I Know What You Did Last Summersocal.himsschapter.org/sites/himsschapter/files/ChapterContent/socal/PS18_Stan_Banash.pdfIncident Response • Build a Plan – NIST SP800-61 • Prepare

RansomwareI Know What You Did Last Summer

Stan Banash Jr. CISM, CISSP, C|CISO, CIPP

Chief Information Security Officer (CISO)

Children’s Hospital of Orange County

January 25, 2018

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwi0rs2cw_LYAhUK1mMKHWIjDXYQjRx6BAgAEAY&url=http://www.google.com/url?sa%3Di%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dimages%26cd%3D%26ved%3D%26url%3Dhttp%3A%2F%2Fwww.hasc.org%2Fmember-hospital%2Fchoc-childrens-mission-hospital%26psig%3DAOvVaw2404syeSv1IUvOhI_n1gkU%26ust%3D1516949447827392&psig=AOvVaw2404syeSv1IUvOhI_n1gkU&ust=1516949447827392

Are You Ready?


Threat Landscape

• Hackers• Cyber Crime Syndicates

• Malware Mercenaries

• Insiders• Clinical Staff

• Physicians

• Administrative/Support Staff

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwjV8Jelr_LYAhVMuFMKHTGoCKoQjRx6BAgAEAY&url=http://uk.businessinsider.com/fbi-3-million-reward-russian-hacker-evgeniy-bogachev-record-breaking-2015-2&psig=AOvVaw3eqcfv42ZamMCwTVn-rOAv&ust=1516943899645867

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=&url=https://www.yahoo.com/lifestyle/nurses-unhealthiest-americans-need-help-change-150335598.html&psig=AOvVaw3CN4I1-Xtmp3rlBJY3QER1&ust=1516944199703907

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwi63eOqsPLYAhVD11MKHSkoDX4QjRx6BAgAEAY&url=https://www.deanwhite.com.au/patient-information/new-patients/choosing-your-surgeon/&psig=AOvVaw1fwTFGRAWT53mkjaCzRc3m&ust=1516944294437172

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwi--YjbsPLYAhXO6FMKHSv-DIkQjRx6BAgAEAY&url=https://www.abine.com/blog/2015/senior-execs-and-the-value-of-deleteme/&psig=AOvVaw0JigL-DQY1FR3_IU1ETlMZ&ust=1516944426665903


Attack Vectors

• External• Social Engineering

• Phishing

• Impersonation

• Vulnerable Systems

• Internal• Web Browsing

• Downloads

• External Media

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwiqhfbvsvLYAhVQ2FMKHZ7bDXsQjRx6BAgAEAY&url=http://www.itsecurityguru.org/2016/08/17/best-security-practices-to-prevent-costly-social-engineering-attacks/&psig=AOvVaw2xXU8UlpiszjcjTm-dBoPj&ust=1516944901685824

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwiQ1OeLs_LYAhWGzVMKHbTqBiYQjRx6BAgAEAY&url=https://techviral.net/meet-shodan-scariest-search-engine-internet/&psig=AOvVaw17Do4lj_XA6fUr_qcb1hgK&ust=1516945104143039

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwis_IHStPLYAhXMuFMKHdPgCqYQjRx6BAgAEAY&url=https://www.newegg.com/USB-Flash-Drives/SubCategory/ID-522&psig=AOvVaw25qaIt3_jJ_R6HyRNpLHS6&ust=1516945517666221

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwjX_4ywtPLYAhXJzlMKHclTDMcQjRx6BAgAEAY&url=https://www.tomsguide.com/us/driveby-download,news-18329.html&psig=AOvVaw3Nj6gCSl01yEpdE_L_PVDl&ust=1516945327406257

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwih8t3-tPLYAhVR11MKHZwmCB4QjRx6BAgAEAY&url=http://time.com/money/4029443/fantasy-sports-betting-legal/&psig=AOvVaw2PCcJEJWKz1t34Nce4urfF&ust=1516945606537753


Mitigation: Threat Intel

• Infragard

• US-CERT

• National Health • Information Sharing Analysis Center (NH-ISAC)

• Anti-Malware/ Security Vendors

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=imgres&cd=&cad=rja&uact=8&ved=2ahUKEwji9d60ufLYAhUMwWMKHbhJDOQQjRx6BAgAEAY&url=https://www.cisco.com/&psig=AOvVaw2hp9uIN8N-xmEKbg88_Nr3&ust=1516946819434891

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwi13taQuPLYAhVO12MKHZgXDr8QjRx6BAgAEAY&url=https://www.infragard.org/&psig=AOvVaw2EhycCVZRrCgkP72IIceue&ust=1516946467418400

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwjcj4C-uPLYAhVSz2MKHYiQCN4QjRx6BAgAEAY&url=http://news.softpedia.com/news/US-CERT-Intel-Microsoft-Red-Hat-Oracle-Affected-by-Privilege-Escalation-Flaw-275578.shtml&psig=AOvVaw1Nv6piB8uNpPCRSnqadjaN&ust=1516946538891314

