Innovating in Spite of Oneself - cj.msu.edu/assets/ICC-2018-PPT-Mielak.pdf

Page 1

Innovating in Spite of Oneself

Using progressive thinking and technology to transform conventional cyber security paradigms in the financial sector

Page 2

Red Blue Teaming for fun and Profit!

Spending large amounts of time and money in an endless arms race against an invisible adversary to protect data that has already been leaked by at least 7 other companies

This slide is not endorsed by MSUFCU or its affiliates

My original working title and tagline …

Page 3

Introduction

• MSUFCU
  o Chief Information Security Officer
  o [email protected]

• Alaska USA FCU
  o Enterprise Security Officer
  o Manager Electronic and Card Applications

• Sprint
  o Network Security Engineer
  o Web Engineer Sprint.com and Sprintpcs.com

Wile E. Coyote, Cost Center

Page 4

My point of view …

Financial Sector, 4 Billion in assets

Who provides regulatory governance?
• National Credit Union Administration (NCUA)
• Federal Financial Institutions Examination Council (FFIEC)

What constitutes sensitive data?
• Card (PAN, PIN, CVV)
• Personally Identifiable Financial Information (PIFI)

Page 5

My point of view too …

How is money made, where is it, how does it move?
• Loans
• Card Interchange Fees
• Deposits
• Wire / ACH

What are some general characteristics of IT?
• Main HQ and Datacenter facilities
• Many satellite branches
• Very little remote workforce
• Many 3rd party network interfaces of various types

Page 6

Objectives of a CU Cyber Security Program

• Part 748 Appendix A of NCUA Regulations
• “These Guidelines provide guidance standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of member information.”
• Predict, Prevent, Detect, Respond
• Achieve Continuous Improvement and Maturity
• Don’t Interfere with or Interrupt the Business!

Page 7

Controls (i.e. all the stuff we must have)

• Intrusion Detection and Prevention Systems (IDS / IPS)

• Endpoint Anti-Virus

• Data Loss Prevention

• Firewall

• Security Information and Event Management (SIEM)

• Internal Network Segmentation

• Network Flow Analysis and Classification

• Risk Assessment (Enterprise and System)

• Disaster Recovery / Business Continuity

• Threat Intelligence Monitoring

• Annual and Quarterly Board Reports on Risk

• Penetration Testing

• Web Proxy and Content Filtering

• Privileged Account Management (PAM)

• Helpdesk Ticket Escalation

• Vulnerability Management (Scanning)

• Configuration Management and Hardening Baselines

• DNS Reputation Filtering

• Email Anti-Virus

• Sandbox Detonation

• Email SPAM Filtering

• Behavioral Endpoint Protection

• Endpoint and Network Forensics

• Cyber Incident Response

• Security Policy & Procedure

• Security Education and Awareness Training

• Security Architecture Review (Communication Topology, Encryption)

• Change Management

• Security Exception Processing

• Regulatory and Internal Audit Responses

• Investigation and Security Data Analysis

• Vendor Management Security Reviews (SSAE 16 / SOC I, II)

• User and Active Directory Audits

• Password Cracking

Page 8

With Limited Resources a Credit Union Security Organization Must:

• Achieve a Holistic Security Posture (Breadth of Coverage)
• Achieve Defense in Depth
  • Interlocking controls
  • Variety of controls
• Provide Incident Response
• Provide Business Continuity
• Provide Risk Analysis
• Evolve with an extremely fluid Threat-Scape

Page 9

Challenges

Why do we innovate?
We innovate in response to challenges that cannot be countered with existing measures.

Page 10

Threat Intelligence Reports

IBM X-Force Report 2018
Verizon Data Breach Incident Report 2018

Page 11

Traditional Security Management Challenges

• Money
  • Enterprise Class Controls and People
• Time
  • Improve and Mature at pace with Threat Landscape
  • Provide Value at pace with IT and Business Initiatives
• People
  • Human Bandwidth
    • Breadth of function
      • Operations
      • Governance
      • Projects
  • Skill Sets
    • Raw Ability
      • Curiosity
      • Intelligence
    • Core Competencies
• Cooperation and Support
  • Board of Directors
  • Executives and Staff

Page 12

Sophistication

Secure Works Incident Response Insights Report 2018

When do you patch your servers?

Page 13

Sophistication Lifecycle

Page 14

When does my control set (including patching) become effective?
When does my attacker get the exploit?

My attacker acquires exploit
My Controls mitigate threat

Page 15

What can my company afford?

Cost

Page 16

Sophistication and Risk

Why does this matter?

• You have to choose the level of sophistication you intend to defend against

• Each decision is specific to a particular aspect of a particular point in the kill chain

• If you choose not to decide, you still have made a choice!

Page 17

Balancing Controls and Business

• Most preventive controls will interrupt the business at one time or another

• Buy-in is necessary but tough to get

• Difficult to focus on the “Why?” when the business may not have common ground

• Convenience-Cost can be an unforeseen expense by security, the business, and the board of directors

Page 18

Innovation

How do we innovate?
We think, then we do.

Page 19

Transform VM into VRM …

Vulnerability Risk Management
  o Re-factoring Risk with Time
  o Grouping vulnerabilities into families of risk
  o Addressing vulnerability for maximum reduction in exposure
  o Focus on addressing systemic cause of vulnerabilities and risk

Vulnerability Management
  o Risk is linear
  o Vulnerabilities are assigned to remediation teams by ownership
  o Prioritized based on vulnerability criticality
  o Can miss systemic cause of vulnerabilities and risk

Page 20

Practical VRM …

Vulnerability Risk Management
  o My enterprise doesn’t need Adobe Reader – remove it.
  o Let’s focus on upgrading to Windows 10, which makes Flash updates part of the OS.
  o Why do we have a systemic inability to patch to 100%?
  o Our patching window will never be shorter than 30 days – how do we mitigate?

Vulnerability Management
  o Adobe Reader is vulnerable – patch it.
  o Flash is vulnerable, let’s focus on patching it.
  o 5% of my servers aren’t getting patched – hunt them down and patch them.
  o Our patching window is >30 days, which is too long.
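The VM-versus-VRM contrast on the two slides above, worked as an added example (not from the deck): each finding is weighted by how long the attacker has had an exploit while our control was not yet effective (the two timeline questions on the Sophistication Lifecycle slide), and that exposure is summed per systemic family. The records, dates and ids are constructed placeholders, not real CVEs.

```python
"""Re-factoring vulnerability risk with time and grouping it into families.

Linear VM sorts individual findings by criticality alone.  VRM multiplies
criticality by the exposure window (exploit available -> control effective)
and aggregates per systemic family, which is what points at "remove Adobe
Reader" rather than "patch the 9.8 first".  Records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vuln:
    vuln_id: str                       # constructed placeholder id, not a CVE
    family: str                        # systemic cause: the product / platform
    host: str
    cvss: float                        # criticality, what linear VM sorts on
    exploit_available: date            # "my attacker acquires exploit"
    control_effective: Optional[date]  # "my controls mitigate threat"; None = still exposed


TODAY = date(2018, 4, 10)  # constructed reference date for still-open findings

SAMPLE: List[Vuln] = [
    Vuln("V-1", "Adobe Reader",   "ws01",  7.8, date(2018, 1, 15), None),
    Vuln("V-2", "Adobe Reader",   "ws02",  7.8, date(2018, 1, 15), None),
    Vuln("V-3", "Adobe Reader",   "ws03",  6.5, date(2018, 2, 1),  None),
    Vuln("V-4", "Windows Server", "srv01", 9.8, date(2018, 3, 20), date(2018, 3, 28)),
    Vuln("V-5", "Flash",          "ws01",  9.0, date(2018, 2, 20), date(2018, 3, 25)),
]


def exposure_days(v: Vuln, today: date = TODAY) -> int:
    """Days between the attacker having an exploit and our control taking effect."""
    end = v.control_effective or today
    return max(0, (end - v.exploit_available).days)


def time_weighted_risk(v: Vuln, today: date = TODAY) -> float:
    """Criticality re-factored by time: a 7.8 open for months outweighs a 9.8 closed in a week."""
    return v.cvss * exposure_days(v, today)


def risk_by_family(vulns: List[Vuln], today: date = TODAY) -> Dict[str, float]:
    """Aggregate time-weighted risk per systemic family (the VRM grouping step)."""
    totals: Dict[str, float] = defaultdict(float)
    for v in vulns:
        totals[v.family] += time_weighted_risk(v, today)
    return dict(totals)


def rank_families(vulns: List[Vuln], today: date = TODAY) -> List[Tuple[str, float]]:
    """Families ordered by the exposure removed if the family is addressed at its root."""
    return sorted(risk_by_family(vulns, today).items(), key=lambda kv: kv[1], reverse=True)


def rank_linear(vulns: List[Vuln]) -> List[Vuln]:
    """The classic VM ordering: individual findings by criticality alone."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


if __name__ == "__main__":
    print("Linear VM first pick:", rank_linear(SAMPLE)[0].vuln_id)   # the 9.8, already closed
    for family, score in rank_families(SAMPLE):
        print(f"VRM family {family:15s} exposure score {score:8.1f}")  # Adobe Reader dominates
```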

Page 21

Dial for Motive …

Persistent Remote Access is not a motive in this context – lifting the stand-in limits on ATMs is a motive.

“Motive” should be a key deliverable in any incident analysis.
Clues to motive can be found by analyzing tools, techniques, and procedures (TTPs).

Motive, TTPs, and persistence (tenacity) give us an idea about our adversary's true sophistication.

Page 22

Application Whitelisting

A Default Deny on execute and write operations provides mitigation for advanced exploits which are early in their lifecycle.
Whitelisting controls work from a model of known-good instead of known-bad.

VS.

Page 23

The Whitelisted Attack Surface

Unknown (Banned)

Known Bad (Anti-Virus)

Known Good(Authorized)

Reduces attack surface to a smaller set of authorized files

Forces attackers to work within a narrow band … Which they do!

Page 24

Behavioral Controls

Whitelisting and Anti-Virus controls still leave an exposure that must be countered by preventive behavioral rules

Page 25

Example: APR04102018_TD_INV.doc

Microsoft Equation Editor

Writes and executes tasks.bat

Which executes PowerShell

C2 Call – HTTPS download of payload
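The preventive behavioral rule the previous slide calls for, applied to the chain on this slide, as an added example (not from the deck or any EDR product): every image in the chain is an authorized binary, so file whitelisting passes it; the parent-child relationship is what the rule keys on. Events are constructed Sysmon-style records; using eqnedt32.exe as the Equation Editor image name is my assumption.

```python
"""Behavioral rule over process-creation events for the document -> Equation
Editor -> tasks.bat -> PowerShell -> HTTPS chain.  Added example; events are
constructed.  eqnedt32.exe as the Equation Editor image is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Parents that have no business spawning a script host.  Equation Editor is
# started out-of-process by COM, so its own parent is typically svchost.exe
# rather than winword.exe; keying on eqnedt32.exe anywhere in the ancestry
# covers both shapes of the chain.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str             # image file name; compared case-insensitively
    cmdline: str
    network: bool = False  # constructed flag: process made an outbound connection


def ancestry(ev: Event, by_pid: Dict[int, Event]) -> List[Event]:
    """Walk parent pointers to the root; oldest ancestor first, ev itself last."""
    chain: List[Event] = []
    seen = set()
    cur: Optional[Event] = ev
    while cur is not None and cur.pid not in seen:  # seen guards against pid-reuse loops
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    chain.reverse()
    return chain


def evaluate(events: List[Event]) -> List[dict]:
    """Flag every script host with a document handler somewhere above it.
    Severity is 'high' when that script host also reached the network, which
    is the C2 / payload-download step of the chain on the slide."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in sorted(events, key=lambda x: x.pid):
        if e.image.lower() not in SCRIPT_HOSTS:
            continue
        chain = ancestry(e, by_pid)
        if not any(a.image.lower() in DOCUMENT_HANDLERS for a in chain[:-1]):
            continue
        alerts.append({"pid": e.pid,
                       "chain": [a.image.lower() for a in chain],
                       "severity": "high" if e.network else "medium"})
    return alerts


# Constructed sample: the chain from the slide plus one benign admin shell.
SAMPLE_EVENTS = [
    Event(100, 1,   "explorer.exe",   "explorer.exe"),
    Event(200, 100, "WINWORD.EXE",    'winword.exe "APR04102018_TD_INV.doc"'),
    Event(300, 200, "EQNEDT32.EXE",   "eqnedt32.exe -Embedding"),
    Event(400, 300, "cmd.exe",        "cmd.exe /c tasks.bat"),
    Event(500, 400, "powershell.exe", "powershell.exe (arguments omitted)", network=True),
    Event(600, 100, "powershell.exe", "powershell.exe .\\inventory.ps1"),  # benign
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["severity"], alert["pid"], " -> ".join(alert["chain"]))
```

The benign shell under explorer.exe is not flagged, so the rule discriminates on the relationship, not on powershell.exe itself.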

Page 26

Black Hole DNS

Perhaps the best ROI in security – low cost, high efficacy.
Only effective against malware that uses domain names.
Supplements Web Filtering.

Page 27

Endpoint Detection and Response (EDR)

Threat Data Feed Aggregation
IOC Based Detection
Threat Hunting
Process Relationships
Remote Forensics

Secure Works Incident Response Insights Report 2018

Host Isolation
Breakout Containment

Page 28

Red teaming for fun and profit …
  o Typically have a more flexible timeline
  o Can accumulate in-depth intelligence on their targets
  o Are a key stakeholder in the continuity of the target systems
  o Can participate in the ongoing surgical testing of controls
  o Can perform proof of concept testing on controls before buying them

Page 29

Daily Stand-Up

Gives everyone a voice every day.
Can prevent poor execution due to negligent or accidental group-think.
Provides high-resolution correction as strategies are implemented.

Page 30

Monthly Table Tops

Rehearse Incident Response to uncommon situations.
Review and correct response to common situations.
Produce artifacts for regulators to consume.
Builds collaboration with Risk Management and Business Continuity teams.

Page 31

Some Unconventional Strategies …

Sometimes all it takes is a change in mindset to break out of a rut.

Page 32

Let computers do the things that computers are good at.
• Automate everything that doesn’t require a subjective or qualitative judgment
• Employ DevOps when possible (SecOps?)

Page 33

Let humans do the things humans are good at.
• Develop strengths in your staff rather than fixing deficiencies
• Let people gravitate toward their core competency
• Talk about “why” not just “how”

Page 34

Assert that an Innovative Maturity requires open source, zero cost security controls.

• Spend financial resources only on those technologies that require it:
  • Next Gen Firewall
  • Email Spam Filters
  • Web Application Firewall (WAF)
  • Data Loss Prevention (DLP)
  • Anti-Virus
  • Security Information and Event Management (SIEM)

• Develop open source technologies that complement core enterprise controls:
  • IDS / IPS (Snort / Suricata)
  • Data Flow Analysis (Bro)
  • File Integrity Monitoring (FIM) (OSSEC HIDS)
  • Black Hole DNS (Implement in Bind, Unbound, Mara, etc.)
  • Honeypots (Honeywall, HoneyC, Honeyd)
  • Community Threat Intelligence (ISC SANS, Independent Researchers, Spamhaus, Mitre.org, etc.)

Page 35

Implement alternative mitigations to overly-complex or cost-prohibitive controls first.
• Build your own monitoring systems
• Use built in host based firewall technologies
• Harden systems with configuration management rather than host based controls
• Patch everything, all the time
• Segment internal networks using access controls that are readily available
• Use commonly available ad-blockers

Page 36

Prioritize internal Red Team exercises over external 3rd party pen tests.

• 3rd Party Pen Testers:
  • Are on a limited timeline
  • Have limited reconnaissance
  • Operate in a commoditized environment
  • Run their canned scripts and move on if they fail

• Internal Pen Testers:
  • Typically have a more flexible timeline
  • Can accumulate in-depth intelligence on their targets
  • Are a key stakeholder in the continuity of the target systems
  • Can participate in the ongoing surgical testing of controls

Page 37

Actively reduce the expense of functional operations for those things that have become commoditized.

• Managed Security Services Providers (MSSP) can partner with an in-house security team:

  • 24x7 Log Monitoring
  • IDS/IPS Monitoring
  • WAF Administration

• A robust Internship Program can provide skilled individuals in cases where an MSSP solution is not possible.

  • Repetitive data analytics
  • Daily reputation data pulls
  • Educational content development

Page 38

Deliberately staff a % of your organization with Application, System, and Network engineers.

• Once someone has the right foundation they will naturally develop into security professionals

• Without this, how will an information security staff develop a well rounded technical understanding of:

  • Enterprise Scale Virtualization
  • How packets route / TCP States
  • How sessions persist in an application container
  • How load balancers work
  • How DNS works
  • Routing broadcast protocols
  • Storage
  • Multithreaded object synchronization
  • *nix operating systems

• The key to staffing is balance … Your aggregate staff must cover a broad base of disciplines

Page 39

Discourage outside hires from assimilating.

Page 40

Adopt the 10th man rule.

“If nine men agree, it is the duty of the tenth man to disagree.” - Carl Cullotta, Frank Lynn & Associates

• Adapt this to your staff size
• Assign a Devil’s Advocate in critical situations

Page 41

Work on too many projects at the same time.

• Efforts get blocked – have many irons in the fire

• Be careful of rapid context shifting

• The key to this strategy is to adapt deadlines when the completion of a project is within sight

• Allow people to naturally shift between projects

• Warning! Does not lend itself to accurate annual planning

Page 42

Avoid burning talent on paperwork.

• Security = Paperwork
• Paperwork != Fun
• DO NOT arbitrarily spread paperwork across the team to be “fair”.

Page 43

Rehearse your cyber incident response program on routine security events.

Page 45

Questions?