Post on 07-Dec-2021


Page 1: Achieve cyber resilience - pwccn.com

Achieve cyber resilience in today’s digital world with the HKMA CFI 2.0

Page 2: Achieve cyber resilience - pwccn.com

Table of contents

01 Reflection of the 2020 Threat Landscape
02 Key Root Causes Identified from Past Incident Response and iCAST Exercises
03 Summary of HKMA C-RAF 2.0 Requirements
04 Enhancing Your Cyber Defense Capability with TTP-based Cyber Defense Framework

Page 3: Achieve cyber resilience - pwccn.com

Reflection of the 2020 Threat Landscape

Page 4: Achieve cyber resilience - pwccn.com

Human-operated ransomware likely highest threat of 2020

Typical path of a human-operated ransomware attack

Automated and mass scale:
• Gain initial access and deploy using automated and opportunistic methods
• Phish employees and deploy malware to workstations
• Exploit known vulnerabilities in Internet-facing services

Key ‘Human-operated’:
• Compromise privileged accounts by exploiting common IT/AD hygiene issues
• Move laterally and establish footholds using common offensive security tools
• Exfiltrate sensitive data to attacker operated infrastructure
• Deploy ransomware as widely as possible to maximize impact

The number of ransomware actors leveraging access brokers like Emotet has grown dramatically in 2020, encouraged by the profits derived from high-profile attacks.

750+ organizations with data exposed as of September 2020

80% of data leakages on leak sites occurring since April 2020

Source: PwC Cyber Security: Responding to the growing threat of human-operated ransomware attacks

HKMA Cybersecurity Fortification Initiative 2.0 Webinar

DDoS for Extortion

Notable examples in 2020 include the New Zealand Stock Exchange, Indian bank YesBank, Paypal, Worldpay, and other financial institutions.

Extortion of financial services institutions by cybercriminals claiming to represent Fancy Bear and Armada Collective prior to attacks disrupting access to networks and online services.

Page 5: Achieve cyber resilience - pwccn.com

The four-fold rise in phishing events is due to the COVID-19 outbreak, as more people work and spend their leisure time at home.

The results of the unsophisticated but effective campaign:

933 email deliveries attempted
657 delivered (70% success rate)
48 links clicked (7% click rate)

Source: PwC’s FS Mass Phishing Study Data, Round 1: March-April 2019

Hong Kong Security Watch Report, 12 August 2020
Source: https://www.hkcert.org/watch-report/hong-kong-security-watch-report-q2-2020

Page 6: Achieve cyber resilience - pwccn.com

SolarWinds Supply Chain Compromise

On 13th December 2020, FireEye and Microsoft revealed that the SolarWinds supply chain had been compromised with an advanced backdoor called SUNBURST.

This backdoor will have been installed on any customers of SolarWinds’ Orion IT monitoring and management software for “all software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020”.

US authorities have claimed the operation to be “likely Russian in origin”.

Sectors affected: Government, Professional Services, Technology, Telecommunications, Education, Manufacturing, Financial Services, Defence, Healthcare

Regions affected: Americas, Europe, Asia, Middle East

Page 7: Achieve cyber resilience - pwccn.com

SolarWinds Supply Chain Compromise

Tip of the Iceberg
• Relatively early stage: expect more findings in the foreseeable future
• Copycats: sophisticated and successful attacks receiving media attention may inspire other actors such as ransomware operators to conduct software supply chain compromises

Multiple Entry Points
• Increase success rate and redundancy: only one infection vector is unlikely for an espionage operation of such scale and sophistication
• More supply chain risks: valid access of Microsoft cloud software resellers exploited in at least one case. NSA warned of VMware exploitation in early Dec.

Exercising Restraint
• Killswitch: deployed to most SolarWinds customers; focus on second stage payload only on high-value intended targets
• Intentionally targeted: unlike the NotPetya scenario, where supply chain compromise resulted in widespread disruption

Page 8: Achieve cyber resilience - pwccn.com

Key Root Causes Identified from Past Incident Response and iCAST Exercises

Page 9: Achieve cyber resilience - pwccn.com

Summary of common and recurring issues

We work across all sectors: from FS to telco to airline subsidiaries to Hong Kong-based international conglomerates.

What we have done: end-to-end incident response cycle, from containment to threat hunting to post-incident security uplift.

What we have learnt: rapid changes in technologies and remote working due to COVID-19 increased attack surfaces and new opportunities.

Ransomware: ransomware incidents became the most common and damaging.

Evolving tactics: threat actors are employing more manual hacking techniques during intrusion, only deploying ransomware at the final stages of their computer network exploitation.

Recurring threats: business email compromise remains a threat due to lack of interpersonal communications.

Page 10: Achieve cyber resilience - pwccn.com

Heatmap of MITRE ATT&CK techniques observed

Techniques shown per tactic (the slide colour-codes each technique by observed frequency; the per-technique colouring is not preserved in the transcript, only the technique names and the legend below):

Initial Access: Drive-by Compromise; Exploit Public-Facing Application; External Remote Services; Hardware Additions; Phishing; Replication Through Removable Media; Supply Chain Compromise; Trusted Relationship; Valid Accounts

Execution: Command and Scripting Interpreter; Exploitation for Client Execution; Inter-Process Communication; Native API; Scheduled Task/Job; Shared Modules; Software Deployment Tools; System Services; User Execution; Windows Management Instrumentation

Persistence: Account Manipulation; BITS Jobs; Boot or Logon Autostart Execution; Boot or Logon Initialization Scripts; Browser Extensions; Compromise Client Software Binary; Create Account; Create or Modify System Process; Event Triggered Execution; External Remote Services; Hijack Execution Flow; Implant Container Image; Office Application Startup; Pre-OS Boot; Scheduled Task/Job; Server Software Component; Traffic Signaling; Valid Accounts

Privilege Escalation: Abuse Elevation Control Mechanism; Access Token Manipulation; Boot or Logon Autostart Execution; Boot or Logon Initialization Scripts; Create or Modify System Process; Event Triggered Execution; Exploitation for Privilege Escalation; Group Policy Modification; Hijack Execution Flow; Process Injection; Scheduled Task/Job; Valid Accounts

Defense Evasion: Abuse Elevation Control Mechanism; Access Token Manipulation; BITS Jobs; Deobfuscate/Decode Files or Information; Direct Volume Access; Execution Guardrails; Exploitation for Defense Evasion; File and Directory Permissions Modification; Group Policy Modification; Hide Artifacts; Hijack Execution Flow; Impair Defenses; Indicator Removal on Host; Indirect Command Execution; Masquerading; Modify Authentication Process; Modify Cloud Compute Infrastructure; Modify Registry; Valid Accounts

Credential Access: Brute Force; Credentials from Password Stores; Exploitation for Credential Access; Forced Authentication; Input Capture; Man-in-the-Middle; Modify Authentication Process; Network Sniffing; OS Credential Dumping; Steal Application Access Token; Steal or Forge Kerberos Tickets; Steal Web Session Cookie; 2FA Interception; Unsecured Credentials

Discovery: Account Discovery; Application Window Discovery; Browser Bookmark Discovery; Cloud Service Dashboard; Cloud Service Discovery; Domain Trust Discovery; File and Directory Discovery; Network Service Scanning; Network Share Discovery; Network Sniffing; Password Policy Discovery; Peripheral Device Discovery; Permission Groups Discovery; Process Discovery; Query Registry; Remote System Discovery; Software Discovery; System Information Discovery; System Network Configuration Discovery

Lateral Movement: Exploitation of Remote Services; Internal Spearphishing; Lateral Tool Transfer; Remote Service Session Hijacking; Remote Services; Replication Through Removable Media; Software Deployment Tools; Taint Shared Content; Use Alternate Authentication Material

Collection: Archive Collected Data; Audio Capture; Automated Collection; Clipboard Data; Data from Cloud Storage Object; Data from Information Repositories; Data from Local System; Data from Network Shared Drive; Data from Removable Media; Data Staged; Email Collection; Input Capture; Man in the Browser; Man-in-the-Middle; Screen Capture; Video Capture

Command and Control: Application Layer Protocol; Communication Through Removable Media; Data Encoding; Data Obfuscation; Dynamic Resolution; Encrypted Channel; Fallback Channels; Ingress Tool Transfer; Multi-Stage Channels; Non-Application Layer Protocol; Non-Standard Port; Protocol Tunneling; Proxy; Remote Access Software; Traffic Signaling; Web Service

Exfiltration: Automated Exfiltration; Data Transfer Size Limits; Exfiltration Over Alternative Protocol; Exfiltration Over C2 Channel; Exfiltration Over Other Network Medium; Exfiltration Over Physical Medium; Exfiltration Over Web Service; Scheduled Transfer; Transfer Data to Cloud Account

Impact: Account Access Removal; Data Destruction; Data Encrypted for Impact; Data Manipulation; Defacement; Disk Wipe; Endpoint Denial of Service; Firmware Corruption; Inhibit System Recovery; Network Denial of Service; Resource Hijacking; Service Stop; System Shutdown/Reboot

Observed frequency legend: Occasionally, Sometimes, Common, Frequently

Page 11: Achieve cyber resilience - pwccn.com

We observed similar, recurring techniques and issues from iCAST 1.0

• Privileged account credentials not managed properly
• Inadequate controls to block malicious activities on endpoint
• Excessive privileges granted to service accounts
• Unprotected storage of confidential information
• Commonly used passwords for high-privileged accounts
• Insufficient network segregation
• Unpatched workstations or applications with exploitable vulnerabilities
• Inadequate protection against memory retrieval and pass-the-hash attacks
• Inconsistent SMB or RDP restrictions in OA network

Page 12: Achieve cyber resilience - pwccn.com

Lessons Learnt – What are the Recurring Patterns?

Flying under the radar
• Lack of security monitoring or blind spots: unattended network segment, legacy systems without logging, e.g. Linux servers
• Leverage remote access tools: backdooring servers with common remote control software, e.g. Anydesk
• Command and control: use of data sharing platforms for exfiltration to blend into normal IT operations

Abusing low-hanging fruits
• Over-privileged accounts: compromise of users with excessive administrative rights
• Network segmentation: lateral movement across network segments with little restriction
• Legacy systems: out-of-date systems that lack proper protection and detection mechanisms (Windows Server 2003!)

Breaking in via the front door
• External vulnerability: leaked credentials via vulnerability (e.g. Fortinet CVE-2018-13379, Pulse Secure CVE-2019-11510)
• Exposed administrative ports: password brute-force attack from the Internet against open RDP, SSH services
• Weak or leaked credentials: takeover of accounts by spraying common, or previously leaked, credentials

Page 13: Achieve cyber resilience - pwccn.com

Lessons Learnt – How Do We Tackle This Problem?

Know your business. Know your controls. Know your weaknesses. Know your limitations.

• What does my attack surface look like?
• Where are my crown jewels?
• What technology is the business using, and what are their associated risks?
• Who are my business partners, and how well are they protecting themselves?
• What is our oldest application in use?
• Are there blind spots in detection?
• Are the VIPs and privileged accounts being monitored?
• What is the degree of technical debt over legacy systems?
• Any prior leaked credentials, or known vulnerabilities?
• Do we have the right roles filled in the security team, both governance and operations?
• What appliances are there to detect suspicious activities in my network, host, cloud? What are their coverages?
• How good is our backup strategy?
• What is our vulnerability assessment and patching frequency?
• How fast can our security team react to an active threat?
• How fast can we get the patch window for our systems?
• What are the compensating controls for the legacy systems that cannot be patched soon?
• How are we monitoring for abuse of web traffic, e.g. to cloud data sharing platforms?
• Do we have enough licenses for our security appliances?

Page 14: Achieve cyber resilience - pwccn.com

Summary of HKMA C-RAF 2.0 Requirements

Page 15: Achieve cyber resilience - pwccn.com

Maturity Assessment – 7 Key Domains (04: Detection)

We embedded the lessons learnt from incident response as well as the learnings from iCAST 1.0 into the C-RAF Maturity Assessment.

~180 new or revised Control Principles, out of 482
106 totally new Control Principles

How to use C-RAF to prepare for advanced attacks

Page 16: Achieve cyber resilience - pwccn.com

Overview of Highlighted Changes and Good Practices Observed

Maturity Assessment – 7 Key Domains (04: Detection)

01
• Independence of CISO and Head of TRM
• Role-based training by SMEs
• Cyber defense enterprise architecture

02
• Threat modeling

03
• Intelligence-led vulnerability management
• Password strength checker

04
• 24x7 detection and response SOC/MDR
• EDR to detect behavioral-based attacks
• Orchestration of cyber defense tools
• Purple team to identify/eliminate blind spots

05
• Drills extending to management and business
• Properly test security controls and failover mechanism
• Clear KPIs / metrics to benchmark improvement
• Auto/self-healing

06
• Digital footprint intelligence

07
• Extend guiding principles to partners
• Involvement in security assessment to validate effectiveness of controls

Page 17: Achieve cyber resilience - pwccn.com

Recap on new requirements in iCAST 2.0

Threat-focused: reference MITRE ATT&CK TTPs; new TI Specialist role

Intelligent SOC & Cyber Defense: uplift Blue Team effectiveness in defense orchestration, incident response, cyber forensics, and remediation through 360 Degree Replay Workshop

Cyber resilience: extending to response and recovery; involve broader ecosystem if needed, e.g., partners

How to use iCAST to prepare for advanced attacks
• Do it iteratively and collaborate through Purple Team
• Be threat-focused and reference latest MITRE TTPs
• Cover holistically — the 7 C-RAF domains
• Validate the fixes and demonstrate impact
• Prioritize implementing quick-win fixes

Page 18: Achieve cyber resilience - pwccn.com

Enhancing Your Cyber Defense Capability with TTP-based Cyber Defense Framework

Page 19: Achieve cyber resilience - pwccn.com

Learning from Red Team exercises – Common challenges (Recap)

Abusing low-hanging fruits
• Insufficient clean up of low-hanging fruits
• Lack of processes / technology to prevent low-hanging fruits

Flying under the radar
• Lack of tools to provide telemetry for detection
• Lack of resources / expertise to identify and recognise the TTPs

Driving appropriate remediation – Getting more out of Red Team exercises

Know your crown jewels

Considering remediation depth (Depth)
• Is the fix comprehensive?
• Can this be consistently applied and maintained?
• Does it solve the root issue?

Look at other relevant vectors (Breadth)
• How far does the fix cover other possible relevant techniques?

Page 20: Achieve cyber resilience - pwccn.com

Driving remediation from red team results – Causing most pain for your attacker

Red Team results drive remediation against Tactics, Techniques and Procedures (“TTPs”).

TTP-based Indicators of Compromise
• The detection / protection fix should aim to work against the TTPs used

Indicators of Compromise (“IOCs”) with increasing pain for attackers (bottom of the pyramid to top):
Hash Values – Trivial
IP Addresses – Easy
Domain Names – Simple
Network/Host Artifacts – Annoying
Tools – Challenging
TTPs – Tough!

Source: David J Bianco “Pyramid of Pain”, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

Page 21: Achieve cyber resilience - pwccn.com

Driving remediation from red team results – Causing most pain for your attacker

Red Team: Successful execution of malicious macros. TTPs:
• Execution of call-back agent through Macro-based Document
• Use of Living-off-the-Land binaries

Legend: [symbol] Denotes a shortcut that may be used to gain access to continue testing; [symbol] Denotes the step that achieved an Objective

Attack-path diagram nodes (the connections between nodes are not preserved in the transcript): Simulated external attacker; Enumerate publicly available email addresses; Campaign 1 – Word Macro Document (DOC); Campaign 2 – Excel Spread Sheet Macro Document with tailored malware (XLS); User Laptop (user may report; SOC responded); Enumerate domain; Privilege Escalation on Server; Domain Admin; Password Hashes / Passwords Cracked; Database Admin; Database Server (SQL); Staging Server (STG); Collect target information on SharePoint; Targeted Server; Target: Modification privileges on Database Server

Page 22: Achieve cyber resilience - pwccn.com

Driving remediation from red team results – A typical red team situation

Red Team: Successful execution of malicious macros. TTPs:
• Execution of call-back agent through Macro-based Document
• Use of Living-off-the-Land binaries

Pyramid of Pain (Source: David J Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html): Hash Values – Trivial; IP Addresses – Easy; Domain Names – Simple; Network/Host Artifacts – Annoying; Tools – Challenging; TTPs – Tough!

Candidate fixes placed against the pyramid:
• Blocking hash of the excel file?
• Blocking of the IP addresses and domains?
• Artefacts created by the call-back?

Page 23: Achieve cyber resilience - pwccn.com

Driving remediation from red team results – A typical red team situation

Red Team: Successful execution of malicious macros

Pyramid of Pain (Source: David J Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html): Hash Values – Trivial; IP Addresses – Easy; Domain Names – Simple; Network/Host Artifacts – Annoying; Tools – Challenging; TTPs – Tough!

APP: Excel spawning a new application process
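The point of this slide, that an Office application spawning a new process is a TTP-level artefact while the hash of the Excel file sits at the trivial bottom of the pyramid, as a worked detection over process-creation telemetry. This is an added example, not code from the PwC slides or from any vendor: the host names, SHA-256 values, image paths and command lines are constructed, the parent/child lists are illustrative rather than a tuned production rule, and the event shape only loosely follows Sysmon Event ID 1 fields.

```python
"""Added example (not from the PwC slides): hash-blocklist vs. TTP-level
detection for 'Excel spawning a new application process'.
All events, hashes and host names below are constructed."""
from dataclasses import dataclass

# Office parents and the child images a document has no business starting.
# Constructed, deliberately short lists; a production rule is tuned per estate.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_OR_LOLBIN_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (shape loosely modelled on Sysmon EID 1)."""
    host: str
    parent_image: str
    image: str
    command_line: str
    document_sha256: str  # hash of the document open in the parent (constructed)


def image_name(path):
    """Normalise a full image path to its lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hash_blocklist_hit(event, blocklist):
    """Bottom of the pyramid: matches only the exact file already seen."""
    return event.document_sha256.lower() in blocklist


def office_spawn_hit(event):
    """TTP-level rule: an Office application starting a script interpreter or
    LOLBin. Independent of file hash, domain and IP, so a re-saved document
    or fresh call-back infrastructure does not evade it."""
    return (image_name(event.parent_image) in OFFICE_PARENTS
            and image_name(event.image) in SCRIPT_OR_LOLBIN_CHILDREN)


def triage(events, blocklist):
    """Return (host, child image, hash_hit, ttp_hit) for every flagged event."""
    findings = []
    for ev in events:
        h, t = hash_blocklist_hit(ev, blocklist), office_spawn_hit(ev)
        if h or t:
            findings.append((ev.host, image_name(ev.image), h, t))
    return findings


# Constructed sample telemetry: the first campaign's document, the same macro
# re-saved into a new file (new hash), and two benign spawns for comparison.
KNOWN_BAD_DOC = "a" * 64   # placeholder SHA-256 of the campaign's XLS
REBUILT_DOC = "b" * 64     # same macro, re-saved: different hash
OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    ProcessEvent("WS-0101", OFFICE16 + r"\EXCEL.EXE", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c powershell.exe -w hidden", KNOWN_BAD_DOC),
    ProcessEvent("WS-0207", OFFICE16 + r"\EXCEL.EXE", PS,
                 "powershell.exe -w hidden", REBUILT_DOC),
    ProcessEvent("WS-0311", OFFICE16 + r"\WINWORD.EXE", r"C:\Windows\splwow64.exe",
                 "splwow64.exe 12288", "c" * 64),          # print helper, benign
    ProcessEvent("WS-0412", r"C:\Windows\explorer.exe", PS,
                 "powershell.exe -File backup.ps1", "d" * 64),  # not an Office parent
]

BLOCKLIST = {KNOWN_BAD_DOC}


if __name__ == "__main__":
    for host, child, h, t in triage(SAMPLE_EVENTS, BLOCKLIST):
        print(f"{host}: {child:<15} hash_blocklist={h!s:<5} office_spawn={t}")
```

Running the block flags both Excel hosts, but the re-saved document on WS-0207 is missed by the hash blocklist and caught only by the parent/child rule, which is the pyramid's point in practice. Before such a rule goes to production it needs an allow-list of legitimate Office children (print helpers, updaters, add-in hosts) so that the two benign events above stay quiet without weakening the rule.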

Page 24: Achieve cyber resilience - pwccn.com

Interpreting your red team results – How about depth?

A typical TTPs coverage from a red team exercise (the slide repeats the ATT&CK matrix of page 10, highlighting the techniques the exercise covered; the highlighting is not preserved in the transcript)

How to gain more?
• 360 Workshop – Get more first hand information from red teamers
• Purple Teaming – Extend to more TTPs within MITRE ATT&CK
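The question this slide raises, how much of the observed ATT&CK heatmap a red team exercise actually touched and which techniques a purple team should take on next, as an added example that is not part of the PwC slides. Tactic and technique names follow the page-10 matrix, but the observed-frequency values and the set of techniques the red team exercised are constructed for the demo, since neither the heatmap colouring nor the page-24 highlighting survives in the transcript.

```python
"""Added example (not from the PwC slides): score red-team TTP coverage
against an observed-technique heatmap and derive a purple-team backlog.
Frequency values and the tested set are constructed."""

# Rank the slide's four frequency bands so they can be compared.
FREQUENCY_RANK = {"Occasionally": 0, "Sometimes": 1, "Common": 2, "Frequently": 3}

# Constructed excerpt of the page-10 heatmap: tactic -> {technique: frequency}.
# Technique names are the slide's; the frequency values are illustrative.
OBSERVED = {
    "Initial Access": {
        "Phishing": "Frequently",
        "Valid Accounts": "Frequently",
        "Exploit Public-Facing Application": "Common",
        "External Remote Services": "Sometimes",
    },
    "Execution": {
        "User Execution": "Frequently",
        "Command and Scripting Interpreter": "Frequently",
        "Windows Management Instrumentation": "Sometimes",
    },
    "Credential Access": {
        "OS Credential Dumping": "Frequently",
        "Brute Force": "Common",
        "Unsecured Credentials": "Occasionally",
    },
    "Lateral Movement": {
        "Remote Services": "Frequently",
        "Use Alternate Authentication Material": "Common",
    },
    "Command and Control": {
        "Remote Access Software": "Common",
        "Web Service": "Sometimes",
    },
}

# Constructed: the techniques a macro-document campaign like the one on
# page 21 exercised end to end (phish -> macro -> credential dump -> lateral).
RED_TEAM_TESTED = {
    "Phishing", "User Execution", "Command and Scripting Interpreter",
    "OS Credential Dumping", "Remote Services",
}


def coverage(observed, tested):
    """Per tactic: (techniques the red team exercised, techniques observed)."""
    return {tactic: (len(set(techs) & tested), len(techs))
            for tactic, techs in observed.items()}


def overall_ratio(observed, tested):
    """Exercised and observed technique counts summed over all tactics."""
    per_tactic = coverage(observed, tested).values()
    return sum(t for t, _ in per_tactic), sum(n for _, n in per_tactic)


def purple_team_backlog(observed, tested, min_frequency="Common"):
    """Observed-but-untested techniques at or above min_frequency, most
    frequent first; ties ordered by tactic then technique for stable output."""
    threshold = FREQUENCY_RANK[min_frequency]
    rows = [
        (FREQUENCY_RANK[freq], tactic, tech)
        for tactic, techs in observed.items()
        for tech, freq in techs.items()
        if tech not in tested and FREQUENCY_RANK[freq] >= threshold
    ]
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return [(tactic, tech) for _, tactic, tech in rows]


if __name__ == "__main__":
    for tactic, (hit, total) in coverage(OBSERVED, RED_TEAM_TESTED).items():
        print(f"{tactic:<20} {hit}/{total} observed techniques exercised")
    print("Purple team backlog (Common or above):")
    for tactic, tech in purple_team_backlog(OBSERVED, RED_TEAM_TESTED):
        print(f"  {tactic}: {tech}")
```

With the constructed data the single macro campaign exercises 5 of 14 observed techniques and leaves Command and Control untouched; the backlog puts the frequently observed but untested Valid Accounts first, which is the kind of prioritisation a 360 Replay Workshop or purple-team cycle would take into its next iteration. Feeding the real heatmap and the real red-team TTP list into the same two structures is the only change needed for a production version.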

Page 25: Achieve cyber resilience - pwccn.com

Interpreting your red team results – How to continuously improve your defences

Red Team Results – Remediation against simulated TTPs. Use the 360 Replay Workshop to get more depth and breadth!

Continual improvement exercises – Use Purple Team to target more TTPs to add

Threat Intelligence – Understand TTPs from Threat Intelligence

Holistic Cyber Defence

Page 26: Achieve cyber resilience - pwccn.com

Get in touch with us

Kenneth Wong – Cybersecurity and Privacy Leader, Risk Assurance, Asia Pacific and Mainland China/Hong Kong – +852 2289 2719 – [email protected]
Felix Kan – Partner – +852 2289 1970 – [email protected]
Jenius Shieh – Senior Manager – +852 2289 2086 – [email protected]
Luca Berni – Manager – +852 2289 2938 – [email protected]
Jason Lee – Manager – +852 2289 2084 – [email protected]

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

© 2021 PricewaterhouseCoopers Limited. All rights reserved. PwC refers to the Hong Kong member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.