Wednesday, April 23, 2014

[fireeye] Dissecting Advanced Attacks: FireEye Labs and the 2014 DBIR

With the release of this year’s Verizon Data Breach Investigations Report, it is clear that the cybersecurity landscape is once-again experiencing a drastic change in the type of attacks that are threatening organizations’ intellectual property, financial information and customer data.

In response to this change, this year’s report has added a critical new tactic for addressing the advanced threat landscape organization’s are operating in today: examining incident patterns. As attackers have already shifted their strategies, the cyber defense industry is too, now – moving away from a model built around identifying and remediating single attacks towards one where threat actors and their behaviors are identified and blocked globally.
As examples of this changing threat landscape and the new tactics needed, FireEye contributed forensic data from three of the advanced attack campaigns we uncovered in 2013:
  • Operation DeputyDogA campaign targeting organizations in Japan that began in August of 2013 and, upon behavioral analysis by FireEye systems.
  • Operation Ephemeral HydraActing from attack certain infrastructures shared with the DeputyDog campaign as well as code shared with the Remote Access Tool used in the Bit9 compromise, this campaign took advantage of an Internet Explorer zero-day to compromise visitors of a website focused on US national and international security.
  • The Sunshop CampaignTargeting a range of victims through the sites of Korean military and strategy think tanks and a science and technology journal, FireEye was able to link this campaign to a group responsible for attacking the Nobel Peace Prize Committee’s website in 2010.
In all three of these advanced attacks, behavioral analysis conducted by our researchers utilizing data from theFireEye Dynamic Threat Intelligence™ cloud, allowed us to provide Verizon the context behind these attacks and the patterns that identify their perpetrators. Ultimately, we were able to tie two of the attacks together and attribute one to a similar attack from three years prior. This involved creating a new paradigm in the security practice where real-time information sharing of malicious network behaviors between organizations is commonplace.
What we saw from these attacks and countless others is that, given the pace and stealth at which threat actors move today, organizations will need to rely less on traditional signatures and defenses and more on intelligence. Including this new intelligence information in this year’s DBIR is a great step towards recognizing this new paradigm and will certainly accelerate the fight against advanced attackers.
To read more about the changing attack behavior download a full version of the Verizon DBIR:

No comments:

Post a Comment