Ensuring Cyber Security Is a Boardroom Imperative Manish Gupta, SVP Products

Home , Conficker, DigiNotar, Hupigon, July 2009 cyberattacks

Ensuring Cyber Security is a Boardroom Imperative Manish Gupta, SVP Products

The impact has extended to the C-suite and boardroom.”

Home Depot Data Breach Could Be FBI Probes Possible Computer Hacking Hackers Target Belgian Press The Largest Yet At JP Morgan Group, days after French Cyber - New York Times, September 2014 - The Wall St. Journal, August 2014 Attack - Deutsche-Welle, April 2015 JP Morgan And Other Banks Struck Monsanto Confirms Security Breach By Hackers - The Wall St. Journal, May 2014 - New York Times, August 2014

Russian Hackers Amass Over A Hackers Target Information On Billion Internet Passwords MH370 Probe: Report - New York Times, August 2014 - The Straits Times, August 2014

Russia Attacks U.S. Oil And Gas Companies In Massive Hack - CNN Money, July 2014 Report: Cybercrime And Espionage Costs $445 Billion Annually - The Washington Post, June 2014 UK Prime Cyber Attack Target of Europe and Middle East Financial Times, October 2014 The €30k Data Takeaway: Domino’s Pizza Faces Ransom Community Health Says Data Stolen In Demand After Hack - CNN Money, June 16 2014 Cyber Attack From China - BusinessWeek, August 2014

For years, we have argued that there is no such thing as perfect security. The events of 2014 should put any lingering doubts to rest.”- Mandiant 2015 M-Trends Report

THEY ARE PROFESSIONAL, IF YOU KICK IT’S A “WHO,” ORGANIZED AND THEM OUT THEY NOT A “WHAT” WELL FUNDED WILL RETURN

THERE’S A HUMAN AT A NATION-STATE SPONSORED THEY HAVE SPECIFIC KEYBOARD OBJECTIVES ESCALATE SOPHISTICATION HIGHLY TAILORED AND OF TACTICS AS NEEDED THEIR GOAL IS LONG-TERM CUSTOMIZED ATTACKS OCCUPATION RELENTLESSLY FOCUSED TARGETED SPECIFICALLY ON THEIR OBJECTIVE PERSISTENCE TOOLS ENSURE AT YOU ONGOING ACCESS

Nuisance Data Theft Cyber Crime Hacktivism Network Attack

Objective Access & Economic, Political Financial Defamation, Press Escalation, Destruction Propagation Advantage Gain & Policy

Advanced Persistent Website Destroy Critical Botnets & Spam Credit Card Theft Example Threat Defacements Infrastructure

Targeted     

Character Automated Persistent Opportunistic Conspicuous Conflict Driven

APTTINYFUSE Malware ADDTEMP Crimeware SPYNET 3% 3%MACKTRUCK 3% RUNBACK 3%DOTSPACES 3% 3%Generic PROTUX Exploit 3% Documents WITCHCOVEN 3% PYKSPA 3% 14% Other H-WORM Other 35% 10% 12%

KELIHO S CITADEL 1% ANDROMEDA 2% 25% LV SALITY 2% KILLAV 2% HUPIGON 3% CONFICKER 63% 4%

6 Copyright © 2015, FireEye, Inc.FireEye All rights reserved.Detections: January – April 2015 The Middle East in Context A backdrop of complex geopolitics: – Multiple protracted conflicts – Post- Arab Spring social instability – Religious and sectarian tensions – Coveted energy resources Indigenous threat groups maturing their capabilities – Burgeoning local hacking community – Multiple homegrown offensive operations uncovered in 2014 – Non-state actors trying to break into the mix The threat landscape in the Middle East is complex and evolving rapidly. 7 Copyright © 2015, FireEye, Inc. All rights reserved. Syria: Behind the Digital Front Lines Cunning social engineers • Built rapport via Skype before deploying malware • “Prospected" targets to choose Android or PC malware and improve success rate

Targeted key members of Syrian opposition • Strong focus on military and political targets • Stolen data included battle plans, political strategies, and humanitarian plans

Diverse, custom-built toolset: • Custom DarkComet • 2 variants of Android malware keylogger • Custom tools with • Steal contacts, username & • Unique multistage shellcode phone geo-location dropper deployed payloads 8 Copyright © 2015, FireEye, Inc. All rights reserved. Front End of Android Backdoor LV Malware: Easy to Use and Widely Deployed

“Locally made” Remote access tool (RAT) – Popular on Arabic-language hacking forums – “njq8” developed in LV in VB.net and provides user support in online forums Middle East APT The LV (aka NJRAT) Control Panel offers users a Detections YTD wide range of capabilities. Provides a range of functionality • Keystroke logging • File & registry • Credential harvesting, modifications Reverse shell access • File uploads & downloads Customizable & easy to use • Builder feature allows threat actors to easily configure Criminals trade access to LV victim computers on online “victim exchanges” “LV” and choose how they want to infect users Copyright © 2015, FireEye, Inc. All rights reserved. 9 Iran’s Goals in Cyberspace

