Know Your Enemy - ISSA Mid Atlantic Information Security Conference

KNOW YOUR ENEMY
SUN TZU AND THE ART OF
CYBERWAR
孫子兵法
Mark D. Rasch
Mark.Rasch@verizon.com
PTE16117 10/14
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Proprietary Statement
This document and any attached materials are the sole property of Verizon and are not to be used by you other than to
evaluate Verizon's service.
This document and any attached materials are not to be disseminated, distributed, or otherwise conveyed throughout
your organization to employees without a need for this information or to any third parties without the express written
permission of Verizon.
© 2015 Verizon. All Rights Reserved. The Verizon name and logo and all other names, logos, and slogans identifying
Verizon's products and services are trademarks and service marks or registered trademarks and service marks of Verizon
Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks
are the property of their respective owners.
EVERYTHING I NEED TO
KNOW ABOUT
CYBERSECURITY I LEARNED
IN 512 BCE
Well, almost everything
Caveats
• Cyberwar is not traditional war
• Lessons to be learned relate to both offensive and
defensive cyberwar
• For these purposes, “war” means any aggressive activity
by an adversary
– Nation-state
– Hacktivists
– Organized Crime
– Script Kiddies
– Thieves
– Opportunists
– Disgruntled insiders
– Fraudsters
• Cyberwar is asymmetric – many of Sun Tzu’s lessons do
not translate
• Cyberwar is mostly defensive (as practiced today)
Know Your Enemy
“If you know the enemy and
know yourself, you need not fear
the result of a hundred battles. If
you know yourself but not the
enemy, for every victory gained
you will also suffer a defeat. If
you know neither the enemy nor
yourself, you will succumb in
every battle.”
Every Business is a Target
(Chart: breaches by threat actor, ranging from Opportunistic to Targeted: Hackers, Activists, Organized Crime, State-Affiliated. *Number of records stolen as a result of each breach.)
Pen Testing/Bounty Programs
“To know your Enemy, you must become
your Enemy.”
From Basic Monitoring to Analytics
Security maturity roadmap
Transition to Security
1. Determine maturity level
2. Establish target maturity level
3. Design maturity roadmap
Foundational
• Basic log management and monitoring
• Signature and IOC-based alerting
• Limited event analysis
• Response plan with capacity for business-critical events
Intermediate
• Expanded visibility across network and systems
• Enhanced incident handling and analysis
• Basic intelligence and response competency
• Payload analysis or similar tech for targeted threats
Advanced
• Comprehensive visibility across environment and all phases of kill chain
• Advanced capabilities to collect, analyze, apply, and share intelligence
• Network and endpoint forensics and “hunting” tools and capabilities
• Dedicated expert staff w/ high org knowledge
“See more, analyze better, respond quicker”
Cyberwar is Asymmetrical
“Great results can be achieved with small forces.”
Greater powers and resources do not guarantee tactical
superiority.
Sun Bin
Whack-A-Mole
• “The skillful tactician may be
likened to the shuai-jan. Now the
shuai-jan is a snake that is found
in the Ch'ang mountains. Strike at
its head, and you will be attacked
by its tail; strike at its tail, and you
will be attacked by its head; strike
at its middle, and you will be
attacked by head and tail both.”
DBIR Tells Us You Will Come Under Attack
Threat Intelligence and Assessment
“Knowing the enemy enables you to take the
offensive, knowing yourself enables you to
stand on the defensive.”
Deliberate tactical errors and minor losses are
the means by which to bait the enemy.
Sun Bin
Risk Team: More than an Acronym
War of Attrition
“There is no instance of a nation benefitting
from prolonged warfare.”
Advanced Threat Intelligence and Monitoring Service (ATIMS)
Threat Suppression System
(Diagram. Components: ATIMS Appliance and IDPS at the Customer Internet connectivity; Security Operations Center; IOCdb Cyber Intel Database; ‘Gracie’ Security Monitoring Platform; Security Customer. Steps labelled 1–7 on the diagram: targeted attack underway; immediate detection, tracking & mitigation; remote triage, incident containment, threat eradication; hunter group performs adversary attribution, intelligence collection; risk classification, incident reporting, alerts and security intelligence; secure access to alerts & intelligence.)
“Speed is the essence of war. Take
advantage of the enemy’s
unpreparedness; travel by
unexpected routes and strike him
where he has taken no precautions.”
Breaches: Happening Faster, Still Harder to Discover
(Chart: percent of breaches where time to compromise (orange) and time to discovery (blue) was days or less.)
In 2014, 78% of attacks compromised systems within days or less; 60% were compromised within minutes.
Source: Verizon 2015 Data Breach Investigations Report
The time to discover an incident
Seconds: In 38% of cases, it took attackers just seconds to compromise systems.
Minutes: It took attackers just minutes to exfiltrate data in 28% of cases.
Days: More than a quarter of breaches took days or months to discover.
First Step - Assessment
“know yourself and you will win all battles”
“Hence that general is skillful in attack
whose opponent does not know what to
defend; and he is skillful in defense
whose opponent does not know what to
attack.”
