Sign Florida Banking Permission Slip Secure

Industry sign banking florida permission slip secure

hello and welcome to top cyber security threats of 2021 a webinar by lmg security our presenter for our webinar today is sherry davidoff sherry davidoff is the ceo of lmg security and author of the recently released book data breaches as an expert in cyber security and data breach response sherry has been called a quote security badass by the new york times her professional experiences are featured in the book breaking and entering the extraordinary story of a hacker called alien sherrie is a gx certified forensic examiner and penetration tester receiving her degree in computer science and electrical engineering from mit also keep your eyes peeled for her new book on ransomware which is going to be available at the end of this year that's very exciting and at this time sherry i'm passing you control of the webinar thank you so much natalie i really appreciate it well certainly supply chain attacks have been in the news recently so that is our number one top threat that we're going to talk about today we will dig into depth in the solar winds hack and then related fallout from that we'll then go into sophisticated authentication attacks that have quietly becoming a trend over the past year and finally we'll end with exposure extortion and this relates both to ransomware cases and also non-ransomware related data exposure also i wanted to just mention real quick we have a cyber first responder class coming up this is a one day intensive class that will show you how to respond to cyber security incidents how to recognize them how to preserve evidence we have three hands on labs we're going to show you how to respond both to on-premise incidents and in the cloud we've got a lot of new materials so if you're interested check it out sign up the url is lmg security.com cfr hope to see some of you there all right so let's dig into supply chain attacks supply chain attacks are where hackers will infiltrate suppliers in particular technology suppliers and then leverage the access to gain either to steal information or gain access to customer network and the result of this can be data breaches it can be ransomware attack it could be espionage or other issues so what's triggering this of course is uh the news about solar winds in december on december 13th fireeye announced a supply chain hack they had recognized that the solarwinds orion network monitoring software had a back door in it that would allow criminals to come into customer networks and really take over it was a remote access unauthorized remote access vulnerability and this is particularly scary because solarwinds has many thousands of customers and in fact technology providers managed service providers and many other technology organizations are leveraging this software so the potential ripple effects are huge now some of the biggest concerns are that solarwinds themselves did not detect this in fact of the 18 000 customers that we know downloaded the infected code only one fireeye proactively detected this and announced it so right away we have some concerns that okay if solar winds is hacked what other suppliers might be hacked in the same way that we don't yet know about that's my number one question here right now but the malware that was loaded onto the system onto customer systems is now called sunburst and it allows for back door into customer networks that means it can allow attackers to gather system information conduct reconnaissance transfer files so either load files onto your system or steal files from your system execute software install new applications they can reboot your local systems if they need to disable services we often see that when it comes to disabling antivirus software or other security software so very sophisticated very capable malware that got installed in the orion software and was then distributed out to 18 000 customer networks without anybody realizing for months and months and months now many of you are probably thinking that's what we get for relying on these big suppliers um i do want to point out though that there are also security benefits of the technology supply chain and one example of that that is relevant in this case is microsoft's digital defense report so microsoft came out in september with the digital defense report they draw on over 8 trillion security event logs per day and they can also conduct proactive alerts so they've alerted over 13 000 customers to nation state attacks over recently so in some cases we can really gain access to advanced and sophisticated capabilities by relying on these centralized suppliers so it's a double-edged sword it cuts both ways on the one hand we have risks because if one of these major suppliers gets hacked then potentially we all get hacked but on the other hand these technology suppliers like microsoft are aggregating information and can potentially use that to detect large-scale attacks or provide advanced intelligence and notification capabilities so to the extent that we can start working with suppliers to leverage the benefits more we should be doing that however there are of course dangers to supply chain threats so when attackers are able to warm their way into a supplier they could steal intellectual property of course they could modify the software as we saw in the solar winds orion case and even and they can do vulnerability discovery for new attacks so we know for a fact that microsoft is one of the companies that was hit in the solar winds attack they were using solarwinds software they came out and they made a statement and said we found one unauthorized intruder that gained access to our source code so the criminals are after source code this was reported in the wall street journal i had a good conversation with bob mcmillan the author about it and microsoft played it off as oh it's no big deal it's we assume that criminals will get access to our source code and while that's probably a worthwhile assumption there's no doubt that when criminals have access to source code it gives them a leg up because they can go through it with a fine-tooth comb and look for bugs that they could potentially exploit later so even if they can't modify the code as microsoft said the accounting question couldn't modify the code they can still gain an advantage by having access to that source code and it also makes you wonder what else did they have access to right okay so here's microsoft quote we detected unusual activity with a small number of internal accounts and upon review we discovered one account had been used to view source code in a number of source code repositories so this is not even close to the first time that we have seen a major technology supplier hacked and in fact it's very likely that this has quietly been going on in the background for well over a decade and every now and then the tip of the iceberg kind of comes up above the surface and then goes back down so this is one of those times where we're seeing the iceberg but if you remember back in 2009 and 2010 there was a huge news burst about operation aurora where sophisticated attackers went after u.s corporations and technology giants and not just department of defense contractors or government agencies so at the time we found out that google was hacked adobe was hacked intel was hacked juniper rackspace yahoo semantic and more and then those stories quietly fizzled and disappeared but the attackers did not go away and specifically we found out at the time that they were after source code this was also when we started to hear the terms sophisticated being used in the context of data breaches and hackers so here