Security at the Edge - Reliant Solutions
Security at the Edge
January 2020
Approach to Defending Retail Stores Needs to Change
• What has changed?
• Why is it changing? Why now?
• Example: A Client’s Battle with CyberExtortion
• How should we respond?
• How can Reliant Help?
• Resources
What’s Changed?
CIA Triad - Confidentiality
What Else has Changed? – The Retail IoT
• New Components
  • IoT Devices - Cameras, Smart Displays, Tablets, etc.
  • Containers – Typically Docker or LXC; support real-time control and interactivity
  • MQTT - A lightweight messaging protocol for small sensors and mobile devices
  • Message Broker – Typically Mosquitto or RabbitMQ; supports messaging between IoT devices and applications
What Else has Changed? – The Retail IoT
• New Security Issues
  • Patch/Vulnerability Management
  • Audit Trails
  • Authentication
  • Inventory Management
  • Physical/Logical Inventories
  • Security Testing
  • System Behavior Monitoring
  • Change Velocity
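The two slides above name MQTT as the messaging layer and list Authentication and System Behavior Monitoring among the new issues. The following is an added example, not code from Reliant Solutions: it decodes MQTT 3.1.1 CONNECT packets and reports which in-store devices connected without a username or without a password. The broker (Mosquitto or RabbitMQ) enforces authentication when configured to; this is the monitoring-side check, and the "capture" it runs over is constructed inline with the included encoder.

```python
"""Inspect MQTT 3.1.1 CONNECT packets and report clients that did not authenticate.
Added example; the sample packets are constructed here, not taken from a real store."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CONNECT flag bits (MQTT 3.1.1, section 3.1.2.3)
FLAG_USERNAME, FLAG_PASSWORD, FLAG_WILL, FLAG_CLEAN_SESSION = 0x80, 0x40, 0x04, 0x02


@dataclass
class ConnectInfo:
    client_id: str
    clean_session: bool
    keep_alive: int
    username: Optional[str]
    has_password: bool

    @property
    def anonymous(self) -> bool:
        return self.username is None


def _encode_remaining_length(n: int) -> bytes:
    """Variable-length integer: 7 data bits per byte, high bit set means more bytes follow."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def _read_remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    value, multiplier = 0, 1
    for _ in range(4):                         # the spec allows at most 4 bytes
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")


def _string(data: bytes) -> bytes:
    """Length-prefixed field: 2-byte big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_string(buf: bytes, pos: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def parse_connect(packet: bytes) -> ConnectInfo:
    """Decode the fixed header, variable header and payload of a CONNECT packet."""
    if packet[0] != 0x10:                      # packet type 1, flags 0
        raise ValueError("not a CONNECT packet")
    remaining, pos = _read_remaining_length(packet, 1)
    if len(packet) != pos + remaining:
        raise ValueError("remaining length does not match packet size")
    name, pos = _read_string(packet, pos)
    if name != b"MQTT" or packet[pos] != 4:    # protocol name and level
        raise ValueError("only MQTT 3.1.1 is handled here")
    flags, keep_alive = packet[pos + 1], struct.unpack_from(">H", packet, pos + 2)[0]
    pos += 4
    client_id, pos = _read_string(packet, pos)
    if flags & FLAG_WILL:                      # skip will topic and will message
        _, pos = _read_string(packet, pos)
        _, pos = _read_string(packet, pos)
    username = None
    if flags & FLAG_USERNAME:
        raw, pos = _read_string(packet, pos)
        username = raw.decode("utf-8")
    return ConnectInfo(client_id.decode("utf-8"), bool(flags & FLAG_CLEAN_SESSION),
                       keep_alive, username, bool(flags & FLAG_PASSWORD))


def build_connect(client_id: str, username: Optional[str] = None,
                  password: Optional[bytes] = None, keep_alive: int = 60) -> bytes:
    """Encode a CONNECT packet; used only to construct the sample capture below."""
    flags, payload = FLAG_CLEAN_SESSION, _string(client_id.encode("utf-8"))
    if username is not None:
        flags |= FLAG_USERNAME
        payload += _string(username.encode("utf-8"))
    if password is not None:
        flags |= FLAG_PASSWORD
        payload += _string(password)
    body = _string(b"MQTT") + bytes([4, flags]) + struct.pack(">H", keep_alive) + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body


def audit_connects(packets: List[bytes]) -> List[str]:
    """One finding per client that connected anonymously or with a username but no password."""
    findings = []
    for pkt in packets:
        info = parse_connect(pkt)
        if info.anonymous:
            findings.append(f"{info.client_id}: anonymous connect (no username)")
        elif not info.has_password:
            findings.append(f"{info.client_id}: username {info.username!r} without password")
    return findings


# Constructed sample capture: an authenticated camera, an anonymous display,
# and a tablet that sends a username only.
SAMPLE_CAPTURE = [
    build_connect("camera-aisle-3", "camera-aisle-3", b"s3cret"),
    build_connect("smart-display-lobby"),
    build_connect("tablet-pos-7", "tablet-pos-7"),
]
```

Feeding `audit_connects` with CONNECT packets taken from a capture at the broker's listener gives an inventory of which edge devices actually present credentials; devices that show up as anonymous are the ones to fix before turning off anonymous access on the broker, since they will stop working at that point.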
Why is it Changing? Why Now?
• The Digital Store Mandate means:
  • IoT Devices in Store
  • Applications and Systems to Drive them
  • Huge content files
  • AI, Machine Vision, Machine Learning
  • Augmented/Virtual Reality
  • Exponentially growing tender types
When Integrity/Availability are lost, your store ceases to operate!!
Why is it Changing? Why Now?
Cross-Border Extortion is now possible:
• Bitcoin provides currency for anonymous transactions spanning the globe
• Bitcoin can be easily purchased and sold in every major currency on the planet
• Bitcoin’s decentralized architecture is entirely unregulated
Criminals now have a frictionless way to extort money from victims!!
A Client’s Battle w/Cyber-Extortion – The Attack
In the first 8 hours:
• All enterprise applications were rendered unusable
• Most desktops & file servers were encrypted with ransomware
• Phones no longer worked
• AD root admin accounts compromised
The next day:
• Office 365 accounts including email were revealed as compromised
• Custom application code repositories encrypted
• Emails from executives directed financial people to change deposit accounts or redirect vendor payments
• Suggestions of sensitive data exfiltration
• Outreach to individual employees suggesting attackers had compromising information
• Processes like payroll and bid management ceased to operate
• External IPs were blacklisted due to spam activity
The message: “Resistance is Futile – Pay up and End the Pain Now”
A Client’s Battle w/Cyber-Extortion – The Response
Network was declared “completely compromised” and no systems were trusted:
• All WAN and LAN connections were severed
• New LAN was created
• Basic Infrastructure like AD and AV was rebuilt
• Inventory of “last good” backups was established
• Sandbox environment was created for evaluation of potentially compromised systems
• Only validated “clean” systems were “re-admitted” to the network
Over the next 45 days, the network was painstakingly reconstructed system-by-system and circuit-by-circuit:
• Office 365 accounts were cleaned
• Fresh backups were validated
• New AD/AV was deployed
• Admin accounts cleaned up
• Field offices received onsite visits to clean desktops and servers
• Remote access was secured w/logging and 2FA
• Log monitoring infrastructure was put in place
A Client’s Battle w/Cyber-Extortion – Observations
• Attackers entered the environment through a compromised laptop used by a contract developer who had Admin Credentials on AD
• Evidence shows they planned their attack for > 1 month after gaining access
• Attackers operated as a team – well-coordinated and well-planned:
  • Understanding the organizational structure
  • Compromising executive email accounts
  • Developing an inventory of IT assets to compromise
  • Installing email forwarders to read employee emails
  • Executing a brute force ransomware attack across HQ and remote site servers
• They were not technically sophisticated
  • They did not touch critical Linux-based systems that were too hard to break into
  • They penetrated the network and AD via a soft back door
  • The attack was “point & click,” we saw little evidence of any real offensive security skills
• They were CRUEL - their goal was to:
  • Inflict the greatest possible damage
  • In the least amount of time
  • At the lowest possible cost
  • Causing the most emotional distress
How to Respond – The Low Hanging Fruit
The Easy Stuff:
• Least-privilege - Domain Admins
• Validate backups
• 2FA for remote- and admin-access
• Proxy all outbound web traffic
• Update your DR plan
More Involved:
• Move away from Windows for high-value & mission critical apps
• Where Windows is required, consider adaptive endpoint security products
• Move to microservices to enable security and agility simultaneously
• Logging and Security Monitoring
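Two of the "easy stuff" items (least-privilege on Domain Admins and 2FA for admin access) map directly onto what the observations slide describes: a contractor account with AD admin credentials, and email forwarders planted to read employee mail. The script below is an added example, not Reliant Solutions' tooling. It reviews constructed records shaped like an AD group-membership export and an Exchange inbox-rule export; the field names (`sam`, `mfa_enforced`, `last_logon`, `forward_to`, `forwarding_smtp_address`, `delete_message`) and the 90-day staleness threshold are assumptions, not a vendor schema.

```python
"""Review Domain Admins membership and mailbox forwarding from exported records.
Added example; records below are constructed, not taken from the case study."""
import re
from datetime import date
from typing import Dict, Iterable, List

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Fields that can carry a forwarding target (assumed names for an inbox-rule export)
FORWARD_FIELDS = ("forward_to", "forward_as_attachment_to", "redirect_to", "forwarding_smtp_address")


def review_domain_admins(members: Iterable[Dict], approved: Iterable[str],
                         today: date, stale_days: int = 90) -> List[str]:
    """Flag Domain Admins members that are unapproved, lack MFA, or have not logged on recently."""
    allowed = {a.lower() for a in approved}
    findings = []
    for m in members:
        name = m["sam"]
        if name.lower() not in allowed:
            findings.append(f"{name}: not on the approved Domain Admins list")
        if not m.get("mfa_enforced", False):
            findings.append(f"{name}: admin account without MFA")
        last = m.get("last_logon")
        if last is not None and (today - last).days > stale_days:
            findings.append(f"{name}: no logon in {(today - last).days} days")
    return findings


def review_forwarding(rules: Iterable[Dict], internal_domains: Iterable[str]) -> List[str]:
    """Flag inbox rules or mailbox settings that send copies of mail to external domains."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for r in rules:
        raw = " ".join(str(r.get(k, "")) for k in FORWARD_FIELDS)
        external = sorted({t for t in EMAIL_RE.findall(raw)
                           if t.split("@")[1].lower() not in internal})
        if not external:
            continue
        name = r.get("name") or "<unnamed>"
        # A rule that forwards and deletes hides the forwarded mail from the mailbox owner
        note = " and deletes the original" if r.get("delete_message") else ""
        findings.append(f"{r['mailbox']}: rule {name!r} forwards to {', '.join(external)}{note}")
    return findings


# Constructed sample data (not from the case study).
TODAY = date(2020, 1, 15)
APPROVED_ADMINS = ["adm-jlee", "adm-rkhan"]
DOMAIN_ADMINS = [
    {"sam": "adm-jlee", "mfa_enforced": True, "last_logon": date(2020, 1, 14)},
    {"sam": "contractor-dev1", "mfa_enforced": False, "last_logon": date(2019, 9, 2)},
    {"sam": "svc-backup", "mfa_enforced": False, "last_logon": date(2020, 1, 13)},
]
INBOX_RULES = [
    {"mailbox": "cfo@store.example", "name": "Sync",
     "forward_to": '"ops" [SMTP:ops@store.example]'},
    {"mailbox": "cfo@store.example", "name": "",
     "forward_to": '"backup" [SMTP:cfo.archive@mail-relay.example]', "delete_message": True},
    {"mailbox": "ap@store.example",
     "forwarding_smtp_address": "smtp:payments@vendor-portal.example"},
]
```

Run both reviews on a schedule rather than once: the approved-admin list catches a contractor account that was added "temporarily", the MFA check catches admin accounts created outside the normal process, and the forwarding review catches the quiet read access that preceded the ransomware stage in the case study.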
How to Respond – Third-Party Security Program
• In the Era of Cloud, a vendor security program is critical
• All vendors should be able to provide evidence of controls via a PCI DSS SP or (at least) a SOC 2 audit
• Practice Least-Privilege and ensure that MFA is in use
• Ensure that contracts require vendors to help you in the event of a suspected breach
How to Respond – Adaptive Approach to Security
Defense in Depth / Adaptive
Adaptive Security at the Edge – Honeypot Demo
How to Respond – A Different Type of Risk
• Critical business application narratives
• Evaluation of remote/admin access and AAA infrastructure
• Inventory of mission critical applications and data
• Analysis of DC & cloud-based infrastructure
• Assessment of system backups
• Analysis of inbound and outbound connectivity
• Full vendor security assessment
• Audit trails and monitoring
• User/Admin security training
• Assessment of Privacy Risk
Question: If an attacker wanted to cripple you, how could they do it?
Our professional services team is available to perform these services
Resources – Third-Party Risk
• SFG Shared Assessments - Industry body dedicated to shared assessment methodologies: sharedassessments.org
• Center for Internet Security (CIS) Critical Security Controls: www.cisecurity.org/controls/
• Cloud Security Alliance (CSA) Consensus Assessment Initiative Questionnaire: cloudsecurityalliance.org/artifacts/consensus-assessments-initiative-questionnaire-v3-0-1/
• NIST Cybersecurity Framework: www.doi.org/10.6028/NIST.CSWP.04162018
Resources - CyberExtortion
• Brian Krebs writes extensively on this topic: https://krebsonsecurity.com/tag/extortion/
• Other collections of information include:
  • https://www.cisecurity.org/blog/cyber-extortion-an-industry-hot-topic/
  • https://www.dhs.gov/topic/cybersecurity
  • https://www.whitehouse.gov/wp-content/uploads/2018/03/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf
  • https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf
Resources – Retail IoT Security
• How To Face The Security Challenges In Retail IoT Development?, Customer Think, Ankit Singh, July 30, 2019. www.Customerthink.com
• Securing the Retail IoT, Mark Weiner, June 2019. www.reliantsolutions.com/securing-the-retail-iot/