Cyber Risk Solutions V4 - AEGISlink

Transcript of a 15-page slide deck.

Page 1

7/31/2013


Cyber Risk – What Happens and What To Do When You’re Attacked

What AEGIS Is Doing For Members

Rick Welsh, Head of Cyber Insurance, AEGIS London, Lloyd’s Syndicate 1225

Solutions, Not Problems

• AEGIS Detica white paper

• Underwriting: Detica control assessment

• Breach remediation service

• Current coverage

• CyberComplete

What is AEGIS Doing for Members?

Page 2

Cyber Security: Is the Hype Overblown?

• The Department of Homeland Security's Industrial Control Systems Computer Emergency Readiness Team (ICS-CERT) – March, 2013 Report

Weaknesses Do Exist…

• “…the number of cyber threats involving protected critical infrastructure control systems has skyrocketed over the past two years, from 9 reported incidents in 2009 to 198 in 2011.”

• “…most of the organizations to which ICS-CERT responded over the time period ‘were not prepared with adequate detection techniques.’”

Relevance of Cyber Insurance

• Regulation and litigation creep…

Privacy Law Developments Affect Utilities Too…

• Do Not Call Restriction

• Consumer Privacy Bill of Rights

• CAN-SPAM

• PCI-DSS

• Shine The Light

• Song-Beverly

• Consumer Records Act

• FTC & Wyndham Hotels

• Right to Know Acts

• Social Media & Employment

• The Electronic Privacy Information Center (EPIC) – a public interest research center in Washington, D.C. – has created a list of "potential privacy consequences of Smart Grid systems”

Consumer Protection Laws

Page 3

• Identity theft

• Determine appliance usage

• Identify activities through residual data

• Accidental invasions

• Decisions and actions based on inaccurate data

• Unwanted publicity & embarrassment

• Behavioral tracking (potential combination with personal behavioral patterns)

• Identify personal behavioral patterns

• Perform real-time surveillance

• Targeted home invasions

• Activity censorship

• Profiling

• Renter / leaser behavioral tracking

• Public aggregated searching revealing individual behavior

Relevance of Cyber Insurance

Privacy Law Developments Affect Utilities Too…

Relevance of Cyber Insurance

• The SEC addresses whether data breaches are reportable events

• The SEC considers any material development, data security included, to be a reportable event that the board must address if a security breach were to be material

• Among the risk factor disclosures to be considered by the registrant is relevant insurance coverage

• The SEC has also continued to promote disclosure to shareholders of data security issues, asking at least six companies to reveal to investors in filings that intruders had breached their computer systems

Privacy Law Developments Affect Utilities Too…

Page 4

The Relevance of Cyber Insurance

• “…Cyber attacks on America’s electric grid top the target list for terrorists and rogue states, yet we remain highly vulnerable to attacks…”

• On May 16, 2013, the Department of Homeland Security testified that it had processed 68% more cyber-incidents involving Federal agencies, critical infrastructure and other selected industrial entities in 2012 than in 2011

• A Northeastern power provider said that it was “under constant cyber attack from cyber criminals including malware and the general threat from the Internet…”

Markey & Waxman Report

Industry Responses Reveal Security Gaps

The Relevance of Cyber Insurance?

• Sinochem Group, China’s formerly state-owned chemical giant, hired Deutsche Bank AG and Citigroup Inc. in September, 2010 to evaluate moves to disrupt BHP’s bid for Potash Corp., a hostile tactic approved directly by the Chinese government, according to a report at the time by the Financial Times

• …a law firm involved in the deal detected signs of the intrusion the same month, including network disruptions. Analyzing the attack, investigators found that the spyware designed to capture confidential documents – and sent via spoofed e-mails – was compiled on a Chinese-language keyboard and China-based servers were involved in the attack, he said.

Recent Breaches

Page 5

Threats to Operational Technology

• A number of actors are motivated to use cyber attacks to meet their goals – energy is not always the end target

• The most sophisticated actors have a range of capabilities available, and have been shown to attack the sector

• Advanced attacks tend to exhibit a stable set of behaviors – with a high success rate

In the first half of fiscal year 2013 ICS-CERT has responded to over 200 incidents […] – 53% in the energy sector

• Finding links between attacks enables us to increase the amount of data we can use for attribution of each one

• This graph shows the time of day at which the attacker was active within one of the groups

• Offset to a Chinese time zone (UTC+8), the attacker shows a typical working day with an additional evening shift

Threat Landscape – Attribution

[Chart: attacker activity by hour of day, 1–24, timestamps shifted to UTC+8]
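The working-day analysis the bullets above describe, written out as an added example that is not code from the presentation or from Detica: it shifts a set of UTC activity timestamps into a candidate time zone, counts events per local hour, and reports which offset places the largest share of activity inside a nominal working day. The timestamps are constructed for illustration, and every function name is this example's own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of attacker activity (interactive C2
# sessions, for instance) pooled across intrusions linked to one group.
# These are invented values for illustration, not data from the presentation.
SAMPLE_EVENTS_UTC = [
    "2013-03-04T01:12:00", "2013-03-04T02:05:00", "2013-03-04T02:48:00",
    "2013-03-04T03:30:00", "2013-03-04T05:10:00", "2013-03-04T06:25:00",
    "2013-03-04T07:40:00", "2013-03-04T08:15:00", "2013-03-04T09:50:00",
    "2013-03-04T12:20:00", "2013-03-04T13:45:00",
    "2013-03-05T01:35:00", "2013-03-05T03:05:00", "2013-03-05T04:20:00",
    "2013-03-05T06:55:00", "2013-03-05T08:30:00",
    "2013-03-05T13:10:00", "2013-03-05T14:30:00",
]


def activity_by_local_hour(timestamps_utc, utc_offset_hours):
    """Count events per hour of day after shifting UTC timestamps into the
    candidate time zone; index i holds the count for local hour i."""
    counts = [0] * 24
    tz = timezone(timedelta(hours=utc_offset_hours))
    for ts in timestamps_utc:
        local = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).astimezone(tz)
        counts[local.hour] += 1
    return counts


def share_in_window(counts, start_hour, end_hour):
    """Fraction of all events whose local hour lies in [start_hour, end_hour)."""
    total = sum(counts)
    return sum(counts[start_hour:end_hour]) / total if total else 0.0


def best_fitting_offset(timestamps_utc, work_start=9, work_end=18,
                        candidates=range(-12, 15)):
    """UTC offset under which the largest share of activity falls inside a
    nominal working day. This only measures how well a hypothesis (e.g. UTC+8)
    fits the data; compile timestamps, language settings and infrastructure
    should corroborate it before it is treated as attribution."""
    return max(candidates,
               key=lambda off: share_in_window(
                   activity_by_local_hour(timestamps_utc, off), work_start, work_end))


def render_histogram(counts, width=40):
    """Text bar chart of counts per local hour, for a quick visual check."""
    peak = max(counts) or 1
    return "\n".join(f"{h:02d} | {'#' * (c * width // peak)} {c}"
                     for h, c in enumerate(counts))


if __name__ == "__main__":
    offset = best_fitting_offset(SAMPLE_EVENTS_UTC)
    counts = activity_by_local_hour(SAMPLE_EVENTS_UTC, offset)
    print(f"best-fitting offset: UTC{offset:+d}")
    print(f"share of activity in 09:00-18:00 local: {share_in_window(counts, 9, 18):.0%}")
    print(render_histogram(counts))
```

With the constructed sample the script picks UTC+8 and shows the daytime block plus a smaller 20:00–23:00 cluster, which is the shape the slide describes; the point of `best_fitting_offset` is that a time-zone hypothesis can be scored against the data rather than read off a chart by eye.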

Page 6

Threat Landscape – Known Attacks

Night Dragon

[Image: 1php]

• Widely reported by McAfee

• Range of industries including many large oil & gas firms

• Motivated by pricing and oil field discovery data

• Attackers came in via insecure servers in DMZ

• Familiar to security researchers for many years

• Known domains are monitored by Detica Threat Intelligence

• Recently detected attack against North American oil exploration firm which was active in 2011

Comment Crew

[Image: Malware Hosting]

• Familiar to security researchers since at least 2003

• Signature command and control protocol relies on placing hidden comments in third party web sites

• Bloomberg identified two affected US energy companies in 2012

• Detica Threat Intelligence identified an oil & gas company website being used to host a targeted zero-day attack

• Attacker was likely targeting other companies in the sector

Shamoon

[Image: JPEG ASP]

• Recent attack against Saudi Aramco

• Reused stolen third party components

• Delivered high impact payload which leaves infected machines inoperable

• Related to Comment Crew attacks

• Command and control channels subject to monitoring by Detica Threat Intelligence

• Identified compromise of two government networks in countries bordering the South China Sea

Threat Landscape – Actor Characteristics

Chinese intelligence

• Industrial scale intelligence gathering operation

• A number of hacking teams are used to conduct operations

• Some sectors or organizations are subject to standing tasks whereas others are only attacked on an ad-hoc basis

• Operational security is low which makes it relatively easy for attacks to be tracked by the security community

• Trend toward using more low profile mechanisms for command and control such as modified JPEGs

Russian state

• Appears to be focused on smaller number of strategic concerns (including European energy market) due to long-term reliance on natural resources and paranoia over economic interests

• Better operational security

• Tend to use compromised third party sites for infrastructure which makes it harder to spot links

• Very low profile first piece of malware which is then used to introduce “throw away” tools for command and control

• Trend toward performing very quick intrusions to steal credentials for use with legitimate remote access (eg VPN)

• Some evidence of low-level (BIOS) capability

Others

• Shamoon incident highlights the potential for small, local groups to launch effective attacks

• Increasing knowledge of advanced attack techniques and tools in the public domain makes it easier for small groups to develop their own attack

• Many other states are investing heavily in cyber capability. In response to Stuxnet and Flame countries such as Iran increasingly feel the need to have attack options.

• Countries may include: Georgia, India, Iran, Israel, Syria and Ukraine

Page 7

Threat Landscape – Advanced Techniques

[Chart: sectors hit by watering hole attacks from one attack group Detica covertly monitors. 2011: Technology, Defense, NGO, Oil & Gas. 2013: NGO, Government, Financial Services, Technology, Aerospace, Oil & Gas]

Change in watering hole attack frequency for one attack group Detica covertly monitors

• 2011: 4 attacks

• 2013: 16 attacks

[Chart: Business Impact (vertical axis) against Likelihood of Occurrence (horizontal axis), with the defensive postures Prepare, Monitor, Respond and Protect placed along the curve]

Defensive Strategies – Trading Against Likelihood of Occurring

• Limited impact on business as intelligence would be gained by other routes if not via a cyber attack. Monitoring gives potential to regain upper hand in negotiations.

• Could impact bottom line depending on the importance of what’s taken. Need to have ability to respond to monitoring alerts to block the more serious attacks before they impact.

• Has the potential to cause significant damage and threaten the entire business. Segregation of the most important assets is required to keep them protected from attack.

Page 8

Reducing Losses Today – Control Assessment

• Report with actionable recommendations to improve security and reduce the likelihood of a loss

[Radar chart, each axis scored 0–5: Management and policy; Staff working procedures; Corporate systems; Control systems; Operations and continuity; Compliance and audit]

Review of five key areas of operational technology security to be covered by policy

• Management and policy

• Staff working procedures

• Corporate systems

• Control systems

• Compliance and audit

• Focused discovery questionnaire & clarification calls

Process stages: Discovery – Review – Report

Defensive Strategies – Incident Handling

Confirm

• Confirm how the attack was detected & known facts

• Understand or verify network and systems architecture

• Take immediate action to protect critical resources

Capture

• Capture key logs, and infected systems

• Focus on assets known to be infected first

• Consider deployment of increased monitoring

Expose

• Forensic analysis to understand attack

• Develop intelligence

• Contact partners or other agencies

Remediate

• Safely inhibit the attack

• Secure the network

• Minimise business impact

Resume

• Confirm remediation success

• Capture lessons learnt

• Update threat intelligence

Page 9

Advanced Attacks – On Energy

Attack Duration (9 Months)

01 Aug

• Email sent from wi****[email protected] to internal employee containing ‘fax.pdf’. Forwarded to an additional employee

• Malware installed on the system, achieving persistence

01-02 Aug

• Machine information sent out

02 Aug

• Beaconing to 3 malicious domains seen

• Assumed that a 4th domain, z15consult[d]com, was also beaconed at this time

03 Aug – 02 Dec

• Additional malware introduced via original tool

24 Nov

• One connection to new domain seen from user J16517 (partial logs)

28 Mar

• Last connection seen to the malicious domains known about in the selected logs

Parties engaged during the response:

• Government agencies

• Suppliers

• Senior management

• Affected employees

Defensive Strategies – Incident Handling

Confirm

• Client organization made aware of attack by government agency

• Positive confirmation of compromise from initial triage of logs

• Engagement with government and relevant internal stakeholders

Capture

• Identification of relevant log data and potentially compromised machines

• Seizure of assets for forensic analysis

• Deployment of network probes to monitor threat activity

Expose

• Forensic analysis and reverse engineering to understand attack

• Developed attack signatures and fine-tuned monitoring

• Notification of intelligence to third parties

Remediate

• Containment of malware spread

• Deployment of patches to prevent reinfection

• Reconfiguration of monitoring

Resume

• Business analysis of potential data lost

• Full operational recovery
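The timeline above is the kind of picture an analyst reconstructs from proxy logs during the Confirm and Capture steps. As an added example, not code from the presentation or from Detica, the script below matches a defanged command-and-control watch-list against constructed proxy log lines, reports first and last sightings per domain and the users and hosts involved, flags the near-constant check-in interval that characterises beaconing, and lists watch-listed domains that never appear in the selected logs (the situation behind the "assumed" 4th domain). The log lines and the placeholder domains are invented; z15consult[d]com and user J16517 are taken from the slide, and all function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed watch-list of command-and-control domains, defanged the way
# threat-intelligence feeds usually are. z15consult[d]com is the domain named
# in the timeline above (kept in the slide's own defanged form); the others are
# placeholders invented for this example.
WATCHLIST_DEFANGED = [
    "z15consult[d]com",
    "c2-placeholder-a[.]example",
    "c2-placeholder-b[.]example",
]

# Constructed proxy log excerpt: timestamp, user, client host, destination, bytes.
# Invented values; user J16517 is the identifier used on the slide.
SAMPLE_PROXY_LOG = """\
2013-08-02 09:00:03 J16517 WS-0417 c2-placeholder-a.example 412
2013-08-02 09:05:04 J16517 WS-0417 c2-placeholder-a.example 398
2013-08-02 09:10:02 J16517 WS-0417 c2-placeholder-a.example 401
2013-08-02 09:15:05 J16517 WS-0417 c2-placeholder-a.example 405
2013-08-02 09:21:11 J16517 WS-0417 intranet.example 1200
2013-08-02 11:30:00 A00231 WS-0102 www.example 5300
2013-11-24 14:02:17 J16517 WS-0417 c2-placeholder-b.example 377
2014-03-28 08:12:09 J16517 WS-0417 c2-placeholder-a.example 410
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<host>\S+) "
    r"(?P<dest>\S+) (?P<bytes>\d+)$"
)


def refang(domain):
    """Turn a defanged indicator ('[.]', '[d]', '(dot)') back into a matchable hostname."""
    for token in ("[.]", "[d]", "(dot)"):
        domain = domain.replace(token, ".")
    return domain.lower().strip()


def parse_log(text):
    """Parse the log excerpt; lines that do not match the expected format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["bytes"] = int(rec["bytes"])
        rec["dest"] = rec["dest"].lower()
        records.append(rec)
    return records


def watchlist_hits(records, watchlist_defanged):
    """Group log records whose destination is a watch-listed domain or a subdomain of one."""
    watch = {refang(d) for d in watchlist_defanged}
    hits = defaultdict(list)
    for rec in records:
        for w in watch:
            if rec["dest"] == w or rec["dest"].endswith("." + w):
                hits[w].append(rec)
    return {w: sorted(rs, key=lambda r: r["ts"]) for w, rs in hits.items()}


def regular_intervals(timestamps, tolerance=0.10):
    """Median gap between consecutive connections and how many gaps fall within
    +/- tolerance of it. A run of near-identical gaps is the beaconing signature."""
    if len(timestamps) < 2:
        return None, 0
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    med = median(gaps)
    regular = sum(1 for g in gaps if abs(g - med) <= tolerance * med)
    return med, regular


def build_timeline(log_text, watchlist_defanged, min_regular_gaps=3):
    """Per watch-listed domain: first/last seen, users and hosts involved, hit
    count and whether the pattern looks like beaconing. Domains with no hits are
    returned separately so the gap in log coverage is explicit."""
    hits = watchlist_hits(parse_log(log_text), watchlist_defanged)
    summary = {}
    for domain, recs in hits.items():
        med, regular = regular_intervals([r["ts"] for r in recs])
        summary[domain] = {
            "first_seen": recs[0]["ts"], "last_seen": recs[-1]["ts"],
            "users": sorted({r["user"] for r in recs}),
            "hosts": sorted({r["host"] for r in recs}),
            "hits": len(recs), "median_gap_s": med,
            "beaconing": regular >= min_regular_gaps,
        }
    unseen = sorted({refang(d) for d in watchlist_defanged} - set(summary))
    return summary, unseen


if __name__ == "__main__":
    seen, unseen = build_timeline(SAMPLE_PROXY_LOG, WATCHLIST_DEFANGED)
    for domain, s in sorted(seen.items(), key=lambda kv: kv[1]["first_seen"]):
        print(f"{domain}: {s['hits']} hits, {s['first_seen']} -> {s['last_seen']}, "
              f"users={s['users']} hosts={s['hosts']} beaconing={s['beaconing']}")
    print("on watch-list but not seen in selected logs:", unseen)
```

On the constructed excerpt the first placeholder domain is reported with a roughly five-minute median gap and flagged as beaconing, the second shows a single connection (the 24 Nov style sighting), and z15consult.com is listed as never observed, which is exactly the case where an analyst has to say "assumed" rather than "seen". In a real engagement the watch-list would come from the threat-intelligence feed and the log excerpt from the proxy export gathered in the Capture step.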

Page 10

Advanced Attacks – On Energy

• Evidence suggests Russian state sponsored – Gazprom being the likely beneficiary

  • Compile times of the malware

  • E-mail +4hr timestamp in adjacent attacks witnessed elsewhere

  • In both attacks there have been stories of oil pricing and deals between the victim organization and Gazprom at the time of infection

  • Malware behaviour

Doing What Technology Can’t

David White, Chief Knowledge Officer, Axio Global

Page 11

The Magnitude of Cyber Risk

Cyber-attacks and cyber-espionage pose a greater potential danger to U.S. national security than Al Qaeda and other militants that have dominated America's global focus since Sept. 11, 2001.

It's hard to overemphasize its significance; these capabilities put all sectors of our country at risk—from government and private networks to critical infrastructures.

James Clapper, the Director of National Intelligence, April 2013

The Ubiquity of Cyber Risk

There are only two types of companies, those that have been hacked and those that will be.

Robert Mueller, Head of the Federal Bureau of Investigation, February 2013 at RSA Conference

Page 12

When We Say “Cyber Risk” What Do We Mean?

• Personal information and intellectual property losses mean material financial and reputational damage

• However, Stuxnet was a game changer – it proved that physical property losses are possible through cyber means

The Telegraph, 30 Nov 2010

The Current Mode of Defense

• Numerous technologies in the battlefield

• Chaos and confusion as to how to solve the problem

• Technology is important, but not the panacea

• Companies need to sit “in the press box” and understand the threats and the risk

Like Gladiators in the Colosseum

Page 13

“Doing What Technology Can’t”

“Doing What Technology Can’t: The Role of Risk Transfer in Effectively Managing Cybersecurity”

Catastrophic Cyber Risk Transfer

[Chart: Risk (vertical axis) against Cybersecurity Capability (horizontal axis); the curve falls steeply at first and then flattens]

• Law of diminishing returns with technology

• For low cybersecurity capability, small investments yield large reductions in risk

As the risk reduction curve flattens, investments in risk transfer will have a greater risk reduction impact

[Chart: the same curve, with the steep region labelled “Invest in technology” and the flat region labelled “Invest in risk transfer”]

Page 14

Catastrophic Cyber Risk Transfer

[Chart: Risk against Cybersecurity Capability, with the “Invest in technology” and “Invest in risk transfer” regions, showing the whole curve lowered]

Impact of catastrophic cyber risk transfer capacity is to lower the curve overall

Role of the Risk Manager

• Risk managers have a pivotal role in helping the organization rethink cyber risk

• Collaboration between risk managers and cybersecurity executives (CSOs, CIOs, CTOs, or CISOs) is imperative

• Comprehensive coverage for catastrophic cyber damage is the newest tool in the organization’s kit to manage these exposures

Page 15

Cyber Insurance Product Evolution

• Baseline Cyber Insurance

• Loss Control Assessment

• White Paper

• Policyholder Remediation Service

• Cyber Resilience Policy

• CyberComplete

Cyber insurance products tailored to meet the individual needs of AEGIS’ policyholders

AEGIS 2013 Policyholders’ Conference

Baltimore, Maryland, July 29 – August 1