the google hack was ultra sophisticated turned out it was a phishing email adobe um was uh said that they were investigating a corporate network security issue involving a sophisticated coordinated attack a sophisticated hack hit intel in january and this is a very popular image repair tactic because the idea is to illustrate that it's not that these technology vendors were negligent no it's that the attackers were ultra sophisticated and you know they're probably the truth is in the middle somewhere let's face it now at the time mcafee published a very important and i would say landmark report that didn't get enough press about the weaknesses in source code management software they found that the majority of fortune 1000 companies are were using the exact same source code management software called perforce so now we have more of a supply chain issue we're talking about fourth party suppliers fifth party suppliers that source code management software was riddled with vulnerabilities in the report they showed there were unencrypted passwords you could do easily execute authentication bypass issues so once an attacker got into a vendor's network they could just gain access to the source code modify the source code it was kind of game over and because this weak source this source code management software with all these weaknesses was used in so many companies it introduced vulnerabilities throughout the system so it's important to recognize this was an issue in 2010 that has not really been systematically addressed you're not really seeing any laws or regulations about software security very weak notification laws some contractual regulations um but by and large the source code issues that we saw in 2010 have not yet been addressed today so you should expect that solarwinds is the tip of the iceberg and we we may or may not find out the full scope of the problem but there are likely other technology vendors that have been similarly hacked um again we have a lack of information about supply chain risks so there aren't really any notification laws we don't know the true risk of backdoor technology but every now and then some stories pop to the surface that help us to understand there's more going on than we may realize for example in 2017 it came out that microsoft had had hackers attack and successfully gain access to their bug tracking database in 2013 four years previously but they had not provided any notification about it nor were they likely required to notify anyone also last year there was the ghosts in the cloud report by the wall street journal and that detailed how many over 70 different technology vendors and managed service providers were hacked including hewlett-packard ibm fujitsu and many others and because of those hacks the criminals then wormed their way into customers so they attacked saber systems they attacked american airlines successfully because of um because they were able to warm their way into suppliers and then those stories quietly went away as well so you can see again there's a trend these things are happening but we're not really um we're not requiring reporting all the time and we're not seeing the full picture speaking of seeing the full picture let's dig into how the solar winds attack happened and then talk about what you can do to respond and protect yourself because there are simple things you can do to protect your organization both from a policy perspective as well as a technical perspective so on september 4th of 2019 well over a year ago that's when attackers started attacking solarwinds and they first got into the systems they began by injecting test code little routines in the product that didn't actually do anything there's speculation that they just wanted to confirm that if they injected some source code that it would then be distributed out to solarwinds customers and they found that in fact it was so november 4th they stopped injecting the test code and then we see on february 20th the malicious back door was compiled within the systems and in march it was distributed to customers so between march and early june the infected version of the orion software was rolled out to customers and in a minute we'll talk about the very sneaky way that the attackers were able to inject their software in it because it was it represented a new level of attack and then in may the criminals started actual hands-on keyboard attacks of solarwinds customers so that's the estimated time that they were coming into customer networks using those back doors and actively engaging in network reconnaissance information theft and other activities in june they removed the malware from the solarwinds environment and again this shows the level of sophistication um probably a quite a bit of funding as well um they are they throughout the process they deliberately cleaned up after sale so it wasn't a smash and grab this was a case where they appear to be well-funded they're paying attention to the details and they're working hard to remain undetected and finally on december 12th fireeye which of course is a very capable security company detected the malware in their environments or well really they detected the unauthorized access so who is behind these sophisticated coordinated attacks well there's been a lot of a lot of speculation that it's russia according to the us government it is russian state hackers however russia does deny that officially i would imagine in either case they would deny that um as always i would take this with a grade of salt we are still pretty early on in the investigative process and again one of the very common image repair tactics is to blame a nation state um because it makes the technology companies seem like uh they were doing a normal level of diligence if it's nation state attackers that were breaking in so stay tuned it may or may not have been russia um that's some early intelligence that we've gotten again take it with a grain of salt there is certainly evidence that these were well funded they could also have been consultants for a nation state government so the hacking supply chain is pretty complex and sophisticated these days all right so let's talk about how the attackers actually modified the solarwinds code because this is again a new level of sophistication so first of all they had access to the solarwinds environment so they're inside a supplier and the supplier doesn't notice them for months and months and then they actually got access to the software build server and once they were on that server where the code actually gets compiled so it has the source it compiles it and it produces the final product they wanted to remain undetected while also injecting their code into that software that was getting rolled out to thousands and thousands of customers so they created the sunspot malware and the purpose of this was to replace source code on the fly so this is really important they didn't modify the primary source code repository the coders don't realize that anything's happened their code makes it all the way to the final build server without any modifications and then the criminals malware sunspot will check to see if there's a recognized version of the code on there if so it will replace that code with their code that has the malware in it and their code is the is what actually gets compiled so they are literally replacing source code on the fly in that final phase and you have to make sure that the suppliers are checking those final executables and making sure that they match what should be produced so this is a question of how are you securing your software development life cycle and are you really checking it from beginning to end at what points could