The MS-ISAC serves all U.S. State, Local, Tribal, and Territorial governments by providing cybersecurity threat prevention, protection, and recovery services. This includes 24/7 Security Operations Center support, network monitoring, threat analysis, cyber alerts, and incident reporting. For assistance, contact 1-866-787-4722 or email soc@msisac.org.
MS-ISAC Overview
Lee Myers, Senior Manager of Security Operations

Multi-State Information Sharing and Analysis Center
The U.S. Department of Homeland Security has designated the MS-ISAC as its key cybersecurity resource for cyber threat prevention, protection, response and recovery for all U.S. State, Local, Tribal and Territorial (SLTT) governments.
Who We Serve
MS-ISAC members include:
• All 56 US states and territories
• All 78 federally recognized fusion centers
• More than 1,000 local governments and tribal nations
• State, local, tribal, and territorial entities: cities, counties, towns, airports, public education, police departments, ports, transit associations, and more
24 x 7 Security Operations Center
Central location to report any cybersecurity incident
• Support: network monitoring services; research and analysis
• Analysis and monitoring: threats, vulnerabilities, attacks
• Reporting: cyber alerts and advisories, web defacements, account compromises, hacktivist notifications
To report an incident or request assistance: Phone 1-866-787-4722, Email soc@msisac.org
Intelligence Sources
• 24 x 7 x 365 monitoring
• Analysis of ~500 billion logs/month
• Integration with federal agencies via the NCCIC and NCIJTF, and with private companies
• Research into vulnerabilities, exploits, TTPs, patterns, and trends
• Constant contact with all ISACs
Information Sharing and Analysis Centers: Multi-State, Electric Sector, Public Transit, Aviation, Legal Services, Real Estate Sector, Defense Industrial Base, Downstream Natural Gas, ICS Supply Chain, Water Sector, Maritime, Health, Oil and Gas, Research and Education, Emergency Management and Response, Nuclear Sector, Communications, Information Technology, Automotive, Surface Transportation, Financial Services
Levels of Access
• Public Information
• Fee Based Services
• Any SLTT
• Full MS-ISAC Membership

MS-ISAC Advisories (access level: Public Information)

Monthly Newsletter (access level: Public Information)
• Distributed in template form to allow for re-branding and redistribution by your agency
IP Monitoring, Domain Monitoring, Vulnerability Management Program (VMP) (access level: Any SLTT)
Notifications on compromised user credentials from open source and third party information
Monitoring of IP range and domain space:
• IPs connecting to malicious C&Cs
• Compromised IPs
• Indicators of compromise from MS-ISAC network monitoring (Albert)
• Notifications from Spamhaus
Send domains, IP ranges, and contact info to: soc@msisac.org
Vulnerability Management Program (access level: Any SLTT)
What data are we collecting?
• Server type and version (IIS, Apache, etc.)
• Web programming language and version (PHP, ASP, etc.)
• Content Management System and version (WordPress, Joomla, Drupal, etc.)
Email notifications are sent with two attachments, covering out-of-date and up-to-date systems:
• Out-of-date systems should be patched/updated; an out-of-date version may have known vulnerabilities associated with it
• Up-to-date systems have the most current patches
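As an added illustration of the kind of data this program collects (example code written for this page, not MS-ISAC's own tooling), the script below fingerprints server, language and CMS versions from the `Server` and `X-Powered-By` response headers and the HTML `generator` meta tag, then sorts each component into out-of-date, up-to-date or unknown by comparing it against a baseline of current versions, much as the two notification attachments are split. The hostnames, the sample responses and the `CURRENT_VERSIONS` table are constructed placeholders; a real program would load the baseline from a maintained feed and fetch the responses from the monitored domains.

```python
"""Fingerprint web components from HTTP responses and flag out-of-date versions.
Added example for this page, not MS-ISAC tooling; all data below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample responses (status line, headers, body); nothing here is real traffic.
SAMPLE_RESPONSES: Dict[str, str] = {
    "www.example-county.gov": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/7.2.24\r\n\r\n"
    '<html><head><meta name="generator" content="WordPress 5.4.2"></head></html>',
    "portal.example-city.gov": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\nX-Powered-By: ASP.NET\r\n\r\n"
    "<html><head><title>Portal</title></head></html>",
    "cms.example-tribe.gov": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n"
    '<html><head><meta name="generator" content="Drupal 7 (https://www.drupal.org)"></head></html>',
}

# Assumed baseline of "current" versions; placeholders chosen for the example, not a real feed.
CURRENT_VERSIONS: Dict[str, Version] = {
    "Apache": (2, 4, 57),
    "nginx": (1, 24, 0),
    "Microsoft-IIS": (10, 0),
    "PHP": (8, 2, 0),
    "WordPress": (6, 4, 0),
    "Drupal": (10, 1, 0),
}

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]+)"', re.I)


@dataclass
class Finding:
    host: str
    component: str
    version: Optional[Version]
    status: str  # "out-of-date", "up-to-date" or "unknown"


def parse_version(banner: str) -> Optional[Version]:
    """First dotted number in a banner such as 'Apache/2.4.41 (Ubuntu)'; None if absent."""
    m = re.search(r"\d+(?:\.\d+)*", banner)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def product_name(banner: str) -> str:
    """'Apache/2.4.41 (Ubuntu)' -> 'Apache', 'WordPress 5.4.2' -> 'WordPress'."""
    return re.split(r"[/ ]", banner, maxsplit=1)[0]


def observed_components(raw: str) -> List[Tuple[str, Optional[Version]]]:
    """Server header, X-Powered-By header and generator meta tag, in that order."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    banners = [headers[h] for h in ("server", "x-powered-by") if h in headers]
    m = GENERATOR_RE.search(body)
    if m:
        banners.append(m.group(1))
    return [(product_name(b), parse_version(b)) for b in banners]


def assess(host: str, raw: str) -> List[Finding]:
    findings = []
    for product, version in observed_components(raw):
        current = CURRENT_VERSIONS.get(product)
        if version is None or current is None:
            status = "unknown"  # no version in the banner, or product not in the baseline
        else:
            # Pad to equal length so 2.4 compares as 2.4.0 rather than as "less than 2.4.0".
            width = max(len(version), len(current))
            v = version + (0,) * (width - len(version))
            c = current + (0,) * (width - len(current))
            status = "out-of-date" if v < c else "up-to-date"
        findings.append(Finding(host, product, version, status))
    return findings


def report(responses: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Bucket every (host, component) pair the way the two VMP attachments do."""
    buckets: Dict[str, List[Tuple[str, str]]] = {"out-of-date": [], "up-to-date": [], "unknown": []}
    for host, raw in responses.items():
        for f in assess(host, raw):
            buckets[f.status].append((f.host, f.component))
    return buckets
```

A banner with no version (`X-Powered-By: ASP.NET`) lands in the unknown bucket rather than being silently counted as current. The same caveat applies to any banner-based program: servers can suppress or rewrite version strings (for example Apache `ServerTokens Prod`), so a host that produces no finding is not evidence that it is patched.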
Computer Emergency Response Team (CERT) (access level: Any SLTT)
• Incident response (includes on-site assistance)
• Network and web application vulnerability assessments (fee)
• Malware analysis
• Computer and network forensics
• Log analysis
• Statistical data analysis
• Penetration testing (fee)
To report an incident or request assistance: Phone 1-866-787-4722, Email soc@msisac.org
What is an "Incident"?
As defined by NIST (SP 800-61): a computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
Examples: phishing, network intrusion, DDoS, ransomware

After Action Review
• Who, what, when, where and how it happened
• The good, the bad, and the ugly
• Incident response plan
• Training
• Documentation
Benefits of Membership (access level: MS-ISAC Membership)
• Access to information, intelligence, products, resources, and webcasts
• Insider access to federal information
• Training and resource discounts
• CIS Security Benchmarks discounts
• US-CERT Portal access
• Cybersecurity exercise participation
• Malicious Code Analysis Platform (MCAP) access

US-CERT Portal (access level: MS-ISAC Membership)
Access to:
• MS-ISAC Cyber Alert Map
• Archived webcasts and products
• Cyber tabletop exercises
• Guides and templates
• Message boards
MS-ISAC Products
• Incident Notifications: via phone or email, as appropriate; domain and IP based
• Cybersecurity Advisories: short, timely emails containing technical information regarding system patching and similar system maintenance activity
• National Webcasts: 6 bi-monthly webcasts on national topics of interest
• Purchasing Alliance: discounted purchasing buys
• End User Newsletters: monthly newsletter to rebrand and distribute
• Cyber Alerts: short, timely emails containing information on a specific cyber incident or threat
• Intel Papers: intelligence-driven papers on TTPs, trends, patterns, and actors affecting SLTT governments
• Members-Only Threat Information: information on malicious domains, IPs, and current threat events
• Cybersecurity Toolkit: items to promote cybersecurity awareness in your organization
• Hot Topics Webcasts: monthly guest speakers on areas of interest to MS-ISAC members
MS-ISAC Cyber Alerts (access level: MS-ISAC Membership)
MS-ISAC Intel Papers (access level: MS-ISAC Membership)
Weekly Malware IPs and Domains (access level: MS-ISAC Membership)

Malicious Code Analysis Platform (access level: MS-ISAC Membership)
A web-based service that enables members to submit and analyze suspicious files in a controlled and non-public fashion:
• Executables
• DLLs
• Documents
• Quarantine files
• Archives
To gain an account contact: soc@msisac.org
Fee Based Services
• Network Monitoring (Albert)
• Managed Security Services (MSS)
• Web application vulnerability assessments
• Network vulnerability assessments
• Penetration testing
• Phishing engagements
• Security assessments
For more info on any of these contact: info@msisac.org

Network Monitoring (Albert) (access level: Fee Based Services)
• SLTT focus
• 24x7x365 research, analysis, and support
• Signatures unique to SLTT governments
• Real-time information sharing with SLTT partners
• Experienced cybersecurity analysts who review each event, minimizing the number of false-positive notifications
Cyber Threat Landscape
Lee Myers, Senior Manager of Security Operations

Financials, PII, PHI
• Account compromises of PII: emails, login credentials, DOB, SSN, contact information
• PHI: PHI is more valuable in underground markets; hospitals are a potential target in the wake of insurance breaches
• Point of Sale systems: those slow to adopt EMV become a target

Case Study: Vikingdom
From March to August 2015 Vikingdom claimed:
• 77 DDoS attacks against state and local government websites in 34 states
• SQL injection proof-of-concept targeting of 1000+ university URLs
Motivations: "lulz," bragging rights, personal motivations
2015 Vikingdom DDoS Activity (map; per-state counts as labelled): MT 1, ME 11, ND 2, OR 2, MN 1, ID 1, NH 2, NY 3, SD 1, MI 1, CT 1, IA 1, PA 1, NV 2, NE 2, NJ 2, IL 1, IN 4, UT 1, DE 1, CA 2, CO 1, VA 1, MO 1, NC 1, AZ 2, TN 5, OK 9, AR 2, SC 1, AL 1, GA 3, TX 2, FL 2. The remaining states and territories carry no labelled count.
What Can You Do?
Low hanging fruit:
• PATCH!
• Use defensive software
• Back up
• Train users
• Enforce strong, complex, unique passwords
Critical Security Controls:
• Identify authorized and unauthorized devices
• Inventory authorized and unauthorized software
• Secure configurations for hardware and software
• Continuous vulnerability assessment and remediation
• Controlled use of admin privileges
Identify Malicious Activity
• Antivirus
• Firewalls
• IDS/IPS
• Logs (90 days!)
Places to look: Pastebin, Ghostbin, Zerobin, Twitter, Facebook, Google, SHODAN
Things to look for: announcements, hashtags, doxings
[Figure: hacktivist DDoS claim]
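The IP-range monitoring described earlier notifies a member when an address in its registered range is seen talking to a known command-and-control host, and the advice above to keep firewall logs for 90 days is what makes the same check possible locally. As an added example (not MS-ISAC code and not Albert's signatures), the script below walks constructed firewall log lines, keeps only sources inside the member's monitored range, matches destinations against a small indicator list with longest-prefix matching so a single-host indicator wins over an enclosing range, and aggregates one notification per source/indicator pair. The log format, the indicator list and the monitored range are assumptions for the example; the addresses are RFC 5737 documentation ranges and describe no real infrastructure.

```python
"""Match outbound connections from a monitored IP range against C2 indicators.
Added example for this page, not MS-ISAC code; log format, indicators and ranges are assumed."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed firewall log lines (not real traffic). Assumed format:
# "<timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
SAMPLE_LOGS = """\
2015-06-01T10:00:01Z src=198.51.100.23 dst=203.0.113.45 dport=443 action=allow
2015-06-01T10:00:07Z src=198.51.100.23 dst=203.0.113.45 dport=443 action=allow
2015-06-01T10:01:15Z src=198.51.100.77 dst=192.0.2.10 dport=80 action=allow
2015-06-01T10:02:40Z src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow
2015-06-01T10:03:02Z src=198.51.100.23 dst=198.51.100.1 dport=53 action=allow
this line is not in the expected format and is skipped
2015-06-01T10:04:00Z src=198.51.100.90 dst=203.0.113.200 dport=8080 action=deny
"""

# Assumed indicator feed: C2 addresses or ranges with a label. Placeholders only.
INDICATORS: Dict[str, str] = {
    "203.0.113.45/32": "c2-familyA",
    "203.0.113.192/26": "c2-familyB",
}

# The member's registered address space: only sources inside it are reported.
MONITORED = ["198.51.100.0/24"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """One log line -> dict with IP objects, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None  # malformed address: skip the line rather than abort the run
    rec["dport"] = int(rec["dport"])
    return rec


def match_indicator(addr, nets):
    """Longest-prefix match so a /32 indicator wins over an enclosing range."""
    best = None
    for net, label in nets:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best


def find_c2_contacts(log_text: str, indicators=INDICATORS, monitored=MONITORED) -> List[dict]:
    """One notification per (monitored source, indicator) pair, in first-seen order."""
    nets = [(ipaddress.ip_network(n), lbl) for n, lbl in indicators.items()]
    mon = [ipaddress.ip_network(n) for n in monitored]
    hits: Dict[Tuple[str, str], dict] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not any(rec["src"] in n for n in mon):
            continue  # unparseable, or not our address space
        found = match_indicator(rec["dst"], nets)
        if found is None:
            continue
        net, label = found
        key = (str(rec["src"]), str(net))
        h = hits.setdefault(key, {
            "src": key[0], "indicator": key[1], "label": label, "hits": 0,
            "first_seen": rec["ts"], "last_seen": rec["ts"], "dports": set(),
            "allowed": False,  # True once any matching connection was permitted
        })
        h["hits"] += 1
        h["last_seen"] = rec["ts"]
        h["dports"].add(rec["dport"])
        h["allowed"] = h["allowed"] or rec["action"] == "allow"
    return list(hits.values())  # dict preserves insertion order, so first-seen order
```

A denied connection still produces a notification: a blocked beacon means the source host is already compromised, which is why the record carries `allowed` separately instead of filtering denies out. The line from 10.0.0.5 is dropped even though its destination matches, because it is outside the registered range the notifications cover.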
Share Information
• Be prepared
• Learn from others' best practices
• Gather intel to help you be proactive
• Be willing to ask for help
• Identify other resources to augment what you are doing
• Be a part of the solution
• Take part in information sharing

Looking Forward
• Tactics, techniques, and procedures
• Targeted data and systems
• Cyber threat actors
• Developing issues

Extortion (TTPs)
• DDoS; DDoS for Bitcoin (DD4BC)
• Ransomware; new threats (data posting); ransomware-as-a-service
PII, PHI, Financials
• Account compromises of PII: emails, login credentials, DOB, SSN, contact information
• PHI: PHI is more valuable in underground markets; hospitals are a potential target in the wake of insurance breaches
• Point of Sale systems: those slow to adopt EMV become a target

ICS and Medical Devices
Industrial control systems:
• Increased interest in ICS vulnerabilities
• Honeypots
• BlackEnergy
Medical devices:
• Personal vs. hospital devices
• Continued vulnerabilities
• Increased regulation

Cyber Insurance
Organizations need to consider cyber risk insurance as part of their insurance portfolio:
• Cost of remediating/replacing systems
• Cost of notifying/protecting affected individuals
Don't get burned! Ensure you understand your policy's coverage.
Who Do I Call?
Security Operations Center (SOC): SOC@cisecurity.org, 1-866-787-4722
31 Tech Valley Dr., East Greenbush, NY 12061-4134
www.cisecurity.org
To join or get more information: https://msisac.cisecurity.org/members/index.cfm

MS-ISAC Contact Numbers
• MS-ISAC HQ Front Desk: 518-266-3460, info@msisac.org
• Security Operations Center (24/7): 1-866-787-4722, soc@msisac.org
Thank You!
Lee Myers, Lee.Myers@cisecurity.org