Cyberattacks against Treasury Operations and Corporate Enterprise Systems
William B. Nelson
President & CEO
FS-ISAC
September 20, 2017
September 20, 2017 — FS-ISAC Confidential2
Agenda Today
• Threat Landscape
• Countermeasures
• Recent Developments
• FS-ISAC Background
• Conclusions
• Appendix: Threat Profiles and Risk Mitigation
Cybercrime Evolution
DILBERT 2005 Scott Adams. Used By permission of UNIVERSAL UCLICK. All rights reserved.
Malcode Infection Techniques
• Phishing – Widespread email – lots of victims, who click on links or attachments.
• Spearphishing – Targeted email; the victim clicks on links or attachments.
• Drive by Download – Unintentional download of malware from an infected reputable site, merely by visiting a page.
• Malvertising – Download of malicious software through an infected web ad.
• Exploits of Software Vulnerabilities – Turn a system flaw into a viable method to attack or breach a system.
• Updates to Software or Security Systems – Either from an exploited legitimate vendor or via a pop-up from a spoofed vendor update.
TLP Green
Internet Crime: exploiting the www to link suppliers and users
• Online libraries and advertisements of stolen data
• Education on how to launch spamming, phishing, and key logging attacks
• Advertisements for partners for complex fraud schemes
• Recruitment
• Detailed info sharing on technical vulnerabilities of software and specific financial institutions and their service providers
SOURCE: M-CAT Enterprises, LLC
Source: Trend Micro (Prototype Nation, The Chinese Cybercriminal Underground in 2015)
Cyber Crime Services
Services | Details | 2013 Price | 2015 Price
Email spamming | 20,000 email addresses | US $161 | US $47
Email spamming | 50,000 email addresses | US $323 | US $95
Hacking | Personal email accounts | US $48 | US $47
Hacking | Corporate email accounts | US $81 | US $95
Programming | Trojans | US $323 – 8,075 | US $315 – 7,878
Security software checking | Makes sure malware is not detected by security software | US $13 – 19 | US $13 – 19
SMS spamming | 10,000 text messages | US $126 (single price listed; year not given)
SMS spamming | 100,000 text messages | US $945 (single price listed; year not given)
Establishing a Foothold at a Bank or at a Bank’s Customers
1) Cyber criminal targets the organization and performs a vulnerability assessment.
2) A web site is compromised (www.hackedsite.com in the diagram).
3) Tainted email is sent to a bank employee.
4) Bank employee clicks on the link to the compromised web site; a remote admin tool is installed.
5) Additional tools are uploaded.
6) Using credentials gained, the cyber criminal works to establish an additional foothold to access the network – administrator credentials compromised.
Administrator Access – Wire or ACH $ out of Bank
1) With the compromised administrator credentials, logon to the ACH or wire system as Administrator.
2) Malware used to turn off ACH or wire access controls and system alerts.
Turning off System Controls – Allow Wires or ACH to Money Mules
1) With access controls and alerts turned off, wires or ACH to money mules are allowed.
2) $ wired to the mule for cash out.
BEC – Business Executive Scam
• The e-mail accounts of high-level business executives (CEO, CFO, etc.) are compromised.
• Or, the email comes from an address that looks similar to the exec’s but is not correct, e.g. “.co” instead of “.com”.
• A request for a wire is sent to the employee who is responsible for processing payments (Accounts Payable).
• In some instances, a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank “X” for reason “Y.”
BEC Fraudulent Payment
• A business is asked to wire funds for invoice payment to an alternate, fraudulent account.
• The request may be made via telephone, facsimile or e-mail:
 – If an e-mail is received, the subject will spoof the e-mail request so it appears very similar to a legitimate account and would take very close scrutiny to determine it was fraudulent.
 – If a facsimile or telephone call is received, it will closely mimic a legitimate request.
(Diagram: payment flows from the ODFI through FED ACH or TCH to the RDFI.)
Mid-sized Belgian bank loses $75 million to BEC Scammers
• Mid-sized Belgian bank targeted in January 2016, losing over 70 million euros (around $75.8 million).
• Theft perpetrated by cybercriminals and discovered by internal audit.
• Belgian newspapers report the bank was a victim of CEO fraud (or BEC scam – Business Email Compromise).
• The BEC order usually comes with a reason why it should be executed immediately and kept quiet from other employees in the department and organization.
• FS-ISAC, law enforcement, and security companies around the world have been warning businesses about BEC scams for over three years, but companies and some FIs are still falling for it.
Source: Help Net Security, posted 1/26/2016
Risk Mitigation from Malcode Infection Techniques
Human Phishing Defense Systems
• Simulated real-life phishing messages sent to employees.
• Click on link or attachment based messages.
• Personalized social engineering based on knowledge gained of employee and position.
• Employees tested to detect actual phishing messages.
• Training opportunity to increase staff awareness of cyber security and risk prevention.
Email Filtering
• System to filter all incoming emails so malicious emails are blocked and are not received by employees.
• Information received from threat intel providers and information sharing organizations such as FS-ISAC.
• Emails blocked based on the following information:
 • Attacking IP addresses
 • Email subject lines
 • URL links
 • Executable file names
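As an added example (not code from the FS-ISAC deck), the following Python screen applies the four block criteria listed above, attacking IPs, subject lines, URL links and executable file names, and adds the look-alike sender-domain check the BEC slide describes (“.co” instead of “.com”); the indicator values, domains and messages are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set
from urllib.parse import urlparse

# Constructed indicator feed, standing in for the IPs, subject lines, URLs and
# executable names that a threat-intel provider or FS-ISAC would share.
BLOCKED_IPS: Set[str] = {"203.0.113.45"}          # documentation range (RFC 5737)
BLOCKED_SUBJECTS: Set[str] = {"urgent wire request", "invoice overdue - action required"}
BLOCKED_URL_HOSTS: Set[str] = {"hackedsite.example"}
EXECUTABLE_EXTENSIONS: Set[str] = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta"}

# The organization's own mail domains (constructed); BEC look-alikes imitate these.
OWN_DOMAINS: Set[str] = {"examplebank.com"}


@dataclass
class Message:
    sender: str                      # From: address
    sender_ip: str                   # address of the connecting mail server
    subject: str
    urls: List[str] = field(default_factory=list)
    attachments: List[str] = field(default_factory=list)


def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased; the whole string if there is no '@'."""
    return addr.rsplit("@", 1)[-1].strip().lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a tiny distance between two domains signals a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, own_domains: Set[str] = OWN_DOMAINS) -> Optional[str]:
    """Return the legitimate domain that `domain` imitates, or None.
    An exact match is internal mail; a distance of 1 or 2 covers the deck's
    ".co" for ".com" case and single-character swaps inside the name."""
    if domain in own_domains:
        return None
    for own in own_domains:
        if levenshtein(domain, own) <= 2:
            return own
    return None


def screen(msg: Message) -> List[str]:
    """Return the reasons to block or quarantine the message; empty means deliver."""
    reasons = []
    if msg.sender_ip in BLOCKED_IPS:
        reasons.append(f"sender IP {msg.sender_ip} is on the block list")
    if msg.subject.strip().lower() in BLOCKED_SUBJECTS:
        reasons.append("subject line matches a shared indicator")
    for url in msg.urls:
        host = (urlparse(url).hostname or "").lower()
        if host in BLOCKED_URL_HOSTS:
            reasons.append(f"link to blocked host {host}")
    for name in msg.attachments:
        ext = re.search(r"\.[^.]+$", name.lower())
        if ext and ext.group(0) in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable attachment {name}")
    imitated = lookalike_of(sender_domain(msg.sender))
    if imitated:
        reasons.append(f"sender domain imitates {imitated} (possible BEC)")
    return reasons


if __name__ == "__main__":
    # Constructed samples: an executive look-alike with no payload, and a commodity lure.
    for m in (Message("ceo@examplebank.co", "198.51.100.7", "Quick favor"),
              Message("billing@vendor.example", "203.0.113.45", "URGENT WIRE REQUEST",
                      ["http://hackedsite.example/login"], ["invoice.pdf.exe"])):
        print(m.sender, "->", screen(m) or ["deliver"])
```

The look-alike message carries no indicator at all, which is why a list-based filter alone misses BEC and the domain-distance check is needed beside it.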
Drive by Download
Drive By Download Defenses
• Staff training to not click on links and to not surf on company computers.
• Restrict device access to the Internet.
• Sandboxing of critical systems on the corporate network, e.g., payment systems.
• Whitelisting of safe websites.
WannaCry Ransomware Attacks
• Exploit of file-sharing vulnerability in Windows.
• Uses TCP port 445 to scan for victims.
• Connects to vulnerable machines, downloads and installs ransomware.
• Microsoft patched this flaw in March 2017, so only systems that were not patched were infected with the malware.
WannaCry Ransomware Attacks
• Recommendation:
 – Keep systems patched and updated.
 – Ensure SMB ports are locked down from externally accessible hosts.
Detection, Prevention and Response Countermeasures
Malcode Infection Countermeasures
• Desktop machines and web servers updated with security patches and anti-virus software.
• Intrusion detection software across the entire enterprise network.
• Intrusion prevention software.
• Systems to detect when customers’ computers and mobile devices are compromised.
• Information sharing to identify threat indicators: malcode from originating IPs/URLs, social engineered emails and exe. files that may be on your network.
Multi-factor Authentication
• Hardware and software tokens for corporate and consumer online banking applications.
• Tokens on smart phones.
• One time PINs via SMS.
• Calling customers back to verify wires and ACH originated online.
• SMS and/or email alerts on all wires and ACH transactions, with or without SMS back to block.
• Knowledge Based Authentication – verify customer devices.
Detection
• Anomaly Detection
 • Anomaly detection at log in.
 • Anomaly detection at transaction level.
• Systems to detect when customers’ mobile devices are compromised.
• ACH debit block and/or positive pay type of systems for ACH.
• Wire and ACH white list systems.
• IP/URL filtering.
• Bank-hosted security software to protect online sessions/browser security.
Prevention
• Education of staff on combatting social engineering.
• Customer education about current threats, vulnerabilities, incidents and best practices.
• Encryption of all data including data at rest.
• Services to test employees’ responses to fake phishing messages.
• Information Sharing to learn and contribute to the community’s knowledge of hacker tactics, techniques and procedures.
• Turning off unused payment services.
Response
• Take down services.
• Information Sharing to contribute to the community’s knowledge of new threats and prevent future infection.
• Software to clean malware off of customers’ devices.
• Establish new credentials.
• Account repair and transition.
Source: Liquidmatrix, 2009
Risk Mitigation Trends Among Banks
(Chart: each countermeasure was rated on a 1–5 scale; the ratings did not survive extraction.)
RTP Countermeasure:
• Endpoint malware detection
• Dark web threat monitoring
• Client education/training
• Web session/device monitoring
• Voice biometrics
• Dual control for origination
• Out-of-band authentication
• Transaction risk modeling/risk engine
• Emerging capabilities place a heavy emphasis on applying cognitive analytics and machine learning to extremely broad and deep quantities of interaction data.
Risk Mitigation Recommendations for Companies
• Suggest that businesses adopt internal controls similar to banks.
 ➢ Dual control for origination.
 ➢ Out-of-band authentication within the business.
 ➢ Out-of-band authentication with vendors to verify when payment instructions are changed.
• Determine patterns for fraudulent wires.
 ➢ Add data to wire anomaly detection systems.
• Provide payment scheduling information to the bank for wire and ACH review queues and approval processes.
• Share information with the bank, who will, in turn, share the info anonymously within FS-ISAC.
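As an added example (not from the deck or FS-ISAC), this Python release check applies the recommended controls to an outgoing wire or ACH instruction: a beneficiary white list, out-of-band verification whenever a vendor’s payment instructions change, dual control above a set amount, and a simple anomaly score against the vendor’s payment history; the vendor names, account strings, threshold and history are constructed.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List

DUAL_APPROVAL_THRESHOLD = 25_000.00   # constructed policy value, set by the business
ANOMALY_Z = 3.0                        # flag amounts > 3 standard deviations above the vendor's mean


@dataclass
class Vendor:
    name: str
    account: str                       # bank account currently on file (constructed)
    oob_verified: bool                 # instructions confirmed by call-back to a known number
    history: List[float] = field(default_factory=list)   # prior payment amounts


@dataclass
class Payment:
    vendor: str
    account: str                       # account the instruction asks to pay
    amount: float
    approvers: List[str]               # user ids that approved the release
    initiator: str                     # user id that keyed the payment


def anomaly_score(history: List[float], amount: float) -> float:
    """Z-score of the amount against prior payments; 0 when history is too short."""
    if len(history) < 3:
        return 0.0
    sd = pstdev(history)
    if sd == 0:
        # Identical prior amounts: any change is maximally unusual.
        return 0.0 if amount == history[0] else float("inf")
    return (amount - mean(history)) / sd


def release_check(p: Payment, vendors: Dict[str, Vendor]) -> List[str]:
    """Return the control failures that must be resolved before funds move."""
    failures = []
    v = vendors.get(p.vendor)
    if v is None:
        # White list: unknown beneficiaries never go straight out.
        return ["beneficiary not on white list"]
    if p.account != v.account:
        # Changed instructions are the BEC pattern: confirm with the vendor out of band.
        failures.append("account differs from instructions on file: verify out of band")
    elif not v.oob_verified:
        failures.append("instructions on file never verified out of band")
    if p.amount >= DUAL_APPROVAL_THRESHOLD:
        # Dual control: someone other than the initiator must approve.
        if not (set(p.approvers) - {p.initiator}):
            failures.append("dual control: second approver required")
    z = anomaly_score(v.history, p.amount)
    if z > ANOMALY_Z:
        failures.append(f"amount anomalous for vendor (z={z:.1f})")
    return failures


if __name__ == "__main__":
    # Constructed vendor file and two instructions: a routine one and a BEC-style one.
    vendors = {"Acme Parts": Vendor("Acme Parts", "ACCT-1001", True, [4000, 4200, 3900, 4100])}
    routine = Payment("Acme Parts", "ACCT-1001", 4050.0, ["bob"], "alice")
    suspect = Payment("Acme Parts", "ACCT-9999", 48000.0, ["alice"], "alice")
    for pay in (routine, suspect):
        print(pay.account, pay.amount, release_check(pay, vendors) or ["release"])
```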
Recent Developments
Equifax Cyberattack
● Equifax, the credit reporting agency, discovered the intrusion on July 29, 2017.
− From mid-May to July, hackers gained access to company data, potentially compromising sensitive information for 143 million American consumers.
− September 14 – reports that the CIO and CISO have left the company.
− The attack represents one of the largest risks to personal sensitive information in recent years.
● > 50% chance that consumers with a credit report are affected.
● In addition to Social Security numbers, an unspecified number of driver’s licenses, birth dates, home addresses and other material, hackers also stole:
− Credit card numbers for 209,000 consumers
− Credit dispute documents for 182,000 others
− Far more personal information – the keys that unlock consumers’ medical histories, bank accounts and employee accounts
● Congressional, regulatory and possibly law enforcement action expected.
Equifax Ranks 3rd Largest Data Breach
Future ACH Posting Dilemma with Faster Payments
• Receiving FIs to post same day ACH credits by 5 p.m.
• Funds in the account at 5 p.m. can be withdrawn same day or wired out of the account (6:30 p.m. wire deadline).
• This creates an opportunity for cyber criminals to achieve greater success with BEC or account takeover schemes.
BEC Fraudulent Payment: Claw back of the funds
1) Company discovers the fraud and asks the ODFI for the $ back.
2) ODFI asks the RDFI for the $ back.
3) If the funds have not been withdrawn, the RDFI may return the $.
Key Question: Will the fraud be discovered before money mules have withdrawn the funds?
Race against time
Bank of Bangladesh Account Takeover: $81M successful theft via international wire transfers
• Account takeover, plus specialized malware that altered data on the SWIFT MT950 statement so that the fraudulent transactions and resulting balances were not reflected.
• Result: $81M was successfully wired from their account at the NY Fed to the Philippines and cashed out at a casino.
• Key point: Wire transfers move fast. A lot of money can be stolen in a short time.
About FS-ISAC
What FS-ISAC Delivers to Members
(Five-column table; items are listed under the column they appear beneath on the slide.)
Info Sharing:
• 500,000+ indicators tracked
• 10,000 threat repository requests/day
• 420 major advisories/month
• Bi-weekly threat calls, 500+ attendees each
Analysis:
• Full time ISAC analysis team (IAT)
• 3 Security Operations Centers (Virginia, Poland, Singapore)
• Staff embedded at NCCIC (US National Cybersecurity and Communications Integration Center)
Exercises & Products:
• Cyber Attack against Payment Systems (CAPS)
• All-Hazards Crisis Response Playbooks
• Threat advisories w/ FBI/USSS/Others
• Mitigation strategies
• Hamilton Series of exercises
Education & Training:
• Cyber Threat Training Courses
• New Expert Webinar Series
• New Learning Management System
• Topic-specific briefings, webinars (Struts, DDoS, destructive malware, payment systems, business email compromise)
Summits & Workshops:
• Four Major Summits: Singapore, Orlando, Baltimore, London
• Cross sector summits
• CISO Congress
• 20+ Workshops worldwide
FS-ISAC Ecosystem
(Diagram; the groupings below are recovered from its labels.)
Member communities: Information Security; Physical Security; Business Continuity/Disaster Response; Fraud Investigations; Payments/Risk; Member Communications
Information sources:
• Government sources: CERTs; FS Regulators; Law Enforcement; Other Intel Agencies
• Cross sector sources: other ISACs; Open Sources (Hundreds)
• Private sources: Member Submissions; Threat Intelligence Providers
FS-ISAC 24x7 Security Operations Center: Alerts; Vulnerability Alerting; Malware Forensics; PS Incidents & Analysis; After hours IAT support
Circles of Trust
» Cyber Intelligence Mail List
» Threat Intelligence Committee (TIC)
» European Threat & Strategy Committee (ETSC)
» APAC Threat & Strategy Committee (ATSC)
» Singapore Threat Intelligence Group (STIG)
» Business Resiliency Committee (BRC)
» Community Bank Council (CBC)
» Community Institution Council (CIC)
» Credit Union Council (CUC)
» Securities Industry Risk Group (SIRG)
» Insurance Risk Council (IRC)
» Payments Risk Council (PRC)
» Payment Processor Information Sharing Council (PPISC)
» Compliance and Audit Council (CAC)
» Clearing House and Exchange Forum (CHEF)
Sharing in Action: Civil Litigation against Botnet Infrastructures
• Microsoft partnered with FS-ISAC to take civil litigation actions against botnet infrastructures.
• Microsoft able to clean up over 5,000,000 infected machines in 2013-2015 (Citadel take-down).
• Microsoft and Symantec released a remedy to clean and restore infected computers' defenses automatically.
• Other takedowns included: Ramnit (2015), Shylock (2014), Zeus (2012)
Trustwave’s List of 7 Deadly Employee Sins
1) Pathetic Passwords: The most common corporate password is "Password1" because it meets the minimum complexity requirements. In 15% of physical security tests, written passwords were found on and around user workstations.
2) Peeping ROM: 71% of workers sneak a peek at a co-worker's or stranger's workstation. One in three workers leaves their computer logged on when they are away from their desk.
3) USB Stick Up: 60% of users who find random USB sticks in a parking lot will plug them into their computers; for sticks that include a company logo, the number increases to 90%.
4) Phish Biting: 69% of phishing messages get past spam filters; 27% of IT organizations have users who have fallen for malicious e-mail attacks.
5) Reckless Abandon: 70% of users do not password-protect their smartphones, and 89% of people who find lost cell phones rummage through the digital contents.
6) Hooking up with Another Man's WiFi: By 2015, the number of WiFi hotspot deployments will increase 350%, but currently, only 18% of users use a VPN tool when accessing public WiFi.
7) A Little Too Social: 67% of young workers think corporate social media policies are outdated, and 70% regularly ignore IT policies. Just over half (52%) of enterprises have seen an increase of malware infections due to employees' use of social media.
Appendix: Threat Profiles and Risk Mitigation
Threat Profile: Account Takeover
Overview
▪ Online hijacking of accounts to create fraudulent electronic payments
▪ Account Takeover first seen in 2007, proliferated in 2009
▪ Over $110M in US banking losses in 2010
▪ Lawsuits by business customers against their banks (Corps 4, Banks 2)
▪ 2016 – Interbank transfers using SWIFT, $81M loss by one bank alone
TTPs
▪ Banking Trojans include key logging, IM of tokens
▪ Malware infection predominately through spear phishing with links or attachments
▪ DDoS of sending bank’s online banking systems to conceal disbursement of fraudulent wires or ACH
▪ Additional customized malware to prevent display of confirmations or statements
Mitigation
▪ Stand-alone computers for payment origination
▪ Dual control
▪ Anomaly detection
▪ 2F & OOB authentication
▪ Malicious website blocking
▪ Perimeter email filtering
▪ Outgoing activity monitoring
▪ Remote secure browser
▪ Patch management
▪ Staff cybersecurity training
▪ Intrusion prevention systems
▪ Information sharing of IOCs
▪ Positive pay for ACH, wires
See FS-ISAC portal
Business E-mail Compromise
• Business E-mail Compromise (BEC) is a scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.
• BEC is a global scam with subjects and victims in many countries. BEC complaint data has been received from victims in every U.S. state and the scam has hit over 100 countries.
• Losses are estimated at over $1.2 billion in the last year.
Threat Profile: Business Email Compromise
Overview
▪ BEC is payment fraud where legitimate business e-mail accounts are compromised & used to conduct an unauthorized wire transfer.
▪ After a business e-mail account is compromised, actors use the compromised account or a spoofed account to send wire transfer instructions.
▪ The funds can be sent all over the world.
TTPs
▪ Often compromise CEO or CFO email, wait until execs are traveling or on vacation
▪ Often compromise vendor/supplier email and attempt to modify their bank accounts
▪ Utilize social engineering & malware to gain access
▪ Conduct substantial reconnaissance after compromise
▪ Spoof email accounts
▪ Utilize wire transfers
Mitigation
▪ Verify changes in payment instructions with verbal confirmation
▪ Limit employees that can authorize wire transfers
▪ Use out of band authentication for executive approvals (PIN, phone call)
▪ Require dual approval of wire transfers exceeding set criteria
▪ Share information with other financial entities
More info: https://www.fsisac.com/sites/default/files/news/BEC_Joint_Product_Final.pdf
Threat Profile: POS/Card Payment Systems
Overview
▪ Many retailers use customized card payment processing systems
▪ System providers have remote access to these systems to support them
▪ Criminals exploit databases and payment systems via remote access tools
▪ Employees with remote access are targeted (e.g. stealing VPN credentials)
TTPs
▪ Unauthorized access via remote access
▪ Exploiting commercial application vulnerabilities
▪ Email phishing
▪ Unsafe web browsing from computer systems used to collect, process, store or transmit customer information
Mitigation
▪ Strong password management including regular changes
▪ Disable group accounts and passwords
▪ Add multi-factor authentication
▪ Require vendors to use multi-factor authentication
▪ Monitor remote user accounts
▪ Segment payment systems from other systems
▪ Patch systems often
More info at: https://www.fsisac.com/sites/default/files/news/Alert%20--%20Securing%20Merchant%20Terminals%20Remote%20Access%20FINAL%207%20July%202015.pdf
DDoS Attack
Threat Profile: DDoS Attack
Overview
▪ A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt access to or performance of critical systems, networks or servers.
▪ Malicious actors often use DDoS attacks to distract their targets and disguise other activities and attacks such as account takeovers.
TTPs
▪ Actors leverage botnets and other resources to increase traffic to sites and services to such a point that these “jam” and legitimate users can’t immediately access them.
▪ While hacktivists use DDoS, many recent attacks have been criminals using DDoS, such as DirtJumper, to obscure account takeovers.
▪ Criminals use malware to originate unauthorized wire transfers and ACH.
Mitigation
▪ Anomaly detection.
▪ Rapid information sharing within the community when DDoS indicators are spotted.
▪ Work with Internet Service Providers to identify proactive solutions and also have a clear escalation path if a DDoS attack hits.
▪ Communication and training for customers to recognize compromised accounts.
Ransomware
• Ransomware is a type of malware that infects computers or networks & restricts users’ access to the affected computers.
• Cybercriminals then attempt to extort money from victims by displaying an on-screen alert: “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”
• An increasing number of attacks where a victim business receives an e-mail threatening a Distributed Denial of Service (DDoS) attack on its Website unless it pays a ransom.
Ransomware Statistics
• The number of ransomware attacks in 2016 was 2.7 times higher than in 2015. Its target shifted from individuals to institutions.
• It takes only one employee to click one attachment in a phishing mail to get an entire system locked by ransomware.
• C-level executives open phishing attachments at a higher rate than employees (20.8% versus 12.8%).
Threat Profile: Ransomware
Overview
▪ Malware that encrypts files/folders and demands a ransom in order to decrypt.
▪ If payment is not received by a stated date/time, files can be deleted or the decryption key can be deleted.
▪ Examples: Locky; TeslaCrypt; CryptoWall; CTB-Locker; Jigsaw
TTPs
▪ Phishing Emails
▪ Embedded Links
▪ Attachments
▪ Drive-by Downloads
▪ Exploit Software Vulnerabilities
▪ Malvertising
Mitigation
▪ Build a strong security awareness training program
▪ Up-to-date Vendor Security Software Protection
▪ Wiping/Re-imaging
▪ Review/update corporate data backup/retention/recovery policies
▪ Ensure business critical data is identified and included
▪ Test data recovery procedures PRIOR to an incident
Destructive Malware Threat
Name | Date | Alleged Threat Actor | Primary Motivation | Destructive Malware | Delivery Mechanism | Propagation Vector
South Korean Banks | 4/2011, 3/2013 | North Korea | Geopolitical | Wiper (DarkSeoul) | Network Intrusion | Patch Management Server
Saudi Aramco & RasGas | 8/2012 | Iran | Geopolitical | Wiper (Shamoon) | Network Intrusion | Network Shares
Ransomware | 9/2013 | Organized Crime | Financial Gain | CryptoLocker, CryptoWall, TeslaCrypt | Exploit Kits, GameOver Zeus, MalSpam | N/A
Sands Casino | 2/2014 | Iran | Geopolitical | Wiper | Network Intrusion | Unknown
SONY | 11/2014 | North Korea | Geopolitical | Wiper | Network Intrusion | Network Shares
Korea Hydro & Nuclear Power Company | 12/2014 | North Korea | Geopolitical | DestFallen | Spear Phishing | Did not attempt to propagate
Threat Profile: Destructive Malware
Overview
▪ A destructive malware attack is a unique threat in that it is both infrequent and yet potentially catastrophic.
▪ Presents a significant threat to an organization’s daily operations and business continuity; it impacts confidentiality, integrity and availability of data, and can thwart an organization’s ability to recover from an attack (e.g., Las Vegas Sands, SONY Entertainment).
TTPs
▪ Actors use a variety of methods, including phishing and social engineering, and drive-by downloads to infect systems with destructive malware
Mitigation
▪ Build a strong security awareness training program
▪ Perform consistent and ongoing security monitoring, prevention and risk mitigation
▪ Participate in industry information sharing forums
▪ Ensure you have a strong and well known reporting procedure for social engineering attacks
▪ Use application based controls requiring active verification as a control against data integrity attacks
Destructive Malware/Data Integrity TF White Paper
• 13 November 2015: FS-ISAC posted TLP Green version of the paper to the FS-ISAC Portal
• 23 November 2015: FS-ISAC distributes TLP White version of the paper and press release
• https://www.fsisac.com/sites/default/files/news/Destructive%20Malware%20Paper%20TLP%20White%20VersionFINAL2.pdf
Corporate Espionage Objectives
Corporate Strategy
• New market entrants
• Strategic partnerships
• Services, products used by company or government
Trade Secrets
• Pending mergers and acquisitions
• Foreign investments
Financial Strategy
• Competitor bidding
• Foreign subcontractors / outsourcing arrangements
• Critical infrastructure contracts
• Bids on government contracts
Intellectual Property
• Research and development advancement
• New product launches
Information Sharing
ONE ORGANIZATION’S INCIDENT BECOMES
THE INDUSTRY RESPONSE