Hit by a Cyberattack: lesson learned
How are we hacked and what to do when it happens
IFE, 8 December 2015
Jan Guldentops ( [email protected] ), BA N.V. ( http://www.ba.be )
Who am I?
Jan Guldentops (1973)
This year I will have been designing, building and securing server and network infrastructure for 20 years.
Founder of ULYSSIS (1994), Better Access (1996) and BA (2003)
Open Source Fundamentalist (after hours)
Strong practical background in ICT security.
Security consultant by accident: Beroepskrediet, 1996
Spend a lot of my time in the lab (R&D)
Important to remember:
Two ways we work with local governments: delivering complete solutions
Providing mercenaries: consultants who temporarily supplement the ICT manager's knowledge
Providing technical support and troubleshooting
Delivering solutions to local governments since 1996
In Short:
COMMON SENSE AS A SERVICE (CAAS)
The question is not if you're going to be hacked but when...
So what goes wrong? How do you get hacked?
The human factor
Stupidity, laziness and ignorance
Amateurism
The successful hack implies that the current network setup and / or procedures at DigiNotar are not sufficiently secure to prevent this kind of attack.
The most critical servers contain malicious software that can normally be detected by anti-virus software. The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.
The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced.
The software installed on the public web servers was outdated and not patched.
No antivirus protection was present on the investigated servers.
An intrusion prevention system is operational. It is not clear at the moment why it didn't block some of the outside web server attacks. No secure central network logging is in place.
Social engineering
If you want to know something, just ask! People talk too much.
Your organization is leaking info: Google is your friend.
Stupid leaks: leaking confidential info in references, etc.
Key employees who are passionate about their work often tell you everything
Phishing
You are thinking of: blonde Ukrainian ladies who can tell from your e-mail address that you are the man of their life.
Badly written or translated
So obvious
But what if a phishing expedition was custom made to push your buttons?
Spear Phishing
Sinterklaas: a custom-built phishing expedition, a surprise from Sinterklaas;
Well written e-mail
Perfect house style
Official url with a registered certificate
Sent to 200+ IT people: 35% tried to fill in their userid/password
before the security team blocked the URL.
I am not who I am
We still use userid/password for authentication: Bad passwords;
Badly managed passwords;
Unrealistic password policies;
One password for everything;
Clear-text storage of passwords;
No single centralised user and role management.
Tunnels
Dozens of ways to set up a return tunnel from the inside of an organisation: OpenVPN, SSH, iodine (IP over DNS), httptunnel, etc.
TeamViewer, N-able, LogMeIn, etc.
Hard to detect
Usually accidents waiting to happen
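The "hard to detect" point is the one worth working on. As an added example (my own, not from the talk), a small Python heuristic that scores DNS query logs for iodine-style tunnelling: a domain that receives many never-repeated, high-entropy subdomains carrying NULL/TXT records looks very different from normal browsing. The log format and the sample domains are constructed for this example.

```python
import math
from collections import defaultdict

# Constructed DNS query log, "<client> <qname> <qtype>" per line (format and names
# are made up for this example; real resolvers log in their own formats).
SAMPLE_LOG = """\
10.0.0.12 www.example.com A
10.0.0.12 mail.example.com MX
10.0.0.12 www.example.com A
10.0.0.12 cdn.example.com A
10.0.0.12 0aehdz3kq7xs.t.tun.example.org NULL
10.0.0.12 1bqlm9xcvu8r.t.tun.example.org NULL
10.0.0.12 2kd83nzqwy4p.t.tun.example.org TXT
10.0.0.12 3pz1vnd7r0xk.t.tun.example.org NULL
10.0.0.12 4wq7bxl0zmg5.t.tun.example.org TXT
"""
BULK_QTYPES = {"NULL", "TXT"}  # carry bulk payloads in iodine-style tunnels, rare from normal clients

def shannon_entropy(s):
    """Bits per character: random tunnel labels score high, real hostnames low."""
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def registered_domain(qname):
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname  # simplified; use the public suffix list for real

def score_domains(log_text, min_queries=4):
    """Per registered domain: query count, unique subdomains, mean label entropy, bulk-type ratio."""
    acc = defaultdict(lambda: {"n": 0, "subs": set(), "ent": 0.0, "bulk": 0})
    rows = [line.split() for line in log_text.splitlines()]
    for _client, qname, qtype in (r for r in rows if len(r) == 3):  # skip malformed lines
        qname, qtype = qname.lower().rstrip("."), qtype.upper()
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".")
        a = acc[dom]
        a["n"] += 1
        a["subs"].add(sub)
        a["ent"] += shannon_entropy(sub.replace(".", ""))
        a["bulk"] += qtype in BULK_QTYPES
    return {d: {"queries": a["n"], "unique_subdomains": len(a["subs"]),
                "mean_entropy": a["ent"] / a["n"], "bulk_ratio": a["bulk"] / a["n"]}
            for d, a in acc.items() if a["n"] >= min_queries}

def suspicious_domains(log_text, min_entropy=3.0, min_unique_ratio=0.8, min_bulk_ratio=0.5):
    """Flag a domain when at least two of the three tunnel indicators fire."""
    return sorted(d for d, m in score_domains(log_text).items()
                  if sum([m["mean_entropy"] >= min_entropy,
                          m["unique_subdomains"] / m["queries"] >= min_unique_ratio,
                          m["bulk_ratio"] >= min_bulk_ratio]) >= 2)
```

Tune the thresholds against your own resolver logs before alerting on them; CDNs and some anti-spam services also generate many unique, random-looking subdomains, so treat a hit as a lead for the SOC, not as proof of a tunnel.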
Others
Bad software;
No structured updates;
Security bolted on instead of by design;
Stuck in perimeter security;
Bad system management;
Mobilization;
Bring your own device;
The stakes have changed
Globalization
Cyberpunks versus the mob
Speed, damage
Target: 70,000,000 personal records
Exit security officer, CIO, CEO
Ashley Madison
So how do you know you are hacked ?
The obvious hacker: defaces your website;
Sends all your contacts stupid spam;
Uses all your CPU to mine bitcoins;
Attacks the whole world directly from your systems;
The discreet hacker: compromises your system and collects information
E.g. the Belgacom hack: compromised since at least 2007!
So how do you find these ?
Integrity checks / host-based IDS
Honeypot
Network-based IDS
Analyze your logs (SIEM)
Monitor your infrastructure
What to do when you find something strange ?
Don't panic!
You're not the first to be hacked and certainly not the last.
Focus on analyzing the problems and securing your environment.
At least you know you are compromised... That's a good sign!
Handle the situation
Collect a team to handle the security situation.
These days there is cyber insurance: AIG, Cyber contract, ADD, etc.
This can be made up of internal staff and/or external consultants.
Draft a plan
Execute it
Isolate or offline
Get the compromised applications, machines, accounts and data isolated and preferably offline.
Take care that no other parts of your environment are infected.
Literally or virtually pull the ethernet cable or power plug.
Preserve as much data as you can. Secure backups!
Collect data
Collect as much data as you can: Log files;
Network traffic;
Forensic copies of compromised systems; e.g. with Kali Linux.
You'll need this to analyze what happened, what they took and who did it. It is also legally important.
Find out what happened
Analyze the attack, find out what happened
Check what data and systems are compromised. Presume everything is compromised until you know.
Try to understand what happened
Find out what the consequences are...
Disclose and communicate
Disclose what happened in a structured, complete way: To law enforcement;
To partners ;
To employees ;
To customers ;
Learn and adapt
Learn from your mistakes: Change your security policy and procedures
Learn from the hack and how your organization responded to it
Adapt
It will happen again, so get more ready for it
Thank You
Contact us
016/29.80.45
016/29.80.46
www.ba.be / Twitter: batweets
Remy Toren, Vaartdijk 3/501, B-3018 Wijgmaal
Twitter: JanGuldentops
http://be.linkedin.com/in/janguldentops/