The Increasing Sophistication of Cyber Threatsecrisponsor.org/Npresentations/ct1-6b.pdf · PARSONS...

Managing the Risks The Increasing Sophistication of Cyber Threats 1 PARSONS PROPRIETARY November 2012 Tom Roell

Page 1: The Increasing Sophistication of Cyber Threatsecrisponsor.org/Npresentations/ct1-6b.pdf · PARSONS PROPRIETARY 4 PARSONS PROPRIETARY Approved for Public Release, Export Control VB.01.2012

Managing the Risks

The Increasing Sophistication of Cyber Threats

November 2012

Tom Roell

Page 2

“Everybody is getting hit” Gen. Keith Alexander, Director, U.S. Cyber Command, NSA

the average number of days to resolve a cyber attack was 18 days with an average cost to the organization of $415,748. Up 67% from previous year. Ponemon Institute

“America is under attack…we aren’t doing enough to stop it.”

“…businesses of every type and size are vulnerable to attacks.”

“…malware (infected) more than 4 million computers located in more than 100 countries.”

“All it takes is one unsuspecting user to click on the wrong link or attachment and an entire network is put at risk.”

“STUXNET, Duqu, Flame, Wiper, Shamoon – Middle East gets hit hard from all sides”

Page 3

Attack Types and Vectors

Types

• Trojans
• Viruses
• Rootkits
• Malware
• Worms
• Spoofing
• Key logging
• Botnet
• Denial of Service

Vectors

• Email Messages, Attachments
• Downloaded files
• Infected webpages
• Videos
• Popup windows
• Instant Messages
• Social Media

[Charts: New malware created in 2011, by type; Malware infections in 2011, by type]

Page 4

Common Examples of Threats

Phishing Attacks – A phishing attack is a plausible-looking email carrying malware (usually a link to a website or an attachment that downloads files) that will poke a hole in the firewall and invite a hostile actor in.

Keystroke loggers – gain access to the network via phishing attacks, USB drives or files, then record and send what keys were pressed.

Insider – activity can range from creating havoc to sophisticated espionage. Tough to detect.

BotNet – basically a compromised network of computers or servers (could be worldwide) doing an adversary’s bidding. They can leverage your computer while you are still working on it.

Hacktivism – Anonymous, Lulzsec, Sword of Allah, others, targeting companies as they desire based on ideology.

Page 5

Advanced Persistent Threat (APT)

Advanced – The hacker has the ability to evade detection and the capability to gain and maintain access to well protected networks and sensitive information contained within them. The hacker is generally adaptive and well resourced.

Persistent – The persistent nature of the threat makes it difficult to prevent access to your computer network and, once the threat actor has successfully gained access to your network, very difficult to remove.

Threat – The hacker has not only the intent but also the capability to gain access to sensitive information stored electronically.

[Images: China J-20; U.S. F-22 Raptor]

Are APTs a Risk To Your Business?

Page 6

Who Are They and What Motivates Them?

Anonymous, a group of hacktivists originating in 2003. Motivation: Ideology

Honker Union of China (H.U.C.) is a group known for hacktivism, mainly present in Mainland China. Motivation: Nationalism

Cybercriminals
• Russia
• Ukraine
Motivation: $$$$

Insider Threat
• Difficult to defend against
• Least acknowledged when it occurs
Motivation: Revenge, $$$$

Page 7

Attackers vs Defenders

Attackers
• They eat, live and breathe coming up with attacks
• They collaborate with one another
• They share information and tools
• They only need to be right once

Defenders
• Subject to budget pressures
• Rarely get necessary training on latest attack Tactics, Techniques, Procedures
• Tools are expensive to purchase and may not be worth cost
• Many do not share information out of fear of exposing weaknesses
• We have to be right all the time

Page 8

Global Statistics: Data Breaches

79% victims of opportunity – easier prey than others.

96% of attacks were not highly difficult

94% of all data compromised involved network servers

85% of breaches took weeks or more to discover

92% of incidents were discovered by a 3rd party

97% of breaches were avoidable through simple or intermediate controls

Origin of external agents by percent of breaches with internal

Verizon Data Breach Investigations Report: 2012

Page 9

Risks to Business and Corporations?

Loss of Reputation – Data that resides with you is no longer secure

Loss of Contracts – The trust with the customer dwindles

Culpability for poor performance based on hostile manipulated data – finished product does not work, is unsafe, or fails due to manipulated data.

Culpability for loss of Personally Identifiable Information

Culpability for loss of Customer data/information

Culpability for compromise of IP, yours or Trusted partner

Loss of information – Data has been stolen. Loss of intellectual property

Business disruption – functionality of networks is impacted

Revenue loss – inability to complete jobs.

Equipment damages – Destructive attacks that cause equipment loss

Other losses – administrative, personnel, etc.

