Anatomy Of a Breach Discussion

Size: px

Start display at page:

Download "Anatomy Of a Breach Discussion"

Charles Jordan
7 years ago
Views:

1 Anatomy Of a Breach Discussion Marcus Lecuyer Area Vice President RSA Security Canada November 4, 2015

2 Agenda Observations Attack Methodology Managing a Breach Lessons Learned Best Practices 2

3 How Do Breaches Occur? Malicious Activities Hacking incidents / Illegal access to databases containing personal data Theft of computer notebooks, data storage devices or paper records containing personal data Scams that trick organizations into releasing personal data of individuals Human Error Loss of computer notebooks, data storage devices or paper records containing personal data Sending personal data to a wrong or physical address, or disclosing data to a wrong recipient Unauthorized access or disclosure of personal data by employees Improper disposal of personal data (e.g. hard disk, storage media or paper documents containing personal data sold or discarded before data is properly deleted) Computer System Error Errors or bugs in the programming code of websites, databases and other software which may be exploited to gain access to personal data stored on computer systems 3

4 April 2011 December 2013 November 2014 June 2015 July 2015 Threat Nation State Organized Crime Nation State / Insider? Nation State Hackitivist Attack Method Spear Phishing 3rd party Compromise Zero Day Malware C2 Lateral Movement Data Exfiltration Spear Phishing 3rd party Compromise Zero Day Vuln C2 Lateral Movement Data Exfiltration 3rd party Compromise Zero Day Vuln C2 Lateral Movement Data Exfiltration / destruction Zero Day Vuln C2 Lateral Movement Data Exfiltration TBD Insider knowledge Detection Detected in flight Undetected Brian Krebs broke the news Undetected Actor left a message Detected after 11 months Undetected Actor hosted an interview Impact Reputational Financial Executives Fired Financial Executives Fired Financial Reputational Executives Fired Reputational Financial Executives Fired Reputational Financial Motive Leverage RSA information as an access point to target DIB, Fed Gov, Manufacturing Financial Gain Response to disgruntled Nation or Employees Nation state compiling database of US personnel & intelligence operatives Morally outraged about the dating service Estimated Cost of Breach $66M $1 Billion $38M-$1B $338M & up Could be their business / IPO for $200M TBD Claim to Fame Most sophisticated attack in history Largest cache of stolen CC s in history Data destruction Largest breach of personal data in history Wow! 4

5 Online Trust Alliance Guide to data Protection & Breach Readiness (2013) Verizon Data Breach Report 2014 Highlights Verizon Data Breach Report 2015 Highlights 2,644 Breaches Studied 1367 Breaches Studied 2,122 Breaches Studied 267 Million Records Breach vector 170 Million Malware Events $5.5M cost per Breach Web App 35% Cyber-espionage 22 % 70+% of malware samples are unique to an organization $194 cost per Record 99% records lost due to external hacking 97% of data breach incidents were avoidable POS Intrusions 14% Card skimmers 9% Perpetrators 85% outsiders 12% insiders 3% partners Threat actions Stolen Credentials 15% Export Data 11% Phishing 9% Ram Scraper 8% Breach vector POS Intrusions 28.5% Crimeware 18.8% Cyber Espionage 18% Insider 10.6% Web App 9.4% Physical Theft 3.3% Payment card Skimmers 3.1% Cyber Espionage 20.2% is focused on the Professional Firms Backdoor 6% 5

6 The Adversary NATION STATE ACTORS Nation states Government, defense contractors, IP rich organizations, waterholes CRIMINALS NON-STATE ACTORS Petty criminals Unsophisticated, but noisy Insiders Various reasons, including collaboration with the enemy Organized crime Organized, sophisticated supply chains (PII, PCI, financial services, retail) Cyber-terrorists / Hacktivists Political targets of opportunity, mass disruption, mercenary 6

