Resiliency: Defense Lessons learned from WannaCry, Petya, Equifax, etc. Delivered at the Vancouver Security Special Interest Group.

1. IOActive, Inc. Copyright ©2017. All Rights Reserved.
Resiliency: Defense Lessons learned
from WannaCry, Petya, Equifax, etc.
Kevin J. Murphy, CISSP, CISM, CGEIT
Vice President Operations
Kevin.murphy@ioactive.com
November 10, 2017

2. IOActive, Inc. Copyright ©2017. All Rights Reserved.
Agenda
A very interactive discussion – We learn
from each other!
• Who is in the room?
• What are the attackers after?
• What is Ransomware
• Cybersecurity Inflection Points
• How to protect your enterprise

3. IOActive, Inc. Copyright ©2017. All Rights Reserved.
Who is in the room?
• Healthcare
• Energy
• Telecom
• Financial
• Manufacturing
• Government / Utilities
• Retail
• Technology
• Transportation
• Services
• Law Enforcement

4. IOActive, Inc. Copyright ©2017. All Rights Reserved.
I am an attacker!
• I attack companies worldwide
– And they pay me to do it
• Why do companies around the world hire me?
– I will find vulnerabilities that your internal teams will miss, why?
– I am not constrained by your system context or organizational
responsibility boundaries
– I provide cross-industry cyber expertise
– Sometimes other industries get hit before yours

5. IOActive, Inc. Copyright ©2017. All Rights Reserved.
Why would I attack your industry?
• What am I after?
– Your IP (Intellectual Property)
– Client PII (Personally identifiable information)
– “Your Employee” PII
– I can sell this info for credit fraud
– To extort money from you (Ransomware)
– To punish your government in a geopolitical
disagreement
– Cyberwar – Economic Disruption

6. IOActive, Inc. Copyright ©2017. All Rights Reserved.
Ransomware?
• Ransomware - Ransomware is a type of malicious
software that threatens to publish the victim's data
or perpetually block access to it unless a ransom is
paid.
• Recovering the files without the decryption key is
an intractable problem
• Digital currencies such as Bitcoin are used for the
ransoms, making tracing and prosecuting difficult.

7. IOActive, Inc. Copyright ©2017. All Rights Reserved.
Ransomware?
• Ransomware attacks are typically a Trojan that is
disguised as a legitimate file to download or
arrives as an email attachment.
• WannaCry worm traveled between unpatched
computers without user interaction.
• March 14, 2017 - Microsoft issued critical security
bulletin MS17-010
• May 12, 2017 - WannaCry launched
“The answer is to patch your systems earlier!”

8. IOActive, Inc. Copyright ©2017. All Rights Reserved.

9. IOActive, Inc. Copyright ©2017. All Rights Reserved.
The real threat from Ransomware
• The bad guys are on your network!
• Your IP or data is at risk of compromise,
publication or deletion
• They can make your network unusable
which puts your business viability at risk
Anything new here?

10. IOActive, Inc. Copyright ©2017. All Rights Reserved.
Who is attacking?
On October 24th, Bad Rabbit targets
Windows machines, impersonating as an
Adobe Flash update. The cyber attack has
seen computers go down in Russia, Ukraine,
Germany and Turkey.

11. IOActive, Inc. Copyright ©2017. All Rights Reserved.
Game Changing Attack Inflection Points
• APT – Nation State espionage
• Stuxnet – Embedded and SCADA systems
attack
• Heartbleed – 3rd party software and network
appliances
• Target – HVAC vendor account compromise
• Ransomware – WannaCry, Petya, notPetya,
BadRabit, .etc.
“What will the next one be?”

12. IOActive, Inc. Copyright ©2017. All Rights Reserved.
Cyber breach at Equifax could affect
143M U.S. consumers
• Occurred from mid-May through July 2017 and
primarily: names, social security numbers, birth dates,
addresses and some driver's license numbers
• Credit card numbers for roughly 209,000 consumers
• Equifax Canada said 100,000 Canadians affected.
– Names, addresses, social insurance numbers (SIN) and,
in limited cases, credit card numbers.
– Equifax Canada has been unable to provide clarity on
who was impacted

13. IOActive, Inc. Copyright ©2017. All Rights Reserved.
Comcast internet outage – Nov 6, 2017

14. IOActive, Inc. Copyright ©2017. All Rights Reserved.
Where are your single points of failure?

15. IOActive, Inc. Copyright ©2017. All Rights Reserved.
End-to-End Attack Vectors
Don’t store your system documentation in clear view
of your attacker. That will be their attack road map!

