Internal Audit, Risk, Business & Technology Consulting © 2020 Protiviti – Confidential. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial
statements or offer attestation services. All registered trademarks are the property of their respective owners.
IIA ST. LOUIS
UNDERSTANDING CYBERSECURITY - PAST AND THE PRESENT
David Stehr, Protiviti
Rob Woltering, Protiviti
April 23, 2020
WHO WE ARE
David Stehr
Director - Security and Privacy
Phone: 636-578-4291
Rob Woltering
Senior Manager - Security and Privacy
Phone: 314-656-1752
TODAY’S AGENDA:
• Defining Hacking and Understanding the Evolution of a Hacker
• A Look at Different Security Frameworks
• How Hackers Attack – Case Study of a Large Retail Organization
• Why Are We So Bad at Detecting Breaches?
• Detecting Malicious Activity - Introduction to Threat Hunting
• Selecting High-Value Cyber Audits
DEFINING HACKING AND UNDERSTANDING THE EVOLUTION OF A HACKER
LARGE DATA BREACHES
Source: CNN, NBC, CSO Online
"Some of the more obvious results of IS failures include reputational damage, placing the organization at a competitive disadvantage, and contractual noncompliance. These impacts should not be underestimated."
― The IIA Research Foundation
2006 – AOL: Data on more than 20 million web inquiries, from more than 650,000 users, including shopping and banking data, were posted publicly on a web site.
2008 – Wyndham Hotels: Sued by the U.S. Federal Government after sensitive customer data, including credit card numbers and personal information, allegedly were stolen three times in less than two years.
2009 – Google/other Silicon Valley companies: Stolen intellectual property, including source code.
2011 – Sony's PlayStation Network: 77 million PlayStation Network accounts hacked; Sony is said to have lost millions while the system was down for a month.
2013 – Target: 110 million records breached, including 40 million credit and debit cards. CEO and CIO resigned.
2014 – Home Depot: 56 million payment cards breached. Similar to Target, the attack relied on stolen vendor credentials and RAM scraping.
2015 – Anthem: 78 million personal data records from Anthem and other Blue Cross customers breached.
2016 – Yahoo Breach: All 3 billion accounts compromised. Resulted in a $350 million price drop in Verizon’s pending acquisition.
2017 – Equifax: Personal credit information including SSN, credit card numbers, and credit records for 145+ million consumers stolen.
DEFINING HACKING
There is more than one type of “hacking”: software, hardware, and people.
Hacking often refers to the practice of modifying or altering computer software and hardware to accomplish a goal that is considered to be outside of the creator’s original objective. People who engage in computer hacking activities are often called hackers.
HACKER TYPES
01 – WHITE HAT: Good Guys; Non-Malicious Intent; “Ethical Hacker”
02 – BLACK HAT: Bad Guys; Malicious Intent
03 – GREY HAT: White and Black Hat; Notifies Administrator of Issue
04 – BLUE HAT: Outside Consulting Firm that Tests a System Prior to or After Launch
05 – SCRIPT KIDDIES: Little Knowledge; Uses Pre-Packaged Tools
EVOLUTION OF HACKING
Once only a hobby for a few, hacking quickly turned into a vehicle for criminal enterprises and garnered the attention of mainstream culture.
1965 – First Unix Vulnerability
1970’s – Phone Phreaking
1980’s – Worm Invented; First Large-Scale Attacks
1990 – Sting Op. “Sundevil”
1995 – The Mitnick Takedown; Held Four Years Without Trial
1990’s – The Movies; Mainstream Culture
EVOLUTION OF HACKING CONTINUED
A new wave of hackers has emerged based not on financial gain but rather on social values.
2000’s – Rise of the Internet: ILOVEYOU Virus, Botnets
2010 – New Type of Hackers: Anonymous, Lulzsec, Wikileaks
2012+ – Large Commerce Becomes Major Target: Neiman Marcus, Home Depot, Sony, Target, Anthem
2016 – USA Presidential Campaign Hacking
2020+ – What’s Next
EXTERNAL THREAT LANDSCAPE
PII and Credit Card Thieves
Ransomware Crooks
Wire Transfer Fraudsters
Botnet Herders
Hacktivists
Nation State Attackers
HACKER MOTIVATIONS
Reputation and Notoriety
Hacktivism and Social Rights
Curiosity and Challenges
Money and Personal Gain
A LOOK AT DIFFERENT SECURITY FRAMEWORKS
LAYERED SECURITY MODEL
Layers: Physical Security; User Awareness; Firewalls & IDS/IPS; Logical Access; Anti-Virus; Patch Management; Device Configuration
Defense in Depth
Defense in depth is the coordinated use of multiple security countermeasures to protect the confidentiality, integrity, and availability of the information assets in an enterprise.
If a hacker gains access to a system, defense in depth minimizes the adverse impact and gives administrators and engineers time to deploy new or updated countermeasures to prevent recurrence.
Source: http://searchsecurity.techtarget.com/definition/defense-in-depth
NIST CYBER SECURITY FRAMEWORK (CSF) OVERVIEW
Where did the framework originate from?
In February 2013, President Barack Obama signed an executive order launching the development of a cybersecurity framework with the goal of developing a voluntary “how-to” guide for organizations in the United States’ critical infrastructure community to enhance their cybersecurity postures.
Who developed the framework?
Individuals and organizations around the world provided their thoughts on the standards, best practices, and guidelines that would meaningfully improve critical infrastructure cybersecurity. The Department of Commerce's National Institute of Standards and Technology (NIST) consolidated the input into the voluntary Cybersecurity Framework announced on February 12th, 2014. On April 16th, 2018, version 1.1 of the Framework was released.
What is the framework based upon?
The Framework leverages and integrates commonly known risk and information security approaches from ISO 2700X, CoBIT, ISO 31000, ISO 27005 and FISMA (NIST 800-53).
What is the intended purpose of the framework?
The framework is designed to help organizations understand, communicate, and manage their cyber risks. For organizations that don’t know where to start, the framework provides a roadmap. For organizations with more advanced cybersecurity programs, the framework offers a way to better communicate their cyber risks internally and externally.
NIST CYBER SECURITY FRAMEWORK (CSF) OVERVIEW
Framework Core
Identify
● Asset Management
● Business Environment
● Governance
● Risk Assessment
● Risk Management Strategy
● Supply Chain Risk Management
Protect
● Access Control
● Awareness and Training
● Data Security
● Information Protection Processes & Procedures
● Maintenance
● Protective Technology
Detect
● Anomalies and Events
● Security Continuous Monitoring
● Detection Processes
Respond
● Response Planning
● Communications
● Analysis
● Mitigation
● Improvements
Recover
● Recovery Planning
● Improvements
● Communications
Implementation Tiers
Four tiers describe the degree to which processes exhibit characteristics defined in the CSF:
Tier 1 - Partial: Practices are not formalized or do not exist
Tier 2 - Informed: Practices are in place but may not be formalized as policy
Tier 3 - Repeatable: Practices are formally approved and expressed as policy
Tier 4 - Adaptive: Policies and practices are adapted and continuously improved and optimized
The NIST CSF v1.1 consists of 5 functions, 23 categories, and 108 subcategories based on industry best practices including COBIT, ISO/IEC 27001, NIST SP 800-53, and SANS CSC.
ISO 27002 SECURITY FRAMEWORK OVERVIEW
The 2013 publication of ISO 27002 contains 114 controls, including those for:
• Structure
• Security Policies
• Organization of Information Security
• Human Resources Security
• IT Asset Management
• Access Control
• Cryptography
• Physical and Environmental Security
• Operations Security
• Communications Security
• Information Systems Acquisition, Development, Maintenance
• Supplier Relationships
• Information Security Incident Management
• Information Security Aspects of Business Continuity
• Compliance
ISO 27K is an international standard published by the International Standardization Organization (ISO) describing how to establish and effectively manage an organization's Information Security Management System (ISMS).
The ISO 27K standard consists of 14 domains (including sections on Information Security Policies, Organization of Information Security, Asset Management, Access Control, etc.), 35 subdomains, and 114 controls.
CIS CRITICAL SECURITY CONTROLS
In 2008, the Center for Internet Security's Critical Security Controls ("CIS Controls") were created as a collaboration between representatives from the U.S. government and private sector security research organizations.
A set of practical defenses specifically targeted toward stopping cyber-attacks, these proposed defenses were technical in nature and intended to define specific, practical steps an organization could take to stop the most common cyber threats from compromising their information systems.
Formerly known as the SANS Top 20.
The CIS Controls consist of 149 sub-controls grouped into 20 parent control categories.
CIS CRITICAL SECURITY CONTROLS
Top 5 CIS Controls
✓ CSC 1: Inventory of Authorized and Unauthorized Devices
✓ CSC 2: Inventory of Authorized and Unauthorized Software
✓ CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
✓ CSC 4: Continuous Vulnerability Assessment and Remediation
✓ CSC 5: Controlled Use of Administrative Privileges
Organizations that apply the first five CIS Controls can reduce their risk of cyberattack by around 85 percent.
Implementing all 20 CIS Controls increases the risk reduction to around 94 percent.
HOW HACKERS ATTACK
CASE STUDY OF A LARGE RETAIL ORGANIZATION
CYBER KILL CHAIN
“A kill chain is a systematic process to
target and engage an adversary to create
desired effects.”
“The essence of an intrusion is that the
aggressor must develop a payload to
breach a trusted boundary, establish a
presence inside a trusted environment, and
from that presence, take actions towards
their objectives, be they moving laterally
inside the environment or violating the
confidentiality, integrity, or availability of a
system in the environment.”
-- Lockheed Martin, Intelligence-Driven
Computer Network Defense Informed by
Analysis of Adversary Campaigns and
Intrusion Kill Chains
KILL CHAIN PHASE: RECONNAISSANCE
Adversary gathers information about the victim
➢ GOOGLE SEARCH REVEALS RETAILER’S SUPPLIER PORTAL
• Retailer gave vendors access for electronic billing, contract submission, and project management purposes
• Publicly available documentation reveals HVAC vendor info; file metadata may have been used as well.
➢ ADVERSARY IDENTIFIES POTENTIAL TARGET
• HVAC and refrigeration company
KILL CHAIN PHASE: WEAPONIZATION & DELIVERY
Adversary prepares and delivers a malicious payload to the victim
➢ ADVERSARY LAUNCHES PHISHING ATTACK AGAINST VENDOR
• Vendor received phishing e-mails, likely containing malicious PDF files, macro-enabled Microsoft Office files, or malicious web links, two months prior to the breach.
➢ MALICIOUS PAYLOAD INSTALLS KEY LOGGER
• Key logger collects vendor employee’s log-in credentials to the Retailer portal.
➢ VENDOR DID NOT HAVE PROPER SECURITY CONTROLS
• Used free personal edition of anti-virus, which does not provide real-time protection. It did not detect the malicious key logger.
KILL CHAIN PHASE: EXPLOITATION
Adversary’s payload is executed in the victim’s network
➢ ADVERSARY NOW HAS GAINED ACCESS TO THE VENDOR PORTAL
➢ HOW DID THEY PIVOT FROM WEB SERVER TO INTERNAL NETWORK?
• Details have not been disclosed by Retailer.
• Possible that the web service / portal was exploited to gain command-line access to the underlying OS.
• Possibly a SQL injection.
• Possible that the adversary then escalated their privileges on the web server OS.
• Possible that default vendor software credentials were used.
PAUSE
The adversary has now gained access to Retailer’s internal network.
What could have been done to prevent the adversary from getting this far?
1. VENDOR MANAGEMENT
2. MULTI-FACTOR AUTHENTICATION
3. WEB APP PENETRATION TESTING
4. VULNERABILITY MANAGEMENT
5. PATCH MANAGEMENT
6. NETWORK INTRUSION DETECTION SYSTEM
KILL CHAIN PHASE: INSTALLATION
Adversary establishes a foothold in the victim’s network
➢ ADVERSARY NOW HAS ACCESS TO RETAILER’S INTERNAL NETWORK
➢ ADVERSARY IDENTIFIES POS SYSTEMS AND DEPLOYS MALWARE
• “RAM scraping” malware available for purchase on black-market forums for $1,800 - $2,300.
• The malware was then modified to the adversary’s needs in attacking Retailer.
As soon as a card is swiped, the card information is temporarily loaded into RAM in clear text. The “RAM scraping” malware immediately pulls the data from RAM before it is processed and erased.
KILL CHAIN PHASE: COMMAND & CONTROL
Adversary establishes remote access to the victim’s network
➢ ADVERSARY GAINED PERSISTENT ACCESS
• Details are unknown / undisclosed, but it is believed persistent access was obtained using Vendor’s credentials, or other credentials obtained after compromising the web server.
➢ ADDITIONAL INTERNAL SERVERS WERE COMPROMISED
• The adversary compromised at least two other internal servers to control and execute the attack:
• A “dump” server to which all of the credit card data scraped from the POS systems was written.
• An exfiltration server which was used to pull data from the “dump” server and upload it to an external, non-Retailer server (believed to have been compromised by the adversary).
KILL CHAIN PHASE: ACTION ON OBJECTIVES
Adversary exfiltrates data from the victim network
1. POS malware writes credit card data to dump server
2. Exfiltration server pulls card data from dump server and sends to external FTP servers
• Transmissions occur multiple times per day for two weeks between 10am and 6pm.
3. Data downloaded from FTP sites by a Russian virtual private server
WHERE DID THE RETAILER GO WRONG?
VENDOR MANAGEMENT
01 – Vendor had a weak security program, and access to the Retailer network
❖ RECON – Publicly available information disclosed the Retailer’s vendors.
❖ WEAPONIZATION – Vendor used inadequate anti-virus without real-time alerting or defenses.
❖ DELIVERY – Vendor did not detect phishing emails it received, and did not train its users to recognize and report phishing attempts.
❖ DELIVERY – Retailer did not isolate its billing system from the rest of its network, and did not require two-factor authentication.
INTRUSION RESPONSE
02 – Retailer failed to respond to automated alerts that malware was being installed
❖ EXPLOITATION – Retailer had known security vulnerabilities on their POS systems that went unpatched and unmitigated. These vulnerabilities were exploited to gain access and install the RAM scraping malware.
❖ EXPLOITATION – Retailer’s alerting system reported events for each install of the malware. These alerts were ignored by the Retailer, and its security solution was not configured to automatically delete the malware when detected.
❖ INSTALLATION – Retailer’s antivirus detected malware on the POS systems and the exfiltration server. These alerts were also ignored.
NETWORK / SYSTEM ISOLATION
03 – Attackers were able to move from less sensitive areas of the network to more sensitive areas containing customer data
❖ INSTALLATION – It is suspected that the attackers used a common account and password to move through the network from the third-party-facing system to the dump server and exfiltration server.
❖ INSTALLATION – Retailer was not running white-listing software on any of the critical systems, and thus unknown, untrusted software outside of any change control process was allowed to execute on critical systems.
❖ COMMAND & CONTROL – Retailer’s systems were allowed to connect outbound to the internet using common data exfiltration ports that were not required for business purposes.
EXFILTRATION RESPONSE
04 – Retailer failed to respond to automated alerts that systems were communicating outbound with known data exfiltration IP addresses
❖ ACT ON OBJECTIVES – Credit card data was sent in clear text via FTP. It was detected by data loss prevention (DLP) technology, and the generated events were ignored.
❖ ACT ON OBJECTIVES – The exfiltration destination was in Russia. Presumably, there was not a justified business reason for a server to initiate outbound connections to Russia, regardless of protocol or data content.
❖ ACT ON OBJECTIVES – Retailer’s systems reported events of data exfiltration to known credit card dump locations repeatedly while the attackers exfiltrated data across a period of two weeks. Retailer ignored the events.
Retailer was PCI-DSS Compliant
Warranting the question:
Do your cybersecurity program and 3rd line of defense audits
just check the box…
… Or do they strive to enable the business to proactively
find and respond to indicators of compromise before the
breach?
WHY ARE WE SO BAD AT DETECTING BREACHES?
HOW AND WHEN ORGANIZATIONS NOTICE BREACHES
From a recent Mandiant report:
• Nearly 70% of breached organizations were notified they were breached by an outside party.
• A median of 205 days passed before an organization was notified that it was breached or it noticed itself.
Other industry reports, such as the Verizon DBIR, and Protiviti’s own experience with incident response, show a similar pattern.
Conclusion: Organizations are not good at self-detecting breaches in a timely manner.
HOW MOST DETECTION TECHNOLOGY WORKS:
KNOWN BAD
Most attacker-detection technology works by
detecting either known bad signatures or known
suspicious behavior, that is, indicators that have
previously been associated with attackers.
Cybersecurity isn’t hard, just look for this
guy in the break room.
KNOWN BAD SIGNATURES
Similar to TSA looking for guns, knives,
and explosive residue during screening.
• IP addresses associated with bad actors.
• Contents of communications used by
previous malware.
• Strings in previous malware used or file
hashes of those files.
BENEFITS OF LOOKING FOR KNOWN BAD
SIGNATURES
• Easy
• Cheap
• Accurate
(The TSA approach.)
DISADVANTAGES OF LOOKING FOR KNOWN BAD
SIGNATURES
• Outdated Quickly
• Less Effective for Individual Attackers
• Known By Attackers
WHAT IS AN ALTERNATIVE?
KNOWN SUSPICIOUS BEHAVIORS
1. One computer on a network connecting to many other computers in quick succession.
2. An executable file that attempts to reach out to the Internet when it is launched.
3. Multiple incorrect password attempts on a user account over a short period of time.
Similar to TSA flagging passengers that
purchased using cash, bought a one-way ticket,
or have traveled to certain countries.
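To make the contrast between the two detection styles concrete, here is an added example (not from the slides) that runs a known-bad IP check and two of the behavioral rules above (fan-out and repeated failed logons) over a constructed event log; the IP list, host names, user names and thresholds are all assumed values.

```python
"""Signature-based vs. behavior-based detection over a constructed log.
Added example, not from the original slides; IPs, hosts, users and
thresholds are all constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_BAD_IPS = {"203.0.113.10"}  # constructed "known bad" signature list

def _t(seconds):  # timestamps relative to a constructed start time
    return datetime(2020, 4, 23, 10, 0, 0) + timedelta(seconds=seconds)

# Event tuples: (timestamp, kind, actor, target). Constructed sample data.
EVENTS = [(_t(0), "net", "ws-17", "203.0.113.10")]                      # known-bad hit
EVENTS += [(_t(i), "net", "ws-42", f"10.0.1.{i}") for i in range(30)]   # 30 hosts in 30 s
EVENTS += [(_t(i * 20), "net", "ws-03", f"10.0.2.{i}") for i in range(5)]  # benign host
EVENTS += [(_t(60 + i * 15), "auth_fail", "jsmith", "vpn") for i in range(6)]
EVENTS += [(_t(3600 + i * 900), "auth_fail", "rwolt", "vpn") for i in range(3)]

def signature_hits(events):
    """Known-bad match: cheap and accurate, but only for IPs already listed."""
    return [e for e in events if e[1] == "net" and e[3] in KNOWN_BAD_IPS]

def _burst_actors(events, kind, window, min_count, distinct_targets):
    """Actors whose events of `kind` reach `min_count` within `window`
    seconds. distinct_targets=True counts unique targets (fan-out);
    False counts raw events (repeated failures against one account)."""
    by_actor = defaultdict(list)
    for ts, k, actor, target in events:
        if k == kind:
            by_actor[actor].append((ts, target))
    flagged = set()
    for actor, items in by_actor.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            inside = [tg for ts, tg in items[i:] if ts - start <= timedelta(seconds=window)]
            count = len(set(inside)) if distinct_targets else len(inside)
            if count >= min_count:
                flagged.add(actor)
                break
    return flagged

def fan_out_hits(events, window=60, min_hosts=20):
    """Behavior 1: one host connecting to many hosts in quick succession."""
    return _burst_actors(events, "net", window, min_hosts, True)

def brute_force_hits(events, window=300, min_failures=5):
    """Behavior 3: many failed logons for one account in a short period."""
    return _burst_actors(events, "auth_fail", window, min_failures, False)
```

Lowering `min_hosts` to 4 also flags the benign host ws-03, which is the false-positive side of the tuning problem: the thresholds, not the rules, decide how noisy behavioral detection is.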
BENEFITS OF LOOKING
FOR KNOWN SUSPICIOUS BEHAVIORS
1. Somewhat Automatable
2. Earlier Detection
3. Stays Relevant Longer
CHALLENGES IN LOOKING FOR
KNOWN SUSPICIOUS BEHAVIORS
1. Difficult to Balance False Positives and False Negatives.
2. Expensive.
3. Known By Attackers.
DETECTING MALICIOUS ACTIVITY
AN INTRO TO THREAT HUNTING
HUNTING: SEARCHING FOR ATTACKERS
Proactively searching
for attackers that would
not be detected using
in-place technologies,
processes, and
information.
Hunting helps answer the question “are we
currently breached and just don’t know it?”
HUNTING AREAS
Hunting is not standardized in the industry, but often includes:
Systems Review
Broad review of processes running on systems for anomalies and
detailed examination of key systems, often involving forensic
investigation such as examining memory and disk captures.
Network Review
High-level statistical review of Internet and other key network
destinations and activity over time, along with a “deep dive” into
network traffic captures for a shorter duration.
User Activity Review
High-level statistical review of user activity to identify anomalies,
with particular focus on privileged administrator, application service
accounts and remote access.
Historic Alerts Review
Looking at historic alerts from anti-virus and other detection
mechanisms to look for cases where alerts were more serious than
first thought or look more serious given current information.
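As an added illustration of the Network Review (it is not from the original slides), the following builds a statistical baseline of outbound destinations per host from constructed connection records and then hunts a newer window for destinations that are new, rarely seen, or new for that particular host; the domains, host names and the seven-day threshold are all constructed.

```python
"""Threat-hunting style network review: baseline outbound destinations
per host over time, then hunt a recent window for anomalies.
Added example, not from the original slides; all records are constructed."""
from collections import defaultdict

# Constructed connection summaries: (day, host, destination_domain)
BASELINE = []
for day in range(1, 31):  # 30 days of "normal" traffic
    for host in ("ws-01", "ws-02", "ws-03", "srv-db"):
        BASELINE += [(day, host, d) for d in ("update.example.com", "mail.example.com")]
    BASELINE.append((day, "srv-db", "backup.example.com"))  # only srv-db backs up
BASELINE += [(3, "ws-01", "legacy.example.org"), (4, "ws-01", "legacy.example.org")]

HUNT = [  # the window being hunted (constructed)
    (31, "ws-01", "update.example.com"),
    (31, "ws-02", "mail.example.com"),
    (31, "ws-02", "cdn-7f3a.example.net"),  # never seen before
    (31, "srv-db", "backup.example.com"),
    (31, "ws-03", "backup.example.com"),    # seen before, but only from srv-db
    (31, "ws-01", "legacy.example.org"),    # seen before, but only on two days
]

def build_baseline(records):
    """Per destination: the set of days and the set of hosts that used it."""
    days, hosts = defaultdict(set), defaultdict(set)
    for day, host, dest in records:
        days[dest].add(day)
        hosts[dest].add(host)
    return {dest: (days[dest], hosts[dest]) for dest in days}

def hunt_destinations(baseline, window, min_days=7):
    """Return (destination, host, reason) for outbound destinations worth an
    analyst's attention. Thresholds are constructed, not tuned."""
    findings = []
    for _, host, dest in window:
        if dest not in baseline:
            findings.append((dest, host, "new destination"))
            continue
        seen_days, seen_hosts = baseline[dest]
        if len(seen_days) < min_days:
            findings.append((dest, host, "rarely seen"))
        elif host not in seen_hosts:
            findings.append((dest, host, "new host for destination"))
    return findings
```

The point of the statistical pass is to shrink the full connection log to a short list an analyst can actually review; each finding is a lead to investigate, not a verdict.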
HUNTING: THE IMPORTANCE OF THE HUNTER
• While introducing additional “known bad”
information can provide value and identify
undiscovered threats, skilled hunters must be
employed to identify “unknown bad” threats.
• This is key to turning the tables on attackers: using
intelligent, creative analysts rather than relying only
on detection technology that attackers already know
about.
Effective hunting cannot be achieved through technology
alone.
SELECTING HIGH VALUE CYBERSECURITY AUDITS
OVERVIEW
High value audits are designed to provide the audit committee with relevant and pragmatic
insights into the technology risks and related recommendations in the audit area.
High Value IT audits typically fall into the following categories:
• Audits that have the potential for a high return on investment
• Audits that address very critical and high-risk activities/functions
THE ART OF WAR
LET’S GET TO KNOW OURSELVES
Easier Questions
What does our network look like (systems, network, users)?
Where is our sensitive data?
What are our weaknesses?
Harder Questions
What programs should be running on our systems?
What type of traffic is “normal” for us?
What user activity is normal?
What’s the Risk?
Not knowing what you have makes it hard to know what to protect.
Not knowing your weaknesses makes it hard to know where you will
be hit.
Not knowing what is normal makes it hard to know what is
abnormal.
A PENETRATION TEST IS NOT ENOUGH
Internal audit plans frequently include a penetration test, and only a penetration test, as a cyber security-related audit.
The increased risk environment necessitates that internal audit look beyond penetration tests and increase the number
of cyber security audits.
Limits of Penetration Testing
A penetration test does not always provide an
accurate or comprehensive assessment of
cyber security risk. The goal of a penetration
test is to simulate a single attack, not to
uncover all possible attack scenarios. It is also
usually very time-constrained, lasting weeks
instead of the months that actual attackers
have.
NIST Cybersecurity Framework
Function: Categories
Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
Protect: Access Control; Awareness & Training; Data Security; Information Protection Processes & Procedures; Maintenance; Protective Technology
Detect: Anomalies & Events; Security Continuous Monitoring; Detection Processes
Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
Recover: Recovery Planning; Improvements; Communications
Internal audit departments need to rebalance
their plans to cover more cyber security areas.
SELECTING THE RIGHT CYBER SECURITY AUDITS
An internal audit plan focused on cyber risk should be based on the organization’s risk profile and the
external threat landscape. Security audits are generally categorized into four areas (as described below), and
then specific projects can be selected based on the corresponding maturity level.
Breach Detection and Response: Assessing an organization’s ability to identify and properly
respond to a security incident
Technical Attack Assessments: Traditional and emerging attack vectors an attacker may use to
access your network and information
Program/Governance: Understanding and assessing the overall security posture of the
environment
Applications and Infrastructure: Focused assessments to identify and evaluate risks associated
with applications, supporting infrastructure and emerging technology, such as Cloud and IoT
SELECTING THE RIGHT AUDITS
Indicators and Questions to Ask
Less Mature:
• Lack of a formal budget
• No (or minimal) dedicated resources
• Lack of policies/procedures
• Limited security risk management capabilities
• Do we have regulations to comply with?
• Are we already breached?
More Mature:
• Dedicated resources
• Formal policies/procedures
• Meaningful security reporting
• “Active” security risk management
• Do we have the resources to identify and detect a compromise?
• Can we respond efficiently and quickly to a breach?
Audit projects by category, ranging from less mature to more mature programs:
Breach Detection/Response
• Blue Team Coordination and Incident Response Review to comprehensively assess incident response program
• Pre-Breach Assessment to perform threat hunting using tools to identify indicators of an existing compromise
• Cyber Kill Chain to assess technical capabilities using a standard approach
• Cyber Defense Review to assess monitoring and response capabilities
Technical Attack Assessments
• Red Team exercises to perform unannounced testing of controls using “out of the box” techniques
• Social Engineering or Mobile Security Reviews to assess attacks specific to these channels
• External/Internal Penetration testing to assess threats on the network
• Vulnerability Program assessment to understand how threats and vulns are being identified and addressed
• Customized Pen Testing Scenarios to specifically target controls such as segmentation, data exfil. protection, priv. accounts
Applications and Infrastructure
• Secure SDLC review to assess security controls that support the development process including static/dynamic code
• Identity and Access Management review to assess identity risks, including privileged access
• Technical Configuration reviews to understand if systems and emerging technologies are configured securely
Program/Governance
• Cyber Security Framework Assessment to understand & benchmark current/future capabilities against a standard framework
• Data Security review to assess controls to identify, inventory and protect sensitive data
• Third-Party Risk Assessment to understand how the organization is identifying and addressing risk in this channel
• Regulatory and Data Privacy reviews to understand risks and issues around the protection and handling of personally identifiable information
• Cyber Risk Assessment to help understand and prioritize risks
QUESTIONS?