Cyber security and Incident Response

Author: Helen Andrews
Cyber security and Incident Response Oliver Smith & Duncan Page

London School of Mines

What are we going to cover?

• Threat landscape
• Effective incident response
• An espionage case study

London School of Mines PwC

June 2015 Slide 2

The threat landscape


What are we being told?

“Business secrets are being stolen on an industrial scale” – Sir Iain Lobban, head of GCHQ

“Hackers are as likely to steal company information from law firms as they are from the company itself” – Jonathan Evans, Director General of MI5

Loss of IP through cyber attacks is “the greatest transfer of wealth in human history” – General Keith Alexander, Director of the NSA

The new digital trust ecosystem

“You’re more connected than ever before”

[Diagram: total business connectedness. Surrounding forces: Economic, Environmental, Technology. Connected parties: Industry/competitors, Suppliers, Customer, Consumer, Service providers, JV/Partners.]

• Everything is connected to everything else
• There are no borders any more
• Rapid systemic risks: fast knock-on effect when there is a failure; use of third parties, ‘the cloud’; risk to physical assets
• It’s not just about information
• Everything is being attacked
• It’s not if, it’s when… (clichés usually exist for a reason…)

Let’s try and quantify this…

[Figures shown on the slide, whose captions did not survive extraction: 90 %; £1.46m and £3.14m; 205 days]

Who is attacking you?

[Diagram pairing motive with threat actor, with insiders at the centre:]
• For the secrets – Espionage
• For the cause – Hacktivism
• For the damage – Terrorism / Sabotage
• For the money – Organised Crime
• Insiders

Targeted threat actors

We currently track over 100 targeted threat actors from various countries. These include groups sponsored directly by nation states as well as hackers-for-hire.

[Map of tracked actors by country:] China: 67; Iran: 8; Russia: 6; Korea: 4; India: 2; Syria: 2; Pakistan: 1; Spain: 1; Turkey: 1

Is it really happening?


Threat Intelligence – a global snapshot


Incident response


Effective incident response

Three components: threat intelligence; technical incident response; non-technical incident response & crisis management.

• Ability to determine what threat you are responding to?
• Ability to monitor full social media feeds for evidence of a breach leaking out?
• Ability to conduct investigative work under legal professional privilege?
• Ability to communicate out-of-band?
• Ability to reach into intelligence sources to identify further indicators related to what you have found?
• Ability to increase visibility of specific network segments or systems?
• Ability to rapidly create a steering committee with authority to act?

Effective incident response

What wave of compromise are you in?
• How long have the attackers been in an environment?
• How regularly do they access it?
• How deeply are they entrenched?
• How have you been communicating about remediation?
• Has data already been exfiltrated?

[Chart: duration of compromise (Day, Week, Month, Year) against remediation approach (Surgical Strike, Rolling Remediation, High Risk)]

Espionage case study


Espionage case study

Client informed by a government agency of a high-priority network intrusion…
… 3 days before Christmas
… and were given a single IP address.

Espionage case study: a global breach

[Map of affected countries:] UK, US, Turkey, Bahrain, Egypt, UAE, India, Malaysia, Japan, Indonesia, South Africa, Australia

Espionage case study: a day in the life of the attacker

[Network diagram: attacker domain xxxxme.org and IP 2XX.1XX.1XX.2XX (redacted on the slide); two WWW C2 servers; three domain controllers, DC (One), DC (Two) and DC (Three); workstations WS1 to WS6; a VPN and VPN Host1]

Espionage case study: a day in the life


Espionage case study: threat intelligence / APT infrastructure

Threat category: APT/Espionage
Monitored DNS names: 524
Monitored IP addresses: 107
Threat focus: targets a particular industry, government contracts.

Any questions?

“… there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Robert S. Mueller III, Director, FBI, March 2012
http://www.fbi.gov/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies

Oliver Smith [email protected]

Duncan Page [email protected]

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2015 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.