Defending against Cyber Attacks

Transcription

1 2015 AMC Privacy & Security Conference Defending against Cyber Attacks MICHAEL DOCKERY CHRIS BEAL PAUL HOWELL Security & Privacy Track June 24, 2015

2 In the News 2015 MCNC General Use v1.0

3 Healthcare Data Breaches April % increase in healthcare data breaches in % higher than rate across all industries Majority caused by human error and lost or stolen devices 44% of healthcare breaches due to lost or stolen devices Accidental disclosure due to human error up 11% in 2014 Targeting of patient medical info an increasing issue Breaches resulting from targeted attacks up 82% in 2014 Breaches resulting from insider theft nearly doubled in MCNC General Use v1.0

4 Why Are Attackers Interested In Healthcare Targets? Medical data sets tend to be more complete compared to what can be obtained elsewhere Government ID, bank and credit card info, insurance info, physical descriptors, health status Can be used for ID theft, financial fraud, prescription fraud, obtaining passports, visas or other ID Translates to higher value for attackers Credit card numbers may fetch from $0.50 to $1.00 ID and insurance info worth up to $10 or as high as $50 depending on completeness of the record MCNC General Use v1.0

5 Healthcare Data Breaches April MCNC General Use v1.0

6 Why s It Getting Tougher? Threats Have Evolved Attackers Are Smarter & More Efficient Users are More Mobile (BYOD) Data Is More Distributed Everything is Interconnected Short Supply Motivations Are Focused on Near-Term 2015 MCNC General Use v1.0

7 [ 7] R & E Networks Not Immune

8 [ 8]

9 Questions for Panel What do you think is the most significant cyber threat facing healthcare today? Outline a strategy for defending against cyber attacks? Determine what his/her organization can do to improve its security posture against cyber attacks?

10 [ 10 ] Simple DDoS Attack

11 [ 11 ] Man in the Middle Attack

12 DDoS Bandwidth Use Source: Arbor Networks [ 12 ]

13 Multi-Vector and Adaptive Source: Coreo Network Security [ 13 ]

14 Defenses Watch what s happening on the network. Know which systems depend on external Internet access. Get an alternative to . Secure your teleconferences. Send your conference passcode securely, not in the body of your calendar invite. Be ready for total shutdown, if necessary. Ask your ISP about their capabilities. Consider mitigation such as scrubbing services. For very large attacks, consider contacting a DDoS mitigation company. [ 14 ]

15 Defenses US-CERT Alert TA15-120A Securing End to End Communications Employing multiple network and browser protection methods forces an attacker to develop different tactics, techniques, and procedures to circumvent the new security configuration. Use VPNs and HTTPS Prepare your people for these advanced attacks by educating them on the dynamics, patterns, samples and frequency of attack methods attempted on other organizations. [ 15 ]

16 SIEM and Endpoint Failures Due to Inability to Detect Malware Mine for Windows Codes Indicative of Malware 1. Implement Malware Cheat Sheet Logging Recommendations Be prepared for incident and have logs available 2. Focus on codes that are indicative of Malware See Michael Gough s tutorials and slide shares Monitor CMD.EXE usage Process Create 4688 File/Registry Auditing 4663 Service Changed 4070 User Login Success 4624 Share Accessed Use analytics where possible to look for indicators of partner compromise. 4. Remove admin and ban usage/internet access using admin credentials

17 Analytics You May Already Have Source Proofpoint Malicious Links from Partners

18 Malicious Link Sorted for a Year by Partner, Source Proofpoint

19 Individual Partner Threat Report: Malicious Links, Source Proofpoint

20 Panel Questions What is working right now in Cyber Defense and what is broken? What are your go to resources which are giving you an edge? Any magic bullets?

21 Where To Begin? 2015 MCNC General Use v1.0

22 The Critical Security Controls A ready-made list of the things you should be thinking about and doing to protect your assets This is your map! What Are They? While not a replacement for a formal Risk Management program or framework, you can consider the controls as a foundational risk assessment A starting point for immediate, high-value action that is demonstrably consistent with formal risk assessment frameworks Not a on-size-fits-all solution. You still need to understand what s important to your business, your specific threat environment, and develop a plan for assessment, implementation, and ongoing management MCNC General Use v1.0

23 5 Critical Tenets 1 Offense Informs Defense Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defenses. Include only those controls that can be shown to stop known realworld attacks. 2 Prioritization Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented in your computing environment. 3 Metrics Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly. 4 Continuous Diagnosis and Mitigation Carry out continuous measurement to test and validate the effectiveness of current security measures, and to help drive the priority of next steps. 5 Automation Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics MCNC General Use v1.0 Of an Effective Cyber Defense System

24 The Critical Security Controls 2015 MCNC General Use v1.0

25 Example CSC 5 What? Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action. Why? Malware Defenses Malware is pervasive and used in the majority of modern attacks and data breaches, in order to compromise systems and account credentials 2015 MCNC General Use v1.0

26 Example CSC MCNC General Use v1.0 Malware Defenses ID # Description Category CSC 5-1 CSC 5-2 Use automated tools such as anti-virus, anti-spyware, host-based firewalls, and host-based IPS to continuously monitor systems for indicators of malware. Use anti-malware software that offers remote, cloud-based centralized management infrastructure to share intelligence and update managed systems. Quick Win Quick Win CSC 5-3 Disable auto-run feature for removable media and network shares. Quick Win CSC 5-4 Automatically scan removable media for malware upon connection to a system. Quick Win CSC 5-5 Scan all and block messages containing malicious content. Quick Win CSC 5-6 Enable features such as DEP, ASLR, containerization, etc. Quick Win CSC 5-7 Limit use of external devices to only where it is required. Quick Win CSC 5-8 Ensure that automated monitoring tools use behavior-based anomaly detection in addition to signature based detection. Visibility CSC 5-9 Use network-based malware scanning tools to detect and filter network traffic. Visibility CSC 5-10 Implement IR process to collect malware samples found to be running that were not caught by existing malware defenses. Advanced CSC 5-11 Enable DNS query logging to detect lookups for known bad sites. Advanced

27 First Five Quick Wins 1 Application Whitelisting CSC2 2 Use of Standard, Secure System Configurations CSC 3 3 Patch Application Software Within 48 Hours CSC 4 4 Patch System Software Within 48 Hours CSC4 5 Reduce Number of Users With Administrative Privileges CSC 3, CSC MCNC General Use v1.0

28 The Top 4 Strategies 1 Application Whitelisting Explicitly define the applications that are allowed to run on a system 2 Patch Applications Keep applications updated 3 Patch the Operating System Keep the OS and core components updated 4 Minimize Administrative Privileges Limit the power that users have on systems and what they are allowed to change 2015 MCNC General Use v1.0

29 Resources VER pdf Spotting the Adversary Windows Event Log Monitoring TSA SG NSA/CSS Information Assurance Service og_monitoring.pdf Windows Logging Cheat Sheet cheat sheet v11?related=4 Michael Gough s Logging Slides, Slideshare Episode #388 Paul s Security Weekly

30 Thank You Chris Beal Chief Security Architect on Twitter Paul Howell Internet2 Chief Cyberinfrastructure Security Officer Michael Dockery Information Security Officer Cincinnati Insurance Companies Disclaimer: The author s affiliation with The Cincinnati Insurance Companies is provided for identification purposes only, and is not intended to convey or imply Cincinnati Insurance s concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author AMC Privacy & Security Conference