Cybersecurity (Cybersicherheit) – PwC slide deck transcript, hosted at assets.unisys.com
From the current threat landscape to measures after the "breach"
Cybersecurity
04.05.2017
www.pwc.ch/cybersecurity
PwC Digital Services
01 Introduction and Context
Cybersecurity Context

Digital revolution: Cloud, IoT, Social media, Big data
Growing cyber risk: Evolving threats, More connections, Talent shortage, Arms race
More regulation: NIS Directive, GDPR
The World Economic Forum cited “data fraud or theft” and “cyber attacks” amongst the top ten global risks most likely to occur
Source: World Economic Forum Global Risks Report 2017
Global Risks Landscape Top 10
1 – Extreme Weather Events
2 – Large-scale involuntary migration
3 – Natural Disasters
4 – Terrorist Attacks
5 – Data Fraud or Theft
6 – Cyberattacks
7 – Illicit Trade
8 – Man-made environmental disasters
9 – Interstate conflict
10 – Failure of National Governance
Most Important Driver of Risks – Emerging Technologies
02 Anatomy of a modern cyber-threat campaign
Let's start the conversation

"I have a bad feeling, we might have an issue here…"

What's the problem? Trigger event:
• Discovery of an insider
• Near miss compromise
• Seeking a baseline

Stages labelled on the slide:
• Initial trigger event
• Targeted
• Seek out help
• What was done?
• How do I recover?
• Eradication
Incident: duration at least … Confirmed earliest compromise identified so far dates back some time; in the network with complete access before discovery.

Key metrics*
• Enterprise size: >X0,000 employees
• Global presence: >many countries in 5 continents (global operations footprint)
• Data: >1 billion rows of individual database records, collected repeatedly from a variety of key parameters such as running processes, unusual paths, TCP connections, command history, and more
• Enterprise estate: >X0,000 endpoints (partial estate across several territories)
• Data: 1.5 Tb+ of endpoint and log data, collected over 4 weeks of assessment from endpoints and perimeter logs

*Exact metrics obfuscated to protect our client
Anatomy of a Global Hack

A piece of a much larger puzzle

The Big Picture: Geographically
USA, Canada, Brazil, Norway, Sweden, Finland, France, Switzerland, U.K., South Africa, India, Thailand, Australia, South Korea, Japan

The Big Picture: Assets at risk
• Board member information
• Key personnel
• Intellectual Property
• Patents
• Manufacturing
• Contracts
• Government Records
03 Hunting against a modern cyber-threat campaign

Grounding terminology – key understanding
Hunting
• Proactively seeking out threats across the technology estate (IT, OT, mobile, IoT)
• Sustained, iterative assessment seeking to detect, disrupt, mitigate or isolate these threats
• Smart, intelligence-based searching

Sophistication
• Accomplishing political or geopolitical goals
• Utilizing the lowest necessary tools to accomplish objectives (optimized use of resources)

Timing
• Complex, compounded and well-orchestrated operations (cyber, physical, social, deception)

Persistence
Ideal Hunting Reality – The Adversary's advantage
• Operating under uniform policies
• Consistent privacy regulations
• Simplified authority, governance, chain-of-command
• Best intelligence available
• Unlimited resources
The reality of enterprise hunting

Domains: Technology, Environmental, Economic, Consumer; Persona, Logical, Physical Network, Geopolitical, Device²
Parties: Suppliers, JV/Partners, Service providers, Customer, Industry/competitors, Sovereign estates

Constraints:
• Distinct privacy laws and requirements
• Corporate IT governance
• Mergers and acquisitions – lack of integration
• Enterprise environment familiarity: do you really know what you have? Understanding of crown jewels
• Third parties, SLAs, competing priorities

² Derived from Snowden's leaked documents on NTOC (simplified) to illustrate industry cross-domain interactions
PwC Hunting Approach – Expertise and insight… applied at scale

01 Detect
PwC gleans threat intelligence from the front lines of incident response engagements around the world. Our threat research team conduct independent research on a wide variety of threats and develop detection techniques.

02 Investigate
PwC's own CSIR-certified incident response team use the most advanced technologies to dramatically reduce dwell time of intruders, scope intrusions and minimise the need for fly-to-site teams on globally distributed incidents.

03 Remediate
Mobilising a containment strategy and patching vulnerable systems form a core part of our execution plan.

04 Enforce
We design integrations, processes and workflows to ensure your teams work effectively to achieve better security hygiene and compliance metrics.
So what do you hunt for?

Persistence, Events, Unusual paths, Past & Future
• Registry keys
• Autoruns/auto-start entries
• Windows events, crashes, logins
• Sysmon
• Process creation
• Execution of files, services or DLLs
• Alternate Data Streams (NTFS)
• ShimCache: CMD, PowerShell
• Prefetch: confirmation of execution
• AT/schtasks: lateral movement

Impossibility, Relationships, Signatures, Logs
• VPN connections
• Non-existent User-Agent strings
• Unusual process spawning (e.g. svchost.exe whose parent is not services.exe)
• Low process counts (rare processes across the estate)
• Evaluate signed and unsigned files
• Evaluate hashes or PE file segment hashes
• DNS logs, not just for known-bad destinations but also for unusual URLs
• DNS record entropy → DGAs
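Three of the hunting checks above (unexpected parent process for svchost.exe, low-count processes across hosts, and DNS label entropy as a DGA hint) run over constructed sample telemetry. This is an added example, not code from the deck or from PwC; the expected-parent table, the 3.5-bit entropy threshold and the sample records are assumptions.

```python
import math
from collections import Counter

# Constructed sample telemetry (not from the deck): process-creation records as
# (host, image, parent image), as a Sysmon event 1 would give them, and DNS queries.
PROCESS_EVENTS = [
    ("host-01", "svchost.exe", "services.exe"),
    ("host-02", "svchost.exe", "services.exe"),
    ("host-03", "svchost.exe", "winword.exe"),   # unexpected parent
    ("host-01", "explorer.exe", "userinit.exe"),
    ("host-02", "explorer.exe", "userinit.exe"),
    ("host-04", "updchk.exe", "explorer.exe"),   # seen on one host only
]
DNS_QUERIES = ["www.example.com", "mail.example.com",
               "x7kq2pz9v1mwb4.com", "qwe8r7tyu9io1p2asdf.net"]

# Assumed baseline: which parent image a given child image is expected to have.
EXPECTED_PARENT = {"svchost.exe": "services.exe"}


def unusual_spawns(events):
    """Events whose child image has a parent other than the baselined one."""
    return [(h, c, p) for h, c, p in events
            if c.lower() in EXPECTED_PARENT
            and p.lower() != EXPECTED_PARENT[c.lower()]]


def low_count_images(events, max_hosts=1):
    """Images seen on at most max_hosts distinct hosts (rarity across the estate)."""
    hosts = {}
    for host, image, _ in events:
        hosts.setdefault(image.lower(), set()).add(host)
    return sorted(img for img, seen in hosts.items() if len(seen) <= max_hosts)


def label_entropy(name):
    """Shannon entropy (bits per character) of the second-level label of a DNS name."""
    labels = name.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def likely_dga(queries, threshold=3.5):
    """Names whose label entropy reaches the assumed threshold (3.5 bits)."""
    return [q for q in queries if label_entropy(q) >= threshold]


if __name__ == "__main__":
    print("unusual spawns:", unusual_spawns(PROCESS_EVENTS))
    print("low-count images:", low_count_images(PROCESS_EVENTS))
    print("likely DGA:", likely_dga(DNS_QUERIES))
```

Entropy alone also flags legitimate CDN and tracking hostnames, so the threshold is tuned against the estate's own DNS baseline before it is used to triage.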
Before you can hunt, consider the following challenges

Ready your hunting kit … as it will assist you during incident response (yep, it will lead there)

No. 1 IT integration – Mergers and acquisitions may have led to heterogeneous and disjoint environments.
No. 2 Inventory – Unfamiliarity with baselines, hardware, topology. Especially if outsourcing to MSPs (e.g. "I don't have Windows XP").
No. 3 Privacy regulations – Differences between US and European regulations (e.g. financial industry).
No. 4 Outdated SLAs – Not drafted to support responsive actions. Usually geared towards maintaining operations.
No. 5 Governance – Geographically dispersed business units, local autonomy. Also, have you lost control of your environment? (consider No. 4)
No. 6 Think ≠ Is – Defenses or mitigations you think you have may not be real (e.g. centralized logging).
No. 7 Remote = Local – See No. 3; you may be required to conduct all hunting within country.
No. 8 Priorities – Third-party MSPs or business units may view hunting deployment or actions as a lower priority than day-to-day operations.
Before you can hunt, consider the following challenges (continued)

No. 9 IR team? – The enterprise may not possess an in-house IR team.
No. 10 Delays – Plan for delays due to operational milestones, country extended holiday season, deployment testing.
No. 11 Confidentiality / OPSEC – RFPs for hunting contracts are not a good thing. Do not communicate on compromised networks.
No. 12 Fragility – Often we find unstable, fragile networks which have suffered many recent outages. Low resources (memory/CPU/HD space).
No. 13 Legal / Pre-Vetting – Inform the legal team, review every command and data type.
What to look for?

We currently track over 110 distinct threat actors from circa 20 countries, including nation state sponsored actors as well as hackers-for-hire. Examples: Red Apollo / Stone Panda / APT10; Blue Kitsune / CozyBear / CozyDuke; Red Typhon / Aurora Panda / APT17.

In this particular case, the threat actor is suspected to be Red Apollo (APT10), which targets Chinese dissidents around the world and occasionally US defence contractors, technology, and telecoms operators. Attribution is grounded on the tools, methodologies, and C2 infrastructure used.

Yep, sometimes it really is China. But also Russia, the USA, Spain, Israel, Brazil, and many more …
Attribution

Attribution (continued)
The limits of super spy agencies:
1. Human Resources Department
2. Family – work / life balance
Contributing factors to success

No. 1 Legal – Early engagement with client legal teams. Vetting of data collection. Education of operations.
No. 2 Governance – Clear support and alignment for hunting priorities.
No. 3 Patience – Methodical, focused attention towards sophisticated threat discovery.
No. 4 Intelligence – Fusing the right level of in-house developed intelligence with incident response indicators and community insights.
No. 5 Visibility – Having widespread visibility into the environment, across territories.
No. 6 Multi-Pronged – Combining endpoint and perimeter data.
No. 7 Agility – Near real-time ability to query the enterprise for key data nuggets.
No. 8 Analytics – Seek out not just the known bad through fragile IOCs but expand towards anomalies. Go after the techniques, tactics and procedures (TTPs).
No. 9 Discretion / OPSEC – The adversary watches communications on the environment. They own VoIP, email, Active Directory.
04 Becoming Resilient against Modern Cyberthreats
What are cyber business risks to become resilient against? A few examples…

Data Disclosure – Customer accounts are taken over by criminals and sensitive information is disclosed to an unauthorized recipient
Fraud / Theft – Hackers compromise the low-touch order management system and execute unauthorized financial transactions
Business Outage / Service Disruption – A denial of service attack causes an extended outage of the business platform
Client Dissatisfaction – Loss of brand loyalty and trust following a cyber attack that leads to significant customer defection
Data Manipulation – Malicious or inadvertent manipulation of critical business information (e.g., market data)
Insider Trading – Non-public data is compromised during a cyber attack and used for financial gain (e.g., to trade on the stock market)
The cyber challenge now extends beyond the enterprise

Global Business Ecosystem – pressures and changes which create opportunity and risk

Traditional boundaries have shifted; companies operate in a dynamic environment that is increasingly interconnected, integrated, and interdependent.
• The ecosystem is built around a model of open collaboration and trust—the very attributes being exploited by an increasing number of global adversaries.
• Constant information flow is the lifeblood of the business ecosystem. Data is distributed and dispersed throughout the ecosystem, expanding the domain requiring protection.
• Adversaries are actively targeting critical assets throughout the ecosystem—significantly increasing the exposure and impact to businesses.
Years of underinvestment in security have impacted organizations' ability to adapt and respond to evolving, dynamic cyber risks.
Which cyber risks can you expect?

Insider Threats
• Disgruntled employees
• Cleaning crew

External Threats
• Everyday attacks
• APT
• DDoS

Nation States
• USA, China, Russia, Israel, North Korea
• Significant resources and skills

Organized Crime
• High financial gain and low risks

Ransomware
• Unavailability or loss of integrity of sensitive data

Espionage
• Your competitors, nation states or cyber criminals are interested in your intellectual property

Social engineering
• Lack of training
• Humans can be fooled

BYOD
• Smartphones, tablets
• Mobile, fluid workforce
NIST Cybersecurity Framework
What next?

Organizations should organize their cybersecurity programs around six core objectives:
• Identify and protect critical business assets
• Identify, manage and monitor cyber threats
• Understand the organizational boundary
• Build cyber resiliency
• Implement cyber risk dashboard and reporting
• Prepare and respond to cyber events

Cybersecurity in today's business environment is a complex problem that requires management engagement, creative techniques and new capabilities.
Adversaries are sophisticated, determined and patient. They can target individuals, companies and entire industries for malicious or criminal gain.
An effective cybersecurity program should enable the organization to detect cyber threats, manage the corresponding risks and respond to cyber incidents to minimize business disruption.
Our recommendations

Prepared for attacks?
• Incident response program
• Crisis management concept
• Train your people for incidents / crises

Third-party risk
• Assess your risk linked to 3rd parties
• Review your SLAs with MSPs and critical third parties

Critical assets protection
• What are your critical assets?
• Do you protect them in line with their value?

BCM
• Business Continuity Management
• Business Impact Analysis (BIA)

APT Hunting
• Endpoint analysis
• Network analysis
• Log analysis

Threat Intelligence
• Know your enemies (their resources, motivations, tactics, techniques, and procedures)
• Be alerted on time

Compliance
• How do you handle personal data?
• EU GDPR comes with big penalties in 2018

Security Awareness
• Employees are the weakest link of your security
04 Questions and Answers

Reto Häni
Partner and Leader Cybersecurity
+41 79 345 0124