Rich Baich Principal March 22, 2012

Transcription

1 Cyber espionage The harsh reality of advanced security threats Rich Baich Principal March 22, 2012

2 Agenda Introductions Threat landscape update How organizations are responding Other discussion topics 1 Cyber espionage: The harsh reality of advanced security threats

3 Threat landscape update

4 The changing threat landscape The cybercrime landscape has evolved into a set of highly specialized criminal products and services that are able to target specific organizations, regions, and customer profiles by using a sophisticated set of malware exploits and anonymization systems which routinely evade present-day security controls. 3 Cyber espionage: The harsh reality of advanced security threats

5 The cyber underground economy An entire underground economy has been built for the purpose of stealing, packaging, and reselling electronic information. Cyber criminals have expanded their reach into other forms of information theft and are now selling access to private networks. Compromise Acquire Enrich and validate Sell Monetize Stolen Data Drop Sites Payment Gateways ecommerce Sites emoney On-Line Gambling Phishing Spammer Botnet Service Keyloggers Botnet Owner Data Validation Service Instant Messaging Carding Forums Bank Retailers Wire Transfer Drop Service Malware Distribution Service Data Acquisition Service Data Mining & Enrichment Data Sales Cashing Malware Authors Identity Collectors Credit Card Cashers Cyber Criminals Key: Malicious Code Related Roles Underground Services Criminal Communications 3 rd Party Enablers 4 Cyber espionage: The harsh reality of advanced security threats

6 An overview of Advanced Persistent Threats Advanced Persistent Threats (APTs) are modern, automated versions of traditional espionage. Goals Targets Brand damage Corporate espionage Military advantage Revenge Actors Domestic competitors Foreign competitors Foreign governments Hacktivist groups Rogue nations Board members IT administrators Key executives Privileged users Supply chain Support staff Tools Custom malware Packet capture tools Satellite imaging Targeted exploit tools Wireless surveillance 1. Target selection and research Horizontal exploitation opportunities Internet search engines Social networking sites Underground repositories Vertical and geographic exploitation targets 3. Maintaining access Command and control infrastructure Covert network tunnels Wireless surveillance 2. Exploitation and infiltration Distributing specialized malware Embedding field agents Social engineering Spear phishing System vulnerability exploitation 4. Exfiltration Encrypted outbound transmissions Hardware and software key loggers Rogue devices performing network packet captures 5 Cyber espionage: The harsh reality of advanced security threats

7 How are adversaries planning and carrying out attacks? Cyber adversaries, such as Hacktivists, collect open source intelligence in order to generate schemes and methodologies for carrying out well-planned attacks to achieve their tactical and strategic goals. Attack sequence Goals Denial of service Open source intelligence collection Intelligence analysis and review Attack planning and target selection Attack execution Social or Political Change Peer to peer networks Search engines Social networking Job sites Vulnerabilities System information Supply chain data Credentials Privileged users Available exploits Target information Target systems Target employees Anonymization Obfuscation Schedule Customer lists Control systems System and network access Patents and research Personal identity information Targets A cyber threat profile represents how cyber criminals perceive an organization. Financial data Intellectual property On-line credentials Protected health information Secret formulas System access 6 Cyber espionage: The harsh reality of advanced security threats

8 Tools and techniques Selecting and profiling targets Hacktivists are taking advantage of public open source intelligence found on the Internet to select specific people of interest to target. Roles and duties addresses User IDs Organizations Physical addresses Contact information Person of Interest Relationships Personal web sites Telephone numbers IP addresses Social network profiles Devices 7 Cyber espionage: The harsh reality of advanced security threats

9 Understanding the current threat landscape A review of recent breaches and developments in the cyber underground have identified several threat focus areas that require additional diligence and vigilance. Spear phishing Mobile malware Targeted exploits Zero day exploits Privileged users Mobile devices Supply chain Un-remediated vulnerabilities Board members Executives Personal Corporate Technology Data processing Services and applications Personal computers Key questions 1. What is leaving our network and where is it going? 3. Do we know what s running on our computers? 2. Who is really logging into our network and from where? 4. What information are we making available to a cyber adversar 8 Cyber espionage: The harsh reality of advanced security threats

