Transcript: Looking Towards the Future with Teachings from the Past
Looking Towards the Future with Teachings from the Past
Cybersecurity Forum – Opening Keynote, February 11, 2019
Ron Mehring, CISSP, VP Technology & Security, CISO, Texas Health Resources
Axel Wirth, CPHIMS, CISSP, HCISPP, Distinguished Technical Architect, Symantec Corporation
Conflict of Interest
Ron Mehring, CISSP has no real or apparent conflicts of interest to report.
Axel Wirth, CPHIMS, CISSP, HCISPP is employed by Symantec, a cybersecurity vendor, but has no real or apparent conflicts of interest to report.
Learning Objectives
• Identify how cyber-attacks were actually executed and understand cyber-attack trends
• Explain how effective response to cyber-attacks can mitigate the impact and damage
• Discuss what we may expect in the coming year regarding cyber-attacks in the healthcare space
• State lessons learned from the past to assist with the present and what is anticipated in the future
Agenda
1. Evolution of Cyber-Attacks
2. Effective response and impact mitigation
3. What we may expect in the coming year
4. Lessons learned and anticipating the future
5. Discussion / Q&A
Cybersecurity – Historic Timeline

Ancient History (1940 – 1980s)
• 1949 – Theory of self-replicating code (J von Neumann)
• 1950s – “Core Wars” game (Bell Labs)
• 1970 – “Creeper” concept demo (ARPANET, PDP-10)
• 1972 – First fully-functional virus (V Risak, TU Vienna, Siemens)
• 1973 – “A Disease of Machinery” (Westworld, MGM)
• 1980 – Analogy to biological virus (J Kraus, U of Dortmund)

Middle Ages (1980s – 2000’s)
• 1982 – “Elk Cloner” released (15 yo, Apple II)
• 1984 – “Computer virus” general definition (F. Cohen, UC)
• 1986 – “Brain” tracking copyright violations (MS-DOS)
• 1987 – “SCA” leads to first virus checker (Amiga, est. 40%)
• 1989 – “AIDS” first ransomware (MS-DOS)
• 1995 – “Concept” first macro virus (MS Word)
• 1999 – “Melissa” 1st social eng.; 20% of world’s computers

Modern Age (2000’s – today)
• 2000 – “ILOVEYOU” million+ infections in hours
• 2002 – “SQL Slammer” fastest worm
• 2007/08, 2011/12 – Reports of Cyberwarfare (Syria, Ukraine, Georgia)
• 2008 – “Conficker” infects est. 15M computers
• 2010 – “Stuxnet” sabotage of Iranian nuclear program
• 2013 – Multiple highly sophisticated viruses (e.g. Duqu, Flame); “CryptoLocker” ransomware; “Darlloz” IoT virus
• 2016 – “Mirai” highly disruptive IoT DDoS, up to 1TBit/s
• 2017 – “WannaCry” & “Petya” cause $B+ losses
Conficker – Happy 10th Birthday
• Conficker (W32.Downadup) computer worm:
– 5 variants produced (Nov. 2008 – April 2009) – Win2k, XP, Server 2003 & 2008, Vista
– Multiple purposes: open backdoors, spam bot, keylogger, download other malware, …
– Multiple propagation methods: Internet, LAN, shared folders, mapped drives, peer-to-peer networking, portable media (USB)
– Estimated to have infected up to 15 million computers (compare: WannaCry: 350,000)
• Advanced capabilities and highly resilient:
– Hides and replicates before becoming active
– Scans network for machines with the same vulnerability
– Has the capability to protect itself (e.g. disable AV and Windows updates)
• Still prevalent – but limited impact:
– No active C&C servers
– Fewer infections as target OSes are declining; may have run its course by 2020
– Latent infections residing on legacy systems, e.g., leading malware in healthcare (June 2016)
• Other noteworthy facts:
– $250,000 bounty still available!
– The end goal of Conficker has never become clear
• Other long-living malware: Sality (2003), MyDoom (2004), Zeus (2011), Mirai (2016)
Emotet – Rolling with Opportunities
• Mealybug cyber crime actor:
– Active since at least 2014
– Initially targeting banking industry in Europe
– Custom malware Trojan.Emotet (network worm)
– Brute force attack via password list
• Started shifting focus in 2017:
– Providing delivery services for other threat actors, with Trojan.Emotet functioning as a “loader”
– Expanded from Europe to the U.S. (Canada, Mexico, China)
• Key modules, per direction of C&C server:
– Banking module – steals banking details from network traffic
– Email client infostealer – email credentials
– Browser infostealer – browsing history and passwords
– PST infostealer – email addresses
– DDoS module – carry out DDoS attacks
• Mealybug, as an evolving threat actor, has been refining its techniques:
– Shifted from a few regional banking attacks to a global distributor for other groups
– Maximizing returns based on core competency and tools available
Source: Symantec ISTR
High Impact Malware: Care Delivery, Supply Chain, Privacy

WannaCry, Petya
• EternalBlue exploit (NSA leak)
• WannaCry (May 2017): faulty ransomware, ~$4-$8B global impact
• Petya (June 2017): cloaked ransomware (wiper), ~$10B impact
• WannaCry - care delivery impact:
– 81 of 236 hospital trusts; 595 of 7545 GPs
– 1000+ systems, 19,000 appts., ~£92M loss
– Root cause: underinvestment, patching
– Leading to £21M security investment
• WannaCry still active!
