Using Internet Data Sets to Understand Digital Threats
|
|
- Mark Reeves
- 5 years ago
- Views:
Transcription
1 Using Internet Data Sets to Understand Digital Threats
2 CONTENTS EXECUTIVE SUMMARY...1 ACTIONS LEAVE BREADCRUMBS. MAKE SURE TO FOLLOW THEM...2 INFRASTRUCTURE CHAINING...3 INTERNET DATA SETS...3 PASSIVE DNS...4 WHOIS...5 SSL CERTIFICATES...6 ANALYTICAL TRACKERS...7 HOST SEQUENCE PAIRS...8 WEB COMPONENTS...9 OPEN SOURCE INTELLIGENCE (OSINT)...10 COOKIES...11 ABOUT PASSIVETOTAL...12
3 EXECUTIVE SUMMARY As businesses adapt to the rapidly changing digital landscape, more customer and business operations are shifting from behind the protection of firewalls to the open internet. This new level of exposure makes your company, customers, and prospects vulnerable to extremely skilled, persistent threats across the web, mobile, social, and . However, the good news for threat hunters and defenders is that data exists to help expose the infrastructure being used by attackers, which allows them to find, block, and prevent attacks. Internet data can be sorted, classified, and monitored over time to provide a complete picture of your attackers and their evolving techniques. Infrastructure chaining leverages the relationships between these highly connected data sets to build out a thorough investigation. This process is the core of Threat Infrastructure Analysis and allows organizations to surface new connections, group similar attack activity, and substantiate assumptions during incident response. In this white paper, we ll explore the data sets available to security professionals and how to use them to proactively protect your organization s digital presence. 1
4 ACTIONS LEAVE BREADCRUMBS. MAKE SURE TO FOLLOW THEM One of the byproducts of using the internet is the concept of creating signals, or breadcrumbs. It doesn t matter if an action is malicious in nature or not, chances are, impressions will be made, and if observed, could be used to correlate activity. As an example, consider the series of actions that take place when sending an from one person to another. At a high level, sending an requires two people to have valid addresses with registered service providers. Those providers need servers in place to host the applications and a way to transmit data from one end of the action to the other, which often requires routers and switches. The act of sending an generates hundreds, if not thousands, of breadcrumbs online across various systems, services, and networks. Now, imagine you are a malicious actor looking to steal financial data from some people at a bank. If your goal is to compromise specific users within the organization, then sending a phishing is a viable avenue of attack. As some first steps, you would scan for information about the financial institution and identify the individuals you want to target. After finding a few, you would search for their work history or any public personal data you can use to engage them. Then, you would register a legitimate-looking business domain, setup an address, and craft a convincing message directing the user to a page meant to steal their credentials. Upon successfully phishing the users, you would start a VPN, authenticate to the financial provider s network, and take as much data as you can. This example is something that occurs on a regular basis across the internet. Users get phished for credentials, their workplace accounts are compromised, and data is stolen from under their noses. But, from an analyst s perspective, all those actions taken by the malicious actor reveal breadcrumbs that can be used to trace their activity. To begin investigations, analysts must ask a few key questions: What IP address was used to perform the initial target research? Were there any services the actor used to perform research that required having an account? What information was used when registering the domain? What server did the phishing come from? Who was the hosting provider for the credential phishing? Normally, questions like these would go unanswered without the proper data, but modern technology has afforded the ability to scan the internet in short periods of time to collect many of these impressions. RiskIQ s extensive global network of egress points deploys virtual users (web crawlers) to visit web pages and save the content of the visit to collect the data necessary to answer these questions. Collecting this data at scale opens up the opportunity to begin surfacing the breadcrumbs of malicious actors in places where they can t hide. 2
5 INFRA- STRUCTURE CHAINING Having a database of breadcrumbs from interactions on the internet lends itself well to identifying relationships between disparate entities. Infrastructure chaining, a powerful methodology leveraged by analysts, uses the highly connected nature of these internet breadcrumbs to expand one indicator into many based on overlapping details or shared characteristics. Building infrastructure chains also allows analysts to quickly build context around an incident or investigation, allowing for more effective triage of alerting and actioning of incidents within an organization. Starting with a single point, analysts can look at any connected data sets to find more indicators. As the analyst continues to branch out at each stage, they form links back to the original starting point. Not only does this process expand the scope of the investigation and potentially find more malicious content, but it is also self-documenting in the fact that any other analyst can see how connections were made from one data set to the next. Since 2009, RiskIQ has been collecting data from web pages, global sensors, and a robust proxy network to provide analysts with a look back in time at how given parts of the internet once appeared. PassiveTotal supports the concept of infrastructure chaining and extracts all RiskIQ data into one single platform, so analysts can spend their time focusing on threats to their organizations and not data collection and processing. INTERNET DATA SETS Internet data sets are best defined as any source of content that describes a portion of or process on the internet. These data sets are vast and ever-changing, but provide immense insight into actions taken by malicious actors and give defenders an advantage when combating attacks. The following data sets are tracked and exposed through RiskIQ PassiveTotal. 3
