1. CYBERSECURITY: INNOVATIVE APPROACHES FOR APTS Robert E Stroud CGEIT CRISC | International President ISACA Robert.Stroud@ca.com @RobertEStroud

2. ROBERT E STROUD CGEIT CR INTERNATIONAL PRESIDENT ISACA Vice President Strategy & Innovation CA Technologies Futurist, Author, Public Speaker & Industry GeeK 15 years Banking Contributor to numerous industry frameworks, standards and good practices Former Director itSMF International & itSMF USA Robert.Stroud@ca.com @RobertEStroud 2 | 6/20/2014 3. AGENDA 1. The security landscape 2. Advanced Persistent Threats 3. ISACA 2014 APT SURVEY 4. What should your approach be 5. Recommendations 3 | 6/20/2014 4. THE SECURITY LANDSCAPE 5. KEY TRENDS AND DRIVERS OF SECURITY Consumerization Mobile devices Social media Cloud services Nonstandard Security as a Service Emerging Trends Decrease in time to exploit Targeted attacks Advanced persistent threats Continual Regulatory and Compliance Pressures SOX, PCI, EU Privacy ISO 27001 Other regulations 5 | 6/20/2014 6. THE WORLD IS CHANGING The 2010 Google Aurora attack forever changed the way we look at Internet security. This large-scale, sophisticated attack showed us that all sectors, from private to public, are vulnerable to a new class of security breach: The Advanced Persistent Threat 6 | 6/20/2014 7. SO WHAT IS AN ADVANCED PERSISTENT THREAT? 7 | 6/20/2014 8. THE WORLD IS CHANGING 9. ADAPTIVE ATTACK VECTORS 9 | 6/20/2014 10. ADAPTIVE ATTACK VECTORS Security Issue Security Solution Adaptive Attack Vector Single factor authentication (e.g. something you "know" - like a userid and a password) is too weak - passwords are easily compromised or guessed. Multi-factor authentication - something you know (userid/password) + something you have (password retrievable from a token that changes at regular intervals based on strong encryption algorithms) Break into the token vendor (RSA - March 2011) and steal the encryption keys that are used by the real target (Lockheed Martin - May 2011) Thousands of malware writers - some masquerading their code as being from a trusted developer. Digital certificates used to "sign" code from a vendor so that the code can be trusted. Break into a credible vendor whose software is run on almost every computer (Adobe) and use their code signing infrastructure to sign the malicious code (Sept 2012) The antivirus approach (defining what is "bad" software and blacklisting or quarantining it) is not able to keep pace with malware writers - more than 200,000 new blacklist signatures each day. Application whitelisting - define what is "good" and assume everything else is "bad". Break into the application whitelisting vendor (Bit9) and have their code signing infrastructure sign the malicious code (February 2013) so that it is effectively on the whitelist 11. THE APT LIFECYCLE History shows that most sophisticated attackers, regardless of their motives, funding or control, tend to operate in a certain cycle and are extremely effective at attacking their targets. 11 | 6/20/2014 12. APT MODUS OPERANDI APTs have adapted their tactics, techniques and procedures to the typical information security architecture they find deployed Traditional Security Practice APTs Modus Operandi Network boundary/perimeter devices inspect traffic content SSL, custom encryption, and password protected/encrypted container files make packet content inspection difficult or impossible Network firewalls monitor and assess traffic metadata Communication initiated from within the network using standard ports and protocols (HTTP, DNS, SSL, SMTP, ) Host firewalls monitor and assess local traffic metadata Initial infection tool adds malware to host firewall white list Intrusion detection and prevention systems with real-time assessment and alerting running on servers and workstations Communications use common ports and protocols hide in plain site within obvious/allowed traffic Antivirus (AV) on every server and workstation with multiple daily automatic signature updates Compile malicious code immediately before use and test on the latest AV defs. Custom code per target. Protect with multiple anti-reverse engineering techniques (i.e. kernel drivers, packers, other obfuscation) Monthly or Quarterly Vulnerability Assessments Attacks not based on server operating system vulnerabilities but on host/application vulnerabilities, 0-day attacks, and