Belgacom Security Convention. Tuesday 15 October 2013, Aula Magna, Louvain-la-Neuve


1 Belgacom Security Convention Tuesday 15 October 2013, Aula Magna, Louvain-la-Neuve

2 Belgacom Security Convention Introduction Geert Degezelle, Director Belgacom Security Solutions 10/17/2013 Slide 2

3 Intro The elephant in the room

4 Intro: is there an elephant in the room? Some words on the digital intrusion at Belgacom
- 14-15/09: Belgacom launches a clean-up operation after a digital intrusion is detected in the internal IT system
- 16/09: Belgacom communicates proactively about the incident
- Many speculations in the media about the perpetrators and their motives; Belgacom sticks to the facts and continues to collaborate with the judicial investigation
- No indications whatsoever that customers or their data have been impacted
- Belgacom further strengthens prevention with intensive and continuous monitoring
- No new elements at this stage, despite some rumours and wrong information leaked in the press
- Belgacom has chosen to communicate transparently about this incident and will continue to do so in the future whenever needed
Bottom line: we were able to detect a highly sophisticated attack and we performed a successful clean-up. Moving forward, resisting this kind of intrusion will be a joint challenge for all stakeholders involved, both private and public, on a national and international level.

5 Belgacom Security Solutions
- 300+ security professionals in Belgacom Group, 100+ in Belgium
- 24/7 NOC incident management & security analysis: 400M events/day
- Belgacom Computer and Security Incident Response Team (CSIRT)
- Proactive benchmarking of the ICT security landscape
- JCA Training Institute for ICT: student days/year in security
- Multiple delivery models: cloud, on site and hybrid
- Corporate responsibility: kids Safer Internet (together with Child Focus & Microsoft)
- Peer intelligence exchange (e.g. ETIS, CERT, Febelfin, LSEC, Beltug)

6 ICT Security Today
- 400B$ malware/d
- 334 BE attacks/m
- Outgrowing traditional crime figures
- vs Q: % increase
- +300% for Android malware (vs 165 in 2011)

7 Hacker industrialisation is a fact
- The underground embraces the cloud business model
- Hacker consumerisation
- Digital currencies, anonymous payment
- Exploit-as-a-Service, Malware-as-a-Service, Botnet-as-a-Service, ...

8 4 major ICT market trends impacting today's ICT security architecture
- Mobile: IDC 2013: 31% of organisations have no mobile security management solution
- Cloud: security is the #1 cloud inhibitor; manage virtualised security; context and degree of trust will be very important ICT security decision criteria
- Big Data: privacy leakage
- Social Networks: social media attacks, social engineering

9 Detection & rapid response will become a priority
- Prevention, the traditional approach to ICT security, is being augmented with detection and response
- Focus on proactive monitoring to detect and contain attacks earlier in their lifecycle
- Speed of detection & response matters at every stage of the attack lifecycle: simple infection -> upgrade to more complex capabilities -> distribute across the network -> await Command & Control instructions -> exfiltrate data
- By 2020, 75% of enterprises' information security budgets will be allocated to rapid detection and response approaches, up from less than 10% (source: Gartner Security 2020, July 2013)

10 Belgacom Security Convention agenda, plenary sessions
- The evolving cyber threats landscape: Ulrich Seldeslachts, CEO, LSEC
- Cyber security incident response at Belgacom: Andy De Petter, Information Security Manager, Belgacom
- CERT of the European Institutions, activities and lessons learned: Freddy Dezeure, Head of CERT-EU
10/17/2013 Slide 10

11 Belgacom Security Convention, the program continues: trends, case studies, live demos, legal aspects and technical update
Tracks: Cloud and Security | Mobility and Security | Data and Security
13:30-14:30: Protect your business from external threats and cyber criminality | Beyond BYOD, IT consumerization & the mobile enterprise | Meet the data privacy requirements
15:00-16:00: Secure your move to cloud computing | Integrate mobile devices successfully in your ICT | The new, continuous security model
Do not forget the contest: the winners will be communicated at 16:30! Win the last tickets for Belgium-Wales, or a free hacking training

12 The Market place is open Thank you

13 LSEC - Leaders in Security, Tuesday 15 October 2013
LSEC: The Evolving Cyber Threats Landscape. Ulrich Seldeslachts, LLN, Aula Magna, October 15th, 2013
Welcome to the European Cyber Security Month (ECSM). Leaders in Security LSEC, 2013, Private & Confidential, p 2. Source: ECSM, October

14 Welcome to the European Cyber Security Month (ECSM): in Belgium, capital of Europe, you're on your own today. Source: ECSM, October
A masterpiece of marketing?

15 Infected machines vs subscribers per ISP (spam). Source: Botnet mitigation and the role of ISPs, TU Delft, March 2013
Global Threat Map Today: luckily Luxembourg is smaller. Source: HostExploit, September 2013

16 Global Threat Map Today: highest observed concentrations of malicious activity. Source: HostExploit, September 2013
Evolution: a decade of cyber threats. Source: LSEC, eHealth, PwC, 02/

17 That was then: AV-Test.org's sample collection growth (unique samples added; growth, 3-month median, forecast). All quiet on the western front. Source: LSEC, Malware, McAfee September 2008
This is now: how the west was won. Source: LSEC, Security Innovations, IBM X-Force 09/2013

18 That was then: threat counts, end of 2007 vs end of Q (2008). Source: LSEC, Malware, McAfee September 2008
Rows: Vulnerabilities | Password stealers (main variants) | Potentially unwanted programs | Malware (families, DAT related) | Malware zoo (collection)
Figures as transcribed, column order lost: ,700 31,600 , , ,000 24,900 17, , ,000 30,000 (?) 8,600,000 13,000,000
This is now. Source: LSEC, Security Innovations, Websense 09/2013

19 That was then. Source: LSEC, Malware, McAfee September 2008
Evolution: this is today

20 This is now. Source: PwC, March 2013
That was then: a protection gap of hours with current solutions. t0: malware in the wild; t1: malware discovered; t2: protection is available; t3: protection is downloaded; t4: protection is deployed. Source: LSEC, Malware, McAfee September 2008

21 This is now. Source: LSEC, Security Innovations, Websense 09/2013
That was then

22 This is now. Source: LSEC, Innovations, Websense, 09/13

23 Evolution: botnet, that was then
Coreflood Trojan: 500 GB of data; ,000 bot IDs covering 16 months; 8,485 bank accounts (740 accounts for one bank; the 79 accounts they had examined had total balances of $281,000); 3,233 credit card accounts; 151,000 accounts; 58,391 social networking site accounts; 4,237 online retailer accounts; 416 stock trading accounts; 869 payment processor accounts; 413 mortgage accounts; 422 finance company accounts
Top botnets control 1M hijacked computers and can dump more than 100B spam messages on users daily:
 #  Botnet       Bots      Spam capability
 1  Srizbi       315,000   60B/day
 2  Bobax        185,000   9B/day
 3  Rustock      150,000   30B/day
 4  Cutwail      125,000   16B/day
 5  Storm        85,000    3B/day
 6  Grum         50,000    2B/day
 7  Onewordsub   40,000    unknown
 8  Ozdok        35,000    10B/day
 9  Nucrypt      20,000    5B/day
10  Wopla        20,       M/day
11  Spamthru     12,       M/day
Source: LSEC, Malware, McAfee September 2008
Evolution: botnet, this is now. Source: LSEC ACDC, Cyberdefcon March 2013

24 Carna Botnet: bots, a research project. Source: LSEC, ACDC, Cyberdefcon 03/2013
The point? Source: LSEC, ACDC, Cyberdefcon 03/2013

25 How do we know? Source: LSEC, ACDC, Cyberdefcon 03/2013

26 ACDC & the European Commission's Cyber Security Strategy. Trust and Security, DG CONNECT, European Commission

27 Fragmented response. Source: ENISA, 2012: DG INFSO CIP PSP
Pan-European approach

28 What botnets do. Source: PCWorld, IBM
WP2 Pilot Components & Technology Development. Tools: (1) sensors and detection tools for networks; (2) systems: infected websites analysis; (3) device detection and mitigation: multi-purpose tools for end users; (4) Centralized Data Clearing House; (5) Pan-European Support Centre
- T2.1: Establishing and management of the Pilot Governance Group (LSEC) [M01-M27]
- T2.2: Developing the technology framework (ATOS) [M01-M06]
- T2.3: Developing pilot component task forces (LSEC) [M01-M21]
- T2.4: Pilot component developments (LSEC, TID) [M03-M23]
- T2.5: Change management (LSEC) [M06-M27]
- T2.6: Component development quality control management (LSEC) [M06-M27]

29 Source: LSEC, ACDC, Cyberdefcon 03/2013
This was yesterday. Source: The Economist, 2012

30 This is today: work with YOUR OWN tools (3/4). Source: Mobco, March 2013
This is tomorrow. Source: Ericsson, January 2013

31 This is today: key lessons!
1. It's about the data
2. Attribution
3. (Industrial) espionage
4. Don't forget the insider
5. Your website next?
6. Going social
7. Be innovative
8. Offensive defense
9. The truth is out there in the data
10. You're not alone
It's about data

32 Attribution. Source: PwC, March 2013
Attribution. Source: LSEC, Security Innovations, Websense 09/2013

33 (Industrial) espionage: PLA Unit 61398, Datong
Also consider the insider threat: major threats perceived. Source: IDC Energy Insights, Security Survey, 2011

34 Your website next? 14% increase in web application vulnerabilities; cross-site scripting represented 53%. Source: LSEC, Security Innovations, IBM X-Force 09/2013
Going social. Source: LSEC, Security Innovations, IBM X-Force 09/2013

35 Key threats 2012
Be innovative: think like a hacker. Source: LSEC Big Data 2013, Splunk

36 (Think) offensive defense
The truth is out there in the data. Source: LSEC, Security Innovations, IBM X-Force 09/2013

37 The truth is out there in the data. Sources: Symantec, DeepSight EWS, 2012; LSEC, ACDC, Palo Alto WildFire, March 2013
You're not alone: basics

38 About information sharing?
You're not alone: start sharing. Effective cyber threat intelligence and information sharing

39 Information sharing? Information sharing: ers/wp_verizon-incident-sharing-metricsframework_en_xg.pdf
You're not alone: share facts

40 You're not alone
Preliminary ACDC results: impact

41 Preliminary ACDC results: impact
Information sharing, ISACs: a sector approach (e.g. FS-ISAC, ISACs in NL)
- Trusted entities established by CI/KR owners and operators
- Comprehensive sector analysis
- Reach within their sectors, with other sectors, and with government to share critical information
- All-hazards approach
- Threat level determination for the sector
Or CERT.BE

42 FS-ISAC model starting in Belgium: cyber & physical alerts from a 24/7 Security Ops Center; briefings/white papers; risk mitigation toolkit; document repository; anonymous submissions; committee listservs; member surveys; bi-weekly threat calls; special info sharing member conference calls; crisis management process (CMLT, CINS); semi-annual conferences; webinars; regional program; viewpoints
Interested in finding out more? Cyber Security, challenging for ICT Security Industry & Research 2013, Monday October 21st 2013, Agoria, Diamant, Reyerslaan 80, Brussels
- Prof. Jos Dumortier, ICRI: challenges related to the legal system and cyber crime
- Business Forensics: real-time monitoring & adaptive cyber intelligence
- Reinder Wolthuis, TNO: establishing an effective cyber security strategy
- Raj Samani, McAfee: evolutions of cyber threats from an ICT industry perspective
- Prof. Bart Preneel, COSIC: challenges for engineering state-of-the-art solutions
- Prof. Maire O'Neil, CSIT: research experiences from the Centre of Information Technologies

43 About LSEC
1. Leaders in Security: a non-profit Flemish (vzw) association that aims to inform organizations and government on the evolutions and challenges of information security: data protection (protection of data, users, information and systems); security management (standards, legal, good practices); tools and technologies (networking, encryption, virtualization)
2. Over 120 members, e-security companies in Belgium, reaching out to ICT professionals and security professionals
3. Coordinating and partnering in 8 international industry & research projects
4. More than 40 thought-leading activities per year: seminars, discussions, trade shows; over 2000 documents (white papers, business cases, presentations) on information security related matters; regular newsletters, invitations, discussion fora. Visit the LSEC website for more information and documentation
Creating security awareness: 1. Publications 2. Seminars, conferences, workshops 3. International representation

44 Thought leadership

45 LSEC, Sirris & Agoria ICT: SaaSification support
- Best practices, advisory and bootcamps to facilitate migration to the cloud for companies with software-related products and services
- Guidance on cloud providers, developments towards the cloud, security mechanisms, strategic benefit
- Self-assessment for cloud readiness
- Formalising user requirements, defining a research agenda

46 Cybersecurity, Privacy & Trustworthy ICT Innovations
- Innovation framework for security solutions & services
- Best practices on ICT security innovation development
- Guidance for ICT security companies on new product & service development
NOT THE END. More information, registration and follow-up, Q or C: Ulrich Seldeslachts, ulrich@lsec.be

47 Belgacom Cyber Security Incident Response October 2013 overview version 2.2 Belgacom CSIRT - confidential

48 Cyber Security Incident Response Team: agenda (SDE&W 2012)
- Introduction
- CSIRT mission
- CSIRT, a closer look: organization, service objectives, incident types, examples
- CSIRT, a standalone initiative?
- Timespan of events during a breach
- Sharing knowledge is strength: ETIS, EU CERT network
- Q&A

49 CERT activities in Europe

50 Mission statement: the Belgacom CSIRT (BGC-CSIRT) provides information and assistance to reduce the risks of computer security incidents as well as responding effectively to such incidents when they occur.

51 Service objectives
1. Initial impact assessment & analysis of an information security incident (remote or on-site)
2. Contain (public) exposure in case of an information security incident
3. Provide technical support to the Belgacom Emergency Response Team (BERT) during the handling of an information security incident

52 Management support: a Group Information Security Steering Committee has been established in January. Its purpose is to provide leadership in the protection of the Belgacom Group assets and technology. Committee membership includes representation of all business units: Products & Solutions Management; Legal; Customer ICT; Customer Operations; ICT; Internal Audit; Risk & Insurance; Architecture, Programs & Project Office; Network Engineering & Operations; Group Strategy; Group Human Resources. Full authority is granted to the BGC-CSIRT to immediately mitigate the impact of an information security incident.

53 Incident categories

54 Incident definitions, severity 1
- Successful compromise with potentially elevated privileges
- Successful compromise of multiple customer accounts (>20)
- Service attacks with significant impact on Belgacom operations
- Vulnerabilities detected that are externally exploitable without any in-depth knowledge
- Massive disclosure of proprietary information
- Widespread instances of malicious code on corporate assets
- Active public impersonation of Belgacom or any of its brands
- Detection of impairment of any security safeguard (high risk of exposure)
- Successful abuse of compromised customer equipment
- Incident affecting critical systems or information with the potential to be revenue or customer impacting
A severity 1 incident means that higher management (permanent members of the GISSC), the Legal department and External Communications get notified and updated on the incident.

55 Incidents by category, overview 2012


57 Anonymous threat, 15/06: Anonymous threatens to "liberate the Belgian Internet" on the 15th of June
- Initial risk assessment made by the Belgacom Cyber Security Incident Response Team in close collaboration with operational teams
- Assessment confirmed by the Belgian Federal Police (Computer Crime Unit)
- Operational readiness prepared on the Internet backbone to detect and resist possible attacks towards critical infrastructure
- Communications within the Network Operations Center and call centers in case of any major event during the 15th of June
- Alarming configured and distributed throughout the BGC-CSIRT core team and operational on-duty personnel

58 Anonymous unveiled?

59 It's not only banks

60 It's not always easy: lookalike domains
belgacomfon.com, belgacomfrance.com, belacom.com, belgacom-skynet.nl, belgacomcloud.be, belgacomnet.com, belgacomskinet.net, belgacomskynet.nl, usersbelgacom.net, belgacom.info, belgacom.hu, belgacombedanktu.com, proximus.info, wwwbelgacom.net, proximus.nl, wwwbelgacom.be, begacom.net, belgacom.cz, wwwproximus.be, belgacom.pro, e-proximus.be, belgacom.de, myproximus.com, adslbelgacom.com, belgacom.pl
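A first-pass triage of such a list, added here as an example and not a tool from the Belgacom deck: each domain is scored against the brand labels a company wants to protect, and the rule that fired (typo, glued-on www, brand embedded in a longer label, exact brand in a foreign TLD) is named so an analyst can prioritise monitoring or takedown. The brand list, the "own TLD" list and the rules are assumptions; the candidate domains are the ones from the slide.

```python
"""Lookalike-domain triage against a set of brand labels.

Added example, not tooling from the Belgacom deck. The brand labels, the
"own" TLD list and the matching rules are assumptions; the candidate domains
are the ones listed on the slide.
"""
from __future__ import annotations

BRANDS = ("belgacom", "proximus", "skynet")   # assumed labels to protect
OWN_TLDS = ("be",)                             # assumed: brand.be is the legitimate one

# Candidate domains from the slide, unchanged
SLIDE_DOMAINS = [
    "belgacomfon.com", "belgacomfrance.com", "belacom.com", "belgacom-skynet.nl",
    "belgacomcloud.be", "belgacomnet.com", "belgacomskinet.net", "belgacomskynet.nl",
    "usersbelgacom.net", "belgacom.info", "belgacom.hu", "belgacombedanktu.com",
    "proximus.info", "wwwbelgacom.net", "proximus.nl", "wwwbelgacom.be",
    "begacom.net", "belgacom.cz", "wwwproximus.be", "belgacom.pro",
    "e-proximus.be", "belgacom.de", "myproximus.com", "adslbelgacom.com",
    "belgacom.pl",
]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, tld); assumes a plain label.tld shape."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2], parts[-1]


def classify(domain: str, brands=BRANDS, own_tlds=OWN_TLDS) -> list[str]:
    """Name the lookalike techniques a domain matches; empty list if none."""
    label, tld = split_domain(domain)
    hits: list[str] = []
    for brand in brands:
        if label == brand:
            # exact brand label in a TLD the company does not own
            if tld not in own_tlds:
                hits.append(f"brand-other-tld:{brand}")
        elif label.startswith("www" + brand):
            # "wwwbelgacom.be": the dot after www is missing
            hits.append(f"www-prefix:{brand}")
        elif brand in label:
            # brand glued to another word: belgacomcloud, e-proximus, adslbelgacom
            hits.append(f"brand-embedded:{brand}")
        elif levenshtein(label, brand) <= 1:
            # one keystroke away: belacom, begacom
            hits.append(f"typo:{brand}")
    return hits


def triage(domains, brands=BRANDS, own_tlds=OWN_TLDS) -> list[tuple[str, list[str]]]:
    """Return only the domains that matched, each with its reasons."""
    out = []
    for d in domains:
        hits = classify(d, brands, own_tlds)
        if hits:
            out.append((d, hits))
    return out


if __name__ == "__main__":
    for domain, reasons in triage(SLIDE_DOMAINS):
        print(f"{domain:24} {', '.join(reasons)}")
```

Every domain on the slide trips at least one rule. The edit-distance threshold of 1 is deliberately tight: raising it to 2 on eight-letter labels starts flagging unrelated words, so homoglyph and keyboard-adjacency checks are the better next step than a looser distance.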

61 It's not only SMEs

62 Advanced persistent threat, September 2013
- 14-15/09: Belgacom launches an important clean-up operation after its security experts detected a digital intrusion in the internal IT system
- 16/09: Belgacom communicates proactively about the incident and how it has been managed. Investigating authorities and official institutions (e.g. the Privacy Commission) respond positively to this approach
- Many speculations in the media about the perpetrators and their motives: Belgacom sticks to the facts and continues to collaborate with the judicial investigation
- No indications whatsoever that customers or their data have been impacted
- Belgacom further strengthens prevention with intensive and continuous monitoring of all IT systems
- No new elements at this stage, despite some rumors and wrong information leaked to the press
- Belgacom has chosen to communicate transparently about this incident and will continue to do so in the future whenever needed
Bottom line: we were able to detect a highly sophisticated attack and we performed a successful clean-up. Moving forward, resisting this kind of intrusion will be a joint challenge for all stakeholders involved, both private and public, on a national and international level.

63 Belgacom Cyber Security Incident Response Team: a standalone initiative?

64 How long does it take? Source: Verizon DBIR 2012

65 Sharing knowledge is strength: telco intelligence
Reaching out to other peers:
- what are successful practices, and which offer the best value for money
- which internal sources of information is everyone using to build knowledge and intelligence about incidents and trends (e.g. SIEM, log correlation, ...)
- which incidents are other CERTs/SOCs handling, and how can that help the others
Process & tooling:
- what utilities are used that could be shared and possibly even integrated
- which documented processes are used to handle incidents
- share experiences with any kind of tooling: do's and don'ts
Operational collaboration:
- put processes in place to be able to respond quickly to cross-border, sector-wide incidents (e.g. a conference bridge)
- bi-weekly conference calls to share intelligence on incidents
- yearly face-to-face meetings
- direct mobile contacts shared between CERT/CSIRT contacts (mandatory for participation)

66 Sharing knowledge is strength

67 Questions? Andy De Petter

68 APT, it hits us all! Experiences in targeted attacks Freddy Dezeure 16/10/2013

69 CERT-EU set-up
- Created 6/2011
- The EU institutions' own CERT
- Supports 60+ entities (EU institutions, bodies, agencies)
- Small (16 people), specialised team
- Provides operational IT security support to its clients
- Cooperates closely with internal ITsec teams
- Specialised in targeted attacks
- Reports to an inter-institutional Steering Board

70 CERT-EU constituents
- Located in many different EU countries
- From users
- Different legal entities
- Cross-sectoral: government, foreign policy, embassies; banking, energy, pharmaceutical, chemical, food, telecom; maritime, rail and aviation safety; law enforcement (EUROPOL, FRONTEX, EUPOL) and justice; research, hi-tech, navigation (GALILEO), defence (EUMS, EDA)
- High-value targets

71 CERT-EU Partners - Peers

72 Announcements (News): the CERT-EU web portal
- Sources: automatic gathering of information on threats and vulnerabilities
- Clustering of breaking news
- RSS enabled on all screens
- CERT-EU advisories and white papers

73 Services (initial services and prototype/future services, delivered to the constituents)
- Front-end services: Announcements (EMM); Alerts; Incident Handling; Incident Analysis; Incident Response Support; Incident Response Coordination
- Back-end services: Malware analysis; Tech Watch; Threat assessment; Security Tools
- Inputs: "open" sources (websites, newsletters, blogs, forums, etc.); third-party monitoring services; CERTs, Gov CERTs, NCIRC, etc.; constituents (information on incidents); specialised support (CERTs, ITsec companies, law enforcement, etc.)

74 Statistics: Alerts (Jan-Sep): 400; Incident Response Coordination (Jan-Sep): 11

75 Alerts
Source of alert: clients 20%; other CERTs 20%; automated sources 60%
Nature of alert: malicious e-mails (spear phishing); compromised systems; vulnerable systems (SQL, XSS); leaked usernames/passwords; DDoS

76 Incident response coordination
- Coordination of the response to targeted attacks
- Provision of "internal" expertise to the constituent: CERT-EU expertise and tools; "on call" expertise in the constituency
- Liaison and coordination with third parties: other CERTs, specialist IT security companies
- On-site support if requested
- The constituent remains fully in charge

77 APT challenges
The adversary's persistence:
- They know what they want and they pursue their goal
- They will repeatedly try to get in
- Once they're in, they try to stay
- When you throw them out, they will try to come back
New intrusion and persistence techniques:
- Unknown vulnerabilities (0-days)
- Changing malware signatures: polymorphic, individualised
- Changing C&C: dyndns, parking domains, individualised
- Usage of reputed sites (Facebook, Flickr, Twitter, blogs) for C&C
- Watering hole sites

78 APT: the difference in speed
- Initial infection: almost impossible to avoid
- Taking control over the infrastructure: 10 -> 48 hours
- Detection: more than 1 year (or never)
- Remediation: 1-6 months

79-84 Attack progression (diagram slides showing Proxy, DC, Server and C&C): initial infection; infection; lateral move; access to corporate assets

85 Detection
- A/V: multiple A/V systems
- HIDS
- Log analysis: detection of anomalous events (overnight activities, multiple interactive login attempts, unusual admin workstations, etc.)
- User awareness
- Passive malevolence monitoring
- NIDS/IPS with private rules

86 Scoping
- Malware reversing
- Internal: scanning for IOCs in the network and on systems (HIDS); scanning for anomalous traffic; hits on the proxy/IDS
- External: has anybody else seen this? No -> you're on your own. Yes -> multiply knowledge on IOCs
- What's the timeline?
- Sinkholing
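The internal half of scoping, in code, as an added example that is not CERT-EU's tooling: sweep proxy logs for the indicators that came out of malware reversing (or from a peer CERT), and record per client the first and last contact with C&C infrastructure, which is the raw material for the timeline question. The log format, the indicator list and the log lines are constructed for this example; the domains and IP use documentation/example ranges and are not real indicators.

```python
"""IOC sweep over proxy logs to scope an intrusion: which hosts touched known
bad infrastructure, when first, when last.

Added example, not CERT-EU's tooling. The log format, the indicator list and
the log lines are constructed for this example; the domains and the IP are
documentation/example ranges, not real indicators.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed indicators (assumed to come from malware reversing or a peer CERT)
IOC_DOMAINS = {"cdn-update.example.net", "stat.example.org"}
IOC_IPS = {"198.51.100.7"}

# Constructed proxy log, one request per line:
# <iso-time> <client-ip> <method> <url> <status>
PROXY_LOG = """\
2013-09-10T02:14:05Z 10.1.2.3 GET http://cdn-update.example.net/a.php?id=1 200
2013-09-10T02:15:06Z 10.1.2.3 GET http://cdn-update.example.net/a.php?id=2 200
2013-09-10T09:01:00Z 10.1.2.9 GET http://www.example.com/index.html 200
2013-09-11T02:14:07Z 10.1.2.3 GET http://img.cdn-update.example.net/b.gif 200
2013-09-11T11:30:00Z 10.1.2.5 POST http://198.51.100.7/upload 200
2013-09-12T08:00:00Z 10.1.2.9 GET http://stat.example.org/x 404
"""


@dataclass
class HostHits:
    first_seen: str
    last_seen: str
    count: int = 0
    indicators: set[str] = field(default_factory=set)


def match_indicator(host: str) -> str | None:
    """Return the indicator a hostname matches (exact, or a subdomain of an IOC domain)."""
    if host in IOC_IPS or host in IOC_DOMAINS:
        return host
    for ioc in IOC_DOMAINS:
        if host.endswith("." + ioc):
            return ioc
    return None


def sweep(log_text: str) -> dict[str, HostHits]:
    """Map each client IP that hit an indicator to its first/last hit and the IOCs involved."""
    hits: dict[str, HostHits] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        host = urlsplit(url).hostname or ""
        ioc = match_indicator(host)
        if ioc is None:
            continue
        entry = hits.setdefault(client, HostHits(first_seen=ts, last_seen=ts))
        # ISO-8601 timestamps in a single zone sort correctly as strings
        entry.first_seen = min(entry.first_seen, ts)
        entry.last_seen = max(entry.last_seen, ts)
        entry.count += 1
        entry.indicators.add(ioc)
    return hits


def timeline(hits: dict[str, HostHits]) -> list[tuple[str, str]]:
    """Hosts ordered by first contact: the top entry is the patient-zero candidate."""
    return sorted((h.first_seen, client) for client, h in hits.items())


if __name__ == "__main__":
    result = sweep(PROXY_LOG)
    for first, client in timeline(result):
        h = result[client]
        print(f"{client:10} first={first} last={h.last_seen} hits={h.count} iocs={sorted(h.indicators)}")
```

A 404 from an indicator still counts: the host asked for the C&C domain, which is what matters for scoping. Once the IOC domains are sinkholed, the same sweep run against the sinkhole's own logs shows which hosts are still trying to call home after clean-up.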

87 Pass the Hash
1. Compromise a host
2. Steal credentials using local admin or system rights (hashes or passwords in clear): from memory (SSO, running processes, services, etc.); wait for an interactive, local logon (incl. batch/services), create a need for troubleshooting, dump the logon sessions
3. Use the stolen credentials: depending on the privileges of the stolen credential, access other workstations, servers or the Domain Controller; on the DC, dump the Active Directory; use the password or pass-the-hash (network logon only)
4. Repeat until you get domain privileges
Success within hours
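The log-analysis signals the Detection slide names (overnight interactive activity, bursts of logons, admin accounts used from the wrong workstation) and the pass-the-hash fan-out just described can be expressed as three small rules over logon events. The block below is an added example, not CERT-EU's tooling: the events are constructed records whose fields are modelled on Windows event 4624 (logon type, authentication package, source and target host), and the account names, hosts, thresholds and business-hours window are all assumptions. The fan-out rule keys on NTLM network logons because that is the only logon type a stolen hash gives the attacker.

```python
"""Logon-event heuristics: off-hours interactive logons, privileged accounts on
non-admin workstations, and one account fanning out to many hosts over NTLM
network logons within a short window (pass-the-hash lateral movement).

Added example, not CERT-EU's tooling. Events are constructed records with
field names modelled on Windows event 4624; accounts, hosts, thresholds and
the business-hours window are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_ACCOUNTS = {"CORP\\da-jdoe", "CORP\\svc-backup"}   # assumed privileged accounts
ADMIN_WORKSTATIONS = {"PAW01"}                            # assumed dedicated admin workstations
BUSINESS_HOURS = (7, 20)                                   # assumed: 07:00-19:59 is normal
INTERACTIVE = {2, 10}        # 2 = console, 10 = RDP
NETWORK = 3                  # a stolen hash only buys network logons
FANOUT_WINDOW = timedelta(minutes=30)
FANOUT_HOSTS = 5

# Constructed events: (time, account, logon_type, auth_package, src_host, dst_host)
EVENTS = [
    ("2013-09-12T09:00:00", "CORP\\jsmith",     2,  "Kerberos", "WS017", "WS017"),
    ("2013-09-12T02:30:00", "CORP\\da-jdoe",    10, "Kerberos", "WS042", "WS042"),
    ("2013-09-12T02:35:00", "CORP\\svc-backup", 3,  "NTLM",     "WS042", "SRV01"),
    ("2013-09-12T02:36:00", "CORP\\svc-backup", 3,  "NTLM",     "WS042", "SRV02"),
    ("2013-09-12T02:36:30", "CORP\\svc-backup", 3,  "NTLM",     "WS042", "SRV03"),
    ("2013-09-12T02:37:00", "CORP\\svc-backup", 3,  "NTLM",     "WS042", "SRV04"),
    ("2013-09-12T02:38:00", "CORP\\svc-backup", 3,  "NTLM",     "WS042", "SRV05"),
    ("2013-09-12T02:40:00", "CORP\\svc-backup", 3,  "NTLM",     "WS042", "DC01"),
    ("2013-09-12T14:00:00", "CORP\\svc-backup", 3,  "NTLM",     "BKP01", "SRV01"),
]
FIELDS = ("time", "account", "logon_type", "auth_pkg", "src_host", "dst_host")


def as_records(rows):
    """Turn the tuples above into dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, r)) for r in rows]


def ts(e):
    return datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%S")


def off_hours_interactive(events):
    """Interactive logons outside business hours."""
    lo, hi = BUSINESS_HOURS
    return [e for e in events if e["logon_type"] in INTERACTIVE and not lo <= ts(e).hour < hi]


def admin_from_unusual_workstation(events):
    """Privileged account logging on interactively from a non-admin workstation."""
    return [e for e in events
            if e["account"] in ADMIN_ACCOUNTS and e["logon_type"] in INTERACTIVE
            and e["src_host"] not in ADMIN_WORKSTATIONS]


def lateral_fanout(events, window=FANOUT_WINDOW, threshold=FANOUT_HOSTS):
    """One account reaching >= threshold distinct hosts by NTLM network logon inside window.
    Returns (account, window start, sorted hosts) for the first window that trips."""
    by_account = defaultdict(list)
    for e in events:
        if e["logon_type"] == NETWORK and e["auth_pkg"] == "NTLM":
            by_account[e["account"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=ts)
        for i, start in enumerate(evs):
            hosts = {e["dst_host"] for e in evs[i:] if ts(e) - ts(start) <= window}
            if len(hosts) >= threshold:
                alerts.append((account, start["time"], sorted(hosts)))
                break
    return alerts


def run_all(rows=EVENTS):
    events = as_records(rows)
    return {
        "off_hours": off_hours_interactive(events),
        "admin_ws": admin_from_unusual_workstation(events),
        "fanout": lateral_fanout(events),
    }


if __name__ == "__main__":
    for rule, findings in run_all().items():
        print(rule, findings)
```

On the constructed data the domain admin's 02:30 RDP session from an ordinary workstation trips the first two rules, and the service account's run through six servers (ending on the DC) in five minutes trips the third; the same account's single afternoon logon from its backup host does not. Real deployments tune the window and host count per account class, since backup and monitoring accounts legitimately touch many hosts.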

88 Pass the Hash, lessons learnt
- Prevent workstations from being compromised, and prevent a compromise from spreading: local admin rights for users; local admin passwords and functional passwords; interactive logon by help desk or system admins
- Measures at infrastructure and organisational level: don't give normal users extensive privileges; don't let privileged users run the risk of being compromised; enforce the policies; Microsoft white paper (measures to be taken at information asset level as well); risk assessment; segmentation

89 Pass the Hash, lessons learnt: tiered administration (diagram). Production domain(s) with a separate admin environment: Power tier: Domain Controllers, Domain Admins; Data tier: servers and applications, sensitive server & application admins; Access tier: users and workstations; Management and monitoring; IPsec between the tiers; Threats: Internet


Cyber Security. An Executive Imperative for Business Owners. 77 Westport Plaza, St. Louis, MO 63416 p 314.439.4700 f 314.439.4799 Cyber Security An Executive Imperative for Business Owners SSE Network Services www.ssenetwork.com 77 Westport Plaza, St. Louis, MO 63416 p 314.439.4700 f 314.439.4799 Pretecht SM by SSE predicts and remedies

More information

Identifying Cyber Risks and How they Impact Your Business

Identifying Cyber Risks and How they Impact Your Business 10 December, 2014 Identifying Cyber Risks and How they Impact Your Business David Bateman, Partner, K&L Gates, Seattle Sasi-Kanth Mallela, Special Counsel, K&L Gates, London Copyright 2013 by K&L Gates

More information

Under the Hood of the IBM Threat Protection System

Under the Hood of the IBM Threat Protection System Under the Hood of the System The Nuts and Bolts of the Dynamic Attack Chain 1 Balazs Csendes IBM Security Intelligence Leader, CEE balazs.csendes@cz.ibm.com 1 You are an... IT Security Manager at a retailer

More information

Privilege Gone Wild: The State of Privileged Account Management in 2015

Privilege Gone Wild: The State of Privileged Account Management in 2015 Privilege Gone Wild: The State of Privileged Account Management in 2015 March 2015 1 Table of Contents... 4 Survey Results... 5 1. Risk is Recognized, and Control is Viewed as a Cross-Functional Need...

More information

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery Overview Password Manager Pro offers a complete solution to control, manage, monitor and audit the entire life-cycle of privileged access. In a single package it offers three solutions - privileged account

More information

RSA Security Anatomy of an Attack Lessons learned

RSA Security Anatomy of an Attack Lessons learned RSA Security Anatomy of an Attack Lessons learned Malcolm Dundas Account Executive John Hurley Senior Technology Consultant 1 Agenda Advanced Enterprise/ Threats The RSA Breach A chronology of the attack

More information

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and

More information