Monthly Cyber Threat Briefing April 2015
© 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net
Presenters
• Dennis Palmer – Senior Security Analyst, HITRUST
• Colby DeRodeff – Chief Strategy Officer, ThreatStream
• Adam Meyers – VP, Threat Intelligence, CrowdStrike
• Bob Walder – President & CTO, NSS Labs, Inc.
• Len Bledsoe – Cyber Security Analyst, Computer Security Incident Response Center (CSIRC), U.S. Department of Health and Human
Agenda
• NSS Labs – Emerging and unknown exploits and product effectiveness
• CrowdStrike – Threat Actors Overview
• ThreatStream – Operationalizing and Leveraging CTX
• Health and Human Services – Current Threat Dissection
• HITRUST – CSF Controls related to ongoing threats
• DHS/CERT – Trends and uncategorized indicators
• Question and Answer session
Threat Capabilities Report
• Flash, Java, Silverlight, and Internet Explorer are widely used enterprise applications that were aggressively targeted in March.
• The Angler exploit kit was the most prevalent exploit kit.
• CryptoWall activity continued to surge.
Data from February 2015 – NSS Labs
Targeted Applications and Operating Systems
Data from March 2015 – NSS Labs
Application/OS Combination – OS columns: Windows 7 SP1, Windows 8, Windows Vista SP1, Windows XP SP3. Each application is listed with the number of those four OS versions on which it was targeted:
• Adobe Flash Player 11.4 – 1
• Adobe Flash Player 13 – 2
• Internet Explorer 10 – 3
• Internet Explorer 7 – 3
• Internet Explorer 8 – 3
• Internet Explorer 9 – 3
• Java 6 Update 23 – 1
• Java 7 – 1
• Java 7 Update 2 – 1
• Silverlight 4.0.6 – 2
• Silverlight 5 – 1
Top Command and Control Hosting by Geo
Data from March 2015 - NSS Labs
Rank – Country
1 – South Korea
2 – China
3 – United States
4 – United Kingdom
5 – Hong Kong
6 – Russia
7 – Germany
8 – British Virgin Islands
9 – Czech Republic
9 – Spain
C&C Server Locations & Callback Ports
10 commonly used command and control (C&C) server locations in combination with 10 commonly used callback ports
Data from March 2015 - NSS Labs
Callback ports (columns): 25, 80, 443, 2012, 8080, 1287, 5555, 2015, 1111, 7758. Each country is listed with the number of those ten ports observed in use by C&C servers hosted there:
• China – 10 (all listed ports)
• France – 2
• Germany – 2
• Hong Kong – 3
• Japan – 2
• Netherlands – 2
• South Korea – 1
• Ukraine – 2
• United Kingdom – 1
• United States – 3
CAWS: All Threats for March
March 2015 - NSS Labs
CAWS: Top Apps Targeted
March 2015 - NSS Labs
Are you protected?
CAWS/InSight NGFW Devices: March 2015 - NSS Labs
NGIPS Group Test: 6 products (anonymized) and security effectiveness (live threats from CAWS)
NGIPS 2015 - NSS Labs
Live Exploits Blocked, per product (6 anonymized products): 99.5%, 98.5%, 74.7%, 94.6%, 94.6%, 100.0%
Trends Targeting Healthcare
• Proprietary medical technology/design information
• Pharmaceutical intellectual property
• Sensitive information on designated VIP patients
• Broad collection to facilitate targeting of individuals
• Monetization of PII
Deep Panda IOCs
Making Intelligence Actionable
• Cyber Threat Exchange for Healthcare
• Enables actionable intelligence
• Cross-industry collaboration
• Proactive detection of new threats
• Security infrastructure integration
I want to collaborate, but what do I share? Let's start with what can actually be shared:
• Email addresses
• File hashes (MD5 / SHA256)
• Domain names
• URLs
• User agents
• External data
Now what use cases?
• What do you see in the SOC?
– Phishing campaigns
– Suspicious / scanning / brute-force login IPs
– Logins from hosting providers
– Malware outbreaks – file MD5s
You're Not Alone – Collaboration is a Force Multiplier
Information Sharing and Collaboration – Proven benefits
• Provides situational awareness and context across organizational and geographical boundaries
• Force multiplier – leverage your peers
• Data classification rules
– TLP protocol
• Actor / campaign details
• Automated distribution
• Platform agnostic
• Anonymous and secure
hitrustalliance.net/cyber-threat-xchange/
Collaboration in Action
Trending
General Platform Statistics (charts comparing Feb and Mar): Community IOCs; Compromised Credentials; Threat Intelligence Packages
Collaboration in Action
https://hitrustctx.threatstream.com/tip/142
Collaboration in Action
• Threat Intelligence Packages actively being submitted by community
• Premera Breach Details Continued
https://hitrustctx.threatstream.com/tip/179
Collaboration in Action
https://hitrustctx.threatstream.com/tip/184
HHS – Credential Harvesting
• Compromised credentials have the potential to be leveraged in future attacks
• Uptick in credential harvesting emails received across the Enterprise in March
• ~13,700 emails received containing domains of credential harvesting sites
• Training and education program implemented
• Reduction of credential harvesting emails planned via technical solution
Top Credential Harvesting Domains:
– Wix[.]com
– Weebly[.]com
– Jimdo[.]com
– Coffeecup[.]com
Email Subject Lines used:
– IT service DESK
– USER VERIFICATION
– Updating
– OUTLOOK LATEST UPDATE
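As an added example (not part of the briefing), the script below scans constructed mail-log lines for the indicators the HHS slide lists: links hosted on the four site-builder domains and the four subject lines. The pipe-delimited log layout and the "review" versus "likely-harvesting" verdict rule are assumptions made for this example.

```python
"""Flag inbound mail matching the credential-harvesting indicators from the HHS slide.
The log format (timestamp | sender | subject | body) and the sample lines are
constructed for this example; they are not HHS data."""
import re
from urllib.parse import urlparse

# Indicators from the slide (defanged there as Wix[.]com etc.), refanged for matching.
HARVESTING_HOST_DOMAINS = {"wix.com", "weebly.com", "jimdo.com", "coffeecup.com"}
HARVESTING_SUBJECTS = {"it service desk", "user verification", "updating", "outlook latest update"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def registrable_domain(host: str) -> str:
    """Reduce 'helpdesk-portal.wix.com' to 'wix.com' (naive last-two-labels rule)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def parse_line(line: str) -> dict:
    """Assumed log layout: timestamp | sender | subject | body (pipe-delimited)."""
    ts, sender, subject, body = [f.strip() for f in line.split("|", 3)]
    return {"ts": ts, "sender": sender, "subject": subject, "urls": URL_RE.findall(body)}

def classify(rec: dict) -> dict:
    """Combine subject-line and hosting-domain indicators into a verdict."""
    subject_hit = rec["subject"].strip().lower() in HARVESTING_SUBJECTS
    hosts = [urlparse(u).hostname or "" for u in rec["urls"]]
    domain_hits = sorted({registrable_domain(h) for h in hosts
                          if registrable_domain(h) in HARVESTING_HOST_DOMAINS})
    # Site-builder domains also host plenty of legitimate pages, so a lone domain
    # hit is only "review"; subject plus domain is the pattern the slide describes.
    if subject_hit and domain_hits:
        verdict = "likely-harvesting"
    elif subject_hit or domain_hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {**rec, "subject_hit": subject_hit, "domain_hits": domain_hits, "verdict": verdict}

def scan(lines):
    """Classify every non-empty log line; returns one result dict per line."""
    return [classify(parse_line(line)) for line in lines if line.strip()]

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2015-03-04T09:12:01Z | helpdesk@mail-example.test | IT service DESK | Verify at http://hhs-portal.wix.com/login
2015-03-04T09:15:40Z | alice@partner.example | Q2 budget | Draft at https://docs.example/q2
2015-03-04T10:02:13Z | noreply@mailer.example | OUTLOOK LATEST UPDATE | see https://intranet.example/news
2015-03-04T11:47:55Z | bob@example.org | Photos | my site https://bobs-photos.weebly.com/
"""

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG.splitlines()):
        print(r["verdict"], r["ts"], r["subject"], r["domain_hits"])
```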
CSF Controls Related to Threats
• CSF Control for Compromised Credentials
– Control Reference: 01.d User Password Management
• Control Text: All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user.
• Implementation requirement: Passwords should be confidential, passwords should be changed under indication of compromise, passwords should not be reused, passwords should not be shared or provided to anyone.
CSF Controls Related to Threats
• CSF Control for Compromised Credentials
– Control Reference: 01.j User Authentication for External Connections
• Control Text: Appropriate authentication methods shall be used to control access by remote users.
• Implementation requirement: Remote users shall be authenticated by use of a password/passphrase and at least one of the following: Certificate, Challenge/Response, Software Token, Hardware Token, Cryptographic or Biometric Technique
CSF Controls Related to Threats
• CSF Control for Suspicious Domain Registrations
– Control Reference: 01.i Policy on the Use of Network Services
• Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.
• Implementation requirement: The organization shall specify the networks and network services to which users are authorized access.
CSF Controls Related to Threats
• CSF Control for Dropper tools dropping basic Backdoors / RATs
– Control Reference: 09.j Controls Against Malicious Code
• Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.
• Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.
DHS/CERT
• Trends and uncategorized indicators
Questions and Answers
Additional Information
• Sign up for briefings and alerts
– www.hitrustalliance.net/cyberupdates/
• CyberRX 2.0 exercise information, or Spring 2014 exercise findings
– www.hitrustalliance.net/cyberrx/
• Cyber Threat Xchange (free subscription)
– hitrustalliance.net/ctx-registration/
Additional Information
• Additional content available at:
– https://hitrustalliance.net/content-spotlight/