PORTCULLIS. 2nd Annual Financial Services Cyber Security Summit. CBEST Workshop

Transcription

1 PORTCULLIS 2nd Annual Financial Services Cyber Security Summit CBEST Workshop

2 CBEST portcullis David Byrne CBEST Service Owner

3 Introduction Portcullis has been established for over 23 years as an independent professional services firm focused on security. Providing IA Consultancy, dedicated R&D, Forensics / Incident Response and security testing including intelligence-led services Red Teaming; War Gaming; CBEST / CSTAR. Portcullis was the first partner fully qualified under CBEST. Now one of six accredited partners of CBEST PT in the UK providing both CC SAM and CC SAS certified individuals.

4 Reading and References: Bank of England - /cbest.aspx Lists out an overview and key resources CREST - Much the same info as above BUT includes: List of certified providers Syllabus overviews for CC SAM, CC SAS and CC TIM certifications

5 Why are we here? Two quotes from the Financial Policy Committee: In June 2013: HM Treasury, working with the relevant Government agencies, the PRA, the Bank s financial market infrastructure supervisors and the FCA should work with the core UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber attack. In September 2013: The Committee... encouraged Her Majesty s Treasury and the regulators to ensure that the various institutions at the core of the financial system, including banks and infrastructure providers, had a high level of protection against cyber attacks to ensure such attacks do not undermine the system.

6 Where does CBEST fit? CBEST-CSTAR CHECK/CREST PT Vulnerability Assessment Cyber Essentials Cyber Essentials Plus

7 What is CBEST? Formal framework and methodology for the delivery of intelligence-led, Red Teaming designed to replicate current threats and attack vectors Aimed at improving firms understanding of Cyber threats and focuses on the systems critical to operation of the UK economy A realistic assessment of how your organisation can withstand real world attacks through risk managed, open scope testing: An agreed approach to testing high value systems An understanding of the maturity level and current capabilities of the defences in place Actionable outcomes for improvement A move to break the constraints of typical assurance projects: Scenario and threat based objectives rather than specific system reviews Holistic assessment of people, processes and technology In line with UK Govt. strategy to develop industry capabilities

8 The Approach

9 Key Stages of CBEST Reconnaissance (Threat Intel) Staging - staging platforms will be implemented to emulate that of the agreed threat actors Exploitation - Identified vulnerabilities will be exploited to gain unauthorised access to the target. Control and Movement - Attempt to move from initial compromised systems to further vulnerable or high value systems. Actions On Target - Gaining further access on compromised systems and acquiring access to previously agreed target information and data. Persistence and egress - Mimicking an advanced attacker, persistent access to the network will be secured and simulated exfiltration of staged data performed.

10 Outcomes Threat Intelligence Report Test Plan Incident Response Maturity Report Security Improvement Plan System Security Blue Team Capability

11 Portcullis Journey to CBEST Founding members of CHECK and CREST Dedicated Research and Development function Delivering Security Testing and Consultancy for over 20 years Including War Gaming, Scenario based-testing and Red Teaming to Financial Services, Media, Retail, CNI and Government organisations Scenario based testing for the London 2012 Games - Case study available Invited to help shape the CBEST Framework First private company fully certified to deliver CBEST PT

12 CBEST Team Technical Director CBEST Service Owner CC SAM Dedicated Account Manager CC SAS Intrusion Analyst Exploit Developer Phishing Expert CREST Team Leaders

13 Questions from Banks Common questions raised throughout the initial engagement process: 1. Can you limit the scope / exclude specific systems? 2. What CEFs will you target? 3. What systems are in scope? 4. What scenarios will you test? 5. Can you provide the KPI details? 6. Is there a remediation window between TI reporting and PT scoping? 7. What is the best way to engage TI and PT?

14 How to engage PT and TI Firm TI Partner PT Partner

15 How to engage PT and TI Firm TI Partner PT Partner

16 How to engage PT and TI Firm TI Partner PT Partner Key message it doesn t matter! Every CBEST provider should be willing and able to work with anyone from the framework

17 BoE Q&A Useful to describe the Pre- and Post-CBEST processes? Thoughts on firms volunteering for CBEST? How would one go about this? Key considerations for scoping? Thoughts on the future of CBEST?

18 END OF PRESENTATION Presentation by: David Byrne Title: Service Owner Telephone: +44 (0)

19 CBEST Threat Intelligence June 2015

20 OVERVIEW Why Threat Intelligence in CBEST Demonstration What do we actually do? Summary

21 Digital Footprint Information intentionally projected, shared and pro-actively managed by an organisation Digital Shadow Information un-intentionally exposed that may reveal an attackers intentions or weakness in an organisation 3

22 The adversary has its own shadow Patterns of behavior Goals and Motives Attack vectors of choice Crime: Dark web activities Associations 4

23 (Cyber) threat intelligence - many different things

24 Technical data feeds 6

25 Human enriched feeds 7

26 Human first, curated feeds 8

27 Digital Shadows provides cyber situational awareness Alerts to potential threats, instances of sensitive data loss or compromised brand integrity. Analyze the adversary through an attacker s eye view Relevant, tailored threat intelligence based on sector, size, geography Robust library of attacker profiles, actor groups, TTPs Search beyond traditional dark web to include criminal sites, IRC, Tor, I2P 9

28 10

29 Digital Shadows SearchLight 11

30 Model overview ACTOR ACTIONS ASSETS Entity Model Goals: Motivation, intentions Capabilities: Resources, Skill, Access to target Recon Prep Infil exfil exploit Activity Model Activity Indicators Artifacts Output: Threat Scenarios to be used in a test 17

