APT or not - does it make a difference if you are compromised?
Uploaded by thomas-malmberg
Who I am - and why you are listening to me
• I work with IT-risk management and IT-security
• I develop security principles, processes and architectures for both the corebanking as well as the netbanking platform
• I develop and maintain auditing principles and methodologies
• I perform and manage internal IT-audits in the bank
• I like processes, log management, web-application firewalls and IAM
- Finland is the most sparsely populated country in the European Union, with only 16 inhabitants per km².
- There are exactly 187,888 lakes (larger than 500 m²) and 179,584 islands within the territory of Finland.
- Both are world records.
Source: Google
What you need to know about Aktia
• Aktia provides individual solutions in banking, asset management, insurance and real estate services
• Aktia operates in the Helsinki region, in the coastal area and in growth centres of Finland
• Operating profit was EUR 68.3 million and the profit for the year was EUR 55.0 million
• Aktia is renewing its core banking system and the launch of the new system is planned for the end of 2015 - the investment cost is estimated at approx. EUR 40 million
Today's topics
1. If phishing works, why bother with APT?
   – Finnish stats and stories
2. Easy targets are always targeted first
   – APT economics
   – Tone at the top
3. Whether it's an attack or a disguise - logs are your best friends
   – Situational (un)awareness
4. How to manage the risks - continuous "auditing"
   – How you hook up audits & scans, projects, backlogs, source code, people and risk management together
Source: Unknown
Situation in Finland 2011-2014
• Financial institutions and companies are mostly targeted by
– Phishing
– Banking malware & trojans
– Denial of Service
• Criminals have successfully monetized phishing and malware
• "Ransom demands" have been seen in social media like Facebook & Twitter during DoS attacks
  – Demands between 10-100 BTC
  – Monetization success rate probably zero (but not known)
Source: EUROPOL, Exploring tomorrow's organised crime (2015)
How phishing worked best in 2014
• Background
  – TUPAS is a two-factor authentication method created by the Federation of Finnish Financial Services over 10 years ago
  – TUPAS is based on e-banking authentication – PIN & TAN
  – TUPAS is used for almost everything that requires real and reliable authentication in Finland – including governmental services
• The modus operandi in 2013 and 2014
  – Create a fake service that requires TUPAS to log into
  – Acquire PIN & 1 TAN
  – Use credentials to get a "payday loan"
    • NOTE: Targeted mainly payday loan companies, NOT banks!
About TUPAS-authentication
• Safety
  – There are known issues, but it is not inherently unsafe
• Market
  – It is the de facto standard
  – No alternatives
• Sponsorship
  – Standard defined by banks
  – Implementations owned by banks
Source: Federation of Finnish Financial Services / FK
Details about the simplicity of the campaign
• 1 Estonian person behind the phishing campaign
• The Estonian language is close to Finnish, making it easy to create realistic phishing emails and SMSs
• The campaign used more than 40 mules and “associates” and netted between 700k€-800k€
• KISS was a successful paradigm
  – Create a rock solid plan to monetize the data you gather
  – Use correct and proper language for your communication
  – Use psychology – "if you do not immediately … you will face liability"
  – Make it easy for the targets to lose their credentials
[Map annotated "<100km". Source: Google]
How this phishing case evolved
[Newspaper clippings. Source: Helsingin Sanomat]
Maximum sentence – 7 years
11 grand frauds in 2014
0,5M€ - 100’s of people
Trends for nasty activities (financial sector)
[Chart: relative trend lines 2010-2014 for APT, Malware & Trojans, Phishing and DoS; vertical scale from "NOT SO MUCH" to "MUCH"]
This graph shows trends and relations in an "apples vs. oranges" way. This graph does not show any actual amounts. It is based on official reports and other public information.
Can we agree on what an APT is NOT!
• It is not an APT
  – If you leave the front door open, someone walks in and steals all your data – and repeats this every workday for a month
  – If your customers are targeted using phishing emails for several weeks
  – If your network – which is lacking firewalls, antivirus solutions and content proxies – is infiltrated with malware for months
  – If your customers are infested by banking trojans (Zeus etc.)
• A single piece of malware, a single exploit or vuln is NOT an APT.
Source: Graphics by ISACA
What they need to do and what you can lose
[Two charts from an ISACA survey in the US in 2013: "What they need to do" and "What you are scared to lose". Source: Graphics by ISACA]
Analyze your "adversary landscape"
["Threat Agent" table. Source: Graphics by ISACA]
Annotations on the table:
– The only relevant threat in the table seems to be criminal groups. What are their actual capabilities? What are their motives?
– The Snowden-Greenwald revelations have taught us that the best APT capabilities are held here.
– We aim to avoid PR disasters that could trigger such a level of badwill that someone in these categories might want to target me. We adhere to money laundering rules and maintain a high ethical level.
The financial anatomy of an APT
• The criminal
  – The criminal does not know the financial outcome or gain beforehand
  – The research phase will require a significant amount of investment in time
  – The penetration requires costly tools
    • 0-days or "near-zero" can cost between 5k-100k
    • You probably need other tools or social engineering & bribes
  – The (financial) outcome has to outweigh the investment
• You
  – Protection (licenses + appliances) can cost many 100k€
  – A forensics project costs around 100k€-150k€
[Callouts: Input: 100k€ / Output: ?€ and Input: 3k€ / Output: 50k€]
Don't be an easy target
• Every risk can be quantified as a business risk
• Don't let salespersons fool you into false security with silver bullets – not on any level
• IT security (security appliances and software) is only one component in the IT risk landscape
• Also – "cyber security" is hidden somewhere in those boxes…
• Use your money wisely
[Diagram of nested boxes: Business risk, IT risk, IT security, IT]
Create a culture of security awareness
• Management has to be involved
• All incentive programs should have a security awareness and/or security incentive built in – including those at the C-level
• All of us – act accordingly
“Well, once again,
we’ve saved civilization as we know it.” Captain James T. Kirk
A small bank's perspective
[Source: ISACA]
• I have a limited budget
• I want to spend my money against
  – Things I understand and
  – Things I can measure
• Because I cannot reasonably motivate spending if I am not able to
  – Make my management understand
  – Show my management figures
Who cares?
• “Industry analysts have inferred that shareholders are numb to news of data breaches”
• “Since consumers don’t have sufficient tools to measure the impact of breaches themselves, they are at the mercy of companies to disclose the impacts of their own corporate data breaches”
• "New, more stringent regulations on when to disclose data breaches and more sophisticated technologies […] may contribute to more shareholder reaction to these types of incidents down the road."
All your logs are belong to us
• Nobody has "all the logs"
• Case Gemalto
Source: Gemalto Press Release
Logs are just a bunch of huge files
• Gathering logs can be a tough job
• Who knows what the logs actually contain and which logs are important?
• You can easily kill your efforts by choosing too simple sources which
  – are high volume
  – add very little value on their own
  – cost a lot to store
  – create only a limited "buzz" in your organization
Logs are DevOps!
• Leverage your devs!
  – They know the application logs
  – They SHOULD know the application logs
  – They can enhance and add to the logs – given the motive
• Leverage your ops!
  – They know the infrastructure logs
  – They SHOULD know the infrastructure logs
  – They can configure the logs – given the motive
• Leverage yourself!
  – Add security as a viewpoint
Put a SOC in it
• You can outsource everything – and make your life easy – but...
  – You can not outsource understanding
  – You should not outsource understanding
  – You can not outsource responsibility
• An outsourced SOC can
  – do a lot of the hard work
  – leverage special skills
• The information and data should be yours, not just a quarterly report and some (hopefully) occasional alerts
[Image caption: Delivered as ordered?]
Add external information and tools to the brew
• HAVARO
  – An IDS/IPS-like tool developed by CERT-FI (NCSC-FI) and the National Emergency Supply Agency in 2011
  – Targeted primarily at Finnish companies that have some kind of statutory duties in a national emergency situation
• Does NOT compete with commercial solutions – is not meant to be the only security solution
• Creates security awareness within Finland and within specific industries
• Governed by Finnish laws – safe for companies
Add people and communications to the brew
• In Finland, exchange of critical information is good
[Diagram of information-sharing channels and participants]
Channels: public mailing lists, closed mailing lists, personal contacts & first name basis, interest groups, international cooperation
Participants: Federation of Finnish Financial Services / Security, National Emergency Supply Agency, National Bureau of Investigation, NCSC-FI, Europol, Banks
Create Awareness
• Enable critical logs
• Gather and SECURE logs
• Understand log relevance
• Understand volume relevance
• Correlate
• Visualize
Show off!
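One concrete instance of the "correlate" step, added here as an example and not part of the presentation: the phishing scheme described earlier (one operator replaying phished PIN + TAN credentials for many victims) leaves a recognisable trace in an authentication log, namely many distinct customers authenticating from one source IP within minutes. The log format, field names, IP addresses and thresholds below are constructed assumptions, not Aktia's or TUPAS's actual formats.

```python
"""Added example (not from the presentation): correlate authentication
events by source IP to flag one address used for many distinct customers
within a short window. Log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed line format:
# "<ISO timestamp> AUTH <status> customer=<id> src=<ip> service=<relying party>"
SAMPLE_LOG = """\
2014-03-03T09:00:01 AUTH ok customer=c1001 src=203.0.113.7 service=payday-loan-x
2014-03-03T09:00:40 AUTH ok customer=c2002 src=203.0.113.7 service=payday-loan-x
2014-03-03T09:01:15 AUTH ok customer=c3003 src=203.0.113.7 service=payday-loan-y
2014-03-03T09:02:05 AUTH ok customer=c4004 src=203.0.113.7 service=payday-loan-x
2014-03-03T09:30:00 AUTH ok customer=c5005 src=198.51.100.9 service=netbank
2014-03-03T10:30:00 AUTH ok customer=c5005 src=198.51.100.9 service=netbank
"""


def parse(log_text):
    """Return (timestamp, source_ip, customer_id) for each successful login."""
    events = []
    for line in log_text.splitlines():
        ts, _, status, *kv = line.split()
        if status != "ok":          # only successful authentications matter here
            continue
        fields = dict(part.split("=", 1) for part in kv)
        events.append((datetime.fromisoformat(ts), fields["src"], fields["customer"]))
    return events


def shared_source_alerts(events, window=timedelta(minutes=10), min_customers=3):
    """Map source IP -> max number of distinct customers seen within `window`,
    for every IP that reaches `min_customers`. A normal customer device is
    expected to stay well below the threshold; a credential replay is not."""
    by_src = defaultdict(list)
    for ts, src, customer in sorted(events):
        by_src[src].append((ts, customer))
    alerts = {}
    for src, items in by_src.items():
        start = 0
        for end in range(len(items)):        # sliding window over sorted events
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {c for _, c in items[start:end + 1]}
            if len(distinct) >= min_customers:
                alerts[src] = max(len(distinct), alerts.get(src, 0))
    return alerts


if __name__ == "__main__":
    print(shared_source_alerts(parse(SAMPLE_LOG)))   # {'203.0.113.7': 4}
```

The threshold and window are the tuning knobs the page's "understand volume relevance" point refers to: set them from the volume your own authentication source actually produces, not from this sample.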
How to manage the risks – continuous security auditing
[Word cloud: continuous monitoring, continuous risk assessment, continuous excellence, continuous risk monitoring]
Definition of continuous <activity>
• “Continuous auditing has been defined as a methodology or framework that enables auditors to provide written results on the subject matter using one or a series of reports issued simultaneously”
• “Continuous monitoring allows an organization to observe the performance of one or many processes, systems or types of data“
• “Continuous risk monitoring and assessment is used to dynamically measure risk and provide input for audit planning”
Source: ISACA & Wikipedia
Our implementation of continuous auditing
• The definitions are not really optimal
• We do a best of breed combining
  – continuous (technical and process) auditing,
  – continuous monitoring (of logs and events) and
  – continuous (security) risk monitoring and assessment
• I call this continuous auditing to make it sound simple (enough)
  – Hopefully it isn't simplifying this matter too much
"While you plan for next year's audit, I hack away." Source: Juha Strandman
How we link things together
• Processes
  – Regular pentests (3rd party, external & internal)
  – Weekly security scans
  – Systems security audits and process analysis
  – Log analysis and monitoring
  – Most important critical business processes
• Dogmas and paradigms
  – Ticket everything
  – Track everything
  – Analyze everything
What hinders progress
• Management commitment and "tone"
  – "We want more powerpoints"
  – "We want more email attachments"
• Separate tools with nonexistent integration
  – A bad stack doesn't make it easy enough to integrate the security efforts into the process
• Resistance
  – "A valid pentest report is only valid if it looks exactly like this."
• No DevOps
  – Devs love agile, Ops hate it
What enables progress
• Link to the real activities, goals and people
  – Our security organization is small
  – Written reports and formal bureaucracy would cripple us
• Projects use agile methodologies
  – Teams are used to managing tickets
  – Projects are agile-board-driven
• Tools that work together
  – Link tickets, reports, source code, releases, deliverables, configurations, backlogs, sprints and documentation
Credits & thanks
• Images and pictures are
  – created by the author
  – sourced as noted in the presentation
  – from freeimages.com
• Thanks to everyone who gave insight and comments during the creation of this presentation
• Thanks for the pig!
Wrap-up
• Do your homework and spend your money wisely
• Share information - internally and externally
• The "tone at the top" is a decisive factor
• Keep focus on the real threats
• Good is not good enough (only good enough is!)
linkedin.com/in/thomasmalmberg
@tsmalmbe