Anatomy of a cyber attack

Looking to understand how hackers and other attackers use cyber technology to attack your network and your executives? This slide set provides an overview and details the anatomy of a cyber attack, and the strategies you can use to manage and mitigate risk.

Transcript of Anatomy of a cyber attack

Page 1: Anatomy of a cyber attack

Anatomy of a Cyber Attack

Understanding how the bad guys break into your network and wreak havoc

Created by Mark Silver, bringing Fortune 20 experience to you

Page 2: Anatomy of a cyber attack

Why should you care?

Cyber criminals and some State-sponsored agencies want your information assets as a shortcut to creating wealth

Page 3: Anatomy of a cyber attack

Who is this presentation for?

Boards of directors

Executive Management

Professionals interested in understanding cyber crime

Page 4: Anatomy of a cyber attack

Agenda

Overview of “Anatomy of a Cyber Attack”

Insight to each major step of the attack

Principles of security that you can apply

References

About the author

Page 5: Anatomy of a cyber attack

Attack Overview

Page 6: Anatomy of a cyber attack

5 Steps

1. Reconnaissance

2. Infiltration, intrusion and advanced attacks

3. Malware deployment

4. Data extraction

5. Cleanup

Page 7: Anatomy of a cyber attack

Reconnaissance

Attackers focus on either the “who” or the network:

“Who” will likely focus on privileged individuals (either for system access, or for access to confidential data)

“Network” will focus on architecture and layout; tools, devices and protocols; and critical infrastructure

It’s like a military operation: attackers want to understand their target, its operations, processes and flaws.

Page 8: Anatomy of a cyber attack

Infiltration — The Targets

Who are the board members and executives?

Can the individual access company secrets that have commercial value?

Where do they work?

What information and systems do they have access to?

Where do they hang out?

Are they on the speaking circuit, or an occasional panelist?

Typical Case Study

Attackers will focus on high-value targets and their activities. They will want to know whether executives have access to company strategies, legal strategies, high-value intellectual property, or critical company systems.

Then they will focus on where the target can be accessed. For example, some executives are regular members of certain business or country clubs, providing motivated attackers with physical access to the target. Objectives can range from befriending them to start a relationship, to a sales call with a free market report on a USB drive that also contains malware (quite feasible), to an abduction for ransom (rarer, and depends on the country).

USB drives with malware, or simply an email with the attacker’s URL that also contains malware, are particularly dangerous because such malware can be custom-written and therefore not detected by today’s antivirus software. Once this custom malware is installed, attackers have access to the corporate network in a way that is difficult to detect or correct.

Page 9: Anatomy of a cyber attack

Infiltration — The Network

Attackers want to know the trust relationships in the network, and then how to exploit them

Who can make changes (system administrators) to critical business applications? Think CRM, ERP, HR

What is the security like? Which tools are in use? How often? On which systems? How to compromise trust?

Page 10: Anatomy of a cyber attack

Preparing the attack

Once people and networks have been researched, the attacker prepares custom malware

Attackers use software development life cycles to develop custom code to achieve their objectives undetected

Attackers test, refine, retest etc. to make sure the attack is long-lasting, undetected, effective and efficient

It’s naive to assume attackers are disaffected teens. Crime syndicates pay hackers better than corporations do. Attackers are well resourced, funded and highly organized.

There is now evidence of a sophisticated hacker economy.

Page 11: Anatomy of a cyber attack

Malware testing

Attackers know corporations deploy security software that scans for known malware

So they download known malware and change it by adding new code or altering existing code

Attackers create virtual copies of the target environment and test their malware to see if it escapes the company’s security software

Year on year, malware threat alerts grew by 14%

Page 12: Anatomy of a cyber attack

Malware deployment

Security experts say 80% of malware is uniquely present in one company (i.e. 20% of malware uses known “signatures”; 80% is custom malware)

99% of mobile malware targets Android smartphones

Java comprises 90% of all web-based threats

Watering hole traps being used to target vertical industry sectors

Page 13: Anatomy of a cyber attack

Extraction

Once malware is deployed, evidence from many corporations shows:

99% of corporations are not aware of malware communication

99% of corporations did not detect malware on their own

Malware now targets critical information assets (business strategies, IP, patents, emails, legal strategies, product design, customer lists etc.), encrypts the content and sends it outside the network

Page 14: Anatomy of a cyber attack

Cleanup

Once the attacker has the information they want, they may consider cleaning up evidence of their presence (log files, accounts, permissions etc.)

