This is my presentation from the Cyber Security Summit held in Prague in 2015 at the Boscolo Prague Spa Hotel. For the missing slides and further information, contact me directly.
APT or not - does it make a difference if you are compromised?
1. APT or not
Does it make a difference if you are compromised?
Thomas Malmberg
2. Who I am - and why you are listening to me
• I work with IT-risk management and IT-security
• I develop security principles, processes and architectures for both the core banking as well as the netbanking platform
• I develop and maintain auditing principles and methodologies
• I perform and manage internal IT-audits in the bank
• I like processes, log management, web-application firewalls and IAM
- Finland is the most sparsely populated country in the European Union, with only 16 inhabitants per km².
- There are exactly 187,888 lakes (larger than 500 m²) and 179,584 islands within the territory of Finland.
- Both are world records.
Source: Google
3. What you need to know about Aktia
• Aktia provides individual solutions in banking, asset management, insurance and real estate services
• Aktia operates in the Helsinki region, in the coastal area and in growth centres of Finland
• Operating profit was EUR 68.3 million and the profit for the year was EUR 55.0 million
• Aktia is renewing its core banking system and the launch of the new system is planned for the end of 2015 - the investment cost is estimated at approx. EUR 40 million
4. Today's topics
1. If phishing works, why bother with APT?
– Finnish stats and stories
2. Easy targets are always targeted first
– APT economics
– Tone at the top
3. Whether it's an attack or a disguise - logs are your best friends
– Situational (un)awareness
4. How to manage the risks - continuous “auditing”
– How you hook up audits & scans, projects, backlogs, source code, people and risk-management together
Source: Unknown
6. Situation in Finland 2011-2014
• Financial institutions and companies are mostly targeted by
– Phishing
– Banking malware & trojans
– Denial of Service
• Criminals have successfully monetized phishing and malware
• “Ransom demands” have been seen in social media like Facebook & Twitter during DoS-attacks
– Demands between 10-100 BTC
– Monetization success rate probably zero (but not known)
Source: EUROPOL, Exploring tomorrow’s organised crime 2015
7. How phishing worked best in 2014
• Background
– TUPAS is a two-factor (2F) authentication method created by the Federation of Finnish Financial Services over 10 years ago
– TUPAS is based on ebanking authentication – PIN & TAN
– TUPAS is used for almost everything that requires real and reliable authentication in Finland – including governmental services
• The modus operandi in 2013 and 2014
– Create a fake service that requires TUPAS to log into
– Acquire PIN & 1 TAN
– Use credentials to get a “payday loan”
• NOTE: Targeted mainly payday loan companies, NOT banks!
8. About TUPAS-authentication
• Safety
– There are known issues, but it is not inherently unsafe
• Market
– It is the de facto standard
– No alternatives
• Sponsorship
– Standard defined by banks
– Implementations owned by banks
Source: Federation of Finnish Financial Services / FK
9. Details about the simplicity of the campaign
• 1 Estonian person behind the phishing campaign
• The Estonian language is close to Finnish, making it easy to create realistic phishing emails and SMS messages
• The campaign used more than 40 mules and “associates” and netted between 700k€-800k€
• KISS was a successful paradigm
– Create a rock solid plan to monetize the data you gather
– Use correct and proper language for your communication
– Use psychology – “if you do not immediately … you will face liability”
– Make it easy for the targets to lose their credentials
[Image: <100 km. Source: Google]
11. How this phishing case evolved
Source: Helsingin Sanomat
– Maximum sentence – 7 years
– 11 grand frauds in 2014
– 0,5M€ - 100’s of people
12. Trends for nasty activities (financial sector)
[Graph: trend lines 2010-2014 for APT, Malware & Trojans, Phishing and DoS, on a vertical scale from ”NOT SO MUCH” to ”MUCH”]
This graph shows trends and relations in an ”apples vs. oranges” way. It does not show any actual amounts. It is based on official reports and other public information.
19. Can we agree on what an APT is NOT!
• It is not an APT
– If you leave the front door open, someone walks in and steals all your data – and repeats this every workday for a month
– If your customers are targeted using phishing emails for several weeks
– If your network - which is lacking firewalls, antivirus solutions and content proxies – is infiltrated with malware - for months
– If your customers are infested by banking trojans (Zeus etc.)
• A single piece of malware, a single exploit or vulnerability is NOT an APT.
Source: Graphics by ISACA
20. What they need to do and what you can lose
[Figure (ISACA Survey in the US in 2013): What they need to do / What you are scared to lose. Source: Graphics by ISACA]
21. Analyze your ”adversary landscape”
[Figure: ISACA ”Threat Agent” table. Source: Graphics by ISACA]
Annotations on the figure:
– The only relevant threat in the table seems to be criminal groups. What are their actual capabilities? What are their motives?
– The Snowden-Greenwald revelations have taught us that the best APT capabilities are held here.
– We aim to avoid PR disasters that could trigger such a level of badwill that someone in these categories might want to target me. We adhere to money laundering rules and maintain a high ethical level.
