Page 1

Anatomy of a breach – What have we learned, and what should we expect in 2016?

Deloitte Cyber Risk Services | www.deloitte.ca/cyber 1

Robert Masse, Cyber Risk Partner February 2016 17th Annual Privacy and Security Conference

Page 2

About me

•  Partner / Cyber

•  20 years experience

•  Background in offensive cyber / investigations


Page 3

Discussion

•  Understanding the cyber threat landscape

•  Anatomy of a cyber attack

•  Transform your defenses

•  Closing thoughts


Page 4

Understanding the cyber threat landscape

Page 5

Common threat actors, vectors and impacts (Understanding the cyber threat landscape)

Threat Actors

•  Hacktivists

•  Criminal organizations

•  Nation states

•  China (5YP, IP->PII, NGO)

•  Russia (gov, NGO)

•  DPRK (gov)

•  Iran (5YP, IP)

•  Insiders/Partners

•  Disgruntled Employees


Attack Vectors

•  Legacy production systems that are not adequately protected

•  Phishing and social engineering tactics to gain entry into the environment

•  Privileged access held by employees and administrative staff

Impact

•  Corporate systems disruption/sabotage

•  Privacy breaches

•  Launch supply chain attacks – gateway to partners/stakeholders

•  Reputation

•  Financial fraud

Page 6

Global shift in attack vectors, patterns, and capabilities (Understanding the cyber threat landscape)

1. Attack vector shifting from technology to people

2. Attack patterns increasingly look like normal behavior

3. Threats increasingly hiding in plain sight, adaptive with ability to go into dormant mode, making them difficult to detect

4. Criminals, state actors and even hacktivists are building significant intelligence capabilities

5. Supply chain and business partner poisoning or lateral entry are on the rise


Page 7

Top 10 cyber challenges for organizations (Understanding the cyber threat landscape)

1.  Legacy systems that have not been patched or adequately secured

2.  Operating without centralized security policies and standards

3.  Lack of centralized management and monitoring of critical assets

4.  Focus has been primarily on locking down the perimeter

5.  Malware defenses are required but inadequate to address today’s threats

6.  Cyber incident response capabilities are basic or nonexistent

7.  Insider threats are often ignored or not considered

8.  Siloed operating model; lack of enterprise risk awareness/culture

9.  Heavy reliance on technology, without adequate operational processes and procedures

10. Supply chain vulnerabilities are neither measured nor managed


Page 8

Largest breaches by records, 2012-2015: All organizations

Source: Informationisbeautiful.net

•  Customer data vs. personal data?

Page 9

Largest breaches by records, 2012-2015: Government only

Source: Informationisbeautiful.net

•  Observations?

Page 10

Largest breaches by records, 2012-2015: Government only

Source: Informationisbeautiful.net

•  Stolen media only

Page 11

Largest breaches by sensitivity, 2012-2015

Source: Informationisbeautiful.net

•  Is security getting better?

•  How sensitive was AM data?

Page 12

Root cause of infiltration, 2012-2015

Source: Informationisbeautiful.net

•  Legend – take a guess:

•  Accidentally published?

•  Hacked?

•  Inside job?

•  Lost/stolen physically?

Page 13

Value of stolen data on the black market, 2014 – how relevant now?

Source: Informationisbeautiful.net

Page 14

Anatomy of a cyber attack

Page 15

Speed of attack is accelerating, while response times lag (Anatomy of a cyber attack)

Initial attack to initial compromise takes place within minutes (almost 3 of 4 cases)

Data leaks occur within minutes (nearly half)

Discovery takes weeks or longer

Containment (post-discovery) requires weeks or longer

Percentages shown on the slide's chart: 72%, 72%, 59%, 46%

Time is of the essence

Page 16

Target case study (Anatomy of a cyber attack)

Dates shown on the slide: Sept. 2013, Nov. 12, Nov. 15-28, Nov. 30, Dec. 2, Dec. 12, Dec. 15, Dec. 19, Jan. 2014

Victim timeline (in the order the events occurred):

•  Victim certified as PCI-DSS compliant

•  Virus software identifies malicious activity

•  First alerts triggered

•  More alerts triggered

•  DOJ notifies victim

•  Victim confirms breach, removes most malware

•  Victim publicly announces credit and debit cards stolen

•  Victim confirms additional data records stolen

Attacker timeline (in the order the events occurred):

•  Attackers steal vendor credentials

•  Attackers first breach victim’s network

•  Attackers test malware on victim’s POS

•  POS malware fully installed

•  Attackers install data exfiltration software

•  Attackers install upgraded versions of exfiltration malware – begin extracting data

•  Attackers lose foothold in victim’s network

Page 17

Methodology – Overview of an APT attack (Anatomy of a cyber attack)

1.  Hackers vs. Advanced Persistent Threats (“APT”)

2.  A 7-stage APT attack can be described using what’s known as the “Cyber Kill Chain” (Lockheed Martin):

•  Reconnaissance

•  Weaponization

•  Delivery

•  Exploitation

•  Installation

•  C&C (command and control)

•  Actions on objectives

3.  Defenses are difficult, but you want to break the chain as early as possible


Page 18

Methodology – Reconnaissance (Anatomy of a cyber attack)

1.  Research, identification and selection of targets

2.  Understand your infrastructure, discover potential weaknesses to exploit (people, process & technology)

3.  Open source intelligence gathering on targets:

•  Google hacking (filetype:pdf metadata, etc)

•  Social media (LinkedIn, Robin Sage, etc)

•  Shodan

•  Monster

•  Semi-private databases (municipalities, government “sunshine lists”, incorporation DBs, etc.)

4.  Free tools exist for automation
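The “Google hacking (filetype:pdf metadata)” item above is the attacker's view of reconnaissance; the defender's version of the same check is to audit what your own published documents reveal before an adversary reads them (the deck's later tactical question, what information are you making available to a cyber adversary, asks exactly this). The following is an added example and not part of the deck: a small Python script that pulls the standard Info dictionary fields (/Author, /Creator, /Producer, ...) out of an uncompressed PDF and reports the ones worth scrubbing. The sample PDF bytes are constructed for the example, and the function names are the example's own.

```python
import re

# Standard PDF Info dictionary keys that commonly leak names, usernames and
# software versions into search-engine indexes.
LEAK_PRONE_KEYS = ("Author", "Creator", "Producer", "Title", "Subject", "Keywords")

# Constructed minimal PDF for this example (not a real published document):
# an uncompressed Info dictionary of the kind "filetype:pdf" searches index.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Q4 network diagram) /Author (jsmith) /Creator (Microsoft Word 2010)
/Producer (Acrobat Distiller 9.0 \\(Windows\\)) /CreationDate (D:20160201120000) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""


def _unescape(raw: bytes) -> bytes:
    # PDF literal strings escape ( ) and \ with a backslash; only those simple
    # escapes are handled here (\n, \r and octal codes are left as the bare char).
    return re.sub(rb"\\(.)", lambda m: m.group(1), raw)


def pdf_info_fields(data: bytes) -> dict:
    """Return the Info dictionary of an uncompressed PDF as {key: text}.

    Assumption: the Info object is stored as plain text. PDFs that keep it in a
    compressed object stream (PDF 1.5+) need a real parser such as pypdf; this
    regex approach then returns {} rather than guessing.
    """
    ref = re.search(rb"/Info\s+(\d+)\s+\d+\s+R", data)
    if not ref:
        return {}
    obj_num = ref.group(1)
    # "<num> 0 obj << ... >>": the lookbehind keeps "3 0 obj" from matching "13 0 obj".
    obj = re.search(rb"(?s)(?<!\d)" + obj_num + rb"\s+\d+\s+obj\s*<<(.*?)>>", data)
    if not obj:
        return {}
    fields = {}
    # /Key (literal string) pairs; escaped parentheses inside the string are allowed.
    for key, raw in re.findall(rb"/(\w+)\s*\(((?:\\.|[^\\)])*)\)", obj.group(1)):
        fields[key.decode("ascii")] = _unescape(raw).decode("latin-1")
    return fields


def leaked_metadata(data: bytes) -> dict:
    """Only the fields worth scrubbing before the document is published."""
    return {k: v for k, v in pdf_info_fields(data).items()
            if k in LEAK_PRONE_KEYS and v.strip()}


if __name__ == "__main__":
    for key, value in leaked_metadata(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

Run it over the PDFs in a web root before they go live; the Author and Creator fields in the constructed sample are the kind of username and software-version detail that the reconnaissance slide is talking about.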


Page 19

Methodology – Weaponization (Anatomy of a cyber attack)

1.  Develop weapon/payload based on previously gathered information

2.  The payload is normally weaponized in one of two main ways:

•  PDF

•  Office document

3.  Malware must be customized to the target environment to ensure success (operating system, application version, language, etc.). The recon phase is key

4.  Once you have the information, generating this malware is easier than you think

5.  Free malware generator!

6.  The malware can then be tested on web sites like VirusTotal


Page 20

Methodology – Delivery (Anatomy of a cyber attack)

1.  Transmission of weaponized payload

2.  Multiple delivery mechanisms

•  Email attachment

•  Web site (could be legitimate site that has been hacked)

•  USB key (less common)

•  Delivery is not just via the Internet: also via extranets, partners, vendors...

3.  What percentage of people open emails and click on links from strangers? From people they know?

4.  In my experience… 100%


Page 21

Methodology – Delivery (Anatomy of a cyber attack)

Page 22

Methodology – Exploitation (Anatomy of a cyber attack)

1. The user must open the attachment or click on the web link

2. The malware exploits the previously found vulnerability

3. Most traditional anti-virus systems cannot detect exploitation

4. Statistics from some recent malware I generated for an attack…


Page 23

Methodology – Installation (Anatomy of a cyber attack)

1.  The initial malware infection will be used to download and install various programs

2. Single-stage vs. multi-stage

3. The attacker's primary concern is anti-virus

4. Downloaders, RATs, webshells

5. Most attackers will leverage the customer's existing tools so as not to be detected


Page 24

Methodology – Command and control (Anatomy of a cyber attack)

1. Once access is gained into the network, the attacker needs to establish C&C

2. Outbound connection back to the attacker's C&C equipment (can be anywhere in the world)

3. Persistence is the priority

4. Attackers will find every hole possible to punch out through


Page 25

Methodology – Actions on objectives (Anatomy of a cyber attack)

1. Execute plan against target

2. We have seen multiple teams within customers at the same time

3. Trending

•  Intellectual property

•  Government data

•  Personal data

4. Months to years…


Page 26

Transform your defenses

Page 27

A new paradigm for cyber risk management – Strategically (Transform your defenses)

•  Is this a senior leadership conversation yet?

•  Do you have a cyber security strategy including a clear governance framework?

•  How are you evaluating and managing cyber risk?

•  Is the existing risk framework adequate to address the changing threat landscape?

•  How structured and well-tested are your existing incident response and crisis management capabilities?

•  Who are your cyber adversaries and what types of attacks are they planning?

Page 28

A new paradigm for cyber risk management – Tactically (Transform your defenses)

•  What is leaving your network and where is it going?

•  Who is really logging into your network and from where?

•  What information are you making available to a cyber adversary?

•  Are critical assets monitored for inappropriate access and activity?

•  MASTER THE BASICS

Page 29

Closing thoughts

Page 30

Closing thoughts and lessons learned

•  Educate your user community

•  Don’t use unsecured email for sharing sensitive information

•  Understand situational awareness and couple it with threat intelligence

•  Limit privileged access and, where it’s required, monitor it

•  Third parties are your partners & allies but could be a liability

•  Proactively monitor for suspicious activity

•  Traditional defenses are insufficient

•  Be prepared: it’s only a matter of when it will happen

•  Most importantly, learn from the mistakes of other organizations
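Two points in the deck, the tactical question “Who is really logging into your network and from where?” and the closing advice to limit privileged access and monitor it where it is required, can be turned into a routine check over authentication logs. The block below is an added example and not from the deck: it reads constructed login records, classifies each source address against assumed corporate, VPN and jump-host ranges, and reports successful logins that break the assumed policy (privileged accounts used from anywhere but the jump hosts, any account from outside the corporate address space), plus a per-user summary of where logins came from. The account names, networks, log layout and function names are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed reference data (not from the deck): where logins are expected from.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")
JUMP_HOSTS = {"10.0.5.10", "10.0.5.11"}          # the only sources privileged accounts may use
PRIVILEGED_ACCOUNTS = {"domadmin", "svc_backup"}

# Constructed authentication log lines: "<timestamp> <user> <src_ip> <result>".
SAMPLE_AUTH_LOG = """\
2016-02-01T08:55:12 jdoe 10.1.2.15 success
2016-02-01T09:02:44 domadmin 10.0.5.10 success
2016-02-01T09:10:03 domadmin 10.1.2.15 success
2016-02-01T21:47:09 svc_backup 10.200.3.4 success
2016-02-01T22:01:30 jdoe 203.0.113.9 failure
2016-02-01T22:01:52 jdoe 203.0.113.9 success
2016-02-01T22:05:11 bsmith 172.20.8.3 success
"""


def source_class(ip):
    """Classify a source address: vpn, corporate or external.
    The VPN pool is checked first because it sits inside 10.0.0.0/8."""
    addr = ipaddress.ip_address(ip)
    if addr in VPN_POOL:
        return "vpn"
    if any(addr in net for net in CORPORATE_NETS):
        return "corporate"
    return "external"


def _records(text):
    for line in text.splitlines():
        if line.strip():
            ts, user, src, result = line.split()
            yield ts, user, src, result


def review_logins(text):
    """Return (timestamp, user, src, reason) for each successful login that
    breaks the assumed access policy. Failed attempts are not findings here."""
    findings = []
    for ts, user, src, result in _records(text):
        if result != "success":
            continue
        where = source_class(src)
        if user in PRIVILEGED_ACCOUNTS and src not in JUMP_HOSTS:
            findings.append((ts, user, src,
                             f"privileged account used from {where} host, not a jump host"))
        elif where == "external":
            findings.append((ts, user, src,
                             "successful login from outside corporate address space and VPN pool"))
    return findings


def sources_by_user(text):
    """Who logged in and from where: user -> sorted list of successful sources."""
    seen = defaultdict(set)
    for _, user, src, result in _records(text):
        if result == "success":
            seen[user].add(src)
    return {user: sorted(srcs) for user, srcs in seen.items()}


if __name__ == "__main__":
    for ts, user, src, reason in review_logins(SAMPLE_AUTH_LOG):
        print(f"{ts} {user:<10} {src:<14} {reason}")
    for user, srcs in sources_by_user(SAMPLE_AUTH_LOG).items():
        print(f"{user}: {', '.join(srcs)}")
```

On the constructed log the domain admin logging in from an ordinary workstation, the backup service account arriving over VPN, and the user who succeeded from an external address are the three findings; the earlier failed attempt from that address is visible in the per-user summary's absence of it, and is the kind of detail a follow-up check on failure-then-success pairs would pick up.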

Page 31

Thank you!

Tejinder Basi Partner | Enterprise Risk Services Deloitte LLP [email protected] 604-640-3255

Jamie Ross Partner | Enterprise Risk Services Deloitte LLP [email protected] 250-978-4412

Robert Masse Partner | Enterprise Risk Services Deloitte LLP [email protected] 514-393-7003 @Rob_Masse

Page 32

Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services. Deloitte LLP, an Ontario limited liability partnership, is the Canadian member firm of Deloitte Touche Tohmatsu Limited.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

© Deloitte LLP and affiliated entities.