Cyber Security: The business case for Dynamic Risk Assessment (transcript of slides)
Sydney Head Office – Level 8, 59 Goulburn Street, Sydney NSW 2000
Melbourne Office – Level 15, 401 Docklands Drive, Docklands VIC 3008
ABN 14 098 237 908
1300 922 923 NATIONAL
+61 (2) 9290 4444 SYDNEY
+61 (3) 8376 9410 MELBOURNE
The business case for Dynamic Risk Assessment
Presented by Murray Goldschmidt, Chief Operating Officer
RMIA Conference 2019, 14-Nov-19
Cyber Security
Agenda
13-Nov-19 © Sense of Security Pty Ltd 2019 2
1. Cyber Security Risk Assessments – What info is the board getting vs needing?
2. Cyber Security Risk Assessments – What type?
3. Welcome to Dynamic Risk Assessments
4. Case Study – Critical Infrastructure DRA
Risk Assessments – What are the obligations of the board?
• Visibility
• Make informed decisions about the direction of the business.
• Shareholder value
Cyber Risk Assessments
https://www.logicmanager.com/erm-software/2017/09/13/equifax-data-breach-point-of-no-return/
https://www.gao.gov/assets/700/694158.pdf
Configuration Mgt Among a Litany of Other Problems
Implication, Context & Understanding (ICU)
• Need to understand technical risks
• Which need technical controls
• Which need to be validated
• In the context in which you run your business
How could they (you) be better prepared to address cyber security issues through risk assessment & risk management?
Enter Dynamic Risk Assessments (Cyber)
Multi Dimensional
• Profile the organisation (extensively)
• Identify attack vectors
• Determine susceptibility to vectors
• Understand Stimulus & Response
• Feedback, review, change approach, on the fly
• Provide the most relevant info to the business to manage risk for your CONTEXT
Management & Board Questions
• Aggregation of risks
• Relationship between risk types
• Impact to overall risk
• Do we have a complete understanding of our risks?
• What about emerging threats that weren't previously considered?
• How quickly can we respond?
• Can we contain the impact to the business?
Problems with Traditional Risk Assessment
But we hired a security guard!
Risk correlation? Cumulative risk? Linear vs Interconnected Risks
Case Study – Dynamic Risk Assessment: owner & operator of a critical infrastructure
https://www.gao.gov/assets/700/694158.pdf
Segmentation? Rate Limiting?
Identification?
Detection?
Goal Oriented Risk Assessment
1. Gain access to the network
2. Compromise the Microsoft Active Directory domain
3. Locate, access and exfiltrate the primary datasets
4. Gain access to the main Transport Layer Security (TLS) keys responsible for various encryption functions
5. Compromise isolated systems responsible for delivering critical services
The Approach – Dynamic Risk Assessment
• Reconnaissance
• Attack ==> Persistence
• Goal
Reconnaissance phase
Enumerate the external perimeter as much as possible (IP space, DNS records, exposed services, technologies in play, SaaS/PaaS etc)
Perform intelligence gathering on as many employees as possible
Identify possible WiFi networks used by the client.
Perform physical reconnaissance of the corporate offices and identify entry points for gaining entry
Good Old O365 Defaults …..
An attacker successfully guesses a correct password using a password spraying technique against an externally exposed Outlook Web Application interface:
The attacker attempts to log in to the organisation's Office 365 instances with the newly compromised credentials but is greeted with a prompt for multi-factor authentication:
Not to be deterred, the attacker attempts to add the account via a local copy of Outlook.
However, the attacker is also prompted to confirm his/her identity via MFA:
Luckily for the attacker, the Office 365 administrator has not correctly configured security permissions for local Outlook applications, which means the attacker can add an MFA source of their choosing:
The attacker then receives the MFA code and can proceed with adding the mailbox to their local Outlook instance:
After Outlook is restarted, the attacker now has the new mailbox added to their local application.
The attacker can now access the organisation's Office 365 applications and services, all while using their newly created MFA method:
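The two events in the story above, a spray of many accounts from one source followed by a new MFA method being registered on the account that was guessed, written as detection logic over constructed sample sign-in events. This is an added example, not material from the deck; the event names, field layout and thresholds are assumptions, not a real Microsoft sign-in or audit log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed layout, not a real Microsoft schema):
# (timestamp, source_ip, user, event, result)
SAMPLE_LOG = [
    ("2019-11-13T09:00:01", "203.0.113.10", "alice", "signin", "fail"),
    ("2019-11-13T09:00:03", "203.0.113.10", "bob", "signin", "fail"),
    ("2019-11-13T09:00:05", "203.0.113.10", "carol", "signin", "fail"),
    ("2019-11-13T09:00:07", "203.0.113.10", "dave", "signin", "fail"),
    ("2019-11-13T09:00:09", "203.0.113.10", "erin", "signin", "success"),
    ("2019-11-13T09:12:40", "203.0.113.10", "erin", "mfa_method_added", "success"),
    ("2019-11-13T09:30:00", "198.51.100.7", "frank", "signin", "fail"),
    ("2019-11-13T09:30:20", "198.51.100.7", "frank", "signin", "success"),
]

SPRAY_WINDOW = timedelta(minutes=10)  # window in which distinct failed users per IP are counted
SPRAY_MIN_USERS = 4                   # distinct accounts from one IP that mark a spray
MFA_FOLLOWUP = timedelta(hours=1)     # a new MFA method this soon after the guessed login is suspicious


def parse(log):
    return [(datetime.fromisoformat(ts), ip, user, ev, res) for ts, ip, user, ev, res in log]


def spray_sources(events):
    """IP -> users for IPs whose failed sign-ins hit many distinct accounts inside SPRAY_WINDOW."""
    fails = defaultdict(list)
    for ts, ip, user, ev, res in events:
        if ev == "signin" and res == "fail":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= SPRAY_WINDOW}
            if len(users) >= SPRAY_MIN_USERS:  # one source, many users: the spray signature
                flagged[ip] = users
                break
    return flagged


def compromised_with_new_mfa(events):
    """Accounts signed in from a spraying IP that then registered an MFA method within MFA_FOLLOWUP."""
    sprayers = spray_sources(events)
    hits = []
    for ts, ip, user, ev, res in events:
        if ev != "signin" or res != "success" or ip not in sprayers:
            continue
        for ts2, _, user2, ev2, _ in events:
            if user2 == user and ev2 == "mfa_method_added" and timedelta(0) <= ts2 - ts <= MFA_FOLLOWUP:
                hits.append((user, ip, ts2.isoformat()))
    return hits
```

The second function is the check that matters for the case study: a successful sign-in from a spraying source is worth a look on its own, but a fresh MFA registration right after it is the point at which the account should be treated as taken over.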
Persistence phase
• Social engineering
• Phishing
• Tailgating/physical access (LAN TURTLE)
Remote Access – Back Channel (CORP Network)
The Goal
1. Gain access to the network
2. Compromise the domain
3. Locate, access and exfiltrate the primary datasets
4. Gain access to the main Transport Layer Security (TLS) keys responsible for various encryption functions
5. Compromise isolated systems responsible for delivering critical services
#Goal 1 Achieved
I like to live dangerously! I log in as a Domain Admin
The Goal: #Goal 2 Achieved
The Goal: #Goal 3 Achieved
The Goal: #Goal 4 Achieved
The Goal: #Goal 5 Achieved
Living off the Land
All goals achieved without exploiting any vulnerabilities
Security Controls in Place (Good Risk Mgt)
• ISO 27001 (ISMS)
• Network Access Control
• Outsourced Cyber Security Monitoring
• Firewalls, VPNs, Vuln Mgt, Anti Malware etc etc
• MFA on Remote Access
• MFA on Email
• Strong Password Policy
• Password Vault for Key Servers with Unique passwords
• Privilege Access Mgt Controls – Limited Admins
• Swipe Cards for Office Locations
Let down by ….
• Physical access to office
• Assumptions on security controls in O365
• MFA not correctly configured
• Cached admin credentials
• Password reuse
• Inadequate BIOS controls; Inconsistent Disk Encryption
• Falling dominos …. Once Domain is Compromised
• SecOps asleep at the wheel
• File Server -> Change Requests -> SOPs with system names -> password safe -> server access -> password safe -> data decryption -> browser cached creds -> system access
Conclusion (Red Team Assessment)
• Risk Assessments for this Org were all ok :)
• Risk assessments were asking the right questions – but in isolation
• The business operates in an ecosystem – everything is connected and related
• There were no "vulnerabilities" yet the business was totally compromised
• Risks need to be assessed dynamically, with context
• "Dynamic Risk Assessments" should be included to give additional assurance that controls in place are adequate & effective.
3 Key Take Aways
• Cyber Risk Assessments require CONTEXT. You need to understand your environment, your business systems and the attack vectors that are likely to apply to YOU.
• A Risk Assessment is really only as good as the scope of what you are looking at. Choose a narrow scope and you will only protect against a subset of the possible threats (and probably the wrong ones). You really need to be asking the RIGHT questions, not just a bunch of questions.
• Attacks generally exploit technical weaknesses and people. Buying technology doesn't fix this. The implementation and ongoing management of the technology is paramount. Personnel need to operate as Human Firewalls.
Do you have any questions?
Contact us to discuss how our security solutions can help protect your most vital assets.
senseofsecurity.com.au