attackers inject something so again very sophisticated they're not modifying the actual source code repository anymore they're getting it right at that phase where it's getting compiled the criminals also took extra steps in order to prevent detection so they would cryptographically verify this version of the soft the source code that they were replacing because if there were any changes they didn't want to risk introducing errors i'm sure they felt that if they introduced errors that the developers might dig into it and detect them and they didn't want that to happen so they're verifying using cryptography they're verifying the version of the source code that they're actually replacing they disabled warnings during compilation they actually kept logs so they were creating an encrypted log file which they named vmware.vmdump.log so something that would really blend and you know they weren't saying like hacker log file dot log no vmware vm dump dot log very smart and then what ended up happening is that the final software product that was rolled out to customers as an update was properly and cryptographically signed by solarwinds so you would expect if you're getting a valid digital signature from a supplier and that checks out that everything's good and you can install that unfortunately because the code was injected prior to the final compilation and they were leveraging the solarwinds tools they were also able to ensure that the infected version was legitimately signed and as a result 18 000 customers downloaded this infected version again the dangers of supply chain um supply chain hacks so sunburst and the criminals behind it were very evasive i wanted to go through some of the ways that they um had built in the built in the ability to evade detection so first of all the sun burst malware that back door once it was on a customer network it would check for any forensics tools anti-virus tools and disable them or it would just stop running if there were indications that it was in a laboratory environment again they're trying to evade detection it would disable event logging it would engage in time stomping that's when it goes through and changes time stamps randomly throughout the file system so that just that's just evil it makes it harder for forensic investigators to piece together what happened and to build a real timeline of the attack they also would add firewall rules at certain points to filter outgoing packets and then they would clean up those firewall rules when they didn't need them anymore and then when they did reconnaissance on a network they would store those results in things that looked like configuration files so again files that people aren't likely to open or if they do open it they're not likely to understand exactly what's going on so just another way that they're sneaking they're not creating new files they're just adding to configuration files that most of the time people aren't really looking at when they were communicating on the network they tended to blend so you'll see throughout this either they're going to use the orion improvement protocol a protocol that's already used by the orion software or in some cases we saw web traffic going across but they're trying to blend with normal network activity and they also made sure to install custom software on each system they were infecting and that way they could evade signature based detection so very very evil okay so how did the attackers what did the attackers do next on customer networks well they work to establish persistence they have this back door using the orion software and then in some cases they would install a dropper one of those was teardrop this is a memory only dropper that's used to install additional malware on the system it does not reside on the disk it is loaded only into memory again a really effective way to evade detection raindrop was another uh type of memory only malware that got installed and then finally they delivered cobalt strike now as you may know from our november webinar cobalt strike is legitimate penetration testing software but it's so good that criminals like it too and unfortunately um there are now variants of cobalt strike out there because these source code was leaked in november um so it was publicly leaked on the dark web and now we're likely to see these issues snowballing in fact i think it's really interesting that here's another supply chain security issue so the source code of cobalt strike is either reverse engineered or just stolen and now it's leaked on the dark web and as a result we're going to see more attacks including supply chain attacks because of that so an issue with the cyber security supply chain is causing ripple effects and introducing additional risks throughout the system so again cobalt strike is being used to help the attackers expand laterally throughout the network and maintain persistence the next thing that the criminals do once they have access to a customer network is they want to gain administrative access and they've been doing that in one of two ways number one they steal passwords so that shouldn't surprise anybody this has been a common tactic for 20 years or more but the next thing they the other thing that um they were seen doing was minting saml tokens so they would they stole the same old token signing certificate and that allowed them to forge saml tokens and essentially masquerade as any user they wanted on the network and we're starting to see this more and more where the criminals are going after private keys they're going after certificates that are used to sign things and in that manner they can gain a whole new level of administrative access it's not just taking over one account it's literally taking over the network and this is why if you do get hacked it's actually important to change things like your private keys and not just kind of wave it away because the attackers could still have access long term there have also been forensic analysts that say the criminals are using common tools so again not things that would trip anti-virus signatures but common tools that it staff might use to manage a network the criminals are using as well they're attacking on-premise environments they're attacking cloud environments they're jumping between the two but their primary goal is to establish persistence long-term and in fact in a lot of cases they're removing that original back door or some of their original tools as they progress as the attack progresses in order to evade detection they're also conducting data mining as you might expect so they're exploring user emails they're specifically targeting key it staff security personnel they're stealing files they're doing things like mimicking legitimate applications microsoft cautioned that if you're responding or you think that you might have been impacted by solar winds you should assume that your communications are accessible to the actor and what that means is that they are seeing the malicious actor monitoring emails as the response is underway so keep that in mind think about how you might communicate out of band in cases where you may have a an adversary on your network and this isn't just for nation state actors i mean this is becoming par for the course in ransomware cases we see and other cases we've certainly seen ransomware actors quite recently say how was your zoom call and um actually uh the you know this other company was wrong when they investigated we saw that happen recently as well um so the criminals may well be monitoring your communications uh if you have an issue all right so another thing that was announced it's hard to keep track of all the different types of malicious software and