Incident handling of cyber espionage
Marie Moe, Ph.D., Researcher at SINTEF ICT
The Honeynet Project Workshop 2015
Agenda
• Threats and trends
• Case studies with examples from real incidents
• Incident handling
About me
• Research scientist at SINTEF
• Associate Professor II at HiG (20%)
• MSc in Mathematics
• PhD in Information Security
• GIAC certified Incident Handler
• Previously working for NSM NorCERT
(Photo: Robert McPherson, Aftenposten)
Threat landscape (diagram)
Motivations: espionage, sabotage, financial crime, pranks, crisis/war, political protests.
Actors: chaotic actors, Advanced Persistent Threats. Impact: society in general, national security.
Espionage trends
• Modern espionage is most effectively conducted through network operations
• Significant amounts of information stolen
• Russia and China are the most active nation states behind network operations against Norway
Source: https://forsvaret.no/ForsvaretDocuments/FOKUS2015-endelig.pdf
How do they compromise our systems?
• Spear phishing
  – Often contains predictable elements
  – Targeting information often available online
• Watering hole/strategic web compromise
  – User profiling and whitelisting of targets
  – Harder to detect and more difficult to handle than spear phishing
• Credentials harvesting
  – Using compromised accounts for new spear phishing
  – Direct access to mail and systems without leaving traces
• Known vulnerabilities
  – Zero-days may be used against high priority targets
• Physical delivery rarely used
Case A: Industrial espionage
Reference: https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf
• NorCERT was contacted by a company that discovered that they were compromised
• Detected at the exfiltration stage
• Data staged for exfiltration was filling up the disk on the Exchange server!
• Large files that appeared to be image files (.jpg) were in fact password-protected RAR files
• The exfiltration was carried out via HTTP GET requests
• NorCERT coordinated incident response with the victim and performed forensic analysis
• The initial attack vector was found to be a vulnerability in ColdFusion, which gave the attackers the ability to upload a "China Chopper" webshell
• The password for the RAR files was eventually found, and the company could get a clear idea of the amount of intellectual property that was lost.
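The masquerade in Case A (archives renamed to .jpg) is cheap to test for: the extension is attacker-controlled, the first bytes of the file are not. The following Python check is an added example and not part of the original slides; it compares each image-named file's leading bytes against the published signatures of JPEG/PNG/GIF and of RAR (both the 4.x and 5.x markers), ZIP and 7z, and reports disagreements. The sample headers in `SAMPLE_HEADERS` are constructed for this demonstration, not taken from the incident, and the file names in them are invented.

```python
"""Flag files whose extension says image but whose leading bytes say archive.

Added example for the Case A pattern (RAR files renamed to .jpg). The file
signatures are the published magic bytes for each format; the sample headers
below are constructed for this demonstration, not taken from the incident.
"""
from pathlib import Path
from typing import Dict, List, Optional

# Leading bytes (magic) of the formats we care about. RAR 4.x and RAR 5.x use
# different markers, so both are listed.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),
    "zip": (b"PK\x03\x04",),
    "7z": (b"7z\xbc\xaf\x27\x1c",),
}
ARCHIVE_FORMATS = {"rar", "zip", "7z"}
# What a file with this extension is supposed to contain.
EXPECTED_BY_EXTENSION = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
HEADER_LEN = 16  # longest signature above is 8 bytes; read a little more


def identify(header: bytes) -> Optional[str]:
    """Name the format whose signature the header starts with, or None."""
    for name, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return name
    return None


def check(name: str, header: bytes) -> Optional[Dict[str, object]]:
    """Return a finding when the extension and the magic bytes disagree.

    Files without an image extension are out of scope and return None, as do
    files whose content matches what the extension claims.
    """
    expected = EXPECTED_BY_EXTENSION.get(Path(name).suffix.lower())
    if expected is None:
        return None
    actual = identify(header)
    if actual == expected:
        return None
    return {
        "file": name,
        "claimed": expected,
        "actual": actual or "unknown",
        "is_archive": actual in ARCHIVE_FORMATS,
    }


def scan_directory(root: str, min_size: int = 0) -> List[Dict[str, object]]:
    """Walk a directory tree and check every file of at least min_size bytes.

    Large files are the interesting ones here (the staged archives filled the
    server's disk), so a size floor keeps thumbnails and icons out of the output.
    """
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        size = path.stat().st_size
        if size < min_size:
            continue
        with path.open("rb") as fh:
            header = fh.read(HEADER_LEN)
        finding = check(path.name, header)
        if finding:
            finding["file"] = str(path)
            finding["size"] = size
            findings.append(finding)
    return findings


# Constructed sample headers: a genuine JPEG, a RAR 4 and a RAR 5 archive
# renamed to .jpg, and a text file renamed to .jpg. Names are invented.
SAMPLE_HEADERS = {
    "banner.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
    "IMG_0471.jpg": b"Rar!\x1a\x07\x00\xcf\x90\x73\x00\x00\x0d",
    "IMG_0472.jpg": b"Rar!\x1a\x07\x01\x00\x33\x92\xb5\xe5\x0a",
    "notes.jpg": b"Quarterly figures, draft",
}


def demo() -> List[Dict[str, object]]:
    """Run the check over the constructed samples and return the findings."""
    return [f for f in (check(n, h) for n, h in SAMPLE_HEADERS.items()) if f]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run `scan_directory("/path/to/mail/store", min_size=10 * 1024 * 1024)` against a suspect volume to get only the large mismatches; a genuine image that fails the check is rare enough that every hit deserves a look. The check does not tell you whether a RAR is password-protected (that sits in the archive headers, not the marker), but the mismatch itself is the indicator.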
Case B: Spear phishing against the energy sector
Reference: http://www.scmagazineuk.com/hundreds-of-norwegian-energy-companies-hit-by-cyber-attacks/article/368539/
Case C: APT C&C proxy server in Norway
Reference: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
HTRAN report (Aug. 2011): http://www.secureworks.com/research/threats/htran
Incident handling of cyber espionage
• Know your assets!
• Common reaction to incidents:
  "We don't have anything of value"
  "We don't understand why this happened to us"
The incident response lifecycle
Figure from NIST SP 800-61, Revision 2: Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity (the phases used for the following slides).
Preparation
IT Operations/maintenance
• Clear understanding of network and systems
• Access control and segmentation
• Quick updating and patching
• What about cloud services? Are you in control?
IT Security
• Control and monitor network traffic
• Detection team that looks for intruders and abnormalities
• Threat intelligence
Contingency planning
• Clear areas of responsibility
• Escalation routines, contact information
• Guidelines for incident handling
• The contingency plan should be rehearsed!
Detection and Analysis
Your IDS needs to be constantly updated with the latest threat intel!
Logging enables detection and scoping of an incident!
• Traffic logs
  – Web traffic logs
  – Proxy logs with SSL inspection
  – Netflow
  – DNS logging / passive DNS
  – Web access logs on your own web servers
• Authentication logs
• Administration logs
• Security logs
• E-mail logs
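The last traffic-log item, access logs on your own web servers, is where exfiltration of the Case A kind (large "images" pulled with HTTP GET) leaves its trace. The following Python pass over access logs is an added example, not part of the original deck: it parses the Apache/nginx combined format, flags successful GETs for image URLs whose response size exceeds anything a real image could be, and sums the bytes served as "images" to each client so a single address pulling gigabytes stands out. The log lines in `SAMPLE_LOG` are constructed for this demonstration using documentation address ranges and invented paths; the 50 MB threshold is an assumption to tune to the largest legitimate image your site serves.

```python
"""Spot bulk exfiltration over HTTP GET in web-server access logs.

Added example: the access-log lines are constructed for this demonstration
(documentation address ranges, invented paths) and are not from the incident.
The 50 MB threshold is an assumption; tune it to the largest legitimate image
your site serves.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Apache/nginx "combined" log format, up to the response-size field.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif")
SIZE_THRESHOLD = 50 * 1024 * 1024  # assumption: no real image on the site exceeds 50 MB


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one access-log line into fields; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["status"] = int(rec["status"])
    return rec


def is_image_path(path: str) -> bool:
    """Decide on the URL path only, ignoring any query string."""
    return path.split("?", 1)[0].lower().endswith(IMAGE_SUFFIXES)


def oversized_image_gets(lines: Iterable[str], threshold: int = SIZE_THRESHOLD) -> List[Dict[str, object]]:
    """Successful GETs for image URLs whose response is larger than any real image."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "GET" and rec["status"] == 200
                and is_image_path(rec["path"]) and rec["size"] > threshold):
            hits.append(rec)
    return hits


def image_bytes_per_client(lines: Iterable[str]) -> Dict[str, int]:
    """Total bytes served as 'images' to each client address."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and is_image_path(rec["path"]):
            totals[rec["client"]] += rec["size"]
    return dict(totals)


# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges; the paths and timestamps are invented.
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2015:02:14:07 +0200] "GET /owa/images/banner.jpg HTTP/1.1" 200 18432 "-" "Mozilla/5.0"
203.0.113.5 - - [12/May/2015:02:14:09 +0200] "GET /owa/images/IMG_0471.jpg HTTP/1.1" 200 734003200 "-" "Mozilla/5.0"
203.0.113.5 - - [12/May/2015:02:31:44 +0200] "GET /owa/images/IMG_0472.jpg HTTP/1.1" 200 698351616 "-" "Mozilla/5.0"
198.51.100.23 - - [12/May/2015:08:02:11 +0200] "GET /owa/auth/logon.aspx HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.23 - - [12/May/2015:08:02:12 +0200] "GET /owa/images/logo.jpg HTTP/1.1" 200 9122 "-" "Mozilla/5.0"
198.51.100.23 - - [12/May/2015:08:02:13 +0200] "POST /owa/auth.owa HTTP/1.1" 302 - "-" "Mozilla/5.0"
"""


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hit in oversized_image_gets(lines):
        print(f"{hit['client']} {hit['time']} {hit['path']} {hit['size']} bytes")
    for client, total in sorted(image_bytes_per_client(lines).items(), key=lambda kv: -kv[1]):
        print(f"{client}: {total} bytes served as images")
```

Feed real logs with `oversized_image_gets(open("access.log"))`; the per-client totals catch the case where the attacker keeps each chunk under the size threshold, which is why both views are kept. Requests at 02:14 local time from a single external address are the kind of detail the scoping phase turns into a timeline.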
Containment, Eradication and Recovery
You detected or were informed that you have been a victim of cyber espionage... What to do now?
Selection of strategy:
• Protect and forget
• Watchful waiting, possibly a honeypot operation?
Clean up after compromise
• Plan and execute clean-ups in a controlled fashion!
  – Hire an MSSP if you lack the necessary know-how
• Establish the necessary logging and monitoring/IDS
• Isolate compromised systems from the network
• Secure a memory dump and disk image of compromised systems
• Reinstall from clean backups
• Change all passwords!
• Evaluation of the incident handling
  – Identification of lessons learned
  – Update contingency plans
  – Case studies are very useful for training
The "Cyber Kill Chain"
• Lockheed Martin: 7 stages/states of an "APT-style" incident
  Recon → Weaponize → Deliver → Exploit → Install → C2 → Action
• If the attacker fails in one of the stages, the compromise will not succeed!
• Detection and response should be implemented for each stage
  – What can the organization handle themselves?
  – Where is collaboration or outsourcing required?
  – Risks and costs increase for each stage
  – Timeline: hours or days from successful exploitation
Reference: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Guidelines for incident handling
• NSM has published a guide for incident handling of cyber espionage
  – Can be downloaded at https://www.nsm.stat.no/globalassets/dokumenter/temahefter/apt_2014.pdf (only in Norwegian)
• Overview of logging that should be in place
• What information to submit to NorCERT if you want their assistance
Thank  you!
marie.moe@sintef.no
@MarieGMoe
@SINTEF_Infosec
