How Advanced Persistent Threats Successfully Breach Large Organizations AND, What To Do About It
Robert West, Chief Information Security Officer, Department of Homeland Security
Top 10 misconceptions about federal IT security

1. Cyberspace is both a national asset and a war zone and the Internet must be regulated for protection
2. A future cyber attack could be equivalent to another Pearl Harbor, 9-11, or Katrina
3. Security is easy and fixes are trivial... If only folks will do the right thing
4. We can solve everything with technology
5. We could solve everything given enough money
6. Continuous monitoring is a silver bullet
7. Consensus Audit Guidelines good enough, because they stop 80% of all attacks
8. The NIST Risk Management Framework is too complicated to be of any real use
9. New legislation will fix the problem
10. FISMA is nothing but a paperwork drill
At DHS
- The Internet is now essential to our way of life
- Internet access, to include many public services, is mission essential
- FEMA relies extensively on Twitter for disaster management
- DHS maintains a Facebook presence and YouTube channels
- New telework policies require that users access Intranet from home
- And our employees want a single user experience for everything, including organizational email and file sharing; access to sensitive information; shared resources like printers; and unfettered Internet access

At DoD
- Cyberspace is a new warfighting domain, much like land, air, sea, and space
- United States Cyber Command headed by a four-star general, dual-hatted as Director of the National Security Agency
- All computers and networks in DoD are National Security Systems
- DoD strategy: mission assurance through graceful degradation
- Morale and welfare concerns mandate that deployed forces be able to access the Internet to keep in touch with family and friends

Globally
- Access to the Internet is now both a business and social imperative
- Google now offers free email to anyone in the world
- YouTube allows anyone in the world to upload anything in the world so that anyone else in the world can download anything in the world for any reason in the world
- Same with FaceBook, MySpace, and other social media applications
- Businesses and organizations are now leveraging these global collaborative applications as a cost effective way to engage large communities of interest

"Cyberspace is fundamentally a civilian space, a neighborhood, a library, a marketplace, a school yard, a workshop, and a new, exciting age in human experience, exploration and development." Jane Holl Lute and Bruce McConnell
Threats to U.S. National Security
[Figure: chart of potential for damage (Low to High) against probability of occurrence (Low to High) for Nation State, Transnational, Espionage, Criminals and Hackers, with markers for 1996, 2000, 2002, 2004 and 2006. Source: DSB Summer Study]
[Figure: the same chart of potential for damage against probability of occurrence, extended through 2010, 2015 and 2020. Highly Sophisticated Actors (Nation States, Organized Crime, Hacktivists) are grouped as Advanced Persistent Threats, above Moderately Sophisticated Actors and Low Level Actors]
APT: Well-resourced, highly-motivated, aggressive, pervasive, persistent, and purpose-driven actors. There is an intellect behind everything they do.
[Diagram: attacker on the Internet, victim INTRANET, with the numbered steps below]
Prior to commencing an attack there is extensive footprinting and enumeration of the target by the attacker
1. Enumeration and Footprinting
2. Targeted Phishing Email
3. User clicks on link to hostile website or opens attachment
4. Infected computer beacons to attacker and waits for commands
5. Attacker takes direct control of remote machine inside encrypted session
6. Attacker gains administrative rights with a root kit
7. Attacker moves laterally through the network, compromising additional machines while searching for desired information
8. Targeted information is packaged and exfiltrated
[Diagram: the same attack sequence with the attacker's infrastructure shown, one control node per phase]
Annotations:
- All traffic over common ports (25, 80, 443)
- Complex attack infrastructure
- Unique IPs used for each attack phase
Steps 1 to 8 as on the previous slide, then:
9. Complex attack infrastructure remains intact
10. Infected machine sits idle and waits for further instructions or attacker removes evidence of intrusion
Key APT attributes
- They are aggressive, persistent, pervasive, AND purpose driven
- Regularly exploit weak credentials
- Single campaign usually involves many discrete events over long periods of time
- Numerous intrusion paths: Phishing, Contractors, Facilities, Social Media
- They know a lot about us
- Increasing reliance on Zero-Day Attacks
Lessons-learned from APT

Persistent, pervasive, aggressive, and purpose driven
  -> There is no single silver bullet
  -> Effective response is not trivial, so stop acting like it is

APT rely on multiple attack vectors
  -> Requires comprehensive security controls framework

Persistence with long-term campaigns
  -> Lengthy campaigns are easier to detect in the long run, but the trick is detecting early in the campaign lifecycle
  -> Requires end-to-end situational awareness

Increasingly rely on zero-day attacks
  -> Attackers will sometimes be successful, at least initially
  -> Must monitor for outbound connections and illegitimate cross-platform activity

Regularly exploit weak identity controls
  -> Must deploy strong internal and external identity layers, including mandatory enterprise identity services

They know a lot about us
  -> But, they don't know everything
  -> Defense-in-depth is the best chance to break the attack chain
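The lifecycle slides note that the beacon and exfiltration traffic rides the common ports (25, 80, 443), and the lesson above is that outbound connections must be monitored. The following is an added example, not part of the original deck and not DHS code: a Python script that groups outbound connections by (source, destination, port), measures how regular their timing is, and flags series regular enough to look timer-driven rather than human-driven. The record format, hosts, addresses and timestamps are all constructed for the example (destinations use RFC 5737 documentation ranges), and the thresholds are assumptions to tune per environment.

```python
"""Beacon detection over outbound-connection records (added example, not DHS code)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records: timestamp, internal source host, destination,
# destination port, bytes sent. Destinations are RFC 5737 documentation
# addresses; nothing in this sample is a real indicator.
# 10.1.2.3 reaches 203.0.113.7 about every 300 s; 10.1.2.4 browses 198.51.100.9 irregularly.
SAMPLE_LOG = """\
2011-03-01T09:00:00 10.1.2.3 203.0.113.7 443 512
2011-03-01T09:00:07 10.1.2.4 198.51.100.9 80 1800
2011-03-01T09:04:58 10.1.2.3 203.0.113.7 443 520
2011-03-01T09:09:55 10.1.2.3 203.0.113.7 443 510
2011-03-01T09:11:40 10.1.2.4 198.51.100.9 80 2500
2011-03-01T09:15:03 10.1.2.3 203.0.113.7 443 515
2011-03-01T09:20:01 10.1.2.3 203.0.113.7 443 512
2011-03-01T09:22:14 10.1.2.4 198.51.100.9 80 900
2011-03-01T09:24:57 10.1.2.3 203.0.113.7 443 518
2011-03-01T09:30:02 10.1.2.3 203.0.113.7 443 511
2011-03-01T09:48:30 10.1.2.4 198.51.100.9 80 4100
2011-03-01T09:49:02 10.1.2.4 198.51.100.9 80 300
2011-03-01T10:31:11 10.1.2.4 198.51.100.9 80 1200
"""

COMMON_PORTS = (25, 80, 443)  # the ports the deck says APT traffic rides on


def parse_record(line):
    """Split one whitespace-separated record into typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)


def find_beacons(log_text, min_conns=6, max_cv=0.2, ports=COMMON_PORTS):
    """Return {(src, dst, port): (period_seconds, cv, count)} for outbound
    series whose gaps between connections are regular enough to look machine-driven.

    cv is the coefficient of variation (stddev / mean) of the gaps: a timer-driven
    beacon has a small cv, human browsing is irregular. Thresholds are assumptions.
    """
    series = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _ = parse_record(line)
        if port in ports:
            series[(src, dst, port)].append(ts)

    flagged = {}
    for key, stamps in series.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            flagged[key] = (round(period), round(cv, 3), len(stamps))
    return flagged


if __name__ == "__main__":
    for (src, dst, port), (period, cv, n) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port}  {n} connections about {period}s apart (cv={cv})")
```

Grouping by destination is exactly what the "unique IPs used for each attack phase" annotation is meant to defeat, so a production version would also aggregate per source and port alone, or per destination network, and would correlate the flagged series with the cross-platform activity the lesson mentions rather than alerting on regularity by itself.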
DHS IT Security Strategy

Dynamic framework for IT security
- DHS Information Security Strategic Plan 2010-2014
- Management Directive 4300 series (IT Security Policies)
- Defense-in-Depth Security Architecture Framework, based on NIST Risk Management Framework
- Aggressive compliance activities
- All aspects of framework regularly updated based on lessons-learned
- Governance through DHS CISO Council

Mission Assurance through Defense-in-Depth
- Hardened infrastructure based on lessons-learned from APT
- Improved situational awareness for Security Operations
- Shared enterprise security controls for all enterprise capabilities

Communications on multiple fronts
- User awareness training
- Role-based training
- State of Cybersecurity reports
- Classified cyber-threat briefings
- PAO Fast Breaks
- Team Security SharePoint portal
- Cybersecurity Information Center (on DHS Connect)
Strong Enterprise IT Governance Essential

Enterprise Governance Accountability
- Mission Assurance requires strong IT governance
- Security fully integrated into IT Governance Framework
- Multi-layered risk mitigation strategy

Defense In Depth: Comprehensive Security Architecture
- Perimeter
- Network
- Systems
- End Point
- Information & Data
- Security Operations
- Identity Management
- Training & Awareness

Information Security Controls: Shared responsibility through Inheritance
- Comprehensive controls based on NIST Risk Management Framework
- Management controls
- Operational controls
- Technical controls
- Ensures shared accountability for implementing comprehensive security architecture
Mission Assurance through multiple security layers
[Diagram: traffic from the Internet enters through a TIC onto the DHS Wide Area Network, which carries Trust Zone A, Trust Zone B and Trust Zone C, each fronted by a PEP, plus an SMTP PEP for mail; Identity Management Services and Security Operations span the zones. Control layers are listed down the side, with control examples: TICs, PEPs, C&A, Automated Patching]
NIST Risk Management Framework
- The NIST Risk Management Framework provides a comprehensive roadmap for implementing sound security practices
- NIST Special Publication 800-53 articulates 168 managerial, operational, and technical controls
- Tailoring can require up to 692 controls, depending on security categorization
- DHS has 683 IT systems of record (General Support Systems and Major Applications)

System 1: 168 Controls
System 2: 168 Controls
System 3: 168 Controls
.....
System 683: 168 Controls
You do the math!!!

- Difficult to implement all controls at the system or device level
- Inheritance allows for reliance on enterprise controls that are found elsewhere in the architecture
  1. Requires comprehensive security architecture that is strictly enforced
  2. Maintaining controls becomes a shared responsibility
Enterprise Controls Framework (each layer with its accountable party)
- IT Security Program Management: DHS CISO Accountability
- Trusted Internet Connections: ITSO Accountability
- Enterprise Security Operations: DHS SOC Accountability
- Enterprise Identity Services: ICAM PMO Accountability
- Enterprise Datacenters: ITSO Accountability
- Policy Enforcement Points: OneNet Accountability
- Component Continuous Monitoring of End Point Devices: Component SOC Accountability
- Component Unique Trust Zones: Component CISO Accountability
- System Specific Controls: System Owner Accountability
Shared Accountability = Distributed Workload
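The inheritance idea of the two slides above (per-system control counts, enterprise layers with one accountable party each) as an added Python example, not from the deck and not DHS code. The ten control IDs and titles are real NIST SP 800-53 controls, but which enterprise layer provides each one and who is accountable is an assumption made for this example, modelled on the Enterprise Controls Framework slide rather than taken from DHS's actual allocation. The two systems are constructed: one sits fully inside the enterprise architecture, the other is hosted outside the enterprise datacenters, which is the caveat on the RMF slide, since a system that does not sit behind a layer cannot inherit that layer's controls.

```python
"""Control inheritance model for an enterprise controls framework (added example, not DHS code)."""

# Enterprise layers named on the Enterprise Controls Framework slide.
ENTERPRISE_LAYERS = frozenset({
    "Trusted Internet Connections",
    "Enterprise Security Operations",
    "Enterprise Identity Services",
    "Enterprise Datacenters",
    "Policy Enforcement Points",
    "Component Continuous Monitoring of End Point Devices",
})

# Small stand-in for the SP 800-53 catalog: real control IDs and titles,
# but only ten of them rather than the 168 on the slide.
CATALOG = {
    "AC-2": "Account Management",
    "AU-6": "Audit Review, Analysis, and Reporting",
    "CM-6": "Configuration Settings",
    "CP-9": "Information System Backup",
    "IA-2": "Identification and Authentication (Organizational Users)",
    "PE-3": "Physical Access Control",
    "RA-5": "Vulnerability Scanning",
    "SC-7": "Boundary Protection",
    "SI-2": "Flaw Remediation",
    "SI-4": "Information System Monitoring",
}

# ASSUMPTION for this example: which enterprise layer provides each common
# control and who is accountable for it (parties as named on the slide).
# Controls not listed here are system specific. Not DHS's actual allocation.
COMMON_PROVIDERS = {
    "SC-7": ("Trusted Internet Connections", "ITSO"),
    "AU-6": ("Enterprise Security Operations", "DHS SOC"),
    "SI-4": ("Enterprise Security Operations", "DHS SOC"),
    "IA-2": ("Enterprise Identity Services", "ICAM PMO"),
    "PE-3": ("Enterprise Datacenters", "ITSO"),
    "CP-9": ("Enterprise Datacenters", "ITSO"),
    "SI-2": ("Component Continuous Monitoring of End Point Devices", "Component SOC"),
    "RA-5": ("Component Continuous Monitoring of End Point Devices", "Component SOC"),
}

# Constructed systems: a name plus the set of enterprise layers the system
# actually sits behind. The second is hosted outside the enterprise datacenters.
SAMPLE_SYSTEMS = [
    {"name": "HQ application (constructed)", "layers": ENTERPRISE_LAYERS},
    {"name": "Field office application (constructed)",
     "layers": ENTERPRISE_LAYERS - {"Enterprise Datacenters"}},
]


def plan_system(system, catalog=CATALOG, providers=COMMON_PROVIDERS):
    """Map every control to ('inherited' or 'system', providing layer, accountable party).

    A control is inherited only when the system really sits behind the layer
    that provides it; otherwise it falls back to the system owner.
    """
    plan = {}
    for cid in catalog:
        layer, party = providers.get(cid, (None, None))
        if layer is not None and layer in system["layers"]:
            plan[cid] = ("inherited", layer, party)
        else:
            plan[cid] = ("system", "System Specific Controls",
                         "System Owner (" + system["name"] + ")")
    return plan


def count_implementations(systems, catalog=CATALOG, providers=COMMON_PROVIDERS):
    """Return (implementations if every system did everything itself,
               implementations with inheritance).

    With inheritance each common control is implemented once by its enterprise
    provider; only the residual system-specific controls repeat per system.
    """
    naive = len(systems) * len(catalog)
    inherited_once = set()
    residual = 0
    for system in systems:
        for cid, (mode, _, _) in plan_system(system, catalog, providers).items():
            if mode == "inherited":
                inherited_once.add(cid)
            else:
                residual += 1
    return naive, len(inherited_once) + residual


def accountability_report(system):
    """Group a system's controls by accountable party (exactly one party per control)."""
    report = {}
    for cid, (_, _, party) in plan_system(system).items():
        report.setdefault(party, []).append(cid)
    return report


if __name__ == "__main__":
    for s in SAMPLE_SYSTEMS:
        print(s["name"])
        for party, cids in sorted(accountability_report(s).items()):
            print("  ", party + ":", ", ".join(sorted(cids)))
    print("implementations without / with inheritance:", count_implementations(SAMPLE_SYSTEMS))
```

The count is where "you do the math" pays off: with two systems and ten controls the naive figure is 20 implementations, and inheritance brings it to 14 only because the field office system still owns PE-3 and CP-9 itself. Scaling the catalog to 168 controls and the population to 683 systems changes the numbers, not the structure of the calculation.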
Top 10 Truths about Federal IT security (one for each of the Top 10 misconceptions)

1. Cyberspace is fundamentally a civilian space, one where we must all share responsibility within a participatory framework and where rules of behavior are clear, practical, and enforceable
2. Attacks manifest as lengthy campaigns vice single events
3. Security isn't trivial, and we must stop acting like it is
4. In addition to technology controls, we must also ensure effective controls for facilities, management, operations, etc.
5. Assume attackers will be successful at least some of the time
6. Continuous monitoring is only one element of defense-in-depth
7. Simply put, the top 20% of threats, the APT, pose all the risk
8. Risk Management Framework is sound, but requires comprehensive security architecture and accountability at all levels
9. As with FISMA I, implementation of FISMA 2 will remain key
10. Some limited paperwork is required to ensure accountability
Questions?
Robert West
Chief Information Security Officer
U.S. Department of Homeland Security, Office of the CIO
131 M Street, NE, Washington, DC 20528
(202) 35-6110
robert.west@dhs.gov