Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

The chaos of a corporate attack

769 vues

Publié le

In our Cyber Security Insider series of eBooks, we take a look at three critical topics around advanced cyber security. This is the first part of the this Ebook series.
Article link: https://business.f-secure.com/the-cyber-security-insider-series

Publié dans : Logiciels
  • Soyez le premier à commenter

  • Soyez le premier à aimer ceci

The chaos of a corporate attack

  1. 1. CYBER SECURITY INSIDER – EBOOK 1/3 How one company’s sensitive data was breached and what they did next Thechaosof acorporate attack
  2. 2. 2CYBER SECURITY INSIDER – EBOOK 1/3 Cyber security inreallife
  3. 3. Thepurpose ofthiseBookis nottoscareyou 3CYBER SECURITY INSIDER – EBOOK 1/3
  4. 4. 4CYBER SECURITY INSIDER – EBOOK 1/3 Cybersecurity inreallife You already know how frequent and public cyber security incidents are becoming. You already know how far-reaching and long lasting their impact can be on a company’s reputation and customers. And you already know that the bulk of the blame ultimately falls on a company’s management. What you (hopefully) don’t know is what a cyber security incident looks like from the inside – how it happens, how much it distracts C-level leaders and how companies get affected internally. More important, if you’re like most C-level leaders, you don’t know how best to respond to a major cyber security incident – how to deal with a distracted business, how to deal with the reputation damage or how to deploy a coherent crisis management plan. Over the course of this Cyber Security Insider series, we’ll show you how CISOs are protecting their organizations, as well as the best practices you can and should be applying. The purpose of this eBook is to tell you about a specific case where an attacker breached a company’s infrastructure and extracted sensitive data, despite their existing security measures. In it you’ll learn how the breach happened, and how the company reacted to resolve the incident. You’ll see how these sorts of incidents play out and how companies should – and shouldn’t – react to them. Let’sdivein.
  5. 5. The commoditization ofadvanced threats
  6. 6. 6CYBER SECURITY INSIDER – EBOOK 1/3 The commoditization ofadvanced threats Advanced persistent threats (APTs) are usually associated with well-resourced, highly organized attackers like nation states. The trouble is, once these tactics are used in state-sponsored attacks, the techniques and procedures employed quickly become publicly known. Which means cyber criminals with fewer resources can start to use them too. For instance, we’ve seen cyber criminals utilize APT-style attacks that deploy sophisticated crypto-ransomware inside businesses without traditional mass-infection vectors like phishing and exploit kits. Put simply: cyber criminals are constantly evolving to become more organized. And the ecosystems they rely on to buy tools and tactics are only becoming more commoditized. So corporate defensive perimeters are increasingly susceptible to even the most common tactics. We only bring this up to remind you that while the methods attackers use to breach companies may be highly sophisticated, they’re also unfortunately common. A fact that was all too clear in the case of Corp X (not their real name).
  7. 7. 7CYBER SECURITY INSIDER – EBOOK 1/3 The breach
  8. 8. 8CYBER SECURITY INSIDER – EBOOK 1/3 The BREACH In the autumn of 2015, Corp X, a large service provider listed on several international stock exchanges, with major financial institutions as customers, discovered a breach in their company network. Having initially discovering the data leak, Corp X’s IT department began investigating what sort of data was being leaked, who was leaking it and how they were doing it. But since they’d never performed a forensic investigation of this magnitude before, the team had access to a very limited skill-set, few investigative tools and practically no threat intelligence information. So after a few weeks of probing and getting nowhere, they reached out to us and our team of white-hat security experts. (We only mention this to explain when we got involved.) By this point, Corp X had collected evidence that data had been extracted from their network and sent to an unknown Chinese IP address. Given this evidence, the first big question was about where the leak came from: Was it an internal actor (an employee, contractor, affiliate or member of the supply chain)? Or had an external party gained access to the company’s internal network?
