FORENSIC DRIVEN 2019- LEARNINGS...investigator, SISA has successfully investigated several ... when...

SISA TOP 5 FORENSIC DRIVEN LEARNINGS JUNE 2020 Forensics Driven Cybersecurity 2019- 2020


ABOUT THE REPORT

With over 14 years of industry presence in cybersecurity, SISA brings vast domain knowledge and experience in conducting over 1,000* engagements, encompassing forensic investigations, compliance audits, security testing, and security operations over the years. As a leading forensic investigator, SISA has successfully investigated several cybersecurity breaches to understand the root cause and contain the breaches to reduce the impact on the organizations.

As technology is evolving, enterprise behaviors are changing, and the world takes on the digital transformation journey, the cybersecurity landscape is becoming more challenging. To add to the current challenges, COVID-19 has made things more complicated, as more organizations embrace work from home solutions and turn to cloud-based tools.

Having observed the patterns of attacks and how prepared organizations are to defend against or prevent them, make systems more secure, and protect businesses from repeat attacks, SISA presents "SISA TOP 5 FORENSIC BASED LEARNINGS" that all organizations must consider. Here are the top reasons why every CXO must read this:

▶ To redefine your cybersecurity approach and make it a priority to evaluate and reduce your attack surface.

▶ An understanding of the HOW and WHY of security attacks.

▶ A few impactful measures that organizations can consider to improve their security posture.

These learnings are primarily based on our forensic investigations, supported by various audits, security testing, incident response, and SOC monitoring performed between April 1, 2019, and March 31, 2020.

Copyright © 2020 SISA TOP 5 FORENSICS BASED LEARNINGS 1

THERE ARE ONLY TWO TYPES OF COMPANIES: THOSE THAT HAVE BEEN HACKED AND THOSE THAT WILL BE.

– ROBERT MUELLER, FORMER FBI DIRECTOR


INTRODUCTION

Recently, cyber attackers hacked the server of a reputed Indian bank and transferred a huge sum of approximately 12 million USD. ATM cash out is a highly planned and choreographed cyber-attack, where the attacker compromises a payment processor or bank’s payment back end systems to siphon money across various ATMs. In 2018, hackers transferred over 130 million USD from a bank by penetrating its network and injecting a fake response malware script. SISA observed that subsequently, more than 10 global banks became victims of cyberattacks in 12 months, and the attacks were made using the same attack vector.

WHAT DOES THIS MEAN TO THE ORGANIZATIONS?

HOW PREPARED ARE ORGANIZATIONS AGAINST THESE THREATS?

WHAT DOES IT TAKE TO BE PREPARED TO TACKLE THESE ATTACKS?

Security breaches have significantly increased in recent times, and phishing emails are the ingress point for a large number of cyberattacks. Hackers are continually looking for opportunities to attack, and it is said that organizations must think ahead of time to prevent such attacks. It takes only a small, vulnerable system for an attacker to break in and make lateral movements. Most of these breaches go undetected until the actual breach happens.

Security is essential and always tops the priority list for most organizations. However, during a pandemic situation such as COVID-19, where most businesses have taken drastic measures to invoke Business Continuity Plan (BCP) and have their entire staff working from home, security in such situations takes center stage.

[Figure: TECH INVESTMENTS AMID COVID-19. How do you see funding in the following areas getting impacted by Covid-19? Responses (More / No Change / Less, in %) for Business Transformation, Security, AI, Cloud, Data Analytics, DC Infrastructure, Collaboration, Mobility, and Networking. Source: IDG, CIO India survey on COVID-19’s impact on IT jobs and investments.]

About 56% of the CIOs stated that there will be an increase in spend on security.


It is highly likely that the focus and spend to secure systems will increase with changing work environments, because the shift from a secured and less vulnerable infrastructure (where carrying devices like mobiles, tablets, or pen drives was restricted) to unsecured remote working environments makes the systems more vulnerable. With the mass move to working from home, it is highly likely that systems have become more vulnerable to threats.

Malware (including ransomware) and account compromises are stated to have increased with new work environments.

The average cost of a data breach has reached $3.92 million, which is an alarming number for any organization. In this situation, taking proactive security steps and following security best practices can protect organizations from dreadful cyber attacks.

Due to COVID-19 and work from home mandates, organizations are heavily investing in cloud-based tools. We may also see a surge in digital transformation, leading to the adoption of cutting-edge technologies such as Artificial Intelligence, workplace collaboration tools, mobility, etc. As organizations gear up for rapid digital transformation, it is pertinent that they also adopt a holistic security approach that takes care of all endpoints and infrastructures with no loose ends. It only takes a small loophole for an attacker to ingress into a corporate network.

For instance, in the wake of the COVID-19 situation, SISA warns organizations of online skimming. The nature of these attacks is dangerous and hard to detect. Threat actors use various ways to inject malicious JavaScript into the target websites, and the script is triggered when the victim submits payments on the website.

The foundation of any organization building a relationship with its customers is trust. When security is compromised, then the foundation of trust becomes weak. Loss of business is a high price that most organizations pay for a security breach. There are multiple overarching reasons why organizations fail to detect or respond to cybersecurity attacks.

THREE ESSENTIAL STEPS ORGANIZATIONS NEED TO TAKE:

MULTI-LEVEL TRAINING

Extensive training programs for employees, starting with the basics of cybersecurity and extending to best practices, are mandatory. As much as external threats are happening, internal mistakes could be equally dangerous.

AVOID MAGIC BOX SYNDROME

Investing in a security product alone does not ensure an organization's security. An adequate understanding of the environment, and implementing the product correctly to meet the needs of your organization, is pertinent.

RIGHT SKILLSET

Security skills are in short supply, and getting the right skill set is often a challenge. Proactively forming a team of experts or relying on external experts can be considered.

THIS DOCUMENT IS THE ESSENCE OF OUR UNDERSTANDING OF THE ATTACK PATTERNS, THE EVOLVING SITUATIONS, AND THE POTENTIAL NEW NORMAL THAT THE FUTURE HOLDS FOR MOST ORGANIZATIONS.


1. FREQUENT PATCHING

What it is?

Application releases bring updates and upgrades to both application functionality and security. Application security updates are highly critical for organizations. Most often, applying security patches has multiple dependency factors such as reconfiguration of infrastructure, downtime, proper testing, etc. Fearing business impact, most organizations tend to delay applying the security patches, which leads to systems becoming more vulnerable to threats. Holistic and increased security infrastructure is essential with the technical evolution and prevalence of cloud applications.

Observations

Organizations are concerned about downtime or other dependency factors, so most tend to delay the installation of patch upgrades. However, what they don't realize is that with every delay, the window of opportunity for hackers increases. Organizations must plan for these updates to be conducted swiftly and regularly for minimal disruptions. SISA observed that organizations typically have a patch cycle of three to six months, depending on the scale of the organization. Also, the observations showed that organizations tend to ignore the cloud infrastructure for patch management. When organizations enable work from home and usage of cloud solutions, virtual machines must also get patched. Delay in security patching has become more relevant, especially during COVID-19 situations where most organizations' employees are working from home for longer durations. Often organizations perceive that security is the primary responsibility of the cloud service provider; however, the end-user organization holds an obligation towards security patching as one of its key responsibilities.


Mitigations

Most organizations adopt a differentiated approach, where patches on mission-critical applications take place promptly, but there exists a lesser priority on non-mission critical applications. However, paying attention to all non-mission critical applications and ensuring quarterly patches at the minimum is essential to avoid security lapses, as often these applications become the primary ingress points into corporate networks for attackers.

Frequent patch management is essential to safeguard systems or applications. Benchmarking against CIS (Center for Internet Security) provides necessary guidance to ensure that infrastructure is on par with the latest security norms.

With the increased usage of cloud applications, the environment has now gone beyond data centers. Organizations must adopt holistic security that goes beyond traditional datacenters and operating systems; the approach must also include network devices, OEMs, Hyper-Vs, 3rd party applications, etc.

Organizations must follow top business imperatives for successful patching, like regular system rebooting to apply patch updates. Define SLAs on patch updates with third-party vendors in case of dependent applications, and embrace automation to better manage the voluminous data and IT assets. Vulnerability assessment must be carried out frequently to ensure security.

ALMOST HALF OF RESPONDENTS (48%) REPORT THAT THEIR ORGANIZATIONS FACED ONE OR MORE DATA BREACHES IN THE PAST TWO YEARS. 60% OF THESE RESPONDENTS SAY THESE BREACHES COULD HAVE OCCURRED BECAUSE A PATCH WAS AVAILABLE FOR A KNOWN VULNERABILITY BUT NOT APPLIED.

– PONEMON INSTITUTE LLC, COSTS AND CONSEQUENCES OF GAPS IN VULNERABILITY RESPONSE


2. ADDRESS APPLICATION VULNERABILITIES

Overview

Often, as an initial intrusion point, hackers tend to target vulnerable applications like HRMS systems, CRM, etc. Hacking one of these applications is not the end game; hackers leverage these ingress points to make lateral movements and access more confidential and sensitive IT assets/data. Hence, giving utmost importance to security from inception to deployment is highly critical, yet it often takes a back seat during rushed release cycles of an application. While solutions like Web Application Firewall (WAF) can be used to counter application security issues, addressing the root cause in the application's code is still an essential and unavoidable aspect of making an application secure.

Observations

SISA’s forensic investigations conclude that application security vulnerabilities are one of the top contributors to breaches. Also, SISA observed that application vulnerabilities resulted in the most common exploits, including SQL injection, command injection, and insecure cryptographic storage.

Open source components and their usage are prevalent in the industry. When code is used loosely without vetting for proper security, the possibility of opening the application to security loopholes is far higher.

While DevOps has created noise in the industry for its agility and faster releases, it also comes with its own set of challenges around ignored security. Considering the nature of DevOps, organizations tend to make more frequent and faster releases. With various release pressures, security is often ignored, or not channelized through proper testing mechanisms. Besides, frequent application changes, including new features and the opening of APIs and SOAP requests, lead to the exploitation of hosted application libraries.

Security is not just about technology; it is also about culture. Oftentimes, security does not come as a practice. Resources are more focused on feature-based development of applications and pay less attention to security practices, leading to the development of vulnerable apps. Security flaws are often discovered at the grassroots level and must be rectified at the development stage. Lack of resources trained in secure coding is a great contributor to issues in applications.


Mitigations

Security by design is often neglected. Most applications are tested for security during the testing phase. Imbibing best practices like 3Ds – secure by design, secure by development, and secure by deployment is highly critical.

A change in the mindset of developers plays a significant role, as developers are more focused on features. While features are an essential aspect of application development, security goes on the back burner. Paying attention to security right from design plays an important role, and a developer’s mindset must change to embed security right from inception.

Thorough vetting of open source code, and not mere copy-pasting, is essential.

It is suggested for application developers and penetration testers to follow the OWASP testing guide that helps in testing web applications and web services.

As part of DevOps, Continuous Integration (CI) and Continuous Delivery (CD) must embed security from the beginning of the development cycle, thereby following DevSecOps best practices. Proper testing mechanisms using automation would help speed up processes and ensure security and employee productivity.

Following the process of continuous testing by including security best practices such as Red Team Exercise, Black Box Penetration Testing Activities, etc. would help organizations in taking that additional measure towards securing their applications. Including all web interfaces, respective roles, and web services as part of application security testing is also essential.

Web interfaces and web services must be included as part of web application security testing. Similarly, a Web Application Firewall (WAF) must be configured to monitor all web interfaces and services.

Security testing is usually conducted in the UAT (User Acceptance Test) environment to ensure the smooth functioning of production systems. However, fixes identified in the UAT environment must be replicated in the production environment; this is a highly critical measure to ensure application security.

THE HIGHEST SECURITY RISKS TO THE ORGANIZATION CAME FROM A CUSTOMER-FACING WEB APPLICATION (49%) FOLLOWED BY INTERNAL BUSINESS APPLICATIONS AT 22% AND THE REST FROM MOBILE APPLICATIONS AND EMBEDDED DEVICES (IOT).

– RSA


3. INTELLIGENT MONITORING

What it is?

With every action on the system, a log gets recorded. These logs are monitored to detect security threats. When the logs are not effectively monitored, the systems are more susceptible to breaches. With specific pre-defined rules in place, the logs are continuously monitored for any potential threats. However, as technology evolves, the monitoring of activities has become more intelligent. AI-driven monitoring, or in other words intelligent monitoring, is gaining traction; it goes beyond basic automation and can monitor even unstructured data, including user behavior.

Observations

Any organization faced with a threat has a small window of opportunity to tackle it. SISA observed that, on average, an intruder resides in the company network for about 180 days. While 180 days may seem like a long time, it is not a simple task to detect intruders unless the organization has robust threat monitoring systems. One of the key contributing factors to security threats is heterogeneous environments. With a workforce spread across the globe, increased use of devices, both personal and professional, BYOD policies, and increased adoption of cloud technology, the extent of monitoring has significantly expanded. Are organizations prepared to handle such an extensive network of devices?

Most organizations have log monitoring based on simple rules and basic automation. Adoption of AI-driven intelligent threat monitoring helps organizations be more proactive than reactive to threats. The advancement in technology can now help organizations in threat hunting to identify attacks based on TTP (Tactics, Techniques, and Procedures).


Mitigations

As technology becomes sophisticated and endpoints increase in number, the system becomes more vulnerable to threats. Hence, basic rule-based automation will not suffice to fine-comb all threats. Adopting AI and moving towards intelligent threat monitoring solutions like Managed Detection and Response (MDR) helps organizations meet larger monitoring goals and go deeper.

Alert fatigue is a result of extensive log monitoring and frequent alerts. Continuously revisiting and refining rules to meet the changing needs of an organization helps improve the process and potentially decrease alert fatigue.

Organizations must conduct a holistic tagging and logging of all devices in their infrastructure and not just their critical systems. It is one of the crucial steps to detect attacks and to ensure all devices are under the radar of monitoring.

Monitoring should not be just reviewing reactive correlation alerts from SIEM solutions. SISA recommends proactive threat hunting as a mandatory component in the organization’s SOC monitoring process.

BY 2022, 50% OF ALL SOCS WILL TRANSFORM INTO MODERN SOCS WITH INTEGRATED INCIDENT RESPONSE, THREAT INTELLIGENCE, AND THREAT-HUNTING CAPABILITIES, UP FROM LESS THAN 10% IN 2015.

– GARTNER


4. DILIGENT ACCESS MANAGEMENT

What it is?

Access management to applications is compromised when an attacker gets hold of access credentials by brute forcing or other means. Shared user IDs, service accounts that are outside the scope of password policies, and privileged user accounts are typical targets for breaches. Knowing these threats and diligently defining access privileges can help an organization reduce its cybersecurity risks.

Observations

A lack of clear definition of access privileges, and of the scenarios in which a user is granted access, has led to a series of breaches and is one of the most significant contributors. SISA observed that the other common reason leading to breaches is the use of poor passwords or careless management of passwords. Weak passwords that one can easily guess, like a birthdate, company name, home numbers, etc., lead to hackers gaining access to critical applications. Other critical initiatives that organizations do not follow actively are monitoring and reviewing access logs periodically and implementing Two Factor Authentication.


Mitigations

Multifactor authentication is a critical mitigation factor to avoid breaches.

Implementing robust authentication mechanisms between the application and the database, using proper key management and encrypting the database string, is necessary.

Organizations procure software and often have shared users. Repeated usage of access credentials can lead to weakening of the system security, and hence, organizations must avoid shared user access.

A privileged access management solution must be implemented that provisions temporary access on a need basis and for a finite or defined duration.

Securing passwords by using password vaults and using strong password credentials is essential.

Creating an Access Control Matrix that maps all users and their privileges helps organizations track and monitor access privileges continuously.

Ensure that access audits are in place and are conducted periodically. Also, it is necessary to review access privileges to meet changing needs.
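
An added example, not part of the SISA report: a periodic audit over an access control matrix that flags the conditions named in this section, namely shared user IDs, privileged accounts without multifactor authentication, privileged grants with no defined duration or a lapsed one, service accounts outside the password policy, and overdue access reviews. The record schema, the 90-day review interval, and the sample entries are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

REVIEW_INTERVAL = timedelta(days=90)  # assumed review period, not from the report


@dataclass
class Grant:
    """One row of the access control matrix (hypothetical schema)."""
    account: str
    system: str
    privilege: str                      # "user" or "admin"
    holders: List[str]                  # people who know or use the credential
    mfa: bool
    account_type: str = "human"         # "human" or "service"
    in_password_policy: bool = True
    expires: Optional[date] = None      # end of a time-bound grant
    last_review: Optional[date] = None  # date of the last access audit


def audit(grants, today):
    """Return (account, system, rule, detail) tuples for each policy gap."""
    findings = []
    for g in grants:
        def flag(rule, detail, g=g):
            findings.append((g.account, g.system, rule, detail))

        if len(g.holders) > 1:
            flag("SHARED_ID", "used by " + ", ".join(g.holders))
        if g.account_type == "service" and not g.in_password_policy:
            flag("SERVICE_OUTSIDE_POLICY", "no rotation or complexity rules apply")
        if g.privilege == "admin":
            if g.account_type == "human" and not g.mfa:
                flag("ADMIN_NO_MFA", "privileged login with a single factor")
            if g.expires is None:
                flag("ADMIN_NO_EXPIRY", "standing privilege, no defined duration")
            elif g.expires < today:
                flag("ADMIN_EXPIRED", f"grant ended {g.expires} but is still present")
        if g.last_review is None:
            flag("REVIEW_OVERDUE", "never reviewed")
        elif today - g.last_review > REVIEW_INTERVAL:
            flag("REVIEW_OVERDUE", f"last reviewed {g.last_review}")
    return findings


def by_account(findings):
    """Group rule names per account for reporting."""
    grouped = defaultdict(list)
    for account, _system, rule, _detail in findings:
        grouped[account].append(rule)
    return dict(grouped)


# Constructed sample matrix; account names, systems and dates are illustrative.
TODAY = date(2020, 6, 1)
SAMPLE_MATRIX = [
    # Personal account with MFA, reviewed recently: no findings expected.
    Grant("a.rao", "hrms", "user", ["a.rao"], mfa=True,
          last_review=date(2020, 4, 15)),
    # Shared standing admin credential without MFA, not reviewed for months.
    Grant("dbadmin", "payments-db", "admin", ["r.singh", "m.khan"], mfa=False,
          last_review=date(2019, 11, 1)),
    # Service account exempted from the password policy.
    Grant("svc-backup", "file-server", "user", ["it-ops"], mfa=False,
          account_type="service", in_password_policy=False,
          last_review=date(2020, 5, 1)),
    # Temporary admin grant that lapsed but was never removed.
    Grant("j.lee", "crm", "admin", ["j.lee"], mfa=True,
          expires=date(2020, 5, 20), last_review=date(2020, 5, 10)),
]

if __name__ == "__main__":
    for account, system, rule, detail in audit(SAMPLE_MATRIX, TODAY):
        print(f"{account:<11} {system:<12} {rule:<23} {detail}")
```

In practice the matrix would be exported from the directory service or the privileged access management tool rather than typed in by hand, and the findings fed into the periodic access audit.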

THE AVERAGE NUMBER OF PRIVILEGED ACCESS POLICY VIOLATIONS FOR A YEAR IS 3.2, AND THE AVERAGE COST TO THE ORGANIZATION TO RESPOND AND REMEDIATE THE POLICY VIOLATION IS $5,580.

– ENTERPRISE MANAGEMENT ASSOCIATES (EMA) SURVEY


5. PROPER INCIDENT RESPONSE & FORENSICS

What it is?

There are two kinds of organizations: one that has been breached, and the other that does not know about the intruder residing in its systems. Hence, organizations either detect or respond to the cyber attacks. Incident response is an organized approach to addressing and managing the aftermath of an IT incident, computer incident or security incident. However, the question is, are organizations prepared to tackle and respond to such attacks? It is pertinent for organizations to adopt the right approach and have a proper response mechanism in place and, most importantly, to execute it promptly and without causing any major disruptions.

Observations

The objective of incident response is to detect threats and handle the situation in a way that limits damage and reduces recovery time and costs. Most companies tend to pause their Incident Response activities once they detect and contain a threat. However, SISA observed that preliminary forensics is required for organizations to understand the pattern of attacks and prevent future attacks, because once the intruder has a firm understanding of the environment, the likelihood of this intruder penetrating the systems again is high. Organizations that conduct forensics gain a better understanding of the nature of an attack, can identify the intruder, the source, and the contributing factors, and can potentially avoid a relapse.


Mitigations

Organizations must follow an incident response plan encompassing four critical phases: preparation; detection and analysis; containment, eradication, and recovery; and post-event activity (ref: NIST).

An organization’s incident response plan must be tested and documented. Further, conducting cybersecurity drills, at least once a year, Tabletop Testings about once a month, etc. should be mapped with Business Continuity Plans (BCP).

Running forensics in third-party managed infrastructure can be challenging due to high dependency on the infrastructure providers and could potentially delay the response time. Thus, organizations must have defined agreements with these providers for necessary support during the forensics activity.

Security is a very niche skill. Most often, finding the right skill set to address security threats is a challenge due to a lack of proper skills within an organization. Finding the right talent or engaging with cybersecurity experts on a retention basis would be essential.

OF THE SEVERAL FORENSIC AUDITS CONDUCTED, SISA OBSERVES THAT 9 OUT OF THE 10 COMPANIES DO NOT HAVE A DEFINED GAME PLAN TO DEAL WITH SUSPECTED COMPROMISE IN THE ENVIRONMENT.

– SISA


CONCLUSION

Securing your organization is not about introducing complicated and expensive infrastructures or solutions. It is a myth that deploying a security solution will solve security challenges. An organization's security is defined on the basis of process, people, and technology. It is not a one-time solution but rather a continuous commitment to learning, self-assessing, planning actions, and revisiting the plans frequently to ensure that they continue to meet organizational needs. The five learnings can act as foundational metrics for an organization's security posture. We recommend that you assess your organization’s security stance against the five learnings and deploy necessary action items immediately.

SISA’S RECOMMENDED SECURITY APPROACH FOR TOP 5 LEARNINGS

SELF-ASSESSMENT

Understanding and assessing your organization's security infrastructure against these five learnings:

▶ Frequent Patching

▶ Application vulnerabilities

▶ Intelligent Monitoring

▶ Access Management

▶ Incident Response and Forensics

ACTIONING

Upon identifying areas of improvement, draw up an action plan to implement security best practices and solutions to strengthen the organization's security and mitigate threats:

▶ One thing to continue

▶ One thing to stop

▶ One thing to start

REVISITING

Revisiting your security action plans frequently to ensure continuity and alignment with the organizational needs and goals

Frequent communication of these security plans and educating people about them on a consistent basis


OUR OFFERINGS

SISA IS A FORENSICS-DRIVEN CYBERSECURITY COMPANY WITH CLIENTELE ACROSS 55 COUNTRIES.

As a PCI Security Standards Council accredited forensic investigator, we leverage our deep forensics intelligence in our goal to 10X our customer security posture in every engagement. We at SISA strive to deliver this through our brand promises of true security, on-time delivery, and fanatic support in each of our 7 different offerings:

▶ Strategic Advisory

▶ Audit and Assurance

▶ Security Testing [TSS Labs]

▶ Security Best Practices Training

▶ Managed Detection and Response [S-SOC]

▶ Cyber Security Products

▶ Security Incident Response and Forensics [SIRF]

STRATEGIC ADVISORY

1. Risk Assessment [Enterprise, Functional and Technical Risk Assessment]
2. Cloud Security Assessment
3. ISO 27001
4. Privacy [GDPR, CCPA, etc]

SECURITY BEST PRACTICES TRAINING

1. CPISI
2. CPISI-D
3. CIDR
4. CPISI-PIN
5. Payment Security Awareness [PSA]
6. CISRA

AUDIT AND ASSURANCE

1. PCI DSS [Includes FSAQ]
2. PCI PIN
3. PCI 3DS
4. Pay Sec [SSF]
5. P2PE
6. Regulatory Compliance [UIDAI, RBI PSS, SAR Audits]

MANAGED DETECTION AND RESPONSE [S-SOC]

1. Synergistic SOC Monitoring
2. Brand Monitoring

SECURITY TESTING - TSS LABS

1. Red Team
2. Application Security Testing
3. Network Pen Testing
4. Vulnerability Assessment
5. Vulnerability Management
6. Secure Code Review

CYBER SECURITY PRODUCTS

1. Tipper [Data Discovery and Privacy Ops Tool]
2. Hunter (Beta)
3. RA [Formal Risk Assessment Tool]
4. Monitor (Beta)
5. Eagle Eye (Alpha)

SECURITY INCIDENT RESPONSE AND FORENSICS - SIRF

1. Payment Forensic Investigations
2. Internal Forensic Investigations
3. Fast Incident Response
4. SIRF Retention Agreement

ALL THE ABOVE STREAM OF OFFERINGS PERIODICALLY INCORPORATE OUR LEARNINGS FROM FORENSIC INVESTIGATIONS. THIS HELPS US STRENGTHEN OUR CUSTOMER SECURITY POSTURE, THEREBY REDUCING THE BREACH EXPOSURE OF OUR CUSTOMERS DRAMATICALLY.


GLOBAL PRESENCE

AMERICAS

SISA Information Security Inc.

Las Colinas The Urban Towers, 222 West Las Colinas Boulevard, Suite 1650, Irving, Texas 75039, USA.

EUROPE

SISA Information Security Ltd.

81 Bellegrove Road, Welling, Kent - DA16 3PG, United Kingdom.

ASIA PACIFIC

SISA Information Security Pte. Ltd.

101 Cecil Street, #17-09, Tong Eng Building, Singapore (069533).

UAE

SISA Information Security FZE

P.O.Box 37495, Ras Al Khaimah, United Arab Emirates.

KSA

SISA Information Security

Novotel Business Park, Tower 2, 1st Floor, Unit No. 43, 32232-6140, Dammam, Saudi Arabia.

SAARC

SISA Information Security Pvt. Ltd.

No. 3029, 13th Main Road, HAL II Stage, Indiranagar, Bangalore - 560008, India.

BAHRAIN & AFRICA

SISA Information Security WLL.

Gulf Business Center, Suite # 1119 at Al Salam tower, 11th Floor, Building 722, Road 1708, Block 317, Kingdom of Bahrain.

AUSTRALIA

SISA Information Security Pty. Ltd.

'9A', 139 Minjungbal Drive, Tweed Heads South, NSW 2486, Australia.