eEconomy / Cyber Sec
Michael Goedeker - CEO
© 2015 · Auxilium Cyber Security GmbH
Our Story… Business Focused Security
o Our goal is to make threat Intel, and systems capable of providing actionable threat Intel that businesses and nations can use.
o Initial start of Threat Research with Windows and Unix (first mainstream viruses) (Firewalls, Logs, SNMP, Syslog, packet capture, IDS, IPS, SIEM & DAM)
o Academic Research into Innovative leadership of Security Teams
o Research into Cyber Espionage / Warfare as a factor in Cyber Crime
o Creation of Cyber Unit Trainings for Gov. and Corporate Customers
o Creation of AIFM – Actionable Intel Focus Methodology
o Creation of PSTM – Proactive Security Team Methodology
o Creation of SITAM – Secure IT Asset Management Methodology
o Creation of ETM – Evolving Threat Methodology
Our approach to Security
o Creating an accurate picture
o Proactive security
o Understanding risks / threats
o Getting Actionable Intel
o Continuous Research / Understanding Threats
o Always evolving and dynamic
o Creating proactive and tested methods
o PSTM
o SITAM
o ODA
o Business Focused Security
o Security as a “business critical” process with benchmarks & goals
o Providing ROI for Security Investments that protect and increase revenue
Diagram (cycle): Assessment → Classify → Audit → Actionable Intel → Analyze → Improve
Time for a Hypothesis
o H1 - Attacks are successful because they have become undetectable by current Anti Virus, Firewalls and other current technology
o H2 - Attacks are successful because they are dynamic & complex (spillover of tech)
o H3 - Attacks are becoming polymorphic in nature (due to them evolving and tech spillover), which makes them detection averse!
o H4 - Security Teams and classical security training are not targeted at, and do not teach, how to detect spyware and next gen threats (our Proactive Security Team Methodology PSTM)
o H5 - Current security processes, procedures and awareness are not adapted to coping with Next Gen Threats!
o H6 - When “new” attacks and technology are published or found, they are reverse engineered
The definition of “Cyber”
Definition of Cyber (What does it really mean???)
o Origin of cyber and what it meant, how that changed
Introduction to “Cyber” Security
“Cyber” really involves a few core things
o The Internet
o The eEconomy (how we use inter-connected systems for eCommerce and eBusiness)
o The Global Electronic World (Cyberspace)
o Traditional Network, Server and Clients that “connect” with each other
o Changes in how systems are attacked (Cyber Threats)
o Changes in Traditional Security due to new “threats” (Cyber Security)
o Changes in Warfare (Cyber War), Espionage (Cyber Espionage) and Crime (Cyber
Crime)
Introduction to “Cyber” Security
Cyber History 101
o The Internet was never meant to be secure!
o A global system used to communicate with others
o The importance was on being able to communicate, even when
the network was attacked because of a nuclear bomb
o Used to connect military, agencies and universities
o Security was originally not impacted by this first version (ARPA)
o Security and confidentiality was never part of the equation
Introduction to “Cyber” Security
o Networks and the protocols of the Internet were not restricted in any real tangible ways because the objective was communication
o TCP / IP
o HTTP
o HTTPS (this came later with SSL)
o No one ever thought that this network would be as critical as it is today
o Interconnected Systems
o Basis for an entirely new type of economy
o This open communication is the root of most of the web application, network service, router and firewall hacks and vulnerabilities today
o Challenging communication connections
o Data-in-transit security
o Requests / Responses
Introduction to “Cyber” Security
o The Internet has formed the basis for eBusiness and eCommerce
o Small companies are now global players because of the reduced investment needed to deliver goods
o Competition is totally different because all nations are part of the economy
o All nations are impacted by the eEconomy
o National Borders
o The Internet has no national identity or border
o 24/7, not closed for any holidays and always on
o Nations cannot control what comes in or out of their “portion” of the Internet
o Legal Issues
o There is no global law for things “Cyber”
o No global police force that monitors who is misbehaving
Why Security is Business Critical..
o Not just about large corporations, SMBs get
attacked more and more
o SMBs spend less on security but also find fewer attacks; is there a connection?
o Security is a critical business process, it protects revenue and products
What is going on today in “Cyber”…
o Increase in attacks and complexity on all
levels and for all businesses including SMBs!
What's going on in the Cyber World
o Here are some attacks in April..
What’s going on in the Cyber World
o “Cyber” really involves a few core things
What’s going on in the Cyber World
The CAPEC Website and CybOX initiative
“Cybernetic” Definitions
o Cyber Espionage – This is the term used to refer to using computers and computer technology such as malware, viruses and more complex spyware for spying. Recently the lines that separate espionage from cyber crime, warfare and terrorism have become very thin, if not diluted
o Cyber has introduced a move from HUMINT to computer based espionage
o Think of the old classical phone taps and transpose this onto network devices, cables and connections
“Cybernetic” Definitions
o Cyber Crime – This is essentially using criminal tactics that use computer systems to steal data and also implant espionage technology in order to bypass security systems and personnel. Cyber crime can involve espionage tech as well as warfare tech (and often does). This is a newer type of “crime” and also has the more traditional crime approaches that use electronic means in an effort to lower the risk of capture and raise the return on investment of the criminal or gang.
o Traditional criminal acts by electronic means (i.e. cracking, card skimmers, interception)
o Leveraging criminal groups for espionage or hacktivism
o Cyber Terrorism
Cyber Threats – Security Evolves
o Open systems lead to new architecture, network services,
new protocols and network devices that were created to enable global communication
o Based on the global nature of internet connected systems and potential attacks, security teams need a new approach to security
o New threats are also classified as “Cyber Threats” and can target anything and anyone 24/7
Cyber Threats
As new technology and access to otherwise closed systems was opened, so do we also have new types of attacks and technologies that are used to attack those systems
o Botnets
o Social Botnets
o Espionage based attacks that steal data and information
o DOS / DDOS
o Drive-by-downloads
o Last Mile Interceptions
o Transmission Bugs / Intercepts
o Critical Infrastructure
o Cyber Kidnapping
o Cyber Extortion
o Hacktivism
How new threats enter the eEconomy
o When “new” attacks and technology are published or found, they are reverse engineered
o New attacks are then “rewritten” for cyber crime based attacks
o Stolen data is also purchased from crackers by nations
o Espionage is also done on a corporate level by nations
o New attacks lead to the need for better defenses and protection
o Security Teams as a result need to be dynamic, up to date, knowledgeable in Cyber Threats
Diagram: Nation Develops Technology → Military Hacker uses attack on target → Target reverse engineers technology → Cyber Criminals modify technology → New Cyber Crime / War attack
The eEconomy and Cyber Threats
o Everything connected to the Internet and its network of systems and businesses is a separate economy
o As discussed in the introduction, cyberspace has no traditional borders and so it spans the entire world
o Any attack on the internet such as a DOS (Denial Of Service) or DDOS (Distributed DOS) can potentially impact all businesses connected to the Internet
o Any Cyber War, Espionage and Crime can also impact this “Economy”
The eEconomy and Cyber Threats
o The Internet is global, has its own economy and in some cases its own currency (aka BitCoin, etc.)
o If someone attacks the Internet, they also attack this separate economy
o Does an attack on the Internet endanger local economies?
o Does Espionage make this economy more or less trusted and used?
o Who is responsible for governing the Internet and its economy?
Threats and Critical Infrastructure
o A term that only recently has come up in the cyber world
o Started in its more modern form in 1998 with the US Presidential directive PDD-63 of May 1998
o Listed vital and important assets that were critical to the country
o Was updated by President Bush on December 17th, 2003 by Homeland Security Presidential Directive HSPD-7 for “Critical Infrastructure Identification, Prioritization and Protection”
Critical Infrastructure Protection
Protecting Critical Infrastructure (audits, assessments, defense & threat / infection detection)
o National Borders
o Utilities
o Financial Industry and “Economy Critical”
o Global and National Corporations
o National and Local Government, Law enforcement, Agencies
o Military and Defense Industry
o Educational, Cultural, Parks, Museums
o Telecommunications, Transport and Agriculture
Threats and Critical Infrastructure
o Some of the “assets” deemed important to a nation’s stability and well-being are listed on the right
o The EU also has something similar called EUCOM 2006
o Another term is “Infracritical” and can be referenced at: http://www.infracritical.com/images/cip-sectors5.jpg
o http://www.sciencedirect.com/science/article/pii/S1040619014000268
Water
Power
Banking & Financial Institutions
Transportation, Logistics & Shipping
Information & Communications
Federal & Municipal services
Emergency Services
Fire Departments
Public Works
Agriculture & Food
National Monuments & Icons
Attack Chain for Critical Infrastructure
Cyber Defense
o Understanding in writing Malware, Virus, Worms and Rootkits
o Understanding of OS and Application Vulnerabilities
o Understanding of defensive technologies
o Interception methods (network, communications systems)
o Usage of OSINT against targets
o Understanding and reverse engineering previous attack technologies to understand how to defend
o Usage of executive buy-in
o Using Awareness and Awareness Campaigns
o Integration of ITIL Processes like Asset Management, Change Management, Incident Management, Problem Management, etc.
o Integration of ISO 2700x
o Looking at and integrating SANS
Cyber Defense and Hacking
o Hackers are not Crackers (Criminal Hackers)
o Hackers understand technology, improve on it
o Find holes so that people are aware, ask for fixes
o Crackers are the criminals
o Crackers use vulnerabilities to exploit and break into systems
o Disrupt systems for financial gain or Lulz
o Hacktivists
o Like Crackers but have political motivations
o Can in extreme cases turn into Cyber Terrorists
Cyber Defense and Hacking
o Hacking is a science
o The reason or motivation tends to point to a narrow set of profiles
o Intel and Recon are vital to hacking
Cyber Defense and Hacking
o The reason for a hack defines the hacker profile
o Also points to possible goal
o Cyber Warfare
o Cyber Espionage / Corp Espionage
o Cyber Crime
o Cyber Terrorism
Cyber Defense and Hacking
o Intel
o Gathering information about the target and scoping out how the company is set up are vital to successful hacking
o Good hackers will spend a majority of their time here (80%+)
Cyber Defense and Hacking
o After getting intel and noting down any interesting pieces of information, we move on to the next phase, which is identifying and looking for potential systems and vulnerabilities
o This includes using tools like Google dorks, Shodan and other tools that search but do not leave an imprint or trail on the target
Cyber Defense and Hacking
o After identifying potential target systems it is now time to look at specific exploits and prepare them for testing
o We take the information from previous phases to select low-hanging fruit and then match these with zero-day attacks or CVEs
Cyber Defense and Hacking
o After accessing a system it is then time to look around in the system for more important data and information, or to plant malware or rootkits
o While injecting or installing tools, it also becomes important to keep access by deleting important logs, alerts, etc.
o This phase is also where additional users are added to maintain access if activity is detected
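The two post-access moves on this slide, adding accounts to keep a foothold and clearing logs to hide, are exactly what a defender can correlate. The following is an added example, not code from the original deck or from Auxilium: it reads a small constructed sample of Windows Security events (the event IDs 4720, 4732 and 1102 are the real Windows IDs for account creation, local group membership change and audit-log clearing; the pipe-delimited export format and the host, user and timestamp values are assumptions made for the demo) and raises one alert per host where a log clear follows persistence activity inside a time window.

```python
"""
Added example (not from the original deck): correlate the post-exploitation
steps described above -- extra accounts created to keep access, then the
audit log cleared to hide it -- per host inside a time window.
Event IDs are real Windows Security IDs (4720 = user account created,
4732 = member added to a security-enabled local group, 1102 = audit log
cleared). The log lines are constructed sample data in an assumed
"timestamp|host|event_id|user|detail" export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed pipe-delimited export format).
SAMPLE_LOG = """\
2015-04-21T02:10:05|WEB01|4624|svc_web|Logon type 3
2015-04-21T02:12:40|WEB01|4720|backup_adm|New account created by svc_web
2015-04-21T02:13:02|WEB01|4732|backup_adm|Added to Administrators by svc_web
2015-04-21T02:20:17|WEB01|1102|svc_web|The audit log was cleared
2015-04-21T08:00:00|FILE02|4720|jdoe|New account created by helpdesk
2015-04-21T09:30:00|FILE02|4624|jdoe|Logon type 2
"""

PERSISTENCE_EVENTS = {4720: "account created", 4732: "added to local admin group"}
ANTI_FORENSICS_EVENTS = {1102: "audit log cleared"}
WINDOW = timedelta(hours=1)


def parse_events(text):
    """Parse the constructed pipe-delimited log into dicts, oldest first.
    Malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, host, event_id, user, detail = parts
        try:
            events.append({"time": datetime.fromisoformat(ts), "host": host,
                           "event_id": int(event_id), "user": user, "detail": detail})
        except ValueError:
            continue
    return sorted(events, key=lambda e: e["time"])


def correlate(events, window=WINDOW):
    """Return alerts for hosts where an audit-log clear follows persistence
    activity within `window`. Each alert carries its supporting events in order."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, host_events in by_host.items():
        persistence = [e for e in host_events if e["event_id"] in PERSISTENCE_EVENTS]
        clears = [e for e in host_events if e["event_id"] in ANTI_FORENSICS_EVENTS]
        for clear in clears:
            related = [p for p in persistence
                       if timedelta(0) <= clear["time"] - p["time"] <= window]
            if related:
                alerts.append({
                    "host": host,
                    "severity": "high",
                    "reason": "audit log cleared after new account/admin membership",
                    "events": related + [clear],
                })
    return alerts


def summarize(alert):
    """One-line, human readable alert text for a SOC queue."""
    ids = ",".join(str(e["event_id"]) for e in alert["events"])
    return f"{alert['severity'].upper()} {alert['host']}: {alert['reason']} (events {ids})"


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOG)):
        print(summarize(alert))
```

The point of requiring both halves is precision: a lone 4720 on FILE02 is a helpdesk creating an account and produces nothing, while WEB01, where a new admin is created and the log is wiped eight minutes later, produces one high-severity alert that a SOC can act on.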
Cyber Defense and Hacking
o Here we are close to the goal or have achieved the goal
o Data and information are saved and stored off-site
o Depending on the goal the website was defaced, the server was corrupted, a rootkit installed or systems disrupted
Cyber Threats – Botnets
One of the biggest threats today in cyberspace is the Botnet
o Botnets are used in cyber war, espionage and crime
o Botnets can have very complex structures
o Are typically used for DOS/DDOS attacks and can have attack bandwidths over 100 Gbps!
o Are created very quickly and are very economical
Diagram: BotNet Owner, Cybil Creator, Command & Control Server, Social Media Monitor, Target 1, Target 2, Target …
Cyber Threats – Botnets (Normal)
There are different types of Botnets, we will talk about two
o “Traditional” or normal
o Social Media BotNet
Cyber Threats – Botnets (Social Media)
Cyber Threats - Botnet Attack Case Study
Here is an example of a Botnet attack case that we see and resolve on a regular basis
o Attack Case $Random Company
How Cyber Threats have emerged
o Initially we dealt with “typical” threats
o Malware, Virus, Worms
o Less from Nations
o More from Groups
o Increase in Hacktivism
o Emergence of Espionage as a way to steal corporate data
o Emergence of the “Military Hacker”
Threat Evolution Methodology
How Threats evolve via Espionage
& Warfare into Cyber Crime
o Cyber Warfare Technology develops
o Cyber Espionage develops
o Developed technology finds its way
into Cyber Crime groups
o Technology is reverse engineered
Threat Evolution Methodology
New Threats evolve from old
o Old Attacks are developed and tested
o Old technology improved
o New Types of attacks are developed
o New variants turn into completely new threats
o Traditional Security got “stuck”
Threat Evolution Methodology
How Threats evolve via Espionage & Warfare into Cyber Crime
o Cyber Warfare Technology develops
Cyber Defense / Anti Espionage
Defense
o Creation, Training, Implementation
o Support, Audits, Assessments
o Cyber Defense Systems
Offense
o Creation, Training, Implementation
o Support, Audits, Assessments
o Cyber Offense Systems
Products/Services
o Interception Detection / Blocking
o Secure Infrastructure
Cyber Defense / Anti Espionage
Impact factors of Cyber Defense
o Creation, Training, Implementation
o Support, Audits, Assessments
o Cyber Defense Systems
Cyber Defense / Anti Espionage
Social Engineering
o Drive-By-Downloads
o Phishing / Emails
o PDF or Email Attachments
o Dumpster Diving
o Tailgating
Intel
o Traditional
o Social Media
o Maltego
o Web Leaks
Cyber Defense / Anti Espionage
Web Applications / Web 2.0, 3.0
o MitM
o SQLi (Sql injection)
o XSS – Cross Site Scripting
o Authentication (Verification)
o Weak Passwords (Cracking)
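Two of the items on this slide, SQL injection and XSS, come down to untrusted input crossing into a parser without being treated as data. The following is an added example and not code from the original deck or from Auxilium: a login and a greeting handler written the vulnerable way beside the hardened way, on an in-memory SQLite database. The users table, the "alice" account, its password and the attacker payloads are constructed for the demo; the password storage (salted PBKDF2-HMAC-SHA256, compared in constant time) is included because the slide's "weak passwords (cracking)" item is the other half of the same login path.

```python
"""
Added example (not from the original deck): SQL injection and reflected XSS
shown as a vulnerable handler beside its hardened form. Everything here
(table, account, payloads) is constructed for the demo.
"""
import hashlib
import hmac
import html
import os
import sqlite3


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; a slow hash so that a stolen table
    cannot be cracked at raw hash speed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    """In-memory users table with one constructed account ("alice")."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, hash_password("correct horse", salt)))
    conn.commit()
    return conn


def login_vulnerable(conn, name):
    """String-built query: the user name is pasted into the SQL text, so the
    classic  ' OR '1'='1  payload turns the WHERE clause into a tautology.
    The password check is deliberately left out to keep the injection visible."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    row = conn.execute(query).fetchone()
    return row is not None


def login_hardened(conn, name, password):
    """Parameterised query plus constant-time hash comparison: the input is
    bound as data, so quotes inside it cannot change the statement."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def render_greeting_vulnerable(name):
    """Reflected XSS: untrusted input written into the HTML response unchanged."""
    return f"<p>Welcome, {name}!</p>"


def render_greeting_hardened(name):
    """Output encoding for the HTML text context; the script tag survives only
    as harmless &lt;script&gt; text."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable login with injection:", login_vulnerable(db, payload))
    print("hardened login with injection  :", login_hardened(db, payload, "x"))
    print("hardened login, right password :", login_hardened(db, "alice", "correct horse"))
    print(render_greeting_vulnerable("<script>alert(1)</script>"))
    print(render_greeting_hardened("<script>alert(1)</script>"))
```

The hardened login is not just "escape the quote": binding parameters keeps the query structure fixed no matter what the input contains, and the same idea (encode for the output context) is what closes the XSS case.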
Cyber Defense / Anti Espionage
Hardware Hacking
o Baseband – Telephones
o Only 2 manufacturers
o Supply-Chain-Hacking/Espionage
o Firmware
o Out-of-Band Management
o AMT / Intel
o Out of band protocol used to spy on people via chipset
o Signals Hacking
o Signals Interception
o GSM, 3G and 4G
o Sat
Cyber Defense / Anti Espionage
Next Generation Hacking
o Combining old tech with new features
o Using Hostile Encryption (Ransom)
o Solutions that proactively intercept traffic and signals (Heat, Wifi, Sound)
o Application Backdoors
o Cloud Backdoors (AWS & Co.)
o Critical Infrastructure
o Cyber War / Espionage
SOC – Security Operations Center
Core ITIL Processes
o Incident & Problem Management (*)
o Change Management (*)
o Risk Management (*)
o Service Desk, Service Level Management (*)
o IT Asset, Configuration Mgmt. / CMDB (*)
o Application, Test and Development Mgmt.
o IT / Strategic Planning (*)
o Release, Deployment, Capacity & Availability Mgmt.
o Demand & Service Continuity Mgmt.
o Vendor / Supplier / Partner Management
o (*) = Minimal Requirements
SOC – Security Operations Center
Basic Level (logs, files, Agents, Monitoring)
o LAN / WAN / VPN / Proxy
o Firewall / IDS / IPS
o AV (Client, Server and Mobile Devices)
o Database Monitoring / Access & ID Management
o Service Desk
Advanced Level
o Software Catalogue, CMDB
o NAC
o SIEM
o Threat Intel (sensors & system)
o Proactive Security Tools and Lab
SOC – Security Operations Center
Personnel
o Manager
o SIEM / Monitoring Engineer
o Analyst
o Incident Response / Blue / Red(?) Teams
Technology
o Software
o Hardware
o Facilities / Data Center
Services
o Event Monitoring, Correlation, Incident Response/Management
o Consulting, Training
o Penetration Testing, Audits, Assessments
SOC – Security Operations Center
In-house
o Own staff & technology (larger companies)
o Higher Costs
o All Skills in house
Outsourced
o Outsourced staff & systems (SMBs)
o Skills purchased externally
o Lower Costs (depending on levels)
Hybrid
o Mixture of in-house and external staff & technologies
o Services via long term contracts possible
o Mixed costs (in some cases cheapest option)
SOC – Security Operations Center
SOC Reasons: Laws, Regulations
o Based on National & International Laws
o High fines for non compliance or breaches
Protecting Revenue
o High Risk of attacks
o High Risk of lost revenue due to downtime, IP
theft or disruption
Critical Infrastructure / National Defense
o National Security
o Economic or Cultural Collapse
o Cyber War and Espionage Defense
SOC – Security Operations Center
Business Case
o Assessment on what is in place for SOC
o Business Case for SOC
Classify Security Service Catalogue needed
o Catalogue of security services needed
Audit
o Build Management / Ops pieces to support SOC
Actionable Intel
o Build Technology in place for Event Mgmt. etc.
Analyze
o Start Operations and gather metrics
Improve
o Tweak Operations and Tech to achieve goals
Proactive Threat Intelligence
Interpreting and unifying threat Intel that’s usable
o Firewall, SIEM, IDS/IPS from multiple InfoSec Event & Info Systems into actionable Intel
o Planning, Configuring, Implementing and Tweaking
o Threat Research into Cyber Espionage, War and Crime
o Turning systems into proactive threat and cyber threat management systems (also using PSTM and SITAM)
o Providing NOC, SOC and Detailed Security Analysis via a team of globally experienced Forensics and InfoSec professionals
o Additional Threat Intel via Partners and Social Media Analysis
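"Unifying" intel from several event sources means normalising differently shaped logs into one event model and joining them against indicators, with enough context and priority attached that an analyst can act. The following is an added example and not code from the original deck or from Auxilium: it takes a constructed IOC feed (IPs, a CIDR range and a domain, all documentation/example addresses) plus a constructed firewall CSV export and a constructed proxy log in assumed formats, normalises both, matches destinations against the feed, and emits hits ordered by confidence with a suggested action. The field names, confidence thresholds and actions are assumptions made for the demo.

```python
"""
Added example (not from the original deck): turn a raw threat feed and raw
perimeter logs into actionable, prioritised hits. Feed entries, hosts and
log lines are constructed sample data in assumed formats.
"""
import csv
import io
import ipaddress
import re

# Constructed IOC feed: (indicator, type, confidence 0-100, label).
THREAT_FEED = [
    ("198.51.100.23", "ipv4", 90, "botnet C2 (sample)"),
    ("203.0.113.0/24", "cidr", 60, "bulletproof hosting range (sample)"),
    ("evil-updates.example", "domain", 85, "drive-by download host (sample)"),
]

# Constructed firewall export (assumed CSV columns: time,src,dst,dport,action).
FIREWALL_CSV = """time,src,dst,dport,action
2015-04-21T10:01:00,10.0.0.15,198.51.100.23,443,allow
2015-04-21T10:02:30,10.0.0.16,93.184.216.34,80,allow
2015-04-21T10:05:12,10.0.0.15,203.0.113.77,8080,deny
"""

# Constructed proxy log (assumed line format: time client url).
PROXY_LOG = """\
2015-04-21T10:03:00 10.0.0.20 http://evil-updates.example/flash_update.exe
2015-04-21T10:04:00 10.0.0.21 http://cdn.example.org/jquery.js
"""


def normalise_firewall(text):
    """Firewall CSV -> common event dicts (time, src, dst, source, detail)."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({"time": row["time"], "src": row["src"], "dst": row["dst"],
                       "source": "firewall", "detail": f"{row['action']} :{row['dport']}"})
    return events


PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+)://([^/\s]+)(\S*)$")


def normalise_proxy(text):
    """Proxy lines -> common event dicts, using the URL host as destination."""
    events = []
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip, never crash the pipeline
        time, src, scheme, host, path = m.groups()
        events.append({"time": time, "src": src, "dst": host,
                       "source": "proxy", "detail": f"{scheme}://{host}{path}"})
    return events


def build_matcher(feed):
    """Index the feed once: exact IP/domain lookups plus CIDR containment."""
    exact, networks = {}, []
    for indicator, kind, confidence, label in feed:
        if kind == "cidr":
            networks.append((ipaddress.ip_network(indicator), confidence, label))
        else:
            exact[indicator.lower()] = (confidence, label)

    def match(dst):
        hit = exact.get(dst.lower())
        if hit:
            return hit
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            return None  # a hostname with no exact match
        for net, confidence, label in networks:
            if addr in net:
                return (confidence, label)
        return None
    return match


def actionable_hits(events, feed, min_confidence=50):
    """Join events to IOCs; return hits sorted by confidence, highest first.
    A denied connection is still a hit: the client tried to reach the IOC."""
    match = build_matcher(feed)
    hits = []
    for e in events:
        found = match(e["dst"])
        if found and found[0] >= min_confidence:
            confidence, label = found
            action = "isolate host and collect forensics" if confidence >= 80 else "investigate"
            hits.append({**e, "confidence": confidence, "ioc": label, "action": action})
    return sorted(hits, key=lambda h: h["confidence"], reverse=True)


if __name__ == "__main__":
    all_events = normalise_firewall(FIREWALL_CSV) + normalise_proxy(PROXY_LOG)
    for h in actionable_hits(all_events, THREAT_FEED):
        print(f"[{h['confidence']}] {h['src']} -> {h['dst']} ({h['source']}, {h['detail']}): "
              f"{h['ioc']} => {h['action']}")
```

Two design points carry over to a real SIEM: the feed is indexed once rather than scanned per event, and a blocked firewall connection to a C2 address is reported rather than discarded, because the interesting fact is the internal host that attempted it.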
Diagram (SOC 2.5 / Proactive Intel Dashboard): Penetration Test, Audit, Assessment; Vulnerability Status / Report; SIEM Dashboard; Proactive Monitoring; Alert & Event Reporting; Incident / Problem Management; Threat Feeds; Change / Risk Management; Event Correlation; API, Agents, Logs, Other; Environment; Threats; OSINT; Proactive Intel (security posture & status) Dashboard
Governance & Actionable Intel
Diagram: Regulations, standards & Best Practice; Proactive & Actionable Intel (Dash); Governance; ITSM; ITAM; Risk, Kill Chain Relevance; Apps, Data & Info, IP; FW, Net, IDS, IPS, LM, SIEM, TI; Hardware, Firmware, Baseband; Threats; Environment
Attack Case Studies
The Big Picture
Threatbutt
o Attacks going on in real Time
The Big Picture
Norse
o Attacks going on in real Time