
2015 05-19-honeynet-stavanger-til-publisering


SINTEF ICT

The Honeynet Project Workshop 2015

Marie Moe, Ph.D., Researcher at SINTEF

Incident handling of cyber espionage

Agenda

• Threats and trends
• Case studies with examples from real incidents
• Incident handling

About me

§ Research scientist at SINTEF
§ Associate Professor II at HiG (20%)
§ MSc in Mathematics
§ PhD in Information Security
§ GIAC certified Incident Handler
§ Previously working for NSM NorCERT

PHOTO: ROBERT MCPHERSON, Aftenposten

[Figure: threat landscape. Motives shown: espionage, sabotage, financial crime, pranks, crisis/war, political protests. Targets span from society in general to national security; actors span from chaotic actors to Advanced Persistent Threats.]

Espionage trends

• Modern espionage is most effectively conducted through network operations
• Significant amounts of information stolen
• Russia and China are the most active nation states behind network operations against Norway

Source: https://forsvaret.no/ForsvaretDocuments/FOKUS2015-endelig.pdf

How do they compromise our systems?

• Spear phishing
  – Often contains predictable elements
  – Targeting information often available online
• Watering hole / strategic web compromise
  – User profiling and whitelisting of targets
  – Harder to detect and more difficult to handle than spear phishing
• Credentials harvesting
  – Using compromised accounts for new spear phishing
  – Direct access to mail and systems without leaving traces
• Known vulnerabilities
  – Zero-days may be used against high priority targets
• Physical delivery rarely used

Case  A:  Industrial  espionage

https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf

• NorCERT was contacted by a company that discovered that they were compromised
• Detected at the exfiltration stage
  – Data ready for exfil was filling up the disk on the Exchange server!
  – Large files that appeared to be image files (.jpg), but these were in fact password-protected RAR files
  – The exfiltration was carried out via HTTP GET requests
• NorCERT coordinated incident response with the victim and performed forensic analysis
  – The initial attack vector was found to be a vulnerability in ColdFusion which gave the attackers the ability to upload a "China Chopper" webshell
  – The password for the RAR files was eventually found, and the company could get a clear idea of the amount of intellectual property that was lost.
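The staging trick in Case A (RAR archives named *.jpg on the Exchange server) is cheap to hunt for once you stop trusting file names. The sweep below is an added example for this talk, not NorCERT's or SINTEF's tooling: it walks a directory tree, reads the first bytes of every file whose extension claims to be an image, and reports the ones whose header is actually an archive signature. The sample files, the directory layout and the "large" threshold are constructed for the illustration; tune the threshold to what a real photo looks like in your environment.

```python
"""Flag staged archives that hide behind image extensions (Case A).

Added example for the Case A narrative; it is not NorCERT's or SINTEF's
tooling. A file name is attacker-controlled, the leading bytes ("magic")
are not, so comparing the two surfaces the staging area before the data
leaves. The sample files written by build_samples() are constructed.
"""
import os
import tempfile
from pathlib import Path

# Leading bytes of container formats attackers commonly use to stage data.
ARCHIVE_MAGIC = {
    b"Rar!\x1a\x07\x00": "RAR4",
    b"Rar!\x1a\x07\x01\x00": "RAR5",
    b"PK\x03\x04": "ZIP",
    b"7z\xbc\xaf\x27\x1c": "7-Zip",
}
# Leading bytes of the image formats the extensions below would imply.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"GIF87a": "GIF",
    b"GIF89a": "GIF",
}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def identify(header: bytes) -> str:
    """Classify a file by its first bytes, ignoring its name entirely."""
    for table in (ARCHIVE_MAGIC, IMAGE_MAGIC):
        for magic, name in table.items():
            if header.startswith(magic):
                return name
    return "unknown"


def scan_for_disguised_archives(root, large_bytes=50 * 1024 * 1024):
    """Return files under `root` whose name says image but whose bytes say archive.

    `large_bytes` (assumed threshold) marks findings big enough to be bulk
    exfil staging rather than a stray mislabelled file.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = Path(dirpath) / fn
            if path.suffix.lower() not in IMAGE_EXTENSIONS:
                continue  # the name does not claim to be an image
            with open(path, "rb") as fh:
                kind = identify(fh.read(16))
            if kind in ARCHIVE_MAGIC.values():
                size = path.stat().st_size
                findings.append({
                    "path": str(path.relative_to(root)),
                    "format": kind,
                    "size": size,
                    "large": size >= large_bytes,
                })
    return sorted(findings, key=lambda f: f["path"])


def build_samples(root):
    """Write constructed sample files: two disguised archives, one real JPEG,
    and one archive with an honest extension (not an image name, so not reported)."""
    root = Path(root)
    (root / "Staging").mkdir()
    # RAR4 signature padded to 1 MiB: looks like a photo in a directory listing
    (root / "Staging" / "IMG_0042.jpg").write_bytes(
        b"Rar!\x1a\x07\x00" + b"\0" * (1024 * 1024 - 7))
    (root / "banner.png").write_bytes(b"PK\x03\x04" + b"\0" * 60)
    (root / "logo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\0" * 60)
    (root / "backup.rar").write_bytes(b"Rar!\x1a\x07\x00" + b"\0" * 60)


def demo(large_bytes=1024 * 1024):
    """Build the samples in a scratch directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return scan_for_disguised_archives(tmp, large_bytes=large_bytes)


if __name__ == "__main__":
    for f in demo():
        flag = "LARGE " if f["large"] else ""
        print(f"{f['path']}: {f['format']} {flag}({f['size']} bytes)")
```

Run the sweep against the web root, the mail server's data volume and any world-writable share; a password-protected archive will not reveal its contents, but its signature, size and modification time are enough to scope how much was staged and when.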

Case B: Spear phishing against the energy sector

http://www.scmagazineuk.com/hundreds-of-norwegian-energy-companies-hit-by-cyber-attacks/article/368539/

Case C: APT C&C proxy server in Norway

http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

HTRAN report (Aug. 2011)

http://www.secureworks.com/research/threats/htran

Incident handling of cyber espionage

• Know your assets!
• Common reaction to incidents:
  "We don't have anything of value"
  "We don't understand why this happened to us"

The incident response lifecycle

[Figure: incident response life cycle, NIST SP 800-61, Revision 2]

Preparation

IT Operations/maintenance
• Clear understanding of network and systems
• Access control and segmentation
• Quick updating and patching
• What about cloud services? Are you in control?

IT Security
• Control and monitor network traffic
• Detection team that looks for intruders and abnormalities
• Threat intelligence

Contingency planning
• Clear areas of responsibility
• Escalation routines, contact information
• Guidelines for incident handling
• The contingency plan should be rehearsed!

Detection and Analysis

Your IDS needs to be constantly updated with the latest threat intel!

Logging enables detection and scoping of an incident!

• Traffic logs
  – Web traffic logs
  – Proxy logs w/ SSL inspection
  – Netflow
  – DNS logging / passive DNS
  – Web access logs on your own web servers
• Authentication logs
• Administration logs
• Security logs
• E-mail logs
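"Web access logs on your own web servers" is the log source that would have scoped Case A: the staged RAR files were pulled off the server with plain HTTP GET requests for URLs ending in .jpg, and no photo on a corporate site is 50 MB. The script below is an added example, not code from the talk or from NorCERT. It parses Combined Log Format lines, keeps successful GETs for image-named URIs whose response size is implausible for an image, and sums the bytes per client address so you can answer the two questions the victim asks first: how much left, and to where. The log lines are constructed and the 5 MB threshold is an assumption; set it from what your site actually serves.

```python
"""Spot bulk exfil over HTTP GET in a web server's own access log.

Added example tied to the logging list above and to Case A; it is not
code from the talk or from NorCERT. The log lines are constructed in
Combined Log Format; the size threshold is an assumption.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")

# Constructed sample: two ~50 MB "photos" fetched by one client at 02:00,
# plus ordinary daytime browsing (including a 404) from another client.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2015:02:13:44 +0200] "GET /images/IMG_0042.jpg HTTP/1.1" 200 52428800 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [12/May/2015:02:15:01 +0200] "GET /images/IMG_0043.jpg HTTP/1.1" 200 48013312 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.20 - - [12/May/2015:08:01:10 +0200] "GET /images/logo.jpg HTTP/1.1" 200 18234 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/37.0"
198.51.100.20 - - [12/May/2015:08:01:11 +0200] "GET /index.cfm HTTP/1.1" 200 7321 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/37.0"
198.51.100.20 - - [12/May/2015:08:01:12 +0200] "GET /images/missing.jpg HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/37.0"
"""


def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if malformed."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["status"] = int(rec["status"])
    return rec


def oversized_image_downloads(lines, min_bytes=5 * 1024 * 1024):
    """Successful GETs for an image-named URI with a response of at least min_bytes."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: count it elsewhere, do not crash the hunt
        path = rec["uri"].split("?", 1)[0].lower()  # ignore query strings
        if (rec["method"] == "GET" and rec["status"] == 200
                and path.endswith(IMAGE_EXTENSIONS) and rec["bytes"] >= min_bytes):
            hits.append(rec)
    return hits


def bytes_per_client(hits):
    """Sum the suspicious bytes per source address: the scoping number
    the victim wants (how much left, and to where)."""
    totals = defaultdict(int)
    for rec in hits:
        totals[rec["ip"]] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    found = oversized_image_downloads(SAMPLE_LOG.splitlines())
    for rec in found:
        print(f"{rec['ts']} {rec['ip']} GET {rec['uri']} {rec['bytes']} bytes")
    for ip, total in bytes_per_client(found).items():
        print(f"{ip}: {total / 1024 / 1024:.1f} MB pulled as 'images'")
```

The same parser feeds the other checks worth running on a suspected webshell host, such as POST requests to script pages from addresses that never loaded a normal page; keep the raw logs off the compromised box and under hash before analysis, since the attacker has write access to it.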

Containment, Eradication and Recovery

You detected or got informed that you have been a victim of cyber espionage...

What to do now? Selection of strategy:
• Protect and forget
• Watchful waiting, possible honeypot operation?

Clean up after compromise

• Plan and execute clean-ups in a controlled fashion!
  – Hire an MSSP if you lack the necessary know-how
• Establish necessary logging and monitoring/IDS
• Isolate compromised systems from the network
• Secure memory dump and disk image of compromised systems
• Reinstall from clean backups
• Change all passwords!
• Evaluation of the incident handling
  – Identification of lessons learned
  – Update contingency plans
  – Case studies are very useful for training

The "Cyber Kill Chain"

• Lockheed Martin: 7 stages/states of an "APT-style" incident
• If the attacker fails in one of the stages the compromise will not succeed!
• Detection and response should be implemented for each stage
  – What can the organization handle themselves?
  – Where is collaboration or outsourcing required?
  – Risks and costs increase for each stage
  – Timeline: hours or days from successful exploitation

http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

Recon → Weaponize → Deliver → Exploit → Install → C2 → Action

Guidelines for incident handling

• NSM has published a guide for incident handling of cyber espionage
  – Can be downloaded at https://www.nsm.stat.no/globalassets/dokumenter/temahefter/apt_2014.pdf (only in Norwegian)
• Overview of logging that should be in place
• What information to submit to NorCERT if you want their assistance

Thank you!

[email protected]

@MarieGMoe
@SINTEF_Infosec