The Increasing Sophistication of Cyber Threats
Transcript of ecrisponsor.org/Npresentations/ct1-6b.pdf · PARSONS...
Managing the Risks
The Increasing Sophistication of Cyber Threats
1
PARSONS PROPRIETARY
November 2012
Tom Roell
PARSONS PROPRIETARY
PARSONS PROPRIETARY
Approved for Public Release, Export Control
VB.01.2012
“Everybody is getting hit” – Gen. Keith Alexander, Director, U.S. Cyber Command, NSA
The average number of days to resolve a cyber attack was 18 days with an average cost to the organization of $415,748. Up 67% from previous year. – Ponemon Institute
“America is under attack…we aren’t doing enough to stop it.”
“…businesses of every type and size are vulnerable to attacks.”
“…malware (infected) more than 4 million computers located in more than 100 countries.”
“All it takes is one unsuspecting user to click on the wrong link or attachment and an entire network is put at risk.”
2
“STUXNET, Duqu, Flame, Wiper, Shamoon – Middle East gets hit hard from all sides”
Attack Types and Vectors
Types: Trojans, Viruses, Rootkits, Malware, Worms, Spoofing, Key logging, Botnet, Denial of Service
3
Chart: New malware created in 2011, by type
Vectors: Email Messages, Attachments, Downloaded files, Infected webpages, Videos, Popup windows, Instant Messages, Social Media
Chart: Malware infections in 2011, by type
Common Examples of Threats
Phishing Attacks – A phishing attack is a legitimate-looking email containing malware (usually a link to a website or an attachment that downloads files) that will poke a hole in the firewall and invite a hostile actor in.
Keystroke loggers – gain access to the network via phishing attacks, USB drives or files, then record and send what keys were pressed.
Insider – ranges from creating havoc to sophisticated espionage. Tough to detect.
BotNet – basically a compromised network of computers or servers (could be worldwide) doing an adversary’s bidding. They can leverage your computer while you are still working on it.
Hacktivism – Anonymous, Lulzsec, Sword of Allah, others, targeting companies as they desire based on ideology.
4
Advanced Persistent Threat (APT)
Advanced The hacker has the ability to evade detection and the capability to gain and maintain access to well protected networks and sensitive information contained within them. The hacker is generally adaptive and well resourced.
Persistent The persistent nature of the threat makes it difficult to prevent access to your computer network and, once the threat actor has successfully gained access to your network, very difficult to remove.
Threat The hacker has not only the intent but also the capability to gain access to sensitive information stored electronically.
5
Image: China J-20 / U.S. F-22 Raptor
Are APTs a Risk To Your Business?
Who Are They and What Motivates Them?
Anonymous, a group of hacktivists originating in 2003. Motivation: Ideology
Honker Union of China (H.U.C.) is a group known for hacktivism, mainly present in Mainland China. Motivation: Nationalism
Cybercriminals (Russia, Ukraine). Motivation: $$$$
Insider Threat – Difficult to defend from; least acknowledged when it occurs. Motivation: Revenge, $$$$
6
Attackers vs Defenders
Attackers:
They eat, live and breathe coming up with attacks
They collaborate with one another
They share information and tools
They only need to be right once
Defenders:
Subject to budget pressures
Rarely get necessary training on latest attack Tactics, Techniques, Procedures
Tools are expensive to purchase and may not be worth cost
Many do not share information out of fear of exposing weaknesses
We have to be right all the time
7
Global Statistics: Data Breaches
79% victims of opportunity – easier prey than others.
96% of attacks were not highly difficult
94% of all data compromised involved network servers
85% of breaches took weeks or more to discover
92% of incidents were discovered by a 3rd party
97% of breaches were avoidable through simple or intermediate controls
8
Chart: Origin of external agents by percent of breaches with internal
Verizon Data Breach Investigations Report: 2012
Risks to Business and Corporations?
9
Loss of Reputation – Data that resides with you is no longer secure
Loss of Contracts – The trust with the customer dwindles
Culpability for poor performance based on hostile manipulated data – finished product does not work, is unsafe, or fails due to manipulated data.
Culpability for loss of Personally Identifiable Information
Culpability for loss of Customer data/information
Culpability for compromise of IP, yours or Trusted partner
Loss of information – Data has been stolen. Loss of intellectual property
Business disruption – functionality of networks is impacted
Revenue loss – inability to complete jobs.
Equipment damages – Destructive attacks that cause equipment loss
Other losses – administrative, personnel, etc.
Business Risk Corporate Risk
Example #1 – Saudi Aramco
10
Target: Saudi Aramco operates the world's largest single hydrocarbon network. Attacked 15 August, 2012
Attack Vector: Insider? (Malware Installation)
Perpetrators: “The Cutting Swords of Justice” (skilled amateurs)
Impact: 30K workstations had master boot record wiped of all data (destructive attack). Reportedly did not impact petroleum production network (separate network).
Cost: Massive. 10 days to repair, restore operations.
No exfiltration, No espionage, No ransom, No money
Just Malicious Destruction
Example #2 – Qatari RasGas
11
Target: World’s largest producer of liquefied natural gas (LNG). Distributes about 36 million tons annually. Attacked 27 August, 2012
Attack Vector: Malicious software (Malware Installation)
Perpetrators: Possibly same as Aramco hackers
Impact: Corporate network and email down. Website down. Reportedly did not impact production operations (separate network).
Cost of attack: Weeks to restore operations. Loss of reputation.
No exfiltration, No espionage, No ransom, No money
More Malicious Destruction
Example #3 – Telvent Canada Ltd.
12
Target: An IT and industrial automation company specializing in Supervisory Control and Data Acquisition (SCADA) systems, GIS and related IT systems for pipeline, energy utility, traffic, agriculture and environmental monitoring industries. Hack discovered on 10 September, 2012
Attack Vector: Malicious software (Malware Injection)
Perpetrators: China (The Comment Group)
Impact: Data exfiltration of project files related to a control system used in portions of the electrical grid, oil and gas pipeline systems in North America, as well as in some water system networks.
Cost of attack: Loss of IP. Loss of reputation. Control Systems at Risk.
Data Exfiltration
Example #4 – Banking Industry
13
Target: JPMorgan Chase, Wells Fargo, U.S. Bank and PNC Bank, HSBC, Bank of America, Citigroup, Wells Fargo, since 19 September.
Attack Vector: Hacked data center servers
Perpetrators: Izz ad-Din al-Qassam Cyber Fighters – claimed responsibility. However, security experts now believe multiple, well organized hackers were responsible. Appear to originate in Iran, Russia.
Impact: Customers unable to access accounts, conduct business.
Cost of attack: Customers unable to conduct business.
Largest DDOS In History
"What we are experiencing is a dramatic uptick in the size and sophistication of DDoS attacks to a level not previously observed," Scott Hammack, Prolexic
Example #5 – Defense Contractors
14
Target: RSA, L-3, Northrop Grumman, Lockheed Martin.
Attack Vector: Spear Phishing, Poison Ivy backdoor
Perpetrators: China?
Impact: Massive.
Cost of attack: Cost to EMC, RSA’s parent company, to replace 44M tokens: $66M plus lost reputation. LM, L-3, Northrop Grumman unknown.
They Want Our Intellectual Property
Cybercrime Attack Trends: Sophistication
Cybercriminals using business models to maximize profits
15
Before | After
SpyEye – buy full version: $4,000 | Buy SpyEye binary with set-up and injections for $600
Zeus – buy full version: $10,000 | Buy Zeus recompile, 2 for $380
HTML Injections come with Trojan | Buy customized $50 - $75
Injections crypts – not sold | Buy for $5 each or $50 per month unlimited
Anti-security software – not sold | One time license fee $250 + $10 for upgrades
Cyber Underground is Primed and Loaded With New Tools
Cyber Security Threat Trends
16
• Industrial Control Systems (ICS) will be targeted more
• Rise in sophistication of attacks
• Continued Cyber-warfare (Sons of Stuxnet, Duqu, Flame)
• Social networks and Mobile devices will be targeted more
• Cybercriminals will increasingly target small to medium businesses in addition to large corporations
• Cyber Industrial warfare driven by Advanced Persistent Threats
Cyber Risk Management: A Board Level Responsibility
Strategic Benefits
Corporate decision making is improved through the high visibility of risk exposure, both for individual activities and major projects, across the whole of the organization.
Financial Benefits
Providing financial benefit to the organization through the reduction of losses and improved “value for money” potential.
Operational Benefits
Organizations are prepared for most eventualities, being assured of adequate contingency plans.
17
Top-level, executive commitment ensures sufficient resources are available to develop and implement effective, organization-wide risk management programs.
Benefits of managing risks of cyber threats
Enable new business scenarios securely: B2B – partner extranets, document collaboration, transactions; remote access, wireless access
Comply with regulations
Increase employee productivity: ensure productive Internet usage, legal liability
Guarantee high availability and up-time of critical IT assets
Reduce security risks & cost: downtime from malware attacks; IP theft or system breach by hackers; IP theft or system breach by insider threat
Protect Reputation of Brand
18
Effectively Managing Risk
Assignment of risk management responsibilities to senior leaders/executives;
Ongoing recognition and understanding by senior leaders/executives of the information security risks to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems;
Establishing the organizational tolerance for risk and communicating the risk tolerance throughout the organization including guidance on how risk tolerance impacts ongoing decision-making activities; and
Accountability by senior leaders/executives for their risk management decisions and for the implementation of effective, organization-wide risk management programs.
19
NIST SP 800-39, Managing Information Security Risk
Common Cyber Security practices
Prevention, Detection and Remediation
Monitoring and Reporting
Incident Handling and Response Coordination
Network Analysis
Host Forensic Analysis
Code Forensics / Malware Analysis
Vulnerability Assessment & Management
20
Common Cyber Security practices
Prevention, Detection and Remediation – Measures taken to defend networks
Monitoring and Reporting – Analysts using network tools to identify/notify of security incidents; continuously for best results
Incident Handling and Response Coordination – Process and procedures that allow recovery from an attack; critical to success
Network Analysis – Inspecting network traffic to determine what happened
Host Forensic Analysis – Inspecting hardware to determine what happened
Code Forensics / Malware Analysis – Inspecting malicious code (virus, etc.) to understand threat; provides clues to originator, damage potential, remediation solutions
Vulnerability Assessment & Management – Scanning of networks to identify workstations/servers at risk; provides input to overall risk to network(s)
21
What companies are doing to reduce risk
Employee Awareness Training – Provides a solid return on investment
Cyber Threat Intelligence Analysis – Identify existing and emerging threats and take proactive measures
Security Information and Event Management – Provides correlated visibility across network; reduces time to detect, alert and respond to Advanced Persistent Threats
SANS Top 20 Security Controls – 94% reduction in "measured" security risk
Cyber Security Standards Compliance – ISO/NIST/NERC/PCI-DSS
22
Cyber Security Information Sharing
23
Organizations with an Info sharing role:
• Defense Industrial Base (DIB)
• DIB Collaborative Information Sharing Environment (DCISE)
• DIB Cyber Pilot
• Defense Cyber Crime Center (DC3)
• DHS-Computer Emergency Response Team (CERT)
• Industrial Controls Systems Joint Working Group (ICSJWG)
• Information Sharing and Analysis Centers (ISAC)
• Cyber Threat Intelligence Coordinating Group (CTICG)
• National Cybersecurity and Communications Integration Center
• DoD Joint Cybersecurity Services Pilot (JCSP)
Cyber Security Information Sharing
24
Diagram: Key Institutions In The Cyber Security PPP Landscape (Rachel Nyswander Thomas) – federal agencies (National Security Agency, Department of Justice, Federal Bureau of Investigation, Alcohol Tobacco and Firearms, Department of Homeland Security, Department of Defense, The White House), ISPs, the DIB (DIB Cyber Pilot, DC3, DCISE), CIPCAC, OIA, ISC-CERT, US-CERT, NCICC, CT-ICG, PPWCG, JCSP, NCC, FIRST OBSERVER, CSCWG, ICASI, NEI, APTA, GCCs, SCCs (IT SCC) and the sector ISACs (IT, REN, Water, ST, SC, Maritime, Health, EMR, ES, FS, Real Estate)
Cyber Security Standards – Example #1
25
Key Standards and Guidelines
FIPS Publication 199 (Security Categorization)
FIPS Publication 200 (Minimum Security Controls)
FIPS Publication 140-2 (Security Requirements for Crypto Modules)
NIST Special Publication 800-18 (Security Planning)
NIST Special Publication 800-30 (Risk Assessment)
NIST Special Publication 800-37 (System Risk Management Framework)
NIST Special Publication 800-39 (Enterprise-Wide Risk Management)
NIST Special Publication 800-53 (Recommended Security Controls)
NIST Special Publication 800-53A (Security Control Assessment)
NIST Special Publication 800-59 (National Security Systems)
NIST Special Publication 800-60 (Security Category Mapping)
SANS Top 20 Security Controls for Effective Cyber Defense
ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements
Technology innovations present increased risk
Mobile computing – Problem: Target rich environment for cybercriminals. Risk: higher level of loss of info, loss of data control, etc. Remediation: IT manages mobile devices, A/V, anti-malware
Cloud computing – Problem: How is my data not mixed with other data? Who at my Provider has access? Risk: Unauthorized access to sensitive data, loss/theft. Remediation: Know how your provider will protect your data
26
Chart: The number of malware modifications targeting Android OS
Blackberry 10 first to receive FIPS 140-2 certification
What can we do from a legal perspective?
27
Reporting Computer Hacking, Fraud and Other Internet-Related Crime
Type of Crime | Appropriate federal investigative law enforcement agencies
Computer intrusion (i.e. hacking) | FBI local office; U.S. Secret Service; Internet Crime Complaint Center
Summary
Cyber Threats are increasing and expanding
Risk is severe
Security Standards and Risk Management Can Reduce Risk: security control framework, standards; risk management; information sharing; proactive defense
28
Application of Security Standards and Risk Management are Enablers
Questions?
29
Intelligence and Risk Management Strategy
Intelligence-driven cyber security operations are part of a risk management strategy that addresses the threat component of risk.
It incorporates analysis of adversaries: their capabilities, objectives, doctrine and limitations.
It is a continuous process that leverages indicators to discover new activity and enables proactive security measures that can lower risk.
30
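As an added illustration (not part of the original deck) of how indicator-driven operations and the SIEM-style correlation described on the "What companies are doing to reduce risk" slide fit together: the Python script below matches a constructed indicator set against constructed mail-gateway, web-proxy and endpoint log lines, correlates hits per host, and pivots from a known-bad domain to the IP it resolved to so that activity no existing indicator covered is surfaced. All indicator values, log lines, hostnames and campaign labels are placeholders, not real IoCs.

```python
import re

# Constructed indicator set (placeholder values, not real IoCs), each mapped to a campaign label.
INDICATORS = {
    "domain": {"update-portal.example.invalid": "campaign-A"},
    "sha256": {"a" * 64: "campaign-A"},
}

# Constructed log lines from three sources: mail gateway, web proxy and endpoint agent.
SAMPLE_LOGS = [
    "mail ts=08:01 user=jdoe host=WS-117 sha256=" + "a" * 64 + " subject=invoice",
    "proxy ts=08:03 user=jdoe host=WS-117 dst=update-portal.example.invalid ip=203.0.113.7",
    "endpoint ts=08:04 user=jdoe host=WS-117 parent=winword.exe child=cmd.exe",
    "proxy ts=09:15 user=asmith host=WS-204 dst=203.0.113.7 ip=203.0.113.7",
    "proxy ts=09:20 user=bwong host=WS-031 dst=www.example.invalid ip=198.51.100.9",
]

KV = re.compile(r"(\w+)=(\S+)")
FIELD = {"domain": "dst", "sha256": "sha256", "ip": "ip"}  # log field checked per indicator type

def parse(line):
    """Split 'source k=v k=v ...' into a dict; the first token names the log source."""
    source, _, rest = line.partition(" ")
    return dict(KV.findall(rest), source=source)

def match(records, indicators):
    """Yield (record, indicator_type, value, label) for each field that hits a known indicator."""
    for rec in records:
        for itype, table in indicators.items():
            value = rec.get(FIELD[itype])
            if value in table:
                yield rec, itype, value, table[value]

def pivot(hits):
    """Derive new indicators: the IP a known-bad domain resolved to is itself an indicator."""
    derived = {"ip": {}}
    for rec, itype, value, label in hits:
        if itype == "domain" and "ip" in rec:
            derived["ip"][rec["ip"]] = f"{label} via {value}"
    return derived

def investigate(lines, indicators):
    """Correlate known-indicator hits per host, then use derived indicators to find new activity."""
    records = [parse(line) for line in lines]
    known = list(match(records, indicators))
    by_host = {}
    for rec, itype, _value, label in known:
        by_host.setdefault(rec["host"], []).append((rec["source"], itype, label))
    # Endpoint events on an already-flagged host add context even without an indicator match.
    for rec in records:
        if rec["source"] == "endpoint" and rec["host"] in by_host:
            by_host[rec["host"]].append(("endpoint", "context", f"{rec['parent']}->{rec['child']}"))
    seen = {id(rec) for rec, *_ in known}
    new = [(rec["host"], label) for rec, _, _, label in match(records, pivot(known)) if id(rec) not in seen]
    return by_host, new
```

Running `investigate(SAMPLE_LOGS, INDICATORS)` flags WS-117 on the phishing attachment hash plus the beaconing domain (with the Office-spawns-shell endpoint event as context) and, through the pivot, surfaces WS-204 talking to the same IP even though no indicator for it existed beforehand.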