Securing Organizational Credentials - Internet2 · 2019-03-27


Securing Organizational Credentials: New and Pervasive Cyber-Threats

Presenter: Kim Milford, Executive Director, REN-ISAC


THREATS


Ransomware


Business Email Compromise


REN-ISAC CSIRT Notifications, 12/31/2018 (bar chart; notification counts per malware family on a 0 to 2,000 scale):

• Dorkbot, 2015
• Nivdort, 2016
• Pushdo, 2007
• Fleercivet, 2014
• Kelihos, 2010
• ZeroAccess, 2013
• Ponmocup, 2006
• Gozi, 2013
• Bedep, 2015
• Conficker, 2008

CSIRT STATISTICS, 2018 COMPARED TO 2016


STOLEN CREDENTIALS


Stolen Credentials Used for Exfiltration


IMPACT


Password Dump Cleanup

• Parse out old domain names
• Run the list through a macro to see if the password composition meets current (enforced) password policy.
• Feed surviving credentials into a script that checks against the current authoritative credential store.
• Reset passwords on at-risk/exploited credentials and notify users
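As an added illustration of that four-step cleanup (example code, not from the slides or REN-ISAC), the following Python sketch filters a leaked user:password list by domain and policy, then compares the survivors against a credential store to find accounts that still use the leaked password. The dump lines, the live-domain set, the 12-character/three-class policy and the PBKDF2-SHA256 store are all constructed assumptions.

```python
import hashlib, hmac, os, re

# Constructed sample dump (user:password) and live domains; not real data.
DUMP_LINES = [
    "alice@example.edu:Winter2019!!",
    "bob@example.edu:short",
    "carol@example.edu:CorrectHorse9Battery",
    "dave@old-campus.example.edu:Spring2018!!",
    "unparseable record",
]
CURRENT_DOMAINS = {"example.edu"}

def meets_policy(pw: str) -> bool:
    """Assumed enforced policy: 12+ chars with upper, lower and digit."""
    checks = (len(pw) >= 12, re.search(r"[A-Z]", pw),
              re.search(r"[a-z]", pw), re.search(r"\d", pw))
    return all(bool(c) for c in checks)

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def make_store(accounts: dict) -> dict:
    """Constructed stand-in for the authoritative credential store."""
    salts = {u: os.urandom(16) for u in accounts}
    return {u: (salts[u], _hash(pw, salts[u])) for u, pw in accounts.items()}

# alice still uses the leaked password; carol has since changed hers.
STORE = make_store({"alice@example.edu": "Winter2019!!",
                    "carol@example.edu": "CorrectHorse9Staple"})

def triage_dump(lines, store, current_domains=CURRENT_DOMAINS) -> dict:
    """Apply the four cleanup steps and bucket each record by outcome."""
    out = {"stale_domain": [], "policy_fail": [], "no_match": [], "reset": []}
    for line in lines:
        if ":" not in line:
            continue                              # skip malformed records
        user, pw = line.split(":", 1)             # password may contain ':'
        if user.rpartition("@")[2].lower() not in current_domains:
            out["stale_domain"].append(user)      # step 1: old domain
        elif not meets_policy(pw):
            out["policy_fail"].append(user)       # step 2: cannot be current
        else:
            entry = store.get(user)               # step 3: check against store
            if entry and hmac.compare_digest(entry[1], _hash(pw, entry[0])):
                out["reset"].append(user)         # step 4: reset and notify
            else:
                out["no_match"].append(user)
    return out
```

Only the "reset" bucket needs action; the "no_match" bucket is still worth a notification if the user may have reused that password elsewhere.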

Stolen Credentials

• Underreported
• If reported at all, generally a long delay
• Risk is uncertain, depends on circumstances
  – Requires additional analysis

MITIGATION


Training and Education


Two Factor Authentication


Modlishka


MITM Mitigation

• User education
• U2F tokens
• Password managers
• Limit exposure, e.g., short timeouts for tokens
• Phishing page detection, e.g., Chrome extension
• Site authentication to the user
• Reduce the life of user accounts

Student Lifecycle (timeline figure, stages 0 to 6: Application, Admission, Enrollment; Student Accounts Granted)

Student Lifecycle

- Account disabled after 2 consecutive semesters of non-enrollment
- Account disabled 6 months after last enrolled semester, OnTrack account disabled 1 year after last enrolled semester
- Deactivated one term after student was last eligible to register, deleted one term after that
- Access retained for "things like unofficial transcripts and academic and employment information"; email deactivated after no attendance for a year

References

• 2018 Verizon Data Breach Investigations Report
  – https://enterprise.verizon.com/resources/reports/dbir/
• 2015 DHS Intelligence Assessment on Research and Education (R&E)
  – https://intellihub.com/wp-content/uploads/2015/02/DHS-UniversityCyberThreats.pdf
• March 2019: Wall Street Journal, “Chinese Hackers Target Universities in Pursuit of Maritime Military Secrets”
• FireEye Threat Report: APT40, Examining a China-Nexus Espionage Actor
  – https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html
• https://haveibeenpwned.com/