Cloudcamp Chicago Nov 2014 Fintech - Dwight Koop "East / West Chalkboard Talk"


Upload: cloudcamp-chicago

Post on 13-Jul-2015


TRANSCRIPT

Page 1: Cloudcamp Chicago Nov 2014 Fintech - Dwight Koop "East / West Chalkboard Talk"

“The East / West Problem”

Dwight Koop, COO at CohesiveFT

Tweet: @dwightkoop #cloudcamp @CloudCamp_CHI

Sponsored by

Hosted by

Page 2

The East / West Problem

Chicago Cloud Camp Chalk Talk

November 3, 2014 Dwight Koop

No CohesiveFT Logo Here!

Page 3

UNCLASSIFIED//FOUO

FBI FLASH

TLP:GREEN

FBI Liaison Alert System #A-000042-MW

The following information was obtained through FBI investigations and is provided in accordance with the FBI's mission and policies to prevent and protect against federal crimes and threats to the national security.

This FLASH has been released TLP:GREEN: The information in this product is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share this information with peers and partner organizations within their sector or community, but not via publicly accessible channels.

There is no additional information available on this topic at this time.

SUMMARY

The FBI is providing the following information with HIGH confidence:

The FBI obtained information regarding a group of Chinese Government affiliated cyber actors who routinely steal high value information from US commercial and government networks through cyber espionage. These state-sponsored hackers are exceedingly stealthy and agile by comparison with the People's Liberation Army Unit 61398 ("APT1") whose activity was publicly disclosed and attributed by security researchers in February 2013. This Chinese Government affiliated group previously documented by private sector reports referencing Operation Deputy Dog, Operation Snowman, Operation Ephemeral Hydra, Hidden Lynx, and APT17, as well as Bit9 and Google security alerts has heavily targeted the high tech information technology industry including microchip, digital storage and networking equipment manufacturers, as well as defense contractors in multiple countries and multinational corporations. These actors have deployed at least four zero-day exploits in the attacks which compromised legitimate websites to deliver malicious payloads. Any activity related to this group detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.

TECHNICAL DETAILS

The FBI is providing the following information with HIGH confidence:

This group uses some custom tools that should be immediately flagged if detected, reported to FBI CYWATCH, and given highest priority for enhanced mitigation. The presence of such tools is typically part of a comprehensive, multifaceted effort to maintain persistent network access and exfiltrate data. The custom tools used by this group are as follows:

Axiom Threat Group

October 15, 2014

Chinese Government Hackers

Sophistication moving “LATERALLY”

once inside … they go undetected

Page 4

SEC OCIE Softball (Office of Compliance Inspections and Examinations)

Cybersecurity Exam Question 10 - Networks

Unauthorized Lateral Movement

Business Function Isolation

Separate Dev/Test/Prod/DR

Incident Response Logs

Page 5

Let’s Just Assume They’re Inside Already

JPMC - 2 Months

Neiman Marcus - 5 Months

Home Depot - 5 Months

Goodwill - 18 Months

SAAB - No Comment

Mexico President’s Office - 2 years

Wall Street Security Gaps, New York Times, 10/21/2014

Source…

Page 6

Walls vs. Windows

[Diagram: the same stack drawn from two sides. Panel titles: VMware’s View and CISCO’s View. Labels: Network, Hardware, Virtualization, VM VM VM VM, Network, NIC NIC NIC NIC.]

Page 7

“VMs sure talk a Lot”

[Diagram: compass labelled WEST, EAST, NORTH, SOUTH]

80% of Data Center Traffic Is E-W. Martin Casado, VMW

80% of Security Spend Is N-S. Martin Casado, VMW

Page 8

Not just a bunch of VMs

Currencies application stack: WEB Tier, APP Tier, DB Tier, APIs, Message Queues, ETLs

BONDS application stack: WEB Tier, APP Tier, DB Tier, APIs, Message Queues, ETLs

Page 9

Who Knows Each App Best?

Page 10

Who Knows Each App Best?

DevOps - Meet - DevSec