BeyondToday’sPerimeterDefense:

LivingandcopingwithAdvancedPersistentThreatsFrancisWongWhatisAdvancedPersistentThreats?SixElementsForAPTPreparationFilPreparesfortheattack tools,includescanning draftingsocially engineeredemailsMaintenanceHackerwillattempttomaintaintheiraccessDataGatheringGatherthisinformationandexfiltrateitFurtherAccessTrytoidentifywhereinthenetworktheyareandmovelaterallywithinthenetworktoaccessdataofinterestInstalladditionalbackdoorsReconnaisanceGathersinformationIdentifythebesttargetingmethod.TargetinglaunchestheirattackandmonitorsforsignsofcompromiseorfailurePreparationTargetingFurtherAccessDataGatheringMaintenanceReconnaisanceInternalUsersTheInternetApplicationDDoSNetworkDDoSIISWebServersApplicationServersMSSQLDatabasesFirewallExcessiveRightsAdministratorsFirewallUnauthorizedAccessUnauthorizedAccessAPTiseverywhereIPS/WAFXSS/SQL-injectionExternalUsersHacker?WhereistheproblemAPTreallifeexampleAnticnn.exeTarget:

Action:1.Developanticnn.exe2:Sendoutspammail/phishingwebsiteConsequence:ThoseUScompanieswassufferedfromDOSanddataleakagesGET1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jspHTTP/1.1Accept:*/*Host:Connection:Keep-Alive

APTcannotbehandledbysingleproductAcompletesolutionforbothinternalandexternalattackTotalSolutionforRadwareDefensePro,AppWall,APSoluteVisionRadwareAPTsolutionisnotasingleproductTwoDimensionforAPTSlide8FurtherAccessDataGatheringMaintenanceReputationEngine:TheNeedandSolutionSlide10MaliciouswebsiteshaveshortlifespanandarecreatedinmatterofhoursStaticSignatureProtection,withperiodicupdates,doesn’tkeeppaceAntivirus&spywareremovalsoftwarecannotprotectagainstPharmingWorld-widereal-timeresearchisthewaytoprotectagainstsuchthreatsAnti-Fraud/Anti-TrojanserviceisarealdifferentiatorforISP/MSSPRSAFraudActionOneofthemostprovenandtrustedonlinethreatsolutions24x7commandcenterwhichconstantlyanalyzesworld-widetrafficWidestPhishingURLDBintheworldtodayTakespreventiveactionstoremovemaliciousserversfromthenetDefenseProServiceReal-timeupdatesofnewindentifiedmaliciouspointsbyRSAProtectionagainst:phishing,pharmingandMalware(FraudTrojan)attacksSlide11AboutRSAAntiFraudCommandCenter(AFCC)Theindustry’slargest,andmostexperiencedanti-fraudteamAworldleaderinwebfrauddetectionandprevention(*)24x7x365nexusofall

servicesImmediatetranslationsupportinover180+languagesDetermineattackvectors:TrojansInfectedsitesPhishing(*)accordingtoGartnerMagicQuadrantforWebFraudDetectionreport,February6,2009.Reputation EngineSlide12InternetAFCCAPSoluteVisionDefenseProFraudactivitiesdetectedbyAFCCserviceAFCCFeedtoRadwareInsitefeedsDefenseProwithareal-timesignatureMaliciousSite/DropPointTrojanCommunicationtodroppointPhishingMailUserclicksthePhishinglinkPhishingCampaignIPS&Radware’sSOCSlide13SignaturesProtectionagainst:ApplicationVulnerabilitiesandexploitsWeb,Mail,DNS,databases,VoIPOSVulnerabilitiesandexploitsMicrosoft,Apple,UnixbasedNetworkInfrastructureVulnerabilitiesSwitches,routersandothernetworkelementsvulnerabilitiesMalwareWorms,Bots,TrojansandDrop-points,SpywareAnonymizersIPv6attacksProtocolAnomaliesSecurityOperationCenterLeadingvulnerabilitysecurityresearchteamWeeklyandemergencysignatureupdates&ReputationEngineRadware’sSOC&SecuritySpecialistsSlide142009RadwareSOChasworldrecognitionbythesecurityindustryandapplicationvendors:

