Port of Seattle security presentation, David Morris

Cyber Security Threats and What you can do (24 slides)

Posted 02-Jul-2015 (upload: emily2014)

TRANSCRIPT

Page 1: Port of Seattle security presentation, David Morris

Cyber Security Threats and What you can do

Page 2: Agenda

• Threat History
• Current Threats
• Breakdown of a Common Attack
• What you can do
  – Incident Response
  – Resources Available

Page 3: CTS (Consolidated Technology Services) Security Operations Center

Provides centralized information sharing, monitoring, and analysis of Washington State's security posture while mitigating risk and minimizing incident exposure.

• Alerting
• Risk Analysis
• Incident Response
• Vulnerability Management
• Education and Awareness

Awareness Test:

http://www.youtube.com/watch?v=oSQJP40PcGI

Page 4: Cyber Security in the News

Page 5: 1999 Threat – Melissa

• Sent copies of an infected Word Document to up to 50 people

• No damage to computers or files

• Overwhelmed Mail Servers

http://www.cert.org/advisories/CA-1999-04.html

Page 6: 2003 Threat – Slammer

• Stack buffer overflow in the SQL Server 2000 Resolution Service (UDP port 1434), triggered by a single UDP packet

• Code execution at SYSTEM privilege level (the SQL Server service account)

http://www.cert.org/advisories/CA-2003-04.html

Page 7: 2008 Threat – Conficker

• Windows Server service vulnerability (MS08-067)

• Multiple variants

• Quickly took over millions of computers

• Disabled Windows services

• Locked out users

Page 8: Today's Threats

• Persistent: 44% increase in breach incidents from 2010 to 2011 across multiple verticals (Source: Ponemon Institute, 2011)

• Sophisticated: use of advanced techniques and tactics points to growing nation-state sponsorship and resourcing

• Targeted: shift to targeting of commercial sectors and government supply-chain providers

• Larger attack surface: consumerization of IT with pervasive use of social media, mobile devices, big data and cloud infrastructures

Page 9: What I see at WA State

Reporting Period: 1Q 2013

Page 10: What I deal with

Reporting Period: 3/1/13 – 3/15/13

• Web site defacement by Turkish Muslim group
• Attempted breach of VPN account
• Multiple workstations attempting to communicate with Zeus command and control servers
• Web server participating in DDoS attack against a foreign national
• Multiple workstations attempting to communicate with ZeroAccess command and control servers
• Web site content management server software exploited
• Anomalous traffic at agency firewall indicating insider threat
• Open mail relay detected
• Multiple SQL injection attempts against web application
• Penetration test erroneously configured, causing alerts
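Two of the items above, workstations calling out to Zeus and ZeroAccess command and control servers, are the kind of finding a SOC produces by matching outbound proxy or DNS logs against an indicator list. The script below is an added example written for this page, not code from the presentation or from CTS; the indicator domains, the 203.0.113.0/24 range and the proxy log lines are constructed placeholders, not real botnet infrastructure.

```python
"""Flag internal hosts that contact known botnet C2 infrastructure, using proxy logs.

Added example, not from the presentation. The C2 indicators and the log lines
below are constructed placeholders, not real Zeus or ZeroAccess infrastructure.
"""
import ipaddress
from collections import defaultdict

# Constructed indicator list: (indicator, family). Domains match themselves and
# any subdomain; CIDR entries match destination IPs.
C2_INDICATORS = [
    ("c2-updates.example", "Zeus"),
    ("stat-collector.example", "ZeroAccess"),
    ("203.0.113.0/24", "ZeroAccess"),  # TEST-NET-3 range, placeholder only
]

# Constructed proxy log lines: timestamp client_ip dest_host dest_ip method status
PROXY_LOG = """\
2013-03-04T09:12:01 10.20.5.17 www.microsoft.com 13.107.42.14 GET 200
2013-03-04T09:12:07 10.20.5.17 cdn.c2-updates.example 198.51.100.9 POST 200
2013-03-04T09:12:09 10.20.5.44 stat-collector.example 203.0.113.5 POST 200
2013-03-04T09:13:40 10.20.7.3 news.example.org 192.0.2.30 GET 200
2013-03-04T09:14:02 10.20.5.17 cdn.c2-updates.example 198.51.100.9 POST 200
2013-03-04T09:15:11 10.20.9.8 files.notc2-updates.example 192.0.2.77 GET 200
2013-03-04T09:16:30 10.20.9.8 unrelated.example 203.0.113.200 GET 404
"""


def _compile(indicators):
    """Split the indicator list into domain suffixes and IP networks."""
    domains, networks = [], []
    for ind, family in indicators:
        if "/" in ind or ind.replace(".", "").isdigit():
            networks.append((ipaddress.ip_network(ind, strict=False), family))
        else:
            domains.append((ind.lower().rstrip("."), family))
    return domains, networks


def match_indicator(host, ip, domains, networks):
    """Return the malware family if host/ip hits an indicator, else None.

    Domain matching is suffix-based on label boundaries, so
    'cdn.c2-updates.example' matches but 'notc2-updates.example' does not.
    """
    host = host.lower().rstrip(".")
    for dom, family in domains:
        if host == dom or host.endswith("." + dom):
            return family
    addr = ipaddress.ip_address(ip)
    for net, family in networks:
        if addr in net:
            return family
    return None


def find_c2_callbacks(log_text, indicators=C2_INDICATORS):
    """Return {client_ip: {family: hit_count}} for every client that contacted C2."""
    domains, networks = _compile(indicators)
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, dest_host, dest_ip, _method, _status = line.split()
        family = match_indicator(dest_host, dest_ip, domains, networks)
        if family:
            hits[client][family] += 1
    return {client: dict(fams) for client, fams in hits.items()}


if __name__ == "__main__":
    for client, families in sorted(find_c2_callbacks(PROXY_LOG).items()):
        print(client, families)
```

Matching on label boundaries matters in practice: a naive substring match on "c2-updates.example" would also flag the unrelated "notc2-updates.example" host, and a per-client count is what turns a stream of proxy hits into the "multiple workstations" line item on the slide.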

Page 11: Advanced Persistent Threats

Sophisticated attacks and well-resourced adversaries. "The Age of the APT."

Actors and channels shown on the slide diagram: Nation State Actors, Cyber Criminals, Open Source Intelligence Collection, Foreign Nationals, Black Markets, Non-Nation State Sub Contractors, Supply Chain Tampering, Third Countries.

Page 12: Common Attack, step 1: Phishing emails

A member of your staff receives a phishing email, which may be personalized to attract their interest.

Page 13: Step 2: Drive-by download

The employee clicks the link and is infected by a Trojan delivered through a drive-by download.

Page 14: Step 3: Adversary uses the machine to gain access to internal network systems

The Trojan installs a backdoor that opens a reverse connection out to the attacker, giving remote control of the infected machine. The attacker dumps password hashes from it and uses them to gain access to a critical server via RDP.

Page 15: Step 4: Data ex-filtration

The attacker encrypts the sensitive files found on the critical server and transfers the data out.

Page 16: Attack Anatomy: Phishing emails

• Discovery of company email addresses (e.g. Jigsaw)
• Come up with a scenario: "OWA Upgrade", "Security Alert"
• Build the phishing message: save the .html file locally, or use a kit such as SET (Social-Engineer Toolkit)
• Set up a real temporary domain
• Monitor effectiveness with scripts

Page 17: Attack Anatomy: Drive-by download

• Packing utilities / Metasploit / BackTrack
• Alternately, purchase an SDK and code-sign the executable so that it is trusted
• Test the executable or payload against free antivirus packages (Microsoft Security Essentials, AVG)
• Await the acknowledgement (callback) response from the infected machine

Page 18: Attack Anatomy: Adversary uses the machine to gain access to internal network systems (RDP)

• Passwords enumerated and cracked
• Mapping of other network devices
• Active Directory queries
• Access attempts with the stolen credentials
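Each step on this slide leaves a trace in the Windows Security log: a cracked or guessed password shows up as a burst of failed logons (event 4625) followed by a success (4624) for the same account from the same source, and reuse of one credential across the network shows up as one source address logging on remotely (logon type 3 for network/AD access, 10 for RDP) to many hosts in a short time. As an added example that is not part of the presentation, the Python below runs both checks over constructed events shaped like those records; the thresholds and the 30-minute window are assumptions to tune per environment.

```python
"""Spot the lateral-movement stage of the attack in Windows logon events.

Added example, not from the presentation. The events are constructed in the
shape of Security log 4624/4625 records (event id, logon type, target account,
source address, target computer); thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types that indicate a remote logon: 3 = network (SMB shares, AD
# queries), 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {3, 10}

# Constructed events: (timestamp, event_id, logon_type, account, source_ip, target_host)
EVENTS = [
    ("2013-03-05T22:01:10", 4625, 10, "svc_backup", "10.20.5.17", "FS01"),
    ("2013-03-05T22:01:12", 4625, 10, "svc_backup", "10.20.5.17", "FS01"),
    ("2013-03-05T22:01:15", 4625, 10, "svc_backup", "10.20.5.17", "FS01"),
    ("2013-03-05T22:01:20", 4624, 10, "svc_backup", "10.20.5.17", "FS01"),
    ("2013-03-05T22:03:02", 4624, 3, "svc_backup", "10.20.5.17", "DC01"),
    ("2013-03-05T22:04:45", 4624, 3, "svc_backup", "10.20.5.17", "SQL02"),
    ("2013-03-05T22:06:30", 4624, 10, "svc_backup", "10.20.5.17", "SQL02"),
    ("2013-03-05T22:07:00", 4624, 3, "jsmith", "10.20.7.3", "FS01"),
    ("2013-03-06T08:15:00", 4624, 3, "jsmith", "10.20.7.3", "DC01"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect_lateral_movement(events, window=timedelta(minutes=30),
                            fanout_threshold=3, failure_threshold=3):
    """Return a list of findings (source_ip, kind, detail).

    kind 'fanout': one source reached >= fanout_threshold distinct hosts with
    successful remote logons inside `window` (one credential reused across
    the network).
    kind 'brute_then_success': >= failure_threshold failed logons for one
    account from one source, then a success (cracked or guessed password).
    """
    findings = []
    by_source = defaultdict(list)
    for ts, eid, ltype, account, src, host in sorted(events):
        if ltype in REMOTE_LOGON_TYPES:
            by_source[src].append((_parse(ts), eid, account, host))

    for src, rows in by_source.items():
        # Fan-out: sliding window over successful remote logons, ordered by time.
        successes = [(t, h) for t, eid, _a, h in rows if eid == 4624]
        for i, (t0, _h) in enumerate(successes):
            hosts = {h for t, h in successes[i:] if t - t0 <= window}
            if len(hosts) >= fanout_threshold:
                findings.append((src, "fanout", sorted(hosts)))
                break
        # Failure streak per account, reset whenever that account succeeds.
        streak = defaultdict(int)
        for _t, eid, account, host in rows:
            if eid == 4625:
                streak[account] += 1
            elif eid == 4624:
                if streak[account] >= failure_threshold:
                    findings.append((src, "brute_then_success", (account, host)))
                streak[account] = 0
    return findings


if __name__ == "__main__":
    for finding in detect_lateral_movement(EVENTS):
        print(finding)
```

The workstation 10.20.5.17 is flagged twice (three failures then a success against FS01, then the same account touching FS01, DC01 and SQL02 within minutes), while jsmith's two logons a day apart stay quiet. Real events carry the same fields (EventID, LogonType, TargetUserName, IpAddress, Computer), so the only change for production is the reader.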

Page 19: Attack Anatomy: Data ex-filtration

• Data is compressed
• Data is encrypted and sent over a common port such as 80 or 443
• Transmission is rate-limited to avoid detection
• Data is used for criminal purposes or to damage reputation
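The rate-limited, encrypted transfer over 443 described above is built to stay under volume-per-minute alarms, but it still leaves a signature in flow data: a long-lived session to one external address whose bytes out dwarf its bytes in, which normal browsing never looks like. As an added example that is not from the presentation, the Python below aggregates constructed NetFlow-style records per (source, destination, port) and flags upload-heavy sessions, separating the slow trickle from a fast bulk dump; the thresholds are assumptions for illustration.

```python
"""Flag slow, upload-heavy HTTPS sessions of the kind the exfiltration stage
relies on: encrypted data trickled out over port 443 to stay under volume alarms.

Added example, not from the presentation. Flow records are constructed
(NetFlow-style: start, end, src, dst, dport, bytes_out, bytes_in); thresholds
are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime

# Constructed flows. Line 1: six-hour trickle of 1.45 GB to one host on 443.
# Line 4: 900 MB pushed out in 40 seconds. Others are ordinary browsing.
FLOWS = """\
2013-03-10T01:00:00 2013-03-10T07:00:00 10.20.8.21 198.51.100.40 443 1450000000 12000000
2013-03-10T09:05:00 2013-03-10T09:05:12 10.20.8.21 93.184.216.34 443 48000 2400000
2013-03-10T09:10:00 2013-03-10T09:10:03 10.20.7.3 93.184.216.34 80 1200 310000
2013-03-10T12:00:00 2013-03-10T12:00:40 10.20.6.9 203.0.113.77 443 900000000 20000
2013-03-10T13:00:00 2013-03-10T13:30:00 10.20.9.8 198.51.100.41 443 5000000 3000000
"""

WEB_PORTS = {80, 443}


def _dt(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def summarize(flow_text):
    """Aggregate flows per (src, dst, dport): total seconds, bytes each way."""
    agg = defaultdict(lambda: {"seconds": 0.0, "out": 0, "in": 0})
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        start, end, src, dst, port, b_out, b_in = line.split()
        key = (src, dst, int(port))
        agg[key]["seconds"] += (_dt(end) - _dt(start)).total_seconds()
        agg[key]["out"] += int(b_out)
        agg[key]["in"] += int(b_in)
    return agg


def find_exfiltration(flow_text, min_bytes_out=100_000_000,
                      min_upload_ratio=10.0, slow_rate_bps=2_000_000,
                      min_seconds=3600):
    """Return sorted [(src, dst, port, label, mbytes_out)] for suspicious sessions.

    'slow_exfil': large upload-heavy transfer held under slow_rate_bps for at
    least min_seconds (the rate-limited case on the slide).
    'bulk_exfil': same upload profile but fast, i.e. not rate-limited.
    Ordinary browsing downloads far more than it uploads and is skipped by the
    upload-ratio check.
    """
    findings = []
    for (src, dst, port), s in summarize(flow_text).items():
        if port not in WEB_PORTS or s["out"] < min_bytes_out:
            continue
        ratio = s["out"] / max(s["in"], 1)
        if ratio < min_upload_ratio:
            continue
        rate_bps = s["out"] * 8 / max(s["seconds"], 1)
        if s["seconds"] >= min_seconds and rate_bps <= slow_rate_bps:
            label = "slow_exfil"
        else:
            label = "bulk_exfil"
        findings.append((src, dst, port, label, s["out"] // 1_000_000))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_exfiltration(FLOWS):
        print(finding)
```

The point of the two labels is that a bytes-per-minute threshold alone catches only the bulk case; the slow session averages about 0.5 Mbit/s, well inside normal traffic, and is only visible once bytes are summed per peer over hours and compared against the bytes received.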

Page 20: Recommendations

1. Build a strong security foundation

2. Have an Incident Response Plan ready

3. Know who to call

Page 21: Build a Security Foundation

• SANS Top 20 Critical Security Controls
• Australian DoD (DSD) mitigation strategies
• NIST guidelines

Page 22: Develop Incident Response Mechanisms

• Have a plan (NIST SP 800-61 Rev. 2)

• Know the priority of your assets

• Exercise your plan: 15-minute tabletops, and a functional exercise every 6 months

• Recognize that in many cases you will not be able to contain the incident yourself

Page 23: Establish Partnerships

• MS-ISAC: forensic analysis, log analysis, malware reverse engineering and disassembly, vulnerability scanning (application and host)

• FBI Cyber Task Force (CTF): incident response, threat assessment, information sharing

• EMD (Washington Emergency Management Division): significant cyber event response

Page 24: Questions