  9. 9. 9CYBER SECURITY INSIDER – EBOOK 1/3 OPEN SOURCE INTELLIGENCE Even without publicly available sources, attackers use ‘social engineering‘ (such as calling individuals in the target company to gather information) to get the information they need. After careful forensic analysis, it became clear this was the work of an outsider. Next, a closer examination of the time-line of events indicated that the attacker selected Corp X as a target some time prior to the attack. In fact, they had planned their attack strategy based on information gathered during an early research and reconnaissance phase. With a wealth of public information available, including the company’s own web pages, social media, partner and affiliate sites, and contractor sites, the attacker developed a detailed picture of Corp X. Once the attacker had the right information, he designed an attack that hit a specific set of employees and targeted a weak spot in the organization’s infrastructure. Specifically, he crafted a social engineering campaign that targeted Corp X’s CFO and direct reports with an elegantly worded email directing the recipients to a compromised website. Someone in the group took the bait. And that’s when the initial breach occurred. The BREACH
  10. 10. 10CYBER SECURITY INSIDER – EBOOK 1/3 The email We took a look at the email ourselves, and nothing about it looked suspicious. Like the site it linked to, the content of the mail related directly to the group’s responsibilities. This was no ordinary phishing campaign. It wasn’t a badly written email sent en-masse hoping for gullible victims. This type of attack, commonly known as spear-phishing, relies on a carefully handcrafted, well-researched, plausible message directed at a small group of people with a common, focused set of interests. They’re incredibly easy to miss. In fact, one of the targeted employees became suspicious and sent their own copy of the mail to Corp X’s IT department. Unfortunately, with little threat intelligence to guide them, they performed their own investigation and concluded that nothing untoward was going on. The email was designed to direct the victim to a legitimate, non-malicious site. However, the attacker had compromised the site at an earlier time and inserted a specially crafted ad-banner into it. This ad-banner functioned non-maliciously for every visitor except for the group of victims in question. Then, it delivered a malicious payload – specifically designed to evade that system’s anti-virus system – onto the targeted victim’s computer. The BREACH
  11. 11. 11CYBER SECURITY INSIDER – EBOOK 1/3 ‘Living off the land’ Once the payload was successfully executed on the victim’s computer, the attacker gained access to Corp X’s internal network. From this point on, he moved laterally onto the CFO’s system, and from there, further into the organization’s network with stolen credentials from their active directory. Once a foothold had been secured, he covered his tracks by deleting all evidence of the initial breach. By impersonating employees, the infiltrator was able to operate undetected inside Corp X’s internal network, a state commonly known as ‘living off the land’. During this period, he was able to spy on employees and accumulate critical data that he would then upload to his own systems. It was during one of these uploads that the IT department at Corp X first flagged the activity. Further forensic analysis revealed the full extent of the attacker’s theft – 7GB of data had been stolen. And the intruder had complete access to Corp X’s network and data for close to nine months before he was finally caught. The importance of proactive cyber security Corp X caught a lucky break in noticing the data leak when they did. The upload was being executed during office hours, late in the afternoon, and on a busy workday. Had it’s IT staff been putting out fires or performing other critical tasks at the time – as was the case with all the other uploads the intruder got away with – they probably wouldn’t even have noticed it happening. The BREACH
  12. 12. 12CYBER SECURITY INSIDER – EBOOK 1/3 The aftermath
  13. 13. 13CYBER SECURITY INSIDER – EBOOK 1/3 The aftermath At this point, Corp X knew how the intruder gained access, how long he’d remained undetected, how much sensitive data he’d collected and how he was ex-filtrating that data. Now it was time to respond. And it wasn’t going to be easy. Once they’d determined the scope of the crisis, Corp X began setting up an incident response process. This involved: - Taking potentially breached systems offline - Freezing compromised accounts - Setting up network access restrictions As the forensic investigations progressed, it became clear just how much data had been ex-filtrated from Corp X. So a major incident management process was initiated. It was at this point that Corp X’s leadership team was first informed about what had happened – how a major data breach had occurred and that private customer data had been stolen by a then unknown third party. The next decision made was to inform stakeholders and – due to the nature of the data leak and Corp X’s client base – financial supervisory authorities. So during the weeks that followed, Corp X’s leadership team would have to give the incident their full attention. Next, contingency and recovery plans were drawn up, the legal department was brought in and briefed, and stakeholder communications and official company statements were drafted. Soon after, the first customer communications were sent out.
