The modern security lifecycle approach

Challenges, defense concepts, our solutions

Teodor Cimpoesu, Cyber Security BU Director

Cyber Security Day, Bucharest, 29 Oct, 2014

How CSOs think of their networks

How the reality looks – overwhelmed by bots

Agenda

1 Outside your cyber walls 7 min

2 Defense - military imported cyber concepts 5 min

3 Solutions – CSIRT and Managed Services 8 min

Outside your cyber walls

Cyber threats evolution

[Chart: threat actors plotted by Danger (vertical axis) against Complexity (horizontal axis)]
Actor categories: Kinetic cyber-attacks, Nation-state cyber attacks, Organized crime, Cyber espionage, Terrorist groups, Small criminal groups, Freelance
Incidents plotted: Chevron (1992), Gazprom (1999), (2010), Aramco (2012), Agent.Btz (2008), Aurora (2010), Energetic Bear (2012), (2012), Uroburos (2014)

Cybercrime Ecosystem

• The cost of traditional crime going cyber is over $150 billion; the total estimate is $250 billion.
• In 2009 it cost $50k to rent a botnet for a DDoS attack of 24h. Prices went down.
• 5% are true targeted attacks; 95% are consumer-grade.
• The FBI takedown of SilkRoad led to the seizing of $100 mil in Bitcoins.
• 70% individuals or small groups, 20% criminal organizations, 5% cyber-terrorists, 4% state-sponsored players.
• Most quantity: CN, Latin America, EE. Best quality: RU, UA, CN.
• RU, RO, LT, UA, and other EE mainly focus on attacking financial institutions.
• Scale of organization: Crime Gang, Crime Group, Syndicate, Cartel, Consortium, Organization.

Source: RAND Corporation, Markets for Cybercrime Tools and Stolen Data (2014), www.rand.org

Goods and Services on the Black Market

[Table: Category / Definition / Examples – rows not recovered]

Vendors offer guarantees (e.g. 12h undetectable), guard Terms of Use (e.g. infect 1000 machines only) or may cancel the service (for too much noise). They also invest in high quality products: Paunch, the BlackHole Exploit owner, was said to put in 100k USD for zero-days in just one round.

Source: RAND Corporation, Markets for Cybercrime Tools and Stolen Data (2014), www.rand.org

Goods and Services on the Black Market

[Table: Exploit Kit / Price / Year – rows not recovered]

Source: RAND Corporation, Markets for Cybercrime Tools and Stolen Data (2014), www.rand.org

Nation-state campaigns

Columns: Attacker | Targets | Initial vector / Delivery | Control / Persistence

Aurora / Hydraq (2010)
Attacker: Chinese (supposed). Elderwood Group / PLA Unit 61398 / Comment Crew.
Targets: Google, Adobe, Juniper, Yahoo, Symantec, Morgan Stanley.
Initial vector / Delivery: IE JavaScript exploit (3 months old). Spear phish / watering hole suspected.
Control / Persistence: Backdoor, masqueraded as SSL with custom encryption. Dynamic DNS.

Night Dragon (2011)
Attacker: Chinese (supposed). One attacker identified as being from Shandong Province.
Targets: Global Oil & Gas, energy and petrochemical.
Initial vector / Delivery: SQL-injection exploits of extranet web servers. Malware placed on the server and used to harvest AD. Spear e-mail to mobile worker laptops containing a malicious link (social engineering). Dropper + backdoor.
Control / Persistence: RAT (zwShell) on users' computers/laptops, connection over user VPN.

RSA (2011)
Attacker: Chinese (supposed).
Targets: RSA SecurID to Lockheed Martin, L-3 Communications, Northrop Grumman.
Initial vector / Delivery: Spear phishing email – Excel with SWF exploit. Stolen account (Lockheed).
Control / Persistence: Poison Ivy RAT. No other info available. Lockheed claims it stopped it.

RedOctober (2012)
Attacker: Russian (supposed). Possible links with Uroburos/Snake.
Targets: Gov, Diplomatic, Trade, Nuclear, Oil & Gas, Military, Aerospace.
Initial vector / Delivery: Spear phishing email with Excel and Word (RTF) exploits > Dropper > Loader.
Control / Persistence: Multi-functional framework (34+ modules).

Energetic Bear (2014)
Attacker: Russian (supposed).
Targets: Defense & aviation (US, CA), energy ICS / SCADA vendors (EU), EU Gov.
Initial vector / Delivery: Spear phishing email campaign (XDP packaged PDF with SWF exploit). Watering hole – 3rd party site with LightsOut exploit kit -> JAR. Trojanized software installers.
Control / Persistence: Havex RAT, Sysmain Trojan, Karagany backdoor.

Strategies of attack

Matryoshka Attack • Encompass a victim in a general event that conceals a targeted attack, e.g. known botnet attacks. Additionally, the attacker can mount a social-engineering attack in parallel as a decoy. Forensics may turn up this obvious targeted attack and thus overlook the lower-profile, still potent botnet.

Impossible Attack • Characterized by unexpected methods or channels of entry. The deception strategy is to breach a security perimeter through an unconventional means of ingress.

Panic Attack • Create disturbances or simulate threats to the victim to obtain intelligence about a target resource. • The deployment of additional monitoring in certain parts of the network reveals the location of high-value assets. The quarantine or shutdown of suspect machines, changes to compromised user accounts, or the incorporation of custom intrusion detection rules reveal the extent of the victim’s knowledge about the attack. The provision of alternative computing infrastructure reveals critical services required by the organization’s operation.

Deceive&Decoy Attack • Conceals adversarial activity or stolen data within a legitimate or benign-looking context. High-value assets are typically exfiltrated by obfuscating the data through compression or encryption, and concealing it among common file transfer protocols such as FTP or HTTP, over popular app protocols, or hidden in legitimate-looking documents (through steganographic means).

Source: “Sherlock Holmes and The Case of the Advanced Persistent Threat”, Ari Juels, Ting-Fang Yen, RSA (2012)

Exfiltration – should keep you up at night

• Encrypted communication
• Over trusted protocols
• Can you change your security policy?
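The "encrypted communication over trusted protocols" pattern described in the Deceive&Decoy strategy and on this slide is something a defender can hunt for in proxy logs. The following is an added example, not from the slides or from UTI: it flags clients whose HTTP traffic is dominated by sustained uploads and measures the byte entropy of a body sample to tell compressed or encrypted content from plain text. The log lines, hosts and thresholds are constructed.

```python
import math
from collections import defaultdict

# Constructed proxy log sample (not from any real environment):
# timestamp  client  method  destination host  bytes_out  bytes_in
PROXY_LOG = """\
2014-10-29T09:01:02 10.0.0.12 GET  news.example.org          512    48211
2014-10-29T09:01:09 10.0.0.12 GET  cdn.example.org           433    91020
2014-10-29T09:02:15 10.0.0.47 POST upload.example-files.net  10485760  210
2014-10-29T09:02:40 10.0.0.47 POST upload.example-files.net  10485760  198
2014-10-29T09:03:01 10.0.0.47 POST upload.example-files.net  10485760  205
2014-10-29T09:03:30 10.0.0.12 POST mail.example.org          7200   3100
"""

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: plain text sits around 4-5,
    compressed or encrypted content close to the 8.0 maximum."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(body: bytes, threshold: float = 7.5) -> bool:
    """High entropy alone is not proof (images and archives score high too),
    but from a client that normally sends small text requests it merits an alert."""
    return shannon_entropy(body) >= threshold

def flag_uploaders(log: str, min_out_bytes: int = 5 * 2**20, min_ratio: float = 0.9) -> dict:
    """Clients whose outbound HTTP volume dominates their traffic.
    Browsing pulls data in; sustained large uploads over a trusted protocol
    are the exfiltration pattern the slides describe. Returns {client: (bytes_out, ratio)}."""
    totals = defaultdict(lambda: [0, 0])
    for line in log.splitlines():
        _, client, _, _, out, inn = line.split()
        totals[client][0] += int(out)
        totals[client][1] += int(inn)
    flagged = {}
    for client, (out, inn) in totals.items():
        ratio = out / (out + inn)
        if out >= min_out_bytes and ratio >= min_ratio:
            flagged[client] = (out, round(ratio, 3))
    return flagged

if __name__ == "__main__":
    print(flag_uploaders(PROXY_LOG))
    print(round(shannon_entropy(b"GET /index.html HTTP/1.1"), 2))
```

Thresholds must be tuned against a baseline of the organisation's own traffic; backup agents and cloud storage clients legitimately upload large encrypted volumes and belong on an allow-list rather than in the alert queue.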

Source: TrendMicro Labs

Today

“There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don’t know it” – Gartner Inc. (2012)

Source: Gartner whitepaper, “Malware Is Already Inside Your Organization; Deal With It” (2014)

CEE Cyber Security Readiness

[Chart 1] “We have the best protection for ...” (Highly Agree / Agree / Depends)
• ... external attacks: 38% / 47% / 13%
• ... disruptions and data loss: 37% / 44% / 16%

[Chart 2] “We had 3rd party vulnerability assessments in the last 3 years”
• Austria 57%
• Czech Republic 50%
• Hungary 50%
• Poland 45%
• Romania 38%
• Slovakia 34%
• Turkey 46%
• Total 46%

Companies do not regularly check their security standing and hope for the best.

Source: ICT Business Trends & Challenges in Austria, CEE and Turkey, Pierre Audoin Consultants (2014)

Military imported cyber security concepts

The Terms

Exploit – the defined way (specific steps/application) to use a vulnerability in practice, to breach a system. The exploit range can be local or remote.
Zero-Day Vulnerability – a vulnerability for which there is no patch (solution/countermeasure) from the vendor of the system or application.
Zero-Day Exploit – the actual means to use that vulnerability.
Attack – the realization of a threat, through the means of exploits on existing vulnerabilities.
Attack vector – the method that the (exploit) code uses to breach or propagate. A vulnerability can have several attack vectors.
Attack surface – the sum of all attack vectors.
Impact – financial and non-financial loss estimate = value of services, capabilities, data etc. after a threat materializes into an attack (if we take cyber attacks, not accidents).
Controls – mechanisms used to restrain, regulate, or reduce vulnerabilities. Controls can be corrective, detective, preventive, or deterrent.

Stages

1 • Intelligence gathering – OSINT, CYBINT, HUMINT

2 • Infecting the target – SE, BYOD, spear phishing, water holing

3 • System exploitation – zero-day exploits, half-day exploits + RATs

4 • Internal recon - lateral movement and maintaining control

5 • Data exfiltration – over FTP/HTTP, known/fake protocols

Military concepts in cyber use

[Diagram labels: Kill Chain, OPSEC, Targeting, Terrain, Disinformation, Diversion, Threat Intelligence]

Cyber Terrain – those physical and logical elements of the domain that enable mission essential warfighting functions.
OPSEC – systematic method used to identify, control and protect critical information, and to analyze friendly actions associated with military operations.
Cyber Targeting – the process of selecting and prioritizing targets and matching them against the appropriate response to them.
Disinformation / Diversion – actions executed to deliberately mislead the adversary military. False targets such as honeypots can be used to learn about the adversary.
Threat Intelligence – complex doctrine, consisting of planning, collection, analysis, dissemination & integration and evaluation of data.

The Kill Chain

Find

Fix

Track

Target

Engage

Assess

Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Eric M. Hutchins et al. Image: http://www.digitalbond.com/blog/tag/cyber-kill-chain/

Intelligence-driven Computer Network Defense

Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Eric M. Hutchins et al.

The Defense Chain

Plan – what to protect, what are your assets, policies, what type of protective controls.
Build – acquire competencies, build skills and specialists, acquire tools (after teams). Implement the solutions in your company.
Monitor – operate the technical solutions, have operational NSM/SIEM systems, perform reviews and drills (incident response exercises).
Detect – check the output of monitoring systems, validate the alerts and do proactive search of IoA (indicators of attack).
Respond – exercise the incident response plans; investigate, contain and remediate.
Report – gather information, analyze it, communicate to the right people.
Improve – keep the tools, procedures and processes in a maturing loop.

Plan → Build → Monitor → Detect → Respond → Report → Improve

Source: http://detect-respond.blogspot.ro/2014/10/the-defense-chain.html

Step 1 - Risk Management

Risk Assessment
• Asset Management: Asset Values, Asset Exposure
• Threat Modeling: Threat Vectors, Attack Centric
• Attack Modeling: Attack Trees, Scenarios
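Attack trees, listed under Attack Modeling in the risk assessment above, can be evaluated mechanically to rank attack-centric scenarios. This added example (not from the slides or from UTI) models a constructed exfiltration scenario with made-up cost units, finds the attacker's cheapest path through OR/AND nodes, and shows how raising the cost of a single step with a control changes which scenario a defender should address first.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Node:
    """Attack tree node. A leaf carries the estimated attacker cost of one step;
    an inner node combines its children with AND (all required) or OR (any one)."""
    name: str
    gate: Optional[str] = None                 # "AND", "OR", or None for a leaf
    cost: float = 0.0                          # leaves only
    children: List["Node"] = field(default_factory=list)

def cheapest_path(node: Node) -> Tuple[float, List[str]]:
    """Least-cost way to reach this node's goal: OR takes the cheapest child,
    AND needs every child, so their costs add up."""
    if node.gate is None:
        return node.cost, [node.name]
    results = [cheapest_path(c) for c in node.children]
    if node.gate == "OR":
        return min(results, key=lambda r: r[0])
    return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]

def raise_cost(node: Node, leaf_name: str, delta: float) -> None:
    """Model a control by making one attack step more expensive, in place."""
    if node.gate is None and node.name == leaf_name:
        node.cost += delta
    for c in node.children:
        raise_cost(c, leaf_name, delta)

def build_example_tree() -> Node:
    # Constructed scenario with made-up cost units (higher = harder), not real data.
    return Node("Exfiltrate customer database", "OR", children=[
        Node("Via user workstation", "AND", children=[
            Node("Spear-phishing e-mail to an employee", cost=2),
            Node("RAT harvests domain credentials", cost=4),
            Node("Upload over HTTPS to external host", cost=1),
        ]),
        Node("Via extranet web server", "AND", children=[
            Node("SQL injection on extranet web server", cost=3),
            Node("Dump database tables", cost=2),
        ]),
    ])

def prioritise_control() -> Tuple[Tuple[float, List[str]], Tuple[float, List[str]]]:
    """Return the cheapest scenario before and after one control is applied."""
    tree = build_example_tree()
    before = cheapest_path(tree)          # the web server path costs 5
    raise_cost(tree, "SQL injection on extranet web server", 10)  # e.g. parameterised queries + WAF
    after = cheapest_path(tree)           # the workstation path, cost 7, is now cheapest
    return before, after

if __name__ == "__main__":
    print(prioritise_control())
```

The same evaluation can carry probabilities or detection coverage instead of cost; the point is that a control is only worth its price if it raises the cheapest path, not just any path.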

Solutions – CSIRT and Managed Services

Why use Managed Services

1 Fast track to legal/regulatory compliance and risk management
2 Import of skills and capabilities – the specialists you wished you had
3 Focus your IT resources on support for core processes and competencies
4 Smarter investment – all those technologies are yours, as a service
5 Smarter execution – translating large upfront costs into operational costs
6 Build solid trust for solid quality – you have a commercial contract, not HR

What we do

Technology: Cisco, Juniper, FireEye, IBM, Symantec, Websense, SkyBox, Microsoft, BAE Systems, Rapid7 and others.
MSSP Portfolio: Security Consulting, Audit & Pentest, Security Management, Managed Network Security, Managed Endpoint Security, Network Security Monitoring.
UTI CERT: Incident Response, Data Forensics, Malware analysis & more.
Solutions: Complete cyber defenses projects.

Training: EC-Council, (ISC)², ISACA, Mile2, Mandiant, CompTIA + Microsoft, Cisco, Fortinet and others.

Managed Security Service Provider & CERT SOC

Consulting: Vulnerability Assessment, Security validation (Pentesting), Security Policy Design, Network Security Design
Managed Services (SIEM): Monitoring, Network Security, Communication Security, Data Security, Endpoint Security
CSIRT Services: Malware Analysis, Alerting, Incident Handling, Vulnerability Handling, Data Forensics, Vulnerability Analysis
Special Services: Cyber Investigation, Threat Intelligence, Advanced Correlation, Special Projects, Research & Development

What we can do for you

1 • Help do proper risk evaluation and update your cyber policy

2 • Test and validate the technical vulnerabilities – in the key points

3 • Implement the right security controls with the best technologies

4 • Monitor the security for you, or help you do it right (SIEM based)

5 • Be your SWAT team when an incident strikes – do Incident Response

6 • Be your Investigator – if you may be the target of cyber-espionage

CSIRT Services

Security Management: Risk Analysis, Security Consulting, Security Validation, Education/Training, BC & DR Plans
Proactive Services: Announcements, Technology Watch, Configuration Management, Network Security Management, Intrusion Detection Services, Security Tools Development, Security Analytics
Reactive Services: Alerts and warnings; Incident Handling (incident analysis; IR on site, support, coordination); Vulnerability Handling (vuln analysis; vuln response, coordination); Data Forensics (artifact analysis; DF response, coordination)

Contact: @cteodor, +40724.039.254

Referenced/Quoted Material

• RAND Corporation, “Markets for Cybercrime Tools and Stolen Data - Hackers’ Bazaar” (2014)
• IBM, “IBM X-Force Threat Intelligence Quarterly, 3Q 2014” (2014)
• RSA, “The Current State of Cybercrime 2014 - An Inside Look at the Changing Threat Landscape” (2014)
• SANS Institute, “Critical Security Controls: From Adoption to Implementation” (2014)
• CrowdStrike, “Global Threat Report – 2013 Year in Review” (2014)
• Aditya Sood, Richard Enbody, “Targeted Cyber Attacks – multi stage attacks driven by exploits and malware”, Elsevier Publishing (2014)
• Jason Luttgens, Matthew Pepe, Kevin Mandia, “Incident Response and Computer Forensics – 3rd edition”, McGraw Hill Education (2014)
• Symantec, “Dragonfly: Cyberespionage Attacks Against Energy Suppliers” (2014)
• Kaspersky Lab, “” Diplomatic Cyber Attacks Investigation (2013)
• IBM, “IT executive guide to security intelligence - Transitioning from log management and SIEM to comprehensive security intelligence” (2013)
• DarkReading, “Top 15 Indicators Of Compromise” (2013)
• Ari Juels, Ting-Fang Yen, RSA, “Sherlock Holmes and The Case of the Advanced Persistent Threat” (2012)
• McAfee, “Global Energy Cyberattacks: Night Dragon” (2011)
• Eric M. Hutchins et al., Lockheed Martin, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” (2011)
• HB Gary, (2010)
• Alexander Opel, “Design and Implementation of a Support Tool for Attack Trees” (2005)