
David Klein - Defending Against Nation State Attackers & Ransomware

Published at Chicago CSNP, March 2020

  1. Defending Against Nation State Attackers & Ransomware
     Dave Klein, Senior Director of Engineering & Architecture, Guardicore, @cybercaffeinate
     // Guardicore – Chicago Cybersecurity Not For Profit
  2. Introductions
  3. About me… Dave Klein, Senior Director of Engineering & Architecture, Guardicore
     ▪ 21-plus-year veteran in cybersecurity
     ▪ 4 years NYC post-9/11
     ▪ 10 years US Federal
     ▪ Plenty of incident response work
     ▪ Twitter @cybercaffeinate
  4. About Guardicore… Guardicore Centra
     Visibility & Software-Defined Segmentation across all platforms, seamlessly
     • Reduces risk
     • Ensures compliance
     • Reduces costs
     Breach Detection & Incident Response
     • Reputation
     • Dynamic deception
     • Etc.
  5. About Guardicore Labs… Critical Guardicore researchers
     • https://www.guardicore.com/labs/
  6. About Guardicore Labs… Guardicore Infection Monkey
     • Free, easy, open source
     • Automatic attack simulation
     • Continuous & safe assessments
     • Available for: vSphere, AWS, Azure, GCP; Windows, Linux, OpenStack; K8s/OpenShift
     • Actionable, prescriptive recommendations
     • https://www.guardicore.com/infectionmonkey/
  7. What this Talk is About
  8. Goals of Today’s Talk – Arming You With What You Need
     ▪ Despite the fear of nation state actors & ransomware,
     ▪ we have the capabilities at our disposal to defend ourselves, minimize the damage and recover
  9. Goals of Today – Arming You With What You Need
     ▪ Highlight a specific success story
     ▪ Discuss my research and findings
     ▪ A prescriptive list of things that will make you successful
  10. Olympic Games PyeongChang
  11. Olympic Games PyeongChang 2016
     Olympic public website; official Olympic app with schedules, reservation, mapping, help & ticketing system; 347 large screen displays; thousands of RFID security gates; 7,400 display screens; 16,000+ video cameras; 85 robots; multiple press centers; 10,000 PCs; 20,000 mobile devices; 6,300 Wi-Fi routers; 2 data centers; 1 co-located data center; 300+ servers; 100+ servers (co-located)
  12. Olympic Games PyeongChang – 20:00, February 9, 2016
  13. Olympic Games PyeongChang 2016 (same inventory as slide 11) – 20:10, February 9, 2016
  14. Olympic Games PyeongChang 2016 (same inventory as slide 11) – WIPED OUT!
  15. Olympic Games PyeongChang 2016 – 21:00–23:00: Every time the Olympic IT staff try to restore servers, they are wiped clean by a yet unknown attacker
  16. Olympic Games PyeongChang 2016
  17. Research
  18. January 2020 – Assignment:
     ▪ Research the most devastating breaches of the last 5 years and write a series of articles about them
     ▪ Began researching; over 10+ major cases
  19. January 2020 – Found Serious Commonalities
     1. The attackers generally went after the same “low hanging fruit” to attack and spread
     2. Things that could be addressed relatively easily
     3. The victims suffered from the same set of issues: a lack of a strategy/game plan
  20. January 2020 – Found Serious Commonalities: led to a series of articles, blog posts and interviews
  21. Concerns – Concern over “Reverse Survivor Bias”
  22. What is Survivor Bias? Abraham Wald, Operational Research, Statistical Research Group (SRG) at Columbia University, WWII
  23. To Ensure No “Reverse Survivor Bias” – What About Those Who Succeeded?
  24. What About Those Who Succeeded? Data was more difficult to accrue: a combination of research into the success stories I found
     ▪ Interviewing CISOs
     ▪ Customers and other industry professionals
     ▪ Some documented success stories
  25. Full Data Set Achieved – Winners and Losers: What Did We Find?
  26. Findings Same for Winners & Losers
     ▪ Attack targets the same:
       ▪ Known vulnerabilities
       ▪ Weak passwords, no dual factor authentication
       ▪ Machines running with unnecessary elevated privileges
       ▪ Systems with poor account control/expiration procedures
       ▪ Certificate monitoring errors
       ▪ Poor security of DNS, remote access and other critical services
       ▪ Poor segmentation practices
  27. Findings Different for Winners & Losers – #1 Indicator of Success or Failure
     ▪ Winners – Incident Response Plan
       ▪ Sets expectations that you will be breached
       ▪ Well thought out
       ▪ Includes non-technical staff – legal, business owners and even board members
       ▪ Well practiced
  28. Findings Different for Winners & Losers – #2 Indicator of Success or Failure
     ▪ Winners have begun to address the list of attack targets
       ▪ Not complete by any means
       ▪ At worst becomes an early warning alert that prevents long dwell time
  29. Findings Different for Winners & Losers – #2 Indicator of Success or Failure
     ▪ Progress made…
       ▪ Vulnerability scanning and patching
       ▪ Strong password enforcement combined with dual factor authentication
       ▪ Run without elevated privileges
       ▪ Account control/expiration procedures
       ▪ Certificate management practices
       ▪ Control of enterprise services like DNS, remote access (SSH/RDP), AD and other critical services
       ▪ Segmentation (most often software-defined segmentation)
  30. Findings Different for Winners & Losers – #3 Indicator of Success or Failure
     ▪ Acknowledgement that DevOps had accelerated provisioning and management
     ▪ This could be an accelerant for either success or failure
     ▪ Incorporation of DevOps playbook methods to accelerate, automate and simplify security
  31. Findings – DevOps Role in the Modern Enterprise: Speed, Innovation
     Business demands:
     ✓ Accelerated delivery
     ✓ Essential competitive differentiation
     ✓ Efficiencies & savings
     ✓ Integrations & access
     IT delivers through the DevOps/cloud model:
     ✓ Simplification via solutions that are platform & OS agnostic
     ✓ Playbooks/scripting
     ✓ Provisioning
     ✓ Automation/autoscaling
     ✓ Cloud models* (* even companies only on-premises)
  32. Findings – DevOps Role in the Modern Enterprise: Speed, Innovation… What about security?
  33. Findings – Strategy: Security at the Speed of DevOps
     Speed, Innovation, Security – the Penrose Triangle, or “Impossible Triangle” (Tricia Howard)
     Security solutions:
     ✓ Simplification via solutions that are platform & OS agnostic
     ✓ Speed
     ✓ DevOps friendly – playbook/scriptable
     ✓ Automatable
     ✓ Visibility & granular enforcement
     ✓ Done once – done right
  34. Findings – DevOps Example – Playbooks: Chef, Puppet, Ansible, etc.
     ▪ Automate updates, checks and remediation
     ▪ Provides protection while you go after these in a sane, easy manner:
       ▪ Vulnerability scanning and patching
       ▪ Strong password enforcement combined with dual factor authentication
       ▪ Run without elevated privileges
       ▪ Account control/expiration procedures
       ▪ Certificate management practices
       ▪ Control of enterprise services like DNS, remote access (SSH/RDP), AD and other critical services
  35. Findings – DevOps Modeled – Software-Defined Segmentation Example
     ▪ Software-Defined Segmentation
       ▪ Provides visibility
       ▪ Decoupled from the underlying platforms and OS
       ▪ DevOps: playbook friendly
       ▪ Granular – user, process and FQDN
       ▪ Can be deployed in minutes versus months
     ▪ Provides protection while you go after these in a sane, easy manner:
       ▪ Vulnerability scanning and patching
       ▪ Strong password enforcement combined with dual factor authentication
       ▪ Run without elevated privileges
       ▪ Account control/expiration procedures
       ▪ Certificate management practices
       ▪ Control of enterprise services like DNS, remote access (SSH/RDP), AD and other critical services
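The playbook idea from slide 34, as an added Ansible example written for this page (it is not code from the talk or from Guardicore): one play that automates patching, a password-length floor, account expiry, SSH hardening and a certificate-expiry check. The inventory group `linux_servers`, the `contractor` account, the certificate path and the thresholds are assumptions.

```yaml
# Added example (not from the talk): automate checks and remediation for
# several of the slide's common attack targets. Inventory group, account
# name, certificate path and thresholds are assumptions.
- name: Baseline hygiene for the common attack targets
  hosts: linux_servers                    # assumed inventory group
  become: true
  vars:
    cert_path: /etc/ssl/certs/app.pem     # assumed path of a served certificate
    cert_warn_seconds: 2592000            # alert when expiry is within 30 days
  tasks:
    # Vulnerability scanning and patching: apply all pending updates.
    - name: Apply pending package updates (Debian family)
      ansible.builtin.apt:
        update_cache: true
        upgrade: dist
      when: ansible_facts['os_family'] == 'Debian'
    - name: Apply pending package updates (RHEL family)
      ansible.builtin.dnf:
        name: "*"
        state: latest
      when: ansible_facts['os_family'] == 'RedHat'
    # Strong password enforcement (pair with MFA, which lives outside this play).
    - name: Require at least 14-character passwords
      ansible.builtin.lineinfile:
        path: /etc/security/pwquality.conf
        regexp: '^#?\s*minlen\s*='
        line: 'minlen = 14'
    # Account control/expiration: temporary accounts carry a hard expiry date.
    - name: Expire the contractor account at a fixed date
      ansible.builtin.user:
        name: contractor                  # assumed temporary account
        expires: 1593561600               # 2020-07-01 00:00 UTC, epoch seconds
    # Control of remote access (SSH): no root logins, no password logins.
    - name: Harden sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*{{ item.key }}\s'
        line: '{{ item.key }} {{ item.value }}'
        validate: /usr/sbin/sshd -t -f %s
      loop:
        - { key: PermitRootLogin, value: 'no' }
        - { key: PasswordAuthentication, value: 'no' }
      notify: Restart sshd
    # Certificate management: openssl -checkend exits non-zero when the cert
    # expires within the window, so the run fails loudly instead of the site.
    - name: Check certificate expiry
      ansible.builtin.command: >
        openssl x509 -noout -checkend {{ cert_warn_seconds }} -in {{ cert_path }}
      register: cert_check
      changed_when: false
  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
```

Run it on a schedule (for example from CI or AWX) so that drift on any of these items surfaces as a failed run rather than as a finding during an incident.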
  36. Olympic Games PyeongChang
  37. Olympic Games PyeongChang 2016 (same inventory as slide 11) – WIPED OUT!
  38. Olympic Games PyeongChang 2016 – Olympic Staff
     • Had very well-developed incident response plans that included everyone, including industry partners and government entities (domestic and foreign)
     • These were well practiced, repeatedly
     VITAL! Well developed and rehearsed incident response plans!
  39. Olympic Games PyeongChang 2016 – 20:10: From the start everyone knew exactly what to do
     • Ticket takers moved to printed books to validate tickets
     • LTE hotspots were distributed throughout the Olympic facilities to temporarily restore some capabilities and for the press
     • AhnLab and others, already on standby, were notified
  40. Olympic Games PyeongChang 2016 – 23:30: Critical decision to take the entire Olympic network off the Internet.
  41. Olympic Games PyeongChang 2016 – 05:00: AhnLab provides a patch for winlogin.exe
  42. Olympic Games PyeongChang 2016 – 06:30: Reset laptops, Active Directory services
  43. Olympic Games PyeongChang 2016 – 07:55: Reimage every server from backup, restart all services, accelerated by automated scripting
  44. Olympic Games PyeongChang 2016 – 09:00: The first event starts…
  45. Olympic Games PyeongChang 2016 – 09:00: The first event starts… SUCCESS!!
  46. Investigation
  47. Investigation Ensues – Two Years Prior
     • Spear phishing
     • Word doc – list of VIP guests
     • Opens looking like it had been corrupted: “Click here to fix”
     • Launches a Word macro that uses the user’s rights to elevate privileges via PowerShell and load malware
  48. Investigation Ensues – Spreads Throughout the Olympic Network
     • Active Directory poisoning
     • Wiper program hidden on each machine
  49. Investigation Ensues – Who was it?
  50. The North Koreans
     Main Motivation: “Foreign money generation”
     Secondary Motivation: “Attacking political opponents”
     Maximum production $100 Million a year?
  51. The North Koreans – Reconnaissance General Bureau (RGB)
     • Establishes electronic espionage program
     • Lab 110 in North Korean Army
  52. The North Koreans
     Lazarus Group APT38
     • Main group.
     • Very effective.
     • Primary goal: foreign money generation
     • Secondary goal: political defacement attacks
     Ricochet Chollima Group APT37
     • What is a Chollima??? A mythical flying horse that travels 1000 miles in a day; also the name of a “fast forward” economic plan in North Korea after the Korean War
     • Toolkits that enable microphones, trackers; very effective
     • Good deal of coordination with other APTs
  53. The North Koreans – Lazarus Group APT38 / Ricochet Chollima APT37
     • 2008–2013: DDoS to “Dark Seoul Wiper”; victim: South Korean government sites
     • 2014: Sony (Seth Rogen movie) breach – file wipers, embarrassing releases; movie Fury released
     • 2015 – current:
       • Bank heists = 1 Billion Dollars (Mexico, Vietnam, Ecuador, Philippines, Poland etc.)
       • Cryptocurrency exchange heists = 1 Billion Dollars
       • Attempts on Lockheed Martin, DoD contractor
       • WannaCry ransomware
         • Used EternalBlue
         • 2018 4-day rampage
         • Generated +/- 1 Billion Dollars
  54. The North Koreans – Lazarus Group APT38 / Ricochet Chollima APT37
     • Chosun Expo Joint Venture
     • FBI Wanted List as of 2018: Park Jin Hyok
  55. The Chinese – “The most pervasive with the broadest coverage”
     Main Motivation: “Economic domination through espionage”
     Secondary Motivation: “Military technology theft to accelerate PRC ability to deter attack on China. Emphasis on US and allies”
     Secondary Motivation: “Control over political dissidents and those who oppose China”
     Secondary Motivation: “Revenue generation for the world’s largest, most corrupt envelope economy”
  56. The Chinese – “The most pervasive with the broadest coverage”
     PLA Unit 61398 (also known as APT1)
     PLA Unit 61486 (also known as APT2)
     Buckeye (also known as APT3)
     Red Apollo (also known as APT10)
     Codoso Team (also known as APT19)
     Wocao (also known as APT20)
     PLA Unit 78020 (also known as APT30)
     Periscope Group (also known as APT40)
     Double Dragon (also known as APT41)
  57. The Russians – “The most frightening capabilities”
     Main Motivation: “Destabilize democratic countries. Divert eyes. Socio-political.”
     Secondary Motivation: “Military technology theft”
  58. The Russians – “The most frightening capabilities”
     Fancy Bear (also known as APT28)
     Cozy Bear (also known as APT29)
     Voodoo Bear: government, aerospace, NGO, defense, cryptology and education sectors
     Venomous Bear: Ukrainian targets
  59. Investigation Ensues – At first it seemed to be North Korea
     • Header info, language and techniques seemed to be like Lazarus Group APT38
  60. Investigation Ensues – But Part of the Preparation was a Great Deal of Diplomacy
     • North invited to the games
     • North and South would come out as a unified Korea at the opening of the games
     • The North & South women’s hockey team would play together
     • Kim Jong-un sends his sister to attend
  62. Investigation Ensues – Then a major discovery occurs:
     • The infected Word document technique was found to have been used before in multiple attacks on Ukraine
     • Programmer metadata names from both are identical
     • Techniques as well
     • We were experiencing an excellent false flag attack
  63. Investigation Concludes – It was Russia
  64. Summary
     ▪ Have an Incident Response Plan
       ▪ Sets expectations that you will be breached
       ▪ Well thought out
       ▪ Includes non-technical staff – legal, business owners and even board members
       ▪ Well practiced
  65. Summary
     ▪ Make Progress On The Common Targets:
       ▪ Vulnerability scanning and patching
       ▪ Strong password enforcement combined with dual factor authentication
       ▪ Run without elevated privileges
       ▪ Account control/expiration procedures
       ▪ Certificate management practices
       ▪ Control of enterprise services like DNS, remote access (SSH/RDP), AD and other critical services
       ▪ Segmentation (most often software-defined segmentation)
  67. Summary
     ▪ Incorporate DevOps
       ▪ Automate updates, checks and remediation
     ▪ In selecting new cybersecurity solutions, use software-defined segmentation
  68. Thank You
