Port of Seattle Security Presentation - David Morris
Transcript
Cyber Security Threats and What you can do
Agenda
• Threat History
• Current Threats
• Breakdown of a Common Attack
• What you can do
– Incident Response
– Resources Available
CTS Security Operations Center
Provides centralized information sharing, monitoring, and analysis of Washington State security posture while mitigating risk and minimizing incident exposure.
• Alerting
• Risk Analysis
• Incident Response
• Vulnerability Management
• Education and Awareness
Awareness Test:
http://www.youtube.com/watch?v=oSQJP40PcGI
Cyber Security in the News
1999 Threat - Melissa
• Sent copies of an infected Word Document to up to 50 people
• No damage to computers or files
• Overwhelmed Mail Servers
http://www.cert.org/advisories/CA-1999-04.html
2003 Threat – Slammer
• SQL Server Stack buffer overflow vulnerability
• Code execution at System user level
http://www.cert.org/advisories/CA-2003-04.html
2008 Threat – Conficker
• Windows Server service vulnerability
• Multiple variants
• Quickly took over millions of computers
• Disabled Windows services
• Locked out users
Today’s Threats
Persistent
• 44% increase in breach incidents 2010-11 across multiple verticals (Source: Ponemon Institute, 2011)
Sophisticated
• Use of advanced techniques and tactics points to growing nation-state sponsorship and resourcing
Targeted
• Shift to targeting of commercial sectors and government supply-chain providers
• Larger attack surface
• Consumerization of IT with pervasive use of social media, mobile devices, big data and cloud infrastructures
What I see at WA State
Reporting Period: 1Q 2013
What I deal with
Reporting Period: 3/1/13 – 3/15/13
• Web site defacement by Turkish Muslim group
• Attempted breach of VPN account
• Multiple workstations attempting to communicate with Zeus command and control servers
• Web server participating in DDoS attack against a foreign national
• Multiple workstations attempting to communicate with ZeroAccess command and control servers
• Web site content management server software exploited
• Anomalous traffic at agency firewall indicating insider threat
• Open mail relay detected
• Multiple SQL injection attempts against a web application
• Penetration test erroneously configured, causing alerts
Advanced Persistent Threats
Sophisticated attacks and well-resourced adversaries
• Nation State Actors
• Cyber Criminals
• Open Source Intelligence Collection
• Foreign Nationals
• Black Markets
• Non-Nation State Sub Contractors
• Supply Chain Tampering
• Third Countries
The Age of the APT
Common Attack
Phishing emails
A member of your staff receives a phishing email which may be personalized to attract their interest.
Drive-by download
The employee clicks on the link and is infected by a Trojan from a drive-by download.
The Trojan installs a backdoor which allows a reverse connection to the infected machine.
Adversary uses machine to gain access to internal network systems
The hacker dumps password hashes and gains access to a critical server via RDP.
Data ex-filtration
The attacker encrypts sensitive files found on the critical server and transfers the data out.
Attack Anatomy
Phishing emails
• Discovery of company email addresses
– Jigsaw
• Come up with a scenario
– OWA upgrade
– Security alert
• Build phishing message
– Save .html file locally
– Use a kit such as SET
• Set up a real temporary domain
• Monitor effectiveness with scripts
Drive-by download
• Packing utilities / Metasploit / Backtrack
• Alternately, purchase an SDK and sign the executable so that it is trusted
• Test the executable or payload with free antivirus packages
– Microsoft Security Essentials
– AVG
• Await acknowledgement response from machine
Adversary uses machine to gain access to internal network systems
• RDP
• Passwords enumerated and cracked
• Mapping of other network devices
• Active Directory queries
• Access attempts with credentials
Data ex-filtration
• Data is compressed
• Data is encrypted and sent over a common port such as 80 or 443
• Transmission is rate-limited to avoid detection
• Data is used for criminal purposes or to damage reputation
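As an added example (not part of the presentation), a defender's check for the rate-limited, common-port transfer described above: it groups constructed outbound flow records by source, destination and port and flags long-lived, uniform trickles on 80/443 that add up to a large volume. The hosts, addresses and thresholds are assumptions chosen for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

COMMON_PORTS = {80, 443}  # the ports the slide says exfiltration blends into


def make_flows():
    """Constructed outbound flow records for the demo (not real data):
    (timestamp, src_host, dst_ip, dst_port, bytes_out)."""
    base = datetime(2013, 3, 1, 1, 0)
    flows = []
    # 10.1.1.20: one 50 KB upload every 10 minutes to the same host for ~8 hours,
    # the steady, rate-limited trickle the slide describes.
    for i in range(48):
        flows.append((base + timedelta(minutes=10 * i),
                      "10.1.1.20", "203.0.113.10", 443, 50_000))
    # 10.1.1.30: a short burst of ordinary browsing to several different sites.
    browsing = [("198.51.100.5", 2_000), ("198.51.100.7", 900_000),
                ("198.51.100.9", 15_000), ("198.51.100.5", 4_000)]
    for i, (dst, size) in enumerate(browsing):
        flows.append((base + timedelta(minutes=3 * i), "10.1.1.30", dst, 443, size))
    return flows


def find_slow_exfil(flows, min_hours=4, min_flows=12, min_total=1_000_000, max_cv=0.25):
    """Return (src, dst, port) groups on 80/443 that are long-lived, numerous,
    uniform in chunk size and large in total: the signature of a rate-limited transfer."""
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        if port in COMMON_PORTS:
            groups[(src, dst, port)].append((ts, nbytes))
    hits = []
    for (src, dst, port), recs in groups.items():
        if len(recs) < min_flows:
            continue                          # too few flows to call it a trickle
        recs.sort()
        span = recs[-1][0] - recs[0][0]       # how long the conversation lasted
        sizes = [b for _, b in recs]
        total, avg = sum(sizes), mean(sizes)
        cv = pstdev(sizes) / avg if avg else 0.0   # chunk-size regularity; 0 = identical
        if span >= timedelta(hours=min_hours) and total >= min_total and cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port, "flows": len(recs),
                         "hours": round(span.total_seconds() / 3600, 1),
                         "total_bytes": total})
    return hits


if __name__ == "__main__":
    for hit in find_slow_exfil(make_flows()):
        print(hit)
```

On the constructed data only 10.1.1.20 is reported; the bursty browsing host is not, because its flows are few, short-lived and irregular in size.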
Recommendations
1. Build a strong security foundation
2. Have an Incident Response Plan ready
3. Know who to call
Build a Security Foundation
• SANS Top 20 Controls
• Australia DOD Mitigations
• NIST Guidelines
Develop Incident Response Mechanisms
• Have a plan
– NIST SP 800-61 Rev. 2
• Know the priority of your assets
• Exercise your plan
– 15 minute tabletops
– Functional exercise every 6 months
• Recognize that in many cases you will not be able to contain the incident yourself
Establish Partnerships
• MS-ISAC
– Forensic Analysis
– Log Analysis
– Malware reverse engineering and disassembly
– Vulnerability Scanning (Application and Host)
• FBI Cyber Task Force (CTF)
– Incident Response
– Threat assessment
– Information Sharing
• EMD
– Significant Cyber Event Response
Questions