Security Breach: It’s not if, it’s not when; it’s will you know? Keynote


ORBIT

Megan Brister, Cyber Risk Services, Deloitte LLP

Ashkan Rahimian, Threat Intelligence & Analytics, Deloitte LLP

Your next security breach. It’s not if, it’s not when, it’s will you know.

Contents

Understanding the cyber threat landscape in the insurance sector

Evolving your cyber risk program to respond to cyber threats

Anatomy of an advanced persistent threat

Improving your outcomes

3 Cyber Risk Services | Deloitte LLP


Understanding the cyber threat landscape

Understanding the cyber threat landscape: Shift in cyber threat actors

Cyber attacks are no longer the result of a single hacker looking for bragging rights. Most attacks are now performed by well-funded, well-resourced professionals and teams (e.g. nation states, organized crime) seeking to profit from the attack. New capabilities are required to detect these advanced threats.

Figure: evolution from Security Information and Event Management (SIEM) 1.0 to SIEM 2.0 (cyber analytics). SIEM 1.0: signature-based detection. SIEM 2.0: real-time analysis, machine learning, threat intelligence.

Understanding the cyber threat landscape: Commodity attacks are more accessible than ever

Low barriers to entry into the cyber threat market make commoditized cyber attacks easier to carry out. Booter services provide low-cost DDoS.

Image credit: Krebs on Security

90% more DDoS attacks from 2013 to 2014 (Source: Akamai Q4 2014 State of the Internet – Security Report)

Understanding the cyber threat landscape: Speed of attacks is accelerating, while response times lag

As the speed of attack increases, the ability of organizations to detect an attack will determine the impact and cost of the cyber incident on the business.

A retailer has card scraping malware affecting 30% of stores that process 1M credit and debit transactions per day:

Detection at Day 0: ~$10k

Detection at Day 2: $2 – $5M

Detection at Day 30: $23M+

Source: Client scenario prepared by Deloitte Cyber Intelligence Centre

Understanding the cyber threat landscape: The cost of responding is increasing, while the volume of records breached increases as well

Breaches of personal information are expensive to remediate as credit monitoring and identity protection services have become the standard for customers.


A fraud alert will alert or “flag”

Identity theft insurance

Credit monitoring

~$8/pp ~$4/pp ~$40/pp

Understanding the cyber threat landscape: Global talent shortage impacts organizations' ability to defend themselves

Estimated to be as high as 22%, the cyber security talent vacancy rate* is not only an operational challenge, but also a significant risk for businesses.

Average salary of a Certified Ethical Hacker per year: $71,331 (Source: EC-Council, which provides the CEH certificate)

Cost of a banking Trojan, the exploit and a spam mailing to spread them around: $3,000 (Source: Kaspersky Lab 2014)

Average pay out: $72,000 (Source: Kaspersky Lab 2014)

Source: Bruce Schneier on Security, 2015 Predictions and Trends Webcast

Understanding the cyber threat landscape: No organization is immune

Small and medium sized businesses (SMEs) are not immune to attacks. 62% of data breaches were at the SME level (<1000 employees), with most data losses resulting from cyber attacks in the following sectors:

Confirmed Data Losses in SME in 2014

180 Travel/ Accommodation

95 Retail

33 Financial Services

31 Health Care

Source: Verizon Communications Data Breach Investigations Report

Evolving your cyber risk program


It starts with understanding who might attack, why, and how

Who might attack, what tactics might they use, what are they after?

How mature are my controls to address my risk?

What does the road map for improved cyber defense look like?

Evolving your cyber risk program: Who might attack an insurance broker?

•  Organized crime targeting high volume personal information for financial gain

•  Hacktivists seeking to push an agenda or embarrass a country

•  Cyber criminals leveraging an insurance broker to attack another high value

•  Nation states targeting intellectual property (IP), key personnel information, critical infrastructure data for cyber terrorism

•  Competitors seeking IP or business plans for competitive advantage

•  Malicious insiders seeking to disrupt the business or harm the company’s reputation

Evolving your cyber risk program: What are they after and why?

•  Insurance brokers hold rich databases of personal, medical, and financial information.

•  A launching pad to another high value target, such as a payment processor, financial institution, or health care.

•  Disrupt or embarrass your business – even when your company is caught in the middle of a politically-motivated attack.

Evolving your cyber risk program: What tactics might they use?

•  Phishing continues to be a common and successful entry point for attackers. In 2014, the email phishing rate was 1 in 965 emails.

•  Mobile phishing has become the new entry point.

•  24 zero-day vulnerabilities* were reported, meaning attackers could immediately start exploiting the vulnerability in that system until the vendor provided a patch.

•  Inter-connected third party compromise.

Source: Symantec Internet Threat Report

Evolving your cyber risk program: Evaluate and plan for improved cyber defense

Cyber Risk Program

SECURE: Are controls in place to guard against known and emerging threats?

VIGILANT: Can we detect malicious or unauthorized activity, including the unknown?

RESILIENT: Can we act and recover quickly to minimize impact?

Road map priorities:

•  Implement user training and testing

•  Improve mobile application development processes

•  Integrate cyber threat intelligence to proactively implement countermeasures

•  Implement standards for third party connections

Anatomy of an advanced persistent threat

The main intention of an APT attack is to gain access, stay undetected, and perform long-term operations.

Anatomy of an advanced persistent threat (APT)

Anatomy of an advanced persistent threat: Hammertoss lifecycle

1. Attacker sends a spear phishing email containing malicious attachments

2. User downloads and opens the attachments

3. Each attachment is a dropper releasing Hammertoss

4. Hammertoss is loaded in memory and initiates a connection

5. Hammertoss checks the daily Twitter handle for instructions

6. Tweets may direct Hammertoss to fetch images from GitHub

7. PowerShell commands are extracted, decrypted and run

8. Hammertoss performs privilege escalation and lateral movement via PowerShell commands

9. Beacons check in to the team servers

10. Attack team ready to accept sessions

11. Further compromise to meet objectives
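The lifecycle above chains a Twitter check, a GitHub image fetch and a PowerShell launch on the same host within a short interval. As an added example (not from the deck or from any Deloitte tool), the Python below correlates constructed proxy and process events per host and flags that ordered sequence inside a configurable window; the log format, hostnames and five-minute window are assumptions, and the heuristic is a detection starting point rather than a signature.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): one web-proxy request or
# process-creation event per line. Only ws-17 shows the full chain in order.
SAMPLE_EVENTS = """\
2015-09-01T09:00:05 ws-17 proxy GET https://twitter.com/1abc2def3
2015-09-01T09:00:09 ws-17 proxy GET https://github.com/acme-assets/raw/master/logo.png
2015-09-01T09:00:14 ws-17 process powershell.exe -NoProfile -WindowStyle Hidden
2015-09-01T09:10:00 ws-22 proxy GET https://twitter.com/corp_news
2015-09-01T11:45:00 ws-22 proxy GET https://github.com/acme/tools/raw/master/a.png
2015-09-01T11:46:00 ws-22 process powershell.exe -File build.ps1
"""

LINE_RE = re.compile(r"(\S+) (\S+) (proxy|process) (.*)")
IMAGE_RE = re.compile(r"https://github\.com/\S+\.(?:png|jpg|gif)\b", re.I)

def parse(text):
    """Turn log lines into (timestamp, host, kind, detail) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, kind, detail = m.groups()
            events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events

def hammertoss_chains(text, window_minutes=5):
    """Return {host: (twitter_ts, github_ts, powershell_ts)} for hosts where a
    Twitter request, then a GitHub image fetch, then a PowerShell start all
    occur within window_minutes of the Twitter request (assumed window)."""
    window = timedelta(minutes=window_minutes)
    per_host = {}
    for ts, host, kind, detail in sorted(parse(text)):
        per_host.setdefault(host, []).append((ts, kind, detail))
    hits = {}
    for host, evs in per_host.items():
        for i, (t0, k0, d0) in enumerate(evs):
            if k0 != "proxy" or "twitter.com/" not in d0:
                continue
            later = [e for e in evs[i + 1:] if e[0] - t0 <= window]
            gh = next((e for e in later if e[1] == "proxy" and IMAGE_RE.search(e[2])), None)
            if gh is None:
                continue
            ps = next((e for e in later if e[0] > gh[0] and e[1] == "process"
                       and "powershell" in e[2].lower()), None)
            if ps is not None:
                hits[host] = (t0, gh[0], ps[0])
                break  # one chain per host is enough to raise an alert
    return hits
```

Widening the window to a few hours also flags ws-22, which illustrates why the interval is a tuning knob: a developer fetching a GitHub image and running a build script later in the morning is benign noise.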

Improving your outcome


•  Traditional cyber defense is not enough to address advanced threats

•  Intelligence is critical to understanding possible attack campaigns and how to put in place proactive countermeasures

•  Organizations need to know who might attack, why, and how so that they can invest their resources in the right things

Thank you

Contacts

Megan Brister, PMP, CISSP, SABSA, Senior Manager, Cyber Risk Services, [email protected], 613.762.6623

Ashkan Rahimian, Cyber Threat Intelligence Lead, Cyber Risk Services, [email protected], 416.202.2746

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte’s more than 210,000 professionals are committed to becoming the standard of excellence. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication. © 2015. For more information, contact Deloitte Touche Tohmatsu Limited.
