Financial Services Information Sharing & Analysis Center
THREAT INTELLIGENCE AND SHARING
CONNECTICUT DEPARTMENT OF BANKING SEPTEMBER 14, 2015
This FS-ISAC presentation is not for publication
Agenda Today
• Notorious attacks and methods
• Anatomy of an Attack
• FS-ISAC Mission and Services
• Security Automation
BIGGEST COMPUTER HACKS OF ALL TIME
Adobe (October 2013)
Number of people affected: 150 million (email addresses and passwords for 150 million users, as well as credit card data for 2.9 million users)
How it happened: Hackers gained access to Adobe’s networks, though exactly how they did it has yet to be publicly revealed. In addition to stealing user information, attackers also downloaded the source code for a handful of Adobe programs, which essentially forms the foundation of the software.

eBay (May 2014)
Number of records compromised: 145 million
The attack on its network compromised over 145 million customers’ passwords, usernames, email addresses, addresses, phone numbers and dates of birth. Despite being aware of the breach since February 2014, eBay only alerted its customers in June 2014 – a move that naturally angered some of those affected.
How it happened: Hackers used stolen employee details to break into its network
Heartland Payment Systems (January 2009)
Number of records compromised: 130 million customer card details
How it happened: A malware outbreak on its payment systems
Worse still, during an earnings call following the breach, executives revealed the malware used to steal the information was successful because Heartland did not have antivirus software installed on its payment processing network at the time.

TJX Companies (January 2007)
Number of records compromised: 94 million
How it happened: A cartel of hackers infiltrated its network
The firm currently owns T.K.Maxx, T.J.Maxx, Marshalls, HomeGoods and HomeSense.
Target (January 2014)
Number of people affected: 110 million (40 million credit and debit card numbers, as well as 70 million consumer email addresses)
How it happened: Hackers used credentials from an HVAC contractor working within Target to then gain access to the retailer’s network.
Aftermath: Six months later, company CEO Gregg Steinhafel was forced to resign over the breach. In March, Target settled a class-action lawsuit for $10 million with individuals who had their credit and debit cards stolen.

Home Depot (September 2014)
109 million (53 million email addresses and 56 million credit and debit cards)
How it happened: Home Depot said hackers used a vendor’s login information to access the network and install malware on the retailer’s self-checkout systems, which fed the attackers information on credit card customers in the U.S. and Canada.
Aftermath: Cleaning up after the breach cost Home Depot an estimated $62 million. The company offered free credit monitoring to any customers who used a payment card at a Home Depot store after April 2014.
Anthem (February 2015)
88 million (Social Security numbers, employment details, and other personal information, but no medical data)
How it happened: Investigators speculate the intrusion began months earlier and was perpetrated by Chinese government-sponsored hackers, who are also suspected of breaking into the networks of United Airlines and the U.S. government’s Office of Personnel Management.
Aftermath: Anthem offered free credit monitoring services to those affected by the attack.

JPMorgan Chase (July 2014)
83 million (Names, addresses, and phone numbers of account holders)
How it happened: According to the New York Times, hackers gained access to JPMorgan’s network via an employee’s credentials.
Aftermath: Investigators recently arrested four individuals suspected of taking part in the hack.
U.S. Office of Personnel Management (June 2015)
22 million (Social Security numbers and other personal information for former and current U.S. government employees)
How it happened: Attackers suspected to be from the Chinese government stole login information from the employee of a third-party government contractor.
Aftermath: OPM Director Katherine Archuleta resigned, and the agency suspended its background check system until further notice.

Facebook (July 2008)
Number of records compromised: 80 million
How it happened: A bungled test for a new website design
Facebook software glitch publicly exposed 80,000,000 users' hidden information.
Threat Trends
Cyber Crime
• Bad guys are mostly Eastern European, although Asian groups are also active
• A complete service-based economy supporting their activities
• Attacks are a mix of social engineering and technical attack
Hacktivists
• “Anonymous” response to WikiLeaks donation stoppage
• DDoS attacks
• Website defacement
Nation State
• Motivations: espionage, disruption, or destruction
• Targeting government and private sector
ATTACKER MOTIVATION, CAPABILITY & INTENT: WHO ARE THE ADVERSARIES?
Cybercriminals
• Money
• Money
• And more money
• Large number of organized groups
• Skills from basic to advanced
• Present in virtually every country
• Up to $$$
Hacktivists
• Protest
• Revenge
• Large number of groups
• Groups tend to have basic skills with a few 'standout' individuals with advanced technical and motivational skills
• Up to $ - $$
Nation State
• Acquiring secrets for national security or economic benefit
• Small but growing number of countries with capability
• Larger array of ‘supported’ or ‘tolerated’ groups
• Up to $$$$+
Opportunists
• Victims are selected because they show some form of weakness that an attack is able to exploit
• Financially driven
• Initial attacks lack sophistication and increase as more attacks are launched
• Up to $$
Scale: $ - Under thousands; $$ - Tens to hundreds of thousands; $$$ - Millions; $$$$ - Tens to hundreds of millions; $$$$$ - Billions
Dark Web: Connecting Miscreant Suppliers with Miscreant Buyers
• Online libraries and advertisements of stolen data
• Education on how to launch spamming, phishing, and key logging attacks
• Advertisements for partners for complex fraud schemes
• Recruitment
• Detailed info sharing on technical vulnerabilities of software and specific financial institutions and their service providers
Still Lots of Opportunities for Malware
• Phishing – Widespread email – lots of victims
• Spearphishing – Targeted email aimed at a few victims
• Drive-by Download – the unintentional download of malicious software, typically from an infected reputable site
• Compromised Vendors – any remote access is a high-prize target
• Malicious Mobile Apps – Free or fake mobile apps
• IT Supply Chain – compromise integrators / distributors
• IT Patch Management Systems – broad distribution of code

PHISHING VARIATIONS – STILL EFFECTIVE
• Phishing and Spearphishing remain a highly effective means of distributing destructive malware.
COMMON ATTACK SCENARIO: ADVERSARY GAINS FOOTHOLD
(Diagram: Adversary → Compromised Web Site (www.hackedsite.com) → Organization Domain containing Host 1 and Host 2)
1. Tainted email sent to Organization‘s users
2. User clicks on link to compromised web site; remote admin tool installed on Host 1
3. Additional tools uploaded
4. Using credentials gained, adversary works to establish additional footholds (Host 2)
COMMON ATTACK SCENARIO: DATA MINING
(Diagram: Adversary → Host 1 → Host 2 → File Server, all within the Organization Domain)
• Adversary frequently will perform data mining through a host (Host 2) other than the initially compromised host (Host 1)
• Remote host may or may not be the same IP/Domain as initial attack
• Data mining typically occurs on file servers via share permissions
• Multiple files are typically extracted as an encrypted bundle
DD4BC (Distributed Denial of Service for BitCoin) attack – extortion email as received (recipient anonymized):

Subject: DDOS ATTACK!

Hello, To introduce ourselves first: http://www.coindesk.com/bitcoin-extortion-dd4bc-new-zealand-ddos-attacks http://bitcoinbountyhunter.com/bitalo.html http://cointelegraph.com/news/113499/notorious-hacker-group-involved-in-excoin-theft-owner-accuses-ccedk-of-withholding-info Or just google “DD4BC” and you will find more info. So, it’s your turn! All sites and servers of Anonymized Member are going under DDoS attack unless you pay 40 Bitcoin. Pay to Anonymized Please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400-500 Gbps.
Right now we are running small demonstrative attack on one of your IPs: Don't worry, it will not be hard (we will try not to crash it at this moment) and will stop in 30 minutes. It's just to prove that we are serious. We are aware that you probably don't have 40 BTC at the moment, so we are giving you 24 hours to get it and pay us.
DDOS ATTACK
(Diagram components: Servers controlled by attackers; Compromised PCs; Your customers; Internet; Your Internet ISP; Company X edge router; Company X network and web server. Attack traffic from the attacker-controlled servers and compromised PCs shares the same path into Company X as legitimate customer traffic.)

DDoS Solutions – ISP
• DDoS Monitoring – Netflow and SNMP info from the ISP router feeds a DDoS monitoring facility at the Internet ISP
• DDoS Mitigation – the Internet ISP filters the attack so that only Normal Internet Traffic is forwarded to the Company X edge router and Company X network
Evolution from Disruptive to Destructive Attacks
Advanced DDOS – 2012, 2013
• 40+ FIs targeted, wake-up call for FS industry
• Resulted in dynamic, effective information sharing
Shamoon – 2012
• Malware executable spread using network shared drives
• Corrupts files and wipes device boot blocks at specified date
• A group named "Cutting Sword of Justice" claimed responsibility
• Attack on 30,000 Saudi Aramco workstations
South Korean Attacks – 2013
• 2 banks, media company and insurance company; patch systems targeted
• Wipers hit Windows, Linux and UNIX OS and removed file systems. Over 3,000 machines made unbootable
Sony Pictures – 2014
• Data breach but, more importantly, destructive malware installed on their network and core systems including back-up.
• Intellectual property and sensitive information released publicly.
• Impact – financial system data destroyed, inability to disburse payments or produce financials for extended period.
60 Minutes news program update on impact:
• 40,000 computers made unbootable
• 800 servers turned into junk
• Directories destroyed; without the directories, the data was made inaccessible.
Ransomware

Is the Financial Services Sector Ready for Destructive or Data Integrity Attacks?
• Destructive Malware/Data Integrity Task Force
o Kick off meeting on May 20
o Over 70 volunteers from broker-dealers, exchanges, banks, payment processors, insurance, government
o Goal: develop best practices for detection and recovery from destructive malware or data integrity attacks.
Overview of FS-ISAC
To be forewarned is to be fore-armed
Information Sharing
• 18 Defined Critical Infrastructure Sectors: Agriculture and Food; Defense Industrial Base; Energy; Healthcare & Public Health; Banking & Finance; Water; Chemical; Commercial Facilities; Critical Manufacturing; Dams; Communications; Postal & Shipping; Transportation Systems; Government Facilities; Emergency Services; Nuclear Reactors, Materials & Waste; Information Technology; National Monuments & Icons
National Council of ISACs
ISACs are trusted entities established by Critical Infrastructure Key Resource (CI/KR) owners and operators to provide comprehensive sector analysis, which is shared within the sector, with other sectors, and with government. ISACs take an all-hazards approach. Services provided by ISACs include risk mitigation, incident response, alert and information sharing. Member benefits vary across the ISACs and can include: access to a 24/7 security operations center, briefings, white papers, threat calls, webinars, and anonymous CIKR Owner/Operator reporting.
Member ISACs: Financial Services ISAC; National Health ISAC; Aviation ISAC; Defense Industrial Base ISAC; Downstream Natural Gas ISAC; Emergency Services ISAC; Electricity Sector ISAC; IT ISAC; Maritime ISAC; Multi-State ISAC; Communications ISAC; Nuclear Energy ISAC; Oil and Gas ISAC; Public Transit ISAC; Real Estate ISAC; Research and Education ISAC; Supply Chain ISAC; Surface Transportation ISAC; Water ISAC; Retail ISAC (new); Legal ISAC (soon)
FS-ISAC MISSION: Sharing Timely, Relevant, Actionable Cyber and Physical Security Information & Analysis
• A nonprofit private sector initiative formed in 1999
• Designed/developed/owned by financial services industry
• Mitigate cybercrime, hacktivist, nation state activity
• Process thousands of threat indicators per month
• 2004: 68 members; 2015: 6000+ members
• Sharing information globally

Financial Institutions (FIs) of all types and sizes – 6,000 banking, insurance, brokerage, payments, hedge fund and credit card companies – join the FS-ISAC to:
• Gain actionable insights into the latest security threats, vulnerabilities, trends, and technologies
• Gather additional details in a timely manner about a specific attack
• Learn about other institutions’ experiences and mitigation strategies through anonymous and attributed submissions
• Remain current with what federal, state, and local government agencies, regulators and law enforcement are doing
• Protect and secure their data and mitigate risk
FS-ISAC Timely and Actionable Threat Intelligence for Community Banks & Credit Unions
The Source for Critical Information
The member-owned FS-ISAC performs four broad functions:
1. Foster cooperation and communication among member FIs, to their mutual benefit, using a secure trust network
2. Gather information about threats against the financial services industry, including member submissions, plus unique access to domestic and international government resources
3. Research and analyze information received to validate accuracy and severity, and recommend actions
4. Disseminate insights into threats and mitigation strategies to members using secure and effective methods, depending on the urgency and nature of the alert
Foster Cooperation
Perhaps the biggest impact that FS-ISAC has is getting Financial Institutions talking with one another. Through regularly scheduled calls, in-person meetings, rapid and timely sharing between and among members, webinars and other communication paths, community banks and credit unions are able to learn what peer organizations are facing, how they’re responding, and generally share information.
• Attendance at member meetings - Semi-annual member meetings and summits
• Member contact directory - Contains valuable administrative and contact information for FS-ISAC member institutions
Community Institution Council (CIC)
Peer community institutions (~2000) are brought together to identify common concerns and develop actions and industry best practices to address those issues and strengthen policies. The CIC assists community institutions in achieving mature security programs and more effective security and risk solutions by leveraging internal, industry and government contacts and subject matter experts to help institutions with their prioritized objectives.
Gather Information
FS-ISAC is the preferred distribution vehicle for threat information from:
• Members - Members share information through anonymous and attributed submissions and listserv. They can also submit topics of interest for member surveys.
• Government agencies - Domestic and international government agencies contribute intelligence and collaboration
• Partners – iSight Partners, Secunia, MSA, NC4 and others
• Industry Regulators
Research and Analyze
With access to the industry’s brightest minds, FS-ISAC is able to quickly assess any situation and recommend response strategies. Upon receiving a submission, FS-ISAC’s Security Operation Center analysts verify and analyze the threat and identify recommended solutions before alerting FS-ISAC members.
Disseminate Insights
FS-ISAC offers a wide range of channels to distribute information, depending on the nature of the information and the urgency with which it needs to be communicated.
• Crisis Notifications - In the event of a crisis, the FS-ISAC uses its automated service, the Critical Infrastructure Notification System (CINS), to reach its membership in a matter of minutes via multiple communication channels (voice, email, pager, SMS text).
• Email Notifications - Members can customize email notification preferences to ensure they receive just the information relevant to their operations.
• Watch Desk - Security analysts are available via email and fax to address specific mitigation strategies
• Daily Summary Report - A daily digest is created for quick perusal of the current state and previous day’s events in an easily consumable format.
• Monthly Cyber Security Tips Newsletter - A newsletter with the latest security tips can be customized with your organization’s name and logo to be sent to employees and customers.
• Soltra Edge – The first industry-driven threat intelligence sharing platform. Soltra Edge is designed to facilitate the collection of cyber threat intelligence from various sources, convert it into an industry standard language and provide timely information on which users can decide to take action to better protect their company.
• Weekly Risk Summary – A weekly risk summary for C-suite management provides a high level recap of security threats, impact to Financial Institutions and remedial steps.
Membership Sized to Fit Your Institution
FS-ISAC community bank members take advantage of a host of important benefits, including early notification of security threats and attacks, anonymous information sharing across the financial services industry, regularly scheduled community institution council calls, payment risk council calls, and member meetings for a smaller membership fee than larger financial institutions.
• Basic Membership: $250 for one user ID
• Core Membership: $850 for 4 user IDs
To become an FS-ISAC Member contact [email protected] or go to www.fsisac.com/comparison-chart to review membership benefits and determine the appropriate FS-ISAC membership level for your organization.
FS-ISAC Operations
FS-ISAC 24x7 Security Operations Center – operational areas: Information Security; Physical Security; Business Continuity/Disaster Response; Fraud Investigations; Payments/Risk; Member Communications
Information Sources feeding the SOC (output: Alerts to members):
• Government sources – CERTs; FS Regulators; Law Enforcement; Other Intel Agencies
• Cross sector sources – Cross Sector (other ISACs); Open Sources (Hundreds)
• Private sources – Member Submissions; iSIGHT Partners (Info Sec); Secunia (Vulnerabilities); Wapack Labs (Malware Forensics); NC4 (Phy Sec Incidents); MSA (Phy Sec Analysis)

Information Sharing & Analysis Tools
• Readiness Exercises – Government Sponsored Exercises; Cyber Attack against Payment Processes (CAPP) Exercise; Advanced Threat/DDoS Exercise; Industry exercises – Systemic Threat, Quantum Dawn Two, etc.
• Threat Data, Information Sharing – Anonymous Submissions; CyberIntel Listserver; Relevant/Actionable Cyber & Physical Alerts (Portal); Special Interest Group Email Listservers; Document Repository; Member Contact Directory; Member Surveys; Risk Mitigation Toolkit; Threat Viewpoints
• Ongoing Engagement – Bi-weekly Threat Calls; Emergency Member Calls; Semi-Annual Member Meetings and Conferences; Regional Outreach Program; Bi-Weekly Educational Webinars
Information Sharing: Traffic Light Protocol (color labels as in the standard TLP levels)
• RED – Restricted to a defined group (e.g., only those present in a meeting). Information labeled RED should not be shared with anyone outside of the group
• AMBER – This information may be shared with FS-ISAC members.
• GREEN – Information may be shared with FS-ISAC members and partners (e.g., vendors, MSSPs, customers). Information in this category is not to be shared in public forums
• WHITE – This information may be shared freely and is subject to standard copyright rules
FS-ISAC Circles of Trust
• Clearing House and Exchange Forum (CHEF)
• Payments Risk Council (PRC)
• Payments Processor Information Sharing Council (PPISC)
• Business Resilience Committee (BRC)
• Threat Intelligence Committee (TIC)
• Community Institution Council (CIC)
• Insurance Risk Council (IRC)
• Compliance and Audit Council (CAC)
• Cyber Intelligence Listserv
• Asset Manager Council (AMC)
• Broker-Dealer Council (BDC)
How a member report flows:
1. Member reports incident to Cyber Intel list, or via anonymous submission through portal
2. Members respond in real time with initial analysis and recommendations
3. SOC completes analysis, anonymizes the source, and generates alert to general membership
Types of Information Shared
• Cyber Threats, Vulnerabilities, Incidents: Malicious Sites; Threat Actors, Objectives; Threat Indicators; Tactics, Techniques, Procedures; Courses of Action; Exploit Targets; Denial of Service Attacks; Malicious Emails: Phishing/Spearphishing; Software Vulnerabilities; Malicious Software; Analysis and risk mitigation; Incident response
• Physical Threats, Incidents: Terrorism; Active Shooter; Hurricanes; Earthquakes; Other meteorological events; Geopolitical impacts; Pandemic; Type, location, severity; Impact analysis and risk mitigation; Business resilience preparation and incident response
Alert Types
• ANC: Announcements
• CYT: Cyber Threat
• CYI: Cyber Incidents
• COI: Collective Intelligence
• CYV: Cyber Vulnerability
• PHT: Physical Threats
• PHI: Physical Incidents
Understanding FS-ISAC Emails and Alerts
Determining which information is of value to your organization is something FS-ISAC cannot know. We can, however, assist in providing you with guidance in parsing and forwarding FS-ISAC Alerts. Depending on your role, you don’t have to follow every update, but FS-ISAC recommends following these key reports. Doing so will limit emails to about 10/day.

Key Components of Alerts
• The email “subject” line in FS-ISAC alerts sent to the membership uses the following format: [Alert_Type][Criticality]: [Alert_Title]
• The abbreviation and criticality level will always appear in the subject line, along with the title
• Be aware of FS-ISAC’s Traffic Light Protocol
• Following the TLP Color, the alert will go into more detail such as the type of threat, summary, and handling instructions

Step 1: Understand the Alert Type (see Alert Types above)
Step 2: Understand the Criticality and Priority
• ANC = Priority – 1-10, 8-10 is high priority
• CYV = Risk – 1-10, 8-9 is Urgent, 10 is Crisis
• CYT = Risk – 1-10, 8-9 is Urgent, 10 is Crisis
• COI – No Criticality Metric
• PHT = Risk – 1-10, 8-9 is Urgent, 10 is Crisis
Step 3: Make Choices Based on Role
• Analysts and those involved in risk assessment or vulnerability/patch management should receive CYV alerts.
• Intelligence analysts may also want to participate on the Cyber Intel listserv. POCs are automatically added, but a portal account is not necessary if you wish to add additional analysts to the distribution
• Provide portal accounts to your staff based on each individual’s role. This will allow them to employ portal filtering for their unique assignments
• We provide summary reports for managers and technical reports for analysts. Making informed choices based on your role eliminates unneeded emails
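Applying Steps 1 to 3 to the subject-line format above, as an added example that is not part of the FS-ISAC deck: a small Python triage helper that parses constructed subject lines, maps the criticality number to the deck’s high priority / Urgent / Crisis levels, and filters by the alert types a role subscribes to. The exact spacing and bracketing of real subject lines, and the treatment of CYI and PHI (which the deck does not rate), are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Alert-type abbreviations as listed on the FS-ISAC "Alert Types" slide.
ALERT_TYPES = {"ANC": "Announcement", "CYT": "Cyber Threat", "CYI": "Cyber Incident",
               "COI": "Collective Intelligence", "CYV": "Cyber Vulnerability",
               "PHT": "Physical Threat", "PHI": "Physical Incident"}

# Subject format from the deck: [Alert_Type][Criticality]: [Alert_Title]
# Assumption: the square brackets are placeholders, so "CYV9: ..." and
# "[CYV][9]: ..." are both accepted; COI carries no criticality number.
SUBJECT_RE = re.compile(
    r"^\s*\[?(?P<type>[A-Z]{3})\]?\s*\[?(?P<crit>\d{1,2})?\]?\s*:\s*(?P<title>.+?)\s*$")

# Queue ordering for triage: escalations first.
RANK = {"Crisis": 0, "Urgent": 1, "High priority": 2, "Routine": 3, "No criticality metric": 4}


@dataclass(frozen=True)
class Alert:
    alert_type: str
    criticality: Optional[int]  # None when the alert type carries no metric
    title: str


def parse_subject(subject: str) -> Alert:
    """Split an FS-ISAC subject line into alert type, criticality and title."""
    m = SUBJECT_RE.match(subject)
    if not m or m.group("type") not in ALERT_TYPES:
        raise ValueError(f"not an FS-ISAC alert subject: {subject!r}")
    crit = int(m.group("crit")) if m.group("crit") else None
    if crit is not None and not 1 <= crit <= 10:
        raise ValueError(f"criticality outside the 1-10 scale: {subject!r}")
    return Alert(m.group("type"), crit, m.group("title"))


def is_alert_subject(subject: str) -> bool:
    """True when the subject parses as an FS-ISAC alert (for mail-filter rules)."""
    try:
        parse_subject(subject)
        return True
    except ValueError:
        return False


def severity(alert: Alert) -> str:
    """Step 2 of the deck: ANC is a 1-10 priority (8-10 high priority); CYV, CYT
    and PHT are a 1-10 risk (8-9 Urgent, 10 Crisis); COI has no metric.
    Assumption: CYI and PHI, which the deck does not rate, are treated like COI."""
    t, c = alert.alert_type, alert.criticality
    if t == "ANC":
        return "High priority" if c is not None and c >= 8 else "Routine"
    if t in ("CYV", "CYT", "PHT"):
        if c == 10:
            return "Crisis"
        return "Urgent" if c is not None and c >= 8 else "Routine"
    return "No criticality metric"


def triage(subjects: Iterable[str], wanted_types: set) -> list:
    """Step 3 of the deck: keep only the alert types a role subscribes to (e.g.
    {"CYV"} for vulnerability/patch management) and put escalations first."""
    alerts = [parse_subject(s) for s in subjects]
    rows = [(severity(a), a.alert_type, a.title) for a in alerts if a.alert_type in wanted_types]
    return sorted(rows, key=lambda row: RANK[row[0]])


# Constructed sample subject lines (not real FS-ISAC alerts).
SAMPLE_SUBJECTS = [
    "CYV10: Constructed sample - actively exploited flaw in a widely used product",
    "[CYT][8]: Constructed sample - phishing campaign targeting financial institutions",
    "ANC9: Constructed sample - emergency member call scheduled",
    "COI: Constructed sample - collective intelligence digest",
    "PHT7: Constructed sample - regional severe weather advisory",
    "CYV5: Constructed sample - vendor patch bulletin",
]
```

Calling `triage(SAMPLE_SUBJECTS, {"CYV"})` reproduces the deck’s advice for a patch-management role: only the two CYV alerts come back, the Crisis-rated one first.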
RISK SUMMARY REPORTING
Weekly Risk Summary Reports provide C-Level management with overviews of the week’s top critical threats
Security Automation Will Revolutionize Information Sharing
THREATS (& INTELLIGENCE) GROWING FAST
• 117,339 incoming attacks every day
• 42.8 million security incidents detected in 2014, 48% over 2013
• Cyber Intelligence related to this exponential threat activity is directly correlated
• Today, intelligence information is measured daily in Gigabytes
• Too much to manually share and process (emailing and cutting ‘n pasting into tools)
Findings from The Global State of Information Security Survey 2015. Graphic Source: PwC
SOLTRA | AN FS-ISAC AND DTCC COMPANY
THE NEED FOR SPEED: Attackers Act 150x Faster Than Victims Respond – Minutes vs. Weeks/Months
(Chart: share of incidents by elapsed time – Seconds, Minutes, Hours, Days, Weeks, Months – for three phases)
• Initial Attack to Initial Compromise (shorter time worse)
• Initial Compromise to Data Exfiltration (shorter time worse)
• Initial Compromise to Discovery (longer time worse)
Attackers have honed their skills to come at you rapidly. Defenders take a long time to feel the impact of an attack.
INTELLIGENCE-DRIVEN COMMUNITY DEFENSE
(Diagram: Organization With Cyber Threat Intelligence → Central Intelligence Repository → Trusted Member Organizations)
Maturing An Intelligence Ecosystem: Standards-based; Machine Speed Communication; End-to-End (Sensor to Control); Community Defense Model
Contact Information
Rick Lacafta, Director – Insurance, Community Institutions, Compliance and Audit, Broker Dealers: [email protected]
Jeff Korte, Director Community Institutions: [email protected]
New Membership: Robin Fantin, Vice President: [email protected]
Membership Support: Beth Hubbard, Director of Member Services: [email protected]
www.fsisac.com
Thank You for Your Time Today