• Petya – healthcare supply chain:
– Global pharma company - ~$310M loss, global drug and vaccine availability
– Transcription service provider - ~$68M loss, impacted hosted transcription service

Trojan.Nibatad
• Largest national HC provider, SE Asia
• July 2018 attack
• 1.5M records, incl. Prime Minister
• Post mortem report:
– Breach identified, but no action taken
– Missing risk assessment
– Lack of training, awareness, and concern
– Lack of vulnerability scans and pen testing
– Missing patch, poor password policies
• 16 recommendations (7 critical):
– Enhance security structure
– Review and assess cyber security stack
– Improved staff awareness - prevent, detect, and respond to security incidents
– Enhanced security checks
– Tighten privileged admin account controls
– Improve incident response processes
– Private/public partnerships around security
Summary – Threat Landscape Trends
Cybercrime continues to follow money and opportunity
• Worms are back: hitting networks today, expect next generation IoT worms
• Targeted attacks are hitting diverse targets: profiling, targeting, and execution continue to improve (e.g. Orangeworm group - healthcare)
• Email malware rates are increasing again: dropped 50% in 2017, back up in 1H 2018
• BEC scams continue to be profitable: Business Email Compromise, $12B loss in 6 years
• Ransomware numbers are stable: crowded market, some have moved on
• Cryptojacking remains popular, but rises and falls with cryptocurrency value
• IoT devices are the soft target: patching, default credentials, forgotten; 159% increase of attacks (7/17-7/18)
Top 10 Malware 12/2018 (Source: CIS):
• Emotet
• Kovter
• ZeuS
• NanoCore
• Cerber
• Gh0st
• CoinMiner
• Trickbot
• WannaCry
• Xtrat
Agenda (section 2 of 5): Effective response and impact mitigation
Effective Response
1. Preparation (Getting Organized): Preparation is the key to managing the incident response cycle and reducing impact.
2. Execution (Detection and Response): Response activities must account for multiple conditions and complexity of organization.
3. Communication (Escalation and Peering): Timely escalation to peering response groups and leadership teams.
Effective Response: Preparation
Incident response phases: Preparation | Analysis/Detection | Containment | Eradication | Recovery | Post Incident Activity
• Identity Inventory: accurate inventory of identities and entitlements across technology and application portfolio.
• Tool Management: inventory of analytics and response tools.
• Exercises: incident exercise plan tailored to unique environments and playbooks.
• Data Inventory: inventory of sensitive data and data flow.
• Asset Inventory: accurate inventory of technology assets that includes location, criticality and use.
• Threat Catalog: catalog of potential threats with associated response playbooks.
Effective Response: Execution
• Effective incident response plans account for diverse operating environments and stakeholder protection, detection and response needs.
• Reduction in time to respond and remediate.
[Figure: Preparation Phase, Response Plan, Playbooks and Response, mapped onto the incident response phases]
Risk Based Equilibrium: Privacy, Cybersecurity, Patient Safety
1. Protect Data Confidentiality: regulated data, credit card data. Requirements may conflict with patient safety needs.
2. Protect the Enterprise: control robustness must balance reliability and security.
3. Protect the Patient: medical devices and other critical care device protection needs may conflict with data confidentiality requirements.
Effective Response: Playbooks
Example: Malware Attack Playbook
Triage questions, asked across the cyber incident response phases:
• What type of attack?
• What type of asset, identity, data type?
• Exposure?
Cascading unique playbooks for the stakeholder groups: Privacy; Patient Safety; Physical Security; Legal; HICS/System Preparedness; Treasury (PCI); HTM (Medical Devices); HR; Risk Financing; Business Process Owners; Facilities; JV/Business Partners/Vendors; Cyber/Technology Teams
Effective Response: Communication
• The need to communicate effectively before, during and after an incident should not be underestimated.
• Preparation phase requirements and inputs should be well understood by technology/data custodians and system owners.
• Timing of stakeholder involvement is important.
• Balancing incident sensitivity classification and transparency must be addressed up front.
A robust communication plan that reflects the different cyber incident stakeholder groups is critical to controlling incident impacts.
