SECURITY INSIDE THE PERIMETER
THE CALL IS COMING FROM INSIDE THE HOUSE
Event Code: #ILTALSS #LSS17
Date: June 13, 2017
Time: 3:00 PM - 4:00 PM ET
Location: Salon I
Arlan McMillan
Kirkland & Ellis LLP, [email protected]
Arlan has over 20 years' experience in Information Technology and Security and, prior to joining Kirkland & Ellis LLP, was the CISO for United Airlines.
He's led a number of teams evaluating, developing and delivering security services, including as the CISO for the City of Chicago and Director of Global Information Security Operations for ABN AMRO / LaSalle Bank.
In 2014 Arlan was honored to be voted Chicago area CISO of the Year and, until joining Kirkland, was a board member of the Aviation Information Sharing and Analysis Center (A-ISAC).
Obligatory legal disclaimer… This discussion represents Arlan's personal viewpoint, which is not necessarily shared by his employer or the host of the event.
A different approach to this type of conversation…
- Lots of slides delivered quickly
- You will walk away with product (Dropbox.com, http://bit.ly/2r44mHW):
  - This and other presentations for you to reuse
  - Catalog of over 400 operational metrics
  - The CSF diagnostic and reporting templates
  - Other really cool stuff
SIT BACK AND RELAX
1. Train How You Fight
   a. Numbers from the battlefield
   b. Know your enemy
   c. Scenario planning (5+7)
   d. Paperwork now!
2. Pro Tips
3. Real Life Example
4. War Stories from the Audience
DEFENDERS ARE LOSING
It's happening more often: over 4 billion records lost in 2016 (a record high)
It costs more: $4 million average cost of a data breach (29% increase since 2013)
Humans are the #1 target: 93% of all significant breaches began with a phishing email
ATTACKERS ARE OUT-PACING DEFENDERS
% where "days or less"
Source: "2016 Data Breach Investigations Report", Verizon
ATTACKERS GET IN AND REMOVE DATA VERY FAST
Average time to compromise and exfiltration
Source: "2016 Data Breach Investigations Report", Verizon
INTERNAL CONTROLS AREN'T EFFECTIVELY IMPLEMENTED
% of breach discovery methods
Source: "2016 Data Breach Investigations Report", Verizon
BOUNTY ON LAW FIRMS
Flashpoint report published in January, 2017
Multiple firms targeted by a Russian handler:
- Domain Admin Access: $50,000
- Mail Server Access: $20,000
- Access to Office Computer of an Employee: $5,000
COMPRESSION
RAPID PACE OF CHANGE
Computer power has doubled every year since the mid-1960s.
In 1978, a flight from New York City to Paris cost ~$900 and took 7 hours.
If airlines had accelerated as fast as computer technology…
the same trip would cost less than one cent and take less than one second to complete.
5 THREAT CATEGORIES
#1: NUISANCE
#2: HACKTIVISTS
#3: ORGANIZED CRIME
#4: ESPIONAGE
#5: DESTRUCT, DENY, DESTROY
PLA GENERAL STAFF ORG CHART
PLA UNIT 61398 – BASE OF OPERATIONS
12-STORY BUILDING IN A PUBLIC, MIXED-USE AREA IN SHANGHAI
10 STEP APT DANCE
"A" "ADVANCED"… SHOULD JUST BE NAMED "PT"
DNC & CLINTON CAMPAIGN COMPROMISES – JOHN PODESTA
Highly crafted to look like a standard Google password change email
108 sent, 20 clicked; then forwarded to 16 more people, of which 4 more clicked
Stole passwords from individuals and silently installed malware on the target's computer, which then allowed the attacker to move laterally and infect other nearby computers
There is significant variability in the number of possible ways that a bad guy can do you harm…
… but 90% of the time it happens in just a few different ways.
Plan for the 90% and you'll be well on your way to handling the rest. (5+7)
5 CYBER SCENARIOS TO PLAN FOR
1. Malware spread (crypto)
2. Insider data harvesting and exfiltration
3. External breach of client data
4. External breach of non-client data
5. Wide-spread destruction of computer assets
7 BCM SCENARIOS TO PLAN FOR
GET READY NOW
1. When a big one hits, you will need outside help from a forensics firm (FF).
2. Don't wait to set up the paperwork. Do it now. It will cost nothing and save you bundles.
3. The FF should be hired by the General Counsel's (GC) office with the goal of providing legal advice. Privilege!
4. Limit who gets the report.
https://sites-shb.vuture.net/42/214/may-2017/5.22.2017---pdsa.asp?sid=6d7417d9-e318-4f2e-ae39-7bcf48f5d5d2
4 PRO TIPS
1. Tactical focus = Patching, Web & Email
2. IS is Risk Management, not Cyber IT
3. Authoritative Controls
4. Tabletops
TACTICAL FOCUS = PATCHING, WEB & EMAIL
Not much to say here… get really good on these three first.
We can talk about all the really cool tools, techniques and PowerShell kung fu you can bring to bear against an adversary, but a strong patching process is by far the most powerful.
IS = RM, NOT CYBER IT
How you communicate and build support for your program is the best cyber-defense!
Information Security is Risk Management: "current risk posture" vs "target risk posture"
5 Questions
1. Are there any material risks to the Firm and, if so, what are their potential costs and likelihoods of occurrence?
2. Is my security program aligned to the organization's desired risk profile?
3. Is my organization more or less secure than last year?
4. Am I spending the right amount of money?
5. How do I compare against my peers?
IS is RISK MANAGEMENT
Functional Requirements (slide diagram with three numbered items; the item text is not in the extracted slide)
AUTHORITATIVE CONTROLS
YOU HAVE A ROADMAP
TABLETOPS
- Train how you fight
- Tests readiness
- A clear signal to leadership and others that cyber is a priority
- A great way to improve visibility and generate conversation
- Part of a CISO's job is sales – you need to sell people on why they need to do one thing over another
INCIDENT TIMELINE
ref | event | comment
01 | AV cleans MIMIKATZ & triggers alert in SOC | Bad guy forgot to disable AV – no password on AV
02 | SecOps investigates & sees login with a shared TECH ID from nearby workstation | Abuse of shared admin ID used by techs for break-fix
03 | Investigate workstation – login from unusual user |
04 | Investigate user – doesn't typically even use a computer + weak password | Patient Zero unknown but most likely the user in #03 by way of a phishing victim
05 | Set up alerts for all suspicious IDs | Hackers going lateral
07 | See user's ID connect to company SSL VPN "published desktop" and then touch several other internal workstations | No 2FA – No segmentation
08 | Source IP = VPN in China | Bad guy obfuscating true location – could be originating from anywhere in the world
09 | Observed an IP from Shanghai "accidentally" connect for 30 sec before disconnecting, and then a new connection over VPN being established immediately | Bad OpSec!! We now know where you're really coming from!
10 | Set up alerts for any connections from that VPN | Only fire 9-5 local time in Shanghai except on Chinese holidays
11 | See multiple connections using multiple IDs | Result of ID harvesting
12 | Monitor connections and video record desktop sessions | We now have training videos!
13 | Observe bad guy using MIMIKATZ to pull any cached creds – they just do this over and over | "C" team following script to build DBs of our IDs and passwords
14 | Observe for ~20 days & prepare |
15 | Over three nights – 2FA for VPN, password resets for over 40K users, patch all systems to current, deploy AEPP to 90% of all workstation and server assets |
16 | Bad guys kicked out… kind of |
17 | AEPP alerts on PlugX RAT on insignificant, irrelevant and forgotten system | "B" team will have a back-door. Be ready & make sure asset inventory is up to date!
18 | Immediately shut down & analyze system | No way we would have seen the PlugX w/o Falcon
19 | Deploy forensic software to many servers |
20 | ID use of Service Account to go lateral | Disable interactive and network login for all Svc Accts.
21 | Continue to close doors w/ new visibility and authority to implement changes at will |
22 | Remove common tech ID on all workstations | Makes going lateral much more difficult
All said and done, this was about 60 days of all hands working in 24x7 shifts to address, and then another 90 to clean up.
While no data was lost, it's still very expensive.
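Two of the timeline's detective controls can be written down as concrete rules. The following is an added example, not code from the deck or from the speaker's firm: Rule A mirrors step 10 (alert on connections from the suspect VPN egress only during 9-5 Shanghai business hours, skipping holidays), and Rule B mirrors step 20 (flag any interactive or network logon by a service account). Everything specific is assumed: the log formats, the IP range 203.0.113.0/24 standing in for the VPN egress, the "svc_" naming prefix for service accounts, the weekday-only working hours, and the HOLIDAYS set, which is a placeholder for the real public-holiday calendar.

```python
# Added example (not from the deck): two detection rules modelled on the
# incident timeline.  Rule A mirrors step 10 (alert on connections from the
# suspect VPN egress during 9-5 Shanghai business hours, skipping holidays).
# Rule B mirrors step 20 (flag interactive or network logons by service
# accounts).  All log lines, IP ranges, account names and the holiday list
# are constructed placeholders.
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network

# China Standard Time has no daylight saving, so a fixed UTC+8 offset is exact.
SHANGHAI = timezone(timedelta(hours=8), "CST")
BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 0)
# Assumption: the operators keep weekday hours; HOLIDAYS is a constructed
# placeholder to be replaced with the real public-holiday calendar.
HOLIDAYS = {date(2017, 3, 7)}
# Constructed placeholder for the VPN egress range observed in step 08.
SUSPECT_VPN = [ip_network("203.0.113.0/24")]

# Constructed sample VPN log: "<UTC timestamp> <user> <source ip> <result>"
VPN_LOG = """\
2017-03-06T02:30:00Z jsmith 203.0.113.10 connected
2017-03-06T14:00:00Z jsmith 203.0.113.10 connected
2017-03-06T03:10:00Z mlee 198.51.100.7 connected
2017-03-11T03:00:00Z tchen 203.0.113.44 connected
2017-03-07T03:00:00Z rkumar 203.0.113.10 connected
"""

# Constructed sample Windows logon log: "<UTC timestamp> 4624 user=.. logon_type=.. host=.."
LOGON_LOG = """\
2017-03-06T02:35:00Z 4624 user=svc_backup logon_type=5 host=SRV01
2017-03-06T02:36:00Z 4624 user=svc_backup logon_type=3 host=WS0042
2017-03-06T02:37:00Z 4624 user=svc_sql logon_type=10 host=WS0043
2017-03-06T02:38:00Z 4624 user=jsmith logon_type=2 host=WS0042
"""


@dataclass
class VpnEvent:
    ts: datetime  # timezone-aware, UTC
    user: str
    src: str
    result: str


def parse_vpn_log(text: str) -> list[VpnEvent]:
    """Parse the constructed VPN log format into events with UTC timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        ts_utc = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(VpnEvent(ts_utc, user, src, result))
    return events


def in_operator_hours(ts_utc: datetime) -> bool:
    """True when the timestamp falls in 09:00-17:00 on a Shanghai working day."""
    local = ts_utc.astimezone(SHANGHAI)
    if local.weekday() >= 5 or local.date() in HOLIDAYS:
        return False
    return BUSINESS_START <= local.time() < BUSINESS_END


def suspect_vpn_alerts(events: list[VpnEvent]) -> list[VpnEvent]:
    """Rule A: connections from the suspect VPN range during operator hours."""
    return [
        e for e in events
        if any(ip_address(e.src) in net for net in SUSPECT_VPN)
        and in_operator_hours(e.ts)
    ]


# Windows logon types a service account should never use (step 20):
# 2 = Interactive, 3 = Network, 10 = RemoteInteractive.
FORBIDDEN_SVC_LOGON_TYPES = {2, 3, 10}


def service_account_logon_alerts(text: str, svc_prefix: str = "svc_") -> list[tuple]:
    """Rule B: 4624 events where a service account (identified by name prefix,
    an assumption) used an interactive or network logon type."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        logon_type = int(kv["logon_type"])
        if (event_id == "4624" and kv["user"].startswith(svc_prefix)
                and logon_type in FORBIDDEN_SVC_LOGON_TYPES):
            alerts.append((ts, kv["user"], kv["host"], logon_type))
    return alerts


if __name__ == "__main__":
    for e in suspect_vpn_alerts(parse_vpn_log(VPN_LOG)):
        print("VPN alert:", e.ts.astimezone(SHANGHAI).isoformat(), e.user, e.src)
    for a in service_account_logon_alerts(LOGON_LOG):
        print("Service account logon alert:", *a)
```

On the constructed sample, Rule A fires once (the Monday 10:30 Shanghai-time connection) and stays silent for the late-evening, weekend and holiday connections and for the source outside the suspect range; Rule B fires on the two service-account logons of type 3 and 10 while letting the type 5 service logon through. The time-of-day filter is the same trade-off the deck makes in step 10: it cuts noise by keying on the operators' schedule, so it must be revisited once the schedule changes.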
Share your war story or…