
Script The · 2018. 4. 4. · Infosecurity Europe 2017 Infosecurity Europe, Olympia, London 6-8 June 2017 is the region’s number one information security event featuring Europe’s


The Script Bulletin, APRIL 2017

UPDATES:

BSides Edinburgh 2017

CREST would like to congratulate and thank BSides Edinburgh for a successful debut event. BSides provided a fantastic opportunity to reach out to students, young professionals and the key influencers in their careers, something not always achievable at larger industry events.

A big thank you to Paul Midian and Ian Glover who helped man the CREST stand.

We are looking forward to future BSides events!

CREST at CyberUK

CREST attended CyberUK in Liverpool, which took place from 14-16 March at the Arena & Conference Centre. It was a very busy and successful event, with lots of interest in CREST and in particular our exams. Thanks to Adriana Costa-McFadden and Sharon Earl from CREST and Debbie Jones of PRPR for running the CREST stand.

CRESTCon & IISP Congress 2017 is tomorrow

Agendas online at: www.crestcon.co.uk/delegates

Thank you to our sponsors:


CREST in the USA

The inaugural meeting of the USA CREST Chapter took place in April. There was great progress and plenty of enthusiasm for CREST and the whole industry.

Back row from left to right: Kevin Dunn, NCC; Chris Thompson, IBM; Justin Ryan, EY; Zak Maples, MWR; Shawn Gustavel, BT; Ian Glover, CREST; Andrew Whitaker, Rapid7; Darren Manners, Sycomtech

Front row from left to right: Lee Buttke, NetSPI; Chris Oakley, Nettitude; Chris Nickerson, Lares; Rowland Johnson, CREST; Tom Brennan, McAfee

Cybercrime Evolution and Cyber Risk Management Event at the British Embassy in Athens

On 7th March, Ian Glover, President of CREST, was invited to take part in a panel discussion at a Cyber Security event in Athens, hosted by the British Ambassador Kate Smith and the CEO of OBRELA Security Industries Ltd, Mr George Patsis.

New Penetration Testing Maturity Assessment Tools – available now

The effectiveness of a penetration testing programme should be regularly evaluated against approved and consistent criteria to determine if objectives have been met and ensure value for money.

CREST has developed a suite of maturity assessment tools to help assess the status of a penetration testing programme on the industry standard scale of 1 (least effective) to 5 (most effective). The suite consists of three spreadsheet-based maturity assessment tools enabling an assessment to be made at a summary, intermediate or detailed level. The consolidated tool (which is macro-driven) will enable a selection of approaches to be adopted using just one tool.

A detailed overview of the maturity assessment tools can be downloaded here: <guide>

The tool can be downloaded here: <tools>

BlackHat Asia 2017

Thank you to CREST member High-Tech Bridge for promoting CREST, along with our research reports, at BlackHat Asia, 30-31 March 2017 in Singapore.

New members in 2017

Welcome to CREST to:

• LE Global Services Sdn Bhd (LGMS) – CREST Asia
• SureCloud – CREST USA
• High-Tech Bridge – CREST EMEA
• PulseSecure – CREST Asia
• NetSPI – CREST USA

Event Diary

CREST Events:

CRESTCon & IISP Congress 2017

19 April, 09.00-20.00, Royal College of Surgeons, 35-43 Lincoln’s Inn Fields, London, WC2A 3PE

CRESTCon & IISP Congress is a unique event that brings together leading technical and business information security professionals. The event has become a key date in the industry calendar, attracting an impressive line-up of speakers and over 400 senior delegates.

CREST AGM (members only)

10 May 2017, 14:00 - 19:00, Royal College of Surgeons, 35-43 Lincoln’s Inn Fields, London, WC2A 3PE

SOC project validation workshop

24th May 2017, NCC, Kings Court, Kingston Road, Leatherhead, KT22 7SL

The aim of this workshop is to validate the key findings identified during the research and analysis phases to help shape the final set of project deliverables.

Project background: CREST is running a project that is looking at the development of an accreditation scheme for the certification of Security Operations Centre (SOC) functions and professional specialists. The main objective is to establish the processes, procedures and supporting documentation required to operate an effective SOC accreditation scheme. Many of the accreditation scheme documents will be released for use in the public domain to help promote the understanding of SOCs and the need for an authoritative, independent scheme.

This project will build on CREST’s extensive experience in developing accreditation schemes. Input will also be used from the recently completed Cyber Security Monitoring and Logging project; the existing CREST Intrusion Analyst qualification; guidance recently issued by the National Cyber Security Centre in the UK; other international initiatives identified as part of the research; and CREST regional interest in the project. The scheme will produce new and updated material that can be used to support regulators, government bodies, procurement specialists and buyers of SOC services. In particular it will help the buying community to differentiate the services provided.

Diversity event

TBA, June, BCS, 5 Southampton St, London WC2E 7HA

Research update event

June – we are looking for a venue to hold this event

This event will include the official launch of the new pen testing guide and the ISC report. It will also report on current and future CREST research and invite input.


CREST Workshops:

Workshops on VA and Bug Bounty are also planned for 2017. Dates and venues TBA

Social Engineering

Date to be advised, Cyberis offices, Tewkesbury, Gloucestershire.

Webinars:

CREST has a BrightTalk channel for hosting webinars and other videos and we will be stepping up our programme of webinars in 2017 after a successful 2016. See https://www.brighttalk.com/channel/13519/crest. BrightTalk’s summit calendar for 2017 is listed below and we are looking for CREST members to take part.

May 16–18: SECURING FINTECH
• May 16: Trends in fintech security
• May 17: Authentication, encryption & data protection
• May 18: Ransomware/malware & Business Continuity and Disaster Recovery

June 14–16: SECURING THE INTERNET OF EVERYTHING (IOT MONTH)
• Jun 14: IoT & DDoS: threats, detection & response
• Jun 15: Hacking the smart city
• Jun 16: Hacking the connected car

October 17–19: THE FUTURE OF CLOUD SECURITY (CLOUD MONTH)
• Oct 17: Protecting against the evolving threatscape
• Oct 18: Next generation cloud security
• Oct 19: Cloud backup & BCDR

November 14–16: THE 2018 THREATSCAPE
• Nov 14: 2017’s biggest breaches and why
• Nov 15: Emerging threats & technologies
• Nov 16: 2018 Threats on the horizon

If you are interested in presenting a technical webinar or would like us to host your content, then please submit your ideas for consideration to [email protected]. We will promote, run and record on the CREST channel.


Industry Events:

IP EXPO

IP EXPO is one of Europe’s leading IT events for those looking to find out how the latest IT innovations can drive their business forward. The IP EXPO event series showcases brand new exclusive content and senior level insights from across the industry, as well as unveiling the latest developments in IT. IP EXPO events are aimed at CIOs, heads of IT, security specialists, heads of insight and tech experts.

IP Expo Manchester 26/27 April 2017, Manchester Central

CREST at IP EXPO Manchester: www.ipexpomanchester.com/Exhibitors/CREST/?utm_source=IP17MANCRE

Register for IP EXPO Manchester: www.ipexpomanchester.com/Register/?utm_source=IP17MANCRE

IP EXPO Manchester homepage: www.ipexpomanchester.com/?utm_source=IP17MANCRE

IP Expo Nordic 20/21 September 2017, Stockholmsmassan, Stockholm

IP Expo Europe 4/5 October 2017, ExCel, London

CREST is supporting, exhibiting and presenting at the London and Manchester events. If you are interested in helping on the stand or presenting a demo in the CREST cyber hack area please contact [email protected]

Infosecurity Europe 2017

Infosecurity Europe, Olympia, London 6-8 June 2017 is the region’s number one information security event featuring Europe’s largest and most comprehensive conference programme and over 360 exhibitors showcasing the most relevant information security solutions and products to 13,500 visitors.

CREST is supporting and exhibiting at the event. If you are interested in helping at this event please contact [email protected]

Cyber Security Chicago

Cyber Security Chicago, 18-19 October 2017, will take place at the award-winning McCormick Place. It combines world class solutions on the exhibition floor with a strategic C-Suite level keynote conference, and is brought to you by the same organisers as IP EXPO.

CREST is supporting, exhibiting and presenting at the event. If you are interested in helping at this event please contact [email protected]


Operation Cloud Hopper: Exposing a systematic hacking operation with an unprecedented web of global victims.

Authors:

James Campbell, lead of PwC’s incident response services within its Cyber Security practice

Jason Smart, manager in PwC’s Cyber Threat Detection & Response team

Since late 2016, PwC UK and BAE Systems have been assisting victims of a new cyber espionage campaign conducted by a China-based threat actor. We assess this threat actor to almost certainly be the same as the threat actor widely known within the security community as ‘APT10’. The campaign, which we refer to as Operation Cloud Hopper, has targeted managed IT service providers (MSPs), allowing APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally. A number of Japanese organisations have also been directly targeted in a separate, simultaneous campaign by the same actor.

“The future of cyber defence lies beyond simple intelligence sharing, but in forging true collaboration between organisations in the public and private sector with the deep technical and innovative skills required to combat this type of threat. This operation has demonstrated the importance of the recently established National Cyber Security Centre, set up for moments just like this. Operating alone, none of us would have joined the dots to uncover this new campaign of indirect attacks. Together we’ve been working to brief the global security community, managed service providers and known end victims to help prevent, detect and respond to these attacks.

“New forms of attack require new ways of working to defend our society. Close working collaboration is key.”

Richard Horne, Cyber Security Partner, PwC


Article from our CRESTCon gold sponsor PwC


We have identified a number of key findings that are detailed below.

APT10 has recently unleashed a sustained campaign against MSPs. The compromise of MSP networks has provided broad and unprecedented access to MSP customer networks.

• Multiple MSPs were almost certainly being targeted from 2016 onwards, and it is likely that APT10 had already begun to do so from as early as 2014.

• MSP infrastructure has been used as part of a complex web of exfiltration routes spanning multiple victim networks.

APT10 has significantly increased its scale and capability since early 2016, including the addition of new custom tools.

• APT10 ceased its use of the Poison Ivy malware family after a 2013 FireEye report, which comprehensively detailed the malware’s functionality and features, and its use by several China-based threat actors, including APT10.

• APT10 primarily used PlugX malware from 2014 to 2016, progressively improving and deploying newer versions, while simultaneously standardising their command and control function.

• We have observed a shift towards the use of bespoke malware as well as open-source tools, which have been customised to improve their functionality. This is highly likely to be indicative of an increase in sophistication.

Infrastructure observed in APT10’s most recent campaigns links to previous activities undertaken by the threat actor.

• The command and control infrastructure used for Operation Cloud Hopper is predominantly dynamic-DNS domains, which are highly interconnected and link to the threat actor’s previous operations. The number of dynamic-DNS domains in use by the threat actor has significantly increased since 2016, representative of an increase in operational tempo.

• Some top level domains used in the direct targeting of Japanese entities share common IP address space with the network of dynamic-DNS domains that we associate with Operation Cloud Hopper.

APT10 focuses on espionage activity, targeting intellectual property and other sensitive data.

• APT10 is known to have exfiltrated a high volume of data from multiple victims, exploiting compromised MSP networks, and those of their customers, to stealthily move this data around the world.


• The targeted nature of the exfiltration we have observed, along with the volume of the data, is reminiscent of the previous era of APT campaigns pre-2013.

PwC UK and BAE Systems assess APT10 as highly likely to be a China-based threat actor.

• It is a widely held view within the cyber security community that APT10 is a China-based threat actor.

• Our analysis of the compile times of malware binaries, the registration times of domains attributed to APT10, and the majority of its intrusion activity indicates a pattern of work in line with China Standard Time (UTC+8).

• The threat actor’s targeting of diplomatic and political organisations in response to geopolitical tensions, as well as the targeting of specific commercial enterprises, is closely aligned with strategic Chinese interests.
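The working-hours comparison described in the bullets above can be reproduced on any set of UTC timestamps. The following is an added example, not code from PwC UK or BAE Systems: the sample timestamps are constructed, and the 09:00-18:00 Monday-to-Friday working day and whole-hour offsets are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample (not real data): UTC timestamps standing in for
# malware compile times, domain registrations and intrusion events.
SAMPLE_UTC = [
    "2016-03-07T01:05:00", "2016-03-08T02:30:00", "2016-03-09T03:45:00",
    "2016-03-10T05:10:00", "2016-03-11T06:20:00", "2016-03-14T07:40:00",
    "2016-03-15T08:15:00", "2016-03-16T09:50:00", "2016-03-17T01:30:00",
    "2016-03-18T09:10:00",
    "2016-03-19T14:00:00",  # outlier: a Saturday evening event
]

WORK_START, WORK_END = 9, 18  # assumed working day, local time


def parse_utc(values):
    """Parse ISO-8601 strings as timezone-aware UTC datetimes."""
    return [datetime.fromisoformat(v).replace(tzinfo=timezone.utc) for v in values]


def in_working_hours(ts, offset_hours):
    """True if ts, shifted to the candidate offset, is Mon-Fri within the working day."""
    local = ts + timedelta(hours=offset_hours)
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def score_offsets(timestamps):
    """Count, for each whole-hour offset UTC-12..UTC+14, the events inside working hours."""
    return {off: sum(in_working_hours(t, off) for t in timestamps)
            for off in range(-12, 15)}


def best_offsets(timestamps):
    """Return (offsets with the top score, fraction of events they explain)."""
    if not timestamps:
        raise ValueError("no timestamps to analyse")
    scores = score_offsets(timestamps)
    top = max(scores.values())
    winners = [off for off, s in scores.items() if s == top]
    return winners, top / len(timestamps)


def local_hour_histogram(timestamps, offset_hours):
    """Events per local hour of day at the given offset, for eyeballing the pattern."""
    return Counter((t + timedelta(hours=offset_hours)).hour for t in timestamps)


if __name__ == "__main__":
    events = parse_utc(SAMPLE_UTC)
    winners, fraction = best_offsets(events)
    print("best-fitting offsets:", winners, "explaining", round(fraction, 2))
    for hour, n in sorted(local_hour_histogram(events, winners[0]).items()):
        print(f"{hour:02d}:00 {'#' * n}")
```

Compile timestamps in a binary can be altered, so a result like this is one corroborating signal to weigh alongside the other evidence listed, and several offsets tying for the top score means the sample is too small or too narrow to discriminate.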


Abbey House | 18-24 Stoke Road | Slough | Berkshire | SL2 5AG

CREST is a not for profit company registered in the UK with company number 06024007.


APT10 is a constantly evolving, highly persistent China-based threat actor that has an ambitious and unprecedented collection programme against a broad spectrum of sectors, enabled by its strategic targeting.

Since exposure of its operations in 2013, APT10 has made a number of significant changes intended to thwart detection of its campaigns. PwC UK and BAE Systems, working closely with industry and government, have uncovered a new, unparalleled campaign which we refer to as Operation Cloud Hopper. This operation has targeted managed IT service providers, the compromise of which provides APT10 with potential access to thousands of further victims. An additional campaign has also been observed targeting Japanese entities.

APT10’s malware toolbox shows a clear evolution from malware commonly associated with China-based threat actors towards bespoke in-house malware that has been used in more recent campaigns; this is indicative of APT10’s increasing sophistication, which is highly likely to continue. The threat actor’s known working hours align to Chinese Standard Time (CST) and its targeting corresponds to that of other known China-based threat actors, which supports our assessment that these campaigns are conducted by APT10.

This campaign serves to highlight the importance of organisations having a comprehensive view of their threat profile, including that of their supply chains. More broadly, it should also encourage organisations to fully assess the risk posed by their third party relationships and prompt them to take appropriate steps to assure and manage these.

For more information visit: www.pwc.com or contact:

James Campbell: [email protected]

Jason Smart: [email protected]

There’s never been a better time to get into the technology business, with digital becoming the new normal and transforming how we work and live. At PwC, as we focus on future innovations, we’re investing in the best and most diverse talent of today and tomorrow. The wide range of technology services we offer our clients means we have a wide range of roles available. To find out more about what a career in Technology with PwC can mean to you, and view our current vacancies, visit pwc.com/uk/careers/tech-careers
