Incident handling of cyber espionage
Incident handling of intrusions related to cyber espionage operations is a complex and challenging task. As a national CERT with a unique national early warning detection system, NSM NorCERT has detected and responded to incidents that vary from traditional incident response and abuse handling to counter-intelligence operations. Based on some real-world examples, this talk will be about incident handling of cyber espionage intrusions. What are the most common pitfalls and how can companies be better prepared?


  1. Incident handling of cyber espionage
     SINTEF ICT, The Honeynet Project Workshop 2015
     Marie Moe, Ph.D., Researcher at SINTEF
  2. Agenda
     • Threats and trends
     • Case studies with examples from real incidents
     • Incident handling
  3. About me
     § Research scientist at SINTEF
     § Associate Professor II at HiG (20%)
     § MSc in Mathematics
     § PhD in Information Security
     § GIAC certified Incident Handler
     § Previously working for NSM NorCERT
     Photo: Robert McPherson, Aftenposten
  4. [Figure: threat categories (Espionage, Sabotage, Financial crime, Pranks, Crisis / War, Political protests) placed between "Society in general" and "National security" on one axis and between "Chaotic actors" and "Advanced Persistent Threats" on the other]
  5. Espionage trends
     • Modern espionage is most effectively conducted through network operations
     • Significant amounts of information stolen
     • Russia and China are the most active nation states behind network operations against Norway
     Source: https://forsvaret.no/ForsvaretDocuments/FOKUS2015-endelig.pdf
  6. How do they compromise our systems?
     • Spear phishing
       – Often contains predictable elements
       – Targeting information often available online
     • Watering hole / strategic web compromise
       – User profiling and whitelisting of targets
       – Harder to detect and more difficult to handle than spear phishing
     • Credential harvesting
       – Using compromised accounts for new spear phishing
       – Direct access to mail and systems without leaving traces
     • Known vulnerabilities
       – Zero-days may be used against high priority targets
     • Physical delivery rarely used
  7. How do they compromise our systems? [figure only]
  8. Case A: Industrial espionage
  9. Reference: FireEye, "China Chopper" report, https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf
  10. Case A: what happened
     • NorCERT was contacted by a company that discovered that it was compromised
     • Detected at the exfiltration stage
     • Data staged for exfiltration was filling up the disk on the Exchange server!
     • Large files that appeared to be image files (.jpg) were in fact password-protected RAR archives
     • The exfiltration was carried out via HTTP GET requests
     • NorCERT coordinated incident response with the victim and performed forensic analysis
     • The initial attack vector was found to be a vulnerability in ColdFusion which gave the attackers the ability to upload a "China Chopper" webshell
     • The password for the RAR files was eventually recovered, so the company could get a clear idea of how much intellectual property had been lost
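The disguised staging files in Case A (RAR archives named .jpg) are easy to find once you stop trusting the extension: the first bytes of a file say what it really is. The check below is an added example, not code from the talk or from NorCERT; it walks a directory tree, compares each image-named file's magic bytes against the archive signatures, and reports mismatches. The sample directory is constructed inline, and the signatures used are the public RAR 1.5/RAR5, ZIP, 7z, JPEG, PNG and GIF headers.

```python
"""Flag files whose extension claims an image but whose header says archive.

Added example for Case A: exfil data staged as large ".jpg" files that were
really password-protected RAR archives. The sample tree is constructed so
the script runs offline; point find_disguised_archives() at a real mailbox
store or web root in an investigation.
"""
import tempfile
from pathlib import Path

# Public magic numbers. RAR 1.5-4.x ends the signature with 0x00, RAR5 with 0x01 0x00.
MAGIC = {
    "rar": [b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"],
    "zip": [b"PK\x03\x04"],
    "7z": [b"7z\xbc\xaf\x27\x1c"],
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}
ARCHIVE_TYPES = {"rar", "zip", "7z"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def classify_header(data: bytes) -> str:
    """Return the type implied by the leading bytes, or 'unknown'."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return "unknown"


def find_disguised_archives(root: Path, min_size: int = 0) -> list[tuple[str, str]]:
    """Walk root and return (relative path, detected type) for every file that
    carries an image extension but starts with an archive signature.
    min_size lets you skip small files when hunting for large staged archives."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in IMAGE_EXTS:
            continue
        if path.stat().st_size < min_size:
            continue
        with path.open("rb") as fh:
            kind = classify_header(fh.read(16))  # 16 bytes cover every signature above
        if kind in ARCHIVE_TYPES:
            hits.append((path.relative_to(root).as_posix(), kind))
    return hits


def demo() -> list[tuple[str, str]]:
    """Constructed sample tree: one real JPEG, a RAR5 and a ZIP posing as .jpg,
    and an honestly named .rar that must not be flagged."""
    root = Path(tempfile.mkdtemp(prefix="exfil-demo-"))
    staging = root / "staging"
    staging.mkdir()
    (staging / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 60)
    (staging / "IMG_0001.jpg").write_bytes(b"Rar!\x1a\x07\x01\x00" + b"\x00" * 60)
    (staging / "IMG_0002.JPG").write_bytes(b"PK\x03\x04" + b"\x00" * 60)
    (root / "real.rar").write_bytes(b"Rar!\x1a\x07\x00" + b"\x00" * 60)
    return find_disguised_archives(root)


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{rel}: extension says image, header says {kind}")
```

Run it against the whole volume rather than a single folder; in Case A the tell was the Exchange server's disk filling up, so the size distribution of the hits (a handful of multi-hundred-megabyte ".jpg" files) is as telling as the header mismatch itself.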
  11. Case B: Spear phishing against the energy sector
  12. Reference: http://www.scmagazineuk.com/hundreds-of-norwegian-energy-companies-hit-by-cyber-attacks/article/368539/
  13. Case C: APT C&C proxy server in Norway
  14. Reference: Mandiant APT1 report, http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
  15. HTRAN report (Aug. 2011), http://www.secureworks.com/research/threats/htran
  16. [figure only]
  17. Incident handling of cyber espionage
     • Know your assets!
     • Common reaction to incidents:
       "We don't have anything of value"
       "We don't understand why this happened to us"
  18. The incident response lifecycle
     [Figure: the NIST SP 800-61 Revision 2 lifecycle: Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity]
  19. Preparation
     IT operations/maintenance:
       – Clear understanding of network and systems
       – Access control and segmentation
       – Quick updating and patching
       – What about cloud services? Are you in control?
     IT security:
       – Control and monitor network traffic
       – Detection team that looks for intruders and abnormalities
       – Threat intelligence
     Contingency planning:
       – Clear areas of responsibility
       – Escalation routines, contact information
       – Guidelines for incident handling
       – The contingency plan should be rehearsed!
  20. Detection and Analysis
     Your IDS needs to be constantly updated with the latest threat intel!
     Logging enables detection and scoping of an incident!
     • Traffic logs
       – Web traffic logs
       – Proxy logs w/ SSL inspection
       – Netflow
       – DNS logging / passive DNS
       – Web access logs on your own web servers
     • Authentication logs
     • Administration logs
     • Security logs
     • E-mail logs
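The "logging enables detection and scoping" point is concrete when you tie it back to Case A: data that leaves over HTTP GET travels in the URL, so a proxy log that records full URLs (not just hostnames) lets you both spot the channel and estimate how much went out. The script below is an added example, not from the talk; it parses a simplified, constructed proxy log layout (timestamp, client, method, URL, status; not any real product's format) and aggregates query-string bytes per client and destination host. The thresholds and the sample log lines are assumptions chosen for the demo.

```python
"""Detect and scope HTTP GET-based exfiltration from proxy logs.

Added example (not from the talk). Each GET that carries stolen data has a
long, high-entropy query string, and one client talks to one host far more
than its browsing would explain. Aggregating query bytes per (client, host)
gives the detection and a lower bound on what left the network.
"""
import math
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed, simplified log layout for this example: "ts client method url status".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample: normal browsing from two clients plus four GETs from 10.0.5.23
# that each carry a 64-character blob in the "d" parameter.
SAMPLE_LOG = """\
2015-05-18T09:01:02Z 10.0.5.23 GET http://www.example.com/news/index.html 200
2015-05-18T09:01:05Z 10.0.5.23 GET http://www.example.com/images/logo.png 200
2015-05-18T09:02:11Z 10.0.5.42 GET http://cdn.example-static.net/photo.jpg?id=1 200
2015-05-18T09:03:00Z 10.0.5.23 GET http://upd.example-cdn.net/img.php?d=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVmZ2hpamts 200
2015-05-18T09:03:01Z 10.0.5.23 GET http://upd.example-cdn.net/img.php?d=bW5vcHFyc3R1dnd4eXpBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWjAxMjM0NTY3 200
2015-05-18T09:03:02Z 10.0.5.23 GET http://upd.example-cdn.net/img.php?d=MDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6QUJDREVGR0hJSktM 200
2015-05-18T09:03:03Z 10.0.5.23 GET http://upd.example-cdn.net/img.php?d=9f8e7d6c5b4a39281706f5e4d3c2b1a00a1b2c3d4e5f60718293a4b5c6d7e8f9 200
2015-05-18T09:04:00Z 10.0.5.42 GET http://www.example.com/about.html 200
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; base64/hex blobs score far above normal query strings."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def parse_proxy_log(text: str) -> list[dict]:
    """Parse matching lines into dicts; silently skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def scope_get_exfil(records: list[dict], min_query_bytes: int = 128, min_requests: int = 3) -> list[dict]:
    """Aggregate GET query-string bytes per (client, destination host) and flag
    pairs above the thresholds. Returns one finding per pair with the time
    window and the entropy of the concatenated query strings."""
    agg = defaultdict(lambda: {"requests": 0, "query_bytes": 0, "first": None, "last": None, "q": []})
    for r in sorted(records, key=lambda r: r["ts"]):  # ISO-8601 sorts lexicographically
        if r["method"] != "GET":
            continue
        parts = urlsplit(r["url"])
        a = agg[(r["client"], parts.hostname or "")]
        a["requests"] += 1
        a["query_bytes"] += len(parts.query)
        a["first"] = a["first"] or r["ts"]
        a["last"] = r["ts"]
        a["q"].append(parts.query)
    findings = []
    for (client, host), a in sorted(agg.items()):
        if a["requests"] >= min_requests and a["query_bytes"] >= min_query_bytes:
            findings.append({
                "client": client, "host": host, "requests": a["requests"],
                "query_bytes": a["query_bytes"], "first_seen": a["first"],
                "last_seen": a["last"], "entropy": round(shannon_entropy("".join(a["q"])), 2),
            })
    return findings


if __name__ == "__main__":
    for f in scope_get_exfil(parse_proxy_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['host']}: {f['requests']} GETs, "
              f"{f['query_bytes']} query bytes, entropy {f['entropy']}, "
              f"{f['first_seen']} .. {f['last_seen']}")
```

The query-byte total is a floor, not the full loss: the attacker may have encoded or compressed the archives, and anything sent before log retention started is invisible. That is why the slide pairs logging with SSL inspection on the proxy; without it the URL path and query of an HTTPS request are not in the log at all.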
  21. Containment, Eradication and Recovery
     You detected, or were informed, that you have been a victim of cyber espionage... What to do now?
     Selection of strategy:
     • Protect and forget
     • Watchful waiting, possibly a honeypot operation?
  22. Clean up after compromise
     • Plan and execute clean-ups in a controlled fashion!
       – Hire an MSSP if you lack the necessary know-how
     • Establish the necessary logging and monitoring/IDS
     • Isolate compromised systems from the network
     • Secure a memory dump and disk image of compromised systems
     • Reinstall from clean backups
     • Change all passwords!
     • Evaluation of the incident handling
       – Identification of lessons learned
       – Update contingency plans
       – Case studies are very useful for training
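The "secure a memory dump and disk image" step is only worth doing if you can later show the copy is faithful. In practice the copy itself is made with a dedicated tool (dc3dd, ewfacquire, or a memory acquisition tool for the RAM dump); what the example below adds, as illustration rather than code from the talk, is the hash-while-copying and manifest pattern that makes the evidence defensible: hash the stream as it is read, re-hash the written image independently, record both with case metadata, and make the image read-only. The source device path is a placeholder; the demo uses a constructed file in place of a block device, and the case identifier and examiner name are made up.

```python
"""Acquire a disk (or memory dump) image with an integrity manifest.

Added example (not from the talk). acquire_image() copies a source in 1 MiB
chunks, hashing the stream as it goes, then re-reads the written image and
records both digests in a JSON manifest next to it. verify_image() is the
later re-check. The demo uses a constructed file instead of e.g. /dev/sdb.
"""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat for multi-GB sources


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def manifest_path_for(image: Path) -> Path:
    return image.parent / (image.name + ".manifest.json")


def acquire_image(source: Path, image: Path, case_id: str, examiner: str) -> dict:
    """Copy source -> image, hash on the fly, verify by re-reading, write manifest."""
    h = hashlib.sha256()
    size = 0
    with source.open("rb") as src, image.open("wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the evidence disk
    stream_hash = h.hexdigest()
    image_hash = sha256_file(image)  # independent re-read of what was written
    manifest = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source": str(source),
        "image": str(image),
        "bytes": size,
        "sha256_stream": stream_hash,
        "sha256_image": image_hash,
        "verified": stream_hash == image_hash,
    }
    manifest_path_for(image).write_text(json.dumps(manifest, indent=2))
    os.chmod(image, 0o440)  # evidence is read-only; analysis works on copies
    os.chmod(manifest_path_for(image), 0o440)
    return manifest


def verify_image(image: Path) -> bool:
    """Does the image still match the size and digest recorded at acquisition?"""
    manifest = json.loads(manifest_path_for(image).read_text())
    return image.stat().st_size == manifest["bytes"] and sha256_file(image) == manifest["sha256_image"]


def demo() -> tuple[dict, bool, bool]:
    """Constructed 3 MiB + 17 byte 'device'; returns the manifest plus the verify
    result before and after a one-byte alteration of the image."""
    work = Path(tempfile.mkdtemp(prefix="acq-demo-"))
    fake_device = work / "sdb.raw"
    fake_device.write_bytes(os.urandom(CHUNK * 3 + 17))
    image = work / "CASE-0001-sdb.dd"
    manifest = acquire_image(fake_device, image, case_id="CASE-0001", examiner="on-call IR")
    ok_before = verify_image(image)
    os.chmod(image, 0o640)
    with image.open("r+b") as fh:  # simulate later tampering: flip one byte
        fh.seek(100)
        original = fh.read(1)
        fh.seek(100)
        fh.write(bytes([original[0] ^ 0xFF]))
    ok_after = verify_image(image)
    return manifest, ok_before, ok_after


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2), "\nverify before:", before, "verify after tamper:", after)
```

Order matters: memory is gone the moment the machine is powered off, so the RAM capture has to happen before isolation by shutdown or before the reinstall, and the disk image before any "clean-up" touches the file system. Keep the manifest with the image and hand both over when you involve NorCERT or an MSSP.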
  23. The "Cyber Kill Chain"
     • Lockheed Martin: 7 stages/states of an "APT-style" incident: Recon, Weaponize, Deliver, Exploit, Install, C2, Action
     • If the attacker fails in one of the stages the compromise will not succeed!
     • Detection and response should be implemented for each stage
       – What can the organization handle themselves?
       – Where is collaboration or outsourcing required?
       – Risks and costs increase for each stage
       – Timeline: hours or days from successful exploitation
     http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
  24. Guidelines for incident handling
     • NSM has published a guide for incident handling of cyber espionage
       – Can be downloaded at https://www.nsm.stat.no/globalassets/dokumenter/temahefter/apt_2014.pdf (only in Norwegian)
     • Overview of logging that should be in place
     • What information to submit to NorCERT if you want their assistance
  25. Thank you!
     marie.moe@sintef.no
     @MarieGMoe
     @SINTEF_Infosec
