The Avid Life Media hack is a striking example of everything that can go wrong when a company is completely breached and the stolen information is then disclosed in full. This attack resulted in an estimated $200 million in costs, the firing of the CEO, and countless ruined lives. This presentation will review the data exposed and what can be learned to prevent this from happening to your organization.
Luncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob Davis
1. Lessons Learned from Avid Life Media
Rob Davis, CISSP
Founder – Critical Start
CEO – Advanced Threat Analytics
rob.davis@criticalstart.com
214-674-1748
8. Corporate Alignment to Strategy to Mitigate Cybersecurity Risk
(Diagram: People, Money and Time; Business Impact, Risk Tolerance and Threat Landscape; and the SecCon 01 to SecCon 05 scale.)
9. SecCon levels (SecCon 05 down to SecCon 01) and the security postures they describe:
• Operational: operational security; minimal resources and budget allocated.
• Industry Average: use security practices that are typical for a given peer group and industry. Higher risk tolerance.
• Industry Best Practice: use security practices that are best practice for their industry. Lower risk tolerance.
• Advanced: goal is to detect and effectively respond to sophisticated, targeted cyber attacks.
• Compliance: security is an outcome of compliance.
10.
• Stored information in clear readable text
• Easily guessed passwords
• Did not limit access between networks
• Unable to identify the source of cybersecurity attack
• Failed to adequately restrict access of third-party vendors to its network and servers
• Failed to employ “reasonable measures to detect and prevent unauthorized access” to its computer network or to “conduct security investigations”
• Did not follow “proper incident response procedures”
11. FTC Chairwoman Edith Ramirez said in a statement that the decision “reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
22. Breach Doesn’t Mean Loss of Information
• Microsoft has published a comprehensive whitepaper that contains mitigations and guidance called “Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques.”
• NSA has a fantastic document on Windows Event log collection including a section on detecting PtH from log data.
• LAPS Tool from Microsoft: https://technet.microsoft.com/en-us/library/security/3062591.aspx
23. Simple Example of Attempting to Trick Users
• Notice that by default, macros are usually disabled.
• The document tries to create a sense of urgency by falsely claiming that the file is protected with an RSA key and requires the user to “Enable Content”.
25. Simple Example of Attempting to Trick Users
After the user enables the macro, the malicious Word document displays different content so the user believes the document has been decrypted.
32. ATA Alerts – Breach Detection
• ATA Alerts is a custom branded list of queries to detect activity consistent with malware infections, malicious credential usage, and attackers using credentials to move laterally.
• ATA Query Feed examples shown are:
  o Attempts to add user to a system from the command line
  o Attempts to add users to a local group from the command line
  o Instances of SVCHOST running in an incorrect user context
  o Use of Sysinternals Tools
  o PSEXEC process on endpoints
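The five ATA Query Feed examples above, written out as a small rule set run over constructed process-creation events. This is added example code, not the ATA product's queries or anything from the presentation; the event field names, hosts, users, command lines and the Sysinternals tool list are assumptions.

```python
import re

# Constructed sample process-creation events (fields loosely modelled on Windows
# Security 4688 / Sysmon event 1); hosts, users and command lines are hypothetical.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": r"CORP\alice", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user svc_backup Summer2015 /add"},
    {"host": "ws01", "user": r"CORP\alice", "image": r"C:\Windows\System32\net1.exe",
     "cmdline": "net1 localgroup administrators svc_backup /add"},
    {"host": "ws02", "user": r"CORP\bob", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "dc01", "user": r"NT AUTHORITY\SYSTEM", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws03", "user": r"CORP\carol", "image": r"C:\Temp\PsExec64.exe",
     "cmdline": r"PsExec64.exe \\srv01 -s cmd.exe"},
]
# svchost.exe legitimately runs only under the built-in service accounts.
SERVICE_ACCOUNTS = {r"NT AUTHORITY\SYSTEM", r"NT AUTHORITY\LOCAL SERVICE", r"NT AUTHORITY\NETWORK SERVICE"}
PSEXEC = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
SYSINTERNALS = PSEXEC | {"procdump.exe", "procexp.exe", "autoruns.exe"}  # illustrative subset
# "net user <name> [<password>] /add" and "net localgroup <group> <member> /add" (net or net1).
USER_ADD = re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+(\s+\S+)?\s+/add\b", re.I)
GROUP_ADD = re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+\S+\s+\S+\s+/add\b", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of the feed rules this event triggers (empty list if none)."""
    hits, image, cmd = [], basename(event["image"]), event["cmdline"]
    if USER_ADD.search(cmd):
        hits.append("user_add_cmdline")
    if GROUP_ADD.search(cmd):
        hits.append("localgroup_add_cmdline")
    if image == "svchost.exe" and event["user"].upper() not in SERVICE_ACCOUNTS:
        hits.append("svchost_wrong_context")
    if image in SYSINTERNALS:
        hits.append("sysinternals_tool")
    if image in PSEXEC:
        hits.append("psexec_on_endpoint")
    return hits

def run_feed(events):
    """Apply every rule to every event; returns (host, rule) alert tuples."""
    return [(e["host"], rule) for e in events for rule in classify(e)]

if __name__ == "__main__":
    for host, rule in run_feed(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

In a real deployment the events would come from centrally collected 4688 or Sysmon logs, and the Sysinternals list would be tuned to what administrators in the environment legitimately use.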