TRANSCRIPT
David Bailey Group Head of Marketing and Communications
Eldon Sprickerhoff, Chief Security Strategist, Founder
WE DETECT THE CYBER THREATS THAT OTHER TECHNOLOGIES MISS
Cybercrime: A wake-up call for Private Equity & Real Estate firms.
Date: 27th September, 2017
Presenter: Eldon Sprickerhoff, Chief Security Strategist, [email protected] @TheEldon
CAMBRIDGE | NEW YORK | LONDON | CORK
293 EMPLOYEES
2001 FOUNDED
525+ CUSTOMERS
65% YOY GROWTH
97% CUSTOMER RETENTION
$5.3T FI AUM PROTECTED
PROVEN CYBERSECURITY FOR MID-SIZED ENTERPRISE
CYBERCRIME IS BIG BUSINESS
$70B spent on cybersecurity
$375-575B in estimated losses
THREAT ACTORS: Hacktivist | Nation State Actor | Insider | Organized Crime | Criminal | Terrorist
MEANS | MOTIVE | OPPORTUNITY
Easy Access to Cyber Weaponry
No Negative Repercussions
Motivation is High
Minimal Cyber Skills Required
PHISHING CAMPAIGNS
SPOOFING THE BOSS / BUSINESS EMAIL COMPROMISE (BEC)
WATERING HOLES
SYSTEMIC VULNERABILITIES EXPLOITATION
SOCIAL ENGINEERING
RANSOMWARE
TARGETED ATTACKS
SOPHISTICATED CYBER ATTACKS
WHY ARE VC AND PE FIRMS INTERESTING TO HACKERS?
HIGH VALUE ASSETS, PUBLICLY VISIBLE
CONFIDENTIAL & VALUABLE INFORMATION
WELL KNOWN INVESTMENTS
The Anatomy of a Typical Attack

INFILTRATION (entry vectors)
SPEAR PHISHING: Email Attachment | Malicious URL
EXTERNAL SCANS: Vulnerabilities | Weak Credentials | SQLi
PHYSICAL: USB Drive | CD-R | Laptop | Mobile | WiFi
OPPORTUNISTIC: Drive-by Download

ESTABLISH BEACHHEAD
ESTABLISH C2 CHANNEL (ATTACKER sends Updates & Instructions)
Escalation / Extension / Expansion / Penetration (over TIME)
Lateral Analysis to "Learn About You"
Lateral Access to "Secret Sauce"
ONGOING EDUCATION
DATA EXFILTRATION

LOCAL METHODS: Key Logging | DOC/Mailbox/Text Search | Password Cracking / SAM | User/Group Accounts
NETWORK METHODS: Poorly Protected Shares | ARP Hijack / MITM | Poorly Patched Systems | Broad Scanning
© 2017 eSentire, Inc.
TARGETED ATTACK
TARGET: Sent email with infected attachment
INFILTRATE: Fake log in captured creds
EXPAND: Infected email sent from compromised account
BLOCKED: eSentire detected and reported attack
COLD CASE
SOC ANALYST: Discovered CnC traffic
FORENSICS: Tracked hacker through cellphone
EVIDENCE: Collected stolen data
LAW: Turned over evidence to law enforcement
CSI CYBER: Discovered crime ring
Regulatory and Due Diligence Cybersecurity Focus Questions
ASSETS: Do you know what data you have?
REGULATORS: Do you know what legislation governs the data you have?
THREAT ACTORS: Do you know what cyber threats are targeting your firm?
PROTECTION: How are you defending your firm from cyber threats?
RISKS: Do you know what access risks exist?
REPORTING: Can you demonstrate your cybersecurity claims?
Most Frequently-Seen Cybersecurity Gaps
» Data Mapping / Classification / Ownership (DLP/PII)
» Evidence / Audit Trails
» Employee userid add/delete/change
» Throughout business processes / systems
eSentire Security Framework: Community Edition
Maturity Assessment & Gap Analysis
Most Frequently-Seen Cybersecurity Gaps (cont.)
» Incident Response Planning
Information Security Event Scenarios (aka "The Dirty Dozen")
» Malware Compromise
» Ransomware Attack
» Social Engineering
» Business Email Compromise
» Infrastructure Outage (Internal)
» Local Access Without Authorization (Non-Malware)
» Remote Access Without Authorization
» Lost/Stolen Devices
» Inappropriate Behavior (Internal)
» Cloud Service Access Without Authorization
» Data Loss/Extrusion (Internal)
» Direct Financial Loss
» Denial of Service (External)
» Physical Breach
» Third-Party Breach
"THE MORE YOU SWEAT IN PEACE, THE LESS YOU BLEED IN WAR." - General George S. Patton
INCIDENT RESPONSE PLAN
Legal | Law Enforcement | PR | Board | Regulator | Compliance | IR
Simulation Runs
Ransomware
Ransomware Failure Vectors: Technical, Process/Policy, Training
• The firm's upstream email (SMTP) provider did not scan attachments for malicious content.
• The firm's next-generation firewall did not identify the attachment as malicious (or questionable) content.
• The firm's local email system (e.g. Microsoft Exchange) did not scan attachments for malicious content.
• The end user was not sufficiently trained to identify a phishing email (with malicious content).
• The user's workstation (or mobile device) did not flag the malicious content (through anti-virus or other endpoint protection methodology).
• If the delivery vector was a macro hidden within an Office document (the most common delivery method), macros were enabled within Office (or the user was enticed to enable them manually).
• The user's workstation did not have restrictions placed on the execution of downloaded content.
• The firm's next-generation firewall and/or Intrusion Prevention System did not recognize and/or block the command-and-control traffic (including key generation) of the malicious code (particularly important if the remote IP addresses were previously known to be bad).
• The firm did not detect (through file system analysis) that a specific user was modifying a large number of files rapidly.
• Depending on how many files were affected by the infected endpoint, it is possible that the end user had more access than they needed to do their job.
• During the restore process, some newer files might not have been backed up due to a gap in backup rigor.
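The file-system failure vector above (nobody noticed one user modifying a large number of files rapidly) is the one a SOC can catch with simple behavioural logic even when every upstream control has already missed the payload. The following is an added example, not eSentire's code or tooling: a Python sliding-window detector run over file-server audit events. The audit line format, the thresholds, the suspicious-extension list and the sample events are all assumptions constructed for illustration.

```python
"""Rate-based detection of mass file modification, the ransomware tell described above.

Added example (not eSentire's tooling). Event line format, thresholds and the
suspicious-extension list are assumptions for illustration; the audit events
below are constructed, not captured from a real file server.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(seconds=60)     # sliding window per user (assumption)
MAX_WRITES_PER_WINDOW = 20         # writes/renames in one window before alerting (assumption)
MIN_DISTINCT_DIRS = 3              # ransomware walks many folders; a bulk save rarely does
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}  # assumption

# Assumed audit format: <ISO timestamp> user=<name> op=<WRITE|RENAME|CREATE|READ> path="<UNC path>"
EVENT_RE = re.compile(r'^(\S+) user=(\S+) op=(\S+) path="([^"]+)"$')


def parse_event(line):
    """Split one audit line into (timestamp, user, op, path); reject anything malformed."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ts, user, op, path = m.groups()
    return datetime.fromisoformat(ts), user, op, path


class MassModificationDetector:
    """Per-user sliding window over modifying operations; alerts once per user."""

    MODIFYING_OPS = {"WRITE", "RENAME", "CREATE"}

    def __init__(self, window=WINDOW, max_writes=MAX_WRITES_PER_WINDOW, min_dirs=MIN_DISTINCT_DIRS):
        self.window, self.max_writes, self.min_dirs = window, max_writes, min_dirs
        self._recent = defaultdict(deque)   # user -> deque of (ts, path) still inside the window
        self._alerted = set()

    def observe(self, ts, user, op, path):
        """Feed one event; return an alert dict the first time the user crosses the threshold."""
        if op not in self.MODIFYING_OPS:
            return None                      # reads never count toward the threshold
        q = self._recent[user]
        q.append((ts, path))
        cutoff = ts - self.window
        while q and q[0][0] < cutoff:        # expire events that fell out of the window
            q.popleft()
        dirs = {PureWindowsPath(p).parent for _, p in q}
        odd_ext = sum(1 for _, p in q if PureWindowsPath(p).suffix.lower() in SUSPICIOUS_EXTENSIONS)
        if len(q) >= self.max_writes and len(dirs) >= self.min_dirs and user not in self._alerted:
            self._alerted.add(user)
            return {"user": user, "writes": len(q), "dirs": len(dirs), "suspicious_ext": odd_ext,
                    "first": q[0][0].isoformat(), "last": ts.isoformat()}
        return None


def scan(lines, **thresholds):
    """Run the detector over an iterable of audit lines; return the list of alerts raised."""
    det = MassModificationDetector(**thresholds)
    alerts = []
    for line in lines:
        alert = det.observe(*parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


def constructed_events():
    """Constructed sample: alice edits a few documents normally; bob's workstation
    renames 25 files to .locked across five shares within 25 seconds."""
    lines = [
        '2017-09-27T10:00:00 user=alice op=WRITE path="\\\\fs01\\finance\\q3-forecast.xlsx"',
        '2017-09-27T10:04:12 user=alice op=READ path="\\\\fs01\\deals\\termsheet.docx"',
        '2017-09-27T10:09:45 user=alice op=WRITE path="\\\\fs01\\deals\\termsheet.docx"',
    ]
    start = datetime(2017, 9, 27, 10, 15, 0)
    shares = ["finance", "deals", "legal", "hr", "ir"]
    for i in range(25):
        ts = (start + timedelta(seconds=i)).isoformat()
        lines.append(f'{ts} user=bob op=RENAME path="\\\\fs01\\{shares[i % 5]}\\doc{i:03d}.pdf.locked"')
    return lines


if __name__ == "__main__":
    for a in scan(constructed_events()):
        print(f"ALERT {a['user']}: {a['writes']} modifications across {a['dirs']} folders "
              f"({a['suspicious_ext']} with suspicious extensions) between {a['first']} and {a['last']}")
```

Two caveats a practitioner should keep in mind. Rate alone is a noisy signal: a user saving a whole folder from a desktop application, a backup agent, or a build job can all exceed twenty writes a minute, so the detector also requires the writes to span several directories, and in production a service-account allowlist belongs next to that check. And this is a containment trigger, not prevention: by the time it fires, twenty files are already encrypted, which is exactly why it has to feed an automated response (disable the account, isolate the host) rather than a ticket queue.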
Most Frequently-Seen Cybersecurity Gaps (cont.)
» Risk Assessment (Maturity/Gap) vs. Vulnerability Assessment vs. Penetration Testing
PENETRATION TESTING vs. VULNERABILITY SCANNING (levels 0-3)

PENETRATION TESTING
0: External Vulnerability Analysis (no creds) with attempts to exploit
1: External Vulnerability Analysis (no creds) with attempts to exploit, plus Phishing / OSINT / Physical
2: Phishing with active content (not damaging, but persistent access)
3: "Ocean's Eleven": active exploitation, defined objective, web app exploits

VULNERABILITY SCANNING
0: External Vulnerability Analysis (with creds) without attempts to exploit
1: Internal Vulnerability Analysis (with creds) without attempts to exploit
2: Wireless Vulnerability Scanning
3: Web Application Analysis
Resources Available
» Guide to Sound Practices for Cyber Security (AIMA)
» Illustrative Questionnaire for Due Diligence of Vendor Cyber Security (AITEC)
» SEC-OCIE 2015 Cybersecurity Examination Initiative (Risk Alert)
» eSentire Written Information Security Policy / Incident Response Template
» eSentire Security Framework (Community Edition)
» eSentire Compliance Readiness Workbook
» eSentire Data Flow Security Template
» eSentire "Dirty Dozen" Scenario Listing
» eSentire Updated Regulatory Cybersecurity Recommendations (v7)
» eSentire Ransomware Defense Recommendations
"How can one decide what's reasonable?"
The Best (12 or 13) Cybersecurity Questions To Ask
» The 6 "Top Level" Questions from the beginning of this presentation.
» Who is responsible for cybersecurity within your firm?
» How well do you vet your vendors (AITEC)?
» What is your incident response plan (esp. for a ransomware attack)?
» What is your protocol to fulfill wire transfer requests?
» How do you educate the firm's employees (esp. senior management)?
» Describe your vulnerability assessment and penetration test methodologies.
» EU-specific Domicile Question: How are you preparing for GDPR?
CYBERSECURITY MUST-HAVES (e.g. Portfolio Firms)
1 IDENTIFY COMMON ATTACKS
2 ACCEPTABLE USE POLICY (AUP)
3 ENFORCE RIGOROUS PASSWORD POLICY
4 MINIMIZE ADMIN PRIVILEGES
5 PATCH SYSTEMS REGULARLY
6 VALIDATE SECURITY SYSTEMS FUNCTIONING
7 PERFORM REGULAR BACKUPS
8 LOG SYSTEM ACCESS
9 PERFORM VULNERABILITY ASSESSMENTS
10 MONITOR NETWORK TRAFFIC
11 VALIDATE PHYSICAL SECURITY
12 PREPARE FOR THE EVENTUAL INCIDENT
eSentire Managed Detection and Response™ (eMDR) Service

Detection and Prevention Technology
• Real-time detection and prevention of known attacks
• Signal suspicious network behavior to detect unknown attacks

24x7 Human Monitoring and Hunting
• Real-time forensics via 24x7 Global SOCs
• Add insights to raw signals
• Quickly determine if "weird normal" or "weird bad"

Intervention & Response
• Contain threat
• Escalate to customer
• Remediate

MANAGED DETECTION & RESPONSE: Focus on threat detection use cases, advanced or targeted attacks that have bypassed existing perimeter controls
MDR supports organisations seeking to improve their threat detection and incident response capabilities:
• Organisations struggle to deploy, manage and use an effective combination of expertise and tools to detect threats, especially targeted advanced threats and insider threats.
• A growing number of providers are offering outcome-based services that differ from traditional managed security services (MSSs) offerings, because they are focused on detecting previously undetected threats that have breached an organization's perimeter and are moving laterally through the IT environment.
• MDR services are not delivered by the majority of MSSPs today, but this is changing.
• MDR services are still focused at the enterprise and upper-midmarket customer, but new entrants are targeting smaller midsize organisations.