Security at the Edge - Reliant Solutions · • The attack was “point & click,” we saw little...

Security at the Edge, January 2020 (21 slides)

Transcript of Security at the Edge - Reliant Solutions

Page 1: Security at the Edge

January 2020

Page 2: Approach to Defending Retail Stores Needs to Change

• What has changed?
• Why is it changing? Why now?
• Example: A Client’s Battle with Cyber-Extortion
• How should we respond?
• How can Reliant Help?
• Resources

Page 3: What’s Changed?

[CIA Triad diagram; only the “Confidentiality” label survived extraction]


Page 6: What Else has Changed? – The Retail IoT

• New Components
  • IoT Devices - Cameras, Smart Displays, Tablets, etc.
  • Containers – Typically Docker or LXC; support real-time control and interactivity
  • MQTT - A lightweight publish/subscribe messaging protocol for small sensors and mobile devices
  • Message Broker – Typically Mosquitto or RabbitMQ; supports messaging between IoT devices and applications

Page 7: What Else has Changed? – The Retail IoT

• New Security Issues
  • Patch/Vulnerability Management
  • Audit Trails
  • Authentication
  • Inventory Management
  • Physical/Logical Inventories
  • Security Testing
  • System Behavior Monitoring
  • Change Velocity
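The message broker from the previous slide is where several of the issues listed above (authentication, audit trails, security testing) meet in one file. The following is an added example, not code from the talk or from Reliant: a small Python audit of a Mosquitto configuration that flags the settings a store-network review should catch, namely anonymous clients, plaintext listeners, no client authentication, no topic ACLs and no log destination. Both configurations it checks are constructed for the example; the certificate and file paths in them are placeholders.

```python
"""Static audit of a Mosquitto broker configuration for the weak settings
a retail IoT review should catch: anonymous clients, plaintext listeners,
no client authentication, no topic ACLs, no log destination.

Added example, not code from the talk or from Reliant. Both configs below
are constructed; the certificate and file paths are placeholders."""

WEAK_CONF = """\
# the out-of-the-box state many store brokers are left in
listener 1883
allow_anonymous true
"""

HARDENED_CONF = """\
per_listener_settings true
listener 8883
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile /etc/mosquitto/broker.key
require_certificate true
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
log_dest file /var/log/mosquitto/mosquitto.log
"""


def parse_conf(text):
    """Split mosquitto.conf into global settings and one dict per listener.

    Mosquitto scopes TLS options (and, with per_listener_settings true, the
    auth options) to the most recent `listener` line, so each directive is
    filed under the listener it follows; anything before the first listener
    is global."""
    global_settings, listeners = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key in ("listener", "port"):            # `port` is the legacy form
            current = {"listener": value.strip()}
            listeners.append(current)
        else:
            current[key] = value.strip()
    return global_settings, listeners


def audit_mosquitto_conf(text):
    """Return human-readable findings; an empty list means nothing to fix."""
    global_settings, listeners = parse_conf(text)
    findings = []

    def setting(listener, key):
        # a listener-level value wins, otherwise fall back to the global one
        return listener.get(key, global_settings.get(key))

    if not listeners:
        findings.append("no listener directive; what the broker exposes depends on the version")

    for lst in listeners:
        name = "listener " + lst["listener"]
        anon = setting(lst, "allow_anonymous")
        if anon == "true":
            findings.append(f"{name}: allow_anonymous true, any device on the VLAN can publish and subscribe")
        elif anon is None:
            # Mosquitto 1.x defaulted this to true, 2.x to false: set it explicitly
            findings.append(f"{name}: allow_anonymous not set (1.x brokers default to true)")
        if not (setting(lst, "certfile") and setting(lst, "keyfile")):
            findings.append(f"{name}: no certfile/keyfile, credentials and payloads travel in plaintext")
        authenticated = setting(lst, "password_file") or setting(lst, "require_certificate") == "true"
        if anon != "true" and not authenticated:
            findings.append(f"{name}: no password_file and no client-certificate requirement, clients cannot be identified")
        if not setting(lst, "acl_file"):
            findings.append(f"{name}: no acl_file, every connected client can read and write every topic")

    # log_dest is a global option wherever it appears in the file
    if not any("log_dest" in scope for scope in [global_settings, *listeners]):
        findings.append("no log_dest: connections and authentication failures leave no audit trail")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_mosquitto_conf(conf) or ["clean"])
```

To check a real broker, read its mosquitto.conf and pass the text to audit_mosquitto_conf(). Note the version caveat in the code: Mosquitto 1.x accepted anonymous connections by default and 2.x does not, so an unset allow_anonymous is reported rather than assumed safe.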

Page 8: Why is it Changing? Why Now?

• The Digital Store Mandate means:
  • IoT Devices in Store
  • Applications and Systems to Drive them
  • Huge content files
  • AI, Machine Vision, Machine Learning
  • Augmented/Virtual Reality
  • Exponentially growing tender types (payment methods)

When Integrity/Availability are lost, your store ceases to operate!!

Page 9: Why is it Changing? Why Now?

Cross-Border Extortion is now possible:
• Bitcoin provides a pseudonymous currency for transactions spanning the globe
• Bitcoin can be easily purchased and sold in every major currency on the planet
• Bitcoin’s decentralized architecture has no central operator that can freeze or reverse a payment

Criminals now have a frictionless way to extort money from victims!!

Page 10: A Client’s Battle w/Cyber-Extortion – The Attack

In the first 8 hours:
• All enterprise applications were rendered unusable
• Most desktops & file servers were encrypted with ransomware
• Phones no longer worked
• AD root admin accounts compromised

The next day:
• Office 365 accounts, including email, were revealed as compromised
• Custom application code repositories encrypted
• Emails from executives directed finance staff to change deposit accounts or redirect vendor payments
• Suggestions of sensitive data exfiltration
• Outreach to individual employees suggesting attackers had compromising information
• Processes like payroll and bid management ceased to operate
• External IPs were blacklisted due to spam activity

The message: “Resistance is Futile – Pay up and End the Pain Now”

Page 11: A Client’s Battle w/Cyber-Extortion – The Response

Network was declared “completely compromised” and no systems were trusted:
• All WAN and LAN connections were severed
• New LAN was created
• Basic infrastructure like AD and AV was rebuilt
• Inventory of “last good” backups was established
• Sandbox environment was created for evaluation of potentially compromised systems
• Only validated “clean” systems were “re-admitted” to the network

Over the next 45 days, the network was painstakingly reconstructed system-by-system and circuit-by-circuit:
• Office 365 accounts were cleaned
• Fresh backups were validated
• New AD/AV was deployed
• Admin accounts cleaned up
• Field offices received onsite visits to clean desktops and servers
• Remote access was secured w/logging and 2FA
• Log monitoring infrastructure was put in place

Page 12: A Client’s Battle w/Cyber-Extortion – Observations

• Attackers entered the environment through a compromised laptop used by a contract developer who had Admin credentials on AD
• Evidence shows they planned their attack for > 1 month after gaining access
• Attackers operated as a team – well-coordinated and well-planned:
  • Understanding the organizational structure
  • Compromising executive email accounts
  • Developing an inventory of IT assets to compromise
  • Installing email forwarders to read employee emails
  • Executing a brute-force ransomware attack across HQ and remote site servers
• They were not technically sophisticated:
  • They did not touch critical Linux-based systems that were too hard to break into
  • They penetrated the network and AD via a soft back door
  • The attack was “point & click,” we saw little evidence of any real offensive security skills
• They were CRUEL - their goal was to:
  • Inflict the greatest possible damage
  • In the least amount of time
  • At the lowest possible cost
  • Causing the most emotional distress
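The email forwarders and executive-mailbox compromise noted above leave a trail in the Office 365 Unified Audit Log (New-InboxRule, Set-InboxRule and Set-Mailbox operations). As an added example that is not part of the talk or of Reliant’s tooling, the Python below scores such records for forwarding outside the tenant, the delete-after-forward trick, throwaway rule names and changes made by someone other than the mailbox owner. The audit records it runs over are constructed for the example: the field names follow the Exchange Online audit schema (Operation, UserId, ObjectId, ClientIP, Parameters), but the tenant domain, people, addresses and IPs are invented.

```python
"""Hunt for mailbox forwarders in Office 365 Unified Audit Log records
(the AuditData JSON of Search-UnifiedAuditLog, one dict per record).

Added example, not the talk's or Reliant's tooling. SAMPLE_RECORDS is
constructed: the field names follow the Exchange Online audit schema, but
the tenant domain, users, addresses and IPs are invented."""
import re

INTERNAL_DOMAINS = {"example.com"}      # assumption: the tenant's accepted domains

# Parameters that send a copy of mail somewhere else.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
# Operations that can create such a forward.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

SAMPLE_RECORDS = [
    # Rule named "." that forwards and deletes: the classic BEC pattern.
    {"CreationTime": "2019-11-04T03:12:45", "Operation": "New-InboxRule",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "backup.mail@mailbox.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    # Mailbox-level forward set on the controller's mailbox by another account.
    {"CreationTime": "2019-11-04T03:20:10", "Operation": "Set-Mailbox",
     "UserId": "contractor.dev@example.com", "ObjectId": "controller@example.com",
     "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Identity", "Value": "controller@example.com"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:ar.dept@example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    # Benign: a filing rule, no forwarding.
    {"CreationTime": "2019-11-05T09:01:00", "Operation": "New-InboxRule",
     "UserId": "ap@example.com", "ClientIP": "198.51.100.4",
     "Parameters": [{"Name": "Name", "Value": "Vendor invoices"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
    # Benign: redirect stays inside the tenant.
    {"CreationTime": "2019-11-05T09:30:00", "Operation": "Set-InboxRule",
     "UserId": "ceo@example.com", "ClientIP": "198.51.100.4",
     "Parameters": [{"Name": "Name", "Value": "To assistant"},
                    {"Name": "RedirectTo", "Value": "assistant@example.com"}]},
]


def params_of(record):
    """Flatten the Parameters list into {Name: Value}."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def external_targets(params):
    """(parameter, address) pairs whose address is outside our domains."""
    found = []
    for name in sorted(FORWARD_PARAMS.intersection(params)):
        for addr in EMAIL_RE.findall(params[name]):
            if addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
                found.append((name, addr))
    return found


def find_suspicious_forwarders(records):
    """One finding per change that forwards mail out of the tenant.

    Score: 1 for an external target, +1 if messages are deleted after
    forwarding (hides the theft), +1 for a rule name with no letters or
    digits ('.' is a favourite), +1 if someone other than the mailbox owner
    made the change. Highest score first."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = params_of(rec)
        targets = external_targets(params)
        if not targets:
            continue
        reasons = [f"{name}={addr}" for name, addr in targets]
        score = 1
        if params.get("DeleteMessage", "").lower() == "true":
            score += 1
            reasons.append("DeleteMessage")
        rule_name = params.get("Name", "")
        if rule_name and not re.search(r"[A-Za-z0-9]", rule_name):
            score += 1
            reasons.append(f"rule named {rule_name!r}")
        mailbox = rec.get("ObjectId") or params.get("Identity") or rec["UserId"]
        if mailbox.lower() != rec["UserId"].lower():
            score += 1
            reasons.append(f"changed by {rec['UserId']}")
        findings.append({"time": rec.get("CreationTime"), "mailbox": mailbox,
                         "client_ip": rec.get("ClientIP"), "score": score,
                         "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in find_suspicious_forwarders(SAMPLE_RECORDS):
        print(finding)
```

On real data, export with Search-UnifiedAuditLog, parse each record’s AuditData JSON into a dict and pass the list to find_suspicious_forwarders(); set INTERNAL_DOMAINS to the tenant’s accepted domains so internal redirects, like the assistant rule in the sample, are not flagged. The shared ClientIP across the two hits is the pivot a responder would chase next.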

Page 13: How to Respond – The Low-Hanging Fruit

The Easy Stuff:
  • Least-privilege - Domain Admins
  • Validate backups
  • 2FA for remote and admin access
  • Proxy all outbound web traffic
  • Update your DR plan

More Involved:
  • Move away from Windows for high-value & mission-critical apps
  • Where Windows is required, consider adaptive endpoint security products
  • Move to microservices to enable security and agility simultaneously
  • Logging and Security Monitoring

Page 14: How to Respond – Third-Party Security Program

• In the era of cloud, a vendor security program is critical
• All vendors should be able to provide evidence of controls via a PCI DSS SP assessment or (at least) a SOC 2 audit
• Practice least-privilege and ensure that MFA is in use
• Ensure that contracts require vendors to help you in the event of a suspected breach

Page 15: How to Respond – Adaptive Approach to Security

[Diagram with the labels “Defense in Depth” and “Adaptive”; only the labels survived extraction]

Page 16: Adaptive Security at the Edge – Honeypot Demo
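The demo itself is not on the page. As an added example of the kind of sensor a store network can run, and not the talk’s demo code, the Python below is a single-port TCP honeypot: nothing legitimate should ever connect to it, so every connection is a finding, and the first bytes the client sends say whether it was a bare port scan or an SSH, HTTP, TLS or MQTT probe. The port, the decoy banner and the probe samples are assumptions for illustration.

```python
"""Single-port TCP honeypot for a store network. Nothing legitimate should
ever connect to it, so each connection is an event, and the first bytes the
client volunteers say what kind of probe it was.

Added example, not the talk's demo code. Port, banner and the probe samples
are assumptions for illustration."""
import json
import socket
import time

HONEYPOT_PORT = 2222                      # assumption: unused on the store VLAN
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"  # decoy: looks like an old SSH box
READ_TIMEOUT = 3.0                        # seconds to wait for the client's opener

TLS_VERSIONS = (b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03")
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS", b"CONNECT")


def classify_probe(data: bytes) -> str:
    """Label the opening bytes of a connection.

    An empty read means the client connected and said nothing: the signature
    of a connect/port scan. Otherwise the first bytes identify the protocol
    the intruder is driving at the decoy."""
    if not data:
        return "connect-scan"
    if data.startswith(b"SSH-"):
        return "ssh-client"
    if data[:1] == b"\x16" and data[1:3] in TLS_VERSIONS:
        return "tls-clienthello"          # TLS record type 0x16 = handshake
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    # MQTT CONNECT: packet type 0x10, varint length, then "MQTT" or "MQIsdp"
    if data[:1] == b"\x10" and (b"MQTT" in data[:12] or b"MQIsdp" in data[:14]):
        return "mqtt-connect"
    return "unknown"


def make_event(peer, data: bytes, ts=None) -> dict:
    """JSON-serialisable record for the log pipeline; keeps a hex sample of
    the payload but never the whole thing, in case it carries credentials."""
    return {
        "ts": time.time() if ts is None else ts,
        "src_ip": peer[0],
        "src_port": peer[1],
        "honeypot_port": HONEYPOT_PORT,
        "probe": classify_probe(data),
        "bytes": len(data),
        "sample_hex": data[:64].hex(),
    }


def handle_connection(conn, peer) -> dict:
    """Read what the client sends first, log it, answer with the decoy banner."""
    conn.settimeout(READ_TIMEOUT)
    try:
        data = conn.recv(1024)
    except (socket.timeout, ConnectionError):
        data = b""
    event = make_event(peer, data)
    try:
        conn.sendall(FAKE_BANNER)
    except OSError:
        pass
    finally:
        conn.close()
    print(json.dumps(event))              # one JSON line per connection
    return event


def serve(port=HONEYPOT_PORT):
    """Accept connections forever, one at a time; a scan is a short event."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            handle_connection(conn, peer)


if __name__ == "__main__":
    serve()
```

Run serve() on a spare port of the POS or IoT VLAN and ship the JSON lines to the log monitoring stack; a connect-scan from a workstation that should never touch that VLAN is exactly the early warning the log monitoring on slide 11 is meant to produce. The honeypot waits for the client to speak before sending its banner so that HTTP, TLS and MQTT clients, which send first, are captured, while a scanner that only completes the handshake times out and is recorded as a bare scan.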

Page 17: How to Respond – A Different Type of Risk

• Critical business application narratives
• Evaluation of remote/admin access and AAA infrastructure
• Inventory of mission-critical applications and data
• Analysis of DC & cloud-based infrastructure
• Assessment of system backups
• Analysis of inbound and outbound connectivity
• Full vendor security assessment
• Audit trails and monitoring
• User/Admin security training
• Assessment of Privacy Risk

Question: If an attacker wanted to cripple you, how could they do it?

Our professional services team is available to perform these services

Page 18: Resources – Third-Party Risk

• SFG Shared Assessments - Industry body dedicated to shared assessment methodologies: sharedassessments.org
• Center for Internet Security (CIS) Critical Security Controls: www.cisecurity.org/controls/
• Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire: cloudsecurityalliance.org/artifacts/consensus-assessments-initiative-questionnaire-v3-0-1/
• NIST Cybersecurity Framework: www.doi.org/10.6028/NIST.CSWP.04162018

Page 19: Resources - Cyber-Extortion

• Brian Krebs writes extensively on this topic: https://krebsonsecurity.com/tag/extortion/
• Other collections of information include:
  • https://www.cisecurity.org/blog/cyber-extortion-an-industry-hot-topic/
  • https://www.dhs.gov/topic/cybersecurity
  • https://www.whitehouse.gov/wp-content/uploads/2018/03/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf
  • https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf

Page 20: Resources – Retail IoT Security

• How To Face The Security Challenges In Retail IoT Development?, Customer Think, Ankit Singh, July 30, 2019. www.Customerthink.com
• Securing the Retail IoT, Mark Weiner, June 2019. www.reliantsolutions.com/securing-the-retail-iot/