However, in many cases, attacks are persistent, avoiding attention and detection and remain on the network for years, continuing to siphon valuable data.

Page 15: Anatomy of a cyber attack

Effective security strategies

Strong focus on risk management. As risk to the business increases, more rigor around consistent application of process and policy should be implemented.

Information Security leadership needs business savvy, strong risk understanding, and ability to communicate across organizational boundaries to build trust, understanding and consensus with business partners.

Information Security requires executive management focus, funding and support. Information Security should not be “buried” in the organization, but understood by the board and senior management.

Information Security processes should be embedded in all IT and business processes (not regarded as an afterthought).

Page 16: Anatomy of a cyber attack

Security strategies (2)

Rigorously document the network, servers, applications, protocols, endpoints and trusts.

Assume a breach will occur, but build a program for steady state operations, during the attack, and post-attack activity.

Principles of least trust for accounts (trust users and systems enough to do their work, but no more).

Continue with the basics: patching and correct configuration of networked devices

Page 17: Anatomy of a cyber attack

Security strategies (3)

Defense in depth using information security infrastructure is critical. Attributes include:

Implement tools that provide integrated solutions, not point-of-activity analysis

Rigorous validation of network trust relationships

Typical components include: antivirus, firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), encryption, automated patch management, mobile device management, strong user authentication, and end-user security training

Big data analytics to catch and aggregate multiple separate security events for correlation and meaningful analysis

Page 18: Anatomy of a cyber attack

Benefits

A secure product brings commercial advantage

Demonstrating security as part of supply chain brings commercial advantage

Limits risk to the organization, its business partners and its employees

It’s more cost effective to protect information than to litigate after its compromise. (Once the horse has bolted...)

Page 19: Anatomy of a cyber attack

References

In preparing this presentation, I used my own 20 years of IT experience, security work and the following as reference material. I’ve provided dates when I secured the documentation, and web addresses when I had them:

The 7 best habits of effective security pros, CSO Online, Jan 9, 2014, http://www.csoonline.com/article/print/745655

Anatomy of a Cyber Attack, The Strategies and Tools of Cyber Criminals and how to stop them, Dell Software, January 8, 2014 at 12:57 PM, http://resources.idgenterprise.com/original/AST-0100349_EB_Anatomy_of_a_CyberAttack.pdf

Four Keys to Effective 'Next-Generation' Security, October 17, 2013 at 4:35 PM, Source Fire web publication

InfoSec Defense in Depth, CDW.com, Jan 8, 2014, http://resources.idgenterprise.com/original/AST-0104557_NC_DefenseInDepth_0508.pdf

Nine Critical Threats Against Mobile Workers, Marble, December 19, 2013 at 5:01 PM, http://resources.idgenterprise.com/original/AST-0105397_MS_Nine_Threats_2013_0212.pdf

NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations

Predictions and Protection Capabilities to Consider While Preparing for Advanced Malware in 2014

Securing Executives and Highly Sensitive Documents of Corporations Globally, December 6, 2013 at 11:23 PM, http://f6ce14d4647f05e937f4-4d6abce208e5e17c2085b466b98c2083.r3.cf1.rackcdn.com/securing-executives-highly-sensitive-documents-corporations-globally-pdf-w-871.pdf

Taking a Proactive Approach to Today’s Cyber Threats - Deloitte CIO - WSJ, http://deloitte.wsj.com/cio/2013/05/14/taking-a-proactive-approach-to-todays-cyber-threats/

Page 20: Anatomy of a cyber attack

The author: Mark Silver

Mark is an international business executive who understands business, process, and using technology to drive business value while managing risk. Mark holds a Master of Business degree from the Queensland University of Technology in Queensland, Australia. He has worked in 16 countries (much of Europe, the Americas and AsiaPac) and speaks two languages (English and German). Having worked for a Fortune 20 company, governments, and medium-sized businesses, Mark's focus for the past 30 years has been on building profitable business processes leveraging enterprise IT systems and infrastructure as a CIO, CISO, Compliance Officer and Privacy Officer.

Mark can be contacted through LinkedIn at www.linkedin.com/in/markasilver/ and is happy to provide executive briefings and discuss managing risk as either a keynote speaker or panelist.