6 PASSIVE DNS Passive DNS is a system of record that stores DNS resolution data for a given location, record, and time period. This historical resolution data set allows analysts to view which domains resolved to an IP address and vice versa. This data set allows for time-based correlation based on domain or IP overlap. Historical repository of domains and IP addresses that could show overlap between values Provides a method to get second-order domains and IP addresses that may be related to your original query Identifies subdomains associated with a particular query, potentially revealing target details or more suspect infrastructure Do the passive DNS results line up with the period I am interested in? Infrastructure like domain names and IP addresses may trade hands or be assigned to new customers by service providers over time. Beginning analysis with a known time frame of interest can aid in narrowing down what may be larger data sets spanning years of unrelated activity, allowing analysts to pinpoint specific attacker activity. Are there other data points (WHOIS, SSL Certificates, Host Pairs, etc.) that could be used to improve a connection point? Observations based on one type of data, such as infrastructure relationships, are sometimes sufficient on their own, but many observations can be strengthened and confirmed when combined with other supporting data. Supporting data points may also reveal other avenues of investigation that analysts were not initially aware of at the beginning of their research. Has the domain or IP address had a lot of changes over time? Does it appear like the domain or IP address is part of a shared hosting network? 4
7 WHOIS WHOIS data, an internet database of ownership information about a domain, IP address, or subnet, can give an organization insight into those behind an attack campaign. WHOIS data helps determine the maliciousness of a given domain or IP address based on ownership records. Using domain registration information, an organization can unmask an attacker s infrastructure by linking a suspicious domain to other domains registered using the same or similar information. Allows for attack timeline analysis based on domain registration and update or expiration time periods Leverage history (hosting/record) to identify trends or specific patterns in data for a given owner or set of owners Use the content of the various WHOIS fields to find other records that share similar patterns or exact values How long has the domain been registered or owned? New or recently created domains may help confirm suspicions about malicious activity, as many domains are registered shortly before staging an attack. This may indicate dedicated attacker domain ownership and can strengthen an observation s value as an indicator of compromise. On the other hand, domains with older registration dates may indicate the use of compromised hosts, hijacked domains, or purchase of older domains from a reseller service. Is the WHOIS record privacy protected or using a third-party provider s information to obscure the real identity of the registrar? Does any data supplied by the user appear to be unique (i.e., spelling errors, strange names, conventions observed across multiple domains, etc.)? Even if a set of domains do not share obvious commonalities such as the domain registrant name or address, relations may be possible to establish based on multiple matching attributes such as domain registrar, nameserver domains (and second-order nameserver domain ownership), registration timeframe, and registrant contact domains. Do the nameservers listed on the WHOIS record appear unique or reveal any additional infrastructure that may be related? Does the WHOIS record have any history associated with it? If so, how long and what information has changed? 5
8 SSL CERTIFICATES SSL certificates are cryptographically generated files used to provide an encrypted channel between a client and a server. Delegated authorities are in charge of validating organization details, issuing certificates, and maintaining the health of certificates issued. SSL certificates are most often associated with publicly facing websites and, for them to function, need to be accessible via a routable internet address. Beyond securing your data, certificates are a great way for analysts to connect disparate malicious network infrastructure through identifying overlapping usage of IP addresses. Actors often use the same certificate across multiple attack campaigns to encrypt command and control communication or make a malicious website look legitimate. Identifies additional infrastructure based on a shared certificate or infrastructure that was used to host the certificate May identify connections when WHOIS or DNS data come up with nothing Data within the certificate may overlap with other certificates, revealing more infrastructure Is the SSL certificate valid (i.e., not expired, not self-signed) and issued by a reputable provider? Does the SSL certificate belong to a content provider or content distribution network? Does any of the user-supplied data in the certificate appear unique? Do any of the details in the certificate reveal WHOIS or passive DNS leads? Has the certificate been hosted on more than one IP address or has it been moved from or shared between multiple servers? Actors often use the same certificate across multiple attack campaigns to encrypt command and control communication or make a malicious website look legitimate. 6
