The Breach Kill Chain and
a Layered Security Model
April 2016
1 © 2016 Protiviti Inc. An Equal Opportunity Employer.
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.
Speaker Today
Dan Hansen is a Director in Protiviti's IT Consulting Practice and leads the Security & Privacy practice in the San Francisco Bay Area. He has over 15 years of experience in delivering high value projects in multiple industries focusing on information security, compliance, business continuity, and IT audit.
Dan is a Certified Information Systems Auditor (CISA), Payment Card Industry Qualified Security Assessor (PCI-QSA) and Certified Business Continuity Professional (CBCP).
Agenda
Data Breach Overview
Layered Security
Data Breach Incident Response
What You Can Do Today
Questions
Data Breach Overview
Large Data Breaches of the Decade
2005: CardSystems Solutions: 40 million credit card accounts exposed. CSS, one of the top payment processors for Visa, MasterCard and American Express, is ultimately forced into acquisition.
2006: AOL: Data on more than 20 million web inquiries, from more than 650,000 users, including shopping and banking data, were posted publicly on a web site.
2007: Monster.com: Confidential information of 1.3 million job seekers stolen and used in a phishing scam.
2008: Wyndham Hotels: Sued by the U.S. Federal Government after sensitive customer data, including credit card numbers and personal information, allegedly were stolen three times in less than two years.
2009: Google/other Silicon Valley companies: Stolen intellectual property.
2011: Sony's PlayStation Network: 77 million PlayStation Network accounts hacked; Sony is said to have lost millions while the site was down for a month.
2013: Target: Credit and debit card data breach.
2014: Home Depot: new largest credit card breach.
2015: Anthem: most damaging identity theft breach.
"Some of the more obvious results of IS failures include reputational damage, placing the organization at a competitive disadvantage, and contractual noncompliance. These impacts should not be underestimated."
― The IIA Research Foundation
Source: CNN, NBC, CSO Online
Data Breach Statistics
(Chart: significant threat actions over time, by percentage. Source: Verizon.)
Profiling Threat Actors
Layered Security
Layered Security Model
Defense in Depth
Compliance does not equal security!
Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise.
If a hacker gains access to a system, defense in depth minimizes the adverse impact and gives administrators and engineers time to deploy new or updated countermeasures to prevent recurrence.
Physical Security
User Awareness
Firewalls and IDS/IPS
Logical Access
Anti-Virus
Patch Management
Device Configuration
Source: http://searchsecurity.techtarget.com/definition/defense-in-depth
Breach Kill Chain
1. Initial Attack Vector
2. Establish Foothold
3. Identify Interesting Data
4. Distribute Malware / Make Persistent
5. Exfiltrate Data
6. Persist Undetected
The attack can be disrupted at any point in the kill chain. Ideally, a company will have controls at each point to create a defense in depth strategy. The "cyber kill chain" model shows that cyber attacks can and do incorporate a broad range of malevolent actions, from spear phishing and espionage to malware and data exfiltration, and that an intrusion may persist undetected for an indefinite period.
Layered Controls Using Breach Kill Chain
Kill chain phases: 1 Initial Attack Vector; 2 Establish Foothold; 3 Identify Interesting Data; 4 Distribute Malware / Make Persistent; 5 Exfiltrate Data; 6 Persist Undetected.
The matrix marks each control against the phases it helps disrupt; the number of the six phases marked for each control is given in parentheses.
• Anti-Malware and Malware Detection (4 phases)
• Application Whitelisting (2 phases)
• Application Security (1 phase)
• Awareness Training (2 phases)
• Change Management Procedures (1 phase)
• Data Encryption Techniques (1 phase)
• Data Loss Prevention Techniques (2 phases)
• Data Reduction Techniques (1 phase)
• Endpoint Restrictions (disable removable media) (2 phases)
• File Integrity Monitoring (3 phases)
• Internet Perimeter Controls (2 phases)
• Log Review and Monitoring (2 phases)
• Mobile Device Security (1 phase)
• Multi-Factor Authentication (2 phases)
• Network Access Control (1 phase)
• Network Segmentation (3 phases)
• Outbound Traffic Restrictions & Filtering (5 phases)
• Privileged Account Management (3 phases)
• System Hardening & Secure Build Procedures (3 phases)
• Third Party Access Controls (1 phase)
• User Account Security (1 phase)
• Vulnerability Management/Patching (3 phases)
• Wireless Controls (2 phases)
Australian Signals Directorate Top 4
Each mitigation strategy is rated on: user resistance; upfront cost (staff, equipment, technical complexity); maintenance cost (mainly staff); whether it helps detect intrusions; and whether it helps mitigate intrusion stage 1 (code execution), stage 2 (network propagation) and stage 3 (data exfiltration).
1. Application whitelisting of permitted/trusted programs to prevent execution of malicious or unapproved programs including DLL files, scripts and installers.
   User resistance: Medium. Upfront cost: High. Maintenance cost: Medium. Helps detect intrusions: Yes. Mitigates stage 1: Yes; stage 2: Yes; stage 3: Yes.
2. Patch applications (e.g., Java, PDF viewers, Flash, web browsers and Microsoft Office). Patch or mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest version of applications.
   User resistance: Low. Upfront cost: High. Maintenance cost: High. Helps detect intrusions: No. Mitigates stage 1: Yes; stage 2: Possible; stage 3: No.
3. Patch operating system vulnerabilities. Patch or mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest suitable operating system. Avoid Windows XP.
   User resistance: Low. Upfront cost: Medium. Maintenance cost: Medium. Helps detect intrusions: No. Mitigates stage 1: Yes; stage 2: Possible; stage 3: No.
4. Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for email and web browsing.
   User resistance: Medium. Upfront cost: Medium. Maintenance cost: Low. Helps detect intrusions: No. Mitigates stage 1: Possible; stage 2: Yes; stage 3: No.
Audit Report Presentation
NIST Cyber Security Framework
Data Breach Incident Response
The First 24 Hours Checklist
• Record the date and time when the breach was discovered, as well as the current date and time when response efforts begin (i.e., when someone on the response team is alerted to the breach).
• Alert and activate everyone on the response team, including external resources, to begin executing your preparedness plan.
• Secure the premises around the area where the data breach occurred to help preserve evidence.
• Stop additional data loss. Take affected machines offline (isolate them from the network) but do not turn them off or start probing into the computer until your forensics team arrives; powering a machine down destroys volatile evidence such as memory-resident malware and active network connections.
• Document everything known thus far about the breach: who discovered it, who reported it, to whom it was reported, who else knows about it, what type of breach occurred, what was stolen, how it was stolen, what systems are affected, what devices are missing, etc.
• Interview those involved in discovering the breach and anyone else who may know about it. Document your investigation.
• Review protocols regarding disseminating information about the breach for everyone involved in this early stage.
• Assess priorities and risks based on what you know about the breach.
• Bring in your forensics firm to begin an in-depth investigation.
• Notify law enforcement, if needed, after consulting with legal counsel and upper management.
Source: Experian
What You Can Do Today
1. Forensics analysis on a sample of systems looking for malware and signs of intrusion
• Look for rogue applications in memory that may attempt to masquerade as svchost and/or other programs on terminals and servers.
• Look for a rogue data manager application on internal LAN servers.
2. Traffic analysis on a sample of networks looking for suspicious traffic
• Audit networks for possible rogue PING messages that contain custom text messages.
• Look for unauthorized FTP exfiltration on Internet-accessible hosts/servers.
• Look for suspicious network traffic.
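The two "look for" checks above (rogue ping payloads and svchost masquerading) are easy to script. The following is an added example and not code from the slides or from Protiviti: it parses constructed IPv4/ICMP packets and flags echo payloads that do not match the default Windows or Linux ping patterns (the patterns are assumed from common ping implementations), and it screens a constructed process listing for svchost.exe lookalikes that run from the wrong path or parent. The packet builder, sample packets, process records and all function names are assumptions made for this example.

```python
"""Two triage checks: rogue ICMP echo payloads and svchost.exe masquerading.

Added example, not part of the original slides. Sample packets and the process
listing are constructed inline; the 'normal' ping payloads are the ones commonly
produced by Windows ping.exe and Linux iputils ping (assumed baseline).
"""
import struct
from typing import Optional

# --- 1. Rogue ICMP echo payloads ---------------------------------------------
# Windows ping.exe sends this 32-byte string; Linux iputils sends a timestamp
# (8 or 16 bytes depending on build) followed by a run of incrementing bytes.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def _is_incrementing(data: bytes) -> bool:
    """True when every byte is exactly one greater than the previous byte (mod 256)."""
    return len(data) >= 2 and all(b == (a + 1) & 0xFF for a, b in zip(data, data[1:]))


def is_default_ping_payload(payload: bytes) -> bool:
    """Match the well-known echo payloads so ordinary pings are not reported."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return any(_is_incrementing(payload[skip:]) for skip in (8, 16) if len(payload) > skip + 1)


def parse_ipv4_icmp(packet: bytes) -> Optional[tuple]:
    """Return (icmp_type, icmp_code, payload) for an IPv4/ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:   # IP protocol 1 = ICMP
        return None
    icmp = packet[ihl:]
    return icmp[0], icmp[1], icmp[8:]             # type, code, data after the 8-byte header


def rogue_ping_text(packet: bytes) -> Optional[str]:
    """Return the embedded text of a suspicious echo request/reply, or None."""
    parsed = parse_ipv4_icmp(packet)
    if parsed is None or parsed[0] not in (0, 8):  # 8 = echo request, 0 = echo reply
        return None
    payload = parsed[2]
    if is_default_ping_payload(payload):
        return None
    printable = sum(32 <= b < 127 for b in payload)
    # A ping payload that is almost entirely printable ASCII is someone tunnelling text over ICMP.
    if payload and printable / len(payload) > 0.9:
        return payload.decode("ascii", "replace")
    return None


def build_icmp_echo(payload: bytes, icmp_type: int = 8) -> bytes:
    """Construct a minimal IPv4 + ICMP echo packet (checksums left zero; not validated above)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(payload), 0x1234, 0,
                         64, 1, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 0x0001, 1)  # type, code, cksum, id, seq
    return ip_hdr + icmp_hdr + payload


# --- 2. Processes masquerading as svchost.exe --------------------------------
# Legitimate svchost.exe lives under System32 (or SysWOW64) and is started by services.exe.
SVCHOST_PATHS = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}
LOOKALIKES = {"svchost.exe", "svch0st.exe", "scvhost.exe", "svchosts.exe", "svhost.exe"}


def suspicious_svchost(processes: list) -> list:
    """Return names of processes that look like svchost but are not the real one.

    Each process is a dict with 'name', 'path' and 'parent' (parent image name),
    the fields a tasklist/Get-Process style export gives you.
    """
    findings = []
    for p in processes:
        name = p["name"].lower()
        if name not in LOOKALIKES:
            continue
        bad_path = p["path"].lower() not in SVCHOST_PATHS
        bad_parent = p["parent"].lower() != "services.exe"
        if name != "svchost.exe" or bad_path or bad_parent:
            findings.append(p["name"])
    return findings


# Constructed samples (not captured data).
NORMAL_LINUX = build_icmp_echo(b"\x00" * 8 + bytes(range(0x10, 0x38)))
NORMAL_WINDOWS = build_icmp_echo(WINDOWS_PING_PAYLOAD)
ROGUE = build_icmp_echo(b"cmd:whoami;out:ADMIN$ reached")
SAMPLE_PROCESSES = [
    {"name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"name": "svchost.exe", "path": r"C:\Users\Public\svchost.exe", "parent": "explorer.exe"},
    {"name": "svch0st.exe", "path": r"C:\Windows\System32\svch0st.exe", "parent": "services.exe"},
]

if __name__ == "__main__":
    for label, pkt in (("linux", NORMAL_LINUX), ("windows", NORMAL_WINDOWS), ("rogue", ROGUE)):
        print(label, "->", rogue_ping_text(pkt))
    print("svchost findings:", suspicious_svchost(SAMPLE_PROCESSES))
```

Feed rogue_ping_text the raw bytes of each ICMP frame from a capture (stripping the link-layer header first) and suspicious_svchost a process export with image path and parent name; the text heuristic will miss ICMP tunnels that carry binary or encrypted data, so pair it with a check on payload size and echo frequency.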
What You Can Do Today (continued)
3. Alignment to NIST and Australian Signals Directorate best practices
Pick a model and assess your security against that model.
At least 85% of the targeted cyber intrusions that the Australian Signals Directorate (ASD) responds to could be prevented by following the Top 4 mitigation strategies listed in their Strategies to Mitigate Targeted Cyber Intrusions:
• Use application whitelisting to help prevent malicious software and unapproved programs from running.
• Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office.
• Patch operating system vulnerabilities.
• Restrict administrative privileges to operating systems and applications based on user duties.
http://www.asd.gov.au/infosec/top35mitigationstrategies.htm
What You Can Do Today (continued)
3. Alignment to NIST, VISA, and Australian Signals Directorate best practices (continued)
• Logging and monitoring
– Implement tools to detect anomalous network traffic and anomalous behavior by legitimate users (compromised credentials).
– Offload logs to a dedicated server in a secure location where unauthorized users can't tamper with them.
– Aggregate events and logs from network devices and applications.
– Use threat intelligence to analyze and uncover malicious behavior on the network.
• Network architecture: restrict outbound traffic at the firewall.
• Secure remote access.
• Implement data leakage prevention/detection tools to detect and help prevent data exfiltration.
• Incident Response Plans
– Invest in a dedicated incident response team (IRT) that has the knowledge, training and certification to respond to a breach. For more information on IRT training, visit the SANS Institute website.
– Test and document incident response plans to identify and remediate any gaps prior to an attack.
– Plans should be updated periodically to address emerging threats.
– Look at controls relative to the Breach Kill Chain.
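The "detect anomalous network traffic" item above lends itself to a concrete check for command-and-control beaconing, which is how malware in the "persist undetected" phase of the kill chain stays in touch with its operator: small outbound connections to one destination at a fixed interval. The following is an added example and not code from the slides or from Protiviti. The flow log is constructed in a generic firewall/NetFlow export style, and the thresholds (min_hits, max_jitter, max_bytes_cv) and function names are assumptions made for this example.

```python
"""Beacon detection over outbound connection logs (added example, not from the slides).

Regular, same-sized outbound connections from one host to one external destination
are the signature of a check-in loop. The flow records below are constructed for
the example: timestamp, source host, destination IP, destination port, bytes out.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic). ws-117 talks to 203.0.113.10 every ~5 minutes
# with an almost constant payload; the other connections are ordinary browsing.
FLOW_LOG = """\
2016-04-05T09:00:02 ws-117 203.0.113.10 443 812
2016-04-05T09:00:10 ws-117 198.51.100.7 443 53120
2016-04-05T09:05:03 ws-117 203.0.113.10 443 806
2016-04-05T09:10:01 ws-117 203.0.113.10 443 815
2016-04-05T09:12:44 ws-117 198.51.100.7 443 90211
2016-04-05T09:15:02 ws-117 203.0.113.10 443 809
2016-04-05T09:20:04 ws-117 203.0.113.10 443 811
2016-04-05T09:25:01 ws-117 203.0.113.10 443 807
2016-04-05T09:31:17 ws-044 198.51.100.7 443 12034
2016-04-05T09:30:03 ws-117 203.0.113.10 443 813
2016-04-05T09:48:39 ws-044 203.0.113.77 80 4410
2016-04-05T10:02:11 ws-044 198.51.100.7 443 7732
"""


def parse_flows(text: str) -> list:
    """Parse whitespace-separated flow lines into (datetime, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows


def find_beacons(flows: list, min_hits: int = 6, max_jitter: float = 0.1,
                 max_bytes_cv: float = 0.25) -> list:
    """Return [(src, dst, port, interval_seconds)] for regular, same-sized outbound connections.

    A (src, dst, port) pair is flagged when it has at least min_hits connections, the
    gaps between them vary by less than max_jitter of the mean gap, and the byte counts
    are nearly constant (coefficient of variation below max_bytes_cv). Legitimate traffic
    to the same destination is irregular in both timing and size.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_pair[(src, dst, port)].append((ts, nbytes))

    beacons = []
    for (src, dst, port), events in by_pair.items():
        if len(events) < min_hits:
            continue
        events.sort()  # logs are not always written in time order
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        gap_mean = mean(gaps)
        if gap_mean <= 0:
            continue
        jitter = pstdev(gaps) / gap_mean
        size_cv = pstdev(sizes) / mean(sizes)
        if jitter <= max_jitter and size_cv <= max_bytes_cv:
            beacons.append((src, dst, port, round(gap_mean)))
    return beacons


if __name__ == "__main__":
    for src, dst, port, interval in find_beacons(parse_flows(FLOW_LOG)):
        print(f"{src} -> {dst}:{port} every ~{interval}s (possible C2 beacon)")
```

Run it against a real export by feeding parse_flows the columns your firewall or NetFlow collector produces, and tune the thresholds on a baseline of known-good traffic: implants that sleep with random jitter raise the gap variance and need a looser max_jitter, while legitimate software update checks can be just as regular as a beacon and must be allow-listed by destination.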
Questions
Contact
Daniel Hansen, Director
San Francisco, CA
Phone: +1.925.984.5151
Powerful Insights. Proven Delivery.™
Confidentiality Statement and Restriction for Use
This document contains confidential material proprietary to
Protiviti Inc. ("Protiviti"), a wholly-owned subsidiary of
Robert Half International Inc. ("RHI"). RHI is a publicly-
traded company and as such, the materials, information,
ideas, and concepts contained herein are non-public,
should be used solely and exclusively to evaluate the
capabilities of Protiviti to provide assistance to your
Company, and should not be used in any inappropriate
manner or in violation of applicable securities laws. The
contents are intended for the use of your Company and
may not be distributed to third parties.