TRANSCRIPT
Monthly Cyber Threat Briefing April 2015
2 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net
Presenters
• Dennis Palmer – Senior Security Analyst, HITRUST
• Colby DeRodeff – Chief Strategy Officer, ThreatStream
• Adam Meyers – VP, Threat Intelligence, CrowdStrike
• Bob Walder – President & CTO, NSS Labs, Inc.
• Len Bledsoe – Cyber Security Analyst, Computer Security Incident Response Center (CSIRC), U.S. Department of Health and Human
Agenda
• NSS Labs – Emerging and unknown exploits and product effectiveness
• CrowdStrike – Threat Actors Overview
• ThreatStream – Operationalizing and Leveraging CTX
• Health and Human Services – Current Threat Dissection
• HITRUST – CSF Controls related to ongoing threats
• DHS/CERT – Trends and uncategorized indicators
• Question and Answer session
Threat Capabilities Report
• Flash, Java, Silverlight, and Internet Explorer are widely used enterprise applications that were aggressively targeted in March.
• The Angler exploit kit was the most prevalent exploit kit.
• CryptoWall activity continued to surge.
Data from February 2015 – NSS Labs
Targeted Applications and Operating Systems
Data from March 2015 – NSS Labs
[Table: application/OS combinations targeted. OS columns: Windows 7 SP1, Windows 8, Windows Vista SP1, Windows XP SP3. Applications: Adobe Flash Player 11.4, Adobe Flash Player 13, Internet Explorer 7, 8, 9 and 10, Java 6 Update 23, Java 7, Java 7 Update 2, Silverlight 4.0.6, Silverlight 5. The per-OS marks are not recoverable from the extracted text.]
Top Command and Control Hosting by Geo
Data from March 2015 – NSS Labs
1. South Korea
2. China
3. United States
4. United Kingdom
5. Hong Kong
6. Russia
7. Germany
8. British Virgin Islands
9. Czech Republic
9. Spain (tied)
C&C server locations & callback ports
10 commonly used command and control (C&C) server locations in combination with 10 commonly used callback ports
Data from March 2015 – NSS Labs
[Table: callback ports 25, 80, 443, 2012, 8080, 1287, 5555, 2015, 1111 and 7758 against countries China (marked on all ten ports), France, Germany, Hong Kong, Japan, Netherlands, South Korea, Ukraine, United Kingdom and United States. The per-country port marks for the other countries are not recoverable from the extracted text.]
CAWS: All Threats for March
March 2015 - NSS Labs
CAWS: Top Apps Targeted
March 2015 - NSS Labs
Are you protected?
CAWS/InSight NGFW Devices: March 2015 - NSS Labs
NGIPS Group Test: 6 products (anonymized) and security effectiveness (live threats from CAWS)
NGIPS 2015 – NSS Labs
[Chart: Live Exploits Blocked per product, 0–100% scale; values shown: 99.5%, 98.5%, 74.7%, 94.6%, 94.6%, 100.0%]
Trends Targeting Healthcare
• Proprietary medical technology/design information
• Pharmaceutical Intellectual Property
• Sensitive information on designated VIP patients
• Broad collection to facilitate targeting of individuals
• Monetization of PII
Deep Panda IOCs
Making Intelligence Actionable
• Cyber Threat Exchange for Healthcare
• Enables actionable intelligence
• Cross-industry collaboration
• Proactive detection of new threats
• Security infrastructure integration
I want to collaborate, but what do I share?
Let's start with what can actually be shared:
External data:
• Email addresses
• File hashes (MD5 / SHA256)
• Domain names
• URLs
• User agents
Now what use cases?
• What do you see in the SOC?
– Phishing campaigns
– Suspicious / scanning / brute-force login IPs
– Logins from hosting providers
– Malware outbreaks – file MD5s
You're Not Alone – Collaboration is a Force Multiplier
Information Sharing and Collaboration
Proven benefits
• Provides situational awareness and context across organizational and geographical boundaries
• Force multiplier – leverage your peers
• Data classification rules
– TLP (Traffic Light Protocol)
• Actor / campaign details
• Automated distribution
• Platform agnostic
• Anonymous and secure
hitrustalliance.net/cyber-threat-xchange/
Collaboration in Action
hitrustalliance.net/cyber-threat-xchange/
Trending
General Platform Statistics, February vs. March
[Charts: Community IOCs, Compromised Credentials, Threat Intelligence Packages; axis scales 0–90,000 and 0–20]
Collaboration in Action
https://hitrustctx.threatstream.com/tip/142
Collaboration in Action
• Threat Intelligence Packages actively being submitted by the community
• Premera breach details continued
https://hitrustctx.threatstream.com/tip/179
Collaboration in Action
https://hitrustctx.threatstream.com/tip/184
HHS – Credential Harvesting
• Compromised credentials have the potential to be leveraged in future attacks
• Uptick in credential harvesting emails received across the Enterprise in March
• ~13,700 emails received containing domains of credential harvesting sites
• Training and education program implemented
• Reduction of credential harvesting emails planned via technical solution
Top credential harvesting domains:
– Wix[.]com
– Weebly[.]com
– Jimdo[.]com
– Coffeecup[.]com
Email subject lines used:
– IT service DESK
– USER VERIFICATION
– Updating
– OUTLOOK LATEST UPDATE
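A mail-triage rule built from the indicators on this slide, as an added example and not HHS's or HITRUST's own tooling: it refangs the listed domains, matches link hosts by suffix so user subdomains hit while look-alikes do not, checks the listed subject lines, and tallies hits per domain. The mailbox records are constructed for illustration.

```python
import re
from collections import Counter
# Added example, not from the briefing: flag mail linking to the free site
# builders HHS listed as top credential-harvesting hosts, or using a listed subject.
DEFANGED_DOMAINS = ["Wix[.]com", "Weebly[.]com", "Jimdo[.]com", "Coffeecup[.]com"]
SUSPECT_SUBJECTS = {"it service desk", "user verification", "updating", "outlook latest update"}

def refang(indicator):
    """Turn a defanged indicator such as 'Wix[.]com' into 'wix.com' for matching."""
    return indicator.replace("[.]", ".").lower()
WATCH_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
URL_HOST_RE = re.compile(r"https?://([^\s/:'\"<>]+)", re.IGNORECASE)

def matched_domain(host):
    """Watch-list domain that host equals or is a subdomain of, else None. Harvesting
    pages live on user subdomains (x.wix.com); 'wix.com.evil.example' must not match."""
    host = host.lower().rstrip(".")
    for d in WATCH_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None

def classify(msg):
    """Sorted reasons a message looks like harvesting; a hit is a review signal, not a verdict."""
    reasons = set()
    for host in URL_HOST_RE.findall(msg["body"]):
        d = matched_domain(host)
        if d:
            reasons.add("link:" + d)
    if msg["subject"].strip().lower() in SUSPECT_SUBJECTS:
        reasons.add("subject")
    return sorted(reasons)

def triage(messages):
    """Flag messages and count hits per watch-list domain (the slide's top-domain stat)."""
    flagged, per_domain = [], Counter()
    for msg in messages:
        reasons = classify(msg)
        if reasons:
            flagged.append((msg["id"], reasons))
            per_domain.update(r[len("link:"):] for r in reasons if r.startswith("link:"))
    return flagged, per_domain

# Constructed sample mailbox (hypothetical, not real traffic).
SAMPLE = [
    {"id": 1, "subject": "IT service DESK", "body": "Verify now: http://helpdesk-portal.wix.com/login"},
    {"id": 2, "subject": "Updating", "body": "Mailbox full, act at https://mailupgrade.weebly.com/"},
    {"id": 3, "subject": "Q2 budget", "body": "Draft at https://intranet.example.org/budget"},
    {"id": 4, "subject": "Re: lunch", "body": "Menu at http://coffeecup.com.evil.example/menu"},
]
```

Because these hosts serve plenty of legitimate mail, route hits to analyst review or link rewriting rather than hard-blocking on the domain alone.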
CSF Controls Related to Threats
• CSF Control for Compromised Credentials
– Control Reference: 01.d User Password Management
• Control Text: All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user.
• Implementation requirement: Passwords should be confidential, passwords should be changed under indication of compromise, passwords should not be reused, passwords should not be shared or provided to anyone.
CSF Controls Related to Threats
• CSF Control for Compromised Credentials
– Control Reference: 01.j User Authentication for External Connections
• Control Text: Appropriate authentication methods shall be used to control access by remote users.
• Implementation requirement: Remote users shall be authenticated by use of a password/passphrase and at least one of the following: Certificate, Challenge/Response, Software Token, Hardware Token, Cryptographic or Biometric Technique
CSF Controls Related to Threats
• CSF Control for Suspicious Domain Registrations
– Control Reference: 01.i Policy on the Use of Network Services
• Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.
• Implementation requirement: The organization shall specify the networks and network services to which users are authorized access.
CSF Controls Related to Threats
• CSF Control for Dropper tools dropping basic Backdoors / RATs
– Control Reference: 09.j Controls Against Malicious Code
• Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.
• Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.
DHS/CERT
• Trends and uncategorized indicators
Questions and Answers
Additional Information
• Sign up for briefings and alerts
– www.hitrustalliance.net/cyberupdates/
• CyberRX 2.0 exercise information, or Spring 2014 exercise findings
– www.hitrustalliance.net/cyberrx/
• Cyber Threat Xchange (free subscription)
– hitrustalliance.net/ctx-registration/
Additional Information
• Additional content available at:
– https://hitrustalliance.net/content-spotlight/