Defending the Academy
Maintaining stakeholder confidence and trust in a changing digital world
Revision 004 / 09 October 2018
Christian Schreiber, CISM, PMP
Global Pursuit Specialist - FireEye
Introductions
©2018 FireEye | Private & Confidential
Personal background
20+ years IT and security experience
• CISO positions: The University of Arizona, University of Wisconsin – Whitewater
• IT leadership: University of Wisconsin – Madison, Central Michigan University
• Service provider leadership: SunGard Data Systems / Ellucian
FireEye roles
• Global Pursuit Specialist with focus on universities / public sector
• Program Executive supporting University of California System since 2016
Who is FireEye? Unique visibility across attack lifecycle
Adversary Intelligence: deploying global researchers with local knowledge
• 22 countries
• 30+ languages
• 150+ analysts & researchers
Machine Intelligence: generating attack telemetry globally
• 15,000+ network sensors
• Millions of endpoints and email mailboxes
• 56 countries
• Performing tens of millions of malware detonations per hour
Victim Intelligence: responding to the most significant breaches
• 13+ years investigative expertise
• 200+ of the Fortune 500
• 26 countries with consultants
Campaign Intelligence: witnessing attacks as they unfold
• 7 Security Operations Centers
• 4M+ monitored endpoints
• 120K+ analyst investigations*
• 7 new attack groups identified*
* 2017 Managed Defense statistics
More than 40% of R1 institutions are FireEye customers
Frequently consulted for cybersecurity insights
What is the world’s deadliest animal?
The mosquito kills more humans each year than any other animal*
Approximate human deaths per year, by animal (values from the chart on this slide):
Mosquito: 830,000
Human: 580,000
Snake: 60,000
Sandfly: 24,200
Dog: 17,400
Kissing bug: 8,000
Freshwater snail: 4,400
Tsetse fly: 3,500
Scorpion: 3,500
Ascaris roundworm: 2,700
Tapeworm: 1,600
Crocodile: 1,000
Hippopotamus: 500
Elephant: 100
Lion: 100
Bee: 60
Tiger: 50
Jellyfish: 40
Wolf: 10
Shark: 6
* Ramsey, Lisa. “The world’s deadliest animal isn’t a shark or even a human.” Business Insider, 25 April 2017. Available online at http://www.businessinsider.com/bill-gates-mosquitoes-deadliest-animals-2017-4
Macro trends impacting higher education
Sophistication of attackers
“The line between certain financial attackers and state-sponsored attackers no longer exists.”
* Mandiant M-Trends 2017
* Image accessed online from http://www.dailymail.co.uk/news/article-2198755/Herbie-Goes-For-Sale-Iconic-VW-Beetle-grabs-asking-price-96-000-youd-want-fully-loaded.html
Resurgence of self-propagating malware
Spread using network worms
Exploit known vulnerabilities
Non-IT leaders more aware of cyber issues
Stakeholders asking more questions about cybersecurity posture
• Boards
• Presidents / Chancellors
• Provosts / Deans
• Donors / Alumni
• Research sponsors
• Auditors
Research sponsors adding cybersecurity requirements
Controlled Unclassified Information (CUI) / NIST 800-171
Information security rests on three properties: Confidentiality, Integrity, Availability
Most people associate cybersecurity with CONFIDENTIALITY
Sponsors also care about AVAILABILITY and INTEGRITY of data
CUI impact not limited to research
Institutions have “legal obligations to protect student information used in the administration of the Title IV Federal student financial aid programs.”
“NIST SP 800-171 identifies recommended requirements for ensuring the appropriate long-term security of certain Federal information in the possession of institutions.”
US Department of Education notices GEN-15-18 and GEN-16-12
Expectations for due diligence beginning to solidify
George W Bush
• Designation and Sharing of Controlled Unclassified Information (CUI) (07 May 2008)
Barack Obama
• Executive Order 13556 – Controlled Unclassified Information (04 Nov 2010)
• Executive Order 13636 – Improving Critical Infrastructure Cybersecurity (12 Feb 2013)
Donald J Trump
• Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (11 May 2017)
Guidance consistent across three administrations
Understanding advanced attacks
What do we mean by an “advanced attack?”
It’s a “who” not a “what”
• There is a human at the keyboard
• Performing highly tailored and customized attacks
• Targeted at YOU
Professional, organized, well funded
• Attackers escalate sophistication of their tactics as needed
• They remain relentlessly focused on their objective
If you kick them out, they WILL return
• They have specific objectives
• Their goal can be long-term or short-term
• They use persistence tools and tactics to ensure ongoing access
Difficult to fully investigate once detected
What the customer thought they had contained
What was actually happening in their network
46% of compromises don’t use malware*
* Mandiant M-Trends 2016
APT35 (Newscaster) Case Study*
Attack lifecycle stages: Initial Recon, Initial Compromise, Establish Foothold, Escalate Privileges, Internal Recon, Lateral Movement, Maintain Presence, Complete Mission
Observed activity across the lifecycle:
• Recon: identify users of interest (executives, R&D, etc.)
• Spear phishing email with link to malicious resume on compromised (legitimate) website
• PUPYRAT & BROKEYOLK to steal user’s credentials and maintain persistence
• Use custom Mimikatz to steal additional credentials from 500+ remote hosts
• Use O365 admin tools to assign read access for targeted inboxes to a single compromised account
• Logon to Outlook Web Access using compromised account to harvest data from hundreds of target inboxes
• Logon to VPN using stolen credentials (no additional backdoors deployed by attacker)
• Use extracted data to target other (partner) organizations for destructive attacks
* Mandiant M-Trends 2018
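The O365 step in this case study leaves a trail of its own: every grant of mailbox access is an administrative action recorded in the tenant's admin audit log, so a single account quietly accumulating access to many inboxes is detectable even when no malware is involved. The Python below is an added example written for this page, not FireEye or Mandiant tooling. It runs over constructed sample records and flags any grantee given access to three or more distinct mailboxes within a sliding one-day window. The record layout it assumes (Operation, CreationTime, UserId and a Parameters list of Name/Value pairs) is a simplification modelled on Exchange admin-audit entries; account names, mailboxes and timestamps are invented.

```python
"""Flag one account being granted access to many mailboxes.

Added example for the APT35 step "use O365 admin tools to assign read
access for targeted inboxes to a single compromised account". Record
field names are an assumption modelled on Exchange admin-audit entries
in unified audit log exports; adapt parse_delegation() to your export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real tenant data): an admin account grants
# FullAccess on four executive mailboxes to "jdoe" within minutes, plus
# two ordinary assistant delegations two days apart and one unrelated
# cmdlet, none of which should fire.
SAMPLE_RECORDS = [
    {"CreationTime": "2018-09-03T02:11:04", "Operation": "Add-MailboxPermission",
     "UserId": "cloudadmin@univ.example",
     "Parameters": [{"Name": "Identity", "Value": "provost@univ.example"},
                    {"Name": "User", "Value": "jdoe@univ.example"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"CreationTime": "2018-09-03T02:12:30", "Operation": "Add-MailboxPermission",
     "UserId": "cloudadmin@univ.example",
     "Parameters": [{"Name": "Identity", "Value": "cfo@univ.example"},
                    {"Name": "User", "Value": "jdoe@univ.example"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"CreationTime": "2018-09-03T02:13:51", "Operation": "Add-MailboxPermission",
     "UserId": "cloudadmin@univ.example",
     "Parameters": [{"Name": "Identity", "Value": "vpresearch@univ.example"},
                    {"Name": "User", "Value": "jdoe@univ.example"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"CreationTime": "2018-09-03T02:15:09", "Operation": "Add-MailboxPermission",
     "UserId": "cloudadmin@univ.example",
     "Parameters": [{"Name": "Identity", "Value": "dean.eng@univ.example"},
                    {"Name": "User", "Value": "jdoe@univ.example"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"CreationTime": "2018-09-03T09:30:00", "Operation": "Set-CASMailbox",
     "UserId": "cloudadmin@univ.example",
     "Parameters": [{"Name": "Identity", "Value": "jdoe@univ.example"},
                    {"Name": "OWAEnabled", "Value": "True"}]},
    {"CreationTime": "2018-09-03T14:02:11", "Operation": "Add-MailboxPermission",
     "UserId": "helpdesk@univ.example",
     "Parameters": [{"Name": "Identity", "Value": "dean.eng@univ.example"},
                    {"Name": "User", "Value": "assistant@univ.example"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"CreationTime": "2018-09-05T10:00:00", "Operation": "Add-MailboxPermission",
     "UserId": "helpdesk@univ.example",
     "Parameters": [{"Name": "Identity", "Value": "provost@univ.example"},
                    {"Name": "User", "Value": "assistant@univ.example"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
]


def parse_delegation(record):
    """Return (time, grantee, mailbox, rights) for a mailbox-permission
    grant, or None for any other record."""
    if record.get("Operation") != "Add-MailboxPermission":
        return None
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    if "User" not in params or "Identity" not in params:
        return None
    when = datetime.strptime(record["CreationTime"], "%Y-%m-%dT%H:%M:%S")
    return when, params["User"].lower(), params["Identity"].lower(), params.get("AccessRights", "")


def find_mass_delegations(records, threshold=3, window=timedelta(hours=24)):
    """Return {grantee: sorted mailboxes} for every grantee given access to
    at least `threshold` distinct mailboxes inside any sliding `window`.
    One-off delegations (an assistant, a shared mailbox) stay below the
    threshold; a harvesting setup like APT35's does not."""
    events = sorted(e for e in map(parse_delegation, records) if e)
    by_grantee = defaultdict(list)
    for when, grantee, mailbox, _rights in events:
        by_grantee[grantee].append((when, mailbox))
    hits = defaultdict(set)
    for grantee, grants in by_grantee.items():
        recent = deque()                      # grants inside the current window
        for when, mailbox in grants:
            recent.append((when, mailbox))
            while when - recent[0][0] > window:   # expire grants older than the window
                recent.popleft()
            distinct = {m for _, m in recent}
            if len(distinct) >= threshold:
                hits[grantee].update(distinct)
    return {g: sorted(m) for g, m in hits.items()}


if __name__ == "__main__":
    for grantee, mailboxes in find_mass_delegations(SAMPLE_RECORDS).items():
        print(f"ALERT: {grantee} granted access to {len(mailboxes)} mailboxes: {', '.join(mailboxes)}")
```

Tune `threshold` and `window` to the tenant's normal delegation rate, and enrich each alert with the admin account that ran the cmdlet (the `UserId` field) and the grantee's account age; a recently created or rarely used grantee collecting executive mailboxes is the pattern this case study describes.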
Social engineering primary method of entry
Email phishing
Social media
Telephone / Chat
Stolen credentials primary method of data exfiltration
Exploit authorized access by stealing legitimate credentials
Use cloud services to exfiltrate data
Once a target, always a target*
56% of Incident Response customers experienced a significant attack by the same or a similarly motivated attack group within 19 months
49% of customers who had at least one significant attack were successfully attacked again within one year
86% of customers who had more than one significant attack had more than one unique attacker in their environment
* Mandiant M-Trends 2018
Do advanced attacks really impact higher education?
“To run their spying campaign, the [Chinese] attackers used a number of compromised computer systems registered to universities in North Carolina, Arizona, Wisconsin and New Mexico…”*
* Perlroth, Nicole. “Hackers in China Attacked the Time for Last 4 Months.” 31 January 2013. Available online.
Iranian credential harvesting targeting universities
9 charged with data theft
• Hacked 8,000 professors at 320 universities
• 144 U.S. universities were victims
Leveraged multiple techniques
• Spear phishing
• Password spray attacks
Attackers did not stop once exposed
• Silent Librarian attackers charged in March 2018, but attacks still ongoing as of August 2018
• 76 additional targeted universities in 14 countries since indictment
* Accessed online from https://www.zdnet.com/article/iran-hackers-target-70-universities-in-14-countries/
Many threat groups target higher education
FireEye customers targeted by multiple threat groups, by industry*
[Bar chart: number of different threat groups (0–7) per industry. Industries shown: Non-Profit, Government, Business and Professional Services, Transportation and Logistics, Other, Financial, Energy, Biotechnology and Pharmaceuticals, Retail and Hospitality, Media and Entertainment, Healthcare, Manufacturing, Construction and Engineering, Education, Telecommunications, High Tech]
* Mandiant M-Trends 2018
Why target higher education
Why target higher education? FINANCIAL GAIN
Personal information theft
Intellectual property theft
Financial fraud
Payment extortion
Why target higher education? DISRUPT OPERATIONS
Data destruction
Denial of Service
Hacktivism
Why target higher education? EXPLOIT INFRASTRUCTURE
Pass through attacks
Resource hijacking
Watering hole attacks
Why target higher education? GEOPOLITICAL OBJECTIVES
Steal personal information
Steal intellectual property
Monitor individuals
Why target higher education? CREDENTIAL THEFT
Allows attackers to hide in plain sight (VPN, email, etc.)
Enables access to resources otherwise unavailable (library resources, discounts, etc.)
Exploring security concepts
Some common Defense-in-Depth analogies
Network
Platform
Application
Data
What do these analogies have in common?
They describe methods of PREVENTING attackers from reaching your assets
Why are messages focused on prevention problematic?
No technical solution can prevent all attacks all the time
There will always be bad actors looking to exploit that security gap
Asymmetric Threat
Mitigate risk with a cyber resilience strategy
Prevent Incidents
• Identify threats early to help prevent a security incident
Reduce Impact
• Disrupt the attack chain and act to mitigate damage
Improve Efficiencies
• Make better use of your resources
Adopt a comprehensive framework to guide your program
Identify
Protect
Detect
Respond
Recover
* The five core functions of the NIST Cybersecurity Framework (CSF). They are defined by the CSF itself, not by NIST SP 800-171, which is the CUI control catalog referenced earlier in this deck.
Change your narrative when describing security goals
Art museum vs Castle
• Museums must protect valuable assets
• ...while creating an open, welcoming environment
• ...and allowing visitors within inches of the assets
Underlying security goals are different
Castle Analogy
• GOAL: Protect assets by preventing attackers from gaining entry
Museum Analogy
• GOAL: Protect assets while enabling visitors to gain entry
A museum cannot succeed if visitors have a difficult time gaining access
Key assets are treated differently
Castle Analogy
• GOAL: Most valuable assets are isolated, making them difficult for attackers to reach
Museum Analogy
• GOAL: Most valuable assets are highlighted, making them easier for visitors to reach
Visitors are encouraged to visit the most important assets in a museum
Monitoring is approached differently
Castle Analogy
• GOAL: Cover the perimeter thoroughly
• Focus on preventing bad actors from gaining access
Museum Analogy
• GOAL: Cover the interior thoroughly
• Focus on preventing bad actors from exploiting access
Museums must assume bad actors can act from inside the perimeter
How does a museum approach breach resilience?
Identify
• Maintain accurate inventory
• Identify visitors (tickets / passes)
• Employee background checks
Protect
• Implement physical barriers to protect high-risk assets
• Limit visitor flow to specific entry points
• Implement additional visitor checkpoints around high-risk collections
Detect
• Pervasive monitoring (cameras, motion sensors)
• Apply intelligence with AI, facial recognition, etc.
• Deploy guards to monitor visitor activity
Respond
• Empower guards to respond to threats
• On-demand protective barriers
• Fire / smoke suppression systems
Recover
• Insurance
• Escalation to law enforcement
• Tracking devices to locate objects
* Images accessed online from http://www.montel.com/en/markets/museum-mobile-shelving-storage/museums, https://www.louvre.fr/en/security-officer, https://www.asmag.com/showpost/13890.aspx and https://www.smithsonianmag.com/smart-news/professor-helps-bust-italian-art-theft-ring-180963563/
Building a cyber resilience strategy
Where should you focus limited resources?
Identify
Protect
Detect
Respond
Recover
Balance your investment and strategies
DETECTION, RESPONSE, & RECOVERY are often less robust
Identify
Maintain inventory of your data assets
“If we guard our toothbrushes and diamonds with equal zeal, we’ll lose fewer toothbrushes and more diamonds.” – McGeorge Bundy
Understand your regulations
Map data assets to regulations
Map regulations to your security framework
Don’t let new regulations distract from your strategy
* Accessed online from http://themetapicture.com/i-get-easily-distracted/
Understand your security responsibilities
"Security and Compliance is a shared responsibility between AWS and the customer…”*
Providers help secure underlying components, but you are ultimately responsible for securing your data.
* Amazon AWS. “Shared Responsibility Model.” Available online at https://aws.amazon.com/compliance/shared-responsibility-model/
Protect
Operationalize your security efforts
Incorporate security into daily processes
Cannot delegate to security team
Continuously train your stakeholders
Require at ALL levels of the organization
Everyone understands role and responsibilities
Maintain your technology with good hygiene
Patch in a timely manner
Use supported OS versions
Implement comprehensive malware prevention
Strengthen your architecture
Separate what’s truly public from what should be internal
Risk-based network segmentation
Role-based data segregation
Strengthen your authentication
Use credential and privilege management tools
Use multi-factor authentication
Authenticate DEVICES that connect to your networks
Detect
Respond
Extend your visibility across the enterprise
Implement monitoring and detection tools at trust boundaries
Ensure availability and integrity of logs
Strengthen your detection and response capabilities
Don’t rely on prevention alone
Limit attacker dwell time
Practice regularly (e.g. table top drills)
Recover
Engage your leadership before a crisis occurs
Evaluate potential value of cyber insurance
Implement proactive incident response retainers
Identify and train crisis response team members
Maintain your business continuity and recovery plans
Determine your risk tolerance
• E.g. are hot/cold standby sites needed?
Restore from backup when cost effective (and no regulatory issue)
Test your backup/recovery processes, tools, and procedures
* Image accessed online from https://www.canada15edgedatacenters.com/good-info-on-backup-disaster-recovery/
Report your Progress
Maintain your metrics and share with stakeholders
Provide answers, not alerts
What we learned today
You cannot prevent all attacks all the time
You can describe your goals differently
You can mitigate risk with cyber resilience
Identify
Protect
Detect
Respond
Recover
You can avoid chasing every new regulation
You can show you’re better than you were yesterday!
Questions?
Thank you!