Recent aggressive hacks on companies underline the need for good risk analysis, situational awareness, and incident response. Just ask AshleyMadison, Hacking Team, and Sony Pictures.
The Hacking Team Hack: Lessons Learned for Enterprise Security
1. The Hacking Team Hack: Lessons Learned for Enterprise Security
Stephen Cobb, CISSP
Senior Security Researcher
2. Stephen Cobb
Sr. Security Researcher, ESET North America
Stephen Cobb has been a CISSP since 1996 and has helped companies large and small to manage their information security, with a focus on emerging threats and data privacy issues. The author of several books and hundreds of articles on information assurance, Cobb heads a San Diego based research team for ESET North America.
3. Today’s topics
• The messy rise of Hacktivism 3.0
• Where Hacking Team went wrong
• What’s Sony Pictures got to do with it
• Issues of access and authentication
• Re-discovering the insider threat
• The security/transparency paradox
• AshleyMadison and other secrets
• Situational awareness, risk analysis, operational security, and Incident Response Planning
4. What’s not on the agenda…
• The ethics of Hacking Team’s business model
• The legality/ethics/logic of digital surveillance of citizens by the state
• The inside scoop on how these hacks went down (although insiders may have been involved)
5. Q1: Has your organization issued any phishing alerts in the wake of recent hacks?
Polling Question
Yes
No
Not sure
I don’t work for an organization
6. Hacktivism 3.0
1.0: Website defacements
2.0: Exfiltration of confidential documents to sharing sites
3.0: Breaching security with intent to expose documents that make a point, or a mess
– Politics: Hacking Team, Sony
– Malice: Ashley Madison
– Money: Adult Friend Finder
8. Hacking Team profile
• Italian company that sells “surveillance tools” to government agencies
• Main tool is code designed to obtain unauthorized access to systems = malware
• Detected as such and blocked by AV products
• Many people disapprove in general, but particularly when client = repressive regime
9. Hacking Team story
• Started with penetration testing
• Some staff not comfortable with expansion into surveillance tools
• Management response: compartmentalize
10. Hacking Team critique
• Adopted aggressive attitude to those who opposed its business model
• Repeatedly denied allegations of dealings with repressive regimes
• While storing evidence of dealings with repressive regimes in digital form
• Creating a risky situation:
– Target value outgrew defensive posture
11. Sony Pictures parallels
• Decided to move forward with an inflammatory movie despite warnings it could provoke hackers
• Sony security posture and incident response plans fell short of risk profile
• Failed to isolate digital valuables and embarrassing information in digital form
12. Does Mr. Clooney understand?
• American companies run on systems that are so hard to defend that provoking attack by taking a stand is a very risky business decision
13. Cowardice or commonsense?
• The strength of our economic and social infrastructure impacts our ability to take a stand against terrorists and other bad actors
• Strength readings are not high right now
• Consider recent Blackhat survey of 460 security professionals:
– 73% think it likely that their organization will have to deal with a major data breach in the year ahead
14. Why? Blackhat survey says…
• Staffing Shortage: Only 27% feel their organization has enough staff to defend against current threats
• Measly Budgets: Only 34% say their organization has enough budget to defend itself against current threats
• In Need of Training: Only 36% say they have the skills they need to do their jobs (55% say they could use some training)
PDF at: http://tinyurl.com/Blackhat-Survey
16. Blackhat survey tells us…
“Security defense strategies and resources need serious rethinking if the protectors of the enterprise are not confident in their ability to keep adversaries out of systems” (and away from potentially damaging data)
17. How fresh is your risk management strategy?
• Are you listening to your IT security people?
• Do you have realistic situational awareness?
• Where are you on Incident Response Plan?
18. Remember: 4 ways to handle risk
• Reduction
– Make sure all systems are secure, patched regularly, users trained, etc.
• Acceptance
– Take a calculated risk, but be sure odds are correct
• Avoidance
– Don’t make that movie about that dictator
• Transfer
– Buy insurance (but be prepared to qualify)
19. Q2: Are you confident in your organization’s current security posture?
Polling Question
Yes
No
Not sure
I don’t work for an organization
20. Sony/HT/AM common elements
• The company is engaged in activity that is not universally admired
• Someone with access to hacking abilities decides to act against the company
• The company response is sub-optimal
– Slide graphic, typical company statements in sequence: “It didn’t happen”, “It happened, but it’s not that bad”, “Attack and/or adversary was sophisticated”, “We may have issued false statements”
21. Defending against Hacktivism 3.0
• Situational awareness
– If it’s on the web, it’s world wide
– Who in the world might not like what we do?
– What are their capabilities (hint: you can rent ‘em)?
– What will they think about upcoming actions?
– Are we listening for/to critics?
Slide graphic, key questions: “Who doesn’t like us?”, “Are we antagonizing anyone?”, “Are all our secrets locked down?”, “Where are we on incident response?”
22. Situational Awareness
• It’s all about communication
Slide diagram, communication sources: Salespeople, Social Media, Customer Support, Clipping Service, Google News Alerts, Project Roadmap, PR/Events Calendar
23. Security/transparency paradox
• Security = keeping secrets, including possibly damaging information
• Choosing not to keep potentially damaging information secret may reduce that potential
• Information in digital form is inherently hard to keep secret
• Digital “secrets” are easier to share at scale
A man that looks on glass,
On it may stay his eye;
Or if he pleaseth, through it pass,
And then the heav'n espy.
– George Herbert, 1633
24. Incident response planning
• Bad things will happen to your organization
• So you need a plan for how to respond
• Everyone in the organization needs to know
– There is a plan and we all must stick to it
– We all have a role, even if that role = no comment
Slide graphic, key questions: “Who do you call?”, “Who should speak?”, “To whom will they speak?”, “What will they say?”
25. Authentication issues
• Use of weak, non-unique passwords continues
• On sensitive systems, passwords are no longer fit for purpose
• You need 2FA
26. Personnel “risks” must be addressed
• The insider threat has never gone away
• Potential damage from insiders is arguably greater now, given ease of digital egress
• Pay attention to people, attitudes, and the logs
Source: 2015 Vormetric Insider Threat Report
27. Miscellaneous fallout
• HT zero days disclosed
• Vulnerabilities need to be patched
• Phishing campaigns may use AM data
• Blackmail is also possible
• Password leaks add to brute force
28. Opsec and AshleyMadison
• Don’t engage in behavior you may later want to deny, unless you are confident the proof of your involvement is well-protected
• Bear in mind the wide range of views on “acceptable”