“The East / West Problem”
Dwight Koop, COO at CohesiveFT. Tweet: @dwightkoop #cloudcamp
#cloudcamp @CloudCamp_CHI
The East / West Problem
Chicago Cloud Camp Chalk Talk
November 3, 2014 Dwight Koop
No CohesiveFT Logo Here!
UNCLASSIFIED//FOUO
FBI FLASH
TLP:GREEN
FBI Liaison Alert System #A-000042-MW
The following information was obtained through FBI investigations and is provided in accordance with
the FBI's mission and policies to prevent and protect against federal crimes and threats to the national
security.
This FLASH has been released TLP:GREEN: The information in this product is useful for the awareness of all
participating organizations as well as with peers within the broader community or sector. Recipients may share
this information with peers and partner organizations within their sector or community, but not via publicly
accessible channels.
There is no additional information available on this topic at this time.
SUMMARY
The FBI is providing the following information with HIGH confidence:
The FBI obtained information regarding a group of Chinese Government affiliated cyber actors who routinely
steal high value information from US commercial and government networks through cyber espionage. These
state-sponsored hackers are exceedingly stealthy and agile by comparison with the People's Liberation Army Unit
61398 ("APT1") whose activity was publicly disclosed and attributed by security researchers in February 2013.
This Chinese Government affiliated group previously documented by private sector reports referencing
Operation Deputy Dog, Operation Snowman, Operation Ephemeral Hydra, Hidden Lynx, and APT17, as well as
Bit9 and Google security alerts has heavily targeted the high tech information technology industry including
microchip, digital storage and networking equipment manufacturers, as well as defense contractors in multiple
countries and multinational corporations. These actors have deployed at least four zero-day exploits in the
attacks which compromised legitimate websites to deliver malicious payloads. Any activity related to this group
detected on a network should be considered an indication of a compromise requiring extensive mitigation and
contact with law enforcement.
TECHNICAL DETAILS
The FBI is providing the following information with HIGH confidence:
This group uses some custom tools that should be immediately flagged if detected, reported to FBI CYWATCH,
and given highest priority for enhanced mitigation. The presence of such tools is typically part of a
comprehensive, multifaceted effort to maintain persistent network access and exfiltrate data. The custom tools
used by this group are as follows:
Axiom Threat Group
October 15, 2014
Chinese Government Hackers
Sophistication moving “LATERALLY”
once inside … they go undetected
SEC OCIE Softball Office of Compliance Inspections and Examinations
Cybersecurity Exam Question 10 - Networks
Unauthorized Lateral Movement
Business Function Isolation
Separate Dev/Test/Prod/DR
Incident Response Logs
Let’s Just Assume They’re Inside Already
JPMC - 2 Months
Neiman Marcus - 5 Months
Home Depot - 5 Months
Goodwill - 18 Months
Wall Street Security Gaps, New York Times 10/21/2014
SAAB - No Comment
Mexico President’s Office - 2 Years
Source…
Walls vs. Windows
Network
Hardware
Virtualization
VM VM VM VM
Network
NIC NIC NIC NIC
VMware’s View
CISCO’s View
“VMs sure talk a Lot”
WEST EAST NORTH SOUTH
80% of Data Center Traffic Is E-W. Martín Casado, VMW
80% of Security Spend Is N-S. Martín Casado, VMW
Not just a bunch of VMs
WEB Tier
APP Tier
DB Tier
APIs
Mes. Q’s
ETLs
Currencies
WEB Tier
APP Tier
DB Tier
APIs
Mes. Q’s
ETLs
BONDS
Who Knows Each App Best?
DevOps - Meet - DevSec