SOCresearchersandSecuritySpecialistspresenttheirlatestfindingsinindustryeventssuchasBlackHatandDefcon.RadwareSOCisthefirsttodiscoverapplicationvulnerabilitiesinAppleiPhoneSafariwebbrowser,Firefox3,YATEIPtelephonyengineandmore.WebQuarantineSpecifieswhetherthedevicequarantinesalloutboundWebtrafficfrominternalhostsinthedestinationsegmentinthenetworkpolicyaftermatchingasignatureconfiguredwithWeb-quarantineoptionSlide15Isthisoutboundtrafficsafe?Pass/BlockTheInternetDefenseProAppWallRoleBasedPolicyAppWallRoleBasedPolicyEnablesdefiningdifferentsecuritypoliciesfordifferentusersToprovideflexibleaccesstowebapplicationWhileproperlysecuringtheapplication.RoleBasedPolicyDelivers:AuthenticationandlogindetectionAuthorizationandaccesscontrolAccountingandAuditingWebbasedSingleSignOnSeparationofdutiesApplicationContentControlRoleBasedPolicyDefiningwebapprolebasedsecuritypolicyRetrievingtheusers’groupassociationfromLDAP.Configuredifferentpoliciesfordifferentroles:AdminEmployeePartnerCustomerPublicSlide18-EmployeeSlide19–adminuserSlide20Slide21RoleBasedPolicySlide22SharingPolicyAmongRolesSlide23SharedPolicyAcrossRoles(new)DifferentPolicies(old):Customer–AccessProhibitedPartner-AccessallowedbutCCNMaskedEmployee-AccessallowedandseeCNNAppWallDLPintegration24ErrorPageAppearFilerequestHumanDLPServerFileInspectedBlockedAppWallinspectsthecontentofdownloadedfilesfromthesecuredapplicationAppWallcanforwardthedownloadedcontenttotheDLPserverIfpolicyviolationisdetectedandthefilecanbemodified(e.g.MSExcelfiles),theICAPserverwillmodifythefile.DLPserverwillreplywithastatuscodenotifyingAppWallnottoforwardthefiletotheclientandAppWallwillredirecttheclienttoasecuritypageAppWallWebrolesbasedontheclientsourceIPaddressWebrolesbasedontheclientsourceIPaddress.Additionally,ageo-locationdatabaseisavailabletodefinegeo-location-basedpolicies.Forexample:YoucanprohibitaccesstoyouroperationapplicationtousersoutsidetheUS.Youcanallowonlyinternalusers(10.*.*.*)toaccessparticularapplications.YoucanallowonlyaddressesfromGermanytosubmitanenergyusagereporttothesecuredapplication.Youcanhavedifferentpoliciesforadministratorsdependingonwhethertheyareaccessingfromaninternaladdressorfromremotegeographies.Slide2525ErrorPageAppearIPAddress+UserIDHumanAppWallReconnaisancePreparationTargetingNetworkscanningandmalwarepropagationProtectionsSource-basedBehavioralAnalysisSlide28BehavioralReal-timeprotectionagainstZero-MinuteMalwarePropagationandnetworkscans:UDPspreadingwormsdetectionTCPspreadingwormsdetectionHighandlowratenetworkscansScanning/spreadingpatternidentificationInfectedsourceidentificationSource-basedAnalysisSlide29Port&IP2925335311270111Connectionbehavioralscore“Normal”DistributionPort&IP805078SourcebehavioranalysisAverageHeightWidth“Abnormal”DistributionConnectionbehavioralscoreNormalSuspectAttackWidthHeightOthers…DegreeofAttackDecision-MakingMitigationAutomaticRTSignaturesMitigation:Source-basedRealTimeSignatureSlide30BothRedandYellowobjectsrepresentmalwarespreadingactivities.TheRed‘Worms’representthemoreintensespreadingactivities.TheGreenobjectsrepresentlegitimatetraffic.AnalysisAnalysisAnalysis?XX??InitialPrevention

