Port of seattle security presentation david morris
- 1. Cyber Security Threats and What you can do
- 2. Agenda • Threat History • Current Threats • Breakdown of a Common Attack • What you can do – Incident Response – Resources Available
- 3. CTS Security Operations Center Provides centralized information sharing, monitoring, and analysis of Washington State security posture while mitigating risk and minimizing incident exposure. •Alerting •Risk Analysis •Incident Response •Vulnerability Management •Education and Awareness Awareness Test: http://www.youtube.com/watch?v=oSQJP40PcGI
- 4. Cyber Security in the News
- 5. 1999 Threat - Melissa • Sent copies of an infected Word Document to up to 50 people • No damage to computers or files • Overwhelmed Mail Servers http://www.cert.org/advisories/CA-1999-04.htm
- 6. 2003 Threat – Slammer • SQL Server Stack buffer overflow vulnerability • Code execution at System user level http://www.cert.org/advisories/CA-2003-04.htm
- 7. 2008 Threat – Conficker • Windows server service vulnerability • Multiple variants • Quickly took over millions of computers • Disabled windows services • Locked out users
- 8. Today’s Threats Persistent •44% increase in breach incidents 2010-11 across multiple verticals (Source: Poneman Institute, 2011) Sophisticated •Use of advanced techniques and tactics points to growing nation-state sponsorship and resourcing Targeted •Shift to targeting of commercial sectors and government supply-chain providers •Larger attack plane •Consumerization of IT with pervasive use of social media, mobile devices , big data and cloud infrastructures
- 9. What I see at WA State Reporting Period: 1Q 2013
- 10. What I deal with Reporting Period: 3/1/13 – 3/15/13 • Web Site Defacement by Turkish Muslim Group • Attempted breach of VPN account • Multiple workstations attempting to communicate to Zeus command and control servers • Web server participating in DDoS attack against foreign national • Multiple workstations attempting to communicate to Zero Access command and control servers • Web site content management server software exploited • Anomalous traffic at agency firewall indicating insider threat • Open mail relay detected • Multiple SQL injection attempts of web application • Penetration test erroneously configured causing alerts
- 11. Advanced Persistent Threats Sophisticated attacks and well resourced adversaries Nation State Actors Cyber Criminals Open Source Intelligence Collection Foreign Nationals Black Markets Non-Nation State Sub Contractors Supply Chain Tampering Third Countries The Age of the APT
- 12. Phishing emails A member of your staff receives a phishing email which may be personalized to attract their interest. Common Attack
- 13. Drive-by download The employee clicks on the link and gets infected by Trojan from drive-by download.
- 14. Adversary uses machine to gain access to internal network systems Trojan installs backdoor which allows reverse connection to infected machine Hacker dumps password hash and gains access to a critical server via RDP. RDP
- 15. Data ex-filtration Attacker encrypts sensitive files found on the critical server and transfers out data
- 16. Phishing emails Attack Anatomy Discovery of Company email Addresses Jigsaw Come up with a Scenario OWA Upgrade Security Alert Build Phishing Message Save .html file locally Use a kit such as SET Set up a real temporary domain Monitor effectiveness with scripts Discovery of Company email Addresses Jigsaw Come up with a Scenario OWA Upgrade Security Alert Build Phishing Message Save .html file locally Use a kit such as SET Set up a real temporary domain Monitor effectiveness with scripts
- 17. Drive-by download Packing utilities / Metasploit / Backtrack Alternately, purchase a SDK and sign the executable so that it is trusted Test the executable or payload with free Antivirus packages Microsoft Security Essentials AVG Await acknowledgement response from machine Packing utilities / Metasploit / Backtrack Alternately, purchase a SDK and sign the executable so that it is trusted Test the executable or payload with free Antivirus packages Microsoft Security Essentials AVG Await acknowledgement response from machine
- 18. Adversary uses machine to gain access to internal network systems RDP Passwords enumerated and cracked Mapping of other network devices Active directory queries Access attempts with credentials Passwords enumerated and cracked Mapping of other network devices Active directory queries Access attempts with credentials