Agenda (section 3 of 5): What we may expect in the coming year
What to Expect for 2019
The Big Picture / Broader and Continuing Trends
Political cyber-conflicts will be a growing risk:
• A serious cyber event with socio-economic impact is increasingly likely
• Continued evolution of cyber conflicts for strategic and economic benefits
Growing attack surface – attackers roll with opportunities:
• Digitization (more data)
• Digitalization (more digital infrastructure)
• Technology adoption (IoT, cloud, 5G, AI/ML)
New and creative attack vectors:
• Supply Chain as attack vector
• Data in Motion attacks
Consequently:
• We will continue to see big names in the headlines
• It will not just be about Confidentiality anymore
What to Expect for 2019 – AI & ML
Us vs. Them
Let’s not confuse the two – AI/ML refer to the capability of a machine to:
• ML = learn without explicitly being programmed (= learning)
• AI = imitate intelligent human behavior (= perception, decision, autonomy)
Attackers will exploit ML/AI systems and use them to aid their assaults:
• Craft new attacks, uncover new vulnerabilities (zero days)
• Circumvent our ML/AI defenses through model extraction or poisoning
Defenders will increasingly depend on ML/AI to counter attacks and identify vulnerabilities:
• Reliable and fast analysis of large, complex (and boring) data sets across multiple internal and external security control points
• Analyze information with no apparent logical or discernible pattern
• Rapid identification of new exploits (threat intelligence)
• Predictive protection (automate identification and response)
• Augment human talent (or lack thereof)
What to Expect for 2019 – AI & ML
ML / AI Utilization and Benefits - Examples
Attackers:
• Corrupt AI-based business systems
• Support intelligence and reconnaissance (network probing, vulnerabilities)
• Sophisticated and tailored social engineering attacks
• Realistic disinformation campaigns
• AI-powered toolkits and services
Defenders:
• Identify new threats and provide better (faster) threat intelligence
• Uncover & fix new vulnerabilities
• Advanced attack simulations
• Better detection and response capabilities
• Protect digital security and privacy (UBA, ID protection, content monitoring)
The “Terminator Wars” of the future will likely occur in cyber space and play out at scale, speed, and cost that humans cannot match.
Technology Adoption as Opportunity
5G - from 1 Gbps to 10 Gbps, a $26B market by 2022 (IDG)
Technology Trends and Impact:
• 5G will drive other technologies and make them even more attractive:
– Cloud – any data anywhere
– Mobile – slow consumer adoption may limit penetration, but 5G will enable cheaper devices (less storage)
– IoT – new IoT devices will provide 5G “out of the gate” and enable convenience and new value-added services
• IoT (and other) device traffic will bypass home routers and enterprise networks
• Crossover within a few years: more 5G devices will connect directly to public networks than via Wi-Fi routers
Opportunity for Adversaries:
• Expanded attack surface area
• Circumvent enterprise and home security controls
• Direct attack on devices
• Leverage device as “bridgehead”
• Capture or manipulate “data in motion” or poorly protected cloud accounts
Source: Symantec ISTR
Technology Adoption as Opportunity
IoT (IoMT / Embedded Systems / Medical Devices)
Technology Trends and Impact:
• Business: improve efficiency, reduce costs, benefit from more data points, etc.
• Consumer: improve comfort, ease of use, quality of life
• Enable new business and service delivery models through physical devices
• Provide service where the consumer (patient) is
Opportunity for Adversaries:
• Exploit poorly secured IoT infrastructure
• Bridge the virtual and physical worlds – attacks that can do damage:
– Kinetic attacks (e.g. cars, pacemaker)
– Critical infrastructure: utilities, food supply, ports, traffic control, finance, healthcare
• IoT-based events will move beyond massive DDoS assaults (e.g. Mirai):
– Ransom, blackmail, stalking, botnets, etc.