ways that criminals had access to the solarwinds network because it turns out that there was another sneaky backdoor installed on customer systems and that is called supernova it was likely planted by a different attacker group that had access in march of 2020 and it allows for arbitrary remote code execution this is a really interesting piece of software it actually allows for remote code to reside in memory only so it looks like a program it's an infected.net library module that can come with the solarwinds package and it looks like it's just producing a copy of the logo upon request there's a lot of cases where other parts of the software might need the logo so it takes a request it produces the logo however if there are four parameters four very specific parameters set via http then it will provide more than just the logo in fact the software will then execute any arbitrary code that the attacker feeds it it will read it into memory it will execute it and that's it so that allows criminals again a remote backdoor into customer systems it's you're not going to find traces of whatever was executed on the disk because it's just loaded directly into memory however if you review the loss if you're curious if this has happened to you you can review the logs and find those http requests with four specific parameters and that's how you know that there was at least an attempt to activate this malware so again it's a little frightening that this is likely related to a wholly different attacker group so what's next well we should expect to see more fallout from the solar winds attack over time particularly because so many organizations are still investigating all of us should be investigating doing your due diligence and we'll talk in a moment about how to do that but in general there's a lack of detection capabilities it's very hard to detect attacks like this solar winds themselves didn't detect it almost 18 000 other customers detected did not detect it either and there's also gaps in notification requirements so if a supplier like this gets hacked when do they have to notify you and do they have to notify you at all we've also seen again major providers who have been impacted by the solar winds hack deloitte and touch is one of them so they came out and said uh yes we were running solar winds and everything's fine and there's there's this cute article about it this is fine don't worry about it um but then the question is you know what other providers are we going to see um making similar statements over the next year or two years or more so that's um that's a quick run through of the solar winds attack if there are any questions please feel free to shout it out i also just i think i may have skipped a slide i wanted to mention how many customers were affected we saw tech giants like intel cisco vmware microsoft belkin again professional services firms security firms obviously many branches of the government were impacted universities hospitals here's a chart that was produced by microsoft that shows 44 of the organizations impacted were information technology companies and i think that's really telling because it means that once hackers get into an information technology company they can potentially use that to gain access to really our entire technology supply chain how many of you use adobe products yep pretty much all of us so again if you have any questions feel free to shout it out and let's talk about how we respond to this one sec let me just jump jump ahead okay so how should you respond to the solarwinds hack first of all we have to check our own networks and it's a good idea just to write something up so that you know you've done your due diligence um we have an advisory as well in the handouts panel of this talk so you can go through and take a peek at that but ask was the solar winds malware installed on your network you know first of all do you use solarwinds software at all and if you do check to see if you used one of the versions that has been affected if that's the case make sure you are conducting thread hunting even that if that original back door was removed uh the criminals may still have installed malware on your network so it's a very smart idea these days to install to do proactive threat hunting something lmg has been doing quite a bit for some of our customers recently and then respond appropriately um csa and dhs and the cert teamed up they produced emergency directive 2101 i put a link on the screen for you guys so take a look at that and if you have any questions again feel free to drop me a line on linkedin and i can provide more guidance also there's a new tool out a new free tool for hardening microsoft 365. fire i just released it a week or two ago it's called the azure ad investigator and it will automatically go through your environment and audit your systems and look for any signs of the solar winds attack and indicators so check that out it just came out on january 19th again i've provided a link for you guys here it's the azure ad investigator and then finally perhaps the hardest part we need to check our supply chains so do you have any third-party suppliers that you rely upon which have been infected by the solarwinds malware now you may or may not be able to check all of your suppliers what's most important is that you prioritize think about cloud providers hardware and software vendors managed service providers in particular anyone that has privileged access to your network environment that can change configuration you're going to want to check on um security firms like fireeye or or other critical vendors professional services firms that may hold on to your data so think about who has access to your data directly and then who has privileged access to your network or whose software do you use and you can ask them some specific questions again we gave you some examples um in the one sheet that i've provided as a handout but ask them to confirm in writing if they're using if they have used an affected version of solarwinds orion and ask if their effect if they're actively assessing the risk due to their supply chain because we are seeing criminals engaging in these multi-stage attacks where they get access to one supplier and they use that to get access to their customers and then they may even use that access to get access to customers customers so we have to worry about fourth party risks and fifth party risks make sure you're giving your suppliers a deadline for responding and don't assume that a supplier will proactively contact you if there's a problem if you do not hear from a supplier assume it's bad news and act accordingly all right so speaking of suppliers there are other supply chain issues besides solar winds so here's one example from last week where a ransomware installation occurred because of an infected supplier iobit forums was hacked they were used to send phishing emails to their community and also their website was used to serve up malware that would then lead to ransomware so unfortunately people who clicked on the link in that phishing email and downloaded the code were impacted with ransomware you can see the ransom note on the screen right here we also saw last year again this is a trend managed service providers were used to infect customers there were 22 towns in texas that were hit the sadiniki gang was deliberately targeting managed service providers because hey why in fact just one organization if you could infect like a hundred right and again we saw more and more managed service providers being used to for criminals to leapfrog into customer networks now the good news is that most msps have really put much stronger security measures in place over