9 ANALYTICAL TRACKERS Trackers are unique codes or values found within web pages and often are used to track user interaction. Website operators that maintain multiple sites may utilize the same analytic service account across all sites, and these trackers can be used to correlate a disparate group of websites to a central entity. PassiveTotal s tracker data set includes IDs from providers like Google, Yandex, Mixpanel, New Relic, and Clicky, and is continuing to grow. Some analytical providers will share a top-level account and create subkeys for different web properties that could reveal a single source owner Copied web pages often contain analytical codes that may not be scrubbed and could be used in conjunction with other data sets to identify abuse May identify overlapping connections between domains that would normally go undetected or unlinked due to dissimilar content Do the analytical tracker codes appear to be unique and owned by a legitimate brand? Are malicious actors making use of any specific tracking providers in their pages? Is there a high degree of overlap between unrelated websites? What other web pages have made use of a given tracker? Is there any relationship between multiple analytics accounts? 7
10 HOST PAIRS Host pairs are two domains (a parent and a child) that shared a connection observed from a RiskIQ web crawl. The connection could range from a top-level redirect (HTTP 302) to something more complex, like an iframe or script source reference. Each connection has a first time and last time observed that helps to establish a time period for the pair of web properties. Shows a natural sequence chain for a given set of websites that can be walked up or down to surface new hosts Preserves a given relationship between two web properties that may no longer exist or remain valid Context associated with the host pair dictates the nature of the relationship and could provide insight into the attack Are there any additional suspicious hosts redirecting or being redirected from the indicator being investigated? Are there any patterns with the redirections taking place? Does the amount of pairs for a given property help in dictating if it s malicious or non-malicious? 8
11 WEB COMPONENTS Web components are details describing a web page or server infrastructure gleaned from performing a web crawl using RiskIQ technology. These components provide analysts with a highlevel understanding of what was used to host the page and what technologies may have been loaded at the specific time of the crawl. When possible, we attempt to categorize the specific components and include version numbers. Provide insight into a given server infrastructure or web page, content of which may have changed or may not exist anymore Specific versions or technologies used could be combined to form a component signature about an attacker s operations Observation time periods are a good way to establish when an operation may have first been set up or went live for an attack Are there any unique or less-popular technologies used that could indicate a favored platform for attackers? Are any of the technologies used vulnerable to attack via live exploits or known bugs? Is there any sort of technology that could be leveraged to obfuscate or hide elements of an attack? 9
12 OPEN SOURCE INTELLIGENCE (OSINT) Open source intelligence (OSINT) is data that can be found publicly online and is freely available for use inside your organization. This data is often produced by individuals or companies and is either given away in the form of marketing material or shared amongst other companies as a source of goodwill for defenders. However, while great content can easily be found online, it may not be a full replacement for paid intelligence services. Some OSINT may draw incorrect conclusions or could be missing significant analysis, so any data collected should be processed before being applied within your organization. Provides additional context to indicators that may be linked to your original query Aids analysts in discovering a larger narrative around the threat Could help an analyst find malware or other artifacts Shows third-party perspectives and could be used to begin a conversation with another organization How does the indicator I am interested in relate to the OSINT? Are the OSINT claims backed up using data? Is the OSINT provided by an individual, trusted group, or larger organization? Does there appear to be any misleading material in the OSINT?...while great content can easily be found online, it may not be a full replacement for paid intelligence services. 10
13 COOKIES Web cookies are small pieces of data passed from the server to the client during web browsing. These values are associated with the domain being viewed and can be used to keep track of state or other information the server may use. Cookies can be encrypted with a secure flag and are restricted to specific domains to ensure a level of security. Named services or additional indicators that could be derived from the cookie name or path associated with the cookie Number of results, low or high, from pivoting on the cookie name or path Time period of when the cookie was observed being associated with the clients Whether or not cookies are associated with the indicator being searched Does the cookie name appear unique? Does the cookie path match the value of the indicator being viewed? Is there a low frequency of shared items based on the cookie name? Does the cookie name reveal any additional infrastructure, services, or indicators? 11
