Page 1

THE QUESTION IS NOT “IF” BUT “WHEN”
A Look Into the Importance of Cyber Resilience and Incident Response for Financial Institutions

Page 2

ABOUT THE SPEAKER

• Tom Neclerio, VP of Cyber Consulting Services

• 18 Years Providing Consulting to Regulated Industries

• Advised over 1000 FIs on security/regulatory compliance

• Trainer/speaker to the FFIEC agencies on Security

• Former CISO of SilverSky; developed internal controls

• PCI Qualified Security Assessor to large banks, service providers, and merchants

Page 3

CYBER PROFESSIONAL SERVICES SUMMARY

Cyber Advisory Services
• Full range of consulting services for information security
• Review entire security programs or components thereof
• Assess against industry standards/best practices
• Perform risk assessments, compliance review, gap analysis
• Create an improvement plan, provide implementation

Cyber Technical Services
• Technically focused “intelligence led” security testing and assessments
• Programs where we “think like an adversary”
• Cyber Exposure Profiling, Security Testing
• Targeted Attack Resistance / Red Teaming
• Security architecture and controls assessment and improvement

Cyber Incident Response Services
• Complete coverage for the 3 crucial areas of incident response: Planning, Preparing, and Responding
• Assessments and Incident Response Plan development
• Incident Readiness exercises
• Enterprise Incident Response and Management services

Page 4

AGENDA

1. The Financial Threat Landscape
2. Case Study: Lessons Learned From Real Attacks
3. FFIEC Cyber Resilience Guidance
4. How to be Prepared


Page 6

TARGET OF ATTACKS

Page 7

RETAIL AND FINANCIAL: TOP TARGETS AGAIN

• Retail and Financial Continue to be Top Targets
• Organized Crime w/ focus on monetary gain
• Financial: Malware/Web Banking Application
• Retail: POS Terminals

Page 8

THE TARGET

TOXIC DATA
Commoditized information you are compelled to protect by regulation, statute or contract.
Examples:
• Customer PII
• Electronic protected health information (ePHI)
• Credit card numbers
• Account Numbers
Loss value determined by criminals (de facto) and regulators (de jure).

SECRETS
Sensitive intellectual property whose disclosure would cause strategic harm.
Examples:
• Trade secrets
• Strategic plans
• Sales forecasts
• Company financials
Loss value is intrinsic, tangible or incalculable (reputation).

Page 9

CYBERCRIME IN FINANCIAL SERVICES INDUSTRY

Two Categories made up approx. 70% of Financial Breaches

Crimeware – Classified into two types
• Backdoor: Maintaining persistence and staging advanced attacks
• Data Stealing: Capturing and data exfiltration

Web App Attacks
• Compromised individual customer accounts
• Hacked website or database

Page 10

PHISHING STATISTICS

• For the last two years, more than two-thirds of incidents reported have featured phishing
• 23% of recipients now open phishing messages
• 90% success rate on a phishing campaign of 10 or more emails
• 11% click attachments
• 50% open e-mails and click on phishing links within the first hour

Page 11

CRIMEWARE

• Bank Records and Credentials are by far the most targeted data (approx. 90%)

• Opportunistic and financially motivated to establish long term foothold in network

• Less likely to be forensically discovered if not detected early

• Usually starts with a Phishing campaign

Page 12

ATTACK DIFFICULTY

Attack difficulty (share shown on the slide):
• High: 0.2%
• Medium: 22.7%
• Low: 67.3%
• Very Low: 9.8%

Page 13

DISCOVERY TIMEFRAME

80 DAYS TO DISCOVER MALICIOUS BREACHES
123 DAYS TO RESOLVE MALICIOUS BREACHES
3.9x HIGHER COST OF CYBER CRIME IF UNDERPROTECTED

Page 14

LESSONS LEARNED SO FAR

• Retail and Financial verticals are the top targets of attack

• Financial Institutions are HIGH VALUE targets for Cyber Crime

• Organized & Funded Criminal Gangs are behind FI Attacks

• 70% of FI breach types are Crimeware and Web Applications

• Phishing is often used to carry out initial hacks

• Phishing is highly successful with a small detection window

• Credentials and backdoor malware are top modes of entry

• Large timeframes exist from initial compromise to discovery

• Criminals are increasingly exploiting third party vendors

Page 15

AGENDA

1. The Financial Threat Landscape
2. 2014 Data Breaches – Lessons Learned
3. FFIEC Cyber Resilience Guidance
4. How to be Prepared

Page 16

CASE STUDY 1: 2014 MAJOR ATTACKS

• Third Party Stolen Credentials
• Third Party Vendor Breach
• Remote Access Hack

Page 17

CASE STUDY 2: SMALL NORTHEAST CREDIT UNION

• Infected with Cryptolocker Ransomware Trojan
• Most likely source a phishing email attachment.
• Critical systems infected through multiple attacks.
• BOD personal computers infected
• Multiple rebuilding of systems, reputational damage, lost productivity

Page 18

CASE STUDY 3: MEDIUM CU NORTHEAST

• BAE/SilverSky SOC noticed suspicious activity outbound to several known C&C services in Ukraine
• Large volumes of traffic were originating outbound to the C&C servers from several computers in the CU environment.
• CU employees were the target of a phishing campaign with malware attachments. Over 50% of employees opened the emails and attachments.
• Volume of outbound activity from the malware ground the network to a halt.
• SOC was able to block all outbound traffic to the C&C servers while the IR team was deployed to help clean the network of the malware infestation.
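As an added example (not part of the deck and not BAE/SilverSky tooling), a small Python triage script applies the detection the SOC relied on here: outbound destinations in firewall log lines are matched against a known-C&C list, outbound volume is totalled per internal host, and the result is ordered into what to block at the egress and which hosts to isolate and clean. The log format, the indicator list (RFC 5737 documentation addresses as placeholders), the sample log lines and the escalation thresholds are all constructed assumptions.

```python
"""Egress triage for the outbound C&C pattern in Case Study 3 (added example,
not from the deck). Constructed firewall log lines are matched against a
constructed known-C&C list; outbound volume is totalled per host and per
destination so the SOC can decide what to block and which hosts to clean."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed indicator list: RFC 5737 documentation addresses stand in for
# the C&C addresses a real threat-intel feed would supply.
KNOWN_C2 = {"203.0.113.10", "203.0.113.45", "198.51.100.7"}

# Constructed log lines, "<timestamp> <src_ip> <dst_ip> <bytes_out>".
# 192.0.2.80 is a benign destination; the last line is deliberately malformed.
SAMPLE_LOGS = """\
2015-03-02T09:01:12 10.20.1.15 203.0.113.10 524288
2015-03-02T09:01:13 10.20.1.15 203.0.113.10 1048576
2015-03-02T09:01:20 10.20.1.22 198.51.100.7 2097152
2015-03-02T09:02:05 10.20.1.31 203.0.113.45 786432
2015-03-02T09:02:09 10.20.1.40 192.0.2.80 4096
2015-03-02T09:02:30 10.20.1.15 198.51.100.7 3145728
2015-03-02T09:03:00 10.20.1.22 203.0.113.10 1572864
truncated line with no byte count
"""

@dataclass
class Finding:
    hosts: dict         # internal src -> bytes sent to indicator destinations
    destinations: dict  # indicator dst -> bytes received from this network
    total_bytes: int

    def should_escalate(self, min_hosts=2, min_bytes=1024 * 1024):
        # Assumed thresholds: several talking hosts plus at least 1 MiB out
        # distinguishes a network-wide infestation from a single stray hit.
        return len(self.hosts) >= min_hosts and self.total_bytes >= min_bytes

def parse_line(line):
    """Split one log line; raises ValueError on bad field count, IP or count."""
    _ts, src, dst, nbytes = line.split()
    ipaddress.ip_address(src)
    ipaddress.ip_address(dst)
    return src, dst, int(nbytes)

def triage(log_text, indicators=KNOWN_C2):
    """Total outbound bytes to known-C&C destinations per host and destination."""
    hosts, dests = defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        try:
            src, dst, nbytes = parse_line(line)
        except ValueError:
            continue  # skip blank or malformed lines rather than abort triage
        if dst in indicators:
            hosts[src] += nbytes
            dests[dst] += nbytes
    return Finding(dict(hosts), dict(dests), sum(hosts.values()))

def containment_plan(finding):
    """Order containment by volume: busiest C&C destinations to block at the
    egress first, noisiest internal hosts to isolate and clean first."""
    def by_bytes(counts):
        return [k for k, _ in sorted(counts.items(), key=lambda kv: -kv[1])]
    return {"block_destinations": by_bytes(finding.destinations),
            "isolate_hosts": by_bytes(finding.hosts)}

if __name__ == "__main__":
    f = triage(SAMPLE_LOGS)
    print(f"{len(f.hosts)} hosts sent {f.total_bytes} bytes to known C&C; "
          f"escalate={f.should_escalate()}")
    print(containment_plan(f))
```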

Page 19

AGENDA

1. The Financial Threat Landscape
2. Case Study: Lessons Learned From Real Attacks
3. FFIEC Cyber Resilience Guidance
4. How to be Prepared

Page 20

REGULATION: EXECUTIVE ORDER 13636

Definition of Critical Infrastructure:
• Systems/assets so vital to the US that the incapacity or destruction of such systems/assets would have a debilitating impact on security, national economy, national public health or safety, or any combination thereof

Executive Order 13636 (2/2013):
• The Cyber threat to critical infrastructure…represents one of the most serious national security challenges… to the national and economic security of the US.
• Goal - Enhance the security and resilience of the nation’s critical infrastructure

Page 21

FFIEC CYBER SECURITY ASSESSMENTS

• NIST to lead the development of a framework to reduce cyber risk to critical infrastructure (the “Cybersecurity Framework”)

Framework functions:
• Identify – Measure Risk and Develop a program
• Protect – Implement controls to mitigate risk
• Detect – Implement process to detect events
• Respond – The Ability to respond/communicate
• Recover – The Ability to recover and improve

Page 22

FFIEC CYBER SECURITY ASSESSMENTS

• Summer of 2014, FFIEC piloted new cyber security assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cyber risks
• Integrated into regular IT Examination process:
  • Cyber Risk Management (IDENTIFY)
  • Cyber Security Controls (PROTECT/DETECT)
  • Threat Intelligence and Collaboration (DETECT)
  • Cyber Resilience (RESPOND/RECOVER)
  • External Dependency Management (VENDOR MGMT)

Timeline: Executive Order 13636 – 2/2013; FFIEC Cyber Assessments – 6/2014

Page 23

FFIEC CYBER SECURITY ASSESSMENTS

OBSERVATIONS AND RECOMMENDATIONS

Cyber Risk Management

• Set a “tone from the top”

• BOD and management discussions

• Ongoing employee training/testing including Social Engineering

• Include BOD in training

Cyber Security Controls

• Deploy preventive, detective, and corrective procedures

• Patching, encryption, limit user access

• Intrusion detection/prevention, firewall alerting

• Formal audit program with regular findings

Cyber Resilience

• Formal Incident response programs

• Includes key phases of prepare, test and recover

• Senior management and board incident reporting

• Increase Information Sharing (FS-ISAC)

Page 24

FFIEC CYBER-RESILIENCE GUIDELINES

FFIEC added an appendix to its Business Continuity Booklet: "Strengthening the Resilience of Outsourced Technology Services"

Cyber-Resilience – an organization's ability to withstand and recover from a cyber attack by minimizing the disruption or impact that attack has on its ability to conduct business

Term was added to illustrate the changing threats and vulnerabilities financial institutions face

Timeline: Executive Order 13636 – 2/2013; FFIEC Cyber Assessments – 6/2014; FFIEC Cyber Resilience – 3/2015

Page 25

FFIEC CYBER-RESILIENCE GUIDELINES

Incident Response

Financial institutions and their service providers should anticipate potential cyber incidents and develop a framework to respond to these incidents.

The financial institution and its TSPs should periodically update and test their incident response plan to ensure that it functions as intended, given the rapidly changing threat landscape.

The financial institution and TSP should consider identifying and making advance arrangements for third-party forensic and incident management services.

Page 26

NIST FRAMEWORK AND INCIDENT RESPONSE

Framework functions: Identify, Protect, Detect, Respond, Recover

• Most FIs have large gaps in their ability to respond to and recover from events
• IR Today is what DR was in 2011
• Most FIs have a DR plan but are missing any IR process
• In a recent study of financial institutions, 83% were not prepared to handle an incident

Page 27

THE FUTURE OF FFIEC EXAMINATIONS (WHAT TO EXPECT)

Increased Board and C-Suite Involvement

Participation in information-sharing group(s)

Reviews of incident preparedness and response process

Cyber security scenario testing w/ employees and BOD

Increased oversight of third party service providers

Page 28

AGENDA

1. The Financial Threat Landscape
2. Case Study: Lessons Learned From Real Attacks
3. FFIEC Cyber Resilience Guidance
4. How to be Prepared

Page 29

NOT “IF”…BUT “WHEN”?

Page 30

8 GOALS OF INCIDENT RESPONSE

1. Verify that an incident occurred
2. Maintain or Restore Business Continuity
3. Reduce the incident impact
4. Determine the root cause of the incident
5. Prevent future attacks or incidents
6. Improve security and incident response
7. Prosecute illegal activity
8. Keep key stakeholders informed of the situation

Page 31

SIX STEPS OF INCIDENT RESPONSE

1. Preparation
2. Identification and Scoping
3. Response and Containment
4. Eradication and Remediation
5. Recovery
6. Review and Update

Throughout the cycle: Practice, Train, Test

Page 32

PREPARATION

Page 33

DEVELOPING AN INCIDENT RESPONSE PLAN

A comprehensive Incident Response plan should:

• Assess the nature and severity of the event

• Identify the potential impact of the event

• Establish roles and responsibilities

• Establish lines of communications regarding the event

• Help you identify response team(s) to handle the event

• Act as a launching point to initiate other plans (DR/BCP, Evacuation, etc.)

Page 34

IDENTIFICATION AND SCOPING

Page 35

INCIDENTS COME IN ALL SHAPES AND SIZES

• Confidentiality – Employee emails confidential data file to the wrong person; Loss of information confidentiality (data theft)
• Integrity – A file is detected to have unauthorized changes
• Theft – An employee’s work computer is stolen from their house
• Physical – A computer hard drive is destroyed in a fire
• Availability – An attack on the FI’s ebanking application leaves it unavailable for 24 hours; Misuse of services, information, or assets
• Malware – A system containing customer information is infected with crimeware
• Hack – An unauthorized criminal gains access to the internal network and systems

Page 36

INCIDENT INDICATORS

• Tip-off from CERT
• Customer complaints
• Targeted phishing email
• Systems off-line
• Email with demands
• Alerts from monitoring tools
• Unexplained transaction
• Assumed insider
• Account lockouts
• Website defacement
• Data leaked on Internet

Threat types shown alongside the indicators:
• Cyber espionage
• Cyber-enabled Fraud
• Insider
• Cyber extortion
• Hacktivist

Page 37

RESPONSE, REMEDIATION, RECOVERY

Page 38

INCIDENT RESPONSE PRINCIPLES

Integrate with the business
Communication through every department. Everyone knows how to report incidents in a timely manner.

Maximize your preparation
The first time you are seeing the event should not be in a real scenario.

Keep pace with threats
The groups behind cyber attacks are constantly evolving, so incident response procedures need to be regularly reviewed and updated.

Don’t make things worse, avoid:
• Alarming stakeholders
• Being noticed by the attacker
• Causing further disruption

Right first time
Minimize the chance for mistakes by using common protocols, scenario-based procedures, templates, and checklists.

Confirm remediation success
It’s critical to confirm that remediation has been successful and has met agreed criteria.

Page 39

REVIEW AND UPDATE

Page 40

REVIEW AND MAINTENANCE

Post Incident Reviews
• Should be performed after any incident
• Any lessons learned should be discussed
• Plan improvements should be documented and incorporated into the next plan revision

Plan Update Reviews
• Plan owners should schedule periodic reviews to ensure that the document is up to date, and any improvements to ensure that the plan remains relevant (e.g., audits) should also be scheduled

Page 41

MAINTENANCE: PRACTICE, TRAIN, TEST!

Page 42

WHY PRACTICE YOUR PLAN?

Plan Testing
Critical to ensure that the Incident Response Plan is current and ready.

Periodic testing is advised to validate:
1. The steps in the plan are relevant
2. Team members are properly trained
3. Team members understand their roles and responsibilities
4. That all the participants, including senior management, can work together effectively under pressure
5. That there is a reduced risk of a counterproductive response during the incident
6. Involve any outsourced first responders in testing

Page 43

TYPES OF INCIDENT TESTING

GROUP WALK THROUGH
Periodic reviews to ensure that the document is up to date and any improvements to ensure that the plan remains relevant (e.g. audits) should also be scheduled.

TABLE TOP TESTS
Key plan stakeholders gather to discuss a given scenario or simulated event. Focus on how the group would respond to the event as the scenario develops.

WAR GAMES
Usually performed in conjunction with a penetration test or other simulated hacking event. Real-life testing to determine how teams respond to realistic scenarios.

Page 44

SIX STEPS OF INCIDENT RESPONSE

1. Preparation
2. Identification and Scoping
3. Response and Containment
4. Eradication and Remediation
5. Recovery
6. Review and Update

Throughout the cycle: Practice, Train, Test

Page 45

QUESTIONS?

Tom Neclerio
Vice President Cyber Consulting
BAE Systems Applied Intelligence

M: +1 954.873.6823 E: [email protected]