The Anatomy of a Data Breach - Security Interest Group

Andreas Fuhrmann, SKyPRO AG, [email protected]
John Waters, SailPoint, [email protected]

SKyPRO AG

Facts SKyPRO AG

• SKyPRO
– founded April 1987
– CHF 350'000 share capital (AK)
– 50 employees
– Headquarters in Cham
– Development Office in Ukraine
– Sales Office in USA
– CHF 7 Mio. turnover

• We do
– Identity & Access Governance (IAG) solutions in banking, insurance, industry, government, schools and service companies
– Consulting, conception, implementation and operation of IAG and security solutions
– 30 years of experience as an IT service company and over 15 years in IAG
– SailPoint Partner

Facts SKyPRO AG

Switzerland (Headquarters)
• IAG Services
• Consulting
• Conception
• Implementation
• Operation & Support

USA (Sales Office)
• Distribution of IAG Products

Ukraine (Development)
• Development Office
• Support Center
• 7x24h Hotline
• Marketing

Learn from the past

What can we learn from the past?

FORENSICS AND POST BREACH ANALYSIS SHOWS
• Identity is a common weakness
• Entitlement and access is the attack target
• Files are responsible for 60% of breaches
• ... and are the most difficult to detect

SECURITY ERRORS AND WEAKNESSES ARE SPREAD OUT OVER A “CYBER KILL CHAIN”
• Poor account controls
• Weak passwords
• Orphan accounts
• Weak inventory and cataloging
• Over-assignment of user access
• Unstructured data insanity

The Cyber Kill Chain

INTRODUCED BY LOCKHEED MARTIN '99
• Anatomy of a typical cyber breach
• Plots the path of an attack
• Reference model for cyber defense

PHASES OF ATTACK
• Reconnaissance
• Weaponization
• Delivery
• Infiltration

The Cyber Kill Chain: biggest area of weakness

[Figure: the four phases used in the rest of this talk: RECONNAISSANCE, INFILTRATION, EXPLOITATION, EXFILTRATION]

The Anatomy of a Data Breach

The Players

THE VICTIM
• A market leading manufacturing company with strong IP
• Big B2B and B2C presence on-line

THE ATTACKER
• A known organized crime syndicate in China
• Money, time and resources

Timeline

[Timeline figure: milestones JAN 2014, APRIL 2015, AUG 2015, DEC 2015 and JAN 2016 across the phases RECONNAISSANCE, INFILTRATION, EXPLOITATION, EXFILTRATION]

Reconnaissance

• External web and network scanning. Fuzz all externally facing resources…
• Research on executives, employees, contractors and suppliers.
• Blanket phishing attempts and targeted reconnaissance.

Infiltration

• Spear phished an executive. Drive-by download executed. Local admin exploit.
• Lateral movement to several Windows servers in the test environment using default accounts & passwords.
• Extensive inventory & scanning. Attack on the PAM tool resulting in escalation of privileges.

Exploitation

• Brute force password attacks on AD domain, local apps and SaaS services.
• Found password .xls files and PowerShell scripts with domain admin credentials.
• Scraped company SharePoint portal. Fake account to request & receive access to Salesforce.
• APP & DB access to main LOB system. Escalated AD group access. Created domain admin account.

Exfiltration

• Downloaded password hashes/database for several internal systems.
• Pulled down terabytes of damaging files found in file shares and the internal SharePoint sites.
• Pulled customer and sales data from Salesforce and stole product plans from the IP DB.
• Pulled every file from the file shares including financials, client and employee data.

Damage Assessment

• COMPANY FINANCIALS EXPOSED
• EMPLOYEE DATA SOLD ON THE DARK WEB
• COMPANY IN CHINA OPENS, SELLING A DUPLICATE PRODUCT
• REPUTATIONAL DAMAGE
• LOSS OF PARTNERS AND CUSTOMERS
• EMPLOYEE DISSATISFACTION
• RESIGNATION OF THE CISO

What went wrong?

MISSED PROTECTIONS
MISSED DETECTIONS

IAG Protection & Detection

• INVENTORY & VISIBILITY
• STRONG AUTHENTICATION
• PASSWORD CONTROLS
• LIFECYCLE MANAGEMENT
• PAM GOVERNANCE
• REQUEST CONTROLS
• DATA ACCESS GOVERNANCE
• INTEGRATED IAM AWARE SECURITY

The Anatomy of a Data Breach - Timeline

[Timeline figure repeated: the following slides map each control onto the phases RECONNAISSANCE, INFILTRATION, EXPLOITATION, EXFILTRATION]

Visibility & Inventory

• Default accounts and passwords.
• Orphan account management.
• Automated recertification.

Strong Authentication

• Multi-factor.
• Step-up.
• Context & behavior.

Password Management

• Strong password policies.
• Lifecycle enforcement.
• Change detection & alerting.

Lifecycle Management

• Known JML state transitions.
• Embedded data triggers.
• Detective controls & policy checks.
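Visibility & Inventory, Password Management (lifecycle enforcement) and Lifecycle Management all come down to one reconciliation: compare the accounts that exist in the systems against what the HR feed says should exist, and flag what does not line up. The Python below is an added example written for this page, not SailPoint or SKyPRO code; the HR feed, the account inventory, the list of default account names and the 90-day password age are constructed assumptions. It flags exactly the conditions the case study exploited: an enabled default account on a test server, an orphan service account, a leaver whose account was never disabled, and passwords nobody has rotated.

```python
"""IAG inventory checks over a constructed HR feed and account inventory:
orphan accounts, leavers whose accounts are still enabled, enabled default
accounts and stale passwords. Added example, not SailPoint or SKyPRO code."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Identity:
    identity_id: str
    status: str                        # HR status: "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    system: str                        # AD domain, SaaS tenant, server name, ...
    name: str
    owner_id: Optional[str]            # correlated HR identity, None if uncorrelated
    enabled: bool
    password_last_set: date
    last_login: Optional[date]


# Assumed list of vendor/default account names; tune to your own estate.
DEFAULT_ACCOUNT_NAMES = {"administrator", "admin", "guest", "sa", "root", "test"}

# Constructed sample data (not from any real environment).
AS_OF = date(2015, 8, 15)
IDENTITIES = [
    Identity("E100", "active"),
    Identity("E200", "terminated", date(2015, 3, 31)),
]
ACCOUNTS = [
    Account("AD", "jdoe", "E100", True, date(2015, 7, 1), date(2015, 8, 10)),
    Account("AD", "msmith", "E200", True, date(2014, 11, 5), date(2015, 8, 9)),
    Account("AD", "svc-backup", None, True, date(2013, 2, 1), date(2015, 8, 1)),
    Account("test-srv-03", "administrator", None, True, date(2014, 1, 1), None),
    Account("Salesforce", "guest", None, False, date(2015, 1, 1), None),
]


def is_default_account(account: Account) -> bool:
    return account.name.lower() in DEFAULT_ACCOUNT_NAMES


def find_default_accounts(accounts):
    """Enabled built-in accounts: the kind used for lateral movement in the case study."""
    return [a for a in accounts if a.enabled and is_default_account(a)]


def find_orphans(accounts, identities):
    """Enabled accounts correlated to no HR identity (default accounts are reported separately)."""
    known = {i.identity_id for i in identities}
    return [a for a in accounts if a.enabled and not is_default_account(a)
            and (a.owner_id is None or a.owner_id not in known)]


def find_leaver_accounts(accounts, identities):
    """JML 'leaver' transition not enforced: owner terminated in HR, account still enabled."""
    terminated = {i.identity_id for i in identities if i.status == "terminated"}
    return [a for a in accounts if a.enabled and a.owner_id in terminated]


def find_stale_passwords(accounts, today: date, max_age_days: int = 90):
    """Password lifecycle enforcement: enabled accounts whose password exceeds the policy age."""
    return [a for a in accounts if a.enabled
            and (today - a.password_last_set).days > max_age_days]


def reconcile(accounts, identities, today: date, max_age_days: int = 90):
    """Run every check; return sorted (check, system, account) findings for a recertification campaign."""
    findings = []
    findings += [("default-account-enabled", a.system, a.name) for a in find_default_accounts(accounts)]
    findings += [("orphan-account", a.system, a.name) for a in find_orphans(accounts, identities)]
    findings += [("leaver-still-enabled", a.system, a.name) for a in find_leaver_accounts(accounts, identities)]
    findings += [("stale-password", a.system, a.name)
                 for a in find_stale_passwords(accounts, today, max_age_days)]
    return sorted(findings)


if __name__ == "__main__":
    for finding in reconcile(ACCOUNTS, IDENTITIES, AS_OF):
        print(*finding)
```

Running the module prints the six findings for the sample data. In an IAG deployment each finding would open a recertification item for the account owner, or for the system owner where there is no owner to ask, and a leaver finding would normally trigger an automated disable rather than a review.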

PAM Governance

• Inventory & modeling for PAM.
• Visibility & certification.
• Detective & preventive controls.

Access Request Management

• Approvals & audit.
• Preventive policy evaluation.
• Access risk modeling.
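Preventive policy evaluation means the request is checked by policy before any approver sees it. In the case study a fake account simply requested and received Salesforce access; the check that would have stopped it is whether the requester correlates to an active HR identity at all, and the risk model then decides how much approval a legitimate request needs. The Python below is an added example, not SailPoint or SKyPRO code; the entitlement catalogue, the segregation-of-duties rule, the 1 to 5 risk scale, the 30-day new-account threshold and the sample requesters are constructed assumptions.

```python
"""Preventive policy evaluation for an access request: reject requests from
uncorrelated or inactive identities and SoD conflicts outright, then derive
the approval chain from the entitlement's risk. Added example, not SailPoint
or SKyPRO code; catalogue, rules and requesters are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Entitlement:
    name: str
    risk: int                        # 1 (low) .. 5 (critical), assumed scale
    owner_id: str                    # identity that owns and approves this entitlement


@dataclass(frozen=True)
class Requester:
    account: str
    identity_id: Optional[str]       # None when the account correlates to no HR identity
    hr_status: Optional[str]         # "active", "terminated", or None when unknown to HR
    manager_id: Optional[str]
    account_created: date
    entitlements: FrozenSet[str] = frozenset()


@dataclass
class Decision:
    outcome: str                     # "reject" or "route-for-approval"
    reasons: List[str] = field(default_factory=list)
    approvers: List[str] = field(default_factory=list)


# Constructed entitlement catalogue and SoD rule (export all data + manage users).
CATALOG = {
    "sf-sales-user": Entitlement("sf-sales-user", 1, "E300"),
    "sf-export-all-data": Entitlement("sf-export-all-data", 4, "E300"),
    "sf-manage-users": Entitlement("sf-manage-users", 4, "E300"),
}
SOD_RULES = [frozenset({"sf-export-all-data", "sf-manage-users"})]

HIGH_RISK = 4          # at or above: entitlement owner must also approve (assumed threshold)
NEW_ACCOUNT_DAYS = 30  # accounts younger than this get a security review (assumed threshold)

# Constructed requesters: a normal employee, an account unknown to HR, and an SoD case.
AS_OF = date(2015, 8, 15)
LEGIT = Requester("jdoe", "E100", "active", "E050", date(2014, 1, 10), frozenset({"sf-sales-user"}))
FAKE = Requester("j.doe2", None, None, None, date(2015, 8, 1))
CONFLICT = Requester("kwong", "E150", "active", "E050", date(2013, 5, 2), frozenset({"sf-manage-users"}))


def _add_approver(decision: Decision, who: str) -> None:
    if who not in decision.approvers:
        decision.approvers.append(who)


def evaluate_request(requester: Requester, entitlement_name: str, today: date) -> Decision:
    ent = CATALOG.get(entitlement_name)
    if ent is None:
        return Decision("reject", [f"unknown entitlement {entitlement_name}"])
    # Preventive checks: these stop the request before a human approver is involved.
    if requester.identity_id is None or requester.hr_status != "active":
        return Decision("reject", ["requester does not correlate to an active HR identity"])
    if ent.name in requester.entitlements:
        return Decision("reject", ["requester already holds this entitlement"])
    for rule in SOD_RULES:
        if ent.name in rule and (rule - {ent.name}) <= requester.entitlements:
            return Decision("reject", [f"SoD conflict: {sorted(rule)}"])
    # Risk modelling: decide how much approval the request needs.
    decision = Decision("route-for-approval")
    if requester.manager_id:
        _add_approver(decision, requester.manager_id)
    else:
        decision.reasons.append("no manager on record: security review required")
        _add_approver(decision, "security-review")
    if ent.risk >= HIGH_RISK:
        decision.reasons.append(f"risk {ent.risk}: entitlement owner approval required")
        _add_approver(decision, ent.owner_id)
    if (today - requester.account_created).days < NEW_ACCOUNT_DAYS:
        decision.reasons.append("requester account is new: security review required")
        _add_approver(decision, "security-review")
    return decision


if __name__ == "__main__":
    for who, ent in [(LEGIT, "sf-export-all-data"), (FAKE, "sf-sales-user"), (CONFLICT, "sf-export-all-data")]:
        print(who.account, ent, evaluate_request(who, ent, AS_OF))
```

The order of the checks is the point: identity correlation and SoD are evaluated first and end the request with a recorded reason, so the audit trail shows why a request never reached an approver; only requests that pass them are routed, and the approver list grows with the risk rather than being a fixed manager sign-off.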

Data Access Governance

• Effective access modeling.
• Classification & categorization.
• File access alerts.

Integrated Identity Aware Security

• IAM & security as one integrated strategy.
• Shared IAM context.
• Integrated IAM response actions.

IAG Protection & Detection

• INVENTORY & VISIBILITY
• STRONG AUTHENTICATION
• PASSWORD CONTROLS
• LIFECYCLE MANAGEMENT
• PAM GOVERNANCE
• REQUEST CONTROLS
• DATA ACCESS GOVERNANCE
• INTEGRATED IAM AWARE SECURITY
• IAM SENSORS

IAG Sensors

Detecting Attacks

ACCOUNT “HONEY POTS”
• Fake accounts with login alerts
• Deliberately weak passwords
• Automatically created and managed
• Spread out over apps and infrastructure

FILE & FOLDER “TRIP WIRES”
• Fake files and folders
• Appealing names and content
• Pre-set file access alerts
• Spread out over cloud and on-premises file shares
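Both sensors above, and the file access alerts under Data Access Governance, reduce to one detection pattern: a registry of decoys that no legitimate user or process should ever touch, and an alert on any event that names one of them. Because nothing legitimate knows the honey account exists, even a failed logon is a signal, which is what makes these sensors low-noise compared with alerting on ordinary accounts. The Python below is an added example, not SailPoint or SKyPRO code; the decoy account names, the tripwire paths, the key=value log format, the sample log lines and the management-tooling source address are all constructed.

```python
"""IAG sensors: alert on any use of decoy ('honey') accounts and any access
to decoy ('tripwire') files, run over constructed key=value log lines.
Added example, not SailPoint or SKyPRO code; all names and lines are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Decoy registry. In a real deployment the IAG platform creates these accounts
# and files itself and keeps this registry current; here it is a static, constructed set.
HONEY_ACCOUNTS = {"svc_legacy_backup", "sa_admin_old"}
TRIPWIRE_PATHS = {
    r"\\fs01\finance\board_ma_targets_2016.xlsx",
    r"\\fs01\hr\salary_review_all_staff.xlsx",
}
# Source addresses of the tooling that manages the decoys (assumed); its own
# housekeeping touches must not page the SOC.
MANAGEMENT_SOURCES = {"10.0.0.9"}

# Constructed sample log: an ordinary logon, a failed and then successful logon
# to a honey account, an ordinary file read, a tripwire read, a management
# touch, and one malformed line.
SAMPLE_LOG = [
    "2015-08-12T02:14:07Z host=dc01 event=logon user=jdoe result=success src=10.0.5.23",
    "2015-08-12T02:14:39Z host=dc01 event=logon user=svc_legacy_backup result=failure src=10.0.5.23",
    "2015-08-12T02:14:52Z host=dc01 event=logon user=svc_legacy_backup result=success src=10.0.5.23",
    r"2015-08-12T02:20:11Z host=fs01 event=file_read user=jdoe path=\\fs01\finance\budget_2015.xlsx src=10.0.5.23",
    r"2015-08-12T02:21:48Z host=fs01 event=file_read user=svc_legacy_backup path=\\fs01\finance\board_ma_targets_2016.xlsx src=10.0.5.23",
    r"2015-08-12T03:00:00Z host=fs01 event=file_stat user=iag-connector path=\\fs01\hr\salary_review_all_staff.xlsx src=10.0.0.9",
    "garbage line without structure",
]


@dataclass(frozen=True)
class Alert:
    kind: str        # "honey-account-used" or "tripwire-file-accessed"
    timestamp: str
    host: str
    user: str
    detail: str      # logon result, or the file path touched
    src: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse 'timestamp key=value key=value ...'; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 2 or "=" in parts[0]:
        return None
    fields = {"ts": parts[0]}
    for token in parts[1:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    return fields


def detect(lines: List[str]) -> List[Alert]:
    """Return one alert per event that names a decoy account or decoy file."""
    alerts: List[Alert] = []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        user = f.get("user", "").lower()
        src = f.get("src", "")
        if src in MANAGEMENT_SOURCES:
            continue
        if f.get("event") == "logon" and user in HONEY_ACCOUNTS:
            # A failed logon counts too: nobody legitimate should know this account exists.
            alerts.append(Alert("honey-account-used", f["ts"], f.get("host", "?"),
                                user, f.get("result", "?"), src))
        elif f.get("event", "").startswith("file_") and f.get("path", "").lower() in TRIPWIRE_PATHS:
            alerts.append(Alert("tripwire-file-accessed", f["ts"], f.get("host", "?"),
                                user, f["path"], src))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample lines the detector raises three alerts: the failed and the successful logon to the honey account, and the read of the tripwire spreadsheet; the connector's own stat of a decoy file is suppressed by the management allowlist. Feeding the honey account's alert and the tripwire alert into the integrated response actions described earlier (disable the account, step up authentication for the source) is what turns the sensor into a control.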

Q & A

Andreas Fuhrmann, SKyPRO AG, [email protected]
John Waters, SailPoint, [email protected]

Unpublished Work of SKyPRO, All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of SKyPRO. Access to this work is restricted to SKyPRO employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SKyPRO. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer. This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SKyPRO makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SKyPRO products remains at the sole discretion of SKyPRO. Further, SKyPRO reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SKyPRO marks referenced in this presentation are trademarks or registered trademarks of SKyPRO in Switzerland and other countries. All third-party trademarks are the property of their respective owners.