APT Webinar
1. ADVANCED PERSISTENT THREAT
BREAKING THE ATTACK CYCLE
Presented By:
Joe Schorr
Enterprise Security Practice Manager
800.747.8585 | help@cbihome.com
2. CBI Introduction
Information Technology and Security Solutions Provider
• Symantec Partner of the Year, Finalist
• Symantec Platinum Partner
• Globally capable, superior technical service
Experienced Professionals
• Operating for 20 years, serving more than 500 clients worldwide.
• Broad customer base ranging from mid-size to Fortune 100
Experienced in Variety of Industries
• Healthcare
• Government
• Banking & Financial Services
• Legal
• Manufacturing
• Retail
• Education
3. Enterprise Security Practice
Joe Schorr: Enterprise Security Practice Manager
Managing Consultant for the BT Ethical Hacking Center of Excellence
CIO for a large non-profit
Global Program Manager – International Network Services
Practice areas: Endpoint Security | Enterprise Server Management | Datacenter Management | IT GRC Management
4. APT Defined
APT is a group of sophisticated,
determined and coordinated attacks
and attackers that have been
systematically targeting, exploiting
and compromising U.S. Government
and private networks.
5. “APT”
Advanced means the adversary can operate in the full spectrum
of computer intrusion. They can use the most pedestrian publicly
available exploit against a well-known vulnerability, or they can
elevate their game to research new vulnerabilities and develop
custom exploits, depending on the target’s posture.
Persistent means the adversary is formally tasked to
accomplish a mission. They are not opportunistic
intruders. Like an intelligence unit they receive directives
and work to satisfy their masters. Persistent does not
necessarily mean they need to constantly execute
malicious code on victim computers. Rather, they
maintain the level of interaction needed to execute their
objectives.
Threat means the adversary is not a piece of mindless code. This point is
crucial. Some people throw around the term “threat” with reference to
malware. If malware had no human attached to it (someone to control the
victim, read the stolen data, etc.), then most malware would be of little
worry (as long as it didn’t degrade or deny data). Rather, the adversary
here is a threat because it is organized and funded and motivated. Some
people speak of multiple “groups” consisting of dedicated “crews” with
various missions.
7. Recent Events & Evidence
A picture of the hacking
software shown during
the Chinese military
program. The large
writing at the top says
"Select Attack Target."
Next, the user chooses
an IP address to attack
from (it belongs to an
American university).
The drop-down box is a
list of Falun
Gong websites, while
the button on the left
says "Attack."
8. RSA and .gov Contractors
13. ‘Duqu’ the Son of STUXNET
14. Attack Cycle
Step 1: Reconnaissance
Step 2: Delivery of exploit; enter target
Step 3: Create backdoor; contact Command & Control (C&C) servers
Step 4: Obtain user credentials; install tools; escalate privileges
Step 5: Data theft and exfiltration
Step 6: Persistence; residency
15. What does this look like?
1. Target selected from shopping list
2. Passive searching: 'Google-Fu'
3. Cyber-stalking via Facebook and LinkedIn
4. Select individuals for a spear-phishing attack
5. Social-engineer custom mail to targets
6. Payload deploys, begins harvesting credentials
7. 'Owns' servers and establishes a backdoor; establishes tunnels, typically over ports 443 and 53
8. Takes data, compresses and encrypts it, and sends it home
9. Dormancy until further orders
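Steps 7 and 8 above are where monitoring has a real chance: an implant that tunnels over port 53 must push its compressed, encrypted (hence high-entropy) data through DNS labels, so one registered domain accumulates many distinct, long, random-looking subdomains. The Python below is an added example written for this page, not code from the webinar, CBI or Symantec. It assumes a DNS query log in the form `<epoch> <src_ip> <qtype> <qname>` (the sample lines are constructed), extracts the registered domain with a naive "last two labels" rule (a production detector would use the Public Suffix List), and scores each domain on distinct-subdomain count, mean leftmost-label length and mean Shannon entropy. The thresholds are illustrative and should be tuned against your own baseline.

```python
import math
from collections import defaultdict

# Constructed sample DNS log, format "<epoch> <src_ip> <qtype> <qname>".
# Six TXT queries to cdn-metrics.net carry 32-character hex labels, the shape
# a DNS tunnel produces; the example.com queries are ordinary workstation traffic.
SAMPLE_LOG = """\
1700000001 10.1.4.22 A www.example.com
1700000002 10.1.4.22 A mail.example.com
1700000003 10.1.4.22 A login.example.com
1700000004 10.1.4.22 A calendar.example.com
1700000005 10.1.4.22 A docs.example.com
1700000006 10.1.4.23 TXT 0123456789abcdeffedcba9876543210.cdn-metrics.net
1700000007 10.1.4.23 TXT f0e1d2c3b4a5968778695a4b3c2d1e0f.cdn-metrics.net
1700000008 10.1.4.23 TXT 02468ace13579bdfbdf97531eca86420.cdn-metrics.net
1700000009 10.1.4.23 TXT 13579bdf02468acec8a6420e1fdb9753.cdn-metrics.net
1700000010 10.1.4.23 TXT 89abcdef0123456776543210fedcba98.cdn-metrics.net
1700000011 10.1.4.23 TXT fedcba98765432100123456789abcdef.cdn-metrics.net
1700000012 10.1.4.24 A example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score near log2(alphabet size)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive 'last two labels' split. Assumption for illustration only;
    a real detector should consult the Public Suffix List (co.uk etc.)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_dns_log(log_text: str) -> dict:
    """Per registered domain: distinct leftmost labels, their mean length and mean entropy."""
    per_domain = defaultdict(lambda: {"labels": set(), "lens": [], "ents": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines rather than abort the run
        qname = parts[3].lower().rstrip(".")
        labels = qname.split(".")
        if len(labels) < 3:
            continue                      # bare registered domain: no subdomain to measure
        left = labels[0]
        stats = per_domain[registered_domain(qname)]
        stats["labels"].add(left)
        stats["lens"].append(len(left))
        stats["ents"].append(shannon_entropy(left))
    return {
        dom: {
            "unique": len(s["labels"]),
            "mean_len": sum(s["lens"]) / len(s["lens"]),
            "mean_entropy": sum(s["ents"]) / len(s["ents"]),
        }
        for dom, s in per_domain.items()
    }


def flag_tunnel_candidates(log_text: str, min_unique: int = 5,
                           min_mean_len: int = 16, min_entropy: float = 3.0) -> list:
    """Domains that look like a covert channel: many distinct, long, high-entropy labels.
    All three conditions must hold; unique-count alone would also flag busy legitimate
    domains such as example.com in the sample. Thresholds are illustrative assumptions."""
    scores = score_dns_log(log_text)
    return sorted(
        dom for dom, s in scores.items()
        if s["unique"] >= min_unique
        and s["mean_len"] >= min_mean_len
        and s["mean_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    for dom, s in score_dns_log(SAMPLE_LOG).items():
        print(f"{dom:18} unique={s['unique']:2} mean_len={s['mean_len']:5.1f} "
              f"entropy={s['mean_entropy']:.2f}")
    print("tunnel candidates:", flag_tunnel_candidates(SAMPLE_LOG))
```

On the sample, example.com has five distinct subdomains but a mean label length under 5 and low entropy, so it is not flagged; cdn-metrics.net has six distinct 32-character labels at 4.0 bits per character and is. The same three measures applied to TLS SNI names or HTTP Host headers on port 443 catch the other tunnel the slide mentions.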
17. 6 recommendations
MONITOR! Yes, this means a SIM (security information management) system, and it also means reviewing what it reports DAILY. If you have challenges in this area, consider an MSS (managed security service) solution.
MANAGE! access control systems. User management and passwords are not sexy, but weak management of this important, basic operational task provides a HUGE attack vector.
ENGINEER! your WHOLE network to be secure. The security architecture is not just routers and firewalls. Server, endpoint and application security are just as important to a healthy, well-defended enterprise.
PATCH! Don't let the 'I'll wait for others to go first...' mentality lead to inertia. Bad patch management has a direct role in most server and application exploits.
TEST! your security. Early and often.
STOP! the leaks.
18. Symantec DLP Overview
Storage: Symantec™ Data Loss Prevention Network Discover; Symantec™ Data Loss Prevention Data Insight; Symantec™ Data Loss Prevention Network Protect
Endpoint: Symantec™ Data Loss Prevention Endpoint Discover; Symantec™ Data Loss Prevention Endpoint Prevent
Network: Symantec™ Data Loss Prevention Network Monitor; Symantec™ Data Loss Prevention Network Prevent
Management Platform: Symantec™ Data Loss Prevention Enforce Platform
19. DLP Progress Model
[Chart: Incidents Per Week (y-axis, 0 to 1000) plotted across four phases. Baseline: establish initial policies; identify broken business processes. Remediation: employee and business unit communication; fix broken business processes; enable EDM/IDM. Notification: sender auto notification; business unit risk scorecard. Prevention. Caption: Risk Reduction Over Time, Client Company.]
20. EndPoint Progress
[Chart identical to the slide 19 DLP Progress Model chart: Incidents Per Week across the Baseline, Remediation, Notification and Prevention phases; Risk Reduction Over Time, Client Company.]
21. Network Progress
[Chart identical to the slide 19 DLP Progress Model chart: Incidents Per Week across the Baseline, Remediation, Notification and Prevention phases; Risk Reduction Over Time, Client Company.]
22. Storage Progress
[Chart identical to the slide 19 DLP Progress Model chart: Incidents Per Week across the Baseline, Remediation, Notification and Prevention phases; Risk Reduction Over Time, Client Company.]
23. Desired State for Data Loss
The primary goals of using Symantec’s DLP solution are to:
1. Protect confidential and regulated data from leaking or misuse based
on corporate business practices
2. Meet or exceed all government regulatory data protection
requirements
3. Protect the Client Company brand and image.
24. Desired State for Data Loss
The DLP solution should perform the following functions:
1. Identify data based on current government regulations and company policies
2. Be tuned to minimize false positives
3. Educate users on proper data handling policies
4. Notify appropriate parties of data leakage or misuse
5. Block data leakage or misuse
6. Find sensitive data in file shares and SharePoint
7. Determine who is using data
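Items 1 and 2 of that list pull against each other: a pattern that identifies "any 16-digit number" as a card number also fires on order and tracking IDs, and a team drowning in those incidents stops reading them. The Python below is an added example for this page; it is not Symantec DLP policy syntax and not code from the deck. It shows a described-content detector for payment card numbers and US Social Security numbers that validates each regex candidate (Luhn checksum for cards; SSA area, group and serial rules for SSNs) before raising an incident, and redacts the matched value in the incident record. The sample messages are constructed, and the policy names PCI-PAN and US-SSN are illustrative.

```python
import re

# Constructed sample messages (not real data). 4111111111111111 is the
# widely published Visa test number and passes the Luhn check; the tracking
# number is a 16-digit string that does not. 000-12-3456 and 123-45-0000
# have the shape of an SSN but violate the SSA area/serial rules.
SAMPLE_MESSAGES = [
    ("ticket-1", "Customer card 4111 1111 1111 1111 exp 09/27, please refund."),
    ("ticket-2", "Tracking number 1234567890123456 shipped yesterday."),
    ("ticket-3", "Applicant SSN 123-45-6789 attached to onboarding form."),
    ("ticket-4", "Placeholder id 000-12-3456 and serial 123-45-0000 are invalid."),
    ("ticket-5", "Nothing sensitive here, just a lunch menu."),
]

# Candidate patterns are deliberately loose; validation does the real work.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")          # 16 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum carried by every payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                   # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    if area in ("000", "666") or area[0] == "9":
        return False
    return group != "00" and serial != "0000"


def naive_card_matches(text: str) -> list:
    """What a bare 16-digit pattern flags with no validation: the false-positive baseline."""
    return [m.group(0) for m in CARD_RE.finditer(text)]


def scan_message(msg_id: str, text: str) -> list:
    """Validated findings for one message; the incident keeps only the last four digits."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append({"message": msg_id, "policy": "PCI-PAN",
                             "redacted": "*" * (len(digits) - 4) + digits[-4:]})
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            findings.append({"message": msg_id, "policy": "US-SSN",
                             "redacted": "***-**-" + m.group(3)})
    return findings


def scan_messages(messages) -> list:
    """Run the validated scan over (message_id, text) pairs in order."""
    out = []
    for msg_id, text in messages:
        out.extend(scan_message(msg_id, text))
    return out


if __name__ == "__main__":
    naive = sum(len(naive_card_matches(t)) for _, t in SAMPLE_MESSAGES)
    findings = scan_messages(SAMPLE_MESSAGES)
    print(f"naive card hits: {naive}, validated incidents: {len(findings)}")
    for f in findings:
        print(f["message"], f["policy"], f["redacted"])
```

On the sample the loose card pattern fires twice (the real test card and the tracking number); the validated scan raises one PCI-PAN incident and one US-SSN incident and ignores the two malformed SSNs. Checksum and range validation is the cheapest first tuning step; exact data matching against the customer database (EDM) and document fingerprinting (IDM) come after it.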
25. Examples of Successful DLP Outcomes
1. Internet traffic is monitored and incidents are created when
suspected or confidential data leaves via email or other web
process.
2. Endpoint activity is monitored and incidents are created when
suspected or confidential data is transferred to USB drives.
3. Manual searches on datastores can be performed if needed
4. General process for handling data breach incidents is established
26. Recommendations
1. Upgrade to Symantec Data Loss Prevention version 11.1
2. Refine Existing Policies and Responses
3. Run Network Discover scans
4. Begin using notifications
5. Deploy Email Network Prevent with Symantec Messaging
Gateway
6. Deploy Web Network Prevent with Symantec Web Gateway or
other ICAP proxy server.
7. Deploy Data Insight
27. Global Intelligence Network
Identifies more threats, takes action faster & prevents impact
Sites: Calgary, Alberta; Dublin, Ireland; Reading, England; Tokyo, Japan; San Francisco, CA; Mountain View, CA; Austin, TX; Chengdu, China; Alexandria, VA; Culver City, CA; Taipei, Taiwan; Chennai, India; Pune, India; Sydney, Australia
Worldwide Coverage | Global Scope and Scale | 24x7 Event Logging | Rapid Detection
• Attack Activity: 240,000 sensors; 200+ countries and territories
• Malware Intelligence: 150M client, server, and gateways monitored; global coverage
• Vulnerabilities: 35,000+ vulnerabilities; 11,000 vendors; 80,000 technologies
• Spam/Phishing: 5M decoy accounts; 8B+ email messages/day; 1B+ web requests/day
Preemptive Security Alerts | Information Protection | Threat Triggered Actions
28. Next Steps
Security and Advisory Assessments
– In-depth, consultative engagements
– Evaluate and improve your overall security program
– Address specific concerns (e.g. PCI/ mobile security issues)