Cyber Security Workshop - cdn.ymaws.com · Malware infects PC silently • Encrypts files using an...


Page 1

Perspectives on Cyber Security Strategies & Tactics

Joshua Schmookler, Passaic County NJ MIS Department

Security Administrator

Micah Hassinger, Bergen County NJ Communications

Director of Information Technology

Page 2

Detect – Respond – Recover – Protect

• Who are the actors?

• What motivates them?

• The anatomy of an attack (What methodology do they use?)

• What is at stake?

Page 3

Who are the actors?

• Nation-states

• China, US, Iran, Russia, etc.

• Cybercriminals

• Vladimir Tsastsin, EST Domains Inc.

• Lewys Martin

• Hacktivists

• Anonymous

• Terrorists

Page 4

What motivates them? – Nation-States

• Generally motivated by national interests

• Generally interested in stealing information from others to benefit their nation

• Sometimes interested in spying

• Flame

• Sometimes will become more aggressive, destroying information or other assets in a way that benefits national interests

• Stuxnet

Page 5

What motivates them? – Cybercriminals

• Mostly motivated by profit.

• Cryptolocker

• Click Fraud

• Infostealing

• Some people just want to watch the world burn

• Wiper Viruses

Page 6

What motivates them? – Hacktivists

• Want to make a point

• Deface websites

• Denial of Service

• Steal embarrassing information

Page 7

What motivates them? – Terrorists

• Similar to hacktivists in many ways

• Generally want to cause damage

• May be more sinister, wishing to cause loss of life

• May be nation-state funded and motivated

Page 8

Types of Attacks

• Malware

• Rootkits, Infostealers, Worms, Botnets, Trojans

• Man-in-the-Middle

• Man-in-the-Browser

• Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)

• Password Dictionary & Brute Force

• Phishing & Social Engineering

Page 9

What is at stake?

• Deletion of data

• Wiper/Cryptolocker

• Destruction of assets

• Batchwiper

• Stuxnet

• System failures – Denial of Service

• Spying

• Flame

Page 10

What is at stake? – Wiper

• Wiper was so effective, we know very little

• Wiper was so effective, it wiped itself out

• There is (still) some debate as to whether or not Wiper even existed

• Was targeted at Iranian PCs, specifically affecting the energy sector

• Destroys nearly all data, leaving no traces

• Reports indicate Wiper destroyed over 30,000 Iranian PCs

Page 11

What is at stake? – Stuxnet

• Specifically targets Siemens Step7 software

• Utilized an unprecedented four zero-day attacks simultaneously

• If Siemens Step7 is not detected, Stuxnet does nothing

• When centrifuges are controlled by an infected machine, Stuxnet destroys the centrifuge

• It is estimated that Stuxnet destroyed nearly one fifth of Iranian centrifuges

• Flame and Duqu spawned from the same code base

Page 12

What is at stake? – Flame/Duqu

• Targeted malware directed at the Middle East

• Designed to unobtrusively spy

• Capable of recording audio, screenshots, keyboard activity, network traffic, and webcam information

• Capable of turning PC into a Bluetooth beacon to record cell phone data

• Also capable of accessing documents on PC

• Supports “kill” command to wipe all traces from the affected PC

• Affected well over 1,000 machines

• 65% located in Middle East

• Huge majority in Iran

Page 13

What is at stake? – Cryptolocker

• Indiscriminate targeting

• Malware infects PC silently

• Encrypts files using an RSA-2048 key (Unbreakable)

• Holds files ransom for 10 days waiting for user to pay

• If user does not pay, the key is deleted, and files are lost forever

Page 14

Threat Assessment / Hazard Identification

• What information needs protecting?

• Personally Identifiable Information (PII)

• Critical Infrastructure / Key Resources (CI/KR)

• LEO Networks

• 28 CFR Requirements

• Sensitive Information

• Networks / Systems

Page 15

What is to be gained?

Page 16

Don’t let your network wear a red shirt!

Page 17

Security Lifecycle

Page 18

Anatomy of an attack

Page 19

Anatomy of an attack

Page 20

Have I been breached?