10 How organizations are responding

11 The old approach for information security Reactive Perimeter security focus Information silos Signature based controls Inward facing Too many alerts Too much data Organization silos Resource constrained Manual analysis Threat Security Investigation isolated and Remediation incident reported contained Root cause analysis Security incidents are typically reported to an information security organization through a variety of different channels including other departments, external vendors, law enforcement, media outlets, and the public. Investigations typically take a considerable amount of time and often are plagued with missing or lost information that could have assisted significantly with understanding what happened Quickly finding and containing compromised devices can be very challenging in large distributed network environments. This process can often involve dispatching resources on-site to locate devices of interest. Remediation often involves having to reimage devices, which can take long period of times and also result in lost data and negative impacts to employee productivity. Root cause analysis often involves collecting and analyzing logs from multiple internal sources. In some cases, the true root cause is not determined due to a lack of consistent logging or missing cyber intelligence 10 Cyber espionage: The harsh reality of advanced security threats

12 Current cyber security challenges Our experience with our clients highlights the following challenges which organizations need to address: Current signature-based information security controls are not effective against sophisticated, evolving cyber threats and exploits. A large number of unique security appliances are generating even larger number of false positives and false negatives Lack of automated capability to rapidly identify, contain, analyze and remediate compromised devices. Information provided by various intelligence sources is often outdated, high level, and not actionable. Organizations lack technology and process capabilities for taking timely action on near real-time intelligence data. What kind of security controls are necessary to detect cyber threats that are currently flying under the security radar? How do we collect data from multiple disparate sources and generate normalized, enriched, and actionable information? How do we ensure that we can quickly find and contain compromised devices? How do we collect timely, relevant, and actionable cyber intelligence data? How can cyber intelligence data be used to automatically challenge or stop fraudulent transactions? 11 Cyber espionage: The harsh reality of advanced security threats

13 Developments, trends, and strategies Development Significance Counter-strategy Cyber criminals have been able to infiltrate millions of computers located in corporate networks, government sites, military networks, and homes, around the world. While the evidence showing the number of compromised devices is staggering, what is not fully known is what the cyber criminals have learned and collected that could be used to support future attacks and criminal activities. Cyber intelligence data should be leveraged and used to expose internal devices that are communicating with known criminal destinations. Cyber criminals are increasing their ability to use cryptography, code obfuscation, and code packing techniques. Cyber criminals are capitalizing on the broad based appeal of social networking sites to gain a foothold inside of corporate networks. Cyber criminals are now leveraging custom counterfeit hardware with embedded malicious code to establish covert attack vectors. Kernel level root kits are being enhanced with additional capabilities to avoid detection from network based controls. Social networking users are downloading and installing applications that cyber criminals have developed for the purpose of stealing identities and getting access to their network. It is now necessary to examine the supply chain more vigorously in order to detect fraudulent hardware that has been purposely designed to enable espionage and cyber fraud. Binary hash information needs to be collected from computers whenever new binary files are detected and compared against large hash databases. Never before seen binaries need to be analyzed in a sandbox. Additional behavior based browser and proxy security controls should be considered when allowing users to visit social networking sites. Partnerships with government intelligence agencies are becoming a priority and necessity. 12 Cyber espionage: The harsh reality of advanced security threats

14 Organizations are turning to cyber intelligence to enhance their security programs Social networks Cyber criminals Fraudulent services Compromised hosts Underground data Available target data Criminal tradecraft Available target data Peer to peer Malware and exploits Target list Attack tools Search engines External cyber intelligence Internal cyber intelligence Attack vectors Security controls Logs Business processes Business locations Technology inventory Logs Vulnerabilities Residual Risks Vulnerabilities Key suppliers Privileged users Executives and board members 13 Cyber espionage: The harsh reality of advanced security threats

15 Cyber threat management programs Organizations are developing and implementing cyber threat management programs that integrate and enhance existing information security capabilities. Supporting capabilities Core cyber threat intelligence capabilities Supporting capabilities Cyber security education Insider threat detection Cyber threat modeling Cyber security readiness assessment (Red Teaming) Penetration testing Vulnerability management Log collection and analysis Cyber threat intelligence acquisition Cyber threat intelligence capability 3 rd Party threat monitoring Patch management Solution research and development Application security review Emerging threat research Brand monitoring Network and malware forensics Incident response 14 Cyber espionage: The harsh reality of advanced security threats

