A TALE of TWO Breaches

Cyber Security Context & Some Lessons Learned

Nadir Belarbi, Partner & Sr Consultant, Ceelix Technologies

PMP, ITIL, CISSP, CRISC

http://www.ceelix.com

Photo Credits: Jev 55 - Vault / FlickR CC license




Agenda

•  Summary

•  Current Security Context

•  The Target Cyber Incident

•  The JPMorgan Cyber Incident

•  The Canadian Privacy Digital Act

•  Takeaways

•  Questions

All content belongs to Ceelix Technologies Inc. and Nadir Belarbi except where indicated.

Content can be reused with the author’s permission.



Summary

•  The cyber security landscape is constantly changing. The number and complexity of cyber-attacks are rapidly increasing. Organizations with heterogeneous systems need to manage their risk exposure and vulnerabilities while still delivering the service level the business expects.

•  The size and complexity of these architectures, combined with increased exposure to cyber incidents, require a quasi-permanent elevated alert state within IT organizations.

•  Cyber risk and vulnerability management, user and authorization management, GRC compliance and business continuity processes are essential to reduce an organization's exposure to known and unknown threats. In this presentation, we review key findings from some major cyber incidents and highlight the processes and controls that could have prevented them.


Context: It’s a Vulnerable World

Context: It’s a Risky World

Context: Everywhere, Evenly

Context: For Every Industry

Context: Too Many Alerts

Context: Dealing with Limits

Context: Searching for the Real Threat

Context: To Protect the Right Asset

Context: Against All Odds

Context: Trying to Avoid

Context: And their Consequences

Context: On All Functions

Context: But Mostly on Revenue & Customers

Incidents

Target 2013: Summary

•  Target is a retail chain in the United States, second after Wal-Mart, with a turnover of about 73 billion dollars in 2015 (NYSE: TGT).

•  In early December 2013, Target announced that data from 40 million credit cards had been stolen.

•  The data was stolen from POS (Point of Sale) terminals.

•  Target later raised this figure to 70 million credit cards, representing 11 Gb of data.

•  It was the US Department of Justice (DoJ) that informed Target about the incident; Target itself had not detected it.

•  Target and the partner involved in the incident were PCI certified (the security standard regulating credit card payments).

Breach Timeline

Source: Cyphort Dissecting the Target breach – YouTube

The Cyber Attack

Recognition Phase

•  The attackers used Internet searches (Google).

•  This research determined which partners worked with Target.

•  The attackers also discovered a 2011 case study on the Microsoft website that described how Target used Microsoft virtualization solutions (probably Hyper-V) and Microsoft System Center Configuration Manager (SCCM) to deploy its software updates.

•  This case study described in detail the architecture of the Target infrastructure, including the Point of Sale (POS) solutions.

The Cyber Attack

Weaponization Phase

•  The attackers likely targeted Target and its partners with phishing attacks.

•  A malware called Citadel was probably used.

•  Citadel is based on the Zeus malware and specifically targets credentials stored in password managers such as KeePass, Password Safe and neXus Personal Security Client.

•  Zeus is a Trojan that runs on versions of Microsoft Windows. It is often used to steal banking information through the "man-in-the-browser" technique, which intercepts keystrokes and form input.

•  Citadel was designed to evade antivirus detection through tests with Scan4You, an equivalent of VirusTotal that is totally anonymous and does not share submitted samples with antivirus vendors.

Photo Credits: XyliBox - How the protection of Citadel got cracked - 2013

The Cyber Attack

Delivery Phase, Act I

•  One of the targeted Target partners was a vendor (Fazio Mechanical) that serviced its HVAC (heating, ventilation and air conditioning) system.

•  An employee of Fazio Mechanical probably received an email with an attachment or a link to the Citadel malware.

•  The malware stole the employee's credentials while he was connecting to the Target provider’s portal.

•  The attackers were then able to access the Target provider’s portal.

The Cyber Attack

Reconnaissance and Exploitation, Act II

•  Target’s supplier portal was then used as a hub to access Target's internal network.

•  The attackers certainly used one or more vulnerabilities in the portal to move laterally.

•  They then initiated a reconnaissance, probably using a backdoor and other vulnerabilities.

•  This second reconnaissance phase probably uncovered a vulnerable Windows domain controller.

Photo Credits: M Lobo – Active Directory / FlickR – CC License

The Cyber Attack

Reconnaissance and Exploitation, Act III

•  The Microsoft case study clearly stated that each store operated autonomously from a computing standpoint, so the stores certainly had dedicated domain controllers (except for centralized authentication and DNS).

•  The domain controllers certainly allowed access to the Point of Sale (PoS) solutions.

•  Once this first access was gained, another malware designed specifically for these devices was installed (BlackPOS / Potato).

•  Given the large number of machines infected in a short time span, the attackers probably used Microsoft SCCM to deploy the PoS malware.

•  The PoS malware was undetectable by antivirus.

Photo Credits: Patrick Hoesly - Infinite Target Registers / FlickR – CC License; Cyphort Dissecting the Target breach – YouTube

The Cyber Attack

Access & Exfiltration

•  The Point of Sale (PoS) malware added itself as a POSWDS process and read the credit card information in memory (RAM), before its encryption, by looking for a process called POS.EXE.

•  It saved the information in a .dll file.

•  It stored these files on Windows (SMB) shares via ports 139, 443 or 80.

•  The attackers also used additional components to send commands (C2) to the malware across the network without being detected by the NIDS: an ICMP tunnel, in which text messages were embedded in the protocol, to move the POS data within the LAN.

•  The malware’s exfiltration mechanism was designed to work only between 10 AM and 5 PM.

Source: Cyphort Dissecting the Target breach – YouTube

The Cyber Attack

Access & Exfiltration

•  The attackers also managed to recover data using BMC (Performance Assurance for Microsoft Servers), which used an account with default authentication information (login & password).

•  The data was then exfiltrated and moved via FTP across several servers around the world.

•  Some of these servers served as drop boxes, allowing the attackers to retrieve the data (including one in Los Angeles).

•  During the incident, the FireEye CSIRT teams in India alerted the Target team, but no action was taken.

•  The credit card data was then sold on the Darkweb for $20 - $45 per card.

Photo 1 Credits: Mike Mozart – Target Credit Card / FlickR – CC License

Photo 2 Credits: Cyphort Dissecting the Target breach – YouTube
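As an added example for the two "Access & Exfiltration" slides above (written for this transcript, not code from the presentation, Target, FireEye or any vendor product): detection rules over constructed connection records for the three channels the slides describe, card track data carried in ICMP tunnel payloads, .dll dumps written by POS hosts to SMB shares, and FTP sessions to external servers. The record field names, the host roles and the internal address ranges are assumptions.

```python
"""Detection rules for the three data paths on the "Access & Exfiltration"
slides: card track data inside ICMP tunnel payloads, .dll dumps written by
POS hosts to SMB shares, and FTP sessions to external servers.
Example code written for this transcript, not Target's, FireEye's or any
vendor's tooling. Records are constructed; field names, host roles and the
internal address ranges are assumptions, not a real product schema."""
import ipaddress
import re

# Track-2 magnetic stripe layout: 13-19 digit PAN, '=' separator, YYMM expiry
TRACK2_RE = re.compile(rb"(\d{13,19})=(\d{4})")
# Stock echo requests carry 32-56 bytes of filler; a tunnel needs more room
MAX_PING_PAYLOAD = 64
# Assumed internal ranges (RFC 1918); anything else counts as "outside"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def luhn_ok(pan: bytes) -> bool:
    """Luhn checksum, so random digit runs do not trip the card-data rule."""
    total = 0
    for i, ch in enumerate(reversed(pan.decode())):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def contains_card_data(payload: bytes) -> bool:
    return any(luhn_ok(m.group(1)) for m in TRACK2_RE.finditer(payload))

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def inspect(rec: dict) -> list:
    """Names of the rules one record trips; an empty list means benign."""
    hits = []
    if rec["proto"] == "icmp":
        payload = rec.get("payload", b"")
        if len(payload) > MAX_PING_PAYLOAD:
            hits.append("icmp_oversized_payload")
        if contains_card_data(payload):
            hits.append("icmp_carries_track_data")
    elif rec["proto"] == "smb" and rec.get("op") == "write":
        # Slide: card dumps were saved as .dll files and parked on shares
        if rec["src_role"] == "pos" and rec["path"].lower().endswith(".dll"):
            hits.append("pos_writes_dll_to_share")
    elif rec["proto"] == "ftp" and not is_internal(rec["dst_ip"]):
        # Slide: staged data left via FTP to servers around the world
        hits.append("ftp_to_external_host")
    return hits

def triage(records: list) -> dict:
    """Map record id -> tripped rules, keeping only records that tripped one."""
    return {r["id"]: inspect(r) for r in records if inspect(r)}

# Constructed sample traffic (not real Target data). 4111111111111111 is the
# widely used Visa test PAN and passes Luhn; 203.0.113.0/24 is documentation
# address space standing in for an external drop server.
SAMPLE = [
    {"id": 1, "proto": "icmp", "src_role": "pos", "dst_ip": "10.1.2.3",
     "payload": b"abcdefghijklmnopqrstuvwabcdefghi"},   # stock Windows ping
    {"id": 2, "proto": "icmp", "src_role": "pos", "dst_ip": "10.1.2.3",
     "payload": b"T2:4111111111111111=2512101000000000000;" + b"x" * 60},
    {"id": 3, "proto": "smb", "op": "write", "src_role": "pos",
     "dst_ip": "10.1.9.9", "path": r"\\staging\share\winxml.dll"},
    {"id": 4, "proto": "smb", "op": "read", "src_role": "pos",
     "dst_ip": "10.1.9.9", "path": r"\\staging\share\update.exe"},
    {"id": 5, "proto": "ftp", "src_role": "server", "dst_ip": "10.1.9.9"},
    {"id": 6, "proto": "ftp", "src_role": "server", "dst_ip": "203.0.113.7"},
]
```

Running `triage(SAMPLE)` flags records 2, 3 and 6 only; the stock ping, the SMB read and the internal FTP session pass, which is the point of pairing the Luhn check and explicit internal ranges with the protocol rules.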

Direct Consequences

•  100 million credit cards stolen.

•  $148 million in costs (Q2 2014).

•  $38 million covered by insurance.

•  $100 million to upgrade systems (the FireEye system had already cost $1.6 million).

Indirect Consequences

•  46% profit loss in Q4 2013.

•  Departures of the CEO and CIO (3 months after the incident).

•  Investigation of Target by the Department of Justice (DoJ), the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC).

•  The banks had to refund almost all the fraudulent purchases and replace all the credit cards: $200 million.

•  Significant increase in identity theft during the first part of 2014.

•  140 different lawsuits against Target.

•  Banks' lawsuit against Target's PCI auditor, Trustwave.

•  Significant decrease in attendance at Target stores.

Photo Credits : Bobsullivan.net - A credit freeze? Bad advice — and everything else you need to know about Target hack, day 2 – 12/20/2013

Takeaways

•  Compliance with the PCI-DSS standard is not a guarantee of absolute security.

•  An organization can be indirectly targeted through its partners.

•  Detecting security events of interest without taking adequate measures is the equivalent of detecting nothing.

•  Antivirus and NIDS detection mechanisms can be bypassed.

•  "The devil is in the details": a small glitch such as a missing patch, a broken encryption chain, default authentication credentials, or system and application vulnerabilities will make the breach possible.

JPMorgan Chase 2014: Summary

•  JPMorgan is the largest US multinational retail bank, with sales of approximately $95 billion (NYSE: JPM) and 243,355 employees in 2016.

•  JPMorgan hosts 76 million personal accounts (one in three Americans) and 7 million small businesses.

•  In September 2014, JPMorgan Chase announced that data from 83 million bank accounts had been stolen. The impacted web sites were Chase.com, JPMorganOnline, Chase Mobile and JPMorgan Mobile.

•  JPMorgan uncovered the breach because one of its charity web sites suffered a cyber incident in which logins and passwords were stolen. A company (Hold Security Inc) intervened and realized that there were also logins and passwords from a corporate site of JPMorgan (Corporate Challenge).

•  The data theft was discovered by JPMorgan's cyber security teams at the end of July 2014 and could only be stopped by mid-August of the same year.

Photo Credits : 7News – Denver - JPMorgan Chase data breach affects 76 million households and 7 million small businesses 10/2/2014

JPMorgan Chase 2014: Summary

•  The bank told the SEC (Securities and Exchange Commission) that the names, email and postal addresses and telephone numbers associated with the accounts had been stolen, but not the logins, passwords or social security numbers.

•  It seems that the stolen information was not encrypted at all times (temporary files).

•  This cyber incident is considered one of the largest data thefts in history.

•  At that time, JPMorgan was spending about $250 million per year on cyber security.

•  JPMorgan had a security team of 1,000 employees vs. 400 for Google at that time.

•  JPMorgan Chase used FireEye, the same solution as Target.

•  JPMorgan was among a group of banks that were targeted by the same type of attacks in 2014.

Photo Credits : Thomas Hawk – Chase / FlickR CC License

The Cyber Attack

Reconnaissance, Weaponization and Exploitation, Act I

•  The attackers probably targeted JPMorgan with phishing attacks.

•  There is no information about the malware(s) that was used.

•  An employee of JP Morgan probably received an email with an attachment or a link to the malware.

•  When the employee connected via VPN to the bank's network, the attackers were probably able to steal his credentials and access the company's internal network.

•  The VPN remote server did not use a second authentication factor (apparently an oversight), so a login and password were sufficient to connect.

The Cyber Attack

Reconnaissance and Weaponization, Act II

•  It then appears that a series of malware were used to exploit vulnerabilities and pass through several layers of security.

•  The attackers managed to control more than 90 servers thanks to zero-day vulnerabilities.

•  The data was exfiltrated over several months to avoid detection.

•  The attackers managed to cover their tracks by erasing a large number of logs.

•  According to other sources (Wired), the attackers also used several other types of attacks within the network (brute force, social engineering with Etrade and Scotrade): so much for the stealth!

Photo Credits : Roland Buulolo – Hacking Visualized / FlickR CC License
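An added example for the log erasure point on this slide (written for this transcript, not JPMorgan's tooling or the presentation's own material): two ways a defender can surface that kind of tampering from the logs that do survive, explicit audit-log-clear events and hosts that stay silent far longer than their usual reporting interval. The log lines are constructed in an assumed "host|time|event id|message" layout, and the gap factor is an assumed tuning parameter.

```python
"""Two signs of the log erasure described on the JPMorgan "Act II" slide:
explicit audit-log-clear events and hosts that go silent for far longer than
their usual reporting interval. Example code written for this transcript, not
JPMorgan's tooling. Log lines are constructed in an assumed "host|iso-time|
event id|message" layout; the gap factor is an assumed tuning parameter."""
from datetime import datetime, timedelta
from statistics import median

# Windows Security event 1102 is "The audit log was cleared"
AUDIT_LOG_CLEARED = 1102

def parse(line: str):
    host, ts, eid, msg = line.split("|", 3)
    return host, datetime.fromisoformat(ts), int(eid), msg

def find_tampering(lines, gap_factor=10, min_events=5) -> dict:
    """Return {host: [finding, ...]} for hosts whose log was cleared or that
    stayed silent more than gap_factor times their median inter-event gap."""
    by_host = {}
    for line in lines:
        host, ts, eid, msg = parse(line)
        by_host.setdefault(host, []).append((ts, eid, msg))
    findings = {}
    for host, events in by_host.items():
        events.sort()
        notes = [f"audit log cleared at {ts.isoformat()}"
                 for ts, eid, _ in events if eid == AUDIT_LOG_CLEARED]
        if len(events) >= min_events:  # need a baseline before judging gaps
            gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
            typical = median(gaps)
            for (start, _, _), (end, _, _), gap in zip(events, events[1:], gaps):
                if typical > timedelta(0) and gap > typical * gap_factor:
                    notes.append(f"silent for {gap} between "
                                 f"{start.isoformat()} and {end.isoformat()}")
        if notes:
            findings[host] = notes
    return findings

# Constructed sample: srv-01 reports every 5 minutes, then nothing for almost
# four hours, then a log-clear event; srv-02 reports steadily all along.
SAMPLE_LOG = [
    "srv-01|2014-07-01T09:00:00|4624|logon",
    "srv-01|2014-07-01T09:05:00|4624|logon",
    "srv-01|2014-07-01T09:10:00|4672|special privileges assigned",
    "srv-01|2014-07-01T09:15:00|4624|logon",
    "srv-01|2014-07-01T09:20:00|4634|logoff",
    "srv-01|2014-07-01T13:00:00|1102|The audit log was cleared",
    "srv-01|2014-07-01T13:05:00|4624|logon",
    "srv-02|2014-07-01T09:00:00|4624|logon",
    "srv-02|2014-07-01T09:05:00|4624|logon",
    "srv-02|2014-07-01T09:10:00|4624|logon",
    "srv-02|2014-07-01T09:15:00|4634|logoff",
    "srv-02|2014-07-01T09:20:00|4624|logon",
]
```

The silence check only fires on hosts with enough events to establish a baseline, which avoids flagging machines that simply log rarely; on this sample it reports srv-01 twice (the clear event and the gap) and nothing for srv-02.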

Direct Consequences

•  4 people were charged in November 2015 with information theft in multiple incidents. These people created several shell companies with false identities and fake passports, and also operated a stock price manipulation scheme, online betting sites and a Bitcoin exchange.

•  According to the investigation, the defendants wanted to use the stolen information to create a brokerage on the Merrill Lynch model.

•  It seems that not all of the culprits were identified, as the investigation revealed that the attackers came from a dozen countries (Bloomberg).

•  No striking public changes in the organization (CEO, CIO, CTO, CISO, etc.).

•  No significant impact on share price or financial results.

Indirect Consequences

•  A precise mapping of all applications used by JPMorgan (and therefore of their vulnerabilities).

•  The departure of a large number of employees working in JPMorgan's cyber security service.

•  JPMorgan said it doubled its security budget, spending about $500 million a year in 2016 on cyber security initiatives (twice as much as in 2014).

Photo Credits: World News

Regulations

The Canadian Digital Privacy Act

•  Baseline: The Personal Information Protection and Electronic Documents Act (PIPEDA) sets the rules for the collection, use and disclosure of personal information by organizations covered by the Act in the course of commercial activities.

•  It establishes basic legal requirements that private-sector organizations must respect so that Canadians can trust that their privacy is protected when their personal information is in the hands of businesses.

•  The Digital Privacy Act (also known as Bill S-4, which received Royal Assent on June 18, 2015) modifies PIPEDA. It should become applicable by the end of 2017.

•  Among other changes, the Digital Privacy Act establishes mandatory data breach reporting requirements.

Photo Credits: World News

The Canadian Digital Privacy Act

•  The new data breach reporting requirements in PIPEDA apply to any “breach of security safeguards”.

•  PIPEDA defines a “breach of security safeguards” as: “The loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in Clause 4.7 of Schedule 1 or from a failure to establish those safeguards.”

This definition is intended to include two elements:

•  The first is that personal information is lost, or accessed by an unauthorized individual (either through theft or wrongful disclosure).

•  The second is that the loss or unauthorized access is the result of someone violating the organization’s security safeguards (or of the organization failing to establish such safeguards).

Photo Credits: World News

Context: Inherent Complexity

Key Takeaways

A systematic and process-oriented approach is mandatory to regularly:

•  Evaluate the organization’s risk

•  Update its critical assets

•  Keep the asset inventory and criticality up to date

•  Uncover, patch or mitigate vulnerabilities

•  Audit accounts and authorizations

•  Review current components and new additions to the IT system architecture

•  Sustain a threat intelligence activity

•  Dedicate enough resources

•  Raise security awareness across the whole organization

•  Comply with legal and regulatory requirements.

Key Takeaways

The size and diversity of any IT organization’s architecture induce an inherent complexity.

•  Complexity is the enemy of security, at least for humans.

•  Automation and AI-assisted decision-making processes and solutions offset this complexity, allowing us to focus on what matters.

Photo Credits : Atomic Taco / FlickR CC License


Questions

Stay Cyber Safe in the Next IT