HITRUST Monthly Briefing May 2016
Transcription
HITRUST Monthly Briefing May 2016
Monthly Cyber Threat Briefing May 2016 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 1 © 2016 HITRUST Alliance. All Rights Reserved. Presenters • US-CERT: Majed Oweis, CISCP Analyst • Armor: Charity Willhoite, Intelligence Analyst • Trend Micro: Elie Nasrallah, CISSP, Business Development Manager • Anomali: Ryan Clough, Security Engineer • HITRUST: Eric Moriak, Manager – Assurance Services 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 2 © 2016 HITRUST Alliance. All Rights Reserved. NCCIC/US-CERT REPORT 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 3 © 2016 HITRUST Alliance. All Rights Reserved. TLP: GREEN – JAR-16-20094 – Vulnerabilities and Post-Exploitation Indicators of Compromise (IOCs) for an Advanced Cyber Threat • Collaborative effort between DHS/NCCIC/US-CERT and the FBI. • Based on information obtained by DHS and the FBI regarding advanced cyber threat actors targeting sensitive information stored on U.S. commercial and government networks. • Provide TTPs used by threat actors in these instances. • Include indicators of compromise (IOCs), YARA rules and references to CVEs for use in computer network defense (CND). 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 4 © 2016 HITRUST Alliance. All Rights Reserved. TLP: GREEN – JAR-16-20094 Summary • Compromises against U.S. commercial and government networks accomplished through vulnerabilities described in CVEs listed in the JAR. Citing of older CVEs demonstrate that older vulnerabilities continue to be exploited. • Spear phishing was also identified as a vector to compromise systems. • The compromises were identified as intended to build infrastructure for follow-on activity. • CVEs and file indicators are included. • Mitigation strategies are included. • Located on the US-CERT Portal at https://portal.us-cert.gov/documents/70338/108826/JAR-16-20094/ba070d96e7c3-44e4-8ae3-7135fa149855 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 5 © 2016 HITRUST Alliance. All Rights Reserved. Questions? Comments? Contact US-CERT at: • Email: soc@us-cert.gov • Phone: 1-888-282-0870 • Website: www.us-cert.gov Contact CISCP at: CISCP@us-cert.gov 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 6 © 2016 HITRUST Alliance. All Rights Reserved. Top Threat Trends and Defenses ARMOR 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 7 © 2016 HITRUST Alliance. All Rights Reserved. Top Vulnerability Exploits NAME HITS RISK SCORE FIRST SEEN RELATED TECH CVE-2016-4117 969 10/10 Critical 4/24/16 Adobe Flash Player 21.0.0.226 and earlier versions on Windows, MacOS X, Linux, Chrome CVE-2016-0167 159 7.2/10 High 4/10/16 Flash RCE, Microsoft Windows, Microsoft, Windows 7, Windows Vista SP2 CVE-2016-0189 149 7.6/10 High 5/8/16 Microsoft IE 9,10,11, Symantec, Microsoft Windows CVE-2016-3714 38 10/10 Critical 5/3/16 ImageMagick before 6.9.3-10, 7.x before 7.0.1-1 Action Items: • Adobe: http://blogs.adobe.com/psirt/ • Microsoft patch batch: https://technet.microsoft.com/en-us/library/security/ms16-may • Recommendation: Uninstall ImageMagick or go to site for patches: https://www.imagemagick.org/ 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 8 © 2016 HITRUST Alliance. All Rights Reserved. Top Emerging Malware Entities NAME HITS RELATED TECH Bucbi 410 Palo Alto Networks, Remote Desktop Protocol, Microsoft Windows, http, RDP CryptXXX 2[.]0 213 Personal Computer, CryptXXX, CryptoTorLocker2015, Trojan-Ransom.Win32.CryptXXX… Punchbuggy 100+ Punchtrack, MS Windows, MS Word, CVE-2016-0167 Alpha 71 NMRX, ImageWare Systems, iTunes, Atlassian Inc., Encryption Action Items: • Preserve your data: Frequent data backups! • Frequent updates: Patch now—and often! • Security Awareness: Don’t click on attachments and links you don’t recognize! 