hit by a cyberattack: lesson learned


Upload: jan-guldentops

Post on 12-Apr-2017


TRANSCRIPT

Hit by a Cyberattack: lesson learned. How are we hacked and what to do when it happens. IFE, 8 December 2015

Jan Guldentops ( [email protected] ), BA N.V. ( http://www.ba.be )

Who am I?

Jan Guldentops (1973)

This year I'll be designing, building and securing server and network infrastructure for 20 years.

Founder of ULYSSIS (1994), Better Access (1996) and BA (2003)

Open Source Fundamentalist (after hours )

Strong practical background in ICT security.

Security consultant by accident (1996, Beroepskrediet)

Spend a lot of my time in the lab (R&D)

Important to remember:

Two ways we work with local governments: delivering complete solutions

Delivering mercenaries: consultants who temporarily supplement the knowledge of the ICT manager

Delivering technical support and troubleshooting

Delivering solutions to local governments since 1996

In Short:

COMMON SENSE AS A SERVICE (CAAS)

The question is not if you're going to be hacked but when...

So what goes wrong? How do you get hacked?

The human factor

Stupidity, laziness and ignorance

Amateurism

The successful hack implies that the current network setup and / or procedures at DigiNotar are not sufficiently secure to prevent this kind of attack.

The most critical servers contain malicious software that can normally be detected by anti-virus software. The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced.

The software installed on the public web servers was outdated and not patched.

No antivirus protection was present on the investigated servers.

An intrusion prevention system is operational. It is not clear at the moment why it didn't block some of the outside web server attacks. No secure central network logging is in place.

Social engineering

If you want to know something, just ask! People talk too much.

Your organization is leaking info: Google is your friend

Stupid leaks: leaking confidential info in references, etc.

Key employees who are passionate about their work often tell you everything

Phishing

You are thinking about: blond Ukrainian ladies who can tell from your e-mail address that you are the man of their life.

Badly written or translated

So obvious

But what if a phishing expedition was custom made to push your buttons?

Spear Phishing

Sinterklaas. A custom-built phishing expedition: Surprise from Sinterklaas;

Well written e-mail

Perfect house style

Official URL with a registered certificate

Sent to 200+ IT people; 35% tried to fill in their userid/password

before the security team blocked the URL.

I am not who I am

We still use userid/password for authentication

Bad passwords

Badly managed passwords

Unrealistic password policies

One password for everything;

Clear-text storage of passwords

No single, centralised user and role management

Tunnels

Dozens of ways to set up a return tunnel from inside an organisation: OpenVPN, ssh, iodine (IP over DNS), httptunnel, etc.

TeamViewer, N-able, LogMeIn, etc.

Hard to detect

Usually accidents waiting to happen
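The slides say tunnels such as iodine are hard to detect. As an added example (not part of the original talk), this Python script runs a few defensive heuristics over a constructed resolver log: many distinct names under one zone, high-entropy leading labels, and record types that carry payload (NULL/TXT). Log format, thresholds and the zone approximation are assumptions for the demo.

```python
import math
import re
from collections import defaultdict
# Constructed sample resolver log, one query per line: "<time> <client> <qtype> <qname>".
# 10.0.0.7 is doing iodine-style IP-over-DNS: base64-ish labels, NULL/TXT records.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:02 10.0.0.5 A mail.example.com
10:00:03 10.0.0.7 NULL aGVsbG8gd29ybGQ.t.tun.example.org
10:00:03 10.0.0.7 NULL dGhpcyBpcyBhIHRlc3Q.t.tun.example.org
10:00:04 10.0.0.7 TXT c29tZSBtb3JlIGRhdGE.t.tun.example.org
10:00:04 10.0.0.7 NULL YW5vdGhlciBjaHVuaw.t.tun.example.org
10:00:05 10.0.0.5 A www.example.com
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
TUNNEL_QTYPES = {"NULL", "TXT", "CNAME", "MX"}   # record types that can carry payload

def shannon_entropy(s):
    """Bits per character; encoded payload scores high, dictionary words low."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def zone_of(qname, labels=2):
    # Assumption: the registrable zone is approximated by the last `labels` labels.
    return ".".join(qname.rstrip(".").split(".")[-labels:])

def analyze(log_text):
    """Per zone: distinct names, payload-type queries and summed first-label entropy."""
    stats = defaultdict(lambda: {"names": set(), "payload_q": 0, "total": 0, "ent": 0.0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _time, _client, qtype, qname = m.groups()
        st = stats[zone_of(qname)]
        st["total"] += 1
        st["names"].add(qname)
        st["payload_q"] += qtype.upper() in TUNNEL_QTYPES
        st["ent"] += shannon_entropy(qname.split(".")[0])
    return stats

def suspicious_zones(log_text, min_names=4, min_entropy=3.0):
    """Zones with many distinct high-entropy names plus at least one payload-type query."""
    flagged = []
    for zone, st in analyze(log_text).items():
        if (len(st["names"]) >= min_names and st["payload_q"] > 0
                and st["ent"] / st["total"] >= min_entropy):
            flagged.append(zone)
    return sorted(flagged)
```

On the sample, only example.org is flagged; the ordinary lookups of example.com fall below every threshold.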

Others

Bad software;

No structured updates;

Security bolted on instead of by design;

Stuck in perimeter security;

Bad system management;

Mobilization;

Bring your own device;

The stakes have changed

Globalization

Cyberpunks versus mob

Speed, damage

Target: 70,000,000 personal data records

Exit security officer, CIO, CEO

Ashley Madison

So how do you know you are hacked?

The obvious hacker: defaces your website;

Sends all your contacts stupid spam;

Uses all your CPU to mine bitcoins;

Attacks the whole world directly from your systems;

The discreet hacker: compromises your system and collects information

E.g. the Belgacom hack: compromised since at least 2007!

So how do you find these?

Integrity checks / host-based IDS

Honeypot

Network-based IDS

Analyze your logs (SIEM)

Monitor your infrastructure

What to do when you find something strange?

Don't panic!

You're not the first to be hacked and certainly not the last.

Focus on analyzing the problems and securing your environment.

At least you know you are compromised... That's a good sign!

Handle the situation

Collect a team to handle the security situation.

These days there are cyber insurances: AIG, Cyber Contract, ADD, etc.

This can be made up of internal staff and/or external consultants.

Draft a plan

Execute it

Isolate or offline

Get the compromised applications, machines, accounts and data isolated and preferably offline.

Take care that no other parts of your environment are infected.

Literally or virtually pull the ethernet cable or power plug.

Preserve as much data as you can. Secure backups!

Collect data

Collect as much data as you can: log files;

Network traffic;

Forensic copies of compromised systems; e.g. Kali Linux

You'll need this to analyze what happened, what they took and who did it. It is also legally important.

Find out what happened

Analyze the attack, find out what happened

Check what data and systems are compromised. Presume everything is compromised until you know.

Try to understand what happened

Find out what the consequences are...

Disclose and communicate

Disclose what happened in a structured, complete way: to law enforcement;

To partners;

To employees;

To customers;

Learn and adapt

Learn from your mistakes: change your security policy and procedures

Learn from the hack and how your organization responded to it

Adapt

It will happen again, so be better prepared for it

Thank You

Contact us

016/29.80.45

016/29.80.46

www.ba.be / Twitter: batweets

Remy Toren, Vaartdijk 3/501, B-3018 Wijgmaal

[email protected]

Twitter: JanGuldentops

http://be.linkedin.com/in/janguldentops/