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwjhm93buPLYAhVCKGMKHbE_Dx0QjRx6BAgAEAY&url=https://nhisac.org/&psig=AOvVaw3O6w1KX4uc3zAIU6GJl03N&ust=1516946627092355

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=imgres&cd=&cad=rja&uact=8&ved=2ahUKEwjnm7HyuPLYAhUJ1mMKHTKWDxUQjRx6BAgAEAY&url=https://www.alienvault.com/&psig=AOvVaw23wb2a64Cr6wjvRgb-R6zU&ust=1516946680316466

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=imgres&cd=&cad=rja&uact=8&ved=2ahUKEwiz5_CRufLYAhUV6WMKHU2SCb0QjRx6BAgAEAY&url=https://en.wikipedia.org/wiki/File:Palo-Alto-Networks-2016.svg&psig=AOvVaw1cT5qdRvrxgDTwCZl40BVm&ust=1516946746719970

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=imgres&cd=&cad=rja&uact=8&ved=2ahUKEwibxbugufLYAhUBTmMKHXs1CzoQjRx6BAgAEAY&url=http://logocurio.us/blog/2015/09/10/did-the-symantec-logo-cost-1-28-billion/&psig=AOvVaw2n7gFgVZqbNXiJEBCTNIlN&ust=1516946777185343

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=imgres&cd=&cad=rja&uact=8&ved=2ahUKEwiVqOvDufLYAhUN_mMKHTxQC8MQjRx6BAgAEAY&url=https://www.fireeye.com/&psig=AOvVaw22ePdZqlpD0ITibEE-jhbQ&ust=1516946851408005


Mitigation: Know Your Attack Surface

• Cloud Services

• Data Centers

• Mobile Devices / BYOD

• Vendors

• Internet of Things (IoT) / BioMed

• Users

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwjA5p7Cu_LYAhVC2GMKHbzMAgoQjRx6BAgAEAY&url=https://argus-sec.com/attack-surface/&psig=AOvVaw0zuAOt7GzC6B98PrIhkejQ&ust=1516947004111972


Mitigation: Security Posture

• Understand Normal

• Security Operations Center (SOC)

• Develop a World View

• Career Development / Training

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwjZjsTGvfLYAhUD12MKHRDIDPAQjRx6BAgAEAY&url=https://www.linkedin.com/pulse/security-operations-center-soc-built-shared-branden-rowe&psig=AOvVaw14gNUSpCuPQv-_QZ5lT_OZ&ust=1516947915020317

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwjnz-LFvvLYAhVE4WMKHccLA5AQjRx6BAgAEAY&url=https://peterdewit.wordpress.com/tag/heartbeat/&psig=AOvVaw0DXeMAxxB-Uj8TjY2_NgRG&ust=1516948188150854


http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwiH-dSHxfLYAhVS3mMKHSXTAmEQjRx6BAgAEAY&url=http://countlightning.blogspot.com/&psig=AOvVaw2AifQ6R77cVQHgbIsFauB5&ust=1516949896246114

Mitigation: Vulnerability Management

• Vulnerability Management Program• Routine Scans• Risk Assessment• Segregation

• Patch Management Program• Applicability• Understand Risk• Metrics

• Time to remediate• Remediation Percentage


https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwiu5bPExvLYAhUH8WMKHUP-DXwQjRx6BAgAEAY&url=https://hackercombat.com/remote-vulnerability-unity-game-developers-warned/&psig=AOvVaw0eNdtaxwWx-JwKnmag1AFA&ust=1516950334422344

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwiu5bPExvLYAhUH8WMKHUP-DXwQjRx6BAgAEAY&url=https://hackercombat.com/remote-vulnerability-unity-game-developers-warned/&psig=AOvVaw0eNdtaxwWx-JwKnmag1AFA&ust=1516950334422344

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&ved=2ahUKEwiu5bPExvLYAhUH8WMKHUP-DXwQjRx6BAgAEAY&url=https://hackercombat.com/remote-vulnerability-unity-game-developers-warned/&psig=AOvVaw0eNdtaxwWx-JwKnmag1AFA&ust=1516950334422344

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwjwssaqyPLYAhUM9mMKHb7zAL4QjRx6BAgAEAY&url=https://www.securestate.com/blog/2017/06/08/patch-management-the-not-so-secret-sauce-of-security&psig=AOvVaw2G6N1yfjnL4PTj1GFfnZCS&ust=1516950678623115

Incident Response

• Build a Plan – NIST SP800-61

• Prepare Your Environment

• Train Your Team

• Stage Tabletop Exercises

• Live Fire – Red/Blue, Purple

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwiy--erwfLYAhUU3WMKHRAPB88QjRx6BAgAEAY&url=https://www.pinterest.se/circleg986/the-three-stooges/&psig=AOvVaw1pGG8pgFR3NzIpYRiLnrQy&ust=1516948874505842


Documents

I Know What You Did Last Summersocal.himsschapter.org/sites/himsschapter/files/ChapterContent/socal/PS18_Stan_Banash.pdfIncident Response • Build a Plan – NIST SP800-61 • Prepare