Monthly Cyber Threat Briefing April 2015


Page 1: Monthly Cyber Threat Briefing - HITRUST · © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Monthly Cyber Threat Briefing April 2015

Page 2

Presenters

•  Dennis Palmer - Senior Security Analyst, HITRUST

•  Colby DeRodeff - Chief Strategy Officer, ThreatStream

•  Adam Meyers - VP – Threat Intelligence, CrowdStrike

•  Bob Walder - President & CTO, NSS Labs, Inc.

•  Len Bledsoe – Cyber Security Analyst, Computer Security Incident Response Center (CSIRC), U.S. Department of Health and Human

Page 3

Agenda

•  NSS Labs - Emerging and unknown exploits and product effectiveness

•  CrowdStrike - Threat Actors Overview

•  ThreatStream - Operationalizing and Leveraging CTX

•  Health and Human Services - Current Threat Dissection

•  HITRUST - CSF Controls related to ongoing threats

•  DHS/CERT - Trends and uncategorized indicators

•  Question and Answer session

Page 4

Threat Capabilities Report

•  Flash, Java, Silverlight, and Internet Explorer are widely used enterprise applications that were aggressively targeted in March.

•  The Angler exploit kit was the most prevalent exploit kit.

•  CryptoWall activity continued to surge

Data from February 2015 - NSS Labs

Page 5

Targeted Applications and Operating Systems

Data from March 2015 - NSS Labs

Application/OS Combination (columns: Windows 7 SP1, Windows 8, Windows Vista SP1, Windows XP SP3; each • marks a targeted application/OS combination)

Adobe Flash Player 11.4 •
Adobe Flash Player 13 • •
Internet Explorer 10 • • •
Internet Explorer 7 • • •
Internet Explorer 8 • • •
Internet Explorer 9 • • •
Java 6 Update 23 •
Java 7 •
Java 7 Update 2 •
Silverlight 4.0.6 • •
Silverlight 5 •

Page 6

Top Command and Control Hosting by Geo

Data from March 2015 - NSS Labs

Rank  Country
1     South Korea
2     China
3     United States
4     United Kingdom
5     Hong Kong
6     Russia
7     Germany
8     British Virgin Islands
9     Czech Republic
9     Spain

Page 7

C&C server locations & callback ports

10 commonly used command and control (C&C) server locations in combination with 10 commonly used callback ports

Data from March 2015 - NSS Labs

Country / Port (columns: 25, 80, 443, 2012, 8080, 1287, 5555, 2015, 1111, 7758; each • marks a callback port observed for that country)

China • • • • • • • • • •
France • •
Germany • •
Hong Kong • • •
Japan • •
Netherlands • •
South Korea •
Ukraine • •
United Kingdom •
United States • • •

Page 8

CAWS: All Threats for March

March 2015 - NSS Labs

Page 9

CAWS: Top Apps Targeted

March 2015 - NSS Labs

Page 10

Are you protected?

CAWS/InSight NGFW Devices: March 2015 - NSS Labs

Page 11

NGIPS Group Test: 6 products (anonymized) and security effectiveness (live threats from CAWS)

NGIPS 2015 - NSS Labs

[Chart: Live Exploits Blocked per product, 0% to 100% scale; plotted values 99.5%, 98.5%, 74.7%, 94.6%, 94.6%, 100.0%]

Page 12

Page 13

Page 14

Trends Targeting Healthcare

•  Proprietary Medical technology/design information

•  Pharmaceutical Intellectual Property

•  Sensitive information on designated VIP patients

•  Broad collection to facilitate targeting of individuals

•  Monetization of PII

Page 15

Deep Panda IOCs

Page 16

Deep Panda IOCs

Page 17

Making Intelligence Actionable

•   Cyber Threat Exchange for Healthcare

•   Enables actionable intelligence

•   Cross Industry Collaboration

•   Proactive detection of new threats

•   Security Infrastructure Integration

Page 18

I want to collaborate, but what do I share?

Let's start with what can actually be shared (external data):

•   Email addresses

•   File hashes (MD5 / SHA256)

•   Domain names

•   URLs

•   User agents

Now what use cases? What do you see in the SOC?

–   Phishing Campaigns

–   Suspicious / Scanning / Brute-force Login IPs

–   Logins from Hosting providers

–   Malware outbreaks – File MD5s

You're Not Alone – Collaboration is a Force Multiplier

Page 19

Information Sharing and Collaboration

Proven benefits

•   Provides situational awareness and context across organizational and geographical boundaries

•   Force multiplier – leverage your peers

•   Data Classification Rules

–   TLP Protocol

•   Actor / Campaign Details

•   Automated distribution

•   Platform Agnostic

•   Anonymous and Secure

hitrustalliance.net/cyber-threat-xchange/

Page 20

Collaboration in Action

hitrustalliance.net/cyber-threat-xchange/

Page 21

Trending

Page 22

Trending

[Charts: General Platform Statistics, Feb vs Mar. Chart 1 (0 to 90,000 scale): Community IOCs, Compromised Credentials. Chart 2 (0 to 20 scale): Threat Intelligence Packages]

Page 23

Collaboration in Action

https://hitrustctx.threatstream.com/tip/142

Page 24

Collaboration in Action

•   Threat Intelligence Packages Actively Being Submitted by Community

Premera Breach Details Continued

https://hitrustctx.threatstream.com/tip/179

Page 25

Collaboration in Action

https://hitrustctx.threatstream.com/tip/184

Page 26

HHS – Credential Harvesting

•   Compromised credentials have the potential to be leveraged in future attacks

•   Uptick in credential harvesting emails received across the Enterprise in March

•   ~13700 emails received containing domains of credential harvesting sites

•   Training and education program implemented

•   Reduction of credential harvesting emails planned via technical solution

Top Credential Harvesting Domains:

§   Wix[.]com
§   Weebly[.]com
§   Jimdo[.]com
§   Coffeecup[.]com

Email Subject Lines used:

§   IT service DESK
§   USER VERIFICATION
§   Updating
§   OUTLOOK LATEST UPDATE
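The indicators on this HHS slide, and the shareable data types listed on the earlier "what do I share?" slide (domains, URLs, hashes, subject lines), only pay off when they can be matched mechanically against an organization's own mail telemetry. The following Python is an added example written for this page; it is not HHS's or HITRUST's tooling. It refangs the defanged domains exactly as the slide gives them, scans constructed sample mail-gateway records (the pipe-separated sender|subject|URLs format and the `registered_domain` helper are assumptions), and scores a domain hit alone as weak, because Wix, Weebly, Jimdo and Coffeecup are legitimate site builders on which the harvesting pages happen to be hosted; the combination of a listed hosting domain and a listed subject line is what the triage treats as a strong signal.

```python
"""Triage mail-gateway records against shared credential-harvesting indicators.

Added example, not code from the briefing. Indicator values are the ones the
HHS slide lists; the log records below are constructed sample data.
"""
import re
from collections import Counter

# Indicators kept in the shared (defanged) form, exactly as published on the slide.
HARVESTING_DOMAINS_DEFANGED = ["Wix[.]com", "Weebly[.]com", "Jimdo[.]com", "Coffeecup[.]com"]
SUBJECT_LINES = ["IT service DESK", "USER VERIFICATION", "Updating", "OUTLOOK LATEST UPDATE"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'Wix[.]com' into a matchable 'wix.com'.
    Also reverses the common 'hxxp' scheme defang in case a shared URL uses it."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


HARVESTING_DOMAINS = {refang(d) for d in HARVESTING_DOMAINS_DEFANGED}
SUBJECTS = {s.strip().lower() for s in SUBJECT_LINES}

# Constructed sample records (assumed format): sender|subject|space-separated URLs from the body.
SAMPLE_LOG = """\
hr-notice@example.org|IT service DESK|http://it-desk-login.wix.com/verify
newsletter@example.com|Weekly update|https://www.example.com/news
admin@example.net|USER VERIFICATION|http://acct-check.weebly.com/outlook
friend@example.org|Dinner?|https://mysite.jimdo.com/photos
helpdesk@example.org|OUTLOOK LATEST UPDATE|https://outlook-upgrade.coffeecup.com/login
"""

URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Collapse 'it-desk-login.wix.com' to 'wix.com' (last two labels).
    Assumption: the sample contains no multi-label public suffixes such as co.uk."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def classify(record: str):
    """Return 'high' when both a listed hosting domain and a listed subject match,
    'low' when only the hosting domain matches (legitimate site builders, so a
    domain hit by itself is a weak signal), and None when neither matches."""
    _sender, subject, urls = record.split("|", 2)
    hosts = URL_HOST_RE.findall(urls)
    domain_hit = any(registered_domain(h) in HARVESTING_DOMAINS for h in hosts)
    subject_hit = subject.strip().lower() in SUBJECTS
    if domain_hit and subject_hit:
        return "high"
    if domain_hit:
        return "low"
    return None


def triage(log_text: str):
    """Classify every record; return (sender, subject, verdict) for those that matched."""
    findings = []
    for record in log_text.splitlines():
        if not record.strip():
            continue
        sender, subject, _urls = record.split("|", 2)
        verdict = classify(record)
        if verdict is not None:
            findings.append((sender, subject, verdict))
    return findings


def summarize(findings) -> Counter:
    """Count findings by verdict, the figure an analyst would report or share."""
    return Counter(verdict for _, _, verdict in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for sender, subject, verdict in hits:
        print(f"{verdict:4s}  {sender:24s}  {subject}")
    print(dict(summarize(hits)))
```

Keeping the indicators in their defanged form and refanging only at match time means the same list can be pasted into a sharing platform without anyone accidentally clicking a live link; the two-tier verdict is what keeps a blocklist built from site-builder domains from flooding the SOC with legitimate mail.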

Page 27

CSF Controls Related to Threats

•   CSF Control for Compromised Credentials

–  Control Reference: 01.d User Password Management

•  Control Text: All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user.

•   Implementation requirement: Passwords should be confidential, passwords should be changed under indication of compromise, passwords should not be reused, passwords should not be shared or provided to anyone.

Page 28

CSF Controls Related to Threats

•   CSF Control for Compromised Credentials

–  Control Reference: 01.j User Authentication for External Connections

•  Control Text: Appropriate authentication methods shall be used to control access by remote users.

•   Implementation requirement: Remote users shall be authenticated by use of a password/passphrase and at least one of the following: Certificate, Challenge/Response, Software Token, Hardware Token, Cryptographic or Biometric Technique

Page 29

CSF Controls Related to Threats

•   CSF Control for Suspicious Domain Registrations

–  Control Reference: 01.i Policy on the Use of Network Services

•  Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.

•   Implementation requirement: The organization shall specify the networks and network services to which users are authorized access.

Page 30

CSF Controls Related to Threats

•   CSF Control for Dropper tools dropping basic Backdoors / RATs

–  Control Reference: 09.j Controls Against Malicious Code

•  Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.

•   Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.

Page 31

DHS/CERT

•  Trends and uncategorized indicators

Page 32

Questions and Answers

Page 33

Additional Information

•   Sign up for briefings and alerts

–  www.hitrustalliance.net/cyberupdates/

•   CyberRX 2.0 exercise information, or Spring 2014 exercise findings

–  www.hitrustalliance.net/cyberrx/

•   Cyber Threat Xchange (free subscription)

–  hitrustalliance.net/ctx-registration/

Page 34

Additional Information

•  Additional content available at:

–  https://hitrustalliance.net/content-spotlight/