
Getting Ahead of the Security Threat: Proactive Mitigation for State Government

Presentation Transcript


  1. Getting Ahead of the Security Threat: Proactive Mitigation for State Government
Bruce Roton, CISSP, CISM, CEH, CISA, CGEIT, ISO27001, CSSGB
Director, Security Solutions Architecture

  2. Agenda
• Security Statistics and Trends
• Traditional Security Infrastructures and Protection Models (and Why they Fail)
• Analytics Using NetFlow Statistics (and Packet Capture)
• Turning Detection into a Prevention Strategy
• Custom Crafted Compromise Detection
• Level 3 Communications: Carrier View
• Summary and Recommendations

  3. Cyber Warfare on the Rise
• In 2007, US-CERT* received almost 12,000 reported cyber incidents
• By 2009, over 24,000 cyber incidents were reported
• By 2012, over 48,000 cyber incidents were reported
*US-CERT is the United States Computer Emergency Readiness Team, part of the US Department of Homeland Security

  4. Cyber Attacks Explained
• Notable Statistics:
  • Social Engineering is back on the rise after a 2-year decline (spear phishing)
  • Malware and Hacking are consistent leaders
  • Physical attacks, though on the rise, are primarily tampering and POS attacks (discounting espionage for IP)
  • While Misuse seems to rise, it is likely skewed by the sample and focused on financially motivated attacks
Source: Verizon 2013 Data Breach Investigations Report

  5. Role of Botnets in Attacks
• Botnets are proliferating at a high rate.
• Botnet uses are expanding rapidly:
  • Theft of financial credentials
  • Self propagation
  • DDoS sourcing
  • Installation of keyloggers
  • Spam and Phishing sourcing
• Botnets are regularly updated and provide a flexible platform for malware loading
Source: Verizon 2013 Data Breach Investigations Report

  6. Who is being Attacked?
• Biggest Target is Financial Services
• Second Biggest Target is Government
• News attacks are typically State Sponsored and Hacktivist
• Industry attacks are typically espionage targeting IP

  7. Cyber Attacks hit State Government too

  8. Cyber Security in the News
• Idaho State University fined over $400K for a breach of unsecured electronic health information of patients at the University's Medical Clinic (June 2013)
• Utah State Tax Commission promising tighter security on new software in the shadow of the Utah Department of Health's 2012 breach of 780,000 records
• Washington State Administrative Office of the Courts announced a data breach of 160,000 Social Security numbers and 1 million driver's license numbers (May 2013)
• California launches Cybersecurity Task Force, in an effort to mitigate the growing number of sophisticated cyber attacks hitting state governments (May 2013)
• Recent Cyberintrusion Data
  • The Pentagon reports getting 10 million cyberintrusion attempts a day
  • The National Nuclear Security Administration, of the Energy Department, also records 10 million hacks a day
  • The State of Michigan deals with close to 120,000 cyberincidents a day
  • Utah says it faces 20 million attempts a day, up from 1 million a day 2 years ago
  Source: nextgov.com

  9. Is your agency at risk?
• LAW ENFORCEMENT (May 2013): Man pleads guilty to attacks on Texas intelligence firms; also admits involvement in cyber attacks on law enforcement websites
• UNIVERSITY SYSTEM (March 2013): "2 Journalism Sites of University of Texas at Austin hit by massive Cyberattack"
Recent Examples:
http://www.washingtontimes.com/news/2011/nov/18/hackers-apparently-based-in-russia-attacked-a-publ/?page=all
http://www.upi.com/Top_News/US/2013/05/29/Anonymous-hacker-pleads-guilty-to-Austin-Texas-cyberattack/UPI-96691369830610/
http://www.signix.com/credit-union-news/bid/93563/Texas-credit-union-website-hit-by-cyber-attack
http://www.cyberwarnews.info/2013/04/01/first-national-bank-texas-hacked-social-security-details-leaked-for-opblacksummer/
http://otm.myfoxal.com/news/crime/157323-cybercrooks-use-interest-texas-plant-explosion-attack-computers
http://news.softpedia.com/news/Two-Journalism-Sites-of-the-University-of-Texas-at-Austin-Hit-by-Massive-Cyberattack-340277.shtml
http://www.esecurityplanet.com/network-security/texas-tech-university-health-sciences-center-admits-data-breach.html

  10. The Target is Growing
• Employee Mobility
• Social Networking and Engagement
• Cloud-based Services
• BYOD
• Mobile Devices

  11. Threat Trends and Attack Strategy Advancements
• Get in, stay in, steal quietly for years
• Not all APT is really APT (and why we hate this term)
• Submarine warfare and the Hunt for Red 0Day
• Highly motivated, willing to make capital investment
• Proliferation of comprehensive toolkits and malware packaging websites (with customer support!)
• They share attacks better than we share defenses
• Understanding the value proposition for criminals
• Beyond the criminal mind: State Sponsorship
  • Critical infrastructure
  • Patents, research, and theft of Intellectual Property
  • Political motivations

  12. Traditional Infrastructures and Protection Models (AKA, how did we end up spending so much?)
• Protect the perimeter from intrusion
• Protecting the network
• Protecting the user systems
• Filters, filters and more filters (web, email, file, and content)
• Stopping the leaks with DLP
• Protecting the web servers
• The "Protect Everything" model

  13. Controls and Validations
• Email Filter
• Host/App Identity Authentication
• WEB Filter
• DOS Protection
• Firewalls and IPS
• File Integrity
• Host AV
• Host IPS
• DLP Filter
• Penetration Testing
• Application Testing
• Vulnerability Testing

  14. State of the Market Protection Models

  15. Why our Security Architectures Fail
Two Primary Reasons:
• SOFTWARE: developed by humans and not perfect
• PEOPLE: coincidentally, also developed by humans and not perfect (social engineering works)

  16. Why Can't We Make it Secure Through Testing?
• First and foremost, the goal of testing has traditionally been to validate that something works and does what we planned, not to see if we can make it do something unplanned.
• Vulnerability assessors and penetration testers generally don't build custom tools just to exploit your environment.
• Vulnerability assessors and penetration testers do not have the same level of motivation as a hacker.
• Vulnerability assessors and penetration testers care about collateral damage.
• Vulnerability assessors and penetration testers don't have years to find your weak spots.

  17. Good Analytics Using NetFlow Statistics
• Catches the obvious
  • Abuse (so why is 80% of your traffic iTunes?)
  • Misuse (so why are you running a game server on the campus net?)
• Catches the less obvious
  • Talking to restricted locations (so who do you know in Cuba?)
  • Unexpected/banned protocols (so what are you using FTP for?)
  • Encrypted channels (so do you have a business partner in Belarus?)
• Can catch the true outliers (a bit more work/storage)
  • Rare comms (so why do we only talk at 3am on Wednesday?)
  • Suspicious new connections (so why are you acting different now?)
  • Compare realtime streams with historical norms
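The three tiers of checks on this slide, written out as an added example (not from the deck or from Level 3) against constructed NetFlow-style records. Everything here is invented for the example: the two sets of flow records, the prefix-to-country table standing in for a GeoIP feed, the restricted-country and banned-port policy, and the malicious-IP watchlist (the slide 18 "step 5" list, correlated in step 6 the same way).

```python
"""Flow-statistics triage: obvious, less obvious, and outlier checks over NetFlow-style records."""
import csv
import io
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Constructed history (the "historical norms" the slide compares against). Not real collector data.
BASELINE_CSV = """ts,src,dst,dport,proto,bytes
2013-06-03T09:15:00,10.1.2.10,203.0.113.7,443,tcp,12000
2013-06-03T10:02:00,10.1.2.10,203.0.113.7,443,tcp,8000
2013-06-04T09:40:00,10.1.2.10,203.0.113.7,443,tcp,9000
2013-06-03T11:00:00,10.1.2.11,198.51.100.20,80,tcp,3000
2013-06-04T14:30:00,10.1.2.11,198.51.100.20,80,tcp,2500
"""

# Constructed "today" flows to triage.
TODAY_CSV = """ts,src,dst,dport,proto,bytes
2013-06-05T09:10:00,10.1.2.10,203.0.113.7,443,tcp,11000
2013-06-05T03:00:00,10.1.2.10,192.0.2.66,443,tcp,600000
2013-06-05T13:00:00,10.1.2.11,198.51.100.20,80,tcp,2700
2013-06-05T13:05:00,10.1.2.12,198.51.100.9,21,tcp,70000
2013-06-05T13:06:00,10.1.2.12,198.51.100.9,23,tcp,500
"""

# Constructed prefix-to-country table standing in for a GeoIP feed (documentation ranges only).
GEO = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "BY",
}
RESTRICTED_COUNTRIES = {"BY", "CU", "IR"}      # policy choice for the example
BANNED_PORTS = {21: "FTP", 23: "Telnet"}       # clear-text protocols the policy forbids
WATCHLIST = {"192.0.2.66"}                     # constructed malicious-IP list (slide 18, step 5)
BUSINESS_HOURS = range(7, 20)                  # 07:00-19:59 counts as normal


def parse_flows(text):
    """Parse flattened flow records; one dict per flow with typed ts/dport/bytes."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        flows.append(row)
    return flows


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"


def build_baseline(flows):
    """Historical norms: for each (src, dst, dport) tuple, the hours at which it was seen."""
    hours = defaultdict(set)
    for f in flows:
        hours[(f["src"], f["dst"], f["dport"])].add(f["ts"].hour)
    return hours


def analyze(flows, baseline):
    """Return (kind, subject, detail) findings for the slide's three tiers of checks."""
    findings = []
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        hour = f["ts"].hour
        # Less obvious: banned protocols, restricted locations, known-bad peers.
        if f["dport"] in BANNED_PORTS:
            findings.append(("banned_protocol", f["src"], f"{BANNED_PORTS[f['dport']]} to {f['dst']}"))
        cc = country_of(f["dst"])
        if cc in RESTRICTED_COUNTRIES:
            findings.append(("restricted_location", f["src"], f"{f['dst']} ({cc})"))
        if f["dst"] in WATCHLIST:
            findings.append(("watchlist_hit", f["src"], f["dst"]))
        # Outliers: a peer never seen before, or a known peer at an hour never seen before.
        if key not in baseline:
            findings.append(("new_connection", f["src"], f"{f['dst']}:{f['dport']}"))
        if hour not in BUSINESS_HOURS and hour not in baseline.get(key, set()):
            findings.append(("off_hours", f["src"], f"{f['dst']}:{f['dport']} at {hour:02d}:00"))
    # Obvious: one destination carrying more than half of all bytes (the "80% iTunes" case).
    per_dst = Counter()
    for f in flows:
        per_dst[f["dst"]] += f["bytes"]
    if per_dst:
        dst, top = per_dst.most_common(1)[0]
        total = sum(per_dst.values())
        if top / total > 0.5:
            findings.append(("volume_outlier", dst, f"{100 * top / total:.0f}% of bytes"))
    return findings


if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE_CSV))
    for kind, subject, detail in analyze(parse_flows(TODAY_CSV), base):
        print(f"{kind:20} {subject:14} {detail}")
```

On the constructed input the 03:00 flow from 10.1.2.10 trips four checks at once (restricted country, watchlist, never-seen peer, off hours) and also dominates the byte count, while 10.1.2.11 talking to its usual web server at a new but in-hours time produces nothing; that is the "define suspicious, then look for it" point of slide 27, with the definition living in the policy tables at the top.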

  18. Advanced Analytics with Flow Statistics
• Requires one-for-one capture
• Potential triggers and fingerprinting
  • Packet size within sequence: fingerprint potential malware download
  • Conversation timing: associating packet delta with specific malware
  • Flags and window size: fingerprinting systems and malware
• Data Mining for Traffic Signatures
  • Step 1: Use honeypots/tar-pits to attract and capture
  • Step 2: Lots of post-attack traffic correlation to identified attacks
  • Step 3: Investigate suspicious sequences for potential attacks
  • Step 4: Reverse engineer captured malware to determine purpose and look for similar activities
  • Step 5: Build a malicious IP watchlist for traffic risk management (may also augment with external sources)
  • Step 6: Correlate realtime traffic to signatures and watchlist
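The three triggers on this slide (payload size within the sequence, inter-packet delta, and SYN flags/window) combined into one fingerprint matcher, as an added example that is not from the deck. The `Packet` records stand in for what you would decode from a one-for-one capture; the fingerprint values and both conversations are constructed for the example and do not describe any real malware family.

```python
"""Packet-sequence fingerprinting over a decoded conversation (what one-for-one capture buys you)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    t: float          # seconds since the conversation's first packet
    direction: str    # "out" = client to server, "in" = server to client
    size: int         # TCP payload bytes (0 for bare handshake/ACK packets)
    flags: str        # TCP flags, e.g. "S", "SA", "PA"
    window: int       # advertised TCP window


@dataclass
class Fingerprint:
    name: str
    sizes: List[Tuple[str, int]]        # expected (direction, payload size) sequence of the data packets
    tolerance: int                      # allowed size slack per packet
    delta_range: Tuple[float, float]    # allowed seconds between successive data packets
    syn_window: Optional[int]           # expected client SYN window (None = don't care)


def match_sequence(packets: List[Packet], fp: Fingerprint) -> bool:
    """True when the conversation's first data packets match the fingerprint's size, timing and SYN window."""
    data = [p for p in packets if p.size > 0]
    if len(data) < len(fp.sizes):
        return False
    # Packet size within sequence.
    for p, (direction, size) in zip(data, fp.sizes):
        if p.direction != direction or abs(p.size - size) > fp.tolerance:
            return False
    # Conversation timing: inter-packet deltas across the fingerprinted window.
    lo, hi = fp.delta_range
    head = data[:len(fp.sizes)]
    for a, b in zip(head, head[1:]):
        if not lo <= (b.t - a.t) <= hi:
            return False
    # Flags and window size: the client's SYN window as a coarse stack fingerprint.
    if fp.syn_window is not None:
        syn = next((p for p in packets if p.flags == "S"), None)
        if syn is None or syn.window != fp.syn_window:
            return False
    return True


def scan(conversations, fingerprints):
    """Return (conversation name, fingerprint name) for every match."""
    return [(name, fp.name) for name, pkts in conversations.items()
            for fp in fingerprints if match_sequence(pkts, fp)]


# Constructed fingerprint: a short request followed by a three-segment download of a fixed-size
# stage-2 binary. Values are invented for the example, not a real malware signature.
FP_STAGE2 = Fingerprint("constructed-stage2-download",
                        sizes=[("out", 312), ("in", 1460), ("in", 1460), ("in", 836)],
                        tolerance=8, delta_range=(0.0, 0.5), syn_window=8192)

# Constructed conversations (in practice decoded from capture).
CONV_SUSPECT = [
    Packet(0.000, "out", 0, "S", 8192), Packet(0.041, "in", 0, "SA", 29200), Packet(0.041, "out", 0, "A", 8192),
    Packet(0.042, "out", 309, "PA", 8192),
    Packet(0.120, "in", 1460, "A", 29200), Packet(0.121, "in", 1460, "A", 29200), Packet(0.122, "in", 840, "PA", 29200),
    Packet(0.123, "out", 0, "A", 8192),
]
CONV_BENIGN = [
    Packet(0.000, "out", 0, "S", 65535), Packet(0.030, "in", 0, "SA", 29200), Packet(0.030, "out", 0, "A", 65535),
    Packet(0.031, "out", 412, "PA", 65535),
    Packet(0.200, "in", 1460, "A", 29200), Packet(0.201, "in", 1460, "A", 29200), Packet(0.202, "in", 1460, "A", 29200),
]

if __name__ == "__main__":
    print(scan({"suspect": CONV_SUSPECT, "benign": CONV_BENIGN}, [FP_STAGE2]))
```

The tolerance and delta band are what make this a heuristic rather than an exact match: a sample re-packed with a slightly different loader still fits, while the same byte sequence dribbled out over seconds (a different delivery mechanism) or coming from a stack with a different SYN window does not. Each of the three checks is cheap to disable per fingerprint, which is how you tune false positives once the signature database from steps 1-6 starts to grow.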

  19. Better Analytics Using PCAP: Bleeding Edge Research
• This is what the AV and IPS companies are doing.
• Payload capture and analytic modeling
  • Note: some assembly required
• Potential triggers and fingerprinting
  • Size of the malware payload
  • Executable code and scripts
  • Application and port targeting
• Data Mining for Payload Signatures
  • Step 1: Use honeypots/tar-pits to attract and capture
  • Step 2: Lots of post-attack traffic correlation to identified attacks
  • Step 3: Etc, etc, etc

  20. Turning Detection into a Prevention Strategy
• Understanding the investment
  • Building the basic analytics engines and developing the tuning skills to effectively operate them will take a minimum of 6 months
  • Building the monitoring infrastructure will take 2-6 months depending on the complexity of the network environment
  • Building the database of traffic signatures and heuristic models will take a minimum of 6 months
  • Building your reverse-engineered malware library may take 8-12 months
• When should encrypted channels be permitted?
• When knowing can hurt you: the liability of knowledge
• Make sure you have funding for remediation efforts
• Make sure your Incident Response plan is sound and tested

  21. Steganography Based Compromise Detection
• Cool new use for your IPS box
• Stego traps simplified
  • Step 1: Pick multiple locations of increasing sensitivity within the network
  • Step 2: Use a stego tool to create invisible digital watermarks at differing levels
  • Step 3: Create custom IPS signatures for the watermarks and watch for them at egress points
• Note the obvious issues with encrypted channels and pre-transit encryption.
• Tool options: StegoMagic, Steghide, Staanote, Cloak, DataStash, S-Tools, Steganos Security Suite, Playmaker, Wbstego, Stegspy, etc.
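The three steps above end to end, as an added example that is not from the deck and does not use any of the listed tools: a per-location watermark (tier byte plus a token) is written into the least significant bits of a cover file, and the egress side extracts the LSBs and looks the token up. The `STG1` magic, the token registry, the tier numbering and the gradient "image" used as cover are all constructed for the example.

```python
"""Tiered stego watermark trap: embed a per-location mark, then recover it at egress."""

MAGIC = b"STG1"                       # constructed marker prefix so egress can tell a mark from noise
TIER_ID = {"public": 1, "internal": 2, "restricted": 3}
TOKEN_LEN = 8
WM_LEN = len(MAGIC) + 1 + TOKEN_LEN

# Constructed registry of watermark tokens: token -> (tier, location where the marked file lives).
# In practice generate each with secrets.token_bytes(TOKEN_LEN) and keep this table off the monitored network.
REGISTRY = {
    bytes.fromhex("a1b2c3d4e5f60718"): ("public", "www-docs"),
    bytes.fromhex("0f1e2d3c4b5a6978"): ("internal", "hr-share"),
    bytes.fromhex("deadbeef00c0ffee"): ("restricted", "finance-share"),
}


def make_watermark(tier: str, token: bytes) -> bytes:
    return MAGIC + bytes([TIER_ID[tier]]) + token


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write payload bits, MSB first, into the least significant bit of successive cover bytes."""
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for i, byte in enumerate(payload):
        for bit in range(8):
            idx = i * 8 + bit
            out[idx] = (out[idx] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def extract_lsb(blob: bytes, nbytes: int) -> bytes:
    """Read nbytes back out of the LSBs (empty if the blob is too short)."""
    if len(blob) < nbytes * 8:
        return b""
    out = bytearray()
    for i in range(nbytes):
        v = 0
        for bit in range(8):
            v = (v << 1) | (blob[i * 8 + bit] & 1)
        out.append(v)
    return bytes(out)


def scan_egress(blob: bytes, registry=REGISTRY):
    """Egress check: return (tier, location) if blob carries a registered mark, else None."""
    wm = extract_lsb(blob, WM_LEN)
    if not wm.startswith(MAGIC):
        return None
    tier_id, token = wm[len(MAGIC)], wm[len(MAGIC) + 1:]
    hit = registry.get(token)
    if hit is None or TIER_ID[hit[0]] != tier_id:
        return None            # unknown token, or tier byte inconsistent with the registered token
    return hit


def make_cover() -> bytes:
    """Constructed 1024-byte 8-bit 'image' (a repeating gradient) standing in for a real cover file."""
    return bytes(range(256)) * 4


if __name__ == "__main__":
    marked = embed_lsb(make_cover(), make_watermark("restricted", bytes.fromhex("deadbeef00c0ffee")))
    print(scan_egress(marked))   # ('restricted', 'finance-share')
```

Two practical caveats follow from the code. A stock IPS content match only fires on a mark that travels as literal bytes (a token dropped into document metadata, for instance); an LSB mark like this one is invisible to `content:` rules and needs the sensor to run the extraction itself, so the detection logic has to live in a preprocessor or script, not just a signature. And either kind of mark disappears the moment the file is compressed, re-encoded or, as the slide notes, encrypted before or in transit, which is exactly why the tier byte is worth checking: a mark that arrives damaged should not silently downgrade into a lower-priority alert.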

  22. Global Security Scope of Operation
We operate some of the world's largest networks and application environments
• Level 3 Global Internet: 8 Tbps of continuous traffic
• Level 3 DNS Caching Infrastructure: http://en.wikipedia.org/wiki/User:Incu_Master/4.2.2.2
• Level 3 CDN

  23. Global Security Monitoring Environment
• We monitor 950 million security events per day
  • Enterprise, Products, Managed Security
• We monitor over 90 billion NetFlow sessions per day
  • Over 2 TB of storage capacity per day
• We perform daily audits, protect and monitor all Level 3 products, services and systems
  • 200,000 elements (130k network, 70k systems)
  • 3,000 applications
  • 3,000 video cameras
  • 10,000 badge readers

  24. Global Security Defense Environment
• Defending against some of the most sophisticated attacks in the industry
  • Over six attacks a second on our public infrastructure
  • Numerous zero day attacks per month
  • Focus on intelligent, role-targeted attacks
  • Social research to find targeted employees
  • Attacks from sophisticated, adaptable botnet armies
• Centralized Security Organization
  • Enterprise, infrastructure, products/services and Managed Security
  • Proactive Protection
  • Attack Detection and Reactive Response
  • Predictive Analysis
  • Lifecycle Management
  • Policy, Physical, Logical, Compliance
• Policy structure based on NIST 800-53 and ISO 27001
• Four global Security Operations Centers

  25. Threat Intelligence System
• We monitor 90B NetFlow messages a day, looking for botnet activity and compromised computer systems
• We track botnet and other malicious traffic based on known and unknown traffic patterns
• The database is linked to our Managed Security service for proactive blocking
• We issue "take down" requests to hosting ISPs to notify them of C2s

  26. Summary and Recommendations

  27. Summary and Basic Recommendations
• Focus on the easy stuff first and harness the power of your network visibility and controls (Detective/Preventive)
• Excuse me, but what are you looking for? Define suspicious, and then look for it!
  • Where is Data-XXX supposed to live, and have you seen it anywhere else?
  • Should that server ever communicate with anyone outside this network?
  • Exactly who should be accessing those data stores?
  • Should [fill in the blank] type of data be traversing your network?
  • Do you have a business partner in Iran?
  • Should that comms channel really be encrypted?
  • Why is there a Telnet session running, or traffic on port 25?

  28. Outsource Options to Get Ahead of the Attack
• Full managed UTM services
  • Managing device health
  • Proactive and reactive configurations for filter rules
  • IPS/IDP features and custom rules
  • Web URL and Content Filters
  • Anti-virus settings
  • DDoS Protection
• Detection services
• Cloud Based Mitigation services
• Proactive discovery and mitigation of potential security issues
  • Advanced SIEM content and expert analytical skill with fine-tuned process and procedures to leverage people and tools
  • Realtime blocking of zero day attacks
• Reactive Response to Security Issues
  • Immediate detection and recognition of attacks and suspicious or abnormal network activity
• Connection, authentication and performance support for secure VPN solutions
  • Site-to-Site static tunnels
  • Remote end-user solutions (SSL/IPSec)
• Professional Services
  • Assessments and Testing
  • Data Discovery
  • Roadmaps and Planning

  29. Questions
