Monthly Cyber Threat Briefing
January 2016

Presenters
- David Link, PM Risk and Vulnerability Assessments, NCATS
- Ed Cabrera, VP Cybersecurity Strategy, Trend Micro
- Jason Trost, VP Threat Research, ThreatStream
- Steve Penn, Sr. Director CSF Education, HITRUST
NCCIC/US-CERT: NATIONAL CYBERSECURITY ASSESSMENTS AND TECHNICAL SERVICES CAPABILITY BRIEF
NCATS Program Overview
- Offers full-scope red team/penetration testing capabilities through two primary programs: Risk and Vulnerability Assessment (RVA) and Cyber Hygiene
- Focus is on proactive engagements with stakeholders to improve their cybersecurity posture, limit exposure, and reduce rates of exploitation
- Offers a full suite of tailored threat, vulnerability and risk assessment services and penetration testing capabilities to stakeholders
- Acts as a trusted advisor and provides independent review and recommendations for cybersecurity improvement
Objectives and Benefits
- Provide enhanced situational awareness and data visibility to leadership
- Types of information: vulnerabilities, mitigations, operating systems, applications, trending and comparison data (Federal, SLTT, PS)
Stakeholder Groups
- Federal Civilian Executive Branch
- State, Local, Tribal, Territorial Government (SLTT)
- Private Sector (PS)
- Unclassified / Business Networks

Cyber Hygiene: mandatory for Federal, optional for SLTT and PS
Risk and Vulnerability Assessments: optional for Federal, SLTT and PS

FY15 Current Stakeholders
Service       | Fed | SLTT | PS | Total
RVA           |  24 |   10 | 12 |    46
Cyber Hygiene | 126 |   41 | 33 |   200
Services and Capabilities
Service                             | Description                                                                                                      | Internal/External to Customer Network | Program
Vulnerability Scanning              | Conduct vulnerability assessments                                                                                | Both                                  | Cyber Hygiene/RVA
Penetration Testing                 | Exploit weakness or test responses in systems, applications, network and security controls                      | Both                                  | RVA
Social Engineering                  | Crafted e-mail at targeted audience to test security awareness / used as an attack vector to internal network     | External                              | RVA
Wireless Discovery & Identification | Identify wireless signals (to include identification of rogue wireless devices) and exploit access points        | Internal                              | RVA
Web Application Scanning and Testing| Identify web application vulnerabilities                                                                         | Both                                  | Cyber Hygiene/RVA
Database Scanning                   | Security scan of database settings and controls                                                                  | Internal                              | RVA
Operating System Scanning           | Security scan of operating system to do compliance checks (e.g. FDCC/USGCB)                                      | Internal                              | RVA
RVA Process
Pre-ROE
- Agency contacted
- Briefed on NCATS services
- Service is requested
- Schedule confirmed
- ROE distributed / agency signs ROE

Pre-Assessment (minimum 2 weeks)
- Pre-assessment package distributed
- Receive completed pre-assessment package
- Conduct pre-assessment teleconference
- Receive pre-assessment artifacts (1 week)

Assessment (2 weeks)
- Off-site assessment activities
- On-site assessment activities

Reporting (3 weeks)
- Draft report started/completed
- Submit draft report to agency
- Receive draft report with agency comments
- Q&A process started/completed

Post-Assessment (1 week)
- Final draft completed
- Final report delivered to customer
- Assessment out-brief
Cyber Hygiene Activities
Scanning
- Identify active hosts, operating systems and services
- Vulnerabilities and weaknesses
- Common configuration errors
- Improperly signed domains
- Expired SSL certificates
- Understand how external systems and infrastructure appear to potential attackers

Past and Present Use
- Federal response to Heartbleed
- OMB M-15-01: identification of publicly available vulnerabilities
- DHS Binding Operational Directive
- Individual stakeholder persistent scans and exposure status
- 2800+ reports delivered this fiscal year
- 185 stakeholders and growing
Technical Output: Sample Snapshots

Questions? NCATS_INFO@hq.dhs.gov
TREND MICRO: DEEP DISCOVERY VARIOUS HEALTH PROVIDER FINDINGS
Total Point of Entry Detections: 1 Month Period
Health Provider | Detections
A               |      5100
B               |      1747
C               |       581
D               |      1925
E               |    945510
F               |      7905
Point of Entry Example: Healthcare A

Top Malware Detected Example: Healthcare B

Multi-Staged Example: Healthcare C

Ransomware Example: Healthcare D

Malicious Flash Result Example: Healthcare E
Trend Micro Threat Connect
Trend Micro Threat Connect assisted with the removal of this and many other forms of malware.
Questions?

Backup Slide
THREATSTREAM: EXTORTION TRENDS IN CYBER
Cyber Extortion
- Cyber: of, relating to, or involving computers or computer networks (as the Internet). (Merriam-Webster)
- Extortion: the crime of getting money from someone by the use of force or threats. (Merriam-Webster)
Ransomware

Mitigating Ransomware
- Traditional antivirus
- Network IDS / IPS
- Web filtering
- Workstation restrictions
- Policy
- Employee education
DDoS Extortion
Typical sequence of events:
1. Initial ransom email
2. Brief DDoS attack
3. Follow-up ransom email
4. Additional DoS activity
[Example DDoS Extortion Events]
Mitigating DDoS Extortion
- Traditional DoS mitigation strategies
- Identifying potential threat emails
- Public web monitoring
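The "identifying potential threat emails" mitigation pairs naturally with the sequence on the DDoS Extortion slide (ransom email, brief demonstration attack, follow-up email). The following is an added example, not code from ThreatStream or from this deck: it scores inbound mail against constructed extortion indicators and correlates suspicious messages with inbound traffic spikes that follow them. The emails, the traffic observations, the indicator weights, the threshold and the Bitcoin-style address in the sample are all constructed for illustration.

```python
"""Triage inbound mail for DDoS-extortion indicators and correlate with traffic spikes.

Added example; not from the ThreatStream deck. Emails, traffic observations,
indicator weights and threshold are all constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed indicator list: (name, pattern, weight). The address pattern is the
# legacy Base58 form; amounts and deadlines are matched loosely on purpose.
INDICATORS = [
    ("dos_threat", re.compile(r"\b(ddos|denial of service|take (your )?(site|network) (down|offline))\b", re.I), 3),
    ("ransom_demand", re.compile(r"\b(pay|payment|ransom|fee)\b", re.I), 1),
    ("crypto_amount", re.compile(r"\b\d+(\.\d+)?\s*(btc|bitcoin)s?\b", re.I), 2),
    ("btc_address", re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"), 2),
    ("deadline", re.compile(r"\b(\d+\s*(hours?|days?)|deadline|before)\b", re.I), 1),
    ("demonstration", re.compile(r"\b(small|brief|short|demo(nstration)?)\b.*\b(attack|test)\b", re.I), 2),
]
THRESHOLD = 5  # constructed: total weight at which a message is escalated

SAMPLE_EMAILS = [  # constructed messages; the address below is not a real wallet
    {"id": "m1", "received": "2016-01-12T08:55:00",
     "body": "We will DDoS your network unless you pay 20 BTC to "
             "1Examp1eAddrConstructedDemoNotRea1x within 48 hours. "
             "A small attack today is a demonstration."},
    {"id": "m2", "received": "2016-01-12T10:00:00",
     "body": "Reminder: your payment for invoice 1042 is due before Friday."},
]

SAMPLE_TRAFFIC = [  # constructed (timestamp, inbound Mbps) observations
    ("2016-01-12T08:50:00", 120), ("2016-01-12T09:00:00", 130),
    ("2016-01-12T09:10:00", 2900), ("2016-01-12T09:20:00", 140),
]


def score_email(body):
    """Return the matched indicator names, their summed weight and the verdict."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(body)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"score": score, "indicators": hits, "suspicious": score >= THRESHOLD}


def traffic_spikes(observations, factor=10.0):
    """Timestamps where inbound volume is >= factor times the running baseline."""
    spikes, baseline = [], []
    for ts, mbps in observations:
        if baseline and mbps >= factor * (sum(baseline) / len(baseline)):
            spikes.append(datetime.fromisoformat(ts))  # spike is excluded from baseline
        else:
            baseline.append(mbps)
    return spikes


def correlate(emails, spikes, window_hours=24):
    """Pair suspicious emails with DoS spikes that follow within the window."""
    matches = []
    for m in emails:
        if not score_email(m["body"])["suspicious"]:
            continue
        t0 = datetime.fromisoformat(m["received"])
        for s in spikes:
            if t0 <= s <= t0 + timedelta(hours=window_hours):
                matches.append((m["id"], s.isoformat()))
    return matches


if __name__ == "__main__":
    for m in SAMPLE_EMAILS:
        print(m["id"], score_email(m["body"]))
    print("correlated:", correlate(SAMPLE_EMAILS, traffic_spikes(SAMPLE_TRAFFIC)))
```

A message that crosses the threshold is only a triage hint for the SOC; the correlation step is what turns "someone emailed a threat" into "the demonstration attack in the email actually happened", which is the point at which DoS mitigation and law-enforcement contact should be engaged rather than payment.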
Extortion With Breach Data
- Targeting organizations
- Targeting individuals

Mitigating Extortion With Breach Data
- Policy
- Employee education
- Review public breach data

Monetizing
HITRUST: THREAT CORRELATION REPORT
CSF Controls Related to Threats
CSF Control for Suspicious IP Addresses, Command and Control, Infection Vectors
Control Reference: *01.i Policy on the Use of Network Services
Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.
Implementation Requirement: The organization shall specify the networks and network services to which users are authorized access.
CSF Controls Related to Threats
CSF Control for Employee Education
Control Reference: *02.e Information Security Awareness, Education and Training
Control Text: All employees of the organization and contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
Implementation Requirement: Awareness training shall commence with a formal induction process designed to introduce the organization's security and privacy policies, state and federal laws, and expectations before access to information or services is granted and no later than 60 days after the date the employee is hired. Ongoing training shall include security and privacy requirements (e.g., objective, scope, roles and responsibilities, coordination, compliance, legal responsibilities and business controls).
CSF Controls Related to Threats
CSF Control for Monitoring System Use (network monitoring)
Control Reference: *09.ab Monitoring System Use
Control Text: Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly.
Implementation Requirement: The organization shall employ automated tools to support near real-time analysis of events and maintain an audit log to track prohibited sources and services. Inbound and outbound communications shall be monitored at an organization-defined frequency for unusual or unauthorized activities or conditions.
CSF Controls Related to Threats
CSF Control for Network Security Management (network monitoring)
Control Reference: *09.m Network Controls
Control Text: Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit.
Implementation Requirement: Technical controls shall be implemented to safeguard the confidentiality and integrity of covered information passing over the organization's network and to/from public networks. Technical tools and solutions shall be implemented and used to identify the vulnerabilities and mitigate the threats, including intrusion detection system (IDS) and vulnerability scanning. The organization shall employ tools and techniques, such as an IDS, to monitor events on the information system, detect attacks, and provide identification of unauthorized use of the system.
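Controls 01.i (users reach only authorized network services), 09.ab (automated near-real-time analysis of inbound and outbound communications, with an audit log of prohibited sources and services) and 09.m (IDS-style monitoring to detect attacks) all reduce to the same operational task: compare observed connections against an authorization policy and flag what falls outside it. The following is an added example, not HITRUST's code or anything from the deck. It runs three of those checks over constructed firewall log lines: destinations on a prohibited list, outbound services the policy does not authorize, and flows that recur at near-constant intervals (the beaconing pattern typical of command-and-control traffic). The log format, the authorized-service policy, the blocklist addresses (taken from documentation ranges) and the jitter threshold are all constructed.

```python
"""Flag unauthorized, prohibited or beacon-like outbound connections in firewall logs.

Added example; not from HITRUST or this deck. Log format, policy, blocklist and
thresholds are all constructed. Each log line is 'timestamp src dst dport action'.
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed policy in the spirit of CSF 01.i: external services users may reach.
AUTHORIZED_SERVICES = {443: "https", 80: "http", 53: "dns", 25: "smtp"}
# Constructed prohibited-destination list (documentation address, not a real IoC).
BLOCKLIST = {"203.0.113.77"}
INTERNAL_PREFIX = "10.0."  # constructed: what counts as an internal source

# Constructed log sample; documentation ranges (198.51.100/24, 203.0.113/24) only.
SAMPLE_LOG = """\
2016-01-12T09:00:00 10.0.1.15 198.51.100.10 443 ALLOW
2016-01-12T09:00:05 10.0.1.15 198.51.100.10 443 ALLOW
2016-01-12T09:01:00 10.0.1.22 203.0.113.77 443 ALLOW
2016-01-12T09:02:00 10.0.1.30 198.51.100.20 6667 ALLOW
2016-01-12T09:05:00 10.0.1.40 198.51.100.33 8443 ALLOW
2016-01-12T09:10:00 10.0.1.40 198.51.100.33 8443 ALLOW
2016-01-12T09:15:00 10.0.1.40 198.51.100.33 8443 ALLOW
2016-01-12T09:20:00 10.0.1.40 198.51.100.33 8443 ALLOW
2016-01-12T09:25:00 10.0.1.40 198.51.100.33 8443 ALLOW
"""


def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "action": action}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def flag_events(events):
    """Per-connection checks: prohibited destination, unauthorized service (01.i / 09.ab)."""
    findings = []
    for e in events:
        if not e["src"].startswith(INTERNAL_PREFIX):
            continue  # only outbound traffic from internal hosts is in scope here
        if e["dst"] in BLOCKLIST:
            findings.append(("blocklisted_destination", e["src"], e["dst"], e["dport"]))
        if e["dport"] not in AUTHORIZED_SERVICES:
            findings.append(("unauthorized_service", e["src"], e["dst"], e["dport"]))
    return findings


def find_beacons(events, min_count=5, max_jitter_s=30.0):
    """Flows (src, dst, port) that recur at near-constant intervals (09.m: detect C2-like beaconing).

    Returns a list of (flow, mean_interval_seconds). Low standard deviation of the
    inter-arrival gaps is the signal; thresholds are constructed for this sample.
    """
    by_flow = defaultdict(list)
    for e in events:
        by_flow[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    beacons = []
    for flow, times in by_flow.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_s:
            beacons.append((flow, sum(gaps) / len(gaps)))
    return beacons


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for f in flag_events(evts):
        print("finding:", f)
    for flow, interval in find_beacons(evts):
        print("beacon:", flow, "every", interval, "s")
```

Running this on the sample yields seven per-connection findings (one blocklisted destination, six connections to ports outside the authorized service list) and one beacon: the 10.0.1.40 host contacting the same destination on 8443 exactly every 300 seconds. In production the audit log that 09.ab requires is the `findings` list persisted with its timestamps; the beacon check needs a longer window and a jitter tolerance tuned to the environment, since legitimate agents (update checks, monitoring probes) also poll on fixed schedules.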
CSF Controls Related to Threats
CSF Control for Malicious Attachments
Control Reference: *09.j Controls Against Malicious Code
Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.
Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.
CSF Controls Related to Threats
CSF Control for Removable Media
Control Reference: *09.o Management of Removable Media
Control Text: Formal procedures shall be documented and implemented for the management of removable media.
Implementation Requirement: The organization shall formally establish and enforce controls for the management of removable media and laptops, including restrictions on the type of media and usage, and registration of certain types of media including laptops. (Disable autorun; sanitize media before connecting.)
CSF Controls Related to Threats
CSF Control for Vulnerability Patching (Top Exploits)
Control Reference: *10.m Control of Technical Vulnerabilities
Control Text: Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.
Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within
Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.
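Control 10.m's implementation requirement names the data a patch programme actually runs on: vendor, product, version, and where each copy is deployed. The following is an added example, not HITRUST's code or anything from the deck, showing the evaluation step the control describes: a software inventory is matched against vendor advisories with affected-version ranges, and the vulnerable installs are ranked so that internet-facing systems are patched first. The inventory, the advisories, their placeholder identifiers (ADV-PLACEHOLDER-*), the severity values and the exposure multiplier are all constructed; real advisories carry their own identifiers and CVSS scores.

```python
"""Match a software inventory against advisories to prioritize patching (CSF 10.m).

Added example; not from HITRUST or this deck. Inventory, advisories, their
placeholder IDs and the weighting are all constructed.
"""
import re


def parse_version(v):
    """'4.10.2-beta' -> (4, 10, 2); numeric segments only, compared left to right."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_affected(version, affected_ranges):
    """affected_ranges: list of (min_inclusive, max_exclusive); None means unbounded."""
    pv = parse_version(version)
    for lo, hi in affected_ranges:
        if (lo is None or pv >= parse_version(lo)) and (hi is None or pv < parse_version(hi)):
            return True
    return False


# Constructed inventory: vendor, product, version, host, whether the host is internet-facing.
INVENTORY = [
    {"vendor": "ExampleSoft", "product": "WebFront", "version": "2.3.1", "host": "web01", "exposed": True},
    {"vendor": "ExampleSoft", "product": "WebFront", "version": "2.4.0", "host": "web02", "exposed": True},
    {"vendor": "OtherVendor", "product": "DBServer", "version": "11.2", "host": "db01", "exposed": False},
    {"vendor": "OtherVendor", "product": "DBServer", "version": "11.5", "host": "db02", "exposed": False},
]

# Constructed advisories with placeholder IDs; 'affected' holds [min, max) version pairs.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "vendor": "ExampleSoft", "product": "WebFront",
     "affected": [("2.0", "2.4.0")], "severity": 9.0, "fixed_in": "2.4.0"},
    {"id": "ADV-PLACEHOLDER-2", "vendor": "OtherVendor", "product": "DBServer",
     "affected": [(None, "11.3")], "severity": 6.5, "fixed_in": "11.3"},
]


def find_exposure(inventory, advisories):
    """Return one record per vulnerable install, highest priority first."""
    results = []
    for item in inventory:
        for adv in advisories:
            if (item["vendor"], item["product"]) != (adv["vendor"], adv["product"]):
                continue
            if is_affected(item["version"], adv["affected"]):
                # Constructed weighting: internet-facing hosts are patched before internal ones.
                priority = adv["severity"] * (2.0 if item["exposed"] else 1.0)
                results.append({"host": item["host"], "advisory": adv["id"],
                                "installed": item["version"], "fixed_in": adv["fixed_in"],
                                "priority": priority})
    return sorted(results, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for r in find_exposure(INVENTORY, ADVISORIES):
        print(f'{r["host"]}: {r["advisory"]} installed {r["installed"]}, '
              f'fixed in {r["fixed_in"]}, priority {r["priority"]}')
```

The version parser deliberately ignores non-numeric suffixes, which is adequate for the dotted schemes most vendors use but not for every product; where a vendor publishes its own ordering rules (build strings, date-based releases), the comparison has to follow those rules or the "exposure evaluated" step in 10.m silently produces false negatives.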
QUESTIONS?

Visit for more information. To view our latest documents, visit the Content Spotlight.