  14. 14. 14CYBER SECURITY INSIDER – EBOOK 1/3 The floodgates open As you’d imagine, Corp X received a deluge of client demands. Key account managers and service representatives were hammered with questions from unnerved customers. After breaches like this one, everyone’s focus shifts. The single most important thing at this point is to make sure you communicate the right things and understand the best way to communicate them. ‘Whathappened?’ ‘Howdidithappen?’ ‘Whendidithappen?’ ‘Whydidithappen?’ ‘Howdoesitaffectme?’ ‘Howareyougoing tofixthesituation?’ ‘Whenareyougoing tofixthesituation?’ ‘Arethereanylegal implications?’
  15. 15. 15CYBER SECURITY INSIDER – EBOOK 1/3 Everyone’s overworked The legal department, communications department, incident response team and leadership team all worked themselves into the ground trying to feed the appropriate answers to all these questions. In fact, it was only months later, that the panic slowly began to subside at Corp X. Clear communications were sent to customers, legal processes were understood and initiated, forensics were completed, and systems were slowly recovered to normal. Employees that had been fully focused on reacting to the incident were able to get back to their normal jobs. Those affected by the incident response measures could, once again, get back to work. The importance of a clear plan for crisis management During a major incident like this one, the more facts about the severity of the situation come to light, the more panic starts to set in. Multiple departments get tied up, employees and leaders have to stop thinking about their day-to-day business and customers get increasingly irate. Often, critical systems and services need to be shut down, leaving some staff without the tools they need to work. Everyone involved is usually fatigued and stressed. It’s during these moments that you realize how important it is to have a clear plan for crisis management. Think about it: every company conducts infrequent fire drills. They’re important because they make sure everyone knows how to react in the event of an actual fire – before the fire happens. But when it comes to cyber security, most companies have no clue what they should do when something goes wrong. By defining a clear plan for crisis management and then rehearsing that plan, you ensure everyone – from the top down – knows what they need to do to ensure safety and get back to work as soon as possible. That might sound paranoid, but what’s more likely to happen, a fire or a breach? The aftermath
  16. 16. 16CYBER SECURITY INSIDER – EBOOK 1/3 The fallout It took over six months to get from the moment the breach was first noticed to the moment its impact was fully understood. Unfortunately, the story didn’t end there. Corp X suffered substantial losses from this incident. Some of them are easily quantifiable: business and productivity losses during the escalation period, closed customer accounts, incident response costs and up-front legal fees were all fairly easy to calculate. But the long-term reputational repercussions are a whole lot harder to measure. In fact, Corp X is still involved with ongoing legal proceedings. The data that was stolen is still in the hands of the thieves, and it remains to be seen whether any of it will be leaked to the public, or used against the company in some other way (it’s not uncommon for companies to be held to ransom). Even a full six months after the intrusion was discovered, Corp X still has a massive mess to clean up. Moving forward During the weeks and months that followed, Corp X performed a full risk assessment analysis and put major plans in place to improve their security. These plans included implementing additional hardening of infrastructure, deployment of new security awareness measures, executing security culture improvements in the company, and drafting up recovery plans for future incidents. The aftermath
  17. 17. 17CYBER SECURITY INSIDER – EBOOK 1/3 Y axis: Stakeholder focus/Demand on resources X axis: Time Thetimeline ofCorp X’s attack Y X IT discovers the anomaly The threat is escalated to Security Monitoring and Incident Management (MIM) Internal stakeholders are notified Clients begin demanding an explanation 1 2 3 4 5 7 8 9 10 11 12 13 6 The CMT briefs affected business units The Incident Response Team (IRT) gets involved The Financial Services Authority (FSA) demands information The National Data Privacy Ombudsman demands information The comms teams start preparing statements An external PR company is brought in The 1st forensics report reveals the breach is larger than expected The issue is escalated to the management team The CEO starts preparing a statement Corp X freezes certain processes The CMT isolates a suspected system Corp X reports to the FSA Closed accounts start to hinder internal operations A major security improvement program is initiated Two risk assessments are conducted Corp X starts scoping its new security program The IRT, MIM and CMT are organized 14 15 16 17 18 19 20 21