Network Based Defense
“To win one hundred victories in one
hundred battles is not the acme of skill. To
subdue the enemy without fighting is the
acme of skill”
Comprehensive Protection
Market Threats: Cyber terrorists, Hacktivists
Market Drivers: Cloud, Mobility
Market Trends: Big Data/Analytics
Security Portfolio: Network Security, Managed Security, Advanced Security Programs, Professional Services
Pain Points
• Convenience: Policy compliance, integration, bundled services
• Security: Manage TCO; address skill gaps, device visibility, policy compliance, best practices
• Risk: Risk mitigation, brand protection, loss of revenue, business continuity
Feature/Functionality
• DoS detection and mitigation
• NetFlow analysis
• Unified threat devices
• Security device monitoring
• Log analysis
• Anomaly detection
• Incident filtering/response
• Security benchmarking and risk scoring
Offerings
• DoS Defense
• NetFlow Monitoring
• Secure Gateway
• Managed Security Services-Premises
• Advanced Security Operation Services
• RSA SA, ArcSight, Splunk
• Packet Inspection Services
• Investigative Packet Analytic (IPA) Service
• Diagnostic Services
• Cyber Insurance Diagnostic
• SMP Revamp
• Custom Built Services
Have a Plan
“One may know how to conquer
without being able to do it. ”
Verizon Analytics Platform
Increasing Security Optics
(Diagram: Verizon Network, Mobility, Cloud & Security Services; Any Machine Data.)
Capabilities: Security Search and Investigation; Proactive Monitoring; Business Intelligence; Real-time Security Insights
Machine data sources: Online Services, Web Services, GPS Location, Servers, Smart Credentials, Networks, Desktops, Storage, Messaging, Telecoms, Custom Applications, RFID, Online Shopping Cart, Energy Meters, Databases, Web Clickstreams, Call Detail Records, Mobile Devices
Security Next Gen Analytics Platform (SNAP) Addresses Adjacent Markets
• Internet-of-things
• Mobility
• Cloud
Enhance Visibility Across Any Machine Data
Critical National Infrastructure Solutions
Manage Risk with Deep, Consistent Controls
Accelerate Business with Secure Access
Create a Security Culture
“When one treats people with benevolence,
justice, and righteousness, and reposes
confidence in them, the army will be united in
mind and all will be happy to serve their
leaders.”
“Rewards for good service should not be
deferred a single day.”
Risk Based Analytics
• “who wishes to fight must first count the cost”
Incident Investigation and Preparedness
• “Rouse him, and learn the principle of his activity or
inactivity. Force him to reveal himself, so as to find
out his vulnerable spots.”
• “Convince your enemy that he will gain very little by
attacking you; this will diminish his enthusiasm”
• “Those skilled at making the enemy move do so by
creating a situation to which he must conform; they
entice him with something he is certain to take, and
with lures of ostensible profit they await him in
strength.”
The Enterprise Security Landscape
(Quadrant diagram with axes Ignorance–Awareness and Compliance–Security; quadrants labelled Overconfident, Empowered, Imprisoned, Overspending.)
Our goal is to help you become an empowered enterprise—instead of becoming the victim of a breach.
Prepare Three Envelopes
“If quick, I survive.
If not quick, I am lost.
This is death.”
“Anger may in time change to gladness;
vexation may be succeeded by content.
But a kingdom that has once been destroyed
can never come again into being; nor can the
dead ever be brought back to life.”
Security through Obscurity
“The whole secret lies
in confusing the
enemy, so that he
cannot fathom our
real intent.”
“mystify, mislead, and
surprise the enemy”
Take a Deep Breath….
“Ponder and deliberate before
you make a move.”
Coordinate with Law Enforcement
• “Wheels of justice grind slow but grind fine”
Incident Readiness
“Attack is the secret of
defense; defense is the
planning of an attack.”
Plan Ahead
• “If words of command are not clear
and distinct, if orders are not
thoroughly understood, then the
general is to blame. But, if orders
are clear and the soldiers
nevertheless disobey, then it is the
fault of their officers.”
Intel-Intel-Intel
• “It is only the enlightened ruler and the wise general who will use the
highest intelligence of the army for the purposes of spying, and thereby
they achieve great results.”
• “The end and aim of spying in all its five varieties is knowledge of the
enemy; and this knowledge can only be derived, in the first instance, from
the converted spy. Hence it is essential that the converted spy be treated
with the utmost liberality.”
• “Foreknowledge cannot be gotten from ghosts and spirits, cannot be had
by analogy, cannot be found out by calculation. It must be obtained from
people, people who know the conditions of the enemy.”
• “He will win who, prepared himself, waits to take the enemy unprepared.”
• “do many calculations lead to victory, and few calculations to defeat”
Intelligence at Work
15% Incidents detected by threat signatures
35% Incidents detected by threat behaviors
50% Incidents detected by threat reputations
23.7 billion events from customer log file data
- Jan 2015, Verizon Managed Security Services results
Threat Intelligence Capabilities to Detect Malicious Activities
(Diagram of intelligence sources and consumers.)
Verizon Intelligence: ASOC Analytics, Active Defense, Big Data Analytics/Packet Capture, Global Backbone, Vendors, External Sources, Professional Services
Verizon Security Intel Team: IR Team, Threat Intel & Applied Intel
Verizon Managed Security Services: Customer Alerts, SOCs, Customer Data, 24x7x365 Follow-the-Sun, Retainer Services
Advanced Threat Intelligence
and Monitoring
The greatest depth of collection and detection, providing proactive
packet-level monitoring and investigation (“hunting”) for a powerful line of
defense against attacker-specific techniques.
• Proactive threat hunting and discovery
to identify active adversaries
• Our highest collection and detection
intensity monitoring service
• Advanced analysis for detection,
investigation, and the development
of remediation strategies
• Comprehensive retracing of steps in an
attack (including identifying footholds
through to the point of discovery) so you
can better prevent future attempts
• Customized indicators and detection
methods to enhance current monitoring
and detection infrastructure
Questions?
Walt Kelly - Pogo