Breach ”Lessons Learned” CyberTexas 2016

Breach ”Lessons Learned” - fbcconferences.com · TJX Breach begins new chapter in cyber crime TJX reported 46 million credit/debit card numbers stolen U.S. Justice Department


Page 1

Breach ”Lessons Learned”

CyberTexas 2016

Page 2

© Fidelis Cybersecurity

CyberTexas – Day 1 Highlights


• Mayor Taylor
• Congressman Hurd
• Mr. Naething
• Bill Marion
• Panels!
• Rodney Peterson
• Dr. Saunders
• Col Cluff
• Brig Gen Butikofer
• Cyber Hall of Honor

Page 3


Cyber & the Presidential Campaign


Who attacked the DNC?

Will it impact the election?

Will it impact US cyber policy?

Page 4


Cyber & the Presidential Campaign


Who attacked the DNC? … and the DCCC?

Will it impact the election?

Will it impact US cyber policy?

Fuzzy Bear

Page 5


Getting Out the ”Lessons Learned”


The NYSE “Definitive Cybersecurity Guide”

Available in Kindle, iBooks, and PDF format at: www.securityroundtable.org

Page 6


“Lessons Learned” Failures


• Shamoon
• Dark Seoul/Jokra
• Bashas, Schnucks & Family Produce

Page 7


CyberPatriot in San Antonio


"San Antonio is doing what no one else has in promoting cyber education in youth. The partnerships you have formed among government, academe, the military, civic leaders and your local sponsors are AMAZING."

Bernie Skoch, CyberPatriot Commissioner

Page 8

Thank you!

Jim [email protected]

+1 443-926-1159

Page 9


Fidelis: Experts in Advanced Cyber Attacks

• Provide critical cyber capabilities for government and industry
• Global presence with headquarters in Washington, DC
• Offices in the UK, Germany, Poland, Czech Republic, Dubai & Singapore

Rapidly Growing Global Presence

Products and Intelligence Based on Experience
• Deep visibility and forensics across both the network and endpoints
• Prevent data theft at every stage in the attack lifecycle
• Curated intelligence from the front lines

Products

Experts on the Tools & Tactics of Advanced Attackers
• Incident responders to high-profile breaches
• Handled over 3,500 cases
• We use our own products in our investigations
• Frequently called in when other leading IR firms fail

Security Consulting Services

Page 10


Over 15 Years of Experience in Government…


DC3 – the US agency that provides digital forensics support to the DoD and to other law enforcement agencies. On-time processing of over 4,600 examinations over the past 5 years; provided expert testimony in over 100 court proceedings (inside and outside the US).

US-CERT – a partnership between the DHS, public, and private sectors, coordinating response to security threats.

Since 2003, maintained 24x7x365 watch operations, analysis and detection support. We analyze over 1000 malicious code samples per day and have investigated over 250,000 incidents.

National Cybersecurity Protection System designs, develops, integrates and deploys cyber defense tools to enhance the security posture of the Federal networks.

Since 2003, integrate & operate the EINSTEIN network Intrusion Detection System for attack sensing and warning across the .gov network.

Page 11


… and Proven Commercial Success

A multinational leader in search, cloud, and online advertising. We assisted them with expert data mining & analysis for the much publicized Gmail and source code attack from China.

A payment processing company for online, mail order, and high street retailers. We responded quickly to perform analysis of the intrusion with our proprietary processes and workflows.

A global banking and financial services group based in the UK. After attacks on their information we provided the data analysis that helped convict leaders of a Russian crime ring.

The second largest stock exchange in the world suffered a series of incidents. Our rapid response teams were first on the scene in support of US-CERT with our CyberSoc tools.

The leading off-price retailer of apparel & home fashions worldwide. With agile recovery we identified the threat and established network monitoring in 48 hours. We helped convict Albert Gonzalez.

Page 12


Attack Lifecycle Overview

Detection at Every Stage of an Attack

Preventing attackers from achieving their mission requires detection and visibility at every stage of the attack.

Stage: Initial Compromise
Attacker Objective: Gain Initial Access
Sample Tools & Tactics: • Phishing e-mail • Watering-hole attack • Removable media • Malicious download

Stage: Establish Foothold
Attacker Objective: Strengthen Position
Sample Tools & Tactics: • Custom malware • Command and control • 3rd party application exploitation

Stage: Escalate Privileges
Attacker Objective: Steal Valid User Credentials
Sample Tools & Tactics: • Credential theft • “Pass-the-hash”

Stage: Move Laterally
Attacker Objective: Access Other Servers & Files
Sample Tools & Tactics: • Windows & Linux lateral movement techniques • Reverse shell access

Stage: Data Theft
Attacker Objective: Package & Steal Target Data
Sample Tools & Tactics: • Staging servers & directories • Data consolidation • Data theft

Page 13


TJX Breach begins new chapter in cyber crime

TJX reported 46 million credit/debit card numbers stolen

U.S. Justice Department got arrests and convictions against the criminals

TJX spent $132 million on expenses related to the breaches

Approved for External Release, January 2013

Page 14


Immediate Financial Impact

Page 15


Persistent Timeline Of Events – Case Study #2

Intruder accesses the environment through second vulnerable web page. Intruder activity was detected by incident responders and remediated.

Generation 2: A production memory scraper appears on the network. This scraper is more sophisticated than previous scrapers and outputs data files with stronger encryption.

Intruder gains access to the environment through SQL injection. The intruder begins to do reconnaissance of the network.

Backdoors first appear on the network. The intruder is now able to access the network at will.

Development 0.3: Scraper output files first appear on the network; however, the source scraper is unknown. These output files contained encrypted Track 2 data.

Development 0.1: Memory scraper and dump utilities first appear on the network. The intruder uses the scrapers and dump utilities to test development of gathering Track 2 data in this environment.

Development 0.2: A new set of memory scrapers and dump utilities appear on the network. The intruder begins to test the next iteration of memory scrapers after further learning the environment.

Generation 1: A production memory scraper appears on the network. This scraper outputs encrypted Track 2 data in mass quantities.

Breach terminated: Incident Responders remove vulnerable web page from the network. The intruder loses access to the environment.

Timeline axis (months): Jan Feb Mar Apr May Jun Jul Aug … Dec Jan Feb Mar Apr

Page 16


Persistent Timeline of Events – Case Study #1

Breach terminated: We lock the intruder out of the network; terminate the breach.

Sniffer testing: Intruder tests and evolves series of sniffers.

Intruder gains access to two stores via unsecured wireless terminals. The intruder jumps to corporate data center and begins network reconnaissance.

VPN access established: Intruder installs VPN tunnel providing continuous access to the network.

Major download: Intruder identifies database with unencrypted credit cards and exfiltrates it.

Major download #2: Intruder conducts another major download but files are now encrypted.

Production operations: Intruder uses sniffer to capture credit cards and exfiltrate ~45,000 cards every three days.

Timeline axis (months): Jul Aug Sep Oct Nov … May Jun … Sep Oct Nov Dec Jan

Lessons Learned: Robust network monitoring is critical; monitor data moving laterally & data leaving the network!
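As an added example (not code from the deck or from Fidelis), the monitoring lesson above turned into a check over constructed flow records: it baselines each internal host's daily outbound volume, flags days far above that baseline, and reports whether the spikes recur at a fixed cadence like the three-day rhythm in Case Study #1, which volume and timing reveal even after the intruder switched to encrypted files. The internal address range, the sample hosts and the flow records are all assumptions.

```python
"""Added example (not the deck's code): egress-volume and cadence check over
constructed flow records. Flags hosts whose daily outbound bytes to external
addresses far exceed their own baseline and reports a fixed recurrence interval.
Encrypted payloads defeat content inspection, so only volume and timing are used."""
from collections import defaultdict
from datetime import date
import ipaddress
import statistics

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range


def daily_egress(flows):
    """Outbound bytes per (src host, day), counting only flows that leave the network."""
    totals = defaultdict(int)
    for day, src, dst, nbytes in flows:
        if ipaddress.ip_address(src) in INTERNAL and ipaddress.ip_address(dst) not in INTERNAL:
            totals[(src, day)] += nbytes
    return totals


def find_exfil_candidates(flows, spike_factor=5.0):
    """{host: sorted spike days} where a day's egress > spike_factor x the host's median day."""
    per_host = defaultdict(dict)
    for (src, day), nbytes in daily_egress(flows).items():
        per_host[src][day] = nbytes
    result = {}
    for host, days in per_host.items():
        baseline = statistics.median(days.values())
        spikes = sorted(d for d, b in days.items() if b > spike_factor * baseline)
        if len(days) >= 3 and spikes:  # need some history before trusting a baseline
            result[host] = spikes
    return result


def spike_interval_days(spike_days):
    """Fixed cadence between spikes in days, or None if irregular or a single spike."""
    gaps = {(b - a).days for a, b in zip(spike_days, spike_days[1:])}
    return gaps.pop() if len(gaps) == 1 else None


def constructed_flows():
    """Constructed sample (day, src, dst, bytes); 10.1.1.5 bursts every third day."""
    flows = []
    for d in range(1, 13):
        day = date(2016, 1, d)
        flows += [(day, "10.1.1.5", "203.0.113.9", 2_000_000),    # steady egress
                  (day, "10.1.1.7", "203.0.113.9", 1_500_000),    # quiet host
                  (day, "198.51.100.4", "10.1.1.5", 9_000_000)]   # inbound, ignored
        if d % 3 == 0:
            flows.append((day, "10.1.1.5", "203.0.113.77", 40_000_000))  # burst
    return flows
```

Running `find_exfil_candidates(constructed_flows())` reports only 10.1.1.5, with spikes on the 3rd, 6th, 9th and 12th and a three-day cadence; in practice the baseline window and spike factor are tuned per network.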

Page 17


What It Takes to Find Attackers


It’s About More than Malware

• Changing Data/Hijacking Services
• Ransomware
• Insider Threat
• SQL Injection
• Destructive Attacks
• Cross-Site Scripting (XSS)
• Zero-Day Exploits
• Data & Credential Theft
• Web Shells
• Surveillance/Espionage
• Unusual User Behaviour
• Malicious Content & Services

Page 18


Eradicate the Attackers

Case Study #3: APT Attack on Defence Contractor

• Company Hacked Again!
• NDF Engages
• Leads
• Opportunities
• Engage CISO
• Provide Services Capability Brief
• Develop Aggressive Remediation Approach
• Fidelis Engages

Result: No significant Breach in 2 Years!

Page 19


Incident Response (IR) Models

Traditional IR
• Phase 1 Investigation
• Phase 2 Containment
• Phase 3 Remediation

Advanced Attack IR
• Phase 1 Investigation
• Phase 2 Containment
• Phase 3 Expulsion
• Phase 4 Remediation

Page 20


Approaches to Eradicating APT Attackers


What is expulsion?

The two approaches to expulsion:
• Sequential
• Event Focused

• Phase 1 Investigation
• Phase 2 Containment
• Phase 3 Expulsion
• Phase 4 Remediation

Page 21

Our Goal

PREVENT ATTACKERS FROM ACHIEVING THEIR MISSION … by creating a world where attackers have no place left to hide.