Post on 24-Jun-2020
transcript
COMMON DATA BREACHES: ITS CAUSES AND MITIGATION STRATEGY
Presented by :
Krishna Rajagopal CEO, AKATI Consulting Group
HEALTHCARE CYBERSECURITY EXPERTS
AGENDA
Seminar Agenda
11.20 - 12.20 (Presentation on Security)
WELCOME
ABOUT THE SPEAKER
Krishna Rajagopal from Malaysia.
Industry certifications: various certifications from Microsoft, Cisco, Sun, Adobe, EC-Council, etc.
Consultant to enforcement bodies in Latin America, Africa, Saudi Arabia and the Philippines.
Projects in Asia-Pacific, Europe, Middle East, USA, Caribbean.
OBJECTIVES
Provide insight into current efforts and future plans for corporate network security via Proactive Security.
Provide a helpful perspective on the nature of today’s Internet security risks.
Provide guidelines for achieving rock-solid networks.
Demonstrations of how simple & dangerous hacking really is…
PRESENTATION OUTLINE
PART 1: ANGELS & DEMONS
PART 2: IS THERE ANY HOPE ?
PART 3: Q&A
PART 1 : ANGELS & DEMONS
THIS IS DARTH MAUL
He is a Hacker
Male
Between 14 and 34 years of age
Addicted to Computers
No permanent girlfriend
IN 2011, MAUL HACKED SONY (SEVERAL TIMES )
MAUL THEN BOUGHT HIMSELF A RANGE ROVER EVOQUE.
SONY
DATA LEAKED: 77 million records
FINANCIAL LOSS: $171 million
Data, including passwords and personal details, was stored in clear text!
The majority of the attacks were SQL injection and DDoS.
IN 2012, MAUL HACKED AMAZON & ZAPPOS AND…
OH, NEVER MIND..
ZAPPOS
DATA LEAKED: 24 million records
FINANCIAL LOSS: N/A
IN 2013, MAUL BRIEFLY HACKED US SATELLITES FOR ABOUT 12 MINUTES
HE DIDN'T GET ANYTHING OUT OF IT..
IN 2014, MAUL HACKED AND BROUGHT DOWN MT. GOX BITCOIN EXCHANGE
HE SPENT TWO MONTHS IN ARUBA.. NOT ALONE, OF COURSE..
MT. GOX
DATA LEAKED: 850,000 BTC
FINANCIAL LOSS: $450 million
Mt. Gox was launched in July 2010 and by 2013 was handling 70% of all Bitcoin transactions!
The attack led to the shutdown of Mt. Gox in February 2014.
BUT..
In 2015, Maul discovered that one of his girlfriends was cheating on him on a dating site..
This made him angry ..
IN 2015, MAUL HACKED ASHLEY MADISON
MAUL THEN WENT ON A CRUISE ON THE CARIBBEAN .. ALONE…
IN 2017, MAUL CREATED A RANSOMWARE AND WREAKED HAVOC ACROSS THE GLOBE
HE DECIDED TO REWARD HIMSELF WITH A $25M WATCH
RANSOMWARE
INFECTED: 200,000 computers
FINANCIAL LOSS: $4 billion
THOSE ARE SMALL COMPANIES AND THEY’RE NOT FROM FSI OR CAPITAL INDUSTRY !
Bangladesh Central Bank Heist
Five transactions issued by hackers, worth $101 million and withdrawn from a Bangladesh Bank account at the Federal Reserve Bank of New York, succeeded, with $20 million traced to Sri Lanka and $81 million to the Philippines. The New York Fed blocked the remaining thirty transactions, amounting to $850 million, at the request of Bangladesh Bank.
FEB 2016
Qatar National Bank Hacked
1.4 gigabytes of sensitive customer data appeared online, purportedly including information on Qatar’s royal family!
2016
Banco del Austro’s SWIFT Network Hacked
Over 10 days, hackers used the SWIFT credentials of a bank employee to modify transaction details for at least 12 transfers amounting to over $12 million, which were transferred to accounts in Hong Kong, Dubai, New York and Los Angeles.
MAY 2016
ENOUGH ! ENOUGH !
Far Eastern International Bank - SWIFT again..
Hackers reportedly last week managed to steal almost $60 Million from Far Eastern International Bank in Taiwan by planting backdoors on the bank's servers and through the SWIFT interbank system.
2017
I GIVE UP.
BUT C’MON THESE SECURITY ISSUES DON'T HAPPEN IN OUR COUNTRY / COMPANY..
BIGGEST DATA BREACHES 2016 & 2017
WE CAN DO IT !
HEALTHCARE BREACHES 2016 & 2017
WE CAN DO IT !
INCIDENT 1
HACKING TEAM JULY 2015
HACKING TEAM
The company, in fact, has “a backdoor” into every customer’s software, giving it the ability to suspend it or shut it down, or maybe even sniff something that even customers aren’t told about !
To make matters worse, every copy of Hacking Team's Galileo software is watermarked, according to the source, which means Hacking Team, and now everyone with access to this data dump, can find out who operates it and who they're targeting with it.
HACKING TEAM
Hacking Team has even tried to sell to the Vatican ! They devised a malicious Bible app to infect religiously minded targets.
INCIDENT 2
INCIDENT 3
ASHLEY MADISON
WHO WAS ON IT ?
13,000 .MIL AND .GOV ADDRESSES
804 FROM MICROSOFT.COM
313 FROM APPLE.COM
76 FROM BANKOFAMERICA.COM
MOST POPULAR PASSWORDS ?
123456, PASSWORD, 12345, QWERTY, 12345678, ASHLEY, ABC123, A**HOLE, F***ME, HUNTER, 696969
• 22 - 15
• 681 - 16
• 3,782 - 17
• 4 < 15
WHAT’S THE BIG DEAL ?
MINISTER JOHN GIBSON
CAPT. MICHAEL GORHUM
“I AM SORRY FOR BEING UNFAITHFUL. I KNOW THAT YOU WILL LEAVE ME NOW AND TAKE THE KIDS. I KNOW THAT I WILL BE FIRED FROM MY JOB AT YOUR FATHER’S COMPANY AND THAT MY LIFE AS I KNOW IT IS GOING TO CHANGE DRASTICALLY FOR THE WORSE. SO I’M JUST GOING TO MAKE IT EASY ON YOU. YOU GET EVERYTHING. GOODBYE”
DONALD BRADSHAW
LAWYERS IN AMERICA DESCRIBED IT AS 'CHRISTMAS IN SEPTEMBER'
INCIDENT 4
INTERNET OF THINGS WILL BE TARGETED AND EXPOSED
The Internet of Things will be safe from technological attacks for now, but attackers will focus on retrieving data from these IoT devices.
But soon, with the Open Interconnect Consortium (OIC) and HomeKit, this will shift as common protocols and platforms emerge, e.g. IoT ransomware: imagine smart cars held hostage..
MANCHESTER FORT SHOPPING PARK
WHO IS THE NEXT TARGET FOR MAUL ?
WHAT ARE MAUL’S ACTIVITY TRENDS ?
Figure 9 dives deeper into the specific varieties of threat actions observed over the last five years. The overall top twenty across the five-year span is listed in successive columns, and the lines connecting columns highlight how each action changes over time. To be honest, concise commentary on this visualization may be impossible. Yes, it’s incredibly busy, but it’s also incredibly information-dense. Let your eyes adjust and then explore whatever strikes your fancy. As an example, follow RAM scrapers through the years. They start at #5 in 2009, drop way down over the next few years and then shoot up the charts to the #4 spot in 2013. We talk about that resurgence in the POS intrusions section of this report. Literally every item in Figure 9 has a story if you care to look for it. Enjoy.
Figure 9. Top 20 varieties of threat actions over time, 2009–2013 (chart of per-year counts). Actions shown: Use of stolen creds [hac], Export data [mal], Phishing [soc], RAM scraper [mal], Backdoor [mal], Use of backdoor or C2 [hac], Spyware/Keylogger [mal], Downloader [mal], Capture stored data [mal], C2 [mal], SQLi [hac], Brute force [hac], Rootkit [mal], Tampering [phy], Disable controls [mal], Password dumper [mal], Privilege abuse [mis], Scan network [mal], Adminware [mal], Footprinting [hac].
10 VERIZON ENTERPRISE SOLUTIONS
HOW DOES MAUL DO IT ?
“USUALLY, I JUST FIND ONE DISGRUNTLED EMPLOYEE. JUST ONE.”
WE ARE THE WEAKEST LINK ..
The backup email address on my Gmail account is that same .mac email address.
At 4:52 PM, they sent a Gmail password recovery email to the .mac account.
Two minutes later, an email arrived notifying me that my Google Account password had changed.
At 5:00 PM, they remote wiped my iPhone.
At 5:01 PM, they remote wiped my iPad.
At 5:05, they remote wiped my MacBook Air.
A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s, they were then able to gain entry to that as well.
ICLOUD ATTACKED !
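The account chain quoted above, modelled as a trust graph in an added example (not part of the slide or of the quoted account): each edge means that control of one account yields control of another, a breadth-first walk gives the blast radius of a single takeover, and the link whose removal shrinks that radius most is the one to fix first. The account names, edges and reasons are constructed assumptions based on the quote.

```python
"""Account-recovery blast radius: how far one takeover cascades.

Added example; not from the slides or from the quoted account.  The graph is
a constructed approximation of the chain described on the slide."""

from collections import deque

# Directed trust links: (source, target, why control of source yields target).
# Constructed for this example.
TRUST_LINKS = [
    ("apple-id", "gmail", "backup/recovery e-mail address for Gmail"),
    ("apple-id", "iphone", "remote wipe via the Apple account"),
    ("apple-id", "ipad", "remote wipe via the Apple account"),
    ("apple-id", "macbook-air", "remote wipe via the Apple account"),
    ("gmail", "twitter", "Twitter password reset goes to Gmail"),
    ("twitter", "gizmodo-twitter", "linked account"),
]


def build_graph(links):
    """Adjacency sets; every node appears as a key even with no out-edges."""
    graph = {}
    for src, dst, _reason in links:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def blast_radius(graph, start):
    """Every asset reachable from `start` by following trust links (BFS)."""
    reached, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    return reached


def rank_single_points_of_failure(graph):
    """Accounts ordered by how much else falls if they alone are taken over."""
    return sorted(((node, len(blast_radius(graph, node))) for node in graph),
                  key=lambda pair: (-pair[1], pair[0]))


def radius_without(links, src, dst, start):
    """Blast radius of `start` once the trust link src -> dst is removed
    (e.g. a separate recovery address, or no password reset by e-mail)."""
    remaining = [link for link in links if (link[0], link[1]) != (src, dst)]
    return blast_radius(build_graph(remaining), start)


def best_link_to_cut(links, start):
    """The single link whose removal shrinks `start`'s blast radius the most.
    Returns (assets saved, src, dst, reason); ties keep the first link."""
    base = len(blast_radius(build_graph(links), start))
    best = None
    for src, dst, reason in links:
        saved = base - len(radius_without(links, src, dst, start))
        if best is None or saved > best[0]:
            best = (saved, src, dst, reason)
    return best


if __name__ == "__main__":
    graph = build_graph(TRUST_LINKS)
    for node, size in rank_single_points_of_failure(graph):
        print(f"{node:16s} cascades to {size} other asset(s)")
    saved, src, dst, reason = best_link_to_cut(TRUST_LINKS, "apple-id")
    print(f"cut {src} -> {dst} ({reason}): saves {saved} asset(s)")
```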
PART 2 : IS THERE ANY HOPE ?
BEFORE AN ATTACK
AFTER AN ATTACK
WHAT THE BOARD DOES NOT KNOW ABOUT CYBERSECURITY CAN HURT THEIR BOTTOM LINE ..
HOW IS THAT SO ?
79% OF C-LEVEL EXECUTIVES SAY EXECUTIVE-LEVEL INVOLVEMENT IS NECESSARY TO ACHIEVE EFFECTIVE CYBERSECURITY - PONEMON INSTITUTE
4 OUT OF 10 CFOs SURVEYED SAY THEY ARE THE OWNER OR CO-OWNER OF CYBERSECURITY AT THEIR COMPANIES
74% OF C-LEVEL EXECUTIVES SURVEYED SAID THEIR COMPANY HAD NOT EXPERIENCED A DATA BREACH WHEN IT ACTUALLY HAD
• STRATEGIC RISK
• TRANSACTION RISK
• COMPLIANCE RISK
• REPUTATION RISK
• CYBER RISK
• CREDIT RISK
• INTEREST RATE RISK
• LEGAL RISK
• FOREIGN EXCHANGE RISK
CYBER RISK IS KEY !
2015 DATA BREACH INVESTIGATIONS REPORT 15
Of all the risk factors in the InfoSec domain, vulnerabilities are probably the most discussed, tracked, and assessed over the last 20 years. But how well do we really understand them? Their link to security incidents is clear enough after the fact, but what can we do before the breach to improve vulnerability management programs? These are the questions on our minds as we enter this section, and Risk I/O was kind enough to join us in the search for answers.
Risk I/O started aggregating vulnerability exploit data from its threat feed partners in late 2013. The data set spans 200 million+ successful exploitations across 500+ Common Vulnerabilities and Exposures (CVEs)11 from over 20,000 enterprises in more than 150 countries. Risk I/O does this by correlating SIEM logs, analyzing them for exploit signatures, and pairing those with vulnerability scans of the same environments to create an aggregated picture of exploited vulnerabilities over time. We focused on mining the patterns in the successful exploits to see if we could figure out ways to prioritize remediation and patching efforts for known vulnerabilities.
‘SPLOITIN TO THE OLDIES
In the inaugural DBIR (vintage 2008), we made the following observation: For the overwhelming majority of attacks exploiting known vulnerabilities, the patch had been available for months prior to the breach [and 71% >1 year]. This strongly suggests that a patch deployment strategy focusing on coverage and consistency is far more effective at preventing data breaches than “fire drills” attempting to patch particular systems as soon as patches are released.
We decided to see if the recent and broader exploit data set still backed up that statement. We found that 99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published. Our next step was to focus on the CVEs and look at the age of CVEs exploited in 2014. Figure 10 arranges these CVEs according to their publication date and gives a count of CVEs for each year. Apparently, hackers really do still party like it’s 1999. The tally of really old CVEs suggests that any vulnerability management program should include broad coverage of the “oldies but goodies.” Just because a CVE gets old doesn’t mean it goes out of style with the exploit crowd. And that means that hanging on to that vintage patch collection makes a lot of sense.
11 Common Vulnerabilities and Exposures (CVE) is “a dictionary of publicly known information security vulnerabilities and exposures.”—cve.mitre.org
VULNERABILITIES: Do We Need Those Stinking Patches?
99.9% OF THE EXPLOITED VULNERABILITIES WERE COMPROMISED MORE THAN A YEAR AFTER THE CVE WAS PUBLISHED.
Figure 10. Count of exploited CVEs in 2014 by CVE publish date (chart: x-axis, year CVE was published, ’99 to ’14; y-axis, number of published CVEs exploited, 10 to 90)
to detect. In contrast, the prolific amount of malware hitting education institutions could be the byproduct of less-strict policies and controls, or a sign that Education users are easy pickings for high-volume opportunistic threats.
One other thing it means is that just because you haven’t seen similar spikes doesn’t mean you won’t. Make sure incident response plans include measures to handle a malware flood as well as a trickle.
The takeaway here is that while we’ve provided a baseline view of malware threat-event frequency, you should be capturing this data in your own environment, using it to understand how this overview compares to your own organization, and analyzing how your organization’s own view changes over time.
YOU’RE ABSOLUTELY UNIQUE—JUST LIKE EVERYONE ELSE
With volume and velocity out of the way, it’s time to turn our attention to the amount of variation (or uniqueness) across malware picked up by our contributors. Consistent with some other recent vendor reports, we found that 70 to 90% (depending on the source and organization) of malware samples are unique to a single organization.
We use “unique” here from a signature/hash perspective; when compared byte-to-byte with all other known malware, there’s no exact match. That’s not to say that what the malware does is also distinct. Criminals haven’t been blind to the signature- and hash-matching techniques used by anti-virus (AV) products to detect malware. In response, they use many techniques that introduce simple modifications into the code so that the hash is unique, yet it exhibits the same desired behavior. The result is often millions of “different” samples of the “same” malicious program.
This is more than just the malware analyst form of omphaloskepsis (look it up). It has real-world consequences, which basically boil down to “AV is dead.” Except it’s not really. Various forms of AV, from gateway to host, are still alive and quarantining nasty stuff every day. “Signatures alone are dead” is a much more appropriate mantra that reinforces the need for smarter and adaptive approaches to combating today’s highly varied malware.
There’s another lesson here worth stating: Receiving a never-before-seen piece of malware doesn’t mean it was an “advanced” or “targeted” attack. It’s kinda cool to think they handcrafted a highly custom program just for you, but it’s just not true. Get over it and get ready for it. Special snowflakes fall on every backyard.
24 The 2005 analyses mostly came from data in the WildList, an effort started by Joe Wells and Sarah Gordon to maintain a list of malicious binaries that are active “in the field” for use by researchers and defenders. If that wave of nostalgia hit you as hard as it did us, you may be surprised and pleased to learn that the project is still active: wildlist.org/CurrentList.txt.
25 Where the actual family name could be discerned. Attribution is further made difficult due to the nonstandard signature naming conventions between vendors and the fact that some vendors, like FireEye, are able to catch malicious code behaviorally but are not always able to classify it precisely. Perhaps y’all could at least standardize on/a.SEParator and field-order pattern before next year’s report?
TAKE A WALK ON THE WILDLIST [24]
We managed to borrow a Wayback machine to take a trip to 4 BD (before DBIR) to pluck some research wisdom from one of our elder researchers. Specifically, we wanted to compare one of his findings from yesteryear against the current malware climate to see how much (or little) has changed.
The observation was that back in 2005, “just seven families represented about 70% of all malcode activity.” (For those interested, those were Mytob, Netsky, Zafi, Sober, Lovgate, Mydoom, and Bagle.) Fast-forward to 2014, and our analysis of the data from our network malware defense partners suggests that should be updated to read, “20 families represented about 70% of all malware activity.”25 (Today’s “sinister seven” are zbot, rerdom, zeroaccess, andromeda, expiro, asprox, gamaru, and sality.)
The key differences between the malcode of 2005 and malware of 2014 are that the older viruses were noisy e-mail worms with varying backdoor capabilities, whereas the common components of the 2014 “top seven” involve stealthy command-and-control botnet membership, credential theft, and some form of fraud (clickfraud or bitcoin mining). Alas, those were simpler times back in 2005.
70–90% OF MALWARE SAMPLES ARE UNIQUE TO AN ORGANIZATION.
Chart: malware events per week, January to January, by industry
RETAIL: AVERAGE MALWARE EVENTS 801
UTILITIES: AVERAGE MALWARE EVENTS 772
EDUCATION: AVERAGE MALWARE EVENTS 2,332
BREACH DISCOVERY
Figure 5 offers a new twist on one of our favorite charts from the 2014 DBIR. It contrasts how often attackers are able to compromise a victim in days or less (orange line) with how often defenders detect compromises within that same time frame (teal line). Unfortunately, the proportion of breaches discovered within days still falls well below that of time to compromise. Even worse, the two lines are diverging over the last decade, indicating a growing “detection deficit” between attackers and defenders. We think it highlights one of the primary challenges to the security industry.
If you’re desperate for good news, you’ll be happy to see that 2014 boasts the smallest deficit ever recorded and the trend lines appear a bit more parallel than divergent. We’ll see if that’s a trick or a budding trend next year.
Figure 5. The defender-detection deficit (chart, 2004–2014: percentage of breaches where time to compromise and time to discover were “days or less”)
IN 60% OF CASES, ATTACKERS ARE ABLE TO COMPROMISE AN ORGANIZATION WITHIN MINUTES.
Based on attacks observed by RiskAnalytics during 2014, 75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours). Over 40% hit the second organization in less than an hour. That puts quite a bit of pressure on us as a community to collect, vet, and distribute indicator-based intelligence very quickly in order to maximize our collective preparedness.
BEST WHEN USED BY…
Let’s say, for the sake of argument, that we share indicators quickly enough to help subsequent potential victims. The next thing we need to know is how long we can expect those indicators to remain valid (malicious, active, and worthy of alerting/blocking). We return to the RiskAnalytics data set to study that important question.
Figure 8 shows how long most IP addresses were on the block/alert list. We split the view up into Niddel’s inbound and outbound categories to see if that made a difference in longevity. While some hang around for a while (we restricted the graphic to seven days, but both charts have a fairly long tail), most don’t last even a day. Unfortunately, the data doesn’t tell us why they are so short-lived, but these findings track well with Niddel’s “cumulative uniqueness” observations.
Ultimately, the data speaks to a need for urgency: The faster you share, the more you (theoretically) will stop. This is just one data source, though, and one that is geared toward threats of a more opportunistic, high-volume, and volatile nature (e.g., brute forcing, web app exploits, etc.) rather than more “low and slow” targeted attacks. To test whether these findings apply more broadly, we’d be happy to incorporate data from a wider range of willing participants next year. In the meantime, we encourage others who have such data to share it. Only when we measure our intelligence systems will we know what they’re really doing for us and how we can improve them.
But the overall takeaway would appear to be valid regardless: We need to close the gap between sharing speed and attack speed.
CHOOSE THE WELL OVER THE FIRE HOSE
Ultimately, what is presented here is good news (organizations are indeed sharing). However, we’d like to recommend that if you do produce threat intel, focus on quality as a priority over quantity. Where an opportunity for detection presents itself, seize it in the way that offers the greatest longevity for your efforts. Certainly, anything that leads to the discovery of an incident is worthwhile, but in most cases, context is key. Those consuming threat intelligence, let it be known: An atomic indicator has a life of its own that may not be shared with another. Focus less on being led to water and work on characterizing where the well resides. Expect more out of your communities, and where possible, reciprocating context enables a wider audience to make additional determinations that enable a broader defensive capability.
Figure 8. Count of indicators by days observed in at least one feed (chart: days on list, 1 to 7, split into inbound and outbound)
Figure 19 from the 2014 DBIR presented the frequency of incident patterns across the various industry verticals. The major takeaway was that different industries exhibit substantially different threat profiles and therefore cannot possibly have the same remediation priorities. That may be a rather “no duh” finding, but keep in mind most security standards treat all requirements as equal stepping stones on a path to 100% compliance. Past reports have emphasized that with security, there is no “one size fits all” approach. It is our fervent hope that that data sowed some seeds of change, and this year we’d like to help grow that crop a bit more.
Whereas last year’s report asked “Do all organizations share similar threat profiles?”, we now want to explore what we believe to be a much better question: “Which industries exhibit similar threat profiles?” Just as our nine patterns helped to simplify a complex issue last year, we believe that answering this question can help clarify the “so what?” question for different verticals. Figure 19 measures and provides, at least in part, the answer to that question.28
28 To look up the three-digit NAICS codes, visit: census.gov/eos/www/naics/index.html
INDUSTRY PROFILES: Raising the Stakes with Some Takes on NAICS
Figure 19. Clustering on breach data across industries (chart of three-digit NAICS codes, 211 to 928, grouped by sector: Accommodation, Administrative, Educational, Entertainment, Financial Services, Healthcare, Information, Management, Manufacturing, Mining, Other Services, Professional, Public, Real Estate, Retail, Trade, Transportation, Utilities)
ONE PHISH, TWO PHISH
In previous years, we saw phishing messages come and go and reported that the overall effectiveness of phishing campaigns was between 10 and 20%. This year, we noted that some of these stats went higher, with 23% of recipients now opening phishing messages and 11% clicking on attachments. Some stats were lower, though, with a slight decline in users actually going to phishing sites and giving up passwords.
Now, these messages are rarely sent in isolation—with some arriving faster than others. Many are sent as part of a slow and steady campaign.9 The numbers again show that a campaign of just 10 e-mails yields a greater than 90% chance that at least one person will become the criminal’s prey, and it’s bag it, tag it, sell it to the butcher (or phishmonger) in the store.
How long does an attacker have to wait to get that foot in the door? We aggregated the results of over 150,000 e-mails sent as part of sanctioned tests by two of our security awareness partners and measured how much time had passed from when the message was sent to when the recipient opened it, and if they were influenced to click or provide data (where the real damage is done). The data showed that nearly 50% of users open e-mails and click on phishing links within the first hour.
How long do you suppose you have until the first message in the campaign is clicked? Not long at all, with the median time to first click coming in at one minute, 22 seconds across all campaigns. With users taking the bait this quickly, the hard reality is that you don’t have time on your side when it comes to detecting and reacting to phishing events.
THERE ARE PLENTY OF PHISH IN THE SEA
We looked at organization demographics to see if one department or user group was more likely than another to fall victim to phishing attacks. Departments such as Communications, Legal, and Customer Service were far more likely to actually open an e-mail than all other departments. Then again, opening e-mail is a central, often mandatory component of their jobs.
When we studied how many people actually clicked a link after they opened the e-mail, we found a great deal of overlap in the confidence intervals for each department…which is a fancy way of saying that we can’t say there’s a statistical difference between these departments.
9 Unless we’re talking about a very targeted spear-phishing campaign.
10 apwg.org/resources/apwg-reports
NEARLY 50% OPEN E-MAILS AND CLICK ON PHISHING LINKS WITHIN THE FIRST HOUR.
DOING MORE WITH LESS
The payload for these phishing messages has to come from somewhere. Data from the Anti-Phishing Working Group (APWG)10 suggests that the infrastructure being used is quite extensive (over 9,000 domains and nearly 50,000 phishing URLs tracked each month across the Group’s members). The charts in Figure 9 also show that the attackers have finally learned a thing or two from the bounty of their enterprise breaches and may even have adopted a Lean Six Sigma approach to optimize operations.
Figure 9. APWG sites and domains per month since 2012 (two charts, May 12 to May 14: unique domains, count 0 to 15,000; unique sites, count 0 to 60,000)
WHAT THE HACK ?
Lockheed Martin’s Cyber Kill Chain Methodology for Cyber Attackers
• Motivation and decision to act: financial gain; politics; harass or embarrass, etc.
• Determine objective: steal data; destroy data; manipulate data
• Select avenue of approach: network (website, email); insider; supply chain
• Acquire capability: build; hire; use existing capability
• Develop access: insider; compromise supply chain; SQL injection; spear phishing
• Implement actions: establish presence on target; move laterally on network; steal data; destroy data; manipulate data; cover tracks
• Assess: were actions successful? were actions sufficient? were objectives satisfied?
• Restrike? Yes / No
SOURCE : AKATI CONSULTING - HACKER MODUS OPERANDI
SOLUTION ?
SOURCE : AKATI CONSULTING - CYBERSECURITY TACTICAL ASSESSMENT SERVICE
Intrusion Kill Chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control (C2), Actions on Objectives
Campaign Analysis – Tools, Techniques and Procedures: leverage, discover and analyze atomic, computed and behavior indicators
Courses of action: Detect, Deny, Disrupt, Degrade, Deceive, Destroy
• Reconnaissance: Research, identification and selection of targets, often represented as crawling Internet websites such as conference proceedings and mailing lists for email addresses, social relationships, or information on specific technologies.
• Weaponization: Coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer). Increasingly, client application data files such as Adobe PDF or Microsoft Office documents serve as the weaponized deliverable.
• Delivery: Transmission of the weapon to the targeted environment using vectors like email attachments, websites, and USB removable media.
• Exploitation: After the weapon is delivered to the victim host, exploitation triggers the intruders’ code. Most often, exploitation targets an application or operating system vulnerability.
• Installation: Installation of a remote access trojan or backdoor on the victim’s system allows the adversary to maintain persistence inside the environment.
• Command & Control (C2): Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C2 channel.
• Actions on Objectives: Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically this objective is data exfiltration, which involves collecting, encrypting and extracting information from the victim’s environment.
Red Team Methodology / Blue Team Methodology
PHASE 1: EXTERNAL THREATS - EXTERNAL PEN TEST
PHASE 2: INTERNAL THREATS - INTERNAL PEN TEST
PHASE 3: PEOPLE THREATS - AWARENESS, SIMULATION
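A worked example of the campaign-analysis idea behind the kill chain slide (added here; not code from the slides, Lockheed Martin or AKATI): indicators from several constructed intrusions are grouped by kill-chain phase, the ones that recur across intrusions are surfaced, and the earliest phase at which one control would have covered every intrusion is reported. The intrusion names, indicator prefixes and indicator values are all constructed assumptions of this example.

```python
"""Kill-chain campaign analysis: find the phase where one control breaks the
whole campaign.

Added example; not code from the slide, Lockheed Martin or AKATI.  The
intrusions below are constructed for illustration."""

from collections import defaultdict

PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objectives"]

# Constructed intrusions by one hypothetical adversary: phase -> indicators
# observed there.  The "kind:" prefixes are this example's convention for the
# slide's atomic (sender, domain, hash), computed (attachment) and behavioural
# (what ran on the host) indicators.
INTRUSIONS = {
    "intrusion-1": {
        "Delivery": {"sender:careers@hr-portal.invalid", "attach:Resume.docm"},
        "Exploitation": {"behaviour:WINWORD.EXE spawns powershell.exe"},
        "Installation": {"hash:1111aaaa", "persistence:HKCU Run 'Updater'"},
        "Command & Control": {"domain:cdn-update.invalid", "uri:/ping?id="},
        "Actions on Objectives": {"behaviour:7z archive created in %TEMP%"},
    },
    "intrusion-2": {
        "Delivery": {"sender:invoices@billing-portal.invalid",
                     "attach:Invoice.docm"},
        "Exploitation": {"behaviour:WINWORD.EXE spawns powershell.exe"},
        "Installation": {"hash:2222bbbb", "persistence:HKCU Run 'Updater'"},
        "Command & Control": {"domain:static-cdn.invalid", "uri:/ping?id="},
    },
    "intrusion-3": {
        "Reconnaissance": {"behaviour:crawl of public staff directory"},
        "Delivery": {"sender:careers@hr-portal.invalid",
                     "url:hr-portal.invalid/apply"},
        "Exploitation": {"behaviour:chrome.exe spawns cmd.exe"},
        "Installation": {"hash:3333cccc", "persistence:HKCU Run 'Updater'"},
        "Command & Control": {"domain:cdn-update.invalid", "uri:/ping?id="},
    },
}


def recurring_indicators(intrusions, min_hits=2):
    """Campaign analysis: per phase, the indicators seen in at least `min_hits`
    distinct intrusions, mapped to the intrusions they appeared in.  Anything
    seen once (a fresh hash per victim) is cheap for the adversary to rotate;
    what repeats is the tradecraft worth building a control around."""
    seen = defaultdict(lambda: defaultdict(set))
    for name, phases in intrusions.items():
        for phase, indicators in phases.items():
            for indicator in indicators:
                seen[phase][indicator].add(name)
    result = {}
    for phase, indicators in seen.items():
        kept = {ind: sorted(names) for ind, names in indicators.items()
                if len(names) >= min_hits}
        if kept:
            result[phase] = kept
    return result


def coverage_by_phase(intrusions, min_hits=2):
    """Which intrusions a control keyed on a phase's recurring indicators would
    have matched.  Returns phase -> sorted intrusion names, in kill-chain order."""
    recurring = recurring_indicators(intrusions, min_hits)
    return {phase: sorted(set().union(*recurring[phase].values()))
            for phase in PHASES if phase in recurring}


def earliest_full_coverage(intrusions, min_hits=2):
    """Furthest-left phase whose recurring indicators cover every intrusion,
    i.e. the earliest point where one control breaks the whole campaign.
    Returns None when no single phase covers them all."""
    for phase, names in coverage_by_phase(intrusions, min_hits).items():
        if len(names) == len(intrusions):
            return phase
    return None


if __name__ == "__main__":
    total = len(INTRUSIONS)
    for phase, names in coverage_by_phase(INTRUSIONS).items():
        print(f"{phase:22s} covers {len(names)}/{total}: {', '.join(names)}")
    print("break the chain at:", earliest_full_coverage(INTRUSIONS))
```

In the constructed data the file hashes differ every time while the persistence artifact and the C2 URI pattern repeat, so the chain is broken earliest at Installation rather than at Delivery.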
“My computer has antivirus software. That means I’m protected, right?”
“I don’t need to worry about computer security—I’m not in the office right now.”
“I trust my colleagues—why shouldn’t I share my password with them?”
“I have a brand new computer. Do I really need to install updates?”
“I watch streaming movies online instead of downloading them. So, I’m safe… right?”
DO THESE SOUND FAMILIAR ?
STEP ONE
Put A Lock On Your Password — Keep It A Secret !
Make it long, make it strong
Never reveal it to anyone
Use a Password Manager / Token
SECURE YOUR PASSWORDS
STEP TWO
Guard Against Computer Bugs — Use Protective Software
Host firewalls are pre-installed & available on machines running Windows, Linux, and Mac OS X. Be sure they’re turned on and configured correctly!
Use anti-virus, anti-malware and a firewall or security suite that includes all three. This is like keeping your doors and windows locked at home.
STOP MALWARE !
STEP THREE
Keep Your Computer Up To Speed — Install Software Updates
Get the latest software updates: keep your applications and operating system sharp and healthy
Make regular backups !
KEEP YOUR TOOLS SHARP !
STEP FOUR
Stay Aware On The Internet — It Can Keep You Safe !
Cyber criminals like Maul make sites look legitimate to steal your information or spread malware to your computer or mobile device without you even knowing.
Browse the internet safely: make your browser safe and avoid dodgy websites
NEVER EVER CLICK A LINK IN AN EMAIL
BE SAFE !
WHAT ABOUT CORPORATE NETWORKS ?
DEFENSE IN DEPTH
Source: “Defense in Depth Strategy Optimizes Security”, IT@Intel White Paper (www.intel.com/IT)
Our strategy evolved as we established our IT information risk and security organization, building on information warfare theory and venerable security approaches. We took the mature IT security model of prevention, detection, and response, and added a fourth key element: prediction.

The addition of prediction creates the continually evolving structure that is necessary to adapt to the fluid nature of information security threats. Prediction gives us insights into the most likely threats, methods, and targets, which allow us to efficiently focus resources in the prevention, detection, and response areas. Conversely, learnings in these areas feed back into the prediction teams to promote better assessments, forming a continual performance improvement loop as shown in Figure 1.

Our strategy enables us to reduce the risk of losses as well as the associated cost. The earlier we can interdict a threat, the more we reduce the potential loss. The cost of predicting or preventing an attack is a fraction of the cost of responding to a successful attack, as shown in Figure 2.

Prediction
Prediction is an invaluable first step in the efficient use of security resources. Although the truly paranoid may disagree, not everyone

Solution
Over the past six years, Intel IT has evolved a defense in depth strategy to meet these challenges. Our strategy has been proven to work over time in many different security disciplines. We have found that this strategy is highly effective at providing overall security assurance, as well as establishing cost-effective, scalable, and adaptive programs that keep pace with changing threats.

Prevention: Securing the computing environment with current tools, patches, updates, and best-known methods in a timely manner. Represents the bulk of cost-effective security capabilities and facilitates better Detection.
Prediction: Proactively seeks to identify attackers, their objectives, and their methods prior to materialization of viable attacks. Enables and maximizes Prevention activities.
Detection: Visibility to key areas and activities. Effective monitoring to identify issues, breaches, and attacks. Drives immediate interdiction by Response capabilities.
Response: Efficient management of efforts to contain, repair, and recover as needed to return the environment to normal operations. Reduces losses by rapidly addressing issues and feeds intelligence into Prediction and Prevention areas.
Figure 1. Intel IT’s defense in depth strategy provides a performance improvement loop that helps improve our security strategy.
LET’S TALK ABOUT YOU & ME ..
HUMAN VULNERABILITY IS NATURAL
• FIREWALLS ARE NOT ENOUGH
• SECURITY AWARENESS EDUCATION SOMETIMES FAILS MISERABLY
• POSTERS DON’T WORK
• COMPLIANCE HAS US RACING TO THE BOTTOM
PART 3 : Q & A ?
FOR MORE INFO, VISIT OUR BLOG: www.akati.com/warlock
And while you're there sign up for
our FREE security advisory services !
THANKS FOR LISTENING !
THANK YOU