The modern security lifecycle approach Challenges, defense concepts, our solutions Cyber Security Day, Bucharest, 29 Oct, 2014 Teodor Cimpoesu, Cyber Security BU Director


Page 1:

The modern security lifecycle approach

Challenges, defense concepts, our solutions

Cyber Security Day, Bucharest, 29 Oct, 2014

Teodor Cimpoesu, Cyber Security BU Director

Page 2:

How CSOs think of their networks

Page 3:

What the reality looks like – overwhelmed by bots

Page 4:

Agenda

1 Outside your cyber walls – 7 min

2 Defense – military imported cyber concepts – 5 min

3 Solutions – CSIRT and Managed Services – 8 min

Page 5:

1 Outside your cyber walls

Page 6:

Cyber threats evolution (axes: Danger, Complexity)

Freelance hackers → Small criminal groups → Terrorist groups → Cyber espionage → Organized crime → Nation-state cyber attacks → Kinetic cyber-attacks

Examples: Agent.Btz (2008), Aurora (2010), Energetic Bear (2012), Flame (2012), Uroburos (2014)

Examples: Chevron (1992), Gazprom (1999), Stuxnet (2010), Aramco (2012)

Page 7:

Cybercrime Ecosystem

5% true targeted attacks; 95% are consumer-grade

70% individuals or small groups; 20% criminal organizations; 5% cyber-terrorists; 4% state-sponsored players

Most quantity: CN, Latin America, EE. Best quality: RU, UA, CN.

RU, RO, LT, UA, and other EE mainly focus on attacking financial institutions.

$100 mil – FBI takedown of SilkRoad led to seizing of $100 mil in Bitcoins

$50k – In 2009 it cost $50k to rent a botnet for a DDoS attack of 24h. Prices went down.

$150 bln – The cost of traditional crime going cyber is over 150 billion, and total estimate at 250 billion

Page 8:

Gang, Crime Group, Crime Organization, Syndicate, Cartel, Consortium

Source: RAND Corporation, Markets for Cybercrime Tools and Stolen Data (2014), www.rand.org

Page 9:

Goods and Services on the Black Market

(Table with columns Category / Definition / Examples; cell contents not in the transcript.)

Vendors offer guarantees (e.g. malware undetectable for 12h), enforce Terms of Use (e.g. infect only 1000 machines) or may cancel the service (for too much noise). They also invest in high-quality products: Paunch, the owner of the BlackHole exploit kit, was said to put 100k USD into zero-days in just one round.

Source: RAND Corporation, Markets for Cybercrime Tools and Stolen Data (2014), www.rand.org

Page 10:

Goods and Services on the Black Market

(Table with columns Exploit Kit / Price / Year; cell contents not in the transcript.)

Source: RAND Corporation, Markets for Cybercrime Tools and Stolen Data (2014), www.rand.org

Page 11:

Nation-state campaigns (columns: Attacker / Targets / Initial vector & Delivery / Control & Persistence)

Aurora / Hydraq (2010)
Attacker: Chinese (supposed) – Elderwood Group / PLA Unit 61398 / Comment Crew
Targets: Google, Adobe, Juniper, Yahoo, Symantec, Morgan Stanley
Initial vector / Delivery: IE JavaScript exploit (3 months old). Spear phish / watering hole suspected.
Control / Persistence: Backdoor, masq. SSL with custom encryption; Dynamic DNS.

Night Dragon (2011)
Attacker: Chinese (supposed); one attacker identified as being from Shandong Province
Targets: Global Oil&Gas, energy and petrochemical
Initial vector / Delivery: SQL-injection exploits of extranet web servers; malware placed on the server and used to harvest AD. Spear-phishing e-mail to mobile worker laptops containing a malicious link (social engineering).
Control / Persistence: RAT (zwShell) on the users' computers/laptops, connection over user VPN. Dropper + backdoor.

RSA (2011)
Attacker: Chinese (supposed)
Targets: RSA SecurID, then Lockheed Martin, L-3 Communications, Northrop Grumman
Initial vector / Delivery: Spear phishing email – Excel with SWF exploit; stolen account (Lockheed)
Control / Persistence: Poison Ivy RAT. No other info available. Lockheed claims it stopped it.

RedOctober (2012)
Attacker: Russian (supposed); possible links with Uroburos/Snake
Targets: Gov, Diplomatic, Trade, Nuclear, Oil&Gas, Military, Aerospace
Initial vector / Delivery: Spear phishing email with Excel and Word (RTF) exploits > Dropper > Loader
Control / Persistence: Multi-functional framework (34+ modules)

Energetic Bear (2014)
Attacker: Russian (supposed)
Targets: Defense & aviation (US, CA), energy ICS / SCADA vendors (EU), EU Gov
Initial vector / Delivery: Spear phishing email campaign (XDP packaged PDF with SWF exploit); Watering hole – 3rd party site with LightsOut exploit kit -> JAR; Trojanized software installers
Control / Persistence: Havex RAT, Sysmain Trojan, Karagany backdoor

Page 12:

Strategies of attack

Matryoshka Attack

• Encompass a victim in a general event that conceals a targeted attack, e.g. known botnet attacks. Additionally, the attacker can mount a social-engineering attack in parallel as a decoy. Forensics may turn up this obvious targeted attack and thus overlook the lower-profile, still potent botnet

Impossible Attack

• Characterized by unexpected methods or channels of entry. The deception strategy is to breach a security perimeter through an unconventional means of ingress.

Panic Attack

• Create disturbances or simulate threats to the victim to obtain intelligence about a target resource.

• The deployment of additional monitoring in certain parts of the network reveals the location of high-value assets. The quarantine or shutdown of suspect machines, changes to compromised user accounts, or the incorporation of custom intrusion detection rules, reveal the extent of the victim’s knowledge about the attack. The provision of alternative computing infrastructure reveals critical services required by the organization’s operation.

Deceive&Decoy Attack

• Conceals adversarial activity or stolen data within a legitimate or benign-looking context. High-value assets are typically exfiltrated by obfuscating the data through compression or encryption, and concealing it among common file transfer protocols such as FTP or HTTP, over popular application protocols, or hidden in legitimate-looking documents (through steganographic means).

Source: “Sherlock Holmes and The Case of the Advanced Persistent Threat”, Ari Juels, Ting-Fang Yen, RSA (2012)

Page 13:

Exfiltration – should keep you up at night

• Encrypted communication

• Over trusted protocols

• Can you change your security policy?

Source: TrendMicro Labs
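Pages 12 and 13 make the same point from the defender's side: stolen data is compressed or encrypted and then leaves over trusted protocols such as FTP or HTTP. The Python below is an added example, not code from the slides or from the presenter's company, of the kind of triage check a monitoring team can run over sampled outbound transfers; the record schema, host names/addresses and payloads are assumed and constructed.

```python
"""Flag outbound transfers that look like concealed exfiltration (added example).
Compressed or encrypted bytes approach 8 bits/byte of Shannon entropy, so an
opaque body declared as text/form data, a large opaque upload to a never-seen
host, or opaque content over cleartext FTP deserves an analyst's look.
All records, payloads and hosts below are constructed samples."""
import math
import random
from collections import Counter

ENTROPY_THRESHOLD = 7.5          # bits/byte; encrypted or compressed data is ~7.9+
LARGE_UPLOAD_BYTES = 256 * 1024  # declared size above which an unknown host matters
TEXT_TYPES = ("text/", "application/x-www-form-urlencoded", "application/json")

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def upload_alerts(rec: dict) -> list:
    """Reasons to escalate one transfer record; [] if it looks benign.
    Assumed schema: dst, proto ('http'|'ftp'), direction ('in'|'out'),
    content_type, body (sampled bytes), size (declared bytes), known_dst."""
    if rec["direction"] != "out":
        return []
    ent = shannon_entropy(rec["body"])
    reasons = []
    if ent >= ENTROPY_THRESHOLD:
        if rec["content_type"].startswith(TEXT_TYPES):
            reasons.append(f"opaque body ({ent:.2f} b/B) declared {rec['content_type']}")
        if rec["size"] >= LARGE_UPLOAD_BYTES and not rec["known_dst"]:
            reasons.append(f"large opaque upload ({rec['size']} B) to new host {rec['dst']}")
        if rec["proto"] == "ftp":
            reasons.append("opaque content pushed over cleartext FTP")
    return reasons

def _opaque(n: int) -> bytes:
    """Deterministic stand-in for a sampled encrypted/compressed payload."""
    rng = random.Random(7)
    return bytes(rng.getrandbits(8) for _ in range(n))

def _rec(dst, proto, direction, ctype, size, known, body):
    return dict(dst=dst, proto=proto, direction=direction, content_type=ctype,
                size=size, known_dst=known, body=body)

SAMPLES = {  # constructed proxy/flow records; TEST-NET addresses
    "api_login": _rec("api.example.test", "http", "out", "application/json", 300, True,
                      b'{"user":"alice","action":"login","ok":true}' * 8),
    "blob_as_text": _rec("203.0.113.9", "http", "out", "text/plain", 3 << 20, False,
                         _opaque(4096)),
    "ftp_archive": _rec("198.51.100.4", "ftp", "out", "", 80 << 10, True, _opaque(4096)),
    "download": _rec("cdn.example.test", "http", "in", "application/octet-stream",
                     5 << 20, True, _opaque(4096)),
}

def run_samples() -> dict:
    """Map each sample name to its list of alert reasons."""
    return {name: upload_alerts(rec) for name, rec in SAMPLES.items()}
```

The entropy test alone does not distinguish exfiltration from legitimate archives or TLS, which is why each reason pairs it with a second condition (declared type, unknown destination, cleartext protocol).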

Page 14:

Today

“There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don’t know it” – Gartner Inc. (2012)

Source: Gartner whitepaper, “Malware Is Already Inside Your Organization; Deal With It” (2014)

Page 15:

CEE Cyber Security Readiness

Source: ICT Business Trends & Challenges in Austria, CEE and Turkey, Pierre Audoin Consultants (2014)

(Chart 1: “We have best protection for … external attacks / … disruptions and data loss”; series: Highly Agree, Agree, Depends; axis 0%–100%; values as listed: 38%, 37%, 47%, 44%, 13%, 16%)

(Chart 2: “We had 3rd party vulnerability assessments in the last 3 years”; by country: Austria, Czech Republic, Hungary, Poland, Romania, Slovakia, Turkey, Total; axis 0%–60%; values as listed: 57%, 50%, 50%, 45%, 38%, 34%, 46%, 46%)

Companies do not regularly check their security standing and hope for the best

Page 16:

2 Military imported cyber security concepts

Page 17:

The Terms

Exploit – the defined way (specific steps/application) to use a vulnerability in practice, to breach a system. The exploit range can be local or remote.

Zero-Day Vuln – Vulnerability for which there is no patch (solution/countermeasure) from the vendor of the system or application.

Zero-Day Exploit – the actual means to use that vulnerability

Attack – The realization of a threat, through the means of exploits on existing vulnerabilities.

Attack vector - the method that the (exploit) code uses to breach or propagate. A vulnerability can have several attack vectors.

Attack surface – the sum of all attack vectors

Impact – financial and non-financial loss estimate = value of services, capabilities, data etc. after a threat materializes into an attack (if we take cyber attacks, not accidents).

Controls - Mechanisms used to restrain, regulate, or reduce vulnerabilities. Controls can be corrective, detective, preventive, or deterrent.

Page 18:

Stages

1• Intelligence gathering – OSINT, CYBINT, HUMINT

2• Infecting the target – SE, BYOD, spear phishing, water holing

3• System exploitation – zero-day exploits, half-day exploits + RATs

4• Internal recon - lateral movement and maintaining control

5• Data exfiltration – over FTP/HTTP, known/fake protocols

Page 19:

Military concepts in cyber use

Kill Chain

OPSEC

Cyber Terrain

Targeting

Threat Intelligence

Disinformation Diversion

Cyber Terrain - those physical and logical elements of the domain that enable mission essential warfighting functions

OPSEC - systematic method used to identify, control and protect critical information, and to analyze friendly actions associated with military operations

Targeting - the process of selecting and prioritizing targets and matching them against the appropriate response to them

Disinformation / Diversion - actions executed to deliberately mislead the adversary. False targets such as honeypots can be used to learn about the adversary

Threat Intelligence – complex doctrine, consisting of planning, collection, analysis, dissemination & integration and evaluation of data

Page 20:

The Kill Chain

Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Eric M. Hutchins et al. Image: http://www.digitalbond.com/blog/tag/cyber-kill-chain/

Find → Fix → Track → Target → Engage → Assess

Page 21:

Intelligence-driven Computer Network Defense

Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Eric M. Hutchins et al.

Page 22:

The Defense Chain

Plan → Build → Monitor → Detect → Respond → Report → Improve

Plan – what to protect, what your assets are, policies, what type of protective controls

Build – acquire competencies, build skills and specialists, acquire tools (after teams). Implement the solutions in your company

Monitor – operate the technical solutions, have operational NSM/SIEM systems, perform reviews and drills (incident response exercises)

Detect – check the output of monitoring systems, validate the alerts and do proactive search of IoA (indicators of attack)

Respond – exercise the incident response plans; investigate, contain and remediate

Report – gather information, analyze it, communicate to the right people

Improve – keep the tools, procedures and processes in a maturing loop

Source: http://detect-respond.blogspot.ro/2014/10/the-defense-chain.html

Page 23:

Step 1 - Risk Management

Risk Assessment – Asset Management, Asset Values, Asset Exposure

Threat Modeling – Threat Vectors, Attack Centric

Attack Modeling – Attack Trees, Scenarios

Page 24:

3 Solutions – CSIRT and Managed Services

Page 25:

Why use Managed Services

1 Fast track to legal/regulatory compliance and risk management

2 Import of skills and capabilities – the specialists you wished you had

3 Focus your IT resources on support for core processes and competencies

4 Smarter investment – all those technologies are yours, as a service

5 Smarter execution – translating large upfront costs into operational costs

6 Build solid trust for solid quality – you have a commercial contract, not HR

Page 26:

What we do

Technology Solutions – complete cyber defense projects: Cisco, Juniper, FireEye, IBM, Symantec, Websense, SkyBox, Microsoft, BAE Systems, Rapid7 and others.

MSSP Portfolio – Security Consulting, Audit & Pentest, Security Management, Managed Network Security, Managed Endpoint Security, Network Security Monitoring

Training: EC-Council, (ISC)², ISACA, Mile2, Mandiant, CompTIA+ Microsoft, Cisco, Fortinet and others.

UTI CERT – Incident Response, Data Forensics, Malware analysis & more

Page 27:

Managed Security Service Provider & CERT

SOC

Monitoring (SIEM)

Network Security

Communication Security

Data Security

Managed Services

Endpoint Security

Alerting Services

Incident Handling

Vulnerability Handling

Vulnerability Analysis

CSIRT

Malware Analysis

Data Forensics

Threat Intelligence

Advanced Correlation

Cyber Investigation

Special Projects

Research & Development

Special Services

Vulnerability Assessment

Security validation (Pentesting)

Security Policy Design

Consulting

Network Security Design

Page 28:

What we can do for you

1• Help do proper risk evaluation and update your cyber policy

2• Test and validate the technical vulnerabilities – in the key points

3• Implement the right security controls with the best technologies

4• Monitor the security for you, or help you do it right (SIEM based)

5• Be your SWAT team when incident strikes – do Incident Response

6• Be your Investigator – if you may be the target of cyber-espionage

Page 29:

CSIRT Services

Security Management
  Risk Analysis
  Security Consulting
  Security Validation
  Education/Training
  BC & DR Plans

Proactive Services
  Announcements
  Technology Watch
  Configuration Management
  Network Security Management
  Intrusion Detection Services
  Security Tools Development
  Security Analytics

Reactive Services
  Alerts and warnings
  Incident Handling – Incident analysis; IR on site, support, coordination
  Vulnerability Handling – Vuln analysis; Vuln response, coordination
  Data Forensics – Artifact analysis; DF response, coordination

Page 30:

Page 32:

Referenced/Quoted Material

• RAND Corporation, “Markets for Cybercrime Tools and Stolen Data - Hackers’ Bazaar” (2014)

• IBM, “IBM X-Force Threat Intelligence Quarterly, 3Q 2014” (2014)

• RSA, “The Current State of Cybercrime 2014 - An Inside Look at the Changing Threat Landscape” (2014)

• SANS Institute, “Critical Security Controls: From Adoption to Implementation” (2014)

• CrowdStrike, “Global Threat Report – 2013 Year in Review” (2014)

• Aditya Sood, Richard Enbody, “Targeted Cyber Attacks – Multi-stage Attacks Driven by Exploits and Malware”, Elsevier Publishing (2014)

• Jason Luttgens, Matthew Pepe, Kevin Mandia, “Incident Response and Computer Forensics – 3rd edition”, McGraw-Hill Education (2014)

• Symantec, “Dragonfly: Cyberespionage Attacks Against Energy Suppliers” (2014)

• Kaspersky Lab, “‘Red October’ Diplomatic Cyber Attacks Investigation” (2013)

• IBM, “IT Executive Guide to Security Intelligence - Transitioning from Log Management and SIEM to Comprehensive Security Intelligence” (2013)

• DarkReading, “Top 15 Indicators Of Compromise” (2013)

• Ari Juels, Ting-Fang Yen, RSA, “Sherlock Holmes and The Case of the Advanced Persistent Threat” (2012)

• McAfee, “Global Energy Cyberattacks: ‘Night Dragon’” (2011)

• Eric M. Hutchins et al., Lockheed Martin, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” (2011)

• HBGary, “Operation Aurora” (2010)

• Alexander Opel, “Design and Implementation of a Support Tool for Attack Trees” (2005)