Anatomy of a Breach – Discussion
Marcus Lecuyer, Area Vice President, RSA Security – Canada
November 4, 2015

Agenda
• Observations
• Attack Methodology
• Managing a Breach
• Lessons Learned
• Best Practices
RSA CONFIDENTIAL—INTERNAL USE ONLY
2
How Do Breaches Occur?

Malicious Activities
• Hacking incidents / illegal access to databases containing personal data
• Theft of computer notebooks, data storage devices or paper records containing personal data
• Scams that trick organizations into releasing personal data of individuals

Human Error
• Loss of computer notebooks, data storage devices or paper records containing personal data
• Sending personal data to a wrong e-mail or physical address, or disclosing data to a wrong recipient
• Unauthorized access or disclosure of personal data by employees
• Improper disposal of personal data (e.g. hard disk, storage media or paper documents containing personal data sold or discarded before data is properly deleted)

Computer System Error
• Errors or bugs in the programming code of websites, databases and other software which may be exploited to gain access to personal data stored on computer systems
Observations: five breaches compared (Threat / Attack Method / Detection / Impact / Motive / Estimated Cost of Breach / Claim to Fame)

April 2011
• Threat: Nation State
• Attack Method: Spear Phishing, 3rd party Compromise, Zero Day, Malware, C2, Lateral Movement, Data Exfiltration
• Detection: Detected in flight
• Impact: Reputational, Financial
• Motive: Leverage RSA information as an access point to target DIB, Fed Gov, Manufacturing
• Estimated Cost of Breach: $66M
• Claim to Fame: Most sophisticated attack in history

December 2013
• Threat: Organized Crime
• Attack Method: Spear Phishing, 3rd party Compromise, Zero Day Vuln, C2, Lateral Movement, Data Exfiltration
• Detection: Undetected – Brian Krebs broke the news
• Impact: Executives Fired, Financial
• Motive: Financial Gain
• Estimated Cost of Breach: $1 Billion
• Claim to Fame: Largest cache of stolen CC’s in history

November 2014
• Threat: Nation State / Insider?
• Attack Method: 3rd party Compromise, Zero Day Vuln, C2, Lateral Movement, Data Exfiltration / destruction
• Detection: Undetected – Actor left a message
• Impact: Executives Fired, Financial, Reputational
• Motive: Response to disgruntled Nation or Employees
• Estimated Cost of Breach: $38M–$1B
• Claim to Fame: Data destruction

June 2015
• Threat: Nation State
• Attack Method: Zero Day Vuln, C2, Lateral Movement, Data Exfiltration
• Detection: Detected after 11 months
• Impact: Executives Fired, Reputational, Financial
• Motive: Nation state compiling database of US personnel & intelligence operatives
• Estimated Cost of Breach: $338M & up
• Claim to Fame: Largest breach of personal data in history

July 2015
• Threat: Hacktivist
• Attack Method: TBD – Insider knowledge
• Detection: Undetected – Actor hosted an interview
• Impact: Executives Fired, Reputational, Financial
• Motive: Morally outraged about the dating service
• Estimated Cost of Breach: TBD – could be their business / IPO for $200M
• Claim to Fame: Wow!
Online Trust Alliance Guide to Data Protection & Breach Readiness (2013)
• 2,644 Breaches Studied
• 267 Million Records
• $5.5M cost per Breach
• $194 cost per Record
• 99% of records lost due to external hacking
• 97% of data breach incidents were avoidable
• Perpetrators – 85% outsiders – 12% insiders – 3% partners

Verizon Data Breach Report 2014 Highlights
• 1,367 Breaches Studied
• Breach vector – Web App 35% – Cyber-espionage 22% – POS Intrusions 14% – Card skimmers 9%
• Threat actions – Stolen Credentials 15% – Export Data 11% – Phishing 9% – RAM Scraper 8% – Backdoor 6%

Verizon Data Breach Report 2015 Highlights
• 2,122 Breaches Studied
• 170 Million Malware Events – 70+% of malware samples are unique to an organization
• Breach vector – POS Intrusions 28.5% – Crimeware 18.8% – Cyber Espionage 18% – Insider 10.6% – Web App 9.4% – Physical Theft 3.3% – Payment card Skimmers 3.1%
• Cyber Espionage – 20.2% is focused on the Professional Firms
The Adversary

Nation State Actors
• Nation states – Government, defense contractors, IP rich organizations, waterholes

Criminals
• Petty criminals – Unsophisticated, but noisy
• Organized crime – Organized, sophisticated supply chains (PII, PCI, financial services, retail)

Non-State Actors
• Insiders – Various reasons, including collaboration with the enemy
• Cyber-terrorists / Hacktivists – Political targets of opportunity, mass disruption, mercenary
Understanding the Threat: Attack Lifecycle

Recon → Weaponization → Delivery → Exploitation → Installation → C2 → Act on Objectives

• 7-phase model for how an adversary engages a victim
• Any disruption in the chain will impact their actions
• Human intervention is often required for success and failure
• All seven steps can be detected, prevented, or minimized

Note / Attribution: ‘Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains’; Hutchins, Cloppert, Amin, Lockheed Martin CIRT; Proceedings of the 6th International Conference on Information Warfare, 2011
The Cyber Kill Chain – Sophisticated Attacks

[Figure: timeline of a sophisticated attack. Stages: 1 System Intrusion (targeted, specific objective); 2 Stealthy, low and slow (cover-up, discovery, leap-frog attacks); 3 Interactive human involvement (cover-up complete). Along the time axis: Attack Begins → Dwell Time → Attack Identified → Response Time → Response. Two defensive goals are marked: 1 Decrease Dwell Time; 2 Speed Response Time.]
Objective: Affect the Attack Lifecycle

[Figure: course-of-action matrix. Columns are the attack lifecycle phases Reconnaissance, Weaponize, Delivery, Exploitation, Installation, C2, Action; rows are the defensive actions Detect, Deny, Disrupt, Degrade, Deceive. Checkmarks show which action applies at which phase; the individual cell values did not survive extraction.]
In the Fog of War – What Do We Do?

• Elect a Breach Management Team
  – Ensure a clear command and reporting structure of key employees who would take charge and make time-critical decisions on steps to be taken to contain the breach and manage the incident
  – This team should be sworn in and be made up of key people that represent core functions of your business (Security, IT, Finance, Legal, HR…)
• Engage a trusted source to assist in the Incident Response (IR) activities
  – Network / endpoint forensics to understand the scope of the incident
  – Who, impact, root cause, remediation steps…
• Develop a communication plan (if required) which might include outside PR & counsel
  – This is for both internal (employees) and external (public) communication
• Develop a technology roadmap & financial plan to close the capability gaps in the security defense strategy
  – In order to be successful here, the ROOT CAUSE is the most important input
Security Practices – Critical Checklist

Business Risk Assessment
• Identify most critical systems; ensure they are given the highest priorities for all hardening and monitoring activities

Active Directory Hardening
• Minimize number of admins
• Monitoring and alerting (Windows Event ID #566)
• Two-factor admin access from hardened VDI platform
• Executable whitelisting on hardened DCs
• Disable default account and rename key accounts
• Complex passwords (9 & 15 char)

Infrastructure & Logging
• Full and detailed logging & analysis
• Tighten VPN controls
• Increase controls on crypto keys
• Full packet capture at strategic network locations
• Network segmentation
• Team trained and focused on APT activity

Service Accounts
• Review accounts for privilege creep
• Change passwords frequently
• Do not embed credentials into scripts
• Minimize interactive login
• Restrict login only from required hosts

Web Access
• Block access to high-risk web filter categories
• Click-through on medium-risk websites
• Black-hole dynamic DNS domains
• Authenticated internet access
• DNS traffic analysis

User Education
• Increase security training for IT
• Launch security improvement initiative
• Regular education of users on phishing attacks
• Regular education on social engineering
• Increase mail filtering controls

User Machine Hardening
• Limit local admin and randomize the password; change it often
• Increase patching regime
• Enable security controls in applications
• Deep visibility to identify lateral movement
• Limit use of non-authorized and unapproved software
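One way to turn the service-account items of the checklist ("minimize interactive login", "restrict login only from required hosts") into a concrete detection check, as an added example that is not part of the original deck: the logon events are constructed dicts carrying the fields of Windows Security Event ID 4624 that matter here, and the account-to-host allow-list is a hypothetical policy for a fictional domain.

```python
"""Flag service-account logons that violate the checklist items above.

Added example, not from the original slides. SAMPLE_EVENTS are constructed
dicts with the relevant fields of a Windows Security Event ID 4624
(successful logon); SERVICE_ACCOUNT_HOSTS is a hypothetical policy.
"""

# Logon types that mean a human is at a console or RDP session. Service
# accounts are expected to log on as type 5 (Service) or 4 (Batch) instead.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}  # Interactive, RemoteInteractive, CachedInteractive

# Hypothetical policy: each service account and the only hosts it may log on from.
SERVICE_ACCOUNT_HOSTS = {
    "svc_backup": {"BKP01", "BKP02"},
    "svc_sql": {"SQL01"},
}


def check_logon(event):
    """Return findings for one logon event; an empty list means compliant."""
    if event.get("EventID") != 4624:
        return []                      # only successful logons are in scope
    user = event["TargetUserName"].lower()
    allowed_hosts = SERVICE_ACCOUNT_HOSTS.get(user)
    if allowed_hosts is None:
        return []                      # ordinary user accounts are not checked here
    host = event["WorkstationName"].upper()
    findings = []
    if host not in allowed_hosts:
        findings.append(f"{user}: logon from non-approved host {host}")
    if event["LogonType"] in INTERACTIVE_LOGON_TYPES:
        findings.append(f"{user}: interactive logon (type {event['LogonType']}) on {host}")
    return findings


def audit(events):
    """Run check_logon over a batch of events and collect every finding."""
    return [finding for event in events for finding in check_logon(event)]


# Constructed sample: a compliant service logon, a violation (the backup
# account used over RDP from an admin workstation), an out-of-scope user
# logon, and a logoff event (4634) that is ignored.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 5, "WorkstationName": "BKP01"},
    {"EventID": 4624, "TargetUserName": "SVC_BACKUP", "LogonType": 10, "WorkstationName": "admin-ws7"},
    {"EventID": 4624, "TargetUserName": "svc_sql", "LogonType": 3, "WorkstationName": "SQL01"},
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 2, "WorkstationName": "WS42"},
    {"EventID": 4634, "TargetUserName": "svc_sql", "LogonType": 3, "WorkstationName": "SQL01"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The same structure extends to the "minimize number of admins" item by feeding it group-membership events rather than logons; the host and logon-type checks above are the two the deck calls out for service accounts.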
How Can You Achieve Success? Be Methodical

• Develop a Breach Management Plan
  – Not just incident response
  – Transcends IT & IT Security
    ▪ Must involve Operations, Finance, Risk, and Legal
• People & Process Are King
  ▪ This will enable effective measurement and discipline
• Technology Is a Necessary Foundation
  – Real-time visibility is fundamental
    ▪ Without this, you will not be able to disrupt the attack lifecycle
Security Best Practices: Critical Checklist
“There are only two types of companies—those that know they’ve been compromised, and those that don’t know. If you have anything that may be valuable to a competitor, you will be targeted, and almost certainly compromised.”

– Dmitri Alperovitch, Threat Research Analyst; discovered Operation Shady Rat (Remote Access Tool)
EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.