Encrypted .rar or .zip files
- FTP’d or uploaded to a controlled host

However, in the case of malware such as ZeuS, SpyEye, etc., exfiltration and C2
beacons often take place at the same time (the compromised host will export stolen data
on a repeated schedule, basically an information stealing beacon).
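The detection points described so far, the PDF triage of Example 1 (forensic PDF identification, Launch action, embedded JavaScript), the un-obfuscated, Base64 and single-byte-XOR executable downloads of the exploitation phase, and the encrypted archives of exfiltration, all come down to fingerprinting content rather than matching a malware signature. The following is an added example, not RSA NetWitness code, that does this over constructed sample payloads; the risk labels and the minimal PE, PDF and ZIP samples are my own construction.

```python
"""Forensic file fingerprinting for a captured payload (added example, not
RSA NetWitness code). Identifies PDF, Windows PE, ZIP and RAR content whether
it arrives plain, Base64-encoded or under a single-byte XOR key, then raises
the risk flags the paper describes (PDF Launch action, PDF embedded
JavaScript, encrypted archive). All sample payloads are constructed."""
import base64
import re
import struct

# Leading magic bytes for the file types the paper's drills look for.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"MZ": "windows executable",  # PE pointer validated in _identify_plain
}

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; it is its own inverse, so this also decodes."""
    return bytes(b ^ key for b in data)

def _identify_plain(data: bytes):
    """Return the file type name if data starts with a known magic."""
    for magic, name in MAGIC.items():
        if not data.startswith(magic):
            continue
        if name != "windows executable":
            return name
        # A real PE stores e_lfanew at 0x3C, pointing at the "PE" signature.
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return name
    return None

def _risk_flags(name: str, data: bytes) -> list:
    """Threatening characteristics that warrant a second look, per file type."""
    flags = []
    if name == "pdf":
        if b"/Launch" in data:
            flags.append("pdf launch action")
        if re.search(rb"/JavaScript\b|/JS\b", data):
            flags.append("pdf embedded javascript")
    elif name == "zip" and len(data) >= 8:
        # ZIP local file header: general-purpose bit flag at offset 6, bit 0 = encrypted.
        if struct.unpack_from("<H", data, 6)[0] & 0x1:
            flags.append("zip encrypted")
    return flags

def _xor_candidates(data: bytes):
    """Yield (key, decoded) for the single key each magic's first byte implies."""
    for magic in (MAGIC if data else ()):
        key = data[0] ^ magic[0]
        if key and xor_bytes(data[:len(magic)], key) == magic:
            yield key, xor_bytes(data, key)

def fingerprint_payload(data: bytes) -> dict:
    """Classify a payload: file type, transport encoding and risk flags."""
    name = _identify_plain(data)
    if name:
        return {"filetype": name, "encoding": "plain", "risk": _risk_flags(name, data)}
    # Base64: tolerate line breaks, require the canonical alphabet and padding.
    compact = re.sub(rb"\s+", b"", data)
    if compact and len(compact) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", compact):
        decoded = base64.b64decode(compact, validate=True)
        name = _identify_plain(decoded)
        if name:
            return {"filetype": name, "encoding": "base64", "risk": _risk_flags(name, decoded)}
    for key, decoded in _xor_candidates(data):
        name = _identify_plain(decoded)
        if name:
            return {"filetype": name, "encoding": f"xor:0x{key:02x}", "risk": _risk_flags(name, decoded)}
    return {"filetype": None, "encoding": None, "risk": []}

# Constructed minimal PE stub: "MZ", e_lfanew at 0x3C pointing to "PE" at 0x80.
_PE = bytearray(b"MZ" + b"\x00" * 0x7E) + b"PE\x00\x00" + b"\x00" * 20
struct.pack_into("<I", _PE, 0x3C, 0x80)
_PE = bytes(_PE)
# Constructed PDF carrying both a Launch action and embedded JavaScript.
_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
        b"2 0 obj << /S /Launch /F (readme.txt) >> endobj\n"
        b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")
# Constructed ZIP local file header with the encryption bit set (flags = 1).
_ENC_ZIP = b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, 1, 0, 0, 0, 0, 0, 0, 0, 0)

SAMPLES = {
    "pdf_launch_js": _PDF,
    "pe_plain": _PE,
    "pe_base64": base64.encodebytes(_PE),
    "pe_xor_5a": xor_bytes(_PE, 0x5A),
    "zip_encrypted": _ENC_ZIP,
    "rar_plain": b"Rar!\x1a\x07\x00" + b"\x00" * 16,
    "text": b"Nothing to see here.\n",
}

def triage_samples() -> dict:
    """Run every constructed sample through the fingerprinter."""
    return {label: fingerprint_payload(blob) for label, blob in SAMPLES.items()}
```

As in Example 1, a flag here marks a file worth a second look, not a verdict; the value is in pulling a handful of sessions out of the daily volume of PDFs, executables and archives.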

Exfiltration marks the point that data loss has occurred. Detection at this phase leads to
damage control activities for lost data, invoking an IR process, and a move backwards
through the kill chain to establish root cause.




TYING IT ALL TOGETHER – STALKING THE KILL CHAIN
The Single Event Mentality
Historically, security technologies tend to be focused in a single place, or at most, two
places on the kill chain, but lack the entire context behind an event that a complete
analysis system imparts. When using the phrase “stalking the kill chain”, we are focusing
on the ability to use a structured approach to watching the network with the idea of
identifying kill chain events in progress, across the entire kill chain.

Anti-virus is focused on the delivery and exploitation phases, attempting to detect known
shellcode, previously identified malware, or heuristically interesting binaries.

Intrusion Detection is focused on detection of exploitation events or C2, based on known
signatures or communication methods.

Content Filtering and proxy technologies are focused on blocking of known C2 or exploit
sites or the categorization of sites for additional analysis.




Tracking an Event Holistically in RSA NetWitness

Ultimately, we seek to move our analysis techniques and ability from a single or dual
stage approach, to a seamless approach that allows free flowing movement in any
direction along the kill chain during an investigation, with the goal of being able to gauge
the scope and magnitude of the intrusion quickly.

If this is successful, the kill chain diagram would likely look like this:




Using RSA NetWitness Live, a user is able to consume and leverage related
content to help track events across the kill chain.

While the detection of malware is important, a holistic approach to threat detection also
needs to focus on the detection of “quiet” activity after a foothold is established by the
attacker.

According to industry reports on attack trends, attackers used malware in only 54
percent of compromises, and secondary detection was only possible through holistic
analysis.


Signs of Weaponization/Delivery/Exploitation
For detection of weaponization, delivery and exploitation events within NetWitness, the
following content can be consumed and utilized from NetWitness Live:

FlexParsers – Malware PDF, Fingerprint office2007, Fingerprint office97-2003,
Fingerprint pdf, Fingerprint jar, Exploit Web Pages, HTML Threat Analysis
(Spectrum Subscribers), Encoded File Fingerprinting, XOR Executable
(Spectrum Subscribers), Advanced Executable (Spectrum Subscribers)

To further augment the security analysis specifically, the following custom drills in
Investigator should be employed:

General PDF Identification

filetype = pdf
filetype = base64 encoded pdf

Anomalous PDF Identification

risk.warning begins pdf || risk.suspicious begins pdf || risk.info begins pdf




Office Documents

General Office Document Identification:

filetype = office2007 || filetype = office97-2003
filetype = base64 encoded office


Suspicious Web Pages (potential exploit or browser fingerprinting activity)

Existence of Java Applets:

filetype = jar

Existence of suspicious HTML elements:

risk.suspicious = js scan for adobe
risk.suspicious = iframe src pdf
risk.suspicious = iframe src cgi
risk.suspicious = iframe src htm
risk.suspicious = iframe src html
risk.info = embedded html applet
risk.info = embedded html applet with params
risk.info = embedded html codebase
risk.info = embedded html object
risk.suspicious = iframe embedded js
risk.suspicious = iframe hidden values
risk.suspicious = iframe inside hidden div
risk.suspicious = iframe src php
risk.suspicious = pdf inside hidden div
risk.warning = iframe src pdf

General Executable Detection

filetype = windows executable
filetype = base64 encoded exe

Anomalous Executable Detection

risk.info begins exe || risk.suspicious begins exe || risk.warning begins exe
risk.warning = potential binary from duqu group
risk.warning = hex encoded executable
risk.warning = xor encoded executable


Signs of Command and Control
For detection of command and control events within NetWitness, the following content
can be consumed and utilized from NetWitness Live:

FlexParsers – Botnet Traffic Patterns, Htran, ShadyRat, HTML Header, Verbose DNS,
Duqu Binary Detection, Windows Command Shell

To further augment the security analysis specifically, the following custom drills in
Investigator should be employed:

Specific Malware C2 Behavior

risk.warning ends “botnet activity”
risk.suspicious = “htran redirector”
risk.suspicious = “shadyrat encoded command”




Generic HTML and DNS Anomaly Detection

risk.info begins http
risk.info begins dns

Remote Windows Shell

risk.warning = windows command shell
risk.suspicious = windows cli admin command

Remote Desktop Connection

service = 3389


Signs of Exfiltration
For detection of exfiltration events within NetWitness, the following content can be
consumed and utilized from NetWitness Live. While this is not an exhaustive list, it
provides a basic guideline for analysis of advanced threats across the kill chain.

FlexParsers – Fingerprint RAR, Encoded Hashes, pkware

To further augment the security analysis specifically, the following custom drills in
Investigator should be employed:

Generic FTP Detection

service = 21

Generic Archive File Identification

filetype = rar
filetype = zip
filetype = base64 encoded zip
filetype = base64 encoded rar

Password Hash Exfiltration or Movement

risk.warning begins plaintext pwdump
risk.warning begins xor encoded pwdump
risk.warning begins base64 encoded pwdump




CONCLUSION
Given the prevalence and velocity of malware production incorporated with sophisticated
attack strategies, it is common for advanced threats to successfully infiltrate
organizations, despite defenders having “checked all of the blocks” for a robust security
infrastructure. Only through a comprehensive understanding of the organization’s
current capabilities to detect and respond along the kill chain, the use of pervasive
visibility and threat intelligence combined with intelligent security analytics and intuition
can a defending organization hope to level the playing field. Let this whitepaper serve as
high-level guidance and a starting point for identifying and tracking attacks which may
pose a threat to your organization – happy hunting!



[i] http://online.wsj.com/article/SB10001424052970204603004577269544215115670.html
[ii] http://online.wsj.com/article/SB10001424052702304750404577318083097652936.html
[iii] http://www.computerworld.com/s/article/9225980/Anonymous_attacks_trade_group_for_supporting_cybersecurity_bill
[iv] http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?pagewanted=all
[v] http://itlaw.wikia.com/wiki/Information_Sharing_and_Analysis_Center
[vi] http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain




ABOUT RSA
RSA, The Security Division of EMC, is the premier provider of security, risk
and compliance management solutions for business acceleration. RSA helps
the world’s leading organizations succeed by solving their most complex
and sensitive security challenges. These challenges include managing
organizational risk, safeguarding mobile access and collaboration, proving
compliance, and securing virtual and cloud environments.

Combining business-critical controls in identity assurance, encryption &
key management, SIEM, Data Loss Prevention and Fraud Protection with
industry leading eGRC capabilities and robust consulting services, RSA
brings visibility and trust to millions of user identities, the transactions that
they perform and the data that is generated. For more information, please
visit www.RSA.com and www.EMC.com.




EMC2, EMC, RSA, NetWitness, FirstWatch and the RSA logo are registered trademarks or trademarks of
EMC Corporation in the United States and other countries. All other trademarks used herein are the
property of their respective owners. ©2012 EMC Corporation. All rights reserved. Published in the USA.
10/12 White Paper H11154




www.emc.com/rsa


Advice of warren buffet
Advice of warren buffetAdvice of warren buffet
Advice of warren buffet
 
Aplicaciones modernas con React.js
Aplicaciones modernas con React.jsAplicaciones modernas con React.js
Aplicaciones modernas con React.js
 
Slideshare Bse 2012
Slideshare Bse 2012Slideshare Bse 2012
Slideshare Bse 2012
 
Mit2 092 f09_lec11
Mit2 092 f09_lec11Mit2 092 f09_lec11
Mit2 092 f09_lec11
 
Cci report on indian retail
Cci report on indian retailCci report on indian retail
Cci report on indian retail
 
Jaringan komputer pti
Jaringan komputer ptiJaringan komputer pti
Jaringan komputer pti
 
Under what circumstances do motivated
Under what circumstances do motivatedUnder what circumstances do motivated
Under what circumstances do motivated
 
Hadoop Hands-On by @techmilind
Hadoop Hands-On by @techmilindHadoop Hands-On by @techmilind
Hadoop Hands-On by @techmilind
 
Monopsony graphs
Monopsony graphsMonopsony graphs
Monopsony graphs
 
Linux kursu-gungoren
Linux kursu-gungorenLinux kursu-gungoren
Linux kursu-gungoren
 
Money supply inflation
Money supply inflationMoney supply inflation
Money supply inflation
 
Crowne Plaza Tysons Corner
Crowne Plaza Tysons CornerCrowne Plaza Tysons Corner
Crowne Plaza Tysons Corner
 
Projects
ProjectsProjects
Projects
 
generalguidanceholdtimeqas13-521rev320augskclean
generalguidanceholdtimeqas13-521rev320augskcleangeneralguidanceholdtimeqas13-521rev320augskclean
generalguidanceholdtimeqas13-521rev320augskclean
 
Mon post war europe
Mon post war europeMon post war europe
Mon post war europe
 
Angelfalls
AngelfallsAngelfalls
Angelfalls
 
Awesome
AwesomeAwesome
Awesome
 
A Semantic Web Approach for defining Building Views
A Semantic Web Approach for defining Building ViewsA Semantic Web Approach for defining Building Views
A Semantic Web Approach for defining Building Views
 
Deployment Day Session 2 MDT 2012 Advanced
Deployment Day Session 2 MDT 2012 AdvancedDeployment Day Session 2 MDT 2012 Advanced
Deployment Day Session 2 MDT 2012 Advanced
 
Business models for a progressive world, 2011 highlights
Business models for a progressive world, 2011 highlightsBusiness models for a progressive world, 2011 highlights
Business models for a progressive world, 2011 highlights
 

Ähnlich wie Stalking the Kill Chain

F5 Hero Asset - Inside the head of a Hacker Final
F5 Hero Asset - Inside the head of a Hacker FinalF5 Hero Asset - Inside the head of a Hacker Final
F5 Hero Asset - Inside the head of a Hacker Final
Shallu Behar-Sheehan FCIM
 
Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015
Mark Lanterman
 
Information Securityfind an article online discussing defense-in-d.pdf
Information Securityfind an article online discussing defense-in-d.pdfInformation Securityfind an article online discussing defense-in-d.pdf
Information Securityfind an article online discussing defense-in-d.pdf
forladies
 
Enterprise Immune System
Enterprise Immune SystemEnterprise Immune System
Enterprise Immune System
Austin Eppstein
 
Darktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystemDarktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystem
Austin Eppstein
 

Ähnlich wie Stalking the Kill Chain (20)

Getting ahead of compromise
Getting ahead of compromiseGetting ahead of compromise
Getting ahead of compromise
 
F5 Hero Asset - Inside the head of a Hacker Final
F5 Hero Asset - Inside the head of a Hacker FinalF5 Hero Asset - Inside the head of a Hacker Final
F5 Hero Asset - Inside the head of a Hacker Final
 
Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptx
 
Information Securityfind an article online discussing defense-in-d.pdf
Information Securityfind an article online discussing defense-in-d.pdfInformation Securityfind an article online discussing defense-in-d.pdf
Information Securityfind an article online discussing defense-in-d.pdf
 
61370436 main-case-study
61370436 main-case-study61370436 main-case-study
61370436 main-case-study
 
Adaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber AttacksAdaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber Attacks
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdf
 
Enterprise Immune System
Enterprise Immune SystemEnterprise Immune System
Enterprise Immune System
 
Cybersecurity After WannaCry: How to Resist Future Attacks
Cybersecurity After WannaCry: How to Resist Future AttacksCybersecurity After WannaCry: How to Resist Future Attacks
Cybersecurity After WannaCry: How to Resist Future Attacks
 
Toward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationToward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network Automation
 
What Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVaultWhat Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVault
 
Websense security prediction 2014
Websense   security prediction 2014Websense   security prediction 2014
Websense security prediction 2014
 
Darktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystemDarktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystem
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attack
 
Web Attack Survival Guide
Web Attack Survival GuideWeb Attack Survival Guide
Web Attack Survival Guide
 
Darktrace enterprise immune system whitepaper_digital
Darktrace enterprise immune system whitepaper_digitalDarktrace enterprise immune system whitepaper_digital
Darktrace enterprise immune system whitepaper_digital
 
M1_Introduction_IPS.pptx
M1_Introduction_IPS.pptxM1_Introduction_IPS.pptx
M1_Introduction_IPS.pptx
 
Cybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdfCybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdf
 
Cyber security and AI
Cyber security and AICyber security and AI
Cyber security and AI
 

Mehr von EMC

Modern infrastructure for business data lake
Modern infrastructure for business data lakeModern infrastructure for business data lake
Modern infrastructure for business data lake
EMC
 
Virtualization Myths Infographic
Virtualization Myths Infographic Virtualization Myths Infographic
Virtualization Myths Infographic
EMC
 
Data Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education ServicesData Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education Services
EMC
 

Mehr von EMC (20)

INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING  TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDINDUSTRY-LEADING  TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
 
Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote
 
EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX
 
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOTransforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
 
Citrix ready-webinar-xtremio
Citrix ready-webinar-xtremioCitrix ready-webinar-xtremio
Citrix ready-webinar-xtremio
 
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
 
EMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC with Mirantis Openstack
EMC with Mirantis Openstack
 
Modern infrastructure for business data lake
Modern infrastructure for business data lakeModern infrastructure for business data lake
Modern infrastructure for business data lake
 
Force Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop ElsewhereForce Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop Elsewhere
 
Pivotal : Moments in Container History
Pivotal : Moments in Container History Pivotal : Moments in Container History
Pivotal : Moments in Container History
 
Data Lake Protection - A Technical Review
Data Lake Protection - A Technical ReviewData Lake Protection - A Technical Review
Data Lake Protection - A Technical Review
 
Mobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or FoeMobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or Foe
 
Virtualization Myths Infographic
Virtualization Myths Infographic Virtualization Myths Infographic
Virtualization Myths Infographic
 
Intelligence-Driven GRC for Security
Intelligence-Driven GRC for SecurityIntelligence-Driven GRC for Security
Intelligence-Driven GRC for Security
 
The Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure AgeThe Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure Age
 
EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015
 
EMC Academic Summit 2015
EMC Academic Summit 2015EMC Academic Summit 2015
EMC Academic Summit 2015
 
Data Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education ServicesData Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education Services
 
Using EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere EnvironmentsUsing EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere Environments
 
Using EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBookUsing EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBook
 

Kürzlich hochgeladen

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 

Kürzlich hochgeladen (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

Stalking the Kill Chain

  • 1. STALKING THE KILL CHAIN RSA FirstWatchSM Research Note White Paper
  • 2. INTRODUCTION Shady Rat, Aurora, Poison Ivy, ZueS, Spyeye, Ice IX, Stuxnet and Flame. This strange combination of terms may have no immediate relation to the layman, but for those involved in computer security and incident response, they speak of events that have sparked press coverage, executive interest and late nights. Admittedly, the information security threat landscape has drastically changed over the past decade. What was once the realm of tricksters and troublemakers has become the operational environment of professional hackers, nation-state sponsored teams, hacktivists and organized crime. Each threat group seeks to penetrate organizations of interest to accomplish targeted objectives, often with an intellectual approach and backed with plenty of resources. Their overall objectives can be focused into four primary areas: - - Theft of Intellectual Property i - Theft of Financial Data ii - Denial of Service iii Technology-based influence causing physical results iv Among these objectives, a vital and persistent theme is the use of malicious software and the leveraging of related network infrastructure to allow stealth remote manipulation and control of compromised systems anonymously without an onsite presence at the target location. This foothold is typically followed by “going quiet” with the attacker using valid credentials and remote access systems to traverse through the network. In this whitepaper, we will approach the threat landscape from a holistic viewpoint and identify strategies and techniques to establish a good defense. We will discuss the concept of a “kill chain” and identify key indicators for attack events with a focus on network analysis within the context of the RSA NetWitness framework. POSITION BEFORE SUBMISSION In Brazilian Jiu Jitsu (BJJ), a modern martial art focused on ground fighting, a common theme among practitioners is the concept of “position before submission”. 
In other words, the fighter seeks to establish physical and positional dominance before ending the fight with an attack resulting in submission. Embracing the concept allows the fighter to increase his chances of winning the confrontation by making sure he is in control of the situation prior to attempting a fight-ending attack. BJJ’s philosophical approach has direct relevance to cyber security as the same approach can be taken to establish a more proactive defense based on threat intelligence and network-wide visibility. The notion of establishing an “active defense” can be approached using the following guiding principles: - - Know your enemy - Know your network Know your people Know Your Enemy Advanced Persistent Threats (APTs) has been spoken of over the past few years as both a descriptive term for a class of attacker as well as an industry buzzword to describe the effectiveness of a particular product (“Our insert device here stops APTs!”). While this term is most commonly applied to nation-states, the idea of an “Advanced Threat” can be applied almost across the board in today’s threat landscape. Regardless of nation- state attackers, cybercriminals, and hacktivists, all use similar tactics to penetrate a target organization. 2
  • 3. Advanced – All modern threats use advanced, blended attacks. This may include targeting specific individuals or organizations with directed email attacks (spear phishing), hacking websites to serve malware from a “known good” or at least “not known bad” location, or using newly discovered zero-day attacks to increase the chances of a successful exploitation. Once entrenched, the attacker may then use encryption or other obfuscation techniques to further mask their presence and intentions. Persistent – Threat actors understand that repeated and coordinated attacks are likely to garner a penetration eventually. In the nation-state example, this may be repeatedly attacking a “target list” with spear-phishing until someone “takes the bait”, but it could also refer to being watchful for defender activity during a penetration operation and changing tactics as defenders respond, allowing continuous presence in the network. On the cybercrime side, this is increased to large-scale persistent modification of infrastructure, malware and domain names to allow continued operation among the ebb and flow of defender activity. Threat – Ultimately, for an event to be considered a “threat” it must meet a set of criteria. Intent + Opportunity + Capability = Threat Lacking any one of these criteria negates the threat, for example: Attacker A wants to attack organization B with a PDF-based spear-phishing attack against an HR manager. The attacker is using a known and reliable PDF exploit in Adobe Reader, has a “builder” that builds an attack PDF in a way that makes it undetectable by antivirus, and has the name of an HR manager that is responsible for hiring database developers. Organization B has a patching policy for Adobe Reader, and all organizational workstations are up to the current patch level. In this scenario, the attacker has the intent to attack, the capability with his attack PDF to compromise a workstation, and a target for the attack via the HR manager. 
He doesn’t, however, have the opportunity in this case, because the target workstation is patched and non-vulnerable to his attack. In this case, there is no threat because of the lack of opportunity provided by the patched PDF reader. While real-life scenarios are seldom this simple, it provides an example of things you might want to know about how common attackers operate in order to intelligently defend your network - - What are the common threat vectors (e.g., spear-phishing)? What exploits are commonly used? (Exploit kits target A, B and C vulnerabilities, spear-phishing attacks are often launched using PDF and Microsoft Office exploits) Attacker groups, especially in the nation-state arena, commonly attack organizations by industry vertical. It might be a good opportunity to establish relationships that may help you identify tactics, techniques and procedures of groups targeting your vertical, including: - - Threat Research groups and vendors - Threat teams from competitors (the enemy of my enemy is my friend). Industry Working Groups – Is there an ISAC v that supports your vertical? Know Your Network When an RSA NetWitness system engineer gets a new NetWitness deployment up and running at a customer location, a common reaction when network traffic is first observed is the customer being overwhelmed by the volume of data now readily available for analysis. The complexities and idiosyncrasies of a large network are very hard for a human being to visualize without additional framing, and NetWitness NextGen typically becomes that frame among customers. This framing typically leads to a number of “I don’t expect to see that, why is it there?” events over the next few weeks as the customer becomes more intimately acquainted with their network. 3
  • 4. The ability to pervasively know what your network looks like on a day-to-day basis is CRITICAL in helping to identify advanced attacks. If you’ve ever known a hunter that hunts a certain tract of land time and again, year after year, you will have an understanding of how this concept works. The hunter can typically look across a large field into a tree line, maybe even farther than he can really “see” and pick out a deer with a glance. That same deer may be invisible to you and I at that distance because the hunter is accustomed to his land, knows what it looks like on a “normal” day, and can quickly pick out the variance - the deer. The network hunter is similar. If I know what my network looks like on a day-to-day basis, I can better pick out the anomalies. In NetWitness training courses, we modify the “needle in the hay stack” analogy and refer to this concept as “removing hay until only needles remain”. This information may include: - - How is my network laid out? What are my allowed paths out of the network? Where are my likely weak points, either from a lack of visibility or business - needs that require a more relaxed security posture? Where is my data? If I have intellectual property, where is it stored and who has access to it? Know Your People Ultimately, the success of a modern attack often depends on the activities of the carbon- based unit between the keyboard and the chair. That is, the human being operating the computer and going about their daily business. While it is easy to get lost in the minutiae of the technical, the human operator is decisively the weakest point; as a result, the initial target of most attacks. The strategic objective may be financial data related to the person, or information that the person has access to, or maybe even just a tactical compromise of the computer that belongs to the person. With this in mind, it’s important to understand a few concepts in the paradigm of your environment. 
- Who in your environment has “enhanced access”, be it to critical information or - intellectual property, or critical systems or pivotal locations on the network? Does your enterprise have security policy that addresses common attack methodology? It could be as simple as an information security policy that is reviewed yearly, to as complex as common ideas on how to identify a spear- phishing attack. Policy is often looked at as a simple “box-check” for compliance reasons, but the ability to educate the end-user is one more layer in - a defensive strategy. Who are my likely targets? Do I have employees that are commonly in the press, speak at conferences, or have a job that routinely entails receiving “cold” electronic correspondence from third-parties (e.g., HR, Marketing, Admin, etc). If I search for “@mycompany.com” on Google, whose email addresses show - up? How about LinkedIn? Am I continuously tracking employees that have been targeted or compromised in the past? Repeat attacks are common and employee behavior that is risky is likely to reoccur. THE ATTACKER KILL CHAIN In 2009, incident responder Mike Cloppert with the Lockheed Martin CERT, published a series of articles that discussed security intelligence and leveraging indicators. In this series, he introduced a concept known as the “attacker kill chain”. 4
  • 5. This concept breaks attacker methodology into a series of sequential stages. Each stage represents a focus on a particular aspect of an attack, both from an attacker perspective, as well as a defender perspective. “We have found that the phases of an attack can be described by 6 sequential stages. Once again loosely borrowing vernacular, the phases of an operation can be described as a "kill chain." The importance here is not that this is a linear flow - some phases may occur in parallel, and the order of earlier phases can be interchanged - but rather how far along an adversary has progressed in his or her attack, the corresponding damage, and investigation that must be performed.” vi Reconnaissance With the amount of publicly available information on the Internet, the ability for an attacker to do target reconnaissance in an unnoticed fashion is almost unlimited. Commonly used techniques include: - - Reading company websites for information on key initiatives and personnel Reading industry whitepapers to identify projects and personnel associated with - those projects. Searching Google for email addresses, contact points and other bits of - information. Identifying social network participation of likely targets, often providing attack vectors through trusted friends and associates. In the reconnaissance phase, the ability for the defender to take defensive actions is limited, as attacker reconnaissance is often done in a covert and hard to detect manner. Weaponization and Delivery At this point, the attacker has established a target or collection of targets, and weaponizes an attack payload and delivers it to the target. Let’s use a spear-phishing attack as an example scenario. In most APT-style spear-phishing attacks that NetWitness has observed a third party document is used as the delivery method for a malware payload. Typically, it will be a trojaned PDF or Office document. 
While 100% detection of this phase is difficult, information sharing and intelligence gathering on previous attacks helps to identify repeatable characteristics of attacker “playbooks” which can help identify recycled exploit document filenames, shellcode, PDF structure, etc. From a NetWitness perspective, the platform looks at the documents from a higher level, by analyzing for threatening characteristics in the sessions rather than specific malware or exploit signatures. Example 1: Jim in HR receives a PDF via an email link for a job applicant. As Jim downloads the PDF and it crosses from the Internet onto his workstation, the organization’s NetWitness NextGen platform: 1. Identifies that the file is forensically a PDF. 2. Identifies that the PDF has a “Launch” action in it. 3. Identifies that the PDF has embedded javascript. While these three factors don’t mean that the file is absolutely malicious, they identify enough threatening characteristics to warrant a second look, and to pull it from the likely high volume of PDFs that appear on the network daily; thereby “removing the hay until only needles remain”. 5
  • 6. Exploitation Diverging from Cloppert’s approach here, consider immediate post-compromise activities as secondary parts of the exploitation event. During the exploitation phase of the attack, the host machine is compromised by the attacker and the delivery mechanism typically will take one of two actions: - - Install malware (a dropper) allowing attacker command execution. Install malware (a downloader) and download additional malware from the Internet, allowing attacker command execution. Once a foothold is established inside the network, the attacker will typically download additional tools, attempt privilege escalation, extract password hashes, etc. At this point, defensive strategies have ultimately failed, and the attacker has control of a resource. We would typically move to a detective model here and focus on identifying second-stage malware and toolsets being downloaded to the compromised workstation post-exploitation. - Forensically identify executable download, both un-obfuscated and obfuscated. Obfuscation and encryption methods vary, in some cases custom algorithms or none at all in others. A few methods tend to be re-used: - - Single-Byte XOR - Base64 Custom Base64 Command and Control Once the attacker has successfully exploited and taken control of a workstation, he will usually install malware that has a command and control mechanism. This allows persistent connectivity for continued access to the environment as well as a detective measure for defender activity. Command and control of a compromised resource is usually accomplished via a beacon over an allowed path out of the network. 
Beacons take many forms, but in most cases they tend to be:

    - HTTP or HTTPS-based
    - Made to look like benign traffic via falsified HTTP headers
    - In cases that use encrypted communication, beacons tend to use self-signed certificates or custom encryption over an allowed path (often TCP 443)

Strategies for detection at this stage tend to revolve around:

    - Identifying the use of self-signed certificates during encrypted communication.
    - Identifying falsified HTTP headers via anomaly detection strategies.
    - Identifying recurring, consistent beacon activity to the same domain or IP address over time.
    - Identifying the use of non-standard or unapproved encryption over allowed paths.

Keep in mind that immediate takedown of hosts with identified beacon activity may clue attackers in to defender activity (loss of a known beacon), causing them to switch to secondary (and potentially unknown) infrastructure. While incident response, as a program, is out of the scope of this whitepaper, this should be a consideration when faced with this type of discovery.
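The third detection strategy above (recurring, consistent beacon activity to the same domain or IP address over time), as an added Python example that is not part of the original whitepaper: it groups constructed proxy log lines by source/destination pair and flags pairs whose inter-connection gaps have low jitter. The hosts, domains, timestamps and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not real traffic): "timestamp source destination".
# One workstation checks in with updates.cdn.example about every 5 minutes.
LOG_LINES = """\
2012-10-01T09:00:03 10.1.1.20 updates.cdn.example
2012-10-01T09:00:14 10.1.1.20 www.news.example
2012-10-01T09:05:02 10.1.1.20 updates.cdn.example
2012-10-01T09:07:41 10.1.1.20 mail.corp.example
2012-10-01T09:10:04 10.1.1.20 updates.cdn.example
2012-10-01T09:15:03 10.1.1.20 updates.cdn.example
2012-10-01T09:18:27 10.1.1.20 www.news.example
2012-10-01T09:20:02 10.1.1.20 updates.cdn.example
2012-10-01T09:25:05 10.1.1.20 updates.cdn.example
2012-10-01T09:31:58 10.1.1.20 www.news.example
2012-10-01T09:44:10 10.1.1.20 www.news.example
2012-10-01T09:52:33 10.1.1.20 mail.corp.example
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns

def find_beacons(conns, min_hits=5, max_jitter=0.15):
    """Flag pairs whose inter-connection intervals are nearly constant.
    Jitter is the coefficient of variation (stdev / mean) of the gaps: a
    5-minute beacon with a few seconds of scatter scores near zero, while
    human browsing to the same site scores well above max_jitter."""
    hits = []
    for pair, times in conns.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            hits.append((pair, round(avg), round(jitter, 3)))
    return hits
```

On the constructed log only the 5-minute check-in is reported (period about 300 s, jitter about 0.006); the news site, even with min_hits lowered to 4, has a jitter near 0.18 and is not flagged.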
Exfiltration

The final phase of the kill chain is exfiltration. In this phase, the attacker has successfully entered the target network, taken control of a host and potentially:

    - Downloaded and staged tools
    - Elevated privileges
    - Moved laterally onto other hosts
    - Located and packaged information

At this point, the final goal is to gather the packaged information and deliver it to a location under the attacker’s control. These locations are typically hacked hosts that are used as temporary holding areas for stolen data, or hosts that reside in an area under the complete control of the attacker (bulletproof hosting). Exfiltration commonly takes the form of:

    - Encrypted .rar or .zip files
    - FTP’d or uploaded to a controlled host

However, in the case of malware such as ZeuS, SpyEye, etc., exfiltration and C2 beacons often take place at the same time (the compromised host exports stolen data on a repeated schedule, basically an information-stealing beacon). Exfiltration marks the point at which data loss has occurred. Detection at this phase leads to damage control activities for lost data, invoking an IR process, and a move backwards through the kill chain to establish root cause.

TYING IT ALL TOGETHER – STALKING THE KILL CHAIN

The Single Event Mentality

Historically, security technologies tend to be focused on a single place, or at most two places, on the kill chain, but lack the entire context behind an event that a complete analysis system imparts. When using the phrase “stalking the kill chain”, we are focusing on the ability to use a structured approach to watching the network with the idea of identifying kill chain events in progress, across the entire kill chain.
    - Anti-virus is focused on the delivery and exploitation phases, attempting to detect known shellcode, previously identified malware, or heuristically interesting binaries.
    - Intrusion Detection is focused on detection of exploitation events or C2, based on known signatures or communication methods.
    - Content Filtering and proxy technologies are focused on blocking known C2 or exploit sites, or on the categorization of sites for additional analysis.

Tracking an Event Holistically in RSA NetWitness

Ultimately, we seek to move our analysis techniques and ability from a single- or dual-stage approach to a seamless approach that allows free-flowing movement in any direction along the kill chain during an investigation, with the goal of being able to gauge the scope and magnitude of the intrusion quickly. If this is successful, the kill chain diagram would likely look like this:

Using RSA NetWitness Live, a user is able to consume and leverage related content to help track events across the kill chain. While the detection of malware is important, a holistic approach to threat detection also needs to focus on the detection of “quiet” activity after a foothold is established by the attacker. According to industry reports on attack trends, attackers used malware in only 54 percent of compromises, and secondary detection was only possible through holistic analysis.

Signs of Weaponization/Delivery/Exploitation

For detection of weaponization, delivery and exploitation events within NetWitness, the following content can be consumed and utilized from NetWitness Live:

FlexParsers – Malware PDF, Fingerprint office2007, Fingerprint office97-2003, Fingerprint pdf, Fingerprint jar, Exploit Web Pages, HTML Threat Analysis (Spectrum Subscribers), Encoded File Fingerprinting, XOR Executable (Spectrum Subscribers), Advanced Executable (Spectrum Subscribers)

To further augment the security analysis specifically, the following custom drills in Investigator should be employed:

General PDF Identification
    filetype = pdf
    filetype = base64 encoded pdf

Anomalous PDF Identification
    risk.warning begins pdf || risk.suspicious begins pdf || risk.info begins pdf
Office Documents

General Office Document Identification:
    filetype = office2007 || filetype = office97-2003
    filetype = base64 encoded office

Suspicious Web Pages (potential exploit or browser fingerprinting activity)

Existence of Java Applets:
    filetype = jar

Existence of suspicious HTML elements:
    risk.suspicious = js scan for adobe
    risk.suspicious = iframe src pdf
    risk.suspicious = iframe src cgi
    risk.suspicious = iframe src htm
    risk.suspicious = iframe src html
    risk.info = embedded html applet
    risk.info = embedded html applet with params
    risk.info = embedded html codebase
    risk.info = embedded html object
    risk.suspicious = iframe embedded js
    risk.suspicious = iframe hidden values
    risk.suspicious = iframe inside hidden div
    risk.suspicious = iframe src php
    risk.suspicious = pdf inside hidden div
    risk.warning = iframe src pdf

General Executable Detection
    filetype = windows executable
    filetype = base64 encoded exe

Anomalous Executable Detection
    risk.info begins exe || risk.suspicious begins exe || risk.warning begins exe
    risk.warning = potential binary from duqu group
    risk.warning = hex encoded executable
    risk.warning = xor encoded executable

Signs of Command and Control

For detection of command and control events within NetWitness, the following content can be consumed and utilized from NetWitness Live:

FlexParsers – Botnet Traffic Patterns, Htran, ShadyRat, HTML Header, Verbose DNS, Duqu Binary Detection, Windows Command Shell

To further augment the security analysis specifically, the following custom drills in Investigator should be employed:

Specific Malware C2 Behavior
    risk.warning ends “botnet activity”
    risk.suspicious = “htran redirector”
    risk.suspicious = “shadyrat encoded command”
Generic HTML and DNS Anomaly Detection
    risk.info begins http
    risk.info begins dns

Remote Windows Shell
    risk.warning = windows command shell
    risk.suspicious = windows cli admin command

Remote Desktop Connection
    service = 3389

Signs of Exfiltration

For detection of exfiltration events within NetWitness, the following content can be consumed and utilized from NetWitness Live. While this is not an exhaustive list, it provides a basic guideline for analysis of advanced threats across the kill chain.

FlexParsers – Fingerprint RAR, Encoded Hashes, pkware

To further augment the security analysis specifically, the following custom drills in Investigator should be employed:

Generic FTP Detection
    service = 21

Generic Archive File Identification
    filetype = rar
    filetype = zip
    filetype = base64 encoded zip
    filetype = base64 encoded rar

Password Hash Exfiltration or Movement
    risk.warning begins plaintext pwdump
    risk.warning begins xor encoded pwdump
    risk.warning begins base64 encoded pwdump
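As an added example (not RSA content and not the NetWitness Fingerprint RAR or pkware parser), illustrating the “Encrypted .rar or .zip files” indicator from the Exfiltration section and the archive identification drills above: a Python function that fingerprints a captured file body structurally, so that a renamed or extension-less archive is still recognised, and for ZIP reports whether any member carries the encryption flag. The member names and archive bytes are constructed.

```python
import io
import struct
import zipfile

RAR4_MAGIC, RAR5_MAGIC, ZIP_LOCAL_SIG = b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00", b"PK\x03\x04"

def fingerprint_archive(data: bytes):
    """Identify a RAR or ZIP body by structure rather than by file extension.
    For ZIP, walk the local file headers and report member names and whether
    any member has the encryption bit (general-purpose flag bit 0) set."""
    if data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC):
        return {"filetype": "rar"}
    if not data.startswith(ZIP_LOCAL_SIG):
        return None
    members, encrypted, off = [], False, 0
    while data[off:off + 4] == ZIP_LOCAL_SIG:
        # Fixed 30-byte header: flags@6, method@8, time/date@10, crc@14,
        # compressed size@18, uncompressed size@22, name len@26, extra len@28
        flags, csize, nlen, xlen = struct.unpack_from("<H10xI4xHH", data, off + 6)
        members.append(data[off + 30:off + 30 + nlen].decode("utf-8", "replace"))
        encrypted = encrypted or bool(flags & 0x1)
        if flags & 0x8:        # sizes deferred to a data descriptor; cannot walk further
            break
        off += 30 + nlen + xlen + csize
    return {"filetype": "zip", "encrypted": encrypted, "members": members}

def build_sample_zip(encrypt_first: bool) -> bytes:
    """Constructed sample: a two-member stored ZIP; optionally flips the
    encryption bit on the first local header to mimic a password-protected
    member (the data itself stays in the clear, which is enough for the flag check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("finance-q3.xlsx", b"constructed spreadsheet bytes")
        z.writestr("notes.txt", b"constructed notes")
    data = bytearray(buf.getvalue())
    if encrypt_first:
        flags = struct.unpack_from("<H", data, 6)[0]
        struct.pack_into("<H", data, 6, flags | 0x1)
    return bytes(data)
```

A RAR5 signature followed by any header bytes is reported as rar, and a body that starts neither with a RAR signature nor a ZIP local header (a PDF, say) returns None.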
CONCLUSION

Given the prevalence and velocity of malware production, combined with sophisticated attack strategies, it is common for advanced threats to successfully infiltrate organizations, despite defenders having “checked all of the blocks” for a robust security infrastructure. Only through a comprehensive understanding of the organization’s current capabilities to detect and respond along the kill chain, and the use of pervasive visibility and threat intelligence combined with intelligent security analytics and intuition, can a defending organization hope to level the playing field. Let this whitepaper serve as high-level guidance and a starting point for identifying and tracking attacks which may pose a threat to your organization – happy hunting!

ABOUT RSA

RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world’s leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments.
Combining business-critical controls in identity assurance, encryption & key management, SIEM, Data Loss Prevention and Fraud Protection with industry-leading eGRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.

EMC2, EMC, RSA, NetWitness, FirstWatch and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. ©2012 EMC Corporation. All rights reserved. Published in the USA. 10/12 White Paper H11154 www.emc.com/rsa