7 Understanding the threat Attack Lifecycle Recon Weaponization Delivery Exploitation Installation C2 Act on Objectives 7-Phase Model for how an adversary engages a victim Any disruption in the chain will impact their actions Human intervention is often required for success and failure All seven steps can be detected, prevented, or minimized Note/ Attribution: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains ; Hutchins, Cloppert, Amin, Lockheed Martin CIRT; Proceedings of the 6th International Conference on Information Warfare,

8 The Cyber Kill Chain Sophisticated Attacks 1 TARGETED SPECIFIC OBJECTIVE 2 STEALTHY 3 INTERACTIVE LOW AND SLOW HUMAN INVOLVEMENT System Intrusion Attack Begins Cover-Up Discovery Leap Frog Attacks Cover-Up Complete TIME Dwell Time Response Time 1 Decrease Dwell Time Attack Identified 2 Speed Response Time Response 8

9 Objective: Affect the Attack Lifecycle Attack Lifecycle Detect Deny Disrupt Degrade Deceive Reconnaissance Weaponize ü ü Delivery Exploitation ü ü ü ü üü ü ü Installation C2 ü ü Action ü ü 9

10 In the Fog of War What do we do? Elect a Breach Management Team Ensure a clear command and reporting structure of key employees who would take charge and make time-critical decisions on steps to be taken to contain the breach and manage the incident This team should be sworn in and be made up of key people that represent core functions of your business (Security, IT, Finance, Legal, HR..) Engage a trusted source to assist in the Incident Response (IR) activities Network / Endpoint forensics to understand the scope of the incident Who, impact, root cause, remediation steps. Develop a communication plan (if required) which might include an outside PR & council This is for both internal (employees) and external (public) communication Develop a technology roadmap & financial plan to close the capability gaps in the security defense strategy In order to be successful here the ROOT CAUSE is the most important 10

11 Security Practices Critical Checklist Business Risk Assessment Identify most critical systems; ensure they are given the highest priorities for all hardening and monitoring activities Active Directory Hardening Minimize number of admins Monitoring and alerting (Windows Event ID #566) Two factor admin access from hardened VDI platform Executable whitelisting on hardened DCs Disable default account and rename key accounts Complex passwords (9 & 15 Char) Infrastructure & Logging Full and detailed logging & analysis Tighten VPN controls Increase controls on crypto keys Full packet capture at strategic network locations Network segmentation Team trained and focused on APT activity Service Accounts Review accounts for privilege creep Change passwords frequently Do not embed credentials into scripts Minimize interactive login Restrict login only from required hosts Web Access Block access to high risk and web filter categories Click through on medium risk websites Black hole dynamic DNS domains Authenticated internet access DNS traffic analysis User Education Increase security training for IT Launch security improvement initiative Regular education of users on phishing attacks Regular education on social engineering Increase mail filtering controls User Machine Hardening Limit local admin and randomize PW- change often Increase patching regime Enable security controls in applications Deep visibility to identify lateral movement Limit use of non-authorized an approved software 11

12 How You Can Achieve Success? Be Methodical Develop Breach Management Plan Not just incident response Transcends IT & IT Security Must involve Operations, Finance, Risk, and Legal People & Process Are King This will enable effective measurement and discipline Technology Is A Necessary Foundation Real-Time Visibility Fundamental Without this, you will not be able to disrupt the attack lifecycle 12

13 Security Best Practices: Critical Checklist There are only two types of companies those that know they ve been compromised, and those that don t know. If you have anything that may be valuable to a competitor, you will be targeted, and almost certainly compromised. Dmitri Alperovitch Threat Research Analyst Discovered Operation Shady Rat (Remote Access Tool) 13

14 EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.

After the Attack. The Transformation of EMC Security Operations

After the Attack. The Transformation of EMC Security Operations After the Attack The Transformation of EMC Security Operations Thomas Wood Senior Systems Engineer, GSNA CISSP RSA, The Security Division of EMC Thomas.WoodJr@rsa.com 1 Agenda Review 2011 Attack on RSA