Port of Seattle security presentation, David Morris

  • Key Takeaways: CIRC, SOC and SIEM are not always interchangeable terms. In some organizations their responsibilities are different and distinct.

    To address APTs, the security organization is faced with growing and changing responsibilities. First and foremost, the need for a CIRC capability has become evident in many organizations. Its responsibilities include identifying anomalies, predicting attacks and responding to incidents, which drives a need for additional intelligence. Traditional SOC responsibilities have included security help desk capabilities and the day-to-day administration of key technical controls, including firewalls, VPNs, access controls, AV, etc. Another key capability is SIEM; this is where many of the reports and alerts that are so important to the CIRC originate.

    Click: What does all this mean for you sitting here today? It means different stakeholders may have new and different needs, but a unified strategy is needed to deal with new threats.

    Click: Traditional responsibilities across the board are undergoing review. This is more than just updating technical responsibilities and controls; it requires updating our business and operations models to deal with new enterprise dimensions.
  • The first step in this attack was phishing, or more accurately "spear phishing," meaning that the attack targets specific people.
  • The zero-day attack in this case was launched when one user opened the email. The zero day then installed a backdoor (a variant of the Poison Ivy remote access Trojan), which immediately set about reconnaissance and cultivation. It is important to note as well that the attacker was creating layers of resilience and making maximum use of the window of exposure.
  • The zero day installs a backdoor, which immediately sets about reconnaissance and cultivation. During this time the attacker creates layers of resilience and makes maximum use of the window of exposure.
  • The attacker encrypts sensitive files found on the critical server and transfers them out via FTP. These attacks are focused and coherent: the timing is choreographed and the attacker moves rapidly and unerringly. They know what to get and the order to get items in. This type of attack can take months or perhaps years of preparation prior to staging the attack itself. It reflects an ability to move with exacting precision.

    1. Cyber Security Threats and What You Can Do
    2. Agenda
       • Threat History
       • Current Threats
       • Breakdown of a Common Attack
       • What You Can Do
         – Incident Response
         – Resources Available
    3. CTS Security Operations Center
       Provides centralized information sharing, monitoring, and analysis of Washington State security posture while mitigating risk and minimizing incident exposure.
       • Alerting
       • Risk Analysis
       • Incident Response
       • Vulnerability Management
       • Education and Awareness
       Awareness Test: http://www.youtube.com/watch?v=oSQJP40PcGI
    4. Cyber Security in the News
    5. 1999 Threat – Melissa
       • Sent copies of an infected Word document to up to 50 people
       • No damage to computers or files
       • Overwhelmed mail servers
       http://www.cert.org/advisories/CA-1999-04.htm
    6. 2003 Threat – Slammer
       • SQL Server stack buffer overflow vulnerability
       • Code execution at System user level
       http://www.cert.org/advisories/CA-2003-04.htm
    7. 2008 Threat – Conficker
       • Windows Server service vulnerability
       • Multiple variants
       • Quickly took over millions of computers
       • Disabled Windows services
       • Locked out users
    8. Today's Threats
       Persistent
       • 44% increase in breach incidents 2010-11 across multiple verticals (Source: Ponemon Institute, 2011)
       Sophisticated
       • Use of advanced techniques and tactics points to growing nation-state sponsorship and resourcing
       Targeted
       • Shift to targeting of commercial sectors and government supply-chain providers
       • Larger attack surface
       • Consumerization of IT with pervasive use of social media, mobile devices, big data and cloud infrastructures
    9. What I See at WA State
       Reporting Period: 1Q 2013
    10. What I Deal With
       Reporting Period: 3/1/13 – 3/15/13
       • Web site defacement by Turkish Muslim group
       • Attempted breach of VPN account
       • Multiple workstations attempting to communicate with Zeus command and control servers
       • Web server participating in DDoS attack against a foreign national
       • Multiple workstations attempting to communicate with ZeroAccess command and control servers
       • Web site content management server software exploited
       • Anomalous traffic at agency firewall indicating insider threat
       • Open mail relay detected
       • Multiple SQL injection attempts against web application
       • Penetration test erroneously configured, causing alerts
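Several items on this slide (workstations talking to Zeus and ZeroAccess command-and-control servers) are the kind of finding a SOC produces by matching egress logs against an indicator list and looking for beaconing, that is, connections to one destination at near-constant intervals. The following Python is an added example and is not part of the presentation or of CTS tooling; the log format, the addresses and the indicator list are constructed for illustration (documentation-range addresses, not real infrastructure).

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed indicator list (placeholder addresses, not real C2 infrastructure).
KNOWN_C2 = {"203.0.113.10", "198.51.100.77"}

# Constructed firewall log lines: "timestamp src dst dport action".
SAMPLE_LOG = """\
2013-03-04T09:00:00 10.1.4.22 203.0.113.10 443 ALLOW
2013-03-04T09:05:00 10.1.4.22 203.0.113.10 443 ALLOW
2013-03-04T09:10:00 10.1.4.22 203.0.113.10 443 ALLOW
2013-03-04T09:15:00 10.1.4.22 203.0.113.10 443 ALLOW
2013-03-04T09:01:13 10.1.4.35 192.0.2.50 80 ALLOW
2013-03-04T09:07:44 10.1.4.35 192.0.2.51 80 ALLOW
2013-03-04T09:30:02 10.1.4.35 192.0.2.50 443 ALLOW
2013-03-04T10:00:00 10.1.4.40 192.0.2.99 8080 ALLOW
2013-03-04T10:20:00 10.1.4.40 192.0.2.99 8080 ALLOW
2013-03-04T10:40:00 10.1.4.40 192.0.2.99 8080 ALLOW
2013-03-04T11:00:00 10.1.4.40 192.0.2.99 8080 ALLOW
2013-03-04T11:20:00 10.1.4.40 192.0.2.99 8080 ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort triage
        ts, src, dst, dport, _action = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def find_suspects(events, min_hits=4, max_jitter=0.2):
    """Return {(src, dst): reason} for pairs that either hit a known indicator
    or beacon: at least min_hits connections whose inter-arrival times have a
    coefficient of variation (stdev / mean) no larger than max_jitter."""
    by_pair = defaultdict(list)
    for ts, src, dst, _dport in events:
        by_pair[(src, dst)].append(ts)

    suspects = {}
    for pair, stamps in by_pair.items():
        if pair[1] in KNOWN_C2:
            suspects[pair] = "known C2 indicator"
            continue
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspects[pair] = f"beaconing every ~{avg:.0f}s ({len(stamps)} hits)"
    return suspects


if __name__ == "__main__":
    for (src, dst), why in sorted(find_suspects(parse_log(SAMPLE_LOG)).items()):
        print(f"{src} -> {dst}: {why}")
```

The workstation hitting a listed address is reported on the indicator alone; the third workstation is reported only because its five connections to an unlisted host arrive exactly 20 minutes apart, which is the signal the indicator list cannot give you for new infrastructure. In production the jitter threshold needs tuning, since legitimate software update checks also beacon on a schedule.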
    11. The Age of the APT
       Advanced Persistent Threats: sophisticated attacks and well-resourced adversaries.
       Diagram labels:
       • Nation State Actors
       • Cyber Criminals
       • Open Source Intelligence Collection
       • Foreign Nationals
       • Black Markets
       • Non-Nation State Sub-Contractors
       • Supply Chain Tampering
       • Third Countries
    12. Common Attack – Phishing emails
       A member of your staff receives a phishing email, which may be personalized to attract their interest.
    13. Drive-by download
       The employee clicks on the link and gets infected by a Trojan from a drive-by download.
    14. Adversary uses machine to gain access to internal network systems
       • Trojan installs a backdoor which allows a reverse connection to the infected machine
       • Hacker dumps the password hash and gains access to a critical server via RDP
    15. Data ex-filtration
       Attacker encrypts sensitive files found on the critical server and transfers out data.
    16. Attack Anatomy – Phishing emails
       • Discovery of company email addresses (Jigsaw)
       • Come up with a scenario (OWA upgrade, security alert)
       • Build phishing message (save .html file locally; use a kit such as SET)
       • Set up a real temporary domain
       • Monitor effectiveness with scripts
    17. Drive-by download
       • Packing utilities / Metasploit / BackTrack
       • Alternately, purchase an SDK and sign the executable so that it is trusted
       • Test the executable or payload with free antivirus packages (Microsoft Security Essentials, AVG)
       • Await acknowledgement response from machine
    18. Adversary uses machine to gain access to internal network systems (RDP)
       • Passwords enumerated and cracked
       • Mapping of other network devices
       • Active Directory queries
       • Access attempts with credentials
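The lateral-movement step on slides 14 and 18 (cracked credentials, then RDP into a critical server) leaves a trail in the Windows Security log: event 4624 with logon type 10 (RemoteInteractive) on each host the adversary reaches. The following Python is an added example, not part of the presentation, showing two checks a SOC can run over those events: one account opening RDP sessions to several hosts in a short window, and any RDP session to a critical server from a source other than the sanctioned jump host. The event records, host names, addresses and the jump-host and critical-server lists are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory for the example.
CRITICAL_SERVERS = {"FS-01", "DB-01"}
ADMIN_JUMP_HOSTS = {"10.1.9.5"}  # the only sanctioned RDP source for critical servers

# Constructed Windows Security log entries, reduced to the fields the rules need.
# EventID 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    # jdoe: a single ordinary RDP session from a workstation to a dev box
    {"time": "2013-03-12T09:00:00", "event_id": 4624, "logon_type": 10, "user": "jdoe", "target": "DEV-07", "src_ip": "10.1.4.35"},
    # svc_backup: logon type 3 (network share access), not RDP, so ignored
    {"time": "2013-03-12T09:05:00", "event_id": 4624, "logon_type": 3, "user": "svc_backup", "target": "FS-01", "src_ip": "10.1.9.5"},
    # admin: sanctioned RDP from the jump host to a critical server
    {"time": "2013-03-12T10:00:00", "event_id": 4624, "logon_type": 10, "user": "admin", "target": "FS-01", "src_ip": "10.1.9.5"},
    # hd_tech: a help-desk account hopping across four hosts in twelve minutes
    # from a workstation, ending on a critical database server
    {"time": "2013-03-12T13:00:10", "event_id": 4624, "logon_type": 10, "user": "hd_tech", "target": "WS-0142", "src_ip": "10.1.4.22"},
    {"time": "2013-03-12T13:03:40", "event_id": 4624, "logon_type": 10, "user": "hd_tech", "target": "WS-0156", "src_ip": "10.1.4.22"},
    {"time": "2013-03-12T13:07:05", "event_id": 4624, "logon_type": 10, "user": "hd_tech", "target": "DEV-07", "src_ip": "10.1.4.22"},
    {"time": "2013-03-12T13:12:30", "event_id": 4624, "logon_type": 10, "user": "hd_tech", "target": "DB-01", "src_ip": "10.1.4.22"},
]


def rdp_logons(events):
    """Keep only successful RDP logons, ordered by time (ISO strings sort correctly)."""
    return sorted(
        (e for e in events if e["event_id"] == 4624 and e["logon_type"] == 10),
        key=lambda e: e["time"],
    )


def detect_lateral_rdp(events, window=timedelta(minutes=30), min_hosts=3):
    """Return alert dicts for (a) RDP into a critical server from an
    unsanctioned source and (b) one account reaching min_hosts or more
    distinct hosts over RDP within a sliding window."""
    alerts = []
    by_user = defaultdict(list)

    for e in rdp_logons(events):
        if e["target"] in CRITICAL_SERVERS and e["src_ip"] not in ADMIN_JUMP_HOSTS:
            alerts.append({"rule": "critical-server-rdp", "user": e["user"],
                           "src_ip": e["src_ip"], "target": e["target"]})
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["target"]))

    for user, sessions in by_user.items():
        # Slide the window forward from each session; report the first window
        # that fans out to enough distinct hosts, once per account.
        for i, (t0, _) in enumerate(sessions):
            hosts = {host for t, host in sessions[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "rdp-fan-out", "user": user, "hosts": sorted(hosts)})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_lateral_rdp(SAMPLE_EVENTS):
        print(a)
```

The fan-out rule deliberately ignores the source address: once the adversary has a foothold on one machine, later hops may originate from any host already taken, so the account is the stable pivot to count on. The jump-host rule is only as good as the inventory behind CRITICAL_SERVERS and ADMIN_JUMP_HOSTS, which is the point slide 22 makes about knowing the priority of your assets.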
    19. Data ex-filtration
       • Data is compressed
       • Data is encrypted and sent over a common port such as 80 or 443
       • Transmission is rate-limited to avoid detection
       • Data is used for criminal purposes or to damage reputation
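Because the exfiltration described on this slide is compressed, encrypted and rate-limited over 80 or 443, neither content inspection nor a simple bandwidth spike will catch it. What does stand out in flow data is the shape of the traffic: a long-lived relationship between one internal host and one external address that is heavily upload-biased, large in total, but slow. The following Python is an added example, not part of the presentation; the NetFlow-style records, addresses, allow-list and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records: (start, end, src, dst, dport, bytes_out, bytes_in).
SAMPLE_FLOWS = [
    # Ordinary browsing: short and download-heavy.
    ("2013-03-10T08:00:00", "2013-03-10T08:00:05", "10.1.7.15", "192.0.2.20", 443, 4_000, 250_000),
    ("2013-03-10T08:03:00", "2013-03-10T08:03:02", "10.1.7.15", "192.0.2.21", 80, 1_200, 80_000),
    # Rate-limited upload to one external host over 443, 60 MB per hour, overnight.
    ("2013-03-10T01:00:00", "2013-03-10T02:00:00", "10.1.7.30", "203.0.113.5", 443, 60_000_000, 120_000),
    ("2013-03-10T02:00:00", "2013-03-10T03:00:00", "10.1.7.30", "203.0.113.5", 443, 60_000_000, 118_000),
    ("2013-03-10T03:00:00", "2013-03-10T04:00:00", "10.1.7.30", "203.0.113.5", 443, 60_000_000, 121_000),
    # Legitimate bulk upload: fast, to a sanctioned backup host (allow-listed below).
    ("2013-03-10T02:30:00", "2013-03-10T02:32:00", "10.1.7.40", "192.0.2.200", 443, 900_000_000, 50_000),
]

# Constructed allow-list of destinations that are expected to receive bulk uploads.
ALLOWED_UPLOAD_DESTS = {"192.0.2.200"}


def flag_slow_exfil(flows, web_ports=(80, 443), min_total_out=100_000_000,
                    min_ratio=50.0, min_duration_s=3600, max_rate_bps=500_000):
    """Aggregate flows per (src, dst) on web ports and report pairs that are
    large (>= min_total_out bytes out), upload-biased (out/in >= min_ratio),
    long-lived (>= min_duration_s) and slow (average <= max_rate_bps)."""
    agg = defaultdict(lambda: {"out": 0, "in": 0, "first": None, "last": None})
    for start, end, src, dst, dport, b_out, b_in in flows:
        if dport not in web_ports or dst in ALLOWED_UPLOAD_DESTS:
            continue
        s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
        a = agg[(src, dst)]
        a["out"] += b_out
        a["in"] += b_in
        a["first"] = s if a["first"] is None or s < a["first"] else a["first"]
        a["last"] = e if a["last"] is None or e > a["last"] else a["last"]

    findings = []
    for (src, dst), a in agg.items():
        duration = (a["last"] - a["first"]).total_seconds()
        if duration < min_duration_s or a["out"] < min_total_out:
            continue
        ratio = a["out"] / max(a["in"], 1)      # upload bias; guard against zero bytes in
        rate_bps = a["out"] * 8 / duration       # average bit rate over the whole relationship
        if ratio >= min_ratio and rate_bps <= max_rate_bps:
            findings.append({"src": src, "dst": dst, "bytes_out": a["out"],
                             "duration_s": duration, "avg_bps": round(rate_bps)})
    return findings


if __name__ == "__main__":
    for f in flag_slow_exfil(SAMPLE_FLOWS):
        print(f)
```

The slow-rate ceiling is what separates this from a plain "top talkers" report: a transfer that is throttled to stay under per-minute bandwidth alarms is exactly the one that accumulates a large total over hours. The allow-list handles sanctioned bulk uploads such as backups, which would otherwise dominate the results.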
    20. Recommendations
       1. Build a strong security foundation
       2. Have an Incident Response Plan ready
       3. Know who to call
    21. Build a Security Foundation
       • SANS Top 20 Controls
       • Australia DOD Mitigations
       • NIST Guidelines
    22. Develop Incident Response Mechanisms
       • Have a plan
         – NIST 800-61 Rev. 2
       • Know the priority of your assets
       • Exercise your plan
         – 15-minute tabletops
         – Functional exercise every 6 months
       • Recognize that in many cases you will not be able to contain the incident yourself
    23. Establish Partnerships
       • MS-ISAC
         – Forensic analysis
         – Log analysis
         – Malware reverse engineering and disassembly
         – Vulnerability scanning (application and host)
       • FBI Cyber Task Force (CTF)
         – Incident response
         – Threat assessment
         – Information sharing
       • EMD
         – Significant cyber event response
    24. Questions