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 9 © 2016 HITRUST Alliance. All Rights Reserved. Top US Healthcare Targets: April – May 2016 Organization Individuals Impacted Type of Breach Ohio Department of Mental Health and Addiction Services 59,000 Unauthorized Access/Disclosure Mayfield Clinic Inc 23,341 Hacking/IT Incident Northstar Healthcare Acquisitions LLC 19,898 Theft (Laptop) Pain Treatment Centers of America 19,397 Hacking/IT Incident (Network Server) OptumRx, Inc. 6,229 Theft (Laptop) Children's National Medical Center 4,107 Unauthorized Disclosure/Access (Network Server) RMA Medical Centers of Florida 3,906 Theft (Latptop) BioReference Laboratories, Inc 3,563 Unauthorized Disclosure/Access Wyoming Medical Center 3,184 Hacking/IT Incident (Email) Vail Valley Medical Center, and dba Howard Head Sports Medicine 3,118 Unauthorized Disclosure/Access (Laptop, Network Server) Note: Physical security is just as important as network security and defense 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 10 © 2016 HITRUST Alliance. All Rights Reserved. The Breach Epidemic in Healthcare Today The Problem: • Over 100 million healthcare records compromised last year • Healthcare data breaches cost $6.2 Billion per year • 290 public disclosures of major health data breaches in the US over the past 2 years 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net Best Practices: • Awareness training for employees • Enforce mobile device policies • Practice regular data risk assessments • Enforce a least-privilege data access model 11 © 2016 HITRUST Alliance. All Rights Reserved. Action Items for This Month § § § Backup data Patch often Conduct awareness training http://blogs.adobe.com/psirt/ https://technet.microsoft.com/en-us/ library/security/ms16-may § Keep your employees informed and educated on the threat § Enforce a mobile device policy § Conduct risk assessments—and act on them § Enforce least-privilege policies in your organization 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 12 © 2016 HITRUST Alliance. All Rights Reserved. Case Study Hospital – Sandboxing Effectiveness TREND MICRO 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 13 © 2016 HITRUST Alliance. All Rights Reserved. Hospital Case Study • During the trial period, this hospital had a Firewall and Web gateway as well as AV on endpoints. • Detected threats coming over email, web, file shares etc. – Threats were multi-staged and multi-flow – Threats went undetected by traditional defenses 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 14 © 2016 HITRUST Alliance. All Rights Reserved. Extractsdataofinterest–can goundetectedformonths! Gathersintelligenceabout organiza8onandindividuals A@ackers Targetsindividuals usingsocialengineering $$$$ Establisheslinkto Command&Controlserver Moveslaterallyacrossnetwork seekingvaluabledata Employees Targeteda@acksaresocial,stealthy,sophis8cated 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 15 © 2016 HITRUST Alliance. All Rights Reserved. Pre-Sandboxing with Conventional Security • A few employees are targeted and receive Spear Phishing email – PDF/Office Docs go through AV undetected – URL in message is not on a Blacklist • Customer gets infected and no one knows – Infected machine calls back to C&C servers and start harvesting data 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 16 © 2016 HITRUST Alliance. All Rights Reserved. Scenario with Sandbox • Employees are targeted and receive Spear Phishing email – PDF/Office Docs go undetected through AV but object is sent to Deep Discovery’s Advanced Heuristics and Sandbox – It is flagged as High Risk – Sandbox analysis reveals IOC – IP, URL and Domain are sent to other layers – Firewall blocks a C&C attempt from an Employee Laptop that just came back to the office 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 17 © 2016 HITRUST Alliance. All Rights Reserved. Sandbox Effectiveness • Timer Evasion • Human Interaction Detection • CPUID Detection • • • • • Driver Detection BIOS/License Code Detection Network Address Detection Virtual Device Detection Hypervisor Detection 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 18 © 2016 HITRUST Alliance. All Rights Reserved. Custom Sandboxing: Most Effective Anti Evasion Offers the unique ability for customers to import their own system images as the basis for virtual analysis. Benefit: • Mimics real life customer environment • Customer supplied OS language • Customer supplied applications • Corporate IT customizations • Patching level to match customer environment All of which contributes in more custom threat detonation and accurate detections! 