14 ABOUT PASSIVETOTAL ABOUT RISKIQ PassiveTotal is a platform for security operations and analysis teams to simplify and accelerate the investigation processes for events, threats, and attacks. For example, any attack conducted via the internet is likely to leave behind traces or fingerprints. The PassiveTotal platform automatically aggregates and correlates the most comprehensive internet data sets available, including passive DNS, , SSL certificates, host pairs, web trackers, and WHOIS data to deliver insights about the ownership, use, and activity of specific assets involved in an event or attack, as well as show related assets that might otherwise go unknown. These insights allow security teams to investigate, respond to, and eliminate threats. PassiveTotal leverages the RiskIQ crawl data set to provide deeper contextual understanding of assets through our virtual user technology. Understanding and interacting with web assets as a real user would experience them provides an unparalleled view into techniques employed by attackers. PassiveTotal uses these vast data sets and predictive analytics to automate investigative processes and keep pace with the shifting threat landscape. Pivot between data relationships to gain the offensive edge against an attacker by preventing their next move. Community Editions of RiskIQ products, including PassiveTotal, are now available. Cyberthreat hunters and defenders can sign up for RiskIQ Community for free to get started on the path to superior discovery, investigation, and research of threats. All RiskIQ products utilize the data sets that we discuss in this white paper. RiskIQ is the leader in digital threat management, providing the most comprehensive discovery, intelligence, and mitigation of threats associated with an organization s digital presence. With more than 75 percent of attacks originating outside the firewall, RiskIQ allows enterprises to gain unified insight and control over web, social, and mobile exposures. Trusted by thousands of security analysts, RiskIQ s platform combines advanced internet data reconnaissance and analytics to expedite investigations, understand digital attack surfaces, assess risk, and take action to protect business, brand, and customers. Based in San Francisco, the company is backed by Summit Partners, Battery Ventures, Georgian Partners, and MassMutual Ventures. THINK OUTSIDE THE FIREWALL riskiq.com 22 Battery Street, 10th Floor, San Francisco, CA 94111, USA sales@riskiq.com RiskIQ, Inc. All rights reserved. RiskIQ and PassiveTotal are registered trademarks and Outside the Firewall is a trademark of RiskIQ, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 12
Supercharge Your SIEM: How Domain Intelligence Enhances Situational Awareness
Supercharge Your SIEM: How Domain Intelligence Enhances Situational Awareness Introduction Drowning in data but starving for information. It s a sentiment that resonates with most security analysts. For
More information10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS
10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS WHITE PAPER INTRODUCTION BANKS ARE A COMMON TARGET FOR CYBER CRIMINALS AND OVER THE LAST YEAR, FIREEYE HAS BEEN HELPING CUSTOMERS RESPOND
More informationSIEM Solutions from McAfee
SIEM Solutions from McAfee Monitor. Prioritize. Investigate. Respond. Today s security information and event management (SIEM) solutions need to be able to identify and defend against attacks within an
More informationTHE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM
THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM Modern threats demand analytics-driven security and continuous monitoring Legacy SIEMs are Stuck in the Past Finding a mechanism to collect, store
More informationRSA NetWitness Suite Respond in Minutes, Not Months
RSA NetWitness Suite Respond in Minutes, Not Months Overview One can hardly pick up a newspaper or turn on the news without hearing about the latest security breaches. The Verizon 2015 Data Breach Investigations
More informationThe SANS Institute Top 20 Critical Security Controls. Compliance Guide
The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise
More informationBuilding Resilience in a Digital Enterprise
Building Resilience in a Digital Enterprise Top five steps to help reduce the risk of advanced targeted attacks To be successful in business today, an enterprise must operate securely in the cyberdomain.
More informationCYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta
CYBER ANALYTICS Architecture Overview Technical Brief May 2016 novetta.com 2016, Novetta Novetta Cyber Analytics: Technical Architecture Overview 1 INTRODUCTION 2 CAPTURE AND PROCESS ALL NETWORK TRAFFIC
More informationRSA INCIDENT RESPONSE SERVICES
RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access
More informationProtecting Against Modern Attacks. Protection Against Modern Attack Vectors
Protecting Against Modern Attacks Protection Against Modern Attack Vectors CYBER SECURITY IS A CEO ISSUE. - M C K I N S E Y $4.0M 81% >300K 87% is the average cost of a data breach per incident. of breaches
More informationUsing Threat Analytics to Protect Privileged Access and Prevent Breaches
Using Threat Analytics to Protect Privileged Access and Prevent Breaches Under Attack Protecting privileged access and preventing breaches remains an urgent concern for companies of all sizes. Attackers
More informationwith Advanced Protection
with Advanced Email Protection OVERVIEW Today s sophisticated threats are changing. They re multiplying. They re morphing into new variants. And they re targeting people, not just technology. As organizations
More informationNovetta Cyber Analytics
Know your network. Arm your analysts. Introduction Novetta Cyber Analytics is an advanced network traffic analytics solution that empowers analysts with comprehensive, near real time cyber security visibility
More informationCyberArk Privileged Threat Analytics
CyberArk Privileged Threat Analytics Table of Contents The New Security Battleground: Inside Your Network 3 Privileged account security 3 Collect the right data 4 Detect critical threats 5 Alert on critical
More informationKen Hines, Ph.D GraniteEdge Networks
Ken Hines earned his Ph.D. in computer science at the University of Washington in 2000, by successfully defending his dissertation, which applied causal analysis to debugging heterogeneous distributed
More informationMcAfee Endpoint Threat Defense and Response Family
Defense and Family Detect zero-day malware, secure patient-zero, and combat advanced attacks The escalating sophistication of cyberthreats requires a new generation of protection for endpoints. Advancing
More informationRSA INCIDENT RESPONSE SERVICES
RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access
More informationSOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM
SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM OVERVIEW The Verizon 2016 Data Breach Investigations Report highlights that attackers are regularly outpacing the defenders.
