FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

Similar documents
10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Cyber Security Incident Response Fighting Fire with Fire

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

Building a Resilient Security Posture for Effective Breach Prevention

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Managed Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts

RSA NetWitness Suite Respond in Minutes, Not Months

Are we breached? Deloitte's Cyber Threat Hunting

Understanding the Changing Cybersecurity Problem

CYBER RESILIENCE & INCIDENT RESPONSE

Cyber Insurance: What is your bank doing to manage risk? presented by

Mitigating Risk with Ongoing Cybersecurity Risk Assessment. Scott Moser CISO Caesars Entertainment

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

Transforming Security from Defense in Depth to Comprehensive Security Assurance

MATURE YOUR CYBER DEFENSE OPERATIONS with Accenture s SIEM Transformation Services

Internet of Things Toolkit for Small and Medium Businesses

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Arbor Networks Spectrum. Wim De Niel Consulting Engineer EMEA

Cybersecurity in Higher Ed

Transformation in Technology Barbara Duck Chief Information Officer. Investor Day 2018

10 FOCUS AREAS FOR BREACH PREVENTION

Critical Hygiene for Preventing Major Breaches

Strategies for a Successful Security and Digital Transformation

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

RSA INCIDENT RESPONSE SERVICES

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

CYBERSECURITY MATURITY ASSESSMENT

RSA INCIDENT RESPONSE SERVICES

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Combating Cyber Risk in the Supply Chain

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

AGILE AND CONTINUOUS THREAT MODELS

Opening Doors to Cyber and Homeland Security Careers

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Cyber Resilience. Think18. Felicity March IBM Corporation

The Cyber Threat. Bob Gourley, Partner, Cognitio June 22, How we think. 1

OA Cyber Security Plan FY 2018 (Abridged)

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

2017 Annual Meeting of Members and Board of Directors Meeting

Critical Infrastructure Analysis and Protection - A Case for Secure Information Exchange. August 16, 2016

4/13/2018. Certified Analyst Program Infosheet

Must Have Items for Your Cybersecurity or IT Budget in 2018

Defensible and Beyond

RSA Cybersecurity Poverty Index

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Cybersecurity The Evolving Landscape

NEXT GENERATION SECURITY OPERATIONS CENTER

Defending Our Digital Density.

Attackers Process. Compromise the Root of the Domain Network: Active Directory

Business continuity management and cyber resiliency

Building a Threat Intelligence Program

CISO as Change Agent: Getting to Yes

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

Data Breach Preparedness & Response

Data Breach Preparedness & Response. April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

How Breaches Really Happen

PA TechCon. Cyber Wargaming: You ve been breached: Now what? April 26, 2016

WHITEPAPER ATTIVO NETWORKS DECEPTION TECHNOLOGY FOR MERGERS AND ACQUISITIONS

Cybersecurity. You have been breached; What Happens Next THE CHALLENGE FOR THE FINANCIAL SERVICES INDUSTRY

HOLISTIC NETWORK PROTECTION: INNOVATIONS IN SOFTWARE DEFINED NETWORKS

Cyber-Threats and Countermeasures in Financial Sector

Managing an Active Incident Response Case. Paul Underwood, COO

Incident Response Table Tops

THE EVOLUTION OF SIEM

Introduction to Threat Deception for Modern Cyber Warfare

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Gujarat Forensic Sciences University

California Cybersecurity Integration Center (Cal-CSIC)

What It Takes to be a CISO in 2017

Reducing the Cost of Incident Response

Building Resilience in a Digital Enterprise

AKAMAI CLOUD SECURITY SOLUTIONS

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

falanx Cyber Falanx Phishing: Measure your resilience

Operationalizing the Three Principles of Advanced Threat Detection

How to Improve Your. Cyber Health. Cybersecurity Ten Best Practices For a Healthy Network

Designing and Building a Cybersecurity Program

Agenda. Security essentials. Year in review. College/university challenges. Recommendations. Agenda RSM US LLP. All Rights Reserved.

