This document discusses cyber security threats and recommendations for addressing them. It begins with an overview of the history of threats like Melissa in 1999 and Slammer in 2003. Today's threats are described as persistent, sophisticated, and targeted. The document then outlines the anatomy of a common attack involving phishing emails, drive-by downloads, gaining access to internal networks, and exfiltrating data. It recommends building a strong security foundation with controls and guidelines, developing an incident response plan, and establishing partnerships for assistance in responding to incidents.
2. Agenda
• Threat History
• Current Threats
• Breakdown of a Common Attack
• What you can do
– Incident Response
– Resources Available
3. CTS Security Operations Center
Provides centralized information sharing, monitoring, and analysis of Washington State security posture while mitigating risk and minimizing incident exposure.
• Alerting
• Risk Analysis
• Incident Response
• Vulnerability Management
• Education and Awareness
Awareness Test:
http://www.youtube.com/watch?v=oSQJP40PcGI
5. 1999 Threat - Melissa
• Sent copies of an infected Word document to up to 50 people
• No damage to computers or files
• Overwhelmed mail servers
http://www.cert.org/advisories/CA-1999-04.htm
6. 2003 Threat – Slammer
• SQL Server stack buffer overflow vulnerability
• Code execution at System user level
http://www.cert.org/advisories/CA-2003-04.htm
7. 2008 Threat – Conficker
• Windows Server service vulnerability
• Multiple variants
• Quickly took over millions of computers
• Disabled Windows services
• Locked out users
8. Today’s Threats
Persistent
• 44% increase in breach incidents 2010-11 across multiple verticals (Source: Ponemon Institute, 2011)
Sophisticated
• Use of advanced techniques and tactics points to growing nation-state sponsorship and resourcing
Targeted
• Shift to targeting of commercial sectors and government supply-chain providers
• Larger attack surface
• Consumerization of IT with pervasive use of social media, mobile devices, big data and cloud infrastructures
9. What I see at WA State
Reporting Period: 1Q 2013
10. What I deal with
Reporting Period: 3/1/13 – 3/15/13
• Web site defacement by Turkish Muslim group
• Attempted breach of VPN account
• Multiple workstations attempting to communicate with Zeus command and control servers
• Web server participating in DDoS attack against foreign national
• Multiple workstations attempting to communicate with ZeroAccess command and control servers
• Web site content management server software exploited
• Anomalous traffic at agency firewall indicating insider threat
• Open mail relay detected
• Multiple SQL injection attempts against web application
• Penetration test erroneously configured, causing alerts
11. Advanced Persistent Threats: The Age of the APT
Sophisticated attacks and well-resourced adversaries
• Nation State Actors
• Cyber Criminals
• Open Source Intelligence Collection
• Foreign Nationals
• Black Markets
• Non-Nation State Sub Contractors
• Supply Chain Tampering
• Third Countries
12. Common Attack: Phishing emails
A member of your staff receives a phishing email which may be personalized to attract their interest.
14. Adversary uses machine to gain access to internal network systems
Trojan installs backdoor which allows reverse connection to infected machine.
Hacker dumps password hash and gains access to a critical server via RDP.
16. Phishing emails: Attack Anatomy
• Discovery of company email addresses
– Jigsaw
• Come up with a scenario
– OWA upgrade
– Security alert
• Build phishing message
– Save .html file locally
– Use a kit such as SET
• Set up a real temporary domain
• Monitor effectiveness with scripts
17. Drive-by download
• Packing utilities / Metasploit / Backtrack
• Alternately, purchase an SDK and sign the executable so that it is trusted
• Test the executable or payload with free antivirus packages
– Microsoft Security Essentials
– AVG
• Await acknowledgement response from machine
18. Adversary uses machine to gain access to internal network systems (RDP)
• Passwords enumerated and cracked
• Mapping of other network devices
• Active Directory queries
• Access attempts with credentials
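The credential-guessing and RDP step above leaves a recognizable trace in Windows Security logs: a burst of failed logons (event 4625) against several accounts from one source, followed by a successful RemoteInteractive logon (event 4624, logon type 10) from that same source. The detection below is an added example, not part of the original deck; the event records are constructed sample data and the field names are a simplified assumption of a SIEM export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not real telemetry).
# 4625 = failed logon, 4624 = successful logon; logon_type 10 = RemoteInteractive (RDP).
EVENTS = [
    {"time": "2013-03-04T02:10:05", "id": 4625, "src": "10.1.5.23", "account": "jsmith", "logon_type": 3},
    {"time": "2013-03-04T02:10:09", "id": 4625, "src": "10.1.5.23", "account": "mjones", "logon_type": 3},
    {"time": "2013-03-04T02:10:14", "id": 4625, "src": "10.1.5.23", "account": "svc_backup", "logon_type": 3},
    {"time": "2013-03-04T02:10:20", "id": 4625, "src": "10.1.5.23", "account": "administrator", "logon_type": 3},
    {"time": "2013-03-04T02:11:02", "id": 4624, "src": "10.1.5.23", "account": "svc_backup", "logon_type": 10},
    # A user mistyping a password once at the console should not trigger an alert.
    {"time": "2013-03-04T09:00:00", "id": 4625, "src": "10.1.7.40", "account": "agarcia", "logon_type": 2},
    {"time": "2013-03-04T09:00:30", "id": 4624, "src": "10.1.7.40", "account": "agarcia", "logon_type": 2},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def detect_spray_then_rdp(events, min_accounts=3, window=timedelta(minutes=10)):
    """Return one alert per RDP logon (4624, type 10) that is preceded, within
    `window`, by failed logons (4625) against at least `min_accounts` distinct
    accounts from the same source address."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: _ts(e["time"]))
        for e in evs:
            if e["id"] != 4624 or e["logon_type"] != 10:
                continue
            t = _ts(e["time"])
            failed = {f["account"] for f in evs
                      if f["id"] == 4625 and t - window <= _ts(f["time"]) <= t}
            if len(failed) >= min_accounts:
                alerts.append({"src": src, "account": e["account"], "time": e["time"],
                               "failed_accounts": sorted(failed)})
    return alerts
```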
19. Data exfiltration
• Data is compressed
• Data is encrypted and sent over a common port such as 80 or 443
• Transmission is rate-limited to avoid detection
• Data is used for criminal purposes or to damage reputation
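Encryption hides the content of the exfiltrated data and port 443 hides it among normal web traffic, but rate-limiting produces its own signature: a long series of near-identical chunk sizes sent at a near-constant cadence, with far more bytes leaving than returning. The detector below is an added example, not part of the original deck; the flow records are constructed sample data in an assumed (time, src, dst, port, bytes_out, bytes_in) layout such as a proxy or firewall export might provide.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound flow records (time, src, dst, dst_port, bytes_out, bytes_in),
# as a proxy or firewall might export them. Not real traffic.
FLOWS = [
    # Ordinary HTTPS browsing: small requests, large irregular responses.
    ("2013-03-04T10:00:01", "10.1.5.23", "203.0.113.10", 443, 1800, 240000),
    ("2013-03-04T10:00:07", "10.1.5.23", "203.0.113.10", 443, 900, 51000),
    ("2013-03-04T10:00:20", "10.1.5.23", "203.0.113.10", 443, 2600, 410000),
    ("2013-03-04T10:01:02", "10.1.5.23", "203.0.113.10", 443, 1200, 98000),
    ("2013-03-04T10:01:40", "10.1.5.23", "203.0.113.10", 443, 3100, 620000),
] + [
    # Rate-limited upload: equal 64 KiB chunks every 4 minutes, almost nothing back.
    (f"2013-03-04T22:{m:02d}:00", "10.1.5.23", "198.51.100.7", 443, 65536, 300)
    for m in range(0, 48, 4)
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def _cv(values):
    """Coefficient of variation; 0 means perfectly uniform."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0

def detect_rate_limited_exfil(flows, min_flows=5, min_ratio=10.0, max_cv=0.15):
    """Flag (src, dst, port) groups on web ports whose outbound bytes dwarf
    inbound bytes and whose chunk sizes and send intervals are near-constant,
    the shape of a throttled, encrypted upload hiding in 80/443 traffic."""
    groups = defaultdict(list)
    for t, src, dst, port, out_b, in_b in flows:
        if port in (80, 443):
            groups[(src, dst, port)].append((_ts(t), out_b, in_b))
    alerts = []
    for key, recs in groups.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        outs = [o for _, o, _ in recs]
        ins = [i for _, _, i in recs]
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        ratio = sum(outs) / max(sum(ins), 1)
        if ratio >= min_ratio and _cv(outs) <= max_cv and _cv(gaps) <= max_cv:
            alerts.append({"src": key[0], "dst": key[1], "port": key[2],
                           "flows": len(recs), "bytes_out": sum(outs),
                           "out_in_ratio": round(ratio, 1)})
    return alerts
```

Browsing to a busy site never trips the ratio test because responses outweigh requests; a legitimate bulk upload (cloud backup) can, so the alert is a lead for the analyst, not a verdict.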
20. Recommendations
1. Build a strong security foundation
2. Have an Incident Response Plan ready
3. Know who to call
21. Build a Security Foundation
• SANS Top 20 Controls
• Australia DOD Mitigations
• NIST Guidelines
22. Develop Incident Response Mechanisms
• Have a plan
– NIST SP 800-61 Rev. 2
• Know the priority of your assets
• Exercise your plan
– 15 minute tabletops
– Functional exercise every 6 months
• Recognize that you will not be able to contain the incident yourself in many cases
Key Takeaways
CIRC, SOC and SIEM are not always interchangeable terms. In some organizations their responsibilities are different and distinct.
To address APTs the security organization is faced with some growing and changing responsibilities. First and foremost, the need for a CIRC capability has become evident in many organizations. Responsibilities include the need to be able to identify anomalies, predict attacks and respond to incidents. This drives a need for additional intelligence. Traditional SOC responsibilities have included security help desk capabilities and the day-to-day administration of key technical controls, including firewalls, VPNs, access controls, AV, etc. Another key capability is SIEM. This is where many of the reports and alerts that are so important to the CIRC originate.
What does all this mean for you sitting here today? It means different stakeholders may have new and different needs, but a unified strategy is needed to deal with new threats.
Traditional responsibilities across the board are undergoing review. This is more than just updating technical responsibilities and controls. It requires updating our business and operations models to deal with new enterprise dimensions.
The first step in this attack was phishing, or more accurately “spear phishing,” meaning that the attack targets specific people.
The zero-day attack in this case was launched when one user opened the email. The zero day then installed a backdoor (a variant of the Poison Ivy remote access Trojan) which immediately set about reconnaissance and cultivation. It’s important to note as well that the attacker was creating layers of resilience and making maximum use of the window of exposure.
The zero day then installs a backdoor which immediately sets about reconnaissance and cultivation. During this time, the attacker can create layers of resilience and make maximum use of the window of exposure.
The attacker encrypts sensitive files found on the critical server and transfers them out via FTP. These attacks are focused and coherent: the timing is choreographed and the attacker moves rapidly and unerringly. They know what to get and the order in which to get it. This type of attack can take months or perhaps years of preparation prior to staging the attack itself. It reflects an ability to move with exacting precision.