Source PDF: ilta.personifycloud.com/webfiles/productfiles/914309/RRMPG4.pdf

Believe It Or Not…. You’ve Been Hacked

Event Code: RRMPG4

Jim Fortmuller – Systems Security Manager, Kelley Drye & Warren, [email protected]

Mike Tohivsky – Solutions Principal, RSA – The Security Division of EMC, [email protected]

Believe

• 11/09 – The FBI Warning
• 06/10 – Mandiant M-Trends Report
• 06/11 – Canadian law firms
• 09/11 – “America the Vulnerable”, Brenner
• 11/11 – Galligan NY FBI Law Firm Meeting
• 1/12 – Paller Article in Forbes
• 02/12 – Alexandria Firm – Anonymous
• 07/12 – DC Law Firm – Byzantine Candor

To Protect

Greg Walters

Our Clients & Competition Care

• Data Breach Notification Act (Mass.)
• HIPAA
• SOX
• PCI/DSS
• GLBA
• FISMA
• Red Flag Rules

Shameless promotions

• Yesterday – #RRMPG1 – Differentiate Your RFP from the Competition
• Today 1:30 - 4:30 – 2 Part #HAND6 – Info Governance & Sec Policies
• Tomorrow 8:30 - 10:00 – #AFT6 – LegalSEC Workshop: Security Design and Implementation Best Practices
• Tomorrow 3:30 – 4:30 – #TECH11 – ISO Certification

The Players

The PlayGround

Toys

Advanced.

The Game

How’d that happen?

Managing Advanced Threats

• Response is often uncoordinated and chaotic
• AUTOMATED INTELLIGENT CONTROLS, with real-time monitoring capabilities to spot anomalies, are needed
• Poorly prepared for advanced threats
• Inability to detect attacks in a timely manner

[Figure: Characteristics of Advanced Threats – Reducing Attacker Free Time. Two timelines plotted against TIME. Attacker phases shown: Target Analysis, Attack Set-up, Attack Begins, Access Probe, System Intrusion, Attacker Surveillance, Discovery/Persistence, Maintain foothold, Leap Frog Attacks Complete, Cover-up Starts, Cover-up Complete. Defender phases shown: Physical Security, Monitoring & Controls, Attack Forecast, Defender Discovery, Attack Identified, Incident Reporting, Threat Analysis, Impact Analysis, Response, Damage Identification, System Reaction, Containment & Eradication, Recovery. The interval between the attacker gaining access and the defender responding is labelled ATTACKER FREE TIME; the slide’s point is the need to collapse that free time.]

Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)

How’d that happen?

Most compromises use
• Social Engineering
• Commonly available software
• System Vulnerabilities
• External agents
• Valid credentials
• Lateral Movement
• Backdoors
• Related targets / opportunism
• Persistence


Prevent – Detect – Remediate

SANS Top 20

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configs for Hardware and Software on Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability (validated manually)
9. Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually)
10. Secure Configs for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Security Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Loss Prevention
18. Incident Response Capability (validated manually)
19. Secure Network Engineering (validated manually)
20. Penetration Tests and Red Team Exercises (validated manually)

Twenty Critical Security Controls for Effective Cyber Defense

• Quick Wins
• Improved Visibility and Attribution
• Hardened Configuration
• Advanced

Verizon 2012 DATA BREACH INVESTIGATIONS REPORT

From: James E. Fortmuller [mailto:[email protected]]
Sent: Tuesday, March 29, 2011 8:33 AM
To: Kane, Dana
Subject: Globe Financial Crisis Analysis Report

Economic growth has lifted more people out of poverty faster than at any time in history, but economic crises can sweep across the globe even more quickly. The government economists analyze the Globe financial crisis will strike more countries after the earthquake in Japan, their points were supported by more and more people.

FYI,
http://www.safereturn.org/economic/Globe_Financial_Crissis_Analysis_Report.zip
Regards, James

James E. Fortmuller
Systems Security Manager
Kelley Drye & Warren LLP
Washington
Phone: 202.342.8893
Fax: 202.342.8451
[email protected]

ILTSO – 2011 Guidelines for Legal Professionals

Australian Government Department of Defence Intelligence & Security
Strategies to Mitigate Targeted Cyber Intrusions

Defence Signals Directorate – Implementing DSD’s Top Four

Top 4
• Patch Apps
• Patch OS
• Least Privilege
• Application Whitelisting


What KDW Does
• Password Management
• Anti-Spam
• Penetration Testing / Vulnerability Assessment
• Network monitoring
• Firewalls – egress rules
• Network Segmentation
• Secure File Transport – Accellion
• User Awareness
• Dedicated Security Team
• Policies
• Logging – enVision, Sourcefire
• Windows 7
• Least Privilege
• Patch Management – SCCM
• Build Management – SCCM
• Application Management – SCCM
• Application Virtualization
• Group Policy
• Web proxy
• Anti-Virus

Coming / Wish list – Third Party Application Vulnerability and Patch management, Two factor authentication, Application whitelisting, Mobile Device Management, Change Management, More training

Things to slow down.

Leveraging MSS for Security Operations

Advanced Security Solutions for Trusted IT


Companies require…

• Comprehensive Visibility – “Analyze everything that’s happening in my infrastructure”
• Agile Analytics – “Enable me to efficiently analyze and investigate potential threats”
• Actionable Intelligence – “Help me identify targets, threats & incidents”
• Incident Response – “Establish a process for timely response”

EMC CIRC – Sphere of Protection

Outsource – Maturation Model

RSA Monitored Security Services

SOC/ CIRC Critical Components

• PEOPLE: First line responders to security related incidents.

• EXPERIENCE: Coordinate and respond to unexpected security incidents.

• KNOWLEDGE: Identify suspicious activity, and respond appropriately to the root cause.

• INTELLIGENCE: Assess newly discovered vulnerabilities, impact to the organization, and to work with IT department to mitigate or minimize these risks to the organization’s lines of business.

SOC/ CIRC Design Objectives

[Figure: “Total Threat Visibility & Mitigation” – design objective areas shown: Assessment, Incident Response, Identity & Access Management, Cyber Crime/Threat Intelligence, Data at Rest and in Motion protection, Governance/ Risk Control, Your DLP Str (label cut off in the source).]

RSA “enVision” SIEM Process

Collect
• Unmatched Device Support
• Agentless Event Data Collection
• Remote or Local Collection

Analyze
• Internal Policy
• Comprehensive Event Taxonomy
• Alert Correlation
• Purpose Built Database

Prioritize
• Measurable Reporting
• Intelligent Incident Investigation
• Proactive Alerting

Investigation – Visualization

Examples – RSA enVision Alerts

1. Telnet Activity Detected
2. Multiple Firewall Login Attempts
3. Privilege Access Escalations
4. Failed Login on Service Account
5. Account Creation/Deletion
6. High Number of DoS Attack Alerts
7. Excessive In/Out Connections Denied From a Single IP
8. Denied Connections Followed by success (within 10, 20, 30 min.)
9. Worm Activity Originating from the Internal Network
10. Unauthorized SMTP Traffic Detected
11. Switch/Router/Firewall Port ‘Up’ or ‘Down’
12. Any Activity Resembling a Scan
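Alerts 7 and 8 in the list are correlation rules rather than single-event matches. The Python below is an added example (not RSA enVision code and not from the slides) that implements both over a handful of constructed firewall log lines in a made-up "date time ACTION src dst:port" layout. The thresholds are assumptions chosen for the demonstration: five denies from one source inside five minutes for alert 7, and the 10/20/30-minute buckets from the slide for alert 8.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log in a made-up "date time ACTION src dst:port" layout
# (not a real vendor format). One source probes six ports, is denied, and is then
# allowed through on 443 about twelve minutes later.
SAMPLE_LOG = """\
2012-08-20 09:00:01 DENY 203.0.113.7 10.1.1.5:22
2012-08-20 09:00:02 DENY 203.0.113.7 10.1.1.5:23
2012-08-20 09:00:03 DENY 203.0.113.7 10.1.1.5:25
2012-08-20 09:00:04 DENY 203.0.113.7 10.1.1.5:80
2012-08-20 09:00:05 DENY 203.0.113.7 10.1.1.5:443
2012-08-20 09:00:06 DENY 203.0.113.7 10.1.1.5:3389
2012-08-20 09:12:30 ALLOW 203.0.113.7 10.1.1.5:443
2012-08-20 09:30:00 DENY 198.51.100.9 10.1.1.8:22
2012-08-20 10:45:00 ALLOW 198.51.100.9 10.1.1.8:22
2012-08-20 11:00:00 ALLOW 192.0.2.44 10.1.1.9:80
"""

LINE_RE = re.compile(r"^(\S+ \S+) (DENY|ALLOW) (\S+) (\S+):(\d+)$")


def parse(log_text):
    """Turn the constructed log into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, action, src, dst, port = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "action": action, "src": src, "dst": dst, "port": int(port)})
    return events


def excessive_denies(events, threshold=5, window=timedelta(minutes=5)):
    """Alert 7: at least `threshold` denied connections from one source IP inside `window`.
    Sliding window over the sorted deny timestamps of each source."""
    denies = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            denies[e["src"]].append(e["ts"])
    alerting = []
    for src, times in denies.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerting.append(src)
                break
    return sorted(alerting)


def deny_then_allow(events, buckets=(10, 20, 30)):
    """Alert 8: an allowed connection preceded by a deny from the same source to the same
    destination. Reports the smallest bucket (minutes) that covers the gap, or nothing if
    the gap is longer than the largest bucket."""
    alerts = []
    last_deny = {}  # (src, dst) -> timestamp of the most recent deny seen so far
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["src"], e["dst"])
        if e["action"] == "DENY":
            last_deny[key] = e["ts"]
        elif key in last_deny:
            gap_min = (e["ts"] - last_deny.pop(key)).total_seconds() / 60
            bucket = next((b for b in buckets if gap_min <= b), None)
            if bucket is not None:
                alerts.append((e["src"], e["dst"], bucket))
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("alert 7:", excessive_denies(evs))
    print("alert 8:", deny_then_allow(evs))
```

On the sample, alert 7 fires for 203.0.113.7 (six denies in six seconds) and alert 8 places the same source in the 20-minute bucket against 10.1.1.5; the second source's allow comes 75 minutes after its deny, so it falls outside every bucket and stays quiet.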

RSA Monitored Security Services: Incident Response Path

1. RSA enVision Correlated Alert Activated
2. RSA enVision Event Explorer Populated
3. RSA Ticketing System Populated
4. Incident Triage: Analysis and Verification
5. Activate Appropriate Incident Response Notification Tree
6. Initiate Best Practice Incident Remediation / Recommend action Options
7. Activate Appropriate Incident Response Notification Tree
8. Customer Stop Gap or Risk Remediation Path Activated (Customer)
9. RSA Incident Tracking and Incident Closure

RSA Monitored Security Services: Delivers

• Tune & Baseline
• Monitor and analyze
• Identify and Prioritize Incidents
• Measure & Enforce
• Report & Audit – Measure Performance

We integrate RSA products into one comprehensive end-to-end solution.

Operation of RSA Monitored Security Services: High Level Service Framework

Task Area 1 – Health Check and Workshop; Customer Policies and RSA Best Practice; Control Objectives: Monitor; Control Activities: Respond; Knowledge Transfer; Transition to Monitored Services
1. Test escalation trees.
2. Establish meeting schedules.
3. Policy Mapping and Gap documentation.

Task Area 2 – Baseline, Monitor, Measure, Report
1. Baseline environment
2. Tune Service (analysis/ response)
3. Monitor Users and Incidents
4. Alert customer escalation trees
5. Tune to reduce false Positives
6. Weekly and quarterly reports

Optional: Transition to Customer
1. Educate Customer Staff

RSA Helps You Establish a Risk Based Program

[Figure: Program Lifecycle Management (driven by risk-based policies) – RISK plotted against TIME, moving from Understand Risk to Reduce Risk. Lifecycle stages: Collect & Baseline, Monitor & Analyze, Measure & Enforce, Report & Audit. Surrounding elements: Risk Across the Infrastructure, End Users & Risk Teams, Security Controls, Compliance, Measure Risk.]

You’ve been hacked…

• Questions
• Comments
• Complaints
• Accusations
• Retractions
• Discussion

You’ve been hacked - appendix

– http://www.fbi.gov/scams-safety/e-scams/archived_escams (1)
– http://www.mandiant.com/resources/m-trends/ (2)
– http://www.lawyersweekly.ca/index.php?section=article&articleid=1443 (3)
– http://www.cbc.ca/news/canada/story/2011/11/29/pol-weston-hacking-firms.html (4)
– http://www.amazon.com/America-Vulnerable-Digital-Espionage-Warfare/dp/159420313X#_ (5) ISBN: 978-1-101-54783-0
– http://www.bloomberg.com/news/2012-01-31/china-based-hackers-target-law-firms.html (6)
– http://www.forbes.com/sites/ciocentral/2012/01/31/conversations-on-cybersecurity-the-trouble-with-china-part-1/ (6a)
– http://gizmodo.com/5882057/anonymous-leaks-marine-corps-massacre-case?tag=anonymous (7)
– http://www.bloomberg.com/news/2012-07-26/china-hackers-hit-eu-point-man-and-d-c-with-byzantine-candor.html (8)
– http://www.verizonbusiness.com/about/events/2012dbir/ (9)

You’ve been hacked - appendix

• http://www.mandiant.com/resources/m-trends/ (10)
• http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf (11)
• http://www.cybersquared.com/project-enlightenment-a-modern-cyber-espionage-case-study/ (12)
• http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx (13)
• http://www.ampliasecurity.com/research/wcefaq.html#pshtoolkit
• http://books.google.com/books?id=B0Lwc6ZEQhcC&pg=PA973&lpg=PA973&dq=port+listeners+backdoor&source=bl&ots=__nLJpQfuo&sig=puc2AdUeeNQxjX5ZU_CbPumvWBk&hl=en&sa=X&ei=SukvUPqdOYrv6AGZxIHAAw&sqi=2&ved=0CDcQ6AEwAA#v=onepage&q=port%20listeners%20backdoor&f=false (15)
• http://www.mandiant.com/resources/m-trends/ (16)
• http://www.sans.org/critical-security-controls/guidelines.php
• http://www.iltso.org/iltso/Standards.html
• http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
• http://krebsonsecurity.com/2012/07/new-java-exploit-to-debut-in-blackhole-exploit-kits/

Hacked.. Appendix

• SANS top 20 “Quick Wins”

• 1. Inventory of Authorized and Unauthorized Devices
  • Use an automated asset inventory discovery tool to know what systems are connected to the enterprise. Use active tools (scan IP ranges) and passive tools (identify hosts by their traffic).

• 2. Inventory of Authorized and Unauthorized Software
  • Develop a list of authorized software that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses.

• 3. Secure Configs for Hardware and Software on Laptops, Workstations, and Servers
  • a. Create a secure image that is used to build all new systems that are deployed. A compromised system is re-imaged with the secure build. Regular updates to this image are integrated into the organization’s change management processes.
  • b. Images must have documented security settings, be tested before deployment, be approved by the change control board, and be registered with a central image library. They should be validated and refreshed on a regular basis (e.g., every six months) to update their security configuration in light of recent vulnerabilities and attack vectors.
  • c. Standardized images should represent hardened versions of the operating system and installed applications, using guidelines like NIST, NSA, etc.: removing unnecessary accounts, disabling or removing unnecessary services, using OS features such as Data Execution Prevention (DEP), applying patches, closing open and unused network ports, implementing IDS/IPS, and erecting host-based firewalls.
  • d. Document and approve deviations from and updates to the standard build in a change management system.
  • e. Negotiate contracts to buy systems configured securely out of the box.
  • f. Store master images on securely configured servers (or better yet, air-gap them); use integrity checking tools and change management to ensure that only authorized changes to the images are possible.
  • g. Run the latest version of software and make sure it is fully patched. Remove outdated or older software from the system.

Hacked…appendix Top 20

• 4. Continuous Vulnerability Assessment and Remediation
  • a. Run automated vulnerability scanning tools on a weekly or more frequent basis. Critical vulnerabilities are fixed within 48 hours; others are remediated in a timely manner.
  • b. Correlate event logs with vulnerability scans to fulfill two goals. First, to verify that the activity of the vulnerability scanning tools is logged. Second, to correlate attack detection events with earlier vulnerability scanning results to determine whether the given exploit was used against a known-vulnerable target.

• 5. Malware Defenses
  • a. Use automated tools to continuously monitor workstations, servers, and mobile devices for active, up-to-date anti-malware protection (anti-virus, anti-spyware, personal firewalls, and host-based IPS), with centralized administration and event log servers.
  • b. Enable auto-update features on all machines at least daily, with automatic reporting to verify that each system has updated.
  • c. Configure laptops, workstations, and servers so that they will not auto-run content from USB thumb drives, hard drives, CDs/DVDs, Firewire devices, external serial advanced technology attachment devices, mounted network shares, or other removable media.
  • d. Run an anti-malware scan of removable media when it is inserted.
  • e. All attachments entering the organization’s e-mail gateway should be scanned and malicious code or unneeded file types blocked. This includes email and web content filtering.
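Control 4b asks for two correlations between the SIEM's event stream and the scanner's results. The Python below is an added example (not from the slides, not SANS code and not a product feature) showing both: checking that the scanner's own traffic was logged around each scan, and ranking IDS alerts by whether the target was known to carry the finding the exploit aims at. The scanner address, the finding ids (VULN-… placeholders, not real CVE numbers), the 30-day "stale scan" cut-off and every log line are constructed for the example.

```python
import re
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"


def ts(s):
    return datetime.strptime(s, FMT)


SCANNER_IP = "10.1.1.250"  # assumed address of the vulnerability scanner

# Constructed scan results: host -> (time of last scan, set of finding ids).
# Finding ids are placeholders, not real CVE numbers.
SCAN_RESULTS = {
    "10.1.1.5": (ts("2012-08-19 02:00:00"), {"VULN-SMB-001", "VULN-WEB-002"}),
    "10.1.1.8": (ts("2012-07-01 02:00:00"), {"VULN-SMB-001"}),  # scan is 50 days old
}

# Constructed log events as a SIEM would see them: (time, src, dst, message).
LOG_EVENTS = [
    (ts("2012-08-19 02:00:05"), SCANNER_IP, "10.1.1.5", "firewall ALLOW tcp/445 (scan traffic)"),
    (ts("2012-08-20 09:15:00"), "203.0.113.7", "10.1.1.5", "IDS: SMB exploit attempt VULN-SMB-001"),
    (ts("2012-08-20 09:16:00"), "203.0.113.7", "10.1.1.8", "IDS: SMB exploit attempt VULN-SMB-001"),
    (ts("2012-08-20 09:17:00"), "203.0.113.7", "10.1.1.9", "IDS: SMB exploit attempt VULN-SMB-001"),
    (ts("2012-08-20 09:18:00"), "203.0.113.7", "10.1.1.5", "IDS: SQL injection attempt VULN-DB-003"),
]

FINDING_RE = re.compile(r"VULN-[A-Z]+-\d+")


def scanner_activity_logged(events, scan_results, scanner_ip, tolerance=timedelta(hours=1)):
    """Goal 1: for each scanned host, was the scanner seen in the logs around scan time?
    A False here means either the scan never ran or logging on that path is broken."""
    seen = {}
    for host, (scan_time, _) in scan_results.items():
        seen[host] = any(src == scanner_ip and dst == host and abs(t - scan_time) <= tolerance
                         for t, src, dst, _ in events)
    return seen


def prioritize_ids_alerts(events, scan_results, max_scan_age=timedelta(days=30)):
    """Goal 2: rank IDS alerts by whether the target was known to carry the exploited finding.
    Returns one (dst, finding id, priority) tuple per IDS event, in log order."""
    ranked = []
    for t, src, dst, msg in events:
        if not msg.startswith("IDS:"):
            continue
        m = FINDING_RE.search(msg)
        finding = m.group(0) if m else None
        if dst not in scan_results:
            priority = "unscanned"      # no scan data: cannot say either way
        else:
            scan_time, findings = scan_results[dst]
            if finding not in findings:
                priority = "low"        # target not known vulnerable to this
            elif t - scan_time > max_scan_age:
                priority = "review"     # vulnerable per an old scan; rescan first
            else:
                priority = "high"       # exploit aimed at a currently known-vulnerable host
        ranked.append((dst, finding, priority))
    return ranked


if __name__ == "__main__":
    print(scanner_activity_logged(LOG_EVENTS, SCAN_RESULTS, SCANNER_IP))
    for row in prioritize_ids_alerts(LOG_EVENTS, SCAN_RESULTS):
        print(row)
```

The "review" tier is the reason the scan timestamp is carried alongside the findings: an exploit attempt against a host whose last scan is older than the patch cycle is exactly the case where the 48-hour remediation window in 4a may already have closed the hole, so the analyst needs a fresh scan before treating it as a confirmed hit.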

Hacked…appendix Top 20

• 6. Application Software Security
  • a. Deploy web application firewalls to inspect all traffic flowing to the web application for common web application attacks, like cross-site scripting, SQL injection, command injection, and directory traversal attacks.
  • b. Specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.

• 7. Wireless Device Control
  • a. Ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Deny access to devices that do not have such a configuration and profile.
  • b. Ensure that all wireless access points are manageable using enterprise management tools. Home use access points lack management capabilities, and should be avoided.
  • c. Network vulnerability scanning tools should be configured to detect wireless access points connected to the wired network. Identified devices should be reconciled against a list of authorized wireless access points. Unauthorized (i.e., rogue) access points should be deactivated.

Hacked…appendix Top 20

• 8. Data Recovery
  • a. Back up all systems at least weekly, more often for systems storing sensitive information. The OS, application software, and data on a machine should each be included for quick rebuild if needed.
  • b. Data on backup media should be tested on a regular basis by performing a data restoration process to ensure that the backup is properly working.
  • c. Key and alternative personnel should be trained on both backup and restore.

• 9. Security Skills Assessment and Appropriate Training to Fill Gaps
  • a. Develop security awareness training for various personnel job descriptions. Include specific, incident-based scenarios showing the threats an organization faces, and present proven defenses against the latest attack techniques.
  • b. Awareness should be carefully validated with policies and training. Policies tell users what to do, training provides them the skills to do it, and awareness changes their behavior so that they understand the importance of following the policy.

Hacked…appendix Top 20

• 10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  • a. Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an organization change control board. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change control system.
  • b. At network interconnection points (such as Internet gateways, inter-organization connections, and internal network segments with different security controls) implement ingress and egress filtering to allow only those ports and protocols with an explicit and documented business need. All other ports and protocols should be blocked with default-deny rules by firewalls, network-based IPS, and/or routers.
  • c. Network devices that filter unneeded services or block attacks (including firewalls, network-based IPS, routers with access control lists, etc.) should be tested under laboratory conditions with each given organization’s configuration to ensure that these devices exhibit failure behavior in a closed/blocking fashion under significant loads, with traffic including a mixture of legitimate, allowed traffic for that configuration intermixed with attacks at line speeds.

• 11. Limit / Control Network Ports, Protocols and Services
  • a. Host-based firewalls or port filtering tools should be applied on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
  • b. Automated port scans should be performed on a regular basis against all key servers and compared to a known effective baseline. If a new port is found open, an alert should be generated and reviewed.
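Control 11b is a diff of scan output against a baseline. As an added example (not from the slides or SANS, and not a scanner feature), the Python below parses two constructed scan results written in the style of nmap's "grepable" (-oG) host lines and reports newly opened ports, hosts absent from the baseline, and baseline hosts that no longer answer. The hosts, ports and service names are made up for the example; the parser keys only on the `Host:` and `Ports:` fields, so it does not depend on the rest of the line.

```python
import re

# Constructed scan output in the style of nmap's "grepable" (-oG) lines; these are
# made-up results for the example, not output from a real scan.
BASELINE_SCAN = """\
# Nmap grepable output (constructed)
Host: 10.1.1.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.1.1.8 ()\tPorts: 25/open/tcp//smtp///\tIgnored State: closed (999)
"""

CURRENT_SCAN = """\
# Nmap grepable output (constructed)
Host: 10.1.1.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.1.1.8 ()\tPorts: 25/open/tcp//smtp///\tIgnored State: closed (999)
Host: 10.1.1.9 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)
"""

PORT_RE = re.compile(r"(\d+)/(open|closed|filtered)/(tcp|udp)")


def open_ports(scan_text):
    """Map host -> set of (port, proto) reported open in grepable-style scan output."""
    result = {}
    for line in scan_text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports = result.setdefault(host, set())
        m = re.search(r"Ports: ([^\t]*)", line)  # the Ports field ends at the next tab
        if m:
            for port, state, proto in PORT_RE.findall(m.group(1)):
                if state == "open":
                    ports.add((int(port), proto))
    return result


def compare_to_baseline(baseline_text, current_text):
    """Return alerts for anything that differs from the baseline: newly opened ports on
    known hosts, hosts that were not in the baseline, and baseline hosts that vanished."""
    base = open_ports(baseline_text)
    cur = open_ports(current_text)
    alerts = []
    for host in sorted(cur):
        if host not in base:
            alerts.append(("new-host", host, sorted(cur[host])))
        else:
            new = sorted(cur[host] - base[host])
            if new:
                alerts.append(("new-port", host, new))
    for host in sorted(set(base) - set(cur)):
        alerts.append(("missing-host", host, []))
    return alerts


if __name__ == "__main__":
    for alert in compare_to_baseline(BASELINE_SCAN, CURRENT_SCAN):
        print(alert)
```

A vanished host is reported as well as a new port because a server dropping out of the scan is just as worth a ticket as 3389 appearing on it; silently treating the smaller result as the new baseline would hide either change.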

Hacked…appendix Top 20

• 12. Control use of admin privileges
  • a. Use automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive and that all administrative passwords have at least 12 pseudorandom characters, consistent with the FDCC standard.
  • b. Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, etc. to a difficult-to-guess value.
  • c. Configure all admin-level accounts to require regular password changes of no longer than 60 days.
  • d. Ensure all service accounts have complex passwords that are changed on a periodic basis, as is done for traditional user and administrator passwords, at a frequent interval of no longer than 90 days.
  • e. Passwords for all systems should be stored in a well-hashed or encrypted format, with weaker formats such as Windows LANMAN hashes eliminated from the environment. Furthermore, files containing these encrypted or hashed passwords required for systems to authenticate users should be readable only with super-user privileges.
  • f. Use automated scripts to ensure that administrator accounts are used only for system administration activities, and not for reading e-mail, composing documents, or surfing the Internet. Web browsers and e-mail clients especially must be configured to never run as administrator.
  • g. Through policy and user awareness, organizations should require that administrators establish unique, different passwords for their administrator and non-administrative accounts. Each person requiring administrative access should be given his/her own separate account. Administrative accounts should never be shared. Users should only use the Windows “administrator” or Unix “root” accounts in emergency situations. Domain administration accounts should be used when required for system administration instead of local administrator accounts.
  • h. Organizations should configure operating systems so that passwords cannot be re-used within a certain timeframe, such as six months.

Hacked…appendix Top 20

• 13. Boundary Defense
  • a. Deny communications with (or limit data flow to) known malicious IP addresses (black lists) or limit access to trusted sites (white lists).
  • b. Deploy network-based IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems. They detect attacks by analyzing traffic and use signatures and network behavior analysis.
  • c. Network-based IPS devices should be deployed to complement IDS by blocking known bad signatures or behavior of attacks; they provide automation to block bad traffic.
  • d. On DMZ networks, monitoring systems (IDS sensors or separate appliances) should be configured to record packet headers or full packet headers and payloads of the traffic destined for or passing through the network border, and send them to a Security Event Information Management (SEIM) system so that events can be correlated from all devices on the network.
  • e. To lower the chance of spoofed e-mail messages, implement the Sender Policy Framework (SPF) by deploying SPF records in DNS and enabling receiver-side verification in mail servers.
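Control 13e has two halves: the sending side publishes an SPF record, the receiving side evaluates it against the connecting IP. The Python below is an added example (not from the slides, not SANS material, and not a mail server's code) of the receiver-side evaluation for the mechanisms that need no further DNS lookups (`ip4`, `ip6`, `include`, `all`). The DNS TXT records come from a constructed table so it runs offline; a real receiver would query DNS, and the `a`, `mx` and `exists` mechanisms it does not handle require more lookups.

```python
import ipaddress

# Constructed DNS TXT records standing in for a real resolver: a receiver would look
# these up in DNS; here they come from a table so the example runs offline.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "nospf.example": "some unrelated TXT record",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # guards against include: loops between records


def check_spf(domain, sender_ip, depth=0):
    """Receiver-side SPF check for the mechanisms that need no further DNS lookups
    (ip4, ip6, include, all). Returns pass/fail/softfail/neutral/none/permerror."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = TXT_RECORDS.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            # ip_network() yields a /32 or /128 when no prefix length is written;
            # an address of the other IP version is simply not contained
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # include: matches only when the referenced domain's policy yields "pass"
            if check_spf(term[len("include:"):], sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, exists and the other mechanisms need DNS lookups; not handled here
    return "neutral"  # ran off the end of the record without an "all" term


def receiver_decision(mail_from_domain, sender_ip):
    """What a mail server does with the result: reject on fail, tag on softfail,
    accept otherwise. The mapping is a policy choice for this example."""
    result = check_spf(mail_from_domain, sender_ip)
    action = {"fail": "reject", "softfail": "accept-and-tag", "permerror": "reject"}.get(result, "accept")
    return result, action


if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.10", "2001:db8::1", "203.0.113.1"):
        print(ip, receiver_decision("example.com", ip))
```

Note the difference between `-all` on example.com and `~all` on the included record: a sender outside both address ranges is rejected outright for example.com, but a message claiming `_spf.example.net` directly only gets tagged, which is why the default qualifier on the top-level record matters more than the one on the records it includes.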

Hacked…appendix Top 20

• 14. Maintain, Monitor, Analyze Audit Logs
  • a. Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into a standardized format.
  • b. Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis.
  • c. All remote access to a network, whether to the DMZ or the internal network (i.e., VPN, dial-up, or other mechanism), should be logged verbosely.
  • d. Operating systems should be configured to log access control events associated with a user attempting to access a resource (e.g., a file or directory) without the appropriate permissions. Failed logon attempts must also be logged.
  • e. Security personnel and/or system administrators should run biweekly reports that identify anomalies in logs. They should then actively review the anomalies, documenting their findings.

• 15. Controlled Access Based on Need to Know
  • a. Establish a multi-level data identification/classification scheme (e.g., a three- or four-tiered scheme with data separated into categories based on the impact of exposure of the data).
  • b. Organizations should ensure that file shares have defined controls (such as Windows share access control lists) that specify at least that only “authenticated users” can access the share.

Hacked…appendix Top 20

• 16. Account Monitoring and Control
  • a. Review all system accounts and disable any account that cannot be associated with a business process and owner.
  • b. Systems should automatically create a report on a daily basis that includes a list of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire. This list should be sent to the associated system administrator in a secure fashion.
  • c. Establish and follow a process for revoking system access by disabling accounts immediately upon termination of an employee or contractor.
  • d. Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity.
  • e. Monitor account usage to determine dormant accounts that have not been used for a given period, such as 30 days, notifying the user or user’s manager of the dormancy. After a longer period, such as 60 days, the account should be disabled.
  • f. When a dormant account is disabled, any files associated with that account should be encrypted and moved to a secure file server for analysis by security or management personnel.
  • g. All non-administrator accounts should be required to have a minimum length of 12 characters, contain letters, numbers, and special characters, be changed at least every 90 days, have a minimal age of one day, and not be allowed to use the previous 15 passwords as a new password.
  • h. After eight failed logon attempts within a 45-minute period, the account should be locked for 120 minutes.
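Items 16b and 16e describe one daily report: locked-out, disabled, password-expired and never-expiring accounts, plus the 30-day notify / 60-day disable dormancy tiers. The Python below is an added example (not from the slides, not SANS code, and not a directory product's own report) that builds that report from a constructed directory export. The account records, the report date and the 90-day maximum password age are assumptions for the example; treating a never-logged-on account's password-set date as its activity date is also an assumption, made so a freshly created account is not flagged on day one.

```python
from datetime import date

REPORT_DATE = date(2012, 8, 20)  # assumed "today" for the sample run

# Constructed directory export: one record per account. Dates are ISO strings so the
# sample stays readable; None means the account has never logged on.
ACCOUNTS = [
    {"name": "jsmith",      "enabled": True,  "locked": False, "pwd_never_expires": False,
     "pwd_last_set": "2012-07-01", "last_logon": "2012-08-19"},
    {"name": "contractor1", "enabled": True,  "locked": False, "pwd_never_expires": False,
     "pwd_last_set": "2012-04-01", "last_logon": "2012-07-10"},
    {"name": "oldsvc",      "enabled": True,  "locked": False, "pwd_never_expires": True,
     "pwd_last_set": "2011-01-01", "last_logon": "2012-05-01"},
    {"name": "tempadmin",   "enabled": False, "locked": False, "pwd_never_expires": False,
     "pwd_last_set": "2012-02-01", "last_logon": "2012-03-01"},
    {"name": "mlee",        "enabled": True,  "locked": True,  "pwd_never_expires": False,
     "pwd_last_set": "2012-08-01", "last_logon": "2012-08-18"},
    {"name": "newhire",     "enabled": True,  "locked": False, "pwd_never_expires": False,
     "pwd_last_set": "2012-08-15", "last_logon": None},
]


def _days_since(iso_date, today):
    return None if iso_date is None else (today - date.fromisoformat(iso_date)).days


def daily_account_report(accounts, today, max_pwd_age=90, notify_after=30, disable_after=60):
    """Build the 16b report plus the 16e dormancy tiers.
    Returns a dict of category -> sorted account names."""
    report = {"locked_out": [], "disabled": [], "password_expired": [],
              "never_expires": [], "dormant_notify": [], "dormant_disable": []}
    for acct in accounts:
        name = acct["name"]
        if acct["locked"]:
            report["locked_out"].append(name)
        if not acct["enabled"]:
            report["disabled"].append(name)
            continue  # no dormancy or password checks on already-disabled accounts
        if acct["pwd_never_expires"]:
            report["never_expires"].append(name)
        # A never-expiring password older than the maximum is still reported as expired,
        # so the same account can appear in both lists.
        if _days_since(acct["pwd_last_set"], today) > max_pwd_age:
            report["password_expired"].append(name)
        # Dormancy: never-logged-on accounts are measured from the password-set date
        # (assumption for this example) so a fresh account is not flagged immediately.
        idle = _days_since(acct["last_logon"] or acct["pwd_last_set"], today)
        if idle >= disable_after:
            report["dormant_disable"].append(name)
        elif idle >= notify_after:
            report["dormant_notify"].append(name)
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    for category, names in daily_account_report(ACCOUNTS, REPORT_DATE).items():
        print(f"{category:18s} {', '.join(names) or '-'}")
```

Running it on the sample puts `oldsvc` in three lists at once (never-expiring, password expired, dormant past 60 days), which is the profile of the forgotten service account that 16a and 16f are aimed at; `contractor1` lands in the notify tier with an expired password, the case where a manager should confirm the engagement is still live before the account reaches the disable tier.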

Hacked…appendix Top 20

• 17. Data Loss Protection
  • Deploy approved hard drive encryption software to mobile machines that hold sensitive data.

• 18. Incident Response Capability
  • a. Have written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling consistent with the NIST guidelines cited above.
  • b. Assign job titles and duties for handling computer and network incidents to specific individuals.
  • c. Define management personnel who will support the incident handling process by acting in key decision-making roles.
  • d. Devise organization-wide standards for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting should also include notifying the appropriate US Community Emergency Response Team in accordance with all government requirements for involving that organization in computer incidents.
  • e. Publish information for all personnel, including employees and contractors, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.

Hacked…appendix Top 20

• 19. Secure Network Engineering
  • The network should be designed using a minimum of a three-tier architecture (DMZ, middleware, and private network). Any system accessible from the Internet should be on the DMZ, but DMZ systems never contain sensitive data. Any system with sensitive data should reside on the private network and never be directly accessible from the Internet. DMZ systems should communicate with private network systems through an application proxy residing on the middleware tier.

• 20. Penetration Tests and Red Team Exercises
  • Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. Penetration testing should occur from outside the network perimeter (i.e., the Internet or wireless frequencies around an organization) as well as from within its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks.