And You Thought It Could Not Get Worse

And You Thought It Could Not Get Worse

And You Thought It Could Not Get Worse Joe Vigorito/Director, Mobility & Security Annese & Associates, Inc. Sad State of Security “Many cyberattacks can be mitigated by relatively simple measures. Unfortunately, some people fail to take what appear to be basic precautions–such as using strong passwords, applying patches, and running a security solution. In many cases, breaking into a company’s network is easier than it sounds.” Costin Raiu Director, Global Research & Analysis Team Kaspersky Lab “I could teach a third-grader to do it.” Darren Martyn aka “PwnSauce” LulzSec After hacking senate.gov in 2011 The Current State of Cybersecurity is Not Nearly Good Enough, and is getting worse all the time! Not getting worse? Lets look… • Yahoo! – Perpetrator unknown. 500 million accounts in Sept. ‘16, 1 billion in December. User names, email addresses, date of birth, passwords, phone #’s and security questions leaked Not getting worse? Lets look… • Yahoo! – Perpetrator unknown. 500 million accounts in Sept. ‘16, 1 billion in December. User names, email addresses, date of birth, passwords, phone #’s and security questions leaked • Mark Zuckerberg Hack – OurMine Group. His Pinterest and Twitter accounts were hacked multiple times because he used the password ‘dadada’ Not getting worse? Lets look… • Yahoo! – Perpetrator unknown. 500 million accounts in Sept. ‘16, 1 billion in December. User names, email addresses, date of birth, passwords, phone #’s and security questions leaked • Mark Zuckerberg Hack – OurMine Group. His Pinterest and Twitter accounts were hacked multiple times because he used the password ‘dadada’ • Oracle Micros Hack – Russian hacking group known for hacking banks compromised Oracle’s POS system code on one of the top 3 payment card systems globally Not getting worse? Lets look… • Yahoo! – Perpetrator unknown. 500 million accounts in Sept. ‘16, 1 billion in December. User names, email addresses, date of birth, passwords, phone #’s and security questions leaked • Mark Zuckerberg Hack – OurMine Group. His Pinterest and Twitter accounts were hacked multiple times because he used the password ‘dadada’ • Oracle Micros Hack – Russian hacking group known for hacking banks compromised Oracle’s POS system code on one of the top 3 payment card systems globally • Russian interplay during Presidential election season – large scale phishing campaign to harvest emails which were then published via various sources including, purportedly, those from Wikileaks Not getting worse? Lets look… • Yahoo! – Perpetrator unknown. 500 million accounts in Sept. ‘16, 1 billion in December. User names, email addresses, date of birth, passwords, phone #’s and security questions leaked • Mark Zuckerberg Hack – OurMine Group. His Pinterest and Twitter accounts were hacked multiple times because he used the password ‘dadada’ • Oracle Micros Hack – Russian hacking group known for hacking banks compromised Oracle’s POS system code on one of the top 3 payment card systems globally • Russian interplay during Presidential election season – large scale phishing campaign to harvest emails which were then published via various sources including, purportedly, those from Wikileaks • French election in May – Russian hackers, undetected by ANSII, compromised French infrastructure and released info to social media 36 hours before election Not getting worse? Lets look… • Yahoo! – Perpetrator unknown. 500 million accounts in Sept. ‘16, 1 billion in December. User names, email addresses, date of birth, passwords, phone #’s and security questions leaked • Mark Zuckerberg Hack – OurMine Group. His Pinterest and Twitter accounts were hacked multiple times because he used the password ‘dadada’ • Oracle Micros Hack – Russian hacking group known for hacking banks compromised Oracle’s POS system code on one of the top 3 payment card systems globally • Russian interplay during Presidential election season – large scale phishing campaign to harvest emails which were then published via various sources including, purportedly, those from Wikileaks • French election in May – Russian hackers, undetected by ANSII, compromised French infrastructure and released info to social media 36 hours before election “You can’t defend. You can’t prevent. All you can do is detect and respond.” – Bruce Schneier Recent Samples Exploratory Attacks • May 12, 2017 – WannaCry Ransomware Campaign • Oct. 21, 2016 – Massive Global Distributed Denial of 150 countries; $300 per ransom request Service Attack on Dyn • Used in combination with worm functionality to • Affected the essential component of all web sites, move laterally across networks DNS • Leveraged Windows SMB exploit released by • Twitter, SoundCloud, Spotify, Reddit and a host of Shadow Brokers other sites • Distributed via various