TRANSCRIPT
THE QUESTION IS NOT “IF” BUT “WHEN”
A Look Into the Importance of Cyber Resilience and Incident Response for Financial Institutions
ABOUT THE SPEAKER
• Tom Neclerio, VP of Cyber Consulting Services
• 18 Years Providing Consulting to Regulated Industries
• Advised over 1000 FIs on security/regulatory compliance
• Trainer/speaker to the FFIEC agencies on Security
• Former CISO of SilverSky developed internal controls
• PCI Qualified Security Assessor to large banks, service providers, and merchants
CYBER PROFESSIONAL SERVICES SUMMARY
Cyber Advisory Services
• Full range of consulting services for information security
• Review entire security programs or components thereof
• Assess against industry standards/best practices
• Perform risk assessments, compliance review, gap analysis
• Create an improvement plan, provide implementation
Cyber Technical Services
• Technically focused “intelligence led” security testing and assessments
• Programs where we “think like an adversary”
• Cyber Exposure Profiling, Security Testing
• Targeted Attack Resistance / Red Teaming
• Security architecture and controls assessment and improvement
Cyber Incident Response Services
• Complete coverage for the 3 crucial areas of incident response
• Planning, Preparing, and Responding
• Assessments and Incident Response Plan development
• Incident Readiness exercises
• Enterprise Incident Response and Management services
AGENDA
• The Financial Threat Landscape
• Case Study: Lessons Learned From Real Attacks
• FFIEC Cyber Resilience Guidance
• How to be Prepared
TARGET OF ATTACKS
RETAIL AND FINANCIAL: TOP TARGETS AGAIN
• Retail and Financial Continue to be Top Targets
• Organized Crime w/ focus on monetary gain
• Financial: Malware/Web Banking Application
• Retail: POS Terminals
THE TARGET
TOXIC DATA
Commoditized information you are compelled to protect by regulation, statute or contract.
Examples:
• Customer PII
• Electronic protected health information (ePHI)
• Credit card numbers
• Account Numbers
Loss value determined by criminals (de facto) and regulators (de jure).
SECRETS
Sensitive intellectual property whose disclosure would cause strategic harm.
Examples:
• Trade secrets
• Strategic plans
• Sales forecasts
• Company financials
Loss value is intrinsic, tangible or incalculable (reputation).
CYBERCRIME IN FINANCIAL SERVICES INDUSTRY
Two Categories made up approx. 70% of Financial Breaches
Crimeware – Classified into two types
• Backdoor: Maintaining persistence and staging advanced attacks
• Data Stealing: Capturing and data exfiltration
Web App Attacks
• Compromised individual customer accounts
• Hacked website or database
PHISHING STATISTICS
For the last two years, more than two-thirds of incidents reported have featured phishing
23% of recipients now open phishing messages
90% success rate on a phishing campaign of 10 or more emails
11% click attachments
50% open e-mails and click on phishing links within the first hour
CRIMEWARE
• Bank Records and Credentials are by far the most targeted data (approx. 90%)
• Opportunistic and financially motivated to establish long term foothold in network
• Less likely to be forensically discovered if not detected early
• Usually starts with a Phishing campaign
ATTACK DIFFICULTY
• High: 0.2%
• Medium: 22.7%
• Low: 67.3%
• Very Low: 9.8%
DISCOVERY TIMEFRAME
• 80 DAYS TO DISCOVER MALICIOUS BREACHES
• 123 DAYS TO RESOLVE MALICIOUS BREACHES
• 3.9x HIGHER COST OF CYBER CRIME IF UNDERPROTECTED
LESSONS LEARNED SO FAR
• Retail and Financial verticals are the top targets of attack
• Financial Institutions are HIGH VALUE targets for Cyber Crime
• Organized & Funded Criminal Gangs are behind FI Attacks
• 70% of FI breach types are Crimeware and Web Applications
• Phishing is often used to carry out initial hacks
• Phishing is highly successful with a small detection window
• Credentials and backdoor malware are top modes of entry
• Large timeframes exist from initial compromise to discovery
• Criminals are increasingly exploiting third party vendors
AGENDA
• The Financial Threat Landscape
• 2014 Data Breaches – Lessons Learned
• FFIEC Cyber Resilience Guidance
• How to be Prepared
CASE STUDY 1: 2014 MAJOR ATTACKS
• Third Party Stolen Credentials
• Third Party Vendor Breach
• Remote Access Hack
CASE STUDY 2: SMALL NORTHEAST CREDIT UNION
• Infected with Cryptolocker Ransomware Trojan
• Most likely source a phishing email attachment.
• Critical systems infected through multiple attacks.
• BOD personal computers infected
• Multiple rebuilding of systems, reputational damage, lost productivity
CASE STUDY 3: MEDIUM CU NORTHEAST
• BAE/SilverSky SOC noticed suspicious activity outbound to several known C&C services in Ukraine
• Large volumes of traffic were originating outbound to the C&C servers from several computers in the CU environment.
• CU employees were the target of a phishing campaign with malware attachments. Over 50% of employees opened the emails and attachments.
• The volume of outbound activity from the malware ground the network to a halt.
• The SOC was able to block all outbound traffic to the C&C servers while the IR team was deployed to help clean the network of the malware infestation.
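As an added illustration of the detection and containment step in this case study (example code written for this page, not BAE/SilverSky SOC tooling), the Python script below parses constructed egress-firewall log lines, flags internal hosts that connected to a constructed list of known C&C addresses, ranks hosts by outbound volume, and produces the host-isolation and destination-block lists responders would act on. The log format, field names, all addresses (documentation ranges only) and the indicator list are assumptions made for the example.

```python
"""Flag internal hosts talking to known C&C indicators and rank outbound volume.

Illustrative example for the case study above; not SOC tooling from the talk.
Log format, field names, addresses and the indicator list are all constructed.
"""
from collections import defaultdict
import ipaddress
import re

# Constructed indicator list (documentation-range addresses, not real C&C servers).
KNOWN_C2 = {"203.0.113.10", "203.0.113.77", "198.51.100.5"}

# Constructed egress-firewall log lines: timestamp src dst dport bytes_out.
SAMPLE_LOG = """\
2015-03-02T09:14:01 src=10.20.1.15 dst=203.0.113.10 dport=443 bytes=48211
2015-03-02T09:14:03 src=10.20.1.15 dst=203.0.113.10 dport=443 bytes=51930
2015-03-02T09:14:05 src=10.20.1.42 dst=198.51.100.5 dport=8080 bytes=102400
2015-03-02T09:14:06 src=10.20.1.77 dst=192.0.2.20 dport=443 bytes=1200
2015-03-02T09:14:09 src=10.20.1.42 dst=198.51.100.5 dport=8080 bytes=99870
2015-03-02T09:14:11 src=10.20.2.8 dst=203.0.113.77 dport=80 bytes=73412
2015-03-02T09:14:12 src=10.20.1.77 dst=10.20.0.5 dport=445 bytes=500000
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")

# Assumed internal address space of the credit union network.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def parse(log_text):
    """Yield (src, dst, dport, bytes) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), int(m.group(4))


def analyze(log_text, indicators=KNOWN_C2, internal=INTERNAL):
    """Return (c2_hits, volume).

    c2_hits maps each source host to the set of C&C destinations it reached;
    volume maps each source host to total bytes sent to external destinations.
    Traffic to internal destinations is not egress and is ignored.
    """
    c2_hits = defaultdict(set)
    volume = defaultdict(int)
    for src, dst, _dport, nbytes in parse(log_text):
        if ipaddress.ip_address(dst) in internal:
            continue
        volume[src] += nbytes
        if dst in indicators:
            c2_hits[src].add(dst)
    return dict(c2_hits), dict(volume)


def containment_plan(c2_hits, volume, top_n=3):
    """Build the action lists a SOC would hand to the IR team:
    hosts to isolate (any host that reached a C&C address), destinations to
    block at the egress firewall, and the top outbound talkers to review."""
    isolate = sorted(c2_hits)
    block = sorted({d for dsts in c2_hits.values() for d in dsts})
    top_talkers = sorted(volume.items(), key=lambda kv: kv[1], reverse=True)[:top_n]
    return {
        "isolate_hosts": isolate,
        "block_destinations": block,
        "top_talkers": top_talkers,
    }


if __name__ == "__main__":
    hits, vol = analyze(SAMPLE_LOG)
    for key, value in containment_plan(hits, vol).items():
        print(f"{key}: {value}")
```

The block list is what the SOC applied first in the case study (cutting the C&C channel), and the isolate list is what the IR team then worked through host by host; the top-talker ranking surfaces the machines saturating the link even before the indicator list is complete.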
REGULATION: EXECUTIVE ORDER 13636
Definition of Critical Infrastructure:
• Systems/assets so vital to the US that the incapacity or destruction of such systems/assets would have a debilitating impact on security, national economy, national public health or safety, or any combination thereof
Executive Order 13636 (2/2013)
• The Cyber threat to critical infrastructure…represents one of the most serious national security challenges… to the national and economic security of the US.
• Goal - Enhance the security and resilience of the nation’s critical infrastructure
FFIEC CYBER SECURITY ASSESSMENTS
• NIST to lead the development of a framework to reduce cyber risk to critical infrastructure (the “Cybersecurity Framework”)
• Identify: Measure risk and develop a program
• Protect: Implement controls to mitigate risk
• Detect: Implement process to detect events
• Respond: The ability to respond/communicate
• Recover: The ability to recover and improve
FFIEC CYBER SECURITY ASSESSMENTS
• Summer of 2014, FFIEC piloted new cyber security assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cyber risks
• Integrated into regular IT Examination process
• Cyber Risk Management (IDENTIFY)
• Cyber Security Controls (PROTECT/DETECT)
• Threat Intelligence and Collaboration (DETECT)
• Cyber Resilience (RESPOND/RECOVER)
• External Dependency Management (VENDOR MGMT)
Timeline: Executive Order 13636 (2/2013), FFIEC Cyber Assessments (6/2014)
FFIEC CYBER SECURITY ASSESSMENTS
OBSERVATIONS AND RECOMMENDATIONS
Cyber Risk Management
• Set a “tone from the top”
• BOD and management discussions
• Ongoing employee training/testing including Social Engineering
• Include BOD in training
Cyber Security Controls
• Deploy preventive, detective, and corrective procedures
• Patching, encryption, limit user access
• Intrusion detection/prevention, firewall alerting
• Formal audit program with regular findings
Cyber Resilience
• Formal Incident response programs
• Includes key phases of prepare, test and recover
• Senior management and board incident reporting
• Increase Information Sharing (FS-ISAC)
FFIEC CYBER-RESILIENCE GUIDELINES
FFIEC added an appendix to its Business Continuity Booklet: "Strengthening the Resilience of Outsourced Technology Services"
Cyber-Resilience - an organization's ability to withstand and recover from a cyber attack by minimizing the disruption or impact that attack has on its ability to conduct business
Term was added to illustrate the changing threats and vulnerabilities financial institutions face
Timeline: Executive Order 13636 (2/2013), FFIEC Cyber Assessments (6/2014), FFIEC Cyber Resilience (3/2015)
FFIEC CYBER-RESILIENCE GUIDELINES
Incident Response
Financial institutions and their service providers should anticipate potential cyber incidents and develop a framework to respond to these incidents.
The financial institution and its TSPs should periodically update and test their incident response plan to ensure that it functions as intended, given the rapidly changing threat landscape.
The financial institution and TSP should consider identifying and making advance arrangements for third-party forensic and incident management services.
NIST FRAMEWORK AND INCIDENT RESPONSE
NIST Framework functions: Identify, Protect, Detect, Respond, Recover
• Most FIs have large gaps in their ability to respond to and recover from events
• IR today is what DR was in 2011
• Most FIs have a DR plan but are missing any IR process
• In a recent study of financial institutions, 83% were not prepared to handle an incident
THE FUTURE OF FFIEC EXAMINATIONS (WHAT TO EXPECT)
Increased Board and C-Suite Involvement
Participation in information-sharing group(s)
Reviews of incident preparedness and response process
Cyber security scenario testing w/ employees and BOD
Increased oversight of third party service providers
NOT “IF”…BUT “WHEN”?
8 GOALS OF INCIDENT RESPONSE
1. Verify that an incident occurred
2. Maintain or Restore Business Continuity
3. Reduce the incident impact
4. Determine the root cause of the incident
5. Prevent future attacks or incidents
6. Improve security and incident response
7. Prosecute illegal activity
8. Keep key stakeholders informed of the situation
SIX STEPS OF INCIDENT RESPONSE (Practice, Train, Test)
1. Preparation
2. Identification and Scoping
3. Response and Containment
4. Eradication and Remediation
5. Recovery
6. Review and Update
PREPARATION
DEVELOPING AN INCIDENT RESPONSE PLAN
A comprehensive Incident Response plan should:
• Assess the nature and severity of the event
• Identify the potential impact of the event
• Establish roles and responsibilities
• Establish lines of communications regarding the event
• Help you identify response team(s) to handle the event
• Act as a launching point to initiate other plans (DR/BCP, Evacuation, etc.)
IDENTIFICATION AND SCOPING
INCIDENTS COME IN ALL SHAPES AND SIZES
Confidentiality – Employee emails confidential data file to the wrong person; Loss of information confidentiality (data theft)
Integrity – A file is detected to have unauthorized changes
Theft – An employee’s work computer is stolen from their house
Physical – A computer hard drive is destroyed in a fire
Availability – An attack on the FI’s ebanking application leaves it unavailable for 24 hours; Misuse of services, information, or assets
Malware – A system containing customer information is infected with crimeware
Hack – An unauthorized criminal gains access to the internal network and systems
INCIDENT INDICATORS
Tip-off from CERT
Customer complaints
Targeted phishing email
Systems off-line
Email with demands
Alerts from monitoring tools
Unexplained transaction
Assumed insider
Account lockouts
Website defacement
Data leaked on Internet
Threat types: Cyber espionage, Cyber-enabled fraud, Insider, Cyber extortion, Hacktivist
RESPONSE, REMEDIATION, RECOVERY
INCIDENT RESPONSE PRINCIPLES
Integrate with the business: communication through every department; everyone knows how to report incidents in a timely manner.
Maximize your preparation: the first time you are seeing the event should not be in a real scenario.
Keep pace with threats: the groups behind cyber attacks are constantly evolving, so incident response procedures need to be regularly reviewed and updated.
Don’t make things worse; avoid:
• Alarming stakeholders
• Being noticed by the attacker
• Causing further disruption
Right first time: minimize the chance for mistakes by using common protocols, scenario-based procedures, templates, and checklists.
Confirm remediation success: it’s critical to confirm that remediation has been successful and has met agreed criteria.
REVIEW AND UPDATE
REVIEW AND MAINTENANCE
Post Incident Reviews
• Should be performed after any incident
• Any lessons learned should be discussed
• Plan improvements should be documented and incorporated into the next plan revision
Plan Update Reviews
• Plan owners should schedule periodic reviews to ensure that the document is up to date, and any improvements to ensure that the plan remains relevant (e.g., audits) should also be scheduled
MAINTENANCE: PRACTICE, TRAIN, TEST!
Plan Testing
Critical to ensure that the Incident Response Plan is current and ready
Periodic testing is advised to validate:
1. The steps in the plan are relevant
2. Team members are properly trained
3. Team members understand their roles and responsibilities
4. That all the participants, including senior management, can work together effectively under pressure
5. That there is a reduced risk of a counterproductive response during the incident
6. Involve any outsourced first responders in testing
WHY PRACTICE YOUR PLAN?
TYPES OF INCIDENT TESTING
GROUP WALK THROUGH
Periodic reviews to ensure that the document is up to date and any improvements to ensure that the plan remains relevant (e.g. audits) should also be scheduled.
TABLE TOP TESTS
Key plan stakeholders gather to discuss a given scenario or simulated event. Focus on how the group would respond to the event as the scenario develops.
WAR GAMES
Usually performed in conjunction with a penetration test or other simulated hacking event. Real-life testing to determine how teams respond to realistic scenarios.
QUESTIONS?
Tom Neclerio
Vice President Cyber Consulting, BAE Systems Applied Intelligence
M: +1 954.873.6823 E: [email protected]