Perspectives on Cyber Security Strategies & Tactics
Joshua Schmookler, Passaic County NJ MIS Department
Security Administrator
Micah Hassinger, Bergen County NJ Communications
Director of Information Technology
Detect – Respond – Recover - Protect
• Who are the actors?
• What motivates them?
• The anatomy of an attack (What methodology do they use?)
• What is at stake?
Who are the actors?
• Nation-states
  • China, US, Iran, Russia, etc.
• Cybercriminals
  • Vladimir Tsastsin, EST Domains Inc.
  • Lewys Martin
• Hacktivists
  • Anonymous
• Terrorists
What motivates them? – Nation-States
• Generally motivated by national interests
• Generally interested in stealing information from others to benefit their nation
• Sometimes interested in spying
  • Flame
• Sometimes will become more aggressive, destroying information or other assets in a way that benefits national interests
  • Stuxnet
What motivates them? – Cybercriminals
• Mostly motivated by profit
  • Cryptolocker
  • Click Fraud
  • Infostealing
• Some people just want to watch the world burn
  • Wiper Viruses
What motivates them? – Hacktivists
• Want to make a point
  • Deface websites
  • Denial of Service
  • Steal embarrassing information
What motivates them? – Terrorists
• Similar to hacktivists in many ways
• Generally want to cause damage
• May be more sinister, wish to cause loss of life
• May be nation-state funded and motivated
Types of Attacks
• Malware
  • Rootkits, Infostealers, Worms, Botnets, Trojans
• Man-in-the-Middle
  • Man-in-the-Browser
• Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
• Password Dictionary & Brute Force
• Phishing & Social Engineering
What is at stake?
• Deletion of data
  • Wiper/Cryptolocker
• Destruction of assets
  • Batchwiper
  • Stuxnet
• System failures – Denial of Service
• Spying
  • Flame
What is at stake? – Wiper
• Wiper was so effective, we know very little
• Wiper was so effective, it wiped itself out
• There is (still) some debate as to whether or not Wiper even existed
• Was targeted at Iranian PCs, specifically affecting the energy sector
• Destroys nearly all data, leaving no traces
• Reports indicate Wiper destroyed over 30,000 Iranian PCs
What is at stake? – Stuxnet
• Specifically targets Siemens Step7 software
• Utilized an unprecedented four zero-day attacks simultaneously
• If Siemens Step7 is not detected, Stuxnet does nothing
• When centrifuges are controlled by an infected machine, Stuxnet destroys the centrifuge
• It is estimated that Stuxnet destroyed nearly one fifth of Iranian centrifuges
• Flame and Duqu spawned from the same code base
What is at stake? – Flame/Duqu
• Targeted malware directed at the Middle East
• Designed to unobtrusively spy
• Capable of recording audio, screenshots, keyboard activity, network traffic, and webcam information
• Capable of turning a PC into a Bluetooth beacon to record cell phone data
• Also capable of accessing documents on the PC
• Supports a “kill” command to wipe all traces from the affected PC
• Affected well over 1,000 machines
  • 65% located in the Middle East
  • Huge majority in Iran
What is at stake? – Cryptolocker
• Indiscriminate targeting
• Malware infects PC silently
• Encrypts files using an RSA-2048 key (Unbreakable)
• Holds files ransom for 10 days waiting for user to pay
• If user does not pay, the key is deleted, and files are lost forever
Threat Assessment / Hazard Identification
• What information needs protecting?
  • Personally Identifiable Information (PII)
  • Critical Infrastructure / Key Resources (CI/KR)
  • LEO Networks
  • 28 CFR Requirements
  • Sensitive Information
  • Networks / Systems
What is to be gained?
Don’t let your network wear a red shirt!
Security Lifecycle
Anatomy of an attack
Have I been breached?
• User experience impacted
  • Encrypted/Missing files
  • User accounts locked
  • Slow upload speed
  • MX record blacklisted
• Deep packet analysis (RSA Security Analytics)
• IPS/Anti-Virus Log
• Security Log Analysis
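The "Security Log Analysis" and "User accounts locked" indicators above can be made concrete. The Python below is an added example, not part of the presentation: it parses constructed authentication log lines (a made-up syslog-like format, not any product's) and flags sources with five or more failed logins inside a 60-second window, the footprint of the Password Dictionary & Brute Force attacks listed under Types of Attacks, together with any account lockouts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample of authentication events in a made-up syslog-like
# format (not from the presentation or any real system).
SAMPLE_LOG = """\
2014-03-03T09:00:01 fs01 LOGIN_FAILED user=jdoe src=203.0.113.7
2014-03-03T09:00:02 fs01 LOGIN_FAILED user=jdoe src=203.0.113.7
2014-03-03T09:00:03 fs01 LOGIN_FAILED user=admin src=203.0.113.7
2014-03-03T09:00:04 fs01 LOGIN_FAILED user=backup src=203.0.113.7
2014-03-03T09:00:05 fs01 LOGIN_FAILED user=root src=203.0.113.7
2014-03-03T09:00:06 fs01 ACCOUNT_LOCKED user=jdoe src=203.0.113.7
2014-03-03T09:15:00 fs01 LOGIN_FAILED user=mhass src=192.0.2.10
2014-03-03T09:15:30 fs01 LOGIN_OK user=mhass src=192.0.2.10
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log_text):
    """Parse log lines into dicts; lines not matching the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return events

def detect_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Return {src: usernames tried} for sources with >= threshold failures in one
    sliding window. Counting per source, not per account, also catches dictionary
    attacks that spray many usernames with a few guesses each."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAILED":
            failures[e["src"]].append(e)
    alerts = {}
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1  # drop failures older than the window
            if end - start + 1 >= threshold:
                alerts[src] = {f["user"] for f in fails[start:end + 1]}
    return alerts

def locked_accounts(events):
    """Lockouts are one of the user-visible breach indicators on the slide."""
    return sorted({e["user"] for e in events if e["event"] == "ACCOUNT_LOCKED"})
```

The single failure from 192.0.2.10 followed by a success stays below the threshold, so only the spraying source is reported.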
How should we react?
• Threat remediation plan
• Security Information and Event Management (SIEM)
• Malware Protection Systems
• CERT (Computer Emergency Response Team)
What can we use to shield ourselves?
• Policies – written by entity
• Patching and maintaining up to date operating systems and essential programs
• Intrusion Detection & Prevention Systems
• Traditional Firewalls
• Web/Email Filters
• Anti-Virus
• Security Information and Event Management (SIEM)
• Malware Protection Systems
• Unbiased Penetration Testing
What do I do now?
• Find Patient Zero
• Execute Threat Remediation Plan
• Isolate affected machines
• Restore damaged/lost files
• Evaluate policies to better protect
• Identify attack vector
Cyber Policy as a Defense Strategy
• Policy
  • Password Complexity and Expiration
  • Check for CVEs
  • Use Policies
  • External Device Policies (BYOD)
• Response Policy
  • Hacking Event Response
• Employee training and education
• Patch Management
Layering Protection with Partnerships
• Regional Assets
• Maximize efficiency through shared costs and protection
• Leverage open-source communities
• Trade technical expertise for cost savings
• Reduce overhead
Information Sharing
• Communications
• Internal / External Communications – Who do you share with?
• Automated Communications during an event
• Herd Immunity through communication
• Passive Alert Systems
• Big Data Analysis
• Herd Alertness
UASI Project – Key Goals
• Secure networks from attack
• Protect against known, recently discovered, and unknown malware
• Integrate threat intelligence from MS-ISAC and other sources
• Increase incident reporting to NJ SARS
• Share actionable intelligence regarding detected threats with the region (and beyond)
• Coordinate Incident Reporting
UASI Project – Phase 1 – Evaluation
• Identify key players in cyber security market
• Evaluate solutions from market leaders on-site, with real traffic
• Generate report detailing findings and recommending solution
UASI Project – Phase 1 – Evaluation: Evaluated Solutions
• SafeMedia
• McAfee Network Security Platform (NSP)
• RSA Security Analytics (Formerly NetWitness)
• Sourcefire (now Cisco) 3D Series NGFW/NGIPS
UASI Project – Phase 1 – Evaluation: SafeMedia
• SafeMedia was found to be effective but small
• Ability to execute on the part of the company was lacking
• Very cost effective
• Very user friendly
UASI Project – Phase 1 – Evaluation: McAfee NSP
• Not as user-friendly as Sourcefire and SafeMedia
• Very effective IPS
• Very effective malware platform
• Information sharing non-existent
• No Security Intelligence integration
UASI Project – Phase 1 – Evaluation: RSA Security Analytics
• The least user friendly of the group
• Extremely effective analytics platform
• Very effective malware detection
• Good integration with Security Intelligence and Information Sharing
• Extremely expensive
• Detection only; does not block threats
UASI Project – Phase 1 – Evaluation: Sourcefire
• Extremely user friendly
• Extremely effective IPS and Malware detection
• Excellent Security Intelligence and Information Sharing Capabilities
• Second least expensive platform
• Included firewall capabilities are an excellent value-add
• Additional value-add from optional URL filtering and optional endpoint Malware protection
UASI Project – Phase 1 – Evaluation: Recommendation
• Based on the intensive (7-month) on-site evaluation, Sourcefire (now Cisco) was chosen as the platform that best meets the needs of the region, including integration with MS-ISAC, which was defined as non-negotiable
UASI Project – Phase 2 – Implementation
• Currently ongoing; implementation of the chosen solution will be completed within the next 21 days
• Coordination and planning are key to a successful implementation.
• When completed, the UASI area will be extremely well equipped to deal with cyber attacks, and share that actionable intelligence with the region and beyond
Any Questions?
Joshua Schmookler
Security Architect/Network Administrator – Passaic County NJ MIS Department
973-881-4273
Micah Hassinger
Director of Information Technology – Bergen County NJ Communications
201-785-8512
Thank you for your time!