methods; but observed • Leveraged the collective firepower of Internet of most often via SPAM with malicious links Things devices — poorly secured Internet-based including the following: security cameras, digital video recorders (DVRs) and internet routers • http://www.rentasyventas.com/incluir/rk/i megenese.htm?retencion=081525418 • Mirai is a crime machine that enslaves IoT devices for use in large DDoS attacks (used in Dyn’s attack) • https://graficagibin.com.br/olja/q.hta • Took down a small part of the Internet but a prelude • From the following email address: to a far bigger attack in the future. [email protected] Continental US • MS17-010 Microsoft Security Bulletin • Patching or other risk mitigations prevented exposure “The sky is falling! What’s happening? Many companies have really bad security, and have comfortably had it for a long time.” – Marcus Ranum WannaCry Ransomware Patching, A/V & Endpoint Admin Are Important But Insufficient! Four other higher order concepts are needed…. The Higher Order of Security • Data Classification & Information Impact o What data does my organization need to function and where is it? • Business Resiliency / Continuity o Can I operate if every tool currently at my disposal is impaired? o Note, disaster recovery is one piece of this puzzle, not the puzzle itself! • Prevention o Your tools: Layer, Limit, Diversify, Obfuscate, Simplify • Incident Preparedness o Canary in the coal mine test: If staff sees a ransom note, they do what? Beware of a tools only approach Past Protection No Longer Has Efficacy in the Present Known Malware < traditional AV is less than 5% to 45-50% effective 1 in 3 chance Zero-days will evade detection 107 billion identities compromised in past 6 years Your firewalls/IPS’ were faced with 86 billion threats last year – do you think they blocked them all? Organizations must decide if these odds are unacceptable Attack Surface & Commonality Maintain Lateral Presence Movement Initial Initial Establish Escalate Internal Complete Recon Comprom Foothold Mission ise Privileges Recon Identify Gain Initial Strengthen Steal Valid User Identify Package & Exploitable Access Into Position Credentials Target Data Steal Target Vulnerabilities Target Within Target Data Real Whaling Attack on Opswat Spear Phishing Example CFO/CEO Security Dilemma: Balance Convenience and Control • Cyber-fatigue • Snapshot training • Policy and process lacking • Vulnerabilities not managed uniformly • Patching approach required • Change Management is a fallacy for many • Automate as much as possible Be prepared or be prepared to suffer Infrastructure Has Changed Buying Hardware Infrastructure As a Service EARLY 2000’s MID 2000’s NOW The one on the right can be bought with a credit card! Security Has Changed As Well Source: Alert Logic Security Has Changed As Well Source: Alert Logic Active Insider Threat Security Has Changed Source: Alert Logic Lastly Cybercrime Has Changed Single Actors EARLY 2000’s MID 2000’s NOW Lastly Cybercrime Has Changed Single Actors Highly Organized Groups EARLY 2000’s MID 2000’s NOW Anonymous, LulzSec, Cyberzeist, Cult of Dead Cow, Shadow Brokers, etc. Cybercrime is Flourishing Expanding Attack Surfaces Evolution of Adversaries Overwhelmed Defenses AV-TEST, 2016 Forbes, 2014 FireEye, 2015 508 is the average 390,000 new malicious 37% of US companies number of applications programs every day with face 50,000+ alerts in an enterprise a viable ecosystem per month Source: Alert Logic Attack methods are evolving • Security risks o Perception of increased risk due to lack of control o Blind spots: no way to connect on-premise and cloud attacks o Increased threat surface o Tuning tools for relevant notifications CLOUD ATTACKS Brick and Mortar ATTACKS 2% 6% 7% APPLICATION 11% APPLICATION ATTACK 25% ATTACK BRUTE FORCE 21% BRUTE FORCE 48% 10% RECON RECON SUSPICIOUS SUSPICIOUS ACTIVITY 23% ACTIVITY 47% Source: Alert Logic CSR 2016 Source: Alert Logic Malware is Omnipresent SQL Injection for Period of 2/12-4/12/17 Alert Logic April 2017 You will find it without it needing to find you! The Evolution of Ransomware Variants SamSam Locky Cryptowall 7ev3n KeRanger CRYZIP First TeslaCrypt Petya Fake commercial Cryptolocker TeslaCrypt 3.0 Antivirus Redplus Android phone TeslaCrypt 4.0 Virlock TeslaCrypt 4.1 Lockdroid Reveton 2001 2005 2006 2007 20082012 2013 2014 2015 2016 CryptoDefense QiaoZha Reveton.A Cerber Koler Tox Radamant GPCoder z Ransomloc Kovter Crypvault HydraCry k Simple Locker Cokri DMALock pt Bitcoin CTB-Locker Chimera Rokku Dirty Decrypt TorrentLocker Hidden Tear Jigsaw Network Launched Cryptorbit CoinVault Lockscreen PowerWar Cryptographic Locker Svpeng TeslaCrypt 2.0 e Urausy Ransomware is the Scourge of the Digital Economy $1B $209M 1000

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    45 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us