TODAY’S THREAT SCENARIOS · 2016. 5. 31. · TODAY’S THREAT SCENARIOS NSM NORCERT 30.10.2014,...
TODAY’S THREAT SCENARIOS
NSM NORCERT
30.10.2014, Espen Busman
Coordinator
Contact: post@cert.no (admin), 02497 or norcert@cert.no (incidents)
NORWEGIAN NATIONAL SECURITY AUTHORITY SLIDE 1
AGENDA
NSM NorCERT – a quick whois lookup (LLS)
Threats and trends
What’s the problem?
Some examples
Incident response
Countermeasures
NSM NorCERT- whois?
Detection, 24/7 Operations Centre, Analysis, Exercises, outreach.
NorCERT – NORWEGIAN COMPUTER EMERGENCY RESPONSE TEAM
Norway's national CERT and centre for handling ICT attacks on important national infrastructure.
TTOC 24/7
Alerts on attacks, threats and vulnerabilities
National PoC
National and international co-operation
Runs the sensor network (VDI)
HOW NSM NORCERT WORKS
Detect (VDI): technology, infrastructure, data collection, data correlation
Handle (operations centre): incident handling, 24/7 monitoring, co-ordinating, escalation
Analyse (technical analysis): network and systems analysis, malware analysis, forensics, technical threats
Reach out (outreach): co-operation, reporting, presentations, exercises
What do we see?
Threats and trends
THREAT SCALE
Impact axis: society in general to national security
Actor axis: chaotic actors to Advanced Persistent Threats
Threat categories shown on the scale: pranks, political protests, financial crime, espionage, sabotage, crisis / war
THIS HAS A GOOD CHANCE OF WORKING
What’s happening?
DDoS, waterholing, digital espionage.
TRENDS
DDoS on the increase
Login credentials (theft and reuse)
Increased number of serious vulnerabilities
Waterholing / strategic web compromise
Increased use of compromised e-mail accounts in spearphishing
DDoS SUMMER 2014
DDoS attacks against multiple NorCERT members on July 8
Affected companies handled it themselves together with their ISPs
IRC chat with the TTOC at NorCERT
DDoS technique used was "WordPress pingback reflection"
NorCERT TTOC issued an alert, including possible mitigation techniques:
• Filter out requests that include WordPress references
• Block foreign source addresses
• Block/filter upstream at the ISP
FinansCERT issued a situation update, including technical specifications and recommendations, as well as a template for filing the case with the police
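The pingback reflection technique used in the July attacks is easy to spot in the victim's own web access logs: every reflected request is a GET from a third-party WordPress site whose User-Agent reads "WordPress/<version>; <site URL>; verifying pingback from <address>", and the query string is usually random so that caches do not absorb the load. The following is an added example, not NorCERT's tooling or anything from the slides; the log excerpt is constructed in Apache combined format, while the "verifying pingback from" wording is the string WordPress itself sends.

```python
"""Spot WordPress pingback reflection traffic in a web server access log.

Each reflected request is a GET from a third-party WordPress site whose
User-Agent reads "WordPress/<ver>; <site URL>; verifying pingback from <addr>".
The <addr> is whatever the attacker put in the pingback, so it names the
target, not the attacker. Added example, not NorCERT's tooling; the log
excerpt below is constructed (Apache combined format).
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The exact User-Agent WordPress sends while verifying a pingback
PINGBACK_UA = re.compile(
    r"^WordPress/[\d.]+; (?P<site>\S+); verifying pingback from (?P<origin>\S+)"
)

# Constructed sample: two reflectors, one normal visitor. The random query
# strings (/?1234567) are how the attacker keeps caches from absorbing the hits.
SAMPLE_LOG = """\
198.51.100.10 - - [08/Jul/2014:10:01:02 +0200] "GET /?1234567 HTTP/1.0" 200 5123 "-" "WordPress/3.9.1; http://blog-a.example; verifying pingback from 203.0.113.5"
198.51.100.11 - - [08/Jul/2014:10:01:02 +0200] "GET /?7654321 HTTP/1.0" 200 5123 "-" "WordPress/3.9.1; http://blog-b.example; verifying pingback from 203.0.113.5"
192.0.2.77 - - [08/Jul/2014:10:01:03 +0200] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/31.0"
198.51.100.10 - - [08/Jul/2014:10:01:03 +0200] "GET /?9999999 HTTP/1.0" 200 5123 "-" "WordPress/3.9.1; http://blog-a.example; verifying pingback from 203.0.113.5"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_pingback_reflection(log_text):
    """Return (reflectors, targets): how many pingback-verification hits came from
    each reflecting WordPress host, and which addresses they claim to verify for."""
    reflectors, targets = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = PINGBACK_UA.match(rec["ua"])
        if m:
            reflectors[rec["src"]] += 1
            targets[m.group("origin")] += 1
    return reflectors, targets

def reflector_report(log_text, top=10):
    """Reflecting hosts sorted by hit count: the list to hand to the ISP / abuse contacts."""
    reflectors, _ = find_pingback_reflection(log_text)
    return reflectors.most_common(top)

if __name__ == "__main__":
    refl, tgt = find_pingback_reflection(SAMPLE_LOG)
    print("pingback hits: %d from %d reflectors" % (sum(refl.values()), len(refl)))
    for host, n in reflector_report(SAMPLE_LOG):
        print("  %-16s %d" % (host, n))
```

Dropping requests on that User-Agent at the edge (for nginx, `if ($http_user_agent ~* "WordPress.*verifying pingback") { return 403; }`) is the first mitigation on the slide; it also rejects legitimate pingbacks, which is an acceptable trade-off during an attack. The "verifying pingback from" address is attacker-supplied and is not a trustworthy source, so the reflector list, not that address, is what to report upstream.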
DDoS: PROTOCOLS
Open DNS resolvers used for DDoS attacks
Several CHARGEN cases
Notable increase in DDoS attacks exploiting NTP servers earlier this year
• UDP port 123
• The command "monlist" returns a list of the last 600 clients that connected to the server
• Potential amplification in excess of 5000 times!
Thousands of Norwegian servers vulnerable
• Norwegian IPs used in several attacks
• ISPs alerted
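To find out whether one of your own NTP servers still answers monlist, you need the same mode 7 datagram the attackers send and a parser for the reply. The following is an added example, not NorCERT's tooling; the request layout is that of ntpd's private (mode 7) protocol, and `fake_monlist_response` is a constructed reply, not captured traffic, used to exercise the parser offline. Only probe servers you are responsible for.

```python
"""Build and interpret an NTP mode 7 "monlist" (MON_GETLIST_1) probe.

Added example, not NorCERT's tooling. Only probe servers you are responsible
for: this is the same datagram the reflection attacks send.
"""
import socket
import struct

# Mode 7 request header, 8 bytes:
#   byte 0: R(0) M(0) VN=2 (010) Mode=7 (111)  -> 0x17
#   byte 1: auth bit 0, sequence 0
#   byte 2: implementation 3 (XNTPD)
#   byte 3: request code 42 = MON_GETLIST_1 ("monlist")
#   bytes 4-7: err/nitems = 0, mbz/itemsize = 0
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])

def parse_mode7_response(packet):
    """Return (is_response, more_follows, request_code, nitems, itemsize)."""
    if len(packet) < 8:
        raise ValueError("short packet")
    flags, _auth_seq, _impl, req_code, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", packet[:8])
    if flags & 0x07 != 7:
        raise ValueError("not an NTP mode 7 packet")
    is_response = bool(flags & 0x80)   # R bit
    more = bool(flags & 0x40)          # M bit: further fragments follow
    nitems = err_nitems & 0x0FFF       # low 12 bits; the high 4 bits are the error code
    itemsize = mbz_itemsize & 0x0FFF
    return is_response, more, req_code, nitems, itemsize

def amplification_factor(request, responses):
    """Bytes received per byte sent: the figure that makes monlist attractive for DDoS."""
    return sum(len(r) for r in responses) / len(request)

def probe_monlist(host, timeout=2.0):
    """Send one monlist probe to host:123 and collect all datagrams returned before the timeout.
    An empty list is the healthy answer: a patched ntpd (4.2.7p26 or later) or one
    configured with 'disable monitor' / 'restrict default noquery' does not respond."""
    responses = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(MONLIST_REQUEST, (host, 123))
        try:
            while True:
                data, _ = s.recvfrom(4096)
                responses.append(data)
                if not parse_mode7_response(data)[1]:   # M bit clear: last fragment
                    break
        except (socket.timeout, ValueError):
            pass
    return responses

def fake_monlist_response(nitems=6, itemsize=72, more=False):
    """Constructed reply (not captured traffic) to exercise the parser offline:
    ntpd packs 72-byte monitor entries, six per 440-byte datagram."""
    flags = 0x80 | (0x40 if more else 0x00) | 0x17      # R bit, optional M bit, VN=2, mode 7
    header = struct.pack("!BBBBHH", flags, 0x00, 0x03, 0x2A, nitems, itemsize)
    return header + bytes(nitems * itemsize)

if __name__ == "__main__":
    import sys
    got = probe_monlist(sys.argv[1])
    if not got:
        print("no monlist response (good)")
    else:
        items = sum(parse_mode7_response(p)[3] for p in got)
        print("VULNERABLE: %d packets, %d entries, amplification ~%.0fx"
              % (len(got), items, amplification_factor(MONLIST_REQUEST, got)))
```

The probe only tells you whether the server talks; the fix is on the server side (upgrade ntpd, or add `disable monitor` and a `restrict default kod nomodify notrap nopeer noquery` line to ntp.conf) and, at the network edge, BCP 38 source-address filtering so your address space cannot be spoofed in the first place.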
DIGITAL ESPIONAGE: MIRAGE
Several spearphishing campaigns against Norwegian authorities
• E-mail with malicious attachments
• Several appear to be forwarded
Threat actor possibly also interested in financial institutions and the finance sector
• IOCs shared with FinansCERT
Threat actor uses compromised e-mail accounts
• Accessed via webmail with stolen credentials
DIGITAL ESPIONAGE: TURLA / SNAKE / UROBUROS
Sophisticated malware linked to Agent.BTZ
Several reports:
• G Data: Uroburos
• BAE Systems: Snake campaign
• Symantec/Kaspersky: Turla
NSM NorCERT has been following this threat
• Close co-operation with potential targets
• No compromises uncovered to date
• Multiple strategic web compromises / waterhole attacks detected
WATERHOLE ATTACK AGAINST NORWEGIAN COMPANY
Company websites compromised
• Visitors redirected to a site controlled by the threat actor
• Visitors were profiled (JavaScript)
• No compromises uncovered
• Redirect discovered in VDI
Technical analysis indicates similarities with a previous spearphishing campaign against a VDI member
• The compromised company is a supplier to the VDI member
• Runs an application for contact administration etc.
NorCERT assisted on-site
• Rapid sensor set-up
WATERHOLE ATTACK AGAINST NORWEGIAN COMPANY
Threat actor accessed the IT infrastructure via stolen VPN credentials
• One of which had domain admin rights
RDP/SMB access to all clients on the internal network
1338 e-mails exfiltrated
• Including details on the incident response (in Norwegian)
• Threat actor changed tactics
• OPSEC!
NORWEGIAN COMPANY COMPROMISED
Company discovered it themselves and contacted NSM NorCERT
Exchange server filled to the brim with data ready for exfiltration
NSM NorCERT assisted with forensics and log analysis
A vulnerability in ColdFusion enabled the threat actor to install a web shell called "China Chopper"
And what can we do?
What’s the problem?
HANDLING DIGITAL ESPIONAGE?
Know your assets!
Common reaction to incidents:
“We don’t have anything of value”
“We don’t understand why this happened to us”
PROACTIVE SERVICES FROM NSM NORCERT
NorCERT Domain Name Server
• DNS service with "blacklisting"
• Launches in November
Vulnerability scanning
• SHODAN, usikkert.no and Dagbladet have done it
• Multiple initiatives within IT security, such as Shadowserver/Underworld
• Requires some legal clarifications
• Launches in November
4 EFFICIENT COUNTERMEASURES
Update software and hardware
Install security updates as quickly as possible
Be conscientious about admin rights
• End users hardly need them
Block non-authorized programs
HOT TIP – DEP, SEHOP, ASLR and EMET enhance your protection against unknown vulnerabilities and 0-days
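DEP and ASLR protect a process only if its executable (and every DLL it loads) was linked with the corresponding opt-in flags; EMET exists largely to force them on for binaries that were not. The opt-in is recorded in the DllCharacteristics field of the PE optional header, and 32-bit images additionally need a relocation table or the loader cannot rebase them at all. The following added example (not from the slides, no third-party library) reads those fields directly; `build_minimal_pe` fabricates a header-only, non-loadable PE so the check can be tried without a real binary.

```python
"""Check whether a PE executable opts in to DEP and ASLR.

Added example, not NorCERT's code. Reads the COFF and optional headers
directly; build_minimal_pe() is a constructed header used for testing.
"""
import struct

DYNAMIC_BASE = 0x0040     # ASLR opt-in (/DYNAMICBASE)
HIGH_ENTROPY = 0x0020     # 64-bit high-entropy ASLR (/HIGHENTROPYVA)
NX_COMPAT    = 0x0100     # DEP opt-in (/NXCOMPAT)
NO_SEH       = 0x0400     # image declares it uses no structured exception handlers
GUARD_CF     = 0x4000     # Control Flow Guard
RELOCS_STRIPPED = 0x0001  # COFF Characteristics: no relocation table, image cannot be rebased

def pe_header_flags(data):
    """Return (is_64bit, coff_characteristics, dll_characteristics) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_chars = struct.unpack_from("<H", data, pe_off + 4 + 18)[0]
    opt = pe_off + 4 + 20                                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and the PE32+ optional header
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return magic == 0x20B, coff_chars, dll_chars

def mitigation_report(data):
    is64, coff, dc = pe_header_flags(data)
    relocs_stripped = bool(coff & RELOCS_STRIPPED)
    return {
        "64bit": is64,
        "DEP": bool(dc & NX_COMPAT),
        # DYNAMICBASE without a relocation table cannot actually be randomised
        "ASLR": bool(dc & DYNAMIC_BASE) and not relocs_stripped,
        "HighEntropyVA": is64 and bool(dc & HIGH_ENTROPY),
        "NoSEH": bool(dc & NO_SEH),
        "CFG": bool(dc & GUARD_CF),
    }

def build_minimal_pe(dllchars, pe32plus=False, relocs_stripped=False):
    """Constructed header-only PE (not loadable) carrying the given flags."""
    pe_off = 0x80
    dos = (b"MZ" + bytes(0x3A) + struct.pack("<I", pe_off)).ljust(pe_off, b"\0")
    coff_chars = 0x0002 | (RELOCS_STRIPPED if relocs_stripped else 0)   # EXECUTABLE_IMAGE
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchars)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        for key, val in sorted(mitigation_report(f.read()).items()):
            print("%-14s %s" % (key, val))
```

Run it over the executables you actually deploy; anything reporting DEP or ASLR as False is a candidate for EMET's per-application mandatory DEP/ASLR (or for a rebuild with the right linker flags). SEHOP is enforced by the operating system rather than recorded in the binary, so it does not appear in this report; NO_SEH is the nearest PE-level indicator.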
DETECTING DIGITAL ESPIONAGE
Traffic logs
• Web traffic logs
• Proxy logs with SSL inspection
• Netflow
• DNS logging / passive DNS
• Web access logs on your own web servers
Authentication logs
Administration logs
Security logs
E-mail logs
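Web access logs on your own servers are on the list above, and the ColdFusion case earlier in the deck shows why: a China Chopper style web shell leaves a recognisable pattern in them. The server side is a tiny script that only ever receives POST requests (the command travels in the request body, so the URI never changes), there is no Referer because no page links to it, and the traffic comes from a handful of addresses. The following is an added example, not NorCERT's code; the IIS log excerpt is constructed, the shell path in it is made up, and the field list is the standard W3C header that IIS writes.

```python
"""Triage IIS W3C access logs for web shell traffic (China Chopper pattern).

Added example, not NorCERT's tooling. The log excerpt is constructed; the
#Fields header is the standard W3C format, which drives the parser.
"""
from collections import defaultdict

SCRIPT_EXT = (".cfm", ".cfc", ".aspx", ".asp", ".php", ".jsp")

SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status time-taken
2014-09-12 08:00:01 10.0.0.5 GET /index.cfm - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) - 200 15
2014-09-12 08:00:04 10.0.0.5 POST /login.cfm - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) http://www.example.no/index.cfm 302 40
2014-09-12 08:00:09 10.0.0.5 GET /login.cfm - 80 - 192.0.2.11 Mozilla/5.0+(Windows+NT+6.1) http://www.example.no/index.cfm 200 12
2014-09-12 08:01:15 10.0.0.5 POST /CFIDE/scripts/ajax/images/img.cfm - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - 200 31
2014-09-12 08:01:19 10.0.0.5 POST /CFIDE/scripts/ajax/images/img.cfm - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - 200 2210
2014-09-12 08:01:44 10.0.0.5 POST /CFIDE/scripts/ajax/images/img.cfm - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - 200 97
2014-09-12 08:02:03 10.0.0.5 POST /CFIDE/scripts/ajax/images/img.cfm - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - 200 4500
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the most recent #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))

def find_webshell_candidates(text, min_posts=3, max_clients=3):
    """Script paths that are POST-only, never carry a Referer and are used by
    few clients: the traffic shape of a command-in-body web shell."""
    stats = defaultdict(lambda: {"POST": 0, "GET": 0, "OTHER": 0,
                                 "with_referer": 0, "clients": set()})
    for rec in parse_w3c(text):
        path = rec["cs-uri-stem"].lower()
        if not path.endswith(SCRIPT_EXT):
            continue
        s = stats[path]
        method = rec["cs-method"]
        s[method if method in ("GET", "POST") else "OTHER"] += 1
        if rec["cs(Referer)"] != "-":
            s["with_referer"] += 1
        s["clients"].add(rec["c-ip"])
    hits = []
    for path, s in stats.items():
        if (s["POST"] >= min_posts and s["GET"] == 0
                and s["with_referer"] == 0 and len(s["clients"]) <= max_clients):
            hits.append({"path": path, "posts": s["POST"], "clients": sorted(s["clients"])})
    return sorted(hits, key=lambda h: -h["posts"])

if __name__ == "__main__":
    for h in find_webshell_candidates(SAMPLE_IIS_LOG):
        print("%s  %d POSTs from %s" % (h["path"], h["posts"], ", ".join(h["clients"])))
```

The heuristic is a triage filter, not proof: a legitimate API endpoint can also be POST-only and Referer-less. Confirm a hit by checking the file's creation time and contents in the web root (the China Chopper server component is a single short line of code that evaluates what the client sends) and by tying the first POST to the ColdFusion exploitation attempt in the same logs.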
WHAT DO WE NEED TO HELP?
Quick summary and timeline of the incident
• Assessment: how serious is the incident?
Suspicious e-mails:
• Copy of the e-mail including headers and attachments
• Attachments zipped and password protected, or PGP-encrypted
End user clicked on a suspicious link:
• Copy of web traffic logs (proxy logs)
• DNS / passive DNS logs
• Firewall logs
End user visited an infected website:
• Copy of web traffic logs (proxy logs)
• Copy of the downloaded malware
Overview of possibly compromised equipment
• Secure memory and hard drive before turning the unit off or beginning the investigation
CLEAN UP AFTER A BREACH
Plan and execute clean-ups in a controlled fashion!
• Hire an MSSP if you lack the necessary know-how
Isolate compromised systems from the network
Secure a memory dump and disk image of compromised systems
Reinstall from clean backups
Change all passwords!
MORE ON OUR WEBSITE: nsm.stat.no/publikasjoner
NASJONAL SIKKERHETSMYNDIGHET – SIKRE SAMFUNNSVERDIER (Norwegian National Security Authority – securing the values of society)
NorCERT, Nasjonal sikkerhetsmyndighet (NSM)
www.cert.no, www.nsm.stat.no
Incidents: norcert@cert.no
Admin: post@cert.no
Thank you!
@NorCERT