16 The new approach for cyber security Proactive External Intelligence Internal Data Normalization Enrichment Fusion Raw Data Actionable Intelligence Security Control Updates Authentication Decisions Risk Assessment Technology Investment Intel Vendor Selection and HR Decisions Business Unit Level Decisioning A forward looking security threat management capability 1. Conduct emerging threat research 2. Establish partnerships to collect and share intelligence 3. Assign and prioritize threat focus areas 4. Establish live, dynamic intelligence feeds 5. Implement a holistic approach to security threat identification 6. Actively track the criminal element 7. Perform daily emerging threat reviews 8. Maintain awareness of the changing technology and business environment 9. Patch operating system, network, process, and application vulnerabilities 10. Deploy and maintain signature and behavioral based controls 11. Produce metrics and trending data for multiple key threat indicators 12. Continuously innovate and improve automation capabilities 15 Cyber espionage: The harsh reality of advanced security threats

17 Cyber intelligence functionality and usage framework A comprehensive, holistic cyber threat intelligence framework is required to maximize the value gained from collecting, correlating, enriching and distributing intelligence data. Commercial Feeds Law Enforcement Industry Associations Underground Forums Hash databases GEOIP data Fraud investigations Security event data Abuse mailbox info Vulnerability data Sandboxes Human intelligence Honeynets Malware Forensics Brand monitoring P2P monitoring DNS monitoring Watchlist monitoring External Cyber Threat Intelligence Feeds Internal Threat Intelligence Feeds Proactive Surveillance Near-Real Time Criminal Surveillance Recovered PII & Company Confidential Data Cyber Threat Intelligence Collection Research, and Analysis Process All Source Fusion Ideally, cyber intelligence should flow to a central cyber threat intelligence function to be normalized, enriched, and then distributed to the appropriate function using automation where possible. Risk Assessment Process Urgent security control updates IP reputation data for authentication Threat Intelligence Reporting Risk Acceptance Process Risk Mitigation & Remediation Line of Business Teams Security, Fraud and Operational Risk Teams Proactive Surveillance Proactive Surveillance 3 rd Parties, Subsidiaries 16 Cyber espionage: The harsh reality of advanced security threats

18 Proactive Defense Capability Measuring cyber threat intelligence capability maturity It has been our experience that many of our larger clients are between level 2 and level 3. Cyber Threat Intelligence Capability Maturity Matrix Capability Measurement Area A. Situational Awareness B. Actionable Intelligence C. Malware Forensic Analysis Capability C B A Adaptive Authentication Manual Malware Forensics Brand Monitoring & Awareness Situational Awareness of Threats to Financial Services Sector Automated Security Control Updates Automated Malware Forensic Analysis Process D. Quality of Intelligence E. Depth of Intelligence Distribution F. Proactive Threat Planning G. Event Correlation E D Cyber Intel from Law Enforcement Manual Intelligence Distribution to Limited Audience Cyber Intelligence from Criminal Surveillance Cyber Intelligence Distributed to Fraud Operations Cyber Intelligence from Self Managed HoneyPots & Baiting Operations Cyber Intelligence Distributed to Subsidiaries & Key Suppliers H. Operations I. Type of Intelligence F Manual Cyber Threat Modeling Automated Cyber Threat Modeling Risk Based Decisioning Support G Security Event Management Pilot Security Event Management System with Basic Correlation Cyber Threat Analysis Portal with Targeted Use Case Correlation Insider Threat & Cross Channel Fraud Monitoring I H Help Desk Signature Based Security Controls Security Opertations Center Internal Log Collection Cyber Intelligence Team Focused on General Threats and Hi-Level Security Briefings Commercial Threat Intelligence Feed Cyber Intelligence Analysts Assigned to Technology Categories Threat Specific Open Source Intelligence Feeds Cyber Intelligence Analysts Assigned to Business Functions Self Generated Threat Intelligence Cyber Threat Intelligence Maturity Levels Level 1 Level 2 Level 3 Level 4 Level 5 17 Cyber espionage: The harsh reality of advanced security threats

