Monthly Cyber Threat Briefing
July 2015
© 2015 HITRUST, Frisco, TX. All Rights Reserved. For more information, visit www.hitrustalliance.net
Presenters
•   Dennis Palmer: Senior Security Analyst, HITRUST
•   Tawfiq Shah: Senior Threat Intelligence Analyst, FireHost
•   Thomas Skybakmoen: Research Vice President, NSS Labs, Inc.
•   Aaron Shelmire: Senior Security Researcher, Threatstream
•   Toni Benson: Team Lead, US-CERT
Future Briefings - Announcement
•   August MTB cancelled (due to Black Hat); monthly report will be released
•   Next MTB scheduled for the third Thursday of September
•   FireHost will lead future briefings beginning in September
•   Content changes
–   Focus on trends in the healthcare industry
–   Actionable data
–   Demonstration of how threat actors operate
Agenda
•   FireHost: Procedures used by threat actors
•   NSS Labs: Emerging and unknown exploits and product effectiveness
•   ThreatStream: Emerging Threats
•   US-CERT: Situational update on new products
•   HITRUST: CSF Controls related to ongoing threats
•   Q&A Session
Procedures Used by Threat Actors
Activity on a Sample Medical Company
Your defense cannot be static: attackers are getting more innovative. Without continuous vigilance, any company can eventually be breached.
New Vulnerability Detected: One Hour Later, Activity Is Noted (IOS Vulnerability)
Companies need to proactively search for Indicators of Compromise (IOCs).
Partnership Relationship Sample Medical Company: Every Avenue Is Open to Attack
Your strength is measured by your weakest link.
Phishing remains the weakest link in the chain.
Trust relationships between vendors, partners, or contractors can be leveraged to infiltrate a target network.
Domain Squatting (Cybersquatting)
FireHost TRU Recommendation: Establish alerts with your threat intelligence provider/subscription to keep an eye on suspicious domains.
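One concrete way to act on that recommendation is to generate the look-alike names a squatter would most plausibly register for your own domain and match them against a feed of newly registered domains. This is an added example, not code from the FireHost or HITRUST material; the brand domain "samplemedical.com", the feed lines and the substitution tables are constructed for illustration.

```python
# Characters that are easily confused in a browser address bar or an e-mail client.
HOMOGLYPHS = [("l", "1"), ("l", "i"), ("i", "l"), ("o", "0"), ("0", "o"),
              ("m", "rn"), ("rn", "m"), ("w", "vv"), ("e", "3"), ("s", "5")]
ALT_TLDS = ("net", "org", "co", "info", "biz")

def squat_candidates(domain: str) -> set:
    """Look-alike domains built from character omission, repetition, adjacent
    transposition, hyphenation, homoglyph swaps and TLD swaps."""
    name, tld = domain.lower().rsplit(".", 1)
    names = set()
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])                 # drop one character
        names.add(name[:i] + name[i] + name[i:])           # double one character
        if i < len(name) - 1:
            names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # swap neighbours
            names.add(name[:i + 1] + "-" + name[i + 1:])                # insert a hyphen
        for a, b in HOMOGLYPHS:
            if name.startswith(a, i):
                names.add(name[:i] + b + name[i + len(a):])
    names.discard(name)
    out = {f"{n}.{tld}" for n in names if n}
    out |= {f"{name}.{t}" for t in ALT_TLDS if t != tld}
    return out

def match_feed(domain: str, feed_lines) -> list:
    """Entries of a newly-registered-domain feed that look like `domain`."""
    cands = squat_candidates(domain)
    return sorted({line.strip().lower() for line in feed_lines} & cands)

# Constructed sample feed of new registrations, one domain per line (not real data).
SAMPLE_FEED = """\
sampemedical.com
samplemedica1.com
sample-medical.com
samplemedical.net
totallyunrelated.org
sarnplemedical.com
"""

if __name__ == "__main__":
    for hit in match_feed("samplemedical.com", SAMPLE_FEED.splitlines()):
        print("possible squat:", hit)
```

Each hit is a candidate for a watchlist entry or a takedown request; the same candidate set can also be fed to your intel provider as the alert list the slide recommends.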
Continued Vigilance in the Fight Against Phishing
FireHost TRU Recommendation: Continuously reinforce employee education and run internal phishing campaigns to test the effectiveness of your employees' training.
Targeted Vulnerabilities Related to the Healthcare Sector
Example of an APT proactively searched for:
Chinese APT: RasWMI, aka HcdLoader malware, used in a recent major health care system breach
Sample: Potentially Vulnerable Server
Attack Vectors
•   App
•   OS
Operating systems are over a million lines of code, making them impossible to verify fully. Keeping up with patching is an imperative task.
NSS Labs: Emerging and Unknown Exploits and Product Effectiveness
Threat Capabilities Report
•   NSS observed a more than 200 percent increase in unique callbacks for the month of June, which contrasts with May, when the number of unique callbacks declined.
•   As in previous months, exploits and attack campaigns focused on Java, Silverlight, and Internet Explorer. Unlike previous months, attacks on Flash were less prevalent.
•   The TS WebProxy vulnerability (CVE-2015-0016) uses an escalation of privileges to escape the Internet Explorer sandbox and is increasingly being utilized together with CVE-2014-6332. This allows remote attackers to execute arbitrary code via a crafted web site on several versions of the Windows operating system.
* Data from June 2015—NSS Labs
Top Targeted Applications and Operating Systems
[Matrix of application versus operating system combinations; the individual cell marks did not survive extraction.]
Operating systems: Windows 7 SP1, Windows Vista SP1, Windows XP SP3
Applications: Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Java 6 Update 22, Java 6 Update 23, Java 6 Update 27, Java 7, Java 7 Update 2, Silverlight 4.0.51204
* Data from June 2015—NSS Labs
Top Origin of Threats
* Data from June 2015—NSS Labs
Top Command and Control Hosting by Geo
Rank  Country
1     China
2     United States
3     Hong Kong
4     South Korea
5     Netherlands
6     Taiwan
7     Germany
8     France
9     Australia
9     India
9     United Kingdom
* Data from June 2015—NSS Labs
C&C Server Locations & Callback Ports
10 commonly used command and control (C&C) server locations in combination with 10 commonly used callback ports
[Matrix of country versus callback port; the individual cell marks did not survive extraction.]
Countries: China, France, Germany, Hong Kong, India, Netherlands, South Korea, Taiwan, United Kingdom, United States
Callback ports: 25, 80, 81, 99, 3201, 173, 20008, 40008, 10086, 1691
* Data from June 2015—NSS Labs
CAWS: All Threats
* Data from June 2015—NSS Labs
CAWS: All Threats (January - June)
* Data from June 2015—NSS Labs
CAWS: Origin of Threats (January - June)
* Data from June 2015—NSS Labs
CAWS: Applications (January - June)
* Data from June 2015—NSS Labs
CAWS: Vendors (January - June)
* Data from June 2015—NSS Labs
Emerging Trends
Wekby Threat Actors
TTPs
•   Phishes
–   Wave 1 – Credential theft
–   Later waves – VPN or Citrix updates
•   Living off the land
•   Long-term persistence
Tools
•   HTTPBrowser
•   Xyligan a/k/a TornRAT
•   HcdLoader – on servers
•   PlugX – on Win7+
•   PoisonIvy – on WinXP
•   9002/NAID
Summary
•   RSA compromise
•   Wekby.com
•   Mincesur.com
•   TG-0416
•   Dynamite Panda
•   APT-18
•   USB key compromise(s)
–   PoisonIvy Smallfish password
Wekby 30 June Campaign
•   Modified HTTPBrowser
–   DNS C2 to it-desktop.com and get2go.com
–   ROP chain obfuscation
•   Evasive Maneuvers by the Wekby group with Custom ROP Packing and DNS Covert Channels
–   https://hitrustctx.threatstream.com/tip/1135
ROP Chain Obfuscation
•   Modifies the stack to control execution flow.
•   Pushes the values for the subsequent functions onto the stack; when the subroutine returns, the next address is popped from the stack into EIP and becomes the next function executed.
•   In this case the subroutine at 0x40F62E
Investigation and Protection
•  DNS C2 complicates simple searches for indicators.
•  dnscmd /enumrecords it-desktop.com /type TXT
•  Global Query Block List (Active Directory DNS): https://technet.microsoft.com/en-us/library/cc794902(WS.10).aspx
•  BIND block via a locally authoritative zone:
–  zone "it-desktop.com" { type master; file "blockfile"; };
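Blocking the zone stops resolution, but the slide's first point still stands: DNS-based C2 has to be found in query logs rather than in IP or URL indicator lists. The following is an added example (not ThreatStream's or HITRUST's code) that scans BIND 9-style query-log lines for lookups of the two C2 domains named above and for TXT lookups whose leftmost label is long and random-looking, the usual shape of data tunnelled over DNS. The log lines, the log layout assumed and the length/entropy thresholds are constructed for illustration and should be tuned against your own baseline.

```python
import math
import re
from collections import Counter

# C2 domains named on the slide; in practice this set comes from your intel feed.
WATCHLIST = {"it-desktop.com", "get2go.com"}

# Assumed BIND 9 query-log layout: "... client IP#port: query: NAME IN TYPE ..."
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; encoded or encrypted payloads score high."""
    if not label: return 0.0
    return -sum(c / len(label) * math.log2(c / len(label)) for c in Counter(label.lower()).values())

def registered_domain(qname: str) -> str:
    """Last two labels of the name (sufficient for .com-style zones)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def classify(line: str, min_len: int = 20, min_entropy: float = 3.5):
    """Reason string if the query looks like DNS C2, else None."""
    m = QUERY_RE.search(line)
    if not m: return None
    qname, qtype = m.group("qname"), m.group("qtype")
    if registered_domain(qname) in WATCHLIST:
        return "watchlisted domain " + registered_domain(qname)
    first = qname.rstrip(".").split(".")[0]
    # A TXT lookup with a long, high-entropy leftmost label is the classic
    # shape of data pushed out (or commands pulled in) over a DNS covert channel.
    if qtype == "TXT" and len(first) >= min_len and shannon_entropy(first) >= min_entropy:
        return f"high-entropy TXT label ({len(first)} chars)"
    return None

def find_alerts(log_text: str) -> list:
    """(client, qname, reason) for every suspicious query-log line."""
    alerts = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            m = QUERY_RE.search(line)
            alerts.append((m.group("client"), m.group("qname"), reason))
    return alerts

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
30-Jun-2015 10:01:02.123 client 10.0.0.5#5353: query: www.example.org IN A + (10.0.0.1)
30-Jun-2015 10:01:03.001 client 10.0.0.7#49152: query: a9f3c.it-desktop.com IN TXT + (10.0.0.1)
30-Jun-2015 10:01:04.210 client 10.0.0.9#49153: query: _dmarc.example.org IN TXT + (10.0.0.1)
30-Jun-2015 10:01:05.450 client 10.0.0.9#49154: query: 4f8a1c2e9b7d3a6f0e5c1b2a8d7f6e3c.updates.example.net IN TXT + (10.0.0.1)
"""
```

The benign `_dmarc` TXT lookup is deliberately included to show that type alone is not a signal; the client address in each alert is the host to pull for triage.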
Evasive Maneuvers by the Wekby Group with Custom ROP-Packing and DNS Covert Channels
https://hitrustctx.threatstream.com/tip/1135
Situational Update on New Products
CSF Controls Related to Ongoing Threats
CSF Controls Related to Threats
•   CSF Control for Phishing
–   Control Reference: 01.f Password Use
•   Control Text: Users shall be made aware of their responsibilities for maintaining effective access controls and shall be required to follow good security practices in the selection and use of passwords and security of equipment.
•   Implementation Requirement: Users are made aware of the organization's password policies and requirements to keep passwords confidential, select quality passwords, use unique passwords, not provide their password to anyone for any reason, and change passwords when there is suspected compromise.
CSF Controls Related to Threats
•   CSF Control for Suspicious Domain Registrations (Cybersquatting)
–   Control Reference: 01.i Policy on the Use of Network Services
•   Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.
•   Implementation Requirement: The organization shall specify the networks and network services to which users are authorized access.
CSF Controls Related to Threats
•   CSF Control for Vendor Security
–   Control Reference: 01.j User Authentication for External Connections
•   Control Text: Appropriate authentication methods shall be used to control access by remote users.
•   Implementation Requirement: Remote users shall be authenticated by use of a password/passphrase and at least one of the following: Certificate, Challenge/Response, Software Token, Hardware Token, Cryptographic or Biometric Technique.
CSF Controls Related to Threats
•   CSF Control for Vulnerability Patching
–   Control Reference: 10.m Control of Technical Vulnerabilities
•   Control Text: Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.
•   Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within
Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.
CSF Controls Related to Threats
•   CSF Control for Dropper Tools Dropping Basic Backdoors / RATs
–   Control Reference: 09.j Controls Against Malicious Code
•   Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.
•   Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.
Q&A SESSION
Visit www.HITRUSTAlliance.net for more information
To view our latest documents, visit the Content Spotlight