The modern security lifecycle approach
Challenges, defense concepts, our solutions
Cyber Security Day, Bucharest, 29 Oct, 2014
Teodor Cimpoesu, Cyber Security BU Director
How CSOs think of their networks
What the reality looks like – overwhelmed by bots
Agenda
1. Outside your cyber walls (7 min)
2. Defense – military imported cyber concepts (5 min)
3. Solutions – CSIRT and Managed Services (8 min)
Outside your cyber walls
Cyber threats evolution (ordered by danger and complexity)
• Freelance hackers
• Small criminal groups
• Terrorist groups
• Cyber espionage
• Organized crime
• Nation-state cyber attacks
• Kinetic cyber-attacks
Examples: Agent.btz (2008), Aurora (2010), Energetic Bear (2012), Flame (2012), Uroburos (2014)
Examples: Chevron (1992), Gazprom (1999), Stuxnet (2010), Aramco (2012)
5% true targeted attacks; 95% are consumer-grade.
RU, RO, LT, UA and other EE countries mainly focus on attacking financial institutions.
Cybercrime Ecosystem
Actors: 70% individuals or small groups, 20% criminal organizations, 5% cyber-terrorists, 4% state-sponsored players.
Most quantity: CN, Latin America, EE. Best quality: RU, UA, CN.
$100 mil – the FBI takedown of Silk Road led to the seizure of $100 mil in Bitcoins.
$50k – in 2009 it cost $50k to rent a botnet for a 24h DDoS attack. Prices went down.
$150 bln – the cost of traditional crime going cyber is over 150 billion, with the total estimated at 250 billion.
Forms of criminal organization: Gang, Crime Group, Crime Organization, Syndicate, Cartel, Consortium
Source: RAND Corporation, Markets for Cybercrime Tools and Stolen Data (2014), www.rand.org
Goods and Services on the Black Market
(Table: Category / Definition / Examples – the rows were not captured in this extraction.)
Vendors offer guarantees (e.g. malware undetectable for 12h), enforce Terms of Use (e.g. infect 1000 machines only) or may cancel the service (for too much noise). They also invest in high-quality products: Paunch, the BlackHole exploit kit owner, was said to put in 100k USD for zero-days in just one round.
Source: RAND Corporation, Markets for Cybercrime Tools and Stolen Data (2014), www.rand.org
Goods and Services on the Black Market
(Table: Exploit Kit / Price / Year – the rows were not captured in this extraction.)
Source: RAND Corporation, Markets for Cybercrime Tools and Stolen Data (2014), www.rand.org
Nation-state campaigns (attacker / targets / initial vector & delivery / control & persistence)
Aurora / Hydraq (2010)
• Attacker: Chinese (supposed) – Elderwood Group / PLA Unit 61398 / Comment Crew
• Targets: Google, Adobe, Juniper, Yahoo, Symantec, Morgan Stanley
• Initial vector / delivery: IE JavaScript exploit (3 months old). Spear phishing / watering hole suspected.
• Control / persistence: Backdoor masquerading as SSL, with custom encryption; dynamic DNS.
Night Dragon (2011)
• Attacker: Chinese (supposed); one attacker identified as being from Shandong Province
• Targets: Global oil & gas, energy and petrochemical companies
• Initial vector / delivery: SQL-injection exploits of extranet web servers; malware placed on the server and used to harvest AD. Spear-phishing e-mail to mobile workers' laptops containing a malicious link (social engineering).
• Control / persistence: RAT (zwShell) on the users' computers/laptops, connection over the user VPN. Dropper + backdoor.
RSA (2011)
• Attacker: Chinese (supposed)
• Targets: RSA SecurID, then Lockheed Martin, L-3 Communications, Northrop Grumman
• Initial vector / delivery: Spear-phishing e-mail – Excel with SWF exploit. Stolen account (Lockheed).
• Control / persistence: Poison Ivy RAT. No other info available. Lockheed claims it stopped it.
Red October (2012)
• Attacker: Russian (supposed); possible links with Uroburos/Snake
• Targets: Government, diplomatic, trade, nuclear, oil & gas, military, aerospace
• Initial vector / delivery: Spear-phishing e-mail with Excel and Word (RTF) exploits > dropper > loader
• Control / persistence: Multi-functional framework (34+ modules)
Energetic Bear (2014)
• Attacker: Russian (supposed)
• Targets: Defense & aviation (US, CA), energy ICS / SCADA vendors (EU), EU governments
• Initial vector / delivery: Spear-phishing e-mail campaign (XDP-packaged PDF with SWF exploit); watering hole – 3rd-party site with LightsOut exploit kit -> JAR; trojanized software installers
• Control / persistence: Havex RAT, Sysmain Trojan, Karagany backdoor
Strategies of attack
Matryoshka Attack
• Encompass a victim in a general event that conceals a targeted attack, e.g. known botnet attacks. Additionally, the attacker can mount a social-engineering attack in parallel as a decoy. Forensics may turn up this obvious targeted attack and thus overlook the lower-profile, still potent botnet.
Impossible Attack
• Characterized by unexpected methods or channels of entry. The deception strategy is to breach a security perimeter through an unconventional means of ingress.
Panic Attack
• Create disturbances or simulate threats to the victim to obtain intelligence about a target resource.
• The deployment of additional monitoring in certain parts of the network reveals the location of high-value assets. The quarantine or shutdown of suspect machines, changes to compromised user accounts, or the incorporation of custom intrusion detection rules reveal the extent of the victim’s knowledge about the attack. The provision of alternative computing infrastructure reveals the critical services required by the organization’s operation.
Deceive & Decoy Attack
• Conceals adversarial activity or stolen data within a legitimate or benign-looking context. High-value assets are typically exfiltrated by obfuscating the data through compression or encryption, and concealing it among common file transfer protocols such as FTP or HTTP, over popular application protocols, or hidden in legitimate-looking documents (through steganographic means).
Source: “Sherlock Holmes and The Case of the Advanced Persistent Threat”, Ari Juels, Ting-Fang Yen, RSA (2012)
Exfiltration – should keep you up at night
• Encrypted communication
• Over trusted protocols
• Can you change your security policy?
Source: TrendMicro Labs
Today
“There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don’t know it” – Gartner Inc. (2012)
Source: Gartner whitepaper, “Malware Is Already Inside Your Organization; Deal With It” (2014)
CEE Cyber Security Readiness
Source: ICT Business Trends & Challenges in Austria, CEE and Turkey, Pierre Audoin Consultants (2014)
Chart 1 – “We have the best protection for … external attacks / … disruptions and data loss” (answers: Highly Agree / Agree / Depends). Values as extracted from the chart, in order: 38%, 37%, 47%, 44%, 13%, 16%.
Chart 2 – “We had 3rd-party vulnerability assessments in the last 3 years”, by country: Austria, Czech Republic, Hungary, Poland, Romania, Slovakia, Turkey, Total. Values as extracted, in the same order: 57%, 50%, 50%, 45%, 38%, 34%, 46%, 46%.
Companies do not regularly check their security standing and hope for the best.
Military Imported cyber security concepts
The Terms
Exploit – the defined way (specific steps/application) to use a vulnerability in practice, to breach a system. The exploit range can be local or remote.
Zero-Day Vulnerability – a vulnerability for which there is no patch (solution/countermeasure) from the vendor of the system or application.
Zero-Day Exploit – the actual means to use that vulnerability.
Attack – the realization of a threat, through the means of exploits on existing vulnerabilities.
Attack vector – the method that the (exploit) code uses to breach or propagate. A vulnerability can have several attack vectors.
Attack surface – the sum of all attack vectors.
Impact – financial and non-financial loss estimate = the value of services, capabilities, data etc. lost after a threat materializes into an attack (considering cyber attacks, not accidents).
Controls – mechanisms used to restrain, regulate, or reduce vulnerabilities. Controls can be corrective, detective, preventive, or deterrent.
Stages
1. Intelligence gathering – OSINT, CYBINT, HUMINT
2. Infecting the target – SE, BYOD, spear phishing, watering hole
3. System exploitation – zero-day exploits, half-day exploits + RATs
4. Internal recon – lateral movement and maintaining control
5. Data exfiltration – over FTP/HTTP, known/fake protocols
Military concepts in cyber use
• Kill Chain
• OPSEC
• Cyber Terrain
• Targeting
• Threat Intelligence
• Disinformation / Diversion
Cyber Terrain – those physical and logical elements of the domain that enable mission-essential warfighting functions.
OPSEC – a systematic method used to identify, control and protect critical information, and to analyze friendly actions associated with military operations.
Targeting – the process of selecting and prioritizing targets and matching them against the appropriate response.
Disinformation / Diversion – actions executed to deliberately mislead the adversary’s military. False targets such as honeypots can be used to learn about the adversary.
Threat Intelligence – a complex doctrine, consisting of planning, collection, analysis, dissemination & integration, and evaluation of data.
The Kill Chain
Find → Fix → Track → Target → Engage → Assess
Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Eric M. Hutchins et al. Image: http://www.digitalbond.com/blog/tag/cyber-kill-chain/
Intelligence-driven Computer Network Defense
Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Eric M. Hutchins et al.
The Defense Chain
Plan → Build → Monitor → Detect → Respond → Report → Improve
Plan – what to protect: what are your assets, policies, what type of protective controls.
Build – acquire competencies, build skills and specialists, acquire tools (after the teams). Implement the solutions in your company.
Monitor – operate the technical solutions, have operational NSM/SIEM systems, perform reviews and drills (incident response exercises).
Detect – check the output of the monitoring systems, validate the alerts and do proactive searches for IoA (indicators of attack).
Respond – exercise the incident response plans; investigate, contain and remediate.
Report – gather information, analyze it, communicate it to the right people.
Improve – keep the tools, procedures and processes in a maturing loop.
Source: http://detect-respond.blogspot.ro/2014/10/the-defense-chain.html
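The Detect step above (proactive search for indicators of attack) and the earlier exfiltration slide (encrypted traffic over trusted protocols) come together in a hunt over proxy logs. The following is an added example, not code from the presentation or the Defense Chain post: it looks for large, one-sided uploads to destinations that few internal hosts talk to, and checks whether those uploads recur at regular intervals, which is how a RAT phoning home tends to look. The log format, host names, IP addresses and thresholds are all constructed for the example; the allowlist of known upload sinks plays the role of the "security policy" the slide asks about.

```python
"""Exfiltration hunt over proxy logs: large one-way uploads to rare destinations.

Added example; not code from the presentation. Log format, addresses,
hosts and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed proxy log lines: time src_ip method dst_host dst_port bytes_out=.. bytes_in=..
LOG_LINES = """\
2014-10-29T09:00:01 10.1.4.22 GET  www.example-news.com 80  bytes_out=900   bytes_in=48000
2014-10-29T09:01:10 10.1.4.22 POST mail.example-corp.com 443 bytes_out=24000 bytes_in=3000
2014-10-29T09:02:30 10.1.4.22 POST cdn-sync.example-update.net 443 bytes_out=26214400 bytes_in=600
2014-10-29T09:12:31 10.1.4.22 POST cdn-sync.example-update.net 443 bytes_out=26214400 bytes_in=600
2014-10-29T09:22:33 10.1.4.22 POST cdn-sync.example-update.net 443 bytes_out=26214400 bytes_in=600
2014-10-29T09:03:00 10.1.7.15 GET  www.example-news.com 80  bytes_out=700   bytes_in=51000
2014-10-29T09:04:00 10.1.7.15 POST mail.example-corp.com 443 bytes_out=31000 bytes_in=2800
2014-10-29T09:05:00 10.1.9.40 PUT  backup.example-corp.com 443 bytes_out=41943040 bytes_in=900
2014-10-29T09:06:00 10.1.9.41 PUT  backup.example-corp.com 443 bytes_out=39000000 bytes_in=900
2014-10-29T09:07:00 10.1.2.5 PUT  files.example-share.com 443 bytes_out=15728640 bytes_in=500
2014-10-29T09:08:00 10.1.2.6 PUT  files.example-share.com 443 bytes_out=15728640 bytes_in=500
2014-10-29T09:09:00 10.1.2.7 PUT  files.example-share.com 443 bytes_out=15728640 bytes_in=500
"""

# Constructed policy: destinations where large one-way uploads are expected.
ALLOWED_UPLOAD_SINKS = {"backup.example-corp.com"}
MIN_UPLOAD_BYTES = 10 * 1024 * 1024   # 10 MiB aggregated per (source, destination)
MIN_OUT_IN_RATIO = 20.0               # uploads dwarf downloads
RARE_MAX_SOURCES = 2                  # destination seen from at most this many hosts


@dataclass
class Finding:
    src: str
    host: str
    bytes_out: int
    ratio: float
    sources: int
    periodic: bool


def parse(lines: str) -> List[dict]:
    """Split each constructed log line into a dict; key=value fields come last."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, port, *kv = line.split()
        extra = dict(item.split("=", 1) for item in kv)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "method": method, "host": host, "port": int(port),
            "out": int(extra["bytes_out"]), "in": int(extra["bytes_in"]),
        })
    return events


def is_periodic(times: List[datetime], max_jitter: float = 0.1) -> bool:
    """True when the gaps between successive events are nearly equal (beacon-like)."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return False
    mean = sum(gaps) / len(gaps)
    return mean > 0 and (max(gaps) - min(gaps)) / mean <= max_jitter


def hunt(lines: str = LOG_LINES) -> List[Finding]:
    """Aggregate per (source, destination) and apply the volume, direction,
    rarity and policy filters; returns one Finding per suspicious pair."""
    events = parse(lines)
    pairs: Dict[Tuple[str, str], List[dict]] = defaultdict(list)
    sources_per_host: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        pairs[(e["src"], e["host"])].append(e)
        sources_per_host[e["host"]].add(e["src"])

    findings = []
    for (src, host), evs in pairs.items():
        out = sum(e["out"] for e in evs)
        inn = sum(e["in"] for e in evs)
        ratio = out / max(inn, 1)
        if host in ALLOWED_UPLOAD_SINKS:
            continue                      # policy: known business destination
        if out < MIN_UPLOAD_BYTES or ratio < MIN_OUT_IN_RATIO:
            continue                      # volume or direction not suspicious
        if len(sources_per_host[host]) > RARE_MAX_SOURCES:
            continue                      # widely used destination, not rare
        findings.append(Finding(src, host, out, round(ratio, 1),
                                len(sources_per_host[host]),
                                is_periodic([e["ts"] for e in evs])))
    return findings


if __name__ == "__main__":
    for f in hunt():
        print(f)
```

On the constructed input only the 10.1.4.22 to cdn-sync.example-update.net pair survives every filter: the backup server is allowlisted by policy, the file-share host is contacted by too many internal machines to count as rare, and the mail uploads are far below the volume threshold. The periodic flag is what turns a volume anomaly into something worth pulling the endpoint for, since a user uploading a file does not repeat it every ten minutes to the second.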
Step 1 – Risk Management
• Risk Assessment
  • Asset Management – asset values, asset exposure
  • Threat Modeling – threat vectors
• Attack Centric
  • Attack Modeling – attack trees, scenarios
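Attack trees are where the asset, threat-vector and control inputs of this step meet. The following is an added example, not code from the presentation or from Opel's attack-tree tool: it evaluates a small AND/OR tree for the cheapest attacker path, then re-evaluates it with a set of controls applied, so the risk review can see which path a control actually closes and which one it merely shifts the attacker onto. The scenario follows the five stages listed earlier (foothold, lateral movement and control, exfiltration); the tree, the leaf costs and the control factors are constructed, not measured values.

```python
"""Attack-tree evaluation: cheapest attacker path, and how controls shift it.

Added example for the risk-management step; not code from the presentation
or from Opel's tool. Tree, costs and control factors are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"          # "AND", "OR" or "LEAF"
    cost: float = 0.0           # attacker effort for a LEAF (constructed units)
    children: List["Node"] = field(default_factory=list)


def leaf(name: str, cost: float) -> Node:
    return Node(name, "LEAF", cost)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Return (minimum attacker cost, leaves on that path) for a subtree.

    AND nodes need every child, so costs add; OR nodes need any one child,
    so the attacker is assumed to pick the cheapest.
    """
    if node.kind == "LEAF":
        return node.cost, [node.name]
    paths = [cheapest(c) for c in node.children]
    if node.kind == "AND":
        return sum(p[0] for p in paths), [n for p in paths for n in p[1]]
    if node.kind == "OR":
        return min(paths, key=lambda p: p[0])
    raise ValueError(f"unknown node kind {node.kind!r}")


def with_controls(node: Node, controls: Dict[str, float]) -> Node:
    """Copy the tree, multiplying each named leaf's cost by its control factor.

    A factor > 1 models a control that makes that step harder; the structure
    is unchanged, so the attacker keeps the same options.
    """
    if node.kind == "LEAF":
        return leaf(node.name, node.cost * controls.get(node.name, 1.0))
    return Node(node.name, node.kind, 0.0,
                [with_controls(c, controls) for c in node.children])


# Constructed scenario: foothold, lateral movement / control, exfiltration.
TREE = Node("Exfiltrate customer database", "AND", children=[
    Node("Gain foothold", "OR", children=[
        leaf("spear-phishing e-mail with document exploit", 3),
        leaf("watering hole on supplier site", 8),
        leaf("SQL injection on extranet web server", 5),
    ]),
    Node("Move laterally and maintain control", "AND", children=[
        leaf("harvest AD credentials", 4),
        leaf("install RAT with C2 over user VPN", 2),
    ]),
    Node("Exfiltrate data", "OR", children=[
        leaf("encrypted upload over HTTPS", 1),
        leaf("compressed archive over FTP", 2),
    ]),
])

# Constructed control factors: how much harder each leaf becomes.
CONTROLS = {
    "spear-phishing e-mail with document exploit": 3,   # mail sandboxing, user training
    "SQL injection on extranet web server": 4,          # parameterised queries, WAF
    "encrypted upload over HTTPS": 5,                   # egress proxy with TLS inspection
    "compressed archive over FTP": 10,                  # FTP blocked at the perimeter
}


def compare(tree: Node = TREE, controls: Dict[str, float] = CONTROLS):
    """Cheapest path before and after the controls, for a risk-review discussion."""
    return cheapest(tree), cheapest(with_controls(tree, controls))


if __name__ == "__main__":
    before, after = compare()
    print("before controls:", before)
    print("after controls: ", after)
```

Before the controls the cheapest path costs 10 and goes through the phishing leaf; after them it costs 19 and goes through the watering hole, a leaf no control touched. That is the point of running the tree rather than scoring controls one by one: the lateral-movement branch was left alone, so it still costs 6, and the next review should ask whether credential harvesting deserves a control of its own.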
Solutions – CSIRT and Managed Services
Why use Managed Services
1. Fast track to legal/regulatory compliance and risk management
2. Import of skills and capabilities – the specialists you wished you had
3. Focus your IT resources on support for core processes and competencies
4. Smarter investment – all those technologies are yours, as a service
5. Smarter execution – translating large upfront costs into operational costs
6. Build solid trust for solid quality – you have a commercial contract, not HR
What we do
Technology Solutions – complete cyber defense projects: Cisco, Juniper, FireEye, IBM, Symantec, Websense, SkyBox, Microsoft, BAE Systems, Rapid7 and others.
MSSP Portfolio – Security Consulting, Audit & Pentest, Security Management, Managed Network Security, Managed Endpoint Security, Network Security Monitoring.
Training: EC-Council, (ISC)², ISACA, Mile2, Mandiant, CompTIA+, Microsoft, Cisco, Fortinet and others.
UTI CERT – Incident Response, Data Forensics, Malware Analysis & more.
Managed Security Service Provider & CERT
SOC: Monitoring (SIEM), Network Security, Communication Security, Data Security
Managed Services: Endpoint Security, Alerting Services, Incident Handling, Vulnerability Handling, Vulnerability Analysis
CSIRT: Malware Analysis, Data Forensics, Threat Intelligence, Advanced Correlation, Cyber Investigation, Special Projects, Research & Development
Special Services: Vulnerability Assessment, Security Validation (Pentesting), Security Policy Design, Consulting, Network Security Design
What we can do for you
1. Help do a proper risk evaluation and update your cyber policy
2. Test and validate the technical vulnerabilities – in the key points
3. Implement the right security controls with the best technologies
4. Monitor the security for you, or help you do it right (SIEM based)
5. Be your SWAT team when an incident strikes – do Incident Response
6. Be your Investigator – if you may be the target of cyber-espionage
CSIRT Services
Security Management
• Risk Analysis
• Security Consulting
• Security Validation
• Education/Training
• BC & DR Plans
Proactive Services
• Announcements
• Technology Watch
• Configuration Management
• Network Security Management
• Intrusion Detection Services
• Security Tools Development
• Security Analytics
Reactive Services
• Alerts and warnings
• Incident Handling – incident analysis; IR on site, support, coordination
• Vulnerability Handling – vulnerability analysis; vulnerability response, coordination
• Data Forensics – artifact analysis; DF response, coordination
Referenced/Quoted Material
• RAND Corporation, “Markets for Cybercrime Tools and Stolen Data – Hackers’ Bazaar” (2014)
• IBM, “IBM X-Force Threat Intelligence Quarterly, 3Q 2014” (2014)
• RSA, “The Current State of Cybercrime 2014 – An Inside Look at the Changing Threat Landscape” (2014)
• SANS Institute, “Critical Security Controls: From Adoption to Implementation” (2014)
• CrowdStrike, “Global Threat Report – 2013 Year in Review” (2014)
• Aditya Sood, Richard Enbody, “Targeted Cyber Attacks – Multi-stage Attacks Driven by Exploits and Malware”, Elsevier (2014)
• Jason Luttgens, Matthew Pepe, Kevin Mandia, “Incident Response and Computer Forensics – 3rd edition”, McGraw-Hill Education (2014)
• Symantec, “Dragonfly: Cyberespionage Attacks Against Energy Suppliers” (2014)
• Kaspersky Lab, “‘Red October’ Diplomatic Cyber Attacks Investigation” (2013)
• IBM, “IT Executive Guide to Security Intelligence – Transitioning from Log Management and SIEM to Comprehensive Security Intelligence” (2013)
• DarkReading, “Top 15 Indicators of Compromise” (2013)
• Ari Juels, Ting-Fang Yen, RSA, “Sherlock Holmes and The Case of the Advanced Persistent Threat” (2012)
• McAfee, “Global Energy Cyberattacks: ‘Night Dragon’” (2011)
• Eric M. Hutchins et al., Lockheed Martin, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” (2011)
• HBGary, “Operation Aurora” (2010)
• Alexander Opel, “Design and Implementation of a Support Tool for Attack Trees” (2005)