Government Technology Alabama DGS 16 presentation - Cyber Security: How do I know when I'm doing...
TRANSCRIPT
© AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
Alabama Digital Summit 2016
CIA Triad: Establish IT Objective
• Confidentiality
• Integrity (remains constant)
• Availability
Detection is the Weakest Link
Common intrusion detection methods lack the ability to detect multistep blended attacks.
Evolution of the Global Threat
800 million versions of APTs (achieved through combinations of malware) *McAfee
Incidents pictured on the slide: WA/LinkedIn, Darkhotel / Cryptolocker, AP Tweet, Aramco / State of MO

Nation State Actors (Espionage)
• Foreign governments that are interested in pilfering data, including intellectual property and R&D data across all verticals.
• Known Actors: NSA, GreenSky27, Unit 61398, TG2889, The DUKES

Organized Crime (Monetary)
• Groups that are interested in pilfering data, applying extortion techniques and using stolen data for financial gain
• Known Actors: Digital Mobs in the Ukraine, Russia, China

Terrorist (Ideology)
• Groups that use the network to compromise, destroy, or disrupt critical infrastructure or to harm the viability of our way of life
• Known Actors: Syrian Free Army / ISIS

Hacktivists (Justice)
• Motivated by social issues and feel compelled to use hacking as a tool to fight perceived injustice
• Known Actors: Anonymous / Vikingdom / Individuals
Is your Enterprise a Target?

State and Local Government
Data at Risk:
• Contracts and Legal Docs
• PII/SPI/PHI/CMC/FTI
• Emails/Texts/SSN#s (employees and citizens)
• Confidential information
• Fiscal/Budget Information
• Bank Routing #s, credit card data
• Identification Cards, Access to Restricted Areas
• Police Body Cam Footage
Infrastructure at Risk:
• Emergency / 911 Call Centers
• School System
• Utilities / Public Safety
• Databases, Websites
• Wi-Fi/WAN/LAN/Mobility Network

Education
Data at Risk:
• Finances, spending accounts
• Research Data
• Grants / Sponsors
• Test scores
• Lesson Plans
• Credit Card data (PCI)
• PII/SPI (Emails/Texts/SSN#s of employees and students)
• Student Records
• Athletics (playbooks, scouting, recruits)
Infrastructure at Risk:
• CRM
• Online testing
• Facilities
• Databases, Websites
• Wi-Fi/WAN/LAN/Mobility Network

Medical
Data at Risk:
• Medical information #s
• Research and/or medical trial data
• PII/PHI/SPI/CMC
• Emails/Texts/SSN#s (employees and patients)
• Health Records
• Prescriptions
• Identification Cards, Access to Restricted Areas
Infrastructure at Risk:
• Patient monitoring
• Nurse Call System
• Life support systems
• Facilities (power, plumbing)
• Databases, Websites
• Wi-Fi/WAN/LAN/Mobility Network
Cyber Kill Chain Framework (2010-2011)
Phases: Target / Compromise / Breach
• Recon: Malicious Scanning / Social Engineering / Surveillance / Internet Vulnerabilities
• Stage: Zeus, Nuclear, Angler, SpyEye kits, Custom code / Encrypted call back, Public IP space
• Launch: Spear Phishing / Malvertising / Watering Holes
• Exploit: Internet-wide or specific vulnerability in software (Flash/Heartbleed/Shell code)
• Install: Start with basic malware (RAT), identify adjacent systems, callback to drop site for more specialized malware
• Call Back (C&C): Establish connection (Web / Non-standard Ports / Protocols)
• Persist: Establish more persistence / Conduct internal recon / Data Exfiltration
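The stages above are the practical answer to the earlier slide's point that common intrusion detection misses multistep blended attacks: each stage leaves an event that is low-severity on its own, and the signal is the sequence. As an added example that is not part of the presentation, here is a small Python correlation routine that tags individual events with the kill-chain stage they indicate and alerts only when one internal host passes through several stages within a time window. The log format, the mailbox-to-host inventory, the port thresholds and the rule logic are all constructed for illustration, not taken from any product or from the slides.

```python
"""Kill-chain stage correlation over constructed log lines.

Added example (not from the presentation): each single event below is
low-severity on its own; the detection comes from seeing one host move
through several kill-chain stages in a short window. Log format, user-to-host
mapping, thresholds and rules are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage names from the slide, in kill-chain order.
STAGE_ORDER = ["Recon", "Stage", "Launch", "Exploit", "Install", "Call Back", "Persist"]

# Constructed asset inventory: correlation needs to tie a mailbox to a host.
USER_HOST = {"clerk@example.gov": "10.1.2.3"}

# Constructed log lines: "<ISO timestamp> <source> <ACTION> key=value ...".
SAMPLE_LOG = """\
2016-05-02T09:00:10 fw DENY src=203.0.113.7 dst=10.1.2.3 dport=22
2016-05-02T09:00:11 fw DENY src=203.0.113.7 dst=10.1.2.3 dport=23
2016-05-02T09:00:12 fw DENY src=203.0.113.7 dst=10.1.2.3 dport=445
2016-05-02T09:00:13 fw DENY src=203.0.113.7 dst=10.1.2.3 dport=3389
2016-05-02T09:00:14 fw DENY src=203.0.113.7 dst=10.1.2.3 dport=8080
2016-05-02T09:00:15 fw DENY src=203.0.113.7 dst=10.1.2.3 dport=5900
2016-05-02T10:15:00 mail DELIVERED to=clerk@example.gov attachment=invoice.doc.exe
2016-05-02T10:17:30 av HEURISTIC host=10.1.2.3 file=invoice.doc.exe verdict=suspicious
2016-05-02T10:18:05 proxy CONNECT host=10.1.2.3 dst=198.51.100.9:4444 proto=unknown
2016-05-02T10:20:00 edr SCHTASK host=10.1.2.3 task=UpdateSvc cmd=C:\\Users\\Public\\svc.exe
2016-05-02T11:00:00 fw DENY src=192.0.2.5 dst=10.9.9.9 dport=80
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_line(line):
    """Return (timestamp, source, action, fields) for one log line."""
    m = LINE_RE.match(line)
    ts = datetime.fromisoformat(m.group(1))
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group(4)))
    return ts, m.group(2), m.group(3), fields


def classify_event(source, action, fields):
    """Map one event to (stage, host, detail), or None if it implies no stage by itself."""
    if source == "mail" and fields.get("attachment", "").lower().endswith(".exe"):
        host = USER_HOST.get(fields.get("to"))
        return ("Launch", host, "executable attachment delivered") if host else None
    if source == "av" and fields.get("verdict") == "suspicious":
        return ("Exploit", fields["host"], "heuristic hit on " + fields["file"])
    if source == "proxy" and action == "CONNECT":
        port = int(fields["dst"].rsplit(":", 1)[1])
        if port not in (80, 443):  # non-standard port, as in the slide's Call Back stage
            return ("Call Back", fields["host"], "outbound connect to port %d" % port)
    if source == "edr" and action == "SCHTASK":
        cmd = fields["cmd"].lower()
        if not cmd.startswith(("c:\\windows", "c:\\program files")):
            return ("Persist", fields["host"], "scheduled task runs " + fields["cmd"])
    return None


def detect_scans(events, min_ports=5, window=timedelta(seconds=60)):
    """Aggregate firewall denies into Recon events: one external source probing
    at least min_ports distinct ports on one internal host within the window."""
    hits = defaultdict(list)
    for ts, source, action, f in events:
        if source == "fw" and action == "DENY":
            hits[(f["src"], f["dst"])].append((ts, f["dport"]))
    recon = []
    for (src, dst), seq in hits.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            ports = {p for t, p in seq[i:] if t - start <= window}
            if len(ports) >= min_ports:
                recon.append((start, "Recon", dst, "%s probed %d ports" % (src, len(ports))))
                break
    return recon


def correlate(log_text, min_stages=3, window=timedelta(hours=2)):
    """Alert on hosts that pass through min_stages distinct kill-chain stages
    within `window` of their first staged event."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    staged = detect_scans(events)
    for ts, source, action, f in events:
        hit = classify_event(source, action, f)
        if hit:
            staged.append((ts,) + hit)
    by_host = defaultdict(list)
    for ts, stage, host, detail in staged:
        by_host[host].append((ts, stage, detail))
    alerts = []
    for host, seq in sorted(by_host.items()):
        seq.sort()
        first = seq[0][0]
        in_window = [e for e in seq if e[0] - first <= window]
        stages = sorted({s for _, s, _ in in_window}, key=STAGE_ORDER.index)
        if len(stages) >= min_stages:
            alerts.append({"host": host, "stages": stages, "events": in_window})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert["host"], "->", " > ".join(alert["stages"]))
        for ts, stage, detail in alert["events"]:
            print("  ", ts.isoformat(), stage, detail)
```

Run on the constructed log, the single host 10.1.2.3 is reported with the stages Recon, Launch, Exploit, Call Back and Persist, while the lone denied packet to 10.9.9.9 produces nothing. The design point is that the per-stage rules are deliberately weak (a blocked scan, a heuristic verdict, one odd outbound port); what makes the alert worth an analyst's time is the requirement that several stages land on the same host, which is exactly what single-event signatures cannot express.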
Stages of Malware (Inline Assembly)
• Recon
• Stage
• Launch
• Exploit: Launch payload against known vulnerability / Avoid sandboxing heuristics and dependency walking
• Install: Download desired payload – Ransomware, key logger, etc.
• Call Back (C&C): Execute payload
• Persist

Sandbox Evasion Techniques:
• Check RAM: less than 1 GB, probably on a VM
• Red Pill – look for VMEs
• Look for input/output ports
• Check access to the internet
• Extended sleep – launch payload during reboot/shutdown (avoid WIN32)
• Compress malicious code 20 layers deep
Popular Hacker Tool Sets
• Evader – Malicious scanning; checks the targeted enterprise's resiliency
• Aircrack-ng – 802.11 / Wi-Fi hacking
• Hydra – Remote authentication discovery and hacking tool
• Nmap & Wireshark – Host discovery & inspection of network traffic
• OWASP ZAP & Burp Suite – Web applications; tests processes to find vulnerabilities
• sqlmap – Detection and exploitation of SQL injection; targets databases
• Maltego – Discovery and information gathering
• Metasploit – Pen-testing and exploit development
• John the Ripper – Password cracking
Cyber Protection Chain
Tool sets:
• Skilled Security Personnel
• Security Assessments
• Managed SIEM
• Threat Intelligence (Open Source / collaboration)
• IR Support
• Vulnerability Scanning and Patch Management
• Penetration testing (Internal, External, Web Applications)
• DDoS Defense / TDoS Defense
• DNS Security
• Multifactor Authentication (minimum: critical applications)
• End Point Security
• Forescout CounterACT (IoT/BYOD/Rogue)
• Access control (USB / seize the endpoint)
• Security Awareness
• Ethical Hack
• Malware/Threat Protection: Email, End Point, Network, Web, and Content (FireEye)
• Network Based Firewall / MPLS
• NetBond to CSPs
• Secure Email Gateway (Proofpoint)
• Managed Web Application Firewall (WAF)
• Incident Response
2016 Security Trends
Carry Over Trends from 2015:
• Dynamic Detection and Threat Intelligence and Analytics
• Vulnerability and Patch Management
• MSSP – Managed SIEM / Improving Detection Times
• Security Awareness
• DDoS attacks Increasing
• Move to MPLS / VPN

2016 Cyber Security Trends:
• Shattered Perimeter – Explosion of the Digital Enterprise, convenience vs. security (Mobility, IoT, BYOD); assuming control of the End-Point
• Visibility in SSL
• Web Security – Potential of 1900 new gTLDs (Advertising / Waterholes)
• Virtualization of Security Appliances (Cloud / provides agility and efficiency)
• DNS (Securing port 53)