• Medical Devices
• Medical Insurers
• Medical Labs
• Medical Retail
• Pharmaceutical
• Medical Providers
• $200 for every record: cost of the breach, downtime, reputational damage, litigation, business loss
• Highest cost per stolen record ($.50-$1.00) (extortion)
• Rise in opportunistic malware
• 80% of cybercrime is from organized crime gangs
• #1 most at-risk sector
• Make a statement
• Because they can / test
• Disruption
• Money
• Headlines
• Recognition
• Espionage
• Revenge
Breaches
• Equifax – 145.5 million – breach of the century
• Target – 70 million – 2013
• Yahoo – 500 million – 2014; 1 billion – 2016* (largest in history)
• Home Depot – 53+ million
• UC Davis – 15,000 – phishing
2018 Breaches Identified by ITRC as of 4/23/2018
• Total breaches: 319 (healthcare related: 93 – 29.2%, 2nd behind Business)
• Total records exposed: 11,285,403 (healthcare related: 980,136 – 8.7%)
• Business related: 8,414,651 – 74.6%
• Source: Identity Theft Resource Center, http://www.idtheftcenter.org
- WannaCry
- NotPetya
- CryptoLocker
- CryptoWall
- CryptoDefense
- TorrentLocker
- Darkleech
- Locky
- SamSam (HP)
http://www.marketwatch.com/story/short-seller-muddy-waters-renews-claims-of-st-jude-medical-cyber-vulnerabilities-2016-10-19
Ethical Short Sell?
Carson Block
• Ransomware worm
• 1 day: 230,000 computers, 153 countries
• Exploit of a Windows Server Message Block vulnerability known as EternalBlue, used by the NSA for offensive purposes
• @MalwareTech – Marcus Hutchins
• 327 payments totaling $130,634.77
• National Health Service hospitals in England and Scotland: 700,000 devices; turned away non-critical emergencies and diverted ambulances
• May-12-2017
*Symantec: https://www.symantec.com/connect/blogs/petya-ransomware-outbreak-here-s-what-you-need-know
Ukraine: thousands of infections (Symantec)
Malware – Exploit Kits: Dridex EK, Neutrino EK, Magnitude EK, Sweet Orange EK, Fiesta EK, Angler EK
Targets: Applications – Java, Flash, WordPress; Web Browsers – IE, Firefox, Chrome; Servers; Operating Systems
Vulnerability Scanning
• Port scans – open ports
• WordPress, Joomla, Java, Flash, OpenSSL
• Infrastructure: Building Automation, Industrial Control Systems, Programmable Logic Controllers
Zero Day and Other Vulnerabilities
OpenSSL/Heartbleed
• Old vulnerability
• Allows more data than allowed to be read
• Website vulnerability
• Banks took the rap unfairly
GNU Bash/Shellshock
• Old vulnerability (1994)
• Unix based: Linux, Apple Mac OS X
• Went public Wednesday 9/24
• Exploits and scanning seen almost immediately
• Krebs Online 2012-13
• Op Ababil
• Las Vegas – Gaming Industry
• Op Pharma
• DD4BC
• Mirai Botnet – DYN attack
• Op FunKill
• Court Notice
• Credential Resets
• Invoice/Statement
• Shipping themes: DHL, Fedex, UPS
• EZ Pass
• Bank phish – SWIFT transfer
• LinkedIn
• eFax
• Salesforce
• Reward themes
• Airlines
• WhatsApp – You’ve got a voicemail
BEC Types
• The Bogus Invoice Scheme
• CEO Fraud
• Account Compromise
• Attorney Impersonation
• Data Theft (major healthcare concern)
• Newest trend: computer intrusion – malicious links, remote access, ransomware
$5.3 billion globally since 2013 – IC3 FBI report
• Subject lines carry a sense of urgency, requiring immediate action, attempting to coerce the recipient to act quickly
• The top subject lines are: 1. Payment (18.9%) 2. Urgent (10.3%) 3. Request (8.6%)
• Goals of BEC scams: financial gain; exfiltrate sensitive data such as tax information
BEC Scams Succeeding Due to Social Engineering
Source: Internet Security Threat Report: Email Threats 2017
• What is typosquatting? Domains that look similar to the official domain of the emails they impersonate; often known as ‘cousin’ or ‘lookalike’ domains
• Other forms: use a different domain; add words to the domain
• Examples: Amce_inc.com instead of acme_inc.com; Symanlec.com instead of symantec.com; Acme_inc_sales.com instead of acme_inc.com
BEC Scammers Are Using Typosquatting to Trick Users
4,000 typosquatted domains for just 100 customers over 90 days
Source: Internet Security Threat Report: Email Threats 2017
• Malicious emails using social engineering in subject lines & message bodies to trick users
• The top themes are: 1. Billing or Invoices 2. Package Delivery 3. Scanned Documents
• Attackers using downloaders to deliver malware. Why?
- Downloading a payload separately helps evade email security
- C&C server can send localized payloads, or no payload at all
- Easy to change the final payload in case of detection
Attackers Distributing Malicious Attachments Via Email
74% of malicious emails contained attachments
53% of attachments were scripts or Office files with macros
Source: Internet Security Threat Report: Email Threats 2017
Copyright 2017, Symantec Corporation
Building Malicious Email: Social Engineering
2017 Internet Security Threat Report | Volume 22
Business Email Compromise Scams Are Preying on Users
• Difficult to block: low-volume emails with generic content and no malicious code or links
• Large financial losses: a Belgian bank lost $76M due to Business Email Compromise
• Simple concept: email sent from the CEO requesting a large money transfer or sensitive data
Source: FBI Public Service Announcement, I-050417-PSA (May 4, 2017)
2400% increase in BEC attacks since 2015
Anatomy of a Business Email Compromise Scam
From: [email protected]
To: Finance, Accounting or HR user
Subject Line: Request
I need you to process a wire transfer today. Please confirm so that I can forward you the instructions.
Regards
Joe CEO
Chief Executive Officer
Sent from my iPad
• Impersonated user
• Simple subject line
• Urgent request
• Social engineering
• Impersonated domain
• Targeted user
• No attachment or link
Real World Example
Anatomy of a Targeted Phishing Attack
o The branding looks consistent (Google logo, shield logo)
o The email is addressed to the recipient (not “Dear Sir”)
o The English is not broken
http://bitly.com/gblgook
myaccount.google.com-securitysettingpage.tk
Anatomy of a Targeted Phishing Attack
o The login page looks identical to the actual login page (HTML was cloned)
o Once the user submits the username/password combination, it doesn’t matter what happens next
- Typically, the phishing page redirects users back to Google.com
Anatomy of a Targeted Phishing Attack
John needs to change his password immediately, and ensure that two-factor authentication is turned on his account.
He can go to this link: https://myaccount.google.com/security to do both. It is absolutely imperative that this be done ASAP.
This is a legitimate email.
TLP: WHITE
BEC: CEO Compromise
• From CEO or senior executive… by name
• To someone in the finance department… by name
• Advanced social engineering: sense of urgency; abrupt text normal for an email from a phone; proper language for the entity being emailed
Date:
FROM: CEO
TO: Finance Department
SUBJECT: Question
Are you available? Wire transfer needs to go out. Also what is the balance of General Funding Account? Let me know when you are ready. Reply as soon as possible.
Sent from my iPhone
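The indicators called out on the two BEC anatomy slides above (impersonated executive name, lookalike sender domain, urgent wire-transfer wording, "sent from my phone" signature, no link or attachment) can be turned into a simple triage score for incoming mail. This is an added example, not code from the presentation; the organisation domain acme_inc.com and the name Joe CEO are taken from the slides' own examples, and the sample message is constructed.

```python
import email
from email.utils import parseaddr

# Constructed assumptions: the organisation's real domain and its executives; the
# urgency words are the slides' top BEC subject lines plus the wire-transfer ask.
ORG_DOMAIN = "acme_inc.com"
EXECUTIVES = {"joe ceo"}
URGENT_WORDS = {"payment", "urgent", "request", "wire", "asap", "immediately"}
MOBILE_SIGS = ("sent from my iphone", "sent from my ipad")

def edit_distance(a, b):
    """Levenshtein distance; a small distance between domains suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    """Not our domain, but a typo of it or our name with extra words added."""
    domain = domain.lower()
    return domain != ORG_DOMAIN and (
        edit_distance(domain, ORG_DOMAIN) <= 2 or ORG_DOMAIN.split(".")[0] in domain)

def score_bec(raw_message):
    """Return (score, reasons) for a raw RFC 5322 message; one reason per indicator."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""   # plain-text body only
    words = set((msg.get("Subject", "") + " " + body).lower().split())
    checks = [
        (name.lower() in EXECUTIVES and domain != ORG_DOMAIN, "executive name on a non-corporate address"),
        (is_lookalike(domain), "sender domain is a lookalike of " + ORG_DOMAIN),
        (bool(URGENT_WORDS & words), "urgency or payment wording"),
        (any(s in body.lower() for s in MOBILE_SIGS), "phone signature excusing terse text"),
        (not msg.is_multipart() and "http" not in body.lower(), "no link or attachment for filters to scan"),
    ]
    reasons = [reason for hit, reason in checks if hit]
    return len(reasons), reasons

# Constructed sample modelled on the slides' CEO-compromise message.
SAMPLE_BEC = """From: "Joe CEO" <joe.ceo@amce_inc.com>
Subject: Question

Are you available? Wire transfer needs to go out. Reply as soon as possible.
Sent from my iPhone
"""
```

A score of 3 or more is a reasonable threshold for routing the message to a human reviewer rather than the finance inbox.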
BEC Scenario
• It’s Friday late afternoon and you receive an urgent email from the C-Suite. It looks like this…
Your Organization Has Been Hit By BEC!
• The Controller immediately prepares a payment to be made via wire transfer. The CEO has urgently asked for the payment and the Controller is eager to please…
• $500,000 is wired to an account in China.
Key Questions - What Are Your Next Steps?
• What do you do? Who do you call? Options for recovery of the wire?
• Would you stand up a crisis management team after BEC occurs? Who is on the team?
• If BEC does happen, do you report it? Even if it is a failed attempt?
• If you do report it, where do you go to do this? FBI, IC3, etc. Internally – Legal, Public Relations?
• If you are a part of NH-ISAC, do you report it to NH-ISAC?
• Will cyber insurance cover this situation?
Key Questions - Forensics
• Do you have somewhere to send suspicious emails for research?
• Do you keep log data… with timestamps?
• External email notification system (specific name?)
• Actually let LE send money to capture account data
• Do you have a third party provider… retainer?
Key Questions - Communications
• When the press gets hold of the story, what do you do?
• When do you tell your constituents/clients? Staff?
• Do you do any kind of awareness training for BEC? Spoofing email addresses, phishing training, exercises?
• Who do you feel is liable/held accountable when BEC occurs?
Best Practices for IT & IT Security
• Use strong email security to block email impersonation attempts
• Train your users to recognize BEC attacks through awareness & education
• Register and protect your email domains as well as typosquatted domains: leverage sender authentication for typosquatted domains and prohibit emails that use these domains via SPF hardfail and DMARC reject policies
• Flag external messages. Drawback: when every message is being flagged, users may stop paying attention to these alerts
• Use two-factor authentication for initiating wire transfers – or data
• Leverage DLP capabilities to prevent sensitive data from being shared over email with unauthorized users (i.e. W2 information sent to scammers)
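For the "register and protect typosquatted domains" item, the DNS side of the control can be audited mechanically: every domain the organisation owns, including parked lookalikes that never send mail, should publish an SPF record ending in -all and a DMARC record with p=reject. This is an added example, not the presenter's code; the TXT records below are constructed stand-ins for live DNS lookups and reuse the slides' lookalike domains, and the mailer host and report address are made up.

```python
import re

# Constructed stand-in for DNS TXT lookups (no network here). The lookalike
# domains are the slides' typosquatting examples; the mailer host is made up.
TXT_RECORDS = {
    "acme_inc.com": ["v=spf1 include:_spf.mailer.example -all"],
    "_dmarc.acme_inc.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@acme_inc.com"],
    "amce_inc.com": ["v=spf1 -all"],                   # parked lookalike, done right
    "_dmarc.amce_inc.com": ["v=DMARC1; p=reject"],
    "acme_inc_sales.com": ["v=spf1 ~all"],             # softfail still delivers spoofed mail
    "_dmarc.acme_inc_sales.com": ["v=DMARC1; p=none"], # monitor-only, rejects nothing
    "symanlec.com": [],                                # registered but no records at all
}

def spf_policy(domain):
    """Qualifier on the SPF 'all' term ('-', '~', '?', '+'), or None without SPF."""
    for txt in TXT_RECORDS.get(domain, []):
        if txt.startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt)
            return (m.group(1) or "+") if m else "?"   # no 'all' term: neutral by default
    return None

def dmarc_policy(domain):
    """Value of the DMARC p= tag, or None when no DMARC record is published."""
    for txt in TXT_RECORDS.get("_dmarc." + domain, []):
        if txt.startswith("v=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
            return tags.get("p")
    return None

def audit(domains):
    """Map each domain that falls short of SPF hardfail + DMARC reject to its issues."""
    findings = {}
    for d in domains:
        issues = []
        if spf_policy(d) != "-":
            issues.append("SPF record must end in -all (hardfail)")
        if dmarc_policy(d) != "reject":
            issues.append("DMARC record must set p=reject")
        if issues:
            findings[d] = issues
    return findings

def parked_records(domain):
    """TXT records to publish for a lookalike domain that must never send mail."""
    return {domain: "v=spf1 -all", "_dmarc." + domain: "v=DMARC1; p=reject"}
```

For a domain that actually sends mail, move to p=reject only after DMARC aggregate reports show that all legitimate senders pass SPF or DKIM alignment; parked lookalikes can go straight to the records returned by parked_records.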
Best Practices for Users
• Question any emails requesting actions that seem unusual… not normal procedures
• Do not reply to emails that seem suspicious. Obtain the sender’s address from the corporate address book and ask them about the message… verbally?
• Report suspicious or obviously bogus emails to the proper authorities
Wrap-Up Considerations - Prevention
• AV updated / firewall updated / email filtering
• Social engineering detection training
• Contacts with law enforcement, bank/financial institutions
• Flag external emails with a warning banner
• Policy for verifying and issuing transfers of data or monies
• Policy for reporting attempts
• Ask your cyber insurance provider
You are a target !
Edward Brennan – Operations [email protected]