Lessons Learned from Avid Life Media · 19/11/2015
TRANSCRIPT
![Page 1: Lessons Learned from Avid Life Media€¦ · 19/11/2015 · SecCon 02 SecCon 03 SecCon 04 SecCon 05. SecCon 05 SecCon 04 SecCon 03 ... Avid Life Media -Key Metric Summary (All Properties)](https://reader033.vdocument.in/reader033/viewer/2022051912/6002c7916c5642011e4e7f31/html5/thumbnails/1.jpg)
Lessons Learned from Avid Life Media
Rob Davis, CISSP
Founder – Critical Start
CEO – Advanced Threat Analytics
214-674-1748
Page 2
© 2015 Advanced Threat Analytics LLC
Things we all know already… but I am gonna say anyways
• Attacks are up
• Defense is down
• There are more vulnerabilities every year than the year before
• We’re still getting breached
• The media loves to talk about
• We’re tired of them talking about it
Page 3
The normal response to this information…
Page 4
Vendors that provide a bullet-proof solution…
This slide is intentionally blank
Page 5
No such thing
Page 6
Page 7
The Elephant in the Room
Page 8
Corporate Alignment to Strategy to Mitigate Cybersecurity Risk
[Diagram: inputs People, Money, Time; dimensions Business Impact, Risk Tolerance, Threat Landscape; security condition levels SecCon 01 through SecCon 05]
Page 9
Security condition levels, SecCon 05 through SecCon 01:
Operational – Operational security; minimal resources and budget allocated.
Industry Average – Use security practices that are typical for a given peer group and industry. Higher risk tolerance.
Industry Best Practice – Use security practices that are best practice for their industry. Lower risk tolerance.
Advanced – Goal is to detect and effectively respond to sophisticated, targeted cyber attacks.
Compliance – Security is an outcome of compliance.
Page 10
• Stored information in clear readable text
• Easily guessed passwords
• Did not limit access between networks
• Unable to identify the source of cybersecurity attack
• Failed to adequately restrict access of third-party vendors to its network and servers
• Failed to employ “reasonable measures to detect and prevent unauthorized access” to its computer network or to “conduct security investigations”
• Did not follow “proper incident response procedures”
Page 11
FTC Chairwoman Edith Ramirez said in a statement that the decision “reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
Page 13
Avid Life Media - Key Metric Summary (All Properties)

| Metric | 2013 | 2014 | Change |
|---|---|---|---|
| Visits | 700,871,661 | 2,333,210,131 | +233% |
| Unique Visitors | 519,543,630 | 1,878,447,802 | +271% |
| Signups | 7,146,172 | 9,726,537 | +36% |
| Purchasing Members | 1,913,521 | 2,562,425 | +34% |
| Credits Used | 120,284,398 | 173,226,994 | +44% |

| Metric (US $ millions) | 2013 | 2014 | Change |
|---|---|---|---|
| Revenue (GAAP) | $78 | $114 | +46% |
| EBITDA (Cash) | $34 | $55 | +61% |
[Chart: Monthly Bookings, 6/1/01 through 10/1/14; y-axis $0 to $12,000,000]
Page 14
Internal Document Around Areas of Concern
• Legal/Compliance
– A programming bug or oversight leading us to lose our regulatory compliance status (storing sensitive authentication data, storing unencrypted credit card number, divulging PII)
– A data leak resulting in a class action lawsuit against us.
• Data leak/theft issues
– Internal users being infected with malware/viruses allowing hackers access to our user data.
– web app remote code exploit in our codebase resulting in a man-in-the-middle attack where a hacker gains access to our customer's billing/credit card information.
• System integrity
– web app SQL injection resulting in alteration of user data
– Application code bug exploited to alter code and introduce malicious payload delivered to our customers
• Disclosure
– Bad actor creating accounts on our sites, crawling search results and finding a method of correlating our users to their private lives (facial recognition, image metadata location coordinates, etc…)
– Internal bad actor stealing customer data and exposing it in social media/blackmailing
– Internal bad actor using a known/shared password to access customer data
– A hacker/bad actor at New Relic gaining access to our customer data.
– Third party billing partner getting hacked, exposing our customer list.
Page 15
Page 16
Page 17
Administrative Passwords to Production Domain
Page 18
Passwords to Production Domain
Page 19
Passwords to Employee Domain
Page 20
Passwords to Employee Domain
Page 21
Beware of QA Systems, Default Passwords
Page 22
Breach Doesn’t Mean Loss of Information
Microsoft has published a comprehensive whitepaper that contains mitigations and guidance called “Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques.”
NSA has a fantastic document on Windows Event log collection including a section on detecting PtH from log data.
LAPS tool from Microsoft: https://technet.microsoft.com/en-us/library/security/3062591.aspx
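The NSA log-collection guidance referenced on this slide covers spotting PtH from 4624 logon records. The block below is an added example, not code from the deck, Microsoft or NSA: it applies the commonly cited single-event indicators as a heuristic (a type 3 network logon authenticated with NTLM through NtLmSsp with key length 0, by a real account rather than ANONYMOUS LOGON or a machine account) and then flags an account whose logons of that shape reach several distinct hosts inside a short window, which is what lateral movement with a stolen hash looks like in the logs. The indicator set, the thresholds (3 hosts in 10 minutes) and every event record are assumptions constructed for the example; the field names mirror the 4624 event XML.

```python
"""Heuristic pass-the-hash triage over Windows security event 4624 records.

Added example. The indicator set is an assumption distilled from public
PtH-detection guidance, not a specification, and every event below is
constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def logon(when, user, domain, logon_type, auth_pkg, logon_proc, key_len, computer):
    """Build a 4624 record using the field names from the event XML."""
    return {"EventID": 4624, "TimeCreated": when, "TargetUserName": user,
            "TargetDomainName": domain, "LogonType": logon_type,
            "AuthenticationPackageName": auth_pkg, "LogonProcessName": logon_proc,
            "KeyLength": key_len, "Computer": computer}


# Constructed sample: one service account fans out over NTLM to four hosts in
# six minutes, mixed with benign NTLM, Kerberos, anonymous, machine-account and
# interactive logons that the heuristic must leave alone.
SAMPLE_EVENTS = [
    logon("2015-11-19T09:00:05", "svc_backup", "CORP", 3, "NTLM", "NtLmSsp", 0, "FILE01.corp.local"),
    logon("2015-11-19T09:00:40", "alice", "CORP", 3, "NTLM", "NtLmSsp", 0, "FILE01.corp.local"),
    logon("2015-11-19T09:01:12", "svc_backup", "CORP", 3, "NTLM", "NtLmSsp", 0, "FILE02.corp.local"),
    logon("2015-11-19T09:01:30", "bob", "CORP", 3, "Kerberos", "Kerberos", 0, "FILE01.corp.local"),
    logon("2015-11-19T09:02:00", "ANONYMOUS LOGON", "NT AUTHORITY", 3, "NTLM", "NtLmSsp", 0, "FILE01.corp.local"),
    logon("2015-11-19T09:03:47", "svc_backup", "CORP", 3, "NTLM", "NtLmSsp", 0, "DC01.corp.local"),
    logon("2015-11-19T09:04:10", "WKS09$", "CORP", 3, "NTLM", "NtLmSsp", 0, "FILE02.corp.local"),
    logon("2015-11-19T09:04:30", "bob", "CORP", 3, "Kerberos", "Kerberos", 0, "FILE02.corp.local"),
    logon("2015-11-19T09:05:58", "svc_backup", "CORP", 3, "NTLM", "NtLmSsp", 0, "WKS17.corp.local"),
    logon("2015-11-19T09:06:00", "bob", "CORP", 3, "Kerberos", "Kerberos", 0, "DC01.corp.local"),
    logon("2015-11-19T09:06:30", "ANONYMOUS LOGON", "NT AUTHORITY", 3, "NTLM", "NtLmSsp", 0, "FILE02.corp.local"),
    logon("2015-11-19T09:07:15", "alice", "CORP", 2, "Negotiate", "User32", 0, "WKS17.corp.local"),
]

PTH_WINDOW_MINUTES = 10   # assumed tuning values, adjust per environment
PTH_MIN_HOSTS = 3


def is_pth_style_logon(ev):
    """Single-event indicators: NTLM network logon by a real user account."""
    user = ev.get("TargetUserName", "")
    return (ev.get("EventID") == 4624
            and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("LogonProcessName") == "NtLmSsp"
            and ev.get("KeyLength", 0) == 0
            and user.upper() != "ANONYMOUS LOGON"
            and not user.endswith("$"))


def find_pth_candidates(events, window_minutes=PTH_WINDOW_MINUTES, min_hosts=PTH_MIN_HOSTS):
    """Return {(domain, user): sorted hosts} for accounts whose PtH-style
    logons reached at least `min_hosts` distinct computers within the window."""
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for ev in events:
        if is_pth_style_logon(ev):
            key = (ev["TargetDomainName"], ev["TargetUserName"])
            by_account[key].append((datetime.fromisoformat(ev["TimeCreated"]), ev["Computer"]))

    findings = {}
    for account, logons in by_account.items():
        logons.sort()
        # Anchor a window on each logon in turn and count the hosts it covers.
        for i, (start, _) in enumerate(logons):
            hosts = {host for when, host in logons[i:] if when - start <= window}
            if len(hosts) >= min_hosts:
                findings[account] = sorted(hosts)
                break
    return findings


if __name__ == "__main__":
    for (domain, user), hosts in find_pth_candidates(SAMPLE_EVENTS).items():
        print(f"{domain}\\{user}: NTLM network logons to {len(hosts)} hosts: {', '.join(hosts)}")
```

NTLM network logons are routine in many environments (shares opened by IP address, non-domain hosts, service accounts on legacy systems), so the per-account fan-out and an allowlist of known NTLM users are what keep this from paging on every file server; a type 9 logon on the suspected source host corroborates the finding. LAPS addresses the same problem from the other side: with a unique local administrator password per machine, a local-admin hash lifted from one host does not replay against the next.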
Page 23
Simple Example of Attempting to Trick Users
• Notice that by default, macros are usually disabled.
• The document tries to create a sense of urgency by falsely claiming that the file is protected with an RSA key and requires the user to “Enable Content”.
Page 24
Page 25
Simple Example of Attempting to Trick Users
After the user enables the macro, the malicious Word document displays different content so the user believes the document has been decrypted.
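The lure above only works because the attachment carries a VBA project. The following is an added example, not code from the deck or any product, showing the check a mail gateway or triage script can make before a user ever sees the “Enable Content” bar: an Office Open XML file is a zip package, a VBA project is stored as word/vbaProject.bin and declared in [Content_Types].xml with the content type application/vnd.ms-office.vbaProject, so inspecting the package rather than trusting the extension finds macros in .docm files and in a macro document renamed to .docx. Both documents it inspects are constructed in memory and are not real Word output.

```python
"""Flag Office Open XML documents that carry a VBA project.

Added example; the two packages built here are constructed stand-ins for
Word output, sufficient to exercise the content-type and part checks.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_MAIN_PART = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_PART = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
CT_XMLNS = "http://schemas.openxmlformats.org/package/2006/content-types"


def build_sample_package(with_macro):
    """Constructed minimal OOXML package (not produced by Word)."""
    main_type = MACRO_MAIN_PART if with_macro else PLAIN_MAIN_PART
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>']
    if with_macro:
        overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = (f'<Types xmlns="{CT_XMLNS}">'
                     '<Default Extension="xml" ContentType="application/xml"/>'
                     + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE compound-file magic plus padding stands in for a real VBA project stream.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def macro_indicators(data):
    """Inspect the package and report each macro indicator separately."""
    result = {"is_ooxml": False, "vba_part": False, "vba_content_type": False, "macro_main_part": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        # Indicator 1: the VBA project part itself is present.
        result["vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        # Indicators 2 and 3: the package declares VBA or macro-enabled content types.
        root = ET.fromstring(z.read("[Content_Types].xml"))
        declared = {el.get("ContentType") for el in root.iter()}
        result["vba_content_type"] = VBA_CONTENT_TYPE in declared
        result["macro_main_part"] = MACRO_MAIN_PART in declared
    return result


def classify(filename, data):
    """Verdict combining the package indicators with the claimed extension."""
    ind = macro_indicators(data)
    if not ind["is_ooxml"]:
        return "not an OOXML package"
    has_vba = ind["vba_part"] or ind["vba_content_type"] or ind["macro_main_part"]
    ext = filename.rsplit(".", 1)[-1].lower()
    if has_vba and ext in ("docx", "xlsx", "pptx"):
        return "macro document disguised with a non-macro extension"
    if has_vba:
        return "macro-enabled document"
    return "no VBA project"


if __name__ == "__main__":
    for name, doc in [("invoice.docm", build_sample_package(True)),
                      ("invoice.docx", build_sample_package(True)),
                      ("notes.docx", build_sample_package(False))]:
        print(f"{name}: {classify(name, doc)}")
```

Any one of the three indicators is enough to quarantine or sandbox the attachment; reporting them separately helps when a sample has been tampered with to defeat a single check. The renamed case is worth flagging whether or not Office would honor the macros, since a mismatch between extension and content type is itself evidence of manipulation. Legacy binary .doc files are OLE containers rather than zips and need a separate parser.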
Page 26
Alert via iPhone App, Email, or SMS Text
Page 27
From Alert to Investigation
Page 28
Incident Response – Isolate Host Immediately
Page 29
Incident Response – Real Time Investigation
The responder has a real time window into the isolated host – both on and off the corporate network.
Page 30
Investigation of Host
Page 31
Secondary Download – Uncategorized Traffic
http://anacornel.com/images/desene/united.exe
Page 32
ATA Alerts – Breach Detection
• ATA Alerts is a custom branded list of queries to detect activity consistent with malware infections, malicious credential usage, and attackers using credentials to move laterally.
• ATA Query Feed examples shown are:
o Attempts to add a user to a system from the command line
o Attempts to add users to a local group from the command line
o Instances of SVCHOST running in an incorrect user context
o Use of Sysinternals tools
o PSEXEC process on endpoints
Page 33
Tracking All Unsigned Processes with NW Connections
• Constant tuning is required for any proactive security system to reduce false positives. ATA Security Analysts constantly tune queries using custom analytics and processes.
• In this example, whitelisted executables are posted using the Threat Analytics Search Extension to the analysis process.
• After analysis, this whitelist information is sent to the Carbon Black server as a feed and also to the analytics system.
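The five query feed examples on the previous slide and the unsigned-process query on this one are the kind of logic that sits behind such alerts. The block below is an added example and not ATA’s or Carbon Black’s own queries: it runs equivalent rules over constructed process-creation records (field names are assumptions loosely modeled on Sysmon and 4688 data, with a signature flag and a network-connection flag joined in) and carries an allowlist of reviewed unsigned tools, which is the tuning step the slide describes. The allowlist entry and all events are constructed for the example.

```python
"""Endpoint detection queries over constructed process events.

Added example. The rules mirror the slide's query feed examples (add user /
add to local group from the command line, svchost in an unexpected context,
Sysinternals tools, PsExec) plus unsigned processes with network
connections, filtered by an allowlist. Field names, the allowlist and the
events are assumptions, not a vendor schema.
"""
import re

SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"}
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
SYSINTERNALS_IMAGES = {"procdump.exe", "procdump64.exe", "pslist.exe", "pskill.exe",
                       "psservice.exe", "sdelete.exe", "procexp.exe", "procexp64.exe"}
# Assumed allowlist of unsigned internal tools that analysts have reviewed.
UNSIGNED_ALLOWLIST = {"c:\\program files\\internal\\inventory.exe"}

# "net user NAME [PASSWORD] /add" and "net localgroup GROUP NAME /add", via net or net1.
ADD_USER = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.I)
ADD_LOCALGROUP = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+\S+\s+\S+\s+/add\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def svchost_wrong_context(ev):
    """svchost.exe belongs in System32 and runs only as a service account."""
    return (basename(ev["image"]) == "svchost.exe"
            and (ev["user"] not in SERVICE_ACCOUNTS
                 or not ev["image"].lower().startswith("c:\\windows\\system32\\")))


RULES = [
    ("add_user_cmdline", lambda ev: bool(ADD_USER.search(ev["cmdline"]))),
    ("add_localgroup_cmdline", lambda ev: bool(ADD_LOCALGROUP.search(ev["cmdline"]))),
    ("svchost_wrong_context", svchost_wrong_context),
    ("sysinternals_tool", lambda ev: basename(ev["image"]) in SYSINTERNALS_IMAGES),
    ("psexec_on_endpoint", lambda ev: basename(ev["image"]) in PSEXEC_IMAGES),
    ("unsigned_with_net_conn", lambda ev: not ev["signed"] and ev["net_conn"]
                                          and ev["image"].lower() not in UNSIGNED_ALLOWLIST),
]

# Constructed sample events: an account creation and group add, a fake svchost
# from a temp directory, an LSASS dump, the PsExec service on a DC, an unsigned
# dropper, an allowlisted unsigned tool, and two benign processes.
SAMPLE_EVENTS = [
    {"host": "WKS17", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net user backupadm P@ssw0rd! /add", "signed": True, "net_conn": False},
    {"host": "WKS17", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\net1.exe",
     "cmdline": "net1 localgroup administrators backupadm /add", "signed": True, "net_conn": False},
    {"host": "FILE02", "user": "CORP\\alice", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "signed": False, "net_conn": True},
    {"host": "FILE02", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "signed": True, "net_conn": True},
    {"host": "WKS17", "user": "CORP\\alice", "image": "C:\\Tools\\procdump64.exe",
     "cmdline": "procdump64.exe -ma lsass.exe lsass.dmp", "signed": True, "net_conn": False},
    {"host": "DC01", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe", "signed": True, "net_conn": True},
    {"host": "WKS17", "user": "CORP\\alice", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update_helper.exe",
     "cmdline": "update_helper.exe", "signed": False, "net_conn": True},
    {"host": "WKS17", "user": "CORP\\alice", "image": "C:\\Program Files\\Internal\\inventory.exe",
     "cmdline": "inventory.exe --report", "signed": False, "net_conn": True},
    {"host": "WKS17", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt", "signed": True, "net_conn": False},
]


def run_queries(events, rules=RULES):
    """Return (rule, host, user, image) for every rule each event trips."""
    hits = []
    for ev in events:
        for name, match in rules:
            if match(ev):
                hits.append((name, ev["host"], ev["user"], ev["image"]))
    return hits


def summarize(hits):
    """Count hits per rule, the view an analyst tunes against."""
    counts = {}
    for name, *_ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, host, user, image in run_queries(SAMPLE_EVENTS):
        print(f"{rule:24} {host:7} {user:26} {image}")
```

The allowlist is keyed on the full path so that an attacker cannot earn a pass by reusing an allowlisted file name from a temp directory; in practice a hash or signer identity is the better key once the feed is fed back from the analysis step. The command-line rules are deliberately narrow (they miss `net user` invoked through PowerShell aliases or WMI), which is the trade-off the slide's note about constant tuning refers to.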
Page 34
Lessons Learned from Avid Life Media
• Configuration and good security practices are critical for Active Directory security
– Use proper segmentation and privileged account control
– Don’t mix regular and administrative accounts
– Disable or protect local administrative accounts
– Log privileged account successes and failures
• Initial breach is still overwhelmingly caused by exploits and malware missed by anti-virus – AV is dead, so don’t depend on it to protect against malware
• Don’t depend on IDS/IPS/Firewall to detect a breach – use next generation tools that use machine learning/statistics to detect breaches
• DO NOT USE PASSWORDS FOR REMOTE ACCESS
• From the FTC lawsuit against Wyndham, these items increase your liability:
– Easily guessed passwords
– Did not limit access between networks
– Unable to identify the source of cybersecurity attack
– Failure to adequately restrict access of third-party vendors to network and servers
– Failed to employ “reasonable measures to detect and prevent unauthorized access”
– Did not follow “proper incident response procedures”
Page 35
www.advancedthreatanalytics.com
6860 North Dallas Pkwy, Suite 200 | Plano, TX | 75024