the past year ensure that they're using two-factor authentication um you can set time limits things like that for when vendors can access your network so we have certainly seen an improvement but it's definitely something to keep an eye on and then there's the cloud ransomware absolutely hits the cloud that's one of our big research topics for this year at lmg but we certainly saw in the blackbaud case um blackbaud was a cloud provider is a cloud provider that serves um thousands of different organizations all around the world they help many non-profits and even for-profit companies do fundraising and so they hold financial information social security numbers and all kinds of other sensitive information about people's activities and interests so they were hit with ransomware and reportedly the criminals accessed data um blackbaud stated that they actually paid to ensure that the data was deleted and that of course raises the question of how can you trust criminals but as a result hundreds of organizations then had to do their own investigation to determine what data exactly were they storing on blackbaud systems and did they need to announce a data breach so this caused huge ripple effects throughout the whole system you can see millions of individuals were affected because of this same thing with tyler technologies many of you i'm sure have been impacted by this it hit a lot of public entities um and they urged clients to reset remote network passwords after they too were hit with a ransomware attack and as we'll talk about later in this presentation more and more ransomware gangs are taking to stealing data and not just locking it up so that has changed the way we need to deal with those i received a question before this talk and thanks to those of you wh have asked questions ahead of time what is risk management so as we go through this presentation and we talk about how to manage your supply chain risk i just want to make sure we're all on the same page so a risk is a matched threat and vulnerability pair so you have a threat like a hacker group and you have a vulnerability like let's say a vulnerability in your website and the hacker group goes after the vulnerability and you need to think about what is the potential impact if that happens what is the likelihood of this happening and then finally how do i control this risk or do i even want to do that so risk management is the process of actively monitoring and controlling your risks you can't control your risks unless you monitor them unless you know what they are so our options for risk treatment include avoid the risk entirely i don't need to have a website these days you do probably you can mitigate the risk so you can make sure to stay up to date on software patches and things like that you can accept the risk and we all accept a certain level of risk just to go about our everyday business so we're always accepting risks and then finally you can transfer your risk to a third party and that's where we see cyber insurance coming into play where we're transferring some of those potential financial losses to a third party making sure that we have some help in the response so that is what we talk about when we discuss risk management so how can we manage the risks involved in the supply chain well you need to vet your suppliers first and foremost and i know for many of this supply chain vetting has been on the would like to have list but not on the lake it's it's typically not the fire of the day so this year in 2021 make it a resolution to make your supply chain vetting program just a little bit better it doesn't have to be perfect but try to make some progress number one as madison eiler on our team says she runs our advisory team she says keep it simple so the simpler you make it the more the easier it will be to actually implement make sure you are prioritizing your suppliers you will not be able to vet all of your suppliers but examine your list of suppliers and think about which ones have privileged access to your network which ones do you rely on for critical services and then which ones have access to your confidential information prioritize them take a risk based approach so uh address the highest risk issues first i would definitely recommend establishing a standard questionnaire for every single supplier and ideally a form that they need to fill out so that you're receiving all your responses in the same form then you want to collect information evaluate your responses track and follow up and that's where again a lot of times we see these programs kind of falling down where suppliers don't respond and then um before you know it a whole year has gone by so this year try to identify your top suppliers if you haven't already uh identify the questions you need to ask get responses and then see what you need to do to at least make those risks a little bit less we've also surprised we've also provided you with a handout on supply chain risk management hot off the presses so take a look at that let me know what you think if you use the nist cyber security framework i know many of you do then you can do your due diligence by following the supply chain risk management controls so it starts with defining your risk management processes prioritizing your suppliers delegating requirements through contracts that is one of the biggest challenges make sure that you are spelling out your cyber security requirements your expectations for notification and that you intend to be vetting them on an annual basis and they need to respond so when you have that kind of leverage and i know we always we don't always when you have that kind of leverage build it in and then make sure you're monitoring your supplier risk that you're tracking this in one central place you've established responsibility for doing that and then finally this last item i think is really important integrate your key suppliers into response and recovery planning so when you have a tabletop exercise make sure it's not just your internal team if you're hosting data in the cloud think about how are we going to contact our cloud provider what kind of evidence are we going to get and involve your cloud provider in that response and recovery planning process okay so some questions to ask will suppliers notify you if they suspect a breach i can tell you nine times out of ten the answer is no in the case of blackbaud they knew that there was a hack they were hit with ransomware they paid a ransom demand and they did not tell customers for two months and then at that point each of the customers needed to do their own investigation and would have had to rely on blackbaud for evidence you know to the extent possible speaking of which what evidence exists what logs will the supplier give you in the event that there is an incident and who will cover the investigation and notification costs a lot of people think well if a cloud provider is hacked it's their fault so they're going to cover my investigation costs not so much of the time often there are um big carve outs in those contracts you are responsible for the security of your own data or they may simply not have the means to cover investigation for their many thousands of customers so really think through if our cloud provider was hacked even if it's not your fault who is responsible for funding the cost of the investigation the notification would your insurance cover it with their insurance coverage a lot of times no insurance covers it and then crank up your own logging and monitoring this is the year of detection we need to get much better about detecting incidents so make sure that you turn on logging this can save you an absolute fortune if you do experience