Embed Size (px)
Citation preview
WEDETECTTHECYBERTHREATSTHATOTHERTECHNOLOGIESMISS
Cyberstrategy:AWake-UpCall
Date 2017.05.30
Presenter EldonSprickerhoffChiefSecurityStrategist,[email protected]@TheEldon
C AMBR I DG E | N EW YO R K | L ONDON | C O R K
300
EMPLOYEES
2001FOUNDED
525+
CUSTOMERS
60%
YOYGROWTH
97%
CUSTOMERRETENTION
$5.7T
AUMUSDPROTECTED
PROVEN
CYBERSECURITYFORMID-SIZEDENTERPRISE
CYBERCRIMEISBIGBUSINESS
$70Bspentoncybersecurity
THREATACTORS
HACTIVIST NATIONSTATEACTORINSIDERORGANIZEDCRIMECRIMINAL TERRORIST
$375-575BinesYmatedlosses
MEANS|MOTIVE|OPPORTUNITY
EasyAccesstoCyberWeaponry
NoNegaYveRepercussions
MoYvaYonisHigh
MinimalCyberSkillsRequired
CAMPAIGNSPHISHING
SPOOFINGBOSSTHE
BUSINESSEMAILCOMPROMISE(BEC)
WATERINGHOLES
SYSTEMICVULNERABILITIES
EXPLOITATION
ENGINEERINGSOCIAL
RANSOMWARE
TARGETEDATTACKS
SOPHISTICATEDCYBERATTACKS
WHYAREVCANDPEFIRMSINTERESTINGTOHACKERS?
HIGH VALUE ASSETS PUBLICLY VISIBLE
CONFIDENTIAL & VALUABLE INFORMATION
WELL KNOWN INVESTMENTS
TheAn
atom
yofaTypicalAcack
ESTABLISHBEACHHEAD
ESTABLISHC2CHANNEL
EscalaJon/Extension/Expansion/PenetraJon
SPEARPHISHING
EXTERNALSCANSVulnerabiliJes|WeakCredenJals|SQLi
PHYSICALUSBDrive|CDR|Laptop|Mobile|WIFI
OPPORTUNISTICDrive-byDownload
EmailAZachment|MaliciousURL
INFILTRATION
ATTACKER
Updates&InstrucJons
TIME
DATAEXFILTRATION
LateralAnalysisTo‘LearnAboutYou’
LateralAccessTo‘SecretSauce’
ONGOINGEDUCATION
KeyLogging
DOC/Mailbox/TextSearch
PasswordCracking/SAM
User/GroupAccounts
PoorlyProtectedShares
ARPHijack/MITM
PoorlyPatchedSystems
BroadScanning
LOCALMETHODS
NETWORKMETHODS
©2017eSenJre,Inc.
SLIDE6
TARGETEDATTACK
TARGET SENT EMAIL WITH
INFECTED ATTACHMENT
INFILTRATE FAKE LOG IN
CAPTURED CREDS
EXPAND INFECTED EMAIL SENT FROM
COMPROMISED ACCOUNT
BLOCKED ESENTIRE DETECTED
AND REPORTED ATTACK
©2017eSenJre,Inc.
COLD CASE SOC ANALYST
DISCOVERED CNC TRAFFIC
FORENSICS TRACKED HACKER
THROUGH CELLPHONE
EVIDENCE COLLECTED
STOLEN DATA
LAW TURNED OVER EVIDENCE TO LAW ENFORCEMENT CSI
CYBER
DISCOVEREDCRIMERING
CSI
CYBER
OLDDOG,NEWTWIST
CSI
CYBER
NSA/ShadowBrokers
RegulatoryandDueDiligenceCybersecurityFocusQuesYons
ASSETS Do you know what data you have?
REGULATORS Do you know what legislation governs the data you have?
THREAT ACTORS Do you know what cyber threats are targeting your firm?
PROTECTION How are you defending your firm from cyber threats?
RISKS Do you know what access risks exist?
REPORTING Can you demonstrate your cybersecurity claims?
IncidentResponsePlanning:InformaYonSecurityEventScenarios(aka“TheDirtyDozen”)
» MalwareCompromise» RansomwareAZack
» SocialEngineering» BusinessEmailCompromise
» InfrastructureOutage(Internal)» LocalAccessWithoutAuthorizaJon(Non-
Malware)» RemoteAccessWithoutAuthorizaJon» Lost/StolenDevices» InappropriateBehavior(Internal)» CloudServiceAccessWithoutAuthorizaJon» DataLoss/Extrusion(Internal)» DirectFinancialLoss» DenialofService(External)» PhysicalBreach» Third-PartyBreach
©2017eSenJre,Inc.
SLIDE12
©2016eSenJre,Inc.
SLIDE14
Ransomware
©2016eSenJre,Inc.
SLIDE15
RansomwareFailureVectors:Technical,Process/Policy,Training• Thefirm’supstreamemail(SMTP)providerdidnotscanaZachmentsformaliciouscontent.• Thefirm’snext-generaJonfirewalldidnotidenJfytheaZachmentasmalicious(orquesJonable)content.• Thefirm’slocalemailsystem(e.g.MicrosokExchange)didnotscanaZachmentsformaliciouscontent.• TheenduserwasnotsufficientlytrainedtoidenJfyaphishingemail(withmaliciouscontent).• Theuser’sworkstaJon(ormobiledevice)didnotflagthemaliciouscontent(throughanJ-virusorother
endpointprotecJonmethodology).• IfthedeliveryvectorwasamacrohiddenwithinanOfficedocument(themostcommondelivery
method),macroswereenabledwithinOffice(ortheuserwasenJcedtoenablethemmanually).• Theuser’sworkstaJondidnothaverestricJonsplacedontheexecuJonofdownloadedcontent.• Thefirm’snext-generaJonfirewalland/orIntrusionPrevenJonsystemdidnotrecognizeand/orblockthe
command-and-controltraffic(includingkeygeneraJon)ofthemaliciouscode(parJcularlyimportantiftheremoteIPaddresseswerepreviouslyknowntobebad).
