Managing Financial Industry Threats Through Information Sharing
Transcription
Managing Financial Industry Threats Through Information Sharing and Analysis
Chip Wickenden, Vice President, FS-ISAC
April 5, 2016

Cyber Risk Evolution
DILBERT © 2005 Scott Adams. Used by permission of UNIVERSAL UCLICK. All rights reserved.
April 11, 2016 — FS-ISAC Confidential

Trend Micro Cyber Crime Study
• Cataloged 78 underground Russian forums, each with twenty thousand to hundreds of thousands of registered users
• Forums offer 38 types of cybercrime goods and services, including:
  - Distributed denial-of-service attacks
  - Spam
  - Social engineering services
  - Ransomware
  - Command-and-control services
  - Trojan malware
  - Rootkits
  - Anonymizing VPNs
Source: Trend Micro, http://www.trendmicro.com/vinfo/us/security/research-and-analysis

Malcode Infection Techniques
• Phishing: widespread email, lots of victims.
• Spearphishing: targeted email aimed at a few victims.
• Drive-by Download: the unintentional download of malicious software, typically from an infected reputable site, merely by visiting a page.
• Fake Anti-Virus Software: the user is alarmed with a false infection warning and tricked into downloading malware.
• WebInject: functionality that can be used to modify a web page on the infected end host.

Mid-sized Belgian Bank Loses $75 Million to BEC Scammers
• Mid-sized Belgian bank targeted in January 2016, lost over 70 million euros (around $75.8 million).
• Theft perpetrated by cybercriminals and discovered by internal audit.
• Belgian newspapers report the bank was a victim of CEO fraud (also called a BEC scam, Business Email Compromise).
• Two possible tactics: 1) compromise of the email system and the CEO's emails and calendar; or 2) spoofing of the CEO's email address (example: Xxxx@Belgianbank.co instead of Xxxx@Belgianbank.com). The BEC order included a reason why it should be executed immediately.
• Scammers counted on employees to execute the order.
• Due to capital reserves, the bank can sustain this loss.
• The bank has implemented additional security measures.
• Law enforcement agencies and security companies around the world have been warning businesses about BEC scams for over a year, but companies and some banks are still falling for it.
Source: Help Net Security, posted 1/26/2016

Information Sharing
ONE ORGANIZATION'S INCIDENT BECOMES THE INDUSTRY RESPONSE

Regulators Place Value on Info Sharing

FS-ISAC Key Membership Numbers
• FI Members Worldwide: 6800+
• Percentage US Banks: 80%+
• Countries Represented: 40
• Growth: 2022 FIs added in 2015; 223 FIs added so far in 2016
• Other Types of Members: Credit Unions, Card Brands, Broker Dealers, Insurance Companies, FS Sector Third Party Processors, FS Associations, Clearing Houses, Exchanges, Finance Companies
• Dues: depending on type of member, dues are based on assets or revenues, ranging from $250 to $50,000 per year

FS-ISAC Information Flow (diagram)
Information sources:
• Private sources: iSIGHT Partners (Info Sec), Secunia (Vulnerabilities), Wapack Labs (Malware Forensics), NC4 (Phy Sec Incidents), MSA (Phy Sec Analysis)
• Other Intel Agencies
• Government sources: Law Enforcement, FS Regulators, CERTs
• Cross sector sources: Cross Sector (other ISACs), Open Sources (Hundreds)
• Member Submissions
Processing: FS-ISAC 24x7 Security Operations Center
Member Communications: Information Security, Physical Security, Business Continuity/Disaster Response, Fraud Investigations, Payments/Risk Alerts

Information Sharing Tools
Threat Data, Information Sharing:
• Anonymous Submissions
• Cyber Intel Listserver
• Relevant/Actionable Cyber & Physical Alerts (Portal)
• Special Interest Group Email Listservers
• Threat Automation (Soltra Edge)
• Document Repository
• Member Contact Directory
• Member Surveys
• Risk Mitigation Toolkit
• Threat Viewpoints
Ongoing Engagement:
• Bi-weekly Threat Calls
• Emergency Member Calls
• Semi-Annual Member Meetings and Conferences
• Regional Outreach Program
• Bi-Weekly Educational Webinars
• Executive Communications
Readiness Exercises:
• Government Exercises
• Cyber Attack against Payment Processes (CAPP) Exercise
• Advanced Threat/DDoS Exercise
• Industry Exercise Program including 2016 CEO Exercises

Building Trust: The Traffic Light Protocol
RED
When should it be used? Sources may use FS-ISAC RED when the information's audience must be tightly controlled, because misuse of the information could lead to impacts on a party's privacy, reputation, or operations. The source must specify a target audience to which distribution is restricted.
How may it be shared? Recipients may not share FS-ISAC RED information with any parties outside of the original recipients.
AMBER
When should it be used? Sources may use FS-ISAC AMBER when information requires support to be effectively acted upon, but carries risk to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share FS-ISAC AMBER information with other FS-ISAC Members, staff in their own organization who need to know, or with service providers to mitigate risks to the member's organization if the providers are contractually obligated to protect the confidentiality of the information.
GREEN
When should it be used? Sources may use FS-ISAC GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community.
How may it be shared? Recipients may share FS-ISAC GREEN information with peers, trusted government and critical infrastructure partner organizations, and service providers with whom they have a contractual relationship, but not via publicly accessible channels.
WHITE
When should it be used? Sources may use FS-ISAC WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? FS-ISAC WHITE information may be distributed without restriction, subject to copyright controls.

Member Submissions via Portal
• Anonymous or Attributed
• Submission Types: Cyber Incident, Physical Incident, Member Notifications, Other Notifications (security services, etc.)

Circles of Trust
• Clearing House and Exchange Forum (CHEF)
• Payments Risk Council (PRC)
• Payments Processor Information Sharing Council (PPISC)
• Business Resilience Committee (BRC)
• Threat Intelligence Committee (TIC)
• Community Institution Council (CIC)
• Insurance Risk Council (IRC)
• Compliance and Audit Council (CAC)
• Cyber Intelligence Listserv
• Asset Manager Council
• Broker-Dealer Council
Sharing flow:
1) Member reports incident to Cyber Intel list, or via anonymous submission.
2) Members respond in real time with initial analysis and recommendations.
3) SOC completes analysis, anonymizes the source, and generates alert to general membership.

Types of Information Shared
Cyber Threats, Incidents, Vulnerabilities:
• Malicious Sites
• Threat Actors, Objectives
• Threat Indicators
• Tactics, Techniques, Procedures
• Courses of Action
• Exploit Targets
• Denial of Service Attacks
• Malicious Emails: Phishing/Spearphishing
• Software Vulnerabilities
• Malicious Software
• Analysis and risk mitigation
• Incident response
Physical Threats, Incidents:
• Terrorism
• Active Shooter
• Hurricanes
• Earthquakes
• Other meteorological events
• Geopolitical impacts
• Pandemic
• Type, location, severity
• Impact analysis and risk mitigation
• Business resilience preparation and incident response

Threat Automation: Soltra Edge

Threats (& Intelligence) Growing Fast

STIX Constructs
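The spoofed-domain tactic on the BEC slide (Belgianbank.co standing in for Belgianbank.com) and the STIX Constructs and Threat Automation slides describe two ends of one defensive loop: spotting a lookalike sender domain at the mail gateway, then sharing it as a structured indicator. The following is an added example and not code from the deck, FS-ISAC or Soltra. It flags sender domains that sit within one edit of an allowlisted executive domain, or that reuse its label under another TLD, and packages each hit as a STIX 2.1 Indicator in a Bundle. STIX 2.1 JSON is an assumption (Soltra Edge in 2016 exchanged STIX 1.x XML); the allowlist, the From: headers and every domain below are constructed samples.

```python
"""Flag lookalike sender domains and package each hit as a STIX 2.1 indicator.

Added example, not FS-ISAC's or Soltra's code. Assumes STIX 2.1 JSON
objects; the allowlist, sample From: headers and domains are constructed.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed allowlist: domains the organization's executives really send from.
LEGIT_DOMAINS = {"belgianbank.com"}

# Constructed sample From: headers, as a mail gateway would see them.
SAMPLE_HEADERS = [
    "CEO <ceo@belgianbank.com>",          # genuine
    "CEO <ceo@belgianbank.co>",           # truncated TLD, the deck's example
    "CEO <ceo@belgian-bank.com>",         # inserted hyphen
    "CEO <ceo@belgianbank.net>",          # same label, different TLD
    "Vendor <billing@supplier.example>",  # unrelated third party
]


def sender_domain(header: str) -> str:
    """Return the lower-cased domain part of a From: header, or '' if none."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header)
    return m.group(1).lower() if m else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(domain: str) -> str:
    """'legit' if allowlisted; 'lookalike' if within one edit of an allowlisted
    domain or sharing its label under another TLD; otherwise 'unrelated'."""
    if domain in LEGIT_DOMAINS:
        return "legit"
    for legit in LEGIT_DOMAINS:
        if edit_distance(domain, legit) <= 1:
            return "lookalike"
        if domain.rsplit(".", 1)[0] == legit.rsplit(".", 1)[0]:
            return "lookalike"
    return "unrelated"


def stix_indicator(domain: str, tlp: str = "amber") -> dict:
    """Minimal STIX 2.1 Indicator for a lookalike domain. TLP is carried as a
    label here for brevity; full STIX 2.1 uses marking-definition objects."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": f"Lookalike sender domain {domain}",
        "description": "Sender domain resembling an allowlisted executive domain "
                       "(constructed example for a BEC/CEO-fraud alert).",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[domain-name:value = '{domain}']",
        "pattern_type": "stix",
        "valid_from": now,
        "labels": [f"tlp:{tlp}"],
    }


def bundle_lookalikes(headers: list) -> dict:
    """Scan headers, keep each lookalike domain once, return a STIX 2.1 Bundle."""
    hits = dict.fromkeys(d for d in map(sender_domain, headers)
                         if classify(d) == "lookalike")
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": [stix_indicator(d) for d in hits],
    }


if __name__ == "__main__":
    print(json.dumps(bundle_lookalikes(SAMPLE_HEADERS), indent=2))
```

Run as a script, it prints a Bundle with three Indicators (belgianbank.co, belgian-bank.com, belgianbank.net) and leaves the genuine and unrelated senders alone. The one-edit threshold is deliberately tight: widening it catches more registered-lookalike domains but also starts flagging legitimate partners with short names, so in practice the threshold is tuned per allowlist entry rather than globally.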
Threat Intelligence Awareness to Action: Manual vs. Automated

Intelligence-Driven Community Defense

Trustwave's List of 7 Deadly Employee Sins
1) Pathetic Passwords: The most common corporate password is "Password1" because it meets the minimum complexity requirements. In 15% of physical security tests, written passwords were found on and around user workstations.
2) Peeping ROM: 71% of workers sneak a peek at a co-worker's or stranger's workstation. One in three workers leaves their computer logged on when they are away from their desk.
3) USB Stick Up: 60% of users who find random USB sticks in a parking lot will plug them into their computers; if those sticks include a company logo, the number increases to 90%.
4) Phish Biting: 69% of phishing messages get past spam filters; 27% of IT organizations have users who have fallen for malicious e-mail attacks.
5) Reckless Abandon: 70% of users do not password-protect their smartphones, and 89% of people who find lost cell phones rummage through the digital contents.
6) Hooking up with Another Man's WiFi: By 2015, the number of WiFi hotspot deployments will increase 350%, but currently only 18% of users use a VPN tool when accessing public WiFi.
7) A Little Too Social: 67% of young workers think corporate social media policies are outdated, and 70% regularly ignore IT policies. Just over half (52%) of enterprises have seen an increase in malware infections due to employees' use of social media.
Source: https://www.trustwave.com/home/

Contact Information
• Bill Nelson - President & CEO - bnelson@fsisac.us
• John Carlson - Chief of Staff - jcarlson@fsisac.us
• Eric Guerrino - EVP Operations - eguerrino@fsisac.us
• Brian Tishuk - General Counsel - btishuk@fsisac.us
• Kris Herrin - SVP, Global Operations - kherrin@fsisac.us
• Robin Fantin - SVP Marketing - rfantin@fsisac.us
• Cindy Donaldson - SVP, COO Sector Services - cdonaldson@fsisac.us
• Kristi Horton - Chief Intelligence Officer - khorton@fsisac.us
• Chip Wickenden - VP, Sector Services - cwickenden@fsisac.com
• Beth Hubbard - Director, Member Services - bhubbard@fsisac.us
• Charles Bretz - Director, Payment Services - cbretz@fsisac.us
• Rick Lacafta - Director, Summits, CAC, IRC - rlacafta@fsisac.us
• Susan Rogers - Director, Business Resiliency - srogers@fsisac.us
• Jeffrey Korte - Director, Community Institution Council - jkorte@fsisac.us
• Member Services (non-critical inquiries) - members@fsisac.us
www.fsisac.com