The Hacking Team Hack: Lessons Learned for Enterprise Security
Stephen Cobb, CISSP, Senior Security Researcher
Apr 09, 2017

Transcript
Page 1: The Hacking Team Hack: Lessons Learned for Enterprise Security

The Hacking Team Hack: Lessons Learned for Enterprise Security

Stephen Cobb, CISSP, Senior Security Researcher

Page 2

Stephen Cobb, Sr. Security Researcher, ESET North America

Stephen Cobb has been a CISSP since 1996 and has helped companies large and small to manage their information security, with a focus on emerging threats and data privacy issues. The author of several books and hundreds of articles on information assurance, Cobb heads a San Diego-based research team for ESET North America.

Page 3

Today’s topics
• The messy rise of Hacktivism 3.0
• Where Hacking Team went wrong
• What’s Sony Pictures got to do with it
• Issues of access and authentication
• Re-discovering the insider threat
• The security/transparency paradox
• AshleyMadison and other secrets
• Situational awareness, risk analysis, operational security, and Incident Response Planning

Page 4

What’s not on the agenda…
• The ethics of Hacking Team’s business model
• The legality/ethics/logic of digital surveillance of citizens by the state
• The inside scoop on how these hacks went down (although insiders may have been involved)

Page 5

Polling Question
Q1: Has your organization issued any phishing alerts in the wake of recent hacks?
• Yes
• No
• Not sure
• I don’t work for an organization

Page 6

Hacktivism 3.0
• 1.0: Website defacements
• 2.0: Exfiltration of confidential documents to sharing sites
• 3.0: Breaching security with intent to expose documents that make a point, or a mess
– Politics: Hacking Team, Sony
– Malice: Ashley Madison
– Money: Adult Friend Finder

Page 7

Page 8

Hacking Team profile
• Italian company that sells “surveillance tools” to government agencies
• Main tool is code designed to obtain unauthorized access to systems = malware
• Detected as such and blocked by AV products
• Many people disapprove in general, but particularly when client = repressive regime

Page 9

Hacking Team story
• Started with penetration testing
• Some staff not comfortable with expansion into surveillance tools
• Management response: compartmentalize

Page 10

Hacking Team critique
• Adopted aggressive attitude to those who opposed its business model
• Repeatedly denied allegations of dealings with repressive regimes
• While storing evidence of dealings with repressive regimes in digital form
• Creating a risky situation:
– Target value outgrew defensive posture

Page 11

Sony Pictures parallels
• Decided to move forward with an inflammatory movie despite warnings it could provoke hackers
• Sony security posture and incident response plans fell short of risk profile
• Failed to isolate digital valuables and embarrassing information in digital form

Page 12

Does Mr. Clooney understand?
• American companies run on systems that are so hard to defend that provoking attack by taking a stand is a very risky business decision

Page 13

Cowardice or common sense?
• The strength of our economic and social infrastructure impacts our ability to take a stand against terrorists and other bad actors
• Strength readings are not high right now
• Consider recent Black Hat survey of 460 security professionals:
– 73% think it likely that their organization will have to deal with a major data breach in the year ahead

Page 14

Why? Black Hat survey says…
• Staffing Shortage: Only 27% feel their organization has enough staff to defend against current threats
• Measly Budgets: Only 34% say their organization has enough budget to defend itself against current threats
• In Need of Training: Only 36% say they have the skills they need to do their jobs (55% say they could use some training)

PDF at: http://tinyurl.com/Blackhat-Survey

Page 16

Black Hat survey tells us…
“Security defense strategies and resources need serious rethinking if the protectors of the enterprise are not confident in their ability to keep adversaries out of systems” (and away from potentially damaging data)

Page 17

How fresh is your risk management strategy?
• Are you listening to your IT security people?
• Do you have realistic situational awareness?
• Where are you on Incident Response Plan?

Page 18

Remember: 4 ways to handle risk
• Reduction
– Make sure all systems are secure, patched regularly, users trained, etc.
• Acceptance
– Take a calculated risk, but be sure odds are correct
• Avoidance
– Don’t make that movie about that dictator
• Transfer
– Buy insurance (but be prepared to qualify)

Page 19

Polling Question
Q2: Are you confident in your organization’s current security posture?
• Yes
• No
• Not sure
• I don’t work for an organization

Page 20

Sony/HT/AM common elements
• The company is engaged in activity that is not universally admired
• Someone with access to hacking abilities decides to act against the company
• The company response is sub-optimal:
– “It didn’t happen”
– “It happened, but it’s not that bad”
– “Attack and/or adversary was sophisticated”
– “We may have issued false statements”

Page 21

Defending against Hacktivism 3.0
• Situational awareness
– If it’s on the web, it’s world wide
– Who in the world might not like what we do?
– What are their capabilities (hint: you can rent ‘em)?
– What will they think about upcoming actions?
– Are we listening for/to critics?

Who doesn’t like us?
Are we antagonizing anyone?
Are all our secrets locked down?
Where are we on incident response?

Page 22

Situational Awareness
• It’s all about communication
– Salespeople
– Social media
– Customer support
– Clipping service
– Google News alerts
– Project roadmap
– PR/events calendar

Page 23

Security/transparency paradox
• Security = keeping secrets, including possibly damaging information
• Choosing not to keep potentially damaging information secret may reduce that potential
• Information in digital form is inherently hard to keep secret
• Digital “secrets” are easier to share at scale

A man that looks on glass,
On it may stay his eye;
Or if he pleaseth, through it pass,
And then the heav'n espy.
– George Herbert, 1633

Page 24

Incident response planning
• Bad things will happen to your organization
• So you need a plan for how to respond
• Everyone in the organization needs to know
– There is a plan and we all must stick to it
– We all have a role, even if that role = no comment

Who do you call?
Who should speak?
To whom will they speak?
What will they say?

Page 25

Authentication issues
• Use of weak, non-unique passwords continues
• On sensitive systems, passwords are no longer fit for purpose
• You need 2FA

Page 26

Personnel “risks” must be addressed
• The insider threat has never gone away
• Potential damage from insiders is arguably greater now, given ease of digital egress
• Pay attention to people, attitudes, and the logs

Source: 2015 Vormetric Insider Threat Report
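To make “pay attention to the logs” concrete against the “ease of digital egress” point, here is an added example (my own code, not from the deck or the Vormetric report). It runs over a few constructed proxy-log lines with the layout `timestamp user destination bytes_out`, totals outbound bytes per user per day, and flags any user-day that is far above that user’s own median or that uploads to a watched file-sharing domain. The log format, the host names, the `ratio` threshold and the watch list are all assumptions.

```python
"""Flag unusual outbound volume per user from proxy logs (added example)."""
import re
from collections import defaultdict
from statistics import median

# Constructed sample: "timestamp user destination bytes_out" (not real traffic)
SAMPLE_LOG = """\
2015-07-01T09:12:04Z alice mail.example.com 1200
2015-07-01T09:30:11Z alice crm.example.com 5400
2015-07-01T10:02:45Z bob wiki.example.com 800
2015-07-01T11:15:09Z carol crm.example.com 4300
2015-07-02T08:50:33Z alice mail.example.com 1500
2015-07-02T13:20:17Z bob share-files.example.net 650000000
2015-07-02T14:01:02Z carol mail.example.com 2100
2015-07-03T09:05:19Z alice crm.example.com 6100
2015-07-03T10:40:51Z bob wiki.example.com 900
2015-07-03T16:22:08Z carol share-files.example.net 480000000
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<dest>\S+)\s+(?P<bytes>\d+)$")

# Assumed watch list of consumer file-sharing hosts
WATCH_DOMAINS = frozenset({"share-files.example.net"})


def parse_line(line):
    """Return (day, user, dest, bytes_out) or None for a line that doesn't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m["ts"][:10], m["user"], m["dest"], int(m["bytes"])


def daily_totals(log_text):
    """Sum bytes_out per (user, day)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            day, user, _dest, nbytes = rec
            totals[(user, day)] += nbytes
    return totals


def find_egress_anomalies(log_text, ratio=10.0, watch_domains=WATCH_DOMAINS):
    """Return sorted (user, day, bytes_out, reason) for user-days that look like exfiltration.

    Rule 1: the day's total exceeds `ratio` times that user's own median daily total
            (per-user baseline, so a heavy but normal user isn't flagged).
    Rule 2: any upload to a watched domain, regardless of size.
    """
    totals = daily_totals(log_text)
    per_user = defaultdict(dict)
    for (user, day), nbytes in totals.items():
        per_user[user][day] = nbytes

    flagged = {}
    for user, days in per_user.items():
        base = median(days.values())
        for day, nbytes in days.items():
            if base > 0 and nbytes > ratio * base:
                flagged[(user, day)] = (nbytes, f"volume {nbytes} > {ratio:g}x median {base:g}")

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] in watch_domains:
            day, user, dest, _ = rec
            flagged.setdefault((user, day), (totals[(user, day)], f"upload to watched domain {dest}"))

    return sorted((u, d, b, r) for (u, d), (b, r) in flagged.items())


if __name__ == "__main__":
    for row in find_egress_anomalies(SAMPLE_LOG):
        print(*row)
```

The per-user median matters: a single global threshold either drowns in noise from backup and sync traffic or misses a low-volume employee who suddenly pushes a few hundred megabytes out. With only one day of history the median equals the day itself and rule 1 cannot fire, so the watch-list rule is what catches a first-day event.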

Page 27

Miscellaneous fallout
• HT zero days disclosed
• Vulnerabilities need to be patched
• Phishing campaigns may use AM data
• Blackmail is also possible
• Password leaks add to brute force
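“Password leaks add to brute force” cuts both ways: the same leaked corpora let a defender screen a candidate password before it is set. The added example below (my own code, not from the deck) shows the hash-prefix range-lookup pattern used by breach-check services such as Have I Been Pwned’s Pwned Passwords API: the client discloses only the first five hex characters of the SHA-1 and matches the rest locally against the returned `SUFFIX:COUNT` lines, so the service never sees the password or its full hash. The leaked-password table and its counts are constructed, and `local_lookup` stands in for the HTTPS request.

```python
"""Screen candidate passwords against a leak corpus with k-anonymity range lookups (added example)."""
import hashlib
import hmac

# Constructed leak corpus: password -> times seen in breaches (made-up counts)
LEAKED_PASSWORDS = {
    "password": 3730471,
    "123456": 23597311,
    "letmein": 1234,
    "HackingTeam2015!": 2,
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_db(leaked):
    """Server side: index leaked hashes by their 5-hex-char prefix; entries are 'SUFFIX:COUNT'."""
    db = {}
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        db.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return db


RANGE_DB = build_range_db(LEAKED_PASSWORDS)


def local_lookup(prefix):
    """Stand-in for the network range request: all suffix lines for one prefix."""
    return RANGE_DB.get(prefix.upper(), [])


def leaked_count(password, lookup=local_lookup):
    """Client side: only the 5-char prefix leaves the client; the suffix is matched here."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix):
        s, _, n = line.partition(":")
        if hmac.compare_digest(s, suffix):
            return int(n)
    return 0


def password_problems(password, min_len=12, lookup=local_lookup):
    """Reasons to reject a candidate password; an empty list means it is acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    n = leaked_count(password, lookup)
    if n:
        problems.append(f"seen {n} times in leaked data")
    return problems


if __name__ == "__main__":
    for candidate in ("letmein", "HackingTeam2015!", "correct horse battery staple"):
        print(candidate, "->", password_problems(candidate) or "ok")
```

Note that a complex-looking password with a low leak count is still rejected: once it is in a public dump it is in every attacker’s wordlist, which is exactly the “adds to brute force” effect the slide describes.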

Page 28

Opsec and AshleyMadison
• Don’t engage in behavior you may later want to deny, unless you are confident the proof of your involvement is well-protected
• Bear in mind the wide range of views on “acceptable”

Page 29

Thank You

[email protected]