DWP Cyber Resilience Centre
TRANSCRIPT
Technology | Cyber Resilience Centre
Cyber Resilience Centre
Agenda
• Why are DWP a target?
• Is it Cyber Crime or Cyber-Enabled?
• Who are the Threat Actors?
• Understanding the Threat Actors:
– Hostile Foreign Intelligence Services
– Organised Crime Groups
– Hackers / Hacktivists / Script Kiddies
– Insider
• Cyber Attack Vectors
• Cybercrime Community
• Defence
• Detection
• Questions
Why are DWP a Target?
• Financial – £170 billion in benefits per annum – £650 million each working day
• Data – We hold millions of customer records.
• Employees – 84,000 staff
• Locations – Over 900 sites, with 720 Job Centres
• IT – We have:
– over 100,000 endpoints
– 1,000+ applications
– 3,500+ servers
Why are DWP a Target?
Means tested benefit for people of working age who are on a low income:
• Income Support
• Income-based Jobseeker's Allowance
• Income-related Employment and Support Allowance
• Housing Benefit
• Child Tax Credit
• Working Tax Credit
Cyber Crime vs Cyber-Enabled
Cybercrime – crimes where computers are an integral part of the offence:
• Hacking
• Malware
• Denial of Service
Cyber-enabled Crime – traditional crimes augmented in some way by using computers:
• Fraud
• ID theft
• Child Abuse
Who are the Threat Actors?
Threat Actors – Motivation
• Hostile Foreign Intelligence Services – Information, Influence
• Organised Criminal Gangs – Money
• Hacker / Hacktivist / Script Kiddie / Motivated – Kudos
• Insiders – All the above
Understanding the Threat Actor: HFIS – Advanced Persistent Threat (APT)
• State Sponsored
• Advanced Techniques:
– Coordinated
– Mission Orientated
• Persistent
• Greatest Threat:
– Intent
– Opportunity
– Capability
Understanding the Threat Actor: Advanced Persistent Threat (APT) – Kill Chain
• Tools only as advanced as they need to be
• Spear phishing is one of the primary delivery methods
Understanding the Threat Actor: Organised Crime Groups (OCGs)
• Financially motivated
• Generally target large blocks of people rather than individuals
• Malicious software (malware) used to target credentials, banking details, other finance-based information, ransomware, etc.
• Structured like a business with various functions and suppliers:
– Coders
– Infrastructure
– Spam mailers
– Help desks
Understanding the Threat Actor: Hacktivist
• Ideologically motivated – cyber protest
• Highly capable individuals
• Hive mindset
• Anonymous, LulzSec
• Attack types:
– DDoS
– Data theft
– Website defacement
• Reputational damage
• Open to influence from external sources
Understanding the Threat Actor: Script Kiddie
• Motivated by:
– Impressing friends
– Gaining credibility on forums
• Doesn't have the skills to create tools and scripts, so uses premade ones
• Can download and use a tool, but may not know how it works or the full implications of its use
• Very little or no infrastructure
• Today's script kiddie, tomorrow's L33T hacker?
Understanding the Threat Actor: Insider
Motivators
• Personal advancement
• Profit
• Accidents
• Blackmail
• Coercion
• Espionage
• Resentment
• Disenfranchisement
• Activism
Threat Types
• Unwitting / Unintentional
• Deliberate Insider
• Volunteer / Self-initiated Insider
• Recruited / Exploited Insider
• Ex-employee
Notes
• CPNI: Many past cases have involved opportunistic exploitation (no intent)
• Many are volunteers
• Rarely a single motivation
• Combination of factors
• Often not the most obvious
Understanding the Threat Actor: Insider – Case Examples
(Slide figure: three insider cases shown as pictures.) Categories illustrated: Facilitating Access – Exploited Insider; Deliberate Insider; Volunteer. Sentences cited: jailed for 5 years; jailed for 30 years; jailed for 4 years, 4 months.
Cyber Threat Vectors
(Slide figure: word cloud of terms – IP address, bot, spear phishing, phishing, spam, Trojan, malware, cross site scripting, SQL injection, bot herder, botnet, cyber crime, watering hole, virus, TOR, dark web, DNS, hacker, DDoS, hidden Internet, Anonymous, hacktivist, ransomware, AVC, zero day.)
Cyber Threat Vectors
• Too many to cover in a 30 minute presentation
• New vulnerabilities discovered all the time.
– Zero Days (no patch available)
– If public then assigned a CVE
– Exploit-db.com
• Focus on 3 of the common attack vectors.
– Phishing / Spear Phishing / Whaling
– Injection attacks
– DDoS
Cyber Threat Vectors: Phishing / Spear Phishing / Whaling
• Commonly delivered in email, but other messaging and social media platforms can be used.
• The goal is to get the victim to take the bait, whether it be:
– Open an attached document
– Click on a link
– Respond with your personal details
• Difference between the 3:
– Phishing: cast the net far and wide
– Spear Phishing: targeting just a few fish
– Whaling: targeting the big fish (Board level)
• Verizon 2013: 95% of state-affiliated cyber espionage used spear-phishing to accomplish the initial compromise
Cyber Threat Vectors: Phishing / Spear Phishing / Whaling – Examples
Cyber Threat Vectors: Injection Attacks
• Injection attacks occur when an attacker adds additional text to data that gets passed to an application, which then treats the additional data as a further instruction.
• Most common type of web application security risk for the last 6 years – OWASP (Open Web Application Security Project)
• SQL Injection is the most common type of injection attack.
– Structured Query Language
• Can lead to:
– Unauthorised access
– Direct access to the data stored on a database
– Access to the Database Management System (DBMS)
– Access to the underlying Operating System
Cyber Threat Vectors: Injection Attacks – How Does It Work?
Cyber Threat Vectors: Injection Attacks – SQL Injection Made Easy?
• As with most attacks, there are tools that will do the work for you
• If you need help to run the tool, look it up on YouTube
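The mechanism described above, as an added example that is not part of the original presentation: a record lookup built by string concatenation, where the caller's text becomes part of the SQL statement, shown beside the parameterised query that fixes it. The in-memory SQLite table, its records and the customer references are constructed sample data.

```python
# Added example (not from the DWP presentation): a lookup vulnerable to SQL
# injection beside its parameterised fix, run against constructed sample data.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small customer table in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (ref TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("C001", "A. Example"), ("C002", "B. Example"), ("C003", "C. Example")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, ref: str) -> list:
    """Builds the statement by concatenation: whatever the caller supplies in
    'ref' is parsed as SQL, so extra text is executed as a further instruction."""
    sql = "SELECT ref, name FROM customers WHERE ref = '" + ref + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, ref: str) -> list:
    """Parameterised query: the driver binds 'ref' as a value, never as SQL,
    so the same input only ever matches a literal customer reference."""
    sql = "SELECT ref, name FROM customers WHERE ref = ?"
    return conn.execute(sql, (ref,)).fetchall()


def demo() -> dict:
    """Row counts returned for a normal reference and for input carrying
    additional SQL (a constructed tautology appended after the closing quote)."""
    conn = make_db()
    normal = "C002"
    injected = "C002' OR '1'='1"
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),      # 1 row
        "vuln_injected": len(lookup_vulnerable(conn, injected)),  # every row
        "safe_normal": len(lookup_safe(conn, normal)),            # 1 row
        "safe_injected": len(lookup_safe(conn, injected)),        # no match
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version returns the whole table for the crafted input, which is the "direct access to the data stored on a database" outcome listed above; the bound-parameter version returns nothing because no customer reference equals that string.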
Cyber Threat Vectors: Denial of Service (DoS) Attack
• Basic principle: throw more data at the web server than it can handle and it will stop responding.
• Lots of different flavours
– SYN floods
– HTTP floods
• Collateral damage
Cyber Threat Vectors: Distributed Denial of Service (DDoS) Attack
• Reflective and amplification attacks.
• Abusing features of legitimate protocols and applications.
– DNS
– NTP
• Many protocols can return more data than the original request.
– 60 bytes to 4,000+ bytes for DNS
• Spamhaus attack
– 350 Gbps
Cybercrime Community
• Numerous forums to support cybercrime
• Facilitating the buying and selling of:
– Credit card details
– Personal information
– Malware
– Exploits
– Phishing kits
– Login details
• Use of the TOR network
• Often by invitation only.
Defence: Defence in Depth
• You can deploy:
– Firewalls
– WAFs
– IDS / IPS
– Antivirus
– AD Group Policy
– etc.
HOWEVER
• Don't forget the weakest link in the chain
– It's really hard to defend against the 'bad day at the office'
• Educate, educate, and educate again
– Spear phishing targets are picked for a reason
Detection: Detecting the Attacks
• Numerous log types:
– Proxy logs
– Firewall
– DNS
– Many more
HOWEVER
• Need to be effectively monitored
– SIEM
• How long?
WHY?
• Average number of days from breach to detection: 205
• Victims notified by an external entity: 69%
Detection: Recovery – Reputational
HMRC data loss, 2007 (slide figure: reputational damage plotted against time, 2007 to 2015)
• 18th Oct: Staff member sends unencrypted CDs in the post. Not received.
• 8th Nov: HMRC Senior Management informed
• 14th Nov: Met informed after HMRC fail to find CDs
• 15th Nov: ICO & SOCA informed
• 18th Nov: Scotland Yard takes full control
• 19th Nov: Banks informed
• 20th Nov: Chairman resigns
• 21st Nov: PM issues public apology
• 9th Nov 2015: Director GCHQ cites HMRC loss as key example of on-going negative perception as a result of data breaches
The reputational impact of a data breach can be highly damaging and take a long time to fix
Detection: Recovery – Understanding What Happened
OPM Data Breach: Timeline of events (slide figure: December 2014 to July 2015)
• Dec 2014 (start of timeline): Large scale data breach happens
• Apr 2015: OPM detects breach
• 4th Jun: OPM estimate – initial estimates from OPM indicated that 4m people were affected
• 12th Jun: OPM detects second breach
• 16th Jun: OPM Director appears before the House, stating 4.2m may be affected. Calls for Director and CISO to step down
• 23rd Jun: FBI estimate – 18m
• 9th Jul: OPM investigation concludes that 19.7m affected (final OPM impacted figure)
The data breach remained undetected for at least 4 months
The initial estimate of the impact of the breach was vastly underestimated. It took a month to reach the actual figure
Identifying, sizing and quantifying the impact of a data breach can take a significant amount of time
Questions