Security & Phishing

Jeff Wilbur VP Marketing Iconix

CyberArk Privileged Threat Analytics

FOR FINANCIAL SERVICES ORGANIZATIONS

NISTCSF.COM. NIST Cybersecurity Framework (NCSF) Workforce Development Solutions

Triage & Collaboration. Improving a major bank s cyber threat security posture

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

CYBER FRAUD & DATA BREACHES 16 CPE s May 16-17, 2018

CROWDSTRIKE FALCON FOR THE PUBLIC SECTOR

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Cybersecurity is a Journey and Not a Destination: Developing a risk management culture in your business. Thursday, May 21, 2015

Protect Your Organization from Cyber Attacks

Transcription:

FTA 2017 SEATTLE Cybersecurity and the State Tax Threat Environment 1

Agenda Cybersecurity Trends By the Numbers Attack Trends Defensive Trends State and Local Intelligence What Can You Do? 2

2016: Who s a Target Other - 9% Biotechnology & Pharmaceuticals - 2% Education - 3% Construction & Engineering - 3% Energy - 4% Media & Entertainment - 5% Manufacturing - 5% 19% - Financial 13% - Retail & Hospitality Government - 9% Business & Professional Services - 9% 9% - Healthcare 10% - High Tech Other: Telecommunications, Transportation & Logistics, Nonprofit 3

2016: Dwell Time 99 47 Detection vs. Dwell Time DAYS Days Less Than 2015 Internal: 80 External: 107 4

Breach to Discovery Median time from breach to discovery is getting shorter but still remains too long 80 DAYS GLOBAL 35 DAYS AMERICAS 83 DAYS EMEA INTERNAL DISCOVERY 99 DAYS GLOBAL 99 DAYS AMERICAS 106 DAYS EMEA 172 DAYS APAC 107 DAYS GLOBAL 104 DAYS AMERICAS 128 DAYS EMEA EXTERNAL NOTIFICATION 5

M-TRENDS: Median Dwell Time 416 243 229 205 146 99 6

How Breaches Are Detected 53% INTERNAL DISCOVERY OF BREACH 47% EXTERNAL NOTIFICATION OF BREACH 7

M-TRENDS: External Notification vs. Internal Detection 2016 53% 47% 2015 47% 53% 2014 31% 69% 2013 33% 67% 2012 37% 63% 2011 6% 94% Internal notification of breach External discovery of breach 8

The Problem With Statistics Decreasing median dwell time is a good thing right? Time it takes a Mandiant Red Team to gain domain administrator privileges: ~ 3 Days Therefore, median dwell time of 99 days is 96 days too long 9

Attack Trends 10

Attack Trends Financial Crime - prior to 2013: Unsophisticated Loud and straight-forward Opportunistic Rudimentary toolkits (usually) Basic skills Since 2013, sophistication has been steadily increasing 2014 M-Trends: the lines are blurring between run-of-the-mill cyber criminals and advanced state-sponsored attackers Larger infrastructure, better toolsets, increased focus on persistence 11

Attack Trends 2016: The line between the level of sophistication of certain financial attackers and advanced state-sponsored attackers no longer exists Custom backdoors with unique, tailored configurations per target Increased infrastructure resiliency Counter-forensic techniques Increased interest in inter-banking networks & infrastructure ATMs 12

Attack Trends (cont.) Email has always been a major target 2016 showed an increase in interesting ways to access email Attackers were seen compromising accounts with multi-factor credentials 13

Attack Trends (cont.) Financial attackers tailor phishing email to specific client, location or employee Call victims to help them 14

Defensive and Emerging Trends 15

Adapting Foundational Defenses for the New Normal Increased focus and interest on advanced capabilities (Automation, Cyber Threat Intelligence, Threat Hunting) Difficult to apply advanced capabilities if the basics are not addressed Understanding what systems, applications, and data are critical to the business Complete infrastructure visibility. Network, endpoint, events Credential and privilege management / Multi-factor authentication everywhere and always Network segmentation & data segregation Foundational fundamentals should be re-evaluated regularly 16

Adapting Foundational Defenses for the New Normal Consequences of weak cyber security foundation: Alert overload Difficulty prioritizing threats Inadequate engineering support for new technology deployments Difficulty stopping or slowing attackers once they have a foothold These consequences lead to inefficient investments, lack of infrastructure control, and eventually compromise, data loss, and operational outages 17