Source: Symantec ISTR
Other Relevant Threat Trends
Data-in-Transit Attacks:
• Gain access to routers and other network infrastructure:
– Steal credentials, account, or other confidential information
– Deliver compromised web page to capture confidential information (a variation of “formjacking”)
– Manipulate data between sender and recipient
Supply Chain Attacks:
• Deliver payload (malware) via trusted 3rd party software (e.g. Petya):
– Difficult to identify: trusted domain, digitally signed, trusted update process
– Benefits: rapid distribution within a targeted industry or region
– Circumvent traditional security controls, access with elevated privileges
• Potential to infect and utilize hardware supply chain in the future:
– Such an attack would be highly sophisticated and difficult to detect
– Resistant to malware removal, reboot, reformatting, or reinstallation
Regulatory and Legislative Action
GDPR (European General Data Protection Regulation) set the stage
• Other nations are following suit (Canada, Brazil)
Distinct drivers are evolving: compliance, security, privacy, safety
• U.S. has traditionally had a disparate approach (by state or by industry):
– In 2018, California passed the toughest privacy law yet
– Federal security and/or privacy laws may evolve over the next few years
– Revision of the HIPAA Privacy Rule is under discussion
– FDA guidances on medical device cybersecurity
– NIST Cybersecurity Framework
– NIST Privacy Framework (in progress)
– HHS Cybersecurity Working Group and resulting Task Group Workstreams
– Multiple House and Senate bills in process (Med Devices, IoMT, IoT, certification)
• An uptick in legislative and regulatory security and privacy action is certain:
– Improve consumer rights and protection
– Reduce the risk of breach or harm
– Harmonize requirements across regions and industries
– Balanced with the need for information sharing
Agenda (section 4 of 5): Lessons learned and anticipating the future
What have we learned
1. Orchestration (Playbooks and Automation): Threat models will need to have dynamically assigned actions with predefined escalation.
2. Analytics (Detection and Response): Response activities must account for complex environments.
3. Post Incident (Lessons Learned): Risk management and root cause analysis provides an important feedback loop.
What have we learned: Orchestration
Advancing orchestration capabilities will be key in handling current and future threats. People training will be key!
What have we learned: Analytics
[Figure: John Boyd’s OODA Loop, applied to the progression from event to incident]
• Speed and quantity of attacks are increasing. This will require data to become a stronger factor in reducing friction within response processes.
• Improve system-to-system interfaces and automation to reduce response dwell time.
• Artificial intelligence and behavioral analytics are required to help better inform analysts and improve the response cycle.
What have we learned: Integration
• AI and analytics will need to be considered to help drive orchestration / automation and analyst practices to help improve time-to-detection and time-to-respond performance.
• Security architecture planning, reliability engineering and development of performance measures will be critical.
• Integrating analytics into a continuous controls testing model and security architecture will be necessary to keep up with the changing business, architectures, and development cycles.
[Figure: Advanced Cyber Operations. Number of events/alerts to be acted on, plotted against analyst time consumption: events pass through event-analytics systems, AI/behavioral analytics, and the orchestration platform and processes, so that analysts receive a low quantity of high-fidelity alerts requiring minimal time. Labels: “Opportunity for AI and behavioral analytics”; “Village elders, rule of thumb, heuristics”.]
What we have learned: Post Incident
• Risk: provides transparency for executive leadership and defines risk tolerance, policy and remediation investment priorities.
• Operations: coordinates root cause analysis of bad outcomes (incidents or control performance issues). Operations consumes risk decisions and advances or corrects processes and technologies.
• Feedback: a control architecture review helps define the requirements and control robustness signaling between risk and operations.
Agenda (section 5 of 5): Discussion / Q&A
Questions
“There's a clear pattern here which suggests an analogy to an infectious disease process, spreading from one area to the next. … I must confess, I find it difficult to believe in a disease of machinery.”
From the movie Westworld (1973)
Axel Wirth, CPHIMS, CISSP, HCISPP, 617-999-4035, @axel_wirth
Ron Mehring, CISSP, 682-236-8282, @mehringrc
Further Reading
Scientific American: “When and how did the metaphor of the computer 'virus' arise?”, https://www.scientificamerican.com/article/when-and-how-did-the-meta/
Richard Clarke: “Cyber War: The Next Threat to National Security and What to Do About It”, April 2012, https://www.amazon.com/gp/product/0061962244
Bruce Schneier: “Click Here to Kill Everybody: Security and Survival in a Hyper-connected World”, Sept. 2018, https://www.amazon.com/dp/0393608883
The Conficker Working Group, http://www.confickerworkinggroup.org/wiki/pmwiki.php
Magnolia Pictures: “Zero Days”, July 2016, https://www.imdb.com/title/tt5446858/
ISE: “Hacking Hospitals”, Feb. 2016, https://www.securityevaluators.com/hospitalhack/
UK Health and Social Care System: “Lessons learned review of the WannaCry Ransomware Cyber Attack”, Feb. 2018, https://www.england.nhs.uk/wp-content/uploads/2018/02/lessons-learned-review-wannacry-ransomware-cyber-attack-cio-review.pdf
AAMI: “Medical Device Cybersecurity – A Guide for HTM Professionals”, June 2018, http://www.aami.org/productspublications/ProductDetail.aspx?ItemNumber=6489
Symantec: “Internet Security Threat Report”, annual, http://www.symantec.com/threatreport
HIMSS Privacy & Security Committee, https://www.himss.org/library/healthcare-privacy-security
NIST SP 800-61, “Computer Security Incident Handling Guide”, https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
Ponemon Institute: “The value of AI in Cybersecurity”, July 2018, https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=41017541USEN