The document discusses the need for improved coordination and information sharing between EU member states to address targeted and persistent cyber attacks. It outlines common tactics used by adversaries, including initial weak intrusions, spreading malware to undermine security monitoring and exfiltrate data while avoiding detection. The document argues for consolidating knowledge of adversaries across borders, establishing standards for secure information exchange, and properly containing incidents to effectively eradicate intruders.
Coordinating EU cybersecurity through information sharing
1. Targeted & Persistent Attacks in EU
The need for coordination and information sharing between EU member states
Eoghan Casey, CASEITE & DFLabs
2.
2012 Copyright Eoghan Casey and CASEITE
All rights reserved
Attack against RSA - http://blogs.rsa.com/rivner/anatomy-of-an-attack/
3. Large-scale credit card robbery
Initial intrusion into regional office
Weak internal security
Servers with well known vulnerabilities
Unrestricted access to central servers
Weak egress filtering
File transfer permitted from central servers to Internet
Weak system monitoring
Intruder created account on central server
Installed sniffer on server
Sniffer and file transfer log files created on server
Weak network monitoring
Network level logs recorded file transfers
4. Coordinated Linux intrusions
Attacker's modus operandi
Repository of stolen SSH credentials
Privilege escalation
LKM rootkits & tricky backdoor
Trojanized SSH daemon
Resilient C2 and exfiltration
Destroy digital evidence
5. Common mistakes
1) Underestimating the adversary
Too quick to containment
2) Lack of evidence
No centralized logging infrastructure
3) Improper evidence handling
Update antivirus and scan compromised systems
6. Know the adversary
Initial intrusions not necessarily sophisticated
Spear phishing or vulnerable servers
Once inside, they spread virulently
Inside-out attacks circumvent egress filtering
Undermine security monitoring
File system tampering
Multiple malware versions with custom packing
Blend in with normal traffic
Encrypt command, control and exfiltration
7. Quick containment?
Current recommendation:
When an incident has been detected and analyzed, it is important to contain it before the spread of the incident overwhelms resources or the damage increases. Most incidents require containment, so it is important to consider it early in the course of handling each incident.
- NIST SP800-61 Rev. 1, page 3-19
8. Managing a data breach effectively
10. Cross border information sharing
Same attackers targeting all EU member states -> Consolidate adversary knowledge
Trust between government and industry
Confidentiality agreements
The more information there is to examine, the better
Sanitize what is shared to protect victims
11. Information exchange standards
STIX Structured Threat Information eXpression
STIX Whitepaper - makingsecuritymeasurable.mitre.org/docs/STIX-Whitepaper.pdf
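Slides 10 and 11 together describe sharing sanitized adversary knowledge in a standard format. The following is an added illustration, not code from the deck or from MITRE: it takes the kind of findings listed on slide 3 (rogue account, sniffer binary, file transfer to the Internet), keeps only attacker-side indicators, and emits them as a STIX 2.1 JSON bundle (a later revision than the 2012 whitepaper; the incident values are constructed and the hash is a placeholder).

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed incident record: what a victim's own responders would hold.
INCIDENT = {
    "victim_org": "Example Retail GmbH",                    # constructed
    "central_server": "db01.corp.example-retail.internal",  # constructed
    "exfil_destination": "198.51.100.23",                   # constructed (TEST-NET-2)
    "sniffer_sha256": "d0" * 32,                            # placeholder hash
    "rogue_account": "svc_backup2",                         # constructed
}

def sanitize(incident):
    """Allow-list only attacker-side observables; victim identity never leaves."""
    return {k: incident[k] for k in
            ("exfil_destination", "sniffer_sha256", "rogue_account")}

def indicator(name, pattern, now):
    """Minimal STIX 2.1 Indicator object with a STIX pattern."""
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now, "modified": now, "valid_from": now,
        "name": name, "pattern": pattern, "pattern_type": "stix",
    }

def build_bundle(incident):
    """Wrap the sanitized indicators in a STIX 2.1 Bundle ready to share."""
    s = sanitize(incident)
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = [
        indicator("Exfiltration drop host",
                  f"[ipv4-addr:value = '{s['exfil_destination']}']", now),
        indicator("Sniffer installed on central server",
                  f"[file:hashes.'SHA-256' = '{s['sniffer_sha256']}']", now),
        indicator("Account created by intruder",
                  f"[user-account:account_login = '{s['rogue_account']}']", now),
    ]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def leaks_victim_data(bundle, incident):
    """Release gate: the serialized bundle must not name the victim or its hosts."""
    text = json.dumps(bundle)
    return any(v in text for v in (incident["victim_org"], incident["central_server"]))

if __name__ == "__main__":
    bundle = build_bundle(INCIDENT)
    assert not leaks_victim_data(bundle, INCIDENT)
    print(json.dumps(bundle, indent=2))
```

The release gate is deliberately a second, independent check on the serialized output rather than trust in the allow-list alone.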
12. Get in touch
Eoghan Casey
DFLabs Business Partner
Risk Prevention and Response Co-manager
eoghan@dflabs.com
www.dflabs.com