The modern security lifecycle approach
Challenges, defense concepts, our solutions
Teodor Cimpoesu, Cyber Security BU Director
Cyber Security Day, Bucharest, 29 Oct, 2014

How CSOs think of their networks
What the reality looks like: overwhelmed by bots
(two illustration slides; no further text)

Agenda
1 Outside your cyber walls (7 min)
2 Defense – military imported cyber concepts (5 min)
3 Solutions – CSIRT and Managed Services (8 min)

1 Outside your cyber walls

Cyber threats evolution
(chart plotting threat actors by danger against complexity; the recoverable labels follow)
Actor labels, from least to most capable: freelance hackers, small criminal groups, terrorist groups, organized crime, nation-state cyber attacks.
Attack classes and the examples cited: kinetic cyber-attacks – Chevron (1992), Gazprom (1999), Stuxnet (2010), Aramco (2012); nation-state attacks and cyber espionage – Agent.btz (2008), Aurora (2010), Energetic Bear (2012), Flame (2012), Uroburos (2014).

Cybercrime Ecosystem
$50k – in 2009 it cost $50k to rent a botnet for a 24h DDoS attack; prices have gone down since.
$100 mil – the FBI takedown of Silk Road led to the seizure of $100 mil in Bitcoins.
$150 bln – the cost of traditional crime going cyber is over 150 billion, with the total estimate at 250 billion.
5% – only 5% are true targeted attacks; 95% are consumer-grade.
Who: 70% individuals or small groups, 20% criminal organizations, 5% cyber-terrorists, 4% state-sponsored players.
Where: most quantity from CN, Latin America and EE; best quality from RU, UA and CN. RU, RO, LT, UA and other EE players mainly focus on attacking financial institutions.
Forms of organization: Crime Gang, Crime Group, Syndicate, Cartel, Consortium, Organization.
Source: RAND Corporation, Markets for Cybercrime Tools and Stolen Data (2014), www.rand.org

Goods and Services on the Black Market
(table with columns Category / Definition / Examples; its rows did not survive extraction)
Vendors offer guarantees (e.g. malware undetectable for 12h), enforce Terms of Use (e.g. infect 1000 machines only) or may cancel the service (for too much noise). They also invest in high-quality products: Paunch, the BlackHole Exploit Kit owner, was said to put in 100k USD for zero-days in just one round.
Source: RAND Corporation, Markets for Cybercrime Tools and Stolen Data (2014), www.rand.org

Goods and Services on the Black Market – Exploit Kit Price by Year
(chart; only the axis labels Exploit Kit / Price / Year survived extraction)
Source: RAND Corporation, Markets for Cybercrime Tools and Stolen Data (2014), www.rand.org

Nation-state campaigns
(columns: Attacker, Targets, Initial vector / Delivery, Control / Persistence)

Aurora / Hydraq (2010)
Attacker: Chinese (supposed); Elderwood Group / PLA Unit 61398 / Comment Crew suspected
Targets: Google, Adobe, Juniper, Yahoo, Symantec, Morgan Stanley
Initial vector / Delivery: IE JavaScript exploit (3 months old); spear phishing / watering hole
Control / Persistence: backdoor masquerading as SSL, with custom encryption; dynamic DNS

Night Dragon (2011)
Attacker: Chinese (supposed); one attacker identified as being from Shandong Province
Targets: global oil & gas, energy and petrochemical companies
Initial vector / Delivery: SQL-injection exploits of extranet web servers; malware placed on the server and used to harvest AD; spear-phishing e-mail to mobile worker laptops containing a malicious link (social engineering)
Control / Persistence: RAT (zwShell) on users' computers/laptops, connecting over the user VPN; dropper + backdoor

RSA (2011)
Attacker: Chinese (supposed)
Targets: RSA SecurID, then Lockheed Martin, L-3 Communications, Northrop Grumman
Initial vector / Delivery: spear-phishing e-mail with an Excel file carrying an SWF exploit; stolen account (Lockheed)
Control / Persistence: Poison Ivy RAT; no other info available. Lockheed claims it stopped the attack.

RedOctober (2012)
Attacker: Russian (supposed); possible links with Uroburos/Snake
Targets: government, diplomatic, trade, nuclear, oil & gas, military, aerospace
Initial vector / Delivery: spear-phishing e-mail with Excel and Word (RTF) exploits > dropper > loader
Control / Persistence: multi-functional framework (34+ modules)

Energetic Bear (2014)
Attacker: Russian (supposed)
Targets: defense & aviation (US, CA), energy ICS / SCADA vendors (EU), EU governments
Initial vector / Delivery: spear-phishing e-mail campaign (XDP-packaged PDF with SWF exploit); watering hole – 3rd-party site with the LightsOut exploit kit -> JAR; trojanized software installers
Control / Persistence: Havex RAT, Sysmain Trojan, Karagany backdoor

Strategies of attack
Matryoshka Attack
• Encompass a victim in a general event that conceals a targeted attack, e.g. known botnet attacks. Additionally, the attacker can mount a social-engineering attack in parallel as a decoy. Forensics may turn up this obvious targeted attack and thus overlook the lower-profile, still potent botnet.
Impossible Attack
• Characterized by unexpected methods or channels of entry. The deception strategy is to breach a security perimeter through an unconventional means of ingress.
Panic Attack
• Create disturbances or simulate threats to the victim to obtain intelligence about a target resource.
• The deployment of additional monitoring in certain parts of the network reveals the location of high-value assets. The quarantine or shutdown of suspect machines, changes to compromised user accounts, or the incorporation of custom intrusion detection rules reveal the extent of the victim’s knowledge about the attack. The provision of alternative computing infrastructure reveals the critical services required for the organization’s operation.
Deceive & Decoy Attack
• Conceals adversarial activity or stolen data within a legitimate or benign-looking context. High-value assets are typically exfiltrated by obfuscating the data through compression or encryption and concealing it in common file transfer protocols such as FTP or HTTP, in popular application protocols, or in legitimate-looking documents (through steganographic means).
Source: “Sherlock Holmes and The Case of the Advanced Persistent Threat”, Ari Juels, Ting-Fang Yen, RSA (2012)

Exfiltration – should keep you up at night
• Encrypted communication
• Over trusted protocols
• Can you change your security policy?
Source: TrendMicro Labs

Today
“There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don’t know it” – Gartner Inc.
(2012)
Source: Gartner whitepaper, “Malware Is Already Inside Your Organization; Deal With It” (2014)

CEE Cyber Security Readiness
(two survey charts; the recoverable figures follow)
We have the best protection for... external attacks: 38% highly agree, 47% agree, 13% depends; ...disruptions and data loss: 37% highly agree, 44% agree, 16% depends.
We had 3rd-party vulnerability assessments in the last 3 years: Austria 57%, Czech Republic 50%, Hungary 50%, Poland 45%, Romania 38%, Slovakia 34%, Turkey 46%, total 46%.
Companies do not regularly check their security standing and hope for the best.
Source: ICT Business Trends & Challenges in Austria, CEE and Turkey, Pierre Audoin Consultants (2014)

2 Military imported cyber security concepts

The Terms
Exploit – the defined way (specific steps/application) to use a vulnerability in practice to breach a system. The exploit range can be local or remote.
Zero-Day Vulnerability – a vulnerability for which there is no patch (solution/countermeasure) from the vendor of the system or application.
Zero-Day Exploit – the actual means to use that vulnerability.
Attack – the realization of a threat through the means of exploits on existing vulnerabilities.
Attack vector – the method that the (exploit) code uses to breach or propagate. A vulnerability can have several attack vectors.
Attack surface – the sum of all attack vectors.
Impact – the estimated financial and non-financial loss (value of services, capabilities, data, etc.) after a threat materializes as an attack (cyber attacks, not accidents).
Controls – mechanisms used to restrain, regulate, or reduce vulnerabilities. Controls can be corrective, detective, preventive, or deterrent.
Stages of an attack
1 • Intelligence gathering – OSINT, CYBINT, HUMINT
2 • Infecting the target – social engineering, BYOD, spear phishing, watering hole
3 • System exploitation – zero-day exploits, half-day exploits + RATs
4 • Internal recon – lateral movement and maintaining control
5 • Data exfiltration – over FTP/HTTP, known/fake protocols

Military concepts in cyber use
(diagram: Kill Chain, OPSEC, Targeting, Terrain, Disinformation / Diversion and Threat Intelligence arranged around the cyber domain)
Cyber Terrain – those physical and logical elements of the domain that enable mission-essential warfighting functions.
OPSEC – systematic method used to identify, control and protect critical information, and to analyze friendly actions associated with military operations.
Cyber Targeting – the process of selecting and prioritizing targets and matching them against the appropriate response to them.
Disinformation / Diversion – actions executed to deliberately mislead the adversary. False targets such as honeypots can be used to learn about the adversary.
Threat Intelligence – complex doctrine consisting of planning, collection, analysis, dissemination & integration, and evaluation of data.

The Kill Chain
Find – Fix – Track – Target – Engage – Assess
Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Eric M. Hutchins et al.
Image: http://www.digitalbond.com/blog/tag/cyber-kill-chain/

Intelligence-driven Computer Network Defense
(diagram slide)
Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Eric M. Hutchins et al.

The Defense Chain
Plan – what to protect, what your assets and policies are, what type of protective controls.
Build – acquire competencies, build skills and specialists, acquire tools (after teams).
Implement – the solutions in your company.
Monitor – operate the technical solutions, have operational NSM/SIEM systems, perform reviews and drills (incident response exercises).
Detect – check the output of monitoring systems, validate the alerts and do proactive search for IoA (indicators of attack).
Respond – exercise the incident response plans; investigate, contain and remediate.
Report – gather information, analyze it, communicate to the right people.
Improve – keep the
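The Exfiltration slide, the Deceive & Decoy strategy and the Detect step of the Defense Chain all reduce to one hunting question: which outbound flows over trusted protocols are actually carrying data out? The script below is an added example written for this page; it is not code from the presentation, from Gartner or from Trend Micro. It scores constructed traffic records (labelled as such in the code) on three indicators of attack that together characterize the pattern described above: an upload-heavy byte ratio, request bodies whose entropy says "compressed or encrypted", and requests arriving at machine-regular intervals. The record fields, hostnames, thresholds and sample data are assumptions for illustration.

```python
"""Hunt for data exfiltration hidden in trusted protocols (added example).

Scores each (source, destination) flow on three indicators of attack:
  * upload ratio  - bytes leaving far exceed bytes coming back
  * body entropy  - uploaded bodies look compressed or encrypted
  * beaconing     - requests arrive at near-constant intervals
A flow that trips two or more indicators is reported for investigation.
"""
import hashlib
import math
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Thresholds are assumptions for this example; tune them on your own baseline.
ENTROPY_LIMIT = 7.5       # bits per byte; text sits around 4-5, ciphertext near 8
UPLOAD_RATIO_LIMIT = 5.0  # bytes_out / bytes_in over the whole flow
BEACON_CV_LIMIT = 0.15    # std-dev / mean of the gaps between requests
MIN_REQUESTS = 4          # do not judge periodicity on fewer requests


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def score_flows(records):
    """Group records by (src, dst) and score each flow. Returns {flow: finding}."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"])].append(r)

    findings = {}
    for flow, recs in flows.items():
        recs = sorted(recs, key=lambda r: r["ts"])
        bytes_out = sum(r["bytes_out"] for r in recs)
        bytes_in = sum(r["bytes_in"] for r in recs)
        ratio = bytes_out / max(bytes_in, 1)
        entropy = mean([shannon_entropy(r["body"]) for r in recs])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        cv = None  # coefficient of variation of the inter-request gaps
        if len(recs) >= MIN_REQUESTS and mean(gaps) > 0:
            cv = pstdev(gaps) / mean(gaps)

        reasons = []
        if ratio > UPLOAD_RATIO_LIMIT:
            reasons.append(f"upload ratio {ratio:.0f}:1")
        if entropy > ENTROPY_LIMIT:
            reasons.append(f"body entropy {entropy:.2f} bits/byte")
        if cv is not None and cv < BEACON_CV_LIMIT:
            reasons.append(f"regular interval, cv={cv:.2f}")
        findings[flow] = {"score": len(reasons), "reasons": reasons,
                          "bytes_out": bytes_out, "requests": len(recs)}
    return findings


def suspected_exfil(records, min_score=2):
    """Flows tripping at least `min_score` indicators."""
    return {f: v for f, v in score_flows(records).items() if v["score"] >= min_score}


def sample_records():
    """Constructed traffic records (not real data) in the shape a proxy log or
    Zeek-style file extraction would yield: ts, src, dst, method, byte counts
    and a sample of the request body. Hosts and addresses are made up."""
    base = datetime(2014, 10, 29, 9, 0, 0)
    recs = []
    # Ordinary browsing: small text uploads, big downloads, human timing.
    for i, offset in enumerate([0, 7, 19, 61, 133, 140]):
        recs.append({"ts": base + timedelta(seconds=offset),
                     "src": "10.1.2.33", "dst": "news.example", "method": "GET",
                     "bytes_out": 420, "bytes_in": 58000,
                     "body": b"q=security+day&page=%d" % i})
    # Exfiltration: every 300 s the same host POSTs an encrypted-looking blob to
    # an unremarkable HTTPS host and gets almost nothing back. The blob is
    # deterministic hash output standing in for ciphertext.
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    for i in range(6):
        recs.append({"ts": base + timedelta(seconds=300 * i + 5),
                     "src": "10.1.2.33", "dst": "cdn-sync.example", "method": "POST",
                     "bytes_out": 48000 + i, "bytes_in": 200,
                     "body": blob})
    return recs


if __name__ == "__main__":
    for flow, finding in suspected_exfil(sample_records()).items():
        print(f"{flow[0]} -> {flow[1]}: score {finding['score']} "
              f"({'; '.join(finding['reasons'])}), {finding['bytes_out']} bytes out")
```

Run stand-alone it reports only the `cdn-sync.example` flow, tripping all three indicators, while the browsing flow scores zero. Two caveats for real deployments: entropy alone is noisy, since legitimate image, archive and TLS-wrapped uploads also score near 8 bits per byte, which is why a flow must trip at least two indicators; and a plain proxy log gives byte counts and timing but not bodies, so the entropy check needs a sensor that sees payloads (file extraction from a network sensor or a TLS-inspecting proxy), exactly the "can you change your security policy?" question the slide asks.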