Presentation

Redefining Cyber Security in the Age of Targeted Attacks
Freddy Tan, SMSCS, CISSP, MAISP
March 24, 2015
Agenda
• New Threat Landscape
• What is Zero-Day?
• Who is being targeted?
• Real Attack Use Cases
Current State of Cyber Security
NEW THREAT LANDSCAPE
• Coordinated Persistent Threat Actors
• Dynamic, Polymorphic Malware
• Multi-Vector Attacks
• Multi-Staged Attacks
Source: http://venturebeat.com/2014/08/29/jp-morgans-security-breach-points-to-broader-issues-in-cyber-security/
Global cyber threat landscape is fast evolving
• 95% of companies in APAC compromised
• 67% of companies learned they were breached from an external entity
• 100% of victims had up-to-date anti-virus signatures
Timeline: INITIAL BREACH -> THREAT UNDETECTED -> REMEDIATION
• 205 days (~9 months): median number of days attackers are present on a victim network before detection.
Source: Mandiant M-Trends 2014 Report
What is a Zero Day?
The Basics
Attacker's Goal: Issue instructions on the victim PC
Types of attack
• Fool the Human: Social Engineering
• Fool the Computer: Exploitation
Types of attack: End User Social Engineering (Fool the Human: Social Engineering)
Requirements:
• Malware must not be caught by signature
Examples:
• Performance.exe
• freeAVtool.exe
• Resume.pdf.exe
Pros:
• Easy to build
Cons:
• Hard to trick users to run EXEs
Types of attack: Vulnerability Exploitation (Fool the Computer: Exploitation)
Requirements:
• Malware must not be caught by signature
• Vulnerable application must be present
• Vulnerability must not be patched
Examples:
• Visit a web page, open a PDF, open a DOC
Pros:
• Easy to get users to open documents
• Don't need to trick users to run an EXE
Cons:
• Hard to build to meet requirements
For Example …
The good news is vulnerabilities are patched
Patch Tuesday (from Wikipedia, the free encyclopedia): Patch Tuesday occurs on the second Tuesday of each month in North America, on which Microsoft regularly releases security patches.
A vulnerability for which a patch does not exist or is not yet released is a zero-day vulnerability; an attack that exploits it is a zero-day attack.
Who is being attacked?
Countries in APJ are 35% more likely to be targeted by advanced cyber attacks than the world as a whole
APT Exposure, Global vs. APJ Countries: Taiwan 75.0%, South Korea 61.4%, Hong Kong 60.5%, Philippines 56.3%, Australia 50.0%, APJ 49.2%, Singapore 41.7%, Thailand 38.5%, Global 36.5%, India 36.1%, Japan 25.6%
• >40% of global DDoS attacks from APAC
• >80% of APTs in APAC in South Korea, HK, Taiwan and Japan
• >95% of APAC enterprises unknowingly host compromised PCs
• Govt & High Tech account for 50% of all APT detections in APAC
Structure of a Multi-Flow APT Attack
1. Exploit Server: embedded exploit alters the endpoint
2. Callback Server: callback
3. Encrypted Malware: encrypted malware downloads
4. Command and Control Server: callback and data exfiltration
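As an added example (not part of the presentation), the four stages above expressed as a defender's correlation rule: each host's proxy events are classified into a stage and only advance the host when they arrive in sequence, so a lone beacon or a lone binary download does not alert but the full exploit, callback, payload, exfiltration chain does. The log lines, server names and byte thresholds are constructed for this example.

```python
from collections import defaultdict
# Constructed sample proxy log (not from the presentation). Fields:
# time host method url status bytes_in bytes_out content_type
SAMPLE_LOG = """\
09:00:01 pc-17 GET http://news.example/story.html 200 8412 512 text/html
09:00:03 pc-17 GET http://ads-cdn.example/swf/loader.swf 200 33120 400 application/x-shockwave-flash
09:00:09 pc-17 POST http://cb.example/ping 200 120 96 text/plain
09:00:12 pc-17 GET http://cb.example/dl/a.bin 200 410000 300 application/octet-stream
09:05:00 pc-17 POST http://c2.example/up 200 110 2100000 application/octet-stream
09:01:00 pc-22 GET http://news.example/story.html 200 8412 512 text/html
09:01:05 pc-22 POST http://chat.example/keepalive 200 120 90 text/plain
09:01:09 pc-22 GET http://files.example/setup.bin 200 410000 300 application/octet-stream
"""
# Heuristic thresholds; assumptions for this example, tune them to your environment.
EXPLOIT_TYPES = {"application/x-shockwave-flash", "application/java-archive", "application/pdf"}
BEACON_MAX = 256       # tiny request and tiny response: a callback beacon
PAYLOAD_MIN = 100_000  # bytes in: opaque download large enough to be the second-stage payload
EXFIL_MIN = 1_000_000  # bytes out: large upload, i.e. data exfiltration

def parse(line):
    t, host, method, url, status, b_in, b_out, ctype = line.split()
    return {"time": t, "host": host, "method": method, "url": url, "status": int(status),
            "bytes_in": int(b_in), "bytes_out": int(b_out), "ctype": ctype}

def classify(ev):
    """Map one event to an attack stage 1-4 (exploit, callback, payload, exfil) or 0."""
    if ev["method"] == "GET" and ev["ctype"] in EXPLOIT_TYPES:
        return 1
    if ev["method"] == "POST" and ev["bytes_in"] <= BEACON_MAX and ev["bytes_out"] <= BEACON_MAX:
        return 2
    if ev["method"] == "GET" and ev["ctype"] == "application/octet-stream" and ev["bytes_in"] >= PAYLOAD_MIN:
        return 3
    if ev["method"] == "POST" and ev["bytes_out"] >= EXFIL_MIN:
        return 4
    return 0

def correlate(log_text):
    """Return {host: highest stage reached}; a stage counts only after the previous one."""
    events = sorted((parse(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: (e["host"], e["time"]))
    progress = defaultdict(int)
    for ev in events:
        # Only the next stage in sequence advances the host, so pc-22's isolated
        # keepalive POST and ordinary large download never trip the chain.
        if classify(ev) == progress[ev["host"]] + 1:
            progress[ev["host"]] += 1
    return dict(progress)

def flagged_hosts(log_text, min_stage=3):
    """Hosts that reached at least `min_stage` (payload download by default)."""
    return sorted(h for h, s in correlate(log_text).items() if s >= min_stage)
```

Running `correlate(SAMPLE_LOG)` on the constructed log reports pc-17 at stage 4 and pc-22 at stage 0, so only pc-17 is flagged.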
Disclaimer: The material that follows is a presentation of general background information about Singtel's activities current at the date of the presentation. The information contained in this document is intended only for use during the presentation and should not be disseminated or distributed to parties outside the presentation. It is information given in summary form and does not purport to be complete. It is not to be relied upon as advice to investors or potential investors and does not take into account the investment objectives, financial situation or needs of any particular investor. This material should be considered with professional advice when deciding if an investment is appropriate.