Sheryl Hanchar C|EH, GCIH, CISSP ,CISA Document… · •HIPPA, PCI, SOX, Due Diligence- are all...
Sheryl Hanchar C|EH, GCIH, CISSP, CISA
•HIPAA, PCI, SOX, Due Diligence: all are aimed at protection.
•If you lock the front door, the bad guys will come in through an open window.
•Are you watching the front door while they come in the back?
•Policy audit is a requirement; don't make it the total focus.
•Are the Incident Responders aware of the ever-changing threat landscape? Dedicated \ Tiger Team
SPAM \ PHISHING
•PDFs \ Word \ Excel \ EXEs.
•Embedded links \ Redirects
•Your Secure Email Gateway's limitations.
•Do you have a place where employees can send suspicious emails to be analyzed?
Month               February  March  April  May    June   July   August
Spam                2015      2667   1798   974    823    1485   1145
Total Time (Hours)  100.50    91.18  60.60  41.38  26.56  42.27  42.78
Run in virtual machines\ identify rogue processes\C2 Callbacks
Use Email Gateways to block trends
Pull “dirty mail” out of inboxes before infection.
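The "suspicious email mailbox" workflow above ends with two questions a SOC has to answer fast: who else received this message, and which sender is trending so the gateway can block it. This added example (not from the slides or the presenter) runs that triage over a constructed gateway log; the key=value line format, the field names and all addresses and hashes are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of secure email gateway log lines (not real data). The
# one-line key=value format and the field names are assumptions.
GATEWAY_LOG = """\
ts=2012-09-03T08:12:04Z msgid=<a1@ext.example> from=billing@amex-verify.example to=dan@corp.example attach=Verification.html sha256=AAAA1111
ts=2012-09-03T08:12:09Z msgid=<a2@ext.example> from=billing@amex-verify.example to=sue@corp.example attach=Verification.html sha256=AAAA1111
ts=2012-09-03T08:13:40Z msgid=<a3@ext.example> from=billing@amex-verify.example to=dan@corp.example attach=Verification.html sha256=AAAA1111
ts=2012-09-03T09:01:12Z msgid=<b1@vendor.example> from=invoices@vendor.example to=pat@corp.example attach=inv-0912.pdf sha256=BBBB2222
ts=2012-09-04T07:55:00Z msgid=<a4@ext.example> from=alerts@amex-verify.example to=lee@corp.example attach=Verification.html sha256=AAAA1111
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn each log line into a dict of its key=value fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def unique_recipients(records, sha256):
    """Every mailbox that received the attachment with this hash, once each
    (the list HEMS needs to pull the dirty mail before anyone opens it)."""
    return sorted({r["to"] for r in records if r.get("sha256") == sha256})


def sender_domain_trend(records):
    """Messages per (day, sender domain): the trend a gateway block rule targets."""
    counts = defaultdict(int)
    for r in records:
        day = r["ts"][:10]
        domain = r["from"].split("@", 1)[1]
        counts[(day, domain)] += 1
    return dict(counts)


def block_candidates(records, threshold=2):
    """Sender domains that hit the daily threshold, with the attachment hashes they carried."""
    out = {}
    for (day, domain), n in sender_domain_trend(records).items():
        if n >= threshold:
            hashes = {r["sha256"] for r in records if r["from"].endswith("@" + domain)}
            out.setdefault(domain, set()).update(hashes)
    return out
```

Run the three functions over `parse_log(GATEWAY_LOG)` to get the recipient pull list, the per-day volume by sender domain, and the domains worth a gateway rule.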
10/16/2012
Spam Mailbox INTEL
January 2012 to September 2012
New Initiatives- 11m in tools….
          CW   BCD   CHQ   GCSD   HCC   HCS   HITS   PSPC   RFCD
Total     89    10     3     14     9     1      7      1     10
T1        20     3     0      4     4     0      2      1      8
T3        69     7     3     10     5     1      5      0      2

[Chart: Corporate Wide (bar chart of the table above, axis 0 to 100)]

          CHQ   GCSD   HCC   HCS   HITS   PSPC   RFCD
Total       3     14     9     1      7      1     10
T1          0      4     4     0      2      1      8
T3          3     10     5     1      5      0      2

[Chart: Division Trending (bar chart of the table above, axis 0 to 16)]
•Trending Analysis
•Intelligence
•End User Alerting
•Program Harvesting
•HIGH SUCCESS RATE! No matter how much security awareness training occurs, someone will click! (wedding invite \ fantasy football \ boss email \ holiday)
•Does your end user security awareness campaign educate regarding links, attachments, holiday emails, "your purchase has shipped"?
•Where are you getting your INTEL?
•Department of Homeland Security – Cyber Report Daily – shows breaches, risks, trends.
•Use this Intel for your Vulnerability Management Program.
Fake Amex "Security Verification" Phishing Emails Doing Rounds: Malicious spam emails impersonating American Express have been hitting inboxes in the last few days, trying to make recipients open the file in the attachment. The email purports to be a notification about a "Membership Security Verification," and warns the users that a "slight error" has been detected in their AmEx accounts. To make it right - and not lose access to their accounts in the next 48 hours - the victims are urged to download the attached HTML file and open it in a browser. [T]he phishers are looking for every bit of personal and financial information they can get, including the users' name, address, home and work telephone numbers, Social Security number, mother's maiden name and date of birth, users' date of birth, AmEx credit card number, expiry date, card security code, ATM PIN, email address and the password for it.
Enhanced Workflow and Analytics
ARTIFICIAL INTELLIGENCE
How much work is involved in a phish for the company – ROI?
What does a malicious email cost the company…?
Spear Phishing Taxonomy Use Case Examples (time per step, in minutes)

                                                                                 1 User     300 Users
                                                                                 Infected   Infected
Introduction into the Environment
 1. Spear Phish Email Sent                                                            0           0
 2. User Receives Email (Clicks Link/Send Email to HD/Notifies SOC/Calls HD)         10        3000
 3. Service Desk Reviews Email and Sends it to SOC                                    1         300
 4. Service Desk Receives Phone Call from User                                      8.5        2550
 5. SOC Analyzes Email (if links/attachment => Further Action Required)               1         100
Spear Phishing Analysis
 6. SOC Opens a Case                                                                 10          15
 7. SOC Reviews link/attachment on malware station for validity                      20          20
 8. SOC Conducts DLM Search                                                          10          30
 9. SOC Conducts WatchGuard Search                                                   10          30
10. SOC Creates STRM Rules from Malware Properties                                   10          10
11. IRT Leverages FireEye to Prevent Future Attacks                                  10          10
12. SOC Creates Remedy Ticket for FW / DNS / Websense Blocks                         20          20
13. EAS Support Staff Vets Request and Completes Block Action                        30          30
14. SOC Creates Blocking Rules in WatchGuard                                         10          10
15. SOC Runs Script to Identify Unique Email Recipients                              10          10
16. HEMS Removes Spear Phish Email from All Users' Inboxes Identified by SOC         30          60
17. IRT Conducts Netwitness Traffic Analysis                                         40          40
Identification of Malware
18. STRM Beacon from Rule Identifies User Clicked Link or Attachment                  5        1500
19. IRT Conducts Further Analysis                                                   120         120
20. IRT User traced back to IP/Machine                                               25        7500
21. SOC Creates Remedy Ticket to Reimage Users' Machines                              5        1200
22. SOC Creates Remedy Ticket to Block by MAC Address (30% of the time)             0.9         2.1
23. SOC Puts User or Machine in Appropriate NO ACCESS OU (10% of the time)          0.5         150
24. Local Desktop Team Tracks Down Machine                                           20        6000
25. Network Team Blocks Machine by MAC (30% of the time)                            0.6         180
26. Customer Down Time (2 Days Avg.)                                               2880      864000
27. Desktop Team Reimages Machine (copy files, decrypt, reimage, encrypt) (5 hr Avg) 300       90000
28. Desktop Team Returns Machine to User (Ship/Send/Walkover/etc)                    20        6000
29. Network Team Releases MAC Block (30% of the time)                               0.6         180
30. SOC Releases Machine/User from OU (10% of the time)                               1         300
31. SOC Closes Case (All Data is Entered and Verified)                               30          90
32. Continuous Monitoring                                                             0           0
Totals (in Minutes)                                                              3639.1    983457.1
Total Cost                                                                    $3,942.36  $1,065,411.86

Summary of Costs (Threat Mitigation)

                         1 User       300 Users
SOC                     $155.35       $3,777.69
IRT                     $211.25       $8,309.17
Support Staff
  Service Desk           $10.29       $3,087.50
  HEMS                   $32.50          $65.00
  Desktop               $368.33     $110,500.00
  EAS                    $32.50          $32.50
  Network                 $1.30         $390.00
HITS AIM Costs          $811.53     $126,161.86
End User Customer     $3,130.83     $939,250.00
Total Cost            $3,942.36   $1,065,411.86

Fixed/Sunk Costs vs. Incremental Costs (Threat Mitigation)

                      Fixed/Sunk   Incremental Costs
                      Costs        X = 1        X = 300
SOC                    $109.42      $45.93       $12.23
IRT                    $184.17      $27.08       $27.08
Support Staff
  EAS                   $32.50       $0.00        $0.00
  HEMS                  $32.50       $0.00        $0.11
  Service Desk           $1.08       $9.21       $10.29
  Desktop                $0.00     $368.33      $368.33
  Network                $0.00       $1.30        $1.30
HITS AIM Costs         $359.67     $451.86      $419.34
End User Customer        $2.17   $3,128.67    $3,130.83
Total Cost             $361.83   $3,580.53    $3,550.17

Summary (X = Users Infected)
Formula
When X = 0      $361.83
When X = 1      $3580.53X + $361.83
When X = 300    $3550.17X + $361.83
Increasing the # of infected users dilutes costs by $30.35/inf
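The cost slide's formula is a fixed cost plus a per-infected-user rate that shrinks slightly as more users are hit. This added model (mine, not the presenter's spreadsheet) encodes the slide's per-team fixed and incremental figures, evaluates the formula for any X, and shows which cost center dominates; the linear interpolation of the per-user rate between the slide's X = 1 and X = 300 columns is an assumption.

```python
# Cost model built from the slide's "Fixed/Sunk vs. Incremental" table. The
# dollar figures are the slide's; the interpolation is an assumption. The
# slide rounds to cents, so sums can differ from its printed totals by cents.
COSTS = {
    # team               fixed     incr@X=1  incr@X=300
    "SOC":               (109.42,    45.93,    12.23),
    "IRT":               (184.17,    27.08,    27.08),
    "EAS":               ( 32.50,     0.00,     0.00),
    "HEMS":              ( 32.50,     0.00,     0.11),
    "Service Desk":      (  1.08,     9.21,    10.29),
    "Desktop":           (  0.00,   368.33,   368.33),
    "Network":           (  0.00,     1.30,     1.30),
    "End User Customer": (  2.17,  3128.67,  3130.83),
}


def fixed_cost():
    """What the phish costs even when nobody is infected (X = 0)."""
    return sum(f for f, _, _ in COSTS.values())


def incremental_per_user(team, x):
    """Per-user rate for one team at X infected users, interpolated linearly
    between the slide's X = 1 and X = 300 columns and clamped outside them."""
    _, at1, at300 = COSTS[team]
    t = min(max((x - 1) / 299, 0.0), 1.0)
    return at1 + (at300 - at1) * t


def total_cost(x):
    """Slide formula: fixed + X * incremental(X)."""
    return fixed_cost() + x * sum(incremental_per_user(team, x) for team in COSTS)


def cost_breakdown(x):
    """Each team's share at X infected users, largest first."""
    shares = {t: COSTS[t][0] + x * incremental_per_user(t, x) for t in COSTS}
    return sorted(shares.items(), key=lambda kv: kv[1], reverse=True)


def dilution_per_user():
    """Drop in the per-user incremental rate between X = 1 and X = 300."""
    return sum(COSTS[t][1] for t in COSTS) - sum(COSTS[t][2] for t in COSTS)
```

`cost_breakdown(1)` makes the slide's point visible: the End User Customer line (two days of downtime per machine) is the cost, and the SOC/IRT work is noise beside it.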
Advanced Persistent Threats
Growing Risks of Advanced Threats
•APT is on the rise…
–71% increase in APT attacks over the past 12 months
•APT targets any industry
–83% of US companies have been hit by the APT
•APT is low profile…
–46% say it takes 30 days or more to detect
•APT is targeted…
–97% of the 140M records compromised through customized malware
•APT is elusive
–AV databases are 20-50% effective at detecting new or low-volume threats
Profile of Advanced Persistent Threats
Consensus Audit Guidelines / 20 Critical Security Controls
The Incident Response part….
• Scanning nodes for 1 file takes time.
• Tools are not fast even if you know where to look.
• Machines not on the network can't be scanned.
• Pulling back data and analysis takes time.
• When you find something, it doesn't work… and you will. (What do you mean THAT server didn't have….)
Technical and Administrative Controls: some cost $, some don't.
•Logs Logs Logs Logs Logs! What are you logging? Are they being overwritten?
•Log tool not licensed properly and dropping data. (SIEM)
•Administrator accounts still in use? Password changes? Entitlement reviews?
•Why is the Domain Admin on at 4am? Normal? Wait – he is logging in from Korea! Wow, Dan got to go to Korea!
•Do your technical staff feel safe alerting to an incident? (Monica)
•Forgotten servers not being patched, or Windows NT boxes? (How are you notified of new servers added? VMs!) (Vulnerability Scanning \ Hardening \ What is new on my VLAN?)
•Security Awareness: how big of a deal does the company make? 5k run?
•Outdated policy keeps controls from being implemented. (IRC: when was the last time the content filtering system rule list was reviewed?)
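The "Domain Admin at 4am from Korea" bullet is a detection rule in plain language: privileged logons outside the account's expected hours or from an unexpected country go to a review queue. This added example (not from the slides) applies that rule to constructed, already geo-enriched logon events; the field names, the business hours, the expected country and the service-account maintenance window are all assumptions.

```python
from datetime import datetime

# Constructed sample of domain controller logon events (not real log data).
# The fields, and the country attribution a SIEM would add from the source IP,
# are assumptions.
EVENTS = [
    {"ts": "2012-10-15T09:12:00", "user": "dan", "admin": True, "src_ip": "10.1.4.20", "country": "US"},
    {"ts": "2012-10-15T04:02:11", "user": "dan", "admin": True, "src_ip": "203.0.113.9", "country": "KR"},
    {"ts": "2012-10-15T04:05:40", "user": "svc_backup", "admin": True, "src_ip": "10.1.4.30", "country": "US"},
    {"ts": "2012-10-15T13:30:00", "user": "sue", "admin": False, "src_ip": "198.51.100.7", "country": "KR"},
    {"ts": "2012-10-15T22:15:00", "user": "dan", "admin": True, "src_ip": "10.1.4.20", "country": "US"},
]

BUSINESS_HOURS = range(7, 20)               # 07:00-19:59 local time; assumption
EXPECTED_COUNTRIES = {"US"}                 # where admins actually work; assumption
MAINTENANCE_WINDOWS = {"svc_backup": range(0, 24)}  # known scheduled jobs; assumption


def classify(event):
    """Reasons an admin logon deserves a look; empty list means it looks normal."""
    reasons = []
    if not event["admin"]:
        return reasons                      # ordinary users are a different rule set
    hour = datetime.fromisoformat(event["ts"]).hour
    allowed_hours = MAINTENANCE_WINDOWS.get(event["user"], BUSINESS_HOURS)
    if hour not in allowed_hours:
        reasons.append("off-hours")
    if event["country"] not in EXPECTED_COUNTRIES:
        reasons.append("unexpected-geo:" + event["country"])
    return reasons


def review_queue(events):
    """(user, timestamp, reasons) for every flagged admin logon, most reasons first."""
    flagged = [(e["user"], e["ts"], classify(e)) for e in events]
    flagged = [f for f in flagged if f[2]]
    return sorted(flagged, key=lambda f: len(f[2]), reverse=True)
```

The service account at 04:05 is not flagged because its maintenance window is declared; an entitlement review is what keeps that allow-list honest.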
Who is on your Incident Response team?
• Dedicated
• Secondary
What happens when an incident occurs?
•Recreating the crime scene is not easy. Clues and evidence are always missing.
•All of Sr. Mgmt becomes involved… Timeline.
•Practice \ Tabletops
Don't forget your scribe!
•Geeks do not take notes! Work all night, not 1 note.
•Genius \ Autistic? (NSA) Think fast and can't speak.
•The different types of cases: porn \ policy violation vs. exfiltration to a foreign nation.