SECURITY INSIDE THE PERIMETER - THE CALL IS COMING FROM INSIDE THE HOUSE

Transcription

1 SECURITY INSIDE THE PERIMETER - THE CALL IS COMING FROM INSIDE THE HOUSE Event Code: #ILTALSS #LSS17 Date: June 13, 2017 Time: 3:00 PM - 4:00 PM ET Location: Salon I

2 SECURITY INSIDE THE PERIMETER THE CALL IS COMING FROM INSIDE THE HOUSE Arlan McMillan Kirkland & Ellis LLP, CSO Arlan has over 20 years experience in Information Technology and Security and prior to joining Kirkland & Ellis LLP was the CISO for United Airlines. He s led a number of teams evaluating, developing and delivering security services, including as the CISO for the City of Chicago and Director of Global Information Security Operations for ABN AMRO, LaSalle bank. In 2014 Arlan was honored to be voted as the Chicago area CISO of the Year and until joining Kirkland, was a board member of the Aviation Information Sharing and Analysis Center (A-ISAC). Obligatory legal disclaimer. This discussion represents Arlan s personal viewpoint which is not necessarily shared by his employer or the host of the event. 2

3 A different approach to this type of conversation Lots of slides delivered quickly You will walk away with product Dropbox.com This and other presentations for you to reuse Catalog of over 400 operational metrics The CSF diagnostic and reporting templates Other really cool stuff 3

4 SIT BACK AND RELAX 4

5 5

6 1. Train How You Fight a. Numbers from the battlefield b. Know your enemy c. Scenario planning (5+7) d. Paperwork now! 2. Pro Tips 3. Real Life Example 4. War Stories from the Audience 6

7 1. Train How You Fight a. Numbers from the battlefield b. Know your enemy c. Scenario planning (5+7) d. Paperwork now! 2. Pro Tips 3. Real Life Example 4. War Stories from the Audience 7

8 DEFENDERS ARE LOSING Its happening more often Over 4 billion records lost in 2016 > record high It costs more $4 million average cost of a data breach > 29% increase since 2013 Humans are the #1 target 93% of all significant breaches began with a phishing 8

9 ATTACKERS ARE OUT-PACING DEFENDERS % WHERE DAYS OR LESS Source: 2016 Data Breach Investigations Report, Verizon 9

10 ATTACKERS GET IN AND REMOVE DATA VERY FAST AVERAGE TIME TO COMPROMISE AND EXFILTRATION Source: 2016 Data Breach Investigations Report, Verizon 10

11 INTERNAL CONTROLS AREN T EFFECTIVELY IMPLEMENTED % OF BREACH DISCOVERY METHODS Source: 2016 Data Breach Investigations Report, Verizon 11

12 BOUNTY ON LAW FIRMS Flashpoint report published in January, 2017 Multiple Firms targeted by Russian handler Domain Admin Access: $50,000 Mail Server Access: $20,000 Access to Office Computer of an Employee: $5,000 12

13 13

14 COMPRESSION 14

15 RAPID PACE OF CHANGE Computer power has doubled every year since the mid-1960 s In 1978, a flight from New York City to Paris cost ~$900 and took 7 hours If airlines accelerated as fast as computer technology.. the same trip would cost less than one cent and take less than one second to complete 15

16 1. Train How You Fight a. Numbers from the battlefield b. Know your enemy c. Scenario planning (5+7) d. Paperwork now! 2. Pro Tips 3. Real Life Example 4. War Stories from the Audience 16

17 5 THREAT CATEGORIES 17

18 #1: NUISANCE 18

19 #2: HACKTIVISTS 19

20 #3: ORGANIZED CRIME 20

21 #4: ESPIONAGE 21

22 #5: DESTRUCT, DENY, DESTROY 22

23 PLA GENERAL STAFF ORG CHART 23

24 PLA UNIT BASE OF OPERATIONS 12-STORY BUILDING IN A PUBLIC, MIXED-USE AREA IN SHANGHAI 24

25 10 STEP APT DANCE A ADVANCED. SHOULD JUST BE NAMED PT 25

26 10 STEP APT DANCE 26

27 DNC & CLINTON CAMPAIGN COMPROMISES JOHN PODESTA Highly crafted to look like standard Google password change 108 sent, 20 clicked then forwarded to 16 more people of which 4 more clicked Stole passwords on individuals & silently installed malware on target s computer which then allowed attacker to move laterally and infect other nearby computers 27

28 1. Train How You Fight a. Numbers from the battlefield b. Know your enemy c. Scenario planning (5+7) d. Paperwork now! 2. Pro Tips 3. Real Life Example 4. War Stories from the Audience 28

29 There is significant variability is the number of possible ways that a bad guy can do you harm.. but 90% of the time it happens in just a few different ways. Plan for the 90% and you ll be well on your way for the other rest. (5+7) 29

30 5 CYBER SCENARIOS TO PLAN FOR 1. Malware spread (crypto) 2. Insider data harvesting and exfiltration 3. External breach of client data 4. External breach of non-client data 5. Wide-spread destruction of computer assets 30

