Lessons learned and best practices for cyber incidents

ATSAIC Geoff Noonan, US Secret Service

Renana Friedlich, EY

March 13, 2018

U.S. Department of Homeland Security

United States Secret Service

Page 2

Agenda

► Know your enemy
► What do they want
► War stories and recommendations
► Summary

Page 3

Know your enemy

Script kiddies
► Common exploits, easily available tools

Hacktivists
► Motivated by ideology or social justice
► Range of capabilities

Insiders
► Malicious and accidental
► Knowledge of company and business skills

Organized crime
► Highly networked, highly resourced and motivated

State-sponsored attacks
► Heavily resourced, have access to most advanced tools

Page 4

You can’t avoid being attacked or breached

Being attacked is unavoidable, so how prepared are you? Can you answer yes to these five key questions?

But you can be prepared to protect the “crown jewels”

Valued assets
► Intellectual property
► People information
► Financial information
► Business information (strategy, performance, transactions)

1. Do you know what you have that others may want?
2. Do you know how your business plans could make these assets more vulnerable?
3. Do you understand how these assets could be accessed or disrupted?
4. Would you know if you were being attacked and if the assets had been compromised?
5. Do you have a plan to react to an attack and minimize the harm caused?

Page 5

What CEOs and CIOs are asked during an incident (no particular order)

► What resources do you need?
► How long will X be down?
► What data (if any) was taken?
► How long was the attacker in our network before we shut them down?
► What percentage of the way through the incident are you?
► What do we know about the attacker?
► What systems or technologies failed during the intrusion?
► Do we need to notify regulators? Should we issue a statement?
► Are we 100% sure we’ve scoped the incident properly?

To answer these questions, you need an incident response strategy and “battle-tested” incident response plans and procedures.

Page 6

What is incident response?

“An organized approach to addressing and managing the aftermath of a security breach (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and cost.”

Event: an observable occurrence in an information system that happened at some point in time and was written to a log file.

Incident: any activity that harms or represents a threat to the whole or part of the company assets.

Breach: an incident that involved data exfiltration.

Source: EY’s IR brochure

Page 7

Data Exfiltration

► Following same “playbook” (no need to change):
  ► Gain access to internal company network
  ► Deploy remote access tool
  ► Obtain Windows Domain Administrator privileges
  ► Dump and crack password hashes of all corporate users
  ► Use cracked accounts to access sensitive data
  ► Extract data to a staging server
  ► Sell records when black market conditions are most favorable

Attack lifecycle (diagram): Conduct background research → Execute initial attack → Establish foothold → Enable persistence → Conduct enterprise reconnaissance → Move laterally to new systems → Escalate privileges → Gather and encrypt data of interest → Exfiltrate data from victim systems → Maintain persistent presence

Phases: Intelligence gathering → Initial exploitation → Command and control → Privilege escalation → Data exfiltration

Page 8

Maksik Case Study

► “Maksik” is a Ukrainian carder well known for selling stolen debit and credit card credentials on the black market.
► Involved in several high-profile data breaches in the mid-2000s, including Dave & Buster’s in 2007 and TJX Companies, which was considered the largest breach for its time at more than 45 million cards stolen that same year.
► Among other things, he was highly sought after for his ability to crack PINs and to make sure that packet sniffers went undetected.

Page 9

Maksik

► Banks provide CPP information to USSS
► Identify major card distributor / many arrests
► Establish a U/C with credibility on carding forums
► Major U/C buy of tens of thousands of dumps
► Establish personal relationship
► Dust off our passports

Page 10

Ransomware

Page 11

Business email compromise

Parties in the diagram: targeted affiliate, parent holding company. Diagram labels: wire transfer, domain; timeline marks Day 1, Day 2, Day 4.

1. Victim receives phishing email in personal Yahoo Mail account.
2. Phishing email directs victim to provide their business Gmail credentials.
3. Attacker accesses victim’s Gmail account.
4. Attacker finds wire transfer forms in victim’s Gmail.
5. Attacker blocks all emails from parent to victim’s Gmail account.
6. Attacker registers fake affiliate domain.
7. Attacker sends wire request to parent from fake associated press user email account.
8. Parent validates request and transmits funds.
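As an added example (not from the presentation), a check the parent company's mail gateway could run against step 6 above, where the attacker registers a fake affiliate domain and sends the wire request from it. Domain names are constructed placeholders; the confusable table and the "last two labels" registrable-domain rule are simplifying assumptions (no public-suffix list).

```python
# Added example, not from the deck: flag sender domains that impersonate a
# known affiliate or parent domain. All domain names are constructed.

TRUSTED_DOMAINS = {"acme-affiliate.example", "acmeholding.example"}

# Visual substitutions commonly seen in lookalike registrations (assumed list).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def skeleton(label: str) -> str:
    """Collapse visually similar characters so 'acrne' and 'acme' compare equal."""
    s = label.lower()
    for fake, real in CONFUSABLES.items():
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance in the standard dynamic-programming form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels, e.g. mail.acme.example -> acme.example (simplified)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for an email address's domain."""
    domain = registrable(address.rsplit("@", 1)[-1])
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    name = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        tname = trusted.split(".")[0]
        # Same skeleton (homoglyphs), small edit distance (typosquat), or the
        # trusted name embedded in a longer one (e.g. acme-affiliate-payments).
        if (skeleton(name) == skeleton(tname)
                or edit_distance(name, tname) <= 2
                or (tname in name and len(name) - len(tname) <= 10)):
            return "lookalike"
    return "unrelated"
```

A "lookalike" verdict is a reason to hold the message for out-of-band confirmation of any payment request, which is the control step 8 was missing.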

Page 12

Lessons learned from breach investigations

► Compliance ≠ secured
► Audit did not test for current attack path
► Too many ways to get to sensitive data
► Not enough protection of privileged domain administrator / service accounts
► “Blind spots” on network identified after breach
► Not enough logs
► Breaches detected via external parties vs. internal monitoring capabilities

Page 13

Steps to take before a cyber intrusion or attack occurs

1. Identify your “crown jewels”
2. Develop an actionable response plan
3. Have appropriate technology controls
4. Have appropriate authorization in place to permit network monitoring
5. Make your legal counsel familiar with incident management
6. Engage with law enforcement before an incident
7. Establish relationships with cyber information sharing organizations

Page 14

Steps to take before a cyber intrusion or attack occurs (cont.)

2. Map all entry points for third-party vendor access to the environment, identify controls and review notification requirements
3. Clearly define investigation objectives
4. Engage in advance with retainer provider and outside counsel
5. Identify all regulatory and notification requirements
6. Protect privilege
7. Review log retention policy and increase logging

Page 15

After a Computer Incident

1. Continue monitoring the network for any anomalous activity to make sure the intruder has been expelled and you have regained control of your network.
2. Conduct a post-incident review to identify deficiencies in planning and execution of your incident response plan.

Page 16

Cybersecurity countermeasure framework: a new approach

Establish a strong governance program to continuously drive and sustain improvements

Govern: threat intelligence, risk tolerance, business priorities

► Complicate: complicate an attacker’s ability to achieve their objective
► Detect: implement controls to detect the attack before meaningful business impact is accomplished
► Respond: effectively and efficiently respond and remediate an attack
► Educate: maintain a security-conscious workforce

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organisation and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organisation, please visit ey.com.

© 2017 Ernst & Young. Published in Ireland. All Rights Reserved.

SCORE no. XXXXXXXXX 1703-2214616 ED None

The Irish firm Ernst & Young is a member practice of Ernst & Young Global Limited. It is authorised by the Institute of Chartered Accountants in Ireland to carry on investment business in the Republic of Ireland.

Ernst & Young, Harcourt Centre, Harcourt Street, Dublin 2, Ireland.

Information in this publication is intended to provide only a general outline of the subjects covered. It should neither be regarded as comprehensive nor sufficient for making decisions, nor should it be used in place of professional advice. Ernst & Young accepts no responsibility for any loss arising from any action taken or not taken by anyone using this material.

ey.com