More informationReducing the Cost of Incident Response
Reducing the Cost of Incident Response Introduction Cb Response is the most complete endpoint detection and response solution available to security teams who want a single platform for hunting threats,
More informationCyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS
Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Continual disclosed and reported
More informationTHE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION
BREACH & ATTACK SIMULATION THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION Cymulate s cyber simulation platform allows you to test your security assumptions, identify possible security gaps and receive
More informationWhitepaper. Advanced Threat Hunting with Carbon Black Enterprise Response
Advanced Threat Hunting with Carbon Black Enterprise Response TABLE OF CONTENTS Overview Threat Hunting Defined Existing Challenges and Solutions Prioritize Endpoint Data Collection Over Detection Leverage
More informationAutomated Context and Incident Response
Technical Brief Automated Context and Incident Response www.proofpoint.com Incident response requires situational awareness of the target, his or her environment, and the attacker. However, security alerts
More informationNEXT GENERATION SECURITY OPERATIONS CENTER
DTS SOLUTION NEXT GENERATION SECURITY OPERATIONS CENTER SOC 2.0 - ENHANCED SECURITY O&M SOC 2.0 - SUCCESS FACTORS SOC 2.0 - FUNCTIONAL COMPONENTS DTS SOLUTION SOC 2.0 - ENHANCED SECURITY O&M SOC 2.0 Protecting
More informationAttackers Process. Compromise the Root of the Domain Network: Active Directory
Attackers Process Compromise the Root of the Domain Network: Active Directory BACKDOORS STEAL CREDENTIALS MOVE LATERALLY MAINTAIN PRESENCE PREVENTION SOLUTIONS INITIAL RECON INITIAL COMPROMISE ESTABLISH
More informationTOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS
TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS 1 Introduction Your data and infrastructure are at the heart of your business. Your employees, business partners, and
More informationThe Credential Phishing Handbook. Why It Still Works and 4 Steps to Prevent It
The Credential Phishing Handbook Why It Still Works and 4 Steps to Prevent It Introduction Phishing is more than 20 years old, but still represents more than 90% of targeted attacks. The reason is simple:
More informationSymantec Security Monitoring Services
24x7 real-time security monitoring and protection Protect corporate assets from malicious global threat activity before it impacts your network. Partnering with Symantec skilled and experienced analysts
More informationISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002
ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION
More informationBehavioral Analytics A Closer Look
SESSION ID: GPS2-F03 Behavioral Analytics A Closer Look Mike Huckaby VP, Global Systems Engineering RSA The world is full of obvious things which nobody by any chance ever observes. Sherlock Holmes 2 Patterns
More informationSOLUTION BRIEF RSA NETWITNESS PLATFORM ACCELERATED THREAT DETECTION & AUTOMATED RESPONSE FROM THE ENDPOINT TO THE CLOUD
RSA NETWITNESS PLATFORM ACCELERATED THREAT DETECTION & AUTOMATED RESPONSE FROM THE ENDPOINT TO THE CLOUD OVERVIEW Information security has been a major challenge for organizations since the dawn of the
More informationSnort: The World s Most Widely Deployed IPS Technology
Technology Brief Snort: The World s Most Widely Deployed IPS Technology Overview Martin Roesch, the founder of Sourcefire and chief security architect at Cisco, created Snort in 1998. Snort is an open-source,
More informationCognito Detect is the most powerful way to find and stop cyberattackers in real time
Overview Cognito Detect is the most powerful way to find and stop cyberattackers in real time HIGHLIGHTS Always-learning behavioral models use AI to find hidden and unknown attackers, enable quick, decisive
More informationManaged Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts
Managed Enterprise Phishing Protection Comprehensive protection delivered 24/7 by anti-phishing experts MANAGED ENTERPRISE PHISHING PROTECTION 24/7 expert protection against phishing attacks that get past
More informationWHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX
WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX 1 INTRODUCTION The MITRE Corporation Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK ) Matrix provides a model
More informationIntegrated Access Management Solutions. Access Televentures
Integrated Access Management Solutions Access Televentures Table of Contents OVERCOMING THE AUTHENTICATION CHALLENGE... 2 1 EXECUTIVE SUMMARY... 2 2 Challenges to Providing Users Secure Access... 2 2.1
More informationCisco Advanced Malware Protection (AMP) for Endpoints Security Testing
Cisco Advanced Malware Protection (AMP) for Endpoints Security Testing 7 September 2018 DR180821E Miercom.com www.miercom.com Contents 1.0 Executive Summary... 3 2.0 Test Summary... 4 3.0 Product Tested...
