DWP Cyber Resilience Centre


Page 1: DWP Cyber Resilience Centre

Technology | Cyber Resilience Centre

Cyber Resilience Centre

Page 2: DWP Cyber Resilience Centre


Agenda

• Why are DWP a target?
• Is it Cyber Crime or Cyber-Enabled?
• Who are the Threat Actors?
• Understanding the Threat Actors:
  – Hostile Foreign Intelligence Services
  – Organised Crime Groups
  – Hackers / Hacktivists / Script Kiddies
  – Insider
• Cyber Attack Vectors
• Cybercrime Community
• Defence
• Detection
• Questions

Page 3: DWP Cyber Resilience Centre


Why are DWP a Target?

• Financial – £170 billion in benefits per annum – £650 million each working day
• Data – We hold millions of customer records.
• Employees – 84,000 staff
• Locations – Over 900 sites, with 720 Job Centres
• IT – We have:
  – over 100,000 endpoints
  – 1000+ applications
  – 3,500+ servers

Page 4: DWP Cyber Resilience Centre


Why are DWP a Target?

Page 5: DWP Cyber Resilience Centre


Why are DWP a Target?

Means-tested benefits for people of working age who are on a low income:

• Income Support
• Income-based Jobseekers Allowance
• Income-related Employment and Support Allowance
• Housing Benefit
• Child Tax Credit
• Working Tax Credit

Page 6: DWP Cyber Resilience Centre


Cyber Crime vs Cyber-Enabled

Cybercrime – Crimes where computers are an integral part of the offence:
• Hacking
• Malware
• Denial of Service

Cyber-enabled Crime – Traditional crimes augmented in some way by using computers:
• Fraud
• ID theft
• Child Abuse

Page 7: DWP Cyber Resilience Centre


Who are the Threat Actors?

Threat Actors – Motivation
• Hostile Foreign Intelligence Services – Information
• Organised Criminal Gangs – Money
• Hacker / Hacktivist / Script Kiddie – Motivated by Kudos / Influence
• Insiders – All the above

Page 8: DWP Cyber Resilience Centre


Understanding the Threat Actor – HFIS – Advanced Persistent Threat (APT)

• State Sponsored
• Advanced Techniques:
  – Coordinated
  – Mission Orientated
• Persistent
• Greatest Threat:
  – Intent
  – Opportunity
  – Capability

Page 9: DWP Cyber Resilience Centre


Understanding the Threat Actor – Advanced Persistent Threat (APT) – Kill Chain

Tools are only as advanced as they need to be

Spear phishing is one of the primary delivery methods

Page 10: DWP Cyber Resilience Centre


Understanding the Threat Actor – Organised Crime Groups (OCGs)

• Financially motivated
• Generally target large blocks of people rather than individuals
• Malicious software (malware) used to target credentials, banking details and other finance-based information; ransomware, etc.
• Structured like a business with various functions and suppliers:
  – Coders
  – Infrastructure
  – Spam mailers
  – Help desks

Page 11: DWP Cyber Resilience Centre


Understanding the Threat Actor – Hacktivist

• Ideologically motivated – Cyber protest
• Highly capable individuals
• Hive mindset
• Anonymous, LulzSec
• Attack types:
  – DDoS
  – Data theft
  – Website defacement
• Reputational damage
• Open to influence from external sources

Page 12: DWP Cyber Resilience Centre


Understanding the Threat Actor – Script Kiddie

• Motivated by:
  – Impressing friends
  – Gaining credibility on forums
• Doesn't have the skills to create tools and scripts, so uses premade ones
• Can download and use a tool, but may not know how it works or the full implications of its use
• Very little or no infrastructure
• Today's Script Kiddie, tomorrow's L33T Hacker?

Page 13: DWP Cyber Resilience Centre


Understanding the Threat Actor – Insider

Motivators
• Personal advancement
• Profit
• Accidents
• Blackmail
• Coercion
• Espionage
• Resentment
• Disenfranchisement
• Activism

Threat Types
• Unwitting / Unintentional
• Deliberate Insider
• Volunteer / Self-initiated Insider
• Recruited / Exploited Insider
• Ex-employee

• CPNI: Many past cases have involved opportunistic exploitation (no intent)
• Many are volunteers
• Rarely single motivation
• Combination of factors
• Often not most obvious

Page 15: DWP Cyber Resilience Centre


Cyber Threat Vectors

(Word cloud slide: IP address, Bot, Spear phishing, Phishing, Spam, Trojan, Malware, Cross site scripting, SQL Injection, Bot Herder, Botnet, Cyber Crime, Watering hole, Virus, TOR, Dark Web, DNS, Hacker, DDoS, Hidden Internet, Anonymous, Hacktivist, Ransomware, AVC, Zero day)

Page 16: DWP Cyber Resilience Centre


Cyber Threat Vectors

• Too many to cover in a 30 minute presentation
• New vulnerabilities discovered all the time.
  – Zero Days (no patch available)
  – If public then assigned a CVE
  – Exploit-db.com
• Focus on 3 of the common attack vectors:
  – Phishing / Spear Phishing / Whaling
  – Injection attacks
  – DDoS

Page 17: DWP Cyber Resilience Centre


Cyber Threat Vectors – Phishing / Spear Phishing / Whaling

• Commonly delivered in email, but other messaging and social media platforms can be used.
• The goal is to get the victim to take the bait, whether it be:
  – Open an attached document
  – Click on a link
  – Respond with your personal details
• Difference between the 3:
  – Phishing: Cast the net far and wide
  – Spear Phishing: Targeting just a few fish
  – Whaling: Targeting the big fish (Board level)
• Verizon 2013: 95% of state-affiliated cyber espionage used spear-phishing to accomplish the initial compromise

Page 18: DWP Cyber Resilience Centre


Cyber Threat Vectors – Phishing / Spear Phishing / Whaling – Examples

Page 19: DWP Cyber Resilience Centre


Cyber Threat Vectors – Injection Attacks

• Injection attacks occur when an attacker adds additional text to data that gets passed to an application, which then treats the additional data as a further instruction.
• Most common type of web application security risk for the last 6 years
  – OWASP (Open Web Application Security Project)
• SQL Injection is the most common type of injection attack.
  – Structured Query Language
• Can lead to:
  – Unauthorised access
  – Direct access to the data stored on a database
  – Access to the Database Management System (DBMS)
  – Access to the underlying Operating System

Page 20: DWP Cyber Resilience Centre


Cyber Threat Vectors – Injection Attacks – How Does It Work?
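A worked illustration of the mechanism on the previous slide, added here as an example and not part of the original deck: the same customer lookup written once by pasting the input into the SQL text and once with a bound parameter, run against a constructed in-memory SQLite table (the table, its rows and the `lookup_*` / `demo` function names are assumptions).

```python
import sqlite3

# Constructed sample data standing in for a customer table; not real records.
SAMPLE_CUSTOMERS = [
    (1, "alice", "AA000001A"),
    (2, "bob", "BB000002B"),
    (3, "carol", "CC000003C"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER, username TEXT, ni_number TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Untrusted input is pasted into the SQL text, so whatever the caller
    types becomes part of the statement the database executes."""
    sql = "SELECT id, username, ni_number FROM customer WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The statement shape is fixed; the input is bound as a value and is
    never parsed as SQL syntax, however it is constructed."""
    sql = "SELECT id, username, ni_number FROM customer WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Row counts for a normal lookup and for input containing extra SQL text."""
    conn = make_db()
    injected = "nobody' OR '1'='1"  # the 'additional text' the slide describes
    return {
        "vuln_normal": len(lookup_vulnerable(conn, "alice")),
        "vuln_injected": len(lookup_vulnerable(conn, injected)),  # every row returned
        "safe_normal": len(lookup_safe(conn, "alice")),
        "safe_injected": len(lookup_safe(conn, injected)),        # nothing matches
    }


if __name__ == "__main__":
    print(demo())
```

The hardened form is the fix the OWASP guidance the slide cites recommends: parameterised queries rather than string building.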


Page 22: DWP Cyber Resilience Centre


Cyber Threat Vectors – Injection Attacks – SQL Injection Made Easy?

• As with most attacks, there are tools that will do the work for you
• If you need help to run the tool, look it up on YouTube

Page 23: DWP Cyber Resilience Centre


Cyber Threat Vectors – Denial of Service (DoS) Attack

• Basic principle: throw more data at the web server than it can handle and it will stop responding.
• Lots of different flavours
  – SYN floods
  – HTTP floods
• Collateral damage

Page 24: DWP Cyber Resilience Centre


Cyber Threat Vectors – Distributed Denial of Service (DDoS) Attack

• Reflective and amplification attacks.
• Abusing features of legitimate protocols and applications.
  – DNS
  – NTP
• Many protocols can return more data than the original request.
  – 60 bytes to 4000+ bytes for DNS
• Spamhaus attack
  – 350 Gbps
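To put the 60-to-4000+ byte figure to work from the operator's side, here is an added example (not from the deck) that computes the amplification factor of DNS replies and flags claimed source addresses whose aggregate reply volume far exceeds what they sent, which on a resolver is what a spoofed victim being reflected at looks like. The flow records, thresholds and function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records as an authoritative DNS server or open resolver might
# log them: (claimed source IP, request bytes, response bytes). Not real traffic.
SAMPLE_FLOWS = [
    ("203.0.113.7", 60, 4096),
    ("203.0.113.7", 60, 4096),
    ("203.0.113.7", 60, 4012),
    ("203.0.113.7", 61, 4096),
    ("198.51.100.2", 62, 120),
    ("198.51.100.2", 60, 98),
    ("192.0.2.9", 60, 4096),
]


def amplification_factor(request_bytes, response_bytes):
    """Bytes returned per byte sent: 60 -> 4096 is roughly a 68x amplification."""
    return response_bytes / request_bytes


def summarise_by_source(flows):
    """Total queries, request bytes and response bytes per claimed source.

    In a reflection attack the source address is spoofed to the victim, so the
    response total is the volume the victim actually receives from this server.
    """
    totals = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0})
    for src, req, resp in flows:
        t = totals[src]
        t["queries"] += 1
        t["req"] += req
        t["resp"] += resp
    return dict(totals)


def flag_reflection(flows, min_factor=20.0, min_queries=3):
    """Sources that sent at least min_queries queries and received at least
    min_factor times as many bytes as they sent (thresholds are assumptions)."""
    flagged = {}
    for src, t in summarise_by_source(flows).items():
        factor = amplification_factor(t["req"], t["resp"])
        if t["queries"] >= min_queries and factor >= min_factor:
            flagged[src] = round(factor, 1)
    return flagged


if __name__ == "__main__":
    for src, factor in flag_reflection(SAMPLE_FLOWS).items():
        print(f"{src}: replies are {factor}x the bytes requested; rate-limit or drop")
```

Response rate limiting per claimed source, driven by a check like this, is how an operator stops its server being used as the multiplier.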

Page 25: DWP Cyber Resilience Centre


Cybercrime Community

• Numerous forums to support cybercrime
• Facilitating the buying and selling of:
  – Credit card details
  – Personal information
  – Malware
  – Exploits
  – Phishing kits
  – Login details
• Use of the TOR network
• Often by invitation only.

Page 26: DWP Cyber Resilience Centre


Defence – Defence in Depth

• You can deploy:
  – Firewalls
  – WAFs
  – IDS / IPS
  – Antivirus
  – AD Group Policy
  – etc.

HOWEVER
• Don't forget the weakest link in the chain
  – It's really hard to defend against the 'bad day at the office'
• Educate, educate, and educate again
  – Spear phishing targets are picked for a reason

Page 27: DWP Cyber Resilience Centre


Detection – Detecting the Attacks

• Numerous log types:
  – Proxy logs
  – Firewall
  – DNS
  – Many more

HOWEVER
• Need to be effectively monitored
  – SIEM
• How long?

WHY?
• Average number of days from breach to detection: 205
• Victims notified by an external entity: 69%

Page 28: DWP Cyber Resilience Centre


Detection / Recovery – Reputational

HMRC data loss, 2007 (chart: Reputational Damage against Time, 2007–2015)

• 18th Oct: Staff member sends unencrypted CDs in post. Not received.
• 8th Nov: HMRC Senior Management informed
• 14th Nov: Met informed after HMRC fail to find CDs
• 15th Nov: ICO & SOCA informed
• 18th Nov: Scotland Yard takes full control
• 19th Nov: Banks informed
• 20th Nov: Chairman resigns
• 21st Nov: PM issues public apology
• 9th Nov 2015: Director GCHQ cites HMRC loss as key example of on-going negative perception as a result of data breaches

The reputational impact of a data breach can be highly damaging and take a long time to fix

Page 29: DWP Cyber Resilience Centre


Detection / Recovery – Understanding What Happened

OPM Data Breach: Timeline of events (December 2014 – July 2015)

• Large scale data breach happens
• Apr: OPM detects breach
• 4th Jun: OPM estimate – 4m. Initial estimates from OPM indicated that 4m people were affected
• 12th Jun: OPM detects second breach
• 16th Jun: OPM Director appears before the House, stating 4.2m may be affected. Calls for Director and CISO to step down
• 23rd Jun: FBI estimate – 18m
• 9th Jul: Final OPM impacted figure – 19.7m. OPM investigation concludes that 19.7m affected

The data breach remained undetected for at least 4 months

The initial estimate of the impact of the breach was vastly underestimated. It took a month to reach the actual figure

Identifying, sizing and quantifying the impact of a data breach can take a significant amount of time

Page 30: DWP Cyber Resilience Centre


Questions