Security Breach: It’s not if, it’s not when; it’s will you know? (Keynote, ORBIT)
Megan Brister, Cyber Risk Services, Deloitte LLP
Ashkan Rahimian, Threat Intelligence & Analytics, Deloitte LLP
Your next security breach. It’s not if, it’s not when, it’s will you know.
Contents
• Understanding the cyber threat landscape in the insurance sector
• Evolving your cyber risk program to respond to cyber threats
• Anatomy of an advanced persistent threat
• Improving your outcomes
3 Cyber Risk Services | Deloitte LLP
Understanding the cyber threat landscape: Shift in cyber threat actors
Cyber attacks are no longer the result of a single hacker looking for bragging rights. Most attacks are now performed by well-funded, well-resourced professionals and teams (e.g. nation states, organized crime) seeking to profit from the attack. New capabilities are required to detect these advanced threats.
[Diagram: evolution of detection capability from SIEM 1.0 (Security Information and Event Management) through SIEM 2.0 to cyber analytics; labels shown: signature-based detection, real-time, machine learning, threat intelligence]
Understanding the cyber threat landscape: Commodity attacks are more accessible than ever
Low barriers to entry into the cyber threat market make commoditized cyber attacks easier to carry out; booter services provide low-cost DDoS.
Image credit: Krebs on Security
90% more DDoS attacks from 2013 to 2014 (Source: Akamai Q4 2014 State of the Internet – Security Report)
Understanding the cyber threat landscape: Speed of attacks is accelerating, while response times lag
As the speed of attack increases, an organization’s ability to detect an attack will determine the impact and cost of the cyber incident on the business.
Scenario: a retailer has card-scraping malware affecting 30% of its stores, which process 1M credit and debit transactions per day:
• Detection at Day 0: ~$10k
• Detection at Day 2: $2 – $5M
• Detection at Day 30: $23M+
Source: Client scenario prepared by Deloitte Cyber Intelligence Centre
Understanding the cyber threat landscape: The cost of responding is increasing, while the volume of records breached increases as well
Breaches of personal information are expensive to remediate, as credit monitoring and identity protection services have become the standard for customers.
[Figure: per-person cost of remediation services; labels shown: fraud alert (“will alert or flag”), identity theft insurance, credit monitoring; values shown: ~$8/pp, ~$4/pp, ~$40/pp]
Understanding the cyber threat landscape: Global talent shortage impacts organizations’ ability to defend themselves
Estimated to be as high as 22%, the cyber security talent vacancy rate* is not only an operational challenge but also a significant risk for businesses.
• Average salary of a Certified Ethical Hacker per year: $71,331 (Source: EC-Council, which provides the CEH certificate)
• Cost of a banking Trojan, the exploit and a spam mailing to spread them around: $3,000; average pay out: $72,000 (Source: Kaspersky Lab 2014)
Source: Bruce Schneier on Security, 2015 Predictions and Trends Webcast
Understanding the cyber threat landscape: No organization is immune
Small and medium-sized businesses (SMEs) are not immune to attacks: 62% of data breaches were at the SME level (<1000 employees), with most data losses resulting from cyber attacks in the following sectors.
Confirmed data losses in SMEs in 2014:
• Travel/Accommodation: 180
• Retail: 95
• Financial Services: 33
• Health Care: 31
Source: Verizon Communications Data Breach Investigations Report
Evolving your cyber risk program: It starts with understanding who might attack, why, and how
• Who might attack, what tactics might they use, what are they after?
• How mature are my controls to address my risk?
• What does the road map for improved cyber defense look like?
Evolving your cyber risk program: Who might attack an insurance broker?
• Organized crime targeting high volume personal information for financial gain
• Hacktivists seeking to push an agenda or embarrass a country
• Cyber criminals leveraging an insurance broker to attack another high value target
• Nation states targeting intellectual property (IP), key personnel information, and critical infrastructure data for cyber terrorism
• Competitors seeking IP or business plans for competitive advantage
• Malicious insiders seeking to disrupt the business or harm the company’s reputation
Evolving your cyber risk program: What are they after and why?
• Insurance brokers hold rich databases of personal, medical, and financial information.
• A launching pad to another high value target, such as a payment processor, financial institution, or health care.
• Disrupting or embarrassing your business, even when your company is merely caught in the middle of a politically-motivated attack.
Evolving your cyber risk program: What tactics might they use?
• Phishing continues to be a common and successful entry point for attackers. In 2014, the email phishing rate was 1 in 965 emails.
• Mobile phishing has become the new entry point.
• 24 zero-day vulnerabilities* were reported, meaning hackers could immediately start exploiting the vulnerability in that system until the vendor provides a patch.
• Inter-connected third party compromise.
Source: Symantec Internet Threat Report
Evolving your cyber risk program: Evaluate and plan for improved cyber defense
Cyber Risk Program
• SECURE: Are controls in place to guard against known and emerging threats?
• VIGILANT: Can we detect malicious or unauthorized activity, including the unknown?
• RESILIENT: Can we act and recover quickly to minimize impact?
Road map priorities:
• Implement user training and testing
• Improve mobile application development processes
• Integrate cyber threat intelligence to proactively implement countermeasures
• Implement a standard for third party connections
Anatomy of an advanced persistent threat (APT)
The main intention of an APT attack is to gain access, stay undetected, and perform long-term operations.
Anatomy of an advanced persistent threat: Hammertoss lifecycle
1. Attacker sends a spear phishing email containing malicious attachments
2. User downloads and opens the attachments
3. Each attachment is a dropper releasing Hammertoss
4. Hammertoss is loaded in memory and initiates a connection
5. Hammertoss checks the daily Twitter handle for instructions
6. Tweets may direct Hammertoss to fetch images from GitHub
7. PowerShell commands are extracted, decrypted and run
8. Hammertoss performs privilege escalation and lateral movement via PowerShell commands
9. Beacons check in to the team servers
10. Attack team ready to accept sessions
11. Further compromise to meet objectives
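One way a defender could look for the sequence in steps 5 to 7 of the lifecycle above in host telemetry, as an added example that is not from the original deck; the event format, the domain lists and the PowerShell flag list are assumptions chosen for illustration:

```python
"""Detection logic for the Hammertoss-style chain above, run over constructed
host telemetry: C2 lookup (Twitter) -> payload fetch (GitHub) -> obfuscated
PowerShell launch, all on one host within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
C2_LOOKUP = ("twitter.com", "api.twitter.com")               # step 5: daily handle check
PAYLOAD_HOSTS = ("github.com", "raw.githubusercontent.com")  # step 6: image fetch
PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")  # step 7

def suspicious_powershell(cmdline):
    """True for a PowerShell launch using encoded-command or hidden-window flags."""
    low = cmdline.lower()
    return low.startswith("powershell") and any(f in low for f in PS_FLAGS)

def find_chains(events):
    """Return (host, iso_time) for every suspicious PowerShell launch that was
    preceded, within WINDOW on the same host, by a C2 lookup and then a fetch."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in events:
        by_host[host].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), kind, detail))
    hits = []
    for host, evs in by_host.items():
        evs.sort()
        for i, (t, kind, detail) in enumerate(evs):
            if kind != "proc" or not suspicious_powershell(detail):
                continue
            recent = [e for e in evs[:i] if t - e[0] <= WINDOW]
            c2 = [k for k, e in enumerate(recent) if e[1] == "dns" and e[2] in C2_LOOKUP]
            fetch = [k for k, e in enumerate(recent) if e[1] == "dns" and e[2] in PAYLOAD_HOSTS]
            if c2 and fetch and min(c2) < max(fetch):  # lookup must precede the fetch
                hits.append((host, t.isoformat()))
    return hits

# Constructed sample (not real telemetry): ws-17 shows the full chain; ws-02 has a
# lookup three hours before an ordinary script run; ws-05 fetches but never checks Twitter.
SAMPLE_EVENTS = [
    ("2015-06-01T09:00:05", "ws-17", "dns", "api.twitter.com"),
    ("2015-06-01T09:00:09", "ws-17", "dns", "raw.githubusercontent.com"),
    ("2015-06-01T09:00:12", "ws-17", "proc", "powershell.exe -nop -w hidden -enc <BASE64>"),
    ("2015-06-01T09:30:00", "ws-02", "dns", "twitter.com"),
    ("2015-06-01T12:30:00", "ws-02", "proc", "powershell.exe -File backup.ps1"),
    ("2015-06-01T10:00:00", "ws-05", "dns", "github.com"),
    ("2015-06-01T10:00:03", "ws-05", "proc", "powershell.exe -enc <BASE64>"),
]

if __name__ == "__main__":
    for host, when in find_chains(SAMPLE_EVENTS):
        print(f"Hammertoss-style chain on {host} at {when}")
```

Only ws-17 is flagged; the stale lookup on ws-02 and the fetch without a prior handle check on ws-05 fall outside the chain, which is the kind of ordering and time-window logic a SIEM correlation rule for this lifecycle would need.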
Improving your outcome
• Traditional cyber defense is not enough to address advanced threats
• Intelligence is critical to understanding possible attack campaigns and how to put proactive countermeasures in place
• Organizations need to know who might attack, why, and how, so that they can invest their resources in the right things
Contacts
Megan Brister, PMP, CISSP, SABSA, Senior Manager, Cyber Risk Services, [email protected], 613.762.6623
Ashkan Rahimian, Cyber Threat Intelligence Lead, Cyber Risk Services, [email protected], 416.202.2746
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.
Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte’s more than 210,000 professionals are committed to becoming the standard of excellence. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication. © 2015. For more information, contact Deloitte Touche Tohmatsu Limited.