More informationMachine-Powered Learning for People-Centered Security
White paper Machine-Powered Learning for People-Centered Security Protecting Email with the Proofpoint Stateful Composite Scoring Service www.proofpoint.com INTRODUCTION: OUTGUNNED AND OVERWHELMED Today
More informationForeScout Extended Module for Splunk
Enterprise Strategy Group Getting to the bigger truth. ESG Lab Review ForeScout Extended Module for Splunk Date: May 2017 Author: Tony Palmer, Senior Lab Analyst Abstract This report provides a first look
More informationWHITEPAPER ATTIVO NETWORKS DECEPTION TECHNOLOGY FOR MERGERS AND ACQUISITIONS
WHITEPAPER ATTIVO NETWORKS DECEPTION TECHNOLOGY FOR MERGERS AND ACQUISITIONS 1 INTRODUCTION Mergers & Acquisitions (M&A) are undertaken for a variety of strategic reasons that aim for greater synergy,
More informationEnhancing the Cybersecurity of Federal Information and Assets through CSIP
TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3
More informationSOLUTION BRIEF RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE
RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE KEY CUSTOMER BENEFITS: Gain complete visibility across enterprise networks Continuously monitor all traffic Faster analysis reduces risk exposure
More informationTHE CRITICAL COMMUNICATIONS COMPANY CYBER SECURITY AS A SERVICE
THE CRITICAL COMMUNICATIONS COMPANY CYBER SECURITY AS A SERVICE International Maritime Organization Regulations IMO has given shipowners and managers until 2021 to incorporate cyber risk management into
More informationWayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk
Wayward Wi-Fi How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk 288 MILLION There are more than 288 million unique Wi-Fi networks worldwide. Source: Wireless Geographic Logging
More informationMITIGATE CYBER ATTACK RISK
SOLUTION BRIEF MITIGATE CYBER ATTACK RISK CONNECTING SECURITY, RISK MANAGEMENT & BUSINESS TEAMS TO MINIMIZE THE WIDESPREAD IMPACT OF A CYBER ATTACK DIGITAL TRANSFORMATION CREATES NEW RISKS As organizations
More informationThe Top 6 WAF Essentials to Achieve Application Security Efficacy
The Top 6 WAF Essentials to Achieve Application Security Efficacy Introduction One of the biggest challenges IT and security leaders face today is reducing business risk while ensuring ease of use and
More informationDiscover threats quickly, remediate immediately, and mitigate the impact of malware and breaches
Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches Introduction No matter how hard you work to educate your employees about the constant and evolving threats
More informationSourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data
SEE everything in your environment LEARN by applying security intelligence to data ADAPT defenses automatically ACT in real-time Sourcefire Solutions Overview Security for the Real World Change is constant.
More informationPrivileged Account Security: A Balanced Approach to Securing Unix Environments
Privileged Account Security: A Balanced Approach to Securing Unix Environments Table of Contents Introduction 3 Every User is a Privileged User 3 Privileged Account Security: A Balanced Approach 3 Privileged
More informationSecuring Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)
Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF) A Guide to Leveraging Privileged Account Security to Assist with SWIFT CSCF Compliance Table of Contents Executive Summary...
More informationFOR FINANCIAL SERVICES ORGANIZATIONS
RSA BUSINESS-DRIVEN SECURITYTM FOR FINANCIAL SERVICES ORGANIZATIONS MANAGING THE NEXUS OF RISK & SECURITY A CHANGING LANDSCAPE AND A NEW APPROACH Today s financial services technology landscape is increasingly
More informationOffice 365 Buyers Guide: Best Practices for Securing Office 365
Office 365 Buyers Guide: Best Practices for Securing Office 365 Microsoft Office 365 has become the standard productivity platform for the majority of organizations, large and small, around the world.
More informationQuestion No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:
Volume: 75 Questions Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output: Which of the following is occurring? A. A ping sweep B. A port scan
More informationPALANTIR CYBERMESH INTRODUCTION
100 Hamilton Avenue Palo Alto, California 94301 PALANTIR CYBERMESH INTRODUCTION Cyber attacks expose organizations to significant security, regulatory, and reputational risks, including the potential for
More informationSOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT
RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion
More informationSIEMLESS THREAT DETECTION FOR AWS
SOLUTION OVERVIEW: ALERT LOGIC FOR AMAZON WEB SERVICES (AWS) SIEMLESS THREAT DETECTION FOR AWS Few things are as important to your business as maintaining the security of your sensitive data. Protecting
More informationTraditional Security Solutions Have Reached Their Limit
Traditional Security Solutions Have Reached Their Limit CHALLENGE #1 They are reactive They force you to deal only with symptoms, rather than root causes. CHALLENGE #2 256 DAYS TO IDENTIFY A BREACH TRADITIONAL
More informationOUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER
OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER HOW TO ADDRESS GARTNER S FIVE CHARACTERISTICS OF AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER 1 POWERING ACTIONABLE
More informationTransforming Security from Defense in Depth to Comprehensive Security Assurance
Transforming Security from Defense in Depth to Comprehensive Security Assurance February 28, 2016 Revision #3 Table of Contents Introduction... 3 The problem: defense in depth is not working... 3 The new
More informationDATA SHEET RSA NETWITNESS PLATFORM PERVASIVE VISIBILITY. ACTIONABLE INSIGHTS.
