HITRUST Monthly Briefing May 2016

Transcription

HITRUST Monthly Briefing May 2016
Monthly
Cyber Threat
Briefing
May 2016
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
1
© 2016 HITRUST Alliance. All Rights Reserved.
Presenters
• US-CERT: Majed Oweis, CISCP Analyst
• Armor: Charity Willhoite, Intelligence Analyst
• Trend Micro: Elie Nasrallah, CISSP, Business Development Manager
• Anomali: Ryan Clough, Security Engineer
• HITRUST: Eric Moriak, Manager – Assurance Services
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
2
© 2016 HITRUST Alliance. All Rights Reserved.
NCCIC/US-CERT REPORT
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
3
© 2016 HITRUST Alliance. All Rights Reserved.
TLP: GREEN – JAR-16-20094 – Vulnerabilities and Post-Exploitation
Indicators of Compromise (IOCs) for an Advanced Cyber Threat
• Collaborative effort between DHS/NCCIC/US-CERT and the FBI.
• Based on information obtained by DHS and the FBI regarding
advanced cyber threat actors targeting sensitive information stored on
U.S. commercial and government networks.
• Provide TTPs used by threat actors in these instances.
• Include indicators of compromise (IOCs), YARA rules and references
to CVEs for use in computer network defense (CND).
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
4
© 2016 HITRUST Alliance. All Rights Reserved.
TLP: GREEN – JAR-16-20094 Summary
• Compromises against U.S. commercial and government networks accomplished
through vulnerabilities described in CVEs listed in the JAR. Citing of older CVEs
demonstrate that older vulnerabilities continue to be exploited.
• Spear phishing was also identified as a vector to compromise systems.
• The compromises were identified as intended to build infrastructure for follow-on
activity.
• CVEs and file indicators are included.
• Mitigation strategies are included.
• Located on the US-CERT Portal at
https://portal.us-cert.gov/documents/70338/108826/JAR-16-20094/ba070d96e7c3-44e4-8ae3-7135fa149855
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
5
© 2016 HITRUST Alliance. All Rights Reserved.
Questions? Comments?
Contact US-CERT at:
• Email: soc@us-cert.gov
• Phone: 1-888-282-0870
• Website: www.us-cert.gov
Contact CISCP at: CISCP@us-cert.gov
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
6
© 2016 HITRUST Alliance. All Rights Reserved.
Top Threat Trends and Defenses
ARMOR
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
7
© 2016 HITRUST Alliance. All Rights Reserved.
Top Vulnerability Exploits
NAME
HITS
RISK SCORE
FIRST SEEN
RELATED TECH
CVE-2016-4117
969
10/10 Critical
4/24/16
Adobe Flash Player 21.0.0.226 and earlier versions on Windows, MacOS X, Linux, Chrome
CVE-2016-0167
159
7.2/10 High
4/10/16
Flash RCE, Microsoft Windows, Microsoft, Windows 7, Windows Vista SP2
CVE-2016-0189
149
7.6/10 High
5/8/16
Microsoft IE 9,10,11, Symantec, Microsoft Windows
CVE-2016-3714
38
10/10 Critical
5/3/16
ImageMagick before 6.9.3-10, 7.x before 7.0.1-1
Action Items:
• Adobe: http://blogs.adobe.com/psirt/
• Microsoft patch batch: https://technet.microsoft.com/en-us/library/security/ms16-may
• Recommendation: Uninstall ImageMagick or go to site for patches: https://www.imagemagick.org/
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
8
© 2016 HITRUST Alliance. All Rights Reserved.
Top Emerging Malware Entities
NAME
HITS
RELATED TECH
Bucbi
410
Palo Alto Networks, Remote Desktop Protocol, Microsoft Windows, http, RDP
CryptXXX 2[.]0
213
Personal Computer, CryptXXX, CryptoTorLocker2015, Trojan-Ransom.Win32.CryptXXX…
Punchbuggy
100+
Punchtrack, MS Windows, MS Word, CVE-2016-0167
Alpha
71
NMRX, ImageWare Systems, iTunes, Atlassian Inc., Encryption
Action Items:
• Preserve your data: Frequent data backups!
• Frequent updates: Patch now—and often!
• Security Awareness: Don’t click on attachments and links you don’t recognize!
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
9
© 2016 HITRUST Alliance. All Rights Reserved.