an incident it's once you think a hacker may have broken in you want to know where did they go what did they have access to and that's the point where most people say oh i wish we had turned on that logging so run don't walk after this presentation turn it on now make sure you have appropriate retention times so in the cloud e3 is i think by default 90 days e5 you can get up to a year um logging is often built in but just not turned on to the extent that you can centralize your logging i love splunk it's a commercial tool where you can use elf stack and kibana that is free or the software itself is free and then make sure that you're effectively monitoring it will do you very little good if you're collecting a bunch of logs that show their issues but nobody's looking at them regularly for most small to mid-size organizations i would definitely recommend outsourcing your monitoring program because it's just the kind of activity that you really need to scale up you need a whole team of people that's constantly monitoring and one way you can prevent problems cheaply and efficiently is by limiting your suppliers access so often suppliers have much more access than they really need or if you're looking at a professional service provider they want to hang on to your data for long periods of time so think about what you actually want them to have access to and limited to what they really need and that in and of itself will reduce your risk we also need to be collaborating on supply chain security supply chain security might seem like a really daunting problem and it is it's not something that one organization can fix but right now we need to be working together on this issue so raise this topic supply chain security in your local community if you have a meetup group if you have a local infosec group or an isac that you work with now is the time for us to be pushing for better and stronger supply chain standards for notification requirements that match our expectations and help us to reduce risk we are likely to see legislation of some kind coming out over the next year or two relating to cyber security particularly because of the impact on the federal government with the fallout of the solar winds attack so biden has already made a statement on cyber security priorities they've hired some very talented security professionals to work in the new administration i'm really excited about it so stay tuned again we're likely to see more legislation all right with that again feel free to shout out if there are any questions and in the meantime let's continue on and talk about sophisticated authentication attacks this year criminals have moved beyond password theft which is too bad because many of us are still trying to get a handle on the huge amount of password theft that happens but criminals have already lapped us they've moved on to stealing private keys and certificates as we've alluded to they're leveraging application consent phishing and they're bypassing multi-factor authentication so let's dig into how this works first of all just to make sure we're on the same page authentication is how we verify someone's identity and there are three ways to authenticate an entity with something you know like password something you have like a driver's license or something you are like a fingerprint or some other kind of biometrics when you use more than one type together we call that multi-factor authentication so in the case of solar winds there have been many indications that the solarwinds hackers are bypassing multi-factor authentication or gauging these in these engaging in these very sophisticated attacks for example in one case they found that uh the solarwinds hackers access to customers network and they were able to access the email of a user um that was using multi-factor authentication so they got access to the owa interface and they were reading this email and it was looking like they were successfully authenticating using duo but they weren't turns out what happened is that the criminals gained administrative privileges to the owa server and at that point it's game over if they have access to the backend server they can do whatever they want including again implementing these very sophisticated attacks so they stole a duo secret key from the outlook web access web app server and they use that key to generate a valid duo sid cookie so when they went to log into the system they would present the valid username and password and then they would present the valid duo sid cookie so that it looks like they are successfully authenticating and in this way they bypassed multi-factor authentication so again the lesson to this is that if you've been hacked if you suffer a breach change all of your secrets not just passwords make sure you're also changing the secret keys everything you can think of or the criminals will still have access mimecast was hacked um minecast announced that criminals stole a private certificate that was used to secure communications between microsoft 365 and customer networks and that meant that criminals could successfully intercept emails and other communications and read the contents of communication so mimecast is again an email security provider their private certificate was compromised and about 10 of their customers could potentially have had their email or other private communication communications read reportedly this was the same threat after as the solar winds attack so why do attackers steal private keys well they can be used to digitally sign software that's scary when you think about it they can be used to read encrypted communications they we saw earlier they can be used to forge tokens um so for example to forge tokens for active directory accounts and ultimately to gain privileged access to resources here's another one malwarebytes said they were hacked yet another cyber security company that said they were hacked by the same group that breached solar winds and this case was a little different in the case of malware whites the criminals actually created a self-signed certificate so they forged a certificate and they then they installed it uh so that it would be a trusted certificate and you can see a little quote from the malwarebytes researcher um the threat actor added a self-signed certificate with credentials to the service principal account so again allowing them to masquerade as an entity of their choice okay let's talk about consent fishing consent fishing has been huge especially as more and more people have suddenly raced to the cloud over the past year consent fishing is when criminals send phishing emails to victims uh in in the hopes that the victim will grant permission to an app and that app will then be able to read your files or access your email or engage in other privileged activity in september microsoft discovered and removed 18 azure ad apps that were sponsored by chinese or that were used by chinese state-sponsored hackers so these are just one example of malicious apps that are already installed in trusted systems and on the right you can see an example of the permissions that are requested of victims so again that email goes out uh people are asked to click on a link and give this app permissions and it says this app would like to read your contacts read your mail read and write to your mailbox settings so potentially forward to your emails have full access to all the files you have access to and so much of the time users will click accept which is scary to think about so you can prevent this from happening by limiting the uh your users abilities to just install random apps willy-nilly that's one important defensive measure that you can take this is also how the sans