user action Two-factor authentication Custom malware installed with users privileges - hacker authenticates to the malware, circumventing two-factor requirements HTML formatted email disallowed and real-time email content filtering Embed links to malware (instead of malware itself) in very well crafted, specifically targeted phishing email Real-time malicious web site and URL filtering Compromise third party sites to host malware - a different site for each victim - a different site for each wave of attacks on a victim 12 | 6/20/2014 13. APT MODUS OPERANDI Traditional Security Practice APTs Modus Operandi Network boundary/perimeter devices inspect traffic content SSL, custom encryption, and password protected/encrypted container files make packet content inspection difficult or impossible Network firewalls monitor and assess traffic metadata Communication initiated from within the network using standard ports and protocols (HTTP, DNS, SSL, SMTP, ) Host firewalls monitor and assess local traffic metadata Initial infection tool adds malware to host firewall white list Intrusion detection and prevention systems with real-time assessment and alerting running on servers and workstations Communications use common ports and protocols hide in plain site within obvious/allowed traffic Antivirus (AV) on every server and workstation with multiple daily automatic signature updates Compile malicious code immediately before use and test on the latest AV defs. Custom code per target. Protect with multiple anti-reverse engineering techniques (i.e. kernel drivers, packers, other obfuscation) Monthly or Quarterly Vulnerability Assessments Attacks not based on server operating system vulnerabilities but on host/application vulnerabilities, 0-day attacks, and user action Two-factor authentication Custom malware installed with users privileges - hacker authenticates to the malware, circumventing two-factor requirements HTML formatted email disallowed and real-time email content filtering Embed links to malware (instead of malware itself) in very well crafted, specifically targeted phishing email Real-time malicious web site and URL filtering Compromise third party sites to host malware - a different site for each victim - a different site for each wave of attacks on a victim 14. METHODS FOR DEFENDING AGAINST THE APT Many enterprises implement some of the intermediate-level concepts. Because the APT and other advanced, sophisticated attackers have such a high success rate, it is recommended that every enterprise implement all of the basic concepts. 14 | 6/20/2014 15. ISACA 2014 APT SURVEY 16. ISACAS 2014 APT SURVEY 1,220 Individuals Globally; Fielded February 2014 Because the studys purpose was to measure information security characteristics such as knowledge of advanced persistent threats (APTs), internal controls, internal incidents, policy adherence and management support, the study surveyed those who deal with those issues every day: professionals with information security responsibilities. Respondents are still using the wrong controls, such as antimalware, antivirus and firewalls, to defend against APTs. These arent effective as most of these attacks come from zero-day exploits and the attack vectors are very personalized spear-phishing attacks and now web exploits in the browser. While technology improvements are not clear, behavior is improving, with more organizations making the necessary changes in terms of incident response plans and security awareness training. 16 | 6/20/2014 17. 92% SAY APTS POSE A CREDIBLE THREAT TO NATIONAL SECURITY OR ECONOMIC STABILITY. 1 IN 5 HAVE EXPERIENCED AN APT ATTACK. 66% SAY IT IS LIKELY OR VERY LIKELY THAT THEIR ORGANIZATION WILL EXPERIENCE AN APT ATTACK: 17 | 6/20/2014 18. CROSSTAB OF THOSE WHO FIND AN APT LIKELY AND ABILITY TO RESPOND TO AN APT ATTACK Even those who feel it is very likely that their enterprise will be targeted by an APT do not feel very able or even able to respond effectively. Even those who expect to get hit are not well prepared to respondmore is needed to be done. 18 | 6/20/2014 19. CROSSTAB OF BELIEF OF LIKELIHOOD OF BECOMING TARGET AND ADJUSTING INCIDENT RESPONSE PLAN More than half of organizations who say an APT is likely or very likely to impact them are adjusting their incident response plans to accommodate for APT attacks. In the very likely to be attacked category, about 70% are adjusting their plans, and in the likely category, 60% have adjusted the plans. 