Limited but evolving capabilities • Rely on old vulnerabilities and publically available tools. • Unfocused movement in a network and unsuccessful data theft

Fake IEEE Aerospace Conference website employed in Operation Saffron Rose spearphishingagainst DIB targets • Espionage increasingly common Notable Events: • DigiNotar Certificate theft for MitM • Al-Qassam/Brobot DDoSes • Destructive attacks: Saudi Aramco, RasGas, Sands Casino • Multiple espionage campaigns: Saffron Rose,

NEWSCASTER, Operation Cleaver Defacement associated with Sands Casino Attack

Iran has three main objectives in cyberspace: disrupt symbolic targets, inform military & political decision making, and monitor domestic dissent. Threats to the Energy Sector: ICS Malware Havex BlackEnergy aka PEACEPIPE / “DragonFly” / “Energetic Bear” / “Koala Team” ICS Variant – Detected in Middle East networks in 2014 aka “Quedagh Group” / SandWorm • Constant interest in Energy Sector – Targets ICS Software – Compromise via Spearphish or SWC – Associated activity leveraged BlackEnergy to compromise – Targets are diverse: wide, multi-sector targeting NATO, Ukrainian targets – Motivation somewhat unclear

• Espionage / intelligence collection

• Oil/gas: pricing data, negotiation positions?

• Business operations

• Possible disruptive ambitions? This Is A Board Level Issue

The cost of cyber incidents have increased and demonstrated the substantial impact that cyber attacks can have on shareholder value. After the Target breach: • Profits fell 46 percent in Q4 2013. • Spent ~$61 million addressing the breach. • Facing more than 100 lawsuits and some analysts forecast breach-related losses could top $1 billion. Shareholders have responded sighting fiduciary irresponsibility with derivative suits: • TJX Companies (2007) Source: Cyber-Risk Oversight NACD • Heartland Payment Systems, Inc. (2009) Director’s Handbook Series 2014 • Wyndham Worldwide Corporation (2014) • Target Corporation (2014)

June 10, 2014: Cyber Risks and the Boardroom Conference Speech

“Good boards also recognize the need to adapt to new circumstances such as the increasing risks of cyber-attacks.”

SEC Commissioner Luis Aguilar Also June 2014: New Directors “Handbook” Corporate boards need to ensure that management is fully engaged in developing defense and response plans as sophisticated as the attack methods, or otherwise put their company’s core assets at considerable risk.

“It is incumbent upon the executive team to take ownership of cyber risk and ensure that the Board understands how the organization will defend against and respond to cyber risks.”

Source: PwC 2015 Global State of Information Security Survey

Copyright © 2015, FireEye, Inc. All rights reserved. 14 What Keeps Me Up At Night? And Translate Your Concerns To Make The Case LACK OF • Credential Protection • Privilege Escalation TOO MUCH NOISE 400K HYGIENE • Lateral Movement • Cloud • People UNIQUE • Remote Access MALWARE SAMPLES • Mobile • Supply Chain REVIEWED AND • Poor Process / Slow Response PROCESSED DAILY • Flat Networks OTHER VECTORS • Basic Vulnerability Management

THREAT UNDETECTED REMEDIATION Mandiant 2015 Initial M-Trends “Security Breach Report breaches are inevitable.” 205 Days 24 Days - Mandiant 2015 M-Trends Less than 2013 Report Median number of days threat groups were 2982 Days present on a victim’s network before detection. Longest Presence

A Nation State Attacks Advanced Cyber Espionage B Concerned (APT)

C Reactive Cybercrime

D Conventional Threats Sophistication of the Threat the of Sophistication Minimalist Security Capability/Agility to Respond

Minimalist Reactive Concerned Advanced

[Information]

[Speed]

[Automation]

[Strategy]

[Program Management]

EXISTING APPROACH ADAPTIVE APPROACH ADAPTIVE [Risk Tolerance]

TECHNOLOGY

IDENTIFIES KNOWN, UNKNOWN, AND NON MALWARE BASED THREATS

INTEGRATED TO PROTECT ACROSS ALL MAJOR ATTACK VECTORS

PATENTED VIRTUAL MACHINE TECHNOLOGY INTELLIGENCE

50 BILLION+ OBJECTS ANALYZED PER DAY FRONT LINE INTEL FROM HUNDREDS OF INCIDENTS MILLIONS OF NETWORK & ENDPOINT SENSORS HUNDREDS OF INTEL AND MALWARE EXPERTS HUNDREDS OF THREAT ACTOR PROFILES DISCOVERED 16 OF THE LAST 22 ZERO-DAYS EXPERTISE