
How the History of Cyber Attacks is Changing Current & Future Security Defenses

Cyber Security Dinner Seminar

Tom Ruffolo, CISA, [email protected]

Agenda

▪ Technology Trends
▪ History of Attacks: Examples, Solutions, Defense Technology
▪ History of Defenses
▪ New Technology that Enables Attacks or Defenses: Leveraging New Technology
▪ Future Security: Likely Attacks, Solutions

History of Technology: Enabling Attacks

1980s: Private Internet (AOL, CompuServe); Birth of PCs [DOS]; Slow Proprietary Networks; Slow Internet Speeds: xx Kbps
1990s: Real Internet Introduced; Faster Internet, Websites; Email Use Grows; Windows 95/98; Online Shopping, Payroll; Internet: Low Mbps
2000s: Blackberry, iPhone ('07); WiFi & Portable Devices; Social: Facebook, LinkedIn; Smart Phones & Apps; Windows XP; Cloud Apps & Email Usage Up; WiFi: 11–450 Mbps; 3G: 0.4 Mbps+
2010s: SaaS Cloud Apps & Office; Public Cloud Data Centers; IoT; Expanded Social Media; Windows 10; WiFi: Up to 16 Gbps; Fast Internet: 100 Mbps–Gbps; 4G: ~10 Mbps (up to 1 Gbps); 5G (2019): 100 Mbps–20 Gbps

History of Security Attacks (12/13/2018)

1980s: Morris Worm (1988)

▪ Objective: Size the Internet (a graduate student's experiment that got out of control)
▪ Attack Target: ARPANET users (DEC VAX and Sun hosts running BSD Unix)
▪ Attack Type: 1st worm; a self-replicating program that propagated host to host over ARPANET without any user action
▪ Attack Method:
  1. Leveraged Unix service, system configuration and weak-password vulnerabilities (sendmail DEBUG mode, a fingerd buffer overflow, trusted-host rsh/rexec, and dictionary password guessing) to replicate itself rapidly across the roughly 60,000-node network
▪ Impact:
  – Replicated out of control: 1,000s of government and university machines worldwide were so slow they could not function (denial of service)
  – $100,000+ cost in downtime and cleanup
▪ Response:
  – Admins: tighten security configurations and password security
  – DARPA funds the CERT Coordination Center (CERT/CC) at Carnegie Mellon, the first computer emergency response team
  – 1st conviction under the 1986 Computer Fraud and Abuse Act

1989: AIDS Info Disk (the AIDS Trojan / PC Cyborg)

▪ Objective: Extort $$ from PC users
▪ Attack Target: PC-DOS users (diskettes mailed to a medical-conference mailing list)
▪ Attack Type: 1st ransomware
▪ Attack Method:
  1. Mail a floppy disk labelled as AIDS information software
  2. Victim inserts the disk and runs the installer
  3. After a set number of reboots (about 90) the malware hides directories and encrypts file names on drive C:
  4. Victim is told to mail $189 to a post office box in Panama to receive the unlock key
▪ Impact: Computer unusable... wait for your unlock key in the mail
▪ Response:
  – Users educated: do not run software from unsolicited media
  – Future: endpoint security, external-storage lockdown, or AV scans of removable media

Melissa & ILOVEYOU: Mass-Mailing Viruses (1999/2000)

▪ Objective: Disruption; ILOVEYOU also stole passwords
▪ Attack Target: Everyone
▪ Attack Type: Mass-mailing worm; simple, multi-stage, self-replicating. Melissa was a Word macro virus; ILOVEYOU was a VBScript attachment (LOVE-LETTER-FOR-YOU.TXT.vbs) that relied on Windows hiding the .vbs extension
▪ Attack Method:
  1. Email with an attachment (Melissa: MS Word document carrying a macro; ILOVEYOU: script disguised as a text file)
  2. Open attachment -> infect PC
  3. Replicate: Melissa sends a copy to the first 50 Outlook contacts; ILOVEYOU sends a copy to all contacts
▪ Impact: Most costly malware to date: $5–8B in damages worldwide, $15B to remove
▪ Response:
  – Windows/Office vulnerabilities patched; Outlook starts blocking executable attachments and prompting on macros
  – Users: restrict running programs and attachments
  – Vendors: improved email security
  – Employees get an education
  – 2002: Bill Gates' "Trustworthy Computing" security memo

Advanced Persistent Threats (APTs) (2010+)

APT attack map (one stage at a time, each one step closer to the data):

1. Recon: collect data on the people at the targeted organization (social sites, web search)
2. Targeted attacks on users. Top 4 methods used: #1 malware, #2 phishing, #3 malicious websites, #4 social engineering (spear-phish email, malicious web links)
3. Extract credentials: get credentials, increase access
4. Strategic users: download & install malware on the accounts that matter
5. Discovery: map your network, resources and credentialed users; find more data
6. Extract data: transfer data out, remove traces

APT Example: Operation Aurora (2009+)

▪ Objective:
  – Gain access to source code
  – Gain access to the Gmail accounts of dissidents
▪ Attack Targets: Google, Adobe, Juniper, Rackspace, Symantec, Northrop Grumman...
▪ Attack Type: Advanced Persistent Threat (APT); multi-year campaign
▪ Attack Method:
  1. China-based actors
  2. Lure users to malicious websites (links) that exploit a zero-day vulnerability in Internet Explorer (CVE-2010-0249)
  3. Download an encrypted payload to avoid discovery
  4. Maintain ongoing access to source code repositories, etc.
▪ Impact:
  – Some Google source code stolen
  – Google threatens to leave China (censored search engine business)
▪ Response:
  – Microsoft out-of-band IE patch (MS10-002)
  – Dedicated APT solutions
  – Later: APT detection built into everything

How Ransomware Works (2014+)

Attack chain: attacker's website -> download malicious code (application or attachment) -> ransomware runs -> compromised OS / exploit -> replicate -> files encrypted (even backups) -> system unusable -> ransom request -> no traces of "Dr. Evil"

Ransomware as a Service (RaaS): the kit and payment back end are rented to affiliates, so the operator never touches the victim.

Well-known variants: 2013–2015 CryptoLocker, CryptoWall; 2016 Locky, Petya; 2017 WannaCry (cryptoworm), NotPetya

Cost of ransomware: 2015 $325M; 2016 $1.45B (FBI); 2017 $5B; 2019 $11.5B forecasted

WannaCry Ransomware (2017)

▪ Objective: Extort $$ from everyone
▪ Attack Target: Everyone (personal, small business, enterprise)
▪ Attack Type: Ransomware cryptoworm; simple, multi-stage, self-replicating
▪ Attack Method:
  1. Initial infection vector unknown (normally email or web)
  2. Encrypts data on PCs and servers
  3. Ransom demanded in Bitcoin
  4. Spreads to random PCs on the local network or the Internet that still have the SMBv1 vulnerability (EternalBlue, MS17-010)
▪ Impact: Infected >230,000 computers in 150 countries
▪ Response:
  – Windows vulnerability patched: MS17-010 had been available since March 2017, two months before the outbreak, so the worm spread over machines that had not applied it; Microsoft also issued an emergency patch for unsupported Windows XP/2003
  – Kill switch: the worm stopped spreading once a domain it checked was registered, but later variants ignore the kill switch
  – New ransomware / zero-day security: endpoint security (including AI), gateway UTMs, patch management
  – Backup & disaster-recovery focus
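The "endpoint security" response on this slide rests on one observable: a ransomware process rewrites many files in a short burst, the new content is near-random (encrypted), and the extension changes (WannaCry appended ".WNCRY"). The following is an added example, not code from the seminar: a small behavioural detector that runs over constructed file-write telemetry. The event format, process names and thresholds are assumptions for the demo.

```python
import math
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from random import Random


@dataclass
class WriteEvent:
    """One file-write/rename record from endpoint telemetry (constructed here)."""
    ts: float        # event time in seconds
    process: str     # image name of the writing process
    old_path: str    # path before the write or rename
    new_path: str    # path after it (equal to old_path for an in-place write)
    data: bytes      # bytes written; a sample of the file is enough in practice


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one.
    Encrypted output looks uniform; office documents and source code do not."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_ransomware_bursts(events, window=5.0, min_files=5, entropy_threshold=7.0):
    """Alert on any process that, within `window` seconds, writes at least
    `min_files` files whose content is near-random AND whose extension changed.
    Requiring both cuts false positives from archivers and media encoders,
    which also write high-entropy data. Returns {process: alert details}."""
    per_process = defaultdict(deque)
    alerts = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if shannon_entropy(e.data) < entropy_threshold:
            continue
        if extension(e.new_path) == extension(e.old_path):
            continue
        recent = per_process[e.process]
        recent.append(e)
        while recent and e.ts - recent[0].ts > window:
            recent.popleft()
        if len(recent) >= min_files and e.process not in alerts:
            alerts[e.process] = {"first_seen": recent[0].ts,
                                 "files": [x.new_path for x in recent]}
    return alerts


def build_sample_events():
    """Constructed telemetry, not a real capture: an editor saving a document,
    an archiver compressing one file, and a process that rewrites eight
    documents as near-random '.WNCRY' files within about two seconds."""
    rng = Random(1)

    def random_blob(n):
        return bytes(rng.randrange(256) for _ in range(n))

    text = b"Quarterly report: revenue grew 4% on stable costs. " * 80
    events = [
        WriteEvent(50.0, "winword.exe", "C:/Users/a/Documents/q3.docx",
                   "C:/Users/a/Documents/q3.docx", text),
        WriteEvent(60.0, "7z.exe", "C:/Users/a/Documents/notes.txt",
                   "C:/Users/a/Documents/notes.zip", random_blob(4096)),
    ]
    for i in range(8):
        src = f"C:/Users/a/Documents/report{i}.docx"
        events.append(WriteEvent(100.0 + 0.3 * i, "wncry.exe", src,
                                 src + ".WNCRY", random_blob(4096)))
    return events


def run_demo():
    """Returns the alerts raised on the constructed events."""
    return detect_ransomware_bursts(build_sample_events())


if __name__ == "__main__":
    for proc, info in run_demo().items():
        print(f"ALERT {proc}: {len(info['files'])} encrypted-looking files "
              f"starting at t={info['first_seen']}")
```

Only the simulated worm trips the detector: the editor writes low-entropy text, and the archiver writes high-entropy data but only one file. In production the same logic would be fed from file-system auditing (Sysmon, an EDR agent, or a minifilter), and a practitioner would pair it with decoy "canary" files that no legitimate process should touch.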

CEO Fraud: Social Engineering Attack (2015+)

▪ Objective: Steal $$ or high-value data
▪ Attack Target: Companies of all sizes
▪ Attack Type: Impersonate the "CEO" and order staff to initiate targeted transactions (also called business email compromise, BEC)
▪ Attack Method (social engineering):
  1. Reconnaissance (social media, company website, out-of-office replies...)
  2. Spear phishing (spoofed or lookalike sender addresses)
  3. The victim responds
  4. Damage (wire sent, payroll redirected, data released)
  5. Impact
▪ Impact: Unrecoverable $$ or data loss
▪ Response:
  – Improved email security (anti-spoofing checks such as SPF, DKIM and DMARC; lookalike-domain detection)
  – Online employee training
  – "Human 2-factor authentication": confirm any payment or data request over a second channel; improved internal communication; policies, process, procedures
  – Social media usage controls
  – Website domain control (register lookalike domains, monitor for spoofing)

Supply Chain Attacks (2017, e.g. the trojanized CCleaner installer and the M.E.Doc update that delivered NotPetya)

▪ Objective: Introduce malware into your network through software you already trust, then initiate an attack
▪ Attack Target: All companies; any software
▪ Attack Type: Corrupt legitimate software downloads or updates from a trusted vendor
▪ Attack Method:
  1. Corrupt the trusted software or update: on the supplier's download servers, in the vendor's own build, or by hijacking the software update path
  2. User downloads the trojanized software
  3. Attack starts
▪ Impact: Any attack is possible; the code runs with the trust and privileges of the legitimate product
▪ Response (hard to prevent or detect):
  – Prevent: next-gen web reputation checking; controlled (or delayed) updates; vendor selection scrutiny
  – Detect: zero-day malware detection; APT detection (command-and-control traffic)
  – Respond: backup and disaster recovery
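Two of the preventive controls above, "controlled (or delayed) updates" and defending against a hijacked update path, can be expressed as a single gate in the update process. The following is an added example, not code from the seminar: an update is installed only if its SHA-256 digest matches one pinned from a source independent of the download server, and only once it has been public long enough for the community to notice a bad release. The artifacts, manifests, version numbers and hold-back period are constructed for the demo.

```python
import hashlib
import hmac
from datetime import date


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def flip_one_byte(blob: bytes, offset: int = 100) -> bytes:
    """Simulate a trojanized download: a single changed byte is enough to
    fail the digest check, which is exactly the point."""
    mutated = bytearray(blob)
    mutated[offset] ^= 0x01
    return bytes(mutated)


# Constructed stand-ins for vendor installers (not real binaries).
ARTIFACT_2_4_1 = b"MZ\x90\x00" + b"agent-update v2.4.1 " * 64
ARTIFACT_2_5_0 = b"MZ\x90\x00" + b"agent-update v2.5.0 " * 64
TAMPERED_2_4_1 = flip_one_byte(ARTIFACT_2_4_1)

# Digests pinned from an OUT-OF-BAND source (the vendor's signed release notes,
# a second mirror, a phone call to the vendor). Never trust a .sha256 file
# sitting next to the binary on the same server: a hijacked download path
# serves a matching fake digest just as easily. Here they are computed from
# the constructed artifacts above; in production they are pasted in.
PINNED_DIGESTS = {
    "2.4.1": sha256_hex(ARTIFACT_2_4_1),
    "2.5.0": sha256_hex(ARTIFACT_2_5_0),
}

# Constructed update manifests, as an update service might publish them.
MANIFEST_2_4_1 = {"version": "2.4.1", "released": date(2018, 11, 20)}
MANIFEST_2_5_0 = {"version": "2.5.0", "released": date(2018, 12, 12)}
TODAY = date(2018, 12, 13)


def update_allowed(manifest, artifact, pinned, today, hold_days=7):
    """Gate an update on (1) a pinned digest and (2) a hold-back period.
    Returns (allowed, reason). Integrity is checked before age so a
    tampered file never sits in a queue as if it were legitimate."""
    version = manifest["version"]
    expected = pinned.get(version)
    if expected is None:
        return False, f"no out-of-band digest pinned for {version}"
    if not hmac.compare_digest(sha256_hex(artifact), expected):
        return False, f"digest mismatch for {version}: artifact altered or wrong file"
    age_days = (today - manifest["released"]).days
    if age_days < hold_days:
        return False, f"{version} released {age_days} day(s) ago; holding for {hold_days}"
    return True, f"{version} verified and past the hold-back window"


def run_demo():
    """Four cases: genuine and old enough, tampered, too fresh, and unknown."""
    return {
        "genuine": update_allowed(MANIFEST_2_4_1, ARTIFACT_2_4_1, PINNED_DIGESTS, TODAY),
        "tampered": update_allowed(MANIFEST_2_4_1, TAMPERED_2_4_1, PINNED_DIGESTS, TODAY),
        "fresh": update_allowed(MANIFEST_2_5_0, ARTIFACT_2_5_0, PINNED_DIGESTS, TODAY),
        "unknown": update_allowed({"version": "2.6.0", "released": TODAY},
                                  ARTIFACT_2_4_1, PINNED_DIGESTS, TODAY),
    }


if __name__ == "__main__":
    for case, (ok, why) in run_demo().items():
        print(f"{case:8s} {'ALLOW' if ok else 'BLOCK'}: {why}")
```

A pinned digest protects against a compromised download server or update path; it does not help when the vendor's own build was backdoored before the digest was published, which is why the hold-back period and vendor scrutiny sit beside it rather than replacing it. Where the vendor signs releases, verify that signature against a key obtained out of band in the same spirit.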

Crypto Currency Attacks & Mining (2017)

▪ Objective:
  1. Steal cryptocurrency, or
  2. Create cryptocurrency on your nickel
▪ Attack Target: The whole crypto food chain, including users
▪ Attack Methods (numerous and growing):
  1. Crypto mining (cryptojacking) in browsers or on servers, via injected scripts or malware infections
  2. Hijacking the cryptojacker: redirect the mining payout to another wallet address
  3. Attacks on 3rd parties: tools, wallets, exchanges
  4. Attacks on end users:
     • Wallet shuffling: stealing your wallet, or swapping your wallet address for theirs so funds land in their storage
     • Scraping your PC for crypto information (wallets, coin addresses)
     • Stealing login credentials for your crypto account and wallet
  5. Attacks on crypto exchanges: $532M lost to credential-stealing malware and stolen private wallet keys
▪ Broad cryptocurrency-ecosystem attacks require broad solutions in these areas:
  – Traditional security solutions
  – Crypto infrastructure protection
  – Secure access control
  – Protecting developers & tools
  – Social attacks on people

While the architecture of the blockchain may be secure, the surrounding ecosystem is not.

New Threats from Moving to the Cloud

ISSUES: ❑ Visibility ❑ Data Protection ❑ Malware ❑ Access Control

Data Center <-> Cloud Applications: Storage/Sharing, CRM, HR, Finance, Office Apps, Sales, Development, Operations

History of Security – Attacks Summary

Technology evolution by decade: as in the "History of Technology: Enabling Attacks" table above.

Attack methods by decade:
1980s: 1st malware and worms; 1st ransomware; hackers
1990s: Email threats (phishing email, attachments); attacks on Windows OS and servers; malware, worms; 1st morphed malware; hacking
2000s: Website vulnerabilities; stolen credentials; spear phishing; malware variants; botnets; privilege misuse; hacking
2010s: Software supply chain; CEO fraud; ransomware / RaaS; advanced persistent threats; website vulnerabilities; fast-morphing malware; privilege misuse; stolen credentials

History of Security – Defense Responses

1980s: Core security begins; antivirus invented
1990s: Antivirus, firewalls; email security, 2-factor authentication; enterprise BDR (backup & disaster recovery)
2000s: Detection: IDS/IPS; data protection; UTM firewalls; next-gen firewalls; better WiFi security; SMB BDR
2010s: Windows 10; dedicated APT solutions; improved email security (CEO fraud, spear phishing); zero-day & ransomware anti-malware; web application firewalls (WAFs); low-cost multi-factor authentication (MFA); enhanced endpoint security; cloud app security brokers (CASBs); prevent + detect & response solutions (SIEMs, EDRs, network monitoring); DRaaS; online security awareness training; risk assessments become common

Threat & solution acceleration: each decade adds new attack classes on top of the old ones, and defenses are layered the same way.

History of Security – Defense Technologies

– SIEM: monitoring & threat detection
– Cloud: data center security
– WiFi-focused security
– CASB & firewall; CASB Lite
– Cloud updates & intelligence for firewalls
– SaaS cloud: 2-factor authentication
– New IDS/IPS heuristics (behavior-based)
– Email security
– Cloud: central management & threat intelligence
– Data loss protection (DLP)
– APT solutions: dedicated & firewall-integrated
– Security signatures
– Web security
– Data encryption
– Anti-DDoS technology
– 2-factor authentication
– Server-specific security
– Anti-spoof, spear phishing and CEO fraud protection
– Mobile device management & security
– Anti-ransomware detection & response
– Zero-day remediation (sandbox, ML/AI)

What Can We Learn from History?

1990s: malware & worms; hacking; email phishing and social engineering. Defended at the gateway and on endpoints/servers.
Today: cloud; mobile, apps & wearables; software supply chain; IoT (business & homes); ransomware / zero-day; APTs; data centers; Internet; blockchain.

 Technology drives security attack opportunities
 The rate of change is accelerating
 Attacks over time are stackable & reusable
 Defenses have been incrementally built & are stackable also

Future of Security: Attacks and Future Defenses

Technology evolution: everything fast wireless (5G...); everything on-demand; smart devices & wearables; cloud- and IoT-driven everything; big data; blockchains & digital currency; WiFi: 10+ Gbps; faster Internet: gigabit+; 5G: ~20 Gbps

What's different: attack methods
– Wireless network attacks
– Attack the cloud
– IoT attacks (home & office)
– Supply chain attacks
– AI-driven malware
– Hacking into everything
– Social engineering

Future defenses, to protect personal & social data, corporate data, contracts and financial data:
– Adaptive ecosystem defenses
– AI / machine-learning defenses
– Integration of all security devices
– Automated response
– Wi-Fi & mobile-focused security
– IoT standards & IoT security (#2 hot topic)
– Blockchain + traditional security
– AI-driven security risk simulations
– Federated biometric + adaptive authentication
– Everyone is regulated

Takeaways for Today

▪ Choose security product partners that
  – have a growing list of integrated products
  – are targeting your specific-sized company or market
  – have a strategic vision in alignment with yours
▪ Outsource for:
  – risk assessments
  – a higher level of expertise
  – managed security
▪ Fill gaps in areas you have been ignoring: AI, IoT, cloud, mobile, access control, training
▪ Act like criminals are after your data and your money; they are

Use a Risk Management Process

RISK MANAGEMENT PROCESS (a continuous cycle)

1. Risk assessment
2. Define gaps, priorities & compliance requirements
3. Define security strategies, plans & goals
4. Select product, service & policy solutions
5. Implement
6. Detect & respond
7. Monitor
8. Reduce employee risk: train
9. Manage & revise security and compliance; document priorities & plans; then return to step 1

How We Help Our Customers

MANAGED SECURITY / MDR
 Firewall & advanced threat management
 Web application firewalls (WAF)
 SIEM security monitoring+
 Threat detection & response
 Backup & disaster recovery
 Cloud application security (CASB)
 Cloud data center security
 Network & server security management
 Email (security, spam, archiving)
 Access control (IDaaS, 2-factor)
 WiFi security
 VOIP
 Endpoint EDR (endpoint detection & response)

ADVISORY / CONSULTING
 Security strategy & advisory
 Risk assessments / audits
 Vulnerability scans & penetration tests
 Compliance manager services

SECURITY TRAINING
 Cybersecurity awareness
 Product technical training

SERVICES / PROJECTS
 Security review / audit
 Security / networking projects
 Hourly support agreements

RISK ASSESSMENTS
 Security tests
 Vulnerability scans
 Penetration tests (network, web app)
 Phishing simulation
 Full social engineering
 Cloud application
 Gateway risk assessment
 Advanced malware (APT)
 Security awareness & phishing

Security Products

Compliance Solutions: ▪ PCI DSS ▪ NIST ▪ FFIEC/NCUA ▪ HIPAA ▪ SOX ▪ GLBA ▪ ISO 27001/2 ▪ FISMA ▪ GDPR

We can help you manage compliance with Compliance Manager support services.

eSecurity Solutions

 15 years, 100% security focused
 Complete security solutions

Security lifecycle: assess risks -> security strategy & risk assessments -> products & projects -> managed security & compliance -> policies -> awareness training -> threat prevention -> monitor, detect, respond -> manage, adjust & repeat

vCSO & Advisory

Tom Ruffolo, CISA
▪ [email protected]
▪ www.eSecuritySolutions.com
▪ https://www.esecuritysolutions.com/blog
▪ www.esecuritysolutions.com/subscribe
▪ 866-661-6685