Download PDF - Codenomicon

More documents

Recommendations

Info

CODENOMICON WHITEPAPER - Proactive Cyber Security: Stay Ahead of Advanced Persistent Threats (APTs) Rapid Detection Attack Impact Advanced attacks are typically hard to detect, because they are designed to stay under the radar [15]. Moreover, there is a lot scattered information about Internet abuse and local security experts tend to lag behind the latest knowledge. They use detection rules that defend against latest threats to the best of their knowledge. However, their latest knowledge can be quite outdated when compared to global state-of-the-art abuse situation awareness. Good abuse situation awareness provides information on the current security landscape, making it easier to identify attacks. For example, when new C&C servers are reported by the security community, local actors can automatically deploy this new information to their sensors. Thus, abuse situation awareness allows you to discover incidents earlier, and also to detect advanced attacks that might not otherwise be noticed. With better abuse situation awareness, the human factor can be reduced [14]. STOP ABUSE HERE Infection Malware <strong>Download</strong>ed More devices corrupted The key to reducing the impact of cyber attacks is rapid detection [15]. According to the Verizon 2012 Security report, in 85% of incidents it took the attackers only a few minutes to compromise the victim, but it took them a day or longer to locate and exfiltrate data [16]. There is a window for mitigating the impact of cyber attacks, but according to the same report, it took the victims months or even years to discover the breaches [16]. To detect APTs at the earliest possible moment, security experts need quick access to the latest security information. To achieve this they need to actively monitor all possible sources of abuse information, something which cannot be executed manually. Information flood Better awareness of network incidents and internet abuse enables you to detect and react to attacks earlier. In most cases, organizations already have access to the correct information, but they are not fully using it [14]. Security personnel are drowned in disparate information from internal sources like log files, IDS/IPS alerts, network management tools and SIEM platforms [3]. In addition, there are many good external sources of threat information such as government channels, industry associations, commercial data feeds and abuse feeds provided by non-profit organizations such as Shadowserver. This information comes in a variety Critical resources accessed of formats, meaning that security personnel spend a lot of their manually collecting and processing the information [3]. The vast amount of information and poor processes result in security personnel being overwhelmed and susceptible to missing critical bits of information [14].
CODENOMICON WHITEPAPER - Proactive Cyber Security: Stay Ahead of Advanced Persistent Threats (APTs) 8 Automating Abuse Situation Awareness By automating the collection and processing of abuse information, security personnel can handle more information in shorter time and discover relevant information faster. Automating basic tasks frees up the security personnel’s time to do the actual analysis [3]. However, the lack of a common information sharing standard has been a major hindrance to automating abuse situation awareness [15]. Security notifications and abuse feeds come in a variety of formats, including not machine-readable formats [3]. Especially following external threat information sources involves sifting through emails, website postings and other human communications. Instead of waiting for an ideal information sharing format, organizations should employ practical security collaboration solutions [15], such as AbuseSA. Collaboration The best results are achieved by fully automating the feedersproxies-cleaners information chain. Through collaboration, each organization can scale their security expertise, speed up attack detection and improve remediation [15]. The feeders are best at discovering Internet abuse [17]. The proxies have the best expertise and resources for collecting, aggregating and reporting abuse information provided by the international security community [17]. Actual attack mitigation needs to be done by the cleaners, because only they have access to their networks [17]. However, the availability of actionable abuse information collected and reported by the feeders and proxies makes their task a lot easier. 9 Botnet-Inspired Situation Awareness System (AbuseSA) Feeders, Proxies and Cleaners Actors in the abuse situation awareness field can be divided into three groups: feeders, proxies and cleaners [17]. Feeders monitor network incidents and provide data for abuse notifications which can be fed to other organizations [17]. Feeders are security vendors, industry organizations, government channels and non-commercial organizations, like Shadowserver, Zone-H and DShield [17]. The proxies, that is CERTs, ISP abuse teams and government defense organizations, are in charge of informing their stakeholders about abuse [17]. The stakeholders or the cleaners are organizations, enterprises, ISPs, critical infrastructure providers that are responsible for keeping their own networks clean [17]. The AbuseSA is a botnet-inspired system for automatically collecting and sharing abuse situation awareness [17]. Similar systems have been used by the Finnish and Estonian national CERTs for automated abuse handling [17]. Before they became associated with malicious purposes, small software modules, or bots, were used for administrating Internet relay chat (IRC) rooms [18]. Administrating chat rooms was time consuming and bots could be used automate this task [18]. Criminals took this approach and used it to create huge botnets. By joining hundreds of thousands of infected PCs to IRC command and control (C&C) channels the criminals could control their net- Feeders produce data which AbuseSA users collect, process and report systematically to protect Abuse Feeds / Intelligence Proxies Cleaners Citizens • Non-profit and commercial organizations • Shadowserver, Zone-H, DShield, Abuse.ch, Malwaredomainlist and tens or more. • National and Governmental CERTS • Cyber Defense Organizations • ISP Abuse Teams • ISPs • Critical Infrastructure Providers • Govermental Organizations Critical Infra Figure 5: Feeders, Proxies and Cleaners. [17]
Page 1 and 2: Codenomicon whitepaper: Proactive C
Page 3 and 4: CODENOMICON WHITEPAPER - Proactive
Page 5: CODENOMICON WHITEPAPER - Proactive

Download PDF - Codenomicon

Create successful ePaper yourself

Delete template?

Save as template?