Page 1

From the current threat landscape to measures after the “Breach”

Cybersecurity

04.05.2017

www.pwc.ch/cybersecurity

Page 2

PwC Digital Services

01 Introduction and Context

Page 3

Cybersecurity Context

Digital revolution: Cloud, ‘IoTs’, Social media, Big data

Growing cyber risk: Evolving threats, More connections, Talent shortage, Arms race

More regulation: NIS Directive, GDPR

Page 4

The World Economic Forum cited “data fraud or theft” and “cyber attacks” amongst the top ten global risks most likely to occur

Source: World Economic Forum Global Risks Report 2017

Global Risks Landscape Top 10

1 – Extreme Weather Events

2 – Large-scale involuntary migration

3 – Natural Disasters

4 – Terrorist Attacks

5 – Data Fraud or Theft

6 – Cyberattacks

7 – Illicit Trade

8 – Man-made environmental disasters

9 – Interstate conflict

10 – Failure of National Governance


Most Important Driver of Risks – Emerging Technologies

Page 5

02 Anatomy of a modern cyber-threat campaign

Let’s start the conversation

Page 6

What’s the problem?

“I have a bad feeling, we might have an issue here…”

Trigger event:

• Discovery of an insider

• Near miss compromise

• Seeking a baseline

Labels from the slide’s incident diagram: Initial trigger event – Seek out help – What’s the problem? – Targeted – What was done? – How do I recover? – Eradication

Page 7

INCIDENT – duration: at least …

Confirmed earliest compromise identified so far dates back some time. In network with complete access before discovery.

Key metrics*

ENTERPRISE SIZE: >X0,000 employees

GLOBAL PRESENCE: >many countries in 5 continents – Global operations footprint

DATA: >1 billion rows – Individual database records collected repeatedly from a variety of key parameters such as running processes, unusual paths, TCP connections, command history, and more

ENTERPRISE ESTATE: >X0,000 endpoints – Partial estate across several territories

DATA: 1.5 Tb+ endpoint and log data – Data collected over 4 weeks of assessment from endpoints and perimeter logs

*Exact metrics obfuscated to protect our client

Page 8

Anatomy of a Global Hack

Page 9

A piece of a much larger puzzle

Page 10

The Big Picture: Geographically

USA, Canada, Brazil, Norway, Sweden, Finland, France, Switzerland, U.K., South Africa, India, Thailand, Australia, South Korea, Japan

Page 11

The Big Picture: Assets at risk

• Board member information

• Key personnel

• Intellectual Property

• Patents

• Manufacturing

• Contracts

• Government Records

Page 12

03 Hunting against a modern cyber-threat campaign

Page 13

Grounding terminology – key understanding

Hunting

• Proactively seeking out threats across the technology estate (IT, OT, mobile, IoT)

• Sustained iterative assessment seeking to detect, disrupt, mitigate or isolate these threats

• Smart intelligence-based searching

Sophistication

• Accomplishing political or geopolitical goals

• Utilizing the lowest necessary tools to accomplish objectives (optimized use of resources)

• Timing

• Complex, compounded and well-orchestrated operations (cyber, physical, social, deception)

• Persistence

Page 14

Ideal Hunting Reality – The Adversary’s advantage

• Operating under uniform policies

• Consistent privacy regulations

• Simplified authority, governance, chain-of-command

• Best intelligence available

• Unlimited resources

Page 15

The reality of enterprise hunting

Layers in the cross-domain diagram²: Persona, Logical, Physical Network, Geopolitical, Device

Ecosystem labels: Technology, Environmental, Economic, Consumer, Suppliers, JV/Partners, Service providers, Customer, Industry/competitors

Enterprise hunting challenges:

• Sovereign estates

• Distinct privacy laws and requirements

• Corporate IT governance

• Mergers and acquisitions – lack of integration

• Enterprise environment familiarity: do you really know what you have?

• Understanding of crown jewels

• Third parties

• SLAs

• Competing priorities

² Derived from Snowden’s leaked documents on NTOC. (Simplified) to illustrate industry cross-domain interactions

Page 16

PwC Hunting Approach

Expertise and insight… …applied at scale

01 Detect

PwC gleans threat intelligence from the front lines of incident response engagements around the world. Our threat research team conduct independent research on a wide variety of threats and develop detection techniques.

02 Investigate

PwC’s own CSIR-certified incident response team use the most advanced technologies to dramatically reduce dwell time of intruders, scope intrusions and minimise the need for fly-to-site teams on globally distributed incidents.

03 Remediate

Mobilising a containment strategy and patching vulnerable systems form a core part of our execution plan.

04 Enforce

We design integrations, processes and workflows to ensure your teams work effectively to achieve better security hygiene and compliance metrics.

Page 17

So what do you hunt for?

Persistence / Events / Unusual paths / Past & Future

• Registry keys

• Autoruns/auto-start

• Windows events, crashes, logins

• Sysmon

• Process creation

• Execution of files, services or DLLs

• Alternate Data Streams (NTFS)

• ShimCache: CMD, PowerShell

• Prefetch: confirmation of execution

• AT/schtasks: lateral movement

Impossibility / Relationships / Signatures / Logs

• VPN connections

• Non-existent User-Agent strings

• Unusual process spawning (i.e. a parent other than services.exe starting svchost.exe)

• Process low count

• Evaluate signed and unsigned files

• Evaluate hashes or PE file segment hashes

• DNS logs, not just for known-bad destinations but also for unusual URLs

• DNS record entropy → DGAs
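Three of the hunt analytics listed above (DNS label entropy as a DGA indicator, an unexpected parent for svchost.exe, and “process low count”) worked through over constructed sample data. This is an added example for this page, not PwC’s tooling or code from the deck; the log line formats, the entropy threshold, the minimum label length and the allowed-parent table are assumptions chosen for illustration.

```python
"""Hunt analytics over constructed sample logs: DNS label entropy (DGA candidates),
unexpected parent of svchost.exe, and low-count process images.

Added example, not PwC's tooling. Log formats, threshold and parent table are assumptions.
"""
import math
from collections import Counter

# Constructed DNS query log: "<timestamp> <client ip> <queried name>" (assumed format)
DNS_LOG = """\
2017-05-04T08:00:01Z 10.1.2.3 www.example.com
2017-05-04T08:00:02Z 10.1.2.3 mail.example.com
2017-05-04T08:00:03Z 10.1.2.7 xk7q2mzp9vwt3b.net
2017-05-04T08:00:04Z 10.1.2.7 q8zj4nv1lhy6dwxr.com
2017-05-04T08:00:05Z 10.1.2.9 update.vendor.example.org
"""

# Constructed process-creation events, Sysmon-style but simplified to
# "<image> <parent image>"; paths are assumed to contain no spaces.
PROCESS_LOG = """\
C:\\Windows\\System32\\svchost.exe C:\\Windows\\System32\\services.exe
C:\\Windows\\System32\\svchost.exe C:\\Windows\\System32\\services.exe
C:\\Windows\\System32\\svchost.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\setup.exe
C:\\Windows\\System32\\cmd.exe C:\\Windows\\explorer.exe
"""

ENTROPY_THRESHOLD = 3.5   # bits per character; assumed, tune against your own baseline
MIN_LABEL_LENGTH = 10     # short labels carry too little entropy to judge

# Allowed parents per child image; svchost.exe is normally started by services.exe.
EXPECTED_PARENTS = {"svchost.exe": {"services.exe"}}


def shannon_entropy(text):
    """Shannon entropy in bits per character of a string."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(name):
    """Label left of the TLD (naive; production code should use the Public Suffix List)."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_candidates(log=DNS_LOG, threshold=ENTROPY_THRESHOLD):
    """Return (client, name, entropy) for long, high-entropy registrable labels."""
    flagged = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, name = line.split()
        label = registrable_label(name)
        h = shannon_entropy(label)
        if len(label) >= MIN_LABEL_LENGTH and h >= threshold:
            flagged.append((client, name, round(h, 2)))
    return flagged


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def unexpected_parents(log=PROCESS_LOG, expected=EXPECTED_PARENTS):
    """Return (image, parent) pairs whose parent is not on the child's allow-list."""
    flagged = []
    for line in log.splitlines():
        if not line.strip():
            continue
        image, parent = line.split()
        allowed = expected.get(_basename(image))
        if allowed is not None and _basename(parent) not in allowed:
            flagged.append((image, parent))
    return flagged


def rare_images(log=PROCESS_LOG, max_count=1):
    """'Process low count': images seen at most max_count times in the sample."""
    counts = Counter(line.split()[0] for line in log.splitlines() if line.strip())
    return sorted(img for img, c in counts.items() if c <= max_count)


if __name__ == "__main__":
    for hit in dga_candidates():
        print("DGA candidate:", hit)
    for hit in unexpected_parents():
        print("Unexpected parent:", hit)
    for img in rare_images():
        print("Rare image:", img)
```

Entropy alone is a weak signal: CDN and cloud hostnames often carry random-looking labels, so the threshold and the minimum label length should be set from the estate’s own DNS baseline, and hits should be corroborated with the perimeter and endpoint data the deck pairs them with. The allowed-parent table is an allow-list to be extended from observed baseline behaviour, not a fixed rule.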

Page 18

Before you can hunt, consider the following challenges

Ready your hunting kit … as it will assist you during incident response (yep, it will lead there)

No. 1 IT integration – Mergers and acquisitions may have led to heterogeneous and disjoint environments

No. 2 Inventory – Unfamiliarity with baselines, hardware, topology. Especially if outsourcing to MSPs (e.g. “I don’t have Windows XP”)

No. 3 Privacy regulations – Differences between US and European regulations (e.g. financial industry)

No. 4 Outdated SLAs – Not drafted to support responsive actions. Usually geared towards maintaining operations

No. 5 Governance – Geographically dispersed business units, local autonomy. Also, have you lost control of your environment? (consider No. 4)

No. 6 Think ≠ Is – Defenses or mitigations you think you have may not be real (e.g. centralized logging)

No. 7 Remote = Local – See No. 3; you may be required to conduct all hunting within country.

No. 8 Priorities – Third-party MSPs or business units may view hunting deployment or actions as a lower priority than day-to-day operations

Page 19

Before you can hunt, consider the following challenges (continued…)

No. 9 IR team? – The enterprise may not possess an in-house IR team

No. 10 Delays – Plan for delays due to operational milestones, extended national holiday seasons, deployment testing

No. 11 Confidentiality / OPSEC – RFPs for hunting contracts are not a good thing. Do not communicate on compromised networks

No. 12 Fragility – Often we find unstable, fragile networks which have suffered many recent outages. Low resources (memory/CPU/disk space)

No. 13 Legal / Pre-vetting – Inform the legal team; review every command and data type.

Page 20

What to look for?

We currently track over 110 distinct threat actors from circa 20 countries, including nation-state-sponsored actors as well as hackers-for-hire.

Red Typhon / Aurora Panda / APT17

Blue Kitsune / CozyBear / CozyDuke

Red Apollo / Stone Panda / APT10

In this particular case, the threat actor is suspected to be Red Apollo (APT10), which targets Chinese dissidents around the world and occasionally US defence contractors, technology, and telecoms operators. Attribution is grounded in the tools, methodologies, and C2 infrastructure used.

Yep, sometimes it really is China. But also Russia, the USA, Spain, Israel, Brazil, and many more …

Page 21

Attribution

Page 22

Attribution (continued)

The limits of Super Spy Agencies:

1. Human Resources Department

2. Family – Work / Life Balance

Page 23

Contributing factors to success

No. 1 Legal – Early engagement with client legal teams. Vetting of data collection. Education of operations

No. 2 Governance – Clear support and alignment for hunting priorities

No. 3 Patience – Methodical, focused attention towards sophisticated threat discovery

No. 4 Intelligence – Fusing the right level of in-house developed intelligence with incident response indicators and community insights

No. 5 Visibility – Having widespread visibility into the environment, across territories

No. 6 Multi-pronged – Combining endpoint and perimeter data

No. 7 Agility – Near real-time ability to query the enterprise for key data nuggets

No. 8 Analytics – Seek out not just the known bad through fragile IOCs but expand towards anomalies. Go after the tactics, techniques and procedures (TTPs)

No. 9 Discretion / OPSEC – The adversary watches communications on the environment. They own VoIP, email, Active Directory

Page 24

04 Becoming Resilient against Modern Cyberthreats

Page 25

What are cyber business risks to become resilient against? A few examples…

Data Disclosure – Customer accounts are taken over by criminals and sensitive information is disclosed to an unauthorized recipient

Fraud / Theft – Hackers compromise the low-touch order management system and execute unauthorized financial transactions

Business Outage / Service Disruption – A denial-of-service attack causes an extended outage of the business platform

Client Dissatisfaction – Loss of brand loyalty and trust following a cyber attack that leads to significant customer defection

Data Manipulation – Malicious or inadvertent manipulation of critical business information (e.g., market data)

Insider Trading – Non-public data is compromised during a cyber attack and used for financial gain (e.g., to trade on the stock market)

Page 26

The cyber challenge now extends beyond the enterprise

Global Business Ecosystem

Pressures and changes which create opportunity and risk

Traditional boundaries have shifted; companies operate in a dynamic environment that is increasingly interconnected, integrated, and interdependent.

• The ecosystem is built around a model of open collaboration and trust—the very attributes being exploited by an increasing number of global adversaries.

• Constant information flow is the lifeblood of the business ecosystem. Data is distributed and disbursed throughout the ecosystem, expanding the domain requiring protection.

• Adversaries are actively targeting critical assets throughout the ecosystem—significantly increasing the exposure and impact to businesses.

Years of underinvestment in security have impaired organizations’ ability to adapt and respond to evolving, dynamic cyber risks.

Page 27

Which cyber risks can you expect?

Insider Threats

• Disgruntled employees

• Cleaning crew

External Threats

• Everyday attacks

• APT

• DDoS

Nation States

• USA, China, Russia, Israel, North Korea

• Significant resources and skills

Organized Crime

• High financial gain and low risks

Ransomware

• Unavailability or loss of integrity of sensitive data

Espionage

• Your competitors, nation states or cyber criminals are interested in your intellectual property

Social engineering

• Lack of training

• Humans can be fooled

BYOD

• Smartphones, tablets

• Mobile, fluid workforce

Page 28

NIST Cybersecurity Framework

Page 29

What next?

Organizations should organize their cybersecurity programs around six core objectives

Core Cybersecurity Objectives:

• Identify and protect critical business assets

• Identify, manage and monitor cyber threats

• Understand the organizational boundary

• Build cyber resiliency

• Implement cyber risk dashboard and reporting

• Prepare and respond to cyber events

Cybersecurity in today’s business environment is a complex problem that requires management engagement, creative techniques and new capabilities

Adversaries are sophisticated, determined and patient. They can target individuals, companies and entire industries for malicious or criminal gain

An effective cybersecurity program should enable the organization to detect cyber threats, manage the corresponding risks and respond to cyber incidents to minimize business disruption

Page 30

Our recommendations

Prepared for attacks?

• Incident response program

• Crisis management concept

• Train your people for incidents / crises

Third-party risk

• Assess your risk linked to 3rd parties

• Review your SLAs with MSPs and critical third parties

Critical assets protection

• What are your critical assets?

• Do you protect them in line with their value?

BCM

• Business Continuity Management

• Business Impact Analysis (BIA)

APT Hunting

• Endpoint analysis

• Network analysis

• Log analysis

Threat Intelligence

• Know your enemies (their resources, motivations, tactics, techniques, and procedures)

• Be alerted on time

Compliance

• How do you handle personal data?

• EU GDPR comes with big penalties in 2018

Security Awareness

• Employees are the weakest link of your security

Page 31

04 Questions and Answers

Page 32

Reto Häni

Partner and Leader Cybersecurity

[email protected]

+41 79 345 0124