APT: The threat is real, well-funded, and coming for your data.
Jesse Fernandez
About Me
Jesse Fernandez currently works as a Senior IS Audit Specialist in the insurance industry, where he conducts complex information security audits. Recently, Fernandez worked with the PCI DSS Standards Council to develop guidance on conducting a PCI DSS risk assessment, serving as Content Coordinator to ensure document consistency and technical soundness and to assist in developing the table of contents. Fernandez holds the GSLC, GSEC, GCIH, CISSP, and CISA certifications and has over ten years of industry experience.
Agenda
• APT
• Favored Means of Attack
• Best Practices
Advanced Persistent
Threat (APT)
• "An adversary that possesses sophisticated levels of expertise and
significant resources which allow it to create opportunities to achieve
its objectives by using multiple attack vectors (e.g., cyber, physical,
and deception). These objectives typically include establishing and
extending footholds within the information technology infrastructure of
the targeted organizations for purposes of exfiltrating information,
undermining or impeding critical aspects of a mission, program, or
organization; or positioning itself to carry out these objectives in the
future. The advanced persistent threat: (i) pursues its objectives
repeatedly over an extended period of time; (ii) adapts to
defenders’ efforts to resist it; and (iii) is determined to
maintain the level of interaction needed to execute its
objectives."
- NIST
A Serious Threat (2009)
• “Cyber threat is one of the most serious economic and national security challenges we face as a nation.”
• “America's economic prosperity in the 21st century will depend on cybersecurity.”
- Barack Obama, May 29, 2009
http://www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure
A Serious Threat (2012)
• 621 confirmed breaches
• 44 million records compromised
• “State-affiliated actors tied to China (accounted) for about one-fifth (125) of all breaches.”
Source - Verizon
APT1
• Mandiant released report exposing the
Comment Crew (APT1) on February 19, 2013
http://intelreport.mandiant.com/
• Alleged that APT1 is a military group
belonging to the People's Republic of China
• China denies the allegations
APT1
• 141 detected intrusions since 2006 across 20
industries such as Financial Services, IT,
Electronics, Health Care, Manufacturing,
Construction, Transportation, Food and
Agriculture
• 115/141 (81%) detected intrusions were U.S.
companies
APT1
• "Drained terabytes of data from companies like Coca-Cola"
• “RSA was amongst those attacked"
• "On average the group would stay inside a network,
stealing data and passwords, for a year; in one case it
had access for four years and 10 months."
Source – New York Times
A Serious Expense
• According to the Ponemon Institute, the cost of a malicious or criminal data breach in the United States was $277 per record during 2012 (max = 100K records)
• According to the Washington Post, the APT attack against RSA cost EMC (RSA's parent company) $66 million (to investigate the attack, harden systems, and work with customers).
What is your organization's reputation worth?
• IP?
Well-Funded
Source: Mandiant report
U.S. & China Talks
•Meeting to discuss “the theft of intellectual
property from American companies.”
•“Attacks have resulted in the greatest transfer
of wealth in history.”
Source – New York Times
Recon
• Attackers perform reconnaissance activities on
the targeted organization
• Once desired information is obtained,
attackers attempt social engineering attacks
(amongst other things)
• Only need to succeed once
For example
• We will illustrate the power of obtaining public
information
What can I find?
It gets better
• Social Network Sites – LinkedIn, Facebook, Twitter, Google+, “insert social engineering (er, social networking) site here”
Wait, there is more
• No wonder I get so much spam!
Social Engineering
“Social engineering is using deception,
manipulation and influence to convince a human
who has access to a computer system to do
something.”
Source - Time.com
Social Engineering 2.0 –
Spear Phishing
• “The practice of sending fraudulent e-mails to extract
financial data from computer users for purposes of
identity theft, by mimicking a sender that the recipient
knows.” Source – Dictionary.com
• “Spear phishing continues to be a favored means by
APT attackers to infiltrate target networks.” Source –
Trend Micro
• Targeted & Effective
Spear Phishing
Source - New York Times
Spear Phishing
• New York Times Hack (8/27/13)
• The Syrian Electronic Army took credit for the attack (also attacked Twitter)
• “The attackers sent an email to the New York Times’ domain name registrar, Melbourne IT”
• “Two staff members opened a fake email seeking login details.” – the staff members worked for an Indian Internet service provider that was one of Melbourne IT’s resellers
Source – NBC News
Pwn3d
• Now that they tricked your user and have
compromised a system, the real fun begins
• The attacker is now inside your environment
• Your company just became a statistic
• Various avenues of attack
Don’t become a statistic
Digital weapons are expensive!
According to Forbes, zero day exploits can be
sold “(you can sell a zero day exploit to) a
government agency, (if you) don’t ask too many
questions, and get paid a quarter of a million
dollars.”
Source - Forbes
So
• Must have robust security policies
• Must identify and classify data
• Must perform a risk assessment
• Must secure your environment
Information Security
Policies
• SANS has published various security policies and has
given organizations the right to modify them to fit their
needs
http://www.sans.org/security-resources/policies/
• Work with your legal team
• Revisit your policies periodically (as the business
changes)
Information Sensitivity
Policy
“The Information Sensitivity Policy is intended to help employees determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of <Company Name> without proper authorization.”
Source - SANS
Find your data
• Talk to the business, walkthrough their processes
• What/Where are your most valuable assets?
• If you don’t know where your data is, don’t worry: the attackers will find it for you
Data Classification
• Classify your data
• Define data owner’s responsibility
• Protect your most critical data accordingly
• Attackers will go after your most valuable information,
after all they need to make money for their efforts
Manage 3rd parties
• Do you provide any valuable information to 3rd parties?
• If so, you need to ensure the 3rd party protects your data
• Reputation risk
Risk Assessment
• What threats do we face?
• What can go wrong?
• Are we running vulnerable or outdated systems?
• Are our systems compliant with internal and/or
regulatory requirements?
Regulatory Compliance
• Know what applies (PCI DSS, SOX, HIPAA, GLBA, etc.)
• Understand the intent
• Privacy Policy (ask the lawyers about this one)
• Due care
Audit Plan
• What does the audit universe look like?
• Do you currently do business in an industry known to have been a target?
• Are you in talks to acquire another company (or be acquired)?
• Be aware that laws/regulations typically lag behind technology
Laws vs. Tech
http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
Best Practices
Now that you know what assets you are trying to
protect and the residual risk present in your
environment, the real fun (err work) begins
Let’s explore some best practices – remember,
we can’t cover all of them in one hour
Perimeter Protection
• DMZ
• Firewalls
• NIDS
• Secure coding (OWASP)
• WAF (protect vs. SQL Injection, XSS, CSRF)
Segment Network
• Understand your environment
• Follow the data
• Limit available paths
Protect Users
• Limit admin access
• Malware protection
• DLP (to prevent users from storing/transmitting your most sensitive data everywhere)
Application Whitelisting
• Feature in Windows XP, Server 2003 and above (Software Restriction Policies)
• Created with Group Policy
• Microsoft has an overview and how-to guide
http://technet.microsoft.com/en-us/library/bb457006.aspx
Why Use Application
Whitelisting
“Hostile code can take many forms. It can range from native
Windows executables (.exe), to macros in word processing
documents (.doc), to scripts (.vbs).”
“Viruses and worms often use social engineering to trick
users into activating them. With the sheer number and variety
of forms that code can take, it can be difficult for users to
know what is safe to run and what is not. When activated,
hostile code can damage content on a hard disk, flood a
network with a denial-of-service attack, send confidential
information out to the Internet, or compromise the security of
a machine.”
Source - Microsoft
BYOD
• For employee-owned devices (BYOD), consider implementing a solution that will allow the organization to centrally manage the devices
• Ensure internal policies cover BYOD
• Educate the users on your policies prior to granting BYOD access to corporate data
Protect Data
• Encrypt
• Segment
• Limit authorized access (need-to-know)
Access Controls
• Weak passwords can be cracked
• Have more stringent requirements for
administrators
• Two-factor authentication
Physical Security
• Ensure employees can differentiate employees from non-employees
• Ensure the data center has access restrictions
• Ensure internal procedures are followed
Harden Systems
• Use industry accepted standards such as
those published by the Center for Internet
Security (CIS)
• Understand application requirements
• Remove unnecessary components
Maintain Systems
• Patch management and/or system upgrades
• Run only supported versions
• End-of-life (EOL) systems
Identify Vulnerabilities
• Review the results of vulnerability scans
• Ensure high risk vulnerabilities are resolved in
a timely manner
• Monitor remediation efforts, make this part of
your audit plan
Pen Testing
• Consider having an internal team conduct pen
testing to identify the low hanging fruit (then bring
in the pros)
• Learn the fundamentals
• Tools are your friend
Pen Testing
• Ensure a reputable team conducts pen testing in your environment periodically
• Did your intrusion analyst team detect the pen test?
• Monitor remediation efforts, make this part of your audit plan
Change Control
• System baseline
• Ensure all changes made to systems and/or applications are documented, validated, and can be tracked
• Ensure unauthorized changes are detected
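As an added example (not from the slides), a minimal file-integrity check in Python for the "system baseline" and "detect unauthorized changes" bullets: hash every file under a directory once the system is in its approved state, then diff the live tree against that baseline. The sshd.conf, app.bin and unexpected.sh entries are constructed sample data, not files from any real system.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (path relative to root, '/' separators) to its digest."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): hash_file(p)
            for p in sorted(base.rglob("*")) if p.is_file()}


def compare_to_baseline(root: str, baseline: dict) -> dict:
    """Diff the live tree against the approved baseline: new, missing and altered files."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed scenario: approve a baseline, then make three unauthorized changes."""
    root = tempfile.mkdtemp()
    (Path(root) / "etc").mkdir()
    (Path(root) / "etc" / "sshd.conf").write_text("PermitRootLogin no\n")
    (Path(root) / "app.bin").write_bytes(b"constructed sample binary")
    baseline = build_baseline(root)  # in practice, store this copy off the host
    # Changes made after approval: a config edit, a dropped-in file, a deleted file.
    (Path(root) / "etc" / "sshd.conf").write_text("PermitRootLogin yes\n")
    (Path(root) / "unexpected.sh").write_text("# constructed sample, not a real script\n")
    (Path(root) / "app.bin").unlink()
    return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the approved baseline somewhere the monitored host cannot write to; otherwise whoever altered the system can rewrite the baseline to match.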
Intrusion Detection
• What would happen in your organization if
executive management learned that the network
has been compromised for a year or more?
• Prevention is great, but you
must detect
• Incident response
• Make this part of your audit plan
Real World Example
Source - Mandiant report
What we could do
http://www.filext.com
We don’t have/can’t …
• Remember, segmentation is your friend
• Look for abnormal traffic
• Need correct placement of sensors and plenty of skilled analysts to have a chance
User Education
• Help defend against social engineering attacks –
making the attacks less effective
• Eliminates confusion - let users know what they
are responsible for
• Review materials to ensure they are based on
the risk your organization faces, make this part of
your audit plan
Combat Social
Engineering
• Do internal testing
• Be consistent
• Review metrics, make this part of your audit
plan
Rehearsal
• Practice, Practice, Practice
• Don’t be afraid of playing with technology
• Attackers are getting better – we need to get better too
Conclusion
• Practice due care
• Secure your environment so that attackers need to utilize their costly digital weapons to succeed
• In the event of a successful attack, you must detect and control the damage (incident response)
Resources
• http://www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure
• http://intelreport.mandiant.com/
• http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=all&_r=0
• http://www.time.com/time/magazine/article/0,9171,2089344,00.html#ixzz2NFNfIKT6
• http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
• http://dictionary.reference.com/
• http://www.sans.org/security-resources/policies/
• http://www.verizonenterprise.com/DBIR/2013/
• http://www.sans.org/security-resources/policies/Information_Sensitivity_Policy.pdf
• http://www.cisecurity.org/
• https://www.owasp.org/index.php/Main_Page
• http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-spear-phishing-email-most-favored-apt-attack-bait.pdf
• http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
• http://filext.com/file-extension/RAR
• http://www.nytimes.com/2008/04/16/technology/16whale.html
• http://www.theiia.org/guidance/standards-and-guidance/ippf/definition-of-internal-auditing
• https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-BreachReport_daiNA_cta72382.pdf
• http://www.washingtonpost.com/blogs/post-tech/post/cyber-attack-on-rsa-cost-emc-66-million/2011/07/26/gIQA1ceKbI_blog.html
• http://www.nytimes.com/2013/06/02/world/asia/us-and-china-to-hold-talks-on-hacking.html?pagewanted=all&_r=1&
• http://technet.microsoft.com/en-us/library/bb457006.aspx
• http://www.nbcnews.com/technology/new-york-times-hacked-syrian-electronic-army-suspected-8C11016739
Want More?
• In my opinion SANS offers the best training in the
industry
• Audit 307: Foundations of Auditing Security and
Controls of IT Systems: IT systems are fundamental to many of
the controls that need to be audited for organizations today. It's important
for auditors to have a foundational understanding of networks and
systems and the controls that should be in place. During this course, we
discuss the principles around IT controls, the primary regulatory drivers
for IT audit, the audit process, and the primary IT audit controls that
auditors should be aware of.
• SANS.org great resource (webcasts, policy templates,
training)
Thank you
Contact – jessefernandezsec(at)gmail(dot)com