Page 1: Defending the Academy - nwacc.org

Defending the Academy
Maintaining stakeholder confidence and trust in a changing digital world
Revision 004 / 09 October 2018

Christian Schreiber, CISM, PMP

Global Pursuit Specialist - FireEye

Page 2: Defending the Academy - nwacc.org

Introductions


Page 3: Defending the Academy - nwacc.org

©2018 FireEye | Private & Confidential

Personal background
• 20+ years IT and security experience
• CISO positions: The University of Arizona, University of Wisconsin – Whitewater
• IT leadership: University of Wisconsin – Madison, Central Michigan University
• Service provider leadership: SunGard Data Systems / Ellucian

FireEye roles
• Global Pursuit Specialist with focus on universities / public sector
• Program Executive supporting University of California System since 2016

Page 4: Defending the Academy - nwacc.org


Who is FireEye? Unique visibility across attack lifecycle

Adversary Intelligence: Deploying global researchers with local knowledge
• 22 countries
• 30+ languages
• 150+ analysts & researchers

Machine Intelligence: Generating attack telemetry globally
• 15,000+ network sensors
• Millions of endpoints and email mailboxes
• 56 countries
• Performing tens of millions of malware detonations per hour

Victim Intelligence: Responding to the most significant breaches
• 13+ years investigative expertise
• 200+ of the Fortune 500
• 26 countries with consultants

Campaign Intelligence: Witnessing attacks as they unfold
• 7 Security Operations Centers
• 4M+ monitored endpoints
• 120K+ analyst investigations*
• 7 new attack groups identified*

* 2017 Managed Defense statistics

More than 40% of R1 institutions are FireEye customers

Page 5: Defending the Academy - nwacc.org

Frequently consulted for cybersecurity insights

Page 6: Defending the Academy - nwacc.org

What is the world’s deadliest animal?


Page 7: Defending the Academy - nwacc.org

The mosquito kills more humans each year than any other animal*

Human deaths per year, by animal (chart data):
• Mosquito: 830,000
• Human: 580,000
• Snake: 60,000
• Sandfly: 24,200
• Dog: 17,400
• Kissing bug: 8,000
• Freshwater snail: 4,400
• Tsetse fly: 3,500
• Scorpion: 3,500
• Ascaris roundworm: 2,700
• Tapeworm: 1,600
• Crocodile: 1,000
• Hippopotamus: 500
• Elephant: 100
• Lion: 100
• Bee: 60
• Tiger: 50
• Jellyfish: 40
• Wolf: 10
• Shark: 6

*Ramsey, Lisa. “The world’s deadliest animal isn’t a shark or even a human.” 25 April 2017. Available online at http://www.businessinsider.com/bill-gates-mosquitoes-deadliest-animals-2017-4

Page 8: Defending the Academy - nwacc.org

Macro trends impacting higher education


Page 9: Defending the Academy - nwacc.org

Sophistication of attackers

“The line between certain financial attackers and state-sponsored attackers no longer exists.”

* Mandiant M-Trends 2017
* Accessed online from http://www.dailymail.co.uk/news/article-2198755/Herbie-Goes-For-Sale-Iconic-VW-Beetle-grabs-asking-price-96-000-youd-want-fully-loaded.html

Page 10: Defending the Academy - nwacc.org

Resurgence of self-propagating malware

• Spread using network worms
• Exploit known vulnerabilities

Page 11: Defending the Academy - nwacc.org

Non-IT leaders more aware of cyber issues

Stakeholders asking more questions about cybersecurity posture
• Boards
• Presidents / Chancellors
• Provosts / Deans
• Donors / Alumni
• Research sponsors
• Auditors

Page 12: Defending the Academy - nwacc.org

Research sponsors adding cybersecurity requirements

Controlled Unclassified Information (CUI) / NIST 800-171

Information Security: Confidentiality, Integrity, Availability

Most people associate cybersecurity with CONFIDENTIALITY

Sponsors also care about AVAILABILITY and INTEGRITY of data

Page 13: Defending the Academy - nwacc.org

CUI impact not limited to research

Institutions have “legal obligations to protect student information used in the administration of the Title IV Federal student financial aid programs.”

“NIST SP 800-171 identifies recommended requirements for ensuring the appropriate long-term security of certain Federal information in the possession of institutions.”

US Department of Education notices GEN-15-18 and GEN-16-12

Page 14: Defending the Academy - nwacc.org

Expectations for due diligence beginning to solidify

George W Bush
• Designation and Sharing of Controlled Unclassified Information (CUI) (07 May 2008)

Barack Obama
• Executive Order 13556 – Controlled Unclassified Information (04 Nov 2010)
• Executive Order 13636 – Improving Critical Infrastructure Cybersecurity (12 Feb 2013)

Donald J Trump
• Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (11 May 2017)

Guidance consistent across three administrations

Page 15: Defending the Academy - nwacc.org

Understanding advanced attacks


Page 16: Defending the Academy - nwacc.org

What do we mean by an “advanced attack?”

It’s a “who” not a “what”
• There is a human at the keyboard
• Performing highly tailored and customized attacks
• Targeted at YOU

Professional, organized, well funded
• Attackers escalate sophistication of their tactics as needed
• They remain relentlessly focused on their objective

If you kick them out, they WILL return
• They have specific objectives
• Their goal can be long-term or short-term
• They use persistence tools and tactics to ensure ongoing access

Page 17: Defending the Academy - nwacc.org

Difficult to fully investigate once detected

Page 18: Defending the Academy - nwacc.org

What the customer thought they had contained

Page 19: Defending the Academy - nwacc.org

What was actually happening in their network

46% of compromises don’t use malware*

* Mandiant M-Trends 2016

Page 20: Defending the Academy - nwacc.org

APT35 (Newscaster) Case Study*

Attack lifecycle phases: Initial Recon → Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon → Lateral Movement → Maintain Presence → Complete Mission

Case-study steps, in attack order:
• Recon: Identify users of interest (executives, R&D, etc.)
• Spear phishing email with link to malicious resume on compromised (legitimate) website
• PUPYRAT & BROKEYOLK to steal user’s credentials and maintain persistence
• Use custom Mimikatz to steal additional credentials from 500+ remote hosts
• Use O365 admin tools to assign read access for targeted inboxes to a single compromised account
• Logon to Outlook Web Access using compromised account to harvest data from hundreds of target inboxes
• Logon to VPN using stolen credentials (no additional backdoors deployed by attacker)
• Use extracted data to target other (partner) organizations for destructive attacks

* Mandiant M-Trends 2018
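The mailbox-delegation step in the case study (one compromised account granted read access to many inboxes) leaves a distinctive trail in admin audit logs. The following is an added example, not code from the deck or from FireEye; the audit events are constructed, and the record layout (timestamp, actor, operation, target mailbox, grantee) is an assumption standing in for a real admin-audit feed.

```python
"""Hunt for one account accumulating access to many mailboxes in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real tenant data). Layout is an assumption:
# (utc_timestamp, admin_actor, operation, target_mailbox, grantee)
SAMPLE_EVENTS = [
    ("2018-09-03T08:02:11", "helpdesk1", "Add-MailboxPermission", "dean.eng@example.edu", "jdoe"),
    ("2018-09-03T08:03:40", "helpdesk1", "Add-MailboxPermission", "cfo@example.edu", "jdoe"),
    ("2018-09-03T08:05:02", "helpdesk1", "Add-MailboxPermission", "provost@example.edu", "jdoe"),
    ("2018-09-03T08:05:59", "helpdesk1", "Add-MailboxPermission", "vp.research@example.edu", "jdoe"),
    ("2018-09-03T08:07:13", "helpdesk1", "Add-MailboxPermission", "ciso@example.edu", "jdoe"),
    ("2018-09-03T08:08:30", "helpdesk1", "Add-MailboxPermission", "cfo@example.edu", "jdoe"),  # repeat grant
    ("2018-09-03T08:09:00", "helpdesk1", "Remove-MailboxPermission", "old@example.edu", "jdoe"),
    # Routine delegation: one mailbox at a time, weeks apart, should not fire.
    ("2018-08-14T10:00:00", "helpdesk2", "Add-MailboxPermission", "registrar@example.edu", "asmith"),
    ("2018-09-10T13:30:00", "helpdesk2", "Add-MailboxPermission", "bursar@example.edu", "asmith"),
]


def grants_by_grantee(events):
    """Keep only permission grants, grouped per grantee and sorted by time."""
    grants = defaultdict(list)
    for ts, actor, op, mailbox, grantee in events:
        if op != "Add-MailboxPermission":
            continue
        grants[grantee].append((datetime.fromisoformat(ts), mailbox, actor))
    for items in grants.values():
        items.sort()
    return grants


def find_delegation_fanout(events, window=timedelta(hours=24), threshold=5):
    """Flag grantees given access to >= threshold distinct mailboxes within
    any window-long span. Returns {grantee: (mailboxes, granting_actors)}."""
    hits = {}
    for grantee, grants in grants_by_grantee(events).items():
        start = 0
        for end in range(len(grants)):
            # Slide the window start forward until grant[start] is within
            # `window` of grant[end]; the slice is then one candidate burst.
            while grants[end][0] - grants[start][0] > window:
                start += 1
            burst = grants[start:end + 1]
            mailboxes = {mailbox for _, mailbox, _ in burst}
            if len(mailboxes) >= threshold:
                actors = {actor for _, _, actor in burst}
                hits[grantee] = (sorted(mailboxes), sorted(actors))
                break  # one finding per grantee is enough for triage
    return hits


if __name__ == "__main__":
    for grantee, (mailboxes, actors) in find_delegation_fanout(SAMPLE_EVENTS).items():
        print(f"{grantee}: access to {len(mailboxes)} mailboxes, granted by {actors}")
```

The granting actor is reported alongside the grantee because in the case study the grants were made through legitimately held admin tooling, so the admin account itself is part of the scope question.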

Page 21: Defending the Academy - nwacc.org

Social engineering primary method of entry

• Email phishing
• Social media
• Telephone / Chat

Page 22: Defending the Academy - nwacc.org

Stolen credentials primary method of data exfiltration

• Exploit authorized access by stealing legitimate credentials
• Use cloud services to exfiltrate data

Page 23: Defending the Academy - nwacc.org

Once a target, always a target*

• 56% of Incident Response customers experienced a significant attack by the same or similarly motivated attack group within 19 months
• 49% of customers who had at least one significant attack were successfully attacked again within one year
• 86% of customers who had more than one significant attack had more than one unique attacker in their environment

* Mandiant M-Trends 2018

Page 24: Defending the Academy - nwacc.org

Do advanced attacks really impact higher education?

“To run their spying campaign, the [Chinese] attackers used a number of compromised computer systems registered to universities in North Carolina, Arizona, Wisconsin and New Mexico…”*

* Perlroth, Nicole. “Hackers in China Attacked the Time for Last 4 Months.” 31 January 2013. Available online.

Page 25: Defending the Academy - nwacc.org

Iranian credential harvesting targeting universities

9 charged with data theft
• Hacked 8,000 professors at 320 universities
• 144 U.S. universities were victims

Leveraged multiple techniques
• Spear phishing
• Password spray attacks

Attackers did not stop once exposed
• Silent Librarian attackers charged in April 2018, but attacks still ongoing as of August 2018
• 76 additional targeted universities in 14 countries since indictment

* Accessed online from https://www.zdnet.com/article/iran-hackers-target-70-universities-in-14-countries/

Page 26: Defending the Academy - nwacc.org

Many threat groups target higher education

FireEye customers targeted by multiple threat groups, by industry* (bar chart; horizontal axis: number of different threat groups, 0 to 7)

Industries shown: Non-Profit, Government, Business and Professional Services, Transportation and Logistics, Other, Financial, Energy, Biotechnology and Pharmaceuticals, Retail and Hospitality, Media and Entertainment, Healthcare, Manufacturing, Construction and Engineering, Education, Telecommunications, High Tech

* Mandiant M-Trends 2018

Page 27: Defending the Academy - nwacc.org

Why target higher education


Page 28: Defending the Academy - nwacc.org

Why target higher education? FINANCIAL GAIN

Personal information theft

Intellectual property theft

Financial fraud

Payment extortion

Page 29: Defending the Academy - nwacc.org

Why target higher education? DISRUPT OPERATIONS

Data destruction

Denial of Service

Hactivism

Page 30: Defending the Academy - nwacc.org

Why target higher education? EXPLOIT INFRASTRUCTURE

Pass through attacks

Resource hijacking

Watering hole attacks

Page 31: Defending the Academy - nwacc.org

Why target higher education? GEOPOLITICAL OBJECTIVES

Steal personal information

Steal intellectual property

Monitor individuals

Page 32: Defending the Academy - nwacc.org

Why target higher education? CREDENTIAL THEFT

• Allows attackers to hide in plain sight (VPN, email, etc.)
• Enables access to resources otherwise unavailable (library resources, discounts, etc.)

Page 33: Defending the Academy - nwacc.org

Exploring security concepts


Page 34: Defending the Academy - nwacc.org

Some common Defense-in-Depth analogies

Network

Platform

Application

Data

Page 35: Defending the Academy - nwacc.org


What do these analogies have in common?

They describe methods of PREVENTING attackers from reaching your assets


Page 36: Defending the Academy - nwacc.org

Why are messages focused on prevention problematic?

No technical solution can prevent all attacks all the time

There will always be bad actors looking to exploit that security gap

Asymmetric Threat

Page 37: Defending the Academy - nwacc.org

Mitigate risk with a cyber resilience strategy

• Prevent Incidents: Identify threats early to help prevent a security incident
• Reduce Impact: Disrupt the attack chain and act to mitigate damage
• Improve Efficiencies: Make better use of your resources

Page 38: Defending the Academy - nwacc.org

Adopt a comprehensive framework to guide your program

Identify

Protect

Detect

Respond

Recover

* From NIST 800-171

e.g. NIST Cybersecurity Framework (CSF) core functions

Page 39: Defending the Academy - nwacc.org

Change your narrative when describing security goals

Art museum vs Castle
• Museums must protect valuable assets
• ...while creating an open welcoming environment
• …and allowing visitors within inches of the assets

Page 40: Defending the Academy - nwacc.org

Underlying security goals are different

Castle Analogy
• GOAL: Protect assets by preventing attackers from gaining entry

Museum Analogy
• GOAL: Protect assets while enabling visitors to gain entry

A museum cannot succeed if visitors have a difficult time gaining access

Page 41: Defending the Academy - nwacc.org

Key assets are treated differently

Castle Analogy
• GOAL: Most valuable assets are isolated, making them difficult for attackers to reach

Museum Analogy
• GOAL: Most valuable assets are highlighted, making them easier for visitors to reach

Visitors are encouraged to visit the most important assets in a museum

Page 42: Defending the Academy - nwacc.org

Monitoring is approached differently

Castle Analogy
• GOAL: Cover the perimeter thoroughly
• Focus on preventing bad actors from gaining access

Museum Analogy
• GOAL: Cover the interior thoroughly
• Focus on preventing bad actors from exploiting access

Museums must assume bad actors can act from inside the perimeter

Page 43: Defending the Academy - nwacc.org

How does a museum approach breach resilience?

Identify

Protect

Detect

Respond

Recover

Page 44: Defending the Academy - nwacc.org

How does a museum approach breach resilience?

Identify
• Maintain accurate inventory
• Identify visitors (tickets / passes)
• Employee background checks

* Accessed online from http://www.montel.com/en/markets/museum-mobile-shelving-storage/museums

Page 45: Defending the Academy - nwacc.org

How does a museum approach breach resilience?

Protect
• Implement physical barriers to protect high-risk assets
• Limit visitor flow to specific entry points
• Implement additional visitor checkpoints around high-risk collections

* Accessed online from https://www.louvre.fr/en/security-officer

Page 46: Defending the Academy - nwacc.org

How does a museum approach breach resilience?

Detect
• Pervasive monitoring (cameras, motion sensors)
• Apply intelligence with AI, facial recognition, etc.
• Deploy guards to monitor visitor activity

Page 47: Defending the Academy - nwacc.org

How does a museum approach breach resilience?

Respond
• Empower guards to respond to threats
• On-demand protective barriers
• Fire / smoke suppression systems

* Accessed online from https://www.asmag.com/showpost/13890.aspx

Page 48: Defending the Academy - nwacc.org

How does a museum approach breach resilience?

Recover
• Insurance
• Escalation to law enforcement
• Tracking devices to locate objects

* Accessed online from https://www.smithsonianmag.com/smart-news/professor-helps-bust-italian-art-theft-ring-180963563/

Page 49: Defending the Academy - nwacc.org

Building a cyber resilience strategy


Page 50: Defending the Academy - nwacc.org

Where should you focus limited resources?

Identify

Protect

Detect

Respond

Recover

Page 51: Defending the Academy - nwacc.org

Balance your investment and strategies

DETECTION, RESPONSE, & RECOVERY are often less robust

Page 52: Defending the Academy - nwacc.org


Identify

Page 53: Defending the Academy - nwacc.org

Maintain inventory of your data assets

“If we guard our toothbrushes and diamonds with equal zeal, we’ll lose fewer toothbrushes and more diamonds.” – McGeorge Bundy

Page 54: Defending the Academy - nwacc.org

Understand your regulations

Map data assets to regulations

Map regulations to your security framework

Don’t let new regulations distract from your strategy

* Accessed online from http://themetapicture.com/i-get-easily-distracted/

Page 55: Defending the Academy - nwacc.org

Understand your security responsibilities

"Security and Compliance is a shared responsibility between AWS and the customer…”*

Providers help secure underlying components, but you are ultimately responsible for securing your data.

* Amazon AWS. “Shared Responsibility Model.” Available online at https://aws.amazon.com/compliance/shared-responsibility-model/

Page 56: Defending the Academy - nwacc.org


Protect

Page 57: Defending the Academy - nwacc.org

Operationalize your security efforts

Incorporate security into daily processes

Cannot delegate to security team

Page 58: Defending the Academy - nwacc.org

Continuously train your stakeholders

Require at ALL levels of the organization

Everyone understands role and responsibilities

Page 59: Defending the Academy - nwacc.org

Maintain your technology with good hygiene

Patch in a timely manner

Use supported OS versions

Implement comprehensive malware prevention

Page 60: Defending the Academy - nwacc.org

Strengthen your architecture

Separate what’s truly public from what should be internal

Risk-based network segmentation

Role-based data segregation

Page 61: Defending the Academy - nwacc.org

Strengthen your authentication

Use credential and privilege management tools

Use multi-factor authentication

Authenticate DEVICES that connect to your networks

Page 62: Defending the Academy - nwacc.org


Detect

Respond

Page 63: Defending the Academy - nwacc.org

Extend your visibility across the enterprise

Implement monitoring and detection tools at trust boundaries

Ensure availability and integrity of logs

Page 64: Defending the Academy - nwacc.org

Strengthen your detection and response capabilities

Don’t rely on prevention alone

Limit attacker dwell time

Practice regularly (e.g. table top drills)

Page 65: Defending the Academy - nwacc.org


Recover

Page 66: Defending the Academy - nwacc.org

Engage your leadership before a crisis occurs

Evaluate potential value of cyber insurance

Implement proactive incident response retainers

Identify and train crisis response team members

Page 67: Defending the Academy - nwacc.org

Maintain your business continuity and recovery plans

Determine your risk tolerance
• E.g. are hot/cold standby sites needed?

Restore from backup when cost effective (and no regulatory issue)

Test your backup/recovery processes, tools, and procedures

* Accessed online from https://www.canada15edgedatacenters.com/good-info-on-backup-disaster-recovery/

Page 68: Defending the Academy - nwacc.org


Report your Progress

Page 69: Defending the Academy - nwacc.org

Maintain your metrics and share with stakeholders

Provide answers, not alerts

Page 70: Defending the Academy - nwacc.org


Page 71: Defending the Academy - nwacc.org

What we learned today


Page 72: Defending the Academy - nwacc.org


You cannot prevent all attacks all the time

Page 73: Defending the Academy - nwacc.org


You can describe your goals differently

Page 74: Defending the Academy - nwacc.org


You can mitigate risk with cyber resilience

Identify

Protect

Detect

Respond

Recover

Page 75: Defending the Academy - nwacc.org

You can avoid chasing every new regulation

* Accessed online from http://themetapicture.com/i-get-easily-distracted/

Page 76: Defending the Academy - nwacc.org


You can show you’re better than you were yesterday!

Page 77: Defending the Academy - nwacc.org

Questions?


Page 78: Defending the Academy - nwacc.org

Thank you!
