THE QUESTION IS NOT “IF” BUT “WHEN” A Look Into the Importance of Cyber Resilience and Incident Response for Financial Institutions
  • Date posted: 27-Jun-2020

  • THE QUESTION IS NOT “IF” BUT “WHEN” – A Look Into the Importance of Cyber Resilience and Incident Response for Financial Institutions

  • ABOUT THE SPEAKER

    • Tom Neclerio, VP of Cyber Consulting Services

    • 18 Years Providing Consulting to Regulated Industries

    • Advised over 1000 FIs on security/regulatory compliance

    • Trainer/speaker to the FFIEC agencies on Security

    • Former CISO of SilverSky developed internal controls

    • PCI Qualified Security Assessor to large banks, service providers, and merchants

  • Cyber Professional Services summary

    Cyber Advisory Services

    • Full range of consulting services for information security

    • Review entire security programs or components thereof

    • Assess against industry standards/best practices

    • Perform risk assessments, compliance review, gap analysis

    • Create an improvement plan, provide implementation

    Cyber Technical Services

    • Technically focused “intelligence led” security testing and assessments

    • Programs where we “think like an adversary”

    • Cyber Exposure Profiling, Security Testing

    • Targeted Attack Resistance / Red Teaming

    • Security architecture and controls assessment and improvement

    Cyber Incident Response Services

    • Complete coverage for the 3 crucial areas of incident response: Planning, Preparing, and Responding

    • Assessments and Incident Response Plan development

    • Incident Readiness exercises

    • Enterprise Incident Response and Management services

  • AGENDA

    1. The Financial Threat Landscape

    2. Case Study: Lessons Learned From Real Attacks

    3. FFIEC Cyber Resilience Guidance

    4. How to be Prepared


  • TARGET OF ATTACKS

  • RETAIL AND FINANCIAL: TOP TARGETS AGAIN

    • Retail and Financial Continue to be Top Targets

    • Organized Crime w/ focus on monetary gain

    • Financial: Malware/Web Banking Application

    • Retail: POS Terminals

  • THE TARGET

    TOXIC DATA

    Commoditized information you are compelled to protect by regulation, statute or contract.

    Examples:

    • Customer PII

    • Electronic protected health information (ePHI)

    • Credit card numbers

    • Account Numbers

    Loss value determined by criminals (de facto) and regulators (de jure).

    SECRETS

    Sensitive intellectual property whose disclosure would cause strategic harm.

    Examples:

    • Trade secrets

    • Strategic plans

    • Sales forecasts

    • Company financials

    Loss value is intrinsic, tangible or incalculable (reputation).

  • CYBERCRIME IN FINANCIAL SERVICES INDUSTRY

    Two Categories made up approx. 70% of Financial Breaches

    Crimeware – Classified into two types

    • Backdoor: Maintaining persistence and staging advanced attacks

    • Data Stealing: Capturing and data exfiltration

    Web App Attacks

    • Compromised individual customer accounts

    • Hacked website or database

  • PHISHING STATISTICS

    • For the last two years, more than two-thirds of incidents reported have featured phishing

    • 23% of recipients now open phishing messages

    • 90% success rate on a phishing campaign of 10 or more emails

    • 11% click attachments

    • 50% open e-mails and click on phishing links within the first hour

  • CRIMEWARE

    • Bank Records and Credentials are by far the most targeted data (approx. 90%)

    • Opportunistic and financially motivated to establish long term foothold in network

    • Less likely to be forensically discovered if not detected early

    • Usually starts with a Phishing campaign

  • ATTACK DIFFICULTY

    [Chart: share of attacks by difficulty level]

    High: 0.2%

    Medium: 22.7%

    Low: 67.3%

    Very Low: 9.8%

  • DISCOVERY TIMEFRAME

    80 DAYS TO DISCOVER MALICIOUS BREACHES

    123 DAYS TO RESOLVE MALICIOUS BREACHES

    3.9x HIGHER COST OF CYBER CRIME IF UNDERPROTECTED

  • LESSONS LEARNED SO FAR

    • Retail and Financial verticals are the top targets of attack

    • Financial Institutions are HIGH VALUE targets for Cyber Crime

    • Organized & Funded Criminal Gangs are behind FI Attacks

    • 70% of FI breach types are Crimeware and Web Applications

    • Phishing is often used to carry out initial hacks

    • Phishing is highly successful with a small detection window

    • Credentials and backdoor malware are top modes of entry

    • Large timeframes exist from initial compromise to discovery

    • Criminals are increasingly exploiting third party vendors


  • CASE STUDY 1: 2014 MAJOR ATTACKS

    • Third Party Stolen Credentials

    • Third Party Vendor Breach

    • Remote Access Hack

  • CASE STUDY 2: SMALL NORTHEAST CREDIT UNION

    • Infected with Cryptolocker Ransomware Trojan

    • Most likely source a phishing email attachment.

    • Critical systems infected through multiple attacks.

    • BOD personal computers infected

    • Multiple rebuilding of systems, reputational damage, lost productivity

  • CASE STUDY 3: MEDIUM CU NORTHEAST

    • BAE/SilverSky SOC noticed suspicious activity outbound to several known C&C services in Ukraine

    • Large volumes of traffic were originating outbound to the C&C servers from several computers in the CU environment.

    • CU employees were the target of a phishing campaign with malware attachments. Over 50% of employees opened the emails and attachments.

    • The volume of outbound activity from the malware ground the network to a halt.

    • The SOC was able to block all outbound traffic to the C&C servers while the IR team was deployed to help clean the network of the malware infestation.
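The detection in this case study rests on two observations a SOC can make from network flow data: outbound connections to destinations already known as C&C, and unusually large outbound volumes from several internal hosts at once. The script below is an added example, not code from the presentation or from BAE/SilverSky; it runs over constructed flow records against a constructed watchlist (addresses from the RFC 5737 documentation ranges, not real C&C), ranks internal hosts by outbound volume to watchlisted destinations so the highest-volume hosts are contained first, and produces the egress block list the SOC would apply while the IR team cleans hosts. The threshold and all addresses are assumptions.

```python
"""Rank internal hosts by outbound volume to watchlisted C2 destinations.

Added example, not from the presentation. The watchlist, flow records,
hostnames and threshold are constructed for illustration; the external
addresses come from the RFC 5737 documentation ranges, not real C2.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed watchlist: destination networks a SOC treats as known C2
# infrastructure (in practice loaded from a threat-intelligence feed).
C2_WATCHLIST = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed outbound flow records, one per line:
# "<timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>"
SAMPLE_FLOWS = """\
2015-03-02T09:14:01 10.20.1.15 203.0.113.7 443 8421000
2015-03-02T09:14:05 10.20.1.15 203.0.113.7 443 7733000
2015-03-02T09:14:09 10.20.1.31 198.51.100.22 8080 5120000
2015-03-02T09:14:12 10.20.1.40 192.0.2.10 443 12000
2015-03-02T09:14:20 10.20.1.31 198.51.100.22 8080 6400000
2015-03-02T09:14:33 10.20.1.52 203.0.113.9 443 310000
2015-03-02T09:14:40 10.20.1.40 192.0.2.10 80 9000
"""


def parse_flow(line):
    """Split one flow record into typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "port": int(port), "bytes": int(nbytes)}


def is_watchlisted(dst):
    """True if the destination falls inside any watchlisted network."""
    return any(dst in net for net in C2_WATCHLIST)


def summarize_c2_traffic(log_text):
    """Aggregate flows to watchlisted destinations per internal source host.

    Returns {src_ip: {"bytes": total, "flows": count, "destinations": set}}.
    Hosts that never contacted a watchlisted address do not appear.
    """
    per_host = defaultdict(lambda: {"bytes": 0, "flows": 0, "destinations": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        if not is_watchlisted(rec["dst"]):
            continue
        entry = per_host[str(rec["src"])]
        entry["bytes"] += rec["bytes"]
        entry["flows"] += 1
        entry["destinations"].add(str(rec["dst"]))
    return dict(per_host)


def triage(summary, volume_threshold=1_000_000):
    """Split hosts into two queues (threshold is an assumed value).

    'contain': sustained high outbound volume to C2, the pattern that
    saturated the CU network in the case study; isolate these first.
    'investigate': any contact with C2 below the threshold; still a
    compromise indicator, handled next.
    """
    contain = sorted(h for h, e in summary.items() if e["bytes"] >= volume_threshold)
    investigate = sorted(h for h, e in summary.items() if e["bytes"] < volume_threshold)
    return contain, investigate


def block_targets(summary):
    """Destination addresses to deny at the egress firewall while hosts are cleaned."""
    return sorted({d for e in summary.values() for d in e["destinations"]})


if __name__ == "__main__":
    summary = summarize_c2_traffic(SAMPLE_FLOWS)
    contain, investigate = triage(summary)
    for host in contain:
        print(f"CONTAIN     {host}: {summary[host]['bytes']:>10} bytes to {sorted(summary[host]['destinations'])}")
    for host in investigate:
        print(f"INVESTIGATE {host}: {summary[host]['bytes']:>10} bytes to {sorted(summary[host]['destinations'])}")
    print("Egress block list:", block_targets(summary))
```

The host that only talks to the benign 192.0.2.10 address never enters the summary, which keeps the block list limited to watchlisted destinations and avoids the "causing further disruption" failure the principles slide warns about; the volume ranking puts the two hosts generating most of the outbound traffic ahead of the low-volume contact.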


  • REGULATION: EXECUTIVE ORDER 13636

    Definition of Critical Infrastructure:

    • Systems/assets so vital to the US that the incapacity or destruction of such systems/assets would have a debilitating impact on security, national economy, national public health or safety, or any combination thereof

    • The Cyber threat to critical infrastructure…represents one of the most serious national security challenges… to the national and economic security of the US.

    • Goal - Enhance the security and resilience of the nation’s critical infrastructure

    Timeline: Executive Order 13636 (2/2013)

  • FFIEC CYBER SECURITY ASSESSMENTS

    • NIST to lead the development of a framework to reduce cyber risk to critical infrastructure (the “Cybersecurity Framework”)

    Cybersecurity Framework functions:

    • Identify – Measure Risk and Develop a program

    • Protect – Implement controls to mitigate risk

    • Detect – Implement process to detect events

    • Respond – The Ability to respond/communicate

    • Recover – The Ability to recover and improve

  • FFIEC CYBER SECURITY ASSESSMENTS

    • Summer of 2014, FFIEC piloted new cyber security assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cyber risks

    • Integrated into regular IT Examination process:

    • Cyber Risk Management (IDENTIFY)

    • Cyber Security Controls (PROTECT/DETECT)

    • Threat Intelligence and Collaboration (DETECT)

    • Cyber Resilience (RESPOND/RECOVER)

    • External Dependency Management (VENDOR MGMT)

    Timeline: Executive Order 13636 (2/2013); FFIEC Cyber Assessments (6/2014)

  • FFIEC CYBER SECURITY ASSESSMENTS

    OBSERVATIONS AND RECOMMENDATIONS

    Cyber Risk Management

    • Set a “tone from the top”

    • BOD and management discussions

    • Ongoing employee training/testing including Social Engineering

    • Include BOD in training

    Cyber Security Controls

    • Deploy preventive, detective, and corrective procedures

    • Patching, encryption, limit user access

    • Intrusion detection/prevention, firewall alerting

    • Formal audit program with regular findings

    Cyber Resilience

    • Formal Incident response programs

    • Includes key phases of prepare, test and recover

    • Senior management and board incident reporting

    • Increase Information Sharing (FS-ISAC)

  • FFIEC CYBER-RESILIENCE GUIDELINES

    FFIEC added an appendix to its Business Continuity Booklet: "Strengthening the Resilience of Outsourced Technology Services"

    Cyber-Resilience - an organization's ability to withstand and recover from a cyber attack by minimizing the disruption or impact that attack has on its ability to conduct business

    The term was added to illustrate the changing threats and vulnerabilities financial institutions face

    Timeline: Executive Order 13636 (2/2013); FFIEC Cyber Assessments (6/2014); FFIEC Cyber Resilience (3/2015)

  • FFIEC CYBER-RESILIENCE GUIDELINES

    Incident Response

    Financial institutions and their service providers should anticipate potential cyber incidents and develop a framework to respond to these incidents.

    The financial institution and its TSPs should periodically update and test their incident response plan to ensure that it functions as intended, given the rapidly changing threat landscape.

    The financial institution and TSP should consider identifying and making advance arrangements for third-party forensic and incident management services.

  • NIST FRAMEWORK AND INCIDENT RESPONSE

    Identify – Protect – Detect – Respond – Recover

    • Most FIs have large gaps in their ability to respond to and recover from events

    • IR Today is what DR was in 2011

    • Most FIs have a DR plan but are missing any IR process

    • In a recent study of financial institutions, 83% were not prepared to handle an incident

  • THE FUTURE OF FFIEC EXAMINATIONS (WHAT TO EXPECT)

    Increased Board and C-Suite Involvement

    Participation in information-sharing group(s)

    Reviews of incident preparedness and response process

    Cyber security scenario testing w/ employees and BOD

    Increased oversight of third party service providers


  • NOT “IF”…BUT “WHEN”?

  • 8 GOALS OF INCIDENT RESPONSE

    1. Verify that an incident occurred

    2. Maintain or Restore Business Continuity

    3. Reduce the incident impact

    4. Determine the root cause of the incident

    5. Prevent future attacks or incidents

    6. Improve security and incident response

    7. Prosecute illegal activity

    8. Keep key stakeholders informed of the situation

  • SIX STEPS OF INCIDENT RESPONSE

    1. Preparation

    2. Identification and Scoping

    3. Response and Containment

    4. Eradication and Remediation

    5. Recovery

    6. Review and Update

    Practice – Train – Test

  • PREPARATION

  • DEVELOPING AN INCIDENT RESPONSE PLAN

    A comprehensive Incident Response plan should:

    • Assess the nature and severity of the event

    • Identify the potential impact of the event

    • Establish roles and responsibilities

    • Establish lines of communications regarding the event

    • Help you identify response team(s) to handle the event

    • Act as a launching point to initiate other plans (DR/BCP, Evacuation, etc.)

  • IDENTIFICATION AND SCOPING

  • INCIDENTS COME IN ALL SHAPES AND SIZES

    Confidentiality – Employee emails confidential data file to the wrong person; Loss of information confidentiality (data theft)

    Integrity – A file is detected to have unauthorized changes

    Theft – An employee’s work computer is stolen from their house

    Physical – A computer hard drive is destroyed in a fire

    Availability – An attack on the FI’s ebanking application leaves it unavailable for 24 hours; Misuse of services, information, or assets

    Malware – A system containing customer information is infected with crimeware

    Hack – An unauthorized criminal gains access to the internal network and systems

  • INCIDENT INDICATORS

    Tip-off from CERT

    Customer complaints

    Targeted phishing email

    Systems off-line

    Email with demands

    Alerts from monitoring tools

    Unexplained transaction

    Assumed insider

    Account lockouts

    Website defacement

    Data leaked on Internet

    Threat types: Cyber espionage, Cyber-enabled Fraud, Insider, Cyber extortion, Hacktivist

  • RESPONSE, REMEDIATION, RECOVERY

  • INCIDENT RESPONSE PRINCIPLES

    Integrate with the business – Communication through every department; everyone knows how to report incidents in a timely manner

    Maximize your preparation – The first time you are seeing the event should not be in a real scenario

    Keep pace with threats – The groups behind cyber attacks are constantly evolving, so incident response procedures need to be regularly reviewed and updated

    Don’t make things worse – Avoid alarming stakeholders, being noticed by the attacker, and causing further disruption

    Right first time – Minimize the chance of mistakes by using common protocols, scenario-based procedures, templates, and checklists

    Confirm remediation success – It’s critical to confirm that remediation has been successful and has met agreed criteria

  • REVIEW AND UPDATE

  • REVIEW AND MAINTENANCE

    Post Incident Reviews

    • Should be performed after any incident

    • Any lessons learned should be discussed

    • Plan improvements should be documented and incorporated into the next plan revision

    Plan Update Reviews

    • Plan owners should schedule periodic reviews to ensure that the document is up to date, and any improvements to ensure that the plan remains relevant (e.g., audits) should also be scheduled

  • MAINTENANCE: PRACTICE, TRAIN, TEST!

  • WHY PRACTICE YOUR PLAN?

    Plan Testing

    Critical to ensure that the Incident Response Plan is current and ready

    Periodic testing is advised to validate:

    1. The steps in the plan are relevant

    2. Team members are properly trained

    3. Team members understand their roles and responsibilities

    4. That all the participants, including senior management, can work together effectively under pressure

    5. That there is a reduced risk of a counterproductive response during the incident

    6. Involve any outsourced first responders in testing

  • TYPES OF INCIDENT TESTING

    GROUP WALK THROUGH

    Periodic reviews to ensure that the document is up to date and any improvements to ensure that the plan remains relevant (e.g. audits) should also be scheduled.

    TABLE TOP TESTS

    Key plan stakeholders gather to discuss a given scenario or simulated event. Focus on how the group would respond to the event as the scenario develops.

    WAR GAMES

    Usually performed in conjunction with a penetration test or other simulated hacking event. Real-life testing to determine how teams respond to realistic scenarios.


  • QUESTIONS?

    Tom Neclerio, Vice President Cyber Consulting, BAE Systems Applied Intelligence

    M: +1 954.873.6823 E: [email protected]