22. The financial anatomy of an APT
• The criminal
– The criminal does not know the financial outcome or gain beforehand
– The research phase will require a significant amount of investment in time
– The penetration requires costly tools
  • 0-days or “near-zero” can cost between 5k-100k
  • You probably need other tools or social engineering & bribes
– The (financial) outcome has to outweigh the investment
• You
– Protection (licenses + appliances) can cost many 100k€
– A forensics project costs around 100k€-150k€
[Figure: Input: 100k€ / Output: ?€ and Input: 3k€ / Output: 50k€]
24. Don’t be an easy target
• Every risk can be quantified as a business risk
• Don’t let salespersons fool you into false security with silver bullets – not on any level
• IT-security (security appliances and software) is only one component in the IT-risk landscape
• Also – “cyber security” is hidden somewhere in those boxes…
• Use your money wisely
[Diagram: boxes labelled Business risk, IT risk, IT security, IT]
26. Create a culture of security awareness
• Management has to be involved
• All incentive programs should have a security awareness and/or security incentive built in – including those at the C-level
• All of us – act accordingly
“Well, once again, we’ve saved civilization as we know it.” – Captain James T. Kirk
28. ”But we are so secure already”
Source: Microsoft Security Intelligence Report
29. A small bank's perspective
Source: ISACA
• I have a limited budget
• I want to spend my money against
– Things I understand and
– Things I can measure
• Because I cannot reasonably motivate spending if I am not able to
– Make my management understand
– Show my management figures
30. Who cares?
• “Industry analysts have inferred that shareholders are numb to news of data breaches”
• “Since consumers don’t have sufficient tools to measure the impact of breaches themselves, they are at the mercy of companies to disclose the impacts of their own corporate data breaches”
• “New, more stringent regulations on when to disclose data breaches and more sophisticated technologies […] may contribute to more shareholder reaction to these types of incidents down the road.”
32. All your logs are belong to us
• Nobody has ”all the logs”
• Case Gemalto
Source: Gemalto Press Release
33. Logs are just a bunch of huge files
• Gathering logs can be a tough job
• Who knows what the logs actually contain and which logs are important?
• You can easily kill your efforts by choosing too simple sources which
– are high volume
– add very little value on their own
– cost a lot to store
– create only a limited ”buzz” in your organization
34. Logs are DevOps!
• Leverage your devs!
– They know the application logs
– They SHOULD know the application logs
– They can enhance and add to the logs – given the motive
• Leverage your ops!
– They know the infrastructure logs
– They SHOULD know the infrastructure logs
– They can configure the logs – given the motive
• Leverage yourself!
– Add security as a viewpoint
35. Put a SOC in it
• You can outsource everything – and make your life easy – but...
– You can not outsource understanding
– You should not outsource understanding
– You can not outsource responsibility
• An outsourced SOC can
– do a lot of the hard work
– leverage special skills
• The information and data should be yours, not just a quarterly report and some (hopefully) occasional alerts
[Image caption: Delivered as ordered?]
36. Add external information and tools to the brew
• HAVARO
– An IDS/IPS-like tool developed by CERT-FI (NCSC-FI) and the National Emergency Supply Agency in 2011
– Targeted primarily at Finnish companies that have some kind of statutory duties in a national emergency situation
• Does NOT compete with commercial solutions – is not meant to be the only security solution
• Creates security awareness within Finland and within specific industries
• Governed by Finnish laws – safe for companies
37. Add people and communications to the brew
• In Finland, exchange of critical information is good
[Diagram: channels – Public mailing lists, Closed mailing lists, Personal contacts & first name basis, Interest groups, International cooperation. Parties – Federation of Finnish Financial Services / Security, National Emergency Supply Agency, National Bureau of Investigation, NCSC-FI, Europol, Banks]
38. Create Awareness
• Enable critical logs
• Gather and SECURE logs
• Understand log relevance
• Understand volume relevance
• Correlate
• Visualize
Show off!
40. How to manage the risks –
– continuous security auditing
– continuous monitoring
– continuous risk assessment
– continuous excellence
– continuous risk monitoring
41. Definition of continuous <activity>
• “Continuous auditing has been defined as a methodology or framework that enables auditors to provide written results on the subject matter using one or a series of reports issued simultaneously”
• “Continuous monitoring allows an organization to observe the performance of one or many processes, systems or types of data“
• “Continuous risk monitoring and assessment is used to dynamically measure risk and provide input for audit planning”
Source: ISACA & Wikipedia
42. Our implementation of continuous auditing
• The definitions are not really optimal
• We do a best of breed combining
– continuous (technical and process) auditing,
– continuous monitoring (of logs and events) and
– continuous (security) risk monitoring and assessment
• I call this continuous auditing to make it sound simple (enough)
– Hopefully it isn’t simplifying this matter too much
“While you plan for next year's audit, I hack away.”
Source: Juha Strandman
43. How we link things together
•Processes
– Regular pentests (3rd party, external & internal)
– Weekly security scans
– Systems security audits and process analysis
– Log analysis and monitoring
– Most important critical business processes
•Dogmas and paradigms
– Ticket everything
– Track everything
– Analyze everything
44. What hinders progress
• Management commitment and ”tone”
– ”We want more powerpoints”
– ”We want more email attachments”
• Separate tools with nonexistent integration
– A bad stack doesn’t make it easy enough to integrate the security efforts into the process
• Resistance
– ”A valid pentest report is only valid if it looks exactly like this.”
• No DevOps
– Devs love agile, Ops hate it
45. What enables progress
• Link to the real activities, goals and people
– Our security organization is small
– Written reports and formal bureaucracy would cripple us
• Projects use agile methodologies
– Teams are used to managing tickets
– Projects are agile-board-driven
• Tools that work together
– Link tickets, reports, source code, releases, deliverables, configurations, backlogs, sprints and documentation
47. Credits & thanks
• Images and pictures are
– created by the author
– sourced as noted in the presentation
– from freeimages.com
• Thanks to everyone who gave insight and comments during the creation of this presentation
• Thanks for the pig!
Wrap-up
• Do your homework and spend your money wisely
• Share information - internally and externally
• The ”tone at the top” is a decisive factor
• Keep focus on the real threats
• Good is not good enough (only good enough is!)
linkedin.com/in/thomasmalmberg
@tsmalmbe
malmberg@iki.fi