IBM Software
Thought Leadership White Paper
April 2014
What’s behind a cyber attack?
Gaining insight and clarity into the what, when and how of an enterprise security incident
Contents
Introduction
Attackers have an advantage—but they leave a retraceable trail
Advanced forensics can increase the enterprise advantage
Advanced forensics can enable a comprehensive security approach
Creating searchable information with QRadar Security Intelligence Platform
Investigations can be more comprehensive and productive
Security investigations can be faster and easier
How security teams view information is important to success
Building intelligence can help in navigating investigations
Conclusion
For more information
About IBM Security solutions
Introduction
Breaches happen. In today’s high-value, high-stakes enterprise
environments, many organizations rightly assume not only that
their data and computing systems will be attacked, but that a
certain number of attacks will succeed. One study found, in fact,
that 97 percent of organizations have experienced malware
attacks.[1]
But recognizing the problem is only the first step—because the
corollary to the assumption that future attacks are coming is the
recognition that past attacks have already gained entry. So now
what do you do? How do you learn the what, when and how of
a security incident—and what its potential damage could be?
The answers to these questions are critical to remediating
damage and improving defense.
When investigating a breach, organizations need better visibility
and clarity into network activity. And they need it fast. A recent
study by Verizon Communications found that in 66 percent of
cases, discovering a breach took months,[2] during which time
organizations faced potential damage to business operations,
private data, intellectual property and brand image.
The challenge to avoiding damage stems from the complexity of
using existing solutions for security-related data collection and
breach investigation. With conventional solutions, gaining the
necessary information and insight has been time consuming
and difficult—if not impossible. Meanwhile, attackers employ
increasingly sophisticated techniques and find surprising ease
of success. Despite enterprise defenses, the Verizon study
described 78 percent of initial intrusions as “low difficulty.”[2]
This white paper will examine the shortcomings of conventional
breach investigation approaches and present IBM® Security
QRadar® Incident Forensics, a fast, simple and comprehensive
solution designed to help organizations defend against advanced
persistent and internal threats, including fraud and abuse.
Using QRadar Incident Forensics, organizations can reassemble
raw packet traffic data back into its original form for simplified
analysis, and retrace the step-by-step actions of a potential
attacker to help discover and remediate security incidents
and reduce the chances of data exfiltration or recurrence of
past breaches.
Attackers have an advantage—but they leave a retraceable trail
Theories of warfare call it an “asymmetrical advantage”—when
the power, strategies or tactics of one army differ significantly
from the other’s. It’s an appropriate term for the state of enterprise
security today. Enterprises and cyber attackers are at war.
And they are operating with vastly different requirements,
expertise and motivations in mind.
The typical enterprise infrastructure contains thousands of
devices and applications, an untold number of increasingly complex
connections, and an undetermined number of unprotected
vulnerabilities. To be successful, the external attacker or rogue
insider needs to exploit only one weakness. The enterprise must
address them all—and if the protection measures don’t work, it
must find, track and remediate exploits that could be anywhere.
As a result, enterprises face an enormous task. The tracking
database maintained by IBM X-Force® research and development,
which has collected data on 78,000 publicly disclosed
security vulnerabilities, added 8,330 new vulnerabilities in
2013 alone.[3] In the one-year period ending March 2013, malware
aimed at mobile platforms became a new attack vector that
grew 614 percent, nearly 450 percent faster than a year earlier.[4]
On the side of the defenders, every action on the network—
whether from inside or outside the organization, authorized or
unauthorized—can be captured and analyzed as part of a security
incident. Following these digital impressions can potentially
reveal vulnerabilities, the actions an attacker takes to exploit
them and the source of the attack. Many organizations have
deployed traditional solutions, such as log management and
security information and event management (SIEM) applications,
that give them the basic capabilities for gathering log
source events and netflow data, but lack full packet captures
(PCAPs), which provide richer network context.
Yet SIEM applications yield mountains of data not only from
attackers but also from legitimate users—and most organizations
have neither the time nor the resources to sift through it all to
find specific strings of incriminating characters.
Conventional forensics solutions can be challenging to use
• Analysts must be skilled in network security investigations.
• Adding point security solutions with minimal integration typically increases complexity and cost.
• Determining where and how to begin an investigation can lead to lost productivity.
• Complex queries directed at packet capture repositories can be time-intensive, consume processing and storage resources, and fail to reveal the relationships necessary for remediation.
Advanced forensics can increase the enterprise advantage
In an enterprise attack, intrusions and defense are not the only
asymmetrical elements. Events in the attack timeline typically
weigh in favor of the attacker as well. Verizon has found that
nearly 85 percent of such events take place in seconds, minutes
or hours—with 68 percent of exfiltration occurring in the same
period. Yet 62 percent of discovery occurs only after months have
passed. And 77 percent of the remediation effort—including
patching, configuration changes and intrusion blocking—
requires days, weeks or months, all of it occurring after the
initial discovery.[2]
Clearly, greater speed is a necessity in responding to a cyber
attack. It can be critical to know immediately how widespread
any related breach becomes. Discovering which devices or
applications are affected and constructing an event timeline can
tell administrators exactly where and when to apply their remediation
efforts. For example: if physical devices were compromised
by a person on site, locating the devices and tracking
breach events can point investigators to security cameras that
could identify the suspect.
These defense operations are complex, however, and cannot
be undertaken manually. Instead, organizations need comprehensive,
automated tools for converting their network packet
captures into indexed, searchable information. Security teams
can then use this information to rapidly determine threats and
their characteristics, distinguish true attacks from false positives,
and formulate proactive best practices for future actions based
on a clearer understanding of the attack.
Using an advanced network forensics solution, investigators can
have a fuller view of the trail of events in an attack, with identifying
components such as IP and MAC addresses, application
protocols, webhosts, user queries and SSL certificates. They can
identify stolen data, such as Social Security or credit card numbers.
And they can gather information that can help identify the
source of the breach—whether an external attacker or an insider
using proper authority for malicious purposes.
Emerging threats require clarity to detect and resolve
An advanced network forensics solution can give security analysts clarity of content, relationships and event sequence to resolve incidents. For example:
• Network security—A retailer needed to detect unauthorized duplication of customer payment data from point-of-sale (POS) systems to compromised internal systems.
• Fraud and abuse—A financial firm needed to uncover a sophisticated money-laundering scheme involving multiple seemingly unconnected interactions.
• Insider threat—A manufacturing firm needed to find the perpetrator, identify collaborators, and pinpoint the systems and data involved in stolen intellectual property.
• Evidence gathering—A security research firm needed to compile evidence against a malicious entity involved in breaching a secure system and stealing data.
Advanced forensics can enable a
comprehensive security approach
In an effort to stop attacks and breaches, as well as comply with
government and industry security regulations, many organizations
have deployed network forensics solutions. In many cases,
however, the security solutions they choose are point products
that provide insights and responses that are dependent upon the
skills of technically trained analysts.
Such an approach treats network forensics as a job for simple
PCAP searches. But the serial deployments that result—layering
one point solution on top of another as new capabilities become
necessary—can obscure the organization’s true network security
posture with unnecessary complexity. A better approach is to
deploy a comprehensive forensics solution that can investigate
not only PCAP data in motion, but also documents, databases
and other data at rest.
Using the advanced, comprehensive network forensics solution
from IBM, QRadar Incident Forensics, investigators can not
only gather network information, they can also proactively
search for possible breaches based on alerts issued by the
X-Force threat intelligence feed. They can find network relationships
and help identify incident sources. Then, using security
incident-related network data and insights to understand why
certain attacks succeeded, they can more effectively eradicate
malicious activities associated with a breach. Administrators can
facilitate the production of evidence to support legal actions or
fulfill compliance audits.
Ultimately, the IT security team can use information and
insights from QRadar Incident Forensics to help develop
effective countermeasures and security best practices—updating
perimeter defenses such as firewalls, endpoint patches and
applications, frequently tuning anomaly detection capabilities,
and writing multilevel SIEM correlation rules and proactive
measures that reduce false positives and better identify attacks.
Creating searchable information with QRadar Security Intelligence Platform
So how does QRadar Incident Forensics work? In a nutshell:
It begins after a security incident when a security analyst defines
a search or a case, retrieving all associated PCAP data, reconstructing
each embedded file, and then creating multiple indexes
using the file contents and metadata. These steps produce
searchable information that security teams can retain for
long-term investigations of the incident.
[Figure: Creating searchable information with an Internet search engine. Data sources (security devices, network and virtual activity, servers and mainframes, data activity, configuration information, application activity, users and identities, vulnerabilities and threats, global threat intelligence) feed the QRadar Security Intelligence Platform (automatic asset, service and user discovery and profiling; real-time correlation and threat intelligence; activity baselining and anomaly detection; built-in data classification; out-of-the-box incident detection), which produces automated offense identification and directed forensics investigations. Benefits listed: unlimited data collection, storage and analysis; rapid reduction in time to resolution through intuitive forensic workflow; ability of users to leverage intuition more than technical training; support for determining root cause and preventing recurrences.]
Based on its core extraction and correlation capabilities, QRadar
Incident Forensics can support the three principal operations of
network security investigations:
Security incident response
Once a security breach is discovered, QRadar Incident
Forensics can enable investigators to follow the attacker’s
step-by-step actions in real time and develop a profile known as
a digital impression—which traces a threat actor’s previous and
current activity. The resulting insights can help the security team
quickly remediate the incident and develop countermeasures
against further damage.
Alert triage
SIEM solutions normally generate a limited number of
suspected security offenses and then correlate them with other
available security data. QRadar Incident Forensics, however,
enables the security team to further investigate each potential
offense to determine whether it is an actual attack or a false
positive result. With conventional forensics solutions, these
investigations can take weeks to resolve, depending upon analyst
skill levels and responses from identified users. But by automatically
combining information from the SIEM reports with
historical information from the investigation and resolution of
previous incidents, QRadar Incident Forensics can help dramatically
reduce the time required to complete each investigation.
Proactive, defensive data exploration
From time to time, security teams search their network to determine
its security posture. These searches could be based on an
alert received from a threat intelligence organization such as
X-Force or an internal policy of planned security activities. In
any case, a search can be streamlined and made more effective
with the advanced QRadar Incident Forensics solution’s simplified,
search engine-like interface; categorization and filtering
capabilities to reduce the volume of data returned; and pivot
capabilities that enable a variety of search views.
Investigations can be more comprehensive and productive
QRadar Incident Forensics is designed to help organizations
rapidly and thoroughly investigate malicious network activity by
providing visibility and clarity into network security incidents.
Available either as software or as a hardware appliance with
software built in, the solution integrates seamlessly with
IBM Security QRadar SIEM and IBM QRadar Security
Intelligence Platform, as well as with most available third-party
packet capture formats. The comprehensive approach gives
IT security teams the ability to more easily and productively
conduct investigations; make smarter, faster decisions by
analyzing security data in the network context; and support
effective remediation.
Using a search engine-like interface to handle data within
or flowing through the network, QRadar Incident Forensics
supports both incident-driven and threat intelligence-directed
investigations to provide security teams with the underlying
evidence that retraces digital impressions, categorizes external
content and labels suspect content.
QRadar Incident Forensics indexes everything contained
within the captured network traffic—ranging from documents
to website images, and including the metadata and contents of
both structured and unstructured data—to help reduce the time
required to investigate offenses, in many cases from days to
hours or even minutes. To enhance data intelligence and
insights, the solution enables a powerful data pivoting capability
for discovering and displaying extended relationships for searchable
variables such as IP addresses, MAC addresses, email
addresses, application protocols, SSL certificates and more.
The result is a richer, big-data view of network data, application
and malicious user relationships than is provided by traditional
network forensic tools that can use only processed PCAPs. With
the help of electronic breadcrumbs, investigators can follow the
path of malware or attackers and retrace the chronological interactions
of incident events, helping investigators understand how
to remediate breaches to reverse actions and prevent recurrences.
Organizations can also document regulatory compliance.
Security investigations can be faster and easier
Conventional security solutions require extensive training—in
some cases, even the ability to write code—to navigate collected
PCAP data, understand the data’s meaning, and know what to
do with it in order to remediate an attack and prevent future
incursions.
QRadar Incident Forensics, on the other hand, gives virtually
any member of the security team—even junior members without
extensive knowledge of security data—the ability to determine
the full network context of a security incident.
An intuitive, free-form query interface built into QRadar
Incident Forensics means that a search for network security incidents
is as easy to formulate as looking for sports memorabilia
using any popular Internet search engine. With the forensics
solution integrated into the single-console management interface
of QRadar Security Intelligence Platform, access to the full
set of forensics capabilities is only a point and click away. And
full network searches, in many cases, take only minutes or hours
due to extensive indexing, rather than the days or weeks required
by other solutions.
In many cases, QRadar Incident Forensics searches can make
investigations faster and more comprehensive—helping identify
data that may have been missed. Once the solution has retrieved
and processed the raw PCAPs into rich document files, its search
engine uses network, file and personal metadata indexes to
return fast keyword searches of structured and unstructured data.
It can even search stored network documents. The solution’s
ability to provide information in context helps reveal threat
levels and vulnerabilities. It generates multiple views of data that
show relationships, timelines, and source and threat categories.
And it enables users to refine searches with intelligent filtering
for information such as IP and MAC addresses, application
protocols or email addresses.
[Figure: Investigating security incidents with IBM Security QRadar solutions. Discovery: IBM Security QRadar SIEM discovers an offense. Collect and process: IBM Security QRadar Incident Forensics reassembles and indexes the data. Locate breach: administrators can use this data to construct digital impressions leading them to the incident location. Remediate and contain: IT security teams can then assess the credibility of a true threat and use appropriate means to block the communication, patch the vulnerabilities, contain critical data in the event of an incident and remediate malicious actions to prevent a recurrence.]
How security teams view information is important to success
Significantly, nothing on the network escapes the view of a
directed QRadar Incident Forensics search case. A simple search
for the word “confidential,” for example, can not only locate all
documents labeled as such, but it can also uncover all events
that involve an externally leaked document, identify paths where
a copy may have been sent, and reveal the individual who initiated
those actions. Equally important, the solution can present
information in a number of ways, allowing investigators to create
the view that is best suited for the insights they need.
The interface allows security staff to simply click on metadata to
locate related information. It further enables investigators to
pivot searchable variables and change the metadata field to see
extended and perhaps unsuspected relationships. Beginning
with an email address, for example, an investigator can discover
the associated IP address and Internet login ID, then use the
combined information to achieve clarity on who the attacker
is and the trail of the attacker’s actions on the network.
[Figure: Via IBM Security QRadar Incident Forensics, security teams can easily visualize relationships between suspect entities using IP addresses, email addresses, chat IDs and more.]
The visibility and clarity provided by QRadar Incident Forensics
is fundamental to an organization’s efforts to eliminate and
remediate security incidents. With more limited solutions,
attacks can recur and malware can re-infect the infrastructure—
because the security team missed an artifact of the attack.
Anatomy of an attack—and an intelligent response
Arriving at work, the enterprise security team discovers
that its SIEM application found a number of new offenses
overnight. Instead of working their way through the SIEM data
manually, however, the team launches a QRadar Incident
Forensics session with a simple click on the solution’s tab
on the QRadar Security Intelligence Platform console,
which assembles all the relevant packet captures, performs
extensive indexing, and returns detailed, multi-level search
results quickly, in most cases in minutes—if not seconds.
From an extensive array of data, ranging from the IP address
that originated the incident to a mailbox ID and a MAC
address, the solution reveals metadata categories that provide
identifying data for the attacker and the trail of events that the
attack left on the enterprise network. Utilizing elements of the
larger network context, the security team is able to determine
whether the SIEM data reveals an actual attack or whether it is
a false positive for an explainable event mistaken as an attack.
If the event is a false positive, the team knows to tune its
SIEM correlation rules so similar incorrect results are not
returned in the future. If the attack is real, the team can take
immediate actions to remediate the threat and help avoid
future incidents that use the same source or the same
techniques.
Building intelligence can help in navigating investigations
Attackers and breaches grow smarter and more sophisticated
daily. Organizations, in response, need smart defenses, made
even smarter by the intelligence in their networks.
By finding and reconstructing security incidents on the network
and presenting them in ways that support deeper interpretations,
insight into root causes and support for remediation, QRadar
Incident Forensics builds new intelligence for the defense organizations
need. The solution follows electronic breadcrumbs
left by attackers, identifies code injections or rogue asset additions,
sees device configuration and firewall rule changes—and
more. It achieves these defenses with three principal techniques:
creation of digital impressions, identification of suspect content
and categorization of network content.
Digital impressions
A digital impression is a powerful index of metadata that can
help an organization identify suspected attackers or rogue insiders
by following malicious user trails. In building these relationships,
QRadar Incident Forensics can draw data from network
sources such as IP addresses, MAC addresses and TCP ports
and protocols. It can find information such as chat IDs, and it
can read information such as author identification from word
processing or spreadsheet applications.
A digital impression can not only help the organization discover
the identity of an entity who attacked the network one time,
but it can also help uncover associations by linking the entity’s
identity to identifying information for other users or entities,
potentially revealing additional attacks.
Content categorization
Categorizing where network traffic comes from and distinguishing
between legitimate and malicious sources is key to protecting
against breaches. Security research organizations such as
X-Force maintain databases of URLs that track a location’s
reputation so that organizations can tell whether it might be
the source of an attack it has suffered—or of a potential attack in
the future.
Filtering and labeling data by category—for example, asking
whether an attempt at network access is coming from a trusted
business or a criminal organization—as well as limiting access
based on metadata and correlating relationships between organizations
can all play a role in keeping malware and harmful
actions from breaching the network.
[Figure: IBM Security QRadar solutions are the centerpiece for visibility, clarity and protection. The IBM QRadar Security Intelligence Platform sits at the center of five areas (user activity protection, data protection, advanced fraud protection, infrastructure protection and application security) covered by IBM Security Access Manager, IBM Security zSecure, IBM Security Privileged Identity Manager, IBM Security Identity Manager, IBM Security Directory Server, IBM Security Directory Integrator, IBM InfoSphere Guardium, Trusteer Apex, IBM Security Network Protection XGS, IBM Endpoint Manager and IBM Security AppScan.]
Suspect content
A data breach typically targets specific types of information—
Social Security numbers, credit card numbers, medical IDs or
intellectual property labeled “confidential,” for example.
QRadar Incident Forensics can help recognize those patterns of
information (simply query “confidential” in the search engine)
to quickly reveal theft, malicious damage or other activities that
can harm the organization. The security team can then remediate
the action and put into place measures designed to prevent
its recurrence.
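The workflow the paper sketches in its "nutshell" paragraph (retrieve PCAP data, reconstruct the embedded content, index contents and metadata), the digital impression pivot and the "confidential" keyword search of the Suspect content section, as one added example written for this edit; it is not IBM or QRadar code. It is a toy Python pipeline that parses a constructed pcap, reassembles each TCP flow, indexes addresses and extracted content, and pivots from a sender email address to the IP and MAC addresses behind it; the pcap builder, every address and message, and all function names are assumptions constructed for the example.

```python
"""Toy version of the workflow the paper sketches: read a raw packet capture, reassemble
each TCP flow's payload, index identifying metadata and content, then pivot between
indicators. Constructed example; not IBM or QRadar code; every address here is fabricated."""
import re
import struct
from collections import defaultdict

# Tiny builders so the example runs offline on a constructed capture.
_mac = lambda s: bytes.fromhex(s.replace(":", ""))
_ip = lambda s: bytes(int(o) for o in s.split("."))

def tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero, which the parser ignores."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(src_ip), _ip(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip + tcp

def pcap_bytes(frames):
    """Classic little-endian pcap: 24-byte global header (linktype 1 = Ethernet) + records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Yield (ts, src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload) per TCP/IPv4 packet."""
    e = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"  # byte order from magic
    off = 24
    while off + 16 <= len(data):
        ts, _usec, incl_len, _orig_len = struct.unpack_from(e + "IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP: this toy skips it
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl: 14 + struct.unpack_from("!H", frame, 16)[0]]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield (ts, frame[6:12].hex(":"), frame[0:6].hex(":"),
               ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])),
               sport, dport, bytes(tcp[(tcp[12] >> 4) * 4:]))

def reassemble_flows(packets):
    """Join payloads per (src_ip, sport, dst_ip, dport) in capture order; keep MACs as metadata."""
    flows, meta = defaultdict(bytes), {}
    for ts, smac, dmac, sip, dip, sp, dp, payload in packets:
        key = (sip, sp, dip, dp)
        flows[key] += payload
        meta.setdefault(key, {"first_seen": ts, "src_mac": smac, "dst_mac": dmac})
    return flows, meta

EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+")

def build_index(flows, meta):
    """Inverted index: indicator -> set of flow keys. Addresses and extracted content
    (email addresses, the keyword 'confidential') all become searchable terms."""
    index = defaultdict(set)
    for key, payload in flows.items():
        for term in (key[0], key[2], meta[key]["src_mac"], meta[key]["dst_mac"]):
            index[term].add(key)
        for addr in EMAIL_RE.findall(payload):
            index[addr.decode()].add(key)
        if b"confidential" in payload.lower():  # only visible once the split payload is rejoined
            index["keyword:confidential"].add(key)
    return index

def pivot(index, meta, term, field):
    """Values of `field` (src_ip, dst_ip, src_mac, dst_mac) across every flow matching `term`."""
    col = {"src_ip": 0, "dst_ip": 2}
    return {key[col[field]] if field in col else meta[key][field] for key in index.get(term, ())}

def sample_capture():
    """Constructed scenario: 10.0.0.5 mails a document marked CONFIDENTIAL to an external relay
    (payload split over two packets), then the same sender address appears in an upload to a
    second external host; an unrelated flow from 10.0.0.9 is background noise."""
    ws, gw = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:ff"
    frames = [
        (1000, tcp_frame(ws, gw, "10.0.0.5", "203.0.113.10", 50001, 25,
                         b"MAIL FROM:<mallory@example.com>\r\n\r\nThis file is CONFID")),
        (1001, tcp_frame(ws, gw, "10.0.0.5", "203.0.113.10", 50001, 25, b"ENTIAL, do not forward.\r\n")),
        (1050, tcp_frame(ws, gw, "10.0.0.5", "198.51.100.7", 50002, 80,
                         b"POST /upload HTTP/1.1\r\nX-User: mallory@example.com\r\n\r\n")),
        (1060, tcp_frame("aa:bb:cc:dd:ee:02", gw, "10.0.0.9", "203.0.113.10", 50003, 25,
                         b"MAIL FROM:<alice@example.com>\r\n\r\nlunch at noon?\r\n")),
    ]
    return pcap_bytes(frames)

def investigate(pcap=None):
    """Run the pipeline end to end, then pivot outward from the suspect sender address."""
    flows, meta = reassemble_flows(parse_pcap(pcap or sample_capture()))
    index = build_index(flows, meta)
    who = "mallory@example.com"
    return {"flows": len(flows),
            "confidential_flows": len(index["keyword:confidential"]),
            "source_ips_for_sender": pivot(index, meta, who, "src_ip"),
            "source_macs_for_sender": pivot(index, meta, who, "src_mac"),
            "destinations_for_sender": pivot(index, meta, who, "dst_ip")}

if __name__ == "__main__":
    print(investigate())
```

The keyword hit exists only because the two halves of the mail payload were rejoined first, which is the point of reassembling before indexing.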
Conclusion
Today’s sophisticated cyber attacks require a rapid and effective
response based on all available intelligence about the what, when
and how of the attack. The comprehensive and easy-to-use capabilities
of IBM Security QRadar Incident Forensics can provide
the visibility and clarity into a network security incident as well
as insight into the extent of breach activities that the security
team needs in order to remediate and prevent recurrences.
Using QRadar Incident Forensics, organizations can also
strengthen their documentation of regulatory compliance.
With insights gained through QRadar Incident Forensics, an IT
security team can be well positioned to craft an action plan that
leverages network intelligence and the organization’s full security
resources for a next-generation approach to security incident
forensics that supports network security, insider threat analysis—
including fraud and abuse—and the documentation of incident-related
evidence.
For more information
To learn more about IBM Security QRadar Incident
Forensics, please contact your IBM representative or
IBM Business Partner, or visit:
ibm.com/services/us/en/it-services/security-intelligence.html
About IBM Security solutions
IBM Security offers one of the most advanced and integrated
portfolios of enterprise security products and services. The
portfolio, supported by world-renowned X-Force research and
development, provides security intelligence to help organizations
holistically protect their people, infrastructures, data and applications,
offering solutions for identity and access management,
database security, application development, risk management,
endpoint management, network security and more. These
solutions enable organizations to effectively manage risk and
implement integrated security for mobile, cloud, social media
and other enterprise business architectures. IBM operates one of
the world’s broadest security research, development and delivery
organizations, monitors 15 billion security events per day in
more than 130 countries, and holds more than 3,000 security
patents.
Additionally, IBM Global Financing can help you acquire
the software capabilities that your business needs in the most
cost-effective and strategic way possible. We’ll partner with
credit-qualified clients to customize a financing solution to
suit your business and development goals, enable effective cash
management, and improve your total cost of ownership. Fund
your critical IT investment and propel your business forward
with IBM Global Financing. For more information, visit:
ibm.com/financing
[1] Ponemon Institute, “2013 Cost of Cyber Crime Study: United States,” October 2013. http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf
[2] Verizon RISK Team, “2013 Data Breach Investigations Report,” Verizon Communications, April 2013. http://www.verizonenterprise.com/DBIR/2013/
[3] IBM X-Force, “IBM X-Force Threat Intelligence Quarterly – 1Q 2014,” IBM Security Systems, February 2014. https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov21294
[4] Juniper Networks Mobile Threat Center, “Third Annual Mobile Threats Report: March 2012 through March 2013,” Juniper Networks, 2013. http://www.juniper.net/us/en/local/pdf/additional-resources/3rd-jnpr-mobile-threats-report-exec-summary.pdf
WGW03056-USEN-00

Telecommunications and Network Security Presentation
 
Packet sniffers
Packet sniffersPacket sniffers
Packet sniffers
 
Computer Hacking - An Introduction
Computer Hacking - An IntroductionComputer Hacking - An Introduction
Computer Hacking - An Introduction
 

Similar a What's behind a cyber attack

Information Securityfind an article online discussing defense-in-d.pdf
Information Securityfind an article online discussing defense-in-d.pdfInformation Securityfind an article online discussing defense-in-d.pdf
Information Securityfind an article online discussing defense-in-d.pdf
forladies
 
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptxLogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
CNSHacking
 
Ethical hacking a licence to hack
Ethical hacking a licence to hackEthical hacking a licence to hack
Ethical hacking a licence to hack
amrutharam
 

Similar a What's behind a cyber attack (20)

What Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVaultWhat Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVault
 
Window of Compromise
Window of CompromiseWindow of Compromise
Window of Compromise
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptx
 
Information Securityfind an article online discussing defense-in-d.pdf
Information Securityfind an article online discussing defense-in-d.pdfInformation Securityfind an article online discussing defense-in-d.pdf
Information Securityfind an article online discussing defense-in-d.pdf
 
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptxLogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
 
The future of cyber security
The future of cyber securityThe future of cyber security
The future of cyber security
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016
 
Cloud & Sécurité
Cloud & SécuritéCloud & Sécurité
Cloud & Sécurité
 
Intrusion Detection System using Data Mining
Intrusion Detection System using Data MiningIntrusion Detection System using Data Mining
Intrusion Detection System using Data Mining
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network Automation
 
Toward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationToward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network Automation
 
secureit-cloudsecurity-151130141528-lva1-app6892.pdf
secureit-cloudsecurity-151130141528-lva1-app6892.pdfsecureit-cloudsecurity-151130141528-lva1-app6892.pdf
secureit-cloudsecurity-151130141528-lva1-app6892.pdf
 
Avoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of ITAvoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of IT
 
Ethical hacking a licence to hack
Ethical hacking a licence to hackEthical hacking a licence to hack
Ethical hacking a licence to hack
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat Landscape
 
Cybersecurity After WannaCry: How to Resist Future Attacks
Cybersecurity After WannaCry: How to Resist Future AttacksCybersecurity After WannaCry: How to Resist Future Attacks
Cybersecurity After WannaCry: How to Resist Future Attacks
 
Incident Response: Don't Mess It Up, Here's How To Get It Right
Incident Response: Don't Mess It Up, Here's How To Get It RightIncident Response: Don't Mess It Up, Here's How To Get It Right
Incident Response: Don't Mess It Up, Here's How To Get It Right
 
Protective Intelligence
Protective IntelligenceProtective Intelligence
Protective Intelligence
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Get The Information Here For Mobile Phone Investigation Tools
Get The Information Here For Mobile Phone Investigation ToolsGet The Information Here For Mobile Phone Investigation Tools
Get The Information Here For Mobile Phone Investigation Tools
 

Último

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Último (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

What's behind a cyber attack

IBM Software
Thought Leadership White Paper
April 2014

What’s behind a cyber attack?
Gaining insight and clarity into the what, when and how of an enterprise security incident
Contents
2 Introduction
3 Attackers have an advantage—but they leave a retraceable trail
4 Advanced forensics can increase the enterprise advantage
4 Advanced forensics can enable a comprehensive security approach
5 Creating searchable information with QRadar Security Intelligence Platform
6 Investigations can be more comprehensive and productive
7 Security investigations can be faster and easier
8 How security teams view information is important to success
9 Building intelligence can help in navigating investigations
11 Conclusion
11 For more information
11 About IBM Security solutions

Introduction

Breaches happen. In today’s high-value, high-stakes enterprise environments, many organizations rightly assume not only that their data and computing systems will be attacked, but that a certain number of attacks will succeed. One study found, in fact, that 97 percent of organizations have experienced malware attacks.1

But recognizing the problem is only the first step—because the corollary to the assumption that future attacks are coming is the recognition that past attacks have already gained entry. So now what do you do? How do you learn the what, when and how of a security incident—and what its potential damage could be? The answers to these questions are critical to remediating damage and improving defense.

When investigating a breach, organizations need better visibility and clarity into network activity. And they need it fast. A recent study by Verizon Communications found that in 66 percent of cases, discovering a breach took months,2 during which time organizations faced potential damage to business operations, private data, intellectual property and brand image.

The challenge to avoiding damage stems from the complexity of using existing solutions for security-related data collection and breach investigation. With conventional solutions, gaining the necessary information and insight has been time consuming and difficult—if not impossible. Meanwhile, attackers employ increasingly sophisticated techniques and find surprising ease of success. Despite enterprise defenses, the Verizon study described 78 percent of initial intrusions as “low difficulty.”2 This white paper will examine the shortcomings of conventional breach investigation approaches and present IBM® Security QRadar® Incident Forensics, a fast, simple and comprehensive solution designed to help organizations defend against advanced persistent and internal threats, including fraud and abuse.
Using QRadar Incident Forensics, organizations can reassemble raw packet traffic data back into its original form for simplified analysis, and retrace the step-by-step actions of a potential attacker to help discover and remediate security incidents and reduce the chances of data exfiltration or recurrence of past breaches.

Attackers have an advantage—but they leave a retraceable trail

Theories of warfare call it an “asymmetrical advantage”—when the power, strategies or tactics of one army differ significantly from the other’s. It’s an appropriate term for the state of enterprise security today. Enterprises and cyber attackers are at war. And they are operating with vastly different requirements, expertise and motivations in mind.

The typical enterprise infrastructure contains thousands of devices and applications, an untold number of increasingly complex connections, and an undetermined number of unprotected vulnerabilities. To be successful, the external attacker or rogue insider needs to exploit only one weakness. The enterprise must address them all—and if the protection measures don’t work, it must find, track and remediate exploits that could be anywhere.

As a result, enterprises face an enormous task. The tracking database maintained by IBM X-Force® research and development, which has collected data on 78,000 publicly disclosed security vulnerabilities, added 8,330 new vulnerabilities in 2013 alone.3 In the one-year period ending March 2013, malware aimed at mobile platforms became a new attack vector that grew 614 percent, nearly 450 percent faster than a year earlier.4

On the side of the defenders, every action on the network—whether from inside or outside the organization, authorized or unauthorized—can be captured and analyzed as part of a security incident. Following these digital impressions can potentially reveal vulnerabilities, the actions an attacker takes to exploit them and the source of the attack. Many organizations have deployed traditional solutions, such as log management and security information and event management (SIEM) applications, that give them the basic capabilities for gathering log source events and netflow data, but lack full packet captures (PCAPs), which provide richer network context. Yet SIEM applications yield mountains of data not only from attackers but also from legitimate users—and most organizations have neither the time nor the resources to sift through it all to find specific strings of incriminating characters.

Conventional forensics solutions can be challenging to use
• Analysts must be skilled in network security investigations.
• Adding point security solutions with minimal integration typically increases complexity and cost.
• Determining where and how to begin an investigation can lead to lost productivity.
• Complex queries directed at packet capture repositories can be time-intensive, consume processing and storage resources, and fail to reveal the relationships necessary for remediation.
Advanced forensics can increase the enterprise advantage

In an enterprise attack, intrusions and defense are not the only asymmetrical elements. Events in the attack timeline typically weigh in favor of the attacker as well. Verizon has found that nearly 85 percent of such events take place in seconds, minutes or hours—with 68 percent of exfiltration occurring in the same period. Yet 62 percent of discovery occurs only after months have passed. And 77 percent of the remediation effort—including patching, configuration changes and intrusion blocking—requires days, weeks or months, all of it occurring after the initial discovery.2

Clearly, greater speed is a necessity in responding to a cyber attack. It can be critical to know immediately how widespread any related breach becomes. Discovering which devices or applications are affected and constructing an event timeline can tell administrators exactly where and when to apply their remediation efforts. For example: if physical devices were compromised by a person on site, locating the devices and tracking breach events can point investigators to security cameras that could identify the suspect.

These defense operations are complex, however, and cannot be undertaken manually. Instead, organizations need comprehensive, automated tools for converting their network packet captures into indexed, searchable information. Security teams can then use this information to rapidly determine threats and their characteristics, distinguish true attacks from false positives, and formulate proactive best practices for future actions based on a clearer understanding of the attack.

Using an advanced network forensics solution, investigators can have a fuller view of the trail of events in an attack, with identifying components such as IP and MAC addresses, application protocols, webhosts, user queries and SSL certificates. They can identify stolen data, such as Social Security or credit card numbers. And they can gather information that can help identify the source of the breach—whether an external attacker or an insider using proper authority for malicious purposes.

Emerging threats require clarity to detect and resolve
An advanced network forensics solution can give security analysts clarity of content, relationships and event sequence to resolve incidents. For example:
• Network security—A retailer needed to detect unauthorized duplication of customer payment data from point-of-sale (POS) systems to compromised internal systems.
• Fraud and abuse—A financial firm needed to uncover a sophisticated money-laundering scheme involving multiple seemingly unconnected interactions.
• Insider threat—A manufacturing firm needed to find the perpetrator, identify collaborators, and pinpoint the systems and data involved in stolen intellectual property.
• Evidence gathering—A security research firm needed to compile evidence against a malicious entity involved in breaching a secure system and stealing data.

Advanced forensics can enable a comprehensive security approach

In an effort to stop attacks and breaches, as well as comply with government and industry security regulations, many organizations have deployed network forensics solutions. In many cases, however, the security solutions they choose are point products that provide insights and responses that are dependent upon the skills of technically trained analysts.
Such an approach treats network forensics as a job for simple PCAP searches. But the serial deployments that result—layering one point solution on top of another as new capabilities become necessary—can obscure the organization’s true network security posture with unnecessary complexity. A better approach is to deploy a comprehensive forensics solution that can investigate not only PCAP data in motion, but also documents, databases and other data at rest.

Using the advanced, comprehensive network forensics solution from IBM, QRadar Incident Forensics, investigators can not only gather network information, they can also proactively search for possible breaches based on alerts issued by the X-Force threat intelligence feed. They can find network relationships and help identify incident sources. Then, using security incident-related network data and insights to understand why certain attacks succeeded, they can more effectively eradicate malicious activities associated with a breach. Administrators can facilitate the production of evidence to support legal actions or fulfill compliance audits.

Ultimately, the IT security team can use information and insights from QRadar Incident Forensics to help develop effective countermeasures and security best practices—updating perimeter defenses such as firewalls, endpoint patches and applications, frequently tuning anomaly detection capabilities, and writing multilevel SIEM correlation rules and proactive measures that reduce false positives and better identify attacks.

Creating searchable information with QRadar Security Intelligence Platform

So how does QRadar Incident Forensics work? In a nutshell: It begins after a security incident when a security analyst defines a search or a case, retrieving all associated PCAP data, reconstructing each embedded file, and then creating multiple indexes using the file contents and metadata. These steps produce searchable information that security teams can retain for long-term investigations of the incident.

Figure: Creating searchable information with an Internet search engine. Data sources: security devices, network and virtual activity, servers and mainframes, data activity, configuration information, application activity, users and identities, vulnerabilities and threats, global threat intelligence. Platform capabilities: automatic asset, service and user discovery and profiling; real-time correlation and threat intelligence; activity baselining and anomaly detection; built-in data classification; out-of-the-box incident detection; automated offense identification; directed forensics investigations. Outcomes: unlimited data collection, storage and analysis; rapid reduction in time to resolution through intuitive forensic workflow; ability of users to leverage intuition more than technical training; support for determining root cause and preventing recurrences.
Based on its core extraction and correlation capabilities, QRadar Incident Forensics can support the three principal operations of network security investigations:

Security incident response
Once a security breach is discovered, QRadar Incident Forensics can enable investigators to follow the attacker’s step-by-step actions in real time and develop a profile known as a digital impression—which traces a threat actor’s previous and current activity. The resulting insights can help the security team quickly remediate the incident and develop countermeasures against further damage.

Alert triage
SIEM solutions normally generate a limited number of suspected security offenses and then correlate them with other available security data. QRadar Incident Forensics, however, enables the security team to further investigate each potential offense to determine whether it is an actual attack or a false positive result. With conventional forensics solutions, these investigations can take weeks to resolve, depending upon analyst skill levels and responses from identified users. But by automatically combining information from the SIEM reports with historical information from the investigation and resolution of previous incidents, QRadar Incident Forensics can help dramatically reduce the time required to complete each investigation.

Proactive, defensive data exploration
From time to time, security teams search their network to determine its security posture. These searches could be based on an alert received from a threat intelligence organization such as X-Force or an internal policy of planned security activities. In any case, a search can be streamlined and made more effective with the advanced QRadar Incident Forensics solution’s simplified, search engine-like interface; categorization and filtering capabilities to reduce the volume of data returned; and pivot capabilities that enable a variety of search views.

Investigations can be more comprehensive and productive

QRadar Incident Forensics is designed to help organizations rapidly and thoroughly investigate malicious network activity by providing visibility and clarity into network security incidents. Available either as software or as a hardware appliance with software built in, the solution integrates seamlessly with IBM Security QRadar SIEM and IBM QRadar Security Intelligence Platform, as well as with most available third-party packet capture formats. The comprehensive approach gives IT security teams the ability to more easily and productively conduct investigations; make smarter, faster decisions by analyzing security data in the network context; and support effective remediation.

Using a search engine-like interface to handle data within or flowing through the network, QRadar Incident Forensics supports both incident-driven and threat intelligence-directed investigations to provide security teams with the underlying evidence that retraces digital impressions, categorizes external content and labels suspect content.

QRadar Incident Forensics indexes everything contained within the captured network traffic—ranging from documents to website images, and including the metadata and contents of both structured and unstructured data—to help reduce the time required to investigate offenses, in many cases from days to hours or even minutes. To enhance data intelligence and insights, the solution enables a powerful data pivoting capability for discovering and displaying extended relationships for searchable variables such as IP addresses, MAC addresses, email addresses, application protocols, SSL certificates and more.
The result is a richer, big-data view of network data, application and malicious user relationships than is provided by traditional network forensic tools that can use only processed PCAPs. With the help of electronic breadcrumbs, investigators can follow the path of malware or attackers and retrace the chronological interactions of incident events, helping investigators understand how to remediate breaches to reverse actions and prevent recurrences. Organizations can also document regulatory compliance.

Security investigations can be faster and easier

Conventional security solutions require extensive training—in some cases, even the ability to write code—to navigate collected PCAP data, understand the data’s meaning, and know what to do with it in order to remediate an attack and prevent future incursions. QRadar Incident Forensics, on the other hand, gives virtually any member of the security team—even junior members without extensive knowledge of security data—the ability to determine the full network context of a security incident.

An intuitive, free-form query interface built into QRadar Incident Forensics means that a search for network security incidents is as easy to formulate as looking for sports memorabilia using any popular Internet search engine. With the forensics solution integrated into the single-console management interface of QRadar Security Intelligence Platform, access to the full set of forensics capabilities is only a point and click away. And full network searches, in many cases, take only minutes or hours due to extensive indexing, rather than the days or weeks required by other solutions.

In many cases, QRadar Incident Forensics searches can make investigations faster and more comprehensive—helping identify data that may have been missed. Once the solution has retrieved and processed the raw PCAPs into rich document files, its search engine uses network, file and personal metadata indexes to return fast keyword searches of structured and unstructured data. It can even search stored network documents. The solution’s ability to provide information in context helps reveal threat levels and vulnerabilities. It generates multiple views of data that show relationships, timelines, and source and threat categories. And it enables users to refine searches with intelligent filtering for information such as IP and MAC addresses, application protocols or email addresses.

Figure: Investigating security incidents with IBM Security QRadar solutions. Discovery: IBM Security QRadar SIEM discovers an offense. Collect and process: IBM Security QRadar Incident Forensics reassembles and indexes the data. Locate breach: administrators can use this data to construct digital impressions leading them to the incident location. Remediate and contain: IT security teams can then assess the credibility of a true threat and use appropriate means to block the communication, patch the vulnerabilities, contain critical data in the event of an incident and remediate malicious actions to prevent a recurrence.

How security teams view information is important to success

Significantly, nothing on the network escapes the view of a directed QRadar Incident Forensics search case. A simple search for the word “confidential,” for example, can not only locate all documents labeled as such, but it can also uncover all events that involve an externally leaked document, identify paths where a copy may have been sent, and reveal the individual who initiated those actions.

Equally important, the solution can present information in a number of ways, allowing investigators to create the view that is best suited for the insights they need. The interface allows security staff to simply click on metadata to locate related information. It further enables investigators to pivot searchable variables and change the metadata field to see extended and perhaps unsuspected relationships. Beginning with an email address, for example, an investigator can discover the associated IP address and Internet login ID, then use the combined information to achieve clarity on who the attacker is and the trail of the attacker’s actions on the network.

Figure: Via IBM Security QRadar Incident Forensics, security teams can easily visualize relationships between suspect entities using IP addresses, email addresses, chat IDs and more.
The visibility and clarity provided by QRadar Incident Forensics is fundamental to an organization's efforts to eliminate and remediate security incidents. With more limited solutions, attacks can recur and malware can re-infect the infrastructure—because the security team missed an artifact of the attack.

Anatomy of an attack—and an intelligent response

Arriving at work, the enterprise security team discovers that its SIEM application found a number of new offenses overnight. Instead of working their way through the SIEM data manually, however, the team launches a QRadar Incident Forensics session with a simple click on the solution's tab on the QRadar Security Intelligence Platform console, which assembles all the relevant packet captures, performs extensive indexing, and returns detailed, multi-level search results quickly, in most cases in minutes—if not seconds. From an extensive array of data, ranging from the IP address that originated the incident to a mailbox ID and a MAC address, the solution reveals metadata categories that provide identifying data for the attacker and the trail of events that the attack left on the enterprise network.

Utilizing elements of the larger network context, the security team is able to determine whether the SIEM data reveals an actual attack or whether it is a false positive for an explainable event mistaken as an attack. If the event is a false positive, the team knows to tune its SIEM correlation rules so similar incorrect results are not returned in the future. If the attack is real, the team can take immediate actions to remediate the threat and help avoid future incidents that use the same source or the same techniques.

Building intelligence can help in navigating investigations

Attackers and breaches grow smarter and more sophisticated daily. Organizations, in response, need smart defenses, made even smarter by the intelligence in their networks.
By finding and reconstructing security incidents on the network and presenting them in ways that support deeper interpretations, insight into root causes and support for remediation, QRadar Incident Forensics builds new intelligence for the defense organizations need. The solution follows electronic breadcrumbs left by attackers, identifies code injections or rogue asset additions, sees device configuration and firewall rule changes—and more. It achieves these defenses with three principal techniques: creation of digital impressions, identification of suspect content and categorization of network content.

Digital impressions

A digital impression is a powerful index of metadata that can help an organization identify suspected attackers or rogue insiders by following malicious user trails. In building these relationships, QRadar Incident Forensics can draw data from network sources such as IP addresses, MAC addresses and TCP ports and protocols. It can find information such as chat IDs, and it can read information such as author identification from word processing or spreadsheet applications. A digital impression can not only help the organization discover the identity of an entity who attacked the network one time, but it can also help uncover associations by linking the entity's identity to identifying information for other users or entities, potentially revealing additional attacks.
Content categorization

Categorizing where network traffic comes from and distinguishing between legitimate and malicious sources is key to protecting against breaches. Security research organizations such as X-Force maintain databases of URLs that track a location's reputation so that organizations can tell whether it might be the source of an attack it has suffered—or of a potential attack in the future. Filtering and labeling data by category—for example, asking whether an attempt at network access is coming from a trusted business or a criminal organization—as well as limiting access based on metadata and correlating relationships between organizations can all play a role in keeping malware and harmful actions from breaching the network.

[Figure: IBM Security QRadar solutions are the centerpiece for visibility, clarity and protection. The IBM QRadar Security Intelligence Platform sits at the center of five areas: User activity protection, Data protection, Advanced fraud protection, Infrastructure protection and Application security. Products shown: IBM Security Access Manager, IBM Security zSecure, IBM Security Privileged Identity Manager, IBM Security Identity Manager, IBM InfoSphere Guardium, Trusteer Apex, IBM Security Network Protection XGS, IBM Endpoint Manager, IBM Security AppScan, IBM Security Directory Server, IBM Security Directory Integrator.]

Suspect content

A data breach typically targets specific types of information—Social Security numbers, credit card numbers, medical IDs or intellectual property labeled "confidential," for example. QRadar Incident Forensics can help recognize those patterns of information (simply query "confidential" in the search engine) to quickly reveal theft, malicious damage or other activities that can harm the organization. The security team can then remediate the action and put into place measures designed to prevent its recurrence.
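The "Digital impressions" and "Suspect content" sections above describe two techniques in general terms. The following is an added example, written for this page and not code from the white paper or from IBM QRadar, that shows the mechanics of both in a few dozen lines: identifiers (IP, MAC, email, chat ID, document author) observed together in reconstructed sessions are linked into an index, an investigator pivots from one clue (an email address) to everything transitively associated with it, and reconstructed document text is scanned for the kinds of content a breach typically targets. The session records, the field names and the document text are all constructed for the example; the Social Security number and payment card patterns are deliberately simple (a format check plus a Luhn checksum for card numbers), so a production scanner would need broader patterns and validation.

```python
"""Added example: a toy 'digital impression' index and suspect-content scan.

Models the two techniques the white paper describes at a high level:
  1. link identifiers seen together in reconstructed sessions, then pivot
     from one identifier to every identifier associated with it;
  2. scan reconstructed document content for data a breach typically targets
     (Social Security numbers, payment card numbers, 'confidential' labels).
All session records and document text below are constructed for the example;
the field names are assumptions, not a real product's schema.
"""
import re
from collections import defaultdict

# Constructed session metadata, as a forensics tool might extract it from
# reassembled traffic. None means the field was not observed in that session.
SESSIONS = [
    {"src_ip": "10.0.0.12", "src_mac": "00:11:22:33:44:55",
     "email": "alice@example.test", "chat_id": None, "doc_author": None},
    {"src_ip": "10.0.0.12", "src_mac": "00:11:22:33:44:55",
     "email": None, "chat_id": "alice_chat", "doc_author": None},
    {"src_ip": "203.0.113.7", "src_mac": None,
     "email": "alice@example.test", "chat_id": None, "doc_author": "A. Smith"},
    {"src_ip": "10.0.0.99", "src_mac": "66:77:88:99:aa:bb",
     "email": "bob@example.test", "chat_id": "bob_chat", "doc_author": None},
]

# Constructed document text recovered from a reconstructed file transfer.
SAMPLE_DOC = ("Quarterly forecast (CONFIDENTIAL). Customer SSN 123-45-6789, "
              "card 4111 1111 1111 1111; sample id 1234 5678 9012 3456.")


def build_impression_index(sessions):
    """Build an undirected graph: every identifier seen in a session is linked
    to every other identifier seen in the same session. Nodes are
    (field, value) pairs so that the same string in two fields stays distinct."""
    graph = defaultdict(set)
    for rec in sessions:
        ids = {(field, value) for field, value in rec.items() if value}
        for node in ids:
            graph[node] |= ids - {node}
    return graph


def pivot(graph, field, value):
    """Return every identifier transitively linked to (field, value): the
    'digital impression' an investigator reaches from one starting clue."""
    start = (field, value)
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, ()))
    seen.discard(start)
    return sorted(seen)


SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
CONF_RE = re.compile(r"\bconfidential\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_suspect_content(text):
    """Return (kind, value) findings for SSN-shaped strings, Luhn-valid card
    numbers and a 'confidential' label in the given text."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", digits))
    if CONF_RE.search(text):
        findings.append(("label", "confidential"))
    return findings


if __name__ == "__main__":
    index = build_impression_index(SESSIONS)
    for node in pivot(index, "email", "alice@example.test"):
        print("linked:", node)
    for finding in scan_suspect_content(SAMPLE_DOC):
        print("suspect:", finding)
```

Starting from alice's email address, the pivot reaches both IP addresses she used, her MAC address, her chat ID and the document author string, but none of bob's identifiers, because no session ever tied the two sets together. In the document scan, the "sample id" digit run has a card-like shape but fails the Luhn check and is not reported, which is the kind of false positive a pattern-only search would otherwise produce.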
Conclusion

Today's sophisticated cyber attacks require a rapid and effective response based on all available intelligence about the what, when and how of the attack. The comprehensive and easy-to-use capabilities of IBM Security QRadar Incident Forensics can provide the visibility and clarity into a network security incident as well as insight into the extent of breach activities that the security team needs in order to remediate and prevent recurrences. Using QRadar Incident Forensics, organizations can also strengthen their documentation of regulatory compliance.

With insights gained through QRadar Incident Forensics, an IT security team can be well positioned to craft an action plan that leverages network intelligence and the organization's full security resources for a next-generation approach to security incident forensics that supports network security, insider threat analysis—including fraud and abuse—and the documentation of incident-related evidence.

For more information

To learn more about IBM Security QRadar Incident Forensics, please contact your IBM representative or IBM Business Partner, or visit: ibm.com/services/us/en/it-services/security-intelligence.html

About IBM Security solutions

IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned X-Force research and development, provides security intelligence to help organizations holistically protect their people, infrastructures, data and applications, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. These solutions enable organizations to effectively manage risk and implement integrated security for mobile, cloud, social media and other enterprise business architectures.
IBM operates one of the world's broadest security research, development and delivery organizations, monitors 15 billion security events per day in more than 130 countries, and holds more than 3,000 security patents.

Additionally, IBM Global Financing can help you acquire the software capabilities that your business needs in the most cost-effective and strategic way possible. We'll partner with credit-qualified clients to customize a financing solution to suit your business and development goals, enable effective cash management, and improve your total cost of ownership. Fund your critical IT investment and propel your business forward with IBM Global Financing. For more information, visit: ibm.com/financing
1 Ponemon Institute, "2013 Cost of Cyber Crime Study: United States," October 2013. http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf

2 Verizon RISK Team, "2013 Data Breach Investigations Report," Verizon Communications, April 2013. http://www.verizonenterprise.com/DBIR/2013/

3 IBM X-Force, "IBM X-Force Threat Intelligence Quarterly – 1Q 2014," IBM Security Systems, February 2014. https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov21294

4 Juniper Networks Mobile Threat Center, "Third Annual Mobile Threats Report: March 2012 through March 2013," Juniper Networks, 2013. http://www.juniper.net/us/en/local/pdf/additional-resources/3rd-jnpr-mobile-threats-report-exec-summary.pdf

WGW03056-USEN-00