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 19 © 2016 HITRUST Alliance. All Rights Reserved. Top Sandbox Detections • Download_abirir_arquivos_anexos179381551.zip • 8737219a68-1dba-4835-8e29-170253f9e3ab.MSI • Spotify_installar-1.0.16.104.g3b776ce-267.exe • 2015019118005.exe • Setup.exe • CC Proxy 8 keygen is here latest.rar • Installer_win.exe 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 20 © 2016 HITRUST Alliance. All Rights Reserved. Top Threats Detected Exclusively by Sandbox • Download_abirir_arquivos_anexos179381551.zip • 8737219a68-1dba-4835-8e29-170253f9e3ab.MSI • Spotify_installar-1.0.16.104.g3b776ce-267.exe • 2015019118005.exe • Setup.exe • CC Proxy 8 keygen is here latest.rar • Installer_win.exe 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 21 © 2016 HITRUST Alliance. All Rights Reserved. Detected Known Malware Threats 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 22 © 2016 HITRUST Alliance. All Rights Reserved. Evasive Threats Originate Everywhere Spear-phishing Longlining Malvertising Personal webmail USB infection How they bypass static security ? • Exploit : 0-days, fresh or old vulnerabilities • Malicious macro document • Script malware (VBS, PowerShell, Ruby…) • Daily custom binary (C, AutoIT, VB NET…) • And many more (JS, Java…) « 99 % of unique malware will infect less than 10 hosts » 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 23 © 2016 HITRUST Alliance. All Rights Reserved. Sandbox Functionality Compared to common sandboxes, we greatly enhanced the detection on exploit. An effective sandbox should have three-layer analysis: On Feb 1st 2015, we were the first to detect a Flash 0 Day without any update. Most Sandbox were evaded 1. script behavior (emulator) 2. shell-code behavior 3. payload behavior In addition to analyzing the exploit, it’ll analyze payloads in three layers, but also gets more completed script behavior by emulation. This strength helps us to detect zero-days without engine/pattern updates. 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 24 © 2016 HITRUST Alliance. All Rights Reserved. Compromised Credentials Overview ANOMALI 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 25 © 2016 HITRUST Alliance. All Rights Reserved. Overview: • State of “Credential Dumps” • Where are “Credential Dumps” coming from? • Motivations • Observed Trends • Mitigation techniques 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 26 © 2016 HITRUST Alliance. All Rights Reserved. State of “Credential Dumps” h@p://techcrunch.com/2016/04/25/hundreds-of-spo8fy-creden8als-appear-online-users-report-accounts-hacked-emails-changed/ h@p://www.mirror.co.uk/tech/facebook-hacked-security-researcher-stumbles-7829312 h@p://arstechnica.com/tech-policy/2016/02/irs-website-a@ack-nets-e-filing-creden8als-for-101000-taxpayers/ 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 27 © 2016 HITRUST Alliance. All Rights Reserved. State of “Credential Dumps” “63% of confirmed data breaches involved weak, default or stolen passwords.” Page 20, 2016 Verizon Data Breach Investigations Report 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 28 © 2016 HITRUST Alliance. All Rights Reserved. Where are “Credential Dumps” coming from? • Paste Sites – Pastebin – Ghostbin – Pastie – etc... • Virustotal • “Dark Web” • Anonymous File sharing sites – Mega 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 29 © 2016 HITRUST Alliance. All Rights Reserved. Motivations • Financial • Credibility • Initial attack vector • Victim Embarrassment • Password reuse – Lateral Movement – Account Takeovers 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 30 © 2016 HITRUST Alliance. All Rights Reserved. Observed Trends Unique Credentials/Day, past 6 months 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 31 © 2016 HITRUST Alliance. All Rights Reserved. Observed Trends Credentials by Industry Vertical, past 6 months 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 32 © 2016 HITRUST Alliance. All Rights Reserved. Observed Trends Interesting frequently reused accounts • • • test@test.com a@a.com aa@aa.com • • • • a@b.com 1@1.com xx@xx.com xyz@gmail.com 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 33 © 2016 HITRUST Alliance. All Rights Reserved. Mitigation Techniques Easy • Implement MFA where possible • Strong password policy • Automate actions when matching credentials are found for your users Hard • Static authentication techniques can not be trusted • Change in mindset, accounts