The Threat & What to do About It

The Threat & What to do About It Michael Bachmann, Ph.D. Department of Criminal Justice Texas Christian University [email protected]


Page 1

The Threat & What to do About It

Michael Bachmann, Ph.D. Department of Criminal Justice

Texas Christian University

[email protected]

Page 2

Thank You!

• For inviting me to speak today!

• Thank you for attending

• This presentation is geared towards your needs

– I am completely flexible in what we discuss

– Please feel free to ask any question at any time

Page 3

Outline

• The Changing Landscape of Cybercrime:

– Threat intelligence

• Current threat trends

• Types of common attacks and damages caused

– Why cyber security & defenses are critical

– Basic steps to plan ahead

• Development of cyber defense plan

• Technical solutions, employee training, risk management

Page 4

Case Example: Del Rio Jan 2019

Page 5

Case Example: Baltimore

Page 6

Cybercrime Myths

• What are some common ideas about hackers?

– All hackers are nefarious

– Attackers are a small number of extremely skilled computer whizzes who hack out of their parents’ basement: ugly, destructive, “dirty”

• Leads to great underestimation of risk

• How does a typical hacking attack look?

– Hacking attacks are always a mission impossible type scenario

Page 7

Cybercrime Myths Debunked

• Reality check:

– Most breaches conducted in simplest way possible

– Wide variety of different hackers (skills, motivation)

– Thriving global online shadow economy with highly organized structures, hierarchies, and roles

– Similar to the international drug trade

• How large is cybercrime economy?

– Caution with numbers you are about to see.

– Underreporting huge (motives against reporting?)

Page 8

The Global Underground Economy

• Cybercrime (CC) costs approx. $2 trillion per year on average through 2021 (Juniper Research)

• Avg. incident recovery cost globally: $4M! US companies: much higher!

• Global damages: on par with revenue from drug trafficking

• FBI: cybercrime is the fastest growing crime (and has been for at least 15 years)

Page 9

The Global Underground Economy

Page 10

The Global Underground Economy

Page 11

Live Global Attack Map

• Cybercrime as it is happening right now…

Page 12

Summary: Trends 2019

• 2018 marked by extraordinary attacks (multi-million dollar virtual bank heists, some of the biggest DDoS attacks on record – this time powered by a botnet of IoT devices (routers, cams)!)

• Resurgence of simple attacks (“living off the land”: use of OS features (e.g. PowerShell & macros), off-the-shelf tools, cloud services, social engineering, spear phishing, hiding in plain sight…)

• Software supply chain attacks (SW upgrades, e.g. Petya)

• Resurgence of Email as favorite attack channel (1 in 131 emails malicious, highest rate in 5 years)

• Ransomware has become a commodity

• Coin-mining attacks exploded in 2018 (8,500% increase) alongside the rise in crypto currency values

• IoT devices increasingly targeted (600% up)

• 2019: decline, but on high levels

Page 13

Big Numbers: Web Attacks

Page 14

Big Numbers: Jacking Attacks

Page 15

Big Numbers: Ransom/Supply Chain

Page 16

Big Numbers: Email/Groups

Page 17

“Living off the Land” Example

Shamoon spread by “Timberworm” (responsible for many attacks in the Middle East):

1. Sent spear-phishing emails to individuals at targeted organizations (Word and Excel attachments, or malicious links which downloaded similar files)

2. When opened, the attachment ran a PowerShell script to gain remote access and perform basic reconnaissance of the target

3. If the target was interesting, malware (a backdoor) was installed

4. A cornucopia of legitimate admin and pentesting tools was then used, including:

– PsExec, a tool for executing processes on other systems, from Microsoft Sysinternals

– PAExec, a free reimplementation of PsExec from Poweradmin

– Netscan, a multipurpose IPv4/IPv6 network scanner

– Samdump, a hacking tool that dumps Windows password hashes

– Mimikatz (Hacktool.Mimikatz), a hacking tool used to harvest credentials

– TightVNC, an open-source remote desktop access application

– Plink, a command line network connection tool supporting encrypted communications

– Rar, an archiving utility for compressing files before exfiltration
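The chain on this slide (an Office document that runs PowerShell, then dual-use admin tools appearing on the same workstation) is what a defender would look for in process-creation telemetry. The following is an added example written for this page, not the presenter's material: the event layout, host and user names, the sample records, and the executable file names assumed for each tool are all constructed, and the parent/child rule is one standard way of expressing step 2 of the chain.

```python
"""Detect the 'living off the land' chain from the Timberworm/Shamoon example in
process-creation telemetry (Sysmon event 1 / Windows 4688 style records).

Added example, not from the presentation.  The event layout, host and user names,
and the executable names assumed for each tool are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: str            # timestamp (constructed)
    host: str          # workstation name (constructed)
    user: str          # account that launched the process (constructed)
    image: str         # full path of the new process
    parent_image: str  # full path of the parent process
    cmdline: str       # command line as logged


# Dual-use tools named on the slide, keyed by the file name each is assumed to run as.
# Attackers rename binaries, so name matching is a floor, not a ceiling; pair it with
# hash or signer checks where the telemetry has them.
DUAL_USE_TOOLS = {
    "psexec.exe": "PsExec (Sysinternals remote execution)",
    "paexec.exe": "PAExec (PsExec reimplementation)",
    "netscan.exe": "Netscan (network scanner)",
    "samdump.exe": "Samdump (password hash dumper)",
    "mimikatz.exe": "Mimikatz (credential harvester)",
    "tvnserver.exe": "TightVNC server (remote desktop)",
    "plink.exe": "Plink (encrypted remote connection)",
    "rar.exe": "Rar (archiving before exfiltration)",
}

# Step 2 of the chain: an Office document that "runs a PowerShell script".
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (rule, host, user, detail) tuples for every event that matches a rule."""
    findings = []
    for e in events:
        img, parent = _basename(e.image), _basename(e.parent_image)
        if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
            findings.append(("office_spawns_script_host", e.host, e.user, f"{parent} -> {img}"))
        if img in DUAL_USE_TOOLS:
            findings.append(("dual_use_tool", e.host, e.user, DUAL_USE_TOOLS[img]))
    return findings


def hosts_showing_full_chain(findings):
    """Hosts on which both an Office->script launch and a dual-use tool were seen:
    the two halves of the slide's attack chain, which together deserve an escalation."""
    by_host = {}
    for rule, host, _user, _detail in findings:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items()
                  if {"office_spawns_script_host", "dual_use_tool"} <= rules)


# Constructed sample telemetry: one workstation showing the chain, one admin host
# whose PowerShell use is legitimate (launched by a service, no Office parent).
SAMPLE_EVENTS = [
    ProcEvent("2019-01-10T09:01:02", "WS-0142", "jdoe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\explorer.exe", '"WINWORD.EXE" /n "Invoice_2019.docm"'),
    ProcEvent("2019-01-10T09:01:09", "WS-0142", "jdoe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"powershell.exe -File C:\Users\jdoe\AppData\Local\Temp\stage.ps1"),
    ProcEvent("2019-01-10T09:14:33", "WS-0142", "jdoe",
              r"C:\Users\jdoe\AppData\Local\Temp\mimikatz.exe",
              r"C:\Windows\System32\cmd.exe", "mimikatz.exe"),
    ProcEvent("2019-01-10T09:20:41", "WS-0142", "jdoe",
              r"C:\Users\jdoe\AppData\Local\Temp\psexec.exe",
              r"C:\Windows\System32\cmd.exe", "psexec.exe"),
    ProcEvent("2019-01-10T09:30:00", "ADM-01", "svc_patch",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\svchost.exe",
              r"powershell.exe -File C:\Scripts\apply_updates.ps1"),
]


def run_sample():
    """Run both rules over the constructed sample and correlate per host."""
    findings = detect(SAMPLE_EVENTS)
    return findings, hosts_showing_full_chain(findings)


if __name__ == "__main__":
    findings, escalate = run_sample()
    for f in findings:
        print(f)
    print("hosts showing the full chain:", escalate)
```

The parent/child rule keys on who launched PowerShell rather than on PowerShell itself, which is why the scheduled-maintenance event on ADM-01 produces no finding; on its own a dual-use tool name is only a lead, but the same host showing both halves of the chain is what warrants isolating the machine and pulling its logs, as the later "Risk Management" slides recommend.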

Page 18

Big Numbers: Email Scams

Page 19

Big Numbers: Email (cont.)

Page 20

Typical Email Infection

Page 21

BEC Scams

Business Email Compromise (BEC) Scams

(aka: CEO fraud or “whaling”)

• Spoofed emails pretend to be from the CEO and request large money transfers

• Example: in 2016 a large Austrian aerospace company fired its CEO after $50M went to BEC scammers

• Avg. in 2018: 400 organizations targeted daily!

Page 22

BEC Scams

Snowshoe & Hailstorm Tactics

Page 23

New Challenges: Cloud

Page 24

What Can You Do? 5 Best Practices

1. Emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures. Deploy throughout the network:

– regularly updated firewalls

– gateway/email server antivirus/antimalware

– intrusion detection/prevention systems (IDS, IPS)

– a data loss prevention system (DLP)

– website vulnerability & malware protection

– web security gateway solutions

Page 25

What Can You Do? 5 Best Practices

2. Exploitation of vulnerabilities is a tactic commonly used by targeted attack groups. Receive alerts for new vulnerabilities and threats across vendor platforms and patch known vulnerabilities as soon as possible!

At least turn on auto-update on all software!

Page 26

What Can You Do? 5 Best Practices

3. Implement and enforce a security policy requiring that sensitive data be encrypted at rest & in transit. Ensure that customer data is encrypted.

This helps to mitigate the damage of potential data leaks from within your organization.

Page 27

What Can You Do? 5 Best Practices

4. Attackers often use stolen or default credentials:

– Ensure passwords are strong!

– Never use the same password for multiple accounts

– Encourage use of password managers

– Never allow users to share passwords

– Delete unused credentials and profiles

– Limit the number of administrative-level profiles to only the absolutely necessary!

Page 28

Believe it or not…

Speaking of which: what makes a strong password?

What system are you using?

Page 29

What Can You Do? 5 Best Practices

5. Educate employees on the dangers posed by spear-phishing emails and fraudulent URLs

This includes exercising caution around emails from unfamiliar sources and not opening attachments that haven’t been solicited.

Many different training solutions available

Page 30

Best Email Practices

• Implement “full protection stack” on servers and endpoints!

• Forward suspicious mail to CISO and delete

• Extreme caution with MS Office, JS, and PDF attachments!

• Reply to address from address book instead of hitting “reply”

• Never use links in email, or use a validation service

Page 31

Ransomware: Best Practices

New ransomware variants appear on a regular basis!

• Always keep your software, esp. security software, up to date

• Software updates frequently include patches for new vulnerabilities that are exploited by ransomware attackers

• Email is THE #1 infection method!

• Be extremely wary of a Microsoft Office email attachment that advises you to enable macros to view its content. NEVER ENABLE MACROS unless you are absolutely sure that this is a genuine email

• Backing up important data is the single most effective protection!

• Cloud services can mitigate ransomware infection

• Install ransomware protection

Page 32

Consequences of Victimization

• Damages to organization:

– Loss of reputation, bad press

– Loss of trust

– Financial damages

– Increasingly: threat of negligence litigation

• Damages to responsible individuals:

– Job loss

Page 33

What Can You Do?

• Expect to be attacked!

The question isn’t “if” but “when!”

• Provide human and technical resources:

– Technical solutions

– Threat intelligence

– Risk management

• The combination will help reveal not only who is being targeted but also how and why

• Resources for Local Governments

• DHS CISA SLTT Resources

Page 34

Technical Solutions

Solves only part of the problem

1. Employ defense in-depth strategies

2. Monitor for network intrusion attempts, vulnerabilities, and name abuse

3. Antivirus on endpoints is not enough

4. Employ data loss prevention (DLP) solutions (prevent most data from being exfiltrated, even if attackers succeed in penetrating the network)

5. Employ capability to deflect DDoS attacks

6. Invest in physical security to prevent theft

Page 35

Technical Solutions in Depth

• Costs for firewall & IPS systems:

– Vary greatly. My favorite one, pfSense: can be free!

• Free open source gateway, firewall, & IPS software

• Complete and “easy” to configure firewall

• Complete and free intrusion detection suite Snort: does a fantastic job in keeping attackers out! … I run it at home…

• Costs for website security & vulnerability tests:

– Between $15-40 per month (dependent on what’s included – DDoS deflection, malware removal, cloud-based web firewall, PCI compliance testing (for CC’s)). Google website security solutions

– (I don’t want to endorse a specific company)

Page 36

Technical Solutions in Depth

Employ data loss prevention (DLP) solutions

• Implement a DLP solution that can:

– discover where sensitive data resides

– monitor its use

– protect it from loss

• Monitor the flow of information as it leaves the organization over the network

• Monitor traffic to external devices or websites

• DLP buying guide

• Price for entire organization ~ $1,000/year

Page 37

Threat Intelligence

• THE buzzword since 2015

• Now a vital component for any organization

• Understand potential threats against networks

– Critical component of security mix

– Changes the security model from reactive to proactive

– If you understand your adversaries, you can develop tactics to combat current attacks and plan better for future threats

– Shrink the security alert problem that is overwhelming most security teams

– Drive better, more informed responses to security incidents

Page 38

Risk Management

• If possible hire CISO – have dedicated person responsible for cyber security – invaluable!

• Conduct regular “pen tests” with different security consultants (good hackers)

• Ensure all devices allowed on company networks have adequate security protections

– Solve BYOD issue, especially for phones

– My tip: don’t allow BYOD on network

Page 39

Risk Management

Be aggressive in your updating and patching:

• Update, patch, and migrate from outdated and insecure browsers, applications, and browser plug-ins

• This also applies to operating systems, not just across computers, but mobile, network, and IoT devices as well

• Keep virus and intrusion prevention definitions at the latest available versions using vendors’ automatic update mechanisms

Page 40

Risk Management

Enforce an effective password policy:

• Ensure passwords are strong

– at least 8-10 characters long and include a mixture of letters and numbers

• Encourage users to avoid re-using the same passwords on multiple websites (use free password managers, e.g. Keepass)

• Forbid sharing of passwords with others

• Passwords should be allowed to expire

Page 41

Risk Management

Restrict email attachments

• Configure mail servers to block email that contains commonly abused file attachments:

– .VBS, .BAT, .EXE, .PIF, and .SCR files.

• Investigate policies for .PDFs that are allowed to be included as email attachments

• Ensure that mail servers are adequately protected by security software and that email is thoroughly scanned
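The attachment blocklist on this slide is simple to state but has two details a mail filter must get right: the check has to be case-insensitive and has to judge a file by its last extension (so an "Invoice.PDF.EXE" is an executable), and blocked types are routinely wrapped in a .zip. The code below is an added example written for this page, not the presenter's material and not any mail server's own filter syntax; a real deployment would call it from the MTA's content-filter hook. It goes one step beyond the slide by also listing blocked types found inside a zip attachment, and every sample message it builds is constructed.

```python
"""Screen inbound mail for the attachment types the slide says to block
(.VBS, .BAT, .EXE, .PIF, .SCR).

Added example, not the presenter's material and not any mail server's own filter
syntax; a real deployment would hook this into the MTA's content filter.  It goes one
step beyond the slide by also listing blocked types found inside a .zip attachment.
All sample messages below are constructed."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def _suffix(name: str) -> str:
    """Last extension, lower-cased, so 'Invoice.PDF.EXE' is judged by '.exe'."""
    return PurePosixPath(name.replace("\\", "/").strip()).suffix.lower()


def blocked_names_in_zip(data: bytes):
    """Names inside a zip payload whose extension is blocked (one level deep)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if _suffix(n) in BLOCKED_EXTENSIONS]
    except zipfile.BadZipFile:
        return []  # not a real archive; the extension checks still apply


def scan_message(raw: bytes):
    """Return (filename, reason) for each attachment that should cause rejection."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if _suffix(name) in BLOCKED_EXTENSIONS:
            hits.append((name, "blocked extension"))
        elif _suffix(name) == ".zip":
            inner = blocked_names_in_zip(part.get_payload(decode=True) or b"")
            if inner:
                hits.append((name, "archive contains " + ", ".join(inner)))
    return hits


def should_block(raw: bytes) -> bool:
    return bool(scan_message(raw))


# --- constructed samples -------------------------------------------------------
def build_sample(filename: str, data: bytes, maintype: str, subtype: str) -> bytes:
    """Build a one-attachment test message (constructed; addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def _zip_bytes(names):
    """Build a small zip archive in memory containing the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()


SAMPLE_PDF = build_sample("invoice.pdf", b"%PDF-1.4 placeholder", "application", "pdf")
SAMPLE_DOUBLE_EXT = build_sample("Invoice.PDF.EXE", b"MZ placeholder", "application", "octet-stream")
SAMPLE_ZIP_WITH_SCR = build_sample("docs.zip", _zip_bytes(["readme.txt", "setup.scr"]), "application", "zip")
SAMPLE_CLEAN_ZIP = build_sample("docs.zip", _zip_bytes(["readme.txt"]), "application", "zip")

if __name__ == "__main__":
    for label, raw in [("pdf", SAMPLE_PDF), ("double ext", SAMPLE_DOUBLE_EXT),
                       ("zip with .scr", SAMPLE_ZIP_WITH_SCR), ("clean zip", SAMPLE_CLEAN_ZIP)]:
        print(f"{label:14} block={should_block(raw)} {scan_message(raw)}")
```

The filter deliberately keys on the declared filename rather than on the MIME type, because the sender controls both and the filename is what the recipient's mail client will use to decide how to open the file; an encrypted or nested archive cannot be inspected this way, which is why the slide's broader advice to scan all mail with security software still applies.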

Page 42

Risk Management

Ensure regular backups are available!

• Create and maintain regular backups

– of critical systems, as well as endpoints

• In the event of a security or data emergency, backups should be easily accessible

– minimize downtime of services and productivity

• Use dedicated server mirrors or NAS systems

– Ensure RAID capability and multi-location redundancy

– Ensure systems aren’t accessible to ransomware

Page 43

Risk Management

• Ensure you have infection and incident response procedures in place!

• Keep your security vendor contact information handy – know who you will call and what steps to take

• Ensure that a backup-and-restore solution is in place – restore lost or compromised data in the event of a successful attack or catastrophic data loss

• Make use of post-infection detection capabilities – from web gateway, endpoint security solutions and firewalls to identify infected systems (keep logs…)

• Isolate infected computers – to prevent the risk of further infection within the organization, and restore using trusted backup media

• If network services are exploited – disable or block access to those services until a patch is applied.

Page 44

Risk Management

Educate users on basic security protocols

Absolutely critical!

• Do not open attachments unless they are expected & from a known and trusted source

• Do not execute software that is downloaded from the Internet (if such actions are permitted – they shouldn’t) unless the download has been scanned for viruses

• Be cautious when clicking on URLs in emails or social media programs, even when coming from trusted sources and friends

Page 45

Risk Management

Educate users continued:

• Deploy web browser URL reputation plug-in solutions that prevent opening of infected sites

• Only download software (if allowed) from internal shares or directly from the vendor website

• If Windows users see a warning indicating that they are “infected” after clicking on a URL or using a search engine (scareware: fake antivirus infections), educate users to close or quit the browser using Alt-F4, CTRL+W or the task manager.

Page 46

Checklist of Critical Controls

1. Inventory of Authorized and Unauthorized Devices

2. Inventory of Authorized and Unauthorized Software

3. Secure Configurations for Hardware & Software on Laptops, Workstations, and Servers

4. Continuous Vulnerability Assessment and Remediation

5. Malware Defense

6. Application Software Security

7. Wireless Device Control

8. Data Recovery Capability

9. Security Skills Assessment and Appropriate Training to Fill Gaps

10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Page 47

Checklist of Critical Controls

11. Limitation and Control of Network Ports, Protocols, and Services

12. Controlled Use of Administrative Privileges

13. Boundary Defense

14. Maintenance, Monitoring, and Analysis of Security Audit Logs

15. Controlled Access Based on the Need to Know

16. Account Monitoring and Control

17. Data Loss Prevention

18. Incident Response Management

19. Secure Network Engineering

20. Penetration Tests and Red Team Exercises

Page 48

Thank You!

• Questions?

• Comments?
