Breach "Lessons Learned"
CyberTexas 2016
© Fidelis Cybersecurity
CyberTexas – Day 1 Highlights
• Mayor Taylor
• Congressman Hurd
• Mr. Naething
• Bill Marion
• Panels!
• Rodney Peterson
• Dr. Saunders
• Col Cluff
• Brig Gen Butikofer
• Cyber Hall of Honor
Cyber & the Presidential Campaign
Who attacked the DNC?
…and the DCCC?
Will it impact the election?
Will it impact US cyber policy?
Fuzzy Bear
Getting Out the "Lessons Learned"
The NYSE "Definitive Cybersecurity Guide"
Available in Kindle, iBooks, and PDF format at: www.securityroundtable.org
"Lessons Learned" Failures
• Shamoon
• Dark Seoul/Jokra
• Bashas, Schnucks & Family Produce
CyberPatriot in San Antonio
"San Antonio is doing what no one else has in promoting cyber education in youth. The partnerships you have formed among government, academe, the military, civic leaders and your local sponsors are AMAZING."
Bernie Skoch, CyberPatriot Commissioner
Thank you!
Jim [email protected]: +1 443-926-1159
Fidelis: Experts in Advanced Cyber Attacks
Rapidly Growing Global Presence
• Provide critical cyber capabilities for government and industry
• Global presence with headquarters in Washington, DC
• Offices in the UK, Germany, Poland, Czech Republic, Dubai & Singapore
Products and Intelligence Based on Experience
Products
• Deep visibility and forensics across both the network and endpoints
• Prevent data theft at every stage in the attack lifecycle
• Curated intelligence from the front lines
Experts on the Tools & Tactics of Advanced Attackers
Security Consulting Services
• Incident responders to high-profile breaches
• Handled over 3,500 cases
• We use our own products in our investigations
• Frequently called in when other leading IR firms fail
Over 15 Years of Experience in Government…
DC3 – the US agency that provides digital forensics support to the DoD and to other law enforcement agencies. On-time processing of over 4,600 examinations over the past 5 years; provided expert testimony in over 100 court proceedings (inside and outside the US).
US-CERT – a partnership between the DHS, public, and private sectors, coordinating response to security threats. Since 2003, maintained 24x7x365 watch operations, analysis and detection support. We analyze over 1,000 malicious code samples per day and have investigated over 250,000 incidents.
National Cybersecurity Protection System – designs, develops, integrates and deploys cyber defense tools to enhance the security posture of Federal networks. Since 2003, integrate & operate the EINSTEIN network Intrusion Detection System for attack sensing and warning across the .gov network.
… and Proven Commercial Success
• A multinational leader in search, cloud, and online advertising. We assisted them with expert data mining & analysis for the much-publicized Gmail and source code attack from China.
• A payment processing company for online, mail order, and high street retailers. We responded quickly to perform analysis of the intrusion with our proprietary processes and workflows.
• A global banking and financial services group based in the UK. After attacks on their information we provided the data analysis that helped convict leaders of a Russian crime ring.
• The second largest stock exchange in the world suffered a series of incidents. Our rapid response teams were first on the scene in support of US-CERT with our CyberSoc tools.
• The leading off-price retailer of apparel & home fashions worldwide. With agile recovery we identified the threat and established network monitoring in 48 hours. We helped convict Albert Gonzalez.
Attack Lifecycle Overview
Detection at Every Stage of an Attack
Preventing attackers from achieving their mission requires detection and visibility at every stage of the attack. Each stage below is listed with the attacker objective and sample tools & tactics.
