Steven Dyer - AMEA (slide transcript)
Steven Dyer NSA IAM, NSA IEM, CISSP, CCSP, CCDP
Chief Technology Officer
Central Service Association
Cyber Incident Response and Analysis
Blue Team Security Audits
• 205 Utilities
• 41 Banks
• 13 Secure Buildings
• 3 Energy Generation Locations
Security Agenda
• Latest Events…
• Who are the Real Players
• How Hackers Do It…
• Training
• Breaking In
• Log IT
Group Exercise…
Who is your assigned Cyber Security person?
"Many of the most damaging security penetrations are, and will continue to be, due to Social Engineering, not electronic hacking or cracking . . . Social Engineering is the single greatest security risk in the decade ahead."
“91% of successful data breaches started with a spear-phishing email” - security software firm Trend Micro (2013)
(2014)
HACKING 101 Demo
Spear-Phishing
Homeland Security Information
March 2015 Logs (two slides of log screenshots, not reproduced in the transcript)
Utilities struggle to manage the security challenge…
Today, security is a board-level agenda item…
Primary Challenges
1. Nature & Motivation of Attacks (fame, fortune, market adversary)
Attack lifecycle: Research → Infiltration → Discovery → Capture → Exfiltration
A new market adversary
The Department of Homeland Security released this map showing the locations of 7,200 key industrial control systems that appear to be directly linked to the Internet and vulnerable to attack. (CNN Money article, 2013)
Chart: attack techniques over time versus Technical Knowledge Required (vertical axis Low to High; horizontal axis 1980, 1985, 1990, 1995, 2000, Present). Techniques plotted, in the order they appear on the slide:
• Password Cracking
• Self-Replicating Code
• Password Guessing
• Exploiting Known Vulnerabilities
• Disabling Audits, Back Doors
• Sweepers and Sniffers
• Stealth Diagnostics
• Packet Forging and Spoofing
• Hijacking Sessions
• Web Browser Pop-Ups
• VBA, ActiveX, Flash Tricks
• SPAM Tools
• DoS, Buffer Overflow, Service Overwhelm
• Zombie Bots
• OS-Specific Attack Tools
• RDP Exploits
HACKING 201 Demo
Stuxnet
CURRENT CYBERESPIONAGE CAMPAIGN TARGETS INDUSTRIAL CONTROL SYSTEMS (DRAGONFLY / ENERGETIC BEAR - HAVEX)
On June 23, 2014, Finnish security research firm F-Secure reported on a cyber campaign targeting SCADA users and the suppliers of equipment to those sectors, many of them in critical infrastructure.
HAVEX Info
• According to a Symantec report on June 30, 2014, Havex is what is known as a “remote access Trojan,” or RAT: malware that secretly enters a computer to give hackers control of the machine. Symantec and F-Secure say the malware ordinarily is used only for spying, but can be modified to sabotage a machine.
Top 10% of Hackers Never Caught
SCADA
• A professional hacker would not directly attack networks or SCADA/DCS systems in the U.S.
• Creates a Trojan (rootkit) that will allow remote control
• Plants the Trojan in a zombie host in the South Pacific
• The Trojan “listens” for a specific string of characters in a chat room hosted in Europe (maybe even in another language)
• When the zombie finds a match on the set of characters, it automatically begins attacking pre-determined sites and systems
Diagram (zombie host at a UNIVERSITY, CHATROOM in Europe, target networks):
1. Hacker determines that a direct attack may be too risky
2. Plants the Trojan in the zombie host
3. Trojan is programmed to listen to the chat room in Europe for a specific message string
4. Hacker posts the message on the chat room
5. Trojan attacks target networks
Attacks from Last Traceable Point of Origin
World map of attack share by last traceable point of origin (legend buckets 10-30%, 3-4%, 1%, 0.6%, 0.3%; 32.5% of unknown origin). The “last traceable point” is where the attack was last seen coming from, not necessarily where the attacker sits; the zombie-host scenario on the previous slide is exactly how the two get separated.
USA
• Hosted 50% of all phishing sites in 1Q 2014
• Hosted 45% of all phishing-based keyloggers or Trojan downloaders
China
• 55,000 malware/intrusion incidents on DoD systems in 2010; a large but unspecified number blamed on China
• Highest level of malware infections
Russia
• Produces 77% of all spam
• Source of many successful botnets: Rustock, Grum, Cutwail, and more
*Trustwave Breach Report 2014
Group Exercise…
• Training on up-to-date ways to protect your SCADA system
• Needs to be updated every two years
Utility SCADA Training

| The Attack | The Countermeasure |
|---|---|
| Research | Improved security awareness and counter intelligence |
| Infiltration | Systems to proactively monitor, improve, and protect |
| Discovery | Ability to track and remediate |
| Capture | Controls to protect target assets internally and externally |
| Exfiltration | Damage remediation and counter intelligence |
Research
• Google / Internet Mining
• What Compliance Is Required
• Social Engineering
• Digging Through Trash
• Talk To Your Vendors
Infiltration
• Physical Infiltration
• Vendor Test
• Hot Vendor Test
• Customer Test
• Walk In Off The Street Test
• Warehouse Walkabout
• Substation Bolt-Cutters
Infiltration
• Pen Test
• External Pen Test
• Internal Pen Test
• Secure Room Pen Test
• Email – Spear Phishing
• Plant Thumb Drives
Group Exercise…
• Put $5,000 in your budget for a dedicated log server and cheap storage…
Log Everything That Can Be Logged
• Syslog server: firewall, SCADA systems, control systems, anything that can send logs
• Log analyzer: Sawmill, Splunk
What are we missing???
– Lack of a formal documented program and procedures
– Need for an established cybersecurity team
– Need for incident response and disaster recovery policies and/or directives
• Insufficient control of remote logging and access.
– Weak enforcement of remote login policies
– Weak port security
– Network architecture not well understood and internal networks not segmented
– Flat networks: devices not properly configured
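The following is an added example, my own code rather than anything from the presentation, tying together three of the slides: the Trojan that sits on a zombie host polling a chat room for its trigger string, the "Log Everything That Can Be Logged" advice, and the flat-network finding above. The trigger channel itself looks like ordinary outbound HTTPS, so what the syslog server actually gives you is the cadence: a host that contacts the same outside address every N minutes with almost no jitter. The same parsed firewall log also answers the segmentation question, since any corporate-zone host reaching the control zone on a port outside the allowlist is a flat-network symptom. The address plan (corp 10.10.0.0/16, OT 10.20.0.0/16), the historian allowlist, the host addresses, the simplified iptables-style syslog line format and every log line are constructed for the example and are not any vendor's real data.

```python
"""Added example (not from the presentation): scan constructed firewall syslog
lines for (1) low-jitter periodic outbound connections, the footprint of a
planted Trojan polling an outside dead drop for its trigger, and (2) corporate
hosts crossing into the control (OT) zone on ports the allowlist does not cover.
Zones, hosts, ports, allowlist and the simplified iptables-style log format are
all assumptions made for this example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed address plan: anything outside these two zones is "external".
ZONES = {"corp": ip_network("10.10.0.0/16"), "ot": ip_network("10.20.0.0/16")}

# Assumed allowlist: only the historian may cross corp -> OT, and only for
# Modbus/TCP (502) and OPC UA (4840).
ALLOWED_CORP_TO_OT = {(ip_address("10.10.5.20"), 502), (ip_address("10.10.5.20"), 4840)}

# Simplified iptables-style accept line (constructed format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: FW-ACCEPT SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=\S+ SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse(line):
    """Return a dict for an accepted-connection line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": ip_address(m["src"]),
            "dst": ip_address(m["dst"]), "dpt": int(m["dpt"])}


def zone_of(addr):
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def find_beacons(events, min_hits=6, max_cv=0.15):
    """Outbound (internal -> external) flows whose connection intervals are
    regular: coefficient of variation (stdev / mean) below max_cv over at
    least min_hits connections. Returns (src, dst, dport, median_gap_seconds)."""
    flows = defaultdict(list)
    for e in events:
        if zone_of(e["src"]) != "external" and zone_of(e["dst"]) == "external":
            flows[(e["src"], e["dst"], e["dpt"])].append(e["ts"])
    beacons = []
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_cv:
            beacons.append((*key, statistics.median(gaps)))
    return beacons


def find_zone_violations(events):
    """corp -> OT connections that are not on the allowlist."""
    return [(e["src"], e["dst"], e["dpt"]) for e in events
            if zone_of(e["src"]) == "corp" and zone_of(e["dst"]) == "ot"
            and (e["src"], e["dpt"]) not in ALLOWED_CORP_TO_OT]


def analyze(lines):
    events = [e for e in map(parse, lines) if e]
    return {"beacons": find_beacons(events),
            "zone_violations": find_zone_violations(events)}


def _line(ts, src, dst, dpt):
    return f"{ts} fw01 kernel: FW-ACCEPT SRC={src} DST={dst} PROTO=TCP SPT=49152 DPT={dpt}"


# Constructed sample log, one morning on 2015-03-04.
SAMPLE_LOG = [
    # OT engineering workstation polling one outside host every ~5 minutes
    *(_line(f"2015-03-04T{t}", "10.20.1.50", "198.51.100.7", 443)
      for t in ("10:00:00", "10:05:01", "10:10:00", "10:14:59",
                "10:20:02", "10:25:00", "10:30:01")),
    # corporate user browsing: same number of hits, irregular timing
    *(_line(f"2015-03-04T{t}", "10.10.7.33", "203.0.113.10", 443)
      for t in ("10:00:30", "10:01:05", "10:07:40", "10:08:00",
                "10:23:15", "10:24:50", "10:40:00")),
    # historian pulling Modbus/TCP and OPC UA from the OT zone (allowed)
    _line("2015-03-04T10:02:00", "10.10.5.20", "10.20.1.10", 502),
    _line("2015-03-04T10:02:05", "10.10.5.20", "10.20.1.10", 4840),
    # corporate desktop opening RDP straight into the OT zone (flat network)
    _line("2015-03-04T10:12:00", "10.10.7.33", "10.20.1.10", 3389),
    "2015-03-04T10:13:00 fw01 kernel: unrelated message",
]

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("  ", *hit)
```

On the sample data the workstation's seven contacts with 198.51.100.7 come back as a beacon with a 300 second median period, the browsing user with the same hit count does not (its intervals vary by roughly a factor of 50), and the RDP session from the corporate desktop into the OT zone is the single allowlist violation. In practice the lines would come from the syslog server or Splunk the slides recommend rather than a list, `min_hits` and `max_cv` need tuning against a baseline (legitimate NTP, update checks and monitoring agents also beacon, so the result is a triage list, not a verdict), and the allowlist should be generated from the firewall policy rather than typed by hand so the two cannot drift apart.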
• Media protection and control.
– Weak control of incoming and outgoing media (use of USB drives)
– Lack of encryption implementation
• Audit/logging events.
– Insufficient methods for monitoring and control network events
– Lack of understanding of disaster recovery techniques
Group Exercise…
• Who do you contact when something happens???
Steven Dyer, Chief Technology Officer
Central Service Association
Cell: 662-491-2661
[email protected]