DATA SHEET RSA NETWITNESS PLATFORM PERVASIVE VISIBILITY. ACTIONABLE INSIGHTS. KEY ANALYSTS BENEFITS: Gain complete visibility across your network Alleviate pressures from security staff shortages with
More informationHOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL
HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL CONTENTS EXECUTIVE SUMMARY 1 WEB APPLICATION SECURITY CHALLENGES 2 INSIST ON BEST-IN-CLASS CORE CAPABILITIES 3 HARNESSING ARTIFICIAL INTELLIGENCE
More informationEliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat
WHITE PAPER Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat Executive Summary Unfortunately, it s a foregone conclusion that no organisation is 100 percent safe
More information2018 Edition. Security and Compliance for Office 365
2018 Edition Security and Compliance for Office 365 [Proofpoint has] given us our time back to focus on the really evil stuff. CISO, Global 500 Manufacturer Like millions of businesses around the world,
More informationDATA SHEET RSA NETWITNESS ENDPOINT DETECT UNKNOWN THREATS. REDUCE DWELL TIME. ACCELERATE RESPONSE.
RSA NETWITNESS ENDPOINT DETECT UNKNOWN THREATS. REDUCE DWELL TIME. ACCELERATE RESPONSE. KEY CUSTOMER BENEFITS: Gain complete visibility into all endpoints, regardless of whether they are on or off the
More informationEnhanced Threat Detection, Investigation, and Response
Enhanced Threat Detection, Investigation, and Response What s new in Cisco Stealthwatch Enterprise Release 6.10.2 Cisco Stealthwatch Enterprise is a comprehensive visibility and security analytics solution
More informationZimperium Global Threat Data
Zimperium Global Threat Report Q2-2017 700 CVEs per Year for Mobile OS 500 300 100 07 08 09 10 11 12 13 14 15 16 17 Outdated ios Outdated ANDROID 1 of 4 Devices Introduces Unnecessary Risk 1 out of 50
More informationRFP/RFI Questions for Managed Security Services. Sample MSSP RFP Template
RFP/RFI Questions for Managed Security Services Sample MSSP RFP Template Table of Contents Request for Proposal Template Overview 1 Introduction... 1 How to Use this Document... 1 Suggested RFP Outline
More informationATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK
PARTNER BRIEF ATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK INTRODUCTION Attivo Networks has partnered with Cisco Systems to provide advanced real-time inside-the-network
More informationUn SOC avanzato per una efficace risposta al cybercrime
Un SOC avanzato per una efficace risposta al cybercrime Identificazione e conferma di un incidente @RSAEMEA #RSAEMEASummit @masiste75 Mauro Costantini - Presales Consultant Agenda A look into the threat
More informationWHITEPAPER ENDPOINT DETECTION AND RESPONSE BEYOND ANTIVIRUS PROACTIVE THREAT HUNTING AT THE ENDPOINT
WHITEPAPER ENDPOINT DETECTION AND RESPONSE BEYOND ANTIVIRUS PROACTIVE THREAT HUNTING AT THE ENDPOINT THREE DECADES OF COMPUTER THREATS In 1986, the Brain boot sector virus caused the first widespread realization
More informationDefend Against the Unknown
Defend Against the Unknown Stay ahead of new threats with McAfee Endpoint Threat Defense solutions Targeted exploits. Ransomware. Explosive growth in zero-day malware. Organizations are locked in an ongoing
More informationThreat Hunting in Modern Networks. David Biser
Threat Hunting in Modern Networks David Biser What is Threat Hunting? The act of aggressively pursuing and eliminating cyber adversaries as early as possible in the Cyber Kill Chain. Why Perform Threat
More informationSecurity and Compliance for Office 365
Security and Compliance for Office 365 [Proofpoint has] given us our time back to focus on the really evil stuff. CISO, Global 500 Manufacturer Like millions of businesses around the world, you may be
More informationBest Practices in Securing a Multicloud World
Best Practices in Securing a Multicloud World Actions to take now to protect data, applications, and workloads We live in a multicloud world. A world where a multitude of offerings from Cloud Service Providers
More informationThe Cognito automated threat detection and response platform
Overview The Cognito automated threat detection and response platform HIGHLIGHTS Finds active cyberattackers inside cloud, data center and enterprise environments Automates security investigations with
More informationSecurity for an age of zero trust
Security for an age of zero trust A Two-factor authentication: Security for an age of zero trust shift in the information security paradigm is well underway. In 2010, Forrester Research proposed the idea
More informationCisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics
Solution Overview Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics BENEFITS Gain visibility across all network conversations, including east-west and north-south
More informationSecurity Solutions. Overview. Business Needs
Security Solutions Overview Information security is not a one time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort.
More informationSOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM
RSA NETWITNESS EVOLVED SIEM OVERVIEW A SIEM is technology originally intended for compliance and log management. Later, as SIEMs became the aggregation points for security alerts, they began to be more
More informationAre we breached? Deloitte's Cyber Threat Hunting
Are we breached? Deloitte's Cyber Threat Hunting Brochure / report title goes here Section title goes here Have we been breached? Are we exposed? How do we proactively detect an attack and minimize the
More informationPutting security first for critical online brand assets. cscdigitalbrand.services
Putting security first for critical online brand assets cscdigitalbrand.services 2 As the most security conscious digital brand service provider, our clients trust us to take care of their businesses and
More informationEvolution of Spear Phishing. White Paper
Evolution of Spear Phishing White Paper Executive Summary Phishing is a well-known security threat, but few people understand the difference between phishing and spear phishing. Spear phishing is the latest
More informationCLEARING THE PATH: PREVENTING THE BLOCKS TO CYBERSECURITY IN BUSINESS
CLEARING THE PATH: PREVENTING THE BLOCKS TO CYBERSECURITY IN BUSINESS Introduction The world of cybersecurity is changing. As all aspects of our lives become increasingly connected, businesses have made
More informationWHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution
WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution Tervela helps companies move large volumes of sensitive data safely and securely over network distances great and small. We have been
More information4/13/2018. Certified Analyst Program Infosheet
4/13/2018 Certified Analyst Program Infosheet Contents I. Executive Summary II. Training Framework III. Course Structure, Learning Outcomes, and Skills List IV. Sign-up and More Information Executive Summary
More informationBRING SPEAR PHISHING PROTECTION TO THE MASSES
E-Guide BRING SPEAR PHISHING PROTECTION TO THE MASSES SearchSecurity phishing. I n this expert tip, David Sherry describes how a combination of technical controls and user awareness training can help put
More informationGDPR: An Opportunity to Transform Your Security Operations
GDPR: An Opportunity to Transform Your Security Operations McAfee SIEM solutions improve breach detection and response Is your security operations GDPR ready? General Data Protection Regulation (GDPR)
More informationService. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution
Service SM Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution Product Protecting sensitive data is critical to being
More informationClosing the Biggest Security Hole in Web Application Delivery
WHITE PAPER JANUARY 2014 Closing the Biggest Security Hole in Web Application Delivery Addressing Session Hijacking with CA SiteMinder Enhanced Session Assurance with DeviceDNA Martin Yam CA Security Management
More informationIPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions
IPS Effectiveness IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions An Intrusion Prevention System (IPS) is a critical layer of defense that helps you protect
More informationThe Cost of Phishing. Understanding the True Cost Dynamics Behind Phishing Attacks A CYVEILLANCE WHITE PAPER MAY 2015
The Cost of Phishing Understanding the True Cost Dynamics Behind Phishing Attacks A CYVEILLANCE WHITE PAPER MAY 2015 Executive Summary.... 3 The Costs... 4 How To Estimate the Cost of an Attack.... 5 Table
More informationThe Art and Science of Deception Empowering Response Actions and Threat Intelligence
SESSION ID: SPO1-W05B The Art and Science of Deception Empowering Response Actions and Threat Intelligence Ray Kafity Vice President Attivo Networks Why Today s Security Defenses are Failing Attackers
More informationTeradata and Protegrity High-Value Protection for High-Value Data
Teradata and Protegrity High-Value Protection for High-Value Data 12.16 EB7178 DATA SECURITY Table of Contents 2 Data Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:
More informationCYBER RESILIENCE & INCIDENT RESPONSE
CYBER RESILIENCE & INCIDENT RESPONSE www.nccgroup.trust Introduction The threat landscape has changed dramatically over the last decade. Once the biggest threats came from opportunist attacks and preventable
More informationARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE
ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE Vectra Cognito HIGHLIGHTS Finds active attackers inside your network Automates security investigations with conclusive
More informationInfoblox Dossier User Guide
Infoblox Dossier User Guide 2017 Infoblox Inc. All rights reserved. ActiveTrust Platform Dossier and TIDE - June 2017 Page 1 of 16 1. Overview of Dossier... 3 2. Prerequisites... 3 3. Access to the Dossier
More informationBomgar Discovery Report
BOMGAR DISCOVERY REPORT Bomgar Discovery Report This report is designed to give you important information about the privileged credentials regularly being used to access endpoints and systems on your network,
More informationRiskSense Attack Surface Validation for Web Applications
RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment
More informationPredicting and Preventing Cyber Threats. Paolo Passeri, Consulting Systems Engineer
Predicting and Preventing Cyber Threats Paolo Passeri, Consulting Systems Engineer The way we work has changed Internet Critical infrastructure Amazon, Rackspace, Windows Azure, etc. Business apps Salesforce,
More informationTechnical Brief: Domain Risk Score Proactively uncover threats using DNS and data science
Technical Brief: Domain Risk Score Proactively uncover threats using DNS and data science 310 Million + Current Domain Names 11 Billion+ Historical Domain Profiles 5 Million+ New Domain Profiles Daily
More information