institute was hacked i'm sure many of you in the security industry are familiar with them sans provide security education they were hacked and they truly formed they shared details i was pretty impressed at the level of detail that they provided the community here's the phishing email that was used to hack them copy of july bonus and when you open that it sends it will take you to a microsoft login page where you are then asked to type in your password and sign in and give an app permissions so again they're bypassing multi-factor authentication by trying to give apps trusted uh trusted privileges and these are targeting cloud collaboration sites so what can you do about this verify third-party apps lock it down restrict that default user access to third-party apps it's kind of like the local admin issue of the day you don't want people to install things willy-nilly make sure that you're really limiting application permissions and only giving applications the access that they need in order to do what you want them to do and finally let's talk about the ways that criminals are bypassing interactive multi-factor authentication again this has become more and more of an issue over the past year or two so social engineering is one big way we see this done criminals are literally calling up users and and tricking them into reading codes over the phone or we've seen cases where a user will get a notification on their phone saying you know hey someone's trying to log into your microsoft account accept or deny and they click accept even though it wasn't them we also see phishing sites so they click on a link it looks like a phishing site microsoft is the number one most impersonated brand out there today so not to pick on them but it's very common and it might ask for their username their password and a code from their phone and again once the user enters that code that code the criminals can then steal that and feed it into microsoft's real site so that they get access we also see sim jacking or sim swapping where criminals take over your phone this happened to jack dorsey the twitter ceo they'll call a telecommunications provider up or maybe just use an app and say hey i got a new phone and if they have personally identifiable information like your social security number they're a lot more likely to succeed in that once your phone number is ported to their new phone the criminals will then receive all your pins so that they can potentially log into your bank account your work or other places you can prevent this from happening by adding a pin to your cellular account in general text messa e sms based authentication is much less secure than app-based two-factor authentication we saw nist uh declare i think it was four years ago in 2016. yep that sms-based two-factor authentication is dead because text messages sms messages are not encrypted and they can easily be intercepted reddit is one example of a company that was hacked even though they had turned on multi-factor authentication for their employee accounts but what they found was that those text messages were intercepted and sms-based authentication was not as secure as they had hoped that was their quote so instead first of all any multi-factor authentication is better than no mfa i would way rather see you guys using sms-based authentication than nothing right but ideally um and partly that's because password-based attacks are rampant we know as of this summer that there are over 15 billion compromise credentials available for sale on hacker forums we know that employees reuse passwords from personal accounts to work accounts and it's very hard to stop them from doing that and so criminals will buy those databases and just find them every place they can at this point i assume that if something is secured just with a password it's that password will be stolen or has already been stolen and criminals are in so any multi-factor authentication is better than no multi-factor authentication but if you can choose stronger multi-factor authentication so turn off sms based authentication use hardware tokens or apps i love apps because they are cheap but sometimes free they're convenient you can keep a whole a long list of different sites uh just using one app make sure you're configuring your apps wisely so that they're authenticating using these strong measures and then train users to resist social engineering and phishing attacks they should know if they get a pop-up on their phone that says um hey will you please uh click this to allow someone access to your account if it's not them they shouldn't be clicking on the link all right we have a few minutes left to briefly touch on our third top threat of 2021 exposure extortion this was a huge change over the past year and it is only going to continue we are seeing more and more threats to expose stolen data and criminal criminals are using that as an extortion tactic pay us or we're going to publish your data online a year ago i advised people do not pay these extortion attempts because what's to stop them from coming back in six months and trying to get more money from you but the problem we're seeing over the past year is that often data subjects whose information stolen see these see the payment as due diligence that it shows that your company did everything they could to prevent the hackers from publishing the data so we're seeing unfortunately a lot of pressure to pay the criminals these extortion demands even though it may or may not actually do any good so here's a couple examples of where data exposure already has been taking center stage in january of 2021. we saw parlor the social media platform 70 terabytes of information was just dumped out there to the world and so these are messages that users thought were private for better for worse including gps location information including deleted messages so when users deleted a message poller didn't actually take the time to remove that message from the system it would just mark it as deleted those are out there as well so this can potentially be very damaging for people's reputation for their relationships and that's just on a personal level not to mention potential business implications we also saw in the solar winds case um exposure extortion suddenly rose to the forefront as well just uh in the past week or two criminals set up a site called solar leaks.net and they claimed as you can see on the screen here that they're putting data from our recent adventure for sale they have microsoft windows source code cisco source code solarwinds source code and fireeye private red team tools source code binaries and documentation all for sale you can get all the sleep data for a million dollars is this true i suspect not i my gut is that these criminals are just putting this out there and hoping someone will pay them some money but you never know and i think we're going to see more and more of that over the next year where we're seeing criminals threaten to expose data to the world and we don't even know if they have that data but so think about that carefully if you see a news article or a website where criminals say we have this sensitive information remember they're criminals don't trust them and and think about whether or not they actually have proof that they have the data so there's been a spike of double extortion ransomware attacks if you are hit with ransomware it's not just about having backups anymore if you have backups the criminals will still try to extort money from you in about 50 of all ransomware cases they are stealing your information before they ever install ransomware and that makes sense because they have access to your data in order to lock it up might