YOUR BABY MONITOR IS ATTACKING the GOVERNMENT a Perspective on Security Risks Today and a Look Towards the Future

Nick McKerrall | Threat Prevention Team
©2016 Check Point Software Technologies Ltd.

2016 Statistics
• 5.5 million "things" are getting connected to the internet every day
• 75% of the organizations we perform security checkups on have machines infected with bots
• Every 32 minutes – sensitive data is sent outside the organization
• Every 5 seconds – a host accesses a malicious website
• Every 4 minutes – a high-risk application is used

September 2016 World Cyber Threat Map
• Legend: Green – low risk; Beige – medium; Pink – higher; Red – highest; White – insufficient data
• Red (highest risk): Bolivia, Angola, Zambia, Botswana, Uganda, Mongolia, Sri Lanka, Vietnam

September 2016 ‘Most Wanted’ Malware
1. Conficker – worm / botnet
2. Sality – remote access and control
3. Locky – ransomware (delivered mostly via email)
4. Cutwail – botnet (spam/DDoS)
5. Zeus – banking Trojan
6. Chanitor – downloader
7. Tinba – banking Trojan
8. Cryptowall – ransomware (via exploit kits and phishing)
9. Blackhole – exploit kit
10. Nivdort (Bayrob) – multipurpose bot

September 2016 ‘Mobile Most Wanted’ Malware
1. HummingBad – Android rootkit
2. Triada – Android backdoor
3. Ztorg – application dropper

The threat landscape is changing
• You need to dynamically adjust to new threat sources
• Attacks change geography all the time
• Malware is changing constantly, both in signature/variant and in purpose
• We are seeing new levels of sophistication
• Malware is becoming big business
• Our approach to protecting networks needs to change

Infected Machines are worth Money
• Ransomware keeps growing
• It's getting easier to use infected machines to make money
A business model as old as the internet

DDoS
• 665 Gbps DDoS against KrebsOnSecurity – large enough that the provider protecting his site dropped him as a client
• 1 Tbps DDoS against France-based hosting provider OVH
• Attack against DNS provider Dyn (DynDNS) – knocked out access to popular sites including Amazon, Twitter, Netflix, Etsy, GitHub, Spotify, NYT, Wired and Reddit
• Want your own botnet? Just get it off GitHub
• Too complicated? DDoS as a Service

Don't think it's a threat?
• Ontario's Education Quality and Accountability Office (EQAO) confirmed an "intentional, malicious" cyber attack
• Students and educators were unable to access the system

Internet of Things
• Healthcare – patient monitoring and controls
• Industrial – ICS/SCADA/critical infrastructure, inventory management, monitoring, safety
• Wearable tech – fitness, augmented reality, health
• Home automation – HVAC, access control, security, lighting, convenience
• Municipal – traffic control, parking enforcement, utilities, lighting, law enforcement, data collection
• Environmental – pollution monitoring, water, wildlife tracking, advance warning systems

Internet of Things
• Generally insecure
• Difficult to update/patch
• Can be a target within your environment
• Can be used to target you if compromised
• Needs to be protected through network security and segmentation
Mobile Mythbusters
• "Mobile isn't a big problem" – 1 in 5 organizations have had a mobile breach in the last year.
• "MDM is enough" – MDM helps control devices, but it doesn't help protect them.
• "Secure containers are safe" – Data does not always stay inside the container.
• "iOS is immune" – Sideloaded apps, often distributed through an MDM, can be malicious.
• "Mobile antivirus is enough" – Anything signature-based only detects known malware; unknown malware slips through until it has been identified.

Mobile Devices
• They are the unpatched, unmanaged, unknown devices in your network
• Every year they gain more access to corporate resources and more access to personal information
• The current iPhone is 120x faster than the first iPhone. It's a laptop in your pocket.
• The attack surface is growing because nobody is really paying attention

"WE ARE STUCK WITH TECHNOLOGY WHEN WHAT WE REALLY WANT IS JUST STUFF THAT WORKS" – Douglas Adams

HOW TO PROTECT BOUNDLESS ENVIRONMENTS?
[Confidential] For designated groups and individuals ©2014 Check Point Software Technologies Ltd.

SOFTWARE-DEFINED PROTECTION
• Management layer – integrates security with business process
• Control layer – delivers real-time protections to the enforcement points
• Enforcement layer – inspects traffic and enforces protection in well-defined segments
SEGMENTATION METHODOLOGY
• Step 1 – Atomic segments: elements that share the same policy and protection characteristics
• Step 2 – Segment grouping: grouping of atomic segments to allow modular protection
• Step 3 – Consolidation: of physical and virtual components, as network security gateways or as host-based software
• Step 4 – Trusted channels: protect interactions and data flow between segments

SEGMENTING YOUR NETWORK
(diagram: atomic segment → group of segments → consolidation)

THREAT INTELLIGENCE
• Real-time, collaborative and open intelligence translates into security protections

Endpoint Protection
• Endpoint is the new perimeter

Endpoint Protection
• AV is not enough; consider the following attack vectors and the control that addresses each:
  – Blocking known threats – antivirus
  – Detecting infected machines – bot detection
  – Blocking known exploits/attacks – HIPS, behavior analysis
  – Digital media rights access – document protection/DRM
  – Incident response and analysis – forensics and behavioral analysis
  – Application control – application whitelisting
  – Removable media and port protection – media security
  – Block/control access to web content – web security
  – Protect data at rest – full disk encryption
  – Blocking unknown threats – zero-day protection

The technology won't address the risks unless the risks are fully understood
• Many different risk assessment models can be used. This example uses DREAD:
  – Damage – how bad would an attack be?
  – Reproducibility – how easy is it to reproduce the attack?
  – Exploitability – how much work is it to launch the attack?
  – Affected users – how many people will be impacted?
  – Discoverability – how easy is it to discover the threat?
Threat Modeling – Ransomware
• Hosts might become infected with ransomware and encrypt important documents
  – How much damage could be done to the organization by one or more infected machines?
  – How easy is it to get infected?
  – How difficult is it to launch a ransomware attack?
  – How many of our users are exposed to this kind of attack?
  – How easy is it to figure out whether we've been infected?

Threat Scoring – Do we need to address this right away?
• How to score each item: 3 – high, 2 – medium, 1 – low
• Risk rating from the total: High 12–15, Medium 8–11, Low 5–7

Ransomware score
  – Damage potential – 3: could knock out entire groups and set the organization back days or weeks
  – Reproducibility – 3: very easy, just run the file
  – Exploitability – 3: very easy to launch with ransomware-as-a-service (RaaS) offerings such as Cerber
  – Affected users – 2: could be one user or an entire group
  – Discoverability – 1: easy to discover; the user will know they're infected right away
Score: 12 – HIGH. This risk needs to be addressed ASAP.

So what are we doing with our customers?
• Leverage the cloud for threat intelligence and compute power. There are a lot of threat resources out there; consolidate them so they can be easily consumed by your prevention tools.
• Zero trust – files must prove themselves safe before they are allowed in. Technology such as document scrubbing or threat extraction ensures users are always accessing clean documents.
• Proactive blocking of malicious outbound traffic – if there are bots on your network they can't just be logged; the C&C channel must be cut off so they can't attack anyone else.
• Micro-segmentation with protection and inspection between segments. Don't just rely on VLANs; assume threats can come from anywhere.

So what can be done?
• Visibility and Consolidation – Don't continue adding 1 tool
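The DREAD scoring on the threat-modeling and threat-scoring slides, carried through in working code. This is an added example, not code from the Check Point deck: the 1/2/3 per-item scale and the 5–7 / 8–11 / 12–15 rating bands are the slides' own, and the ransomware ratings (3, 3, 3, 2, 1) are the ones the slide gives; the two other entries in the register, and the `Dread`/`prioritise` names, are assumptions made for the example.

```python
"""DREAD risk scoring as used on the threat-modeling slides.

Added example, not from the Check Point deck. Scale and thresholds follow the
slides: each item is rated 1 (low), 2 (medium) or 3 (high) and the five items
are summed; a total of 12-15 is High, 8-11 Medium, 5-7 Low. The ransomware
ratings are the slide's; the other two register entries are made up.
"""
from dataclasses import dataclass, fields

VALID_RATINGS = (1, 2, 3)


@dataclass(frozen=True)
class Dread:
    damage: int           # how bad would an attack be?
    reproducibility: int  # how easy is it to reproduce the attack?
    exploitability: int   # how much work is it to launch the attack?
    affected_users: int   # how many people will be impacted?
    discoverability: int  # how easy is it to discover the threat?

    def __post_init__(self):
        # Reject anything outside the slide's 1-3 scale so a typo cannot
        # silently push a threat into a different band.
        for f in fields(self):
            value = getattr(self, f.name)
            if value not in VALID_RATINGS:
                raise ValueError(f"{f.name}={value!r}: each DREAD item must be 1, 2 or 3")

    def score(self) -> int:
        return sum(getattr(self, f.name) for f in fields(self))


def rating(score: int) -> str:
    """Map a DREAD total to the slide's risk bands."""
    if not 5 <= score <= 15:
        raise ValueError(f"score {score} is outside the possible range 5-15")
    if score >= 12:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def needs_immediate_action(threat: Dread) -> bool:
    """The slide's conclusion: a High rating means 'address ASAP'."""
    return rating(threat.score()) == "High"


def prioritise(register: dict) -> list:
    """Return (name, score, rating) rows, highest score first (stable for ties)."""
    rows = [(name, t.score(), rating(t.score())) for name, t in register.items()]
    return sorted(rows, key=lambda row: -row[1])


# Constructed threat register. The first entry reproduces the slide; the other
# two are hypothetical ratings chosen to land in the Medium and Low bands.
REGISTER = {
    "Ransomware on user workstations": Dread(3, 3, 3, 2, 1),              # slide values -> 12
    "Compromised IoT device used as a DDoS bot": Dread(2, 3, 2, 1, 3),    # assumed -> 11
    "Sensitive data on a lost unencrypted USB stick": Dread(2, 1, 1, 1, 2),  # assumed -> 7
}

if __name__ == "__main__":
    for name, score, label in prioritise(REGISTER):
        action = "address ASAP" if label == "High" else "schedule"
        print(f"{score:>2}  {label:<6}  {name} -> {action}")
```

The thresholds are kept in one place (`rating`) so that changing the bands, which every team tunes, changes every entry in the register consistently; the validation in `__post_init__` is what keeps an accidental "4" from inflating a total.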
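The "proactive blocking of malicious outbound traffic" point above, as an added example (not code from the Check Point deck or any Check Point product): detection logic run over constructed egress-firewall log lines that flags an internal host either for contacting a known C&C indicator or for beaconing to one destination at a regular interval, and then emits the outbound drop rules that should go to the gateway instead of just a log entry. The log format, the indicator list (a TEST-NET address), the sample hosts and the function names are all assumptions made for the example.

```python
"""From bot detection to outbound blocking.

Added example, not from the Check Point deck. Reads constructed firewall log
lines of the assumed form
    <ISO time> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
flags internal hosts that (a) contact a known C&C indicator or (b) beacon to
one destination at a near-constant interval, and turns each finding into an
egress drop rule. Indicator list and log lines are made up for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed indicator feed (203.0.113.0/24 is reserved for documentation).
KNOWN_C2 = {"203.0.113.45"}

# Constructed log: 10.1.5.23 talks to the indicator once; 10.1.7.8 beacons every
# ~5 minutes to an unlisted host; 10.1.9.2 makes three irregular web requests.
LOG = """\
2016-09-20T10:00:00 src=10.1.5.23 dst=203.0.113.45 dport=443 action=allow
2016-09-20T10:00:02 src=10.1.5.23 dst=93.184.216.34 dport=80 action=allow
2016-09-20T10:00:00 src=10.1.7.8 dst=198.51.100.7 dport=8080 action=allow
2016-09-20T10:05:00 src=10.1.7.8 dst=198.51.100.7 dport=8080 action=allow
2016-09-20T10:10:01 src=10.1.7.8 dst=198.51.100.7 dport=8080 action=allow
2016-09-20T10:14:59 src=10.1.7.8 dst=198.51.100.7 dport=8080 action=allow
2016-09-20T10:20:00 src=10.1.7.8 dst=198.51.100.7 dport=8080 action=allow
2016-09-20T10:03:10 src=10.1.9.2 dst=93.184.216.34 dport=443 action=allow
2016-09-20T10:11:40 src=10.1.9.2 dst=93.184.216.34 dport=443 action=allow
2016-09-20T10:12:05 src=10.1.9.2 dst=93.184.216.34 dport=443 action=allow
"""


def parse_log(text: str) -> list:
    """Parse the assumed log format; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def detect(records: list, known_c2: set, min_hits: int = 4, max_jitter: float = 0.1) -> dict:
    """Return {src: [(dst, reason), ...]} for hosts that look bot-infected.

    Signal (a): any connection to a known C&C indicator.
    Signal (b): at least `min_hits` connections to one destination whose
    inter-arrival times have a coefficient of variation <= `max_jitter`,
    i.e. a regular beacon, which a feed of known indicators would miss.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])

    findings = defaultdict(list)
    for (src, dst), stamps in by_pair.items():
        if dst in known_c2:
            findings[src].append((dst, "known C&C indicator"))
            continue
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings[src].append((dst, f"beaconing every ~{avg:.0f}s over {len(stamps)} connections"))
    return dict(findings)


def block_rules(findings: dict) -> list:
    """Turn findings into egress drop rules, one per C&C flow, sorted by source."""
    rules = []
    for src in sorted(findings):
        for dst, reason in findings[src]:
            rules.append(f"drop outbound {src} -> {dst} ({reason})")
    return rules


if __name__ == "__main__":
    for rule in block_rules(detect(parse_log(LOG), KNOWN_C2)):
        print(rule)
```

The drop rule cuts the C&C channel immediately; the flagged source host still has to be quarantined and cleaned, which is why `detect` returns findings keyed by source rather than only a list of destinations. Tune `min_hits` and `max_jitter` against your own baseline: legitimate software updaters also poll on fixed intervals, so in production the beacon signal should be combined with destination reputation before it drives an automatic block.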