are already compromised 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 34 © 2016 HITRUST Alliance. All Rights Reserved. CSF Controls Related to Threats HITRUST 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 35 © 2016 HITRUST Alliance. All Rights Reserved. CSF Controls Related to Threats CSF Control for Compromised Credentials (Credential Dumps) • Control Reference: 01.f Password Use – Control Text: Users shall be made aware of their responsibilities for maintaining effective access controls and shall be required to follow good security practices in the selection and use of passwords and security of equipment – Implementation Requirement: Users are made aware of the organization’s password policies and requirements to keep passwords confidential, select quality passwords, use unique passwords, not provide their password to any one for any reason, and change passwords when there is suspected compromise. 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 36 © 2016 HITRUST Alliance. All Rights Reserved. CSF Controls Related to Threats CSF Control for Compromised Credentials (credential dumps) • Control Reference: 01.j User Authentication for External Connections – Control Text: Appropriate authentication methods shall be used to control access by remote users. – Implementation Requirement: Remote users shall be authenticated by use of a password/passphrase and at least one of the following: Certificate, Challenge/Response, Software Token, Hardware Token, Cryptographic or Biometric Technique 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 37 © 2016 HITRUST Alliance. All Rights Reserved. CSF Controls Related to Threats CSF Control for Compromised Credentials (Credential Dumps) • Control Reference: 01.f Password Use – Control Text: Users shall be made aware of their responsibilities for maintaining effective access controls and shall be required to follow good security practices in the selection and use of passwords and security of equipment – Implementation Requirement: Users are made aware of the organization’s password policies and requirements to keep passwords confidential, select quality passwords, use unique passwords, not provide their password to any one for any reason, and change passwords when there is suspected compromise. 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 38 © 2016 HITRUST Alliance. All Rights Reserved. CSF Controls Related to Threats CSF Control for reducing Command and Control functions of malicious logic • Control Reference: *01.i Policy on the Use of Network Services – Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment. – Implementation Requirement: The organization shall specify the networks and network services to which users are authorized access. 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 39 © 2016 HITRUST Alliance. All Rights Reserved. CSF Controls Related to Threats CSF Control for Monitoring System Use (network monitoring) • Control Reference: *09.ab Monitoring System Use – Control Text: Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly. – Implementation Requirement: The organization shall employ automated tools to support near real-time analysis of events and maintain an audit log to track prohibited sources and services. Inbound and outbound communications shall be monitored at an organization-defined frequency for unusual or unauthorized activities or conditions. 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 40 © 2016 HITRUST Alliance. All Rights Reserved. CSF Controls Related to Threats CSF Control for Vulnerability Patching (Top Exploits) • Control Reference: *10.m Control of technical vulnerabilities – Control Text: Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk – Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls. 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 41 © 2016 HITRUST Alliance. All Rights Reserved. QUESTIONS? 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 42 © 2016 HITRUST Alliance. All Rights Reserved. Visit www.HITRUSTAlliance.net for more information To view our latest documents, visit the Content Spotlight 855.HITRUST (855.448.7878) www.HITRUSTAlliance.net 43 © 2016 HITRUST Alliance. All Rights Reserved.
Similar documents
Monthly Cyber Threat Briefing July 2016
© 2016 HITRUST Alliance. All Rights Reserved.
More information