State and Local Government Cyber Threat Landscape

Posted on 17-Sep-2020

Stacey Wright, Senior Intelligence Program Manager, MS-ISAC

State and Local Government Cyber Threat Landscape

What is your experience level with the cybersecurity preparations of your agency?

• None – I’m here because I’m curious and want to learn
• Some – I get basic information/basic organizational briefings
• More than most – I’m on the team responsible for addressing cybersecurity or cyber response
• I’m responsible for the organization’s cybersecurity/responsiveness to cyber concerns

TLP: WHITE

ISACs: Information Sharing and Analysis Centers

Created via PPD 63, May 22, 1998, to allow the private sector to come together, share information, perform analysis, and respond to incidents.

(Graphic: logos of the sector ISACs, among them Legal Services and EMR-ISAC)

Multi-State Information Sharing and Analysis Center

The MS-ISAC has been designated by DHS as the key resource for cyber threat prevention, protection, response and recovery for the nation’s state, local, tribal, and territorial governments.

https://www.cisecurity.org/ms-isac/

MS-ISAC: Who We Serve

Members include:
• 50 State Governments
• 79 DHS-Recognized Fusion Centers
• 6 Territorial Governments
• 39 Tribal Governments
• More than 1,600 local governments

State, Local, Tribal, and Territorial: cities, counties, towns, airports, public education, police departments, ports, transit associations, and more

Benefits of MS-ISAC Membership

Free and Voluntary. No Mandated Information Sharing. Only an NDA Required.

Benefits:
− Access to information, intelligence, products, resources, and webcasts
− Insider access to federal information
− Training and resource discounts
− CIS SecureSuite discounts
− HSIN Community of Interest (COI)
− Cybersecurity exercise participation
− Malicious Code Analysis Platform (MCAP)

https://learn.cisecurity.org/ms-isac-registration

Why SLTT Governments?

Criminals look for data...and governments have a lot of it!

Malware Trends

• Most common malware type: Financial
• Most popular infection vector: Malspam
• Common Tactics
  – Scraping address books
  – Sending spam
  – Stealing banking and social media passwords
  – Redirecting traffic to malicious sites
  – Gathering reconnaissance information

Ransomware

(Chart: MS-ISAC Ransomware Notifications by family: Cryptowall, Tesla/Alphacrypt, Locky, Cerber, CryptXXX, Other)

Prevention Mechanisms
1. Keep your systems patched
2. Keep your AV up-to-date
3. Email filtering
4. End user training and awareness
5. Have offline backups

Recent Trends
1. New variants / TTPs
2. Ransomware-as-a-Service
3. Used in extortion schemes
4. Data exfiltration

Ransomware - Don’t Be Next

Plan
• Discuss what a ransomware infection would cost your specific agency and make decisions before infection occurs
• Keep in mind – in 20% of cases, decryption keys do not work
• Prepare and test protocols for multiple scenarios and have recovery plans in place

Prevent
• Keep your systems patched – desktops and servers
• Ensure up-to-date backups are stored offline and regularly tested
• Email filtering
• Keep your AV and firewall patched
• End user training and awareness

Malware Initiation Vectors

(Chart: malware initiation vectors)

BEC Scam: Business Email Compromise

1. CEO Compromise Variant
   − Results in a wire transfer
   − Targets finance depts
   − Spoofed or compromised executive account
   − Millions lost

2. Purchase Order Variant
   − a.k.a. Bogus Invoice Scheme, Supplier Swindle
   − May include spoofed domains and copied purchase orders
   − Schools are frequent SLTT targets

3. W-2 Phishing Info Variant
   − Results in PII data breach
   − Targets finance or HR depts
   − Results in filing of fraudulent tax returns
   − Spoofed or compromised executive account

4. Attorney Impersonation Variant

Where To Report?
1. The MS-ISAC (cisecurity.org/ms-isac)
2. IC3 (ic3.gov)
3. The IRS (irs.gov/help)


BEC: CEO Compromise Example

Date:
FROM: CEO
TO: Finance Department
SUBJECT: Question

Are you available? Wire transfer needs to go out. Also what is the balance of General Funding Account? Let me know when you are ready. Reply as soon as possible.

Sent from my iPhone

Annotations on the example:
• From an Executive
• Financial aim
• Social Engineering
• Formatting error
• Abrupt text to mimic urgent email from a mobile device

BEC: W-2 Phishing Example

Annotations on the example:
• Appears legitimate
• Refers to some “problem”
• Social engineering: signed by trusted party
• 1st: directs to credential harvesting website
• 2nd: directs to credential harvesting website

BEC - Don’t Be Next

Plan
• Have a policy for reporting BEC and similar phishing emails
• Educate finance and HR departments
• Collaborate with finance and HR departments to ensure their policies are supported by technological solutions (e.g. encryption)
• Train users in detecting social engineering attempts

Prevent
• Add warning banners for emails from external sources
• Implement filters at your email gateway

React
• ~72 hours to stop a wire transfer
• Report BEC scams/attempts to:
  - IC3/FBI at https://bec.ic3.gov/
  - MS-ISAC at soc@msisac.org
  - Tax-related scams/attempts also to: IRS at https://www.irs.gov
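The two "Prevent" controls on this slide, an external-sender banner and a gateway filter, can be combined into one screening step. The following is an added example and is not code from the MS-ISAC deck: it parses messages with the standard-library `email` package, tags external mail in the subject, and quarantines mail that carries the hallmarks called out in the CEO-compromise example (an executive's display name on an outside address, urgency, a money request, a mobile-device signature). The organisation domain `example-county.gov`, the executive directory, the scoring weights and the three sample messages are all constructed for illustration; the first sample reproduces the deck's CEO-compromise text.

```python
"""Gateway-style BEC screening over constructed sample messages.

Added example, not from the MS-ISAC deck: it applies the slide's two
"Prevent" controls, an external-sender banner and a gateway filter, using the
standard-library `email` parser.  The organisation domain, executive directory,
weights and the three messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-county.gov"                          # constructed
EXECUTIVES = {"jane doe": "jane.doe@example-county.gov"}   # constructed directory

URGENCY_WORDS = ("wire transfer", "as soon as possible", "urgent", "are you available")
FINANCE_WORDS = ("wire", "balance", "invoice", "w-2", "account")
MOBILE_TAGS = ("sent from my iphone", "sent from my mobile")

# Constructed scoring scheme, not an MS-ISAC rule set.
WEIGHTS = {"spoofed_executive": 3, "reply_to_mismatch": 2,
           "urgency": 1, "finance": 1, "mobile_signature": 1}


def _domain(address):
    return address.rpartition("@")[2].lower()


def assess_message(raw):
    """Return which checks fired, a score, an action and the banner-tagged subject.

    Assumes single-part text/plain messages, as in the constructed samples."""
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload().lower()
    subject = msg.get("Subject", "")

    external = _domain(sender) != ORG_DOMAIN
    hits = {
        # A known executive's display name on an address outside the organisation.
        "spoofed_executive": external and display_name.lower() in EXECUTIVES,
        # Replies silently routed to a domain other than the visible sender's.
        "reply_to_mismatch": bool(reply_to) and _domain(reply_to) != _domain(sender),
        "urgency": any(w in body for w in URGENCY_WORDS),
        "finance": any(w in body for w in FINANCE_WORDS),
        "mobile_signature": any(t in body for t in MOBILE_TAGS),
    }
    score = sum(WEIGHTS[k] for k, fired in hits.items() if fired)

    if hits["spoofed_executive"] or (
            hits["reply_to_mismatch"] and (hits["urgency"] or hits["finance"])):
        action = "quarantine"   # hold for the security team and out-of-band verification
    elif external:
        action = "banner"       # deliver with the external warning prepended
    else:
        action = "deliver"

    if external and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject
    return {"external": external, "score": score, "action": action,
            "subject": subject, **hits}


# Constructed samples; the first reproduces the deck's CEO-compromise text.
SAMPLE_SPOOFED_EXEC = """\
From: Jane Doe <jane.doe@mail-example.net>
To: finance@example-county.gov
Subject: Question

Are you available? Wire transfer needs to go out.
Also what is the balance of General Funding Account?
Let me know when you are ready. Reply as soon as possible.

Sent from my iPhone
"""

SAMPLE_INTERNAL = """\
From: Jane Doe <jane.doe@example-county.gov>
To: finance@example-county.gov
Subject: Budget meeting

Please bring the Q3 figures to Thursday's meeting.
"""

SAMPLE_VENDOR = """\
From: Accounts <billing@supplier-example.com>
To: finance@example-county.gov
Subject: October invoice

Attached is the invoice for October. Please remit by the end of the month.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_SPOOFED_EXEC, SAMPLE_INTERNAL, SAMPLE_VENDOR):
        result = assess_message(raw)
        print(result["action"], result["score"], result["subject"])
```

The spoofed message is quarantined on the display-name check alone; the legitimate vendor invoice is still delivered, only with the banner, so the filter does not get in the way of ordinary external business.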

BEC Workshops

Free, half-day workshops:
• October 19 - Kennedy Space Center, FL
• October 25 - Hudson, OH
• October 26 – Phoenix, AZ - Desert Willow Conference Center
• October 27 – Denver, CO - History Colorado Center
• October 30 – Nashville, TN - HCA Main Presentation Stage
• November 3 – Boston, MA
• November 7 - Kansas City, KS - Kansas City Public Library
• November 8 - Los Angeles (Thousand Oaks), CA – Amgen, Inc.
• New York City, NY - Date TBD
• Dallas, TX - Date TBD

https://nhisac.org/events/nhisac-events/business-e-mail-compromise-workshop/

Identified Data Breaches

(Charts, 2012–2017: breaches by vector (Keylogging, Malware, Phishing, SQLi, Unknown Vector) and by entity type (Territory, State, Local, Edu))

Hoax Extortion Schemes

• Extortion demands; Bitcoin payments
• Known CTAs: Lizard Squad, Armada Collective, LulzSec, New World Hacking, Phantom Squad

High Profile Event Related Domains

(Chart: Domains Registered Containing “Equifax”)

Website Defacements by Month

(Chart: monthly defacement counts, Aug 2016 – Aug 2017, y-axis 0–250)

BOD 17-01 on Kaspersky

Who:
• Kaspersky Lab
  – Russian cybersecurity & antivirus company
  – Founded by former software engineer for Soviet Military Intelligence

Federal Changes:
• July 11: GSA removed Kaspersky Lab from the list of approved vendors
• September 13: DHS issued BOD 17-01 (Binding Operational Directive)

MS-ISAC recommendation: SLTTs should follow the guidance in the federal directive.

Source: https://www.dhs.gov/news/2017/09/13/dhs-statement-issuance-binding-operational-directive-17-01

BOD 18-01 on Email & Web Security

• Enable STARTTLS on all Internet-facing email servers;
• Enable valid SPF/DMARC records and implement specific DMARC policy rules;
• Disable SSLv2 and SSLv3 on email and web servers;
• Disable 3DES and RC4 on email and web servers;
• Use HTTPS-only with HSTS.

MS-ISAC recommendation: SLTTs should follow the guidance in the federal directive.

Source: https://cyber.dhs.gov/
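An SLTT that wants to follow the directive needs a way to measure itself against the five bullets above. The following is an added example, not code from the deck and not a DHS tool: it turns each bullet into a check run against a snapshot of one domain's mail and web configuration, and shows a weak snapshot beside a hardened one. In practice the SPF and DMARC strings come from DNS TXT lookups and the protocol and cipher lists from a TLS scanner; here both snapshots, the fictional domain `example-county.gov`, and the finding texts are constructed so the check runs offline. The DMARC end state of `p=reject` is the directive's; the one-year HSTS `max-age` threshold is an assumption taken from common guidance, not from the directive.

```python
"""BOD 18-01 posture check over constructed configuration snapshots.

Added example, not from the MS-ISAC deck and not a DHS tool.  The DNS
records, TLS settings and headers are constructed inline; in practice they
come from DNS lookups and a TLS scan.  The HSTS max-age threshold is an
assumption (commonly recommended one year), not a value from the directive.
"""
import re

ONE_YEAR = 31536000   # seconds; HSTS max-age threshold (assumption, see above)


def check_spf(record):
    """SPF must exist and must not end in +all, which authorises every sender."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record published"]
    if record.split()[-1].lower() == "+all":
        return ["SPF: ends in +all, so any host may send as this domain"]
    return []


def check_dmarc(record):
    """BOD 18-01's end state for DMARC is p=reject with aggregate reports flowing."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["DMARC: no v=DMARC1 record published"]
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"DMARC: policy is p={policy}; end state is p=reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so spoofing attempts go unreported")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of failing mail")
    return findings


def check_tls(label, cfg):
    """Flag SSLv2/SSLv3 and any cipher suite built on 3DES or RC4."""
    findings = [f"{label}: {proto} enabled; disable SSLv2 and SSLv3"
                for proto in cfg["protocols"] if proto.upper() in ("SSLV2", "SSLV3")]
    findings += [f"{label}: cipher {suite} uses 3DES or RC4"
                 for suite in cfg["ciphers"]
                 if re.search(r"3DES|DES-CBC3|RC4", suite, re.IGNORECASE)]
    return findings


def check_mail(cfg):
    findings = [] if cfg["starttls"] else ["mail: STARTTLS not offered"]
    return findings + check_tls("mail", cfg)


def check_web(cfg):
    findings = [] if cfg["https_only"] else ["web: plain HTTP still served (not HTTPS-only)"]
    hsts = cfg.get("hsts")
    if not hsts:
        findings.append("web: no Strict-Transport-Security header")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match or int(match.group(1)) < ONE_YEAR:
            findings.append("web: HSTS max-age shorter than one year")
    return findings + check_tls("web", cfg)


def assess(snapshot):
    """All findings for one domain; an empty list means the slide's bullets are met."""
    return (check_spf(snapshot["spf"]) + check_dmarc(snapshot["dmarc"])
            + check_mail(snapshot["mail"]) + check_web(snapshot["web"]))


# Constructed snapshots for a fictional domain: the weak one beside the hardened one.
WEAK_SNAPSHOT = {
    "spf": "v=spf1 include:_spf.mail-example.net +all",
    "dmarc": "v=DMARC1; p=none; pct=50",
    "mail": {"starttls": False, "protocols": ["TLSv1.2", "SSLv3"],
             "ciphers": ["AES128-GCM-SHA256", "DES-CBC3-SHA", "RC4-SHA"]},
    "web": {"https_only": False, "hsts": None, "protocols": ["TLSv1.2", "SSLv2"],
            "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384", "RC4-MD5"]},
}

HARDENED_SNAPSHOT = {
    "spf": "v=spf1 include:_spf.mail-example.net -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-county.gov",
    "mail": {"starttls": True, "protocols": ["TLSv1.2", "TLSv1.3"],
             "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384"]},
    "web": {"https_only": True, "hsts": "max-age=31536000; includeSubDomains",
            "protocols": ["TLSv1.2", "TLSv1.3"],
            "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384"]},
}

if __name__ == "__main__":
    for name, snap in (("weak", WEAK_SNAPSHOT), ("hardened", HARDENED_SNAPSHOT)):
        print(f"{name}: {len(assess(snap))} finding(s)")
        for line in assess(snap):
            print("  -", line)
```

The weak snapshot produces twelve findings, one per deviation from the bullets; the hardened snapshot produces none. A `pct` below 100 or a missing `rua` address are worth flagging separately because a domain can publish `p=reject` and still leave most spoofed mail unenforced or unreported.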

Key Reinstallation Attacks (KRACK)

• Targets 4-way handshake of WPA2 Protocol
• Man-in-the-Middle attack
• Forces nonce and session key reuse in WPA2
• Weaknesses are in the Wi-Fi standard not individual implementations
• Android and Linux can be tricked into using an all zero encryption key

The 4-way handshake, simplified:
1. We need a session key. Here’s random data to use.
2. OK. Here’s random data from me to use.
3. I think we have enough data.
4. Yep! I agree.
5. Session Key = PSK + random data + random data

Sources:
https://www.krackattacks.com/
https://www.kb.cert.org/vuls/id/228519
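The five steps above can be followed in a small client state machine that shows what "nonce and session key reuse" means and what the fix looks like. The following is an added example, not code from the deck or from the KRACK researchers: a toy supplicant (the Wi-Fi client) that derives the session key in step 5, installs it on message 3, and numbers every data frame with a packet counter. An unpatched client installs the key again when message 3 is retransmitted and thereby resets the counter, so the next frame reuses a (key, packet number) pair; the patched client acknowledges the retransmission but leaves the installed key alone. A flag also models the all-zero-key behaviour the slide attributes to Android and Linux clients. The HMAC-based key derivation and 32-byte random values are stand-ins, not the real 802.11 PRF; `nonce_reused` is the check a monitoring system would apply to see the reuse.

```python
"""Toy model of the WPA2 4-way handshake and the key-reinstallation fix.

Added example, not from the MS-ISAC deck nor from the KRACK researchers.  The
key derivation is a stand-in HMAC over "PSK + random data + random data", not
the real 802.11 PRF; the all-zero-key case models the behaviour the slide
attributes to Android/Linux clients.
"""
import hashlib
import hmac
import os


def derive_session_key(psk, anonce, snonce):
    """Slide step 5: session key from the PSK and both sides' random data (toy PRF)."""
    return hmac.new(psk, anonce + snonce, hashlib.sha256).digest()


class Supplicant:
    def __init__(self, psk, patched=True, clears_key_after_install=False):
        self.psk = psk
        self.patched = patched                        # install-once countermeasure
        self.clears_key = clears_key_after_install    # models the all-zero-key clients
        self.snonce = os.urandom(32)
        self.pending_key = None   # derived but not yet installed
        self.key = None           # installed session key
        self.packet_number = 0    # per-frame nonce counter, reset on every (re)install
        self.installed = False

    def on_message1(self, anonce):
        """Steps 1 and 2: receive the AP's random data, answer with our own."""
        self.pending_key = derive_session_key(self.psk, anonce, self.snonce)
        return self.snonce

    def on_message3(self):
        """Steps 3 and 4: AP says it has enough data; client agrees and installs the key.

        An unpatched client installs on every message 3, including a retransmitted
        one, and each install resets the packet number to zero.  The patched client
        still acknowledges the retransmission but leaves the installed key alone."""
        if self.patched and self.installed:
            return "message4"
        self.key = self.pending_key
        self.packet_number = 0
        self.installed = True
        if self.clears_key:
            # Some clients wiped the key material after the first install, so a
            # second install picks up an all-zero key (the slide's Android/Linux case).
            self.pending_key = bytes(len(self.key))
        return "message4"

    def send_frame(self):
        """Each data frame is protected with the installed key and a fresh packet number."""
        if self.key is None:
            raise RuntimeError("no session key installed")
        self.packet_number += 1
        return (self.key, self.packet_number)


def nonce_reused(frames):
    """Detector: a (key, packet number) pair seen twice means keystream reuse."""
    seen = set()
    for key, number in frames:
        if (key, number) in seen:
            return True
        seen.add((key, number))
    return False


def run_handshake(patched, clears_key_after_install=False, psk=b"constructed-psk"):
    """Handshake, one data frame, a retransmitted message 3, another data frame."""
    sta = Supplicant(psk, patched, clears_key_after_install)
    sta.on_message1(os.urandom(32))   # AP's random data
    sta.on_message3()                 # first message 3: key installed
    first = sta.send_frame()
    sta.on_message3()                 # message 3 arrives again (lost message 4, or a replay)
    second = sta.send_frame()
    return {
        "packet_numbers": [first[1], second[1]],
        "same_key": first[0] == second[0],
        "nonce_reused": nonce_reused([first, second]),
        "second_key_all_zero": second[0] == bytes(len(second[0])),
    }


if __name__ == "__main__":
    print("unpatched:", run_handshake(patched=False))
    print("patched:  ", run_handshake(patched=True))
    print("all-zero: ", run_handshake(patched=False, clears_key_after_install=True))
```

The unpatched run yields packet numbers `[1, 1]` under the same key, which is exactly the reuse the slide describes; the patched run yields `[1, 2]`. This is why the remedy was a client and access-point patch rather than a new PSK: the key derivation is unchanged, only the rule that an already-installed key is never installed again.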

Key Reinstallation Attacks (ROCA)

• Vulnerability in an implementation of RSA key generation due to a fault in an Infineon Technologies code library
  – RSA Library version v1.02.013
• Key test available at: https://keychest.net/roca
• NOT a vulnerability in the RSA algorithm

Source: https://crocs.fi.muni.cz/public/papers/rsa_ccs17
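The key test linked above works because the flaw is in how the library chose its primes, not in RSA itself. The following is an added example, not code from the deck and not the ROCA researchers' tool: the affected library generated primes of the form k*M + (65537^a mod M), where M is the product of the first n small primes (n grows with key size), so the modulus N is congruent, modulo every prime p dividing M, to some power of 65537. A normally generated modulus satisfies that for all p at once only by chance. The check below computes the subgroup generated by 65537 modulo each small prime and tests N against it; to exercise it offline it also constructs a deliberately weak modulus of that shape. The 12-prime M and 64-bit primes are constructed for speed (with this small M roughly one in 480 ordinary moduli would still match, which is why the real test uses far more primes), and no factoring is attempted.

```python
"""ROCA-style fingerprint check for RSA public moduli.

Added example, not from the MS-ISAC deck and not the ROCA researchers' tool.
The 12-prime M and the 64-bit primes below are constructed for illustration;
the affected library used much larger primorials chosen by key size.
"""
import random
from math import prod

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
GENERATOR = 65537
M = prod(SMALL_PRIMES)   # 7420738134810; the real library uses a far larger primorial


def subgroup_mod(p):
    """Residues 65537^a mod p, the only values a ROCA-form prime can take mod p."""
    members, x = set(), 1
    while True:
        x = x * GENERATOR % p
        members.add(x)
        if x == 1:
            return members


def has_roca_fingerprint(n, primes=SMALL_PRIMES):
    """True if N mod p lies in the subgroup generated by 65537 for every checked p."""
    return all(n % p in subgroup_mod(p) for p in primes)


def is_probable_prime(n):
    """Miller-Rabin with the first 12 prime bases, deterministic for n below 3.3e24."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_form_prime(bits, rng):
    """A prime of the affected library's shape, k*M + (65537^a mod M)."""
    k_bits = bits - M.bit_length()
    while True:
        a = rng.randrange(1, 1 << 20)
        k = rng.randrange(1 << (k_bits - 1), 1 << k_bits)
        candidate = k * M + pow(GENERATOR, a, M)
        if is_probable_prime(candidate):
            return candidate


def roca_form_modulus(bits=128, rng=None):
    """N = p*q with both primes of ROCA form: a constructed weak key for testing."""
    rng = rng or random.Random(2017)
    p = roca_form_prime(bits // 2, rng)
    q = roca_form_prime(bits // 2, rng)
    while q == p:
        q = roca_form_prime(bits // 2, rng)
    return p * q


if __name__ == "__main__":
    weak = roca_form_modulus()
    print("constructed ROCA-form modulus flagged:", has_roca_fingerprint(weak))
    print("ordinary modulus 101*103 flagged:     ", has_roca_fingerprint(101 * 103))
```

Because the fingerprint needs only the public modulus, the same check can be run over a certificate store or a fleet's SSH host keys to find keys that need replacing, which is the remediation the slide's key-test link supports.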

What Can You Do?

Low Hanging Fruit!
a. Designate someone to be responsible
b. Set expectations
c. Get your domain

1. PATCH!
2. Use defensive software
3. Back-up
4. Train users
5. Enforce password standards
6. Share intelligence
7. Work with the MS-ISAC

Share Information

• Be prepared
  − Learn from others’ best practices
  − Gather intel to help you be proactive
• Be willing to ask for help
  − Identify other resources to augment what you are doing
• Be a part of the solution
  − Take part in information sharing

24x7 Security Operations Center
Central location to report any cybersecurity incidents

• Support:
  – Network Monitoring Services
  – Research and Analysis
  – Incident Response
• Analysis:
  – Threats & Trends
  – Vulnerabilities
  – Attacks & TTPs
  – Cyber Threat Actor Activity
• Reporting:
  – Cyber Alerts & Advisories
  – IP & Domain Monitoring
  – Automated Indicator Sharing
  – Strategic Intelligence

To report an incident or request assistance:
Phone: 1-866-787-4722
Email: soc@msisac.org

Monitoring of IP Range & Domain Space

IP Monitoring
• IPs connecting to malicious C2s
• Compromised IPs
• Indicators of compromise from the MS-ISAC network monitoring (Albert)
• Notifications from Spamhaus

Domain Monitoring
• Notifications on compromised user credentials, open source and third party information
• Vulnerability Management Program (VMP)

Send domains, IP ranges, and contact info to: soc@msisac.org

Who do I call?

To join or get more information: https://learn.cisecurity.org/ms-isac-registration

Security Operations Center (SOC): SOC@msisac.org - 1-866-787-4722

31 Tech Valley Dr., East Greenbush, NY 12061-4134
www.cisecurity.org

Which of the following topic areas matter most to you? (select all that apply)

• The current threat environment
• How different types of attacks work
• New and emerging malicious cyber activity
• Malicious actors and their motivations
• Investigative techniques
• How to protect my agency

Questions?

Stacey Wright, Senior Intelligence Program Manager
Stacey.Wright@cisecurity.org

MS-ISAC 24x7 Security Operations Center
1-866-787-4722
SOC@msisac.org