Perspectives on Cyber Security Strategies & Tactics
Joshua Schmookler, Security Administrator, Passaic County NJ MIS Department
Micah Hassinger, Director of Information Technology, Bergen County NJ Communications
Overview (each slide is framed by the lifecycle wheel: Protect, Detect, Respond, Recover)
- Who are the actors?
- What motivates them?
- The anatomy of an attack (what methodology do they use?)
- What is at stake?
Who are the actors?
- Nation-states: China, US, Iran, Russia, etc.
- Cybercriminals: e.g. Vladimir Tsastsin (EstDomains Inc.), Lewys Martin
- Hacktivists: Anonymous
- Terrorists
What motivates them? Nation-states
- Generally motivated by national interests
- Generally interested in stealing information from others to benefit their own nation
- Sometimes interested in spying (Flame)
- Sometimes become more aggressive, destroying information or other assets in a way that benefits national interests (Stuxnet)
What motivates them? Cybercriminals
- Mostly motivated by profit: CryptoLocker, click fraud, infostealing
- Some people just want to watch the world burn: wiper viruses
What motivates them? Hacktivists
- Want to make a point
- Deface websites
- Denial of service
- Steal embarrassing information
What motivates them? Terrorists
- Similar to hacktivists in many ways
- Generally want to cause damage
- May be more sinister and wish to cause loss of life
- May be nation-state funded and motivated
Types of attacks
- Malware: rootkits, infostealers, worms, botnets, trojans
- Man-in-the-Middle
- Man-in-the-Browser
- Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
- Password dictionary and brute-force attacks
- Phishing and social engineering
What is at stake?
- Deletion of data: Wiper, CryptoLocker
- Destruction of assets: Batchwiper, Stuxnet
- System failures: denial of service
- Spying: Flame
What is at stake? Wiper
- Wiper was so effective that we know very little about it
- Wiper was so effective that it wiped itself out
- There is (still) some debate as to whether Wiper even existed as a distinct piece of malware
- Was targeted at Iranian PCs, specifically affecting the energy (oil) sector, in April 2012
- Destroys nearly all data, leaving no traces
- The often-quoted figure of about 30,000 destroyed PCs belongs to Shamoon, the related wiper that hit Saudi Aramco in August 2012; public reporting gives no reliable machine count for Wiper itself
What is at stake? Stuxnet
- Specifically targets Siemens Step7 software and the PLCs it programs
- Utilized an unprecedented four Windows zero-day exploits simultaneously
- If Siemens Step7 is not detected, Stuxnet only keeps spreading; the PLC payload stays dormant
- When centrifuges are controlled by an infected machine, Stuxnet alters their rotation speed while replaying normal readings to operators, wearing out or destroying the centrifuges
- It is estimated that Stuxnet destroyed nearly one fifth of Iran's centrifuges at Natanz
- Duqu was built on the same platform as Stuxnet; Flame is a separate code base that shares an early Stuxnet component
What is at stake? Flame/Duqu (the capabilities listed are Flame's)
- Targeted malware directed at the Middle East
- Designed to spy unobtrusively
- Capable of recording audio, screenshots, keyboard activity, network traffic, and webcam data
- Capable of turning the PC into a Bluetooth beacon to record data about nearby cell phones
- Also capable of accessing documents on the PC
- Supports a kill command that wipes all traces from the affected PC
- Affected well over 1,000 machines, 65% of them in the Middle East, the huge majority in Iran
What is at stake? CryptoLocker
- Indiscriminate targeting
- Malware infects the PC silently
- Encrypts file contents with AES and wraps each file key with a 2048-bit RSA public key generated per victim on the attackers' server; without the matching private key the data is not practically recoverable
- Holds the files to ransom against a countdown (72 hours in the original samples), waiting for the user to pay
- If the user does not pay, the private key is deleted and the files are lost forever
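Because a CryptoLocker victim cannot recover the private key, the practical defenses are offline backups and catching the encryption while it is still running. The script below is an added example (not code from this deck or from the presenters): it flags files whose byte distribution looks like ciphertext, which is what the "encrypted/missing files" indicator from the detection slide looks like on disk. The entropy threshold, the suffix list and the in-memory sample files are constructed assumptions.

```python
"""Flag files whose contents look like ransomware output.

Added example, not code from the original deck. CryptoLocker-style malware
leaves files whose bytes are close to uniformly distributed; documents and
source code are not. The sample files are constructed in memory so this runs
offline.
"""
import math
import random
from collections import Counter

# Assumption: bits per byte at or above this is treated as ciphertext-like.
# Plain text sits around 4-5 bits/byte; compressed or encrypted data approaches 8.0.
ENTROPY_THRESHOLD = 7.5
# Assumption: ransom-style suffixes to watch for; real families vary.
SUSPICIOUS_SUFFIXES = (".encrypted", ".locked")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> dict:
    """Evaluate one file against both indicators."""
    ent = shannon_entropy(data)
    return {
        "name": name,
        "entropy": round(ent, 2),
        "high_entropy": ent >= ENTROPY_THRESHOLD,
        "ransom_suffix": name.lower().endswith(SUSPICIOUS_SUFFIXES),
    }


def suspicious_files(files: dict) -> list:
    """Names of files that trip either indicator, in input order."""
    hits = []
    for name, data in files.items():
        verdict = classify(name, data)
        if verdict["high_entropy"] or verdict["ransom_suffix"]:
            hits.append(name)
    return hits


# Constructed sample "directory": a memo, its encrypted twin (pseudo-random
# bytes from a fixed seed stand in for ciphertext), and a notes file.
_rng = random.Random(2014)
SAMPLE_FILES = {
    "budget.docx": b"Quarterly budget memo for the MIS department. " * 100,
    "budget.docx.encrypted": bytes(_rng.getrandbits(8) for _ in range(4096)),
    "notes.txt": b"Meeting notes: patch cycle is Tuesday.\n" * 50,
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(classify(name, data))
    print("suspicious:", suspicious_files(SAMPLE_FILES))
```

One caveat a practitioner will hit immediately: compressed formats (zip, jpeg, PDFs full of images) are high-entropy by nature, so an absolute threshold on its own produces false positives. A production check keys on a file's entropy jumping between two snapshots, or on a burst of renames to a new suffix from one process, rather than on a single reading.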
Threat assessment / hazard identification: what information needs protecting?
- Personally Identifiable Information (PII)
- Critical Infrastructure / Key Resources (CI/KR)
- Law enforcement (LEO) networks: 28 CFR requirements
- Sensitive information networks / systems
What is to be gained?
Don't let your network wear a red shirt!
Security Lifecycle
Detect Respond Recover Protect Anatomy of an attack
Have I been breached?
- User experience impacted
- Encrypted or missing files
- User accounts locked
- Slow upload speed
- MX record blacklisted
- Deep packet analysis (RSA Security Analytics)
- IPS / anti-virus logs
- Security log analysis
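The "user accounts locked" and "security log analysis" indicators, worked through as an added example that is not part of the original deck: the script reads OpenSSH-style authentication lines and reports a burst of password failures from one source followed by a success from the same source, which is the footprint a dictionary attack (from the types-of-attacks slide) leaves behind. The sample log, the failure threshold, the time window and the assumed year are constructed assumptions.

```python
"""Spot password brute-force activity in authentication logs.

Added example, not code from the original deck. Parses OpenSSH-style syslog
lines and flags (a) a burst of failures from one source and (b) a successful
login from that source right after the burst. The sample log is constructed
with TEST-NET addresses (RFC 5737) so the script runs offline.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)
FAIL_THRESHOLD = 5    # assumption: failures per window that count as brute force
WINDOW_SECONDS = 300  # assumption: five-minute sliding window
LOG_YEAR = 2014       # syslog lines carry no year; assumed for parsing


def parse(line: str):
    """Return a dict for a password auth line, or None for lines we ignore."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def analyze(lines):
    """Map source IP -> list of findings (only IPs with at least one finding)."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    recent_fails = defaultdict(list)   # ip -> failure timestamps inside the window
    users_tried = defaultdict(set)     # ip -> distinct usernames attempted
    findings = defaultdict(list)
    for e in events:
        ip, now = e["ip"], e["ts"]
        window = [t for t in recent_fails[ip]
                  if (now - t).total_seconds() <= WINDOW_SECONDS]
        if e["result"] == "Failed":
            window.append(now)
            users_tried[ip].add(e["user"])
            # Report once, when the threshold is first crossed, not on every extra failure.
            if len(window) == FAIL_THRESHOLD:
                findings[ip].append(
                    f"brute force: {FAIL_THRESHOLD} failures within {WINDOW_SECONDS}s "
                    f"across {len(users_tried[ip])} usernames")
        elif len(window) >= FAIL_THRESHOLD:
            # A success right after a burst of failures is the strongest signal here.
            findings[ip].append(
                f"success for {e['user']} after {len(window)} recent failures")
        recent_fails[ip] = window
    return dict(findings)


# Constructed sample: an attacker at 203.0.113.5 walks a short wordlist and
# eventually gets in as alice; 198.51.100.7 is a user who mistyped once.
SAMPLE_LOG = """\
Mar 10 02:14:01 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 02:14:03 gw sshd[2201]: Failed password for invalid user test from 203.0.113.5 port 51235 ssh2
Mar 10 02:14:05 gw sshd[2202]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 10 02:14:07 gw sshd[2203]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar 10 02:14:09 gw sshd[2204]: Failed password for alice from 203.0.113.5 port 51238 ssh2
Mar 10 02:14:12 gw sshd[2205]: Accepted password for alice from 203.0.113.5 port 51239 ssh2
Mar 10 02:30:00 gw sshd[2301]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Mar 10 02:31:00 gw sshd[2302]: Accepted password for bob from 198.51.100.7 port 40002 ssh2
Mar 10 02:32:00 gw sshd[2303]: pam_unix(sshd:auth): authentication failure; logname= uid=0
""".splitlines()

if __name__ == "__main__":
    for ip, notes in analyze(SAMPLE_LOG).items():
        for note in notes:
            print(f"{ip}: {note}")
```

The single-IP window is deliberately simple; a distributed dictionary attack spreads attempts across many sources, so the same logic is usually run a second time keyed on the target username instead of the source address, and the results are forwarded to the SIEM named on the next slide rather than read by hand.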
How should we react?
- Threat remediation plan
- Security Information and Event Management (SIEM)
- Malware protection systems
- CERT (Computer Emergency Response Team)
What can we use to shield ourselves?
- Policies written by the entity
- Patching and maintaining up-to-date operating systems and essential programs
- Intrusion Detection and Prevention Systems
- Traditional firewalls
- Web/email filters
- Anti-virus
- Security Information and Event Management (SIEM)
- Malware protection systems
- Unbiased (third-party) penetration testing
What do I do now?
- Find patient zero
- Execute the threat remediation plan
- Isolate affected machines
- Restore damaged/lost files
- Evaluate policies to better protect
- Identify the attack vector
Cyber policy as a defense strategy
- Policy
  - Password complexity and expiration
  - Checking for CVEs affecting deployed software
  - Acceptable use policies
  - External device policies (BYOD)
- Response policy
  - Hacking event response
  - Employee training and education
  - Patch management
Layering protection with partnerships
- Regional assets
- Maximize efficiency through shared costs and protection
- Leverage open-source communities
- Trade technical expertise for cost savings
- Reduce overhead
Information sharing
- Communications: internal / external
- Who do you share with?
- Automated communications during an event
- Herd immunity through communication
- Passive alert systems
- Big data analysis
- Herd alertness
UASI (Urban Areas Security Initiative) project: key goals
- Secure networks from attack
- Protect against known, recently discovered, and unknown malware
- Integrate threat intelligence from MS-ISAC (Multi-State Information Sharing and Analysis Center) and other sources
- Increase incident reporting to NJ SARS
- Share actionable intelligence regarding detected threats with the region (and beyond)
- Coordinate incident reporting
UASI project, Phase 1: Evaluation
- Identify key players in the cyber security market
- Evaluate solutions from market leaders on-site, with real traffic
- Generate a report detailing findings and recommending a solution
UASI project, Phase 1: Evaluated solutions
- SafeMedia
- McAfee Network Security Platform (NSP)
- RSA Security Analytics (formerly NetWitness)
- Sourcefire (now Cisco) 3D Series NGFW/NGIPS
UASI project, Phase 1: SafeMedia
- SafeMedia was found to be effective but small
- Ability to execute on the part of the company was lacking
- Very cost effective
- Very user friendly
UASI project, Phase 1: McAfee NSP
- Not as user-friendly as Sourcefire and SafeMedia
- Very effective IPS
- Very effective malware platform
- Information sharing non-existent
- No security intelligence integration
UASI project, Phase 1: RSA Security Analytics
- The least user friendly of the group
- Extremely effective analytics platform
- Very effective malware detection
- Good integration with security intelligence and information sharing
- Extremely expensive
- Can detect only; does not block threats
UASI project, Phase 1: Sourcefire
- Extremely user friendly
- Extremely effective IPS and malware detection
- Excellent security intelligence and information sharing capabilities
- Second least expensive platform
- Included firewall capabilities are an excellent value-add
- Additional value-add from optional URL filtering and optional endpoint malware protection
UASI project, Phase 1: Recommendation
- Based on the intensive (7-month) on-site evaluation, Sourcefire (now Cisco) was chosen as the platform that best meets the needs of the region, including integration with MS-ISAC, which was defined as non-negotiable
UASI project, Phase 2: Implementation
- Currently ongoing; implementation of the chosen solution will be completed within the next 21 days
- Coordination and planning are key to a successful implementation
- When completed, the UASI area will be extremely well equipped to deal with cyber attacks and to share that actionable intelligence with the region and beyond
Any questions?
Joshua Schmookler, Security Architect/Network Administrator, Passaic County NJ MIS Department, joshuas@passaiccountynj.org, 973-881-4273
Micah Hassinger, Director of Information Technology, Bergen County NJ Communications, micah@bcpsoc.com, 201-785-8512
Thank you for your time!