Top US Healthcare Targets: April – May 2016
Organization
Individuals Impacted
Type of Breach
Ohio Department of Mental Health and Addiction Services
59,000
Unauthorized Access/Disclosure
Mayfield Clinic Inc
23,341
Hacking/IT Incident
Northstar Healthcare Acquisitions LLC
19,898
Theft (Laptop)
Pain Treatment Centers of America
19,397
Hacking/IT Incident (Network Server)
OptumRx, Inc.
6,229
Theft (Laptop)
Children's National Medical Center
4,107
Unauthorized Disclosure/Access (Network Server)
RMA Medical Centers of Florida
3,906
Theft (Latptop)
BioReference Laboratories, Inc
3,563
Unauthorized Disclosure/Access
Wyoming Medical Center
3,184
Hacking/IT Incident (Email)
Vail Valley Medical Center, and dba Howard Head Sports Medicine
3,118
Unauthorized Disclosure/Access (Laptop, Network
Server)
Note: Physical security is just as important as network security and defense
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
10
© 2016 HITRUST Alliance. All Rights Reserved.
The Breach Epidemic in Healthcare Today
The Problem:
• Over 100 million healthcare
records compromised last year
• Healthcare data breaches cost
$6.2 Billion per year
• 290 public disclosures of
major health data breaches in
the US over the past 2 years
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
Best Practices:
• Awareness training for
employees
• Enforce mobile device
policies
• Practice regular data risk
assessments
• Enforce a least-privilege
data access model
11
© 2016 HITRUST Alliance. All Rights Reserved.
Action Items for This Month
§ § § Backup data
Patch often
Conduct awareness
training
http://blogs.adobe.com/psirt/
https://technet.microsoft.com/en-us/
library/security/ms16-may
§ Keep your employees informed
and educated on the threat
§ Enforce a mobile device policy
§ Conduct risk assessments—and
act on them
§ Enforce least-privilege policies in
your organization
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
12
© 2016 HITRUST Alliance. All Rights Reserved.
Case Study Hospital – Sandboxing Effectiveness
TREND MICRO
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
13
© 2016 HITRUST Alliance. All Rights Reserved.
Hospital Case Study
• During the trial period, this hospital had a Firewall
and Web gateway as well as AV on endpoints.
• Detected threats coming over email, web, file
shares etc.
– Threats were multi-staged and multi-flow
– Threats went undetected by traditional defenses
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
14
© 2016 HITRUST Alliance. All Rights Reserved.
Extractsdataofinterest–can
goundetectedformonths!
Gathersintelligenceabout
organiza8onandindividuals
A@ackers
Targetsindividuals
usingsocialengineering
$$$$
Establisheslinkto
Command&Controlserver
Moveslaterallyacrossnetwork
seekingvaluabledata
Employees
Targeteda@acksaresocial,stealthy,sophis8cated
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
15
© 2016 HITRUST Alliance. All Rights Reserved.
Pre-Sandboxing with Conventional Security
• A few employees are targeted and receive Spear
Phishing email
– PDF/Office Docs go through AV undetected
– URL in message is not on a Blacklist
• Customer gets infected and no one knows
– Infected machine calls back to C&C servers and start
harvesting data
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
16
© 2016 HITRUST Alliance. All Rights Reserved.
Scenario with Sandbox
• Employees are targeted and receive Spear Phishing email
– PDF/Office Docs go undetected through AV but object is sent to
Deep Discovery’s Advanced Heuristics and Sandbox – It is
flagged as High Risk
– Sandbox analysis reveals IOC
– IP, URL and Domain are sent to other layers
– Firewall blocks a C&C attempt from an Employee Laptop that just
came back to the office
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
17
© 2016 HITRUST Alliance. All Rights Reserved.
Sandbox Effectiveness
• Timer Evasion
• Human Interaction Detection
• CPUID Detection
• • • • • Driver Detection
BIOS/License Code Detection
Network Address Detection
Virtual Device Detection
Hypervisor Detection
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
18
© 2016 HITRUST Alliance. All Rights Reserved.
Custom Sandboxing: Most Effective Anti Evasion
Offers the unique ability for customers to import their own system images as the basis for
virtual analysis.
Benefit:
• Mimics real life customer environment
• Customer supplied OS language
• Customer supplied applications
• Corporate IT customizations
• Patching level to match customer environment
All of which contributes in more custom threat detonation and accurate detections!
