Cyber security and Incident Response
Oliver Smith & Duncan Page
London School of Mines
What are we going to cover?
• Threat landscape
• Effective incident response
• An espionage case study
London School of Mines PwC
June 2015 Slide 2
The threat landscape
What are we being told?
“Business secrets are being stolen on an industrial scale” Sir Iain Lobban, head of GCHQ
“Hackers are as likely to steal company information from law firms as they are from the company itself” Jonathan Evans, Director General of MI5
Loss of IP through cyber attacks is “the greatest transfer of wealth in human history” General Keith Alexander, Director of the NSA
The new digital trust ecosystem: “You’re more connected than ever before”
[Diagram: the organisation at the centre of an ecosystem of suppliers, service providers, customers, consumers, JV/partners and industry/competitors, surrounded by economic, environmental and technology drivers]
Total business connectedness
• Everything is connected to everything else
• There are no borders any more
Rapid systemic risks
• Fast knock-on effect when there is a failure
• Use of third parties, ‘the cloud’
Risk to physical assets
• It’s not just about information
Everything is being attacked
• It’s not if, it’s when… (clichés usually exist for a reason…)
Let’s try and quantify this…
[Figures on slide: 90%; £1.46m to £3.14m; 205 days]
Who is attacking you?
• Espionage: for the secrets
• Hacktivism: for the cause
• Terrorism / Sabotage: for the damage
• Organised Crime: for the money
• Insiders
Targeted threat actors
We currently track over 100 targeted threat actors from various countries. These include groups sponsored directly by nation states as well as hackers-for-hire.
Tracked actors by country: China: 67; Iran: 8; Russia: 6; Korea: 4; India: 2; Syria: 2; Turkey: 1; Spain: 1; Pakistan: 1
Is it really happening?
Threat Intelligence – a global snapshot
Incident response
Effective incident response
Three capability areas: threat intelligence; technical incident response; non-technical incident response & crisis management.
• Can you determine what threat you are responding to?
• Can you monitor full social media feeds for evidence of a breach leaking out?
• Can you conduct investigative work under legal professional privilege?
• Can you communicate out-of-band?
• Can you reach into intelligence sources to identify further indicators related to what you have found?
• Can you increase visibility of specific network segments or systems?
• Can you rapidly create a steering committee with authority to act?
Effective incident response: what wave of compromise are you in?
• How long have the attackers been in the environment?
• How regularly do they access it?
• How deeply are they entrenched?
• How have you been communicating about remediation?
• Has data already been exfiltrated?
[Chart: duration of compromise (day, week, month, year) against remediation approach, with the labels Surgical Strike, Rolling Remediation and High Risk]
Espionage case study
Espionage case study
Client informed by a government agency of a high priority network intrusion… 3 days before Christmas… and were given a single IP address.
Espionage case study: a global breach
[Map: countries affected: UK, US, Turkey, Bahrain, Egypt, UAE, India, Malaysia, Indonesia, Japan, South Africa, Australia]
Espionage case study: a day in the life of the attacker
[Diagram: attacker infrastructure (redacted domain xxxxme.org, redacted IP address 2XX.1XX.1XX.2XX, two WWW C2 servers), a VPN and VPN Host1, and the client estate of three domain controllers (DC One, DC Two, DC Three) and workstations WS1 to WS6]
Espionage case study: a day in the life
Espionage case study: threat intelligence / APT infrastructure
Threat category: APT/Espionage
Monitored DNS names: 524
Monitored IP addresses: 107
Threat focus: targets a particular industry, government contracts.
Any questions?
“… there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Robert S. Mueller III, Director, FBI, March 2012
http://www.fbi.gov/news/speeches/combating-threats-in-the-cyber-worldoutsmarting-terrorists-hackers-and-spies
Oliver Smith
[email protected]
Duncan Page
[email protected]
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. © 2015 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.