The modern security lifecycle approach
Challenges, defense concepts, our solutions
Teodor Cimpoesu, Cyber Security BU Director
Cyber Security Day, Bucharest, 29 Oct, 2014

How CSOs think of their networks

What the reality looks like: overwhelmed by bots

Agenda
1 Outside your cyber walls (7 min)
2 Defense – military imported cyber concepts (5 min)
3 Solutions – CSIRT and Managed Services (8 min)

Section 1: Outside your cyber walls

Cyber threats evolution
Chart: threat actors plotted by Danger (vertical axis) against Complexity (horizontal axis), listed top to bottom as on the slide:
• Nation-state cyber attacks
• Organized crime
• Cyber espionage
• Terrorist groups
• Small criminal groups
• Freelance hackers
Call-outs on the chart:
• Kinetic cyber-attacks: Chevron (1992), Gazprom (1999), Stuxnet (2010), Aramco (2012)
• Cyber espionage: Agent.btz (2008), Aurora (2010), Energetic Bear (2012), Flame (2012), Uroburos (2014)

Cybercrime Ecosystem
Key figures (call-outs on the slide):
• 5%: true targeted attacks; 95% are consumer-grade.
• $50k: in 2009 it cost $50k to rent a botnet for a DDoS attack of 24h. Prices went down.
• $100 mil: the FBI takedown of SilkRoad led to the seizing of $100mil in Bitcoins.
• $150 bln: the cost of traditional crime going cyber is over 150 billion, and the total estimate is 250 billion.

Who the attackers are:
• 70% individuals or small groups
• 20% criminal organizations
• 5% cyber-terrorists
• 4% state-sponsored players
Most quantity: CN, Latin America, EE. Best quality: RU, UA, CN. RU, RO, LT, UA and other EE players mainly focus on attacking financial institutions.
Organizational ladder: Crime Gang > Crime Group > Syndicate > Cartel > Consortium > Organization.
Source: RAND Corporation, Markets for Cybercrime Tools and Stolen Data (2014), www.rand.org

Goods and Services on the Black Market
[Two tables with columns Category / Definition / Examples; the entries were not captured in this extraction.]

Vendors offer guarantees (e.g. 12h malware undetectable), guard Terms of Use (e.g. infect 1000 machines only) or may cancel the service (for too much noise). They also invest in high-quality products: Paunch, the owner of the BlackHole Exploit Kit, was said to put in 100k USD for zero-days in just one round.
Source: RAND Corporation, Markets for Cybercrime Tools and Stolen Data (2014), www.rand.org

[Table with columns Exploit Kit / Price / Year; the entries were not captured in this extraction.]
Source: RAND Corporation, Markets for Cybercrime Tools and Stolen Data (2014), www.rand.org

Nation-state campaigns
Per campaign: Attacker, Targets, Initial vector / Delivery, Control / Persistence.

Aurora / Hydraq (2010)
  Attacker: Chinese (supposed); Elderwood Group / PLA Unit 61398 / Comment Crew.
  Targets: Google, Adobe, Juniper, Yahoo, Symantec, Morgan Stanley.
  Initial vector / Delivery: IE JavaScript exploit (3 months old). Spear phish / watering hole suspected.
  Control / Persistence: backdoor masquerading as SSL, with custom encryption. Dynamic DNS.

Night Dragon (2011)
  Attacker: Chinese (supposed); one attacker identified as being from Shandong Province.
  Targets: global Oil & Gas, energy and petrochemical.
  Initial vector / Delivery: SQL-injection exploits of extranet web servers; malware placed on the server and used to harvest AD. Spear-phishing e-mail to mobile worker laptops containing a malicious link (social engineering).
  Control / Persistence: RAT (zwShell) on users' computers/laptops, connecting over the user VPN. Dropper + backdoor.

RSA (2011)
  Attacker: Chinese (supposed).
  Targets: RSA SecurID, then Lockheed Martin, L-3 Communications, Northrop Grumman.
  Initial vector / Delivery: spear-phishing email, Excel with SWF exploit. Stolen account (Lockheed).
  Control / Persistence: Poison Ivy RAT. No other info available; Lockheed claims it stopped it.

RedOctober (2012)
  Attacker: Russian (supposed); possible links with Uroburos/Snake.
  Targets: Gov, Diplomatic, Trade, Nuclear, Oil & Gas, Military, Aerospace.
  Initial vector / Delivery: spear-phishing email with Excel and Word (RTF) exploits > Dropper > Loader.
  Control / Persistence: multi-functional framework (34+ modules).

Energetic Bear (2014)
  Attacker: Russian (supposed).
  Targets: Defense & aviation (US, CA), energy ICS / SCADA vendors (EU), EU Gov.
  Initial vector / Delivery: spear-phishing email campaign (XDP-packaged PDF with SWF exploit). Watering hole: 3rd-party site with LightsOut exploit kit -> JAR. Trojanized software installers.
  Control / Persistence: Havex RAT, Sysmain Trojan, Karagany backdoor.

Strategies of attack
Matryoshka Attack – encompass a victim in a general event that conceals a targeted attack, e.g. known botnet attacks. Additionally, the attacker can mount a social-engineering attack in parallel as a decoy. Forensics may turn up this obvious targeted attack and thus overlook the lower-profile, still potent botnet.
Impossible Attack – characterized by unexpected methods or channels of entry. The deception strategy is to breach a security perimeter through an unconventional means of ingress.
Panic Attack – create disturbances or simulate threats to the victim to obtain intelligence about a target resource. The deployment of additional monitoring in certain parts of the network reveals the location of high-value assets. The quarantine or shutdown of suspect machines, changes to compromised user accounts, or the incorporation of custom intrusion detection rules reveal the extent of the victim’s knowledge about the attack. The provision of alternative computing infrastructure reveals critical services required by the organization’s operation.
Deceive & Decoy Attack – conceals adversarial activity or stolen data within a legitimate or benign-looking context. High-value assets are typically exfiltrated by obfuscating the data through compression or encryption and concealing it among common file transfer protocols such as FTP or HTTP, over popular application protocols, or hidden in legitimate-looking documents (through steganographic means).
Source: “Sherlock Holmes and The Case of the Advanced Persistent Threat”, Ari Juels, Ting-Fang Yen, RSA (2012)

Exfiltration – should keep you up at night
• Encrypted communication
• Over trusted protocols
• Can you change your security policy?
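An added example, not from the presentation, of what "detect" can mean for the exfiltration pattern above: a Python detector run over constructed outbound transfer records that flags opaque (high-entropy, i.e. compressed or encrypted) uploads over the trusted protocols named on the slide, both as single large transfers and as a sum of small transfers to one destination that each stay under the per-transfer threshold. The hosts, destinations, protocols, thresholds and payload samples are all constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of outbound proxy/flow records, not real traffic:
# (source host, destination, protocol, bytes out, first bytes of payload).
OPAQUE = bytes(range(256))  # stands in for compressed or encrypted content
SAMPLE_RECORDS = [
    ("ws-017", "intranet.example", "HTTP", 1_200, b"GET /index.html HTTP/1.1"),
    ("ws-042", "mail.example", "SMTP", 8_500, b"From: a@example\r\nSubject: hi"),
    ("ws-042", "files.partner.example", "FTP", 15_000_000, b"STOR r.bin\r\n" + OPAQUE * 2),
    ("ws-017", "cdn.example-vendor", "HTTP", 840_000, b"POST /up HTTP/1.1\r\n\r\n" + OPAQUE * 3),
] + [("ws-017", "203.0.113.45", "HTTP", 900_000, b"PUT /x HTTP/1.1\r\n\r\n" + OPAQUE * 4)] * 3

TRUSTED = {"HTTP", "HTTPS", "FTP"}  # protocols the perimeter allows outbound

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for encrypted/compressed data, 4 to 5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_opaque(proto: str, payload: bytes, entropy_min: float = 7.0) -> bool:
    """True when an allowed protocol carries a high-entropy (opaque) payload."""
    return proto in TRUSTED and shannon_entropy(payload) >= entropy_min

def find_exfil_candidates(records, single_min=1_000_000, total_min=2_000_000,
                          allowlist=frozenset()):
    """Return (host, dest, bytes, reason) tuples for an analyst to triage.
    Rule 1: one large opaque upload.  Rule 2: many small opaque uploads to the
    same destination whose sum crosses total_min ('low and slow' exfiltration
    that stays under the per-transfer threshold)."""
    hits, totals = [], defaultdict(int)
    for host, dest, proto, size, payload in records:
        if dest in allowlist or not is_opaque(proto, payload):
            continue
        if size >= single_min:
            hits.append((host, dest, size, "single large opaque upload over " + proto))
        else:
            totals[(host, dest)] += size
    for (host, dest), total in totals.items():
        if total >= total_min:
            hits.append((host, dest, total, "aggregate of small opaque uploads"))
    return hits

if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_RECORDS, allowlist={"cdn.example-vendor"}):
        print(hit)
```

The allowlist is where the "can you change your security policy?" question lands: known vendor destinations are suppressed explicitly, so every remaining hit is a policy decision rather than noise.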
Source: TrendMicro Labs

Today
“There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don’t know it” – Gartner Inc. (2012)
Source: Gartner whitepaper, “Malware Is Already Inside Your Organization; Deal With It” (2014)

CEE Cyber Security Readiness
Chart 1: "We have the best protection for ..." (share of respondents)
                                  Highly Agree   Agree   Depends
  ... external attacks                 38%        47%      13%
  ... disruptions and data loss        37%        44%      16%

Chart 2: "We had 3rd-party vulnerability assessments in the last 3 years" (share of companies)
  Austria          57%
  Czech Republic   50%
  Hungary          50%
  Poland           45%
  Romania          38%
  Slovakia         34%
  Turkey           46%
  Total            46%

Companies do not regularly check their security standing and hope for the best.
Source: ICT Business Trends & Challenges in Austria, CEE and Turkey, Pierre Audoin Consultants (2014)

Section 2: Defense – military imported cyber security concepts

The Terms
Exploit – the defined way (specific steps/application) to use a vulnerability in practice, to breach a system. The exploit range can be local or remote.
Zero-Day Vulnerability – a vulnerability for which there is no patch (solution/countermeasure) from the vendor of the system or application.
Zero-Day Exploit – the actual means to use that vulnerability.
Attack – the realization of a threat, through the means of exploits on existing vulnerabilities.
Attack vector – the method that the (exploit) code uses to breach or propagate. A vulnerability can have several attack vectors.
Attack surface – the sum of all attack vectors.
Impact – financial and non-financial loss estimate = value of services, capabilities, data etc. after a threat materializes into an attack (considering cyber attacks, not accidents).
Controls – mechanisms used to restrain, regulate, or reduce vulnerabilities. Controls can be corrective, detective, preventive, or deterrent.

Stages
1 • Intelligence gathering – OSINT, CYBINT, HUMINT
2 • Infecting the target – SE, BYOD, spear phishing, water holing
3 • System exploitation – zero-day exploits, half-day exploits + RATs
4 • Internal recon - lateral movement and maintaining control
5 • Data exfiltration – over FTP/HTTP, known/fake protocols

Military concepts in cyber use
Cyber Terrain – those physical and logical elements of the domain that enable mission-essential warfighting functions.
OPSEC – systematic method used to identify, control and protect critical information, and to analyze friendly actions associated with military operations.
Cyber Targeting – the process of selecting and prioritizing targets and matching them against the appropriate response to them.
Disinformation / Diversion – actions executed to deliberately mislead the adversary military. False targets such as honeypots can be used to learn about the adversary.
Threat Intelligence – complex doctrine, consisting of planning, collection, analysis, dissemination & integration and evaluation of data.
Diagram labels: Kill Chain, OPSEC, Targeting, Terrain, Disinformation / Diversion, Threat Intelligence.

The Kill Chain
Find > Fix > Track > Target > Engage > Assess
Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Eric M. Hutchins et al. Image: http://www.digitalbond.com/blog/tag/cyber-kill-chain/

Intelligence-driven Computer Network Defense
[Slide figure not captured in this extraction.]
Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Eric M. Hutchins et al.

The Defense Chain
Plan – what to protect, what your assets and policies are, what type of protective controls.
Build – acquire competencies, build skilled specialists, acquire tools (after teams). Implement the solutions in your company.
Monitor – operate the technical solutions; have operational NSM/SIEM systems; perform reviews and drills (incident response exercises).
Detect – check the output of monitoring systems, validate the alerts and do proactive search of IoA (indicators of attack).
Respond – exercise the incident response plans; investigate, contain and remediate.
Report – gather information, analyze it, communicate to the right people.
Improve – keep the tools, procedures and processes in a maturing loop.

Plan > Build > Monitor > Detect > Respond > Report > Improve
Source: http://detect-respond.blogspot.ro/2014/10/the-defense-chain.html

Step 1 - Risk Management
Risk Assessment is built from three activities:
Asset Management – asset values, asset exposure.
Threat Modeling – threat vectors.
Attack Modeling – attack trees, attack-centric scenarios.
Section 3: Solutions – CSIRT and Managed Services

Why use Managed Services
1 Fast track to legal/regulatory compliance and risk management
2 Import of skills and capabilities – the specialists you wished you had
3 Focus your IT resources on support for core processes and competencies
4 Smarter investment – all those technologies are yours, as a service
5 Smarter execution – translating large upfront costs into operational costs
6 Build solid trust for solid quality – you have a commercial contract, not HR

What we do
Technology Solutions: complete cyber defense projects; Cisco, Juniper, FireEye, IBM, Symantec, Websense, SkyBox, Microsoft, BAE Systems, Rapid7 and others.
MSSP Portfolio: Security Consulting; Audit & Pentest; Security Management; Managed Network Security; Managed Endpoint Security; Network Security Monitoring.
UTI CERT: Incident Response; Data Forensics; Malware analysis & more.
Training: EC-Council, (ISC)², ISACA, Mile2, Mandiant, CompTIA + Microsoft, Cisco, Fortinet and others.

Managed Security Service Provider & CERT SOC
Consulting: Vulnerability Assessment; Security validation (Pentesting); Security Policy Design; Network Security Design.
Managed Services: Monitoring (SIEM); Network Security; Communication Security; Data Security; Endpoint Security.
CSIRT Services: Malware Analysis; Alerting; Incident Handling; Vulnerability Handling; Data Forensics; Vulnerability Analysis.
Special Services: Cyber Investigation; Threat Intelligence; Advanced Correlation; Special Projects; Research & Development.

What we can do for you
1 • Help do proper risk evaluation and update your cyber policy
2 • Test and validate the technical vulnerabilities – in the key points
3 • Implement the right security controls with the best technologies
4 • Monitor the security for you, or help you do it right (SIEM based)
5 • Be your SWAT team when incident strikes – do Incident Response
6 • Be your Investigator – if you may be the target of cyber-espionage

CSIRT Services
Security Management: Risk Analysis; Security Consulting; Security Validation; Education/Training; BC & DR Plans; Security Tools Development; Security Analytics.
Proactive Services: Announcements; Technology Watch; Configuration Management; Network Security Management; Intrusion Detection Services.
Reactive Services: Alerts and warnings; Incident Handling (incident analysis; IR on site, support, coordination); Vulnerability Handling (vuln analysis; vuln response, coordination); Data Forensics (artifact analysis; DF response, coordination).
Contact: [email protected], @cteodor, +40724.039.254, [email protected]

Referenced/Quoted Material
• RAND Corporation, “Markets for Cybercrime Tools and Stolen Data - Hackers’ Bazaar” (2014)
• IBM, “IBM X-Force Threat Intelligence Quarterly, 3Q 2014” (2014)
• RSA, “The Current State of Cybercrime 2014 - An Inside Look at the Changing Threat Landscape” (2014)
• SANS Institute, “Critical Security Controls: From Adoption to Implementation” (2014)
• CrowdStrike, “Global Threat Report – 2013 Year in Review” (2014)
• Aditya Sood, Richard Enbody, “Targeted Cyber Attacks – Multi-stage Attacks Driven by Exploits and Malware”, Elsevier Publishing (2014)
• Jason Luttgens, Matthew Pepe, Kevin Mandia, “Incident Response and Computer Forensics”, 3rd edition, McGraw-Hill Education (2014)
• Symantec, “Dragonfly: Cyberespionage Attacks Against Energy Suppliers” (2014)
• Kaspersky Lab, “Red October” Diplomatic Cyber Attacks Investigation (2013)
• IBM, “IT Executive Guide to Security Intelligence - Transitioning from Log Management and SIEM to Comprehensive Security Intelligence” (2013)
• DarkReading, “Top 15 Indicators of Compromise” (2013)
• Ari Juels, Ting-Fang Yen, RSA, “Sherlock Holmes and The Case of the Advanced Persistent Threat” (2012)
• McAfee, “Global Energy Cyberattacks: ‘Night Dragon’” (2011)
• Eric M. Hutchins et al., Lockheed Martin, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” (2011)
• HBGary, “Operation Aurora” (2010)
• Alexander Opel, “Design and Implementation of a Support Tool for Attack Trees” (2005)