Achieve cyber resilience - pwccn.com
Achieve cyber resilience in today’s digital world with the HKMA CFI 2.0
Table of contents
01 Reflection of the 2020 Threat Landscape
02 Key Root Causes Identified from Past Incident Response and iCAST Exercises
03 Summary of HKMA C-RAF 2.0 Requirements
04 Enhancing Your Cyber Defense Capability with TTP-based Cyber Defense Framework
Reflection of the 2020 Threat Landscape

Human-operated ransomware likely highest threat of 2020
Typical path of a human-operated ransomware attack

Automated and mass scale:
• Gain initial access and deploy using automated and opportunistic methods
  • Phish employees and deploy malware to workstations
  • Exploit known vulnerabilities in Internet-facing services

Key 'human-operated' stages:
• Compromise privileged accounts by exploiting common IT/AD hygiene issues
• Move laterally and establish footholds using common offensive security tools
• Exfiltrate sensitive data to attacker-operated infrastructure
• Deploy ransomware as widely as possible to maximize impact

The number of ransomware actors leveraging access brokers like Emotet has grown dramatically in 2020, encouraged by the profits derived from high-profile attacks.
• 750+ organizations with data exposed as of September 2020
• 80% of data leakages on leak sites occurred since April 2020
Source: PwC Cyber Security: Responding to the growing threat of human-operated ransomware attacks
HKMA Cybersecurity Fortification Initiative 2.0 Webinar
DDoS for Extortion

Extortion of financial services institutions by cybercriminals claiming to represent Fancy Bear and Armada Collective, prior to attacks disrupting access to networks and online services. Notable examples in 2020 include the New Zealand Stock Exchange, Indian bank YesBank, Paypal, Worldpay, and other financial institutions.
Phishing events rose four-fold as a result of the COVID-19 outbreak, with more people working and spending their leisure time at home.
Source: Hong Kong Security Watch Report, 12 August 2020, https://www.hkcert.org/watch-report/hong-kong-security-watch-report-q2-2020

The results of an unsophisticated but effective campaign:
• 933 email deliveries attempted
• 657 delivered (70% delivery success rate)
• 48 links clicked (7% click rate)
Source: PwC's FS Mass Phishing Study Data, Round 1: March-April 2019
SolarWinds Supply Chain Compromise

On 13 December 2020, FireEye and Microsoft revealed that the SolarWinds supply chain had been compromised with an advanced backdoor called SUNBURST.

The backdoor was delivered to any customer of SolarWinds' Orion IT monitoring and management software who installed an affected build, covering "all software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020".

US authorities have assessed the operation to be "likely Russian in origin".

Sectors affected: Government, Professional Services, Technology, Telecommunications, Education, Manufacturing, Financial Services, Defence, Healthcare

Regions affected: Americas, Europe, Asia, Middle East
SolarWinds Supply Chain Compromise

Tip of the Iceberg
• Relatively early stage: expect more findings in the foreseeable future
• Copycats: sophisticated and successful attacks receiving media attention may inspire other actors, such as ransomware operators, to conduct software supply chain compromises

Multiple Entry Points
• Increased success rate and redundancy: a single infection vector is unlikely for an espionage operation of such scale and sophistication
• More supply chain risks: valid access of Microsoft cloud software resellers was exploited in at least one case; the NSA warned of VMware exploitation in early December

Exercising Restraint
• Killswitch: the backdoor reached most SolarWinds customers, but the second-stage payload was deployed only on high-value intended targets
• Intentionally targeted: unlike the NotPetya scenario, where a supply chain compromise resulted in widespread disruption
Key Root Causes Identified from Past Incident Response and iCAST Exercises

Summary of common and recurring issues

We work across all sectors: from FS to telco to airline subsidiaries to Hong Kong-based international conglomerates.

What we have done: end-to-end incident response cycle, from containment to threat hunting to post-incident security uplift.

What we have learnt: rapid changes in technologies and remote working due to COVID-19 increased attack surfaces and created new opportunities for attackers.

Ransomware: ransomware incidents became the most common and damaging.

Evolving tactics: threat actors are employing more manual hacking techniques during intrusion, only deploying ransomware at the final stages of their computer network exploitation.

Recurring threats: business email compromise remains a threat due to the lack of face-to-face communication while working remotely.
Heatmap of MITRE ATT&CK techniques observed

[Figure: MITRE ATT&CK Enterprise matrix (tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact), with each technique shaded by the frequency observed in PwC incident response and iCAST engagements. Legend, observed frequency: Occasionally, Sometimes, Common, Frequently.]
We observed similar, recurring techniques and issues from iCAST 1.0:
• Privileged account credentials not managed properly
• Inadequate controls to block malicious activities on endpoints
• Excessive privileges granted to service accounts
• Unprotected storage of confidential information
• Commonly used passwords for high-privileged accounts
• Insufficient network segregation
• Unpatched workstations or applications with exploitable vulnerabilities
• Inadequate protection against memory retrieval (credential dumping) and pass-the-hash attacks
• Inconsistent SMB or RDP restrictions in the OA (office automation) network
Lessons Learnt – What are the Recurring Patterns?

Flying under the radar
• Lack of security monitoring or blind spots: unattended network segments, legacy systems without logging, e.g. Linux servers
• Leveraging remote access tools: backdooring servers with common remote control software, e.g. AnyDesk
• Command and control: using data sharing platforms for exfiltration to blend into normal IT operations

Abusing low-hanging fruits
• Over-privileged accounts: compromise of users with excessive administrative rights
• Network segmentation: lateral movement across network segments with little restriction
• Legacy systems: out-of-date systems that lack proper protection and detection mechanisms (Windows Server 2003!)

Breaking in via the front door
• External vulnerability: credentials leaked via vulnerabilities in Internet-facing SSL VPN appliances (e.g. Fortinet CVE-2018-13379, Pulse Secure CVE-2019-11510)
• Exposed administrative ports: password brute-force attacks from the Internet against open RDP and SSH services
• Weak or leaked credentials: takeover of accounts by spraying common or previously leaked credentials
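The two "front door" patterns that do not need an exploit, brute force against an exposed RDP or SSH service and password spraying, are both visible in failed-logon telemetry alone, and they look different there: one source hammering one account versus one source touching many accounts a couple of times each. The block below is an added example, not code from the PwC deck. It parses constructed Windows Security Event ID 4625 records (a CSV export) and constructed Linux sshd auth.log lines, merges them, and slides a time window per source address to raise the two alert types. The thresholds, the syslog year (syslog lines carry none) and all sample addresses and user names are assumptions.

```python
"""Brute-force and password-spray detection over failed-logon events.

Added example, not from the PwC deck. Sample events are constructed;
thresholds and the syslog year are assumptions to tune per environment.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Failure(NamedTuple):
    ts: datetime
    src_ip: str
    user: str


# Constructed export of Windows Security Event ID 4625 (failed logon):
# timestamp,EventID,IpAddress,TargetUserName,Status
SAMPLE_4625 = """\
2020-10-05T02:13:01Z,4625,203.0.113.7,administrator,0xC000006A
2020-10-05T02:13:02Z,4625,203.0.113.7,administrator,0xC000006A
2020-10-05T02:13:04Z,4625,203.0.113.7,administrator,0xC000006A
2020-10-05T02:13:05Z,4625,203.0.113.7,administrator,0xC000006A
2020-10-05T02:13:07Z,4625,203.0.113.7,administrator,0xC000006A
2020-10-05T02:13:09Z,4625,203.0.113.7,administrator,0xC000006A
2020-10-05T02:40:00Z,4625,198.51.100.9,alice,0xC000006A
2020-10-05T02:40:31Z,4625,198.51.100.9,bob,0xC000006A
2020-10-05T02:41:02Z,4625,198.51.100.9,carol,0xC000006A
2020-10-05T02:41:33Z,4625,198.51.100.9,dave,0xC000006A
2020-10-05T02:42:04Z,4625,198.51.100.9,erin,0xC000006A
2020-10-05T02:42:35Z,4625,198.51.100.9,frank,0xC000006A
2020-10-05T02:43:06Z,4625,198.51.100.9,grace,0xC000006A
2020-10-05T03:05:12Z,4625,10.0.0.5,alice,0xC000006A
"""

# Constructed Linux auth.log lines (syslog format carries no year field).
SAMPLE_SSHD = """\
Oct  5 02:20:11 bastion sshd[2211]: Failed password for invalid user oracle from 203.0.113.7 port 51234 ssh2
Oct  5 02:20:13 bastion sshd[2212]: Failed password for root from 203.0.113.7 port 51235 ssh2
Oct  5 02:20:15 bastion sshd[2213]: Accepted publickey for deploy from 10.0.0.20 port 40022 ssh2
"""
SYSLOG_YEAR = 2020  # assumption: taken from the log's collection date
SSHD_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_4625(text: str) -> List[Failure]:
    out = []
    for line in text.splitlines():
        ts, event_id, ip, user, _status = line.split(",")
        if event_id == "4625":
            out.append(Failure(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower()))
    return out


def parse_sshd(text: str) -> List[Failure]:
    out = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:  # successful logons and other sshd noise are skipped
            ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append(Failure(ts, m.group(3), m.group(2).lower()))
    return out


def detect(failures: List[Failure], window: timedelta = timedelta(minutes=5),
           bf_threshold: int = 5, spray_threshold: int = 5) -> List[Dict]:
    """Slide a time window over each source IP's failures.

    brute_force:    >= bf_threshold failures against ONE account in the window.
    password_spray: >= spray_threshold DISTINCT accounts in the window with no
                    account tried more than twice (few attempts per user is the
                    tell that keeps a spray under lockout thresholds).
    """
    by_ip: Dict[str, List[Failure]] = defaultdict(list)
    for f in failures:
        by_ip[f.src_ip].append(f)
    found: Dict[Tuple[str, str, str], int] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda f: f.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            per_user = Counter(f.user for f in evs[start:end + 1])
            for user, n in per_user.items():
                if n >= bf_threshold:
                    key = (ip, "brute_force", user)
                    found[key] = max(found.get(key, 0), n)
            if len(per_user) >= spray_threshold and max(per_user.values()) <= 2:
                key = (ip, "password_spray", "*")
                found[key] = max(found.get(key, 0), len(per_user))
    return [{"src_ip": ip, "type": kind, "target": user, "count": n}
            for (ip, kind, user), n in sorted(found.items())]


def run_detection() -> List[Dict]:
    """Parse both constructed sources and return the alerts."""
    return detect(parse_4625(SAMPLE_4625) + parse_sshd(SAMPLE_SSHD))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

Merging the Windows and Linux sources before grouping by source address is the point: the same address that brute-forces a domain account at 02:13 is the one guessing root and oracle on the bastion at 02:20, and a per-product alert would show two low-priority events instead of one actor. The spray rule deliberately requires few attempts per account so that it still fires on a low-and-slow spray that never trips account lockout; the single failure from 10.0.0.5 raises nothing.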
Lessons Learnt – How Do We Tackle This Problem?

Know your business
• What does my attack surface look like?
• Where are my crown jewels?
• What technology is the business using, and what are the associated risks?
• Who are my business partners, and how well are they protecting themselves?

Know your weaknesses
• What is our oldest application in use?
• Are there blind spots in detection?
• Are the VIPs and privileged accounts being monitored?
• What is the degree of technical debt over legacy systems?
• Any prior leaked credentials, or known vulnerabilities?

Know your controls
• Do we have the right roles filled in the security team, both governance and operations?
• What appliances are there to detect suspicious activities in my network, hosts and cloud? What is their coverage?
• How good is our backup strategy?
• What is our vulnerability assessment and patching frequency?

Know your limitations
• How fast can our security team react to an active threat?
• How fast can we get a patch window for our systems?
• What are the compensating controls for the legacy systems that cannot be patched soon?
• How are we monitoring for abuse of web traffic, e.g. to cloud data sharing platforms?
• Do we have enough licenses for our security appliances?
Summary of HKMA C-RAF 2.0 Requirements

We embedded the lessons learnt from incident response, as well as the learnings from iCAST 1.0, into the C-RAF Maturity Assessment (7 key domains, of which Detection is domain 04):
• ~180 new or revised Control Principles, out of 482
• 106 totally new Control Principles

How to use C-RAF to prepare for advanced attacks
Overview of Highlighted Changes and Good Practices Observed

Highlighted changes and good practices observed, by C-RAF Maturity Assessment domain:

01 Governance
• Independence of CISO and Head of TRM
• Role-based training by SMEs
• Cyber defense enterprise architecture

02 Identification
• Threat modeling

03 Protection
• Intelligence-led vulnerability management
• Password strength checker

04 Detection
• 24x7 detection and response SOC/MDR
• EDR to detect behavior-based attacks
• Orchestration of cyber defense tools
• Purple team to identify/eliminate blind spots

05 Response and Recovery
• Drills extending to management and business
• Properly test security controls and failover mechanisms
• Clear KPIs / metrics to benchmark improvement
• Auto/self-healing

06 Situational Awareness
• Digital footprint intelligence

07 Third Party Risk Management
• Extend guiding principles to partners
• Involvement in security assessments to validate the effectiveness of controls
Recap on new requirements in iCAST 2.0

Threat-focused
• Reference MITRE ATT&CK TTPs
• New Threat Intelligence (TI) Specialist role

Intelligent SOC & Cyber Defense
• Uplift Blue Team effectiveness in defense orchestration, incident response, cyber forensics and remediation through the 360 Degree Replay Workshop

Cyber resilience
• Extending to response and recovery
• Involve the broader ecosystem if needed, e.g. partners

How to use iCAST to prepare for advanced attacks
• Do it iteratively and collaborate through Purple Team
• Be threat-focused and reference the latest MITRE TTPs
• Cover holistically: the 7 C-RAF domains
• Validate the fixes and demonstrate impact
• Prioritize implementing quick-win fixes
Enhancing Your Cyber Defense Capability with TTP-based Cyber Defense Framework

Learning from Red Team exercises – Common challenges (recap)

Abusing low-hanging fruits
• Insufficient clean-up of low-hanging fruits
• Lack of processes / technology to prevent low-hanging fruits

Flying under the radar
• Lack of tools to provide telemetry for detection
• Lack of resources / expertise to identify and recognise the TTPs

Driving appropriate remediation – Getting more out of Red Team exercises

Know your crown jewels

Depth: considering remediation depth
• Is the fix comprehensive?
• Can it be consistently applied and maintained?
• Does it solve the root issue?

Breadth: look at other relevant vectors
• How far does the fix cover other possible relevant techniques?
Driving remediation from red team results – Causing most pain for your attacker

Red Team results drive remediation against Tactics, Techniques and Procedures ("TTPs").

TTP-based Indicators of Compromise
• The detection / protection fix should aim to work against the TTPs used

Indicators of Compromise ("IOCs") with increasing pain for attackers, from the bottom of the pyramid to the top:

Indicator type           Pain for attacker
TTPs                     Tough!
Tools                    Challenging
Network/Host Artifacts   Annoying
Domain Names             Simple
IP Addresses             Easy
Hash Values              Trivial

Source: David J Bianco, "Pyramid of Pain", https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Driving remediation from red team results – Causing most pain for your attacker

Red Team: successful execution of malicious macros. TTPs:
• Execution of call-back agent through macro-based document
• Use of Living-off-the-Land binaries

[Figure: attack path of the simulated external attacker. Legend: one marker denotes a shortcut that may be used to gain access to continue testing; another denotes the step that achieved an Objective. Nodes in the diagram:]
• Simulated external attacker; enumerate publicly available email addresses
• Campaign 1: Word macro document (DOC)
• Campaign 2: Excel spreadsheet macro document with tailored malware (XLS)
• User laptop (user may report; SOC responded)
• Enumerate domain
• Privilege escalation on server
• Password hashes obtained, passwords cracked; Domain Admin
• Staging server (STG); collect target information on SharePoint
• Database admin; Database server (SQL)
• Targeted server: modification privileges on database server (Target)
Driving remediation from red team results – A typical red team situation

Red Team: successful execution of malicious macros. TTPs:
• Execution of call-back agent through macro-based document
• Use of Living-off-the-Land binaries

Mapping the candidate fixes onto the Pyramid of Pain (David J Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html), from the bottom up:
• Hash Values (Trivial): blocking the hash of the Excel file?
• IP Addresses / Domain Names (Easy / Simple): blocking the IP addresses and domains?
• Network/Host Artifacts (Annoying): artefacts created by the call-back?
Driving remediation from red team results – A typical red team situation

• TTPs (Tough!): Excel spawning a new application process

Detecting the behaviour itself, an Office application spawning a new application process, sits at the top of the pyramid: the rule still applies when the next campaign changes the document, its hash, the domain and the IP address.
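To make the contrast concrete, here is an added example (not code from the PwC deck): constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records for the two macro campaigns above are run through an IOC blocklist holding the first campaign's C2 address, and through a behaviour rule that fires whenever an Office application spawns a child process. The field names follow Sysmon's; the paths, users, IP addresses, the child-process allow-list and the severity tiers are assumptions.

```python
"""Pyramid-of-Pain contrast: IOC blocklist vs. TTP-level behaviour rule.

Added example, not from the PwC deck. Events are constructed Sysmon-style
records (Event ID 1 ProcessCreate, Event ID 3 NetworkConnect); paths, users,
addresses, allow-list and severity tiers are assumptions.
"""
from typing import Dict, List, Set

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
EVENTS: List[Dict] = [
    # Campaign 1: Word macro launches a hidden, encoded PowerShell stager
    {"EventID": 1, "UtcTime": "2020-11-02 09:14:03", "User": "CORP\\alice",
     "ParentImage": OFFICE + r"\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEA"},  # 'AAA' placeholder
    {"EventID": 3, "UtcTime": "2020-11-02 09:14:05", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "203.0.113.50", "DestinationPort": 443},
    # Campaign 2: Excel macro drops a DLL and runs it via rundll32 (LOLBin),
    # calling back to infrastructure the first incident never saw
    {"EventID": 1, "UtcTime": "2020-11-16 10:02:41", "User": "CORP\\bob",
     "ParentImage": OFFICE + r"\EXCEL.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\upd.dll,Start"},
    {"EventID": 3, "UtcTime": "2020-11-16 10:02:44", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "198.51.100.77", "DestinationPort": 443},
    # Benign: Excel printing through the print-spooler helper
    {"EventID": 1, "UtcTime": "2020-11-16 11:30:00", "User": "CORP\\carol",
     "ParentImage": OFFICE + r"\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    # Benign: Explorer launching Excel (Office is the child here, not the parent)
    {"EventID": 1, "UtcTime": "2020-11-16 11:29:50", "User": "CORP\\carol",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": OFFICE + r"\EXCEL.EXE", "CommandLine": "EXCEL.EXE Budget.xlsx"},
]

# IOCs recovered from the campaign-1 incident response (bottom of the pyramid).
KNOWN_C2_IPS: Set[str] = {"203.0.113.50"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
ALLOWED_CHILDREN = {"splwow64.exe"}  # assumption: tune to the estate's baseline
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe", "bitsadmin.exe"}
HIDDEN_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ioc_alerts(events: List[Dict], bad_ips: Set[str]) -> List[Dict]:
    """Bottom of the pyramid: match outbound connections against known C2 IPs."""
    return [e for e in events if e["EventID"] == 3 and e["DestinationIp"] in bad_ips]


def office_child_alerts(events: List[Dict]) -> List[Dict]:
    """Top of the pyramid: an Office application spawning a new process.

    Fires on the behaviour regardless of document hash, domain or IP. Severity:
    critical for a hidden/encoded PowerShell child, high for any other LOLBin,
    medium for an unexpected child that is not on the allow-list.
    """
    alerts = []
    for e in events:
        if e["EventID"] != 1:
            continue
        parent, child = basename(e["ParentImage"]), basename(e["Image"])
        if parent not in OFFICE_APPS or child in ALLOWED_CHILDREN:
            continue
        cmd = e["CommandLine"].lower()
        if child == "powershell.exe" and any(f in cmd for f in HIDDEN_FLAGS):
            severity = "critical"
        elif child in LOLBINS:
            severity = "high"
        else:
            severity = "medium"
        alerts.append({"time": e["UtcTime"], "user": e["User"], "parent": parent,
                       "child": child, "severity": severity, "cmdline": e["CommandLine"]})
    return alerts


def coverage(events: List[Dict]) -> Dict[str, int]:
    """How many distinct victims each approach surfaces on the same telemetry."""
    ioc_users = {e["User"] for e in ioc_alerts(events, KNOWN_C2_IPS)}
    ttp_users = {a["user"] for a in office_child_alerts(events)}
    return {"ioc": len(ioc_users), "ttp": len(ttp_users)}


if __name__ == "__main__":
    print("IOC hits:", [e["DestinationIp"] for e in ioc_alerts(EVENTS, KNOWN_C2_IPS)])
    for a in office_child_alerts(EVENTS):
        print(f"[{a['severity']}] {a['parent']} -> {a['child']}: {a['cmdline']}")
    print(coverage(EVENTS))
```

The IOC rule catches only the first campaign, because the second one changed its C2 address (and its document, and therefore its hash), while the parent/child rule catches both without knowing anything about either campaign in advance. In production the same rule is what an EDR or a Sysmon-fed SIEM evaluates; the allow-list is the part that needs tuning against the estate's baseline, and a child not on it but also not a LOLBin is surfaced at medium severity rather than dropped, so that a new technique is seen rather than silently excused.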
Interpreting your red team results – How about depth?

[Figure: MITRE ATT&CK Enterprise matrix (tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact) highlighting the TTPs exercised in a typical red team engagement.]

A typical TTP coverage from a red team exercise

How to gain more?
• 360 Workshop: get more first-hand information from red teamers
• Purple Teaming: extend to more TTPs within MITRE ATT&CK
Interpreting your red team results – How to continuously improve your defences

A continual improvement cycle towards holistic cyber defence:
• Red Team results: remediation against simulated TTPs; use the 360 Replay Workshop to get more depth and breadth
• Continual improvement exercises: use Purple Team to target more TTPs
• Threat Intelligence: understand TTPs from threat intelligence and add them to the next exercise
Get in touch with us
Kenneth Wong
Cybersecurity and Privacy Leader, Risk Assurance,
Asia Pacific and Mainland China/Hong Kong
+852 2289 2719
Felix Kan
Partner
+852 2289 1970
Jenius Shieh
Senior Manager
+852 2289 2086
Luca Berni
Manager
+852 2289 2938
Jason Lee
Manager
+852 2289 2084
This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
© 2021 PricewaterhouseCoopers Limited. All rights reserved. PwC refers to the Hong Kong member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.