31 7 BCM SCENARIOS TO PLAN FOR 31

32 1. Train How You Fight a. Numbers from the battlefield b. Know your enemy c. Scenario planning and testing d. Paperwork now! 2. Pro Tips 3. Real Life Example 4. War Stories from the Audience 32

33 GET READY NOW 1. When a big one hits, you will need outside help from a forensics firm. 2. Don t wait to setup the paperwork. Do it now. It will cost nothing and save you bundles. 3. The FF should be hired by the GC Office with the goal of providing legal advice. Privilege! 4. Limit who gets the report. pdsa.asp?sid=6d7417d9-e318-4f2e-ae39-7bcf48f5d5d2 33

34 1. Train How You Fight a. Numbers from the battlefield b. Know your enemy c. Scenario planning (5+7) d. Paperwork now! 2. Pro Tips 3. Real Life Example 4. War Stories from the Audience 34

35 35

36 36

37 4 PRO TIPS 1. Tactical focus = Patching, Web & 2. IS is Risk Management, not Cyber IT 3. Authoritative Controls 4. Tabletops 37

38 TACTICAL FOCUS = PATCHING, WEB & Not much to say here get really good on these three first. We can talk about all the really cool tools, techniques and PowerShell Kung fu you can bring to bear against an adversary but a strong patching process is the by far the most powerful. 38

39 IS = RM, NOT CYBER IT How you communicate and build support for your program is the best cyber-defense! Information Security is Risk Management current risk posture vs target risk posture 5 Questions 1. Are there any material risks to the Firm and if so, what are their potential costs and likelihoods of occurrence? 2. Is my security program aligned to the organization s desired risk profile? 3. Is my organization more or less secure than last year? 4. Am I spending the right amount of money? 5. How do I compare against my peers? 39

40 IS is RISK MANAGEMENT 2 1 Functional Requirements 3 40

41 AUTHORITATIVE CONTROLS YOU HAVE A ROADMAP 41

42 TABLETOPS Train how you fight Tests readiness A clear signal to leadership and others that cyber is a priority A great way to improve visibility and generate conversation Part of a CISO s job is sales you need to sell people on why they need to do one thing over another 42

43 1. Train How You Fight a. Numbers from the battlefield b. Know your enemy c. Scenario planning (5+7) d. Paperwork now! 2. Pro Tips 3. Real Life Example 4. War Stories from the Audience 43

44 INCIDENT TIMELINE ref event comment 01 AV cleans MIMIKATZ & triggers alert in SOC Bad guy forgot to disable AV no password on AV 02 SecOps investigates & sees login with a shared TECH ID from nearby workstation 03 Investigate workstation login from unusual user 04 Investigate user doesn t typically even use a computer + weak password Abuse of shared admin ID used by techs for break-fix Patient Zero unknown but most likely the user #03 by way of a phishing victim 05 Setup alerts for all suspicious IDs Hackers going lateral 07 See user s ID connect to company SSL VPN published desktop and then touch several other internal workstations No 2FA No segmentation 08 Source IP = VPN in China Bad guy obfuscating true location could be originating from anywhere in the world 44

45 INCIDENT TIMELINE CONT. ref event comment 09 Observed an IP from Shanghai accidentally connect for 30sec before disconnecting and then a new connection over VPN being est. immediately Bad OpSec!! We now know where you re really coming from! 10 Setup alerts for any connections from that VPN Only fire 9-5 local time in Shanghai except on Chinese holidays 11 See multiple connections using multiple IDs Result of ID harvesting 12 Monitor connections and video record desktop sessions 13 Observe bad guy using MIMIKATZ to pull any cached creds they just do this over and over 14 Observe for ~20 days & prepare We now have training videos! C team following script to build dbs of our IDs and Pswds 15 Over three nights 2FA for VPN, password resets for over 40K users, patch all systems to current, deploy AEPP to 90% of all workstation and server assets 16 Bad guys kicked out. kind of 45

46 INCIDENT TIMELINE CONT. ref event comment 17 AEPP alerts on PlugX RAT on insignificant, irrelevant and forgotten system B team will have a back-door. Be ready & make sure asset inventory is up to date! 18 Immediately shut down & analyze system No way we would have seen the PlugX w/o Falcon 19 Deploy Forensic software to many servers 20 ID use of Service Account to go lateral Disable interactive and network login for all Svc Accts. 21 Continue to close doors w/ new visibility and authority to implement changes at will 22 Remove common tech ID on all workstations Makes going lateral much more difficult All said an done, this was about 60 days of all hands working in 24x7 shifts to address and then another 90 to clean up. While no data was lost, its still very expensive. 46

47 1. Train How You Fight a. Numbers from the battlefield b. Know your enemy c. Scenario planning (5+7) d. Paperwork now! 2. Pro Tips 3. Real Life Example 4. War Stories from the Audience 47

48 Share your war story or 48