16. IOActive, Inc. Copyright ©2015. All Rights Reserved.
Lets talk mobile
endpoints:
Chip to User
Biometrics
App
Store
Cloud
ArchitectureSystem
on chipOS
Device
Network

17. IOActive, Inc. Copyright ©2017. All Rights Reserved.
2017 Reality - A cyber-breach is inevitable
• Preparing for your breach
• Plan for it - What you can do now to
recover quickly?

18. IOActive, Inc. Copyright ©2017. All Rights Reserved.

19. Cyber Security Framework Scorecard KPIs
Top 5 Risks

20. IOActive, Inc. Copyright ©2017. All Rights Reserved.
How to Protect your Enterprise
• Identify your Critical Business Information: IP,
Strategic Plans, Financial Data, Customer Data,
Employee Data, etc. Protect it with a defense in
depth strategy
• IT Inventory Mgmt: Know your IT inventory better
than your attacker. They will find the one server or
appliance you didn’t patch.

21. IOActive, Inc. Copyright ©2017. All Rights Reserved.
How to Protect your Enterprise
• Threat Models: View your complete attack
surface in your threat models - Silicon to
applications and supply chain.
– Update Threat Models and your KPIs after a
major attack.
• Supply Chain: Require your supply chain
vendors to disclose what security testing they
have conducted and the results

22. IOActive, Inc. Copyright ©2017. All Rights Reserved.
How to Protect your Enterprise
• Segment your network with firewalls and
enclaves
• Monitor your network and your hosts with
real-time alerting. Monitor your outbound
traffic. Block RAR files .
• Vulnerability mgmt. Scan all your system
components. Keep your security patching up-
to-date. Apply Criticals ASAP.

23. IOActive, Inc. Copyright ©2017. All Rights Reserved.
How to Protect your Enterprise
• Business Continunity Mgmt (BCM): Have a
breach scenario that includes Ransomware.
– Nightly backups
– Have a system recovery plan
• Incident Response Plan: Test it. Run drills.
• Red Team /Pen Test. Use combo of internal
and external skills. Don’t always use the
same people

24. IOActive, Inc. Copyright ©2017. All Rights Reserved.
How to Protect your Enterprise
• End-user Vulnerability Mitigations:
– Institute Pass Phrases
– Multifactor Auth
– IdM attribution
– Training to not click on the link but to copy it in
a browser. (Plan text email verses HTML)

25. IOActive, Inc. Copyright ©2017. All Rights Reserved.
How to Protect your Enterprise
• Use the Cyber Security Framework:
– Use a scorecard to track your progress
• Evaluate your GRC program effectiveness
– Does it allow you to meet your regulatory
requirements?
– Does it truly measure your enterprise risk profile?
– Is it more than “checkbox” security?
– Is it agile and adaptable to new threats?

26. IOActive, Inc. Copyright ©2017. All Rights Reserved.
GDPR
(General Data Protection Regulation) EU
• The US and Canada will have something similar in the
future so plan for it now.
• Heads up: GDPR includes penalties
• https://en.wikipedia.org/wiki/General_Data_Protection_
Regulation#Sanctions

27. IOActive, Inc. Copyright ©2017. All Rights Reserved.
IoT Endpoint Considerations:
• Refrigerators, Washers
• Home & Building Power meters
• Thermostats, HVAC, Cameras
• TVs, Smartphones, iPads
• Cars, Trains, Buses
• Smart Cities
27

28. IOActive, Inc. Copyright ©2017. All Rights Reserved.
Call to Action: Resiliency is about planning
• Use the NIST Cybersecurity framework
• Evaluate your threat models with the latest
attack vectors
• Know your perimeter and endpoints
• Test your BCM plans
• Red team your network and your IdM systems
• Learn from other industries as they might get
hit before yours.

29. IOActive, Inc. Copyright ©2017. All Rights Reserved.
Good Reading

30. IOActive, Inc. Copyright ©2017. All Rights Reserved.
Thank You