targeted intrusion


Upload: sorley

Post on 26-Feb-2016


TRANSCRIPT

Page 1: Targeted intrusion

Targeted intrusion

Reconnaissance

Exfiltration

Command and control

Data collection and staging

You’ve been hacked!

Page 2: Targeted intrusion

The OWASP Foundation http://www.owasp.org

What the Board & Chief Executives Need to Know

Tim Scully

The Cyber Threat, Trophy Information & the Fortress Mentality

Page 3: Targeted intrusion

You’ve been hacked!

Penetration testing (“AVA”, “Red Teaming”, “Black Box Hack”, “Ethical Hacking”…)

• Legal (with CEO’s permission)
• Specify trophy information
• Use only publicly known vulnerabilities
• No physical security breaches
• No unethical action
• No “special” capability
• No artificial constraints

If this can be done repeatedly without being detected while our hands are tied, what can real hackers with real capability do without these constraints?

100% success in stealing the trophy information!

Page 4: Targeted intrusion

The ‘new reality’ – a pervasive & persistent cyber threat

February 2012. VeriSign was “hacked repeatedly by outsiders who stole undisclosed information from the leading internet infrastructure company” in 2010. (smh.com.au) “security breaches … were not sufficiently reported to management” – Verisign SEC Filing

March 2011. RSA compromised by an “Advanced Persistent Threat”, stealing data related to the SecurID authentication system. “It is likely that RSA growth will remain a bit slower as remediation efforts continue” - David Goulden, EMC CFO

May 2011. Lockheed Martin was hit with a “significant and tenacious” cyber attack, using the breached RSA SecurID authentication data. "The fact is, in this new reality, we are a frequent target of adversaries around the world." - Sondra Barbour, CIO

April 2011. Dell Australia’s customer data was compromised during a breach of US-based e-mail service provider Epsilon. (Also affected Barclays Bank, Citigroup, JPMorgan Chase, Visa, Marriott International, Kraft, Tivo and others.)

“China-based hackers looking to derail the $40 billion acquisition of the world’s largest potash producer by an Australian mining giant zeroed in on offices on Toronto’s Bay Street, home of the Canadian law firms handling the deal.” - Bloomberg

Stuxnet, Duqu, Flame?

Page 5: Targeted intrusion

How senior executives see the cyber threat & their preparedness

What they said about the threat…

Conundrum:
• “The cyber threat is a growing menace”
• “Threat actors’ innovation is faster than industry’s”
• “Targeted exploitation of their network would affect competitiveness”

Reality:
• Yet… only a minority say the current risk of targeted cyber exploitation is high!
• They will not publicly admit their organisation’s inability to fight off cyber intruders

What they said about their preparedness…

Conundrum:
• “We are well equipped to prevent such attacks”
• “We’ve got AV, firewalls, IDS, IPS…”

Reality:
• But they are vague about their actual defences
• But… “we (and Govt) should do more on cyber security”

“It won’t happen to me!”

Page 6: Targeted intrusion

But it will happen to you… targeted cyber intrusion

Any organisation whose Internet-connected network has information of value to a sophisticated cyber threat actor is likely already compromised

Attackers cannot be kept ‘on the outside’; everything on the inside is not secure

“To defend everything is to defend nothing” – Frederick the Great

Page 7: Targeted intrusion

Techie Mindset

• Trophy information?

• Deal with threats in isolation

• Poor upward communication

It’s all in the mind!

Boundary Protection Mindset

• Anti-virus, firewalls

• IDS, IPS, ‘magic’ box, set & forget

• System-centric

Compliance Mindset

• Box ticking (“We're compliant!”)

• Audit, not assessment

• Perpetuates boundary mindset

Executive Mindset

Page 8: Targeted intrusion

The Consequence… “Fortress Mentality”

Page 9: Targeted intrusion

OWASP Purpose: Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.

The threat…capability & intent

Page 10: Targeted intrusion

What (or who) is the Advanced Persistent Threat?

To find this document, Google “cyber mitigation”

“Over 85% of the targeted cyber intrusions that DSD responded to in 2010 could have been prevented by applying only the first four of the 35 recommended mitigation strategies.”

Page 11: Targeted intrusion

What does an APT look like?

Threat

• Capability + Intent

• Strategic Goals

• Multi-source Collection Plan

• Multi-agency Coordination

Advanced

• Sophisticated

• Agile, adaptive, innovative

• Full spectrum TTPs

• Off the shelf + tailor-made

Persistent

• Not opportunistic

• Clandestine

• Varied tempo, dwell time

• Works to a tactical plan

If they are detected by traditional measures, are they really an APT, or were they meant to be detected?

Page 12: Targeted intrusion

What can we do about it? Levels of security…

Level 1: meet due diligence & compliance needs only
• Most basic “housekeeping” measures
• Reduce opportunity to intrude (i.e. reduce your “target surface”)
• Measures should include: Patch Control, Vulnerability Management, Privilege Management, Change & Configuration Control Management, Intrusion Detection/Prevention
• Are they good enough to detect a targeted intrusion?

Level 2: more investment to protect info beyond basic compliance
• Increased risks need more sophisticated measures
• More continuous monitoring of network data flow
• Measures should include: Security Information and Event Management, Data Segregation, Whitelisting, Exception Monitoring, Application and Network Penetration Testing
• Should consider managed security service

Page 13: Targeted intrusion

What can we do about it? Levels of security…

Level 3: when consequences of targeted cyber intrusions are serious or catastrophic for operational effectiveness, competitiveness, reputation or the national interest
• Detect, isolate, monitor and terminate cyber threats
• Includes “low probability, high consequence” events
• Owners and operators of critical infrastructure systems should seriously consider these measures
• Systematic approach to cyber intrusion management
• Backed by highly skilled cyber security analysts and practitioners with continual visibility of network data flow
• Measures should include:
  • Whole of enterprise data collection system (“data probes”)
  • Data leak prevention
  • Database activity monitoring
  • Data analytics
  • Cyber event investigation
  • More…

Page 14: Targeted intrusion

The Board owns this risk

A cyber security breach is no longer an IT problem. It is a problem for the Board. It may:
• cause significant reputational damage
• damage share price
• compromise strategic negotiations or transactions
• provide an opportunity for a class action
• result in market disclosures and compliance breaches
• undermine years of R&D
• sabotage critical systems

“security breaches … were not sufficiently reported to management” – Verisign SEC Filing

“It is likely that RSA growth will remain a bit slower as remediation efforts continue” - David Goulden, EMC CFO

“China-based hackers looking to derail the $40 billion acquisition… zeroed in on the law firms handling the deal” – Bloomberg re Potash Corp.

Page 15: Targeted intrusion

Principles for Cyber Security

The advantage is with the aggressor
• Advanced, persistent response
• Make it harder & more risky

National cyber security will leverage all available capabilities
• Government, industry, academia
• International partnerships
• Strong leadership, sharing & trust

Resilience through real defence-in-depth
• No fortress mentality
• Know your trophy info & protect it

Technical prowess is not enough
• Accountability at senior levels
• Holistic policy, sound governance
• Adequate resourcing & comms

Our behaviour is our weakest link

Page 16: Targeted intrusion

Cyber Warfare?

Tim Scully [email protected]

The Economist 7 May 2009