Defending against Cyber Attacks MICHAEL DOCKERY CHRIS BEAL PAUL HOWELL Security & Privacy Track June 24, 2015 2015 AMC Privacy & Security Conference


Page 1

Defending against Cyber Attacks

Michael Dockery
Chris Beal
Paul Howell

Security & Privacy Track, June 24, 2015
2015 AMC Privacy & Security Conference

Page 2

In the News

© 2015 MCNC – General Use v1.0

Page 3

Healthcare Data Breaches

Source (April 2015): https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf

• 25% increase in healthcare data breaches in 2014, 2% higher than the rate across all industries
• Majority caused by human error and lost or stolen devices
  - 44% of healthcare breaches due to lost or stolen devices
  - Accidental disclosure due to human error up 11% in 2014
• Targeting of patient medical info an increasing issue
  - Breaches resulting from targeted attacks up 82% in 2014
  - Breaches resulting from insider theft nearly doubled in 2014

Page 4

Why Are Attackers Interested In Healthcare Targets?

• Medical data sets tend to be more complete compared to what can be obtained elsewhere
  - Government ID, bank and credit card info, insurance info, physical descriptors, health status
  - Can be used for ID theft, financial fraud, prescription fraud, obtaining passports, visas or other ID
• Translates to higher value for attackers
  - Credit card numbers may fetch from $0.50 to $1.00
  - ID and insurance info worth up to $10 or as high as $50 depending on completeness of the record

Source: https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf

Page 5

Healthcare Data Breaches

Source (April 2015): https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf

Page 6

Why's It Getting Tougher?

Threats Have Evolved

Attackers Are Smarter & More Efficient

Users are More Mobile (BYOD)

Data Is More Distributed

Everything is Interconnected

Short Supply

Motivations Are Focused on Near-Term

Page 7

R & E Networks Not Immune

Page 8

Page 9

Questions for Panel

• What do you think is the most significant cyber threat facing healthcare today?
• Outline a strategy for defending against cyber attacks.
• Determine what his/her organization can do to improve its security posture against cyber attacks.

Page 10

Simple DDoS Attack

Page 11

Man in the Middle Attack

Page 12

DDoS Bandwidth Use

Source: Arbor Networks

Page 13

Multi-Vector and Adaptive

Source: Corero Network Security

Page 14

Defenses

• Watch what's happening on the network.
• Know which systems depend on external Internet access.
• Get an alternative to email.
• Secure your teleconferences. Send your conference passcode securely, not in the body of your calendar invite.
• Be ready for total shutdown, if necessary.
• Ask your ISP about their capabilities.
• Consider mitigation such as scrubbing services.
• For very large attacks, consider contacting a DDoS mitigation company.

Page 15

Defenses

• US-CERT Alert TA15-120A, Securing End-to-End Communications
  - Employing multiple network and browser protection methods forces an attacker to develop different tactics, techniques, and procedures to circumvent the new security configuration.
• Use VPNs and HTTPS
• Prepare your people for these advanced attacks by educating them on the dynamics, patterns, samples and frequency of attack methods attempted on other organizations.

Page 16

SIEM and Endpoint Failures Due to Inability to Detect Malware

Mine for Windows Codes Indicative of Malware

1. Implement Malware Cheat Sheet Logging Recommendations
   - Be prepared for an incident and have logs available
2. Focus on codes that are indicative of malware (see Michael Gough's tutorials and slide shares)
   - Monitor CMD.EXE usage
   - Process Create: 4688
   - File/Registry Auditing: 4663
   - Service Changed: 4070
   - User Login Success: 4624
   - Share Accessed: 5140
3. Use analytics where possible to look for indicators of partner compromise.
4. Remove admin and ban email usage/internet access using admin credentials
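As an added example that is not part of the slides, this Python script triages Windows Security-log records against the event IDs the slide lists and flags cmd.exe launches, marking those spawned by something other than the interactive shell for review. The records, their simplified key=value layout, the account/host names and the explorer.exe heuristic are constructed assumptions for illustration.

```python
"""Triage constructed Windows Security-log records against the event IDs the
slide lists (4688, 4663, 4070, 4624, 5140) and flag CMD.EXE usage. Added
example, not from the presentation; the records below are constructed."""
from collections import Counter

# Event IDs as listed on the slide, with the slide's label for each.
WATCHED_EVENT_IDS = {
    4688: "Process Create",
    4663: "File/Registry Auditing",
    4070: "Service Changed",
    4624: "User Login Success",
    5140: "Share Accessed",
}

# Constructed sample records in simplified key=value form (no spaces in values).
SAMPLE_LOG = """\
EventID=4624 Account=jdoe LogonType=2 Host=WS01
EventID=4688 Account=jdoe NewProcessName=C:\\Windows\\System32\\cmd.exe ParentProcessName=C:\\Windows\\explorer.exe Host=WS01
EventID=4688 Account=jdoe NewProcessName=C:\\Windows\\System32\\cmd.exe ParentProcessName=C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe Host=WS01
EventID=4663 Account=jdoe ObjectName=C:\\Users\\jdoe\\Documents\\patients.xlsx AccessMask=0x2 Host=WS01
EventID=5140 Account=jdoe ShareName=\\\\*\\FINANCE Host=FS01
EventID=4672 Account=jdoe Host=WS01
"""

def parse_record(line):
    """Turn 'Key=Value Key=Value ...' into a dict; EventID becomes an int."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["EventID"] = int(fields["EventID"])
    return fields


def triage(log_text):
    """Count watched events and list each cmd.exe launch seen in a 4688 record.
    A cmd.exe whose parent is not explorer.exe (the interactive shell) is marked
    for review: a program spawning a shell is what 'Monitor CMD.EXE usage' targets."""
    counts, cmd_usage, ignored = Counter(), [], 0
    for line in log_text.splitlines():
        rec = parse_record(line)
        label = WATCHED_EVENT_IDS.get(rec["EventID"])
        if label is None:
            ignored += 1  # not on the slide's list; left to other rules
            continue
        counts[label] += 1
        if label == "Process Create" and rec["NewProcessName"].lower().endswith("\\cmd.exe"):
            parent = rec.get("ParentProcessName", "")
            cmd_usage.append({"account": rec.get("Account"), "host": rec.get("Host"),
                              "parent": parent,
                              "review": not parent.lower().endswith("\\explorer.exe")})
    return {"counts": counts, "cmd_usage": cmd_usage, "ignored": ignored}
```

Running `triage(SAMPLE_LOG)` on the constructed records counts one logon, two process creates, one file access and one share access, ignores the unlisted 4672, and marks only the cmd.exe spawned from the Temp-directory executable for review.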

Page 17

Analytics You May Already Have

Malicious Links from Partners (Source: Proofpoint)

Page 18

Email Malicious Links Sorted for a Year by Partner (Source: Proofpoint)

Page 19

Individual Partner Threat Report: Malicious Links (Source: Proofpoint)

Page 20

Panel Questions

• What is working right now in Cyber Defense and what is broken?

• What are your “go to” resources which are giving you an edge?

• Any magic bullets?

Page 21

Where To Begin?

Page 22

The Critical Security Controls: What Are They?

• A ready-made list of the things you should be thinking about and doing to protect your assets. This is your map!
• While not a replacement for a formal Risk Management program or framework, you can consider the controls as a "foundational risk assessment": a starting point for immediate, high-value action that is demonstrably consistent with formal risk assessment frameworks.
• Not a one-size-fits-all solution. You still need to understand what's important to your business and your specific threat environment, and develop a plan for assessment, implementation, and ongoing management.

Page 23

5 Critical Tenets of an Effective Cyber Defense System

① Offense Informs Defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.

② Prioritization: Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented in your computing environment.

③ Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.

④ Continuous Diagnosis and Mitigation: Carry out continuous measurement to test and validate the effectiveness of current security measures, and to help drive the priority of next steps.

⑤ Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics.

Page 24

The Critical Security Controls

Page 25

Example – CSC 5: Malware Defenses

What? Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

Why? Malware is pervasive and used in the majority of modern attacks and data breaches to compromise systems and account credentials.

Page 26

Example – CSC 5: Malware Defenses

ID # | Description | Category
CSC 5-1 | Use automated tools such as anti-virus, anti-spyware, host-based firewalls, and host-based IPS to continuously monitor systems for indicators of malware. | Quick Win
CSC 5-2 | Use anti-malware software that offers remote, cloud-based centralized management infrastructure to share intelligence and update managed systems. | Quick Win
CSC 5-3 | Disable "auto-run" feature for removable media and network shares. | Quick Win
CSC 5-4 | Automatically scan removable media for malware upon connection to a system. | Quick Win
CSC 5-5 | Scan all email and block messages containing malicious content. | Quick Win
CSC 5-6 | Enable features such as DEP, ASLR, containerization, etc. | Quick Win
CSC 5-7 | Limit use of external devices to only where it is required. | Quick Win
CSC 5-8 | Ensure that automated monitoring tools use behavior-based anomaly detection in addition to signature-based detection. | Visibility
CSC 5-9 | Use network-based malware scanning tools to detect and filter network traffic. | Visibility
CSC 5-10 | Implement IR process to collect malware samples found to be running that were not caught by existing malware defenses. | Advanced
CSC 5-11 | Enable DNS query logging to detect lookups for known bad sites. | Advanced

Page 27

First Five Quick Wins

① Application Whitelisting (CSC 2)
② Use of Standard, Secure System Configurations (CSC 3)
③ Patch Application Software Within 48 Hours (CSC 4)
④ Patch System Software Within 48 Hours (CSC 4)
⑤ Reduce Number of Users With Administrative Privileges (CSC 3, CSC 12)

Page 28

The Top 4 Strategies

① Application Whitelisting: Explicitly define the applications that are allowed to run on a system
② Patch Applications: Keep applications updated
③ Patch the Operating System: Keep the OS and core components updated
④ Minimize Administrative Privileges: Limit the power that users have on systems and what they are allowed to change

http://www.asd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm

Page 29

Resources

• http://www.cisecurity.org/documents/CSC-MASTER-VER5.1-10.7.2014.pdf
• Spotting the Adversary with Windows Event Log Monitoring, TSA-13-1004-SG, NSA/CSS Information Assurance Service: https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf
• Windows Logging Cheat Sheet: http://www.slideshare.net/Hackerhurricane/windows-logging-cheat-sheet-v11?related=4
• Michael Gough's Logging Slides, Slideshare
• Episode #388, Paul's Security Weekly

Page 30

Thank You

Michael Dockery, Information Security Officer, Cincinnati Insurance
Chris Beal, Chief Security Architect | @mcncsecurity on Twitter
Paul Howell, Chief Cyberinfrastructure Security Officer, Internet2

2015 AMC Privacy & Security Conference

Disclaimer: The author's affiliation with The Cincinnati Insurance Companies is provided for identification purposes only, and is not intended to convey or imply Cincinnati Insurance's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author.