marcumtechnology.com
Foiling the “Cyber Kill Chain” – Mitigation Strategies for Cyber Defense
September 22, 2020
marcumtechnology.com0920054N
Marcum Technology has prepared these materials as part of an educational program. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual, entity or case.
While every effort has been made to offer current and accurate information, errors can occur. Furthermore, laws and regulations referred to in this program may change over time and should be interpreted only in light of particular circumstances.
The information presented here should not be construed as legal, tax, accounting or valuation advice. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
Today’s Speakers
Jeff Bernstein, Director, Cybersecurity and Data Privacy
Jaike Hornreich, Director, Cybersecurity and Data Privacy
Peter Campbell, Senior Strategic Consultant
Kevin Baker, Director, Digital Forensics
Fred Johnson, Vice President, Cybersecurity and Digital Forensics
Chad Hudson, Director, Cybersecurity and Data Privacy
Today’s Agenda
► Introduction and Presenters
► What is a Kill Chain?
► What Have We Seen
► Compromise Costs
► Mitigating the Threat with an Effective Security Program
► Training
► Response
► Assurance
► Compliance
► Filling the Gaps with Specialized Staff Augmentation
► Other Considerations and Best Practice
► Marcum Technology
► Q&A
What is a Kill Chain?
Kill Chain
► The term kill chain was originally used as a military concept related to the structure of an attack, consisting of:
  ► Target identification
  ► Force dispatch to target
  ► Decision and order to attack the target
  ► Destruction or compromise of the target
► The idea of "breaking" an opponent's kill chain is a method of defense or preemptive action. More recently, Lockheed Martin adapted this concept to information security, using it as a method for modeling intrusions on a computer network.
► The cyber kill chain model has seen some adoption in the information security community. It should be noted that acceptance of the concept is not universal, with critics pointing to what they believe are fundamental flaws in the model.
SOURCE: Wikipedia
Type of Attacks
► Website Defacements
► Anonymous disparagement of key personnel on the Internet
► Theft of funds and leakages of Data (client, personnel, IP and research)
► Malware outbreaks
► Ransomware attacks
► Stealing algorithms
► Wiping and/or corrupting data and crippling trade process
► Extortion and ransomware cases
► Denial of Service (DoS) Attacks
► Malicious insider attacks and IP exfiltration
► Various instances of fraud
► Crypto mining schemes
► Mobile application compromises
► Third-party partner compromises and exposures
► Physical attacks resulting in compromise
Social engineering still dominates, and the tooling available to attackers is trivially easy to use.
Cost of a Cyber Compromise
► Data Breach Risk Claims
SOURCE: Risk Strategies
Breaking the Kill Chain – TRAC (Training, Response, Assurance, Compliance)
Training
Consequences of Human Error
Training
Education
► Influence Good User Behavior and Digital Hygiene
► Training
  ► General Audience
  ► C-Suite
  ► Role-based
  ► Regulatory
  ► Development
► Customize for your unique situation
► Tabletop Exercises
  ► Incident and Event Response
  ► BC/DR
  ► Test Staff
Response
► Breaking the cyber kill chain requires a quick response
► On average, companies take 207 days to identify a breach and a further 73 days to contain it*
* 2020 Cost of a Data Breach Report (https://www.ibm.com/security/data-breach)
► Early detection and response prevents:
  ► Lateral Movement
  ► Privilege Escalation
  ► Persistent Access
  ► Data Exfiltration
  ► Destruction of Evidence
► Attacks are routinely multifaceted and develop over time
Response
Incident Response Steps
Identify → Collect → Analyze
NIST (SP 800-61):
1. Preparation
2. Detection and Analysis
3. Containment, Eradication, and Recovery
4. Post-Incident Activity
SANS:
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned
Response
Digital Forensics
► Identification
  ► Interviews
  ► System Logs
  ► Alerts
  ► Analysis
► Data preservation
  ► Device imaging (servers, desktops, laptops, cell phones)
  ► Log file collection and extraction
  ► Online data collection (Microsoft 365, G Suite/Gmail, AWS, Azure)
  ► Forensically sound handling (write-blocked or read-only acquisition, hashes recorded at acquisition and re-verified on every hand-off, a documented chain of custody) is what keeps evidence admissible
Response
Digital Forensics
► Analysis
  ► Timeline
  ► Root Cause/Source
  ► Impacted Data
  ► Target Identification
  ► Exploit Identification
► Reporting
  ► Gives stakeholders a plain-English understanding of the incident
  ► Actionable items and recommendations
  ► Often required by insurance carriers
  ► Basis for referral to law enforcement and for expert testimony
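The hash-at-acquisition, re-verify-on-transfer discipline that "forensically sound handling" in the two forensics slides above rests on, as an added example that is not part of the Marcum deck. The evidence file, examiner name and item description are constructed: the script writes a throwaway "disk image" to a temporary directory, records MD5 and SHA-256 at acquisition, then performs one hand-off that verifies and one that fails after a single byte is altered.

```python
"""Acquisition hashing and chain-of-custody verification for a preserved
evidence file.  Added example, not code from the Marcum deck: the "image"
is a constructed byte string written to a temporary file, and the examiner
and item names are illustrative."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: disk images are far larger than memory


def hash_file(path, algos=("md5", "sha256")):
    """Stream the file once and compute every requested digest in parallel."""
    hashers = {name: hashlib.new(name) for name in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(path, examiner, description):
    """Create the custody record at acquisition time; these digests are the
    baseline that every later verification is compared against."""
    return {
        "item": os.path.basename(path),
        "description": description,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": os.path.getsize(path),
        "hashes": hash_file(path),
        "custody": [],
    }


def hand_off(record, path, from_person, to_person):
    """Re-hash on every transfer and record whether the digests still match.
    A False result means the item can no longer be shown to be the acquired
    original, which is exactly what opposing counsel will ask about."""
    observed = hash_file(path)
    verified = observed == record["hashes"]
    record["custody"].append({
        "from": from_person,
        "to": to_person,
        "when_utc": datetime.now(timezone.utc).isoformat(),
        "verified": verified,
        "observed": observed,
    })
    return verified


def digests_of(data):
    """Self-check helper: hash an in-memory byte string through a temp file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "blob")
        with open(path, "wb") as fh:
            fh.write(data)
        return hash_file(path)


def demo():
    """Acquire a constructed image, hand it off intact, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "ws-017_disk.dd")  # constructed evidence item
        with open(image, "wb") as fh:
            fh.write(b"MBR\x00" * 4096 + b"NTFS    " + bytes(range(256)) * 64)
        record = acquire(image, "K. Baker", "laptop ws-017, full disk image")
        first = hand_off(record, image, "K. Baker", "evidence locker")
        # Simulate a single-byte change (e.g. the image mounted read-write by mistake)
        with open(image, "r+b") as fh:
            fh.seek(5000)
            fh.write(b"\xff")
        second = hand_off(record, image, "evidence locker", "outside expert")
        print(json.dumps(record, indent=2))
        return first, second


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the JSON custody record: the second hand-off records `verified: false`, and the observed digests are kept so a reviewer can see exactly which copy diverged. MD5 is computed alongside SHA-256 only because many existing tools and older reports still cite it, not because it is collision-resistant; SHA-256 is the value to rely on.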
Assurance
Penetration Testing – Offensive Security Exercises
► Network Security
  ► External
  ► Internal
  ► Wireless
  ► Segmentation validation
► Application Security
  ► Web application / frontend
  ► API/REST services / backend
  ► GraphQL
  ► Mobile applications (iOS/Android)
► Human Security
  ► Social engineering (phishing, vishing, smishing)
  ► USB drops, USPS delivery, piggybacking
  ► Trusted relationships
  ► Fraudulent domains
  ► Dumpster diving
Assurance
Penetration Testing – Offensive Security Exercises
► Reconnaissance/Weaponization – Identify sensitive data in the public domain and map an attack plan
  ► Search engines, DNS, WHOIS, social media, news/blogs, file metadata, vulnerability scanning, surveying
  ► Helps sanitize the organization's external footprint
► Delivery – Determine the effectiveness of human and border defenses
  ► Phishing, web application flaws, vulnerable network services, account brute force, piggybacking, wardriving
  ► Identify areas for retraining, remediation, patching, and hardening
Assurance
Penetration Testing – Offensive Security Exercises
► Exploitation – Determine the effectiveness of endpoint protections and security controls
  ► Execution of malicious payloads, SQL injection, cross-site scripting, physical network patching, USB data exfiltration, rogue access point creation
  ► Identify tooling and operational controls to detect and mitigate such attacks
► Installation/Command & Control – Can the attacker gain persistence?
  ► Establishing a network agent, creating user accounts, modifying boot records
  ► Identify solutions to limit administrative access, spot abnormal behavior or traffic, reduce the impact of an attacker, and prevent data exfiltration
Assurance
Penetration Testing – Offensive Security Exercises
► Actions on Objectives – Understand the severity of a compromise and operational weaknesses
  ► Controlled attack simulation to abuse or bypass network/access controls: escalate privileges, inappropriately access or exfiltrate data, attempt to move laterally and pivot into secured environments
  ► Identify opportunities to implement stricter access control/segmentation of data, solutions to secure key services/systems, and processes for securely backing up and storing data
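To show how the phases the exercises above probe (Delivery, Exploitation, Installation, Command & Control, Actions on Objectives) look from the defender's side, here is an added example that is not part of the Marcum deck. It runs a few simplified rules over a constructed event log (the hosts, usernames, addresses and timestamps are invented): a one-event rule set, a sliding-window brute-force detector for the Delivery phase, and a beacon detector for Command & Control, then reports the earliest phase at which the chain was visible.

```python
"""Map a constructed security-event log onto the kill-chain phases and find
the earliest point at which the chain was visible to the defender.
Added example, not code from the Marcum deck: hosts, users, addresses and
events are constructed, and the rules are simplified heuristics."""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed events: (ISO timestamp, host, event type, actor/source, detail)
SAMPLE_EVENTS = [
    ("2020-09-22T09:00:01", "mail-gw", "attachment", "ext@example.net", "invoice.docm"),
    ("2020-09-22T09:03:10", "ws-017", "process", "jdoe", "WINWORD.EXE -> powershell.exe"),
    ("2020-09-22T09:03:40", "ws-017", "account_created", "jdoe", "svc_backup"),
] + [  # PowerShell calling home once a minute
    ("2020-09-22T09:%02d:00" % m, "ws-017", "netconn", "203.0.113.10:443", "powershell.exe")
    for m in (4, 5, 6, 7, 8)
] + [  # password guessing against the file server's admin account
    ("2020-09-22T09:10:%02d" % s, "fs-01", "logon_failed", "198.51.100.7", "administrator")
    for s in (0, 7, 15, 22, 30, 38)
] + [
    ("2020-09-22T09:20:00", "fs-01", "logon", "svc_backup", "network logon from ws-017"),
    ("2020-09-22T09:25:00", "fs-01", "file_read", "svc_backup", "12000 files in 5 minutes"),
]


def when(event):
    return datetime.fromisoformat(event[0])


def phase_of_event(event, attacker_accounts):
    """Rules that need only one event.  attacker_accounts is mutated so that
    later logons by an account the intruder created count as lateral movement."""
    _, host, kind, actor, detail = event
    if kind == "attachment" and detail.lower().endswith((".docm", ".xlsm", ".hta", ".js")):
        return "Delivery", f"executable attachment {detail} delivered via {host}"
    if kind == "process" and "WINWORD" in detail and "powershell" in detail.lower():
        return "Exploitation", f"Office spawned PowerShell on {host}"
    if kind == "account_created":
        attacker_accounts.add(detail)
        return "Installation", f"{actor} created account {detail} on {host}"
    if kind == "logon" and actor in attacker_accounts:
        return "Actions on Objectives", f"attacker-created {actor} logged on to {host} ({detail})"
    if kind == "file_read" and actor in attacker_accounts:
        return "Actions on Objectives", f"bulk read by {actor} on {host}: {detail}"
    return None


def detect_bruteforce(events, threshold=5, window_s=60):
    """Sliding window per source: fire once when `threshold` failed logons
    fall within `window_s` seconds (the Delivery-phase 'account brute force')."""
    recent, hits = defaultdict(list), []
    for ev in sorted(events, key=when):
        if ev[2] != "logon_failed":
            continue
        t, src = when(ev), ev[3]
        recent[src] = [x for x in recent[src] if (t - x).total_seconds() <= window_s] + [t]
        if len(recent[src]) == threshold:
            hits.append(("Delivery", ev[0],
                         f"{threshold} failed logons from {src} against {ev[1]} within {window_s}s"))
    return hits


def detect_beacon(events, min_conns=4, max_jitter_s=5.0):
    """Outbound connections to one destination at near-constant intervals are
    the classic command-and-control beacon; jitter is the std-dev of the gaps."""
    by_dest, hits = defaultdict(list), []
    for ev in events:
        if ev[2] == "netconn":
            by_dest[(ev[1], ev[3])].append(when(ev))
    for (host, dest), times in by_dest.items():
        times.sort()
        if len(times) < min_conns:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_s:
            hits.append(("Command and Control", times[0].isoformat(),
                         f"{host} -> {dest} every ~{sum(gaps) / len(gaps):.0f}s, {len(times)} connections"))
    return hits


def kill_chain_report(events):
    """Return (findings sorted by time, phase of the first finding).  The first
    finding is where the chain could have been broken; everything after it is
    what an early response would have prevented."""
    attacker_accounts, findings = set(), []
    for ev in sorted(events, key=when):
        hit = phase_of_event(ev, attacker_accounts)
        if hit:
            findings.append((hit[0], ev[0], hit[1]))
    findings += detect_bruteforce(events) + detect_beacon(events)
    findings.sort(key=lambda f: f[1])
    return findings, (findings[0][0] if findings else None)


if __name__ == "__main__":
    report, first = kill_chain_report(SAMPLE_EVENTS)
    for phase, stamp, reason in report:
        print(f"{stamp}  {phase:<22} {reason}")
    print("chain first visible at:", first)
```

Running it prints the findings in time order; the first finding (the macro-enabled attachment at 09:00:01) is the point at which the chain could have been broken, and every later line is what the Response section's early detection would have prevented. The thresholds (five failures in sixty seconds, jitter under five seconds across at least four connections) are starting points to tune against your own logs, not universal values; real beacons add deliberate jitter, so the std-dev bound is the first thing an attacker will try to defeat.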
Compliance
Key to foiling the kill chain is anticipating the attacks. Compliance frameworks offer a well-rounded approach to securing every facet of your operation.
► Attackers often look for easy targets. If their reconnaissance quickly shows that your controls are comprehensive and consistently applied, they may move on and find someone easier to hack.
► Adopting a framework is the first step. Frameworks describe the controls that should be in place to keep you protected.
► Institutionalizing compliance, so that security awareness and oversight become part of organizational culture, is the ultimate goal.
Compliance
► There are many frameworks. Some you are required to implement, depending on your business and the data you hold, such as:
  ► Sarbanes-Oxley (public companies, financial reporting)
  ► ISO/IEC 27001 (corporate, banking; usually a contractual or customer requirement rather than a legal one)
  ► HIPAA (health information)
  ► PCI DSS (credit card and payments)
  ► NIST, FISMA (government and federal contractors)
  ► GDPR (and similar privacy regulations)
► And some that you can voluntarily adopt, such as Microsoft's framework
► Most frameworks cover similar territory and overlap, so picking a base framework and addressing any additional regulatory requirements specific to you keeps you covered
Compliance
► Compliance frameworks address threats by identifying all areas where risk must be mitigated (the control families below are the fourteen of NIST SP 800-171):
  ► Access Control
  ► Awareness and Training
  ► Audit and Accountability
  ► Configuration Management
  ► Identification and Authentication
  ► Incident Response
  ► Maintenance
  ► Media Protection
  ► Personnel Security
  ► Physical Protection
  ► Risk Assessment
  ► Security Assessment
  ► System and Communications Protection
  ► System and Information Integrity
► Maintaining a comprehensive security plan and regularly evaluating your protective measures against it, while staying informed about the latest threats and best practices, stops the chain in its tracks
Specialized Staff Augmentation
► Diverse backgrounds and capabilities
► Ability to integrate efficiently and offer immediate value
► Project-based and long-term offerings
  ► Security administration: readiness assessments for various frameworks, system configuration, testing and patching
  ► Security operations: environment monitoring, looking for and responding to anomalies
  ► Security architecture: identity and access management, endpoint security software, firewall design
  ► Malware analysis and remediation
  ► Security leadership: virtual CISO services, board and executive guidance, program development and strategy
► Internal resource training and development
► Reduced administrative overhead
► Custom-tailored program for your organization
Partnering with Marcum to Break the Kill Chain
► Training and Education
► Response
► Assurance
► Compliance
► Staff Augmentation
► Security Technology Solutions
► Managed Services
Questions?
Jeff Bernstein, Director, Cybersecurity and Data Privacy
Peter Campbell, Senior Strategic Consultant
Kevin Baker, Director, Digital Forensics
Chad Hudson, Director, Cybersecurity and Data Privacy
Jaike Hornreich, Director, Cybersecurity and Data Privacy
Fred Johnson, Vice President, Cybersecurity and Digital Forensics