Initial Compromise – Gain Initial Access
• Phishing e-mail
• Watering-hole attack
• Removable media
• Malicious download
Establish Foothold – Strengthen Position
• Custom malware
• Command and control
• 3rd party application exploitation
Escalate Privileges – Steal Valid User Credentials
• Credential theft
• "Pass-the-hash"
Move Laterally – Access Other Servers & Files
• Windows & Linux lateral movement techniques
• Reverse shell access
Data Theft – Package & Steal Target Data
• Staging servers & directories
• Data consolidation
• Data theft
TJX Breach Begins New Chapter in Cyber Crime
• TJX reported 46 million credit/debit card numbers stolen
• U.S. Justice Department got arrests and convictions against the criminals
• TJX spent $132 million on expenses related to the breaches
Approved for External Release, January 2013
Immediate Financial Impact
Persistent Timeline of Events – Case Study #2
Timeline: Jan Feb Mar Apr May Jun Jul Aug … Dec Jan Feb Mar Apr
Initial access
• Intruder gains access to the environment through SQL injection.
• The intruder begins to do reconnaissance of the network.
Backdoors
• Backdoors first appear on the network.
• The intruder is now able to access the network at will.
Development 0.1
• Memory scraper and dump utilities first appear on the network.
• The intruder uses the scrapers and dump utilities to test development of gathering Track 2 data in this environment.
Development 0.2
• A new set of memory scrapers and dump utilities appear on the network.
• The intruder begins to test the next iteration of memory scrapers after further learning the environment.
Development 0.3
• Scraper output files first appear on the network; however, the source scraper is unknown.
• These output files contained encrypted Track 2 data.
Generation 1
• A production memory scraper appears on the network.
• This scraper outputs encrypted Track 2 data in mass quantities.
Second entry point
• Intruder accesses the environment through a second vulnerable web page.
• Intruder activity was detected by incident responders and remediated.
Generation 2
• A production memory scraper appears on the network.
• This scraper is more sophisticated than previous scrapers and outputs data files with stronger encryption.
Breach terminated
• Incident responders remove the vulnerable web page from the network.
• The intruder loses access to the environment.
Persistent Timeline of Events – Case Study #1
Timeline: Jul Aug Sep Oct Nov … May Jun … Sep Oct Nov Dec Jan
Initial access
• Intruder gains access to two stores via unsecured wireless terminals.
• The intruder jumps to the corporate data center and begins network reconnaissance.
Sniffer testing
• Intruder tests and evolves a series of sniffers.
VPN access established
• Intruder installs a VPN tunnel providing continuous access to the network.
Major download
• Intruder identifies a database with unencrypted credit cards and exfiltrates it.
Major download #2
• Intruder conducts another major download, but files are now encrypted.
Production operations
• Intruder uses the sniffer to capture credit cards and exfiltrate ~45,000 cards every three days.
Breach terminated
• We lock the intruder out of the network and terminate the breach.
Lessons Learned: Robust network monitoring is critical; monitor data moving laterally & data leaving the network!
What It Takes to Find Attackers
It's About More than Malware
• Changing Data/Hijacking Services
• Ransomware
• Insider Threat
• SQL Injection
• Destructive Attacks
• Cross-Site Scripting (XSS)
• Zero-Day Exploits
• Data & Credential Theft
• Web Shells
• Surveillance/Espionage
• Unusual User Behaviour
• Malicious Content & Services
Case Study #3: APT Attack on Defence Contractor
Company Hacked Again! → NDF Engages (Leads / Opportunities) → Engage CISO → Provide Services Capability Brief → Develop Aggressive Remediation Approach → Fidelis Engages → Eradicate the Attackers
Result: No significant breach in 2 years!
Incident Response (IR) Models
Traditional IR
• Phase 1 Investigation
• Phase 2 Containment
• Phase 3 Remediation
Advanced Attack IR
• Phase 1 Investigation
• Phase 2 Containment
• Phase 3 Expulsion
• Phase 4 Remediation
Approaches to Eradicating APT Attackers
What is expulsion?
The two approaches to expulsion:
• Sequential
• Event Focused
Phase 1 Investigation → Phase 2 Containment → Phase 3 Expulsion → Phase 4 Remediation
Our Goal
Prevent attackers from achieving their mission… by creating a world where attackers have no place left to hide.