Lessons Learned from Avid Life Media Rob Davis, CISSP Founder – Critical Start CEO – Advanced Threat Analytics [email protected] 214-674-1748

Luncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob Davis



© 2015 Advanced Threat Analytics LLC

Things we all know already… but I am gonna say anyways

• Attacks are up
• Defense is down
• There are more vulnerabilities every year than the year before
• We’re still getting breached
• The media loves to talk about it
• We’re tired of them talking about it


The normal response to this information…


This slide is intentionally blank

Vendors that provide a bullet-proof solution…

No such thing


The Elephant in the Room

Corporate Alignment to Strategy to Mitigate Cybersecurity Risk

Inputs: People, Money, Time

Axes of the model: Business Impact, Risk Tolerance, Threat Landscape

Security posture levels (SecCon 01 through SecCon 05):

• Operational – Operational security; minimal resources and budget allocated.
• Industry Average – Use security practices that are typical for a given peer group and industry. Higher risk tolerance.
• Industry Best Practice – Use security practices that are best practice for their industry. Lower risk tolerance.
• Advanced – Goal is to detect and effectively respond to sophisticated, targeted cyber attacks.
• Compliance – Security is an outcome of compliance.

• Stored information in clear readable text
• Easily guessed passwords
• Did not limit access between networks
• Unable to identify the source of cybersecurity attack
• Failed to adequately restrict access of third-party vendors to its network and servers
• Failed to employ “reasonable measures to detect and prevent unauthorized access” to its computer network or to “conduct security investigations”
• Did not follow “proper incident response procedures”


FTC Chairwoman Edith Ramirez said in a statement that the decision “reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”


Avid Life Media - Key Metric Summary (All Properties)

Metric                  2013           2014           Change
Visits                  700,871,661    2,333,210,131  +233%
Unique Visitors         519,543,630    1,878,447,802  +271%
Signups                 7,146,172      9,726,537      +36%
Purchasing Members      1,913,521      2,562,425      +34%
Credits Used            120,284,398    173,226,994    +44%

Metric (US $’000,000)   2013   2014   Change
Revenue (GAAP)          $78    $114   +46%
EBITDA (Cash)           $34    $55    +61%

[Chart: Monthly Bookings, plotted monthly from 6/1/01 to 10/1/14; y-axis from $0 to $12,000,000]


Internal Document Around Areas of Concern

• Legal/Compliance
  – A programming bug or oversight leading us to lose our regulatory compliance status (storing sensitive authentication data, storing unencrypted credit card number, divulging PII)
  – A data leak resulting in a class action lawsuit against us.
• Data leak/theft issues
  – Internal users being infected with malware/viruses allowing hackers access to our user data.
  – Web app remote code exploit in our codebase resulting in a man-in-the-middle attack where a hacker gains access to our customers' billing/credit card information.
• System integrity
  – Web app SQL injection resulting in alteration of user data
  – Application code bug exploited to alter code and introduce malicious payload delivered to our customers
• Disclosure
  – Bad actor creating accounts on our sites, crawling search results and finding a method of correlating our users to their private lives (facial recognition, image metadata location coordinates, etc…)
  – Internal bad actor stealing customer data and exposing it in social media/blackmailing
  – Internal bad actor using a known/shared password to access customer data
  – A hacker/bad actor at New Relic gaining access to our customer data.
  – Third party billing partner getting hacked, exposing our customer list.


Administrative Passwords to Production Domain

Passwords to Production Domain

Passwords to Employee Domain

Beware of QA Systems, Default Passwords

Breach Doesn’t Mean Loss of Information

Microsoft has published a comprehensive whitepaper that contains mitigations and guidance called “Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques.”

NSA has a fantastic document on Windows Event log collection, including a section on detecting PtH from log data.

LAPS Tool from Microsoft: https://technet.microsoft.com/en-us/library/security/3062591.aspx

Simple Example of Attempting to Trick Users

• Notice that by default, macros are usually disabled.
• The document tries to create a sense of urgency by falsely claiming that the file is protected with an RSA key and requires the user to “Enable Content”.


Simple Example of Attempting to Trick Users

After the user enables the macro, the malicious Word document will display different content so the user believes the document has been decrypted.

Alert via iPhone App, Email, or SMS Text

From Alert to Investigation


Incident Response – Isolate Host Immediately

Incident Response – Real Time Investigation

The responder has a real time window into the isolated host – both on and off the corporate network.

Investigation of Host

Secondary Download – Uncategorized Traffic

http://anacornel.com/images/desene/united.exe

ATA Alerts – Breach Detection

• ATA Alerts is a custom branded list of queries to detect activity consistent with malware infections, malicious credential usage, and attackers using credentials to move laterally.
• ATA Query Feed examples shown are:
  o Attempts to add user to a system from the command line
  o Attempts to add users to a local group from the command line
  o Instances of SVCHOST running in an incorrect user context
  o Use of Sysinternals Tools
  o PSEXEC process on endpoints


Tracking All Unsigned Processes with NW Connections

• Constant tuning is required for any proactive security system to reduce false positives. ATA Security Analysts constantly tune queries using custom analytics and processes.
• In this example, whitelisted executables are posted using Threat Analytics Search Extension to the analysis process.
• After analysis, this whitelist information is sent to the Carbon Black server as a feed and also to the analytics system.
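The ATA query feed (user/group additions from the command line, SVCHOST in the wrong user context, Sysinternals and PsExec) and the unsigned-process-with-network-connection tracking are named on the slides but not shown. As an added illustration, not ATA's or Carbon Black's code, the Python below runs equivalent queries over constructed endpoint process events and applies an analyst-tuned whitelist so a vetted unsigned tool stops alerting. The hosts, users, events, whitelist contents, the set of legitimate svchost service accounts and the Sysinternals file names are all assumptions.

```python
import re
# Service accounts under which svchost.exe legitimately runs; any other user
# context (e.g. an interactive account) is treated as a masquerading process.
SVCHOST_USERS = {"nt authority\\system", "nt authority\\local service",
                 "nt authority\\network service"}
SYSINTERNALS = {"psexec.exe", "psexesvc.exe", "procdump.exe", "pslist.exe", "sdelete.exe"}
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+.*\s/add\b")
NET_GROUP_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+.*\s/add\b")

# Constructed sample endpoint events (not real telemetry): host, user context,
# image, code-signing state, network connection flag and command line.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jsmith", "image": "net.exe", "signed": True,
     "netconn": False, "cmdline": "net user backup_svc Passw0rd /add"},
    {"host": "ws01", "user": "CORP\\jsmith", "image": "net.exe", "signed": True,
     "netconn": False, "cmdline": "net localgroup administrators backup_svc /add"},
    {"host": "ws02", "user": "CORP\\jsmith", "image": "svchost.exe", "signed": True,
     "netconn": True, "cmdline": "svchost.exe -k netsvcs"},
    {"host": "srv01", "user": "NT AUTHORITY\\SYSTEM", "image": "svchost.exe", "signed": True,
     "netconn": True, "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws02", "user": "NT AUTHORITY\\SYSTEM", "image": "psexesvc.exe", "signed": True,
     "netconn": True, "cmdline": "psexesvc.exe"},
    {"host": "ws03", "user": "CORP\\abrown", "image": "united.exe", "signed": False,
     "netconn": True, "cmdline": "C:\\Users\\abrown\\AppData\\Local\\Temp\\united.exe"},
    {"host": "ws03", "user": "CORP\\abrown", "image": "inhouse-agent.exe", "signed": False,
     "netconn": True, "cmdline": "inhouse-agent.exe --sync"},
]
# Analyst-tuned whitelist (hypothetical): unsigned in-house tools vetted as benign.
WHITELIST = frozenset({"inhouse-agent.exe"})

def classify(ev, whitelist=frozenset()):
    """Return the names of every query the event matches (empty list if none)."""
    cmd, image, user = ev["cmdline"].lower(), ev["image"].lower(), ev["user"].lower()
    queries = {
        "user-add-cmdline": NET_USER_ADD.search(cmd) is not None,
        "localgroup-add-cmdline": NET_GROUP_ADD.search(cmd) is not None,
        "svchost-bad-context": image == "svchost.exe" and user not in SVCHOST_USERS,
        "sysinternals-tool": image in SYSINTERNALS,
        "psexec": image in ("psexec.exe", "psexesvc.exe"),
        "unsigned-netconn": not ev["signed"] and ev["netconn"] and image not in whitelist,
    }
    return [name for name, matched in queries.items() if matched]

def run_queries(events, whitelist=frozenset()):
    """Run every query over all events; returns {query: [(host, image), ...]}."""
    out = {}
    for ev in events:
        for name in classify(ev, whitelist):
            out.setdefault(name, []).append((ev["host"], ev["image"]))
    return out
```

Production deployments key the whitelist on file hash or signer rather than file name; the name-based set here is only to keep the example short.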


• Configuration and good security practices are critical for Active Directory security
  – Use proper segmentation and privileged account control
  – Don’t mix regular and administrative accounts
  – Disable or protect local administrative accounts; log privileged account successes/failures
• Initial breach is still overwhelmingly caused by exploits and malware missed by anti-virus – AV is dead, so don’t depend on it to protect against malware
• Don’t depend on IDS/IPS/Firewall to detect a breach – use next generation tools that use machine learning/statistics to detect breaches
• DO NOT USE PASSWORDS FOR REMOTE ACCESS
• From the FTC Lawsuit Against Wyndham, these items increase your liability:
  – Easily guessed passwords
  – Did not limit access between networks
  – Unable to identify the source of cybersecurity attack
  – Failure to adequately restrict access of third-party vendors to network and servers
  – Failed to employ “reasonable measures to detect and prevent unauthorized access”
  – Did not follow “proper incident response procedures”

Lessons Learned from Avid Life Media

www.advancedthreatanalytics.com

6860 North Dallas Pkwy, Suite 200 | Plano, TX | 75024

[email protected]