
Gary Woods, Director, North America

A RECENT, SHORT HISTORY OF CYBER AND WHAT YOU CAN DO

Data Connectors/Tech Showcase Milwaukee


Agenda

Anatomy of an Attack

Notorious attacks and methods

Verizon DBIR

What you can do


Threat Trends

Hacktivists

• "Anonymous" DDoS campaign against the payment processors that stopped handling WikiLeaks donations

• DDoS attacks

• Website defacement

Nation State

• Motivations: espionage, disruption, or destruction

• Targets government and the private sector

Cyber Crime

• Criminal groups are concentrated in Eastern Europe, although Asian groups are also active

• A complete service-based economy supports their activities

• Attacks mix social engineering with technical exploitation


ATTACKER MOTIVATION, CAPABILITY & INTENT

WHO ARE THE ADVERSARIES?

Cybercriminals

• Motivation: money, money, and more money

• Large number of organized groups

• Skills from basic to advanced

• Present in virtually every country

• Resources: up to $$$

Hacktivists

• Motivation: protest, revenge

• Large number of groups

• Groups tend to have basic skills, with a few "standout" individuals who have advanced technical and motivational skills

• Resources: up to $ - $$

Nation State

• Motivation: acquiring secrets for national security or economic benefit

• Small but growing number of countries with the capability

• Larger array of "supported" or "tolerated" groups

• Resources: up to $$$$+

Opportunists

• Victims are selected because they show some form of weakness that an attack was able to exploit

• Financially driven

• Initial attacks lack sophistication and become more sophisticated as more attacks are launched

• Resources: up to $$

Budget scale:

$ - under thousands

$$ - tens to hundreds of thousands

$$$ - millions

$$$$ - tens to hundreds of millions

$$$$$ - billions

Dark Web: Connecting Miscreant Suppliers with Miscreant Buyers

• Online libraries and advertisements of stolen data

• Education on how to launch spamming, phishing, and key logging attacks

• Advertisements for partners for complex fraud schemes

• Recruitment

• Detailed info sharing on technical vulnerabilities of software and specific financial institutions and their service providers


Still Lots of Opportunities for Malware

• Phishing – widespread email, lots of victims

• Spearphishing – targeted email aimed at a few victims

• Drive-by download – the unintentional download of malicious software, typically from a compromised reputable site

• Compromised vendors – any vendor remote access is a high-value target

• Malicious mobile apps – free or fake mobile apps

• IT supply chain – compromise integrators / distributors

• IT patch management systems – broad distribution of code


PHISHING VARIATIONS – STILL EFFECTIVE

• Phishing and Spearphishing remain a highly effective means of distributing destructive malware.


COMMON ATTACK SCENARIO

ADVERSARY GAINS FOOTHOLD (diagram, reconstructed as a sequence)

• A tainted email is sent to the organization's users, linking to a compromised web site (www.hackedsite.com in the diagram).

• A user clicks the link; the compromised site installs a remote administration tool on Host 1.

• Additional tools are uploaded to Host 1.

• Using credentials gained on Host 1, the adversary works to establish additional footholds (Host 2).


COMMON ATTACK SCENARIO: DATA MINING

(Diagram, reconstructed: Adversary → Host 1 → Host 2 → File Server)

• The adversary frequently performs data mining through a host (Host 2) other than the initially compromised host (Host 1).

• The remote host receiving the data may or may not be the same IP/domain as the initial attack.

• Data mining typically occurs on file servers via share permissions.

• Multiple files are typically extracted as an encrypted bundle.
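The two scenario slides above describe a foothold on Host 1, a pivot to Host 2, and bulk reads of file servers via share permissions. The following is an added example, not code from the presentation or from any vendor named in it: a small detector that runs over constructed Windows-style share-access and logon records and flags the two signals a SOC can cheaply alert on, one account reading an unusual number of distinct share objects in a short window, and one source host authenticating to many servers in quick succession. Event IDs 4624 (logon) and 5145 (detailed file share access) are the real Windows Security log IDs; the record layout, thresholds, host names and account names are assumptions made for the example.

```python
"""Added example: flag share sweeps and logon fan-out in constructed Windows-style logs."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window for both checks (assumed tuning)
FILE_THRESHOLD = 40              # distinct share objects read in one window (assumed)
FANOUT_THRESHOLD = 3             # distinct hosts one source logs on to in one window (assumed)


def build_sample_events():
    """Constructed events shaped like Windows Security log records:
    (timestamp, event_id, account, source_host, target_host, share_object).
    4624 = logon from source_host to target_host, 5145 = detailed file share
    access. None of this is real data."""
    base = datetime(2015, 6, 1, 9, 0, 0)
    events = [(base, 4624, "jsmith", "WS-HOST1", "FS-01", None)]
    for i in range(3):  # a normal user opens three documents
        events.append((base + timedelta(seconds=30 * i), 5145, "jsmith",
                       "WS-HOST1", "FS-01", f"\\\\FS-01\\Sales\\report{i}.docx"))
    # The 'Host 2' pattern: one account fans out to three file servers and
    # sweeps twenty files from each inside a couple of minutes.
    t0 = base + timedelta(minutes=5)
    for n, server in enumerate(("FS-01", "FS-02", "FS-03")):
        events.append((t0 + timedelta(seconds=n), 4624, "vendor_svc", "HOST2", server, None))
        for i in range(20):
            events.append((t0 + timedelta(seconds=10 + 20 * n + i), 5145, "vendor_svc",
                           "HOST2", server, f"\\\\{server}\\Finance\\doc{i}.xlsx"))
    return events


def max_distinct_in_window(items, window):
    """Largest number of distinct values seen in any span of `window` length.
    items: list of (timestamp, value). Quadratic, fine for per-actor lists."""
    items = sorted(items, key=lambda item: item[0])
    best = 0
    for i, (start, _) in enumerate(items):
        seen = set()
        for ts, value in items[i:]:
            if ts - start > window:
                break
            seen.add(value)
        best = max(best, len(seen))
    return best


def detect_mass_share_access(events, window=WINDOW, threshold=FILE_THRESHOLD):
    """(account, source_host, count) for actors reading many distinct share objects."""
    per_actor = defaultdict(list)
    for ts, event_id, account, src, _dst, obj in events:
        if event_id == 5145 and obj:
            per_actor[(account, src)].append((ts, obj))
    flagged = []
    for (account, src), items in per_actor.items():
        count = max_distinct_in_window(items, window)
        if count >= threshold:
            flagged.append((account, src, count))
    return sorted(flagged)


def detect_logon_fanout(events, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """(source_host, count) for hosts authenticating to many distinct targets quickly."""
    per_source = defaultdict(list)
    for ts, event_id, _account, src, dst, _obj in events:
        if event_id == 4624:
            per_source[src].append((ts, dst))
    flagged = []
    for src, items in per_source.items():
        count = max_distinct_in_window(items, window)
        if count >= threshold:
            flagged.append((src, count))
    return sorted(flagged)


def detect(events):
    return {"mass_share_access": detect_mass_share_access(events),
            "logon_fanout": detect_logon_fanout(events)}


if __name__ == "__main__":
    for name, hits in detect(build_sample_events()).items():
        print(name, hits)
```

Run as a script it prints only HOST2 for both checks. The fixed thresholds are a stand-in; in practice you would baseline per-account distinct-file counts from a few weeks of 5145 data, and 5145 is only written when object access auditing is enabled on the file servers, so check that first or the share-sweep check sees nothing.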

DD4BC (Distributed Denial of Service for BitCoin) extortion email, quoted as received (victim identity anonymized):

Subject: DDOS ATTACK!

Hello,

To introduce ourselves first:

http://www.coindesk.com/bitcoin-extortion-dd4bc-new-zealand-ddos-attacks

http://bitcoinbountyhunter.com/bitalo.html

http://cointelegraph.com/news/113499/notorious-hacker-group-involved-in-excoin-theft-owner-accuses-ccedk-of-withholding-info

Or just google "DD4BC" and you will find more info.

So, it's your turn!

All sites and servers of Anonymized Member are going under DDoS attack unless you pay 40 Bitcoin.

Pay to Anonymized

Please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400-500 Gbps.

Right now we are running small demonstrative attack on one of your IPs: Don't worry, it will not be hard (we will try not to crash it at this moment) and will stop in 30 minutes. It's just to prove that we are serious.

We are aware that you probably don't have 40 BTC at the moment, so we are giving you 24 hours to get it and pay us.

DDOS ATTACK (diagram, reconstructed): servers controlled by the attackers direct traffic from compromised PCs across the Internet, through your ISP and Company X's edge router, into Company X's network and web server, crowding out your customers.

DDoS Solutions – ISP (diagram, reconstructed): the ISP exports NetFlow and SNMP data from its router to a DDoS monitoring facility; when an attack is detected, traffic destined for Company X is diverted through a DDoS mitigation service before it reaches Company X's edge router and network, while normal Internet traffic continues to flow.
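The DD4BC note above threatens a 400-500 Gbps UDP flood, and the ISP solution diagram rests on NetFlow and SNMP data exported from the ISP router. The following is an added example, not from the presentation or from any ISP's monitoring product: detection logic over constructed NetFlow-style records that flags the minutes in which inbound UDP to the web server is far above the median minute and arrives from many distinct sources, which is what separates a distributed flood from one large but legitimate transfer. The record layout, the addresses (documentation ranges), the thresholds and the traffic volumes are all assumptions made for the example.

```python
"""Added example: spot a UDP flood in constructed NetFlow-style records."""
from collections import defaultdict
from statistics import median

UDP = 17
SPIKE_FACTOR = 10          # minute is suspicious when UDP bytes >= 10x the median minute (assumed)
MIN_SOURCES = 100          # ... and the traffic comes from at least this many sources (assumed)
TARGET = "198.51.100.10"   # Company X's web server; documentation address, constructed


def build_sample_flows():
    """Constructed flow records: (minute, src_ip, dst_ip, proto, dst_port, bytes),
    roughly what an ISP router would export via NetFlow. Not captured data."""
    flows = []
    for minute in range(32):                       # normal traffic from 20 clients
        for c in range(20):
            client = f"203.0.113.{c + 1}"
            flows.append((minute, client, TARGET, 6, 443, 100_000))
            flows.append((minute, client, TARGET, UDP, 53, 500))
    # minute 15: one client pushes a large UDP transfer (a legitimate bulk job)
    flows.append((15, "203.0.113.1", TARGET, UDP, 4500, 200_000_000))
    # minutes 30-31: flood from 500 spoofed sources, 1 MB each per minute
    for minute in (30, 31):
        for s in range(500):
            spoofed = f"100.64.{s // 250}.{s % 250 + 1}"
            flows.append((minute, spoofed, TARGET, UDP, 80, 1_000_000))
    return flows


def udp_per_minute(flows, dst):
    """Aggregate inbound UDP to `dst`: minute -> [bytes, set of source IPs]."""
    per_minute = defaultdict(lambda: [0, set()])
    for minute, src, flow_dst, proto, _port, nbytes in flows:
        if flow_dst == dst and proto == UDP:
            per_minute[minute][0] += nbytes
            per_minute[minute][1].add(src)
    return per_minute


def mbps(bytes_per_minute):
    """Convert a per-minute byte count to megabits per second."""
    return bytes_per_minute * 8 / 60 / 1_000_000


def detect_udp_flood(flows, dst=TARGET, factor=SPIKE_FACTOR, min_sources=MIN_SOURCES):
    """Return [(minute, bytes, distinct_sources, ratio_to_median)] for flood minutes.
    The median is robust to the spike itself; the source-count test keeps a
    single large legitimate transfer from being mistaken for a flood."""
    per_minute = udp_per_minute(flows, dst)
    baseline = median(nbytes for nbytes, _ in per_minute.values())
    hits = []
    for minute in sorted(per_minute):
        nbytes, sources = per_minute[minute]
        ratio = nbytes / baseline if baseline else float("inf")
        if ratio >= factor and len(sources) >= min_sources:
            hits.append((minute, nbytes, len(sources), ratio))
    return hits


if __name__ == "__main__":
    for minute, nbytes, nsrc, ratio in detect_udp_flood(build_sample_flows()):
        print(f"minute {minute}: {mbps(nbytes):.1f} Mbps from {nsrc} sources "
              f"({ratio:.0f}x baseline)")
```

Minute 15 is 20,000 times the baseline but comes from one client, so it is not reported; minutes 30 and 31 are. These same two signals, volume against a baseline and source fan-in, are typically what drives the decision to redirect a prefix into mitigation. Real NetFlow is sampled, so byte counts must be multiplied by the sampling rate before being compared with link capacity.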


BIGGEST COMPUTER HACKS OF ALL TIME

Adobe (October 2013) Number of people affected: 150 million (Email addresses and passwords for 150 million users, as well as credit card data for 2.9 million users)

How it happened: Hackers gained access to Adobe’s networks, though exactly how they did it has yet to be publicly revealed. In addition to stealing user information, attackers also downloaded the source code for a handful of Adobe programs, which essentially forms the foundation of the software.

eBay (May 2014) Number of records compromised: 145 million

The attack on its network compromised over 145 million customers' passwords, usernames, email addresses, postal addresses, phone numbers and dates of birth. Despite being aware of the breach since February 2014, eBay only alerted its customers in May 2014, a move that naturally angered some of those affected.

How it happened: Hackers used stolen employee details to break into its network


Heartland Payment Systems (January 2009) Number of records compromised: 130 million customer card details

How it happened: A malware outbreak on its payment systems

Worse still, during an earnings call following the breach executives revealed the malware used to steal the information was successful because Heartland did not have antivirus software installed on its payment processing network at the time

TJX Companies (January 2007) Number of records compromised: 94 million

How it happened: A cartel of hackers infiltrated its network, initially through weakly protected (WEP) wireless networks at its stores, and captured card data for months before detection.

The firm currently owns T.K. Maxx, T.J. Maxx, Marshalls, HomeGoods and HomeSense.

Target (January 2014) Number of people affected: 110 million (40 million credit and debit card numbers, as well as 70 million consumer email addresses)

How it happened: Hackers used credentials from an HVAC contractor working within Target to then gain access to the retailer’s network.

Aftermath: Six months later, company CEO Gregg Steinhafel was forced to resign over the breach. In March, Target settled a class-action lawsuit for $10 million with individuals who had their credit and debit cards stolen.

Home Depot (September 2014) 109 million (53 million email addresses and 56 million credit and debit cards)

How it happened: Home Depot said hackers used a vendor’s login information to access the network and install malware on the retailer’s self-checkout systems, which fed the attackers information on credit card customers in the U.S. and Canada.

Aftermath: Cleaning up after the breach cost Home Depot an estimated $62 million. The company offered free credit monitoring to any customer who used a payment card at a Home Depot store after April 2014.


Anthem (February 2015) 88 million (Social Security numbers, employment details, and other personal information, but no medical data)

How it happened: Investigators speculate the intrusion began months earlier and was perpetrated by Chinese government-sponsored hackers, who are also suspected of breaking into the networks of United Airlines and the U.S. government’s Office of Personnel Management.

Aftermath: Anthem offered free credit monitoring services to those affected by the attack.

JPMorgan Chase (July 2014) 83 million (Names, addresses, and phone numbers of account holders)

How it happened: According to the New York Times, hackers gained access to JPMorgan’s network via an employee’s credentials.

Aftermath: Investigators recently arrested four individuals suspected of taking part in the hack.


U.S. Office of Personnel Management (June 2015) 22 million (Social Security numbers and other personal information for former and current U.S. government employees)

How it happened: Attackers suspected to be from the Chinese government stole login information from the employee of a third-party government contractor.

Aftermath: OPM Director Katherine Archuleta resigned, and the agency suspended its background check system until further notice.

Facebook (July 2008) Number of records compromised: 80 million

How it happened: A bungled test for a new website design

Facebook software glitch publicly exposed 80,000,000 users' hidden information.

Evolution from Disruptive to Destructive Attacks


Advanced DDoS – 2012, 2013

• 40+ financial institutions targeted; a wake-up call for the financial services industry

• Resulted in dynamic, effective information sharing

Shamoon – 2012

• Malware executable spread using network shared drives

• Corrupts files and wipes device boot blocks at a specified date

• A group named "Cutting Sword of Justice" claimed responsibility

• Attack on 30,000 Saudi Aramco workstations

South Korean Attacks – 2013

• Two banks, a media company and an insurance company hit; patch management systems were targeted to distribute the wiper

• Wipers hit Windows, Linux and UNIX systems and removed file systems; over 3,000 machines made unbootable


Sony Pictures – 2014

• Data breach but, more importantly, destructive malware installed on their network and core systems, including backups.

• Intellectual property and sensitive information released publicly.

• Impact: financial system data destroyed; inability to disburse payments or produce financials for an extended period.

60 Minutes news program update on impact:

• 40,000 computers made unbootable

• 800 servers turned into junk

• Directories destroyed; without the directories, the data was inaccessible.

Ransomware


The Verizon DBIR ("Data Breach Investigations Report")

http://www.verizonenterprise.com/verizon-insights-lab/dbir/

http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report_2015_en_xg.pdf

Basic Cyber Security Hygiene: 3rd-party products required and estimated cost

Category | Capability | 3rd-party products required | Estimated cost

Detection | Files: AV detection | Buy one or several AVs | $30,000

Detection | Files: advanced detection, web traffic | FireEye, Cisco, Symantec | $75,000

Detection | Files: advanced detection, email traffic | FireEye, Cisco, Symantec | $50,000

Detection | Files: reputation | Specialized feeds | $30,000

Detection | C&C: advanced detection | Damballa | $60,000

Detection | C&C: reputation | Specialized feeds | $30,000

Detection | Lateral movement | LightCyber | $45,000

Detection | Extensibility for 3rd-party sensors | SIEM: HP, IBM, Splunk | $50,000

Detection | Endpoint detection | Cylance, Symantec, other next-gen AV | $50,000

Forensics | Endpoint forensics | Carbon Black, RSA | $50,000

Forensics | Network forensics | RSA, Blue Coat | $75,000

Forensics | File analysis lab | FireEye / Cisco | $50,000

Investigation | Automation and orchestration | Resilient, Invotas, Phantom, Hexadite | $50,000

Investigation | Unified investigation user interface | System integrator | $75,000

Incident Management | Workflow, prioritization, assignments, roles, status tracking | RSA, CA, Remedy, ServiceNow (ticketing) | $50,000

Deployment | Deploying, connecting and tuning sensors | $10,000 per product | $550,000

Training | Operational analysts + admin training | $5,000 per product | $40,000

TOTAL | | | $860,000 minimum

Note that the fifteen product lines sum to $770,000 and the per-product deployment and training rates do not reproduce the $550,000 and $40,000 shown, so the $860,000 "minimum" is best read as the presenter's order-of-magnitude estimate rather than a reconciled budget.

Cost of Basic Cyber Hygiene Has Ballooned

• Too many point products, each focused on a single attack vector

• $70 billion spent on IT security; over 80% of organizations breached

• ~4% of alerts are investigated

• Can't make sense of the noise, and it takes days to weeks to investigate

• Not enough solid insights

• Shortage of cyber analysts, projected to reach 1.5M by 2019

• Too many alerts: 17,000 malware alerts a week, of which only 19% are considered reliable

The Need For A Unified & Automated Cyber Security Solution


Company X averages 200 alerts/day.

0.5 hours per alert to "investigate & analyze" = 100 hours/day, which is only possible if you have ~12 analysts on staff.

Conservatively, if a new technology automates 50% of incident response and analysis/forensics with guided remediation, 50 hours per day are saved.

ROI per year = $975,000: 260 work days × $3,750/day ($75/hour × 50 hours).

And there is a huge potential ROI for automating response, investigations & analysis.


Gartner: Designing An Adaptive Security Architecture

Detective, preventive, response and predictive capabilities from vendors have been delivered in nonintegrated silos, increasing costs and decreasing their effectiveness

—Gartner: Designing an Adaptive Security Architecture for Protection from Advanced Attacks, February 2014

A Solution Should Have These Characteristics

• Reduce stovepipe solutions; reduce complexity

• "Force multiplier" improving efficiency

• Reduction in alerts

• Automation & orchestration

• Visual representation of the attack; automatic investigation

• Multiple analysis engines: file analysis, endpoint analysis, lateral movement, command & control

(Diagram, reconstructed: thousands of alerts feed automated analysis, which yields dozens of incidents and a visual attack path.)

Something that looks like this…

Verint "Threat Protection System™" (TPS) – architecture diagram, reconstructed

• Network TAPs on the enterprise network and endpoint sensors feed the threat detection engines: file analysis, lateral movement, command & control, endpoint and network.

• Forensics engines plus automation & orchestration drive a unified investigation workflow that enriches intelligence and responds through the SIEM, sandbox, endpoint detection & response, perimeter security and threat intelligence.

• Roles shown: SOC analyst, SOC manager, CISO and Chief Risk Officer.

• Functions shown: detection / threat hunting, forensics investigation, machine-guided response; automated & orchestrated cyber intelligence.

Verint TPS: A Unified Solution Built from the Ground Up

Category | Capability | Verint TPS | 3rd-party products required for basic cyber security hygiene | Estimated cost

Detection / Threat Hunting | Files: AV detection | Included | Buy one or several AVs | $30,000

Detection / Threat Hunting | Files: advanced detection, web traffic | Included | FireEye, Cisco, Symantec | $75,000

Detection / Threat Hunting | Files: advanced detection, email traffic | Included | FireEye, Cisco, Symantec | $50,000

Detection / Threat Hunting | Files: reputation | Included | Specialized feeds | $30,000

Detection / Threat Hunting | C&C: advanced detection | Included | Damballa | $60,000

Detection / Threat Hunting | C&C: reputation | Included | Specialized feeds | $30,000

Detection / Threat Hunting | Lateral movement | Included | LightCyber | $45,000

Detection / Threat Hunting | Extensibility for 3rd-party sensors | Included | SIEM: HP, IBM, Splunk | $50,000

Detection / Threat Hunting | Endpoint detection | Included | Cylance, Symantec, other next-gen AV | $50,000

Forensics | Endpoint forensics | Included | Carbon Black, RSA | $50,000

Forensics | Network forensics | Included | RSA, Blue Coat | $75,000

Forensics | File analysis lab | Included | FireEye / Cisco | $50,000

Investigation | Automation and orchestration | Included | Resilient, Invotas, Phantom, Hexadite | $50,000

Investigation | Unified investigation user interface | Included | System integrator | $75,000

Incident Management | Workflow, prioritization, assignments, roles, status tracking | Included | RSA, CA, Remedy, ServiceNow (ticketing) | $50,000

Deployment | Deploying, connecting and tuning sensors | Included | $10,000 per product | $550,000

Training | Operational analysts + admin training | Included | $5,000 per product | $40,000

SUB TOTAL (implementation + 3 years) | | Verint TPS 3-year subscription: ~$300,000 | | $860,000 minimum

Verint's "Threat Protection System" is the World's 1st Integrated Cyber Security Solution

Automated Response & Automated Investigation

Less Noise. Faster Insights. Clearer Picture.

Alerts to Incidents: filter, triage, prioritize

Automated data gathering and enrichment

Dynamic, iterative analysis, decision and execution of best next step

Bi-directional, in-depth interaction with detection and forensics engines

Automated, Behavioral, AI and human analyst collaboration

Powered by cyber investigation workflow engine, applied know-how
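The list above promises alerts-to-incidents triage, automated enrichment and prioritization. The following is an added example, not Verint's code and not part of the presentation: a compact version of that pipeline run over constructed alerts from four hypothetical sensors. Alerts on the same host within an hour are merged into one incident, every indicator is looked up in a constructed reputation table standing in for the "specialized feeds" of the cost table, and incidents are scored so that a multi-sensor, intel-corroborated incident ranks first while an AV hit on a vetted-good hash is suppressed. The field names, sensor names, scoring weights and correlation window are assumptions made for the example.

```python
"""Added example: collapse sensor alerts into host-scoped incidents, enrich, and rank."""
from collections import defaultdict
from datetime import datetime, timedelta

CORRELATION_WINDOW = timedelta(hours=1)   # alerts on one host within an hour = one incident (assumed)
SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Constructed alerts from four hypothetical sensors; field names are assumptions.
SAMPLE_ALERTS = [
    {"ts": "2015-06-01T10:02:00", "sensor": "av", "host": "WS-042",
     "indicator": "sha256:aaaa", "severity": "medium"},
    {"ts": "2015-06-01T10:05:00", "sensor": "proxy", "host": "WS-042",
     "indicator": "evil-cdn.example", "severity": "high"},
    {"ts": "2015-06-01T10:07:00", "sensor": "edr", "host": "WS-042",
     "indicator": "proc:powershell -enc", "severity": "high"},
    {"ts": "2015-06-01T10:30:00", "sensor": "c2feed", "host": "WS-042",
     "indicator": "198.51.100.77", "severity": "high"},
    {"ts": "2015-06-01T09:00:00", "sensor": "av", "host": "WS-017",
     "indicator": "sha256:bbbb", "severity": "low"},
    {"ts": "2015-06-01T14:00:00", "sensor": "edr", "host": "SRV-DB1",
     "indicator": "proc:psexec", "severity": "medium"},
    {"ts": "2015-06-01T16:00:00", "sensor": "edr", "host": "SRV-DB1",
     "indicator": "proc:psexec", "severity": "medium"},
]

# Constructed reputation data standing in for the slide's "specialized feeds".
THREAT_INTEL = {
    "sha256:aaaa": "malicious",
    "sha256:bbbb": "known_good",        # signed admin tool, a recurring AV false positive
    "evil-cdn.example": "known_c2",
    "198.51.100.77": "known_c2",
}


def correlate(alerts, window=CORRELATION_WINDOW):
    """Group alerts by host; a gap longer than `window` starts a new incident."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(dict(a, ts=datetime.fromisoformat(a["ts"])))
    incidents = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        current = None
        for a in items:
            if current is None or a["ts"] - current["end"] > window:
                current = {"host": host, "start": a["ts"], "end": a["ts"], "alerts": []}
                incidents.append(current)
            current["alerts"].append(a)
            current["end"] = a["ts"]
    return incidents


def enrich(incident, intel):
    """Attach a reputation verdict per indicator and the set of sensors that fired."""
    incident["intel"] = {a["indicator"]: intel.get(a["indicator"], "unknown")
                         for a in incident["alerts"]}
    incident["sensors"] = {a["sensor"] for a in incident["alerts"]}
    return incident


def score(incident):
    """0 means suppress (every indicator is vetted good). Otherwise the worst
    severity dominates; corroborating sensors and intel hits add to it."""
    if set(incident["intel"].values()) == {"known_good"}:
        return 0
    max_sev = max(SEVERITY[a["severity"]] for a in incident["alerts"])
    hits = sum(v in ("malicious", "known_c2") for v in incident["intel"].values())
    return 10 * max_sev + 5 * (len(incident["sensors"]) - 1) + 10 * hits


def triage(alerts, intel):
    """Return (prioritized incidents, suppressed incidents)."""
    incidents = [enrich(i, intel) for i in correlate(alerts)]
    for i in incidents:
        i["score"] = score(i)
    active = sorted((i for i in incidents if i["score"] > 0), key=lambda i: -i["score"])
    suppressed = [i for i in incidents if i["score"] == 0]
    return active, suppressed


if __name__ == "__main__":
    active, suppressed = triage(SAMPLE_ALERTS, THREAT_INTEL)
    print(f"{len(SAMPLE_ALERTS)} alerts -> {len(active)} incidents, {len(suppressed)} suppressed")
    for i in active:
        print(i["score"], i["host"], sorted(i["sensors"]), len(i["alerts"]), "alerts")
```

Seven alerts become three incidents and one suppression: the WS-042 chain (AV, proxy, EDR and C&C feed all firing on the same host inside half an hour) ranks first, the two SRV-DB1 PsExec alerts stay separate because they are two hours apart, and the WS-017 alert drops out because its only indicator is a known-good hash. Whatever weights you choose, keep the suppression rule conservative: suppress only on a positive "known good" verdict, never on "unknown".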

So…What can you do?