Today’s Public Sector Threat Landscape · 2017-10-19

TODAY’S PUBLIC SECTOR THREAT LANDSCAPE: AGENCY CHALLENGES, LESSONS LEARNED, THE PATH FORWARD

BEN SMITH, CISSP, CRISC, FIELD CTO (US EAST), @BEN_SMITH

Agenda

1. The four threat actor categories

2. Public sector attacks & impact

3. Things to think about in your agency

4. Additional resources

* RSA’s portfolio

SAMPLE REFERENCE – “Hunting for Sharks’ Teeth (and Other IOCs)”

https://blogs.rsa.com/hunting-sharks-teeth-iocs/

Four Categories of Attackers

Cybercriminals

Nation-States

“Hacktivists”

Cyber-Terrorists

Cybercriminals

• Largely financially motivated

• Typically target PII, PCI, financial services, retail

- PII (personally identifiable information); PCI (payment card industry)

• Large attack scale

- Example: thousands of spam emails...and just one end-user click needed

• Cybercrime is a proven business model

- Organized, sophisticated supply chains

- “Affiliate” models

- Ransomware-as-a-service

Nation-States

• Targets

- Government, defense industrial base (DIB), IP-rich organizations

- Decision-making intelligence, other business logic, executive emails

• Well-researched, narrowly-targeted attacks

- Executive spear-phishing

- Watering holes

- “VOHO,” researched & published by RSA FirstWatch

- Expatriates

- “GlassRAT,” researched & published by RSA Research

Will Gragido, “Lions at the watering hole – the “VOHO” affair” [2012]

https://blogs.rsa.com/lions-at-the-watering-hole-the-voho-affair/

Peter Beardmore, “Peering into GlassRAT” [2015]

https://blogs.rsa.com/peering-into-glassrat/

Hacktivists

• Targets

- Political targets of opportunity

- All verticals

• Goals

- Further social and political interests

- Mass disruption, mercenary

• Can be well-researched and/or large-scale

• Largely “doxxing” activity and website defacement

Cyber-Terrorists

• ISIL desires to recruit cyber talent

- Appeals (both overt and covert) to young, tech-savvy individuals

- Mention of a “cyber-caliphate” has been noted in ISIL communications

• Current activities appear to be limited to account takeover, website defacement, and “doxxing”

• Unsuccessful power grid attacks have been attributed to ISIL by the US Government

- “Embracing the most convenient attack, rather than the largest or most gruesome one”

- “Low-level attacks of opportunity”

POLITICO’s Joseph Marks, “ISIL aims to launch cyberattacks on U.S.” [December 2015]

http://www.politico.com/story/2015/12/isil-terrorism-cyber-attacks-217179

The CIA Triad: Integrity

- Indiana county government shut down by ransomware to pay up
- City, streetcar project scammed for $3.2 million
- Ransomware Hackers Blackmail U.S. Police Departments
- E-mail phishing caused county to lose $566,000
- DHS: Over 300 incidents of ransomware on federal networks since June
- 756,000 Warned As L.A. County Workers Fall For Phishing Attack
- City of Sarasota's system hacked by ransomware, data held hostage
- Hackers hit D.C. police closed-circuit camera network, city officials disclose


Hacktivists

• “Early last year, hackers launched a cyberattack against the state of Michigan’s main website to draw attention to the Flint water crisis. In May, they targeted North Carolina government websites to protest a controversial state law requiring transgender people to use bathrooms that match the sex on their birth certificate. And in July, they took aim at the city of Baton Rouge’s website after the fatal police shooting of a black man.”

Hacktivist incidents directed against U.S. state and local governments, as tracked by MS-ISAC: [chart comparing 2015 and 2016; extracted values read “16065”]

‘Hacktivists’ Increasingly Target Local and State Government Computers

Nation-States

• “OPM first announced in early June [2015] that the background investigation records of millions of current, former and prospective federal employees and contractors had been stolen in a cyber intrusion that started in early 2014. In mid-June, the agency disclosed a second larger attack that targeted information for millions more Americans who applied for security clearances.”

OPM Hack: Government Finally Starts Notifying 21.5 Million Victims; Inside the Cyberattack That Shocked the US Government

Have You Thought About…

1. Third-party accounts & access to your network

2. Personal email accounts associated with your executives

3. Risks associated with traveling laptops, phones, personnel

- While away from the agency, after returning to the agency

4. States/provinces and localities with selective purchasing legislation

- Targets for hacktivists, foreign entities, “patriotic hackers”

5. What type(s) of visibility do you have within your own agency?

Situational Awareness is not an “Easy Button”

The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation [241pp]

• Comprehensive visibility must include full packet capture

• Reactive behavior vs. proactive hunting for adversaries

Additional Public Sector Resources

Local Government Cyber Security: Getting Started (A Non-Technical Guide) [16pp]

ICMA Survey Research: Cybersecurity 2016 Survey [12pp]

State Cybersecurity Resource Guide [60pp]

• Weekly WebEx “Lunch and Learn” session

• Statewide cyber exercises for locals, tribes and private sector

• Kids Cyber Awareness Poster contest

• “CyberGirlz” workshops to prepare middle- and high-school girls for careers in cybersecurity

• Food For Thought: Cyber Security Awareness Food Truck Rally

• “Ask a Hacker” video series

• Publicize Cyber Security Awareness Month on highway billboards

• Disabled Veteran Cyber Apprenticeship Program

• “Spot the Security Gap” Game

Additional Public Sector Resources

• A recent one-hour panel covered…

- Budget constraints associated with maintaining a cyber framework

- Evaluating cybersecurity vendors

- Artificial intelligence’s role in cybersecurity

- Cultivating cyber talent

Federal News Radio: In Focus: Threat intelligence in the private and public sectors

• Ron Carback, Defense Intelligence Officer for Cyber at the Defense Intelligence Agency

• Tim Ruland, Chief Information Security Officer at the U.S. Census Bureau

• Shaun Khalfan, Chief Information Security Officer at U.S. Customs and Border Protection

• Dr. Zully Ramzan, Chief Technology Officer at RSA

Defend Yourself…Wisely!

Visibility · Identity · Risk · Fraud

NETWITNESS SUITE: Triple the impact of your existing security team

SECURID SUITE: Accelerate business while mitigating identity risk

ARCHER SUITE: Know which risk is worth taking

RISK & CYBER SECURITY PRACTICE: Take command of your evolving security posture

FRAUD & RISK INTELLIGENCE SUITE: Act faster than the speed of fraud

The RSA Portfolio

Incident Response: Retainer, Incident Discovery, Incident Response, IR Hunting Services, Breach Management

Advanced SOC Design & Implementation: Future State Design, Technology Acquisition, Advanced SOC Implementation, Residencies, Education Services

Incident Management Program Development: Incident Management Lifecycle Development, Threat Detection, Use Case Development, Metrics and KPI Modeling

Cyber Threat Intelligence: Program Development, Portal Implementation & Customization, Threat Research

Security Readiness and Strategy: Current State & Gap Analysis, Maturity Modeling, NIST CSF Roadmap Development

Advanced Cyber Defense (ACD) · Archer · SecurID · NetWitness · Risk & Cyber Security Practice (Take command of your evolving security posture) · Fraud & Risk Intelligence

The RSA Portfolio

Secure your Infrastructure: Endpoint, Data Security, Network, NSX, Data Isolated Recovery

Improve your Response: Done With You, Do It Yourself

Translate to Business Risk: All Risk, Cloud

DELL TECHNOLOGIES: SECURITY TRANSFORMATION

BEN SMITH CISSP CRISC RSA FIELD CTO (US EAST) @BEN_SMITH