State and Local Government Cyber Threat Landscape

Stacey Wright, Senior Intelligence Program Manager, MS-ISAC

TLP: WHITE

Page 2

What is your experience level with the cybersecurity preparations of your agency?

• None – I’m here because I’m curious and want to learn
• Some – I get basic information/basic organizational briefings
• More than most – I’m on the team responsible for addressing cybersecurity or cyber response
• I’m responsible for the organization’s cybersecurity/responsiveness to cyber concerns

Page 3: ISACs (Information Sharing and Analysis Centers)

Created via PPD 63, May 22, 1998, to allow the private sector to come together, share information, perform analysis, and respond to incidents

[Slide graphic: ISAC logos, including Legal Services and EMR-ISAC]

Page 4: Multi-State Information Sharing and Analysis Center

The MS-ISAC has been designated by DHS as the key resource for cyber threat prevention, protection, response and recovery for the nation’s state, local, tribal, and territorial governments

https://www.cisecurity.org/ms-isac/

Page 5: MS-ISAC: Who We Serve

State, Local, Tribal, and Territorial

Cities, counties, towns, airports, public education, police departments, ports, transit associations, and more

Members include:
• 50 State Governments
• 79 DHS-Recognized Fusion Centers
• 6 Territorial Governments
• 39 Tribal Governments
• More than 1,600 local governments

Page 6: Benefits of MS-ISAC Membership

Free and Voluntary
No Mandated Information Sharing
Only an NDA Required

Benefits:
− Access to information, intelligence, products, resources, and webcasts
− Insider access to federal information
− Training and resource discounts
− CIS SecureSuite discounts
− HSIN Community of Interest (COI)
− Cybersecurity exercise participation
− Malicious Code Analysis Platform (MCAP)

https://learn.cisecurity.org/ms-isac-registration

Page 7: Why SLTT Governments?

Criminals look for data...and governments have a lot of it!

Page 8: Malware Trends

• Most common malware type: Financial
• Most popular infection vector: Malspam
• Common Tactics
  – Scraping address books
  – Sending spam
  – Stealing banking and social media passwords
  – Redirecting traffic to malicious sites
  – Gathering reconnaissance information

Page 9: Ransomware

[Chart: MS-ISAC Ransomware Notifications. Legend: Cryptowall, Tesla/Alphacrypt, Locky, Cerber, CryptXXX, Other]

Prevention Mechanisms
1. Keep your systems patched
2. Keep your AV up-to-date
3. Email filtering
4. End user training and awareness
5. Have offline backups

Recent Trends
1. New variants / TTPs
2. Ransomware-as-a-Service
3. Used in extortion schemes
4. Data exfiltration

Page 10: Ransomware - Don’t Be Next

Plan
• Discuss what a ransomware infection would cost your specific agency and make decisions before infection occurs
• Keep in mind – in 20% of cases, decryption keys do not work
• Prepare and test protocols for multiple scenarios and have recovery plans in place

Prevent
• Keep your systems patched – desktops and servers
• Ensure up-to-date backups are stored offline and regularly tested
• Email filtering
• Keep your AV and firewall patched
• End user training and awareness

Page 11: Malware Initiation Vectors

Page 12: BEC Scam (Business Email Compromise)

1. CEO Compromise Variant
− Results in a wire transfer
− Targets finance depts
− Spoofed or compromised executive account
− Millions lost

2. Purchase Order Variant
− a.k.a. Bogus Invoice Scheme, Supplier Swindle
− May include spoofed domains and copied purchase orders
− Schools are frequent SLTT targets

3. W-2 Phishing Info Variant
− Results in PII data breach
− Targets finance or HR depts
− Results in filing of fraudulent tax returns
− Spoofed or compromised executive account

4. Attorney Impersonation Variant

Where To Report?
1. The MS-ISAC (cisecurity.org/ms-isac)
2. IC3 (ic3.gov)
3. The IRS (irs.gov/help)

Page 13: BEC: CEO Compromise Example

Date:
FROM: CEO
TO: Finance Department
SUBJECT: Question

Are you available? Wire transfer needs to go out. Also what is the balance of General Funding Account? Let me know when you are ready. Reply as soon as possible.

Sent from my iPhone

Annotations:
• From an Executive
• Financial aim
• Social Engineering
• Formatting error
• Abrupt text to mimic urgent email from a mobile device

Page 14: BEC: W-2 Phishing Example

• Appears legitimate
• Refers to some “problem”
• 1st: Directs to credential harvesting website
• Social engineering: Signed by trusted party
• 2nd: Directs to credential harvesting website

Page 15: BEC - Don’t Be Next

Plan
• Have a policy for reporting BEC and similar phishing emails
• Educate finance and HR departments
• Collaborate with finance and HR departments to ensure their policies are supported by technological solutions (e.g. encryption)
• Train users in detecting social engineering attempts

Prevent
• Add warning banners for emails from external sources
• Implement filters at your email gateway

React
• ~72 hours to stop a wire transfer
• Report BEC scams/attempts to:
  - IC3/FBI at https://bec.ic3.gov/
  - MS-ISAC at [email protected]
  - Tax-related scams/attempts also to: IRS at https://www.irs.gov
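
The two Prevent controls above, sketched as a gateway-side check (an added example, not MS-ISAC code): it prefixes a banner on external mail and flags the traits of the CEO Compromise variant. The domain agency.example, the executive name, the phrase list and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: own mail domains, protected names, trigger phrases.
INTERNAL_DOMAINS = {"agency.example"}
EXECUTIVES = {"pat doe"}
PAYMENT_PHRASES = ("wire transfer", "balance of", "w-2")


def name_and_domain(header_value):
    """Return (lower-cased display name, lower-cased domain) from an address header."""
    name, addr = parseaddr(header_value or "")
    return name.strip().lower(), addr.rpartition("@")[2].lower()


def gateway_check(raw_message):
    """Return (subject to deliver, flags) for one inbound message."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    name, from_domain = name_and_domain(msg.get("From"))
    if from_domain in INTERNAL_DOMAINS:
        return subject, []  # internal mail gets no banner
    flags = ["external-sender"]
    if name in EXECUTIVES:
        flags.append("executive-name-on-external-address")
    _, reply_domain = name_and_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-domain-differs")
    body = "" if msg.is_multipart() else msg.get_payload().lower()
    if any(phrase in body for phrase in PAYMENT_PHRASES):
        flags.append("payment-or-w2-request")
    return "[EXTERNAL] " + subject, flags


# Constructed samples modelled on the CEO Compromise slide; not real messages.
SPOOFED = (
    'From: "Pat Doe" <pat.doe@mail.example.net>\n'
    "Reply-To: ceo.office@example.org\n"
    "To: finance@agency.example\n"
    "Subject: Question\n"
    "\n"
    "Are you available? Wire transfer needs to go out.\n"
)
INTERNAL = (
    'From: "Pat Doe" <pat.doe@agency.example>\n'
    "Subject: Budget meeting\n"
    "\n"
    "See you at 3.\n"
)
```

A message sent from a compromised internal executive account passes these checks, which is why the reporting policy and the finance/HR training under Plan still matter.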

Page 16: BEC Workshops

Free, half-day workshops

• October 19 - Kennedy Space Center, FL
• October 25 - Hudson, OH
• October 26 - Phoenix, AZ - Desert Willow Conference Center
• October 27 - Denver, CO - History Colorado Center
• October 30 - Nashville, TN - HCA Main Presentation Stage
• November 3 - Boston, MA
• November 7 - Kansas City, KS - Kansas City Public Library
• November 8 - Los Angeles (Thousand Oaks), CA - Amgen, Inc.
• New York City, NY - Date TBD
• Dallas, TX - Date TBD

https://nhisac.org/events/nhisac-events/business-e-mail-compromise-workshop/

Page 17: Identified Data Breaches

[Chart: Vectors, 2012 to 2017. Series: Keylogging, Malware, Phishing, SQLi, Unknown Vector]

[Chart: Entities, 2012 to 2017. Series: Territory, State, Local, EDU]

Page 18: Hoax Extortion Schemes

• Extortion demands; Bitcoin payments
• Known CTAs: Lizard Squad, Armada Collective, LulzSec, New World Hacking, Phantom Squad

Page 19: High Profile Event Related Domains

[Chart: Domains Registered Containing “Equifax”]

Page 20: Website Defacements by Month

[Chart: website defacements by month, Aug 2016 to Aug 2017; y-axis 0 to 250]

Page 21: BOD 17-01 on Kaspersky

Binding Operational Directive

Who:
• Kaspersky Lab
  – Russian cybersecurity & antivirus company
  – Founded by former software engineer for Soviet Military Intelligence

Federal Changes:
• July 11: GSA removed Kaspersky Lab from the list of approved vendors
• September 13: DHS issued BOD 17-01

MS-ISAC recommendation: SLTTs should follow the guidance in the federal directive.

Source: https://www.dhs.gov/news/2017/09/13/dhs-statement-issuance-binding-operational-directive-17-01

Page 22: BOD 18-01 on Email & Web Security

• Enable STARTTLS on all Internet-facing email servers;
• Enable valid SPF/DMARC records and implement specific DMARC policy rules;
• Disable SSLv2 and SSLv3 on email and web servers;
• Disable 3DES and RC4 on email and web servers;
• Use HTTPS-only with HSTS;

MS-ISAC recommendation: SLTTs should follow the guidance in the federal directive.

Source: https://cyber.dhs.gov/
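
A sketch of checking the SPF/DMARC item offline against TXT records you have already looked up (an added example, not DHS or MS-ISAC tooling). The records for the placeholder domain example.gov are constructed, and treating p=none, pct below 100 and a missing rua as findings is this sketch's assumption, not a quote from the directive.

```python
def parse_tags(record):
    """Split a tag=value TXT record such as 'v=DMARC1; p=none' into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records):
    """Return findings for the TXT records published at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record published"]
    if len(spf) > 1:
        return ["SPF: multiple records, which receivers treat as an error"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    # A redirect hands the policy to another record; -all / ~all restrict senders.
    if any(t.startswith("redirect=") or t in ("-all", "~all") for t in terms):
        return []
    if "+all" in terms or "all" in terms:
        return ["SPF: 'all' passes mail from any sender"]
    return ["SPF: no restrictive 'all' mechanism"]


def check_dmarc(txt_records):
    """Return findings for the TXT records published at _dmarc.<domain>."""
    dmarc = [parse_tags(r) for r in txt_records if r.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        return ["DMARC: expected exactly one record, found %d" % len(dmarc)]
    tags, findings = dmarc[0], []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC: p=%s does not act on failing mail" % (policy or "missing"))
    if tags.get("pct", "100") != "100":
        findings.append("DMARC: pct=%s applies the policy to only part of the mail" % tags["pct"])
    if "rua" not in tags:
        findings.append("DMARC: no rua address for aggregate reports")
    return findings


# Constructed sample records for the placeholder domain example.gov.
WEAK = {"spf": ["v=spf1 include:_spf.example.gov +all"],
        "dmarc": ["v=DMARC1; p=none"]}
FIXED = {"spf": ["v=spf1 include:_spf.example.gov -all"],
         "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.gov"]}


def audit(records):
    return check_spf(records["spf"]) + check_dmarc(records["dmarc"])
```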

Page 23: Key Reinstallation Attacks (KRACK)

• Targets 4-way handshake of WPA2 Protocol
• Man-in-the-Middle attack
• Forces nonce and session key reuse in WPA2
• Weaknesses are in the Wi-Fi standard not individual implementations
• Android and Linux can be tricked into using an all zero encryption key

1. We need a session key. Here’s random data to use.
2. OK. Here’s random data from me to use.
3. I think we have enough data
4. Yep! I agree
5. Session Key = PSK + random data + random data

Sources:
https://www.krackattacks.com/
https://www.kb.cert.org/vuls/id/228519
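
Why a repeated handshake message 3 leads to nonce reuse, and what the fix changes, as a toy model added here (not code from the KRACK authors or from any Wi-Fi stack): the vulnerable client resets its packet number when it reinstalls the key it already uses, the patched one does not. The class and function names and the key bytes are constructed.

```python
class Supplicant:
    """Toy WPA2 client: holds the installed session key and its packet number (nonce)."""

    def __init__(self, patched):
        self.patched = patched
        self.key = None
        self.packet_number = 0
        self.used = []  # every (key, nonce) pair that protected a frame

    def on_message3(self, session_key):
        """Handshake message 3 tells the client to install the session key."""
        if self.patched and session_key == self.key:
            return  # hardened: key already in use, keep counting
        self.key = session_key
        self.packet_number = 0  # (re)installing resets the nonce counter

    def send_frame(self):
        self.packet_number += 1
        self.used.append((self.key, self.packet_number))


def reused_nonces(patched):
    """Deliver message 3 twice mid-session; return the nonces used more than once."""
    client = Supplicant(patched)
    key = b"constructed-session-key"  # constructed value, not real key material
    client.on_message3(key)
    for _ in range(2):
        client.send_frame()
    client.on_message3(key)  # retransmitted message 3 reaches the client again
    for _ in range(2):
        client.send_frame()
    seen, reused = set(), []
    for pair in client.used:
        if pair in seen:
            reused.append(pair[1])
        seen.add(pair)
    return reused


if __name__ == "__main__":
    print("vulnerable:", reused_nonces(patched=False))
    print("patched:   ", reused_nonces(patched=True))
```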

Page 24: Key Reinstallation Attacks (ROCA)

• Vulnerability in an implementation of RSA key generation due to a fault in an Infineon Technologies code library
  – RSA Library version v1.02.013
• Key test available at: https://keychest.net/roca

NOT a vulnerability in the RSA algorithm

Sources: https://crocs.fi.muni.cz/public/papers/rsa_ccs17

Page 25: What Can You Do?

Low Hanging Fruit!
a. Designate someone to be responsible
b. Set expectations
c. Get your domain

1. PATCH!
2. Use defensive software
3. Back-up
4. Train users
5. Enforce password standards
6. Share intelligence
7. Work with the MS-ISAC

Page 26: Share Information

• Be prepared
  − Learn from others’ best practices
  − Gather intel to help you be proactive
• Be willing to ask for help
  − Identify other resources to augment what you are doing
• Be a part of the solution
  − Take part in information sharing

Page 27: 24x7 Security Operations Center

Central location to report any cybersecurity incidents

• Support:
  – Network Monitoring Services
  – Research and Analysis
  – Incident Response
• Analysis:
  – Threats & Trends
  – Vulnerabilities
  – Attacks & TTPs
  – Cyber Threat Actor Activity
• Reporting:
  – Cyber Alerts & Advisories
  – IP & Domain Monitoring
  – Automated Indicator Sharing
  – Strategic Intelligence

To report an incident or request assistance:
Phone: 1-866-787-4722
Email: [email protected]

Page 28: Monitoring of IP Range & Domain Space

IP Monitoring
• IPs connecting to malicious C2s
• Compromised IPs
• Indicators of compromise from the MS-ISAC network monitoring (Albert)
• Notifications from Spamhaus

Domain Monitoring
• Notifications on compromised user credentials, open source and third party information
• Vulnerability Management Program (VMP)

Send domains, IP ranges, and contact info to: [email protected]

Page 29: Who do I call?

To join or get more information: https://learn.cisecurity.org/ms-isac-registration

Security Operations Center (SOC): [email protected] - 1-866-787-4722

31 Tech Valley Dr., East Greenbush, NY 12061-4134
www.cisecurity.org

Page 30

Which of the following topic areas matter most to you? (select all that apply)

• The current threat environment
• How different types of attacks work
• New and emerging malicious cyber activity
• Malicious actors and their motivations
• Investigative techniques
• How to protect my agency

Page 31: Questions?

Page 32

Stacey Wright, Senior Intelligence Program Manager
[email protected]

MS-ISAC 24x7 Security Operations Center
1-866-787-4722
[email protected]