The Breach Kill Chain and a Layered Security Model

April 2016


1 © 2016 Protiviti Inc. An Equal Opportunity Employer.

CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.

Speaker Today

Dan Hansen is a Director in Protiviti's IT Consulting Practice and leads the Security & Privacy practice in the San Francisco Bay Area. He has over 15 years of experience in delivering high value projects in multiple industries focusing on information security, compliance, business continuity, and IT Audit.

Dan is a Certified Information Systems Auditor (CISA), Payment Card Industry Quality Security Assessor (PCI-QSA) and Certified Business Continuity Professional (CBCP).

[email protected]


Agenda

Data Breach Overview

Layered Security

Data Breach Incident Response

What You Can Do Today

Questions


Data Breach Overview


Large Data Breaches of the Decade

2005 – CardSystems Solutions: 40 million credit card accounts exposed. CSS, one of the top payment processors for Visa, MasterCard and American Express, is ultimately forced into acquisition.

2006 – AOL: Data on more than 20 million web inquiries, from more than 650,000 users, including shopping and banking data, were posted publicly on a web site.

2007 – Monster.com: Confidential information of 1.3 million job seekers stolen and used in a phishing scam.

2008 – Wyndham Hotels: Sued by the U.S. Federal Government after sensitive customer data, including credit card numbers and personal information, allegedly were stolen three times in less than two years.

2009 – Google/other Silicon Valley companies: Stolen intellectual property.

2011 – Sony's PlayStation Network: 77 million PlayStation Network accounts hacked; Sony is said to have lost millions while the site was down for a month.

2013 – Target: Credit and debit card data breach!

2014 – Home Depot: new largest credit card breach!

2015 – Anthem: Most damaging identity theft breach!

"Some of the more obvious results of IS failures include reputational damage, placing the organization at a competitive disadvantage, and contractual noncompliance. These impacts should not be underestimated."

― The IIA Research Foundation

Source: CNN, NBC, CSO Online


Data Breach Statistics

Chart: Significant threat actions over time by percentage. Source: Verizon


Profiling Threat Actors


Layered Security


Layered Security Model


Defense in Depth

Compliance does not equal security!

Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise.

If a hacker gains access to a system, defense in depth minimizes the adverse impact and gives administrators and engineers time to deploy new or updated countermeasures to prevent recurrence.

Layers shown in the model:

Physical Security
User Awareness
Firewalls and IDS/IPS
Logical Access
Anti-Virus
Patch Management
Device Configuration

Source: http://searchsecurity.techtarget.com/definition/defense-in-depth


Breach Kill Chain

1. Initial Attack Vector
2. Establish Foothold
3. Identify Interesting Data
4. Distribute Malware (ongoing collection)
5. Exfiltrate Data
6. Persist Undetected

The attack can be disrupted at any point in the kill chain. Ideally, a company will have controls at each point to create a defense in depth strategy. The "cyber kill chain" model shows that cyber attacks can and do incorporate a broad range of malevolent actions, from spear phishing and espionage to malware and data exfiltration that may persist undetected for an indefinite period.


Layered Controls Using Breach Kill Chain

Phases: 1 Initial Attack Vector; 2 Establish Foothold; 3 Identify Interesting Data; 4 Distribute Malware / Make Persistent; 5 Exfiltrate Data; 6 Persist Undetected

Control (one X for each phase in which the control applies):

Anti-Malware and Malware Detection X X X X

Application Whitelisting X X

Application Security X

Awareness Training X X

Change Management Procedures X

Data Encryption Techniques X

Data Loss Prevention Techniques X X

Data Reduction Techniques X

Endpoint Restrictions (disable removable media) X X

File Integrity Monitoring X X X

Internet Perimeter Controls X X

Log Review and Monitoring X X

Mobile Device Security X

Multi-Factor Authentication X X

Network Access Control X

Network Segmentation X X X

Outbound Traffic Restrictions & Filtering X X X X X

Privileged Account Management X X X

System Hardening & Secure Build Procedures X X X

Third Party Access Controls X

User Account Security X

Vulnerability Management/Patching X X X

Wireless Controls X X


Australian Signals Directorate Top 4

Columns: Mitigation strategy | User Resistance | Upfront Cost (Staff, Equipment, Technical Complexity) | Maintenance Cost (Mainly Staff) | Helps Detect Intrusions | Helps Mitigate Intrusion Stage 1: Code Execution | Helps Mitigate Intrusion Stage 2: Network Propagation | Helps Mitigate Intrusion Stage 3: Data Exfiltration

Application whitelisting of permitted/trusted programs to prevent execution of malicious or unapproved programs including DLL files, scripts and installers. | Medium | High | Medium | Yes | Yes | Yes | Yes

Patch applications (e.g., Java, PDF viewers, Flash, web browsers and Microsoft Office). Patch or mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest version of applications. | Low | High | High | No | Yes | Possible | No

Patch operating system vulnerabilities. Patch or mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest suitable operating system. Avoid Windows XP. | Low | Medium | Medium | No | Yes | Possible | No

Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for email and web browsing. | Medium | Medium | Low | No | Possible | Yes | No
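As an added example that is not part of the slides, a control matrix like the ASD Top 4 table above (or the six-phase Layered Controls table once each X is placed in its column) can be turned into a depth-of-coverage check: count how many controls firmly cover each stage and flag stages that hang on a single control. The ratings are transcribed from the ASD table; column names are shortened.

```python
# Added example: depth-of-coverage check over a control / intrusion-stage matrix.
# Ratings transcribed from the ASD Top 4 table on this page. Detect = Helps Detect
# Intrusions; Stage 1..3 = Helps Mitigate Intrusion Stage 1..3.
ASD_TOP4 = {
    "Application whitelisting":  {"Detect": "Yes", "Stage 1": "Yes",      "Stage 2": "Yes",      "Stage 3": "Yes"},
    "Patch applications":        {"Detect": "No",  "Stage 1": "Yes",      "Stage 2": "Possible", "Stage 3": "No"},
    "Patch operating systems":   {"Detect": "No",  "Stage 1": "Yes",      "Stage 2": "Possible", "Stage 3": "No"},
    "Restrict admin privileges": {"Detect": "No",  "Stage 1": "Possible", "Stage 2": "Yes",      "Stage 3": "No"},
}


def coverage(matrix):
    """Per column: which controls are rated Yes (firm) and which only Possible."""
    cov = {}
    for control, ratings in matrix.items():
        for column, value in ratings.items():
            entry = cov.setdefault(column, {"firm": [], "possible": []})
            if value == "Yes":
                entry["firm"].append(control)
            elif value == "Possible":
                entry["possible"].append(control)
    return cov


def single_points_of_failure(matrix):
    """Columns defended firmly by exactly one control: if that control is bypassed
    or misconfigured, only 'Possible' mitigations remain for that stage."""
    return sorted(col for col, c in coverage(matrix).items() if len(c["firm"]) == 1)


def depth_report(matrix, min_firm=2):
    """One line per column, marking columns below the desired number of firm controls."""
    lines = []
    for column, c in coverage(matrix).items():
        status = "OK" if len(c["firm"]) >= min_firm else "THIN"
        lines.append(f"{column}: firm={len(c['firm'])} possible={len(c['possible'])} -> {status}")
    return lines


if __name__ == "__main__":
    for line in depth_report(ASD_TOP4):
        print(line)
    print("single points of failure:", single_points_of_failure(ASD_TOP4))
```

Run against the Top 4 alone, both detection and Stage 3 (exfiltration) rest on application whitelisting only, which is why the later slides pair the Top 4 with logging, outbound restrictions and DLP.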


Audit Report Presentation


NIST Cyber Security Framework



Data Breach Incident Response


The First 24 Hours Checklist

Record the date and time when the breach was discovered, as well as the current date and time when response efforts begin (i.e., when someone on the response team is alerted to the breach).

Alert and activate everyone on the response team, including external resources, to begin executing your preparedness plan.

Secure the premises around the area where the data breach occurred to help preserve evidence.

Stop additional data loss. Take affected machines offline but do not turn them off or start probing into the computer until your forensics team arrives.

Document everything known thus far about the breach: Who discovered it, who reported it, to whom was it reported, who else knows about it, what type of breach occurred, what was stolen, how was it stolen, what systems are affected, what devices are missing, etc.

Interview those involved in discovering the breach and anyone else who may know about it. Document your investigation.

Review protocols regarding disseminating information about the breach for everyone involved in this early stage.

Assess priorities and risks based on what you know about the breach.

Bring in your forensics firm to begin an in-depth investigation.

Notify law enforcement, if needed, after consulting with legal counsel and upper management.

Source: Experian


What You Can Do Today


What You Can Do Today

1. Forensics analysis on a sample of systems looking for malware and signs of intrusion

• Look for rogue applications in memory that may attempt to masquerade as svchost and/or other programs on terminals and servers.
• Look for a rogue data manager application on internal LAN servers.

2. Traffic analysis on a sample of networks looking for suspicious traffic

• Audit networks for possible rogue PING messages that contain custom text messages.
• Look for unauthorized FTP exfiltration on Internet-accessible hosts/servers.
• Look for suspicious network traffic.
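One way to act on the "masquerade as svchost" item, as an added example that is not from the slides: score a process inventory against what genuine svchost.exe looks like on Windows (image in System32 or SysWOW64, parent services.exe, exact name rather than a lookalike). The inventory below is constructed; a real one would come from an EDR export or a tasklist/WMI dump.

```python
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str   # image name as reported by the tool
    path: str   # full image path


# Constructed inventory (not from the slides): one genuine svchost, one copy
# launched from a user-writable folder by explorer.exe, one lookalike name.
SAMPLE = [
    Proc(500, 4, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(600, 500, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(800, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(3200, 3000, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(4100, 3200, "svchost.exe", r"C:\Users\Public\svchost.exe"),
    Proc(4200, 3200, "svch0st.exe", r"C:\ProgramData\svch0st.exe"),
]

LEGIT_PATHS = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}
LEGIT_PARENT = "services.exe"


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss names such as svch0st.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def svchost_findings(procs):
    """Return (pid, reason) pairs for processes that claim to be svchost but do not
    match the genuine image's path or parent, or whose name merely resembles it."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        if name != "svchost.exe":
            if edit_distance(name, "svchost.exe") <= 2:
                findings.append((p.pid, "lookalike name"))
            continue
        if p.path.lower() not in LEGIT_PATHS:
            findings.append((p.pid, "image not in System32/SysWOW64"))
        parent = by_pid.get(p.ppid)
        if parent is None or parent.name.lower() != LEGIT_PARENT:
            findings.append((p.pid, "parent is not services.exe"))
    return findings
```

The account name is deliberately not used as a signal, because Windows 10 per-user services also run svchost.exe under ordinary user accounts.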


What You Can Do Today (continued)

3. Alignment to NIST and Australian Signals Directorate best practices

Pick a model and assess your security to that model.

At least 85% of the targeted cyber intrusions that the Australian Signals Directorate (ASD) responds to could be prevented by following the Top 4 mitigation strategies listed in their Strategies to Mitigate Targeted Cyber Intrusions:

• Use application whitelisting to help prevent malicious software and unapproved programs from running.
• Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office.
• Patch operating system vulnerabilities.
• Restrict administrative privileges to operating systems and applications based on user duties.

http://www.asd.gov.au/infosec/top35mitigationstrategies.htm


What You Can Do Today (continued)

3. Alignment to NIST, VISA, and Australian Signals Directorate best practices (continued)

• Logging and monitoring
– Implement tools to detect anomalous network traffic and anomalous behavior by legitimate users (compromised credentials).
– Offload logs to a dedicated server in a secure location where unauthorized users can't tamper with them.
– Aggregate events and logs from network devices and applications.
– Use intelligence to analyze and uncover malicious behavior on the network.
• Network architecture – firewall outbound restrictions
• Secure remote access
• Implement data leakage prevention/detection tools to detect and help prevent data exfiltration
• Incident Response Plans
– Invest in a dedicated incident response team (IRT) that has the knowledge, training and certification to respond to a breach. For more information on IRT training, visit the SANS Institute website.
– Test and document incident response plans to identify and remediate any gaps prior to an attack.
– Plans should be updated periodically to address emerging threats.
– Look at controls relative to the Breach Kill Chain.


Contact

Powerful Insights. Proven Delivery.™

Daniel Hansen, Director
San Francisco, CA
Phone: +1.925.984.5151
[email protected]


Confidentiality Statement and Restriction for Use

This document contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly-owned subsidiary of Robert Half International Inc. ("RHI"). RHI is a publicly-traded company and as such, the materials, information, ideas, and concepts contained herein are non-public, should be used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to your Company, and should not be used in any inappropriate manner or in violation of applicable securities laws. The contents are intended for the use of your Company and may not be distributed to third parties.