Red Teaming - Singapore Healthcare Management...VAPT vs Red-teaming (Adversary Simulation) Why...
Red Teaming
Simulating Social Engineering Threats
Chong Rong Hwa & Terence Teo
GovTech Red Team
August 2018
Copyright of GovTech © Not to be reproduced unless with explicit consent by GovTech.
Presentation Outline
1. Who Are We?
2. Adversary Simulation
3. Cybersecurity in Healthcare
4. Social Engineering – A Relevant Threat
5. Key Takeaways
GovTech Red Team
#WHOAREWE
Critical Information Infrastructure – Government Sector Lead
Image source: Cyber Security Agency of Singapore
Image source: Benjamin Ang, Centre of Excellence for National Security
Hard Cybersecurity Problems
Social Engineering Attacks
• Phishing emails to deliver malware
• Social engineering through social media and messaging applications
Shadow IT & Weak Hosting Sites
• Unmanaged IT systems
• Projects hosted on insecure vendors' hosting sites
Supply-chain Attack
• Trusted hardware and trusted software vendors
• Internet-facing systems that interact with business partners' portals that do not have end-to-end integrity protection
Adversary Simulation
Holistic Security Testing Approach
• Important to test IT environment (People, Process & Technology)
• Incorporate 3 tiers into System Development Life Cycle (SDLC):
  o Secure configuration review & Vulnerability Assessment
  o Penetration Testing
  o Adversary Simulation
Red Teaming
Penetration Testing (Defined and Dynamic)
Vulnerability Assessment (Continuous Scanning)
Modelled Against Threat Scenarios
Defined by Organisation’s Scope
VAPT vs Red-teaming (Adversary Simulation)
Why Adversary Simulation?
Vulnerability Assessment Penetration Testing (VAPT) is an asset-centric security test, where the testers focus on testing the security of the IT system, e.g. Web Application & S/W, that contains the data.
VAPT Analogy
Testers would validate the security of the safe to ensure that it could not be opened without secret and key.
Adversary Simulation (AS) is an adversarial-goal-centric security test, where the testers test the IT environment, including People, Process and Technology (PPT), with the goal of identifying the weaknesses that might lead to access to data.
E.g. lack of IT administration process, insecure administrative laptop, etc.
AS Analogy
Testers would simulate an attacker to steal the gold bars (in the safe) that are located inside the bank.
The attacker would probably need to bypass the security operations and do things like:
• Social engineer the authorized personnel
• Break through the windows
• Compromise the security IT systems
IT Environment – Bank (People, Process & Tech)
IT System – Safe
Data – Gold Bar
Adversary Simulation
Methodology & Simulated Attackers
Planning and Preparation
• Preparation of attacker’s server
• Coding and testing of tools
• Research in technology
Information Gathering
• Attack surface exploration
• Network discovery
• Social engineering
Conduct of Testing
• People
• Process
• Technology
After-action Analysis
• Root cause analysis
• Propose mitigation
• Advise security consultant
Sophisticated threat actor
An attacker with skills and abilities above run-of-the-mill hackers, however, not as resourceful as state-sponsored threat actors who are equipped with unknown hacking tools, tactics and procedures.
Malicious insider
An attacker who is a person within the organization, such as an employee, former employee, contractor or business associate, who abuses their access to data and systems, to conduct malicious acts.
Cybersecurity in Healthcare
Digital Transformation of Healthcare
Image source: Opengovasia
Image source: Straits Times
Cyberattacks in Healthcare
• Ranks among the top five industries most targeted by cyberattacks
• Puts not only patient data but also human lives at risk
• Cybersecurity needs to become part of the organizational culture in both healthcare providers and medtech companies
• Governments can help by enacting industry-wide standards for cybersecurity in healthcare
Image source: GovTech Singapore
Healthcare Data Breaches
Image sources: Healthcare IT News
Image source: The Verge
Timeline of Key Healthcare Cybersecurity Incidents
• January 2015 – Anthem Blue Cross (7.8 million)
• May 2017 – WannaCry Ransomware
• July 2018 – SingHealth Data Breach (1.5 million)
Social Engineering – A Relevant Threat
Exploiting the weakest link – Us Humans
What is social engineering?
The use of psychological manipulation of people into performing actions or divulging confidential information.
Image source: Network Access (https://www.networkaccess.com/cyber-criminals-use-social-engineering-hack-businesses/)
Why social engineer?
Exploiting TRUST
Trust – Closely linked with benevolence, which leads to trust, resulting in information leakage and compromise of system
Exploiting DISC
DISC – Observable human behaviors (4 key traits)
Exploiting HERD MENTALITY
Herd mentality – Influence
Social Engineer’s Playbook
The Big Four
1. Who am I?
2. What do I have to offer?
3. How long do I need?
4. Am I a threat?
Exploiting Trust
• Sympathy
Exploiting Trust
• Authority
Assumed Authority
Exploiting Trust
• Scarcity
Scarcity - to create a feeling of urgency in a decision-making context
Image source: 9 essential ways to use Scarcity to increase sales – Kaleigh Moore (https://sumo.com/stories/scarcity-marketing)
Common Social Engineering Delivery Techniques
Social Engineering Techniques
• Phishing: Emails appearing to be from reputable sources with the goal of influencing or gaining personal information.
• Vishing/Smishing: Eliciting information or attempting to influence action via the telephone; may include such tools as “call/SMS spoofing.”
• In-person Impersonation: Pretexting as another person with the goal of obtaining information or access to a person, company, or computer system.
Types of Social engineering attacks: Email
Image source: OneSpan
Types of Social engineering attacks: Voice & Text Message
Image sources: OneSpan
Types of Social engineering attacks: Man-in-the-middle
Image sources: OneSpan
Types of Social engineering attacks: Social Media
Image sources: OneSpan
Types of Social engineering attacks: In-person Impersonation
Image sources: VISTA InfoSec
New Email Phishing Campaign – Breach Data
Image source: IntelTechniques
New Email Phishing Campaign arising from SingHealth Data Breach
Other phishing attacks arising from SingHealth Data Breach
Images source: The Straits Times
Key Takeaways
• Phishing techniques consider human behaviours to increase success rate
• Processes help to mitigate phishing attacks
• Cyber security awareness assessment identifies weaknesses in these processes and not People
• Determine level of security awareness maturity – SANS 5 stages Security Awareness Maturity Model (https://www.sans.org/sites/default/files/2018-05/2018%20SANS%20Security%20Awareness%20Report.pdf)
Questions?
Stay vigilant & don’t be an easy phishing target!
Thank you