perma cyber threat brief
TRANSCRIPT
CYBER THREAT BRIEF
Andrew Dolan
Director of Stakeholder Engagement
The key cybersecurity resource for cyber threat prevention, protection, response and recovery for all U.S. State, Local, Tribal and
Territorial governments.
MS-ISAC Members include:
✓ All 56 US States and Territories
✓ All 78 federally recognized fusion centers
✓ More than 1,000 local governments, public education entities, and tribal nations
State, Local, Tribal, and Territorial
Cities, counties, towns, airports, public education, police departments, ports, transit associations, and more
WHO WE SERVE
WHY GOVERNMENT?
Criminals look for data...
...And governments have a lot of it!
Vulnerabilities
Content Management Systems
Plug-ins
Server
Web Programming Language
Phishing
✓ Well Written
✓ Appear Credible
✓ Enticing or Shocking Subject
✓ Apparent Trusted Source
TIME-TO-PATCH
% of Patched WordPress Instances following a WordPress Remote Code Execution Vulnerability (patch released 8/4/15)
Week 1: 54.6%
Week 2: 59.2%
Week 3: 61.4%
Week 4: 62.7%
Week 5: 64.7%
Week 6: 65.6%
WHO ARE BEHIND THE THREATS?
Hacktivists
Cyber Criminals
Nation States
HACKTIVISTS
Targeted
Opportunistic
Social, Political & Ideological Agenda
DDoS Attacks
Doxing
System Compromise
Web Defacements
From March to July 2015, Vikingdom claimed 74 DDoS attacks against state and local government websites in 34 states.
Serial DDoS Attacker: 10 successful DDoS attacks in March 2015
Social Media Bragger: Twitter, YouTube
Attacker of: Municipalities, gaming services, hospitals
Claim to Motivation: “Police abusing innocent victims”
CYBER CRIMINALS
Power & Control
Varying Expertise
Financial Motivation
Shifu
Zeus
Upatre/Dyre
Dridex
Ransomware
Prepaid debit credit database copied onto plastic cards with magnetic strips
36,000 transactions in 10 hours
Coordinated with “Cash Crews”
Emptied ATMs ACROSS THE WORLD
Preconfigured to eliminate withdrawal limits
Discovered through flashy purchases and social media
CRYPTOWALL – CRYPTOLOCKER – TESLACRYPT
✓ Phishing emails
✓ Attached zip file or straight executable
✓ Or Zeus infection
✓ Encrypts all personal files on local hard drive and file shares
✓ Demands $200-$600 for the decryption key
✓ Payment must be made within 72hrs-100hrs otherwise the decryption key is destroyed
NATION STATE ACTORS/APT
Intellectual Capital
Competitive Insight
Political Leverage
Cyber Warfare
UKRAINE’S CRITICAL INFRASTRUCTURE
Boryspil International Airport – Kiev, Ukraine
Power Grid Shut Down
80,000 customers lost power for 6 hours
BlackEnergy Malware IP Attributed to Russia
EVERYONE MAKES MISTAKES...
The trick is to learn from them!
24 X 7 SECURITY OPERATIONS CENTER
24/7 Support for:
✓ Network Monitoring Services
✓ Research and Analysis
24/7 Analysis & Monitoring of:
✓ Threats
✓ Vulnerabilities
✓ Attacks
24/7 Reporting:
✓ Cyber Alerts & Advisories
✓ Web Defacements
✓ Account Compromises
✓ Hacktivist Notifications
Central location to report any cybersecurity incident
Phone: 1-866-787-4722
Email: [email protected]
COMPUTER EMERGENCY RESPONSE TEAM (CERT)
✓ Incident Response (includes on-site assistance)
✓ Network & Web Application Vulnerability Assessments
✓ Malware Analysis
✓ Computer & Network Forensics
✓ Log Analysis
✓ Statistical Data Analysis
✓ Penetration Testing
To report an incident or request assistance:
Phone: 1-866-787-4722
Email: [email protected]
Any SLTT
MONITORING OF IP RANGE & DOMAIN SPACE
IP Monitoring
✓ IPs connecting to monitored malicious C&C
✓ Compromised IPs
✓ Indicators of compromise from the MS-ISAC network monitoring (Albert)
✓ Notifications from Spamhaus
Domain Monitoring
✓ Notifications on compromised user credentials
✓ Vulnerability Management Program (VMP)
Any SLTT
Send domains, IP ranges, and contact info to: [email protected]
WHAT CAN YOU DO?
✓ Patch!
✓ Training
✓ Backups
✓ Harden Systems
✓ Update Policies
✓ Compliance
✓ Scan Systems
✓ Encrypt Mobile Devices
NEW GOVERNMENTAL PRECEDENTS BEING SET