
And You Thought It Could Not Get Worse

Joe Vigorito / Director, Mobility & Security, Annese & Associates, Inc.

Sad State of Security

“Many cyberattacks can be mitigated by relatively simple measures. Unfortunately, some people fail to take what appear to be basic precautions – such as using strong passwords, applying patches, and running a security solution. In many cases, breaking into a company’s network is easier than it sounds.” – Costin Raiu, Director, Global Research & Analysis Team, Kaspersky Lab

“I could teach a third-grader to do it.”

– Darren Martyn, aka “PwnSauce”, LulzSec, after hacking senate.gov in 2011

The Current State of Cybersecurity is Not Nearly Good Enough, and is getting worse all the time!

Not getting worse? Let’s look…

• Yahoo! – Perpetrator unknown. 500 million accounts in Sept. ‘16, 1 billion in December. User names, email addresses, date of birth, passwords, phone #’s and security questions leaked
• Mark Zuckerberg Hack – OurMine Group. His Pinterest and Twitter accounts were hacked multiple times because he used the password ‘dadada’
• Oracle Micros Hack – Russian hacking group known for hacking banks compromised Oracle’s POS system code on one of the top 3 payment card systems globally
• Russian interplay during Presidential election season – large scale phishing campaign to harvest emails which were then published via various sources including, purportedly, those from Wikileaks
• French election in May – Russian hackers, undetected by ANSSI, compromised French infrastructure and released info to social media 36 hours before election

“You can’t defend. You can’t prevent. All you can do is detect and respond.” – Bruce Schneier

Recent Samples: Exploratory Attacks

• May 12, 2017 – WannaCry Campaign
o 150 countries; $300 per ransom request
o Used in combination with worm functionality to move laterally across networks
o Leveraged Windows SMB exploit released by Shadow Brokers
o Distributed via various methods; but observed most often via SPAM with malicious links including the following:
   http://www.rentasyventas.com/incluir/rk/imegenese.htm?retencion=081525418
   https://graficagibin.com.br/olja/q.hta
o From the following email address: [email protected]
o MS17-010 Security Bulletin
o Patching or other risk mitigations prevented exposure

• Oct. 21, 2016 – Massive Global Distributed Denial of Service Attack on Dyn
o Affected the essential component of all web sites, DNS
o Twitter, SoundCloud, and a host of other sites
o Leveraged the collective firepower of Internet of Things devices — poorly secured Internet-based security cameras, digital video recorders (DVRs) and internet routers
o A crime machine that enslaves IoT devices for use in large DDoS attacks (used in Dyn’s attack)
o Took down a small part of the Internet but a prelude to a far bigger attack in the future.

[Figure: outage map, Continental US]
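The slide credits patching (MS17-010) and other mitigations with preventing exposure. As an added defender's check, not part of the original deck, the PowerShell below audits a single Windows host for the two controls that mattered: whether an MS17-010 hotfix is present and whether SMBv1 is switched off. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (needed for Get-SmbServerConfiguration and Get-WindowsOptionalFeature), and the KB identifier list is a placeholder to be filled in from the MS17-010 bulletin for the host's exact OS build.

```powershell
# Added example (not from the slides): audit one Windows host for the
# WannaCry-era mitigations the slide names.
# Assumptions: run as Administrator; Windows 8.1 / Server 2012 R2 or newer.
# The KB list is a placeholder - take the real ids for this OS build from
# the MS17-010 security bulletin before use.
$Ms17010Kbs = @('KB<ms17-010-id-for-this-os-build>')   # placeholder

function Test-Ms17010Patched {
    param([string[]]$KbIds = $Ms17010Kbs)
    # Get-HotFix lists individually installed updates by KB id.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Test-Smb1Disabled {
    # Service level: is the SMB1 dialect still offered by the file server?
    $serverOffersSmb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Component level: is the SMB1Protocol optional feature installed at all?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    return (-not $serverOffersSmb1) -and ($feature.State -ne 'Enabled')
}

function Get-WannaCryExposureReport {
    $patched = Test-Ms17010Patched
    $smb1Off = Test-Smb1Disabled
    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        MS17010Patched  = $patched
        SMB1Disabled    = $smb1Off
        # Exposed only when neither control is in place.
        StillExposed    = (-not $patched) -and (-not $smb1Off)
    }
}

Get-WannaCryExposureReport | Format-List
```

Treat the SMB1 result as the stronger signal: on Windows 10 the fix shipped inside cumulative updates that supersede each other, so the absence of one specific KB id from Get-HotFix does not by itself prove the host is unpatched, whereas an SMB1 protocol that is disabled and uninstalled removes the vector regardless of patch level.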

“The sky is falling! What’s happening? Many companies have really bad security, and have comfortably had it for a long time.” – Marcus Ranum

WannaCry Ransomware

Patching, A/V & Endpoint Admin Are Important But Insufficient!

Four other higher order concepts are needed….

The Higher Order of Security

• Data Classification & Information Impact
o What data does my organization need to function and where is it?
• Business Resiliency / Continuity
o Can I operate if every tool currently at my disposal is impaired?
o Note, disaster recovery is one piece of this puzzle, not the puzzle itself!
• Prevention
o Your tools: Layer, Limit, Diversify, Obfuscate, Simplify
• Incident Preparedness
o Canary in the coal mine test: If staff sees a ransom note, they do what?

Beware of a tools only approach

Past Protection No Longer Has Efficacy in the Present

• Known: traditional AV is less than 5% to 45-50% effective
• 1 in 3 chance Zero-days will evade detection
• 107 billion identities compromised in past 6 years
• Your firewalls/IPS’ were faced with 86 billion threats last year – do you think they blocked them all?

Organizations must decide if these odds are unacceptable

Attack Surface & Commonality

Attack lifecycle (Maintain Presence and Lateral Movement run across the middle stages):

• Initial Recon – Identify Exploitable Vulnerabilities
• Initial Compromise – Gain Initial Access Into Target
• Establish Foothold – Strengthen Position Within Target
• Escalate Privileges – Steal Valid User Credentials
• Internal Recon – Identify Target Data
• Complete Mission – Package & Steal Target Data

Real Whaling Attack on Opswat

Spear Phishing Example: CFO/CEO

Security Dilemma: Balance Convenience and Control

• Cyber-fatigue
• Snapshot training
• Policy and process lacking
• Vulnerabilities not managed uniformly
• Patching approach required
• Change Management is a fallacy for many
• Automate as much as possible

Be prepared or be prepared to suffer

Infrastructure Has Changed

EARLY 2000’s → MID 2000’s → NOW: from Buying Hardware to Infrastructure As a Service

The one on the right can be bought with a credit card!

Security Has Changed As Well

[Figure: how security has changed; Source: Alert Logic]

[Figure: Active Insider Threat; Source: Alert Logic]

Lastly Cybercrime Has Changed

EARLY 2000’s → MID 2000’s → NOW: from Single Actors to Highly Organized Groups

Anonymous, LulzSec, Cyberzeist, Cult of Dead Cow, Shadow Brokers, etc.

Cybercrime is Flourishing

• Expanding Attack Surfaces – 508 is the average number of applications in an enterprise
• Evolution of Adversaries – 390,000 new malicious programs every day with a viable ecosystem
• Overwhelmed Defenses – 37% of US companies face 50,000+ alerts per month

Sources: AV-TEST, 2016; Forbes, 2014; FireEye, 2015

Source: Alert Logic

Attack methods are evolving

• Security risks
o Perception of increased risk due to lack of control
o Blind spots: no way to connect on-premise and cloud attacks
o Increased threat surface
o Tuning tools for relevant notifications

[Figure: two pie charts, Cloud Attacks vs. Brick and Mortar Attacks, broken down by Application Attack, Brute Force, Recon and Suspicious Activity; Source: Alert Logic CSR 2016]

Malware is Omnipresent

SQL Injection for Period of 2/12-4/12/17 (Source: Alert Logic)

Alert Logic, April 2017

You will find it without it needing to find you!

The Evolution of Ransomware Variants

[Figure: timeline 2001, 2005, 2006, 2007, 2008, 2012, 2013, 2014, 2015, 2016 (with a “First commercial” marker). Variants shown: SamSam, Locky, Cryptowall, 7ev3n, KeRanger, CRYZIP, TeslaCrypt, Fake Antivirus, Cryptolocker, TeslaCrypt 3.0, Redplus, Android phone, TeslaCrypt 4.0, Virlock, TeslaCrypt 4.1, Lockdroid, Reveton, CryptoDefense, QiaoZhaz, Reveton.A, Cerber, Koler, Tox, Radamant, GPCoder, Ransomlock, Kovter, Crypvault, HydraCrypt, SimpleLocker, Cokri, DMALock, CTB-Locker, Chimera, Rokku, Dirty Decrypt, TorrentLocker, Network Launched, Cryptorbit, CoinVault, Lockscreen, PowerWare, Cryptographic Locker, Svpeng, TeslaCrypt 2.0, Urausy]

Ransomware is the Scourge of the Digital Economy

• $1B – Size of the ransomware market, and growing
• $209M – in Q1 CY2016
• 1000% – YoY growth since CY2015

Source: Cisco

“Be Fearful When Others Are Greedy and Greedy When Others Are Fearful” (W. Buffett)

• 4,000 Attacks Per day in ’16 (Symantec)
• 72% with no access >2 days (Intermedia)
• 433% growth on SMB attacks (Kaspersky)
• 2016 Cost/Per: >$1BN (US ransoms higher on average) (FBI)

Source: Kaspersky Security Network

High Profit, Low Risk, Performed from Anywhere

So if you think you are having a bad day…

A-10 “Flying Tank”, DNC, Ashley Madison, Play Station, IRS, Target, OPM

Feeling Better Yet?

Peiter C. Zatko, better known as Mudge, was a member of the high profile group L0pht. He testified before a Senate committee in 1998 that they could bring down the Internet in 30 minutes.

“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” – Schneier

Dan Kaminsky discovered the Internet wide DNS Cache Poisoning Vulnerability in 2008.

“I do not need to hack you. I just need to hack someone who has already hacked you.”

Cyber Criminals Don’t Look Like…

Chris Hemsworth…. Blackhat

They look more like….

LulzSec… Sabu, PwnSauce, Tflow, Kayla

If good guys can find this… Bad Guys Can Too

Shadow Brokers threaten to release even more NSA-sourced malware. The hacking group claims it will launch in June a subscription-based monthly dump of compromised data.

Digital Geneva Convention

• Microsoft makes the call again after releasing patches for unsupported XP in the wake of WannaCry
• “…this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.” – Brad Smith, Microsoft President
• Commits governments to protect civilians from nation-state attacks

Presidential Executive Order

• May 11, 2017
• 3 Directives:
o Protect Federal Networks using the NIST Framework (the CSF)
o Mandate Federal IT move to the Cloud
o Centralize Federal IT as one enterprise network
• 4 Elements:
o Vulnerabilities: A full US review shall take place immediately
o Adversaries: A full identification will take place within 90 days
o Capabilities: NSA, DoD and DHS will be evaluated
o Private Sector: Commerce and DHS will have 120 days to report
• Heads of each agency are responsible for cyber

Why NIST CSF?

Divide the mitigation process into 5 categories: Identify Assets, Protect Information, Detect Intruders, Respond to Threats, Recover Business

Why Invest to Protect?

Cost of a Data Breach in 2016

• June 2016, Ponemon Institute polled 383 companies in 12 countries and found:
– Average cost per data breach was $4.0M USD, up from $3.79M USD in 2015 (up 5.5%)
– Average cost per stolen record was $158 USD, up from $154 USD in 2014 (up 2.6%)
• Healthcare breaches are $355 USD per record (due to fines and lost business)
• 29% increase in total cost of a breach since 2013
– 48% of attacks are classified as malicious or criminal
• This means 52% are user error, system error or data misappropriation
– In the next 24 months, 26% of companies will have a material breach of more than 10,000 records
– Time to identify and time to contain are highest in malicious and criminal attacks (229 and 82 days respectively)
– Encryption and incident response teams can reduce stolen record costs from $158 per record to $142 per record

While there is no guarantee against being breached, tools & techniques such as advanced firewalls, AI based endpoint protection, encryption, least privilege, vulnerability and threat management, and data loss prevention, added to good governance, awareness and identity lifecycle management, go a long way towards mitigating the risk of such events

Cyber lives in Shades of Gray!

• You cannot fix every security problem all at once.
• Do a methodical, precise risk assessment.
• Measure that risk against “cost” of attendant controls.
• Automate, and test regularly.
• Be accountable.
• Make all others accountable too.

Thank you for your time today and stay safe online!