Business Risk Corporate Risk

Page 10

Example #1 – Saudi Aramco

Target: Saudi Aramco operates the world's largest single hydrocarbon network. Attacked 15 August, 2012

Attack Vector: Insider? (Malware Installation)

Perpetrators: “The Cutting Swords of Justice” (skilled amateurs)

Impact: 30K workstations had master boot record wiped of all data (destructive attack). Reportedly did not impact petroleum production network (separate network).

Cost: Massive. 10 days to repair, restore operations.

No exfiltration, No espionage, No ransom, No money

Just Malicious Destruction

Page 11

Example #2 – Qatari RasGas

Target: World’s largest producer of liquefied natural gas (LNG). Distributes about 36 million tons annually. Attacked 27 August, 2012

Attack Vector: Malicious software (Malware Installation)

Perpetrators: Possibly same as Aramco hackers

Impact: Corporate network and email down. Website down. Reportedly did not impact production operations (separate network).

Cost of attack: Weeks to restore operations. Loss of reputation.

No exfiltration, No espionage, No ransom, No money

More Malicious Destruction

Page 12

Example #3 – Telvent Canada Ltd.

Target: An IT and industrial automation company specializing in Supervisory Control and Data Acquisition (SCADA) systems, GIS and related IT systems for pipeline, energy utility, traffic, agriculture and environmental monitoring industries. Hack discovered on 10 September, 2012

Attack Vector: Malicious software (Malware Injection)

Perpetrators: China (The Comment Group)

Impact: Data exfiltration of project files related to a control system used in portions of the electrical grid, oil and gas pipeline systems in North America, as well as in some water system networks.

Cost of attack: Loss of IP. Loss of reputation. Control Systems at Risk.

Data Exfiltration

Page 13

Example #4 – Banking Industry

Target: JPMorgan Chase, Wells Fargo, U.S. Bank and PNC Bank, HSBC, Bank of America, Citigroup, Wells Fargo, since 19 September.

Attack Vector: Hacked data center servers

Perpetrators: Izz ad-Din al-Qassam Cyber Fighters – claimed responsibility. However security experts now believe multiple, well organized hackers were responsible. Appear to originate in Iran, Russia.

Impact: Customers unable to access accounts, conduct business.

Cost of attack: Customers unable to conduct business.

Largest DDOS In History

"What we are experiencing is a dramatic uptick in the size and sophistication of DDoS attacks to a level not previously observed," Scott Hammack, Prolexic

Page 14

Example #5 – Defense Contractors

Target: RSA, L-3, Northrop Grumman, Lockheed Martin.

Attack Vector: Spear Phishing, Poison Ivy backdoor

Perpetrators: China?

Impact: Massive.

Cost of attack: Cost to EMC, RSA’s parent company to replace 44M tokens: $66M plus lost reputation. LM, L-3, Northrop Grumman unknown.

They Want Our Intellectual Property

Page 15

Cybercrime Attack Trends: Sophistication

Cybercriminals using business models to maximize profits

| Before | After |
| --- | --- |
| SpyEye – buy full version: $4,000 | Buy SpyEye binary with set-up and injections for $600 |
| Zeus – buy full version: $10,000 | Buy Zeus recompile, 2 for $380 |
| HTML Injections come with Trojan | Buy customized $50 - $75 |
| Injections crypts – not sold | Buy for $5 each or $50 per month unlimited |
| Anti-security software – not sold | One time license fee $250 + $10 for upgrades |

Cyber Underground is Primed and Loaded With New Tools

Page 16

Cyber Security Threat Trends

• Industrial Control Systems (ICS) will be targeted more

• Rise in sophistication of attacks

• Continued Cyber-warfare (Sons of Stuxnet, Duqu, Flame)

• Social networks and Mobile devices will be targeted more

• Cybercriminals will increasingly target small to medium businesses in addition to large corporations

• Cyber Industrial warfare driven by Advanced Persistent Threats

Page 17

Cyber Risk Management: A Board Level Responsibility

Strategic Benefits

Corporate decision making is improved through the high visibility of risk exposure, both for individual activities and major projects, across the whole of the organization.

Financial Benefits

Providing financial benefit to the organization through the reduction of losses and improved “value for money” potential.

Operational Benefits

Organizations are prepared for most eventualities, being assured of adequate contingency plans.

Top-level, executive commitment ensures sufficient resources are available to develop and implement effective, organization-wide risk management programs.

Page 18

Benefits of managing risks of cyber threats

Enable new business scenarios securely
• B2B: partner extranets, document collaboration, transactions
• Remote access, wireless access

Comply with regulations

Increase employee productivity
• Ensure productive Internet usage, legal liability
• Guarantee high availability and up-time of critical IT assets

Reduce security risks & cost
• Downtime from malware attacks
• IP theft or system breach by hackers
• IP theft or system breach by insider threat

Protect Reputation of Brand

Page 19

Effectively Managing Risk

Assignment of risk management responsibilities to senior leaders/executives;

Ongoing recognition and understanding by senior leaders/executives of the information security risks to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems;

Establishing the organizational tolerance for risk and communicating the risk tolerance throughout the organization including guidance on how risk tolerance impacts ongoing decision-making activities; and

Accountability by senior leaders/executives for their risk management decisions and for the implementation of effective, organization-wide risk management programs.

