Defending against Cyber Attacks MICHAEL DOCKERY
CHRIS BEAL
PAUL HOWELL
Security & Privacy Track June 24, 2015
2015 AMC Privacy & Security Conference
In the News
© 2015 MCNC – General Use v1.0
Healthcare Data Breaches
Source: https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf (April 2015)
• 25% increase in healthcare data breaches in 2014, 2% higher than the rate across all industries
• Majority caused by human error and lost or stolen devices
  – 44% of healthcare breaches due to lost or stolen devices
  – Accidental disclosure due to human error up 11% in 2014
• Targeting of patient medical info an increasing issue
  – Breaches resulting from targeted attacks up 82% in 2014
  – Breaches resulting from insider theft nearly doubled in 2014
Why Are Attackers Interested In Healthcare Targets?
• Medical data sets tend to be more complete compared to what can be obtained elsewhere
  – Government ID, bank and credit card info, insurance info, physical descriptors, health status
  – Can be used for ID theft, financial fraud, prescription fraud, obtaining passports, visas or other ID
• Translates to higher value for attackers
  – Credit card numbers may fetch from $0.50 to $1.00
  – ID and insurance info worth up to $10, or as high as $50 depending on completeness of the record
Source: https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf
Why’s It Getting Tougher?
• Threats Have Evolved
• Attackers Are Smarter & More Efficient
• Users Are More Mobile (BYOD)
• Data Is More Distributed
• Everything Is Interconnected
• Short Supply
• Motivations Are Focused on Near-Term
R & E Networks Not Immune
Questions for Panel
• What do you think is the most significant cyber threat facing healthcare today?
• Outline a strategy for defending against cyber attacks.
• Determine what his/her organization can do to improve its security posture against cyber attacks.
Simple DDoS Attack
Man in the Middle Attack
Source: Arbor Networks
DDoS Bandwidth Use
Source: Corero Network Security
Multi-Vector and Adaptive
• Watch what’s happening on the network.
• Know which systems depend on external Internet access.
• Get an alternative to email.
• Secure your teleconferences. Send your conference passcode securely, not in the body of your calendar invite.
• Be ready for total shutdown, if necessary.
• Ask your ISP about their capabilities.
• Consider mitigation such as scrubbing services.
• For very large attacks, consider contacting a DDoS mitigation company.
Defenses
• US-CERT Alert TA15-120A, Securing End to End Communications
  – Employing multiple network and browser protection methods forces an attacker to develop different tactics, techniques, and procedures to circumvent the new security configuration.
• Use VPNs and HTTPS
• Prepare your people for these advanced attacks by educating them on the dynamics, patterns, samples and frequency of attack methods attempted on other organizations.
Defenses
SIEM and Endpoint Failures Due to Inability to Detect Malware
Mine for Windows Codes Indicative of Malware
1. Implement Malware Cheat Sheet Logging Recommendations
   – Be prepared for an incident and have logs available
2. Focus on codes that are indicative of Malware (see Michael Gough’s tutorials and slide shares)
   – Monitor CMD.EXE usage
   – Process Create 4688
   – File/Registry Auditing 4663
   – Service Changed 4070
   – User Login Success 4624
   – Share Accessed 5140
3. Use analytics where possible to look for indicators of partner compromise.
4. Remove admin and ban email usage/internet access using admin credentials
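As an added example (not from the presentation or any of the speakers), here is a small triage script that applies the event IDs listed above to Windows log records, plus a rule for item 4 (email clients or browsers launched under an administrative account). The records are constructed stand-ins for what Get-WinEvent or an EVTX export returns; the admin account list, the list of internet-facing programs and the watched file are assumed policy inputs. The slide lists "Service Changed" as 4070; the System-log event written when a service start type changes is 7040, so both are in the watch set.

```python
"""Mine Windows Security/System log records for the indicators on the slide.

Added example, not from the presentation. The records below are constructed
and stand in for the fields Get-WinEvent or an EVTX export would give you
(EventID plus the EventData fields each rule needs).
"""
from collections import Counter

# Event IDs the slide names. "Service Changed" is listed there as 4070; the
# System-log event for a changed service start type is 7040, so both are kept.
WATCHED_EVENT_IDS = {4688, 4663, 4070, 7040, 4624, 5140}

# Assumed policy inputs (not from the slide): privileged accounts, programs
# that must never run under them, and a file whose modification we care about.
ADMIN_ACCOUNTS = {"da-jsmith", "svc-backup"}
INTERNET_FACING = {"outlook.exe", "iexplore.exe", "chrome.exe", "firefox.exe"}
WATCHED_FILES = {r"c:\windows\system32\drivers\etc\hosts"}
ADMIN_SHARE_SUFFIXES = ("ADMIN$", "C$", "IPC$")


def _basename(path):
    """Last path component, lower-cased: 'C:\\Windows\\System32\\cmd.exe' -> 'cmd.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def _account(ev):
    """4624 names the logged-on account in TargetUserName; other events use SubjectUserName."""
    key = "TargetUserName" if ev.get("EventID") == 4624 else "SubjectUserName"
    return ev.get(key, "")


def triage_event(ev):
    """Return the rule names that fire for one event record (empty list if none)."""
    eid = ev.get("EventID")
    if eid not in WATCHED_EVENT_IDS:
        return []
    hits = []
    user = _account(ev).lower()
    if eid == 4688:  # process creation
        proc = _basename(ev.get("NewProcessName", ""))
        if proc == "cmd.exe":
            hits.append("cmd_usage")
        if proc in INTERNET_FACING and user in ADMIN_ACCOUNTS:
            hits.append("admin_email_or_internet_use")
    elif eid == 4624:  # successful logon; LogonType 10 = RemoteInteractive, 3 = network
        if user in ADMIN_ACCOUNTS and ev.get("LogonType") in (3, 10):
            hits.append("admin_remote_logon")
    elif eid == 5140:  # network share accessed
        if ev.get("ShareName", "").upper().endswith(ADMIN_SHARE_SUFFIXES):
            hits.append("admin_share_access")
    elif eid == 4663:  # object access; AccessMask 0x2 is WriteData/AddFile
        if ev.get("ObjectName", "").lower() in WATCHED_FILES and ev.get("AccessMask") == "0x2":
            hits.append("watched_file_write")
    elif eid in (4070, 7040):  # service configuration changed
        hits.append("service_changed")
    return hits


def triage(events):
    """Run every record through the rules; returns (computer, event_id, rule, account) tuples."""
    findings = []
    for ev in events:
        for rule in triage_event(ev):
            findings.append((ev.get("Computer", "?"), ev.get("EventID"), rule, _account(ev)))
    return findings


def summarize(findings):
    """Count findings per rule, the shape you would feed a SIEM dashboard or daily report."""
    return Counter(rule for _, _, rule, _ in findings)


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"Computer": "WS02", "EventID": 4688, "SubjectUserName": "da-jsmith",
     "NewProcessName": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"},
    {"Computer": "WS02", "EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\explorer.exe"},
    {"Computer": "SRV01", "EventID": 4624, "TargetUserName": "da-jsmith", "LogonType": 10},
    {"Computer": "WS01", "EventID": 4624, "TargetUserName": "jdoe", "LogonType": 2},
    {"Computer": "SRV01", "EventID": 5140, "SubjectUserName": "jdoe", "ShareName": r"\\*\ADMIN$"},
    {"Computer": "WS01", "EventID": 4663, "SubjectUserName": "jdoe", "AccessMask": "0x2",
     "ObjectName": r"C:\Windows\System32\drivers\etc\hosts"},
    {"Computer": "WS01", "EventID": 7040, "SubjectUserName": "SYSTEM", "ServiceName": "WinDefend"},
    {"Computer": "WS01", "EventID": 4672, "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print(dict(summarize(found)))
```

The rules only fire if the audit policy actually produces these events (process creation auditing for 4688, object access auditing with a SACL on the file for 4663, file share auditing for 5140), which is the point of step 1 above: without the cheat-sheet logging settings in place there is nothing to mine.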
Malicious Links from Partners
Source: Proofpoint
Analytics You May Already Have
• Email Malicious Links Sorted for a Year by Partner (Source: Proofpoint)
• Individual Partner Threat Report: Malicious Links (Source: Proofpoint)
Panel Questions
• What is working right now in Cyber Defense and what is broken?
• What are your “go to” resources which are giving you an edge?
• Any magic bullets?
Where To Begin?
The Critical Security Controls
• A ready-made list of the things you should be thinking about and doing to protect your assets. This is your map!
• While not a replacement for a formal Risk Management program or framework, you can consider the controls a “foundational risk assessment”: a starting point for immediate, high-value action that is demonstrably consistent with formal risk assessment frameworks.
• Not a one-size-fits-all solution. You still need to understand what’s important to your business and your specific threat environment, and develop a plan for assessment, implementation, and ongoing management.
What Are They?
5 Critical Tenets of an Effective Cyber Defense System
① Offense Informs Defense
Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.
② Prioritization
Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented in your computing environment.
③ Metrics
Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.
④ Continuous Diagnosis and Mitigation
Carry out continuous measurement to test and validate the effectiveness of current security measures, and to help drive the priority of next steps.
⑤ Automation
Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics.
The Critical Security Controls
Example – CSC 5: Malware Defenses
What? Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
Why? Malware is pervasive and used in the majority of modern attacks and data breaches, in order to compromise systems and account credentials.
Example – CSC 5: Malware Defenses
ID #     | Description                                                                                                                         | Category
CSC 5-1  | Use automated tools such as anti-virus, anti-spyware, host-based firewalls, and host-based IPS to continuously monitor systems for indicators of malware. | Quick Win
CSC 5-2  | Use anti-malware software that offers remote, cloud-based centralized management infrastructure to share intelligence and update managed systems. | Quick Win
CSC 5-3  | Disable “auto-run” feature for removable media and network shares.                                                                  | Quick Win
CSC 5-4  | Automatically scan removable media for malware upon connection to a system.                                                         | Quick Win
CSC 5-5  | Scan all email and block messages containing malicious content.                                                                     | Quick Win
CSC 5-6  | Enable features such as DEP, ASLR, containerization, etc.                                                                           | Quick Win
CSC 5-7  | Limit use of external devices to only where it is required.                                                                         | Quick Win
CSC 5-8  | Ensure that automated monitoring tools use behavior-based anomaly detection in addition to signature-based detection.               | Visibility
CSC 5-9  | Use network-based malware scanning tools to detect and filter network traffic.                                                      | Visibility
CSC 5-10 | Implement an IR process to collect malware samples found to be running that were not caught by existing malware defenses.          | Advanced
CSC 5-11 | Enable DNS query logging to detect lookups for known bad sites.                                                                     | Advanced
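CSC 5-11 is the one control in the table that is pure log analysis, so here is an added example of what "detect lookups for known bad sites" looks like once query logging is on. This is not code from the presentation or from the Critical Security Controls; the log lines are constructed in a BIND9-style query-log layout, and the blocklist uses reserved .example/.test names as a stand-in for a real threat-intelligence feed. The matching is done on label boundaries so that a subdomain of a listed name is caught while a look-alike such as notbad.example is not.

```python
"""Check DNS query-log lines against a list of known-bad domains (CSC 5-11).

Added example, not from the presentation. The log lines are constructed in a
BIND9-style query-log layout; the blocklist uses reserved .example/.test names
and is a placeholder for whatever threat-intelligence feed you subscribe to.
"""
import re
from collections import Counter

# Matches the client address and the queried name/type in a BIND-style line such as
#   24-Jun-2015 09:15:01.123 client 10.20.30.40#51234 (www.example.com): query: www.example.com IN A + (10.0.0.53)
QUERY_RE = re.compile(r"client (?:@\S+ )?(\d{1,3}(?:\.\d{1,3}){3})#\d+ .*?query: (\S+) IN (\S+)")

# Constructed blocklist (reserved names, RFC 2606); normalised to lower case, no trailing dot.
BLOCKLIST = {"bad.example", "malware.test"}


def normalize(name):
    """Lower-case and strip the trailing dot so 'MALWARE.TEST.' and 'malware.test' compare equal."""
    return name.rstrip(".").lower()


def is_blocked(qname, blocklist):
    """True if qname is a listed domain or a subdomain of one.

    Matching is done on label boundaries: cdn.bad.example matches bad.example,
    but notbad.example does not, which a plain endswith() check would get wrong.
    """
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def parse_query_line(line):
    """Return (client_ip, qname, qtype) or None for lines that are not queries."""
    m = QUERY_RE.search(line)
    return m.groups() if m else None


def find_blocked_lookups(lines, blocklist):
    """Scan log lines; returns a list of (client_ip, qname, qtype) for lookups of listed names."""
    hits = []
    for line in lines:
        parsed = parse_query_line(line)
        if parsed and is_blocked(parsed[1], blocklist):
            hits.append(parsed)
    return hits


def clients_by_hit_count(hits):
    """Which internal hosts are talking to bad names, most active first."""
    return Counter(ip for ip, _, _ in hits).most_common()


# Constructed sample lines (not a real capture).
SAMPLE_LOG = """\
24-Jun-2015 09:15:01.123 client 10.20.30.40#51234 (www.example.com): query: www.example.com IN A + (10.0.0.53)
24-Jun-2015 09:15:02.456 client 10.20.30.40#51240 (cdn.bad.example): query: cdn.bad.example IN A + (10.0.0.53)
24-Jun-2015 09:15:03.789 client 10.20.30.41#50001 (notbad.example): query: notbad.example IN A + (10.0.0.53)
24-Jun-2015 09:15:04.012 client 10.20.30.41#50002 (MALWARE.TEST.): query: MALWARE.TEST. IN TXT + (10.0.0.53)
24-Jun-2015 09:15:05.000 zone example.com/IN: loaded serial 2015062401
24-Jun-2015 09:15:06.345 client 10.20.30.42#50003 (bad.example): query: bad.example IN AAAA + (10.0.0.53)
""".splitlines()

if __name__ == "__main__":
    hits = find_blocked_lookups(SAMPLE_LOG, BLOCKLIST)
    for ip, name, qtype in hits:
        print(f"{ip} looked up {name} ({qtype})")
    print(clients_by_hit_count(hits))
```

The client address is the useful part of each hit: a resolver log tells you which internal host asked, which is the starting point for the CSC 5-10 sample-collection process when the endpoint tools missed it.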
First Five Quick Wins
① Application Whitelisting – CSC 2
② Use of Standard, Secure System Configurations – CSC 3
③ Patch Application Software Within 48 Hours – CSC 4
④ Patch System Software Within 48 Hours – CSC 4
⑤ Reduce Number of Users With Administrative Privileges – CSC 3, CSC 12
The Top 4 Strategies
① Application Whitelisting: explicitly define the applications that are allowed to run on a system
② Patch Applications: keep applications updated
③ Patch the Operating System: keep the OS and core components updated
④ Minimize Administrative Privileges: limit the power that users have on systems and what they are allowed to change
http://www.asd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm
Resources
• http://www.cisecurity.org/documents/CSC-MASTER-VER5.1-10.7.2014.pdf
• Spotting the Adversary with Windows Event Log Monitoring, TSA-13-1004-SG, NSA/CSS Information Assurance Service: https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf
• Windows Logging Cheat Sheet: http://www.slideshare.net/Hackerhurricane/windows-logging-cheat-sheet-v11?related=4
• Michael Gough’s Logging Slides, Slideshare
• Episode #388, Paul’s Security Weekly
Thank You
Michael Dockery, Information Security Officer, Cincinnati Insurance, [email protected]
Chris Beal, Chief Security Architect | [email protected] | @mcncsecurity on Twitter
Paul Howell, Internet2, Chief Cyberinfrastructure Security Officer, [email protected]
Disclaimer: The author’s affiliation with The Cincinnati Insurance Companies is provided for identification purposes only, and is not intended to convey or imply Cincinnati Insurance’s concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author.