19 | 6/20/2014 20. PREPARATION ISACAs 2014 APT Awareness Study revealed that 66% of respondents feel that it is only a matter of time before they encounter an APT Preparation is key: 1. Build a team make a plan 2. Establish key relationships 3. Determine Authorities 4. Inventory Existing Technologies 5. Standardize the Investigation Process 6. Training and Governance 7. Establish Critical Capabilities 20 | 6/20/2014 21. COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT) A CSIRT should contain the people, process and technology capabilities the organization needs to effectively and efficiently manage a cybersecurity incident. Capability (people, process, technology) Minimum Preferred Host-level activity awareness a. Logs from endpoint software agents (e.g., antivirus) b. Native operating system logging (e.g., Windows) a. Host-based intrusion detection b. Remote enterprise forensic analysis c. Agent-based, live memory analysis Network-level activity awareness a. Network flow data (e.g., layer 3) b. Proxy logs c. Firewall logs Network intrusion detection logs Full packet capture at all egress points SSL inspection Search Decentralized log searches on a per- system basis a. Local logging b. Manual retrieval c. Limited automation a. Centralized aggregation of searchable log data b. Event correlation (e.g., SIEM) Digital forensics a. Ad hoc, local a. Remote enterprise (acquisition) b. Case management systems Malware analysis a. Dynamic malware analysis b. Basic static and automated analysis a. In-depth static code analysis b. Reverse engineering Threat intelligence Ad hoc, open source research a. Subscription-based b. Business partner information sharing c. Repeatable, automated integration Vulnerability identification Enterprise application inventory Enterprise vulnerability identification 21 | 6/20/2014 22. Capability (people, process, technology) Minimum Preferred Host-level activity awareness a. Logs from endpoint software agents (e.g., antivirus) b. Native operating system logging (e.g., Windows) a. Host-based intrusion detection b. Remote enterprise forensic analysis c. Agent-based, live memory analysis Network-level activity awareness a. Network flow data (e.g., layer 3) b. Proxy logs c. Firewall logs Network intrusion detection logs Full packet capture at all egress points SSL inspection Search Decentralized log searches on a per-system basis a. Local logging b. Manual retrieval c. Limited automation a. Centralized aggregation of searchable log data b. Event correlation (e.g., SIEM) Digital forensics a. Ad hoc, local a. Remote enterprise (acquisition) b. Case management systems Malware analysis a. Dynamic malware analysis b. Basic static and automated analysis a. In-depth static code analysis b. Reverse engineering Threat intelligence Ad hoc, open source research a. Subscription-based b. Business partner information sharing c. Repeatable, automated integration Vulnerability identification Enterprise application inventory Enterprise vulnerability identification 23. INVESTIGATION The core component of any investigation is the collection and analysis of facts pertinent to the matter. The Incident Response or investigative process: Identification -> Containment -> Eradication -> Recovery -> Follow-up 23 | 6/20/2014 24. INVESTIGATION The major objectives of Incident Response process are to: 1. Identify all potentially relevant data sources, 2. Preserve those data with forensically sound methodologies, 3. Analyze the data for facts related to the matter, and to 4. Report findings. 24 | 6/20/2014 25. INVESTIGATION Answer the basic questions: who, what, when, where, why and how Input answers as intelligence into the eradication plan! 25 | 6/20/2014 26. INVESTIGATION Objective 1: Understand the attackers tactics, techniques and procedures and if possible, intentions to inform the eradication plan Objective 2: Understand the scope, breadth and depth of the compromise for communications to stakeholders (internal and external) Activity 1: Collect appropriate electronic records relevant to the compromise Activity 2: Transform collected data into information to help focus the investigation Activity 3: Analyze the information to determine the who, what, when, where, why and how details of the compromise