RESEARCH AND EDUCATION CYBERTHREAT BRIEFING
Todd Herring, REN-ISAC Membership Services Director Kim Milford, REN-ISAC Executive Director © 2016 Internet2 REN-ISAC - Background
● Aid and promote cyber security operational protection and response within the higher education and research (R&E) communities.
● Within the context of a private community of trusted representatives at member institutions, and in service to the R&E community at-large.
● Serve as the R&E trusted partner for served networks, the formal ISAC community, and in other commercial, governmental, and private security information sharing relationships.
[ 2 ] REN-ISAC - Background
▪ Hosted at Indiana University ▪ Board of Directors ▪ Advisory groups ▪ Ad hoc special interest groups and projects ▪ Over 480 member institutions and over 1400 member representatives
[ 3 ] REN-ISAC Membership
Type of Ins�tu�on Number Percent of Membership US College, Private for-profit 2 0.4% US College, Private not-for-profit 162 33.3% US College, Public 235 48.4% Medical Science / Medical Center 13 2.7% University Department, non-medical 2 0.4% Non-US College 31 6.4% Research Center 20 4.1% Network 8 1.7% Consor�um 13 2.7%
[ 4 ] REN-ISAC Growth Since August 2004 1600 1400 1200 1000 800 600 400 200 0
Ins�tu�ons Member Reps
[ 5 ] Membership Fees
[ 6 ] Human-centered Intelligence Sharing
• Community of trusted cybersecurity staff at R&E institutions
• Sharing actionable information for operational protection and response
• Confidentiality
[ 7 ] Human-centered Intelligence Sharing o CSIRT for .EDU space o 24x7 support o Sector ISAC o Cybersecurity research and development o Education and training o Daily Watch Report o Friday Pulse
[ 8 ] Automated Threat Intelligence
• Security Event System (SES) • Passive DNS • Trusted Third Party Data • Automated Notifications
[ 9 ] Threat Trends
§ Motive is espionage or financial 89% of the time § 80% of the time, the threat actor is external to the organization § Time to discover (more than 1 day over 68% of the time) is still way behind time to compromise (minutes 82% of the time § Mobile is not a big vector in data breaches § Our work is not done
[ 10 ] REN-ISAC
Malicious Actors Target US Colleges and Universities
[ 11 ] Infosec is the #1 IT Issue in Higher Ed in 2016
[ 12 ] Data Breaches in Higher Education
[ 13 ] Sensitive Data Breaches
[ 14 ] [ 15 ] Vulnerabilities Attacks come in millions, exploits are automated
[ 16 ]
© 2016 Internet2 [ 17 ] [ 18 ] Ransomware
[ 19 ] Recent Survey Results
With regard to ransomware, how has the amount of time spent on incident response changed in the last 3 months? Increasing 4 Decreasing 3 About the same 18
[ 20 ] Recent Survey Results
What are you doing to mitigate the risk of Ransomware? Increasing employee education and awareness efforts 19 Tightening spam filters on email systems 11 Accelerating the institution's move to cloud storage 1 Reminding system administrators to verify/test backups, check schedules 9 Updating institutional policies / standards 2
[ 21 ] [ 22 ] TGYFBFTDHA
[ 23 ] Phishing, Spear-phishing, Whaling & Poison Harpooning
§ Nearly 50% of users open phishing email and click on the links within the first hour after they receive
§ Phishing is now the established initial attack vector for online crime
[ 24 ]
© 2016 Internet2 [ 25 ] Denial of Service Attacks § Amplification via vulnerable protocols, e.g. NTP
§ Increasing use of powerful cloud infrastructure, e.g., AWS
[ 26 ]
© 2016 Internet2 Denial of Service Attacks
[ 27 ] [ 28 ] [ 29 ] Compromised Credentials
[ 30 ] Future Possible Threat Vectors
• Automated access controls • Industrial control system • Internet of things
[ 31 ] Sources of Threat Indicator Information
Jan. 2016 Feb. 2016 March 2016 April 2016 Total Notifications compromised machines 7,885 8,147 7,911 7,742 31,685 compromised credentials 6,889 4,698 1,575 7,267 20,429 spam or phish 42 29 46 29 146 vulnerable machines - - 1 1 2 open recursive DNS resolvers 263 168 362 239 1,032 open mail relays 21 17 14 11 63 other - - 1 - 1 total notifications: 15,100 13,059 9,910 15,289 53,358
[ 32 ] Sources of Threat Indicator Information Reported Malware Count Reported Malware Count Conficker 1861 Ramnit 50 Bedep 1446 Beebone 49 Gozi 816 Rovnix 36 Ponmocup 668 Locky 25 ZeroAccess 492 Corebot 24 Kelihos 432 Slenfbot 24 Fleercivet 265 Shiz 22 Pushdo 262 Murofet 20 Nivdort 184 Vawtrak 16 Dorkbot 142 Dridex 15 Zeus P2P 126 Pykspa 15 Zeus 124 ZeroAccess-Supernode 13 Nymaim 122 Torpig 12 Sality 113 Pony 10 Ramdo 107 Bamital 6 Qakbot 90 Vobfus 6 Virut 72 IRC bot 5 Tinba 67 scanner 4
[ 33 ] Sources of Threat Indicator Information
[ 34 ] General Mitigation Recommendations • https://publicintelligence.net/dhs-university-cyber-threats/ • Educate and reinforce • Store data securely and have solid backup plans • Protect networks where sensitive data is stored • Enforce strong credentialing policies • Aggressively patch and use inspection tools to identify outdated applications • Employ active protections and detection technology • Collect and monitor logs • Be aware of risks and know your environment • EDUCAUSE Benchmarking Service
[ 35 ] PRESENTATIONSubtitle (if any) TITLE
PRESENTER NAME Presenter title, organization © 2016 Internet2