
Monthly Cyber Threat Briefing April 2015

© 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Presenters

•  Dennis Palmer - Senior Security Analyst, HITRUST
•  Colby DeRodeff - Chief Strategy Officer, ThreatStream
•  Adam Meyers - VP, Threat Intelligence, CrowdStrike
•  Bob Walder - President & CTO, NSS Labs, Inc.
•  Len Bledsoe - Cyber Security Analyst, Computer Security Incident Response Center (CSIRC), U.S. Department of Health and Human Services (HHS)


Agenda

•  NSS Labs - Emerging and unknown exploits and product effectiveness
•  CrowdStrike - Threat actors overview
•  ThreatStream - Operationalizing and leveraging CTX
•  Health and Human Services - Current threat dissection
•  HITRUST - CSF controls related to ongoing threats
•  DHS/CERT - Trends and uncategorized indicators
•  Question and answer session


Threat Capabilities Report

•  Flash, Java, Silverlight, and Internet Explorer are widely used enterprise applications that were aggressively targeted in March.
•  The Angler exploit kit was the most prevalent exploit kit.
•  CryptoWall activity continued to surge.

Data from February 2015 - NSS Labs


Targeted Applications and Operating Systems

Data from March 2015 - NSS Labs

Operating systems in the matrix: Windows 7 SP1, Windows 8, Windows Vista SP1, Windows XP SP3. Number of those four OS versions on which each application/OS combination was targeted:

•  Adobe Flash Player 11.4: 1
•  Adobe Flash Player 13: 2
•  Internet Explorer 10: 3
•  Internet Explorer 7: 3
•  Internet Explorer 8: 3
•  Internet Explorer 9: 3
•  Java 6 Update 23: 1
•  Java 7: 1
•  Java 7 Update 2: 1
•  Silverlight 4.0.6: 2
•  Silverlight 5: 1


Top Command and Control Hosting by Geo

Data from March 2015 - NSS Labs

Rank and country:
1. South Korea
2. China
3. United States
4. United Kingdom
5. Hong Kong
6. Russia
7. Germany
8. British Virgin Islands
9. Czech Republic
9. Spain (tied)


C&C server locations & callback ports

The 10 most commonly used command and control (C&C) server locations, cross-tabulated with the 10 most commonly used callback ports: 25, 80, 443, 2012, 8080, 1287, 5555, 2015, 1111, 7758.

Data from March 2015 - NSS Labs

Number of those ten ports observed per country:
•  China: all 10
•  France: 2
•  Germany: 2
•  Hong Kong: 3
•  Japan: 2
•  Netherlands: 2
•  South Korea: 1
•  Ukraine: 2
•  United Kingdom: 1
•  United States: 3
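The callback-port table is most useful as a detection input, with one caveat: 25, 80, 443 and 8080 carry so much benign outbound traffic that a port match alone is noise. The block below is an added example, not NSS Labs or HITRUST code, that triages a constructed flow export two ways: a direct alert for the six ports in the table with little legitimate outbound use, and a beaconing check (regularly spaced repeats to the same destination) for the common ports. The sample flows, the RFC 1918 prefix simplification and the GeoIP country column are assumptions.

```python
"""Triage outbound flows against the C&C callback ports from the NSS Labs
table.  Example code added for this page; not NSS Labs or HITRUST tooling.
Flow records and IP addresses below are constructed."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Callback ports from the slide, split by how much benign traffic they carry.
COMMON_PORTS = {25, 80, 443, 8080}                      # noisy: alert only on beaconing
UNUSUAL_PORTS = {2012, 1287, 5555, 2015, 1111, 7758}    # little legitimate outbound use
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")      # simplified RFC 1918 check (assumption)

# Constructed sample export: "<timestamp> <src> <dst> <dst_port> <dst_country>".
# The country column is assumed to come from an upstream GeoIP enrichment step.
SAMPLE_FLOWS = """\
2015-03-12T10:00:00Z 10.1.2.3 203.0.113.5 7758 KR
2015-03-12T10:00:00Z 10.1.2.4 198.51.100.7 443 CN
2015-03-12T10:05:00Z 10.1.2.4 198.51.100.7 443 CN
2015-03-12T10:10:00Z 10.1.2.4 198.51.100.7 443 CN
2015-03-12T10:15:00Z 10.1.2.4 198.51.100.7 443 CN
2015-03-12T10:00:00Z 10.1.2.5 198.51.100.9 80 US
2015-03-12T10:01:00Z 10.1.2.5 198.51.100.9 80 US
2015-03-12T10:30:00Z 10.1.2.5 198.51.100.9 80 US
2015-03-12T10:02:00Z 192.0.2.10 10.1.2.3 80 US
"""


def parse_flow(line: str) -> Dict:
    ts, src, dst, port, country = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "port": int(port), "country": country}


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def is_regular(times: List[datetime], max_jitter: float = 0.2) -> bool:
    """True when at least three timestamps are spaced at near-constant
    intervals: every gap lies within max_jitter of the mean gap."""
    if len(times) < 3:
        return False
    ordered = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and max(abs(g - mean) for g in gaps) / mean <= max_jitter


def triage(export: str) -> List[Dict]:
    """Return alerts for outbound (internal -> external) flows: any hit on an
    unusual callback port, and beaconing on the common ports."""
    flows = [parse_flow(line) for line in export.splitlines() if line.strip()]
    outbound = [f for f in flows if is_internal(f["src"]) and not is_internal(f["dst"])]
    alerts: List[Dict] = []
    timings = defaultdict(list)   # (src, dst, port, country) -> timestamps
    for f in outbound:
        if f["port"] in UNUSUAL_PORTS:
            alerts.append({"src": f["src"], "dst": f["dst"], "port": f["port"],
                           "country": f["country"], "reason": "rare-callback-port"})
        elif f["port"] in COMMON_PORTS:
            timings[(f["src"], f["dst"], f["port"], f["country"])].append(f["ts"])
    for (src, dst, port, country), times in timings.items():
        if is_regular(times):
            alerts.append({"src": src, "dst": dst, "port": port, "country": country,
                           "reason": "beaconing", "hits": len(times)})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_FLOWS):
        print(alert)
```

On the sample export this yields two alerts: the single connection to port 7758, and the host talking to one external address on 443 every five minutes; the host with three irregularly spaced port-80 connections is left alone. The country column is carried through for the analyst but is deliberately not scored, since the United States sits in the same table.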


CAWS: All Threats for March

March 2015 - NSS Labs


CAWS: Top Apps Targeted

March 2015 - NSS Labs


Are you protected?

CAWS/InSight NGFW Devices: March 2015 - NSS Labs


NGIPS Group Test: 6 products (anonymized) and security effectiveness (live threats from CAWS)

NGIPS 2015 - NSS Labs

Live exploits blocked, per product (chart values, products anonymized): 99.5%, 98.5%, 74.7%, 94.6%, 94.6%, 100.0%


Trends Targeting Healthcare

•  Proprietary medical technology/design information
•  Pharmaceutical intellectual property
•  Sensitive information on designated VIP patients
•  Broad collection to facilitate targeting of individuals
•  Monetization of PII


Deep Panda IOCs


Making Intelligence Actionable

•  Cyber Threat Exchange for Healthcare
•  Enables actionable intelligence
•  Cross-industry collaboration
•  Proactive detection of new threats
•  Security infrastructure integration


I want to collaborate, but what do I share?

Let's start with what can actually be shared (external data):
•  Email addresses
•  File hashes (MD5 / SHA256)
•  Domain names
•  URLs
•  User agents

Now what use cases? What do you see in the SOC?
•  Phishing campaigns
•  Suspicious / scanning / brute-force login IPs
•  Logins from hosting providers
•  Malware outbreaks: file MD5s

You're Not Alone – Collaboration is a Force Multiplier


Information Sharing and Collaboration

Proven benefits:
•  Provides situational awareness and context across organizational and geographical boundaries
•  Force multiplier: leverage your peers
•  Data classification rules
   –  Traffic Light Protocol (TLP)
•  Actor / campaign details
•  Automated distribution
•  Platform agnostic
•  Anonymous and secure

hitrustalliance.net/cyber-threat-xchange/
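Turning the SOC observations listed above into something the exchange can distribute means three things: validating that each value really is one of the shareable indicator types (MD5/SHA256, domain, URL, email, IP, user agent), stripping anything that identifies the submitting organization, and labelling the package with a TLP level. The block below is an added example, not Cyber Threat Xchange or ThreatStream code; the submitter's own domain (example-hospital.org), the sample observations, and the user-agent heuristic are assumptions.

```python
"""Build a TLP-labelled indicator package from raw SOC observations.
Example code added for this page; not Cyber Threat Xchange or ThreatStream
code.  The own-domain list and the sample observations are constructed."""
import json
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

HEX_RE = re.compile(r"^[0-9a-f]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
EMAIL_RE = re.compile(r"^[^@\s]+@(?:[a-z0-9-]+\.)+[a-z]{2,63}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
TLP_LEVELS = ("RED", "AMBER", "GREEN", "WHITE")   # TLP levels in use in 2015
OWN_DOMAINS = {"example-hospital.org"}   # assumption: submitter's own domains, never shared as IOCs

SAMPLE_OBSERVATIONS = [   # constructed, not real campaign data
    "0123456789abcdef0123456789abcdef",
    "0123456789ABCDEF0123456789ABCDEF",    # same MD5, different case: deduplicated
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
    "login-verify.example.net",
    "http://login-verify.example.net/owa/index.php",
    "itservicedesk@example-mail.test",
    "helpdesk@example-hospital.org",       # own domain: rejected
    "203.0.113.77",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "ticket #4711 - user clicked link",    # free text: rejected
]


def classify(value: str) -> Optional[Tuple[str, str]]:
    """Return (indicator_type, normalized_value), or None if unrecognized."""
    v = value.strip()
    lv = v.lower()
    if HEX_RE.match(lv) and len(lv) in (32, 64):
        return ("md5" if len(lv) == 32 else "sha256", lv)
    if lv.startswith(("http://", "https://")) and urlsplit(lv).hostname:
        return ("url", v)
    if EMAIL_RE.match(lv):
        return ("email", lv)
    if IPV4_RE.match(lv) and all(int(o) <= 255 for o in lv.split(".")):
        return ("ipv4", lv)
    if DOMAIN_RE.match(lv):
        return ("domain", lv)
    if "/" in v and " " in v:   # heuristic: product/version tokens such as "Mozilla/4.0 (...)"
        return ("user_agent", v)
    return None


def host_of(kind: str, value: str) -> Optional[str]:
    if kind == "domain":
        return value
    if kind == "email":
        return value.rsplit("@", 1)[1]
    if kind == "url":
        return (urlsplit(value).hostname or "").lower()
    return None


def defang(kind: str, value: str) -> str:
    """Neutralize network indicators for transport in e-mail or tickets."""
    if kind == "url":
        return re.sub(r"^http", "hxxp", value, flags=re.I).replace(".", "[.]")
    if kind in ("domain", "email", "ipv4"):
        return value.replace(".", "[.]")
    return value


def build_package(title: str, tlp: str, observations: List[str],
                  own_domains=OWN_DOMAINS) -> Dict:
    tlp = tlp.upper()
    if tlp not in TLP_LEVELS:
        raise ValueError(f"unknown TLP level {tlp!r}, expected one of {TLP_LEVELS}")
    indicators, rejected, seen = [], [], set()
    for raw in observations:
        parsed = classify(raw)
        if parsed is None:
            rejected.append({"value": raw, "reason": "unrecognized"})
            continue
        kind, value = parsed
        host = host_of(kind, value)
        if host and any(host == d or host.endswith("." + d) for d in own_domains):
            rejected.append({"value": raw, "reason": "own-domain"})
            continue
        if (kind, value) in seen:   # case-normalized duplicates collapse
            continue
        seen.add((kind, value))
        indicators.append({"type": kind, "value": value, "defanged": defang(kind, value)})
    return {"title": title, "tlp": tlp, "indicators": indicators, "rejected": rejected}


if __name__ == "__main__":
    pkg = build_package("Credential-harvesting lures, March", "amber", SAMPLE_OBSERVATIONS)
    print(json.dumps(pkg, indent=2))
```

The rejected list is kept in the package on purpose: an analyst reviewing the submission before it goes to the community should see what was filtered and why, rather than silently losing an observation that was merely typed into the wrong field.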


Collaboration in Action

hitrustalliance.net/cyber-threat-xchange/


Trending

General Platform Statistics (charts, Feb vs. Mar):
•  Community IOCs and Compromised Credentials (scale 0 to 90,000)
•  Threat Intelligence Packages (scale 0 to 20)


Collaboration in Action

https://hitrustctx.threatstream.com/tip/142


Collaboration in Action

•  Threat Intelligence Packages actively being submitted by the community

Premera Breach Details Continued

https://hitrustctx.threatstream.com/tip/179


Collaboration in Action

https://hitrustctx.threatstream.com/tip/184


HHS – Credential Harvesting

•  Compromised credentials have the potential to be leveraged in future attacks
•  Uptick in credential harvesting emails received across the enterprise in March
•  ~13,700 emails received containing domains of credential harvesting sites
•  Training and education program implemented
•  Reduction of credential harvesting emails planned via a technical solution

Top credential harvesting domains:
•  Wix[.]com
•  Weebly[.]com
•  Jimdo[.]com
•  Coffeecup[.]com

Email subject lines used:
•  IT service DESK
•  USER VERIFICATION
•  Updating
•  OUTLOOK LATEST UPDATE
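The HHS figures point at a mail-gateway check, with one caveat a practitioner would want stated: Wix, Weebly, Jimdo and CoffeeCup are free site builders that host plenty of legitimate pages, so a link to one of them is a weak signal on its own and only becomes actionable in combination with a lure subject or credential wording. The block below is an added example, not HHS CSIRC tooling, that scores constructed messages on those three signals; the messages, the weights and the verdict thresholds are assumptions.

```python
"""Score inbound mail for credential-harvesting lures using the hosting
domains and subject lines reported by HHS.  Example code added for this
page; not HHS CSIRC tooling.  The messages below are constructed."""
import email
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Hosting domains and subject lines from the slide (defanged there; plain here
# only for string matching, no network access is made).
HARVEST_HOSTERS = ("wix.com", "weebly.com", "jimdo.com", "coffeecup.com")
LURE_SUBJECTS = ("it service desk", "user verification", "updating",
                 "outlook latest update")
CRED_WORDS = re.compile(r"\b(password|verify|validate|re-?activate|mailbox|quota)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
REPLY_PREFIX = re.compile(r"^(?:(?:re|fw|fwd)\s*:\s*)+", re.I)

# Constructed single-part, plain-text messages as RFC 822 strings.
SAMPLE_MESSAGES = [
    "From: it-support@example-mail.test\nSubject: IT service DESK\n\n"
    "Your mailbox quota is full. Verify your password at "
    "http://helpdesk-portal.wix.com/login within 24 hours.\n",
    "From: cafeteria@example-hospital.org\nSubject: Lunch menu\n\n"
    "This week's menu is at http://cafeteria.weebly.com/menu.\n",
    "From: ops@example-hospital.org\nSubject: Updating\n\n"
    "Updating the on-call rota; see http://intranet.example-hospital.org/rota\n",
    "From: owa-admin@example-mail.test\nSubject: Re: OUTLOOK LATEST UPDATE\n\n"
    "Click http://mail-update.jimdo.com/owa to verify your account password.\n",
]


def hosted_on_listed(url: str) -> bool:
    """Suffix match on the registered domain, so 'wix.com.evil.test' does not match."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in HARVEST_HOSTERS)


def normalize_subject(subject: str) -> str:
    """Drop Re:/Fw: prefixes, collapse whitespace, lower-case."""
    return re.sub(r"\s+", " ", REPLY_PREFIX.sub("", subject)).strip().lower()


def score_message(raw: str) -> Dict:
    msg = email.message_from_string(raw)
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""   # single-part only
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(body)]
    hoster_hits = [u for u in urls if hosted_on_listed(u)]
    subject_hit = normalize_subject(subject) in LURE_SUBJECTS
    cred_hit = bool(CRED_WORDS.search(body))
    # Weights are assumptions: the hosting domain is worth two points because it
    # is the rarest of the three signals in ordinary mail, but never enough alone.
    score = 2 * bool(hoster_hits) + int(subject_hit) + int(cred_hit)
    verdict = "quarantine" if score >= 3 else "review" if score == 2 else "deliver"
    return {"subject": subject, "score": score, "verdict": verdict,
            "hoster_urls": hoster_hits}


def triage(messages: List[str]) -> List[Dict]:
    return [score_message(m) for m in messages]


if __name__ == "__main__":
    for result in triage(SAMPLE_MESSAGES):
        print(result["verdict"], result["score"], result["subject"])
```

The cafeteria message shows why the domain alone is not enough: it links to a Weebly-hosted page with no lure subject and no credential wording, and lands in review rather than quarantine. Matching the exact subject strings from the slide is deliberately brittle; once a campaign rotates its subjects, the body and link signals carry the detection.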


CSF Controls Related to Threats

•  CSF Control for Compromised Credentials
   –  Control Reference: 01.d User Password Management
   •  Control Text: All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user.
   •  Implementation requirement: Passwords should be confidential, passwords should be changed under indication of compromise, passwords should not be reused, and passwords should not be shared or provided to anyone.


CSF Controls Related to Threats

•  CSF Control for Compromised Credentials
   –  Control Reference: 01.j User Authentication for External Connections
   •  Control Text: Appropriate authentication methods shall be used to control access by remote users.
   •  Implementation requirement: Remote users shall be authenticated by use of a password/passphrase and at least one of the following: certificate, challenge/response, software token, hardware token, cryptographic or biometric technique.


CSF Controls Related to Threats

•  CSF Control for Suspicious Domain Registrations
   –  Control Reference: 01.i Policy on the Use of Network Services
   •  Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.
   •  Implementation requirement: The organization shall specify the networks and network services to which users are authorized access.


CSF Controls Related to Threats

•  CSF Control for Dropper Tools Dropping Basic Backdoors / RATs
   –  Control Reference: 09.j Controls Against Malicious Code
   •  Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.
   •  Implementation requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.


DHS/CERT

•  Trends and uncategorized indicators


Questions and Answers


Additional Information

•  Sign up for briefings and alerts
   –  www.hitrustalliance.net/cyberupdates/
•  CyberRX 2.0 exercise information, or Spring 2014 exercise findings
   –  www.hitrustalliance.net/cyberrx/
•  Cyber Threat Xchange (free subscription)
   –  hitrustalliance.net/ctx-registration/


•  Additional content available at:
   –  https://hitrustalliance.net/content-spotlight/