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
19
© 2016 HITRUST Alliance. All Rights Reserved.
Top Sandbox Detections
• Download_abirir_arquivos_anexos179381551.zip
• 8737219a68-1dba-4835-8e29-170253f9e3ab.MSI
• Spotify_installar-1.0.16.104.g3b776ce-267.exe
• 2015019118005.exe
• Setup.exe
• CC Proxy 8 keygen is here latest.rar
• Installer_win.exe
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
20
© 2016 HITRUST Alliance. All Rights Reserved.
Top Threats Detected Exclusively by Sandbox
• Download_abirir_arquivos_anexos179381551.zip
• 8737219a68-1dba-4835-8e29-170253f9e3ab.MSI
• Spotify_installar-1.0.16.104.g3b776ce-267.exe
• 2015019118005.exe
• Setup.exe
• CC Proxy 8 keygen is here latest.rar
• Installer_win.exe
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
21
© 2016 HITRUST Alliance. All Rights Reserved.
Detected Known Malware Threats
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
22
© 2016 HITRUST Alliance. All Rights Reserved.
Evasive Threats Originate Everywhere
Spear-phishing
Longlining
Malvertising
Personal webmail
USB infection
How they bypass static security ?
• Exploit : 0-days, fresh or old vulnerabilities
• Malicious macro document
• Script malware (VBS, PowerShell, Ruby…)
• Daily custom binary (C, AutoIT, VB NET…)
• And many more (JS, Java…)
« 99 % of unique malware will infect less than 10 hosts »
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
23
© 2016 HITRUST Alliance. All Rights Reserved.
Sandbox Functionality
Compared to common
sandboxes, we greatly
enhanced the detection on
exploit. An effective sandbox
should have three-layer
analysis:
On Feb 1st 2015, we were the first to detect a
Flash 0 Day without any update. Most Sandbox
were evaded
1. script behavior (emulator)
2. shell-code behavior
3. payload behavior
In addition to analyzing the
exploit, it’ll analyze payloads in
three layers, but also gets more
completed script behavior by
emulation. This strength helps
us to detect zero-days without
engine/pattern updates.
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
24
© 2016 HITRUST Alliance. All Rights Reserved.
Compromised Credentials Overview
ANOMALI
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
25
© 2016 HITRUST Alliance. All Rights Reserved.
Overview:
• State of “Credential Dumps”
• Where are “Credential Dumps” coming from?
• Motivations
• Observed Trends
• Mitigation techniques
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
26
© 2016 HITRUST Alliance. All Rights Reserved.
State of “Credential Dumps”
h@p://techcrunch.com/2016/04/25/hundreds-of-spo8fy-creden8als-appear-online-users-report-accounts-hacked-emails-changed/
h@p://www.mirror.co.uk/tech/facebook-hacked-security-researcher-stumbles-7829312
h@p://arstechnica.com/tech-policy/2016/02/irs-website-a@ack-nets-e-filing-creden8als-for-101000-taxpayers/
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
27
© 2016 HITRUST Alliance. All Rights Reserved.
State of “Credential Dumps”
“63% of confirmed data
breaches involved weak,
default or stolen passwords.”
Page 20, 2016 Verizon Data Breach Investigations Report
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
28
© 2016 HITRUST Alliance. All Rights Reserved.
Where are “Credential Dumps” coming from?
• Paste Sites
– Pastebin
– Ghostbin
– Pastie
– etc...
• Virustotal
• “Dark Web”
• Anonymous File sharing sites
– Mega
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
29
© 2016 HITRUST Alliance. All Rights Reserved.
Motivations
• Financial
• Credibility
• Initial attack vector
• Victim Embarrassment
• Password reuse
– Lateral Movement
– Account Takeovers
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
30
© 2016 HITRUST Alliance. All Rights Reserved.
Observed Trends
Unique Credentials/Day, past 6 months
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
31
© 2016 HITRUST Alliance. All Rights Reserved.
Observed Trends
Credentials by Industry Vertical, past 6 months
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
32
© 2016 HITRUST Alliance. All Rights Reserved.
Observed Trends
Interesting frequently reused accounts
• • • test@test.com
a@a.com
aa@aa.com
• • • • a@b.com
1@1.com
xx@xx.com
xyz@gmail.com
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
33
© 2016 HITRUST Alliance. All Rights Reserved.
