
APT or not - does it make a difference if you are compromised?

Jul 20, 2015


Thomas Malmberg
Page 1: APT or not - does it make a difference if you are compromised?

APT or not - does it make a difference if you are compromised?

Thomas Malmberg

Page 2: APT or not - does it make a difference if you are compromised?

Who I am - and why you are listening to me


• I work with IT-risk management and IT-security

• I develop security principles, processes and architectures for both the corebanking as well as the netbanking platform

• I develop and maintain auditing principles and methodologies

• I perform and manage internal IT-audits in the bank

• I like processes, log management, web-application firewalls and IAM

- Finland is the most sparsely populated country in the European Union, with only 16 inhabitants per km².
- There are exactly 187,888 lakes (larger than 500 m²) and 179,584 islands within the territory of Finland.
- Both are world records.

Source: Google

Page 3: APT or not - does it make a difference if you are compromised?

What you need to know about Aktia


• Aktia provides individual solutions in banking, asset management, insurance and real estate services

• Aktia operates in the Helsinki region, in the coastal area and in growth centres of Finland

• Operating profit was EUR 68.3 million and the profit for the year was EUR 55.0 million

• Aktia is renewing its core banking system and the launch of the new system is planned to the end of 2015 - the investment cost is estimated to approx. EUR 40 million

Page 4: APT or not - does it make a difference if you are compromised?

Today's topics

1. If phishing works, why bother with APT?
– Finnish stats and stories

2. Easy targets are always targeted first
– APT economics
– Tone at the top

3. Whether it's an attack or a disguise - logs are your best friends
– Situational (un)awareness

4. How to manage the risks - continuous “auditing”
– How you hook up audits & scans, projects, backlogs, source-code, people and risk-management together

Source: Unknown

Page 5: APT or not - does it make a difference if you are compromised?

If phishing works, why bother with APT?

Page 6: APT or not - does it make a difference if you are compromised?

Situation in Finland 2011-2014

• Financial institutions and companies are mostly targeted by
– Phishing
– Banking malware & trojans
– Denial of Service

• Criminals have successfully monetized phishing and malware

• “Ransom demands” have been seen in social media like Facebook & Twitter during DoS-attacks
– Demands between 10-100 BTC
– Monetization success rate probably zero (but not known)

Source: EUROPOL, Exploring tomorrow’s organised crime, 2015

Page 7: APT or not - does it make a difference if you are compromised?

How phishing worked best in 2014

• Background
– TUPAS is a 2F authentication method created by the Federation of Finnish Financial Services over 10 years ago
– TUPAS is based on ebanking authentication – PIN & TAN
– TUPAS is used for almost everything that requires real and reliable authentication in Finland – including governmental services

• The modus operandi in 2013 and 2014
– Create a fake service that requires TUPAS to log into
– Acquire PIN & 1 TAN
– Use credentials to get a “payday loan”
• NOTE: Targeted mainly payday loan companies, NOT banks!

Page 8: APT or not - does it make a difference if you are compromised?

About TUPAS-authentication

• Safety
– There are known issues, but it is not inherently unsafe

• Market
– It is the de facto standard
– No alternatives

• Sponsorship
– Standard defined by banks
– Implementations owned by banks

Source: Federation of Finnish Financial Services / FK

Page 9: APT or not - does it make a difference if you are compromised?

Details about the simplicity of the campaign

• 1 Estonian person behind the phishing campaign

• The Estonian language is close to Finnish making it easy to create realistic phishing emails and SMS’s

• The campaign used more than 40 mules and “associates” and netted between 700k€-800k€

• KISS was a successful paradigm
– Create a rock solid plan to monetize the data you gather
– Use correct and proper language for your communication
– Use psychology – “if you do not immediately … you will face liability”
– Make it easy for the targets to lose their credentials

<100km

Source: Google

Page 10: APT or not - does it make a difference if you are compromised?

How this phishing case evolved

Source: Helsingin Sanomat

Source: IT-viikko

Page 11: APT or not - does it make a difference if you are compromised?

How this phishing case evolved

Source: Helsingin Sanomat

Maximum sentence – 7 years

11 grand frauds in 2014

0,5M€ - 100’s of people

Page 12: APT or not - does it make a difference if you are compromised?

Trends for nasty activities (financial sector)

[Graph: trends 2010-2014 for APT, Malware & Trojans, Phishing and DoS, on a scale from ”NOT SO MUCH” to ”MUCH”]

This graph shows trends and relations in an ”apples vs. oranges” way. This graph does not show any actual amounts. It is based on official reports and other public information.

Page 13: APT or not - does it make a difference if you are compromised?

One known & disclosed real APT in Finland


Page 14: APT or not - does it make a difference if you are compromised?

A few words about the DDOS


Page 15: APT or not - does it make a difference if you are compromised?

A few words about the DDOS


Page 16: APT or not - does it make a difference if you are compromised?

Easy targets are always targeted first

Page 17: APT or not - does it make a difference if you are compromised?

Can we even agree on what an APT is?

Source: NIST

Page 18: APT or not - does it make a difference if you are compromised?

Can we even agree on what an APT is?


Page 19: APT or not - does it make a difference if you are compromised?

Can we agree on what an APT is NOT!

• It is not an APT
– If you leave the front door open, someone walks in and steals all your data – and repeats this every workday for a month
– If your customers are targeted using phishing emails for several weeks
– If your network - which is lacking firewalls, antivirus-solutions and content-proxies – is infiltrated with malware - for months
– If your customers are infested by banking-trojans (Zeus etc.)

• A single piece of malware, a single exploit or vuln is NOT an APT.

Source: Graphics by ISACA

Page 20: APT or not - does it make a difference if you are compromised?

What they need to do and what you can lose

Source: Graphics by ISACA

[Figure: “What they need to do” and “What you are scared to lose” – ISACA Survey in the US in 2013]

Page 21: APT or not - does it make a difference if you are compromised?

Analyze your ”adversary landscape”

The only relevant threat in the table seems to be criminal groups.
- What are their actual capabilities?
- What are their motives?

The Snowden-Greenwald revelations have taught us that the best APT-capabilities are held here.

Source: Graphics by ISACA

We aim to avoid PR-disasters that could trigger such a level of badwill that someone in these categories might want to target me. We adhere to money laundering rules and maintain a high ethical level.

”Threat Agent”

Page 22: APT or not - does it make a difference if you are compromised?

The financial anatomy of an APT

• The criminal
– The criminal does not know the financial outcome or gain beforehand
– The research phase will require a significant amount of investment in time
– The penetration requires costly tools
• 0-days or “near-zero” can cost between 5k-100k
• You probably need other tools or social engineering & bribes
– The (financial) outcome has to outweigh the investment

• You
– Protection (licenses + appliances) can cost many 100k€
– A forensics project costs around 100k€-150k€

Input: 100k€ / Output: ?€
Input: 3k€ / Output: 50k€

Page 23: APT or not - does it make a difference if you are compromised?

Source: SC Magazine Australia

Page 24: APT or not - does it make a difference if you are compromised?

Don’t be an easy target


• Every risk can be quantified as a business risk

• Don’t let salespersons fool you into false security with silver bullets – not on any level

• IT-security (security appliances and software) is only one component in the IT-risk landscape

• Also – “cyber security” is hidden somewhere in those boxes…

• Use your money wisely

[Diagram of boxes: Business risk, IT risk, IT security, IT]

Page 25: APT or not - does it make a difference if you are compromised?

Risk assessment for the win!


Page 26: APT or not - does it make a difference if you are compromised?

Create a culture of security awareness


• Management has to be involved

• All incentive programs should have a security awareness and/or security incentive built in – including those at the C-level

• All of us – act accordingly

“Well, once again, we’ve saved civilization as we know it.” – Captain James T. Kirk

Page 27: APT or not - does it make a difference if you are compromised?

Create a culture of security awareness


Page 28: APT or not - does it make a difference if you are compromised?

”But we are so secure already”

Source: Microsoft Security Intelligence Report

Page 29: APT or not - does it make a difference if you are compromised?

A small bank's perspective

Source: ISACA

• I have a limited budget

• I want to spend my money against
– Things I understand and
– Things I can measure

• Because I cannot reasonably motivate spending if I am not able to
– Make my management understand
– Show my management figures

Page 30: APT or not - does it make a difference if you are compromised?

Who cares?


• “Industry analysts have inferred that shareholders are numb to news of data breaches”

• “Since consumers don’t have sufficient tools to measure the impact of breaches themselves, they are at the mercy of companies to disclose the impacts of their own corporate data breaches”

• “New, more stringent regulations on when to disclose data breaches and more sophisticated technologies […] may contribute to more shareholder reaction to these types of incidents down the road.“

Page 31: APT or not - does it make a difference if you are compromised?

Whether it’s an attack or not – logs are your best friends

Page 32: APT or not - does it make a difference if you are compromised?

All your logs are belong to us

• Nobody has ”all the logs”

• Case Gemalto

Source: Gemalto Press Release

Page 33: APT or not - does it make a difference if you are compromised?

Logs are just a bunch of huge files

• Gathering logs can be a tough job

• Who knows what the logs actually contain and which logs are important?

• You can easily kill your efforts by choosing too simple sources which
– are high volume
– add very little value on their own
– cost a lot to store
– create only a limited ”buzz” in your organization

Page 34: APT or not - does it make a difference if you are compromised?

Logs are DevOps!

• Leverage your devs!
– They know the application logs
– They SHOULD know the application logs
– They can enhance and add to the logs – given the motive

• Leverage your ops!
– They know the infrastructure logs
– They SHOULD know the infrastructure logs
– They can configure the logs – given the motive

• Leverage yourself!
– Add security as a viewpoint

Page 35: APT or not - does it make a difference if you are compromised?

Put a SOC in it

• You can outsource everything – and make your life easy – but...
– You can not outsource understanding
– You should not outsource understanding
– You can not outsource responsibility

• An outsourced SOC can
– do a lot of the hard work
– leverage special skills

• The information and data should be yours, not just a quarterly report and some (hopefully) occasional alerts

Delivered as ordered?

Page 36: APT or not - does it make a difference if you are compromised?

Add external information and tools to the brew

• HAVARO
– An IDS-IPS-like tool developed by CERT-FI (NCSC-FI) and the National Emergency Supply Agency in 2011
– Targeted primarily for Finnish companies that have some kind of statutory duties in a national emergency situation

• Does NOT compete with commercial solutions – is not meant to be the only security solution

• Creates security awareness within Finland and within specific industries

• Governed by Finnish laws – safe for companies

Page 37: APT or not - does it make a difference if you are compromised?

Add people and communications to the brew

• In Finland, exchange of critical information is good

[Diagram – channels: Public mailinglists, Closed mailinglists, Personal contacts & first name basis, Interest groups, International cooperation; parties: Federation of Finnish Financial Services / Security, National Emergency Supply Agency, National Bureau of Investigation, NCSC-FI, Europol, Banks]

Page 38: APT or not - does it make a difference if you are compromised?

Create Awareness


• Enable critical logs

• Gather and SECURE logs

• Understand log relevance

• Understand volume relevance

• Correlate

• Visualize

Show off!

Page 39: APT or not - does it make a difference if you are compromised?

[Diagram of roles: CIO, Product Owner, IT Manager, Devs, CRO, Ops]

Page 40: APT or not - does it make a difference if you are compromised?

How to manage the risks – continuous security auditing

[Word cloud: continuous monitoring, continuous risk assessment, continuous excellence, continuous risk monitoring]

Page 41: APT or not - does it make a difference if you are compromised?

Definition of continuous <activity>

• “Continuous auditing has been defined as a methodology or framework that enables auditors to provide written results on the subject matter using one or a series of reports issued simultaneously”

• “Continuous monitoring allows an organization to observe the performance of one or many processes, systems or types of data“

• “Continuous risk monitoring and assessment is used to dynamically measure risk and provide input for audit planning”

Source: ISACA & Wikipedia

Page 42: APT or not - does it make a difference if you are compromised?

Our implementation of continuous auditing

• The definitions are not really optimal

• We do a best of breed combining
– continuous (technical and process) auditing,
– continuous monitoring (of logs and events) and
– continuous (security) risk monitoring and assessment

• I call this continuous auditing to make it sound simple (enough)
– Hopefully it isn’t simplifying this matter too much

“While you plan for next year’s audit, I hack away.”

Source: Juha Strandman

Page 43: APT or not - does it make a difference if you are compromised?

How we link things together

• Processes
– Regular pentests (3rd party, external & internal)
– Weekly security scans
– Systems security audits and process analysis
– Log analysis and monitoring
– Most important critical business processes

• Dogmas and paradigms
– Ticket everything
– Track everything
– Analyze everything
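The "weekly scans, ticket everything, track everything" loop described on this slide, as an added example that is not the presenter's or Aktia's own tooling: each scan finding gets a stable fingerprint, reconciling a new week's results opens, keeps or resolves tickets, and the resulting figures are the kind of numbers the talk says management needs to see. The scanner fields, the ticket fields and the two sample weekly scans are constructed for the example.

```python
# Added example, not from the presentation: a small "ticket everything, track
# everything" reconciler for weekly scan results (field names are constructed).
import hashlib
from dataclasses import dataclass

@dataclass
class Ticket:
    key: str
    title: str
    severity: str
    first_seen: int          # ISO week number of the first detection
    last_seen: int
    status: str = "open"     # "open" or "resolved"

def fingerprint(finding: dict) -> str:
    """Stable id: same host, port and check map to the same ticket every week."""
    raw = f"{finding['host']}|{finding['port']}|{finding['check']}"
    return hashlib.sha256(raw.encode()).hexdigest()[:12]

def reconcile(tickets: dict, scan: list, week: int) -> dict:
    """Open a ticket per new finding, keep persisting ones open, resolve the rest."""
    seen = set()
    for f in scan:
        key = fingerprint(f)
        seen.add(key)
        if key not in tickets:
            tickets[key] = Ticket(key, f["check"], f["severity"], week, week)
        else:  # still there, or back again: keep or reopen the ticket
            tickets[key].last_seen, tickets[key].status = week, "open"
    for t in tickets.values():
        if t.key not in seen and t.status == "open":
            t.status = "resolved"
    return tickets
def figures(tickets: dict, week: int) -> dict:
    """Figures management can understand: open tickets per severity, oldest age."""
    open_t = [t for t in tickets.values() if t.status == "open"]
    per_sev = {}
    for t in open_t:
        per_sev[t.severity] = per_sev.get(t.severity, 0) + 1
    oldest = max((week - t.first_seen for t in open_t), default=0)
    return {"open": len(open_t), "per_severity": per_sev, "oldest_weeks": oldest}

# Constructed sample: two consecutive weekly scans of the same hosts.
WEEK_27 = [{"host": "app-1", "port": 443, "check": "TLS 1.0 enabled", "severity": "medium"},
           {"host": "db-1", "port": 1521, "check": "Default credentials", "severity": "critical"}]
WEEK_28 = [{"host": "app-1", "port": 443, "check": "TLS 1.0 enabled", "severity": "medium"},
           {"host": "app-1", "port": 80, "check": "Directory listing", "severity": "low"}]
def run_example() -> dict:
    tickets = reconcile(reconcile({}, WEEK_27, 27), WEEK_28, 28)
    return figures(tickets, 28)
```

Running the two sample weeks shows one finding resolved, one persisting for a week and one new, which is exactly the per-ticket history a weekly scan alone does not give you.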

Page 44: APT or not - does it make a difference if you are compromised?

What hinders progress

• Management commitment and ”tone”
– ”We want more powerpoints”
– ”We want more email attachments”

• Separate tools with nonexistent integration
– A bad stack doesn’t make it easy enough to integrate the security efforts into the process

• Resistance
– ”A valid pentest report is only valid if it looks exactly like this.”

• No DevOps
– Devs love agile, Ops hate it

Page 45: APT or not - does it make a difference if you are compromised?

What enables progress

• Link to the real activities, goals and people
– Our security organization is small
– Written reports and formal bureaucracy would cripple us

• Projects use agile methodologies
– Teams are used to managing tickets
– Projects are agileboard-driven

• Tools that work together
– Link tickets, reports, sourcecode, releases, deliverables, configurations, backlogs, sprints and documentation

Page 46: APT or not - does it make a difference if you are compromised?


Page 47: APT or not - does it make a difference if you are compromised?

Credits & thanks

• Images and pictures are
– created by the author
– sourced as noted in the presentation
– from freeimages.com

• Thanks to everyone who gave insight and comments during the creation of this presentation

• Thanks for the pig!

Wrapup

• Do your homework and spend your money wisely
• Share information - internally and externally
• The ”tone at the top” is a decisive factor
• Keep focus on the real threats
• Good is not good enough (only good enough is!)

linkedin.com/in/thomasmalmberg

@tsmalmbe

[email protected]

Page 48: APT or not - does it make a difference if you are compromised?