And You Thought It Could Not Get Worse
Joe Vigorito, Director, Mobility & Security, Annese & Associates, Inc.

Sad State of Security
“Many cyberattacks can be mitigated by relatively simple measures. Unfortunately, some people fail to take what appear to be basic precautions–such as using strong passwords, applying patches, and running a security solution. In many cases, breaking into a company’s network is easier than it sounds.” Costin Raiu Director, Global Research & Analysis Team Kaspersky Lab
“I could teach a third-grader to do it.”
Darren Martyn aka “PwnSauce” LulzSec After hacking senate.gov in 2011
The Current State of Cybersecurity is Not Nearly Good Enough, and is getting worse all the time!

Not getting worse? Let’s look…
• Yahoo! – Perpetrator unknown. 500 million accounts in Sept. ‘16, 1 billion in December. User names, email addresses, dates of birth, passwords, phone numbers and security questions leaked
• Mark Zuckerberg Hack – OurMine Group. His Pinterest and Twitter accounts were hacked multiple times because he used the password ‘dadada’
• Oracle Micros Hack – A Russian hacking group known for hacking banks compromised Oracle’s POS system code on one of the top 3 payment card systems globally
• Russian interplay during the Presidential election season – large-scale phishing campaign to harvest emails, which were then published via various sources including, purportedly, WikiLeaks
• French election in May – Russian hackers, undetected by ANSSI, compromised French infrastructure and released info to social media 36 hours before the election
“You can’t defend. You can’t prevent. All you can do is detect and respond.” – Bruce Schneier

Recent Samples

Exploratory Attacks
• May 12, 2017 – WannaCry Ransomware Campaign
  o 150 countries; $300 per ransom request
  o Used in combination with worm functionality to move laterally across networks
  o Leveraged Windows SMB exploit released by Shadow Brokers
  o Distributed via various methods; but observed most often via SPAM with malicious links including the following:
    - http://www.rentasyventas.com/incluir/rk/imegenese.htm?retencion=081525418
    - https://graficagibin.com.br/olja/q.hta
    - From the following email address: [email protected]
  o MS17-010 Microsoft Security Bulletin
  o Patching or other risk mitigations prevented exposure
  o (Map: Continental US)
• Oct. 21, 2016 – Massive Global Distributed Denial of Service Attack on Dyn
  o Affected the essential component of all web sites, DNS
  o Twitter, SoundCloud, Spotify, Reddit and a host of other sites
  o Leveraged the collective firepower of Internet of Things devices — poorly secured Internet-based security cameras, digital video recorders (DVRs) and internet routers
  o Mirai is a crime machine that enslaves IoT devices for use in large DDoS attacks (used in Dyn’s attack)
  o Took down a small part of the Internet but a prelude to a far bigger attack in the future.
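The WannaCry bullets end with the observation that patching or other risk mitigations prevented exposure. As an added example (not from the deck), the PowerShell script below is the kind of one-host check a Windows administrator can run to see whether SMBv1 is still enabled, whether a named security update is installed, and whether the host firewall profiles are on. The $KbId value is a placeholder: the MS17-010 update carries a different KB number for each Windows version, so it has to be taken from the bulletin.

```powershell
# Added example, not from the deck: one-host exposure check for the SMB flaw
# patched by MS17-010. The KB number differs per Windows version, so $KbId is a
# placeholder to be replaced with the one listed in the bulletin for this OS.
param(
    [string]$KbId = 'KB0000000'   # placeholder, not a real MS17-010 KB number
)

$findings = @()

# 1. Server-side SMBv1 state. Get-SmbServerConfiguration exists on Windows 8 /
#    Server 2012 and later; older hosts fall through to the registry check.
$smbCfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($null -ne $smbCfg) {
    if ($smbCfg.EnableSMB1Protocol) {
        $findings += 'SMBv1 is ENABLED on the server side (EnableSMB1Protocol = True).'
    } else {
        $findings += 'SMBv1 is disabled on the server side.'
    }
} else {
    # Documented registry switch: SMB1 = 0 under LanmanServer\Parameters disables SMBv1;
    # a missing value means the protocol is still on.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($smb1 -eq 0) {
        $findings += 'SMBv1 is disabled via registry (SMB1 = 0).'
    } else {
        $findings += 'SMBv1 appears ENABLED (no SMB1 = 0 registry value).'
    }
}

# 2. Is the named security update present?
$fix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($fix) {
    $findings += "$KbId is installed (InstalledOn: $($fix.InstalledOn))."
} else {
    $findings += "$KbId is NOT installed; SMB patch status must be confirmed another way."
}

# 3. Host firewall profiles: a disabled profile leaves TCP/445 reachable to
#    anything that can route to the host.
$profiles = Get-NetFirewallProfile -ErrorAction SilentlyContinue
foreach ($p in $profiles) {
    $state = if ("$($p.Enabled)" -eq 'True') { 'on' } else { 'OFF' }
    $findings += "Windows Firewall profile '$($p.Name)' is $state."
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it as an administrator on the host being assessed; each line of output is one finding, so the script can be pushed to many machines and the results collected centrally. A host that reports SMBv1 enabled and the update missing is exactly the exposure the deck says patching would have removed.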
“The sky is falling! What’s happening? Many companies have really bad security, and have comfortably had it for a long time.” – Marcus Ranum

WannaCry Ransomware
Patching, A/V & Endpoint Admin Are Important But Insufficient!
Four other higher order concepts are needed….

The Higher Order of Security
• Data Classification & Information Impact
  o What data does my organization need to function and where is it?
• Business Resiliency / Continuity
  o Can I operate if every tool currently at my disposal is impaired?
  o Note, disaster recovery is one piece of this puzzle, not the puzzle itself!
• Prevention
  o Your tools: Layer, Limit, Diversify, Obfuscate, Simplify
• Incident Preparedness
  o Canary in the coal mine test: If staff sees a ransom note, they do what?
Beware of a tools-only approach

Past Protection No Longer Has Efficacy in the Present
• Known Malware: traditional AV is less than 5% to 45–50% effective
• 1 in 3 chance zero-days will evade detection
• 107 billion identities compromised in the past 6 years
• Your firewalls/IPSs were faced with 86 billion threats last year – do you think they blocked them all?
Organizations must decide if these odds are unacceptable

Attack Surface & Commonality
Attack lifecycle (diagram):
1. Initial Recon – Identify exploitable vulnerabilities
2. Initial Compromise – Gain initial access into target
3. Establish Foothold – Strengthen position within target
4. Escalate Privileges – Steal valid user credentials
5. Internal Recon – Identify target data
6. Complete Mission – Package & steal target data
Spanning the middle stages: Maintain Presence, Lateral Movement
Real Whaling Attack on Opswat (figure)

Spear Phishing Example CFO/CEO (figure)

Security Dilemma: Balance Convenience and Control
• Cyber-fatigue
• Snapshot training
• Policy and process lacking
• Vulnerabilities not managed uniformly
• Patching approach required
• Change Management is a fallacy for many
• Automate as much as possible
Be prepared or be prepared to suffer

Infrastructure Has Changed
EARLY 2000’s: Buying Hardware → MID 2000’s → NOW: Infrastructure As a Service
The one on the right can be bought with a credit card!

Security Has Changed As Well
Source: Alert Logic

Active Insider Threat – Security Has Changed (figure; Source: Alert Logic)

Lastly Cybercrime Has Changed
EARLY 2000’s: Single Actors → MID 2000’s → NOW: Highly Organized Groups (Anonymous, LulzSec, Cyberzeist, Cult of Dead Cow, Shadow Brokers, etc.)

Cybercrime is Flourishing
• Expanding Attack Surfaces – 508 is the average number of applications in an enterprise
• Evolution of Adversaries – 390,000 new malicious programs every day with a viable ecosystem
• Overwhelmed Defenses – 37% of US companies face 50,000+ alerts per month
Sources: AV-TEST, 2016; Forbes, 2014; FireEye, 2015
Source: Alert Logic

Attack methods are evolving
• Security risks
  o Perception of increased risk due to lack of control
  o Blind spots: no way to connect on-premise and cloud attacks
  o Increased threat surface
  o Tuning tools for relevant notifications
[Figure: pie charts of attack types, cloud attacks vs. brick-and-mortar attacks; categories: Application Attack, Brute Force, Recon, Suspicious Activity. Source: Alert Logic CSR 2016]
Source: Alert Logic

Malware is Omnipresent
[Figure: SQL Injection for Period of 2/12–4/12/17. Alert Logic, April 2017]
You will find it without it needing to find you!

The Evolution of Ransomware Variants
[Timeline figure, 2001–2016; variant names as shown on the slide, not placed by year: CRYZIP, GPCoder, QiaoZhaz, Reveton, Reveton.A, Urausy, Fake commercial Antivirus, Redplus, Android phone Lockscreen, Ransomlock, Kovter, Dirty Decrypt, Cryptolocker, CryptoDefense, Cryptographic Locker, Cryptorbit, Cokri, Koler, Svpeng, Simple Locker, CoinVault, TorrentLocker, CTB-Locker, Crypvault, Virlock, TeslaCrypt, TeslaCrypt 2.0, TeslaCrypt 3.0, TeslaCrypt 4.0, TeslaCrypt 4.1, Tox, Hidden Tear, DMALock, Chimera, Radamant, Lockdroid, Cryptowall, Locky, SamSam, 7ev3n, KeRanger, Petya, HydraCrypt, Rokku, Jigsaw, Cerber, PowerWare. Also marked on the timeline: Bitcoin Network Launched.]
Ransomware is the Scourge of the Digital Economy
• $1B – Size of the ransomware market: $1B and growing
• $209M – in Q1 CY2016
• 1000% – YoY growth of ransomware since CY2015
Source: Cisco

“Be Fearful When Others Are Greedy and Greedy When Others Are Fearful” (W. Buffett)
4,000 Attacks Per day in ’16 (Symantec)
72% with no access >2 days (Intermedia)
433% growth on SMB attacks (Kaspersky)
Source: Kaspersky Security Network 2016
Cost/Per: >$1BN (US ransoms higher on average) (FBI)
High Profit, Low Risk, Performed from Anywhere

So if you think you are having a bad day…
A-10 “Flying Tank”, DNC, Ashley Madison, Sony PlayStation, IRS, Target, OPM
Feeling Better Yet?
Peiter C. Zatko, better known as Mudge, was a member of the high-profile hacker group L0pht. He testified before a Senate committee in 1998 that they could bring down the Internet in 30 minutes.
“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” – Schneier
Dan Kaminsky discovered the Internet-wide DNS Cache Poisoning Vulnerability in 2008.
“I do not need to hack you. I just need to hack someone who has already hacked you.”

Cyber Criminals Don’t Look Like…
Chris Hemsworth… Blackhat
They look more like…
LulzSec… Sabu, Topiary, PwnSauce, Tflow, Kayla

If good guys can find this… Bad Guys Can Too
Shadow Brokers threaten to release even more NSA-sourced malware
The hacking group claims it will launch in June a subscription-based monthly dump of compromised data

Digital Geneva Convention
• Microsoft made the call again after releasing patches for unsupported XP in the wake of WannaCry
• “…this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.” – Brad Smith, Microsoft President
• Commits governments to protect civilians from nation-state attacks

Presidential Executive Order
• May 11, 2017
• 3 Directives:
  o Protect Federal Networks using the NIST Framework (the CSF)
  o Mandate Federal IT move to the Cloud
  o Centralize Federal IT as one enterprise network
• 4 Elements:
  o Vulnerabilities: A full US review shall take place immediately
  o Adversaries: A full identification will take place within 90 days
  o Capabilities: NSA, DoD and DHS will be evaluated
  o Private Sector: Commerce and DHS will have 120 days to report
• Heads of each agency are responsible for cyber

Why NIST CSF?
Divide the mitigation process into 5 categories: Identify Assets, Protect Information, Detect Intruders, Respond to Threats, Recover Business

Why Invest to Protect? Cost of a Data Breach in 2016
• June 2016, Ponemon Institute polled 383 companies in 12 countries and found:
  – Average cost per data breach was $4.0M USD, up from $3.79 USD in 2015 (up 5.5%)
  – Average cost per stolen record was $158 USD, up from $154 USD in 2014 (up 2.6%)
    • Healthcare breaches are $355 USD per record (due to fines and lost business)
    • 29% increase in total cost of a breach since 2013
  – 48% of attacks are classified as malicious or criminal
    • This means 52% are user error, system error or data misappropriation
  – In the next 24 months, 26% of companies will have a material breach of more than 10,000 records
  – Time to identify and time to contain are highest in malicious and criminal attacks (229 and 82 days respectively)
  – Encryption and incident response teams can reduce stolen record costs from $158 per record to $142 per record

While there is no guarantee against being breached, tools & techniques such as advanced firewalls, AI-based endpoint protection, encryption, least privilege, vulnerability and threat management, and data loss prevention, added to good governance, awareness and identity lifecycle management, go a long way towards mitigating the risk of such events.
Cyber lives in Shades of Gray!
You cannot fix every security problem all at once.
Do a methodical, precise risk assessment.
Measure that risk against “cost” of attendant controls.
Automate, and test regularly. Be accountable.
Make all others accountable too. Thank you for your time today and stay safe online!