Monthly Cyber Threat Briefing February 2015


Page 1: Monthly Cyber Threat Briefing - HITRUST · 2015-10-12 · © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit 8 Top Command and Control Hosting by Geo Country/Port


2 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Revised Format
•  Based on feedback
•  Goal is to make the information more useful and usable
•  Purpose:
–  Provide situational awareness of current and emerging cyber threats relevant to healthcare organizations
–  Provide insights into threat actors, including motives and methods
–  Provide insights into information security product effectiveness
–  Share metrics on the effectiveness of information sharing across the industry and compared to other industries
–  Share lessons learned and best practices


Revised Format
•  Situational awareness

–  Emerging cyber threats and associated vulnerabilities

–   Information security product effectiveness

–  Threat actors and their motives

•  Retrospective review

–  What cyber threats are being seen in healthcare

–  How effectively are we information sharing in industry and across industries


Revised Format
•  Information Security Controls

–  What CSF controls relate to current and emerging cyber risks

•  Education

–  Best practices

–  Lessons learned

–  CISO perspectives

•  Need feedback


Presenters
•  Daniel Nutkis - CEO, HITRUST
•  Dennis Palmer - Senior Security Analyst, HITRUST
•  Colby DeRodeff - Chief Strategy Officer, ThreatStream
•  Adam Meyers - VP, Threat Intelligence, CrowdStrike
•  Bob Walder - President & CTO, NSS Labs, Inc.
•  Mike Backherms - Senior Analyst, US CERT / Department of Homeland Security
•  Wesley Snell Jr. - Director, Computer Security Incident Response Center (CSIRC), U.S. Department of Health and Human


Threat Capabilities Report
•  Flash, Silverlight, and Internet Explorer are widely used applications that were targeted in February 2015, as seen by NSS Labs
–  Exploit techniques discovered in November 2014 made it considerably easier to write exploits against them
–  Source code and backend data for the Rig exploit kit were leaked online during February

Data from February 2015 - NSS Labs


Targeted Applications and Operating Systems

App/OS combination matrix. OS columns: Windows 7, Windows 7 SP1, Windows 8, Windows 8.1, Windows Vista SP1, Windows XP SP3. Application rows, with the number of OS columns marked as targeted for each: Adobe Flash Player 11.4 (1), Adobe Flash Player 13 (1), Internet Explorer 10 (1), Internet Explorer 11 (1), Internet Explorer 6 (1), Internet Explorer 7 (2), Internet Explorer 8 (3), Internet Explorer 9 (3), Silverlight 4.0.6 (1), Silverlight 5 (1). Which OS column each mark falls in did not survive extraction.

Data from February 2015 - NSS Labs


Top Command and Control Hosting by Geo

Country/Port matrix. Port columns: 80, 81, 2014, 3204, 8888, 5555, 5895, 5682, 1113, 6311. Country rows, with the number of ports marked for each: China (6), Hong Kong (3), Poland (1), Taiwan (1), United States (5). Which port each mark falls in did not survive extraction.

Commonly used command and control server locations in combination with 10 commonly used callback ports

Data from February 2015 - NSS Labs
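The slide above lists ten callback ports without saying how a defender would use them. The following added example (not from the briefing or from NSS Labs) turns the port list into a watch-list and runs it over outbound connection records, pairing it with a beacon-timing check: C2 implants tend to call home at a fixed interval, so near-constant gaps between contacts to the same peer are a second signal. The flow records, IP addresses and the jitter threshold are constructed assumptions for the example.

```python
"""Spot possible command-and-control callbacks in outbound connection logs.

Added example, not part of the HITRUST briefing or the NSS Labs data: the
ten callback ports from the slide become a watch-list, flows are grouped per
(source, destination, port), and each peer is checked for two C2 traits:
a non-standard port from the list and regular "beacon" timing.
All flow records below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Callback ports listed on the slide. Port 80 is also ordinary web traffic, so on
# its own it is not a signal; for it, only the timing test applies.
CALLBACK_PORTS = {80, 81, 2014, 3204, 8888, 5555, 5895, 5682, 1113, 6311}
NOISY_PORTS = {80}

# Constructed flow records: (epoch seconds, source IP, destination IP, dst port)
FLOWS = [
    (1000, "10.1.1.5", "203.0.113.9", 5555),   # every 300 s to a listed port
    (1300, "10.1.1.5", "203.0.113.9", 5555),
    (1600, "10.1.1.5", "203.0.113.9", 5555),
    (1900, "10.1.1.5", "203.0.113.9", 5555),
    (2000, "10.1.1.8", "198.51.100.21", 80),   # every 600 s over plain HTTP
    (2600, "10.1.1.8", "198.51.100.21", 80),
    (3200, "10.1.1.8", "198.51.100.21", 80),
    (3800, "10.1.1.8", "198.51.100.21", 80),
    (4400, "10.1.1.8", "198.51.100.21", 80),
    (1010, "10.1.1.7", "198.51.100.20", 80),   # irregular browsing, ignored
    (1015, "10.1.1.7", "198.51.100.20", 80),
    (1700, "10.1.1.7", "198.51.100.20", 80),
    (2200, "10.1.1.7", "198.51.100.20", 80),
    (1050, "10.1.1.9", "192.0.2.33", 443),     # too few contacts to judge
    (1250, "10.1.1.9", "192.0.2.33", 443),
    (2900, "10.1.1.9", "192.0.2.33", 443),
]


def is_periodic(timestamps, min_count=4, max_jitter=0.2):
    """True when the gaps between contacts are near-constant (beacon-like).

    max_jitter is the allowed coefficient of variation (stdev / mean) of the
    gaps; 0.2 is an assumed tuning value, not a figure from the briefing.
    """
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter


def find_c2_candidates(flows):
    """Group flows per peer and report those showing a C2 trait, with reasons."""
    by_peer = defaultdict(list)
    for ts, src, dst, port in flows:
        by_peer[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), stamps in by_peer.items():
        reasons = []
        if port in CALLBACK_PORTS and port not in NOISY_PORTS:
            reasons.append(f"destination port {port} is on the C2 callback watch-list")
        if is_periodic(stamps):
            reasons.append(f"{len(stamps)} contacts at a regular interval")
        if reasons:
            findings.append({"src": src, "dst": dst, "port": port, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_c2_candidates(FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']}  " + "; ".join(hit["reasons"]))
```

The two host pairs that are reported differ in why: the first hits both the port watch-list and the timing test, the second only the timing test, which is why plain port 80 is kept in the port set but excluded from the port-only rule.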


Rig Exploit Kit Exploit Capabilities
•  Java
•  Silverlight
•  Internet Explorer
•  Flash

Successful Exploits Per Operating System

Exploit Count   Operating System      % Distribution
2729            Windows 7             39.7%
1483            Windows 8.1           21.6%
 891            Unknown               12.9%
 857            Windows XP            12.5%
 549            Windows Vista          8.0%
 169            Windows 8              2.5%
  93            Windows Server 2003    1.4%
  90            Windows 2000           1.3%
  20            Windows 98             0.3%

Source: NSS Labs


Rig Exploit Kit Exploits by Browser

Exploit Count   Browser      % Distribution
2988            MSIE 11.0    43.5%
1198            MSIE 8.0     17.4%
 795            Unknown      11.6%
 766            MSIE 9.0     11.1%
 656            MSIE 7.0      9.5%
 430            MSIE 10.0     6.3%
  40            MSIE 6.0      0.6%

Exploits by Country

Exploit Count   Country Code   % Distribution
3849            IT             55.9%
2118            US             30.8%
 211            XX              3.1%
 131            SG              1.9%
  81            CA              1.2%
  49            CZ              0.7%
  39            AU              0.6%
  37            FR              0.5%

Source: NSS Labs


Trending

Compromised Credentials
–  Currently tracking 1.12 million
–  Action:
•  Customized alerting
•  Forcing password changes
•  Monitoring access


Trending

Suspicious Domain Registrations
–  Currently tracking 226 new in the last 3 weeks
–  Action:
•  Blocking at proxy / firewall
•  Takedown
•  Sinkhole for research purposes

Dropper tools dropping basic Backdoors / RATs
–  PlugX, Poison Ivy


Example Suspicious Domain Registrations

(company)real.net
Registrant Name: Kenji Hiraiwa
Registrant Organization: GMO DigiRock, Inc.
Registrant Street1: 3-1 Ofuka-cho

(company)solutions.com
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com

(company)401k.com
Registrant Name: Jeremy Rettich
Registrant Street: 2111 Allendale Place
Registrant City: Nolensville
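The three registrations above share one pattern: the organization's name with a plausible word appended, sometimes behind a WHOIS privacy service. The added example below (not from the briefing and not the HITRUST or ThreatStream tooling) is a small scorer for that pattern, so a team can feed a daily new-registration list through it and hand the hits to the "blocking at proxy / firewall" and takedown actions from the previous slide. The brand name, domains, registrant names and the extra suffixes beyond real/solutions/401k are constructed assumptions.

```python
"""Score newly registered domains that look like an organization's brand.

Added example, not from the HITRUST briefing: a heuristic for the
"suspicious domain registrations" use case above. The brand, domains and
registrant fields are constructed test data; the suffix list is seeded from
the briefing's own (company)real / (company)solutions / (company)401k
examples plus a few assumed extras.
"""
import re
from dataclasses import dataclass

# Words appended to a brand to build a plausible lookalike domain.
LOOKALIKE_SUFFIXES = ("real", "solutions", "401k", "hr", "benefits", "login", "portal")

# Privacy services are legitimate, so a hidden registrant only adds weight.
PRIVACY_REGISTRANTS = ("domains by proxy, llc", "registration private", "whoisguard")


@dataclass
class Registration:
    domain: str
    registrant_name: str
    registrant_org: str


def _collapse_repeats(label):
    """'myhealthcareee' -> 'myhealthcare': normalises repeated-letter typosquats."""
    return re.sub(r"(.)\1+", r"\1", label)


def score_registration(reg, brand, owned_domains):
    """Return (score, reasons); 0 means the domain is ours or unrelated."""
    domain = reg.domain.lower().rstrip(".")
    if domain in owned_domains:
        return 0, []
    label = domain.split(".")[0]        # registrable label, e.g. "acmehealthreal"
    brand = brand.lower()

    if label == brand:
        score, reasons = 3, ["brand name registered under another TLD"]
    elif label.startswith(brand) and label[len(brand):] in LOOKALIKE_SUFFIXES:
        score, reasons = 3, [f"brand plus lookalike suffix '{label[len(brand):]}'"]
    elif _collapse_repeats(label) == _collapse_repeats(brand):
        score, reasons = 3, ["repeated-letter typosquat of the brand"]
    elif brand in label:
        score, reasons = 2, ["brand name embedded in the label"]
    else:
        return 0, []                    # unrelated to the brand

    hidden = {reg.registrant_name.lower(), reg.registrant_org.lower()}
    if hidden & set(PRIVACY_REGISTRANTS):
        score += 1
        reasons.append("registrant hidden behind a privacy service")
    return score, reasons


def flag_registrations(registrations, brand, owned_domains, threshold=2):
    """Registrations scoring at or above the threshold, most suspicious first."""
    flagged = []
    for reg in registrations:
        score, reasons = score_registration(reg, brand, owned_domains)
        if score >= threshold:
            flagged.append((reg.domain, score, reasons))
    return sorted(flagged, key=lambda item: -item[1])


# Constructed feed of recent registrations (names and organisations are made up).
SAMPLE_REGISTRATIONS = [
    Registration("acmehealthreal.net", "J. Doe", "Example Registrar KK"),
    Registration("acmehealthsolutions.com", "Registration Private", "Domains By Proxy, LLC"),
    Registration("acmehealth401k.com", "R. Roe", ""),
    Registration("acmehealth.com", "Acme Health IT", "Acme Health"),
    Registration("acmehealthh.net", "P. Poe", "Example Registrar KK"),
    Registration("bobsbakery.com", "B. Baker", ""),
]

if __name__ == "__main__":
    for domain, score, reasons in flag_registrations(SAMPLE_REGISTRATIONS, "acmehealth", {"acmehealth.com"}):
        print(f"{score} {domain}: {'; '.join(reasons)}")
```

The owned-domain set matters: without it the organization's own registrations score as exact brand matches and flood the output, so keep that list current when new legitimate domains are bought.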


Threat Anatomy Mapping to the Cyber Kill Chain


Threat Anatomy—Current Example
Weaponization and Delivery
–  Fake site set up, like myhealthcareee.com or a Citrix remote management-style portal
–  Site looks legitimate


Threat Anatomy—Current Example
Delivery
–  Internal users targeted
•  LinkedIn is a powerful tool
•  Phishing emails sent


Threat Anatomy—Current Example
Exploit / Installation
•  Drop tools on website – collect logins
•  Credentials compromised / user machine compromised
•  Can now interact to drop additional targeted code


Threat Anatomy—Current Example
Command and Control
•  Admin tools to hide
•  Domain credentials
•  Internal reconnaissance
•  Lateral movement to medical records

Actions
•  Data exfiltration
•  Common methods – SCP, FTP, SFTP, HTTP upload


Threat Actor Analysis - Deep Panda

•  Discussion on motives and methods


CozyCar Malware Activity
•  Public sector targeting with activity dating to mid-2014
•  Spear-phishing used as primary means of delivery
•  Malware improvements most likely to overcome detection – even use of Twitter for additional commands
•  Message lures change in each campaign—most recently focus on finance and economics

Malicious Websites:
§  fese[]eu
§  doa.la[]gov
§  europeanissuers[]eu
§  diplomacy[]pl
§  frontrage360[]com
§  courtnotify.elpasotexas[]gov
§  sanjosemaristas[]com

Source: HHS


CSF Controls Related to Threats
•  CSF Control for Compromised Credentials

–   Control Reference: 01.d User Password Management

•   Control Text: All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user.

•   Implementation requirement: Passwords should be confidential, passwords should be changed under indication of compromise, passwords should not be reused, passwords should not be shared or provided to anyone.

–   Control Reference: 01.j User Authentication for External Connections

•   Control Text: Appropriate authentication methods shall be used to control access by remote users.

•   Implementation requirement: Remote users shall be authenticated by use of a password/passphrase and at least one of the following: Certificate, Challenge/Response, Software Token, Hardware Token, Cryptographic or Biometric Technique


CSF Controls Related to Threats
•  CSF Control for Suspicious Domain Registrations

–   Control Reference: 01.i Policy on the Use of Network Services

•   Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.

•   Implementation requirement: The organization shall specify the networks and network services to which users are authorized access.

–   Control Reference: 01.m Segregation in Networks

•   Control Text: Groups of information services, users, and information systems should be segregated on networks

•   Implementation Requirement: Security gateways (e.g. a firewall) shall be used between the internal network, external networks (Internet and 3rd party networks), and any demilitarized zone (DMZ).


CSF Controls Related to Threats
•  CSF Control for Dropper tools dropping basic Backdoors / RATs

–  Control Reference: 09.j Controls Against Malicious Code

•  Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.

•   Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.


Making Intelligence Actionable
•  Cyber Threat Exchange for Healthcare
•  Enables actionable intelligence
•  Cross-industry collaboration
•  Proactive detection of new threats


Components of a Collaboration Platform

Legacy process (labels from the slide diagram):
–  Threat Team: Threat intel collected → Manual analysis → Upload to internal site
–  OPS Team: Retrieval of threat intel → Manual load to SIEM → Analysis and feedback to Threat Team

Automated process (labels from the slide diagram):
–  Threat Team: Threat intel collected → Data: pre-process / format → Upload to OPTIC
–  Pre-process, aggregate, analyze → Analyst feedback and collaboration → Alert analysis → Security infrastructure

48% cite reduction in incidents through early prevention due to CTI – SANS CTI Survey


Information Sharing and Collaboration
•  Provides situational awareness and context across organizational and geographical boundaries

•  Force multiplier – leverage your peers

•  Data Classifications Rules

•  TLP Protocol

•  Automated distribution

•  Platform Agnostic


I want to collaborate, but what do I share?

Let's start with what can actually be shared (external data):
–  Email addresses
–  File hashes (MD5 / SHA256)
–  Domain names
–  URLs
–  User agents

Now what use cases?
•  What do you see in the SOC?
–  Phishing campaigns
–  Suspicious / scanning / brute-force login IPs
–  Logins from hosting providers
–  Malware outbreaks – file MD5s

You're Not Alone – Collaboration is a Force Multiplier
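Before an indicator from the SOC can be shared it has to be in a form a peer's SIEM can match on, typed, and marked with how far it may travel. The following added example (not from the briefing and not the Cyber Threat Xchange platform's own code) does that for the five indicator types listed above: it refangs the bracket notation the CozyCar slide uses for domains, classifies each indicator, attaches a TLP marking and filters out what must not leave the organization. The indicators, the "constructed" source tag and the user-agent heuristic are assumptions made for the example.

```python
"""Normalize, classify and TLP-mark indicators before sharing them.

Added example, not part of the HITRUST briefing or the Cyber Threat Xchange
platform. Refangs "[.]" / "[]" style defanging (the CozyCar slide prints
domains as fese[]eu), classifies each indicator into the shareable types the
slide lists (email address, file hash, domain name, URL, user agent) and
stamps every record with a Traffic Light Protocol marking.
All indicators below are constructed.
"""
import re

TLP_LEVELS = ("RED", "AMBER", "GREEN", "WHITE")   # TLP markings in use in 2015

# Order matters: an e-mail address contains a domain, a URL contains a host.
_PATTERNS = [
    ("email",  re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")),
    ("md5",    re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("url",    re.compile(r"^https?://\S+$", re.I)),
    ("domain", re.compile(r"^(?!-)[a-z0-9-]{1,63}(\.[a-z0-9-]{1,63})+$", re.I)),
]


def refang(value):
    """Turn a defanged indicator back into its machine-matchable form."""
    v = value.strip()
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", v, flags=re.I)
    v = re.sub(r"hxxp", "http", v, flags=re.I)
    v = re.sub(r"\[\]", ".", v)          # "fese[]eu" style as printed on the slide
    return v


def classify(value):
    """Return (indicator type, refanged value); type is 'unknown' if nothing fits."""
    v = refang(value)
    for kind, pattern in _PATTERNS:
        if pattern.match(v):
            return kind, v
    if "/" in v and "(" in v:            # assumed heuristic: "Mozilla/4.0 (compatible; ...)"
        return "user_agent", v
    return "unknown", v


def build_record(raw, tlp, source):
    """One sharing record; rejects TLP markings outside the defined set."""
    if tlp not in TLP_LEVELS:
        raise ValueError(f"unknown TLP marking: {tlp}")
    kind, value = classify(raw)
    return {"type": kind, "value": value, "tlp": tlp, "source": source, "raw": raw.strip()}


def shareable(records):
    """Only classified, non-RED records leave the organization."""
    return [r for r in records if r["type"] != "unknown" and r["tlp"] != "RED"]


# Constructed SOC findings, defanged the way an analyst would paste them.
SAMPLE_INDICATORS = [
    "malware-example[]net",
    "hxxp://notify.example[.]com/login",
    "invoice@attacker-example[.]com",
    "d41d8cd98f00b204e9800998ecf8427e",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "not an indicator at all",
]

if __name__ == "__main__":
    records = [build_record(i, "GREEN", "constructed-soc-feed") for i in SAMPLE_INDICATORS]
    for rec in shareable(records):
        print(f"TLP:{rec['tlp']} {rec['type']:10} {rec['value']}")
```

Keeping the raw defanged string alongside the refanged value lets a recipient see exactly what was submitted, while the refanged value is what gets loaded into a proxy block-list or SIEM lookup.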


Evolving research—not just IOCs

Workflow (labels from the slide diagram): Research / Author → Community Review → Publish / Distribute → SIEM / Alerting, with data classification applied at publication and feedback, collaboration and validation from the community.


Collaboration in Action
•  Threat Intelligence Packages actively being submitted by the community (86 public or trusted-community submissions)

https://hitrustctx.threatstream.com/tip/8


Collaboration in Action

https://hitrustctx.threatstream.com/tip/17


Collaboration in Action

https://hitrustctx.threatstream.com/tip/24


Additional Information
•  Sign up for briefings and alerts

–  www.hitrustalliance.net/cyberupdates/

•   CyberRX 2.0 exercise information, or Spring 2014 exercise findings

–  www.hitrustalliance.net/cyberrx/

•   Cyber Threat Xchange (free subscription)

–  hitrustalliance.net/ctx-registration/


Additional Information
•  Additional content available at:

–  https://hitrustalliance.net/content-spotlight/