
APT in the Financial Sector


Page 1: APT in the Financial Sector

APT1 IN THE FINANCIAL SECTOR

ONDREJ KREHEL

Page 2: APT in the Financial Sector

ONDREJ KREHEL

CISSP, CEH, CEI

MANAGING DIRECTOR

LIFARS LLC

Twitter: @LIFARSLLC

Page 3: APT in the Financial Sector

Digital Firefighter

Page 4: APT in the Financial Sector

Talk Agenda

1 Introduction

2 Today’s APT Threat Landscape

3 Attacks and Stories

4 Questions & Answers

Page 5: APT in the Financial Sector

"There are only two types of companies in the world: the ones that have been hacked, and those that will be."

- FBI Director Robert Mueller

Page 6: APT in the Financial Sector

If you had to bet $100 on someone to protect your private data, who would it be?

Page 7: APT in the Financial Sector

I hope you weren’t thinking of betting on any of these …

Page 8: APT in the Financial Sector

DATA BREACH

Page 9: APT in the Financial Sector

Total cost of cybercrime is on the rise across the globe.

Total cost of cybercrime in seven countries, in millions of US dollars. Based on results collected from 257 companies. No info on Russia in FY 2013.

Country           FY 2013    FY 2014
Russia            n/a        $3.33
Australia         $3.67      $3.99
United Kingdom    $4.72      $5.93
France            $5.19      $6.38
Japan             $6.73      $6.91
Germany           $7.56      $8.13
United States     $11.56     $12.69

Data from the 2014 Global Report on the Cost of Cyber Crime by the Ponemon Institute

Page 10: APT in the Financial Sector

How often cybersecurity crosses one’s mind…

Page 11: APT in the Financial Sector

THE CYBER EVENT HORIZON

Page 12: APT in the Financial Sector

The types of attacks companies face.

Types of cyberattacks experienced, as the percentage of companies that experienced each attack type. Based on results collected from 257 companies.

Viruses, Worms, Trojans    98%
Malware                    97%
Botnets                    59%
Web-based Attacks          58%
Phishing & SE              52%
Malicious Code             51%
Denial of Service          49%
Stolen Devices             49%
Malicious Insiders         35%

Data from the 2014 Global Report on the Cost of Cyber Crime by the Ponemon Institute

Page 13: APT in the Financial Sector

The black market price of your data

Page 14: APT in the Financial Sector

The usual APT suspects

Page 15: APT in the Financial Sector

Getting from point A to point B is only a click away. So is the danger.

Page 16: APT in the Financial Sector

Alarming Advanced Persistent Threat survey results

"In the past year, has your organization experienced a security incident as a result of advanced threat or advanced persistent threat (APT)?"

YES: 22%
NO: 69%
DON'T KNOW: 9%

Data from the Palo Alto Networks APT Report 2014

Page 17: APT in the Financial Sector

What is APT?

Advanced Persistent Threat

Advanced: the attacker is advanced, not the attack

Persistent: the attacker won’t give up after a failure

Threat: the attacker has a particular target

Page 18: APT in the Financial Sector

What are the typical entry points of an APT attack?

The human itself
• Social engineering
• Phishing & whaling emails
• Message with malicious
  - URL
  - Attachment
• Malicious web pages
  - Drive-by download of malicious code
• Free stuff (USB keys, software, music, movies)

Vulnerability of the client machine
• Message with malicious content
• Malicious web pages
  - Redirection to malicious code/exploit

Vulnerable public-facing service

Page 19: APT in the Financial Sector

What are the typical attack goals?

Information
• Blueprints
• Research
• Financial information
• Plans, contracts
• Classified information
• PII

Control of systems
• SCADA / PLC
  - Critical information providers
  - Vendors of technology
  - Research and development facilities

Disruption of services
• Critical infrastructure
• Competitor’s services

Page 20: APT in the Financial Sector

Important facts about APT attacks

An APT attack is typically discovered only after 6-9 months.

Exploitation of vulnerabilities
• not known (zero-days)
• not considered a threat (social engineering, physical access, employees)

APTs do not produce immediate losses
• The loss is not visible at the moment of compromise

“The fact that you have not discovered a breach does not mean that you are not compromised.”

Page 21: APT in the Financial Sector

Principles of defense

Least privilege for the most specific people
• Assign only the necessary privileges, and only to those who need them

Divide et impera
• Classify every piece of information properly
• Know who is (and who can be) the owner, consumer, and holder of the information
• Know where and how it can be stored, processed, and used

Defense in Depth
• Multiple layers of security

Four-eyes principle
• Every possible attack vector should be addressed by at least two different controls
• At least one should be technical
• At least one should include human supervision

Page 22: APT in the Financial Sector

Technical controls

Defense of known perimeters

Malicious code protection

Network behavioral analysis

Intrusion protection

Internal network defense

Hardening of systems

Data Loss Prevention

Page 23: APT in the Financial Sector

Known high-profile APTs

Ghostnet (2009)
• 103 countries, cyber espionage

Aurora (2009)
• High-tech, security and defense companies
• Modification of source code, cyber espionage

Stuxnet (2010)
• Iran, nuclear devices

Aramco (2012)
• Kingdom of Saudi Arabia
• 30 000 workstations and servers compromised

Page 24: APT in the Financial Sector

James Bond of yesterday…

Page 25: APT in the Financial Sector

…Meet the James Bond of today!

Page 26: APT in the Financial Sector

The APT Lifecycle

Page 27: APT in the Financial Sector

When breached, follow these three steps…

Page 28: APT in the Financial Sector

Step 0 - UPDATE YOUR RESUME

Step 1 - CONFIRM INCIDENT

Step 2 - PROVIDE RESPONSE

Step 3 - IMPROVE

Page 29: APT in the Financial Sector

NO ONE SAID IT WOULD BE EASY

Page 30: APT in the Financial Sector

Cybersecurity Casino

Welcome to the cybersecurity casino! (Whether you like it or not)

Page 31: APT in the Financial Sector

SIDE NOTE

"To shun this approach is to meddle with the primary forces of the Internet, Mr. Beale. The hackers won’t have it. They’ll take millions out of your business and put nothing back in. It is ebb and flow, tidal gravity. It is the new cyber ecological balance."

- movie Network, 1976

Page 32: APT in the Financial Sector

Q&A

PART FOUR

Page 33: APT in the Financial Sector

THANK YOU!