• Thefirmdidnotdetect(throughfilesystemanalysis)thataspecificuserwasmodifyingalargenumberoffilesrapidly.
• Dependingonhowmanyfileswereaffectedbytheinfectedendpoint,itisapossibilitythattheenduserhadmoreaccessthantheynecessarilyneededtoexecutetheirjob.
• Duringtherestoreprocess,somenewerfilesmighthavebeennotbackedupduetoagapinbackuprigor.
“THEMOREYOUSWEATINPEACE,THELESSYOUBLEEDINWAR.”-GeneralGeorgeS.Pacon
INCIDENTRESPONSE
PLAN
Legal
LawEnforcement
PRBoard
Regulator
Compliance
IR
SimulaJonRuns
3
2
1
0 0
1
3
2
PENETRATIONTESTING VULNERABILITYSCANNING
ExternalVulnerabilityAnalysis(nocreds)withaZemptstoexploit0
ExternalVulnerabilityAnalysis(nocreds)withaZemptstoexploitPhishing/OSINT/Physical
1
PhishingwithAcJvecontent(notdamaging,butpersistentaccess)
2
“OceansEleven”AcJveexploitaJonDefinedObjecJveWebAppExploits
3
0
1
2
3
ExternalVulnerabilityAnalysis(withcreds)withoutaZemptstoexploit
InternalVulnerabilityAnalysis(withcreds)withoutaZemptstoexploit
WirelessVulnerabilityScanning
WebApplicaJonAnalysis
©2017eSenJre,Inc.
ResourcesAvailable
» IllustraJveQuesJonnaireforDueDiligenceofVendorCyberSecurity(AITEC)
» SEC-OCIE2015CybersecurityExaminaJonIniJaJve(RiskAlert)» eSenJreWriZenInformaJonSecurityPolicy/IncidentResponse
Template» eSenJreSecurityFramework(CommunityEdiJon)» eSenJreComplianceReadinessWorkbook» eSenJreDataFlowSecurityTemplate» eSenJre“DirtyDozen”ScenarioLisJng» eSenJreUpdatedRegulatoryCybersecurityRecommendaJons(v7)» eSenJreRansomwareDefenseRecommendaJons
©2017eSenJre,Inc.
SLIDE20
“Howcanonedecidewhat’sreasonable?”
©2017eSenJre,Inc.
SLIDE21
TheBest(12or13)Top-LevelCybersecurityQuesYons
» The6“TopLevel”QuesJonsfromthebeginningofthispres.» Whoisresponsibleforcybersecuritywithinyourfirm?» Howwelldoyouvetyourvendors(AITEC)?» Whatisyourincidentresponseplan(esp.foraransomwareaZack)?» Whatisyourprotocoltofulfillwiretransferrequests?» Howdoyoueducatethefirm’semployees(esp.seniormanagement)?» DescribeyourvulnerabilityassessmentandpenetraJontest
methodologies.» EU-specificDomicileQuesJon:HowareyoupreparingforGDPR? ©2017eSenJre,Inc.
SLIDE22
CYBERSECURITYMUST-HAVES(e.g.PorlolioFirms)
1 IDENTIFYCOMMONATTACKS1
PATCHSYSTEMSREGULARLY5
ENFORCERIGOROUSPASSWORDPOLICY3MINIMIZEADMINPRIVILEGES4
VALIDATESECURITYSYSTEMSFUNCTIONING6
1 PERFORMREGULARBACKUPS7
VALIDATEPHYSICALSECURITY11
PERFORMVULNERABILITYASSESSMENTS9MONITORNETWORKTRAFFIC10
LOGSYSTEMACCESS8ACCEPTABLEUSEPOLICY(AUP)2
PREPAREFORTHEEVENTUALINCIDENT12
©2017eSenJre,Inc.
SLIDE23
MANAGED DETECTION & RESPONSE Focus on threat detec<on use cases, advanced or targeted a@acks that have bypassed exis<ng perimeter controls
©2016eSenJre,Inc.
SLIDE24
MDRsupportsorganisaJonsseekingtoimprovetheirthreatdetecJonandincidentresponsecapabiliJes:
• OrganisaJonsstruggletodeploy,manageanduseaneffecJvecombinaJonofexperJseandtoolstodetectthreats,especiallytargetedadvancedthreatsandinsiderthreats.
• Agrowingnumberofprovidersareofferingoutcome-basedservicesthatdifferfromtradiJonalmanagedsecurityservices(MSSs)offerings,becausetheyarefocusedondetecJngpreviouslyundetectedthreatsthathavebreachedanorganizaJon'sperimeterandaremovinglaterallythroughtheITenvironment.
• MDRservicesarenotdeliveredbythemajorityofMSSPstoday,butthisischanging.
• MDRservicesaresJllfocusedattheenterpriseandupper-midmarketcustomer,butnewentrantsaretargeJngsmallermidsizeorganisaJons.
24X7 Human Monitoring and
Hunting
Intervention & Response
Detection and Prevention Technology
• Real-time detection and prevention of known attacks
• Signal suspicious network behavior to detect unknown attacks
• Real-time forensics via 24X7 Global SOCs
• Add insights to raw signals • Quickly determine if weird
normal or weird bad
• Contain Threat • Escalate to customer • Remediate
eSenYreManagedDetecYonandResponse™(eMDR)Service
