Roger Cressey
Sharm el Sheikh, Egypt
April 12, 2012
• One of the oldest, largest and most experienced strategy and technology consulting firms
  – Founded in 1914
  – 25,000+ professionals
  – $5 Billion in Annual Sales
• Our business model is driven by global industry practices emphasizing industry expertise to better serve clients
• We bring a global perspective — have served clients in over 40 countries
• We are not aligned with any other integration firms or software vendors – we bring an objective and independent viewpoint to all of our clients

With deep expertise in both strategy and technology, Booz Allen transcends conventional categories of consulting
Booz Allen teams work together with clients to help them succeed…
…through the continual interplay of insight and action
Producing results that endure tomorrow
• Booz Allen delivers end-to-end strategy-based transformation solutions through multi-disciplinary skills…
• … and through our industry expertise which spans virtually every major industry sector
Mission: Booz Allen combines strategy with technology, and insight with action, working with clients to deliver results today that endure tomorrow
This document includes Privileged and Confidential information that shall not be disclosed outside of Booz Allen Hamilton and shall not be
duplicated, used, or disclosed—in whole or in part—for any purpose other than to evaluate these discussions.
The significant increase in the sophistication and frequency of cyber attacks (public and non-public) presents material risks to organizations

Representative Attacks
• Lockheed Martin (2011): Perpetrators infiltrated major network linked to Departments of Defense and Homeland Security
• Citibank (2009): Alleged nation-state attack targeting Citigroup that resulted in a theft of tens of millions of dollars
• Night Dragon (2011): Covert and multidimensional cyber attacks conducted against global oil, energy, and petrochemical companies; endangers critical infrastructure
• RSA (2011): Computer-security breach against SecurID tokens victimized over 760 companies worldwide
A variety of cyber threat actors have emerged over the recent years that target the vulnerabilities across cyber programs worldwide

Capabilities by threat sophistication, from Low to High (APT):
• Website defacement, Denial of Service (DoS), Phishing scams
• Viruses, worms, trojans, Distributed Denial of Service (DDoS), web-based attacks, SQL injection
• Malware, botnets, web-based attacks
• Physical access to transmit, download, or copy information
• Remote access tools (RAT), custom exploits, spear-phishing, zero-day exploits

(1) Costs are UNITED STATES ONLY and based on disparate data, individual case studies, and broad estimates
Sources: “Foreign Spies Stealing US Economic Secrets in Cyberspace.” Office of the National Counterintelligence Executive. October 2011; “Second Annual Cost of Cybercrime Study.” Ponemon Institute. August 2011; “Sony Data Breach Cleanup to Cost $171 Million.” Information Week. May 23, 2011.
APTs constitute a mature attack and introduce a new paradigm of cyber security threats

Basic
• Examples: Generic phishing scams; Attacks against organizations with little-to-no security – weakest in the herd/opportunistic approach; Cyber techniques available on internet/open source
• Types of Attackers: Amateur hackers; Scam artists
• Maturity Level: Simple, easily accessed tools, done by amateur hacker and not particularly targeted

Advanced
• Examples: Distributed Denial of Service; Targeted private data extraction; Extortion as motive; Customized tools; Developed techniques
• Types of Attackers: Extortionists; Mature cyber criminals
• Maturity Level: Technically mature, developed by advanced individuals or teams, but not coordinated or targeted

APTs
• Examples: Highly sophisticated adversaries who can bypass virtually all of today’s “best practice” security controls; Primary goal is long-term, persistent occupation for data theft, intelligence espionage, and other malicious activities
• Types of Attackers: Nation states; Sophisticated adversaries
• Maturity Level: Sophisticated, planned over long periods, extremely complex, and targeted
Because APTs are targeted at one specific organization, they must be treated as primarily agent-oriented (people) problems

APTs Differ from Traditional Threats in Two Significant Ways

APTs are Persistent (Targeted)
• Underlying cause of APTs is desire to acquire assets from or disrupt a single organization
• Because of high cost of mounting an APT attack, only large, highly-influential organizations are typically targeted
  – Target of high strategic value to attacker
  – Attackers typically well-funded, organized
• Attackers will not use commodity attacks: will find and breach any potential vulnerability
  – Many APT entry-points are social in nature
• Must consider APTs as an actor threat requiring a comprehensive mitigation strategy

APTs are Advanced
• Because attackers are interested in breaching a specific organization regardless of cost, most technological attacks are highly-customized
  – Attacks tend to be over multiple vectors and sometimes crafted around 0-day exploits
  – Traditional signature-based detection (AV and IDS) is generally ineffective
• Given a breach, because APTs are agent-oriented threats, simply patching the technology is insufficient
  – If organization remains unhardened, attacker will simply craft new payload
  – Traditional cyber security focuses mainly on technological vulnerability, not the attacker: will not work for APTs

Because attackers are persistent during an APT, attacks are advanced (i.e. many vectors, complex)
APTs make a significant investment in their target and will vary and escalate their techniques and not move on to another victim

Notional APT Approach
1. Adversary collects non-traditional attack information
2. The adversary creates a highly socialized, targeted e-mail message that potentially contains previously unknown malicious code – spear phishing
3. If phishing attempt successful, the adversary immediately connects to the victim’s workstation
4. The adversary will quickly install additional channels to ensure access to the internal network
5. The APT will quickly entrench themselves at the enterprise level
6. Data is collected and exfiltrated from the network

Network Compromised: There is no “typical” APT approach… attackers will keep trying until they gain network access

Your opponent is a determined individual or organization, not a technology
Organizations with sensitive data need to be especially wary of APTs: marginal improvements in traditional security are not enough

Target: Anti-Virus
• Motivation: Attackers have planted common attack vectors on organization computers; Anti-viral software detects and removes such vectors
• Result: Anti-viral software unable to detect custom-created exploits; APTs require custom-crafted detection and removal solutions

Target: Network Security
• Motivation: Organization enacts strict firewalls and network security to exclude external traffic; Internal access controls prevent wide data breaches
• Result: APTs planted internally already open holes through firewall and network security; Attackers have access to user accounts, bypassing internal access controls
Organizations must immediately take mitigation steps to specifically discover and protect against APTs
APTs require a fundamentally different approach from typical cyber threats
Threat/Risk Landscape
The APT Challenge

Advanced techniques
• New paradigm: multiple vectors, custom-crafted
• Undetectable and unpreventable by normal remediation
• Defies typical best practices

Persistent
• APTs are highly targeted: attackers will not easily relent even if a counterstrike is launched
• Attackers will find and breach any vulnerability, including social and organizational ones
Traditional Best Practices
Current Best Practice → APT Countermeasure
• Anti-Virus: Compile malicious code immediately before use, protect with kernel driver, run code in Windows safe mode, pack with unknown packing utility
• Vulnerability Assessments: Generally don’t rely on known system vulnerabilities, focus on mis-configured systems, non-vulnerability based targeted spear-phishing attacks, or application vulnerabilities (Adobe PDF Reader, MS Office)
• Network Firewall: Target workstations, malicious code will beacon out, establishing a TCP session, attack over an open port (80, 53, 443, or email)
• Host Firewall: Malicious code adds itself to the host firewall white list
• Two-Factor Authentication (Common Access Cards): Rootkit installed when user is logged in, then authenticate to the rootkit for future access, CAC not required for lateral movement
• Email Filtering: Send link to malicious code vice the code itself, send from trusted email account, send from trusted network
• Intrusion Detection Systems: Port 443, Open SSL, WinRAR, other encryption
• Disabling HTML email: APTs don’t attempt to “hide” the link they are sending
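The firewall and IDS rows above describe malicious code that beacons out over an open port (80, 53, 443) rather than tripping a signature. The block below is an added example, not from the deck, of one defender-side check for that behaviour: it parses outbound connection records and flags a destination that is contacted at suspiciously regular intervals. The log format, hostnames and IP addresses are constructed for the example; a fixed-timer beacon shows a near-zero coefficient of variation in its connection gaps, while human browsing does not.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound connection records (not from the deck):
# timestamp, source host, destination IP, destination port.
SAMPLE_LOG = """\
2012-04-12T08:00:00 ws-17 198.51.100.23 443
2012-04-12T08:00:04 ws-17 203.0.113.8 80
2012-04-12T08:05:00 ws-17 198.51.100.23 443
2012-04-12T08:07:31 ws-17 203.0.113.8 80
2012-04-12T08:10:01 ws-17 198.51.100.23 443
2012-04-12T08:15:00 ws-17 198.51.100.23 443
2012-04-12T08:19:48 ws-17 203.0.113.8 80
2012-04-12T08:20:00 ws-17 198.51.100.23 443
2012-04-12T08:25:00 ws-17 198.51.100.23 443
2012-04-12T08:31:02 ws-17 203.0.113.8 80
"""

# The ports the deck names as the ones malicious code rides out on.
WATCHED_PORTS = {80, 53, 443}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Group connection timestamps by (source, destination, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed records rather than crash the job
        ts, src, dst, port = m.groups()
        port = int(port)
        if port in WATCHED_PORTS:
            flows[(src, dst, port)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, min_hits=4, max_cv=0.1):
    """Return flows whose gaps between connections are suspiciously regular.

    cv = stdev / mean of the inter-connection gaps. A timer-driven beacon
    has cv near 0; interactive traffic has large, irregular gaps.
    """
    suspects = []
    for key, times in flows.items():
        if len(times) < min_hits:
            continue  # too few observations to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            suspects.append({"flow": key, "hits": len(times),
                             "mean_gap_s": round(mean), "cv": round(cv, 3)})
    return suspects
```

On the sample, the 443 flow to 198.51.100.23 is flagged (six hits, 300 s apart) while the irregular port-80 browsing is not; tune `min_hits` and `max_cv` to the noise level of real flow data.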
Non-Traditional Risk Factors - Host
There are a number of traditional and non-traditional host-based risk factors that contribute substantially to your organization’s risk to Threat entrenchment
Non-Traditional Risk Factors - Network
There are a number of non-traditional network-based risk factors that contribute substantially to your organization’s risk to a sophisticated Threat
The preeminent organizational cyber challenges of 2012 consist of a blend of technical and organizational issues

Hypotheses on Top Cybersecurity Program Challenges

1. Threat Management
• Abundance of sensors and data available; not enough analytics
• Monitoring capabilities need to be more inclusive of threat environment
• Threat intelligence and analysis needs to be broader / more relevant

2. Information Risk Management
• Control selection/implementation not risk-based in divisions/regions
• Identified ‘cyber risks’ are narrowly focused on technology
• Lack of interdependency analysis in risk management processes

3. Infrastructure Security
• Attackers / malicious code can move laterally throughout enterprise
• Infrastructure security budget insufficient compared to growth
• Expanding use of insecure mobile devices

4. Application Security
• Massive global penetration of programmable logic controllers (PLCs) and other software-controlled products
• Secure software/products soon to be competitive differentiator

5. Information Protection
• Large concentrations of sensitive data exist outside of well-protected environments
• Sensitive information often flows across inadequately protected channels
• Unsophisticated mechanisms are employed to assist and enforce end-user document labeling

6. Awareness, Training, & Education
• A more dedicated and robust cybersecurity awareness, training, and education program needed
• Internal users are not prepared for the modern threat environment
• Third parties (e.g., contractors) require more engagement

7. Communications & Engagement
• Internal change management and security consulting entities are insufficient for engaging business units
• Need for prioritization and phasing of interaction with stakeholders to address cybersecurity risks
• Customers and third parties (e.g., vendors, contractors, partners) require more enhanced engagement

8. Event Management
• Inconsistent monitoring and reporting of events or a lack of dedicated continuous monitoring capabilities
• Reporting of real-time situational views is not tailored for stakeholders across the enterprise
• Guidelines on internal and external escalation processes are not clear nor promulgated

9. Governance
• Governance is not addressed as a senior executive issue
• Inconsistent and infrequent interaction with divisions to understand business risks and requirements
• Organizational silos lead to ineffective processes / solutions
Resiliency must be integrated beyond purely technological areas, to include policies, human capital, management, and operations
Organizations need to develop all aspects of a cyber security workforce, including:
• Leadership Development: To provide leaders with new cybersecurity competencies
• Education and Training: To create a highly skilled cybersecurity workforce
There are 11 defined cyber roles that outline the skills and training requirements needed for a successful cyber workforce

Cyber Roles: Cyber Intel Analyst; Cyber Business Professional; Cyber Policy Analyst; Cybersecurity Analyst; Cyber Offense Analyst
Skills Needed/Training Requirements: Cyber Policies, Plans, & Procedures; Cyber Program Design; Threat Assessment; Continuity of Operations; Incident Response
Benefits: Establishes a common lexicon and point of reference across all human capital management activities; Allows stakeholders to immediately
A “Dynamic Defense” approach will meet today’s need for resiliency by establishing a network of integrated processes, technologies, and people

1. Threat Vector Intelligence: Gather insights on adversary threats, intentions, and capabilities
• All-source analysis
• Indications of “early warning”
• Threat education
• Support to operations, planning and institutional cybersecurity programs

2. Rapid Response: Find and react to adversarial threats
• Recognize attack
• Conduct triage
• Perform forensics
• Respond to attack
• Recover/reconstitute

3. Evolutionary Response: … adversarial threats
• Capability maturity evolution
• Vulnerability assessment
• Trade-off analysis
• Operational planning
• Exercises/M&S
• Strategic road-mapping

4. Integrated Remediation: Build/implement better systems and constructs to keep adversaries out
• Policy
• Operations
• Technology
• Management
• People

Center of the cycle: Risk Informed Response Decisions (Mitigation); connecting labels: Situational Awareness, Actionable Insights, Best Practices, Lessons Learned
Contact Information
Roger Cressey
Senior Vice President
USA
+1 703 9841421
Cressey_roger@bah.com