ICT Security: Defence strategies against targeted attack
Presentation of my master's degree thesis. I propose a business process and a conceptual framework for defence against targeted attacks.
- 1. ICT SECURITY: DEFENCE STRATEGIES AGAINST TARGETED ATTACKS. Supervisor: Prof. Franco Callegati. Co-supervisor: Ing. Marco Ramilli. Presented by: Daniele Bellavista
- 2. INTERNSHIP AT AEPI INDUSTRIE, IMOLA. Defined a defence service for an external company (referred to as the ACME corporation). Analysed models and taxonomies of cyber attacks and of defence methodologies. Implemented a simulated cyber attack as part of the defence service. Proposed a defence strategy against targeted attacks and applied it to clean existing infections and to detect new threats.
- 3. FROM OPPORTUNISTIC TO TARGETED ATTACKS. Cyber attacks that target any vulnerable system are called opportunistic. In the last few years a new kind of attack, called targeted, has been spreading. Targeted attacks were once directed against nations or military organizations; now cyber criminals target companies to compromise their services and steal their data.
- 4. CYBER CRIME: OPPORTUNISTIC AND TARGETED ATTACKS
  OPPORTUNISTIC ATTACKS: target any vulnerable system for general motives (e.g. money); thousands of malware variants; common; poor social engineering techniques; advanced knowledge NOT required.
  TARGETED ATTACKS: specific target (a company, a nation), and the motive is fulfilled only by compromising that target; unknown and unseen malware; rare; advanced social engineering techniques; requires advanced knowledge and a complex attack process.
- 5. MODELS FOR THE ATTACK PROCESS
  Seven-phase model (the kill chain): reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objective.
  Four-phase model: incursion, discovery, capture, data exfiltration.
- 6. TARGETED ATTACK AGAINST ACME. Many papers claim that targeted attacks are able to bypass conventional defence systems. THE ATTACK: information gathering to learn which defence systems were deployed, plus email addresses, names and communication protocols; multi-staged malware built to bypass those defence systems, with the first stage deployed physically and the second via email. RESULT: every defence system was bypassed; the malware performed keylogging and file stealing.
- 7. WHY DID DEFENCE SYSTEMS FAIL? Signature-based detection does not work against unseen malware. Automatic behaviour detection can be fooled by complex malware. The focus of the defence systems was too narrow: they did not take into account the whole attack process.
- 8. DEFENCE STRATEGY AS SERVICES OFFERED BY A SECURITY TEAM. DEFENCE SERVICES: defence against opportunistic attacks, which are still the most numerous cyber attacks and which IDSs can counter; defence against unknown attacks, using rules and policies to define the detection of suspicious events for further analysis; systems check, i.e. analysis and testing of the existing systems. PROPOSAL: HAZARD, a business process, and WASTE, a conceptual framework used by HAZARD.
- 9. DEFENCE STRATEGY: ANALYSIS OF SUSPICIOUS EVENTS. WASTE: Warning Automatic System for Targeted Events. Detection of malicious events is based on automatic auditing of system or network events. Some events are not malicious per se, but may be suspicious in the company context. WASTE is a conceptual framework for defining detection methods for such suspicious events; since what counts as suspicious depends on the company, the architecture cannot be defined a priori.
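The two slides above describe the idea of WASTE (rules and policies that turn events which are harmless on their own into warnings for human analysis) without showing what such a rule looks like. The following Python program is an added illustration, not the thesis's implementation or any code from the presentation: the policy values (working hours, internal networks, the list of users who work remotely), the rule names, the `escalate` heuristic and the audit events are all constructed for the example. It applies four context rules to a handful of host and flow events and then escalates users for whom two different rules fired within a short window, which is the "further analysis" prioritisation a small security team would want.

```python
"""Context-aware suspicious-event auditing in the spirit of WASTE.

Added illustration, not the thesis's implementation: the policy values,
rule names and the audit events below are all constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed company context (hypothetical values): what is "normal" for ACME.
POLICY = {
    "working_hours": (8, 19),                        # logins expected 08:00-18:59
    "internal_nets": [ip_network("10.0.0.0/8")],     # anything else is "external"
    "remote_login_users": {"itadmin"},               # only these use RDP/SSH/VPN
    "user_writable_dirs": ("c:\\users\\", "/tmp/"),  # programs should not run from here
    "max_external_mb": 50,                           # larger uploads to external hosts are odd
}

# Constructed audit events, the kind a host agent or a flow collector would export.
EVENTS = [
    {"type": "login", "user": "alice", "method": "console", "src": "10.1.2.3",
     "ts": "2013-03-12T09:15:00"},
    {"type": "login", "user": "bob", "method": "console", "src": "10.1.2.9",
     "ts": "2013-03-12T23:40:00"},
    {"type": "login", "user": "carol", "method": "rdp", "src": "10.1.5.7",
     "ts": "2013-03-12T10:05:00"},
    {"type": "process", "user": "dave", "parent": "outlook.exe",
     "image": "C:\\Users\\dave\\AppData\\Local\\Temp\\update.exe",
     "ts": "2013-03-12T11:00:00"},
    {"type": "netflow", "user": "dave", "dst": "203.0.113.10",
     "bytes_out": 120_000_000, "ts": "2013-03-12T11:02:00"},
    {"type": "netflow", "user": "alice", "dst": "10.2.0.5",
     "bytes_out": 300_000_000, "ts": "2013-03-12T11:30:00"},
    {"type": "process", "user": "itadmin", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "ts": "2013-03-12T11:45:00"},
]


@dataclass(frozen=True)
class WasteWarning:
    rule: str
    user: str
    ts: datetime
    reason: str


# Each rule returns a reason string when the event is suspicious *in context*,
# or None when it is ordinary. None of these events is malicious by itself.
def after_hours_login(ev, policy):
    if ev["type"] != "login":
        return None
    start, end = policy["working_hours"]
    hour = datetime.fromisoformat(ev["ts"]).hour
    if hour < start or hour >= end:
        return f"login by {ev['user']} at {hour:02d}h, outside working hours"
    return None


def unexpected_remote_login(ev, policy):
    if (ev["type"] == "login" and ev["method"] in {"rdp", "ssh", "vpn"}
            and ev["user"] not in policy["remote_login_users"]):
        return f"{ev['method']} login by {ev['user']}, who does not normally work remotely"
    return None


def exec_from_user_writable_dir(ev, policy):
    if ev["type"] == "process" and ev["image"].lower().startswith(policy["user_writable_dirs"]):
        return f"{ev['image']} started from a user-writable directory (parent {ev['parent']})"
    return None


def large_external_upload(ev, policy):
    if ev["type"] != "netflow":
        return None
    dst = ip_address(ev["dst"])
    internal = any(dst in net for net in policy["internal_nets"])
    if not internal and ev["bytes_out"] > policy["max_external_mb"] * 1_000_000:
        return f"{ev['bytes_out'] // 1_000_000} MB sent to external host {ev['dst']}"
    return None


RULES = [after_hours_login, unexpected_remote_login,
         exec_from_user_writable_dir, large_external_upload]


def audit(events, policy=POLICY):
    """Run every rule over every event; the result is a list of warnings for a human."""
    warnings = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev, policy)
            if reason:
                warnings.append(WasteWarning(rule.__name__, ev["user"],
                                             datetime.fromisoformat(ev["ts"]), reason))
    return warnings


def escalate(warnings, window=timedelta(minutes=10)):
    """Users for whom two different rules fired within `window`: analyse these first."""
    users = set()
    for a in warnings:
        for b in warnings:
            if a.user == b.user and a.rule != b.rule and abs(a.ts - b.ts) <= window:
                users.add(a.user)
    return users


if __name__ == "__main__":
    found = audit(EVENTS)
    for w in found:
        print(f"[{w.rule}] {w.ts:%H:%M} {w.reason}")
    print("escalate first:", sorted(escalate(found)))
```

Running it yields four warnings (bob's late login, carol's RDP session, dave's executable launched from his Temp folder, and dave's upload to an external address) and escalates only dave, because two unrelated rules fired for him two minutes apart. Nothing here is a signature: the same events on a company with different working hours or a different remote-access policy would produce different warnings, which is exactly why the slide says the architecture cannot be fixed a priori.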
- 10. WASTE use cases
- 11. HAZARD: BUSINESS PROCESS FOR CYBER ATTACK DEFENCE. HAZARD: Hacking Approach for Zealot Attack Response and Detection. ACTORS: Analysis Team, Detection Team, Vulnerability Team, Hacking Team, Company IT. PROCESSES: Incident Analysis, WASTE warning analysis, WASTE issue management, Vulnerability Assessment, Targeted attack evaluation, Targeted attack test. HAZARD is designed to share information between the actors in order to provide an effective defence strategy against targeted attacks.
- 12. DEFENCE STRATEGY APPLICATION INSIDE ACME: RESULTS. Found some opportunistic malware programs that the IDS had reported as non-malicious. No sign of targeted attacks was found. Reduction of the infection events reported by the IDS.
- 13. FURTHER WORK. Use HAZARD for information sharing to better understand targeted attacks. Test the defence strategy against a real targeted attack: how can one test whether a defence approach is effective against a targeted attack?
- 14. ICT SECURITY: DEFENCE STRATEGIES AGAINST TARGETED ATTACKS. Daniele Bellavista. THANK YOU FOR YOUR ATTENTION