Monthly Cyber Threat Briefing - HITRUST...Indicators of Compromise (IOCs) for an Advanced Cyber...

1 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net © 2016 HITRUST Alliance. All Rights Reserved. Monthly Cyber Threat Briefing May 2016

Transcript of Monthly Cyber Threat Briefing - HITRUST...Indicators of Compromise (IOCs) for an Advanced Cyber...

Page 1: Monthly Cyber Threat Briefing - HITRUST...Indicators of Compromise (IOCs) for an Advanced Cyber Threat • Collaborative effort between DHS/NCCIC/US-CERT and the FBI. • Based on



Presenters
• US-CERT: Majed Oweis, CISCP Analyst
• Armor: Charity Willhoite, Intelligence Analyst
• Trend Micro: Elie Nasrallah, CISSP, Business Development Manager
• Anomali: Ryan Clough, Security Engineer
• HITRUST: Eric Moriak, Manager – Assurance Services


NCCIC/US-CERT REPORT


TLP: GREEN – JAR-16-20094 – Vulnerabilities and Post-Exploitation Indicators of Compromise (IOCs) for an Advanced Cyber Threat

• Collaborative effort between DHS/NCCIC/US-CERT and the FBI.
• Based on information obtained by DHS and the FBI regarding advanced cyber threat actors targeting sensitive information stored on U.S. commercial and government networks.
• Provides TTPs used by threat actors in these instances.
• Includes indicators of compromise (IOCs), YARA rules and references to CVEs for use in computer network defense (CND).


TLP: GREEN – JAR-16-20094 Summary

• Compromises against U.S. commercial and government networks were accomplished through vulnerabilities described in the CVEs listed in the JAR. The citation of older CVEs demonstrates that older vulnerabilities continue to be exploited.
• Spear phishing was also identified as a vector used to compromise systems.
• The compromises were identified as intended to build infrastructure for follow-on activity.
• CVEs and file indicators are included.
• Mitigation strategies are included.
• Located on the US-CERT Portal at https://portal.us-cert.gov/documents/70338/108826/JAR-16-20094/ba070d96-e7c3-44e4-8ae3-7135fa149855


Questions? Comments? Contact US-CERT at: • Email: [email protected] • Phone: 1-888-282-0870 • Website: www.us-cert.gov

Contact CISCP at: [email protected]


ARMOR Top Threat Trends and Defenses


Top Vulnerability Exploits

Name | Hits | Risk Score | First Seen | Related Tech
CVE-2016-4117 | 969 | 10/10 (Critical) | 4/24/16 | Adobe Flash Player 21.0.0.226 and earlier on Windows, Mac OS X, Linux and Chrome
CVE-2016-0167 | 159 | 7.2/10 (High) | 4/10/16 | Flash RCE, Microsoft Windows (Windows 7, Windows Vista SP2)
CVE-2016-0189 | 149 | 7.6/10 (High) | 5/8/16 | Microsoft IE 9, 10, 11; Symantec; Microsoft Windows
CVE-2016-3714 | 38 | 10/10 (Critical) | 5/3/16 | ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1

Note: CVE-2016-0167 is itself a Windows kernel (win32k.sys) elevation-of-privilege flaw; it is listed against "Flash RCE" because attackers chained it with a Flash exploit to go from code execution in the browser to SYSTEM.

Action Items:
• Adobe: http://blogs.adobe.com/psirt/
• Microsoft patch batch: https://technet.microsoft.com/en-us/library/security/ms16-may
• Recommendation: uninstall ImageMagick or go to the site for patches: https://www.imagemagick.org/. Where an upgrade cannot be applied immediately, ImageMagick also published a policy.xml workaround that disables the coders abused by CVE-2016-3714 (EPHEMERAL, URL, HTTPS, MVG, MSL); verify the active policy with "convert -list policy".


Top Emerging Malware Entities

Name | Hits | Related Tech
Bucbi | 410 | Palo Alto Networks, Remote Desktop Protocol, Microsoft Windows, HTTP, RDP
CryptXXX 2.0 | 213 | Personal Computer, CryptXXX, CryptoTorLocker2015, Trojan-Ransom.Win32.CryptXXX…
Punchbuggy | 100+ | Punchtrack, MS Windows, MS Word, CVE-2016-0167
Alpha | 71 | NMRX, ImageWare Systems, iTunes, Atlassian Inc., Encryption

Action Items:
• Preserve your data: frequent data backups!
• Frequent updates: patch now, and often!
• Security awareness: don't click on attachments and links you don't recognize!


Top US Healthcare Targets: April – May 2016

Organization | Individuals Impacted | Type of Breach
Ohio Department of Mental Health and Addiction Services | 59,000 | Unauthorized Access/Disclosure
Mayfield Clinic Inc | 23,341 | Hacking/IT Incident
Northstar Healthcare Acquisitions LLC | 19,898 | Theft (Laptop)
Pain Treatment Centers of America | 19,397 | Hacking/IT Incident (Network Server)
OptumRx, Inc. | 6,229 | Theft (Laptop)
Children's National Medical Center | 4,107 | Unauthorized Disclosure/Access (Network Server)
RMA Medical Centers of Florida | 3,906 | Theft (Laptop)
BioReference Laboratories, Inc | 3,563 | Unauthorized Disclosure/Access
Wyoming Medical Center | 3,184 | Hacking/IT Incident (Email)
Vail Valley Medical Center, dba Howard Head Sports Medicine | 3,118 | Unauthorized Disclosure/Access (Laptop, Network Server)

Note: Physical security is just as important as network security and defense; three of the ten entries above are laptop thefts.


The Breach Epidemic in Healthcare Today

The Problem:
• Over 100 million healthcare records compromised last year
• Healthcare data breaches cost $6.2 billion per year
• 290 public disclosures of major health data breaches in the US over the past 2 years

Best Practices:
• Awareness training for employees
• Enforce mobile device policies
• Practice regular data risk assessments
• Enforce a least-privilege data access model


Action Items for This Month

• Keep your employees informed and educated on the threat
• Enforce a mobile device policy
• Conduct risk assessments, and act on them
• Enforce least-privilege policies in your organization
• Back up data
• Patch often
• Conduct awareness training

Patch references:
• http://blogs.adobe.com/psirt/
• https://technet.microsoft.com/en-us/library/security/ms16-may


TREND MICRO Case Study Hospital – Sandboxing Effectiveness


Hospital Case Study
• During the trial period, this hospital had a firewall and web gateway as well as AV on endpoints.
• The sandbox trial detected threats arriving over email, web, file shares, etc.
  – Threats were multi-staged and multi-flow
  – Threats went undetected by the traditional defenses already in place


Targeted attacks are social, stealthy, sophisticated (attack lifecycle figure, employees on one side, attackers on the other):

• Attackers gather intelligence about the organization and individuals
• Target individuals (employees) using social engineering
• Establish a link to a Command & Control server
• Move laterally across the network seeking valuable data
• Extract data of interest ($$$$); this can go undetected for months!


Pre-Sandboxing with Conventional Security

• A few employees are targeted and receive a spear-phishing email
  – PDF/Office docs go through AV undetected
  – URL in the message is not on a blacklist
• Customer gets infected and no one knows
  – Infected machine calls back to C&C servers and starts harvesting data


Scenario with Sandbox

• Employees are targeted and receive a spear-phishing email
  – PDF/Office docs go undetected through AV, but the object is sent to Deep Discovery's Advanced Heuristics and Sandbox
  – It is flagged as High Risk
  – Sandbox analysis reveals IOCs
  – IP, URL and domain are sent to the other layers
  – Firewall blocks a C&C attempt from an employee laptop that just came back to the office
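The hand-off this scenario describes, verdict to IOCs to the other layers, is worth seeing as concrete logic. The following is an added example and not Trend Micro's, Deep Discovery's or HITRUST's code: it assumes a simple JSON report shape and a constructed proxy-log format, and every host, address and user in it is made up (documentation address ranges stand in for public IPs). It normalises the indicators (refangs hxxp:// and [.], strips ports, drops internal addresses that a careless blocklist would take down) and then finds the returning laptop's contact in the proxy log.

```python
"""Turn a sandbox verdict into network IOCs and check outbound proxy logs against them.

Added example; not Trend Micro's or HITRUST's code. The report shape, the log
format and every host, address and user name are constructed for illustration
(documentation ranges stand in for public addresses).
"""
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Constructed sandbox report for a phished Office document flagged High Risk.
SANDBOX_REPORT = json.dumps({
    "sample": "invoice_0412.docm",
    "risk": "High",
    "network": [
        {"type": "url", "value": "hxxp://update-srv[.]example/gate.php"},
        {"type": "domain", "value": "Update-Srv[.]example"},
        {"type": "ip", "value": "203.0.113.45:8080"},
        {"type": "ip", "value": "10.0.0.1"},      # internal address, must not be blocked
    ],
})

# Constructed proxy log: "<timestamp> <src_ip> <user> <dest_host> <url>"
PROXY_LOG = """\
2016-05-12T08:02:11Z 10.20.5.17 jdoe www.example.org http://www.example.org/
2016-05-12T08:04:30Z 10.20.5.17 jdoe update-srv.example http://update-srv.example/gate.php
2016-05-12T08:05:02Z 10.20.5.42 asmith 203.0.113.45 http://203.0.113.45:8080/
2016-05-12T08:06:00Z 10.20.5.99 bkim mail.example.org https://mail.example.org/owa
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(value: str) -> str:
    """Undo the usual defanging (hxxp://, [.]) so indicators compare with real traffic."""
    return re.sub(r"^hxxp", "http", value.replace("[.]", "."), flags=re.IGNORECASE)


def is_internal(addr) -> bool:
    """Loopback, link-local and RFC 1918 space never belong on an egress blocklist."""
    return addr.is_loopback or addr.is_link_local or any(addr in net for net in RFC1918)


def extract_iocs(report_json: str) -> dict:
    """Return {'domains', 'ips', 'urls'} from a High Risk verdict: refanged, lowercased,
    ports stripped from IP indicators, internal addresses dropped."""
    report = json.loads(report_json)
    iocs = {"domains": set(), "ips": set(), "urls": set()}
    if report.get("risk") != "High":
        return iocs
    for ind in report.get("network", []):
        value = refang(ind["value"]).strip().lower()
        if ind["type"] == "url":
            iocs["urls"].add(value)
            host = urlsplit(value).hostname
            if host:
                iocs["domains"].add(host)
        elif ind["type"] == "domain":
            iocs["domains"].add(value)
        elif ind["type"] == "ip":
            host = value.rsplit(":", 1)[0] if value.count(":") == 1 else value  # strip :port (IPv4)
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                continue
            if not is_internal(addr):
                iocs["ips"].add(str(addr))
    return iocs


def blocklist(iocs: dict) -> list:
    """Lines a firewall or proxy can consume, one indicator per line."""
    return [f"domain {d}" for d in sorted(iocs["domains"])] + [f"ip {i}" for i in sorted(iocs["ips"])]


def match_proxy_log(log_text: str, iocs: dict) -> list:
    """Return (timestamp, src_ip, user, indicator) for every log line that touches an IOC."""
    hits = []
    for line in log_text.splitlines():
        ts, src, user, dest_host, url = line.split()
        url_host = (urlsplit(url).hostname or "").lower()
        for candidate in (dest_host.lower(), url_host, url.lower()):
            if candidate in iocs["domains"] or candidate in iocs["ips"] or candidate in iocs["urls"]:
                hits.append((ts, src, user, candidate))
                break
    return hits


if __name__ == "__main__":
    found = extract_iocs(SANDBOX_REPORT)
    print("\n".join(blocklist(found)))
    for hit in match_proxy_log(PROXY_LOG, found):
        print("C&C contact:", *hit)
```

The internal-address filter is the caveat practitioners learn the hard way: sandbox reports often include the analysis VM's own gateway or a DNS resolver, and pushing those into a firewall blocklist breaks the office rather than the attacker.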


Sandbox Effectiveness (evasion techniques malware uses to detect an analysis environment, which an effective sandbox must withstand):
• Timer evasion
• Human interaction detection
• CPUID detection
• Driver detection
• BIOS/license code detection
• Network address detection
• Virtual device detection
• Hypervisor detection


Custom Sandboxing: Most Effective Anti-Evasion

Offers the unique ability for customers to import their own system images as the basis for virtual analysis.

Benefits:
• Mimics the real-life customer environment
• Customer-supplied OS language
• Customer-supplied applications
• Corporate IT customizations
• Patch level matched to the customer environment

All of which contributes to more representative threat detonation and accurate detections!


Top Sandbox Detections
• Download_abirir_arquivos_anexos179381551.zip
• 8737219a68-1dba-4835-8e29-170253f9e3ab.MSI
• Spotify_installar-1.0.16.104.g3b776ce-267.exe
• 2015019118005.exe
• Setup.exe
• CC Proxy 8 keygen is here latest.rar
• Installer_win.exe


Top Threats Detected Exclusively by Sandbox
• Download_abirir_arquivos_anexos179381551.zip
• 8737219a68-1dba-4835-8e29-170253f9e3ab.MSI
• Spotify_installar-1.0.16.104.g3b776ce-267.exe
• 2015019118005.exe
• Setup.exe
• CC Proxy 8 keygen is here latest.rar
• Installer_win.exe


Detected Known Malware Threats


Evasive Threats Originate Everywhere

How do they bypass static security?
• Exploits: 0-days, fresh or old vulnerabilities
• Malicious macro documents
• Script malware (VBS, PowerShell, Ruby…)
• Daily custom binaries (C, AutoIT, VB.NET…)
• And many more (JS, Java…)

« 99 % of unique malware will infect less than 10 hosts »

Delivery vectors: spear-phishing, longlining, malvertising, personal webmail, USB infection


Sandbox Functionality

Compared to common sandboxes, we greatly enhanced the detection of exploits. An effective sandbox should have three-layer analysis:

1. script behavior (emulator)
2. shell-code behavior
3. payload behavior

In addition to analyzing the exploit, it analyzes payloads in three layers and also obtains more complete script behavior by emulation. This strength helps us detect zero-days without engine/pattern updates.

On Feb 1st 2015, we were the first to detect a Flash 0-day without any update. Most sandboxes were evaded.


ANOMALI Compromised Credentials Overview


Overview:
• State of “Credential Dumps”
• Where are “Credential Dumps” coming from?
• Motivations
• Observed Trends
• Mitigation techniques


State of “Credential Dumps”

http://techcrunch.com/2016/04/25/hundreds-of-spotify-credentials-appear-online-users-report-accounts-hacked-emails-changed/

http://www.mirror.co.uk/tech/facebook-hacked-security-researcher-stumbles-7829312

http://arstechnica.com/tech-policy/2016/02/irs-website-attack-nets-e-filing-credentials-for-101000-taxpayers/


State of “Credential Dumps”

“63% of confirmed data breaches involved weak, default or stolen passwords.”

Page 20, 2016 Verizon Data Breach Investigations Report


Where are “Credential Dumps” coming from?
• Paste sites
  – Pastebin
  – Ghostbin
  – Pastie
  – etc.
• VirusTotal
• “Dark Web”
• Anonymous file-sharing sites
  – Mega


Motivations
• Financial
• Credibility
• Initial attack vector
• Victim embarrassment
• Password reuse
  – Lateral movement
  – Account takeovers


Observed Trends: Unique Credentials/Day, past 6 months (chart)


Observed Trends: Credentials by Industry Vertical, past 6 months (chart)


Observed Trends: Interesting frequently reused accounts

•  [email protected] •  [email protected] •  [email protected] •  [email protected] •  [email protected] •  [email protected] •  [email protected]


Mitigation Techniques

Easy:
• Implement MFA where possible
• Strong password policy
• Automate actions when matching credentials are found for your users

Hard:
• Static authentication techniques cannot be trusted
• Change in mindset: assume accounts are already compromised
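"Automate actions when matching credentials are found for your users" is the one item on this slide that turns into code. The block below is an added example and not Anomali's or HITRUST's tooling. It parses a constructed paste-site dump, keeps only accounts in domains you own, decides per account whether the leaked password is still the live one (the directory here stores a SHA-1 purely so the comparison runs offline; in practice you would ask the identity provider to test the candidate), and emits the actions to take. It also reports the password-reuse groups that the Motivations slide warns about, since one shared password across two accounts is the lateral-movement path.

```python
"""Automate the response when a public credential dump names your users.

Added example; not Anomali's or HITRUST's code. The dump excerpt, the user
directory and the action names are constructed for illustration. The directory
holds a SHA-1 of each live password only so the comparison can run offline;
in practice you would ask the identity provider to test the candidate password.
"""
import hashlib
import re
from collections import defaultdict

ORG_DOMAINS = {"example.org"}   # assumption: the mail domains you own

# Constructed paste-site dump: mixed separators, case differences and noise lines
DUMP_TEXT = """\
=== leaked 2016-05 ===
JDoe@Example.org:Spring2016!
asmith@example.org;P@ssw0rd
not.ours@other.test:hunter2
garbage line without a separator
bkim@example.org:Spring2016!
"""


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed directory: email -> current password hash and MFA state
USERS = {
    "jdoe@example.org": {"pw_sha1": sha1_hex("Spring2016!"), "mfa": False},
    "asmith@example.org": {"pw_sha1": sha1_hex("Different-Pass-9"), "mfa": True},
    "bkim@example.org": {"pw_sha1": sha1_hex("Spring2016!"), "mfa": False},
}

# email, then one of : ; | as separator, then the password (no spaces)
LINE_RE = re.compile(r"^\s*([^\s:;|]+@[^\s:;|]+)\s*[:;|]\s*(\S+)\s*$")


def parse_dump(text: str):
    """Yield (email_lowercased, password) for lines that look like credentials."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)


def org_matches(text: str) -> list:
    """Only entries whose domain is ours; everything else is someone else's problem."""
    return [(e, p) for e, p in parse_dump(text) if e.rsplit("@", 1)[1] in ORG_DOMAINS]


def plan_actions(text: str, users=USERS) -> list:
    """Per matched account: (email, status, actions). A leaked password that still
    works gets a forced reset and session revocation; a stale one gets a notice.
    The password itself is never written anywhere."""
    plan = []
    for email, password in org_matches(text):
        user = users.get(email)
        if user is None:
            plan.append((email, "unknown_account", ["notify_secops"]))
            continue
        live = sha1_hex(password) == user["pw_sha1"]
        actions = ["force_reset", "revoke_sessions"] if live else ["notify_user"]
        if live and not user["mfa"]:
            actions.append("require_mfa_enrolment")
        plan.append((email, "live" if live else "stale", actions))
    return plan


def shared_passwords(text: str) -> list:
    """Groups of our accounts that appear in the dump with the same password:
    reuse is what turns one leak into lateral movement and account takeover."""
    by_hash = defaultdict(set)
    for email, password in org_matches(text):
        by_hash[sha1_hex(password)].add(email)
    return sorted(sorted(group) for group in by_hash.values() if len(group) > 1)


if __name__ == "__main__":
    for email, status, actions in plan_actions(DUMP_TEXT):
        print(email, status, ", ".join(actions))
    print("shared:", shared_passwords(DUMP_TEXT))
```

Two design points: the matched password is hashed and discarded rather than logged, because the response pipeline itself becomes a credential store otherwise; and "stale" matches still get a notification, since a user who rotated that password here has very likely reused it somewhere the dump did not come from.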


HITRUST CSF Controls Related to Threats


CSF Controls Related to Threats
CSF Control for Compromised Credentials (Credential Dumps)
• Control Reference: 01.f Password Use
  – Control Text: Users shall be made aware of their responsibilities for maintaining effective access controls and shall be required to follow good security practices in the selection and use of passwords and security of equipment.
  – Implementation Requirement: Users are made aware of the organization's password policies and requirements to keep passwords confidential, select quality passwords, use unique passwords, not provide their password to anyone for any reason, and change passwords when there is suspected compromise.


CSF Controls Related to Threats
CSF Control for Compromised Credentials (credential dumps)
• Control Reference: 01.j User Authentication for External Connections
  – Control Text: Appropriate authentication methods shall be used to control access by remote users.
  – Implementation Requirement: Remote users shall be authenticated by use of a password/passphrase and at least one of the following: certificate, challenge/response, software token, hardware token, cryptographic or biometric technique.



CSF Controls Related to Threats
CSF Control for reducing Command and Control functions of malicious logic
• Control Reference: *01.i Policy on the Use of Network Services
  – Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.
  – Implementation Requirement: The organization shall specify the networks and network services to which users are authorized access.


CSF Controls Related to Threats
CSF Control for Monitoring System Use (network monitoring)
• Control Reference: *09.ab Monitoring System Use
  – Control Text: Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly.
  – Implementation Requirement: The organization shall employ automated tools to support near real-time analysis of events and maintain an audit log to track prohibited sources and services. Inbound and outbound communications shall be monitored at an organization-defined frequency for unusual or unauthorized activities or conditions.
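01.i (only authorised network services) and 09.ab (monitor outbound communications for unusual activity) are the two controls that stand between an infected host and its C&C server. The block below is an added example, not HITRUST's code or any product's detection logic: it runs over a constructed egress log with an assumed (host, port) allow-list, lists every flow to a service nobody was authorised to use, and separately flags (src, dst, port) pairs contacted at near-constant intervals, which is what a check-in timer looks like in a firewall log. Thresholds are assumptions.

```python
"""Review outbound connection records for services nobody was authorised to use
(01.i) and for C2-style beaconing that regular monitoring should surface (09.ab).

Added example; not HITRUST's code. The log format, the allow-list and the
thresholds are assumptions; hosts and addresses are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress records: "<timestamp> <src_ip> <dst_host> <dst_port>"
EGRESS_LOG = """\
2016-05-12T09:00:00Z 10.20.5.17 203.0.113.45 443
2016-05-12T09:05:01Z 10.20.5.17 203.0.113.45 443
2016-05-12T09:10:00Z 10.20.5.17 203.0.113.45 443
2016-05-12T09:14:59Z 10.20.5.17 203.0.113.45 443
2016-05-12T09:20:00Z 10.20.5.17 203.0.113.45 443
2016-05-12T09:00:12Z 10.20.5.42 www.example.org 443
2016-05-12T09:01:40Z 10.20.5.42 mail.example.org 443
2016-05-12T09:31:05Z 10.20.5.42 www.example.org 443
2016-05-12T09:02:00Z 10.20.5.99 198.51.100.7 6667
"""

# Assumed 01.i allow-list: the external (host, port) services users are authorised to use
ALLOWED = {("www.example.org", 443), ("mail.example.org", 443)}


def parse(log_text: str):
    """Yield (datetime, src_ip, dst_host, dst_port) per record."""
    for line in log_text.splitlines():
        ts, src, dst, port = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)


def unauthorised_flows(log_text: str) -> list:
    """01.i: distinct (src, dst, port) flows to services outside the allow-list."""
    return sorted({(src, dst, port) for _, src, dst, port in parse(log_text)
                   if (dst, port) not in ALLOWED})


def beacon_candidates(log_text: str, min_events: int = 4, max_jitter: float = 0.1) -> list:
    """09.ab: (src, dst, port) pairs contacted at near-constant intervals.
    Jitter is stdev/mean of the gaps between contacts; people browse in bursts,
    implants check in on a timer. Returns [((src, dst, port), avg_gap_s, jitter)]."""
    stamps = defaultdict(list)
    for ts, src, dst, port in parse(log_text):
        stamps[(src, dst, port)].append(ts)
    found = []
    for flow, times in stamps.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        if jitter <= max_jitter:
            found.append((flow, round(avg), round(jitter, 3)))
    return found


if __name__ == "__main__":
    for flow in unauthorised_flows(EGRESS_LOG):
        print("not authorised:", *flow)
    for flow, avg, jitter in beacon_candidates(EGRESS_LOG):
        print(f"beacon? {flow} every ~{avg}s (jitter {jitter})")
```

The caveat for the beaconing check: mature implants add deliberate jitter to their sleep, so on real traffic you raise max_jitter, require more events, and corroborate with the 01.i result (a regular interval to a destination nobody is authorised to use is far more interesting than either signal alone).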


CSF Controls Related to Threats
CSF Control for Vulnerability Patching (Top Exploits)
• Control Reference: *10.m Control of technical vulnerabilities
  – Control Text: Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.
  – Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g., what software is installed on what systems) and the person(s) within the organization responsible for the software. Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.
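10.m asks for vendor, version, deployment state and owner; the Top Vulnerability Exploits table earlier in this briefing supplies the affected-version bounds. Joining the two is the evaluation step the control text calls "exposure ... evaluated". The block below is an added example for both passages, not HITRUST's or Armor's code: the inventory rows are constructed, the version bounds are the ones quoted on the slide, and the comparison handles both the "X and earlier" and "before X" forms as well as ImageMagick's 6.9.3-10 style of version string. The Windows entries (CVE-2016-0167, CVE-2016-0189) are verified by installed security update rather than product version, so they are deliberately not modelled.

```python
"""Check a software inventory against the affected-version ranges from the
Top Vulnerability Exploits table, which is the data 10.m asks for (vendor,
version, deployment state, owner).

Added example, not HITRUST's or Armor's code. The inventory rows are
constructed; the version bounds are the ones quoted on the slide.
"""
import re

# Affected ranges from the slide. ("<=", X) means "X and earlier", ("<", X) means
# "before X"; an optional third element pins the rule to one major branch ("7.x").
AFFECTED = {
    "CVE-2016-4117": ("Adobe Flash Player", [("<=", "21.0.0.226")]),
    "CVE-2016-3714": ("ImageMagick", [("<", "6.9.3-10"), ("<", "7.0.1-1", 7)]),
}

# Constructed inventory: (host, product, version, responsible team)
INVENTORY = [
    ("ws-0412", "Adobe Flash Player", "21.0.0.226", "desktop-team"),
    ("ws-0413", "Adobe Flash Player", "21.0.0.242", "desktop-team"),
    ("web-01", "ImageMagick", "6.9.3-9", "web-team"),
    ("web-02", "ImageMagick", "7.0.0-9", "web-team"),
    ("web-03", "ImageMagick", "7.0.1-1", "web-team"),
]


def parse_version(version: str) -> tuple:
    """'6.9.3-10' -> (6, 9, 3, 10); '21.0.0.226' -> (21, 0, 0, 226). Tuples compare
    element-wise, so a shorter prefix sorts before its patched successor."""
    return tuple(int(part) for part in re.split(r"[.\-]", version))


def affected(version: str, rule: tuple) -> bool:
    """True if `version` falls inside one affected range."""
    op, bound = rule[0], parse_version(rule[1])
    current = parse_version(version)
    if len(rule) == 3 and current[0] != rule[2]:   # rule limited to a major branch
        return False
    return current <= bound if op == "<=" else current < bound


def exposure(inventory=INVENTORY, rules=AFFECTED) -> list:
    """Every exposed install as (cve, host, product, version, owner), ready to become a ticket."""
    rows = []
    for host, product, version, owner in inventory:
        for cve, (vuln_product, ranges) in rules.items():
            if product == vuln_product and any(affected(version, r) for r in ranges):
                rows.append((cve, host, product, version, owner))
    return rows


if __name__ == "__main__":
    for row in exposure():
        print("EXPOSED", *row)
```

Each output row already carries the owner, which is the part of 10.m most inventories forget: a list of vulnerable hosts with nobody to assign them to is a report, not a remediation.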


QUESTIONS?


Visit www.HITRUSTAlliance.net for more information

To view our latest documents, visit the Content Spotlight