- 19. Data ex-filtration Data is compressed Data is encrypted and sent over a common port such as 80 or 443 Transmission is rate-limited to avoid detection Data is used for criminal purposes or to damage reputation Data is compressed Data is encrypted and sent over a common port such as 80 or 443 Transmission is rate-limited to avoid detection Data is used for criminal purposes or to damage reputation
- 20. Recommendations 1. Build a strong security foundation 2. Have an Incident Response Plan ready 3. Know who to call
- 21. Build a Security Foundation • SANS Top 20 Controls • Australia DOD Mitigations • NIST Guidelines
- 22. Develop Incident Response Mechanisms • Have a plan – NIST 800-61.2 • Know the priority of your assets • Exercise your plan – 15 minute tabletops – Functional exercise every 6 months • Recognize that you will not be able to contain the incident yourself in many cases
- 23. Establish Partnerships • MS-ISAC – Forensic Analysis – Log Analysis – Malware reverse engineering and disassembly – Vulnerability Scanning (Application and Host) • FBI Cyber Task Force (CTF) – Incident Response – Threat assessment – Information Sharing • EMD – Significant Cyber Event Response
- 24. Questions
Editor's Notes
- #12: Key Takeaways CIRC, SOC and SIEM are not always interchangeable terms. In some organizations their responsibilities are different and distinct. ***************************** To address APTs the security organization is faced with some growing and changing responsibilities. First and foremost, the need for a CIRC capability has become evident in many organizations. Responsibilities include the need to be able to identify anomalies, predict attacks and respond to incidents. This drives a need for additional intelligence. Traditional SOC responsibilities have included security help desk capabilities and the day-to-day administration of key technical controls including firewall, VPNs, access controls, AV, etc.. Another key capability includes SIEM. This is where many of the reports and alerts that are so important to the CIRC originate. Click: What does all this mean for you sitting here today? It means different stakeholders may have new and different needs but a unified strategy is needed to deal with new threats. Click: Traditional responsibilities across the board are undergoing review. This more than just updating technical responsibilities and controls. This requires updating our Business and Operations models to deal with new Enterprise dimensions.
- #13: The first step in this attack was phishing, or more accurately “spear phishing,” meaning that the attack targets specific people .
- #14: Zero-Day attack in this case was launched when one user opened the email . The zero day then installed a backdoor (variant of the POISON IVY remote access Trojan) which then immediately set about reconnaissance and cultivation. It’s important to note as well that the attacker was creating layers of resilience and was making maximum use of the window of exposure.
- #15: The zero day then installs a backdoor which then immediately sets about reconnaissance and cultivation. During this time, the attacker can creating layers of resilience and was making maximum use of the window of exposure.
- #16: The attacker encrypts sensitive files found on the critical server and transfers out via an FTP These attacks are focused and coherent: the timing is choreographed and the attacker moves rapidly and unerringly. They know what to get and the order to get items in. This type of attack can take months or perhaps years of preparation prior to staging the attack itself. It reflects an ability to move with exacting precision.
- #17: The first step in this attack was phishing, or more accurately “spear phishing,” meaning that the attack targets specific people .
- #18: Zero-Day attack in this case was launched when one user opened the email . The zero day then installed a backdoor (variant of the POISON IVY remote access Trojan) which then immediately set about reconnaissance and cultivation. It’s important to note as well that the attacker was creating layers of resilience and was making maximum use of the window of exposure.
- #19: The zero day then installs a backdoor which then immediately sets about reconnaissance and cultivation. During this time, the attacker can creating layers of resilience and was making maximum use of the window of exposure.
- #20: The attacker encrypts sensitive files found on the critical server and transfers out via an FTP These attacks are focused and coherent: the timing is choreographed and the attacker moves rapidly and unerringly. They know what to get and the order to get items in. This type of attack can take months or perhaps years of preparation prior to staging the attack itself. It reflects an ability to move with exacting precision.