Post on 08-Jun-2020

SECURITY INSIDE THE PERIMETER - THE CALL IS COMING FROM INSIDE THE HOUSE

Event Code: #ILTALSS #LSS17
Date: June 13, 2017
Time: 3:00 PM - 4:00 PM ET
Location: Salon I


Arlan McMillan
Kirkland & Ellis LLP, CSO
arlanmcmillan@gmail.com

Arlan has over 20 years' experience in Information Technology and Security and, prior to joining Kirkland & Ellis LLP, was the CISO for United Airlines.

He has led a number of teams evaluating, developing and delivering security services, including as the CISO for the City of Chicago and as Director of Global Information Security Operations for ABN AMRO / LaSalle Bank.

In 2014 Arlan was honored to be voted as the Chicago area CISO of the Year and until joining Kirkland, was a board member of the Aviation Information Sharing and Analysis Center (A-ISAC).

SECURITY INSIDE THE PERIMETER - THE CALL IS COMING FROM INSIDE THE HOUSE

Obligatory legal disclaimer: this discussion represents Arlan's personal viewpoint, which is not necessarily shared by his employer or the host of the event.

A different approach to this type of conversation:

- Lots of slides delivered quickly
- You will walk away with product: Dropbox.com, http://bit.ly/2r44mHW
  - This and other presentations for you to reuse
  - Catalog of over 400 operational metrics
  - The CSF diagnostic and reporting templates
  - Other really cool stuff


SIT BACK AND RELAX


1. Train How You Fight
   a. Numbers from the battlefield
   b. Know your enemy
   c. Scenario planning (5+7)
   d. Paperwork now!
2. Pro Tips
3. Real Life Example
4. War Stories from the Audience


DEFENDERS ARE LOSING

- It's happening more often: over 4 billion records lost in 2016 (a record high)
- It costs more: $4 million average cost of a data breach (a 29% increase since 2013)
- Humans are the #1 target: 93% of all significant breaches began with a phishing email


ATTACKERS ARE OUT-PACING DEFENDERS

(Chart: % where “days or less”)

Source: “2016 Data Breach Investigations Report”, Verizon

ATTACKERS GET IN AND REMOVE DATA VERY FAST

(Chart: average time to compromise and exfiltration)

Source: “2016 Data Breach Investigations Report”, Verizon

INTERNAL CONTROLS AREN’T EFFECTIVELY IMPLEMENTED

(Chart: % of breach discovery methods)

Source: “2016 Data Breach Investigations Report”, Verizon

BOUNTY ON LAW FIRMS

Flashpoint report published in January 2017

Multiple firms targeted by a Russian handler:
- Domain Admin Access: $50,000
- Mail Server Access: $20,000
- Access to Office Computer of an Employee: $5,000

COMPRESSION


RAPID PACE OF CHANGE

Computer power has doubled every year since the mid-1960s.

In 1978, a flight from New York City to Paris cost ~$900 and took 7 hours.

If airlines had accelerated as fast as computer technology, the same trip would cost less than one cent and take less than one second to complete.


5 THREAT CATEGORIES


#1: NUISANCE


#2: HACKTIVISTS


#3: ORGANIZED CRIME


#4: ESPIONAGE


#5: DESTRUCT, DENY, DESTROY


PLA GENERAL STAFF ORG CHART


PLA UNIT 61398 – BASE OF OPERATIONS

12-story building in a public, mixed-use area in Shanghai

10 STEP APT DANCE

The “A” in “Advanced”... it should just be named “PT”

DNC & CLINTON CAMPAIGN COMPROMISES – JOHN PODESTA

Highly crafted to look like standard Google password change email

108 sent, 20 clicked – then forwarded to 16 more people of which 4 more clicked

Stole individuals' passwords and silently installed malware on the target's computer, which then allowed the attacker to move laterally and infect other nearby computers


There is significant variability in the number of possible ways that a bad guy can do you harm...

... but 90% of the time it happens in just a few different ways.

Plan for the 90% and you'll be well on your way for the rest. (5+7)

5 CYBER SCENARIOS TO PLAN FOR

1. Malware spread (crypto)
2. Insider data harvesting and exfiltration
3. External breach of client data
4. External breach of non-client data
5. Wide-spread destruction of computer assets

7 BCM SCENARIOS TO PLAN FOR

1. Train How You Fight
   a. Numbers from the battlefield
   b. Know your enemy
   c. Scenario planning and testing
   d. Paperwork now!
2. Pro Tips
3. Real Life Example
4. War Stories from the Audience

GET READY NOW

1. When a big one hits, you will need outside help from a forensics firm.

2. Don’t wait to set up the paperwork. Do it now. It will cost nothing and save you bundles.

3. The FF (forensics firm) should be hired by the GC (General Counsel) office with the goal of providing legal advice. Privilege!

4. Limit who gets the report.

https://sites-shb.vuture.net/42/214/may-2017/5.22.2017---pdsa.asp?sid=6d7417d9-e318-4f2e-ae39-7bcf48f5d5d2


4 PRO TIPS

1. Tactical focus = Patching, Web & Email
2. IS is Risk Management, not Cyber IT
3. Authoritative Controls
4. Tabletops

TACTICAL FOCUS = PATCHING, WEB & EMAIL

Not much to say here: get really good at these three first.

We can talk about all the really cool tools, techniques and PowerShell kung fu you can bring to bear against an adversary, but a strong patching process is by far the most powerful.

IS = RM, NOT CYBER IT

How you communicate and build support for your program is the best cyber-defense!

Information Security is Risk Management: “current risk posture” vs “target risk posture”

5 Questions

1. Are there any material risks to the Firm and if so, what are their potential costs and likelihoods of occurrence?

2. Is my security program aligned to the organization’s desired risk profile?

3. Is my organization more or less secure than last year?

4. Am I spending the right amount of money?

5. How do I compare against my peers?

IS IS RISK MANAGEMENT

(Diagram: Functional Requirements, items 1, 2 and 3)

AUTHORITATIVE CONTROLS

You have a roadmap

TABLETOPS

- Train how you fight
- Tests readiness
- A clear signal to leadership and others that cyber is a priority
- A great way to improve visibility and generate conversation
- Part of a CISO’s job is sales – you need to sell people on why they need to do one thing over another


INCIDENT TIMELINE

ref | event | comment
01 | AV cleans MIMIKATZ & triggers alert in SOC | Bad guy forgot to disable AV – no password on AV
02 | SecOps investigates & sees login with a shared TECH ID from nearby workstation | Abuse of shared admin ID used by techs for break-fix
03 | Investigate workstation – login from unusual user |
04 | Investigate user – doesn’t typically even use a computer + weak password | Patient Zero unknown but most likely the user in #03 by way of a phishing victim
05 | Set up alerts for all suspicious IDs | Hackers going lateral
07 | See user’s ID connect to company SSL VPN “published desktop” and then touch several other internal workstations | No 2FA – No segmentation
08 | Source IP = VPN in China | Bad guy obfuscating true location – could be originating from anywhere in the world

INCIDENT TIMELINE CONT.

ref | event | comment
09 | Observed an IP from Shanghai “accidentally” connect for 30 sec before disconnecting, and then a new connection over VPN being established immediately | Bad OpSec!! We now know where you’re really coming from!
10 | Set up alerts for any connections from that VPN | Only fire 9-5 local time in Shanghai except on Chinese holidays
11 | See multiple connections using multiple IDs | Result of ID harvesting
12 | Monitor connections and video record desktop sessions | We now have training videos!
13 | Observe bad guy using MIMIKATZ to pull any cached creds – they just do this over and over | “C” team following script to build dbs of our IDs and passwords
14 | Observe for ~20 days & prepare |
15 | Over three nights – 2FA for VPN, password resets for over 40K users, patch all systems to current, deploy AEPP to 90% of all workstation and server assets |
16 | Bad guys kicked out... kind of |

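The alerting described in steps 10 and 11 (fire on any connection from the attacker's VPN egress, but only 9-5 Shanghai local time and not on Chinese holidays, then notice the same source logging in with many different IDs) can be written as a small detection rule. The Python below is an added example and is not part of the presentation or of any tool it names; the log line shape, the 203.0.113.0/24 egress range, the holiday set and the threshold of three distinct IDs are all constructed placeholders.

```python
"""Added example (not from the presentation): detection rules for timeline steps 10 and 11.

Rule 1: alert on any VPN login attempt from the suspected attacker egress range, but only
        during 09:00-17:00 Shanghai local time and not on a Chinese public holiday.
Rule 2: flag a source that logs in successfully with several distinct user IDs, the
        signature of the ID harvesting observed in step 11.
All addresses, holidays and log lines below are constructed placeholders.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
import re

# Hypothetical egress range of the VPN service the attacker used (TEST-NET-3, a
# documentation-only range; the deck does not give the real one).
SUSPECT_VPN_RANGES = [ip_network("203.0.113.0/24")]

# Shanghai is UTC+8 all year (no daylight saving), so a fixed offset is correct.
SHANGHAI_TZ = timezone(timedelta(hours=8))

# Constructed sample holiday set; in production this comes from a maintained calendar.
CHINA_HOLIDAYS = {date(2017, 5, 1), date(2017, 5, 29), date(2017, 5, 30)}

WORK_START_HOUR, WORK_END_HOUR = 9, 17  # "9-5 local time in Shanghai"

# Assumed (constructed) log line shape:
# "<ISO-8601 UTC timestamp> vpn-login user=<id> src=<ip> result=<success|failure>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn-login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log; comments give the Shanghai local time of each line.
SAMPLE_LOG = [
    "2017-05-03T02:30:00Z vpn-login user=jsmith src=203.0.113.17 result=success",       # 10:30
    "2017-05-03T14:00:00Z vpn-login user=jsmith src=203.0.113.17 result=success",       # 22:00, outside hours
    "2017-05-01T03:00:00Z vpn-login user=tech_shared src=203.0.113.17 result=success",  # 11:00 on a holiday
    "2017-05-03T02:45:00Z vpn-login user=tech_shared src=203.0.113.17 result=success",  # 10:45
    "2017-05-03T03:00:00Z vpn-login user=rlee src=203.0.113.17 result=success",         # 11:00
    "2017-05-03T03:10:00Z vpn-login user=alice src=198.51.100.5 result=success",        # not the suspect range
    "2017-05-03T03:20:00Z vpn-login user=mallory src=203.0.113.17 result=failure",      # 11:20, failed login
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the shape."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "user": m["user"], "src": ip_address(m["src"]), "result": m["result"]}


def from_suspect_vpn(src):
    """True if the source address falls inside a suspected attacker egress range."""
    return any(src in net for net in SUSPECT_VPN_RANGES)


def in_shanghai_business_hours(ts):
    """True during 09:00-17:00 Shanghai local time on a non-holiday (the step 10 condition)."""
    local = ts.astimezone(SHANGHAI_TZ)
    if local.date() in CHINA_HOLIDAYS:
        return False
    return WORK_START_HOUR <= local.hour < WORK_END_HOUR


def evaluate(lines, min_distinct_users=3):
    """Run both rules over an iterable of log lines and return the list of alerts raised."""
    alerts = []
    users_by_src = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None or not from_suspect_vpn(ev["src"]):
            continue
        # Rule 1: any connection attempt, successful or not, inside the attacker's working hours.
        if in_shanghai_business_hours(ev["ts"]):
            alerts.append({"rule": "suspect_vpn_business_hours", "user": ev["user"],
                           "src": str(ev["src"]), "ts": ev["ts"].isoformat()})
        # Only successful logins count toward harvesting; failed attempts are noise here.
        if ev["result"] == "success":
            users_by_src[ev["src"]].add(ev["user"])
    # Rule 2: one egress source presenting many distinct identities.
    for src, users in users_by_src.items():
        if len(users) >= min_distinct_users:
            alerts.append({"rule": "id_harvesting", "src": str(src), "users": sorted(users)})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(alert)
```

Run against the sample log, rule 1 fires four times (the holiday login and the 22:00 login are suppressed, the failed attempt still counts as a connection) and rule 2 fires once for 203.0.113.17 with jsmith, rlee and tech_shared. The holiday and working-hours gate is there to cut pager noise, not to decide what gets recorded: a quiet login from that range on a holiday is exactly what the "B" team in step 17 would try, so keep logging every match and apply the time filter only to the paging tier.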

INCIDENT TIMELINE CONT.

ref | event | comment
17 | AEPP alerts on PlugX RAT on insignificant, irrelevant and forgotten system | “B” team will have a back-door. Be ready & make sure asset inventory is up to date!
18 | Immediately shut down & analyze system | No way we would have seen the PlugX w/o Falcon
19 | Deploy forensic software to many servers |
20 | ID use of Service Account to go lateral | Disable interactive and network login for all Svc Accts.
21 | Continue to close doors w/ new visibility and authority to implement changes at will |
22 | Remove common tech ID on all workstations | Makes going lateral much more difficult

All said and done, this was about 60 days of all hands working in 24x7 shifts to address, and then another 90 to clean up.

While no data was lost, it's still very expensive.


Share your war story or…
