© 2014 McGladrey LLP. All Rights Reserved.

Smelling the Coffee: Waking Up to the Challenge of IT Hackers

GFAO Annual Conference May 18, 2014


Introduction


• Daimon Geopfert
• McGladrey National Leader, Security and Privacy Consulting
• Located in Detroit, MI
• I am not an auditor but I play one on your network

• Penetration Testing
• Vulnerability Assessment
• Security Monitoring
• Incident Response
• Forensics & Investigations

• Former DoD, AFOSI-CCI, AIA

• All business, all the time


Overview and Misconceptions


Misconceptions


• Understand that modern threats are built to bypass preventative controls, but many organizations place almost 100% reliance on these mechanisms for their security

• You must have robust detective and corrective controls

(Diagram: the layers of controls standing between Threat Complexity and Critical Data and Systems)
 - Preventive: Vulnerability Management, Patch Management, Access and Authentication, IPS, Configuration Management, AV Blocking
 - Detective: SIEM & MSSP, IDS, DB Activity Monitoring, Compliance Monitoring, Operational Monitoring, AV Host & Network Alerts
 - Corrective: Incident Response, Forensics, AV Quarantine, Isolation, DR/BC, Admin/Legal Actions


Misconceptions

• Compliance does not equal security: compliance = you’ve built the foundation to get secure

• Security is not bought
  • Tools are tools, not solutions
  • You can absolutely do security “on the cheap” if it is done correctly
  • Security cannot be successful unless it is embedded in a variety of enterprise policies and processes

• Security threats do not only come from “out there”
  • Attacks by rogue employees, mistakes, and fraud are not common, but result in immense damage when they occur
  • Remember, once the bad guys breach your external boundary they are now a version of insider threat


Misconceptions

Food For Thought: Legacy Universe of Attackers
 - Underground markets bring the two sides together
 - Motivated attackers place bounties for the skilled attackers to chase
 - Skilled attackers breach environments and sell access to motivated attackers

(Diagram: two overlapping circles, “Attackers with the Skill” and “Attackers with the Motivation”; the overlap is the “Attackers of Concern”)


Misconceptions

The attackers are not exactly who you think they are
 - The underground economy has lowered the knowledge threshold
 - Skilled attackers make more money at less risk by selling their knowledge in packaged form: kits, automation, subscriptions, malware pre-packs, etc.
 - Result: pseudo “APT” attackers, a.k.a. “idiots with nuclear weapons”


Security Threat Updates “When in danger or in doubt, run in circles, scream and shout.” [Herman Wouk]


Security Threats

Threats to systems and data have shifted rapidly in the last 24 months
 - Many of the standard methods of protection are now being bypassed with ease
 - Attackers have moved from brute force to simplicity, misdirection, and abuse of trust

Over 90% of the incidents we have worked in the last 24 months have come from “the big 3”:
 - Social Engineering
 - Client Side Attacks
 - Custom Malware


Social Engineering


• Fancy name for traditional “con games”
• Attacking an environment via manipulating people
• Focused on user habits, mannerisms, human nature, entrenched organizational procedures and activities
• The attack vector of choice for many advanced attackers
• Typical countermeasures such as firewalls, anti-virus, and intrusion detection systems are almost worthless against it
• Social Engineering can be technical in nature but inherently targets the weaknesses in humans rather than systems
• It can only be addressed via a combination of technical, administrative, and personnel controls


Social Engineering Tactics


• Example KISS (“keep it simple, stupid”) attack: Credential Harvesting (screenshot)
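As an added worked example (not part of the original deck): a credential-harvesting page is usually served from a domain that merely resembles the victim’s own, so one cheap detective control is to flag form submissions to look-alike domains in the web-proxy log. The organization domain, user names, hosts and log format below are constructed, and the registrable-domain logic is deliberately naive (it ignores multi-label public suffixes such as co.uk).

```python
"""Flag credential submissions (POSTs) to domains that imitate the organization's own.
Added example, not from the original presentation. All inputs are constructed."""
import unicodedata
from urllib.parse import urlsplit

ORG_DOMAINS = {"example.com"}   # assumption: the organization's legitimate registrable domains

# Proxies log internationalized hosts in punycode; this is what "exämple.com" looks like on the wire.
IDN_HOST = "exämple.com".encode("idna").decode("ascii")

# Constructed proxy lines: <timestamp> <user> <method> <url> <status>
PROXY_LOG = f"""\
2014-05-18T09:12:01 jdoe   GET  https://mail.example.com/owa/ 200
2014-05-18T09:14:33 jdoe   POST https://examp1e.com/owa/auth.php 302
2014-05-18T09:20:10 asmith POST https://example.com.login-portal.biz/ 200
2014-05-18T09:25:44 asmith POST https://accounts.google.com/signin 200
2014-05-18T09:30:02 bking  POST http://{IDN_HOST}/login 200
"""


def levenshtein(a, b):
    """Edit distance; a small value between domain labels indicates typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive registrable domain: the last two labels (ignores suffixes like co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def normalize_host(host):
    """Decode punycode and strip diacritics so 'exämple.com' compares as 'example.com'."""
    try:
        decoded = host.encode("ascii").decode("idna")
    except UnicodeError:
        decoded = host
    nfkd = unicodedata.normalize("NFKD", decoded)
    return "".join(ch for ch in nfkd if not unicodedata.combining(ch)).lower()


def lookalike_reason(host):
    """Return why a host looks like an imitation of ORG_DOMAINS, or None if it does not."""
    if registrable(host) in ORG_DOMAINS:
        return None                      # the organization's own domain or a subdomain of it
    norm = normalize_host(host)
    norm_reg = registrable(norm)
    if norm != host.lower() and norm_reg in ORG_DOMAINS:
        return f"homoglyph/IDN domain that displays as {norm_reg}"
    for org in ORG_DOMAINS:
        distance = levenshtein(norm_reg.split(".")[0], org.split(".")[0])
        if 0 < distance <= 2:
            return f"typosquat of {org} (edit distance {distance})"
        if org in norm:
            return f"brand {org} buried in a subdomain of {norm_reg}"
    return None


def find_credential_harvest(log):
    """Return (timestamp, user, host, reason) for every POST to a look-alike domain."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        timestamp, user, method, url, _status = line.split()
        if method != "POST":
            continue                     # harvesting needs a form submission, not a page view
        host = urlsplit(url).hostname or ""
        reason = lookalike_reason(host)
        if reason:
            hits.append((timestamp, user, host, reason))
    return hits


if __name__ == "__main__":
    for hit in find_credential_harvest(PROXY_LOG):
        print(*hit)
```

The three flagged rows are the three classic shapes of a harvesting domain (a one-character typo, the real brand hidden in a subdomain of an unrelated domain, and a homoglyph that only differs once punycode is decoded); the legitimate OWA logon and the Google sign-in pass. In production the same check is better run against a public-suffix list and the organization’s full brand list, and a hit is a reason to reset the user’s password, not just to raise a ticket.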


Client Side


• What is a client-side attack? Flip the attack model on its head
• Traditional attacks are “server-side”
  • The attacker goes after a service being “served” by the target
  • In plain English, the attacker goes to the target system and directly attacks some resource

(Diagram: Mr. Hacker connecting inbound to the target’s listening ports: 80, 139, 445, etc.)


Client Side


• A client-side attack means the attacker takes the role of the server and the victim is acting as the client
  • The attacker offers something to the target
  • In plain English, the attacker needs the target system to come to them or accept something from them
  • Can be as simple as viewing a web page but can also involve local files such as documents

(Diagram: Mr. Target connecting outbound to Mr. Hacker’s served ports: 80, 139, 445, etc.)


Client Side


• Client-side attacks are effective because many organizations struggle to patch non-OS software
  • Web browsers, Java, Adobe products, QuickTime, etc.


Custom Malware


• Common Controls
  • Is anti-virus deployed?
  • Is it on users’ systems, servers, mail, etc.?
  • Are the signatures updated regularly?
  • Are scans run regularly?

• Reality
  • Attackers purchase the same subscriptions and appliances as everyone else in order to perform QA of their malware products
  • AV, being signature based, is limited to what it knows
  • What happens if attackers make their malware look different from what AV knows?
  • Many organizations are dealing with malware outbreaks, of varying scales, on a monthly basis
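The “QA” loop above, as an added example that is not part of the original deck: a toy signature scanner (one content pattern plus one whole-file hash), the attacker re-packing a sample until the scanner they bought goes quiet, and the defender-side answer of scanning what the sample unpacks itself into. The “payload” is a harmless constructed string standing in for a malicious file; the packer, stub and signature names are invented for the illustration.

```python
"""Why signature-based AV loses to attacker-side QA.
Added example, not from the original presentation. The 'payload' is a harmless
constructed string standing in for a malicious file; the 'AV' is a toy matcher."""
import hashlib

# Constructed stand-in for a known-bad file; nothing here executes anything.
PAYLOAD = b"CONSTRUCTED SAMPLE: beacon to c2.example.invalid every 300s"

# What the scanner knows: a content pattern and a whole-file hash.
CONTENT_SIGS = {"Demo.Beacon.A": b"c2.example.invalid"}
HASH_SIGS = {"Demo.Beacon.A!sha256": hashlib.sha256(PAYLOAD).hexdigest()}


def scan(blob):
    """Toy signature scanner: returns the names of every signature that fires."""
    hits = [name for name, pattern in CONTENT_SIGS.items() if pattern in blob]
    digest = hashlib.sha256(blob).hexdigest()
    hits += [name for name, known in HASH_SIGS.items() if known == digest]
    return sorted(hits)


def repack(payload, key):
    """Attacker-side packer: a 4-byte stub, the one-byte key, then the XOR-encoded body."""
    return b"STUB" + bytes([key]) + bytes(b ^ key for b in payload)


def unpack(blob):
    """What the packed sample does to itself at run time (and what an emulator can replay)."""
    if blob.startswith(b"STUB") and len(blob) > 5:
        key = blob[4]
        return bytes(b ^ key for b in blob[5:])
    return None


def attacker_qa(payload):
    """The malware vendor's 'QA': keep re-packing until the scanner they bought stays silent."""
    for key in range(1, 256):
        candidate = repack(payload, key)
        if not scan(candidate):
            return key, candidate
    raise RuntimeError("no key evaded the scanner")


def scan_with_emulation(blob):
    """Defender-side improvement: scan the sample and whatever it unpacks itself into."""
    hits = scan(blob)
    inner = unpack(blob)
    if inner is not None:
        hits += [name + " (after unpack)" for name in scan(inner)]
    return hits


def demo():
    key, evasive = attacker_qa(PAYLOAD)
    return {
        "known_sample": scan(PAYLOAD),                 # both signatures fire
        "one_byte_appended": scan(PAYLOAD + b"\n"),   # the hash signature is already dead
        "repacked": scan(evasive),                    # nothing fires
        "repacked_emulated": scan_with_emulation(evasive),
        "key": key,
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:>18}: {result}")
```

The point of the one-byte-appended case is that a hash signature dies on any change at all, and the point of the repacked case is that a content signature dies as soon as the bytes it matches are no longer visible at rest; the first key the loop tries already wins. Real engines answer with emulation, memory scanning and behaviour rules, which is why the deck’s advice is to treat AV as a foundation rather than the whole posture.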


Custom Malware


• Malware Generation Rates (chart)

Recommendations

Recommendations

Bring security into the Risk Management process
 - Necessary to create APPROPRIATE controls
 - Horses and fences… It is not meant to bring risk to zero
 - It is only meant to create a rational, non-emotional approach to managing risk
 - Notice the loop…

(Diagram: External Drivers (Industry, Regulatory, Threats) and Internal Drivers (Business Processes, Policies and Procedures, Metrics, Resources) feed a Risk Management loop: Analyze and Design → Implement → Deploy and Educate → Oversight → back to Analyze and Design)


Recommendations – Social Engineering

Conduct regular training and awareness campaigns in this area
 - Hint: they do not need to be expensive; try forwarding sample news articles

Conduct a social engineering test at least once a year
 - Do NOT punish failure; identify areas that need additional training

Do NOT punish failure
 - The user has the “Uh Oh” moment
 - If you nuke the first person that comes forward, what will the rest do?


Recommendations – Client Side

Understand that the most common way for a system to be compromised isn’t from someone “shooting at it”

If employees can add new software to a system it must still be properly maintained
 - Turn on auto-updates
 - Disable (or remove) software that is not used
 - Understand that your IT team often cannot see the patch status of 3rd party apps such as Java, QuickTime, Flash, etc.

“I looked but didn’t download anything” isn’t safe
 - These attacks are no longer limited to the dark underbelly of the Internet
 - “Watering hole” attacks: the attacker compromises a legitimate site the target population already visits and lets the victims come to them


Recommendations – Custom Malware

Understand AV is becoming less and less effective
 - Foundational element of your security posture, but don’t place sole reliance on these solutions
 - PCs need to do more for malware protection than say “we have AV”
 - Utilize different AV solutions at different points in the network

Users and admins need to be aware of malware-ish activity and actively report it
 - Resource utilization, odd account activity, new/missing/altered files, odd connections, odd web activity such as redirects and pop-ups, odd email activity (especially sent items), etc.


Recommendations

So what do we do?
 - Heavy focus on consolidated security monitoring
 - Log more. Bring it together. Use it. Period.
 - “87% of victims had evidence of the breach in their log files, yet missed it.” (Verizon 2010 Data Breach Investigations Report)
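“Bring it together. Use it.” in working form, as an added example that is not from the original deck: three constructed log sources (authentication, web proxy, mail) are parsed into one event shape and joined per account, and the indicators the Custom Malware recommendations list (odd account activity, odd connections, odd sent-items activity) become three small rules whose findings stack up against the same user. The baseline of normal workstations, the users, hosts, addresses and log formats are all constructed for the illustration.

```python
"""Consolidated monitoring: correlate auth, proxy and mail logs per user and flag
the 'malware-ish' indicators from the slides. Added example, not from the original
presentation; the log formats, users, hosts and addresses are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed baseline: which workstations each account normally logs on from.
BASELINE_HOSTS = {"jdoe": {"WS-JDOE-01"}, "asmith": {"WS-ASMITH-02"}}

AUTH_LOG = """\
2014-05-18 08:02:11 auth user=jdoe src=WS-JDOE-01 result=success
2014-05-18 08:05:40 auth user=asmith src=WS-ASMITH-02 result=success
2014-05-18 11:47:03 auth user=jdoe src=SRV-FILE-09 result=success
2014-05-18 11:47:30 auth user=jdoe src=SRV-FILE-09 result=success
"""
PROXY_LOG = """\
2014-05-18 11:50:00 proxy user=jdoe dst=198.51.100.23:443 bytes=512
2014-05-18 11:55:00 proxy user=jdoe dst=198.51.100.23:443 bytes=498
2014-05-18 12:00:00 proxy user=jdoe dst=198.51.100.23:443 bytes=530
2014-05-18 12:05:00 proxy user=jdoe dst=198.51.100.23:443 bytes=501
2014-05-18 12:01:13 proxy user=asmith dst=203.0.113.8:443 bytes=18342
"""
MAIL_LOG = """\
2014-05-18 09:30:00 mail sender=asmith recipients=2 subject="lunch?"
2014-05-18 12:10:02 mail sender=jdoe recipients=41 subject="Invoice attached"
2014-05-18 12:10:05 mail sender=jdoe recipients=39 subject="Invoice attached"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """'<ts> <source> k=v k=v ...' -> dict; one common shape is what lets sources be joined."""
    timestamp = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    source, _, rest = line[20:].partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    return {"ts": timestamp, "source": source, **fields}


def unfamiliar_logons(events):
    """Odd account activity: a successful logon from a host the account never uses."""
    out = defaultdict(set)
    for e in events:
        if e["source"] == "auth" and e["result"] == "success":
            if e["src"] not in BASELINE_HOSTS.get(e["user"], set()):
                out[e["user"]].add(f"logon from unfamiliar host {e['src']}")
    return {u: sorted(r) for u, r in out.items()}


def beacons(events, min_hits=4, jitter=0.1):
    """Odd connections: repeated contact with one destination at a near-constant interval."""
    times = defaultdict(list)
    for e in events:
        if e["source"] == "proxy":
            times[(e["user"], e["dst"])].append(e["ts"])
    out = defaultdict(list)
    for (user, dst), seen in times.items():
        if len(seen) < min_hits:
            continue
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        if median > 0 and all(abs(g - median) <= jitter * median for g in gaps):
            out[user].append(f"beacon to {dst} every ~{int(median)}s ({len(seen)} hits)")
    return dict(out)


def mass_mail(events, window_s=300, max_recipients=50):
    """Odd email activity: one sender reaching too many recipients inside a short window."""
    per_sender = defaultdict(list)
    for e in events:
        if e["source"] == "mail":
            per_sender[e["sender"]].append((e["ts"], int(e["recipients"])))
    out = {}
    for sender, items in per_sender.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while (items[end][0] - items[start][0]).total_seconds() > window_s:
                start += 1
            total = sum(n for _, n in items[start:end + 1])
            if total > max_recipients:
                out[sender] = [f"{total} recipients in {window_s}s of sent mail"]
                break
    return out


def correlate(*logs):
    """Bring the sources together and attach every indicator to the account it concerns."""
    events = [parse(l) for log in logs for l in log.splitlines() if l.strip()]
    findings = defaultdict(list)
    for rule in (unfamiliar_logons, beacons, mass_mail):
        for user, reasons in rule(events).items():
            findings[user].extend(reasons)
    return dict(findings)


def triage(findings, min_indicators=2):
    """Accounts with several independent indicators go to the top of the queue."""
    return sorted(u for u, r in findings.items() if len(r) >= min_indicators)


if __name__ == "__main__":
    found = correlate(AUTH_LOG, PROXY_LOG, MAIL_LOG)
    for user in triage(found):
        print(user, "->", found[user])
```

Each rule on its own produces noise (admins log on to servers, software checks for updates on a timer, sales sends bulk mail); the value is in the join. Here jdoe trips all three inside an hour and rises to the top, while asmith, who appears in every source, does not. The same structure ports directly to a SIEM: a common event schema, per-source rules, and a per-entity score.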


Recommendations – Attacker Model

(Diagram; source: www.aicpa.org/fvs)


Recommendations – IR Models

(Diagram; source: www.aicpa.org/fvs)


Recommendations - IR

Plan for failure. Make your goal to fail gracefully and minimize damage.
 - Ensure that the business is ready to survive a failure or breach
 - Preventative controls WILL fail at some point

Comprehensive IR plans
 - Formal, preplanned, and exercised
 - Develop scenarios:
   • What if we want to prosecute?
   • What if we think sensitive data has been exposed? Customer data?
   • What if it can’t be contained? What if we can’t trust our own systems?
   • What if it got into our financial/accounting/reporting/payment systems?


Summary

Don’t Panic
 - Plan to fail, but plan to fail gracefully
 - Ability to know when a control has failed
 - Ability to recover quickly and with minimal damage

We’ve pointed out methods to bypass individual types of controls on a case by case basis
 - Consolidated, robust, defense-in-depth style controls are effective
 - Just because the attacker got into the network doesn’t mean they have “won”; the party just started
 - Do not become a “hacker snack”: hard and crunchy on the outside, soft and gooey in the middle
 - Every hoop you force the attacker to jump through is a chance for you to detect them… if you are watching
 - You don’t need to outrun the bear…


Questions? [email protected]


McGladrey LLP is the U.S. member of the RSM International (“RSMI”) network of independent accounting, tax and consulting firms. The member firms of RSMI collaborate to provide services to global clients, but are separate and distinct legal entities which cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party.

McGladrey, the McGladrey signature, The McGladrey Classic logo, The power of being understood, Power comes from being understood and Experience the power of being understood are trademarks of McGladrey LLP.


McGladrey LLP

One South Wacker Drive, Suite 800 Chicago, IL 60606

312.634.3400

www.mcgladrey.com

Mark Lanterman Computer Forensic Services

The Impact of Digital Evidence

Metadata is often described as

“data about data.”

This is metadata.

There are two components to any computer generated file or document:

1. the content of the document;
2. the layer of information about the data.

• Metadata may include a file’s name, size and creation/deletion date.
• It may also include the source of the data, its author, the time it took to create, whether others have viewed it, printed it, and so on.

• Allows compilation of critical timelines
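As an added worked example (not from the original presentation): the metadata layer of an Office document lives in the docProps/core.xml and docProps/app.xml parts of the .docx package, and reading those parts gives exactly the timeline material described above (author, who last saved it, revision count, editing minutes, created/modified/printed timestamps). The document below is built in memory from constructed values so the example runs offline; the contradiction it contains (a last-modified time earlier than the creation time) is deliberate, because such inconsistencies are what an examiner looks for first.

```python
"""Pull the metadata layer out of an Office document and turn it into a timeline.
Added example, not from the original presentation; the .docx is built in memory
from constructed values so that it runs offline."""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed core/app property parts; note that 'modified' is earlier than 'created'.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>J. Doe</dc:creator>
  <cp:lastModifiedBy>bookkeeper</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <cp:lastPrinted>2014-03-02T15:10:00Z</cp:lastPrinted>
  <dcterms:created xsi:type="dcterms:W3CDTF">2014-03-01T09:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2014-02-28T17:45:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{ep}"><Application>Microsoft Office Word</Application>
<TotalTime>3</TotalTime></Properties>""".format(**NS)


def build_sample_docx():
    """Minimal OOXML package: just enough parts for the metadata reader below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
    return buf.getvalue()


def w3cdtf(text):
    """Office stores timestamps as UTC W3C date-time strings."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_metadata(docx_bytes):
    """The 'layer of information about the data': authorship, revision and timestamps."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml"))
    meta = {
        "creator": core.findtext("dc:creator", namespaces=NS),
        "last_modified_by": core.findtext("cp:lastModifiedBy", namespaces=NS),
        "revision": int(core.findtext("cp:revision", default="0", namespaces=NS)),
        "edit_minutes": int(app.findtext("ep:TotalTime", default="0", namespaces=NS)),
    }
    for key, path in (("created", "dcterms:created"),
                      ("modified", "dcterms:modified"),
                      ("last_printed", "cp:lastPrinted")):
        text = core.findtext(path, namespaces=NS)
        meta[key] = w3cdtf(text) if text else None
    return meta


def timeline(meta):
    """Events in chronological order: the raw material for a case timeline."""
    return sorted((meta[k], k) for k in ("created", "modified", "last_printed") if meta[k])


def anomalies(meta):
    """Internal contradictions that point at clock changes, back-dating or a swapped file."""
    out = []
    if meta["created"] and meta["modified"] and meta["modified"] < meta["created"]:
        out.append("last modified precedes creation")
    if meta["created"] and meta["last_printed"] and meta["last_printed"] < meta["created"]:
        out.append("printed before it was created")
    if meta["revision"] > 1 and meta["edit_minutes"] == 0:
        out.append("multiple revisions but zero recorded editing time")
    return out


if __name__ == "__main__":
    meta = extract_metadata(build_sample_docx())
    for when, what in timeline(meta):
        print(when.isoformat(), what)
    print("anomalies:", anomalies(meta))
```

The document’s own timestamps are only one clock; a real timeline also takes the file-system timestamps, the mail or share logs that carried the file, and the ZIP entry dates inside the package, and looks for the same kind of disagreement between them. None of these fields is tamper-proof (all of it is plain XML), which is why the contradictions matter more than any single value.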

Fraudulent ACH
• $952,800 wire
• Romania
• RSA token
• Bookkeeper denies knowledge
• Bank uncooperative

Analysis
• No evidence of wire initiation
• Reviewing account balances only
• Zeus

Fraudulent ACH
• Federal law enforcement
• Romanian law enforcement
• Do-wrongers = sloppy paperwork

Track Data...

Marketplace

Questions & Comments

Mark Lanterman Computer Forensic Services 601 Carlson Parkway Suite 1250 Minnetonka, MN 55305 952.924.9920 [email protected] www.compforensics.com