COMMON DATA BREACHES - MySeminars · 2018-09-18


Transcript of COMMON DATA BREACHES - MySeminars · 2018-09-18

Page 1

COMMON DATA BREACHES: ITS CAUSES AND MITIGATION STRATEGY

Presented by: Krishna Rajagopal, CEO, AKATI Consulting Group

HEALTHCARE CYBERSECURITY EXPERTS

AGENDA

Seminar Agenda

11.20 - 12.20 (Presentation on Security)

WELCOME

Page 2

ABOUT THE SPEAKER

Krishna Rajagopal, from Malaysia.

Industry certifications: various certifications from Microsoft, Cisco, Sun, Adobe, EC-Council, etc.

Consultant to enforcement bodies in Latin America, Africa, Saudi Arabia and the Philippines.

Projects in Asia-Pacific, Europe, the Middle East, the USA and the Caribbean.

WELCOME

Page 3

OBJECTIVES

Provide insight into current efforts and future plans for corporate network security via proactive security.

Provide a helpful perspective on the nature of today's Internet security risk.

Provide guidelines for achieving the goal of rock-solid networks.

Demonstrations of how simple and dangerous hacking really is...

PRESENTATION OUTLINE

PART 1: ANGELS & DEMONS

PART 2: IS THERE ANY HOPE?

PART 3: Q&A

Page 4

PART 1: ANGELS & DEMONS

THIS IS DARTH MAUL

He is a hacker:

Male

Between 14 and 34 years of age

Addicted to computers

No permanent girlfriend

Page 5

IN 2011, MAUL HACKED SONY (SEVERAL TIMES)

MAUL THEN BOUGHT HIMSELF A RANGE ROVER EVOQUE.

SONY

DATA LEAKED: 77 million records

FINANCIAL LOSS: $171 million

Data including passwords and personal details were stored in clear text!

The majority of attacks were SQL injection and DDoS.

Page 6

IN 2012, MAUL HACKED AMAZON & ZAPPOS AND ...

OH, NEVER MIND...

ZAPPOS

DATA LEAKED: 24 million records

FINANCIAL LOSS: N/A

Page 7

IN 2013, MAUL BRIEFLY HACKED US SATELLITES FOR ABOUT 12 MINUTES

HE DIDN'T GET ANYTHING OUT OF IT...

IN 2014, MAUL HACKED AND BROUGHT DOWN THE MT. GOX BITCOIN EXCHANGE

HE SPENT TWO MONTHS IN ARUBA... NOT ALONE, OF COURSE...

Page 8

MT. GOX

DATA LEAKED: 850,000 BTC

FINANCIAL LOSS: $450 million

Mt. Gox was launched in July 2010, and by 2013 was handling 70% of all Bitcoin transactions!

The attack led to the shutdown of Mt. Gox in Feb 2014.

BUT...

In 2015, Maul discovered that one of his girlfriends was cheating on him on a dating site...

This made him angry...

Page 9

IN 2015, MAUL HACKED ASHLEY MADISON

MAUL THEN WENT ON A CRUISE IN THE CARIBBEAN... ALONE...

IN 2017, MAUL CREATED A RANSOMWARE AND WREAKED HAVOC ACROSS THE GLOBE

HE DECIDED TO REWARD HIMSELF WITH A $25M WATCH

Page 10

RANSOMWARE

INFECTED: 200,000 computers

FINANCIAL LOSS: $4 billion

THOSE ARE SMALL COMPANIES, AND THEY'RE NOT FROM FSI OR THE CAPITAL INDUSTRY!

Page 11

Bangladesh Central Bank Heist (FEB 2016)

Five transactions issued by hackers, worth $101 million and withdrawn from a Bangladesh Bank account at the Federal Reserve Bank of New York, succeeded, with $20 million traced to Sri Lanka and $81 million to the Philippines. The New York Fed blocked the remaining thirty transactions, amounting to $850 million, at the request of Bangladesh Bank.

Qatar National Bank Hacked (2016)

1.4 gigabytes of sensitive customer data first appeared online that purportedly includes information on Qatar's royal family!

Page 12

Banco del Austro's SWIFT Network Hacked (MAY 2016)

Over 10 days, hackers used the SWIFT credentials of a bank employee to modify transaction details for at least 12 transfers amounting to over $12 million, which was transferred to accounts in Hong Kong, Dubai, New York and Los Angeles.

ENOUGH! ENOUGH!

Page 13

Far Eastern International Bank - SWIFT again... (2017)

Hackers reportedly last week managed to steal almost $60 million from Far Eastern International Bank in Taiwan by planting backdoors on the bank's servers and through the SWIFT interbank system.

Page 14

I GIVE UP.

BUT C'MON, THESE SECURITY ISSUES DON'T HAPPEN IN OUR COUNTRY / COMPANY...

Page 15

BIGGEST DATA BREACHES 2016 & 2017

WE CAN DO IT!

HEALTHCARE BREACHES 2016 & 2017

WE CAN DO IT!

Page 16

INCIDENT 1

HACKING TEAM, JULY 2015

Page 17

HACKING TEAM

The company, in fact, has "a backdoor" into every customer's software, giving it the ability to suspend it or shut it down, or maybe even sniff something that even customers aren't told about!

To make matters worse, every copy of Hacking Team's Galileo software is watermarked, according to the source, which means Hacking Team, and now everyone with access to this data dump, can find out who operates it and who they're targeting with it.

Hacking Team has even tried to sell to the Vatican! They devised a malicious Bible app to infect religiously minded targets.

Page 18

INCIDENT 2

Page 19

INCIDENT 3

Page 20

ASHLEY MADISON

Page 21

WHO WAS ON IT?

13,000 .MIL AND .GOV ADDRESSES

804 FROM MICROSOFT.COM

313 FROM APPLE.COM

76 FROM BANKOFAMERICA.COM

MOST POPULAR PASSWORDS?

123456, PASSWORD, 12345, QWERTY, 12345678, ASHLEY, ABC123, A**HOLE, F***ME, HUNTER, 696969

• 22 - 15 • 681 -16 • 3,782 - 17. • 4 < 15

Page 22

WHAT'S THE BIG DEAL?

MINISTER JOHN GIBSON

Page 23

CAPT. MICHAEL GORHUM

"I AM SORRY FOR BEING UNFAITHFUL. I KNOW THAT YOU WILL LEAVE ME NOW AND TAKE THE KIDS. I KNOW THAT I WILL BE FIRED FROM MY JOB AT YOUR FATHER'S COMPANY AND THAT MY LIFE AS I KNOW IT IS GOING TO CHANGE DRASTICALLY FOR THE WORSE. SO I'M JUST GOING TO MAKE IT EASY ON YOU. YOU GET EVERYTHING. GOODBYE"

DONALD BRADSHAW

Page 24

LAWYERS IN AMERICA DESCRIBED IT AS 'CHRISTMAS IN SEPTEMBER'

INCIDENT 4

Page 25

INTERNET OF THINGS WILL BE TARGETED AND EXPOSED

The Internet of Things will be safe from technological attacks for now, but attackers will focus on retrieving data from these IoT devices.

But soon, with the Open Interconnect Consortium (OIC) and HomeKit, there will be a shift in this, as common protocols and platforms will emerge, i.e. IoT ransomware. Imagine smart cars held hostage...

MANCHESTER FORT SHOPPING PARK

Page 26

WHO IS THE NEXT TARGET FOR MAUL?

Page 27

WHAT ARE MAUL'S ACTIVITY TRENDS?

Excerpt from the Verizon Data Breach Investigations Report (Verizon Enterprise Solutions, page 10):

Figure 9 dives deeper into the specific varieties of threat actions observed over the last five years. The overall top twenty across the five-year span is listed in successive columns, and the lines connecting columns highlight how each action changes over time. To be honest, concise commentary on this visualization may be impossible. Yes, it's incredibly busy, but it's also incredibly information-dense. Let your eyes adjust and then explore whatever strikes your fancy. As an example, follow RAM scrapers through the years. They start at #5 in 2009, drop way down over the next few years and then shoot up the charts to the #4 spot in 2013. We talk about that resurgence in the POS intrusions section of this report. Literally every item in Figure 9 has a story if you care to look for it. Enjoy.

Figure 9. Top 20 varieties of threat actions over time

[Figure 9 chart: columns for 2009, 2010, 2011, 2012 and 2013 ranking the following threat action varieties (the per-year counts are not recoverable from this transcript): Use of stolen creds [hac], Export data [mal], Phishing [soc], RAM scraper [mal], Backdoor [mal], Use of backdoor or C2 [hac], Spyware/Keylogger [mal], Downloader [mal], Capture stored data [mal], C2 [mal], SQLi [hac], Brute force [hac], Rootkit [mal], Tampering [phy], Disable controls [mal], Password dumper [mal], Privilege abuse [mis], Scan network [mal], Adminware [mal], Footprinting [hac]]

Page 28

HOW DOES MAUL DO IT?

"USUALLY, I JUST FIND ONE DISGRUNTLED EMPLOYEE. JUST ONE."

Page 29

WE ARE THE WEAKEST LINK...

ICLOUD ATTACKED!

The backup email address on my Gmail account is that same .mac email address.

At 4:52 PM, they sent a Gmail password recovery email to the .mac account.

Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone.

At 5:01 PM, they remote wiped my iPad.

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo's, they were then able to gain entry to that as well.

Page 30

PART 2: IS THERE ANY HOPE?

BEFORE AN ATTACK

Page 31

AFTER AN ATTACK

WHAT THE BOARD DOES NOT KNOW ABOUT CYBERSECURITY CAN HURT THEIR BOTTOM LINE...

HOW IS THAT SO?

Page 32

79% OF C-LEVEL EXECUTIVES SAY EXECUTIVE-LEVEL INVOLVEMENT IS NECESSARY TO ACHIEVE EFFECTIVE CYBERSECURITY - PONEMON INSTITUTE

4 OUT OF 10 CFOS SURVEYED SAY THEY ARE THE OWNER OR CO-OWNER OF CYBERSECURITY AT THEIR COMPANIES

74% OF C-LEVEL EXECUTIVES SURVEYED SAID THEIR COMPANY HAD NOT EXPERIENCED A DATA BREACH WHEN IT ACTUALLY HAD

• STRATEGIC RISK
• TRANSACTION RISK
• COMPLIANCE RISK
• REPUTATION RISK
• CYBER RISK
• CREDIT RISK
• INTEREST RATE RISK
• LEGAL RISK
• FOREIGN EXCHANGE RISK

CYBER RISK IS KEY!

Page 33

Excerpt from the Verizon 2015 Data Breach Investigations Report (page 15):

VULNERABILITIES: Do We Need Those Stinking Patches?

Of all the risk factors in the InfoSec domain, vulnerabilities are probably the most discussed, tracked, and assessed over the last 20 years. But how well do we really understand them? Their link to security incidents is clear enough after the fact, but what can we do before the breach to improve vulnerability management programs? These are the questions on our minds as we enter this section, and Risk I/O was kind enough to join us in the search for answers.

Risk I/O started aggregating vulnerability exploit data from its threat feed partners in late 2013. The data set spans 200 million+ successful exploitations across 500+ Common Vulnerabilities and Exposures (CVEs)[11] from over 20,000 enterprises in more than 150 countries. Risk I/O does this by correlating SIEM logs, analyzing them for exploit signatures, and pairing those with vulnerability scans of the same environments to create an aggregated picture of exploited vulnerabilities over time. We focused on mining the patterns in the successful exploits to see if we could figure out ways to prioritize remediation and patching efforts for known vulnerabilities.

'SPLOITIN TO THE OLDIES

In the inaugural DBIR (vintage 2008), we made the following observation: For the overwhelming majority of attacks exploiting known vulnerabilities, the patch had been available for months prior to the breach [and 71% >1 year]. This strongly suggests that a patch deployment strategy focusing on coverage and consistency is far more effective at preventing data breaches than "fire drills" attempting to patch particular systems as soon as patches are released.

We decided to see if the recent and broader exploit data set still backed up that statement. We found that 99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published. Our next step was to focus on the CVEs and look at the age of CVEs exploited in 2014. Figure 10 arranges these CVEs according to their publication date and gives a count of CVEs for each year. Apparently, hackers really do still party like it's 1999. The tally of really old CVEs suggests that any vulnerability management program should include broad coverage of the "oldies but goodies." Just because a CVE gets old doesn't mean it goes out of style with the exploit crowd. And that means that hanging on to that vintage patch collection makes a lot of sense.

99.9% OF THE EXPLOITED VULNERABILITIES WERE COMPROMISED MORE THAN A YEAR AFTER THE CVE WAS PUBLISHED.

[Figure 10 chart: number of published CVEs exploited (axis 10 to 90) by the year the CVE was published, '99 through '14]

Figure 10. Count of exploited CVEs in 2014 by CVE publish date

11 Common Vulnerabilities and Exposures (CVE) is "a dictionary of publicly known information security vulnerabilities and exposures." - cve.mitre.org
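An added example, not part of the deck or of the DBIR, of the prioritisation the excerpt describes: correlate vulnerability scan findings with observed exploitation events and rank patching by exploitation evidence first and CVE age second, so that the "oldies" get coverage instead of fire-drill attention. All CVE ids (CVE-0000-nnnn), hosts and dates are constructed placeholders.

```python
"""Correlate scan findings with observed exploitation and rank patching by
exploitation evidence and CVE age, following the DBIR vulnerability section."""
from collections import Counter
from datetime import date

# Constructed sample data for illustration. The CVE ids below are
# placeholders in CVE-0000-nnnn form, not real identifiers.
CVE_PUBLISHED = {
    "CVE-0000-0001": date(1999, 6, 1),
    "CVE-0000-0002": date(2004, 3, 15),
    "CVE-0000-0003": date(2010, 11, 2),
    "CVE-0000-0004": date(2013, 9, 30),
    "CVE-0000-0005": date(2014, 1, 20),
    "CVE-0000-0006": date(2001, 8, 8),   # old, but never seen exploited
}

# Successful exploitations seen in SIEM data during 2014: (cve_id, date).
EXPLOIT_EVENTS = [
    ("CVE-0000-0001", date(2014, 4, 2)),
    ("CVE-0000-0001", date(2014, 7, 9)),
    ("CVE-0000-0002", date(2014, 5, 11)),
    ("CVE-0000-0003", date(2014, 8, 1)),
    ("CVE-0000-0004", date(2014, 12, 12)),
    ("CVE-0000-0005", date(2014, 2, 3)),   # only 14 days after publication
]

# Open findings from our own vulnerability scans: (host, cve_id).
SCAN_FINDINGS = [
    ("web-01", "CVE-0000-0001"),
    ("web-01", "CVE-0000-0004"),
    ("db-01", "CVE-0000-0002"),
    ("db-01", "CVE-0000-0005"),
    ("db-01", "CVE-0000-0006"),
    ("file-02", "CVE-0000-0003"),
    ("file-02", "CVE-0000-0001"),
]

AS_OF = date(2015, 1, 1)   # reference date for CVE age


def share_exploited_after(events, published, min_days=365):
    """Fraction of exploit events that hit a CVE published more than min_days
    earlier (the DBIR's 99.9% figure is this ratio at one year)."""
    old = sum(1 for cve, when in events if (when - published[cve]).days > min_days)
    return old / len(events)


def exploited_cves_by_publish_year(events, published):
    """Figure 10-style tally: distinct exploited CVEs per publication year."""
    seen = {cve for cve, _ in events}
    return dict(Counter(published[cve].year for cve in seen))


def remediation_plan(findings, events, published, as_of):
    """Rank open findings for patching: CVEs with observed exploitation first,
    then the oldest CVE first (coverage of the 'oldies'), then by host count.
    Returns a list of dicts, most urgent first."""
    hits = Counter(cve for cve, _ in events)
    hosts_by_cve = {}
    for host, cve in findings:
        hosts_by_cve.setdefault(cve, set()).add(host)
    rows = [
        {
            "cve": cve,
            "hosts": sorted(hosts),
            "exploit_events": hits.get(cve, 0),
            "age_days": (as_of - published[cve]).days,
        }
        for cve, hosts in hosts_by_cve.items()
    ]
    # False sorts before True, so exploited CVEs come first; then oldest, then widest.
    rows.sort(key=lambda r: (r["exploit_events"] == 0, -r["age_days"], -len(r["hosts"])))
    return rows


if __name__ == "__main__":
    share = share_exploited_after(EXPLOIT_EVENTS, CVE_PUBLISHED)
    print(f"exploited >1 year after publication: {share:.1%}")
    print("exploited CVEs by publish year:", exploited_cves_by_publish_year(EXPLOIT_EVENTS, CVE_PUBLISHED))
    for row in remediation_plan(SCAN_FINDINGS, EXPLOIT_EVENTS, CVE_PUBLISHED, AS_OF):
        print(row["cve"], row["exploit_events"], row["age_days"], row["hosts"])
```

With the constructed data, five of six exploit events hit CVEs older than a year, and the unexploited 2001 CVE drops to the bottom of the plan despite its age.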

Excerpt from the Verizon Data Breach Investigations Report (Verizon Enterprise Solutions, page 22):

to detect. In contrast, the prolific amount of malware hitting education institutions could be the byproduct of less-strict policies and controls, or a sign that Education users are easy pickings for high-volume opportunistic threats.

One other thing it means is that just because you haven’t seen similar spikes doesn’t mean you won’t. Make sure incident response plans include measures to handle a malware flood as well as a trickle.

The takeaway here is that while we’ve provided a baseline view of malware threat-event frequency, you should be capturing this data in your own environment, using it to understand how this overview compares to your own organization, and analyzing how your organization’s own view changes over time.

YOU’RE ABSOLUTELY UNIQUE—JUST LIKE EVERYONE ELSE

With volume and velocity out of the way, it’s time to turn our attention to the amount of variation (or uniqueness) across malware picked up by our contributors. Consistent with some other recent vendor reports, we found that 70 to 90% (depending on the source and organization) of malware samples are unique to a single organization.

We use “unique” here from a signature/hash perspective; when compared byte-to-byte with all other known malware, there’s no exact match. That’s not to say that what the malware does is also distinct. Criminals haven’t been blind to the signature- and hash-matching techniques used by anti-virus (AV) products to detect malware. In response, they use many techniques that introduce simple modifications into the code so that the hash is unique, yet it exhibits the same desired behavior. The result is often millions of “different” samples of the “same” malicious program.

This is more than just the malware analyst form of omphaloskepsis (look it up). It has real-world consequences, which basically boil down to “AV is dead.” Except it’s not really. Various forms of AV, from gateway to host, are still alive and quarantining nasty stuff every day. “Signatures alone are dead” is a much more appropriate mantra that reinforces the need for smarter and adaptive approaches to combating today’s highly varied malware.

There’s another lesson here worth stating: Receiving a never-before-seen piece of malware doesn’t mean it was an “advanced” or “targeted” attack. It’s kinda cool to think they handcrafted a highly custom program just for you, but it’s just not true. Get over it and get ready for it. Special snowflakes fall on every backyard.

TAKE A WALK ON THE WILDLIST[24]

We managed to borrow a Wayback machine to take a trip to 4 BD (before DBIR) to pluck some research wisdom from one of our elder researchers. Specifically, we wanted to compare one of his findings from yesteryear against the current malware climate to see how much (or little) has changed.

The observation was that back in 2005, "just seven families represented about 70% of all malcode activity." (For those interested, those were Mytob, Netsky, Zafi, Sober, Lovgate, Mydoom, and Bagle.) Fast-forward to 2014, and our analysis of the data from our network malware defense partners suggests that should be updated to read, "20 families represented about 70% of all malware activity."[25] (Today's "sinister seven" are zbot, rerdom, zeroaccess, andromeda, expiro, asprox, gamaru, and sality.)

The key differences between the malcode of 2005 and malware of 2014 are that the older viruses were noisy e-mail worms with varying backdoor capabilities, whereas the common components of the 2014 "top seven" involve stealthy command-and-control botnet membership, credential theft, and some form of fraud (clickfraud or bitcoin mining). Alas, those were simpler times back in 2005.

70–90% OF MALWARE SAMPLES ARE UNIQUE TO AN ORGANIZATION.

24 The 2005 analyses mostly came from data in the WildList, an effort started by Joe Wells and Sarah Gordon to maintain a list of malicious binaries that are active "in the field" for use by researchers and defenders. If that wave of nostalgia hit you as hard as it did us, you may be surprised and pleased to learn that the project is still active: wildlist.org/CurrentList.txt.

25 Where the actual family name could be discerned. Attribution is further made difficult due to the nonstandard signature naming conventions between vendors and the fact that some vendors, like FireEye, are able to catch malicious code behaviorally but are not always able to classify it precisely. Perhaps y'all could at least standardize on/a.SEParator and field-order pattern before next year's report?

[Figure: number of malware events per week, January to January, in three panels. Retail, average malware events: 801; Utilities, average malware events: 772; Education, average malware events: 2,332]

Excerpt from the Verizon Data Breach Investigations Report (Verizon Enterprise Solutions, page 6):

BREACH DISCOVERY

Figure 5 offers a new twist on one of our favorite charts from the 2014 DBIR. It contrasts how often attackers are able to compromise a victim in days or less (orange line) with how often defenders detect compromises within that same time frame (teal line). Unfortunately, the proportion of breaches discovered within days still falls well below that of time to compromise. Even worse, the two lines are diverging over the last decade, indicating a growing "detection deficit" between attackers and defenders. We think it highlights one of the primary challenges to the security industry.

If you're desperate for good news, you'll be happy to see that 2014 boasts the smallest deficit ever recorded and the trend lines appear a bit more parallel than divergent. We'll see if that's a trick or a budding trend next year.

[Figure 5 chart: percentage of cases where "days or less" applies, 2004 to 2014, two lines: Time to Compromise and Time to Discover]

Figure 5. The defender-detection deficit

IN 60% OF CASES, ATTACKERS ARE ABLE TO COMPROMISE AN ORGANIZATION WITHIN MINUTES.

Excerpt from the Verizon 2015 Data Breach Investigations Report (page 11):

Based on attacks observed by RiskAnalytics during 2014, 75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours). Over 40% hit the second organization in less than an hour. That puts quite a bit of pressure on us as a community to collect, vet, and distribute indicator-based intelligence very quickly in order to maximize our collective preparedness.

BEST WHEN USED BY…

Let’s say, for the sake of argument, that we share indicators quickly enough to help subsequent potential victims. The next thing we need to know is how long we can expect those indicators to remain valid (malicious, active, and worthy of alerting/blocking). We return to the RiskAnalytics data set to study that important question.

Figure 8 shows how long most IP addresses were on the block/alert list. We split the view up into Niddel’s inbound and outbound categories to see if that made a difference in longevity. While some hang around for a while (we restricted the graphic to seven days, but both charts have a fairly long tail), most don’t last even a day. Unfortunately, the data doesn’t tell us why they are so short-lived, but these findings track well with Niddel’s “cumulative uniqueness” observations.

Ultimately, the data speaks to a need for urgency: The faster you share, the more you (theoretically) will stop. This is just one data source, though, and one that is geared toward threats of a more opportunistic, high-volume, and volatile nature (e.g., brute forcing, web app exploits, etc.) rather than more “low and slow” targeted attacks. To test whether these findings apply more broadly, we’d be happy to incorporate data from a wider range of willing participants next year. In the meantime, we encourage others who have such data to share it. Only when we measure our intelligence systems will we know what they’re really doing for us and how we can improve them.

But the overall takeaway would appear to be valid regardless: We need to close the gap between sharing speed and attack speed.

CHOOSE THE WELL OVER THE FIRE HOSE

Ultimately, what is presented here is good news (organizations are indeed sharing). However, we’d like to recommend that if you do produce threat intel, focus on quality as a priority over quantity. Where an opportunity for detection presents itself, seize it in the way that offers the greatest longevity for your efforts. Certainly, anything that leads to the discovery of an incident is worthwhile, but in most cases, context is key. Those consuming threat intelligence, let it be known: An atomic indicator has a life of its own that may not be shared with another. Focus less on being led to water and work on characterizing where the well resides. Expect more out of your communities, and where possible, reciprocating context enables a wider audience to make additional determinations that enable a broader defensive capability.

[Figure 8 chart: count of indicators by days on list, 1 to 7 days, split into inbound and outbound]

Figure 8. Count of indicators by days observed in at least one feed
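An added example, not from the deck or the DBIR, of the measurement Figure 8 reports, generalised into an expiry policy: count the distinct days each indicator appears in at least one feed, bucket the long tail as the chart does, and only alert on indicators last seen within a time-to-live. Feed names, IP addresses (documentation ranges) and dates are constructed.

```python
"""Measure indicator longevity (days on list) across feeds and derive a
time-to-live for alerting, following the DBIR Figure 8 discussion."""
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed feed observations: (indicator, feed, date_observed). The IPs
# are documentation-range placeholders, not real indicators.
OBSERVATIONS = [
    ("192.0.2.10", "feed-a", date(2014, 3, 1)),
    ("192.0.2.10", "feed-b", date(2014, 3, 1)),   # two feeds, same day: still one day on list
    ("192.0.2.11", "feed-a", date(2014, 3, 1)),
    ("192.0.2.11", "feed-a", date(2014, 3, 2)),
    ("192.0.2.11", "feed-a", date(2014, 3, 3)),
    ("198.51.100.7", "feed-b", date(2014, 3, 2)),
    ("198.51.100.7", "feed-b", date(2014, 3, 9)),   # re-listed a week later
    ("203.0.113.5", "feed-a", date(2014, 3, 4)),
] + [
    # one long-tail indicator listed every day for nine days
    ("203.0.113.6", "feed-b", date(2014, 3, 1) + timedelta(days=i)) for i in range(9)
]

AS_OF = date(2014, 3, 10)   # the day we evaluate the list


def days_on_list(observations):
    """Distinct calendar days on which each indicator appeared in at least one feed."""
    days = defaultdict(set)
    for indicator, _feed, seen in observations:
        days[indicator].add(seen)
    return {indicator: len(d) for indicator, d in days.items()}


def longevity_histogram(observations, cap=7):
    """Figure 8-style view: number of indicators per days-on-list value, with
    the long tail folded into the last bucket (the DBIR cut its chart at 7 days)."""
    hist = Counter()
    for n in days_on_list(observations).values():
        hist[min(n, cap)] += 1
    return dict(hist)


def active_indicators(observations, as_of, ttl_days):
    """Indicators still worth alerting on: last seen within ttl_days of as_of.
    A short TTL follows from the finding that most indicators do not last a
    day; anything older is better kept as context than blocked outright."""
    last_seen = {}
    for indicator, _feed, seen in observations:
        if indicator not in last_seen or seen > last_seen[indicator]:
            last_seen[indicator] = seen
    cutoff = as_of - timedelta(days=ttl_days)
    return sorted(i for i, seen in last_seen.items() if seen >= cutoff)


if __name__ == "__main__":
    print("days on list:", days_on_list(OBSERVATIONS))
    print("histogram:", longevity_histogram(OBSERVATIONS))
    print("alert on (1-day TTL):", active_indicators(OBSERVATIONS, AS_OF, 1))
    print("alert on (7-day TTL):", active_indicators(OBSERVATIONS, AS_OF, 7))
```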

Excerpt from the Verizon Data Breach Investigations Report (Verizon Enterprise Solutions, page 24):

INDUSTRY PROFILES: Raising the Stakes with Some Takes on NAICS

Figure 19 from the 2014 DBIR presented the frequency of incident patterns across the various industry verticals. The major takeaway was that different industries exhibit substantially different threat profiles and therefore cannot possibly have the same remediation priorities. That may be a rather "no duh" finding, but keep in mind most security standards treat all requirements as equal stepping stones on a path to 100% compliance. Past reports have emphasized that with security, there is no "one size fits all" approach. It is our fervent hope that that data sowed some seeds of change, and this year we'd like to help grow that crop a bit more.

Whereas last year's report asked "Do all organizations share similar threat profiles?", we now want to explore what we believe to be a much better question: "Which industries exhibit similar threat profiles?" Just as our nine patterns helped to simplify a complex issue last year, we believe that answering this question can help clarify the "so what?" question for different verticals. Figure 19 measures and provides, at least in part, the answer to that question.[28]

[Figure 19 chart: clustering on breach data across industries, plotted by three-digit NAICS code and coloured by sector: Accommodation, Administrative, Educational, Entertainment, Financial Services, Healthcare, Information, Management, Manufacturing, Mining, Other Services, Professional, Public, Real Estate, Retail, Trade, Transportation, Utilities]

Figure 19. Clustering on breach data across industries

28 To look up the three-digit NAICS codes, visit: census.gov/eos/www/naics/index.html

Excerpt from the Verizon 2015 Data Breach Investigations Report (page 13):

ONE PHISH, TWO PHISH

In previous years, we saw phishing messages come and go and reported that the overall effectiveness of phishing campaigns was between 10 and 20%. This year, we noted that some of these stats went higher, with 23% of recipients now opening phishing messages and 11% clicking on attachments. Some stats were lower, though, with a slight decline in users actually going to phishing sites and giving up passwords.

Now, these messages are rarely sent in isolation—with some arriving faster than others. Many are sent as part of a slow and steady campaign.[9] The numbers again show that a campaign of just 10 e-mails yields a greater than 90% chance that at least one person will become the criminal's prey, and it's bag it, tag it, sell it to the butcher (or phishmonger) in the store.

How long does an attacker have to wait to get that foot in the door? We aggregated the results of over 150,000 e-mails sent as part of sanctioned tests by two of our security awareness partners and measured how much time had passed from when the message was sent to when the recipient opened it, and if they were influenced to click or provide data (where the real damage is done). The data showed that nearly 50% of users open e-mails and click on phishing links within the first hour.


How long do you suppose you have until the first message in the campaign is clicked? Not long at all, with the median time to first click coming in at one minute, 22 seconds across all campaigns. With users taking the bait this quickly, the hard reality is that you don’t have time on your side when it comes to detecting and reacting to phishing events.
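To make the arithmetic behind these figures concrete, here is an added example (not code from the slide deck or the DBIR): it computes the probability that a campaign of n messages draws at least one click from a per-recipient rate, the campaign size needed for a given confidence, and the send-to-click delay statistics the report measured, over constructed test timestamps.

```python
"""Phishing-campaign arithmetic for the DBIR figures quoted above (added example,
not code from the slide deck or the report; the timestamps below are constructed)."""
import math
from datetime import datetime
from statistics import median

def p_at_least_one(click_rate: float, recipients: int) -> float:
    """P(at least one of `recipients` acts) if each clicks independently at click_rate."""
    if not 0.0 <= click_rate <= 1.0 or recipients < 0:
        raise ValueError("click_rate must be a probability, recipients >= 0")
    return 1.0 - (1.0 - click_rate) ** recipients

def recipients_for_confidence(click_rate: float, target: float) -> int:
    """Smallest campaign size whose probability of at least one click reaches target."""
    if not 0.0 < click_rate <= 1.0 or not 0.0 <= target < 1.0:
        raise ValueError("need 0 < click_rate <= 1 and 0 <= target < 1")
    if click_rate == 1.0:
        return 1
    # Solve 1 - (1 - p)^n >= target for n, rounded up to a whole recipient.
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - click_rate))

# Constructed sanctioned-test records: (message sent, recipient clicked), same timezone.
SAMPLE_EVENTS = [
    ("2015-03-02T09:00:00", "2015-03-02T09:01:05"),
    ("2015-03-02T09:00:00", "2015-03-02T09:02:40"),
    ("2015-03-02T09:00:00", "2015-03-02T09:31:12"),
    ("2015-03-02T09:00:00", "2015-03-02T12:45:00"),
    ("2015-03-02T09:00:00", "2015-03-03T08:10:00"),
]

def click_delays_seconds(events) -> list:
    """Seconds from each message being sent to its link being clicked."""
    return [(datetime.fromisoformat(c) - datetime.fromisoformat(s)).total_seconds()
            for s, c in events]

def median_time_to_click(events) -> float:
    """The report's headline statistic: median send-to-click delay."""
    return median(click_delays_seconds(events))

def share_within(events, window_seconds: int = 3600) -> float:
    """Fraction of clicks inside the detection window (report: ~50% within an hour)."""
    delays = click_delays_seconds(events)
    return sum(1 for d in delays if d <= window_seconds) / len(delays)
```

With the report's 23% open rate, ten messages give a 92.7% chance of at least one victim, and nine already clear the 90% mark.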

THERE ARE PLENTY OF PHISH IN THE SEA

We looked at organization demographics to see if one department or user group was more likely than another to fall victim to phishing attacks. Departments such as Communications, Legal, and Customer Service were far more likely to actually open an e-mail than all other departments. Then again, opening e-mail is a central, often mandatory component of their jobs.

When we studied how many people actually clicked a link after they opened the e-mail, we found a great deal of overlap in the confidence intervals for each department…which is a fancy way of saying that we can’t say there’s a statistical difference between these departments.

9 Unless we’re talking about a very targeted spear-phishing campaign.

10 apwg.org/resources/apwg-reports


Figure 9. APWG sites and domains per month since 2012

DOING MORE WITH LESS

The payload for these phishing messages has to come from somewhere. Data from the Anti-Phishing Working Group (APWG)10 suggests that the infrastructure being used is quite extensive (over 9,000 domains and nearly 50,000 phishing URLs tracked each month across the Group’s members). The charts in Figure 9 also show that the attackers have finally learned a thing or two from the bounty of their enterprise breaches and may even have adopted a Lean Six Sigma approach to optimize operations.

[Figure 9 chart panels: Unique Domains (count, 0 to 15,000) and Unique Sites (count, 0 to 60,000) per month, May 2012 to May 2014]

WHAT THE HACK ?

Motivation and decision to act : financial gain; politics; harass or embarrass, etc.

Determine objective : steal data; destroy data; manipulate data

Select avenue of approach : network (website, email); insider; supply chain

Acquire capability : build; hire; use existing capability

Develop access : insider; compromise supply chain; SQL injection; spear phishing

Implement actions : establish presence on target; move laterally on network; steal data; destroy data; manipulate data; cover tracks

Assess : were actions successful? were actions sufficient? were objectives satisfied? (yes / no)

Restrike

Lockheed Martin’s Cyber Kill Chain Methodology for Cyber Attackers

SOURCE : AKATI CONSULTING - HACKER MODUS OPERANDI

33

Page 34

SOLUTION ?

SOURCE : AKATI CONSULTING - CYBERSECURITY TACTICAL ASSESSMENT SERVICE

Intrusion Kill Chain

Reconnaissance : Research, identification and selection of targets, often represented as crawling Internet websites such as conference proceedings and mailing lists for email addresses, social relationships, or information on specific technologies.

Weaponization : Coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer). Increasingly, client application data files such as Adobe PDF or Microsoft Office documents serve as the weaponized deliverable.

Delivery : Transmission of the weapon to the targeted environment using vectors like email attachments, websites, and USB removable media.

Exploitation : After the weapon is delivered to the victim host, exploitation triggers the intruders’ code. Most often, exploitation targets an application or operating system vulnerability.

Installation : Installation of a remote access Trojan or backdoor on the victim’s system allows the adversary to maintain persistence inside the environment.

Command & Control (C2) : Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C2 channel.

Action on Objectives : Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically this objective is data exfiltration, which involves collecting, encrypting and extracting information from the victim’s environment.

Campaign Analysis – Tools, Techniques and Procedures : leverage, discover and analyze atomic, computed and behavioral indicators.

Courses of action : Detect, Deny, Disrupt, Degrade, Deceive, Destroy
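The C2 phase gives the defender something measurable: a compromised host that beacons outbound tends to do so at machine-regular intervals. As an added example (not code from the slide deck or Lockheed Martin), the following scores each source/destination pair in constructed connection-log lines for near-constant spacing; the log format, the five-connection minimum and the 10% coefficient-of-variation threshold are assumptions.

```python
"""Spotting the outbound C2 beaconing named in the kill chain above (added example, not
code from the slide deck or Lockheed Martin; the log format and thresholds are assumed)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines "<ISO time> <src> -> <dst>:<port>": 10.0.0.7 beacons every ~5 min, 10.0.0.8 is bursty.
SAMPLE_LOG = """\
2015-07-06T10:00:00 10.0.0.7 -> 203.0.113.9:443
2015-07-06T10:05:01 10.0.0.7 -> 203.0.113.9:443
2015-07-06T10:09:58 10.0.0.7 -> 203.0.113.9:443
2015-07-06T10:15:03 10.0.0.7 -> 203.0.113.9:443
2015-07-06T10:19:59 10.0.0.7 -> 203.0.113.9:443
2015-07-06T10:25:00 10.0.0.7 -> 203.0.113.9:443
2015-07-06T10:00:12 10.0.0.8 -> 198.51.100.4:443
2015-07-06T10:00:15 10.0.0.8 -> 198.51.100.4:443
2015-07-06T10:47:30 10.0.0.8 -> 198.51.100.4:443
2015-07-06T11:02:05 10.0.0.8 -> 198.51.100.4:443
2015-07-06T11:02:07 10.0.0.8 -> 198.51.100.4:443
"""

def parse_flows(log_text: str) -> dict:
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, _arrow, dst = line.split()
            flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def timing_profile(times):
    """(mean gap, coefficient of variation) of inter-connection gaps, or None if < 3 gaps."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    return (avg, pstdev(gaps) / avg) if avg > 0 else None

def find_beacons(log_text: str, min_connections: int = 5, max_cv: float = 0.1) -> list:
    """Flag pairs with enough connections and near-constant spacing (CV close to 0)."""
    hits = []
    for (src, dst), times in parse_flows(log_text).items():
        if len(times) < min_connections:
            continue
        profile = timing_profile(times)
        if profile and profile[1] <= max_cv:
            hits.append({"src": src, "dst": dst, "period_s": round(profile[0]), "cv": round(profile[1], 3)})
    return hits
```

Many implants randomize their interval, so in practice the CV threshold is tuned against a baseline of known-good traffic rather than fixed.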

Red Team Methodology

Blue Team Methodology

PHASE 1 : EXTERNAL THREATS - EXTERNAL PEN TEST

PHASE 2 : INTERNAL THREATS - INTERNAL PEN TEST

PHASE 3 : PEOPLE THREATS - AWARENESS , SIMULATION

34

Page 35

“My computer has antivirus software. That means I’m protected, right?”

“I don’t need to worry about computer security—I’m not in office right now.”

“I trust my colleagues—why shouldn’t I share my password with them?”

“I have a brand new computer. Do I really need to install updates?”

“I watch streaming movies online instead of downloading them. So, I’m safe… right?”

DO THESE SOUND FAMILIAR ?


Put A Lock On Your Password — Keep It A Secret !

Make it long, make it strong

Never reveal it to anyone

Use a Password Manager / Token

SECURE YOUR PASSWORDS

35

Page 36


Guard Against Computer Bugs — Use Protective Software

Host firewalls are pre-installed & available on machines running Windows, Linux, and Mac OS X. Be sure they’re turned on and configured correctly!

Use anti-virus, anti-malware and a firewall or security suite that includes all three. This is like keeping your doors and windows locked at home.

STOP MALWARE !


Keep Your Computer Up To Speed — Install Software Updates

Get the latest software updates : Keep your applications and operating system sharp and healthy

Make regular backups !

KEEP YOUR TOOLS SHARP !

36

Page 37


Stay Aware On The Internet — It Can Keep You Safe !

Cyber criminals like Maul make sites look legitimate to steal your information or spread malware to your computer or mobile device without you even knowing.

Browse the internet safely : Make your browser safe and avoid dodgy websites

NEVER EVER CLICK A LINK IN AN EMAIL

BE SAFE !

WHAT ABOUT CORPORATE NETWORKS ?

37

Page 38

DEFENSE IN DEPTH

SOURCE : IT@Intel White Paper, Defense in Depth Strategy Optimizes Security (www.intel.com/IT, p. 5)

Our strategy evolved as we established our IT information risk and security organization, building on information warfare theory and venerable security approaches. We took the mature IT security model of prevention, detection, and response, and added a fourth key element: prediction.

The addition of prediction creates the continually evolving structure that is necessary to adapt to the fluid nature of information security threats. Prediction gives us insights into the most likely threats, methods, and targets, which allow us to efficiently focus resources in the prevention, detection, and response areas. Conversely, learnings in these areas feed back into the prediction teams to promote better assessments, forming a continual performance improvement loop as shown in Figure 1.

Our strategy enables us to reduce the risk of losses as well as the associated cost. The earlier we can interdict a threat, the more we reduce the potential loss. The cost of predicting or preventing an attack is a fraction of the cost of responding to a successful attack, as shown in Figure 2.

Prediction

Prediction is an invaluable first step in the efficient use of security resources. Although the truly paranoid may disagree, not everyone

Solution

Over the past six years, Intel IT has evolved a defense in depth strategy to meet these challenges. Our strategy has been proven to work over time in many different security disciplines. We have found that this strategy is highly effective at providing overall security assurance, as well as establishing cost-effective, scalable, and adaptive programs that keep pace with changing threats.

Prevention : Securing the computing environment with current tools, patches, updates, and best-known methods in a timely manner. Represents the bulk of cost-effective security capabilities and facilitates better Detection.

Prediction : Proactively seeks to identify attackers, their objectives, and their methods prior to materialization of viable attacks. Enables and maximizes Prevention activities.

Detection : Visibility to key areas and activities. Effective monitoring to identify issues, breaches, and attacks. Drives immediate interdiction by Response capabilities.

Response : Efficient management of efforts to contain, repair, and recover as needed to return the environment to normal operations. Reduces losses by rapidly addressing issues and feeds intelligence into Prediction and Prevention areas.

Figure 1. Intel IT’s defense in depth strategy provides a performance improvement loop that helps improve our security strategy.

38

Page 39

LET’S TALK ABOUT YOU & ME ..

HUMAN VULNERABILITY IS NATURAL

39

Page 40

• FIREWALLS ARE NOT ENOUGH

• SECURITY AWARENESS EDUCATION SOMETIMES FAILS MISERABLY

• POSTERS DON’T WORK

• COMPLIANCE HAS US RACING TO THE BOTTOM

PART 3 : Q & A ?

40

Page 41

FOR MORE INFO, VISIT OUR BLOG : www.akati.com/warlock

And while you're there sign up for our FREE security advisory services !

THANKS FOR LISTENING ! THANK YOU

41