NIST SP 800-39, Managing Information Security Risk

Page 20

Common Cyber Security practices

Prevention, Detection and Remediation

Monitoring and Reporting

Incident Handling and Response Coordination

Network Analysis

Host Forensic Analysis

Code Forensics / Malware Analysis

Vulnerability Assessment & Management

Page 21

Common Cyber Security practices

Prevention, Detection and Remediation
• Measures taken to defend networks

Monitoring and Reporting
• Analysts using network tools to identify/notify of security incidents
• Continuously for best results

Incident Handling and Response Coordination
• Process and procedures that allow recovery from an attack
• Critical to success

Network Analysis
• Inspecting network traffic to determine what happened

Host Forensic Analysis
• Inspecting hardware to determine what happened

Code Forensics / Malware Analysis
• Inspecting malicious code (virus, etc.) to understand threat
• Provides clues to originator, damage potential, remediation solutions

Vulnerability Assessment & Management
• Scanning of networks to identify workstations/servers at risk
• Provides input to overall risk to network(s)

Page 22

What companies are doing to reduce risk

Employee Awareness Training
• Provides a solid return on investment

Cyber Threat Intelligence Analysis
• Identify existing and emerging threats and take proactive measures

Security Information and Event Management
• Provides correlated visibility across network
• Reduces time to detect, alert and respond to Advanced Persistent Threats

SANS Top 20 Security Controls
• 94% reduction in "measured" security risk

Cyber Security Standards Compliance
• ISO/NIST/NERC/PCI-DSS

Page 23

Cyber Security Information Sharing

Organizations with an Info sharing role:

• Defense Industrial Base (DIB)
• DIB Collaborative Information Sharing Environment (DCISE)
• DIB Cyber Pilot
• Defense Cyber Crime Center (DC3)
• DHS-Computer Emergency Response Team (CERT)
• Industrial Controls Systems Joint Working Group (ICSJWG)
• Information Sharing and Analysis Centers (ISAC)
• Cyber Threat Intelligence Coordinating Group (CTICG)
• National Cybersecurity and Communications Integration Center
• DoD Joint Cybersecurity Services Pilot (JCSP)

Page 24

Cyber Security Information Sharing

[Figure: “Key Institutions In The Cyber Security PPP Landscape” (Rachel Nyswander Thomas). Diagram labels include the National Security Agency, Department of Justice, Federal Bureau of Investigation, Alcohol Tobacco and Firearms, Department of Homeland Security, Department of Defense and The White House, together with ISPs, the DIB, US-CERT, DC3, DCISE, JCSP and the sector ISACs.]

Page 25

Cyber Security Standards – Example #1

Key Standards and Guidelines

• FIPS Publication 199 (Security Categorization)
• FIPS Publication 200 (Minimum Security Controls)
• FIPS Publication 140-2 (Security Requirements for Crypto Modules)
• NIST Special Publication 800-18 (Security Planning)
• NIST Special Publication 800-30 (Risk Assessment)
• NIST Special Publication 800-37 (System Risk Management Framework)
• NIST Special Publication 800-39 (Enterprise-Wide Risk Management)
• NIST Special Publication 800-53 (Recommended Security Controls)
• NIST Special Publication 800-53A (Security Control Assessment)
• NIST Special Publication 800-59 (National Security Systems)
• NIST Special Publication 800-60 (Security Category Mapping)
• SANS Top 20 Security Controls for Effective Cyber Defense
• ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements

Page 26

Technology innovations present increased risk

Mobile computing
• Problem: Target rich environment for cybercriminals
• Risk: higher level of loss of info, loss of data control, etc.
• Remediation: IT manages mobile devices, A/V, anti-malware

Cloud computing
• Problem: How is my data not mixed with other data? Who at my Provider has access?
• Risk: Unauthorized access to sensitive data, loss/theft
• Remediation: Know how your provider will protect your data

[Chart: The number of malware modifications targeting Android OS]

Blackberry 10 first to receive FIPS 140-2 certification

Page 27

What can we do from a legal perspective?

Reporting Computer Hacking, Fraud and Other Internet-Related Crime

Type of Crime: Computer intrusion (i.e. hacking)

Appropriate federal investigative law enforcement agencies:
• FBI local office
• U.S. Secret Service
• Internet Crime Complaint Center

Page 28

Summary

Cyber Threats are increasing and expanding

Risk is severe

Security Standards and Risk Management Can Reduce Risk
• Security control framework, standards
• Risk management
• Information sharing
• Proactive Defense

Application of Security Standards and Risk Management are Enablers

Page 29

Questions?

Page 30

Intelligence and Risk Management Strategy

Intelligence-driven cyber security operations is part of a risk management strategy that addresses the threat component of risk

It incorporates
• Analysis of adversaries
• Their capabilities
• Objectives
• Doctrine and limitations

It's a continuous process that leverages indicators to discover new activity and enables proactive security measures that can lower risk