ERIN DAYTON WV CYBER SECURITY CONFERENCE OCTOBER 25,...
ERIN DAYTON
WV CYBER SECURITY CONFERENCE
OCTOBER 25, 2016
MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER
The U.S. Department of Homeland Security has designated the MS-ISAC as its key cybersecurity resource for cyber threat prevention, protection, response and recovery for all U.S. State, Local, Tribal and Territorial (SLTT) governments.
WHO WE SERVE
MS-ISAC Members include:
All 56 US States and Territories
All 78 federally recognized fusion centers
More than 1,000 local governments and tribal nations
State, Local, Tribal, and Territorial
Cities, counties, towns, airports, public education, police departments, ports, transit associations, and more
HOW DO YOU KNOW YOU ARE A TARGET?
Knock, knock…
January 2014
WHY GOVERNMENT?
Criminals look for data......
And governments have a lot of it!
AFFECTED ENTITIES
Agencies
State Police
Local Police
K-12 School Districts
Community Colleges
State Universities
Hospitals
Airports
Mass Transit
Port Authorities
Vulnerabilities
• Content Management Systems
• Plug-ins
• Server
• Web Programming Language
Phishing
• Well Written
• Appear Credible
• Enticing or Shocking Subject
• Apparent Trusted Source
TLP: GREEN
CYBER THREAT ACTORS
Nation-states
Cyber Criminals
Hacktivists
Insiders
Terrorists
TLP: GREEN
NATION STATE ACTORS/APT
Intellectual Capital
Competitive Insight
Political Leverage
Cyber Warfare
TLP: AMBER
APRIL – MAY 2016 NATION-STATE CAMPAIGN
1 Campaign
Targets predominantly ran Follett’s Destiny software (K-12 schools)
Total entities notified: 103
[Pie chart: Impacted Entities. Legend: K-12 School, Local Government, Local Law Enforcement, Private School, Public University, State Government. Segment labels: 62%, 7%, 1%, 6%, 6%, 18%.]
TLP: AMBER
NATION-STATE SPEAR PHISHING
Agency Director
Agency Deputy Director
Work related
Expected business need
Expected topic
Unknown person
Government employee
Expected business need
Implied relationship
TLP: WHITE
UKRAINE’S CRITICAL INFRASTRUCTURE
Boryspil International Airport – Kiev, Ukraine
Power Grid Shut Down
80,000 customers lost power for 6 hours
BlackEnergy Malware
IP Attributed to Russia
TLP: GREEN
CYBER CRIMINALS
Varying Expertise
Financial Motivation
Locky
Zeus
Upatre/Dyre
Dridex
Vawtrak
Bedep
TLP: WHITE
TECH SUPPORT CALL SCAM
TLP: GREEN
BUSINESS EMAIL COMPROMISE
• From the CEO or Senior Executive
• To someone in the finance department
• Sense of urgency
• Abrupt text normal to an email from a phone
Date:
FROM: CEO
TO: Finance Department
SUBJECT: Question
Are you available? Wire transfer needs to go out. Also what is the balance of General Funding Account? Let me know when you are ready. Reply as soon as possible.
Sent from my iPhone
Hollywood Presbyterian Hospital
“The quickest and most efficient way to restore our system and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”
W-2 Phishing Campaign Targets States in Early 2016
TLP: GREEN
CREDENTIAL HARVESTING PHISHING EMAILS
Subject: IMPORTANT TAX RETURN DOCUMENT AVAILABLE
Credential Harvesting Website
Spoofed email that appears as ESSW2@[targeted domain]
TLP: GREEN
MS-ISAC INVESTIGATION
Opportunistic compromise of webpages running out-of-date versions of PHP
Created mirrors of SLTT human resource web pages
The URIs of these mirrored webpages ended with “esslogin.htm”
If a user follows the link in the phishing email, the user is directed to the compromised webpage and is prompted to log in
Analysis of HTTP POST traffic indicates credentials entered (valid or not) are sent via Perl script to a hxxp://formbuddy.com account
After the credentials have been submitted, the user is redirected to the legitimate targeted state website
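A detection sketch for the sequence described above, added here as an example and not part of the MS-ISAC presentation: it correlates a visit to a page ending in “esslogin.htm” on a host that is not your own HR portal with a later POST to formbuddy.com from the same client. The log format, host names, request paths, allowlist and 10-minute window are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

LURE_SUFFIX = "esslogin.htm"    # URI ending reported on the slide
DROP_DOMAIN = "formbuddy.com"   # form service that received the POSTed credentials
LEGIT_HOSTS = {"hr.state.example.gov"}  # assumption: your real HR portal host(s)
WINDOW = timedelta(minutes=10)  # assumption: max gap between lure view and POST

# Constructed proxy log, one request per line: time client method url
SAMPLE_LOG = """\
2016-02-11T09:14:02 10.1.4.27 GET http://www.smallshop.example.net/hr/esslogin.htm
2016-02-11T09:14:41 10.1.4.27 POST http://www.formbuddy.com/submit
2016-02-11T09:14:43 10.1.4.27 GET https://hr.state.example.gov/
2016-02-11T09:20:10 10.1.4.91 GET http://blog.example.org/wp/ESSLogin.htm?id=7
2016-02-11T09:31:55 10.1.4.33 GET https://hr.state.example.gov/portal/esslogin.htm
2016-02-11T10:02:00 10.1.4.50 POST http://www.formbuddy.com/submit
"""


def parse(line):
    """Split one log line into (time, client, method, host, path, url)."""
    ts, client, method, url = line.split(maxsplit=3)
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    return (datetime.fromisoformat(ts), client, method.upper(),
            host, parts.path.lower(), url.strip())


def in_domain(host, domain):
    """True for the domain itself and any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def find_harvest_events(log_text):
    """Return one finding per lure-page view, upgraded if a POST follows."""
    records = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    findings = []
    last_lure = {}  # client -> most recent finding for that client
    for ts, client, method, host, path, url in records:
        if path.endswith(LURE_SUFFIX) and host not in LEGIT_HOSTS:
            finding = {"client": client, "time": ts, "lure_url": url,
                       "status": "lure_visited"}
            findings.append(finding)
            last_lure[client] = finding
        elif method == "POST" and in_domain(host, DROP_DOMAIN):
            # A POST to the form service alone is not flagged: only the
            # lure-then-POST sequence from the same client is.
            finding = last_lure.get(client)
            if finding and ts - finding["time"] <= WINDOW:
                finding["status"] = "credentials_submitted"
    return findings


if __name__ == "__main__":
    for f in find_harvest_events(SAMPLE_LOG):
        print(f["time"].isoformat(), f["client"], f["status"], f["lure_url"])
```

Because the slide notes that entered credentials are sent whether valid or not, a `credentials_submitted` finding identifies an account to review, not a confirmed valid login.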
HACKTIVISTS
Targeted
Opportunistic
Social, Political & Ideological Agenda
DDoS Attacks
Doxing
System Compromise
Web Defacements
TLP: GREEN
PERSONALITIES
Business Man:
– lone hacker
– range of skills, TTPs
– programmer, hacker-for-hire, botmaster
Business:
– organized criminals, nation-states
– financial gain, espionage
actors
soldiers
owners
Home user / Student:
– script kiddies, lone hackers, hacktivists
– range of skills and TTPs
– in it for the “lulz,” fame, maybe financial gain
TLP: GREEN
COMMON MOTIVES AGAINST SLTTS
Alleged Use of Excessive Force by LEO
Perceived Injustice
Alleged Animal Cruelty by LEO
Alleged Offensive Comments
Anti-Government
Opportunistic
Unknown
TLP: GREEN
COMMON CTA TTPS
DDoS Attack
Doxing
Claimed SQLi
Website Defacement
Data Release
Claimed XSS
Compromised Computer/Server
Account Compromise
Spear Phishing
Phone Bomb
Scanning Activity
TLP: GREEN
INSIDERS
Power & Control
Varying Expertise
Financial Motivation
Accidental
Revenge
Guests
Former Employees
Trusted 3rd parties
TLP: WHITE
EMPLOYEE MISTAKES
SSID: marko
Password: w3Lc0m3!HERE
TLP: WHITE
EVERYONE MAKES MISTAKES…
The trick is to learn from them!
24 X 7 SECURITY OPERATIONS CENTER
Support: Network Monitoring Services, Research and Analysis
Analysis and Monitoring: Threats, Vulnerabilities, Attacks
Reporting: Cyber Alerts & Advisories, Web Defacements, Account Compromises, Hacktivist Notifications
Central location to report any cybersecurity incident
To report an incident or request assistance:
Phone: 1-866-787-4722
Email: [email protected]
MONITORING OF IP RANGE & DOMAIN SPACE
IP Monitoring:
• IPs connecting to malicious C&Cs
• Compromised IPs
• Indicators of compromise from the MS-ISAC network monitoring (Albert)
• Notifications from Spamhaus
Domain Monitoring:
• Notifications on compromised user credentials, open source and third party information
• Vulnerability Management Program (VMP)
Any SLTT
Send domains, IP ranges, and contact info to:
VULNERABILITY MANAGEMENT PROGRAM
What Data Are We Collecting?
Server type and version (IIS, Apache, etc.)
Web programming language and version (PHP, ASP, etc.)
Content Management System and version (WordPress, Joomla, Drupal, etc.)
Any SLTT
Email notifications are sent with 2 attachments containing information on out-of-date and up-to-date systems:
• Out-of-date systems should be patched/updated and could potentially have vulnerabilities associated with them
• Up-to-date systems have the most current patches
SOLTRA EDGE
Machine-to-Machine indicator transfer
To gain an account contact:
MS-ISAC Membership
MALICIOUS CODE ANALYSIS PLATFORM
A web-based service that enables members to submit and analyze suspicious files in a controlled and non-public fashion
Executables
DLLs
Documents
Quarantine files
Archives
To gain an account contact:
MS-ISAC Membership
COMPUTER EMERGENCY RESPONSE TEAM (CERT)
Incident Response (includes on-site assistance)
Network & Web Application Vulnerability Assessments
Malware Analysis
Computer & Network Forensics
Log Analysis
Statistical Data Analysis
Penetration Testing
To report an incident or request assistance:
Phone: 1-866-787-4722
Email: [email protected]
Any SLTT
MS-ISAC ADVISORIES
Public Information
MONTHLY NEWSLETTER
Distributed in template form to allow for re-branding and redistribution by your agency
Public Information
NATIONAL WEBCASTS
Prioritize Your NIST CSF Implementation with the CIS Critical Security Controls (June)
Internet of Things (April)
2016 Predictions from the MS-ISAC (February)
Cybersecurity Year in Review and 2016 Preview (December 2015)
National Cybersecurity Awareness Month: Tips for Staying Safe Online (October 2015)
https://msisac.cisecurity.org/webcast/
A collaborative effort between DHS and MS-ISAC to provide timely and relevant cybersecurity education and information
Public Information
WEEKLY MALWARE IPS AND DOMAINS
MS-ISAC Membership
MS-ISAC CYBER ALERTS
MS-ISAC Membership
MS-ISAC INTEL PAPERS
MS-ISAC Membership
FEE BASED SERVICES
Network Monitoring (Albert)
Managed Security Services (MSS)
Web application vulnerability assessments
Network vulnerability assessments
Penetration testing
Phishing engagements
Security assessments
Fee Based Services
For more info on any of these contact:
MS-ISAC ANNUAL MEETING
2016 Location…
San Antonio, TX!
TLP: WHITE
WHAT CAN YOU DO?
Low Hanging Fruit!
1. PATCH!
2. Use defensive software
3. Back-up
4. Train users
5. Enforce strong, complex, unique passwords
Critical Security Controls
1. Identify authorized and unauthorized devices
2. Inventory authorized and unauthorized software
3. Secure configurations for hardware and software
4. Continuous vulnerability assessment and remediation
5. Controlled use of admin privileges
TLP: WHITE
IDENTIFY MALICIOUS ACTIVITY
Antivirus, Firewalls, IDS/IPS, Logs (90 days!)
Places to Look: Pastebin, Ghostbin, Zerobin; Twitter; Facebook; Google; SHODAN
Things to Look For: Announcements, Hashtags, Doxings
Hacktivist DDoS Claim
SHARE INFORMATION
Be prepared
Learn from others’ best practices
Gather intel to help you be proactive
Be willing to ask for help
Identify other resources to augment what you are doing
Be a part of the solution
Take part in information sharing
TLP: WHITE
WHO DO I CALL?
Security Operations Center (SOC)
[email protected] - 1-866-787-4722
31 Tech Valley Dr., East Greenbush, NY 12061-4134
www.cisecurity.org
To join or get more information: https://msisac.cisecurity.org/members/index.cfm
MS-ISAC CONTACT NUMBERS
Security Operations Center
24/7 Phone Number
1-866-787-4722
MS-ISAC HQ
Front Desk
518-266-3460
Thank You!
Erin [email protected]