Activity 4: Develop detail reporting for stakeholders 26 | 6/20/2014 27. ERADICATION If investigation is a marathon, eradication is a sprint. Its important to understand that while investigating a sophisticated cybersecurity breach might seem like a marathon; effective eradication must be a sprint. That is, efficiency in the eradication effort is critical to success. Effective eradication plans must be executed with speed and precision because attackers will often try to re-establish a beachhead and then re- entrench themselves into the network once they sense theyve been discovered and eradication is under way. 27 | 6/20/2014 28. ERADICATION & POST-ERADICATION ACTIVITIES Eradication Activities: 1. Plan for eradication 2. Execute the Plan 3. Monitor for attempted re-entry Post Eradication Activities: 1. Validate that eradication activities were successful 2. Brief stakeholders on results 3. Lessons learned 4. Strategic change - cybersecurity transformation 28 | 6/20/2014 29. CONCLUSIONS 30. CONCLUSIONS The situation is only going to get more complex If you have IP, its not a question of if, but when Defined industry skills shortage Have a plan and perfect it with experience over time Share information 30 | 6/20/2014 31. MORE INFORMATION www.isaca.org/cyber 31 | 6/20/2014 insights and resources for the cybersecurity professional cutting-edge thought leadership, training and certification programs for professionals... knowledge, tools, guidance and connections 32. QUESTIONS? 32 | 6/20/2014 33. CSX COMPONENTS AVAILABLE NOW Cybersecurity Fundamentals Certificate (workshops and exams taking place in Q3; first workshop sold out) Transforming Cybersecurity Using COBIT 5 Responding to Targeted Cyberattacks Advanced Persistent Threats: Managing the Risks to Your Business Cybersecurity webinars and conference tracks (six-part webinar series begins in June) Cybersecurity Knowledge Center community COMING SOON Mentoring Program Implementation guidance for NISTs US Cybersecurity Framework (which incorporates COBIT 5) and the EU Cybersecurity Strategy Cybersecurity practitioner-level certification (first exam: 2015) Cybersecurity training courses SCADA guidance Digital forensics guidance 33 | 6/20/2014 34. CYBERSECURITY FUNDAMENTALS KNOWLEDGE CERTIFICATE Knowledge-based exam for those with 0 to 3 years experience Foundational level covers four domains: 1) Cybersecurity architecture principles 2) Security of networks, systems, applications and data 3) Incident response 4) Security implications related to adoption of emerging technologies The exam will be offered online and at select ISACA conferences and training events. The first is in September at EuroCACS and is sold out. Content aligns with the US NICE framework and was developed by a team of about 20 cybersecurity professionals from around the world. The team is involved in all areas of development through content contribution and subject matter expert reviews. 34 | 6/20/2014 35. CAREER PATH 0-3 years: Cybersecurity Fundamentals Certificate (no experience required; must pass knowledge-based exam) 3-5 years: Cybersecurity practitioner-level certification (commencing mid 2015) 5+ years: Certified Information Security Manager certification (25,000+ professionals certified since inception) 35 | 6/20/2014 36. TRANSFORMING CYBERSECURITY USING COBIT 5 Eight Key Principles: 1. Understand the potential impact of cybercrime and warfare on your enterprise. 2. Understand end users, their cultural values and their behavior patterns. 3. Clearly state the business case for cybersecurity and the risk appetite of the enterprise. 4. Establish cybersecurity governance. 5. Manage cybersecurity using principles and enablers. (The principles and enablers found in COBIT 5 will help your organization ensure end-to-end governance that meets stakeholder needs, covers the enterprise to end and provides a holistic approach, among other benefits. The processes, controls, activities and key performance indicators associated with each enabler will provide the enterprise with a comprehensive picture of cybersecurity.) 6. Know the cybersecurity assurance universe and objectives. 7. Provide reasonable assurance over cybersecurity. (This includes monitoring, internal reviews, audits and, as needed, investigative and forensic analysis.) 8. Establish and evolve systemic cybersecurity. 36 | 6/20/2014