Sheryl Hanchar C|EH, GCIH, CISSP, CISA


Page 1:

Sheryl Hanchar C|EH, GCIH, CISSP, CISA

Page 2:

• HIPAA, PCI, SOX, Due Diligence - all are aimed at protection.

• If you lock the front door, the bad guys will come in through an open window.

• Are you watching the front door while they come in the back?

• Policy audit is a requirement; don’t make it the total focus.

• Are the Incident Responders aware of the ever-changing threat landscape? Dedicated \ Tiger Team

Page 3:

SPAM \ PHISHING

• PDFs \ Word \ Excel \ Exes.

• Embedded links \ Redirects

• Your Secure Email Gateway’s limitations.

• Do you have a place where employees can send suspicious emails to be analyzed?

Page 4:

Month               February  March  April  May    June   July   August
Spam                2015      2667   1798   974    823    1485   1145
Total Time (Hours)  100.50    91.18  60.60  41.38  26.56  42.27  42.78

[email protected]

• Run in virtual machines \ identify rogue processes \ C2 callbacks

• Use Email Gateways to block trends

• Pull “dirty mail” out of inboxes before infection.
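The slide asks whether employees have somewhere to send suspicious mail and what happens to it next. The script below is an added example, not code from the presentation, of the first triage step on such a mailbox: it parses a reported message with the Python standard library, hashes each attachment and flags the file types the slide names, pulls links out of the body, marks links that look like open redirects, and decides whether the message needs to go to the sandbox VM. The sample message, addresses and file names are constructed for the example.

```python
"""Triage helper for a suspicious-email reporting mailbox. It parses a reported
message, lists attachments with their SHA-256 and a risk flag by file type,
pulls embedded links out of the body, and marks links that look like open
redirects, so an analyst can decide what goes to the sandbox VM. Added example
using only the Python standard library; the sample message is constructed."""

import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import parse_qs, urlparse

# File types the slide calls out (PDF / Word / Excel / exe) plus common lures;
# a double extension such as "invoice.pdf.exe" is judged by its last extension.
RISKY_EXTENSIONS = {".pdf", ".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
                    ".exe", ".scr", ".js", ".html", ".htm", ".zip"}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s<>"\']+')


def looks_like_redirect(url: str) -> bool:
    """A link whose query string carries another http(s) URL is a redirect candidate."""
    query = parse_qs(urlparse(url).query)
    return any(v.lower().startswith(("http://", "https://"))
               for values in query.values() for v in values)


def extract_urls(msg: EmailMessage) -> list:
    """Unique links from text/plain and text/html body parts, in document order."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.get_filename():
            continue
        body = part.get_content()
        found = (HREF_RE.findall(body) if part.get_content_subtype() == "html"
                 else URL_RE.findall(body))
        for url in found:
            if url not in urls:
                urls.append(url)
    return urls


def triage(raw: bytes) -> dict:
    """Summarise one reported message for the analyst queue."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        attachments.append({"name": name,
                            "sha256": hashlib.sha256(data).hexdigest(),
                            "risky": ext in RISKY_EXTENSIONS})
    urls = extract_urls(msg)
    return {
        "from": str(msg["From"]),
        "reply_to": str(msg["Reply-To"]) if msg["Reply-To"] else None,
        "subject": str(msg["Subject"]),
        "attachments": attachments,
        "urls": urls,
        "redirect_urls": [u for u in urls if looks_like_redirect(u)],
        # Anything with a risky attachment or a link is worth detonating in the VM.
        "needs_sandbox": any(a["risky"] for a in attachments) or bool(urls),
    }


def build_sample() -> bytes:
    """Constructed sample report (not a real message) so the script runs stand-alone."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["Reply-To"] = "collect@example.org"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Your purchase has shipped"
    msg.set_content("Your order has shipped. Track it: http://example.net/track?id=42")
    msg.add_alternative('<p>Track your package <a href="http://example.net/go?url=http://example.org/login">here</a>.</p>',
                        subtype="html")
    msg.add_attachment(b"MZ\x90\x00constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return bytes(msg)


if __name__ == "__main__":
    report = triage(build_sample())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The attachment hashes are what you feed to the gateway to block a trend and to the mail system to pull the same message out of other inboxes; the redirect flag catches the "embedded link that bounces through a legitimate domain" pattern the slide mentions. A mismatch between From and Reply-To, as in the sample, is a cheap extra signal to print for the analyst.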

Page 5:

10/16/2012

Spam Mailbox INTEL

January 2012 to September 2012

New Initiatives- 11m in tools….

Corporate Wide

Tier    CW   BCD  CHQ  GCSD  HCC  HCS  HITS  PSPC  RFCD
Total   89   10   3    14    9    1    7     1     10
T1      20   3    0    4     4    0    2     1     8
T3      69   7    3    10    5    1    5     0     2

[Chart: Corporate Wide, bar chart of the counts above, scale 0 to 100]

Division Trending

Tier    CHQ  GCSD  HCC  HCS  HITS  PSPC  RFCD
Total   3    14    9    1    7     1     10
T1      0    4     4    0    2     1     8
T3      3    10    5    1    5     0     2

[Chart: Division Trending, bar chart of the counts above, scale 0 to 16]

• Trending Analysis

• Intelligence

• End User Alerting

• Program Harvesting

Page 6:

• HIGH SUCCESS RATE! No matter how much security awareness training occurs, someone will click! (wedding invite \ fantasy football \ boss email \ holiday)

• Does your end user security awareness campaign educate regarding links, attachments, holiday emails, “your purchase has shipped”?

Page 7:

• Where are you getting your INTEL?

• Department of Homeland Security – Cyber Report Daily – shows breaches, risks, trends.

• Use this Intel for your Vulnerability Management Program.

Page 8:

Fake Amex "Security Verification" Phishing Emails Doing Rounds: Malicious spam emails impersonating American Express have been hitting inboxes in the last few days, trying to make recipients open the file in the attachment. The email purports to be a notification about a "Membership Security Verification," and warns the users that a "slight error" has been detected in their AmEx accounts. To make it right - and not lose access to their accounts in the next 48 hours - the victims are urged to download the attached HTML file and open it in a browser. [T]he phishers are looking for every bit of personal and financial information they can get, including the users' name, address, home and work telephone numbers, Social Security number, mother's maiden name and date of birth, users' date of birth, AmEx credit card number, expiry date, card security code, ATM PIN, email address and the password for it.

Page 9:

10/16/2012

Enhanced Workflow and Analytics

ARTIFICIAL INTELLIGENCE

How much work is involved in a phish for the company – ROI?

Page 10:

What does a malicious email cost the company…?

Spear Phishing Taxonomy – Use Case Examples (time in minutes)

Step                                                                              1 User   300 Users
Introduction into the Environment
 1. Spear Phish Email Sent                                                             0           0
 2. User Receives Email (Clicks Link/Send Email to HD/Notifies SOC/Calls HD)          10        3000
 3. Service Desk Reviews Email and Sends it to SOC                                     1         300
 4. Service Desk Receives Phone Call from User                                       8.5        2550
 5. SOC Analyzes Email (if links/attachment => Further Action Required)                1         100
Spear Phishing Analysis
 6. SOC Opens a Case                                                                  10          15
 7. SOC Reviews link/attachment on malware station for validity                       20          20
 8. SOC Conducts DLM Search                                                           10          30
 9. SOC Conducts WatchGuard Search                                                    10          30
10. SOC Creates STRM Rules from Malware Properties                                    10          10
11. IRT Leverages FireEye to Prevent Future Attacks                                   10          10
12. SOC Creates Remedy Ticket for FW / DNS / Websense Blocks                          20          20
13. EAS Support Staff Vets Request and Completes Block Action                         30          30
14. SOC Creates Blocking Rules in WatchGuard                                          10          10
15. SOC Runs Script to Identify Unique Email Recipients                               10          10
16. HEMS Removes Spear Phish Email from All Users' Inboxes Identified by SOC          30          60
17. IRT Conducts Netwitness Traffic Analysis                                          40          40
Identification of Malware
18. STRM Beacon from Rule Identifies User Clicked Link or Attachment                   5        1500
19. IRT Conducts Further Analysis                                                    120         120
20. IRT User traced back to IP/Machine                                                25        7500
21. SOC Creates Remedy Ticket to Reimage Users' Machines                               5        1200
22. SOC Creates Remedy Ticket to Block by MAC Address (30% of the time)              0.9         2.1
23. SOC Puts User or Machine in Appropriate NO ACCESS OU (10% of the time)           0.5         150
24. Local Desktop Team Tracks Down Machine                                            20        6000
25. Network Team Blocks Machine by MAC (30% of the time)                             0.6         180
26. Customer Down Time (2 Days Avg.)                                                2880      864000
27. Desktop Team Reimages Machine (copy files, decrypt, reimage, encrypt) (5 hr Avg) 300       90000
28. Desktop Team Returns Machine to User (Ship/Send/Walkover/etc)                     20        6000
29. Network Team Releases MAC Block (30% of the time)                                0.6         180
30. SOC Releases Machine/User from OU (10% of the time)                                1         300
31. SOC Closes Case (All Data is Entered and Verified)                                30          90
32. Continuous Monitoring                                                              0           0
Totals (in Minutes)                                                               3639.1    983457.1
Total Cost                                                                     $3,942.36  $1,065,411.86

Summary of Costs

Team                 1 User Infected   300 Users Infected
Threat Mitigation
  SOC                $155.35           $3,777.69
  IRT                $211.25           $8,309.17
Support Staff
  Service Desk       $10.29            $3,087.50
  HEMS               $32.50            $65.00
  Desktop            $368.33           $110,500.00
  EAS                $32.50            $32.50
  Network            $1.30             $390.00
HITS AIM Costs       $811.53           $126,161.86
End User Customer    $3,130.83         $939,250.00
Total Cost           $3,942.36         $1,065,411.86

Fixed/Sunk Costs vs. Incremental Costs

Team                 Fixed/Sunk   Incremental, X = 1   Incremental, X = 300
Threat Mitigation
  SOC                $109.42      $45.93               $12.23
  IRT                $184.17      $27.08               $27.08
Support Staff
  EAS                $32.50       $0.00                $0.00
  HEMS               $32.50       $0.00                $0.11
  Service Desk       $1.08        $9.21                $10.29
  Desktop            $0.00        $368.33              $368.33
  Network            $0.00        $1.30                $1.30
HITS AIM Costs       $359.67      $451.86              $419.34
End User Customer    $2.17        $3,128.67            $3,130.83
Total Cost           $361.83      $3,580.53            $3,550.17

Summary (X = Users Infected) – Formula

When X = 0:    $361.83
When X = 1:    $3580.53X + $361.83
When X = 300:  $3550.17X + $361.83

Increasing the # of infected users dilutes costs by $30.35/inf
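The slide's formula splits the cost of a phish into a fixed, per-incident part and a per-infected-user increment. As an added example that is not from the presentation, the model below encodes that split in Python so the numbers can be recomputed and the "dilution" seen directly. The per-team dollar figures are transcribed from the slide's Fixed/Sunk and Incremental columns; the function names and the rule that switches from the X = 1 rate to the X = 300 rate for any multi-user incident are this example's own assumptions.

```python
"""Cost model for a spear-phishing incident, following the slide's split into
fixed (sunk, per-incident) costs and an incremental cost per infected user.
The per-team dollar figures are transcribed from the slide; the functions,
names and the two-point rate rule are this example's own assumptions."""

from dataclasses import dataclass


@dataclass(frozen=True)
class TeamCost:
    team: str
    fixed: float          # fixed/sunk cost per incident (dollars)
    per_user_x1: float    # incremental cost per infected user, measured at X = 1
    per_user_x300: float  # incremental cost per infected user, measured at X = 300


# "Fixed/Sunk Costs" and "Incremental Costs" columns from the slide.
TEAM_COSTS = (
    TeamCost("SOC",               109.42,   45.93,   12.23),
    TeamCost("IRT",               184.17,   27.08,   27.08),
    TeamCost("EAS",                32.50,    0.00,    0.00),
    TeamCost("HEMS",               32.50,    0.00,    0.11),
    TeamCost("Service Desk",        1.08,    9.21,   10.29),
    TeamCost("Desktop",             0.00,  368.33,  368.33),
    TeamCost("Network",             0.00,    1.30,    1.30),
    TeamCost("End User Customer",   2.17, 3128.67, 3130.83),
)


def _rate(team: TeamCost, infected_users: int) -> float:
    """Per-user rate to apply. The slide only measured X = 1 and X = 300; this
    example uses the X = 1 rate for a single victim and the X = 300 rate for
    any larger incident (shared work such as one gateway block or one STRM
    rule covers all victims). That switch-over is an assumption."""
    return team.per_user_x1 if infected_users <= 1 else team.per_user_x300


def fixed_cost() -> float:
    """Cost incurred even when nobody is infected (the slide's X = 0 case)."""
    return round(sum(t.fixed for t in TEAM_COSTS), 2)


def per_user_cost(infected_users: int) -> float:
    """Marginal cost per infected user at this incident size."""
    return round(sum(_rate(t, infected_users) for t in TEAM_COSTS), 2)


def total_cost(infected_users: int) -> float:
    """Slide formula: Total = per_user(X) * X + fixed."""
    return round(per_user_cost(infected_users) * infected_users + fixed_cost(), 2)


def team_breakdown(infected_users: int) -> dict:
    """Cost per team at this incident size, the slide's 'Summary of Costs' view."""
    return {t.team: round(t.fixed + _rate(t, infected_users) * infected_users, 2)
            for t in TEAM_COSTS}


def dilution_per_user() -> float:
    """How much the per-user cost falls between a 1-user and a 300-user incident."""
    return round(per_user_cost(1) - per_user_cost(300), 2)


if __name__ == "__main__":
    for x in (0, 1, 300):
        print(f"X = {x:>3}: total ${total_cost(x):,.2f}, "
              f"${per_user_cost(x):,.2f} per infected user")
    print(f"dilution: ${dilution_per_user():.2f} per additional infected user")
```

Recomputing from the per-team figures reproduces the slide's $3,942.36 for one user and lands within about a dollar of its $1,065,411.86 for 300 (the slide's own columns are rounded to cents). The useful reading is in team_breakdown: the Desktop and End User rows scale with every victim, while SOC and IRT effort is mostly fixed, which is the argument for spending on the gateway and mailbox pull-back that stop the 300-user case from happening.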

Page 11:

Page 12:

Advanced Persistent Threats

Growing Risks of Advanced Threats

• APT is on the rise…

–71% increase in APT attacks over the past 12 months

• APT targets any industry

–83% of US companies have been hit by the APT

• APT is low profile…

–46% say it takes 30 days or more to detect

• APT is targeted…

–97% of the 140M records compromised through customized malware

• APT is elusive

–AV databases are 20-50% effective at detecting new or low-volume threats

Page 13:

Profile of Advanced Persistent Threats

Page 14:

Page 15:

Consensus Audit Guidelines: 20 Critical Security Controls

Page 16:

The Incident Response part….

Page 17:

• Scanning nodes for 1 file takes time.

• Tools are not fast even if you know where to look.

• Machines not on the network can’t be scanned.

• Pulling back data and analysis takes time.

• When you find something, doesn’t work… and you will. (What do you mean THAT server didn’t have….)

Page 18:

Technical and Administrative Controls - some cost $, some don’t.

• Logs Logs Logs Logs Logs! What are you logging? Are they being overwritten?

• Log tool not licensed properly and dropping data. (SIEM)

• Administrator accounts still in use? Password changes? Entitlement reviews?

• Why is the Domain Admin on at 4am? Normal? Wait – he is logging in from Korea! Wow, Dan got to go to Korea!
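Two of the questions on this slide translate directly into checks that can run over a logon feed. The script below is an added example, not from the presentation: it flags privileged-account logons outside business hours or from a country the admins do not normally work from (the "Domain Admin at 4am from Korea" case), and it looks for silences in the feed long enough to suggest logs were overwritten or the SIEM dropped data. The log lines, account names, countries and thresholds are constructed assumptions.

```python
"""Two checks drawn from the slide's questions. (1) Privileged account logons
outside business hours or from an unexpected country. (2) Gaps in the logon
feed large enough to suggest logs were overwritten or the SIEM dropped data.
Added example; the log lines, account names, countries and thresholds are
constructed assumptions, not data from the presentation."""

from datetime import datetime, timedelta

# Constructed sample feed: local timestamp, account, source IP, GeoIP country, logon type.
SAMPLE_LOG = """\
2012-10-15 08:55:02,jsmith,10.1.4.22,US,interactive
2012-10-15 09:15:40,dan.admin,10.1.4.9,US,interactive
2012-10-15 17:48:03,jsmith,10.1.4.22,US,interactive
2012-10-18 04:03:27,dan.admin,203.0.113.45,KR,remote
2012-10-18 04:05:10,dan.admin,203.0.113.45,KR,remote
2012-10-18 11:30:00,mlee,10.1.7.3,US,interactive
"""

PRIVILEGED_ACCOUNTS = {"dan.admin"}   # assumption: Domain Admin accounts to watch
EXPECTED_COUNTRIES = {"US"}           # assumption: where those admins normally work from
BUSINESS_HOURS = range(7, 19)         # 07:00-18:59 local time; assumption
MAX_GAP = timedelta(hours=24)         # longer silence than this in a logon feed is suspicious


def parse_log(text: str) -> list:
    """Parse the constructed CSV-style feed into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, account, ip, country, logon_type = line.split(",")
        events.append({"time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                       "account": account, "ip": ip,
                       "country": country, "type": logon_type})
    return events


def privileged_logon_alerts(events: list) -> list:
    """(time, account, ip, reasons) for every privileged logon that breaks a rule."""
    alerts = []
    for e in events:
        if e["account"] not in PRIVILEGED_ACCOUNTS:
            continue
        reasons = []
        if e["time"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if e["country"] not in EXPECTED_COUNTRIES:
            reasons.append(f"unexpected country {e['country']}")
        if reasons:
            alerts.append((e["time"].isoformat(), e["account"], e["ip"], reasons))
    return alerts


def log_gaps(events: list, max_gap: timedelta = MAX_GAP) -> list:
    """Pairs of consecutive timestamps further apart than max_gap. A gap is
    either a genuinely quiet period or evidence the feed lost data; either
    way it is the first thing to check before trusting a timeline."""
    ordered = sorted(events, key=lambda e: e["time"])
    return [(prev["time"].isoformat(), cur["time"].isoformat())
            for prev, cur in zip(ordered, ordered[1:])
            if cur["time"] - prev["time"] > max_gap]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for alert in privileged_logon_alerts(events):
        print("ALERT", *alert)
    for start, end in log_gaps(events):
        print("GAP   no logons between", start, "and", end)
```

The gap check is the cheap answer to "are they being overwritten?": a logon feed from a domain of any size should never go quiet for a day, so a day-long hole is a retention or licensing problem to chase before the next incident needs that timeline.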

Page 19:

• Do your technical staff feel safe alerting to an incident? (Monica)

• Forgotten servers not being patched, or Windows NT boxes? (How are you notified of new servers being added? VMs!) (Vulnerability Scanning \ Hardening \ What is new on my VLAN?)

• Security Awareness: how big of a deal does the company make of it? 5k run?

• Outdated policy prevents controls from being implemented. (IRC: when was the last time the content filtering system rule list was reviewed?)
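"How are you notified of new servers being added?" and "What is new on my VLAN?" are answered by diffing inventory snapshots and checking anything new against the asset register. The script below is an added example, not from the presentation; the snapshots, hostnames, MACs, subnet and register are constructed, and the record layout is this example's own.

```python
"""Diff two discovery snapshots of one VLAN to answer the slide's "what is new
on my VLAN?" question, then cross-check hosts that appeared against the asset
register so unregistered machines get scanned and hardened first. Added
example; snapshots, register and subnet are constructed."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    ip: str
    mac: str
    hostname: str
    open_ports: frozenset


VLAN = ipaddress.ip_network("10.20.5.0/24")   # assumption: the VLAN under review

# Constructed snapshots (e.g. from a scheduled discovery scan or a DHCP/ARP export).
LAST_WEEK = (
    Host("10.20.5.10", "00:11:22:33:44:10", "fileserv01", frozenset({445, 3389})),
    Host("10.20.5.11", "00:11:22:33:44:11", "sql01",      frozenset({1433, 3389})),
    Host("10.20.5.12", "00:11:22:33:44:12", "web01",      frozenset({80, 443})),
)
THIS_WEEK = (
    Host("10.20.5.10", "00:11:22:33:44:10", "fileserv01", frozenset({445, 3389})),
    Host("10.20.5.12", "00:11:22:33:44:12", "web01",      frozenset({80, 443, 8080})),
    Host("10.20.5.40", "00:11:22:33:44:40", "legacy-nt",  frozenset({139})),   # appeared, nobody registered it
    Host("10.20.5.41", "00:11:22:33:44:41", "dev-vm-7",   frozenset({22})),    # appeared, registered VM
    Host("192.0.2.9",  "00:11:22:33:44:99", "stray",      frozenset({80})),    # outside the VLAN: scan noise
)
ASSET_REGISTER = {"fileserv01", "sql01", "web01", "dev-vm-7"}   # constructed CMDB hostnames


def in_vlan(host: Host, vlan=VLAN) -> bool:
    return ipaddress.ip_address(host.ip) in vlan


def diff_inventory(before, after, vlan=VLAN) -> dict:
    """Hosts keyed by MAC (stable across DHCP re-leases): what appeared, what
    vanished, and whose open ports changed."""
    old = {h.mac: h for h in before if in_vlan(h, vlan)}
    new = {h.mac: h for h in after if in_vlan(h, vlan)}
    appeared = [new[m].hostname for m in new.keys() - old.keys()]
    vanished = [old[m].hostname for m in old.keys() - new.keys()]
    changed = {}
    for mac in old.keys() & new.keys():
        added = new[mac].open_ports - old[mac].open_ports
        removed = old[mac].open_ports - new[mac].open_ports
        if added or removed:
            changed[new[mac].hostname] = {"added": sorted(added), "removed": sorted(removed)}
    return {"appeared": sorted(appeared), "vanished": sorted(vanished), "changed_ports": changed}


def unregistered_hosts(snapshot, register, vlan=VLAN) -> list:
    """Hosts on the VLAN that nobody told change management about: first in
    line for vulnerability scanning and hardening."""
    return sorted(h.hostname for h in snapshot
                  if in_vlan(h, vlan) and h.hostname not in register)


if __name__ == "__main__":
    report = diff_inventory(LAST_WEEK, THIS_WEEK)
    print("appeared:", report["appeared"])
    print("vanished:", report["vanished"])
    print("changed ports:", report["changed_ports"])
    print("unregistered:", unregistered_hosts(THIS_WEEK, ASSET_REGISTER))
```

Keying on MAC rather than IP keeps a re-leased DHCP address from showing up as a "new" host, and the register check is what turns the diff into a work item: the unregistered NT-era box is the one that would otherwise sit unpatched until an incident finds it.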

Page 20:

Who is on your Incident Response team?

• Dedicated

• Secondary

What happens when an incident occurs?

• Recreating the crime scene is not easy. Clues and evidence are always missing.

• All of Sr. Mgmt becomes involved… Timeline.

• Practice \ Tabletops

Don’t forget your scribe!

• Geeks do not take notes! Work all night, not 1 note.

• Genius \ Autistic? (NSA) - think fast and can’t speak.

• The different types of cases: porn \ policy violation vs. exfiltration to a foreign nation.