Government Technology Alabama DGS 16 presentation - Cyber Security: How Do I Know When I'm Doing Enough – James M. O'Dell IV

© AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.

Alabama Digital Summit 2016

Page 1

Page 2

CIA Triad: Establish IT Objective

• Confidentiality
• Integrity (remains constant)
• Availability

Page 3

Detection is the Weakest Link: Common intrusion detection methods lack the ability to detect multistep blended attacks.

Page 4

Evolution of the Global Threat

800 million versions of APTs (achieved through combinations of malware) *McAfee

Timeline examples (figure labels): WA/LinkedIn, Darkhotel / Cryptolocker, AP Tweet, Aramco / State of MO

Nation State Actors (Espionage)

• Foreign governments that are interested in pilfering data, including intellectual property and R&D data across all verticals.
• Known Actors: NSA, GreenSky27, Unit 61398, TG2889, The DUKES

Organized Crime (Monetary)

• Groups that are interested in pilfering data, applying extortion techniques and using stolen data for financial gain
• Known Actors: Digital mobs in Ukraine, Russia, China

Terrorist (Ideology)

• Groups that use the network to compromise, destroy, or disrupt critical infrastructure or to harm the viability of our way of life
• Known Actors: Syrian Free Army / ISIS

Hacktivists (Justice)

• Motivated by social issues and feel compelled to use hacking as a tool to fight perceived injustice
• Known Actors: Anonymous / Vikingdom / Individuals

Page 5

Is your Enterprise a Target?

State and Local Government

Data at Risk:
• Contracts and legal docs
• PII/SPI/PHI/CMC/FTI
• Emails/texts/SSNs (employees and citizens)
• Confidential information
• Fiscal/budget information
• Bank routing numbers, credit card data
• Identification cards, access to restricted areas
• Police body cam footage

Infrastructure at Risk:
• Emergency / 911 call centers
• School system
• Utilities / public safety
• Databases, websites
• Wi-Fi/WAN/LAN/mobility network

Education

Data at Risk:
• Finances, spending accounts
• Research data
• Grants / sponsors
• Test scores, lesson plans
• Credit card data (PCI)
• PII/SPI (emails/texts/SSNs of employees and students)
• Student records
• Athletics (playbooks, scouting, recruits)

Infrastructure at Risk:
• CRM
• Online testing
• Facilities
• Databases, websites
• Wi-Fi/WAN/LAN/mobility network

Medical

Data at Risk:
• Medical information numbers
• Research and/or medical trial data
• PII/PHI/SPI/CMC
• Emails/texts/SSNs (employees and patients)
• Health records, prescriptions
• Identification cards, access to restricted areas

Infrastructure at Risk:
• Patient monitoring, nurse call system, life support systems
• Facilities (power, plumbing)
• Databases, websites
• Wi-Fi/WAN/LAN/mobility network

Page 6

Cyber Kill Chain Framework (2010-2011)

Phases: Target, Compromise, Breach


• Recon: Malicious scanning / social engineering / surveillance / Internet vulnerabilities
• Stage: Zeus, Nuclear, Angler, SpyEye kits, custom code / encrypted call back, public IP space
• Launch: Spear phishing / malvertising / watering holes
• Exploit: Internet-wide or specific vulnerability in software (Flash / Heartbleed / shellcode)
• Install: Start with basic malware (RAT), identify adjacent systems, call back to drop site for more specialized malware
• Call Back (C&C): Establish connection (web / non-standard ports/protocols)
• Persist: Establish more persistence / conduct internal recon / data exfiltration
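Page 3 makes the point that single-event detection misses multistep blended attacks, and the kill chain above names the steps that should be correlated. As an added example (not part of the presentation), this Python script maps individual alerts to kill chain stages and raises an alert only when one host walks forward through several stages within a time window; the event names, log format, thresholds and sample log are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
STAGES = ["Recon", "Stage", "Launch", "Exploit", "Install", "Call Back", "Persist"]
# Single-event signatures (each visible on its own to a conventional IDS/AV) mapped
# to the kill chain stage they evidence. Event names are constructed for this example.
STAGE_RULES = [
    (("portscan", "vuln_scan"), "Recon"),
    (("phish_link_click", "malvertising", "watering_hole"), "Launch"),
    (("exploit_kit", "flash_exploit", "heartbleed"), "Exploit"),
    (("rat_dropped", "new_service", "unsigned_binary"), "Install"),
    (("outbound_nonstd_port", "beacon"), "Call Back"),
    (("scheduled_task", "internal_scan", "large_upload"), "Persist"),
]

def stage_of(event):
    """Return the kill chain stage a single event evidences, or None."""
    for keywords, stage in STAGE_RULES:
        if any(k in event for k in keywords):
            return stage
    return None

def correlate(log_lines, min_stages=3, window=timedelta(hours=72)):
    """Alert on hosts that walk forward through >= min_stages stages within window."""
    per_host = defaultdict(list)
    for line in log_lines:
        ts, host, event = line.split(" ", 2)   # "<ISO time> <host> <event ...>"
        stage = stage_of(event)
        if stage:
            per_host[host].append((datetime.fromisoformat(ts), STAGES.index(stage)))
    alerts = {}
    for host, hits in per_host.items():
        chain = []   # accepted (time, stage) pairs; reset on window expiry or a backwards step
        for ts, idx in sorted(hits):
            if chain and (ts - chain[0][0] > window or idx < chain[-1][1]):
                chain = []
            chain.append((ts, idx))
            seen = sorted({i for _, i in chain})
            if len(seen) >= min_stages:   # a lone event at one stage never alerts
                alerts[host] = [STAGES[i] for i in seen]
    return alerts

# Constructed sample log: ws-117 walks five stages, ws-204 shows one (no alert).
SAMPLE_LOG = [
    "2016-05-02T09:10:00 ws-117 phish_link_click url=hxxp://example.invalid/offer",
    "2016-05-02T09:11:05 ws-117 flash_exploit swf=ad.swf",
    "2016-05-02T09:12:30 ws-117 rat_dropped path=C:\\Users\\Public\\svc.exe",
    "2016-05-02T09:30:00 ws-204 outbound_nonstd_port dst=203.0.113.9:8443",
    "2016-05-02T09:40:00 ws-117 outbound_nonstd_port dst=203.0.113.7:4444",
    "2016-05-03T02:15:00 ws-117 internal_scan targets=10.20.0.0/24",
]
```

Running `correlate(SAMPLE_LOG)` flags only ws-117, because the single non-standard-port connection from ws-204 is not enough on its own to cross the stage threshold.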

Page 7

Stages of Malware (Inline Assembly)


• Recon
• Stage
• Launch
• Exploit: Launch payload against known vulnerability / avoid sandboxing heuristics and dependency walking
• Install: Download desired payload – ransomware, key logger, etc.
• Call Back (C&C): Execute payload
• Persist

Sandbox Evasion Techniques:
• Check RAM: less than 1 GB, probably on a VM
• Red Pill – look for VMEs (virtual machine environments)
• Look for input/output ports
• Check access to the Internet
• Extended sleep – launch payload during reboot/shutdown (avoid Win32)
• Compress malicious code 20 layers deep
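Each evasion trick on the slide leaves a visible probe in a dynamic-analysis trace, which is what an analyst can key on. As an added example (not from the presentation), this Python script scans a constructed trace for those probes and reports which techniques it evidences; the trace format, the way API calls and instructions are written, and the thresholds (1 GB, 5 minutes, 10 unpack layers) are assumptions for the example, not any real sandbox's output.

```python
import re

ONE_GB = 1024 ** 3
LONG_SLEEP_MS = 5 * 60 * 1000   # assumed threshold: sleeps of 5 minutes or more

# One rule per evasion trick on the slide, matched against lines of a constructed
# dynamic-analysis trace ("<API or instruction> <args>"). The regexes are
# assumptions about that trace format, not any real sandbox's report schema.
RULES = {
    "ram-check":      (r"GlobalMemoryStatusEx.*ullTotalPhys=(\d+)",
                       lambda m: int(m.group(1)) < ONE_GB),
    # Red Pill and its variants read descriptor-table registers (differ under a VME)
    "red-pill":       (r"^\s*(sidt|sgdt|sldt|str)\b", None),
    # probing an I/O port from user mode, as a hypervisor backdoor check would
    "io-port-probe":  (r"^\s*in\s+eax,\s*dx\b", None),
    "internet-check": (r"InternetCheckConnection|InternetGetConnectedState", None),
    "extended-sleep": (r"\bSleep\((\d+)\)", lambda m: int(m.group(1)) >= LONG_SLEEP_MS),
    # deferring execution to the next boot / shutdown instead of running under analysis
    "reboot-trigger": (r"RunOnce|ExitWindowsEx", None),
    # unpack_layers is a constructed static-unpacker summary line, not an API call
    "deep-packing":   (r"unpack_layers=(\d+)", lambda m: int(m.group(1)) >= 10),
}

def evasion_indicators(trace_lines):
    """Return the sorted list of evasion techniques the trace evidences."""
    found = set()
    for line in trace_lines:
        for name, (pattern, check) in RULES.items():
            m = re.search(pattern, line)
            if m and (check is None or check(m)):
                found.add(name)
    return sorted(found)

def likely_evasive(trace_lines, min_hits=2):
    """One environment probe is common in benign software; require several."""
    return len(evasion_indicators(trace_lines)) >= min_hits

SAMPLE_TRACE = [   # constructed trace of one suspicious sample run
    "GlobalMemoryStatusEx ullTotalPhys=536870912",
    "sidt [esp]",
    "InternetCheckConnectionA lpszUrl=http://example.invalid/",
    "Sleep(900000)",
    "CreateFileA lpFileName=C:\\Users\\Public\\a.tmp",
    "unpack_layers=22",
]
BENIGN_TRACE = [   # constructed trace of an ordinary program
    "GlobalMemoryStatusEx ullTotalPhys=8589934592",
    "Sleep(100)",
    "CreateFileA lpFileName=C:\\Users\\Public\\report.txt",
]
```

The practical counterpart is to provision the analysis VM so these probes come back looking like a real workstation (more than 1 GB of RAM, simulated Internet, a run time longer than the sample's sleep), so the payload stage is actually observed.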

Page 8

Popular Hacker Tool Sets


• Evader – Malicious scanning: check the targeted enterprise's resiliency
• Aircrack-ng – 802.11 Wi-Fi hacking
• Hydra – Remote authentication discovery and hacking tool
• Nmap & Wireshark – Host discovery and inspection of network traffic
• OWASP ZAP & Burp Suite – Web applications: test processes to find vulnerabilities
• sqlmap – Detection and exploitation of SQL; target databases
• Maltego – Discovery and information gathering
• Metasploit – Pen-testing and exploit development
• John the Ripper – Password cracking

Page 9

Cyber Protection Chain

Tool sets:
• Skilled security personnel
• Security assessments
• Managed SIEM
• Threat intelligence (open source / collaboration)
• IR support
• Vulnerability scanning and patch management
• Penetration testing (internal, external, web applications)
• DDoS defense / TDoS defense
• DNS security
• Multifactor authentication (minimum: critical applications)
• Endpoint security
• Forescout CounterACT (IoT/BYOD/rogue devices)
• Access control (USB / seize the endpoint)
• Security awareness
• Ethical hack
• Malware/threat protection: email, endpoint, network, web, and content (FireEye)
• Network-based firewall / MPLS
• NetBond to CSPs
• Secure email gateway (Proofpoint)
• Managed web application firewall (WAF)
• Incident response

Page 10

2016 Security Trends

Carry-over trends from 2015:
• Dynamic detection, threat intelligence and analytics
• Vulnerability and patch management
• MSSP – managed SIEM / improving detection times
• Security awareness
• DDoS attacks increasing
• Move to MPLS / VPN

2016 cyber security trends:
• Shattered perimeter – explosion of the digital enterprise, convenience vs. security (mobility, IoT, BYOD); assuming control of the endpoint
• Visibility in SSL
• Web security – potential of 1900 new gTLDs (advertising / watering holes)
• Virtualization of security appliances (cloud; provides agility and efficiency)
• DNS (securing port 53)