31 Threat profiles 23

32 Intel link charts 25

33 Portal screenshot (Dashboard) 20

34 Portal Screenshot 1 21

35 Example incident 22

36 timelines 24

37 THREAT LED SECURITY TESTING In May 2014, the Bank of England, Certified Register of Ethical Security Testers (CREST) launched CBEST. CBEST is a threat led approach to conducting security testing. Why is it different? 1. It aims for realistic tests based upon a set of evidence of threats observed in the wild. Tailored to the client. UK Intelligence support this input. 2. It is focused on testing the resilience of systems to attacks. 3. It is much broader in scope than a traditional pen test (a red team approach) Tests are voluntary and the working style is intended to be collaborative

38 2 REPORTING TYPES PRODUCED 1 Threat Intelligence Report 2 Targeting (Foot printing) Report Provides analysis of threat groups based on thorough research Evidence to justify and support actions of testing team OUTPUT: Threat Scenarios USE CASE: Provides supporting evidence for use in security test. Broad analysis of digital footprint to identify riskier areas NOT a full reconnaissance exercise OUTPUT: Initial targets for test USE CASE: Provides input into reconnaissance phase of security test.

39 TI Report Approach INPUTS THREAT LIBRARY OSINT RESEARCH 1 Background Research 2 Develop Threat Summary (Landscape) SCORED THREAT TYPES 3 Develop Actor Profiles SPECIFIC ACTORS (Model) 4 Develop Threat Scenarios THREAT SCENARIOS

40 OSINT Hostile Mentions in Social Media Search over Dark Web Marketplaces Looking for mentions of client across hostile actors. Delivered as filtered alerts. Brings Twitter traffic into scope Identifying discussions on specific fora that might show threats to NS&I, includes ToR and IRC Intelligence Profiles Access to our curated intelligence profiles RFI Requests for Information Tailored Incidents We can provide a default number of hours of analyst time each month to respond to situational awareness requests. We can take your threat profiles as an input and can focus collection on specific groups, countries or other places of concern. We would continue tailor the service based on new finding and your previous incidents and concerns

41 Threat landscape Threat source Capability Intent/ activity Threat score to Client Insider intentional* H H 16 Nation State Disruption and Attack (CNA) VH M 15 Nation State Espionage (CNE) VH M 15 Organised Crime Economic H M 12 Nation State Proxy M M 9 Hacktivist L-M M 6 Journalist/researcher L L 4 Organised Crime Extortion M VL 3 Insider unintentional VL VL 1 Scoring based on high watermark assessment

42 THREAT PROFILES CONSIDERED Islamic Republic of Iran (CNA) Peoples Republic of China (CNE) Russian Speaking O.C.G. Al-Qassam Cyber fighters (CNA) Anonymous / Occupy (hacktivism)

43 THREAT SCENARIO Russian Speaking O.C.G. Islamic Republic of Iran (CNA) Peoples Republic of China (CNE)

44 SCENARIOS AS Narrative

45 Mapping to a storyline

46 Mapping to a storyline

47 Key outputs Scenarios Threat scenario Based on detailed research Emulating real threat Tailored to YOUR assets Goals A set of Goals for the test team A set of agreed flags the team must capture Evidence A lot of Supporting Evidence to show that the test is real Validated by GCHQ SUPPORTS SELECTION OF TARGET and TEST PLAN PRIORITISES FLAGS AGAINST GOALS AND MOTIVATION BACKS UP BUSINESS CASE FOR MITIGATING CONTROLS

48 Project plan and structure 30

49 TI Project plan (6 + 3 Weeks) KEY: Week 1 Week 2 Week 3 Week 4 Week 5 Week 6 1 Deliverable Milestone Configure Collect & Collate Work Commences Workshop DS Tasks Client Tasks C Config Doc Agreed Analyse TI Report Write up Digital Footprint Write up Testing Reconaissance QA INTERNAL 1 2 TI Report Foot printing Report Final Reports CONTINUE MONITORING Alerts Incident Management (SOC) A A Alerts A Alerts A Threat and DL Monitoring

50 What happens with GCHQ Input? Report submitted to BofE BoE submit report to GCHQ Meeting booked by BofE to discuss review outputs Client/TI Provider/ BoE/ GCHQ Week 1 Week 2 Week 3 BoE Reviews (2 weeks) GCHQ Review (2 weeks) Collate Feedback

51 Key performance indicators for TI SAY IT SEE IT PROVE IT 23 measures H/M/L in 6 Categories - Organisation - Direction - Collection - Processing - Dissemination - Review

52 CBEST is an opportunity A justification for a broad test A live measurement of the playbook in realistic circumstances A way of trying out threat intelligence, or comparing it to existing feeds or capability Validation of existing thinking and controls, risk and response plans Evidence to support business cases Use a regulatory driver to support a business case to achieve the things you wanted to do anyway

53 Why we can help Experienced Led development of the TI standards Delivered 5 existing tests Breadth of research Only provider including a breadth of OSINT. Specific to you not a copy/paste, we talk about your assets, your threats. Tailored not just a subscription to existing threat data. Focused on evidence of threat to YOUR assets, based on evidence of threats to YOUR business.

54 SUMMARY A company looking at the digital shadows cast by threats An approach based on real scenarios, goals and evidence Opportunity: use it as a business case We re there to help

55 Thank you For enquiries concerning CBEST/CSTAR contact Portcullis at London San Francisco Level 39, One Canada Square, London, E14 5AB 535 Mission St, Fl. 14, San Francisco, CA (0)