Adapting Foundational Defenses for the New Normal Not everyone is failing at detection and response In 2016 multiple clients were successful at detecting and responding to Mandiant Red Teams The best time so far against a Mandiant Red is 12 minutes Common themes Small external threat surface Robust endpoint controls Skilled & empowered detection & response teams Defined and tested detection and response playbooks 18

Intelligence Led Security Threat Intelligence drives operations and decisions Mature from reactive defense to proactive threat hunting Continuously assessing, training, and integrating enables the Intelligence program to stay aligned and remain ahead of the next threat Threat Modeling Defensive Planning Threat Profile Automated Workflows Tactical Prioritization Schemes Response Efficiency Hunt Planning 19

Intelligence Led Security Cyber Threat Intelligence-led security programs have quickly moved from a bleeding edge practice embraced by a few to a capability sought by organizations of all sizes Tips for creating an intelligence led security program Design a strategy with threat landscape awareness Consider capability level of your program and the individuals charged with executing it Expose your resources to the realities they are likely to face in their daily jobs Update strategic plans to align with overall realities By creating such an innovative environment, you can stay ahead of the threat 20

State and Local Intelligence 21

State and Local Government Targeting Nation-state threat groups steal data, abuse assets Criminals access infrastructure or steal data ü Track 7 advanced threat groups that target state and local governments ü Penetrate networks to steal personally identifiable information (PII) or use infrastructure to attack other targets ü Steal tax return and bank account numbers for sale in underground criminal forums Hacktivists try to gain publicity for their cause ü Use hacking as a way to protest policy and embarrass governments 22

Observed Targeting Targeted Sectors City and Township Government Organizations Police Departments Departments of Transportation Departments of Finance/Tax/Revenue Targeted Assets Payroll Organization Directories Legal Documents Corporate Governance & Standard Operation Procedures Equipment Maintenance Records and Spec Financial/Tax Records

Case Study: Likely FIN1 Targets State and Local Governments Targeted a state s Department of Revenue Enterprise cyber criminal group that we track as FIN1 Group sent targeted spear-phishing emails to multiple state employees Actors compromised 44 systems through password dumping and lateral movement with compromised credentials Some of the stolen data included: ~75 GB of network data Millions unencrypted bank account numbers Millions tax returns SSNs for Millions dependents

Case Study: Intelligence in Action on FIN1 WHO ARE THEY? Financial Motivated Group 1 (FIN1) Tactic: Send targeted emails and password dumping tools Target: Department of Revenue Impact: Attackers accessed 44 systems and stole millions of tax records and bank account information REPORT PUBLISHED ON FIREEYE INTELLIGENCE CENTER Clients warned of operation via the FireEye Intelligence Center HOW DID WE FIND IT? State hires Mandiant for IR investigation Similar activity, methodology, and malware to previous FIN1 incidents INFORMS PRODUCT DETECTION Deployed IOC across all host-based systems IR INTELLIGENCE Gathered intelligence informs log analysis (e.g., terms, IPs, etc.) Additional intelligence cycled back into products 25

State and Local Governments Top 5

Leverage FireEye Threat Intelligence Tools / Malware Attacker Industry Cybersecurity and the State Tax Threat Environment

What Can You Do? 28

What you as directors/commissioners can do: What worked and didn t work? What can I do better? Communicate With you security team on a regular basis. Establish metrics for measurement. Learn Prevent What has been impacted? How do I recover Notification Respond Detect Evaluate what preventative measures you need for your data Customize for your controls (based on risk) IRS 1075 is just a start When something unusual happens Intelligence notification 29

What you as directors/commissioners can do: 1. Assign security to a team member (CISO or security director) 2. Establish a governance team (technical and business team members) for direction 3. Assess preventative controls 4. Evaluate detection and response capability capability 5. Test everything on a regular basis 30

Thank You Tim Hastings Director, Consulting Services Mobile: 1 (801) 580.4505 Email: tim.hastings@fireeye.com Web: http://www.mandiant.com 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback