How Advanced Persistent Threats Successfully Breach Large Organizations AND, What To Do About It


How Advanced Persistent Threats Successfully Breach Large Organizations AND, What To Do About It
Robert West, Chief Information Security Officer, Department of Homeland Security

Top 10 misconceptions about federal IT security
1. Cyberspace is both a national asset and a war zone, and the Internet must be regulated for protection
2. A future cyber attack could be equivalent to another Pearl Harbor, 9-11, or Katrina
3. Security is easy and fixes are trivial... if only folks will do the right thing
4. We can solve everything with technology
5. We could solve everything given enough money
6. Continuous monitoring is a silver bullet
7. Consensus Audit Guidelines are good enough, because they stop 80% of all attacks
8. The NIST Risk Management Framework is too complicated to be of any real use
9. New legislation will fix the problem
10. FISMA is nothing but a paperwork drill

At DHS
- The Internet is now essential to our way of life
- Internet access, to include many public services, is mission essential
- FEMA relies extensively on Twitter for disaster management
- DHS maintains a Facebook presence and YouTube channels
- New telework policies require that users access the Intranet from home
- And our employees want a single user experience for everything, including organizational email and file sharing; access to sensitive information; shared resources like printers; and unfettered Internet access

At DoD
- Cyberspace is a new warfighting domain, much like land, air, sea, and space
- United States Cyber Command is headed by a four-star general, dual-hatted as Director of the National Security Agency
- All computers and networks in DoD are National Security Systems
- DoD strategy: mission assurance through graceful degradation
- Morale and welfare concerns mandate that deployed forces be able to access the Internet to keep in touch with family and friends

Globally
- Access to the Internet is now both a business and social imperative
- Google now offers free email to anyone in the world
- YouTube allows anyone in the world to upload anything in the world so that anyone else in the world can download anything in the world for any reason in the world
- Same with FaceBook, MySpace, and other social media applications
- Businesses and organizations are now leveraging these global collaborative applications as a cost effective way to engage large communities of interest

"Cyberspace is fundamentally a civilian space: a neighborhood, a library, a marketplace, a school yard, a workshop, and a new, exciting age in human experience, exploration and development." (Jane Holl Lute and Bruce McConnell)

Threats to U.S. National Security
[Chart: potential for damage (low to high) plotted against probability of occurrence (low to high), with a 2000-2006 timeline. Actors shown: Nation State, Transnational, Espionage, Criminals, Hackers. Source: 1996 DSB Summer Study]

[Chart: the same damage-versus-probability axes, extended to 2002-2020. Actor tiers: Highly Sophisticated Actors (Nation States, Organized Crime, Advanced Persistent Threats), Moderately Sophisticated Actors (Hacktivists), Low Level Actors]
Advanced Persistent Threats: well-resourced, highly-motivated, aggressive, pervasive, persistent, and purpose-driven actors. There is an intellect behind everything they do.

Anatomy of an APT intrusion (two build slides, merged)
[Diagram: Internet on the left, INTRANET on the right, with the numbered steps below placed along the path between them. Annotations: all traffic over common ports (25, 80, 443); complex attack infrastructure, with unique IPs used for each attack phase and separate control nodes]
Prior to commencing an attack there is extensive footprinting and enumeration of the target by the attacker.
1. Enumeration and footprinting
2. Targeted phishing email
3. User clicks on link to hostile website or opens attachment
4. Infected computer beacons to attacker and waits for commands
5. Attacker takes direct control of remote machine inside encrypted session
6. Attacker gains administrative rights with a root kit
7. Attacker moves laterally through the network, compromising additional machines while searching for desired information
8. Targeted information is packaged and exfiltrated
9. Complex attack infrastructure remains intact
10. Infected machine sits idle and waits for further instructions, or attacker removes evidence of intrusion

Key APT attributes
- They are aggressive, persistent, pervasive, AND purpose driven
- Regularly exploit weak credentials
- A single campaign usually involves many discrete events over long periods of time
- Numerous intrusion paths: phishing, contractors, facilities, social media
- They know a lot about us
- Increasing reliance on zero-day attacks

Lessons learned from APT (attribute: lesson)
- Persistent, pervasive, aggressive, and purpose driven: there is no single silver bullet; effective response is not trivial, so stop acting like it is
- APT rely on multiple attack vectors: requires a comprehensive security controls framework
- Persistence with long-term campaigns: lengthy campaigns are easier to detect in the long run, but the trick is detecting early in the campaign lifecycle; requires end-to-end situational awareness
- Increasingly rely on zero-day attacks: attackers will sometimes be successful, at least initially; must monitor for outbound connections and illegitimate cross-platform activity
- Regularly exploit weak identity controls: must deploy strong internal and external identity layers, including mandatory enterprise identity services
- They know a lot about us: but they don't know everything; defense-in-depth is the best chance to break the attack chain
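As an added example (not from the presentation), the script below applies the "monitor for outbound connections" lesson to the beaconing pattern of step 4 of the attack chain: an infected host calling out to one external address over a common port (25, 80, 443) at a near-constant interval. The firewall log format and every sample line are constructed for the demonstration; the jitter threshold is an assumed tuning value.

```python
"""Flag beaconing: an internal host contacting one external IP:port at a
near-constant interval over a common port, as in step 4 of the attack chain.
Added example; the log format and all sample lines below are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

COMMON_PORTS = {25, 80, 443}  # ports the slide names for attacker traffic

# Constructed firewall log: "<ISO timestamp> <src> <dst> <dport>"
SAMPLE_LOG = """\
2010-03-01T09:00:00 10.1.2.3 198.51.100.7 443
2010-03-01T09:05:01 10.1.2.3 198.51.100.7 443
2010-03-01T09:10:00 10.1.2.3 198.51.100.7 443
2010-03-01T09:14:59 10.1.2.3 198.51.100.7 443
2010-03-01T09:20:00 10.1.2.3 198.51.100.7 443
2010-03-01T09:00:12 10.1.2.4 203.0.113.9 80
2010-03-01T09:03:40 10.1.2.4 203.0.113.9 80
2010-03-01T09:31:05 10.1.2.4 203.0.113.9 80
2010-03-01T09:45:07 10.1.2.4 203.0.113.9 80
2010-03-01T09:02:00 10.1.2.5 203.0.113.10 22
2010-03-01T09:07:00 10.1.2.5 203.0.113.10 22
2010-03-01T09:12:00 10.1.2.5 203.0.113.10 22
2010-03-01T09:17:00 10.1.2.5 203.0.113.10 22
"""

def parse_log(text):
    """Group connection timestamps by (src, dst, dport) flow key."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(flows, ports=COMMON_PORTS, min_hits=4, max_jitter=0.1):
    """Return [(flow_key, period_seconds)] for flows whose gaps between
    connections vary by at most max_jitter (stdev / mean of the gaps).
    A fixed-sleep beacon scores near 0; human browsing scores far higher.
    ports=None checks every port, not only the common ones."""
    hits = []
    for key, times in flows.items():
        if (ports and key[2] not in ports) or len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            hits.append((key, round(period)))
    return hits

if __name__ == "__main__":
    for (src, dst, port), period in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{period}s")
```

With the default port filter only the 443 flow from 10.1.2.3 is reported (about every 300 s); the regular port-22 flow from 10.1.2.5 shows why a practitioner would also run it with ports=None.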

DHS IT Security Strategy

Dynamic framework for IT security
- DHS Information Security Strategic Plan 2010-2014
- Management Directive 4300 series (IT Security Policies)
- Defense-in-Depth Security Architecture Framework
- Based on NIST Risk Management Framework
- Aggressive compliance activities
- All aspects of the framework regularly updated based on lessons learned
- Governance through DHS CISO Council

Mission Assurance through Defense-in-Depth
- Hardened infrastructure based on lessons learned from APT
- Improved situational awareness for Security Operations
- Shared enterprise security controls for all enterprise capabilities

Communications on multiple fronts
- User awareness training
- Role-based training
- State of Cybersecurity reports
- Classified cyber-threat briefings
- PAO Fast Breaks
- Team Security SharePoint portal
- Cybersecurity Information Center (on DHS Connect)

Strong Enterprise IT Governance Essential

Enterprise Governance Accountability
- Mission Assurance requires strong IT governance
- Security fully integrated into IT Governance Framework

Multi-layered risk mitigation strategy (Defense In Depth)
- Comprehensive Security Architecture covering: Perimeter, Network, Systems, End Point, Information & Data, Security Operations, Identity Management, Training & Awareness

Information Security Controls
- Shared responsibility through Inheritance
- Comprehensive controls based on NIST Risk Management Framework: management controls, operational controls, technical controls
- Ensures shared accountability for implementing the comprehensive security architecture

Mission Assurance through multiple security layers
[Diagram: the Internet reaches the DHS Wide Area Network through TICs; Trust Zones A, B and C each sit behind a Policy Enforcement Point (PEP), with an SMTP PEP, Identity Management Services and Security Operations as shared control layers. Control examples: TICs, PEPs, C&A, Automated Patching]

NIST Risk Management Framework
- The NIST Risk Management Framework provides a comprehensive roadmap for implementing sound security practices
- NIST Special Publication 800-53 articulates 168 managerial, operational, and technical controls; tailoring can require up to 692 controls, depending on security categorization
- DHS has 683 IT systems of record (General Support Systems and Major Applications)
- System 1, System 2, System 3, ..., System 683, each with 168 controls. You do the math!!!
- Difficult to implement all controls at the system or device level
- Inheritance allows for reliance on enterprise controls that are found elsewhere in the architecture:
  1. Requires a comprehensive security architecture that is strictly enforced
  2. Maintaining controls becomes a shared responsibility

Enterprise Controls Framework (control layer: accountable party, in the order shown on the slide)
- IT Security Program Management: DHS CISO
- Trusted Internet Connections: ITSO
- Enterprise Security Operations: DHS SOC
- Enterprise Identity Services: ICAM PMO
- Enterprise Datacenters: ITSO
- Policy Enforcement Points: OneNet
- Component Continuous Monitoring of End Point Devices: Component SOC
- Component Unique Trust Zones: Component CISO
- System Specific Controls: System Owner
Shared Accountability = Distributed Workload

Top 10 misconceptions about federal IT security, and the Top 10 truths about federal IT security
1. Misconception: Cyberspace is both a national asset and a war zone, and the Internet must be regulated for protection. Truth: Cyberspace is fundamentally a civilian space, one where we must all share responsibility within a participatory framework and where rules of behavior are clear, practical, and enforceable
2. Misconception: A future cyber attack could be equivalent to another Pearl Harbor, 9-11, or Katrina. Truth: Attacks manifest as lengthy campaigns vice single events
3. Misconception: Security is easy and fixes are trivial... if only folks will do the right thing. Truth: Security isn't trivial, and we must stop acting like it is
4. Misconception: We can solve everything with technology. Truth: In addition to technology controls, we must also ensure effective controls for facilities, management, operations, etc.
5. Misconception: We could solve everything given enough money. Truth: Assume attackers will be successful at least some of the time
6. Misconception: Continuous monitoring is a silver bullet. Truth: Continuous monitoring is only one element of defense-in-depth
7. Misconception: Consensus Audit Guidelines are good enough, because they stop 80% of all attacks. Truth: Simply put, the top 20% of threats, the APT, pose all the risk
8. Misconception: The NIST Risk Management Framework is too complicated to be of any real use. Truth: The Risk Management Framework is sound, but requires a comprehensive security architecture and accountability at all levels
9. Misconception: New legislation will fix the problem. Truth: As with FISMA I, implementation of FISMA 2 will remain key
10. Misconception: FISMA is nothing but a paperwork drill. Truth: Some limited paperwork is required to ensure accountability

Questions?
Robert West, Chief Information Security Officer
U.S. Department of Homeland Security, Office of the CIO
131 M Street, NE, Washington, DC 20528
(202) 35-6110
robert.west@dhs.gov