Measure(e.g.,sourceIP->port135(TCP))Optimization(e,g.,sourceIP->port135(TCP)ORport445(TCP))Afterthefirstfilteragainstawormisimplemented,theClosed-FeedbackMechanismdecidesthattherestofthemalwarespreadingactivitiesmaydisturbthenetworkoperation.ItaddsadditionalpreventionmeasuresaccordingtoalessintensecriteriaontopofthepreviousmeasureIntenseMalwareActivitiesAdditionalSpreadingActivitiesSafeEnvironmentOptimization(e,g.,sourceIP->port135(TCP)ORport445(TCP))AND(packetsizeANDTTLAND,…)Real-TimeSignatureReal-TimeSignatureModificationReal-TimeSignatureOptimizationServiceCrackingBehavioralProtectionsServiceCrackingBehavioralProtectionsSlide32Real-timeprotectionsagainstinformationstealth:HTTPserversWebvulnerabilityscansBruteforceSIPservers(TCP&UDP)SIPspoofedfloodsPre-SPITactivitiesSIPscanningSMTP/IMAP/POP3,FTP,…ApplicationBruteforceApplicationscansApplicationBehaviorAnalysis–ServiceCrackingSlide33LaunchesscantoolNon-detectableattackbystandardsignature-basedIPSAlltransactionsarelegitimateAttackvolumebelowratethresholdWebServersWebVulnerabilityScanScenarioAttackerHEAD/HTTP/1.0GET/cgi/websendmailHTTP/1.0GET/cgi/textcounterHTTP/1.0…GET/examples/HTTP/1.0Get/_vti_bin/shtml.exeHTTP/1.0GET/scripts/admin.plHTTP/1.0200OK404NotFound200OK404NotFound404NotFound200OKSlide34LegitimateresponsecodeErrorresponsecodeLegitimateresponsecodeHighfrequencyOnetimeerrorErrorresponsecodePublicWebServersRadwareAMSApproachAdvancedbehavioralanalysistoeliminatefalsepositiveAutomaticdetectionandpreventionBlockedStandardIPSApproachNosignatureprotection-AllrequestsarelegalRate-limitthresholdsHighfalse-positiveRequiresconstanttuningApplicationBehaviorAnalysis–ServiceCracking

/config//hotels//register//info//reserve/AdaptiveAutoPolicyGeneration(1of4)App

Mapping/admin/Slide35

/config//hotels//register//info//reserve/SQLInjectionCCNbreachBufferOverflowDirectoryTraversalAdaptiveAutoPolicyGeneration(2of4)App

MappingInformationleakageGainrootaccesscontrolUnexpectedapplicationbehavior,systemcrash,fullsystemcompromiseThreatAnalysisRiskanalysisper“application-path”/admin/Spoofidentity,stealuserinformation,datatamperingSlide36

/config//hotels//admin//register//info//reserve/SQLInjectionCCNbreachBufferOverflowDirectoryTraversal***********9459PAdaptiveAutoPolicyGeneration(3of4)App

MappingPolicyGenerationPreventaccesstosensitiveappsectionsMaskCCN,SSN,etc.inresponses.ParametersinspectionThreatAnalysisTrafficnormalization&HTTPRFCvalidationSlide37

/config//hotels//admin//register//info//reserve/SQLInjectionCCNbreachBufferOverflowDirectoryTraversalAdaptiveAutoPolicyGeneration(4of4)TimetoprotectApp

MappingPolicyActivationAddtailoredapplicationrulesOptimizerulesforbestaccuracyPolicyGenerationThreatAnalysis***********9459VirtuallyzerofalsepositiveBestSecuritycoverageSlide38PApplicationPathViewRapidPolicyOnSlide40ExtendedPolicyonSlide41NetworkServerApplicationBusinessRadwareSecurityProtectionToolsSlide42LargevolumenetworkfloodattacksHigh&LowrateapplicationDoSattacks“Low&Slow”DoSattacksBruteforceattackWebapplicationattacks

(e.g.XSS,Injections,CSRF)SYNfloodPortscanNetworkscanIntrusionIntrusion,MalwareDoSProtectionBehavioralAnalysisIPReputationIPSWAFSHUTDOWNTheConceptofRiskManagementRiskManagement–TheConceptSlide44Time28/4/2012PreattackprobeeventNetworklevelscanning1/5/2012PreattackprobeeventApplicationlevel5/5/2012XSSEventEventdetailsEventdetailsDynamicThreatLevelProActiveCountermeasuresSecurityEventManagementEngineAutomaticeventcorrelationexpertrulesSamesource->HighrisksourceSametarget->HostunderhighriskConclusion:IncidentwithHighThreatLevelSecurityEvents–Behavioral&DeterministicEventTypesAdditionalLayerofIntelligenceRadwareAttackMitigationSystem(AMS)Slide4