19 Sample leading practices for a cyber threat intelligence function 1. Organization Resources dedicated toward reviewing and analyzing emerging threats. Annual budget for security control upgrades, new detection tools, and intelligence sources Cyber command center 2. Process Daily regimen to review and communicate emerging threat data Threat matrix Scenario planning 3. Malware forensic capability Ability to rapidly collect and review forensic information from devices that are suspect. Network extrusion monitoring 4. Perimeter monitoring Network conversation recording and reconstruction 5. All Source Intel fusion Automated, monitored, incremental feeds with aging algorithm. Two-way, cross-industry intelligence sharing Contingency plans for loss of intelligence sources 6. Metrics and reporting Regular cyber bulletin updates. Threat briefings by line of business/delivery channel Automated custom alerting based on thresholds 7. Threat modeling Capability to model and analyze the likelihood that an emerging threat will impact an organization and identify where the weaknesses are that will be exposed 8. Threat lifecycle management Case management tools to coordinate cyber incidents across multiple business areas and support organizations 9. Research and development 10. Supporting capabilities Threat intelligence teams should work in conjunction with internal security teams to identify new strategies and solutions for testing and improving the security posture of customer devices and banking applications Patch management Vulnerability management Incident Response Configuration management Security event management 18 Cyber espionage: The harsh reality of advanced security threats

20 Evolving with the changing cyber threat environment Fundamental change in the threat Historical threat landscape Generic attack tools and resources General targeting and exploiting Often easily thwarted by existing security controls Basic methodology and processes Often done in plain sight Focus is finding any information that will work Often noisy and clumsy techniques Need for a fundamental change to security Existing cyber-security landscape Perimeter security focused (Castle mentality) Information silos often based on organization Inwardly focused with manual analysis Signature based and reactive controls Too much data and too many alerts Often resource constrained Focus on preserving the status quo Emerging threat landscape Highly evolved specialized criminal products Able to target specific entities Advanced malware and hardware development Increased use of anonymization Moving beyond traditional security controls More complete attack methodology Increased use of encryption and stealth Increased use of Social Media Increased use of foreign carrier networks Evolving cyber-security landscape Unique solution set for each organization Solutions cannot be mass produced Must be fully integrated with business operations Solutions often require non-cyber integration Outward looking cyber threat intelligence Create security before the emergency! Prevention focused versus reaction focused Process and people focused versus technology Humans are more important than technology Not only more technology; use existing better! Quality is better than quantity! 19 Cyber espionage: The harsh reality of advanced security threats

21 Cyber threat analyst tradecraft Cyber Threat Intelligence Data Acquisition Sources, Proactive Acquisition, Data Normalization Cyber Criminal Profiling Techniques, Methodologies, Tools, and Information Sources for determining how Criminals are currently operating. Cyber Threat Risk Analysis Techniques and Methodologies for understanding likelihood of impact, determining scope, and assessing existing security posture. Network Forensics Tools, Techniques, and Analysis Methods for exposing active compromises, intrusions, and extrusions. Cyber security analyst Emerging Cyber Threat Management Identification, Analysis, Threat Vector Considerations, Security Control Considerations, and Action Planning Malware Forensics Tools, Techniques, and Analysis Methods for examining and understanding malicious code and how it is impacting your organization. Cyber Threat Incident Response Methodologies, Key Tools, Escalation Procedures for handling security incidents and breaches. Cyber Threat Internal Log Collection & Analysis Tools, techniques, behavioral analysis, correlation rules, and threat patterns. Understanding ways to reduce noise levels and properly tune security controls. 20 Cyber espionage: The harsh reality of advanced security threats

22 Special Operations Forces (SOF) Truths Advanced threats have always required advanced capabilities and methodologies to counter them and re-seize the operational momentum. The development and implementation of these advanced capabilities and methodologies has been driven by those who are not satisfied with merely performing the status quo SOF Truths Humans are more important than hardware Quality is better than quantity Special Operations Forces cannot be mass produced Competent Special Operations Forces cannot be created after emergencies occur Most special operations require non-sof assistance Cyber Truths Integrated processes are more important then technology silos Can t chase the latest technology, must employ basic technologies to their fullest potential The cyber Jedi Knight is grown over time Cyber defense is more than incident response; it must include predictive Cyber Intelligence Must be fully integrated into all business processes Sure I am this day we are masters of our fate, that the task which has been set before us is not above our strength; that its pangs and toils are not beyond our endurance. As long as we have faith in our own cause and an unconquerable will to win, victory will not be denied us. 21 Cyber espionage: The harsh reality of advanced security threats Sir Winston Churchill

23 Contact information Rich Baich Principal Deloitte & Touche LLP Cyber espionage: The harsh reality of advanced security threats

24 This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation. About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. Member of Deloitte Touche Tohmatsu Limited