• User experience impacted

• Encrypted/Missing files

• User accounts locked

• Slow upload speed

• MX record blacklisted

• Deep packet analysis (RSA Security Analytics)

• IPS/Anti-Virus Log

• Security Log Analysis

Page 21

How should we react?

• Threat remediation plan

• Security Information and Event Management (SIEM)

• Malware Protection Systems

• CERT (Computer Emergency Response Team)

Page 22

What can we use to shield ourselves?

• Policies – written by entity

• Patching and maintaining up to date operating systems and essential programs

• Intrusion Detection & Prevention Systems

• Traditional Firewalls

• Web/Email Filters

• Anti-Virus

• Security Information and Event Management (SIEM)

• Malware Protection Systems

• Unbiased Penetration Testing

Page 23

What do I do now?

• Find Patient Zero

• Execute Threat Remediation Plan

• Isolate affected machines

• Restore damaged/lost files

• Evaluate policies to better protect

• Identify attack vector

Page 24

Cyber Policy as a Defense Strategy

• Policy

• Password Complexity and Expiration

• Check for CVEs

• Use Policies

• External Device Policies (BYOD)

• Response Policy

• Hacking Event Response

• Employee training and education

• Patch Management

Page 25

Layering Protection with Partnerships

• Regional Assets

• Maximize efficiency through shared costs and protection

• Leverage open-source communities

• Trade technical expertise for cost savings

• Reduce overhead

Page 26

Information Sharing

• Communications

• Internal / External Communications – Who do you share with?

• Automated Communications during an event

• Herd Immunity through communication

• Passive Alert Systems

• Big Data Analysis

• Herd Alertness

Page 27

UASI Project – Key Goals

• Secure networks from attack

• Protect against known, recently discovered, and unknown malware

• Integrate threat intelligence from MS-ISAC and other sources

• Increase incident reporting to NJ SARS

• Share actionable intelligence regarding detected threats with the region (and beyond)

• Coordinate Incident Reporting

Page 28

Phase 1 – Evaluation

• Identify key players in cyber security market

• Evaluate solutions from market leaders on-site, with real traffic

• Generate report detailing findings and recommending solution

Page 29

Phase 1 – Evaluation: Evaluated Solutions

• SafeMedia

• McAfee Network Security Platform (NSP)

• RSA Security Analytics (Formerly NetWitness)

• Sourcefire (now Cisco) 3D Series NGFW/NGIPS

Page 30

Phase 1 – Evaluation: SafeMedia

• SafeMedia was found to be effective but small

• Ability to execute on the part of the company was lacking

• Very cost effective

• Very user friendly

Page 31

Phase 1 – Evaluation: McAfee NSP

• Not as user-friendly as Sourcefire and SafeMedia

• Very effective IPS

• Very effective malware platform

• Information sharing non-existent

• No Security Intelligence integration

Page 32

Phase 1 – Evaluation: RSA Security Analytics

• The least user friendly of the group

• Extremely effective analytics platform

• Very effective malware detection

• Good integration with Security Intelligence and Information Sharing

• Extremely expensive

• Detection only; does not block threats

Page 33

Phase 1 – Evaluation: Sourcefire

• Extremely user friendly

• Extremely effective IPS and Malware detection

• Excellent Security Intelligence and Information Sharing Capabilities

• Second least expensive platform

• Included firewall capabilities are an excellent value-add

• Additional value-add from optional URL filtering and optional endpoint Malware protection

Page 34

Phase 1 – Evaluation: Recommendation

• Based on the intensive 7-month on-site evaluation, Sourcefire (now Cisco) was chosen as the platform that best meets the needs of the region, including integration with MS-ISAC, which was defined as non-negotiable

Page 35

Phase 2 – Implementation

• Currently ongoing, implementation of the chosen solution will be completed within the next 21 days

• Coordination and planning are key to a successful implementation.

• When completed, the UASI area will be extremely well equipped to deal with cyber attacks, and share that actionable intelligence with the region and beyond

Page 36

Any Questions?

Joshua Schmookler

Security Architect/Network Administrator – Passaic County NJ MIS Department

[email protected]

973-881-4273

Micah Hassinger

Director of Information Technology – Bergen County NJ Communications

[email protected]

201-785-8512

Thank you for your time!