as well grab it as well so they're threatening to publish that there's journalists that are following many of the websites that that the maze group and other uh popular double extortion groups were putting up there and as a result these threats have um some weight behind them here's one where a financial institution a bank was actually hacked by criminals and um instead of just locking up the data the criminals threatened to dump millions of credit cards out there for the world and they ended up doing that they leaked that credit card information causing potential pci violations fraud and more so this hits financial institutions for sure here's law firms um the rivo gang has been they're kind of they started copying the maze group and they created the happy blog where they started leaking stolen information to the world you can see two law firms were hacked by the rival gang and their data was put up there for sale and that's again a supply chain concern if one of these law firms was hacked would they notify you that your data was out there a lot of times they don't even know about it but once they do know about it it can take a long time before they decide to notify clients and sometimes if they pay the ransom and the data is never published they choose not to notify so make sure that you have those expectations in writing we've seen a huge rise in uh targeted health care ransomware attacks and tenfold did a research project they found that 46.4 of healthcare data breaches were actually caused by ransomware attacks so almost 50 of healthcare breaches have an underlying cause of ransomware the criminals are getting better and better at what they do so last year we started seeing them form stronger cartels the maze group had a very popular site again that many journalists and others were visiting to see what their latest leaks were and so they started allowing other um cyber criminals to post their stolen data here so here's one maze cartel provided by ragnar and the ragnar locker ransomware start gang started posting their data there as well so that's scary as a result of this we're starting to see more and more data breach lawsuits that happen as a result of ransomware attacks this is a trend that started last year and absolutely will continue so blackbaud was sued um we see some uh healthcare clinics getting sued as a result so again that's a trend that we're likely going to see the good news is that you can prevent a lot of the damage from happening with effective detection tactics so in this chart by fire you can see the amount of time that has elapsed between the time a ransomware gang accesses your network and the time that they actually deploy ransomware and in that time period they are lurking and researching and stealing your data so you want to be able to proactively find them before they have stolen your crown jewels so make sure that you are conducting threat hunting and monitoring budget for effective monitoring budget for threat hunting this year in addition to moving forward on your supply chain vetting process again if you have any questions feel free to drop us a line i'm on linkedin you can drop us a line through the contact form at lmg's website as well or any other way you would like to contact us okay so if you are hit with exposure extortion do you pay the ransom or do you not um again one question is how do you know if they've really deleted the data we are starting to see cracks in the facade we know that many of the games like sadina kibi maze netwalker and others are have in some cases not held up their end of the bargain and for one reason or another the data gets published anyway so you're out the money and then you still might have to announce but you know there's pros and cons to this um last year we saw uber uh the former uber security chief was charged with concealing a hack um two criminals extorted uber for a hundred thousand dollars they stole data and they promised if they were paid a hundred thousand dollars they would delete it uber did not disclose that breach and their former cso is now being criminally charged as a result so watch out that is again likely to be a trend the criminals even signed an nda but later on they were actually indicted as a result of another hack and they said yeah we deleted it but we also shared the data with one of our friends and we don't know what that person did with it so you can't trust criminals and a lot of times this data gets laundered and put out on the dark web anyway so again we are seeing a new trend of payment as due diligence it makes the data subjects feel better if you pay the ransom it can make them angry if you don't um but uh then you're also funding criminal operations so how do ransomware um how do ransomware gangs get in typically three ways either they compromise your organization using exposed rdp login interfaces they engage in email phishing or there's a software vulnerability that they exploit so what can we do to protect ourselves from these types of exposure extortion attacks number one use a vpn so that you don't have an exposed rdp interface make sure you're defending against fishing not to sound like a broken record but it's one of the top ways that you can prevent problems from happening think before you click patch your systems i know cases like solar winds might make people hesitant to patch but it is so important to patch your systems and not just your your workstations and servers but also things like your vpns we have seen criminals over the past you're really monitoring carefully for vulnerabilities and vpns um we saw the rebel ransomware gang was specifically targeting pulse secure vpn servers after vulnerability was announced um we've seen some other vulnerabilities announced recently so make sure you're right on top of patching the risk from not patching is greater than the risk involved in a supply chain issue so patch your systems regularly to recap our top threats in 2021 number one supply chain attacks cannot emphasize that enough number two sophisticated authentication bypass issues number three exposure extortion and here's our checklist of defensive measures to prioritize this year number one vet your suppliers and include those key suppliers in your response planning crank up your logging and monitoring this is the year of detection make sure you're limiting your suppliers access that can reduce your risk very quickly without a big investment um choose strong multi-factor authentication conduct thread hunting and patch your systems there's a few others in there i'll let you go through this at your leisure again just try to make whatever progress you can aim for progress and not perfection in 2021. again we have another cyber first responder class coming up hope to see some of your faces there it's one day boot camp hands-on and it'll show you how to detect and respond to cyber security incidents so check it out lgsecurity.com cfr and thank you so much i will stick around for a few minutes in case anyone has any questions thanks so much sherry for that presentation um we have come to the end of our time today so if anyone has any questions that they would like to be answered feel free to drop sharia line she has her social media information up on the screen and you're also welcome to reach out to lmg security and somebody will be happy to answer any questions you have we would like to thank everyone who attended today's webinar please take a moment to fill out the survey afterwards and let us know what you thought the recorded video from this presentation and handouts will be made available to attendees and we will send out a notification once they are live thank you to everybody and have a great day