SECURITY INSIDE THE PERIMETER - THE CALL IS COMING FROM INSIDE THE HOUSE Event Code: #ILTALSS #LSS17 Date: June 13, 2017 Time: 3:00 PM - 4:00 PM ET Location: Salon I


Page 1: SECURITY INSIDE THE PERIMETER Security I… · security inside the perimeter-the call is coming from inside the house event code: #iltalss #lss17 date: june 13, 2017. time: 3:00 pm

SECURITY INSIDE THE PERIMETER – THE CALL IS COMING FROM INSIDE THE HOUSE

Event Code: #ILTALSS #LSS17
Date: June 13, 2017
Time: 3:00 PM - 4:00 PM ET
Location: Salon I

Page 2

Arlan McMillan

Kirkland & Ellis LLP, [email protected]

Arlan has over 20 years' experience in Information Technology and Security and, prior to joining Kirkland & Ellis LLP, was the CISO for United Airlines.

He has led a number of teams evaluating, developing and delivering security services, including as the CISO for the City of Chicago and Director of Global Information Security Operations for ABN AMRO / LaSalle Bank.

In 2014 Arlan was honored to be voted as the Chicago area CISO of the Year and until joining Kirkland, was a board member of the Aviation Information Sharing and Analysis Center (A-ISAC).

SECURITY INSIDE THE PERIMETER – THE CALL IS COMING FROM INSIDE THE HOUSE

Obligatory legal disclaimer… This discussion represents Arlan’s personal viewpoint, which is not necessarily shared by his employer or the host of the event.

Page 3

A different approach to this type of conversation…

Lots of slides delivered quickly
You will walk away with product
Dropbox.com: http://bit.ly/2r44mHW
This and other presentations for you to reuse
Catalog of over 400 operational metrics
The CSF diagnostic and reporting templates
Other really cool stuff

3 http://bit.ly/2r44mHW

Page 4

SIT BACK AND RELAX

Page 5

Page 6

1. Train How You Fight
   a. Numbers from the battlefield
   b. Know your enemy
   c. Scenario planning (5+7)
   d. Paperwork now!
2. Pro Tips
3. Real Life Example
4. War Stories from the Audience

Page 7


Page 8

DEFENDERS ARE LOSING

It’s happening more often: over 4 billion records lost in 2016 (a record high)

It costs more: $4 million average cost of a data breach (a 29% increase since 2013)

Humans are the #1 target: 93% of all significant breaches began with a phishing email

Page 9

ATTACKERS ARE OUT-PACING DEFENDERS
% WHERE “DAYS OR LESS”

Source: “2016 Data Breach Investigations Report”, Verizon

Page 10

ATTACKERS GET IN AND REMOVE DATA VERY FAST
AVERAGE TIME TO COMPROMISE AND EXFILTRATION

Source: “2016 Data Breach Investigations Report”, Verizon

Page 11

INTERNAL CONTROLS AREN’T EFFECTIVELY IMPLEMENTED
% OF BREACH DISCOVERY METHODS

Source: “2016 Data Breach Investigations Report”, Verizon

Page 12

BOUNTY ON LAW FIRMS

Flashpoint report published in January, 2017

Multiple firms targeted by a Russian handler:
Domain Admin Access: $50,000
Mail Server Access: $20,000
Access to Office Computer of an Employee: $5,000

Page 13

Page 14

COMPRESSION

Page 15

RAPID PACE OF CHANGE

Computer power has doubled every year since the mid-1960s

In 1978, a flight from New York City to Paris cost ~$900 and took 7 hours

If airlines had accelerated as fast as computer technology…

the same trip would cost less than one cent and take less than one second to complete

Page 16


Page 17

5 THREAT CATEGORIES

Page 18

#1: NUISANCE

Page 19

#2: HACKTIVISTS

Page 20

#3: ORGANIZED CRIME

Page 21

#4: ESPIONAGE

Page 22

#5: DESTRUCT, DENY, DESTROY

Page 23

PLA GENERAL STAFF ORG CHART

Page 24

PLA UNIT 61398 – BASE OF OPERATIONS
12-STORY BUILDING IN A PUBLIC, MIXED-USE AREA IN SHANGHAI

Page 25

10 STEP APT DANCE
“A” (“ADVANCED”)… SHOULD JUST BE NAMED “PT”

Page 26

10 STEP APT DANCE

Page 27

DNC & CLINTON CAMPAIGN COMPROMISES – JOHN PODESTA

Highly crafted to look like a standard Google password-change email

108 sent, 20 clicked – then forwarded to 16 more people, of which 4 more clicked

Stole individuals’ passwords and silently installed malware on the target’s computer, which then allowed the attacker to move laterally and infect other nearby computers

Page 28


Page 29

There is significant variability in the number of possible ways that a bad guy can do you harm…

… but 90% of the time it happens in just a few different ways.

Plan for the 90% and you’ll be well on your way for the rest. (5+7)

Page 30

5 CYBER SCENARIOS TO PLAN FOR

1. Malware spread (crypto)
2. Insider data harvesting and exfiltration
3. External breach of client data
4. External breach of non-client data
5. Wide-spread destruction of computer assets

Page 31

7 BCM SCENARIOS TO PLAN FOR

Page 32

1. Train How You Fight
   a. Numbers from the battlefield
   b. Know your enemy
   c. Scenario planning and testing
   d. Paperwork now!
2. Pro Tips
3. Real Life Example
4. War Stories from the Audience

Page 33

GET READY NOW

1. When a big one hits, you will need outside help from a forensics firm.

2. Don’t wait to set up the paperwork. Do it now. It will cost nothing and save you bundles.

3. The forensics firm (FF) should be hired by the General Counsel’s (GC) office with the goal of providing legal advice. Privilege!

4. Limit who gets the report.

https://sites-shb.vuture.net/42/214/may-2017/5.22.2017---pdsa.asp?sid=6d7417d9-e318-4f2e-ae39-7bcf48f5d5d2

Page 34


Page 35

Page 36

Page 37

4 PRO TIPS

1. Tactical focus = Patching, Web & Email
2. IS is Risk Management, not Cyber IT
3. Authoritative Controls
4. Tabletops

Page 38

TACTICAL FOCUS = PATCHING, WEB & EMAIL

Not much to say here… get really good on these three first.

We can talk about all the really cool tools, techniques and PowerShell kung fu you can bring to bear against an adversary, but a strong patching process is by far the most powerful.

Page 39

IS = RM, NOT CYBER IT

How you communicate and build support for your program is the best cyber-defense!

Information Security is Risk Management: “current risk posture” vs “target risk posture”

5 Questions

1. Are there any material risks to the Firm and, if so, what are their potential costs and likelihoods of occurrence?

2. Is my security program aligned to the organization’s desired risk profile?

3. Is my organization more or less secure than last year?

4. Am I spending the right amount of money?

5. How do I compare against my peers?

Page 40

IS is RISK MANAGEMENT

Functional Requirements (diagram with three numbered items; the item text is not recoverable from the extraction)

Page 41

AUTHORITATIVE CONTROLS
YOU HAVE A ROADMAP

Page 42

TABLETOPS


Train how you fight
Tests readiness
A clear signal to leadership and others that cyber is a priority
A great way to improve visibility and generate conversation
Part of a CISO’s job is sales – you need to sell people on why they need to do one thing over another

Page 43


Page 44

INCIDENT TIMELINE

ref | event | comment
01 | AV cleans MIMIKATZ & triggers alert in SOC | Bad guy forgot to disable AV – no password on AV
02 | SecOps investigates & sees login with a shared TECH ID from nearby workstation | Abuse of shared admin ID used by techs for break-fix
03 | Investigate workstation – login from unusual user |
04 | Investigate user – doesn’t typically even use a computer + weak password | Patient Zero unknown but most likely the user in #03 by way of a phishing victim
05 | Set up alerts for all suspicious IDs | Hackers going lateral
07 | See user’s ID connect to company SSL VPN “published desktop” and then touch several other internal workstations | No 2FA – No segmentation
08 | Source IP = VPN in China | Bad guy obfuscating true location – could be originating from anywhere in the world

Page 45

INCIDENT TIMELINE CONT.

ref | event | comment
09 | Observed an IP from Shanghai “accidentally” connect for 30 sec before disconnecting, and then a new connection over VPN being established immediately | Bad OpSec!! We now know where you’re really coming from!
10 | Set up alerts for any connections from that VPN | Only fire 9-5 local time in Shanghai except on Chinese holidays
11 | See multiple connections using multiple IDs | Result of ID harvesting
12 | Monitor connections and video record desktop sessions | We now have training videos!
13 | Observe bad guy using MIMIKATZ to pull any cached creds – they just do this over and over | “C” team following script to build DBs of our IDs and passwords
14 | Observe for ~20 days & prepare |
15 | Over three nights – 2FA for VPN, password resets for over 40K users, patch all systems to current, deploy AEPP to 90% of all workstation and server assets |
16 | Bad guys kicked out… kind of |

Page 46

INCIDENT TIMELINE CONT.

ref | event | comment
17 | AEPP alerts on PlugX RAT on insignificant, irrelevant and forgotten system | “B” team will have a back-door. Be ready & make sure asset inventory is up to date!
18 | Immediately shut down & analyze system | No way we would have seen the PlugX w/o Falcon
19 | Deploy forensic software to many servers |
20 | ID use of Service Account to go lateral | Disable interactive and network login for all Svc Accts.
21 | Continue to close doors w/ new visibility and authority to implement changes at will |
22 | Remove common tech ID on all workstations | Makes going lateral much more difficult

All said and done, this was about 60 days of all hands working in 24x7 shifts to address, and then another 90 to clean up.

While no data was lost, it’s still very expensive.
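The alerting steps in the timeline above (02/05, 10 and 20) written as three rules over a handful of constructed logon records; this is an added example, not the deck's or the firm's code, and the account names, the watched VPN range (TEST-NET-3 as a placeholder), the holiday list and the log line format are all assumptions.

```python
# Added example (not the deck's or the firm's code): the alert rules from
# timeline steps 02/05, 10 and 20 over constructed logon records. Account
# names, the watched VPN range and the log line format are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
# Step 10: VPN egress range the attacker used (placeholder) and the Shanghai window.
WATCHED_VPN_NET = ip_network("203.0.113.0/24")
SHANGHAI = timezone(timedelta(hours=8))
CN_HOLIDAYS = {"2017-10-01"}     # constructed; the real calendar is not on the page
SHARED_TECH_IDS = {"techadmin"}  # step 02: shared break-fix ID, never a remote logon
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql"}  # step 20: no interactive/network logon

@dataclass
class Logon:
    ts: datetime      # timezone-aware UTC
    logon_type: str   # "vpn", "network", "interactive" or "service"
    user: str
    src_ip: str

def parse(line: str) -> Logon:
    # Constructed line format: "<ISO-8601 UTC> <type> user=<u> src=<ip>"
    ts, logon_type, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Logon(when, logon_type, fields["user"], fields["src"])

def vpn_from_watched_range(e: Logon) -> bool:
    # Step 10: fire only 9-5 Shanghai local time and not on a Chinese holiday.
    if e.logon_type != "vpn" or ip_address(e.src_ip) not in WATCHED_VPN_NET:
        return False
    local = e.ts.astimezone(SHANGHAI)   # convert before testing the day and hour
    if local.strftime("%Y-%m-%d") in CN_HOLIDAYS:
        return False
    return 9 <= local.hour < 17

def shared_tech_id_remote(e: Logon) -> bool:
    # Step 02: the shared tech ID showing up in a network or VPN logon.
    return e.user in SHARED_TECH_IDS and e.logon_type in {"network", "vpn"}

def service_account_logon(e: Logon) -> bool:
    # Step 20: a service account logging on interactively or over the network.
    return e.user in SERVICE_ACCOUNTS and e.logon_type in {"interactive", "network"}

RULES = (vpn_from_watched_range, shared_tech_id_remote, service_account_logon)

def evaluate(lines):
    # Return (timestamp, user, rule name) for every record that trips a rule.
    events = [parse(ln) for ln in lines if ln.strip()]
    return [(e.ts.isoformat(), e.user, r.__name__) for e in events for r in RULES if r(e)]

# Constructed sample: one hit per rule, plus three that must stay quiet
# (VPN outside hours, VPN on a holiday, a service account's own service logon).
SAMPLE_LOG = """\
2017-06-13T02:30:00Z vpn user=jsmith src=203.0.113.10
2017-06-13T14:00:00Z vpn user=jsmith src=203.0.113.10
2017-10-01T02:30:00Z vpn user=jsmith src=203.0.113.10
2017-06-13T03:05:00Z network user=techadmin src=10.0.0.5
2017-06-13T03:10:00Z interactive user=svc_backup src=10.0.0.7
2017-06-13T03:11:00Z service user=svc_backup src=10.0.0.7
"""
```

Calling `evaluate(SAMPLE_LOG.splitlines())` yields exactly three alerts, one per rule; the three quiet records show why the hour window and the logon type matter for keeping the alert volume manageable.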

Page 47


Page 48


Share your war story or…