Security Essentials Start Here 5 best practices to secure your organization and prevent business injuring incidents Teodor Cimpoesu, Technical Director, UTI-CERT

Page 1:

Security Essentials – Start Here

5 best practices to secure your organization and prevent business injuring incidents

Teodor Cimpoesu, Technical Director, UTI-CERT

Page 2:

UTI-CERT @ certSIGN

• Clear legal requirements and compliance

• Disaster recovery and business continuity

• “Trusted Introducer” member

• ISO 27001 & 9001 compliance

• Regular internal pen testing and security audit

• Structure enhanced to cover variety of customers

• Oil and gas

• Utilities providers

• Banks

• Telecom

• All-around cyber security services and solutions

• Flexibility for special projects customized according to client needs

• Customizable services

• Adaptable SLA

• Training, Knowledge transfer and technical support

Page 3:

UTI-CERT service portfolio (labels from the slide diagram, in the order shown):

• SOC
• Vulnerability Assessment
• Security validation (Pen testing)
• Security consulting
• Monitoring (SIEM)
• Network Security
• Communication Security
• Data Security
• Managed Services
• Endpoint Security
• Alerting Services
• Incident Handling
• Vulnerability Handling
• Vulnerability Analysis
• CSIRT
• Malware Analysis
• Forensics
• Threat Intelligence
• Advanced Monitoring
• Cyber Investigation
• Special Projects
• Research & Development
• Special Services

Page 4:

1. Cybercrime & Risk

Page 5:

Cyber risks in global context

The World Economic Forum study on global risks (2014) positions cyber attacks in the high-likelihood / high-impact quadrant.

Systemic risk is the risk of “breakdowns in an entire system, as opposed to breakdowns in individual parts and components”.

Systemic risks are characterized by:

• modest tipping points combining indirectly to produce large failures

• risk-sharing or contagion, as one loss triggers a chain of others

• “hysteresis”, or systems being unable to recover equilibrium after a shock

Cyber risks in key areas (e.g. financial) and attacks on critical infrastructure pose a systemic risk.

Source: World Economic Forum, “Global Risks 2014”, Ninth Edition

Page 6:

Cyber risks in global context

On the Global Risks Interconnection Map we can see the links and potential influences of the systemic risks. The technological risks are strongly linked with geopolitical and economic risks, and organized crime risk has a direct link to them. Mitigating one area therefore means taking the indirect propagation of the other risks into consideration as well.

Source: World Economic Forum, “Global Risks 2014”, Ninth Edition

Page 7:

Global Cybercrime

The Comprehensive Study on Cybercrime by the United Nations Office on Drugs and Crime (2013) gives the perspective of governments, the private sector and academia.

Findings:

- Laws are fragmented, lack procedural powers and hinder international cooperation.

- Law enforcement and criminal justice have limited capacity to react to and combat cybercrime.

- Prevention activities are lacking and require strengthening.

Source: “Comprehensive Study on Cybercrime”, UNODC


Page 9:

Accelerators: business ecosystem

“The increasing frequency, variety, and complexity of attacks are the product of an emerging cybercrime-as-a-service provider market. This market allows malicious parties to execute attacks at considerably lower cost, with considerably lower levels of technical savvy.”

• Research-as-a-Service – vulnerabilities, exploits, identities

• Crimeware-as-a-Service – malware development and malware services

• Infrastructure-as-a-Service – botnets, hosting, exploit packs

• Hacking-as-a-Service – DoS, password cracking, financial fraud

Source: “Cybercrime Exposed: Cybercrime-as-a-Service”, McAfee

Page 10:

Accelerators: Cheap & easy

Source: “Cybercrime Exposed: Cybercrime-as-a-Service”, McAfee

Page 11:

Botnet business – Global/Local

Source: Anubis Networks

Page 12:

EU response to cybercrime

Policies and directives

• The Cybersecurity Strategy of the EU (2013)

• Directive 2013/40/EU on attacks against information systems

• Directive 2011/92/EU (renumbered 2011/93/EU by corrigendum) on combating the sexual abuse and sexual exploitation of children and child pornography

• ePrivacy Directive 2002/58/EC, as amended by Directive 2009/136/EC

• Framework Decision 2001/413/JHA on combating fraud and counterfeiting of non-cash means of payment

Institutions & Initiatives

• 2013 - European Cybercrime Centre (EC3) @ EUROPOL

• 2004 - European Network and Information Security Agency (ENISA)

https://cybersecuritymonth.eu/

Cybersecurity Strategy Strategic Priorities

• Achieving cyber resilience

• Drastically reducing cybercrime

• Developing cyberdefence policy and capabilities

• Develop the industrial and technological resources for cybersec

• Establish a coherent international cyberspace policy for EU

Directive 2013/40/EU

• Deadline for transposition in the Member States 4.9.2015

• Guidelines and best practices

• EU countries must:

• have an operational national point of contact,

• use the existing network of 24/7 contact points,

• respond to urgent requests for help within 8 hours to indicate whether and when a response may be provided,

• collect statistical data on cybercrime.

Page 13:

2. Defence Fundamentals

Page 14:

SANS Top20 Critical Security Controls

1 Inventory of Authorized and Unauthorized Devices

2 Inventory of Authorized and Unauthorized Software

3 Secure Configurations (HW/SW/Mobile/Stations/Servers)

4 Continuous Vulnerability Assessment and Remediation

5 Malware Defenses

6 Application Software Security

7 Wireless Access Control

8 Data Recovery Capability

9 Security Skills Assessment and Appropriate Training

10 Secure Configurations for Network Devices

11 Limitation and Control of Network Ports, Protocols&Services

12 Controlled Use of Administrative Privileges

13 Boundary Defense

14 Maintenance, Monitoring, and Analysis of Audit Logs

15 Controlled Access Based on the Need to Know

16 Account Monitoring and Control

17 Data Protection

18 Incident Response and Management

19 Secure Network Engineering

20 Penetration Tests and Red Team Exercises

How to implement:

Keep structured, up-to-date information on your inventory and classification (controls 1 and 2). Continue with threat modeling, which gives you the focus areas.

Evaluate written and technical policies. Test them in real life, in daily operations.

Segregate, separate, define roles and limit access. Understand and adopt the Zero Trust model.

Ensure that there are written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling.

Assign job titles and duties for handling IR.

Define the management personnel who will support the incident handling process by acting in key decision-making roles, and set organizational standards for the time allowed to report anomalous events.

Publish information on how to report anomalies and incidents to the incident handling team. Run awareness training.

Source: SANS Institute – Critical Security Controls

Step 1: Know - what is a best practice and why

Page 15:

Modern Security Practices

• Intelligence-driven defense

• Threat vector analysis

• Data exfiltration analysis

• Detection-dominant design

• Zero trust model

• Intrusion kill chain

• Attack hunting

• Visibility analysis

• Data visualization

• Lateral movement analysis

• Data ingress/egress mapping

• Internal segmentation

• Network security monitoring

• Continuous monitoring

Step 1: Know - what is a best practice and why

Page 16:

• IDS & IPS with multiple deployment models

• DPI of IP and serial SCADA protocols – DNP3, IEC 101/104/61850, Modbus. Each protocol packet is validated down to its function code and the command content.

• Model-based analytics for machine-to-machine (M2M) sessions

• Self-learning of the application behavioral model

• Signature-based detection of known vulnerability exploitation

• Task-based validation of human-to-machine (H2M) sessions

• Integration with physical security

• Authentication proxy for access to end devices

• Encrypted VPN tunnels for inter-site connectivity

Step 1: Know - what is a best practice and why
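As an added example (not code from the slide or from any product it describes), the Python below models the function-code-level validation the slide attributes to the DPI engine: it parses a Modbus/TCP request, checks the body against the quantity and byte-count limits the Modbus application protocol specification sets for each function code, and then applies a hypothetical per-host policy in which the HMI may only read and only the engineering workstation may write. The frames, addresses and policy are constructed for illustration.

```python
"""Function-code-level inspection of Modbus/TCP requests (added example)."""
import struct

# Modbus public function codes used here (Modbus Application Protocol spec).
READ_FCS = {1: "Read Coils", 2: "Read Discrete Inputs",
            3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register",
             15: "Write Multiple Coils", 16: "Write Multiple Registers"}
FC_NAMES = {**READ_FCS, **WRITE_FCS, 8: "Diagnostics", 43: "Encapsulated Interface Transport"}

# Hypothetical site policy: the HMI only reads, only the engineering workstation writes.
POLICY = {
    "10.1.1.10": {"role": "HMI", "allowed": set(READ_FCS)},
    "10.1.1.20": {"role": "engineering workstation", "allowed": set(READ_FCS) | set(WRITE_FCS)},
}

def parse_request(frame: bytes):
    """Split MBAP header + PDU into (transaction_id, unit_id, function_code, data)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    return tid, unit, frame[7], frame[8:]

def validate_content(fc: int, data: bytes) -> list:
    """Check the request body against the limits the Modbus spec sets per function code."""
    problems = []
    if fc in (1, 2, 3, 4):
        if len(data) != 4:
            return ["read request must carry start address and quantity"]
        _, qty = struct.unpack(">HH", data)
        limit = 2000 if fc in (1, 2) else 125
        if not 1 <= qty <= limit:
            problems.append(f"quantity {qty} outside 1..{limit} for FC {fc}")
    elif fc == 5:
        if len(data) != 4 or data[2:] not in (b"\x00\x00", b"\xff\x00"):
            problems.append("coil value must be 0x0000 or 0xFF00")
    elif fc == 6:
        if len(data) != 4:
            problems.append("write single register needs address and value")
    elif fc in (15, 16):
        if len(data) < 5:
            return ["write-multiple request truncated"]
        _, qty, byte_count = struct.unpack(">HHB", data[:5])
        expected = (qty + 7) // 8 if fc == 15 else 2 * qty
        limit = 1968 if fc == 15 else 123
        if not 1 <= qty <= limit:
            problems.append(f"quantity {qty} outside 1..{limit} for FC {fc}")
        if byte_count != expected or len(data) - 5 != byte_count:
            problems.append("byte count does not match quantity/payload")
    return problems

def inspect(src_ip: str, frame: bytes) -> dict:
    """Policy decision for one request: parse, validate content, then apply the role allow-list."""
    try:
        tid, unit, fc, data = parse_request(frame)
    except ValueError as exc:
        return {"verdict": "drop", "reasons": [str(exc)]}
    reasons = validate_content(fc, data)
    entry = POLICY.get(src_ip)
    if entry is None:
        reasons.append(f"unknown source {src_ip}")
    elif fc not in entry["allowed"]:
        reasons.append(f"{entry['role']} may not issue FC {fc} ({FC_NAMES.get(fc, 'unknown')})")
    return {"verdict": "allow" if not reasons else "deny",
            "tid": tid, "unit": unit, "fc": fc, "reasons": reasons}

# Constructed frames (not captured traffic): MBAP header, unit 1, then the PDU.
READ_10_REGS = bytes.fromhex("0001 0000 0006 01 03 0000 000A".replace(" ", ""))
WRITE_REG = bytes.fromhex("0002 0000 0006 01 06 0010 00FF".replace(" ", ""))
WRITE_2_REGS = bytes.fromhex("0003 0000 000B 01 10 0000 0002 04 0001 0002".replace(" ", ""))
READ_TOO_MANY = bytes.fromhex("0004 0000 0006 01 03 0000 0100".replace(" ", ""))  # 256 > 125

if __name__ == "__main__":
    for ip, frame in [("10.1.1.10", READ_10_REGS), ("10.1.1.10", WRITE_REG),
                      ("10.1.1.20", WRITE_2_REGS), ("10.1.1.20", READ_TOO_MANY)]:
        print(ip, inspect(ip, frame))
```

Anything that fails to parse is dropped rather than allowed. In a real deployment the policy would also be keyed on the unit identifier and the target register ranges, and DNP3 and IEC 104 need their own parsers, since the function-code vocabulary differs per protocol.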

Page 17:

Step 2: Discover - Assets and configuration audit

Page 18:

Step 2: Discover – Software Asset Management

Microsoft SAM objectives:

• Control costs & risks

• Tackle complexity

• Optimize use of software assets

• Grow/optimize the infrastructure

Risk coverage:

• Non-compliance

• Security

• Business downtime

• Legal & licensing

• Overspending on licensing

• Software conflicts

Page 19:

Step 3: Assess – the Threat (do Modeling)

Methodologies, e.g. IDDIL/ATC (the letters are the steps below), which covers the critical security controls (SANS / ISO 27001):

I. Discovery

• Identify ASSETS

• Define the ATTACK SURFACE

• Decompose the SYSTEM

• Identify ATTACK VECTORS

• List THREAT ACTORS

II. Implementation

• Analysis & assessment

• Triage

• Control

Source: “A Threat-Driven Approach to Cyber Security – Methodologies, Practices and Tools to Enable a Functionally Integrated Cyber Security Organization”, Lockheed Martin Corp.

Page 20:

Step 3: Assess - The actual vulnerabilities (do Scan/Pentest)

Page 21:

Step 4: Monitor – integrate, correlate, enrich

Source: HP Security

Page 22:

Security Intelligence

Source: IBM

The real-time collection, normalization, and analysis of the data generated by users, applications, and infrastructure that impacts the IT security and risk posture of an enterprise. The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for an organization of any size.

Data collected and warehoused by Security Intelligence solutions includes logs, events, network flows, user identities and activity, asset profiles and locations, vulnerabilities, asset configurations, and external threat data. Security Intelligence provides analytics to answer fundamental questions that cover the before / during / after timeline of risk and threat management.

Capability areas on that timeline: Risk Management, Vulnerability Management, Configuration Monitoring, Patch Management, Threat Intelligence, Compliance Management, Reporting and Scorecards, SIEM, Log Management, Incident Response, Network and Host Intrusion Prevention, Network Anomaly Detection, Packet Forensics, Database Activity Monitoring, Data Loss Prevention.

Step 4: Monitor – integrate, correlate, enrich

Page 23:

Threat Intel (TI) Frameworks

Indicators

• STIX – Structured Threat Information eXpression (MITRE/OASIS)

• TAXII – Trusted Automated eXchange of Indicator Information (MITRE/OASIS)

• CybOX – Cyber Observable eXpression (MITRE/OASIS)

• OpenIOC – Open Indicators of Compromise (FireEye/Mandiant)

• IODEF – Incident Object Description Exchange Format (IETF – RFC 5070, since superseded by RFC 7970)

• YARA – rule-based pattern matching over files and memory (OSS)

• Snort – rule-based real-time analysis of network traffic (Cisco)

Enumerations

• MMDEF – Malware Metadata Exchange Format (IEEE)

• MAEC – Malware Attribute Enumeration and Characterization (MITRE)

• CAPEC – Common Attack Pattern Enumeration and Classification (MITRE)

• CVE – Common Vulnerabilities and Exposures (MITRE)

• CVSS – Common Vulnerability Scoring System (owned by FIRST; NIST's NVD publishes scores)

• CPE – Common Platform Enumeration (NIST)

• OVAL – Open Vulnerability and Assessment Language (MITRE)

• OSVDB – Open Sourced Vulnerability Database (OSF)

MITRE – not-for-profit organization that operates US federally funded research and development centers.

Data formats and exchange standards in the slide's diagram: PCAP / PCAPNG, CEF, Syslog, NetFlow / sFlow, TAXII, STIX, MAEC, CAPEC, CybOX, MMDEF, OpenIOC, YARA, JSON / YAML / XML, CVE, OVAL, IODEF.

Step 4: Monitor – integrate, correlate, enrich

Page 24:

TI Case Study

Anubis Networks Cyberfeed – helping an energy company and its customers stop cyber threats

Challenge

Availability and reliability of networks and infrastructure, which can be compromised by malware designed to impact network and employee productivity.

Solution

The company is now able to detect devices and machines related to information-stealing Trojans using real-time security data feeds via API access, a live dashboard and plugins to its SIEM system (Splunk):

• Detect networks and devices compromised with persistent or new malware families;

• Understand the malware landscape at the company, network, local and country level;

• Track botnet behavior, growth, dispersion and lifetime;

• Intercept and monitor communications between malware and C&C server;

• Ability to define business rules to query communication data details between compromised devices and C&C.

Business benefits

Among other findings, the client detected an infected internal machine that only appeared on weekend days. Cyberfeed was used to pinpoint the compromised machine; it turned out to be a person accessing the network through an infected personal device.

Page 25:

In reality, companies and organizations struggle with:

• Threat detection, investigation and incident response are immature

• Determining the root cause of incidents and then containing and remediating them is the tough nut

• Making use of security intelligence

• Evaluating the risk state of assets

• SIEM tools also require advanced skills and knowledge

• Many SIEMs are verbose and give too many false positives (FPs)

• Many attacks spread over a longer period of time, and the context may be lost or lacking

Step 5: React – timely & well-informed. Hunt for it.

Page 26:

Ideal SOC / IR Team

• Duty officer / Tier 1 Analyst – takes care of all incoming requests; ensures that every incident has an owner.

• Triage officer / Tier 1 Analyst – deals with the reported incidents, decides whether something is an incident to be handled, and by whom.

• Incident handler / Tier 2 Incident Responder – works on the incident: analyzes data, creates solutions, resolves the technical details and communicates progress to the manager and the constituents.

• Incident handler / Tier 3 Subject Matter Expert – advanced analyst who deals with complex cases that involve a cross-field investigation.

• Incident manager – responsible for the coordination of all incident handling activities; represents the team in communicating with outside third parties.

Source: “Ten Strategies of a World-Class Cybersecurity Operations Center” (MITRE)

Services staffing:

• To deliver the two core services of distributing advisory bulletins and incident handling: a minimum of 4 FTE.

• For a full-service CSIRT during office hours, including maintaining its own systems: a minimum of 6 to 8 FTE.

• For a fully staffed 24x7 operation (2 extra shifts covering out-of-office hours): the minimum is about 12 FTE.

Step 5: React – timely & well-informed. Hunt for it.

Page 27:

Investigative Lifecycle (a loop):

1. Initial evidence

2. Create IOCs for host & network

3. Deploy IOCs in the enterprise – e.g. IDS/SIEM

4. Identify additional suspect systems

5. Collect evidence

6. Analyze evidence

7. Refine & create new IOCs (back to step 3)

Source: “An Introduction to OpenIOC”, Mandiant

Step 5: React – timely & well-informed. Hunt for it.
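To make the loop concrete, the Python below (an added example, not Mandiant's or UTI-CERT's code) runs two passes of the cycle over constructed proxy and DNS log lines: the seed indicator is a C2 domain, the first sweep finds the hosts that contacted it, the refinement step derives the resolved IP and the URI path as new indicators, and the second sweep catches a host that only ever talked to the IP. `to_stix_pattern` renders the final set in STIX 2 pattern syntax (a later format than the STIX 1.x XML of the slide's era) for hand-off to a SIEM or IDS. Hostnames, domains and addresses are invented.

```python
"""IOC sweep with one refinement pass, following the investigative lifecycle (added example)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed telemetry, not real data. Proxy: "<time> <host> <method> <url> <status>"
PROXY_LOG = """\
2014-11-03T02:14:07Z ws-017 GET http://update-checker.example.net/gate.php 200
2014-11-03T02:14:09Z ws-017 GET http://cdn.vendor.example.com/lib.js 200
2014-11-08T23:02:41Z ws-042 POST http://update-checker.example.net/gate.php 200
2014-11-09T00:15:12Z ws-077 GET http://198.51.100.23/cfg.bin 200
2014-11-09T08:30:00Z ws-003 GET http://intranet.example.com/ 200
"""
# DNS: "<time> <host> <qtype> <qname> <answer>"
DNS_LOG = """\
2014-11-03T02:14:06Z ws-017 A update-checker.example.net 198.51.100.23
2014-11-08T23:02:40Z ws-042 A update-checker.example.net 198.51.100.23
2014-11-09T00:10:00Z ws-101 A update-checker.example.net 198.51.100.23
2014-11-09T08:29:59Z ws-003 A intranet.example.com 10.0.0.5
"""

def parse_proxy(text):
    for line in text.splitlines():
        ts, host, method, url, status = line.split()
        u = urlsplit(url)
        yield {"ts": ts, "host": host, "domain": u.hostname, "path": u.path}

def parse_dns(text):
    for line in text.splitlines():
        ts, host, qtype, qname, answer = line.split()
        yield {"ts": ts, "host": host, "qname": qname, "answer": answer}

def sweep(iocs, proxy, dns):
    """Deploy the indicators over both sources; return {host: set(matched indicators)}."""
    hits = defaultdict(set)
    for ev in proxy:
        if ev["domain"] in iocs["domain"] or ev["domain"] in iocs["ipv4"]:
            hits[ev["host"]].add(ev["domain"])
        if ev["path"] in iocs["url_path"]:
            hits[ev["host"]].add(ev["path"])
    for ev in dns:
        if ev["qname"] in iocs["domain"]:
            hits[ev["host"]].add(ev["qname"])
    return dict(hits)

def refine(iocs, proxy, dns):
    """Derive new indicators from the evidence the current ones matched:
    the address a C2 domain resolved to, and the URI path used on it."""
    new = {"domain": set(), "ipv4": set(), "url_path": set()}
    for ev in dns:
        if ev["qname"] in iocs["domain"] and ev["answer"] not in iocs["ipv4"]:
            new["ipv4"].add(ev["answer"])
    for ev in proxy:
        if ev["domain"] in iocs["domain"] and ev["path"] not in iocs["url_path"] and ev["path"] != "/":
            new["url_path"].add(ev["path"])
    return new

def to_stix_pattern(iocs):
    """STIX 2 pattern for handing the indicator set to a SIEM/IDS that speaks STIX."""
    parts = [f"[domain-name:value = '{d}']" for d in sorted(iocs["domain"])]
    parts += [f"[ipv4-addr:value = '{i}']" for i in sorted(iocs["ipv4"])]
    parts += [f"[url:value LIKE '%{p}']" for p in sorted(iocs["url_path"])]
    return " OR ".join(parts)

def investigate(seed_domains, proxy_text=PROXY_LOG, dns_text=DNS_LOG, passes=2):
    """Run the sweep/refine loop; return the suspect hosts after each pass and the final IOCs."""
    proxy, dns = list(parse_proxy(proxy_text)), list(parse_dns(dns_text))
    iocs = {"domain": set(seed_domains), "ipv4": set(), "url_path": set()}
    history = []
    for _ in range(passes):
        history.append(sorted(sweep(iocs, proxy, dns)))
        new = refine(iocs, proxy, dns)
        for kind in iocs:
            iocs[kind] |= new[kind]
    return history, iocs

if __name__ == "__main__":
    hosts_per_pass, final = investigate(["update-checker.example.net"])
    print(hosts_per_pass)
    print(to_stix_pattern(final))
```

The second pass is where the value of refinement shows: ws-077 never resolved the domain and never sent a request to it by name, so a domain-only IOC would have missed it. Each new indicator should be reviewed before deployment (a C2 domain that resolves to a shared hosting address would otherwise flag every host using that provider).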

Page 29:

Questions? Thoughts?

[email protected] +40722.754.319, @cteodor UTI-CERT Team contacts: [email protected]

Page 30:

3. Research

Page 31:

clickSIGN Online

Function as a service

Private Key in Cloud

Local Component: Web Browser

Sign and Verify

Web Service architecture

Files Stored in Office 365

File always in the cloud, never on the local machine

Native signatures, PDF signatures, CMS-RFC5652 signatures

Page 32:

Page 33:

WhatYouSeeIsNotWhatYouGet – components:

- WebRole1: web service interface

- SharePoint Worker: files manager

- Signature Worker: signature manager

Page 34:

diskSAFE for the Cloud

• User interface and the driver were adapted to work with data in chunks

• Sync module ensures that data chunks are synchronized between local and cloud storage

Page 35:

Classic work patterns

•Pattern 1:

1. PC1 – a virtual encrypted disk is created for sync with cloud storage

2. PC2 – in the second PC, the virtual encrypted disk is imported from the configured cloud storage folder

3. PC1 – a secondary user is added for the second PC; the entire file containing the encrypted disk is synced to cloud storage by the client

4. PC2 – the secondary user will be able to access the encrypted disk after he gets the entire file.

On a large disk, any small modification triggers synchronization of the entire content.

• Pattern 2:

1. PC1 – a virtual encrypted disk is created. It is copied on a usb stick

2. PC2 – in the second PC, virtual encrypted disk is imported from the usb stick

3. PC1 – a file is created and stored in the virtual encrypted disk. The entire disk must be copied to usb stick

4. PC2 – the disk is mounted from the usb stick

Page 36:

Cloud based work patterns

• Pattern 1:

1. PC1 – a virtual encrypted disk is created for sync with Dropbox

2. PC2 – in the second PC, the virtual encrypted disk is imported

3. PC1 – a secondary user is added for the second PC

4. PC2 – the secondary user is able to access the encrypted disk

Different from typical usage: when a user is added, instead of replicating all the data with the cloud, only one chunk is synchronized.

• Pattern 2:

1. PC1 – a virtual encrypted disk is created for sync with Dropbox

2. PC2 – in the second PC, the virtual encrypted disk is imported

3. PC1 – a file is created and stored in the virtual encrypted disk

4. PC2 – the disk is mounted and the file is present

Depending on its size, when the file is stored on the disk only the affected chunks are synced. Some real-life performance figures (transfer time of the changed data):

• 4 MB: 32 s at 1 Mb/s; 3.2 s at 10 Mb/s; 0.3 s at 100 Mb/s

• 10 MB: 80 s at 1 Mb/s; 8 s at 10 Mb/s; 0.8 s at 100 Mb/s
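The Python below is an added example (not the diskSAFE driver or its sync module) of the chunk bookkeeping the two cloud patterns rely on: it digests a disk image in fixed-size chunks, reports only the chunks a write touched, and derives the per-chunk nonce from a persistent write counter, which is the detail that matters when modified chunks are re-encrypted in place with a counter-mode cipher. `sync_seconds` reproduces the slide's timing figures from the number of bytes sent and the link speed (decimal MB). Sizes and offsets are illustrative.

```python
"""Chunk-level change tracking for a virtual encrypted disk synced through
cloud storage (added example; the cipher itself stays in the driver)."""
import hashlib
import struct

MB = 1_000_000  # decimal megabytes, the unit behind the slide's timing figures

def chunk_digests(image: bytes, chunk_size: int) -> list:
    """SHA-256 per fixed-size chunk; the last chunk may be shorter."""
    return [hashlib.sha256(image[i:i + chunk_size]).hexdigest()
            for i in range(0, len(image), chunk_size)]

def changed_chunks(before: list, after: list) -> list:
    """Chunk indices whose digest differs, plus any added or dropped by a resize."""
    n = max(len(before), len(after))
    return [i for i in range(n)
            if i >= len(before) or i >= len(after) or before[i] != after[i]]

def sync_seconds(byte_count: int, link_mbps: float) -> float:
    """Transfer time of the dirty chunks over a link of the given speed."""
    return byte_count * 8 / (link_mbps * MB)

class ChunkedImage:
    """In-memory stand-in for the disk file. A write marks the chunks it
    touches; sync() returns only those chunks, which is what makes the cloud
    pattern cheap. Each chunk also carries a write counter: when a modified
    chunk is re-encrypted with AES-GCM or AES-CTR, the nonce must be derived
    from (chunk index, counter) and never reused under the same key, or anyone
    holding both cloud versions learns the XOR of old and new plaintext."""

    def __init__(self, size: int, chunk_size: int):
        self.chunk_size = chunk_size
        self.data = bytearray(size)
        self.write_counter = {}          # chunk index -> times re-encrypted
        self.synced = chunk_digests(bytes(self.data), chunk_size)  # cloud's view

    def write(self, offset: int, payload: bytes) -> list:
        """Write into the image; return the chunk indices the write spans."""
        self.data[offset:offset + len(payload)] = payload
        first = offset // self.chunk_size
        last = (offset + len(payload) - 1) // self.chunk_size
        touched = list(range(first, last + 1))
        for c in touched:
            self.write_counter[c] = self.write_counter.get(c, 0) + 1
        return touched

    def nonce(self, chunk_index: int) -> bytes:
        """96-bit nonce = 32-bit chunk index || 64-bit write counter. Unique per
        key as long as the counter is stored with the image and never reset."""
        return struct.pack(">IQ", chunk_index, self.write_counter.get(chunk_index, 0))

    def sync(self) -> list:
        """Chunks that must be re-uploaded since the last sync; marks them done."""
        current = chunk_digests(bytes(self.data), self.chunk_size)
        dirty = changed_chunks(self.synced, current)
        self.synced = current
        return dirty

if __name__ == "__main__":
    img = ChunkedImage(size=4 * MB, chunk_size=MB)
    print("touched:", img.write(2 * MB + 10, b"hello"), "dirty:", img.sync())
    print("4 MB at 1 Mb/s:", sync_seconds(4 * MB, 1), "s")
```

A write that straddles a chunk boundary dirties two chunks, so the sync cost is bounded by the chunk size times the number of chunks touched, not by the disk size. The counter must travel with the image: re-importing the disk on a second PC with the counter reset to zero would reproduce old nonces on the next write.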

Page 37:

Computing on encrypted data

Page 38:

Experimental facts

• The practical implementation for determining X > Y and X = Y (and the corresponding experimental results) was built on top of the HElib library. It consists of coding the corresponding recursive compute functions in C/C++. In this manner we used the leveled version of the BGV FHE scheme (as embedded in the 2014 version of HElib).

• The reported time for the comparison of two 8-bit integers, X > Y, is 12 seconds (for 128 bits of claimed security, using one core of an Intel Xeon E5-1620 at 3.6 GHz).

Page 39:

Experimental facts

• Finding the maximum number working with an encrypted array:

• Security – 140 bits

• Time – 1295 s

• Memory – 3.8 GB

• Number of elements in the array – 16

• The tests ran on an x64 openSUSE 12.1 workstation (Intel i7-4710HQ processor at 3.5 GHz, one core, 8 GB RAM). These are the time costs for the homomorphic evaluation of the GETMAX function over an array of integer values of n = 8 bits each.
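The recursive comparison functions described above are boolean circuits built only from XOR (homomorphic addition) and AND (homomorphic multiplication), and the multiplicative depth of that circuit is what fixes the number of levels, and with it the parameters and running time, of a leveled BGV instance. The Python below is an added example, not the authors' HElib code: it evaluates the same X > Y, X = Y and GETMAX circuits in the clear on a bit type that counts depth, so the cost of the slide's MSB-first recursive formulation (depth n) can be compared with a divide-and-conquer version (depth log2 n + 1 for n a power of two). The 16-element array in the usage is made up.

```python
"""Bitwise comparator and max circuits of the kind evaluated under leveled BGV,
run in the clear with a multiplicative-depth counter (added example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Bit:
    value: int   # plaintext bit, 0 or 1
    depth: int   # multiplicative depth of the circuit that produced it

def xor(a, b):   # homomorphic addition: costs no level
    return Bit(a.value ^ b.value, max(a.depth, b.depth))

def and_(a, b):  # homomorphic multiplication: consumes one level
    return Bit(a.value & b.value, max(a.depth, b.depth) + 1)

def not_(a):     # adding the constant 1, also free
    return Bit(a.value ^ 1, a.depth)

ZERO = Bit(0, 0)

def encode(x, n):
    """n-bit little-endian plaintext; depth 0 stands for a fresh ciphertext."""
    return [Bit((x >> i) & 1, 0) for i in range(n)]

def decode(bits):
    return sum(b.value << i for i, b in enumerate(bits))

def gt_recursive(x, y):
    """X > Y as the recursive function on the slide: the MSB decides unless the
    MSBs are equal, in which case recurse on the lower bits. The two XOR-ed
    terms are mutually exclusive, so XOR acts as OR. Depth grows by 1 per bit."""
    if not x:
        return ZERO
    xi, yi = x[-1], y[-1]
    decided_here = and_(xi, not_(yi))
    same_here = not_(xor(xi, yi))
    return xor(decided_here, and_(same_here, gt_recursive(x[:-1], y[:-1])))

def product(bits):
    """Balanced AND tree: depth ceil(log2 n) instead of n-1 for a chain."""
    while len(bits) > 1:
        bits = [and_(bits[i], bits[i + 1]) if i + 1 < len(bits) else bits[i]
                for i in range(0, len(bits), 2)]
    return bits[0]

def eq_circuit(x, y):
    """X = Y: every bit pair equal."""
    return product([not_(xor(a, b)) for a, b in zip(x, y)])

def gt_tree(x, y):
    """Same predicate, divide and conquer on the halves: logarithmic depth."""
    if len(x) == 1:
        return and_(x[0], not_(y[0]))
    m = len(x) // 2
    hi = gt_tree(x[m:], y[m:])
    lo = and_(eq_circuit(x[m:], y[m:]), gt_tree(x[:m], y[:m]))
    return xor(hi, lo)

def compare(xv, yv, n=8):
    x, y = encode(xv, n), encode(yv, n)
    r, t, e = gt_recursive(x, y), gt_tree(x, y), eq_circuit(x, y)
    return {"gt": r.value, "gt_depth": r.depth,
            "gt_tree": t.value, "gt_tree_depth": t.depth,
            "eq": e.value, "eq_depth": e.depth}

def select(c, a, b):
    """c ? a : b on bit vectors with no branching: b XOR c*(a XOR b)."""
    return [xor(bj, and_(c, xor(aj, bj))) for aj, bj in zip(a, b)]

def getmax(values, n=8):
    """GETMAX over an 'encrypted' array as a running maximum of selects.
    Returns (maximum, multiplicative depth of the result)."""
    acc = encode(values[0], n)
    for v in values[1:]:
        e = encode(v, n)
        acc = select(gt_tree(e, acc), e, acc)
    return decode(acc), max(b.depth for b in acc)

if __name__ == "__main__":
    print(compare(200, 37))
    print(getmax([12, 200, 7, 33, 254, 0, 99, 100, 1, 2, 3, 4, 5, 6, 7, 8]))
```

Each GETMAX step costs the depth of one comparison plus one select, so the depth of the running maximum grows linearly with the array length (5 levels per element with the tree comparator at n = 8, 75 for 16 elements). That is why the array experiment needs far more time and memory than a single comparison, and it is the kind of figure to compute before choosing BGV parameters rather than discovering it at run time.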

Page 40:

TTP

The approach is straightforward: we use a web crawler for the site and a browser extension for the user experience. Cryptography comes into play with digital signatures and timestamping.

Page 41:

TTP

The Firefox add-on works with our server, sending the captured images; Heritrix is used for crawling and storing data.

A signature service is used to sign and timestamp the captured images and sites. Advanced signatures are used so that they can still be validated at a later point in time.

All signatures are stored for presentation to interested users.