Security Essentials – Start Here
5 best practices to secure your organization and prevent business injuring incidents
Teodor Cimpoesu, Technical Director, UTI-CERT
UTI-CERT @ certSIGN
• Clear legal requirements and compliance
• Disaster recovery and business continuity
• “Trusted Introducer” member
• ISO 27001 & 9001 compliance
• Regular internal pen testing and security audit
• Structure enhanced to cover variety of customers
• Oil and gas
• Utilities providers
• Banks
• Telecom
• All-around cyber security services and solutions
• Flexibility for special projects customized according to client needs
• Customizable services
• Adaptable SLA
• Training, Knowledge transfer and technical support
UTI-CERT service areas (diagram): SOC; Vulnerability Assessment; Security validation (Pen testing); Security consulting; Monitoring (SIEM); Network Security; Communication Security; Data Security; Managed Services; Endpoint Security; Alerting Services; CSIRT: Incident Handling, Vulnerability Handling, Vulnerability Analysis, Malware Analysis, Forensics, Threat Intelligence, Advanced Monitoring, Cyber Investigation; Special Projects: Research & Development, Special Services.
1. Cybercrime & Risk
The World Economic Forum study on global risks (2014) positions cyber attacks in the high likelihood / high impact quadrant.
Systemic risk is the risk of “breakdowns in an entire system, as opposed to breakdowns in individual parts and components”.
Systemic risks are characterized by:
• modest tipping points combining indirectly to produce large failures
• risk-sharing or contagion, as one loss triggers a chain of others
• “hysteresis”, or systems being unable to recover equilibrium after a shock
Cyber risks in key areas (e.g. financial) and attacks on critical infrastructure pose a systemic risk.
Cyber risks in global context
Source: World Economic Forum, “Global Risks 2014” Ninth Edition
On the Global Risks Interconnection Map we can see the links and potential influences of the systemic risks.
The Technological Risks are strongly linked with geopolitical and economic risks. Organized crime risk has a direct link to them.
Mitigating one area involves taking into consideration other indirect risk propagations as well.
Cyber risks in global context
Source: World Economic Forum, “Global Risks 2014” Ninth Edition
Global Cybercrime
The Comprehensive Study by the United Nations Office on Drugs and Crime (2013) gives a perspective from the GOV, COM and EDU views.
Findings:
- Laws are fragmented, lack procedural powers and hinder international cooperation.
- Law enforcement and criminal justice have limitations in their capacity to react and combat cybercrime.
- Prevention activities are lacking / require strengthening.
Source: “Comprehensive Study on Cybercrime”, UNODC
Accelerators: business ecosystem
“The increasing frequency, variety, and complexity of attacks are the product of an emerging cybercrime-as-a-service provider market. This market allows malicious parties to execute attacks at considerably lower cost, with considerably lower levels of technical savvy.”
• Research-as-a-Service – Vulnerabilities, Exploits, IDs
• Crimeware-as-a-Service – Development, Malware Services
• Infrastructure-as-a-Service – Botnets, Hosting, Exploit packs
• Hacking-as-a-Service – DoS, Password Cracking, Financials
Source: “Cybercrime Exposed. Cybercrime-as-a-Service”, McAfee
Accelerators: Cheap & easy
Source: “Cybercrime Exposed. Cybercrime-as-a-Service”, McAfee
Botnet business – Global/Local
Source: Anubis Networks
EU response to cybercrime
Policies and directives
• The Cybersecurity Strategy of the EU (2013)
• Directive 2013/40/EU on attacks against information systems
• Directive 2011/92/EU on combating the sexual exploitation of children online and child abuse
• ePrivacy Directive 2009/136/EC
• Framework Decision on combating fraud and counterfeit - 2001/413/JHA
Institutions & Initiatives
• 2013 - European Cybercrime Centre (EC3) @ EUROPOL
• 2004 - European Network and Information Security Agency (ENISA)
https://cybersecuritymonth.eu/
Cybersecurity Strategy Strategic Priorities
• Achieving cyber resilience
• Drastically reducing cybercrime
• Developing cyberdefence policy and capabilities
• Develop the industrial and technological resources for cybersecurity
• Establish a coherent international cyberspace policy for the EU
Directive 2013/40/EU
• Deadline for transposition in the Member States: 4.9.2015
• Guidelines and best practices
• EU countries must:
  • have an operational national point of contact,
  • use the existing network of 24/7 contact points,
  • respond to urgent requests for help within 8 hours to indicate whether and when a response may be provided,
  • collect statistical data on cybercrime.
2. Defence Fundamentals
SANS Top 20 Critical Security Controls
1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations (HW/SW/Mobile/Stations/Servers)
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training
10 Secure Configurations for Network Devices
11 Limitation and Control of Network Ports, Protocols & Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance, Monitoring, and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
How to implement:
Update structured information on your inventory & classification. Continue with threat modeling, which will give the focus areas.
Evaluate written and technical policies. Test them in real life, in daily operations.
Segregate, separate, define roles and limit access. Understand & adopt the Zero Trust Model.
Ensure that there are written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling.
Assign job titles and duties for handling IR.
Define management personnel who will support the incident handling process by acting in key decision-making roles. Set organizational standards for the time to report anomalous events.
Publish information on reporting anomalies and incidents to the incident handling team. Run awareness training.
Source: SANS Institute – Critical Security Controls
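Controls 1 and 2 (inventory of authorized and unauthorized devices and software) and the first implementation step above both come down to one recurring job: comparing what you have authorized with what the network actually shows. The script below is an added example of that reconciliation, not code from the deck or from SANS. The inventory CSV, the dnsmasq-style DHCP lease lines and the software census are constructed sample data; it normalizes MAC addresses so both sides compare equal, then reports unauthorized devices, inventoried hosts that never appeared, and software outside the approved list.

```python
"""Reconcile an authorized asset inventory against what the network actually shows.

Added example for SANS controls 1 and 2 (inventory of authorized and unauthorized
devices and software); it is not code from the deck or from SANS. The inventory
CSV, the DHCP lease lines and the software census below are constructed sample data.
"""
import csv
import io
import re
from dataclasses import dataclass, field

# Constructed authorized inventory: MAC, hostname, owner, approved software (';'-separated).
AUTHORIZED_INVENTORY_CSV = """mac,hostname,owner,approved_software
00:1A:2B:3C:4D:5E,hmi-01,ot-team,scada-hmi;vnc-server
00-1A-2B-3C-4D-5F,eng-ws-02,ot-team,scada-engineering;wireshark
AA:BB:CC:DD:EE:01,fin-lt-07,finance,office-suite;erp-client
"""

# Constructed DHCP lease lines (dnsmasq-style: expiry, MAC, IP, hostname).
DHCP_LEASES = """1712345678 00:1a:2b:3c:4d:5e 10.10.1.21 hmi-01
1712345690 aa:bb:cc:dd:ee:01 10.10.2.45 fin-lt-07
1712345701 de:ad:be:ef:00:01 10.10.2.99 android-9f2c
"""

# Constructed software census as an endpoint agent might report it (host -> packages).
SOFTWARE_CENSUS = {
    "hmi-01": ["scada-hmi", "vnc-server", "teamviewer"],
    "fin-lt-07": ["office-suite", "erp-client"],
}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so inventory and lease entries compare equal."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return m


@dataclass
class Report:
    authorized_seen: list = field(default_factory=list)       # inventoried hosts observed on the network
    unauthorized_devices: list = field(default_factory=list)  # (mac, ip, hostname) not in the inventory
    not_seen: list = field(default_factory=list)              # inventoried hosts with no lease
    unapproved_software: dict = field(default_factory=dict)   # host -> packages outside approval


def load_inventory(csv_text: str) -> dict:
    inventory = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        inventory[normalize_mac(row["mac"])] = {
            "hostname": row["hostname"],
            "owner": row["owner"],
            "approved": set(row["approved_software"].split(";")),
        }
    return inventory


def parse_leases(lease_text: str) -> dict:
    seen = {}
    for line in lease_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or truncated lines
        seen[normalize_mac(parts[1])] = {"ip": parts[2], "hostname": parts[3]}
    return seen


def reconcile(inventory: dict, leases: dict, census: dict) -> Report:
    """Control 1: every observed MAC must be inventoried; control 2: only approved software runs."""
    report = Report()
    for mac, lease in leases.items():
        if mac in inventory:
            report.authorized_seen.append(inventory[mac]["hostname"])
        else:
            report.unauthorized_devices.append((mac, lease["ip"], lease["hostname"]))
    for mac, item in inventory.items():
        if mac not in leases:
            report.not_seen.append(item["hostname"])
        extra = set(census.get(item["hostname"], [])) - item["approved"]
        if extra:
            report.unapproved_software[item["hostname"]] = sorted(extra)
    return report


if __name__ == "__main__":
    r = reconcile(load_inventory(AUTHORIZED_INVENTORY_CSV), parse_leases(DHCP_LEASES), SOFTWARE_CENSUS)
    print("unauthorized devices:", r.unauthorized_devices)
    print("inventoried but not seen:", r.not_seen)
    print("unapproved software:", r.unapproved_software)
```

In practice the lease file would be read from the DHCP server (or the MAC table pulled from switches) on a schedule, and each of the three report lists feeds a different owner: unauthorized devices go to the SOC, stale inventory entries to the asset owner, unapproved software to the patch and licensing process.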
Step 1: Know - what is a best practice and why
Modern Security Practices:
• Intelligence-driven defense
• Threat vector analysis
• Data exfiltration analysis
• Detection-dominant design
• Zero trust model
• Intrusion kill chain
• Attack hunting
• Visibility analysis
• Data visualization
• Lateral movement analysis
• Data ingress/egress mapping
• Internal segmentation
• Network security monitoring
• Continuous monitoring
Step 1: Know - what is a best practice and why
• IDS & IPS with multiple deployment models
• DPI of IP & serial SCADA protocols – DNP3, IEC 101/104/61850, Modbus. Each protocol packet is validated up to its function code and the command content.
• Model-based analytics for M2M sessions
• Self-learning of the application behavioral model
• Signature-based detection of known vulnerabilities
• Task-based validation of H2M sessions
• Integration with physical security
• Authentication proxy for access to end-devices
• Encrypted VPN tunnels for inter-site connectivity
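To make the DPI bullet concrete, here is an added example of the check an ICS IDS performs on Modbus/TCP, written for this page and not taken from the deck or from any product it names. It parses the MBAP header, rejects frames whose length field disagrees with the bytes on the wire, applies a per-source function-code policy (the HMI may only read, only the engineering station may write) and then validates the command content against the public Modbus request layouts. The IP addresses, the policy and the frames are constructed.

```python
"""Deep packet inspection of Modbus/TCP requests down to function code and content.

Added example of the check an ICS IDS performs; it is not code from the deck or
from any product named there. It parses the MBAP header, validates the length
field, applies a per-source function-code policy (HMIs read-only, writes only
from the engineering station) and then checks the command content against the
public Modbus request layouts. Addresses, policy and frames are constructed.
"""
import struct

# Public function codes from the Modbus Application Protocol specification.
FC_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
READ_CODES = {1, 2, 3, 4}
WRITE_CODES = {5, 6, 15, 16}

# Constructed policy: which source IP may send which function codes to the PLC.
POLICY = {
    "10.10.1.21": READ_CODES,                # HMI: read-only
    "10.10.1.50": READ_CODES | WRITE_CODES,  # engineering station
}

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request; 'length' covers unit id + function code + data."""
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([fc]) + data


def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the MBAP header and PDU; raise ValueError on malformed framing."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    if len(payload) != 6 + length:  # the 6 bytes before the unit id are not counted
        raise ValueError(f"length field {length} does not match frame size {len(payload)}")
    return {"tid": tid, "unit": unit, "function": payload[MBAP_LEN], "data": payload[MBAP_LEN + 1:]}


def validate_pdu(fc: int, data: bytes) -> None:
    """Per-function-code content checks; raise ValueError when the request is out of spec."""
    if fc in READ_CODES:
        if len(data) != 4:
            raise ValueError("read request needs address(2) + quantity(2)")
        _, qty = struct.unpack(">HH", data)
        limit = 2000 if fc in (1, 2) else 125  # spec maxima for coils vs registers
        if not 1 <= qty <= limit:
            raise ValueError(f"quantity {qty} outside 1..{limit} for FC {fc}")
    elif fc in (5, 6):
        if len(data) != 4:
            raise ValueError("single write needs address(2) + value(2)")
        if fc == 5 and struct.unpack(">H", data[2:])[0] not in (0x0000, 0xFF00):
            raise ValueError("coil value must be 0x0000 or 0xFF00")
    elif fc in (15, 16):
        if len(data) < 5:
            raise ValueError("multiple write needs address(2) + quantity(2) + byte count(1) + values")
        _, qty, byte_count = struct.unpack(">HHB", data[:5])
        if len(data) != 5 + byte_count:
            raise ValueError("byte count does not match the values present")


def inspect(src_ip: str, payload: bytes) -> str:
    """Return 'allow' or an 'alert: ...' verdict for one request frame from src_ip."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as e:
        return f"alert: malformed frame ({e})"
    fc = frame["function"]
    name = FC_NAMES.get(fc)
    if name is None:
        return f"alert: unknown function code {fc} from {src_ip}"
    allowed = POLICY.get(src_ip)
    if allowed is None:
        return f"alert: unknown source {src_ip}"
    if fc not in allowed:
        return f"alert: {name} (FC {fc}) not permitted from {src_ip}"
    try:
        validate_pdu(fc, frame["data"])
    except ValueError as e:
        return f"alert: content check failed for {name} ({e})"
    return "allow"


if __name__ == "__main__":
    read_10 = build_frame(1, 1, 3, struct.pack(">HH", 0, 10))       # read 10 holding registers
    write_reg = build_frame(2, 1, 6, struct.pack(">HH", 100, 0xFFFF))  # write one register
    for src, frame in [("10.10.1.21", read_10), ("10.10.1.21", write_reg), ("10.10.1.50", write_reg)]:
        print(src, inspect(src, frame))
```

The ordering of the checks matters for alert quality: framing errors are reported before policy, and policy before content, so a single malformed frame does not produce three alerts. The same structure carries over to DNP3 or IEC 104, where the function code and ASDU type take the place of the Modbus function code.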
Step 1: Know - what is a best practice and why
Step 2: Discover - Assets and configuration audit
Step 2: Discover – Software Asset Management
Microsoft SAM: control costs & risks; tackle complexity; optimize use of SW assets; grow/optimize the infrastructure.
Risk coverage: non-compliance; security; business down-time; legal & licensing; overspending on licensing; software conflicts.
Source: “A Threat-Driven Approach to Cyber Security - Methodologies, Practices and Tools to Enable a Functionally Integrated Cyber Security Organization”, Lockheed Martin Corp.
Step 3: Assess - the Threat (do Modeling)
Methodologies, e.g. IDDIL/ATC (covers critical security controls – SANS / ISO 27001):
I. Discovery
• Identify ASSETS
• Define the ATTACK SURFACE
• Decompose the SYSTEM
• Identify ATTACK VECTORS
• List THREAT ACTORS
II. Implementation
• Analysis & assessment
• Triage
• Control
Step 3: Assess - The actual vulnerabilities (do Scan/Pentest)
Step 4: Monitor – integrate, correlate, enrich
Source: HP Security
Threat Intelligence
Source: IBM
The real-time collection, normalization, and analysis of the data generated by users, applications, and infrastructure that impacts the IT security and risk posture of an enterprise. The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any size organization.
Data collected and warehoused by Security Intelligence solutions includes logs, events, network flows, user identities and activity, asset profiles and locations, vulnerabilities, asset configurations, and external threat data. Security Intelligence provides analytics to answer fundamental questions that cover the before/during/after timeline of risk and threat management.
Risk Management. Vulnerability Management. Configuration Monitoring. Patch Management.
Threat Intelligence. Compliance Management. Reporting and Scorecards.
SIEM. Log Management. Incident Response. Network and Host Intrusion Prevention.
Network Anomaly Detection. Packet Forensics. Database Activity Monitoring. Data Loss Prevention.
Step 4: Monitor – integrate, correlate, enrich
Threat Intel (TI) Frameworks
Indicators
STIX – Structured Threat Information eXpression (MITRE/OASIS)
TAXII – Trusted Automated eXchange of Indicator Information (MITRE/OASIS)
CYBOX – Cyber Observable eXpression (MITRE/OASIS)
OpenIOC – Open Indicators of Compromise (FireEYE/Mandiant)
IODEF – Incident Object Description Exchange Format (IETF – RFC5070).
YARA - Yet Another Regex Analyzer – binary pattern scanning (OSS)
SNORT - real-time analysis of network traffic (CISCO).
Enumerations
MMDEF - Malware Metadata Exchange Format (IEEE)
MAEC - Malware Attribute Enumeration and Characterization (MITRE).
CAPEC – Common Attack Pattern Enumeration and Classification (MITRE).
CVE - Common Vulnerabilities and Exposures (MITRE)
CVSS - Common Vulnerability Scoring System (NIST)
CPE – Common Platform Enumeration (NIST)
OVAL - Open Vulnerability and Assessment Language (MITRE)
OSVDB - Open Sourced Vulnerability Database (OSF)
MITRE – Not-for-profit org that operates US federally funded research centers.
Formats and standards (diagram): PCAP, PCAPNG, CEF, Syslog, NetFlow, sFlow, TAXII, STIX, MAEC, CAPEC, CYBOX, MMDEF, OpenIOC, YARA, JSON, YAML, XML, CVE, OVAL, IODEF.
Step 4: Monitor – integrate, correlate, enrich
Anubis Networks Cyberfeed – helping an energy company and its customers stop cyber threats
Challenge
Availability and reliability of networks and infrastructure, which can be compromised by malware designed to impact network and employee productivity.
Solution
The company is now able to detect devices and machines related to information-stealing Trojans using real-time security data feeds via API access, a live dashboard and plugins to its SIEM system (Splunk):
• Detect networks and devices compromised with persistent or new malware families;
• Understand the malware landscape at the company, network, local and country level;
• Track botnet behavior, growth, dispersion and lifetime;
• Intercept and monitor communications between malware and C&C server;
• Ability to define business rules to query communication data details between compromised devices and C&C.
Business benefits
Amongst others, the client detected an infected internal machine that only appeared on weekend days.
Used Cyberfeed to pinpoint the compromised machine, finding it was a person accessing the network through an infected personal device.
TI Case Study
In reality, companies and organizations struggle with:
Threat detection, investigation and incident response are immature
Determining the root cause of incidents and then containing and remediating them is the tough nut
Making use of security intelligence
Evaluating the risk state of assets
SIEM tools also require advanced skills and knowledge
Many SIEMs are verbose – they give too many FPs
Many attacks spread over a larger period of time and context may be lost / lacking
Step 5: React – timely & well-informed. Hunt for it.
Ideal SOC / IR Team
• Duty officer / Tier 1 Analyst – takes care of all incoming requests. Ensures that all incidents have owners.
• Triage officer / Tier 1 Analyst – deals with the reported incidents, decides whether it is an incident and is to be handled, and by whom.
• Incident handler / Tier 2 Incident Responder – works on the incident: analyzes data, creates solutions, resolves the technical details and communicates progress to the manager and the constituents.
• Incident handler / Tier 3 Subject Matter Expert – advanced analyst who deals with complex cases that involve a cross-field investigation.
• Incident manager – responsible for the coordination of all incident handling activities. Represents the team in communicating with outside 3rd parties.
Source: “Ten Strategies of a World-Class Cybersecurity Operations Center” (MITRE)
Services staffing:
• To deliver the two core services of distribution of advisory bulletins and incident handling: a minimum of 4 FTE.
• For a full service CSIRT during office hours, and maintaining systems: a minimum of 6 to 8 FTE.
• For a fully staffed 24x7 shift (2 shifts during out-of-office hours), the minimum is about 12 FTE.
Step 5: React – timely & well-informed. Hunt for it.
Investigative Lifecycle:
Initial Evidence
Create IOCs for Host&Network
Deploy IOCs in the Enterprise – e.g. IDS/SIEM
Identify Additional Suspect Systems
Collect Evidence
Analyze Evidence
Refine & Create new IOCs
Source: “An Introduction to OpenIOC”, Mandiant
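The investigative lifecycle above, and the indicator formats listed under Step 4 (OpenIOC, STIX and the rest), come together in one loop: match the current indicators against host and network evidence, add every host that hits to the suspect list, then derive new indicators from what those hosts show and sweep again. The script below is an added example of that loop; it is not code from the deck, from Mandiant or from MITRE. The indicator set is a plain dictionary keyed by indicator type (a deliberate simplification, not the OpenIOC or STIX schema), and the hashes, hostnames, domains, addresses and log lines are all constructed.

```python
"""IOC sweep across host and network evidence, then refine the indicator set.

Added example of the investigative lifecycle (create IOCs -> deploy -> identify
suspect systems -> collect and analyze -> refine). The indicator format is a
simplified dictionary, not OpenIOC or STIX; every indicator, hostname, hash and
log line below is constructed sample data.
"""
import re
from collections import defaultdict

# Constructed initial indicators ("Initial Evidence" from the first compromised host).
INITIAL_IOCS = {
    "md5": {"0123456789abcdef0123456789abcdef"},
    "domain": {"update-cdn.example.invalid"},
    "ipv4": set(),
    "filename": {"svchots.exe"},   # look-alike of svchost.exe
}

# Constructed host evidence: per host, running processes as (image name, MD5).
HOST_EVIDENCE = {
    "ws-017": [("svchost.exe", "a" * 32), ("svchots.exe", "0123456789abcdef0123456789abcdef")],
    "ws-042": [("explorer.exe", "b" * 32), ("svchots.exe", "fedcba9876543210fedcba9876543210")],
    "srv-db-01": [("sqlservr.exe", "c" * 32)],
}

# Constructed network evidence: "<timestamp> dns <host> <query> <answer>" and
# "<timestamp> proxy <host> <dest:port> <method>" lines.
NETWORK_LOG = """\
2024-03-02T01:12:07Z dns ws-017 update-cdn.example.invalid 203.0.113.77
2024-03-02T01:12:09Z proxy ws-017 203.0.113.77:443 CONNECT
2024-03-02T02:40:11Z dns ws-042 update-cdn.example.invalid 203.0.113.77
2024-03-02T03:05:52Z proxy ws-101 203.0.113.77:443 CONNECT
2024-03-02T03:06:00Z dns srv-db-01 time.example.invalid 198.51.100.5
"""

LOG_RE = re.compile(r"^(\S+) (dns|proxy) (\S+) (\S+)(?: (\S+))?$")


def sweep(iocs: dict, host_evidence: dict, network_log: str) -> dict:
    """Deploy the indicators: return {host: set of matched indicator descriptions}."""
    hits = defaultdict(set)
    for host, procs in host_evidence.items():
        for name, md5 in procs:
            if name.lower() in iocs["filename"]:
                hits[host].add(f"filename:{name}")
            if md5 in iocs["md5"]:
                hits[host].add(f"md5:{md5}")
    for line in network_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _, kind, host, target, _ = m.groups()
        if kind == "dns" and target in iocs["domain"]:
            hits[host].add(f"domain:{target}")
        if kind == "proxy" and target.split(":")[0] in iocs["ipv4"]:
            hits[host].add(f"ipv4:{target.split(':')[0]}")
    return dict(hits)


def refine(iocs: dict, host_evidence: dict, network_log: str, hits: dict) -> dict:
    """Derive new indicators from the evidence on hosts that matched."""
    new = {k: set(v) for k, v in iocs.items()}
    # A DNS answer for a known-bad domain turns the resolved address into an IP indicator.
    for line in network_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _, kind, _, target, answer = m.groups()
        if kind == "dns" and target in iocs["domain"] and answer:
            new["ipv4"].add(answer)
    # A known-bad filename with an unseen hash on a hit host is a new variant.
    for host in hits:
        for name, md5 in host_evidence.get(host, []):
            if name.lower() in iocs["filename"]:
                new["md5"].add(md5)
    return new


def run_investigation(iocs: dict, host_evidence: dict, network_log: str, max_rounds: int = 5) -> tuple:
    """Iterate sweep -> refine until the indicator set stops growing; return (rounds, hits)."""
    rounds = 0
    while rounds < max_rounds:
        rounds += 1
        hits = sweep(iocs, host_evidence, network_log)
        refined = refine(iocs, host_evidence, network_log, hits)
        if refined == iocs:
            return rounds, hits
        iocs = refined
    return rounds, sweep(iocs, host_evidence, network_log)


if __name__ == "__main__":
    rounds, hits = run_investigation(INITIAL_IOCS, HOST_EVIDENCE, NETWORK_LOG)
    print(f"converged after {rounds} rounds")
    for host, matched in sorted(hits.items()):
        print(host, sorted(matched))
```

In the constructed data the first sweep finds two hosts; refining adds the C&C address and a second hash, and the second sweep then catches a third host that never resolved the domain but did connect to the address. That is the point of the "Refine & Create new IOCs" step: each round widens the net with evidence, not guesswork.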
Step 5: React – timely & well-informed. Hunt for it.
“The old mantra of ‘trust but verify’ just isn’t working. ‘Never trust and verify’ is how we must apply security in this era of sophisticated breaches.”
Quote: https://networkinferno.net/implementing-a-zero-trust-security-architecture
“Trust but verify” is actually a Russian proverb, “Доверяй, но проверяй”, which Suzanne Massie, a writer on Russia, taught President Ronald Reagan.
Step 5: React – timely & well-informed. Hunt for it.
Questions? Thoughts?
[email protected] +40722.754.319, @cteodor UTI-CERT Team contacts: [email protected]
3. Research
clickSIGN Online
Function as a service
Private Key in Cloud
Local Component: Web Browser
Sign and Verify
Web Service architecture
Files Stored in Office 365
File always in the cloud, never on the local machine
Native signatures, PDF signatures, CMS-RFC5652 signatures
WhatYouSeeIsNotWhatYouGet
- WebRole1: web service interface
- SharePoint Worker: files manager
- Signature Worker: signature manager
diskSAFE for the Cloud
• User interface and the driver were adapted to work with data in chunks
• Sync module ensures that data chunks are synchronized between local and cloud storage
Classic work patterns
• Pattern 1:
1. PC1 – a virtual encrypted disk is created for sync with cloud storage
2. PC2 – in the second PC, virtual encrypted disk is imported from the configured cloud storage folder
3. PC1 – a secondary user is added for the second PC – the entire file containing encrypted disk is synced to cloud storage by the client
4. PC2 – the secondary user will be able to access the encrypted disk after he gets the entire file.
On a large disk, any small modification triggers entire content synchronization
• Pattern 2:
1. PC1 – a virtual encrypted disk is created. It is copied on a usb stick
2. PC2 – in the second PC, virtual encrypted disk is imported from the usb stick
3. PC1 – a file is created and stored in the virtual encrypted disk. The entire disk must be copied to usb stick
4. PC2 – the disk is mounted from the usb stick
Cloud based work patterns
• Pattern 1:
1. PC1 – a virtual encrypted disk is created for sync with Dropbox
2. PC2 – in the second PC, the virtual encrypted disk is imported
3. PC1 – a secondary user is added for the second PC
4. PC2 – the secondary user is able to access the encrypted disk
Different from typical usage, when a user is added, instead of replicating all the data with the cloud only one chunk is synchronized.
• Pattern 2:
1. PC1 – a virtual encrypted disk is created for sync with Dropbox
2. PC2 – in the second PC, the virtual encrypted disk is imported
3. PC1 – a file is created and stored in the virtual encrypted disk
4. PC2 – the disk is mounted and the file is present
Depending on the size, when the file is stored on the disk, just the affected chunks are synced. Some real-life performance figures:
• 4MB – 1Mb/s – 32s; 4MB – 10Mb/s – 3.2s; 4MB – 100Mb/s – 0.3s
• 10MB – 1Mb/s – 80s; 10MB – 10Mb/s – 8s; 10MB – 100Mb/s – 0.8s
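The difference between the classic and the cloud-based patterns is visible in a few lines of code: keep a per-chunk hash manifest, and after a write only the chunks whose hash changed need to move. The script below is an added example of that mechanism, written for this page and not diskSAFE code; it does no encryption (the chunk bodies stand for the ciphertext the sync module moves). The 4 MB chunk size is an assumption, since the deck does not give one; the container contents and the write are constructed, and the transfer-time helper reproduces the performance figures above, which use decimal megabytes (4 MB at 1 Mb/s = 32 s).

```python
"""Chunk-level change detection for a cloud-synced encrypted container.

Added example for the diskSAFE work patterns; it is not diskSAFE code and does no
encryption (chunk bodies stand for the ciphertext the sync module moves). After a
small write only the chunks whose content changed are uploaded, and the sync time
follows from the bytes moved and the link speed. The chunk size is an assumption
(the deck does not give it); the container contents and the write are constructed.
"""
import hashlib

CHUNK_SIZE = 4_000_000   # assumed 4 MB chunks, decimal MB as in the slide's timing figures
BITS_PER_MBIT = 1_000_000


def chunk_manifest(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """SHA-256 per fixed-size chunk; local and cloud compare manifests, not contents."""
    return [hashlib.sha256(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]


def changed_chunks(old: list, new: list) -> list:
    """Indices whose hash differs, plus chunks that were appended or removed."""
    n = max(len(old), len(new))
    return [i for i in range(n)
            if i >= len(old) or i >= len(new) or old[i] != new[i]]


def sync_seconds(nbytes: int, link_mbit_per_s: float) -> float:
    """Transfer time for nbytes over a link of link_mbit_per_s megabit/s."""
    return nbytes * 8 / (link_mbit_per_s * BITS_PER_MBIT)


def compare_strategies(disk_size: int = 20_000_000, link_mbit: float = 10.0) -> dict:
    """Whole-file sync (classic pattern) versus dirty-chunk sync (cloud pattern) after one small write."""
    disk = bytearray(disk_size)               # constructed container; zero-filled is enough for hashing
    before = chunk_manifest(bytes(disk))
    disk[9_000_000:9_000_000 + 1024] = b"\x01" * 1024   # a 1 KB file write that lands in chunk 2
    after = chunk_manifest(bytes(disk))
    dirty = changed_chunks(before, after)
    return {
        "dirty_chunks": dirty,
        "whole_file_seconds": sync_seconds(disk_size, link_mbit),
        "chunked_seconds": sync_seconds(len(dirty) * CHUNK_SIZE, link_mbit),
    }


if __name__ == "__main__":
    # Reproduces the slide's figures: 4 MB at 1 Mb/s -> 32 s, 10 MB at 100 Mb/s -> 0.8 s.
    print(sync_seconds(4_000_000, 1), sync_seconds(10_000_000, 100))
    print(compare_strategies())
```

With the constructed 20 MB container on a 10 Mb/s link the whole-file strategy moves 20 MB (16 s) while the chunked strategy moves one 4 MB chunk (3.2 s); the gap grows linearly with container size, which is why Pattern 1 of the cloud-based variant can add a user by syncing a single chunk.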
Computing on encrypted data
Experimental facts:
• The practical implementation for determining X > Y and X = Y (followed by the corresponding experimental results) was built on top of the HElib library. It consists of coding the corresponding recursive compute functions (C/C++ code). In this manner, we used the leveled version of the BGV FHE scheme (embedded in the 2014 version of HElib).
• The reported time for the comparison of two 8-bit integers, X > Y, is 12 seconds (for 128 bits of claimed security and using one core of an Intel(R) Xeon(R) E5-1620 at 3.6 GHz).
Experimental facts – finding the maximum number working with an encrypted array:
• Security – 140 bits
• Time – 1295 sec
• Memory – 3.8 GB
• No. of elements in the array – 16
• The conducted tests involved a workstation with an x64 openSUSE 12.1 distribution (Intel i7-4710HQ processor running at 3.5 GHz, one core and 8 GB RAM). These are the time costs needed for the homomorphic evaluation of the GETMAX function for an array of integer values (of n = 8 bits length).
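Why does comparing two 8-bit numbers cost 12 seconds and GETMAX over 16 of them over 20 minutes? Under a leveled scheme such as BGV the cost is set by the multiplicative depth of the circuit, i.e. how many ciphertext multiplications occur in sequence, while additions (XOR) and negations are nearly free. The script below is an added example that simulates the recursive comparator and the tournament-style GETMAX in the clear, tracking the depth and the multiplication count of every bit; it is not the authors' HElib code and performs no encryption. The sample values are constructed.

```python
"""Bit-level comparator and GETMAX circuits of the kind evaluated under a leveled FHE scheme.

Added example illustrating the recursive comparison functions the slide refers to; it
is not the authors' HElib code and performs no encryption. Each bit carries the
multiplicative depth required to compute it, because under BGV the number of sequential
ciphertext multiplications sets parameter size and running time, while XOR and NOT are
cheap. The sample values are constructed.
"""


class Wire:
    """One bit plus the multiplicative depth needed to obtain it homomorphically."""
    __slots__ = ("bit", "depth")

    def __init__(self, bit: int, depth: int = 0):
        self.bit, self.depth = bit & 1, depth


MULS = [0]  # counts ciphertext multiplications, the expensive BGV operation


def XOR(a: Wire, b: Wire) -> Wire:
    return Wire(a.bit ^ b.bit, max(a.depth, b.depth))       # addition: free in depth


def AND(a: Wire, b: Wire) -> Wire:
    MULS[0] += 1
    return Wire(a.bit & b.bit, max(a.depth, b.depth) + 1)   # multiplication: one level


def NOT(a: Wire) -> Wire:
    return Wire(1 ^ a.bit, a.depth)                          # 1 + a: free in depth


def encode(value: int, n: int) -> list:
    """Integer -> n Wires, LSB first (stands in for the bitwise encryption of value)."""
    return [Wire((value >> i) & 1) for i in range(n)]


def decode(wires: list) -> int:
    return sum(w.bit << i for i, w in enumerate(wires))


def product(ws: list) -> Wire:
    """Balanced AND-tree so depth grows as log2(len(ws)) instead of len(ws)."""
    if len(ws) == 1:
        return ws[0]
    mid = len(ws) // 2
    return AND(product(ws[:mid]), product(ws[mid:]))


def equal(x: list, y: list) -> Wire:
    """X = Y: every bit pair agrees, i.e. the product of (1 xor x_i xor y_i)."""
    return product([NOT(XOR(a, b)) for a, b in zip(x, y)])


def greater(x: list, y: list) -> Wire:
    """X > Y, recursing from the most significant bit:
    x > y  <=>  (x_top and not y_top)  xor  ((x_top == y_top) and greater(rest)).
    The two terms are mutually exclusive, so XOR implements the OR without a multiply."""
    if not x:
        return Wire(0)
    xt, yt = x[-1], y[-1]
    top_wins = AND(xt, NOT(yt))
    top_equal = NOT(XOR(xt, yt))
    return XOR(top_wins, AND(top_equal, greater(x[:-1], y[:-1])))


def mux(c: Wire, a: list, b: list) -> list:
    """Bitwise  c ? a : b  =  c*a_i xor (1-c)*b_i  for each bit position."""
    return [XOR(AND(c, ai), AND(NOT(c), bi)) for ai, bi in zip(a, b)]


def getmax(arr: list) -> list:
    """Tournament-tree maximum: log2(n) rounds of compare-and-select."""
    if len(arr) == 1:
        return arr[0]
    mid = len(arr) // 2
    left, right = getmax(arr[:mid]), getmax(arr[mid:])
    return mux(greater(left, right), left, right)


def evaluate_compare(xv: int, yv: int, n: int = 8) -> tuple:
    """Return (x>y, x==y, depth of '>', depth of '==', multiplications used)."""
    MULS[0] = 0
    x, y = encode(xv, n), encode(yv, n)
    g, e = greater(x, y), equal(x, y)
    return g.bit, e.bit, g.depth, e.depth, MULS[0]


def evaluate_getmax(values: list, n: int = 8) -> tuple:
    """Return (maximum, circuit depth, multiplications used) for an array of n-bit values."""
    MULS[0] = 0
    out = getmax([encode(v, n) for v in values])
    return decode(out), max(w.depth for w in out), MULS[0]


if __name__ == "__main__":
    print("200 > 17:", evaluate_compare(200, 17))
    print("max of 16:", evaluate_getmax([3, 200, 17, 99, 5, 255, 0, 128, 64, 1, 2, 7, 77, 33, 250, 12]))
```

The numbers explain the slide's measurements qualitatively: the linear recursion in `greater` has depth n (8 levels for 8-bit inputs) while the balanced `equal` needs only 3, and GETMAX over 16 elements stacks four compare-and-select rounds of 9 levels each, so the homomorphic evaluation must be parameterized for depth 36 and 480 multiplications rather than the 16 of a single comparison. Reducing depth (a balanced comparator, or selecting with fewer multiplications) is the main lever for bringing the 1295-second figure down.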
TTP
The approach is straightforward: we use a web crawler for the site and a browser extension for the user experience.
Cryptography comes into place with digital signatures and timestamping.
TTP
The Firefox add-on works with our server, sending captured images; Heritrix is used for crawling and storing data.
The signature service is used to sign and timestamp captured images and sites. Advanced signatures are used so that they can be validated at a later point in time.
All signatures are stored for presentation to interested users.