[Slide diagram: targeted intrusion stages – reconnaissance, exfiltration, command and control, data collection and staging]
You’ve been hacked!
The OWASP Foundation http://www.owasp.org
What the Board & Chief Executives Need to Know
Tim Scully
The Cyber Threat, Trophy Information & the Fortress Mentality
You’ve been hacked!
Penetration testing (“AVA”, “Red Teaming”, “Black Box Hack”, “Ethical Hacking”…)
• Legal (with CEO’s permission)
• Specify trophy information
• Use only publicly known vulnerabilities
• No physical security breaches
• No unethical action
• No “special” capability
• No artificial constraints
If this can be done repeatedly without being detected while our hands are tied, what can real hackers with real capability do without these constraints?
100% success in stealing the trophy information!
The ‘new reality’ – a pervasive & persistent cyber threat
February 2012. VeriSign was “hacked repeatedly by outsiders who stole undisclosed information from the leading internet infrastructure company” in 2010. (smh.com.au) “security breaches … were not sufficiently reported to management” – Verisign SEC Filing
March 2011. RSA compromised by an “Advanced Persistent Threat”, stealing data related to the SecurID authentication system. “It is likely that RSA growth will remain a bit slower as remediation efforts continue” - David Goulden, EMC CFO
May 2011. Lockheed Martin was hit with a “significant and tenacious” cyber attack, using the breached RSA SecurID authentication data. "The fact is, in this new reality, we are a frequent target of adversaries around the world." - Sondra Barbour, CIO
April 2011. Dell Australia’s customer data was compromised during a breach of US-based e-mail service provider Epsilon. (Also affected Barclays Bank, Citigroup, JPMorgan Chase, Visa, Marriott International, Kraft, TiVo and others.)
“China-based hackers looking to derail the $40 billion acquisition of the world’s largest potash producer by an Australian mining giant zeroed in on offices on Toronto’s Bay Street, home of the Canadian law firms handling the deal.” - Bloomberg
Stuxnet, Duqu, Flame?
How senior executives see the cyber threat & their preparedness
What they said about the threat…
• “The cyber threat is a growing menace”
• “Threat actors’ innovation is faster than industry’s”
• “Targeted exploitation of their network would affect competitiveness”
Conundrum: yet only a minority say the current risk of targeted cyber exploitation is high!
Reality: they will not publicly admit their organisation’s inability to fight off cyber intruders.
What they said about their preparedness…
• “We are well equipped to prevent such attacks”
Conundrum: but they are vague about their actual defences.
• “We’ve got AV, firewalls, IDS, IPS…”
Conundrum: but… “we (and Govt) should do more on cyber security”.
Reality: “It won’t happen to me!”
But it will happen to you… targeted cyber intrusion
Any organisation whose Internet-connected network has information of value to a sophisticated cyber threat actor is likely already compromised.
Attackers cannot be kept ‘on the outside’; everything on the inside is not secure
“To defend everything is to defend nothing” – Frederick the Great
It’s all in the mind!
Techie Mindset
• Trophy information?
• Deal with threats in isolation
• Poor upward communication
Boundary Protection Mindset
• Anti-virus, firewalls
• IDS, IPS, ‘magic’ box, set & forget
• System-centric
Compliance Mindset
• Box ticking (“We're compliant!”)
• Audit, not assessment
• Perpetuates boundary mindset
Executive Mindset
…
The Consequence… “Fortress Mentality”
OWASP Purpose: Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.
The threat… capability & intent
What (or who) is the Advanced Persistent Threat?
To find this document, Google “cyber mitigation”
“Over 85% of the targeted cyber intrusions that DSD responded to in 2010 could have been prevented by applying only the first four of the 35 recommended mitigation strategies.”
What does an APT look like?
Threat
• Capability + Intent
• Strategic Goals
• Multi-source Collection Plan
• Multi-agency Coordination
Advanced
• Sophisticated
• Agile, adaptive, innovative
• Full spectrum TTPs
• Off the shelf + tailor-made
Persistent
• Not opportunistic
• Clandestine
• Varied tempo, dwell time
• Works to a tactical plan
If they are detected by traditional measures, are they really an APT or were they meant to be detected?
What can we do about it? Levels of security…
Level 1: meet due diligence & compliance needs only
• Most basic “housekeeping” measures
• Reduce opportunity to intrude (i.e. reduce your “target surface”)
• Measures should include: Patch Control, Vulnerability Management, Privilege Management, Change & Configuration Control Management, Intrusion Detection/Prevention
• Are they good enough to detect a targeted intrusion?
Level 2: more investment to protect info beyond basic compliance
• Increased risks need more sophisticated measures
• More continuous monitoring of network data flow
• Measures should include: Security Information and Event Management, Data Segregation, Whitelisting, Exception Monitoring, Application and Network Penetration Testing
• Should consider managed security service
What can we do about it? Levels of security…
Level 3: when consequences of targeted cyber intrusions are serious or catastrophic for operational effectiveness, competitiveness, reputation or the national interest
• Detect, isolate, monitor and terminate cyber threats
• Includes “low probability, high consequence” events
• Owners and operators of critical infrastructure systems should seriously consider these measures
• Systematic approach to cyber intrusion management
• Backed by highly skilled cyber security analysts and practitioners with continual visibility of network data flow
• Measures should include:
  • Whole of enterprise data collection system (“data probes”)
  • Data leak prevention
  • Database activity monitoring
  • Data analytics
  • Cyber event investigation
  • More…
The Board owns this risk
A cyber security breach is no longer an IT problem. It is a problem for the Board. It may:
• cause significant reputational damage
• damage share price
• compromise strategic negotiations or transactions
• provide an opportunity for a class action
• result in market disclosures and compliance breaches
• undermine years of R&D
• sabotage critical systems
“security breaches … were not sufficiently reported to management” – Verisign SEC Filing
“It is likely that RSA growth will remain a bit slower as remediation efforts continue” – David Goulden, EMC CFO
“China-based hackers looking to derail the $40 billion acquisition… zeroed in on the law firms handling the deal” – Bloomberg re Potash Corp.
Principles for Cyber Security
The advantage is with the aggressor
• Advanced, persistent response
• Make it harder & more risky
National cyber security will leverage all available capabilities
• Government, industry, academia
• International partnerships
• Strong leadership, sharing & trust
Resilience through real defence-in-depth
• No fortress mentality
• Know your trophy info & protect it
Technical prowess is not enough
• Accountability at senior levels
• Holistic policy, sound governance
• Adequate resourcing & comms
Our behaviour is our weakest link
Cyber Warfare?
Tim Scully [email protected]
The Economist 7 May 2009