Monthly Cyber Threat Briefing - HITRUST · 2015-10-12 · Dennis Palmer: Senior Security Analyst,...


1 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Monthly Cyber Threat Briefing July 2015

2 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Presenters •  Dennis Palmer: Senior Security Analyst, HITRUST •  Tawfiq Shah: Senior Threat Intelligence Analyst, FireHost

•  Thomas Skybakmoen: Research Vice President, NSS Labs, Inc. •  Aaron Shelmire: Senior Security Researcher, Threatstream

•  Toni Benson: Team Lead, US-CERT

3 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Future Briefings - Announcement •  August MTB cancelled (due to Black hat), monthly report will be released

•  Next MTB scheduled for third Thursday of September •  FireHost will lead future briefings beginning in September •  Content changes

–  Focus on trends in healthcare industry –  Actionable data –  Demonstration of how threat actors operate

4 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Agenda •  FireHost: Procedures used by threat actors

•  NSS Labs: Emerging and unknown exploits and product effectiveness

•  ThreatStream: Emerging Threats

•  US-CERT: Situational update on new products

•  HITRUST: CSF Controls related to ongoing threats

•  Q&A Session

5 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Procedures Used by Threat Actors

6 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Activity on a Sample Medical Company

Cannot be static on your defense attackers are getting more innovative. Without continuous vigilance all companies can be breached eventually.

7 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

New Vulnerability Detected: One hour later, activity is noted (IOS Vul)

Companies need to proactively search out Indicators of Compromise (IOCs)

8 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Partnership Relationship Sample Medical Company: Every Avenue is Open to Attack

Your strength is measured by your weakest link. Phishing remains the weakest link in the chain.

Trust relationships between vendors, partners, or contractors can be leveraged to infiltrate a target network.

9 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Domain Squatting (Cybersquatting)

FireHost TRU Recommendation: Establish alerts with your threat intelligences provider/subscription to keep an eye on suspicious domains
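As an added example of the kind of alert the recommendation calls for (this is not code from the briefing or from FireHost): a generator of lookalike domains for a brand name, matched against a daily feed of newly registered domains. The brand domain, the homoglyph and affix tables, the watched TLDs, and the feed entries are all constructed assumptions.

```python
"""Generate likely lookalike (typosquat) domains for a brand and match them
against a feed of newly registered domains. Constructed example: every domain
below is illustrative and the HOMOGLYPHS/AFFIXES/WATCHED_TLDS tables are
assumptions, not an exhaustive list."""

# Constructed brand domain (the briefing's "Sample Medical Company").
BRAND = "samplemedical.com"

# Assumed character substitutions often seen in lookalike registrations.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5", "m": "rn"}
# Assumed alternative TLDs worth watching.
WATCHED_TLDS = ("com", "net", "org", "co", "info")
# Assumed phishing-flavoured affixes.
AFFIXES = ("secure", "login", "portal", "mail", "update")


def label_variants(label):
    """Single-edit variants of the registrable label (without the TLD)."""
    out = set()
    for i in range(len(label)):                       # character omission
        out.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                   # adjacent transposition
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i, ch in enumerate(label):                    # homoglyph substitution
        if ch in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    for i in range(1, len(label)):                    # hyphen insertion
        out.add(label[:i] + "-" + label[i:])
    for kw in AFFIXES:                                # keyword prefix / suffix
        out.add(kw + "-" + label)
        out.add(label + "-" + kw)
    out.discard(label)
    return out


def squat_candidates(domain):
    """Every watched lookalike: each label variant (and the label itself) under
    the original TLD and every watched TLD. Excludes the brand domain itself,
    so a transposition combined with a TLD swap is still caught."""
    label, tld = domain.lower().rsplit(".", 1)
    tlds = set(WATCHED_TLDS) | {tld}
    cands = {v + "." + t for v in label_variants(label) | {label} for t in tlds}
    cands.discard(domain.lower())
    return cands


def match_registrations(domain, feed):
    """Feed entries that are lookalikes of `domain`, sorted for stable alerting."""
    cands = squat_candidates(domain)
    return sorted(d.lower().rstrip(".") for d in feed if d.lower().rstrip(".") in cands)


# Constructed sample of one day's "newly registered domains" feed.
NEW_REGISTRATIONS = [
    "samplemedica1.com",         # homoglyph: l -> 1
    "sample-medical.com",        # hyphen insertion
    "samplemedical.co",          # TLD swap
    "weather-today.org",         # unrelated registration
    "secure-samplemedical.com",  # phishing-flavoured prefix
    "samplemedcial.net",         # transposition combined with a TLD swap
]

if __name__ == "__main__":
    for hit in match_registrations(BRAND, NEW_REGISTRATIONS):
        print("ALERT lookalike registered:", hit)
```

The candidate set is small enough to be regenerated on every feed run; for a real deployment, replace NEW_REGISTRATIONS with your provider's feed and add the domains of partners you exchange data with, since the partnership slide above is exactly where a lookalike of a vendor's name gets used.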

10 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Continued Vigilance in the Fight Against Phishing

FireHost TRU Recommendation: Continuously reinforce employee education and run internal Phishing campaigns to test the effectiveness of your employees training.

11 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Targeted Vulnerabilities Related to the Healthcare Sector

Example of APT proactively searched: Chines APT: RasWMI, aka HCDloadermalwarrre, used in recent major health care system breach

12 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Sample: Potentially Vulnerable Server

OS are over million lines of code making is impossible to verify. Keeping up with Patching is an imperative task.

Attack Vectors •   App •   OS

13 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Emerging and Unknown Exploits and Product Effectiveness

NSSLABS

14 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

•   NSS observed more than a 200 percent increase in unique callbacks for the month of June, which contrasts with May where the number of unique callbacks declined.

•   As in previous months, exploits and attack campaigns focused on Java, Silverlight, and Internet Explorer. Unlike previous months, attacks on Flash were less prevalent.

•   The TS WebProxy vulnerability (CVE-2015-0016) uses an escalation of privileges to escape the Internet Explorer sandbox and increasingly is being utilized with CVE-2014-6332. This allows remote attackers to execute arbitrary code via a crafted web site in several versions of the Windows operating system.

* Data from June 2015—NSS Labs

Threat Capabilities Report

15 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Application/OS Combination Windows 7 SP1 Windows Vista SP1 Windows XP SP3

Internet Explorer 6 •

Internet Explorer 7 • •

Internet Explorer 8 •

Internet Explorer 9 •

Java 6 Update 22 • • •

Java 6 Update 23 •

Java 6 Update 27 •

Java 7 •

Java 7 Update 2 •

Silverlight 4.0.51204 •

Top Targeted Applications and Operating Systems

* Data from June 2015—NSS Labs

16 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Top Origin of Threats

* Data from June 2015—NSS Labs

17 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Country Rank

China 1

United States 2

Hong Kong 3

South Korea 4

Netherlands 5

Taiwan 6

Germany 7

France 8

Australia 9

India 9

United Kingdom 9

Top Command and Control Hosting by Geo

* Data from June 2015—NSS Labs

18 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

10 commonly used command and control (C&C) server locations in combination with 10 commonly used callback ports

Country/Port 25 80 81 99 3201 173 20008 40008 10086 1691

China • • • • • • •

France •

Germany • •

Hong Kong •

India •

Netherlands • •

South Korea • •

Taiwan •

United Kingdom •

United States • • •

C&C Server Locations & Callback Ports

* Data from June 2015—NSS Labs

19 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

CAWS: All Threats

* Data from June 2015—NSS Labs

20 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

CAWS: All Threats (January - June)

* Data from June 2015—NSS Labs

21 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

CAWS: Origin of Threats (January - June)

* Data from June 2015—NSS Labs

22 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

CAWS: Applications (January - June)

* Data from June 2015—NSS Labs

23 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

CAWS: Vendors (January - June)

* Data from June 2015—NSS Labs

24 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Emerging Trends

25 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Wekby Threat Actors Tools •   HTTPBrowser •   Xyligan a/k/a TornRAT •   HcdLoader – On Servers •   PlugX – on Win7+ •   PoisonIvy – on WinXP •   9002/NAID

Summary •   RSA Compromise •   Wekby.com •   Mincesur.com •   TG-0416 •   Dynamite Panda •   APT-18

TTPs •   Phishes

–   Wave 1 – Credential Theft –   Later Waves – VPN or

Citrix updates

•   Living off the land •   Long Term persistence •   USB key compromise(s)

–   PoisonIvy Smallfish password.

26 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Wekby 30 June Campaign •  Modified HTTPBrowser

–  DNS C2 to it-desktop.com and get2go.com –  ROP Chain Obfuscation

•  Evasive Maneuvers by the Wekby group with Custom ROP packing and DNS Covert Channels

–  https://hitrustctx.threatstream.com/tip/1135

27 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

ROP Chain Obfuscation

•  Modify Stack for Execution flow •  Pushes values for the subsequent functions onto the stack, when the subroutine exits, EIP is popped from the stack and becomes the next function.

•   In this case the subroutine at 0x40F62E
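To make the mechanism concrete, an added example (not code from the sample or from ThreatStream): a small Python model of a ret-based chain. Gadget addresses, the encoded buffer and the XOR key are assumptions chosen for illustration; the decoded string is simply the C2 domain named on the previous slide. The point the model shows is that arguments and "callees" are all just words on the stack, consumed by successive RETs.

```python
"""Model of ret-based chaining as used for obfuscation: gadget addresses are
laid out on the stack and each RET pops the next one into EIP. Constructed
example; the addresses, gadgets, key and encoded buffer are assumptions and
are not bytes from the real HTTPBrowser sample."""

# Assumed gadget addresses (not taken from the sample).
POP_EAX    = 0x00401000   # pop eax ; ret
POP_EBX    = 0x00401010   # pop ebx ; ret
XOR_DECODE = 0x00401020   # decode_string(buf=eax, key=ebx) ; ret
EXIT       = 0xDEADC0DE   # sentinel marking the end of the chain

# Assumed data address holding an XOR-encoded C2 domain.
BUF_ADDR = 0x00500000
KEY = 0x5A
MEMORY = {BUF_ADDR: bytes(b ^ KEY for b in b"it-desktop.com")}  # encoded at build time


class Machine:
    """Minimal register/stack model. stack[0] is the top of stack (ESP)."""

    def __init__(self, stack):
        self.stack = list(stack)
        self.regs = {"eax": 0, "ebx": 0}
        self.trace = []      # gadget addresses in the order they executed
        self.output = None   # what the final "function" produced

    def pop(self):
        return self.stack.pop(0)

    def ret(self):
        # RET: the next stack word becomes EIP. No CALL instruction is involved,
        # which is why static call-graph analysis misses the real control flow.
        return self.pop()


def gadget_pop_eax(m):
    m.regs["eax"] = m.pop()          # argument 1 was pushed right after the gadget address

def gadget_pop_ebx(m):
    m.regs["ebx"] = m.pop()          # argument 2 likewise

def gadget_xor_decode(m):
    buf, key = MEMORY[m.regs["eax"]], m.regs["ebx"] & 0xFF
    m.output = bytes(b ^ key for b in buf)

GADGETS = {POP_EAX: gadget_pop_eax, POP_EBX: gadget_pop_ebx, XOR_DECODE: gadget_xor_decode}


def run_chain(stack, max_steps=64):
    """Execute a chain starting from the overwritten return address at stack[0]."""
    m = Machine(stack)
    eip = m.ret()                      # the first RET lands on the first gadget
    while eip != EXIT:
        if eip not in GADGETS or max_steps == 0:
            raise RuntimeError("chain left the known gadget set or ran too long")
        max_steps -= 1
        m.trace.append(eip)
        GADGETS[eip](m)                # gadget body ...
        eip = m.ret()                  # ... then its RET pops the next address
    return m


# The chain an obfuscated sample would build: arguments sit as stack words
# between gadget addresses instead of being passed via CALL decode_string(buf, key).
CHAIN = [POP_EAX, BUF_ADDR, POP_EBX, KEY, XOR_DECODE, EXIT]


def decode_via_chain():
    return run_chain(CHAIN)

if __name__ == "__main__":
    m = decode_via_chain()
    print("gadgets executed:", [hex(a) for a in m.trace])
    print("decoded C2 domain:", m.output.decode())
```

When analysing a real sample, the equivalent of `trace` is what you recover by single-stepping in a debugger and recording EIP after every RET; the static listing only shows pushes and a RET, which is the obfuscation the slide describes.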

28 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Investigation and Protection

•  DNS C2 complicates simple searches for indicators. •  dnscmd /enumrecords it-desktop.com /type TXT •  Global Query Block List Active Directory https://technet.microsoft.com/en-us/library/cc794902(WS.10).aspx

•  Bind block via zone –  “it-desktop.com" { type master; file “blockfile"; };
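An added example (not from the briefing or ThreatStream) of the hunt the first bullet calls for, run over a constructed BIND-style query log excerpt: it flags queries to the two known C2 domains, and separately applies a heuristic for domains that receive a burst of TXT queries whose subdomain labels are all distinct and high-entropy, which is how data leaves through a DNS covert channel. The log lines, the domains example-partner.org and beacon-host.net, and the thresholds are assumptions.

```python
"""Hunt for DNS covert-channel C2 in resolver query logs. Constructed example:
the log lines, the domains example-partner.org and beacon-host.net, and the
thresholds are assumptions. The known C2 domains are the two named on the
slide. The format follows BIND querylog; adapt LINE_RE for Windows DNS debug logs."""
import math
import re
from collections import defaultdict

KNOWN_C2 = {"it-desktop.com", "get2go.com"}

# Constructed BIND-style query log excerpt.
LOG_LINES = """\
17-Jul-2015 10:01:03.114 client 10.20.5.17#49811: query: www.hitrustalliance.net IN A + (10.20.0.2)
17-Jul-2015 10:01:07.220 client 10.20.5.17#49812: query: 3a7f9c1e4b.it-desktop.com IN TXT + (10.20.0.2)
17-Jul-2015 10:01:09.004 client 10.20.5.17#49813: query: 9e2d0bf671.it-desktop.com IN TXT + (10.20.0.2)
17-Jul-2015 10:01:11.871 client 10.20.5.17#49814: query: c04a8d5e21.it-desktop.com IN TXT + (10.20.0.2)
17-Jul-2015 10:02:31.500 client 10.20.7.40#52001: query: mail.example-partner.org IN MX + (10.20.0.2)
17-Jul-2015 10:03:12.913 client 10.20.5.17#49815: query: _dmarc.example-partner.org IN TXT + (10.20.0.2)
17-Jul-2015 10:04:44.002 client 10.20.9.8#41222: query: 5f6e7d8c9b0a.beacon-host.net IN TXT + (10.20.0.2)
17-Jul-2015 10:04:45.118 client 10.20.9.8#41223: query: a1b2c3d4e5f6.beacon-host.net IN TXT + (10.20.0.2)
17-Jul-2015 10:04:46.301 client 10.20.9.8#41224: query: 0f1e2d3c4b5a.beacon-host.net IN TXT + (10.20.0.2)
17-Jul-2015 10:04:47.555 client 10.20.9.8#41225: query: 6a5b4c3d2e1f.beacon-host.net IN TXT + (10.20.0.2)
"""

LINE_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse(text):
    """Yield (client, qname, qtype) for each parseable line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["client"], m["qname"].rstrip(".").lower(), m["qtype"].upper()


def base_domain(qname):
    # Assumption: registrable domain = last two labels (no public-suffix list here).
    return ".".join(qname.split(".")[-2:])


def entropy(s):
    """Shannon entropy in bits per character; encoded payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def analyze(text, min_txt=3, min_entropy=3.0):
    """Return findings: exact matches on known C2 domains, plus a heuristic hit
    for any other domain receiving >= min_txt TXT queries whose subdomain
    labels are all different and average >= min_entropy bits per character."""
    findings = []
    stats = defaultdict(lambda: {"txt": 0, "subs": set(), "clients": set()})
    for client, qname, qtype in parse(text):
        base = base_domain(qname)
        if base in KNOWN_C2:
            findings.append(("known_c2", client, qname, qtype))
            continue
        if qtype == "TXT":
            sub = qname[: -len(base) - 1] if qname != base else ""
            st = stats[base]
            st["txt"] += 1
            st["subs"].add(sub)
            st["clients"].add(client)
    for base, st in stats.items():
        if st["txt"] < min_txt:
            continue
        avg_ent = sum(entropy(s) for s in st["subs"]) / len(st["subs"])
        if len(st["subs"]) == st["txt"] and avg_ent >= min_entropy:
            findings.append(("txt_tunnel_heuristic", base, st["txt"], round(avg_ent, 2)))
    return findings

if __name__ == "__main__":
    for f in analyze(LOG_LINES):
        print(f)
```

The single `_dmarc.example-partner.org` TXT lookup is the kind of legitimate TXT traffic the heuristic must tolerate: it is below the count threshold and its label is low-entropy, so only the beacon-host.net burst is flagged. Tune `min_txt` against your own baseline before alerting on it.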

29 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Evasive Maneuvers by the Wekby group with Custom ROP-Packing and DNS Covert Channels

https://hitrustctx.threatstream.com/tip/1135

30 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Situational Update on New Products

31 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

CSF Controls Related to Ongoing Threats

32 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

CSF Controls Related to Threats •  CSF Control for Phishing

–  Control Reference: 01.f Password Use •  Control Text: Users shall be made aware of their responsibilities for

maintaining effective access controls and shall be required to follow good security practices in the selection and use of passwords and security of equipment

•   Implementation Requirement: Users are made aware of the organization’s password policies and requirements to keep passwords confidential, select quality passwords, use unique passwords, not provide their password to any one for any reason, and change passwords when there is suspected compromise.

33 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

CSF Controls Related to Threats •   CSF Control for Suspicious Domain Registrations (Cybersquatting)

–  Control Reference: 01.i Policy on the Use of Network Services

•  Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.

•   Implementation requirement: The organization shall specify the networks and network services to which users are authorized access.

34 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

CSF Controls Related to Threats •   CSF Control for Vendor Security

–  Control Reference: 01.j User Authentication for External Connections

•  Control Text: Appropriate authentication methods shall be used to control access by remote users.

•   Implementation requirement: Remote users shall be authenticated by use of a password/passphrase and at least one of the following: Certificate, Challenge/Response, Software Token, Hardware Token, Cryptographic or Biometric Technique.

35 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

CSF Controls Related to Threats •   CSF Control for Vulnerability Patching

–   Control Reference: *10.m Control of technical vulnerabilities

•   Control Text:Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk

•   Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.

36 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

CSF Controls Related to Threats •   CSF Control for Dropper tools dropping basic Backdoors / RATs

–  Control Reference: 09.j Controls Against Malicious Code

•  Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.

•   Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.

37 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Q&A SESSION

38 © 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net

Visit www.HITRUSTAlliance.net for more information

To view our latest documents, visit the Content Spotlight