  18. 18. 18CYBER SECURITY INSIDER – EBOOK 1/3 Fivebig lessons from CorpX’s experience
  19. 19. Notwo companies areidentical. Butthereare alotoflessons tobelearned frombreaches likeCorpX’s 19CYBER SECURITY INSIDER – EBOOK 1/3
  20. 20. 20CYBER SECURITY INSIDER – EBOOK 1/3 Fivebiglessons fromCorpX’s experience Here are five big ones: 1. Static defenses aren’t enough. No matter how many static defenses you put in place, a persistent attacker can always breach your perimeter. This isn’t to say your investments in things like endpoint protection, anti-virus and anti-malware software aren’t necessary. They absolutely are. They just can’t be the only protection you count on. A bulletproof vest is necessary – it just doesn’t make you invincible. 2. When it comes to breaches, speed is of the essence. Since you can’t stop every perimeter breach, your focus needs to be improving the speed with which you react to issues. If Corp X had caught their breach within minutes or hours (rather than months) the intruder wouldn’t have had nearly enough time to acquire the data he needed. Speed’s also about making sure you plug similar holes before an intruder tries again. 3. Define a contingency plan for cyber attacks. Nobody ever has a clear contingency plan for cyber attacks. As we mentioned earlier, without a plan, you wouldn’t know what the consequences of shutting down network connections, freezing user accounts, and taking critical resources offline are. A coherent plan accounts for worst-case scenarios before they happen so you’re ready to act in case they ever do.
  21. 21. 21CYBER SECURITY INSIDER – EBOOK 1/3 Fivebiglessons fromCorpX’s experience 4. Investigations start with great forensics. Intruders will always try to cover their tracks and hide where they’ve been, what they’ve had access to, and what they’ve done. Being able to trace an incident back to its starting point is the only way to fully understand what happened, what needs doing and which next steps to take. As Corp X’s IT team found out, without the right forensic methods and tools, their hands were tied. 5. Cyber security is all about threat intelligence. Unless you have access to threat intelligence data – samples, indicators of compromise, and an extensive knowledge of the tactics, techniques and procedures (TTP) used by attackers – you can’t know how to react. But it isn’t just about the data – it’s about having the human expertise to use that data.
  22. 22. 22CYBER SECURITY INSIDER – EBOOK 1/3 Getting cyber security Right
  23. 23. 23CYBER SECURITY INSIDER – EBOOK 1/3 getting cybersecurity right Needless to say, this isn’t the kind of learning experience anyone at Corp X wants to repeat. But here’s the thing: nothing that happened to Corp X can be considered out of the ordinary. Attacks like this happen all the time. And they don’t use any particularly advanced techniques or technologies. The attacker just needs to be patient and persistent. If the first group of victims hadn’t taken the bait, another group would’ve. What’s far less common is for these kinds of breaches to even get noticed. As we mentioned, Corp X was lucky to spot what they did. And if they were like most other companies, they’d have had to wait for an external party like law enforcement to alert them to any suspicious activity. It’s also worth noting that Corp X wasn’t a particularly exciting target from an attacker’s perspective. A lot of companies think they aren’t interesting enough to be targeted. But the reality is that even the most ‘ordinary’ businesses are viable targets. (Again, we don’t bring any of this up to scare you.) But the more we talk to companies about their breaches, the more we notice the same patterns. The C-level invariably admits they treated cyber security like little more than an insurance policy. They’re always surprised the attack happened. They’re always the first to concede their risk management strategy wasn’t good enough. And they always wonder what could have been. We hope learning about what Corp X got right (and wrong) helps you figure out what your company needs to get cyber security right. This is too important to ignore. And too many corporate leaders are flying blind.
  24. 24. 24CYBER SECURITY INSIDER – EBOOK 1/3 We’re f-secure And we’ve been a part of the security industry for over 25 years. It’s why we’ve become a trusted advisor to both industries and EU law enforcement agencies across Europe. In fact, we’ve been involved in more European crime scene investigations than any other company on the market. Our Cyber Security Services help companies react faster, learn more and respond more intelligently to threats and breaches of all sizes. So if you’re one of the smart ones and you’re getting serious about cyber security, we should talk. Next in the cyber security insider series In the second part of the Cyber Security Insider series, we’ll take a look at what CISOs in Europe are doing in order to prepare their companies to handle the type of advanced threats we’ve talked about.

×