Mitigation Techniques
Easy
• Implement MFA where possible
• Strong password policy
• Automate actions when matching credentials are found for your users
Hard
• Static authentication techniques can not be trusted
• Change in mindset, accounts are already compromised
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
34
© 2016 HITRUST Alliance. All Rights Reserved.
CSF Controls Related to Threats
HITRUST
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
35
© 2016 HITRUST Alliance. All Rights Reserved.
CSF Controls Related to Threats
CSF Control for Compromised Credentials (Credential Dumps)
• Control Reference: 01.f Password Use
– Control Text: Users shall be made aware of their responsibilities for
maintaining effective access controls and shall be required to follow good
security practices in the selection and use of passwords and security of
equipment
– Implementation Requirement: Users are made aware of the organization’s
password policies and requirements to keep passwords confidential, select
quality passwords, use unique passwords, not provide their password to any
one for any reason, and change passwords when there is suspected
compromise.
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
36
© 2016 HITRUST Alliance. All Rights Reserved.
CSF Controls Related to Threats
CSF Control for Compromised Credentials (credential dumps)
• Control Reference: 01.j User Authentication for External
Connections
– Control Text: Appropriate authentication methods shall be used to control
access by remote users.
– Implementation Requirement: Remote users shall be authenticated by use
of a password/passphrase and at least one of the following: Certificate,
Challenge/Response, Software Token, Hardware Token, Cryptographic or
Biometric Technique
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
37
© 2016 HITRUST Alliance. All Rights Reserved.
CSF Controls Related to Threats
CSF Control for Compromised Credentials (Credential Dumps)
• Control Reference: 01.f Password Use
– Control Text: Users shall be made aware of their responsibilities for
maintaining effective access controls and shall be required to follow good
security practices in the selection and use of passwords and security of
equipment
– Implementation Requirement: Users are made aware of the organization’s
password policies and requirements to keep passwords confidential, select
quality passwords, use unique passwords, not provide their password to any
one for any reason, and change passwords when there is suspected
compromise.
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
38
© 2016 HITRUST Alliance. All Rights Reserved.
CSF Controls Related to Threats
CSF Control for reducing Command and Control functions of
malicious logic
• Control Reference: *01.i Policy on the Use of Network Services
– Control Text: Users shall only be provided access to internal and external
network services that they have been specifically authorized to use.
Authentication and authorization mechanisms shall be applied to users and
equipment.
– Implementation Requirement: The organization shall specify the networks
and network services to which users are authorized access.
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
39
© 2016 HITRUST Alliance. All Rights Reserved.
CSF Controls Related to Threats
CSF Control for Monitoring System Use (network monitoring)
• Control Reference: *09.ab Monitoring System Use
– Control Text: Procedures for monitoring use of information processing
systems and facilities shall be established to check for use and effectiveness
of implemented controls. The results of the monitoring activities shall be
reviewed regularly.
– Implementation Requirement: The organization shall employ automated
tools to support near real-time analysis of events and maintain an audit log to
track prohibited sources and services. Inbound and outbound
communications shall be monitored at an organization-defined frequency for
unusual or unauthorized activities or conditions.
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
40
© 2016 HITRUST Alliance. All Rights Reserved.
CSF Controls Related to Threats
CSF Control for Vulnerability Patching (Top Exploits)
• Control Reference: *10.m Control of technical vulnerabilities
– Control Text: Timely information about technical vulnerabilities of systems being used
shall be obtained; the organization's exposure to such vulnerabilities evaluated; and
appropriate measures taken to address the associated risk
– Implementation Requirement: Specific information needed to support technical
vulnerability management includes the software vendor, version numbers, current state
of deployment (e.g. what software is installed on what systems) and the person(s) within
Appropriate, timely action shall be taken in response to the identification of potential
technical vulnerabilities. Once a potential technical vulnerability has been identified, the
organization shall identify the associated risks and the actions to be taken. Such action
shall involve patching of vulnerable systems and/or applying other controls.
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
41
© 2016 HITRUST Alliance. All Rights Reserved.
QUESTIONS?
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
42
© 2016 HITRUST Alliance. All Rights Reserved.
Visit www.HITRUSTAlliance.net for more information
To view our latest documents, visit the
Content Spotlight
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
43
© 2016 HITRUST Alliance. All Rights Reserved.