Sheryl Hanchar C EH, GCIH, CISSP,CISA

Transcription

1 Sheryl Hanchar C EH, GCIH, CISSP,CISA

2 HIPPA, PCI, SOX, Due Diligence- are all aimed at protection. If you lock the front door, the bad guys will come in through an open window. Are you watching the front door while they come in the back? Policy audit is a requirement don t make it the total focus. Are the Incident Responders aware of the ever changing threat landscape? Dedicated\Tiger Team

3 SPAM \ PHISHING PDF s \ Word \Excel \Exe s. Embedded links\ Redirects Your Secure Gateways limitations. Do you have a place where employees can send suspicious s to be analyzed?

4 February March April May June July August Spam Total Time (Hours) Run in virtual machines\ identify rogue processes\c2 Callbacks Use Gateways to block trends Pull dirty mail out of inboxes before infection.

5 Axis Title Axis Title New Initiatives- 11m in tools. Spam Mailbox INTEL January 2012 to September 2012 Corporate Wide CW BCD CHQ GCSD HCC HCS HITS PSPC RFCD 16 Total T T Trending Analysis Intelligence End User Alerting Program Harvesting Division Trending CHQ GCSD HCC HCS HITS PSPC RFCD Total T T /16/2012

6 HIGH SUCCESS RATE!- No matter how much security awareness training occurs- someone will click! ( wedding invite\ fantasy football\ boss \holiday) Does your end user security awareness campaign educate regarding links, attachments, holiday s, your purchase has shipped )

7 Where are you getting your INTEL? Department of Homeland Security Cyber Report Daily Shows breaches, risks, trends. Use this Intel for your Vulnerabilty Management Program.

8 Fake Amex "Security Verification" Phishing s Doing Rounds: Malicious spam s impersonating American Express have been hitting inboxes in the last few days, trying to make recipients open the file in the attachment. The purports to be a notification about a "Membership Security Verification," and warns the users that a "slight error" has been detected in their AmEx accounts. To make it right - and not lose access to their accounts in the next 48 hours - the victims are urged to download the attached HTML file and open it in a browser. [T]he phishers are looking for every bit of personal and financial information they can get, including the users' name, address, home and work telephone numbers, Social Security number, mother's maiden name and date of birth, users' date of birth, AmEx credit card number, expiry date, card security code, ATM PIN, address and the password for it.

9 How much work is involved in a phish for the company ROI? Enhanced Workflow and Analytics ARTIFICIAL INTELLIGENCE 10/16/2012

10 What does a malicious cost the company? Spear Phishing Taxonomy Use Case Examples Summary of Costs 1 User Infected 300 Users Infected 1 User 300 Users Introduction into the Environment Threat Mitigation 1. Spear Phish Sent 0 0 SOC $ $3, User Receives (Clicks Link/Send to HD/Notifies SOC/Calls HD) IRT $ $8, Service Desk Reviews and Sends it to SOC Support Staff 4. Service Desk Receives Phone Call from User Service Desk $10.29 $3, SOC Analyzes (if links/attachment => Further Action Required) HEMS $32.50 $65.00 Desktop $ $110, Spear Phishing Analysis EAS $32.50 $ SOC Opens a Case Network $1.30 $ SOC Reviews link/attachment on malware station for validity HITS AIM Costs $ $126, SOC Conducts DLM Search End User Customer $3, $939, SOC Conducts WatchGuard Search SOC Creates STRM Rules from Malware Properties Total Cost $3, $1,065, IRT Leverages FireEye to Prevent Future Attacks SOC Creates Remedy Ticket for FW / DNS / Websense Blocks Fixed/Sunk Costs Incremental Costs 13. EAS Support Staff Vets Request and Completes Block Action X = 1 X = SOC Creates Blocking Rules in WatchGuard Threat Mitigation 15. SOC Runs Script to Identify Unique Recipients SOC $ $45.93 $ HEMS Removes Spear Phish from All Users' Inboxes Identified by SOC IRT $ $27.08 $ IRT Conducts Netwitness Traffic Analysis Support Staff EAS $32.50 $0.00 $0.00 Identification of Malware HEMS $32.50 $0.00 $ STRM Beacon from Rule Identifies User Clicked Link or Attachment Service Desk $1.08 $9.21 $ IRT Conducts Further Analysis Desktop $0.00 $ $ IRT User traced back to IP/Machine Network $0.00 $1.30 $ SOC Creates Remedy Ticket to Reimage Users' Machines HITS AIM Costs $ $ $ SOC Creates Remedy Ticket to Block by MAC Address (30% of the time) End User Customer $2.17 $3, $3, SOC Puts User or Machine in Appropriate NO ACCESS OU (10% of the time) Local Desktop Team Tracks Down Machine Total Cost $ $3, $3, Network Team Blocks Machine by MAC (30% of the time) Customer Down Time (2 Days Avg.) Summary (X=User's Infected) 27. Desktop Team Reimages Machine (copy files, decrypt, reimage, encrypt) (5 hr Avg) Formula 28. Desktop Team Returns Machine to User (Ship/Send/Walkover/etc) When X = 0 $ Network Team Releases MAC Block (30% of the time) When X = 1 $ X + $ SOC Releases Machine/User from OU (10% of the time) When X = 300 $ X + $ SOC Closes Case (All Data is Entered and Verified) Increasing the # of infected users dilutes costs by $30.35/inf 32. Continuous Monitoring 0 0 Totals (in Minutes) Total Cost $3, $1,065,411.86

11

12 Advanced Persistent Threats Growing Risks of Advanced Threats APT is on the rise 71% increase in APT attacks over the past 12 months APT targets any industry 83% of US companies have been hit by the APT APT is low profile 46% say it takes 30 days or more to detect APT is targeted 97% of the 140M records compromized through customized malware APT is elusive AV databases are 20-50% effective at detecting new or lowvolume threats

13 Profile of Advanced Persistent Threats

14

15 Consensus Audit Guidelines20 Critical Security Controls

16 The Incident Response part.

17 Scanning nodes for 1 file takes time Tools are not fast even if you know where to look. Machines not on the network can t be scanned. Pulling back data and analysis takes time When you find something doesn t work and you will. (what do you mean THAT server didn t have.)

18 Technical and Administrative Controls- Some cost $ some don t. Logs Logs Logs Logs Logs!- what are you logging? Are they being overwritten? Log tool not licensed properly and dropping data. ( SIEM) Administrator accounts still in use? Password Changes? Entitlement Reviews? Why is the Domain Admin on at 4am? Normal? Wait he is logging in from Korea! Wow Dan got to go to Korea!

19 Do your technical staffs feel safe alerting to an incident? (Monica) Forgotten Servers not being patched or Windows NT boxes? ( How are you notified of new servers added? VM s!) (Vulnerability Scanning\Hardening\What is New on my VLAN?) Security Awareness- How big of a deal does the company make? 5k run? Outdated policy binds controls from being implemented. ( IRC- When was the last time the content filtering system rule list was reviewed?)

20 Who is on your Incident Response team? Dedicated Secondary What happens when an incident occurs? Recreating the crime scene is not easy. Clues and evidence are always missing All of Sr. Mgmt becomes involved Timeline. Practice \Tabletops Don t forget your scribe! Geeks do not take notes! Work all night- not 1 note. Genius\Autistic? (NSA)- Think fast and cant speak The different types of cases- porn\policy violation vs. Exfiltration to Foreign nation.