Targeted intrusion


Presentation Transcript


  1. You’ve been hacked!
     (intrusion lifecycle diagram, labels as extracted)
     • Exfiltration
     • Targeted intrusion
     • Reconnaissance
     • Data collection and staging
     • Command and control

  2. The Cyber Threat, Trophy Information & the Fortress Mentality
     What the Board & Chief Executives Need to Know
     Tim Scully

  3. You’ve been hacked!
     • Penetration testing (“AVA”, “Red Teaming”, “Black Box Hack”, “Ethical Hacking”…)
     • Legal (with CEO’s permission)
     • Specify trophy information
     • Use only publicly known vulnerabilities
     • No physical security breaches
     • No unethical action
     • No “special” capability
     • No artificial constraints
     100% success in stealing the trophy information!
     If this can be done repeatedly without being detected while our hands are tied, what can real hackers with real capability do without these constraints?

  4. The ‘new reality’ – a pervasive & persistent cyber threat
     Stuxnet, Duqu, Flame?

  5. How senior executives see the cyber threat & their preparedness

  6. But it will happen to you…targeted cyber intrusion
     Any organisation whose Internet-connected network has information of value to a sophisticated cyber threat actor is likely already compromised.
     Attackers cannot be kept ‘on the outside’; everything on the inside is not secure.
     “To defend everything is to defend nothing” – Frederick the Great

  7. It’s all in the mind!
     • Boundary Protection Mindset
       • Anti-virus, firewalls
       • IDS, IPS, ‘magic’ box, set & forget
       • System-centric
     • Compliance Mindset
       • Box ticking (“We're compliant!”)
       • Audit, not assessment
       • Perpetuates boundary mindset
     • Techie Mindset
       • Trophy information?
       • Deal with threats in isolation
       • Poor upward communication
     • Executive Mindset …

  8. The Consequence … “Fortress Mentality”

  9. The threat…capability & intent
     OWASP Purpose: Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.

  10. What (or who) is the Advanced Persistent Threat?
      “Over 85% of the targeted cyber intrusions that DSD responded to in 2010 could have been prevented by applying only the first four of the 35 recommended mitigation strategies.”
      To find this document, Google “cyber mitigation”

  11. What does an APT look like?
      • Advanced
        • Sophisticated
        • Agile, adaptive, innovative
        • Full spectrum TTPs
        • Off the shelf + tailor-made
      If they are detected by traditional measures, are they really an APT or were they meant to be detected?
      • Persistent
        • Not opportunistic
        • Clandestine
        • Varied tempo, dwell time
        • Works to a tactical plan
      • Threat
        • Capability + Intent
        • Strategic Goals
        • Multi-source Collection Plan
        • Multi-agency Coordination

  12. What can we do about it? Levels of security…
      Level 1: meet due diligence & compliance needs only
      • Most basic “housekeeping” measures
      • Reduce opportunity to intrude (i.e. reduce your “target surface”)
      • Measures should include: Patch Control, Vulnerability Management, Privilege Management, Change & Configuration Control Management, Intrusion Detection/Prevention
      • Are they good enough to detect a targeted intrusion?
      Level 2: more investment to protect info beyond basic compliance
      • Increased risks need more sophisticated measures
      • More continuous monitoring of network data flow
      • Measures should include: Security Information and Event Management, Data Segregation, Whitelisting, Exception Monitoring, Application and Network Penetration Testing
      • Should consider managed security service

  13. What can we do about it? Levels of security…
      Level 3: when consequences of targeted cyber intrusions are serious or catastrophic for operational effectiveness, competitiveness, reputation or the national interest
      • Detect, isolate, monitor and terminate cyber threats
      • Includes “low probability, high consequence” events
      • Owners and operators of critical infrastructure systems should seriously consider these measures
      • Systematic approach to cyber intrusion management
      • Backed by highly skilled cyber security analysts and practitioners with continual visibility of network data flow
      • Measures should include:
        • Whole of enterprise data collection system (“data probes”)
        • Data leak prevention
        • Database activity monitoring
        • Data analytics
        • Cyber event investigation
        • More…

  14. The Board owns this risk
      “It is likely that RSA growth will remain a bit slower as remediation efforts continue” – David Goulden, EMC CFO
      “China-based hackers looking to derail the $40 billion acquisition… zeroed in on the law firms handling the deal” – Bloomberg re Potash Corp.
      • A cyber security breach is no longer an IT problem. It is a problem for the Board. It may:
        • cause significant reputational damage
        • damage share price
        • compromise strategic negotiations or transactions
        • provide an opportunity for a class action
        • result in market disclosures and compliance breaches
        • undermine years of R&D
        • sabotage critical systems
      “security breaches … were not sufficiently reported to management” – Verisign SEC Filing

  15. Principles for Cyber Security
      • The advantage is with the aggressor
        • Advanced, persistent response
        • Make it harder & more risky
        Our behaviour is our weakest link
      • National cyber security will leverage all available capabilities
        • Government, industry, academia
        • International partnerships
        • Strong leadership, sharing & trust
      • Resilience through real defence-in-depth
        • No fortress mentality
        • Know your trophy info & protect it
        • Technical prowess is not enough
      • Accountability at senior levels
        • Holistic policy, sound governance
        • Adequate resourcing & comms

  16. Cyber Warfare?
      The Economist, 7 May 2009
      Tim Scully – stoneleigh2129@bigpond.com