monthly cyber threat briefing - hitrust · 2015-10-12 · © 2015 hitrust, frisco, tx. all rights...
TRANSCRIPT
Monthly Cyber Threat Briefing February 2015
2 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net
Revised Format
• Based on feedback
• Goal is to make the information more useful and usable
• Purpose:
– Provide situational awareness of current and emerging cyber threats relevant to healthcare organizations
– Provide insights into threat actors including motives and methods
– Provide insights into information security product effectiveness
– Share metrics on the effectiveness of information sharing across the industry and compared to other industries
– Share lessons learned and best practices
Revised Format
• Situational awareness
– Emerging cyber threats and associated vulnerabilities
– Information security product effectiveness
– Threat actors and their motives
• Retrospective review
– What cyber threats are being seen in healthcare
– How effectively are we information sharing in industry and across industries
Revised Format
• Information Security Controls
– What CSF controls relate to current and emerging cyber risks
• Education
– Best practices
– Lessons learned
– CISO perspectives
• Need feedback
Presenters
• Daniel Nutkis - CEO, HITRUST
• Dennis Palmer - Senior Security Analyst, HITRUST
• Colby DeRodeff - Chief Strategy Officer, ThreatStream
• Adam Meyers - VP – Threat Intelligence, CrowdStrike
• Bob Walder - President & CTO, NSS Labs, Inc.
• Mike Backherms – Senior Analyst, US CERT / Department of Homeland Security
• Wesley Snell Jr. - Director, Computer Security Incident Response Center (CSIRC), U.S. Department of Health and Human
Threat Capabilities Report
Flash, Silverlight, and Internet Explorer are widely used applications that were targeted in February 2015 as seen by NSS Labs
– Exploit techniques discovered in November 2014 made it considerably easier to write exploits against them
– Source code and backend data for the Rig exploit kit was leaked online during the month of February
Data from February 2015 - NSS Labs
Targeted Applications and Operating Systems
[matrix of targeted application versions against operating systems; the per-cell markers were not preserved]
Operating systems (columns): Windows 7, Windows 7 SP1, Windows 8, Windows 8.1, Windows Vista SP1, Windows XP SP3
Applications (rows): Adobe Flash Player 11.4, Adobe Flash Player 13, Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, Internet Explorer 11, Silverlight 4.0.6, Silverlight 5
Data from February 2015 - NSS Labs
Top Command and Control Hosting by Geo
[matrix of hosting country against callback port; the per-cell markers were not preserved]
Countries (rows): China, Hong Kong, Poland, Taiwan, United States
Callback ports (columns): 80, 81, 2014, 3204, 8888, 5555, 5895, 5682, 1113, 6311
Commonly used command and control server locations in combination with 10 commonly used callback ports
Data from February 2015 - NSS Labs
Rig Exploit Kit Exploit Capabilities
• Java • Silverlight • Internet Explorer • Flash
Successful Exploits Per Operating System
Exploit Count Operating System % Distribution
2729 Windows 7 39.7%
1483 Windows 8.1 21.6%
891 Unknown 12.9%
857 Windows XP 12.5%
549 Windows Vista 8.0%
169 Windows 8 2.5%
93 Windows Server 2003 1.4%
90 Windows 2000 1.3%
20 Windows 98 0.3%
NSS Labs
Rig Exploit Kit Exploits by Browser
Exploit Count Browser % Distribution
2988 MSIE 11.0 43.5%
1198 MSIE 8.0 17.4%
795 Unknown 11.6%
766 MSIE 9.0 11.1%
656 MSIE 7.0 9.5%
430 MSIE 10.0 6.3%
40 MSIE 6.0 0.6%
Exploits by Country
Exploit Count CountryCode % Distribution
3849 IT 55.9%
2118 US 30.8%
211 XX 3.1%
131 SG 1.9%
81 CA 1.2%
49 CZ 0.7%
39 AU 0.6%
37 FR 0.5%
NSS Labs
Trending
Compromised Credentials
– Currently Tracking 1.12 Million
– Action:
• Customized alerting
• Forcing password changes
• Monitoring access
Trending
Suspicious Domain Registrations
– Currently Tracking 226 new in last 3 weeks
– Action:
• Blocking at proxy / firewall
• Takedown
• Sinkhole for research purposes
Dropper tools dropping basic Backdoors / RATs – PlugX, Poison Ivy
Example Suspicious Domain Registrations
(company)real.net
Registrant Name: Kenji Hiraiwa
Registrant Organization: GMO DigiRock, Inc.
Registrant Street1: 3-1 Ofuka-cho
(company)solutions.com
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com
(company)401k.com
Registrant Name: Jeremy Rettich
Registrant Street: 2111 Allendale Place
Registrant City: Nolensville
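The registrations above share a shape a defender can screen for automatically: the organization's name with a plausible suffix appended (real, solutions, 401k), a doubled letter as in the myhealthcareee.com lure later in the deck, or a one-character typo, often behind a privacy-shielded registrant. The following is an added example, not code from the briefing or from any of the presenting vendors; the brand label acmehealth, the suffix list, the privacy-registrant list and every entry in the sample feed are constructed so it runs offline against a new-registration feed of the kind the Trending slide describes.

```python
"""Screen new domain registrations for lookalikes of a protected brand.

Added example, not part of the HITRUST briefing: the brand name, the
suffix list, the privacy-registrant list and the sample feed are all
constructed to mirror the patterns the deck shows ((company)real.net,
(company)solutions.com, (company)401k.com, myhealthcareee.com).
"""
import re
from dataclasses import dataclass

BRAND = "acmehealth"                                  # constructed brand label
OWN_DOMAINS = {"acmehealth.com", "acmehealth.net"}    # constructed legitimate domains
# Suffixes seen appended to a brand in impersonation registrations (assumption).
SUSPICIOUS_SUFFIXES = {"real", "solutions", "401k", "login", "portal", "benefits"}
# Registrant names that indicate a privacy shield (as on the deck's second example).
PRIVACY_REGISTRANTS = {"registration private", "domains by proxy, llc"}


@dataclass
class Registration:
    domain: str
    registrant_name: str
    registrant_org: str


def _sld(domain: str) -> str:
    """Second-level label, lowercased: 'MyHealthCareee.COM' -> 'myhealthcareee'."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def _squeeze(s: str) -> str:
    """Collapse runs of a repeated letter: 'careee' -> 'care'."""
    return re.sub(r"(.)\1+", r"\1", s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(reg: Registration) -> list:
    """Reasons a registration looks like brand impersonation; [] if it looks benign."""
    if reg.domain.lower() in OWN_DOMAINS:
        return []
    sld = _sld(reg.domain)
    reasons = []
    if sld != BRAND and _squeeze(sld) == _squeeze(BRAND):
        reasons.append("repeated-letter")
    if sld != BRAND and levenshtein(sld, BRAND) <= 1:
        reasons.append("edit-distance-1")
    if not reasons:
        if sld == BRAND:
            reasons.append("brand-on-unowned-tld")
        elif sld.startswith(BRAND) and sld[len(BRAND):] in SUSPICIOUS_SUFFIXES:
            reasons.append("brand+suffix")
        elif BRAND in sld:
            reasons.append("brand-embedded")
    if reasons and reg.registrant_name.lower() in PRIVACY_REGISTRANTS:
        reasons.append("privacy-shielded-registrant")
    return reasons


def screen(feed) -> dict:
    """Map each flagged domain in a registration feed to its reasons."""
    return {r.domain: classify(r) for r in feed if classify(r)}


SAMPLE_FEED = [  # constructed registrations, not real WHOIS data
    Registration("acmehealthreal.net", "Constructed Registrant", "Example Registrar"),
    Registration("acmehealthsolutions.com", "Registration Private", "Domains By Proxy, LLC"),
    Registration("acmehealth401k.com", "Constructed Registrant", ""),
    Registration("acmehealthh.com", "Registration Private", "Domains By Proxy, LLC"),
    Registration("acmehealth.com", "Acme Health (constructed)", "Acme Health (constructed)"),
    Registration("unrelatedclinic.org", "Constructed Registrant", ""),
]

if __name__ == "__main__":
    for domain, reasons in screen(SAMPLE_FEED).items():
        print(domain, "->", ", ".join(reasons))
```

Near-identical names (doubled letter, one edit away) are reported on their own so they are not also counted as "brand-embedded"; the privacy-shield reason is only attached once another reason fires, since privacy registration by itself is common and legitimate. Flagged domains feed the actions the slide lists: proxy/firewall blocking, takedown requests, or sinkholing.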
Threat Anatomy Mapping to the Cyber Kill Chain
Threat Anatomy—Current Example: Weaponization and Delivery
– Fake site set up, like myhealthcareee.com or in the style of Citrix remote management
– Site looks legit
Threat Anatomy—Current Example: Delivery
– Internal users targeted
• LinkedIn is a powerful tool
• Phishing emails sent
Threat Anatomy—Current Example: Exploit / Installation
• Drop tools on website – collect logins
• Credentials compromised / user machine compromised
• Can now interact to drop additional targeted code
Threat Anatomy—Current Example: Command and Control
• Admin tools to hide
• Domain credentials
• Internal recon
• Lateral movement to medical records
Actions
• Data exfiltration
• Common methods – SCP, FTP, SFTP, HTTP upload
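The exfiltration channels listed here (FTP, SCP/SFTP, HTTP upload) are all ordinary services, so a detection has to key on volume and direction rather than on the protocol alone. The block below is an added example, not from the briefing: it aggregates outbound bytes per internal host and channel from flow records and alerts when a host exceeds both an absolute floor and a multiple of its own normal daily egress, so a backup server with a large baseline does not trip the same rule a workstation does. The internal range, the flow records, the baseline figures and the thresholds are all constructed.

```python
"""Flag bulk outbound transfers over the channels the briefing names
(FTP on 21, SCP/SFTP on 22, HTTP/HTTPS upload on 80/443).

Added example, not from the HITRUST briefing: the flow records, the
internal address space, the per-host baselines and the thresholds are
all constructed; only the channel list comes from the deck.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # constructed internal range
EXFIL_CHANNELS = {21: "ftp", 22: "scp/sftp", 80: "http-upload", 443: "https-upload"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent from src to dst


def parse_flows(lines):
    """Parse constructed 'src dst dport bytes_out' records into Flow objects."""
    flows = []
    for line in lines:
        src, dst, dport, sent = line.split()
        flows.append(Flow(src, dst, int(dport), int(sent)))
    return flows


def egress_by_host(flows):
    """Sum bytes each internal host sent to external hosts, per channel."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if src in INTERNAL and dst not in INTERNAL and f.dport in EXFIL_CHANNELS:
            totals[f.src][EXFIL_CHANNELS[f.dport]] += f.bytes_out
    return totals


def flag_exfil(flows, baseline, factor=10, floor=50_000_000):
    """Hosts whose egress on a channel is above an absolute floor and also
    more than `factor` times their normal daily egress (baseline in bytes)."""
    alerts = []
    for host, per_channel in egress_by_host(flows).items():
        for channel, sent in per_channel.items():
            if sent >= floor and sent > factor * baseline.get(host, 0):
                alerts.append((host, channel, sent))
    return sorted(alerts)


# Constructed daily egress baseline per host: a workstation and a backup server.
BASELINE = {"10.1.4.22": 2_000_000, "10.1.9.10": 500_000_000}

SAMPLE_FLOWS = [  # constructed: src dst dport bytes_out
    "10.1.4.22 203.0.113.50 22 600000000",    # workstation pushing 600 MB over SCP/SFTP
    "10.1.4.22 203.0.113.50 443 120000",      # browsing-sized upload, below floor
    "10.1.9.10 198.51.100.20 443 900000000",  # backup server, within 2x its baseline
    "10.1.4.23 203.0.113.51 80 100000",       # small HTTP upload, below floor
    "10.1.4.24 10.1.4.25 22 900000000",       # internal copy, not egress
]

if __name__ == "__main__":
    for host, channel, sent in flag_exfil(parse_flows(SAMPLE_FLOWS), BASELINE):
        print(f"{host} sent {sent:,} bytes via {channel}")
```

Hosts absent from the baseline are treated as having zero normal egress, so any transfer over the floor from an unknown host is reported; in practice the baseline would be learned from prior days of the same flow data.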
Threat Actor Analysis - Deep Panda
• Discussion on motives and methods
CozyCar Malware Activity
• Public sector targeting with activity dating to mid-2014
• Spear-phishing used as primary means of delivery
• Malware improvements most likely to overcome detection – even use of Twitter for additional commands
• Message lures change in each campaign—most recently focus on finance and economics
Malicious Websites:
§ fese[]eu
§ doa.la[]gov
§ europeanissuers[]eu
§ diplomacy[]pl
§ frontrage360[]com
§ courtnotify.elpasotexas[]gov
§ sanjosemaristas[]com
Source: HHS
CSF Controls Related to Threats
• CSF Control for Compromised Credentials
– Control Reference: 01.d User Password Management
• Control Text: All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user.
• Implementation requirement: Passwords should be confidential, passwords should be changed under indication of compromise, passwords should not be reused, passwords should not be shared or provided to anyone.
– Control Reference: 01.j User Authentication for External Connections
• Control Text: Appropriate authentication methods shall be used to control access by remote users.
• Implementation requirement: Remote users shall be authenticated by use of a password/passphrase and at least one of the following: Certificate, Challenge/Response, Software Token, Hardware Token, Cryptographic or Biometric Technique
CSF Controls Related to Threats
• CSF Control for Suspicious Domain Registrations
– Control Reference: 01.i Policy on the Use of Network Services
• Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.
• Implementation requirement: The organization shall specify the networks and network services to which users are authorized access.
– Control Reference: 01.m Segregation in Networks
• Control Text: Groups of information services, users, and information systems should be segregated on networks.
• Implementation Requirement: Security gateways (e.g. a firewall) shall be used between the internal network, external networks (Internet and 3rd party networks), and any demilitarized zone (DMZ).
CSF Controls Related to Threats
• CSF Control for Dropper tools dropping basic Backdoors / RATs
– Control Reference: 09.j Controls Against Malicious Code
• Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.
• Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.
Making Intelligence Actionable
• Cyber Threat Exchange for Healthcare
• Enables actionable intelligence
• Cross Industry Collaboration
• Proactive detection of new threats
Components of a Collaboration Platform
[flow diagram; stages listed in the order shown]
Legacy Process
– Threat Team: Threat Intel Collected → Manual Analysis → Upload to internal site
– OPS Team: Retrieval of Threat Intel → Manual load to SIEM → Analysis and feedback to Threat Team
Automated Process
– Threat Team: Threat Intel Collected → Data: Pre-Process / Format → Upload to OPTIC
– Pre Process, Aggregate, Analyze, Analyst Feedback and Collaboration → Security Infrastructure → Alert Analysis
48% cite reduction in incidents through early prevention due to CTI − SANS CTI Survey
Information Sharing and Collaboration
• Provides Situational Awareness and context across organizational and geographical boundaries
• Force multiplier – leverage your peers
• Data Classifications Rules
• TLP Protocol
• Automated distribution
• Platform Agnostic
I want to collaborate, but what do I share? Let's start with what can actually be shared:
EXTERNAL DATA:
– Email addresses
– File hashes (MD5 / SHA256)
– Domain names
– URLs
– User agents
Now what use cases? • What do you see in the SOC?
– Phishing campaigns
– Suspicious / scanning / brute-force login IPs
– Logins from hosting providers
– Malware outbreaks – file MD5s
You're Not Alone – Collaboration is a Force Multiplier
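The two halves of this slide, the external data types a peer can share and the SOC use cases that consume them, meet in a small amount of matching code. The block below is an added example, not code from the briefing or from the Cyber Threat Xchange platform; it matches shared domain, file-hash and user-agent indicators (each carrying a TLP label, per the Information Sharing slide) against proxy log lines, detects brute-force login sources and logins from hosting-provider space in authentication logs, lists the accounts that succeeded from a brute-forcing source so they can be reset (the action the Compromised Credentials slide calls for), and packages the brute-forcing IPs as new shareable indicators. The indicators, TLP labels, hosting-provider range and every log line are constructed.

```python
"""Match community-shared indicators against local SOC logs and turn
local findings into shareable indicators.

Added example, not part of the HITRUST briefing or the Cyber Threat
Xchange platform: the indicators, TLP labels, hosting-provider ranges
and log lines are constructed; only the indicator kinds (domains, file
hashes, user agents, login IPs) and the use cases come from the deck.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Indicators as a peer might share them, each with a TLP label (constructed).
SHARED_INDICATORS = [
    {"type": "domain", "value": "acmehealthreal.net", "tlp": "AMBER"},
    {"type": "md5", "value": "0123456789abcdef0123456789abcdef", "tlp": "GREEN"},
    {"type": "user_agent", "value": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", "tlp": "GREEN"},
]
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24")]   # constructed provider range

PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')   # time client host md5 "ua"
AUTH_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")          # time user src_ip result


def match_proxy(lines):
    """[(line_no, indicator_type, tlp)] for each proxy line that hits a shared indicator."""
    lookup = defaultdict(dict)
    for ind in SHARED_INDICATORS:
        lookup[ind["type"]][ind["value"].lower()] = ind["tlp"]
    hits = []
    for n, line in enumerate(lines, 1):
        m = PROXY_RE.match(line)
        if not m:
            continue
        _ts, _client, host, md5, ua = m.groups()
        for itype, field in (("domain", host), ("md5", md5), ("user_agent", ua)):
            tlp = lookup[itype].get(field.lower())
            if tlp:
                hits.append((n, itype, tlp))
    return hits


def _auth_events(lines):
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            ts, user, ip, result = m.groups()
            yield datetime.fromisoformat(ts), user, ip, result


def detect_bruteforce(lines, threshold=5, window_s=60):
    """{src_ip: max failures inside any window_s-second window} for IPs reaching threshold."""
    fails = defaultdict(list)
    for ts, _user, ip, result in _auth_events(lines):
        if result == "FAIL":
            fails[ip].append(ts)
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged


def accounts_to_reset(lines, flagged_ips):
    """Users who later logged in successfully from a brute-forcing IP: treat as compromised."""
    return sorted({user for _ts, user, ip, result in _auth_events(lines)
                   if result == "OK" and ip in flagged_ips})


def hosting_logins(lines):
    """Successful logins sourced from hosting-provider address space."""
    return [(user, ip) for _ts, user, ip, result in _auth_events(lines)
            if result == "OK" and any(ipaddress.ip_address(ip) in net for net in HOSTING_RANGES)]


def to_shareable(flagged_ips, tlp="AMBER"):
    """Package brute-forcing IPs as indicators a peer could load into their own tooling."""
    return [{"type": "ip", "value": ip, "tlp": tlp} for ip in sorted(flagged_ips)]


PROXY_LOG = [  # constructed proxy lines
    '2015-02-10T09:01:02 10.1.4.22 acmehealthreal.net 0123456789abcdef0123456789abcdef "Mozilla/5.0 (Windows NT 6.1)"',
    '2015-02-10T09:03:15 10.1.4.23 update.example.org - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '2015-02-10T09:04:40 10.1.4.24 www.example.com - "Mozilla/5.0 (Windows NT 6.3)"',
]
AUTH_LOG = [  # constructed authentication lines
    "2015-02-10T22:00:01 jsmith 203.0.113.7 FAIL",
    "2015-02-10T22:00:09 jsmith 203.0.113.7 FAIL",
    "2015-02-10T22:00:17 admin 203.0.113.7 FAIL",
    "2015-02-10T22:00:25 admin 203.0.113.7 FAIL",
    "2015-02-10T22:00:33 jsmith 203.0.113.7 FAIL",
    "2015-02-10T22:00:41 jsmith 203.0.113.7 OK",
    "2015-02-10T22:03:00 ajones 198.51.100.5 OK",
    "2015-02-10T22:05:00 bwhite 10.1.4.30 FAIL",
    "2015-02-10T22:05:30 bwhite 10.1.4.30 OK",
]

if __name__ == "__main__":
    brute = detect_bruteforce(AUTH_LOG)
    print(match_proxy(PROXY_LOG), brute, accounts_to_reset(AUTH_LOG, brute))
    print(hosting_logins(AUTH_LOG), to_shareable(brute))
```

The TLP label travels with each hit so an analyst knows whether a match on an AMBER indicator may be discussed outside the organization; the outgoing indicators are labelled AMBER by default for the same reason. A single user failing twice from an internal address (bwhite) stays below the threshold and is not reported.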
Evolving research—not just IOCs
Research / Author → Community Review → Publish / Distribute → SIEM / Alerting
– Data Classification Applied
– Feedback, Collaboration, Validation
Collaboration in Action
• Threat Intelligence Packages Actively Being Submitted by Community (86 Public or Trusted Community Submissions)
https://hitrustctx.threatstream.com/tip/8
Collaboration in Action
https://hitrustctx.threatstream.com/tip/17
Collaboration in Action
https://hitrustctx.threatstream.com/tip/24
Additional Information
• Sign up for briefings and alerts
– www.hitrustalliance.net/cyberupdates/
• CyberRX 2.0 exercise information, or Spring 2014 exercise findings
– www.hitrustalliance.net/cyberrx/
• Cyber Threat Xchange (free subscription)
– hitrustalliance.net/ctx-registration/
Additional Information
• Additional content available at:
– https://hitrustalliance.net/content-spotlight/