MS-ISAC Overview

Transcript: MS-ISAC Overview

LEE MYERS
SENIOR MANAGER OF SECURITY OPERATIONS
MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER
The U.S. Department of Homeland Security has designated the MS-ISAC as its key cybersecurity resource for cyber threat prevention, protection, response and recovery for all U.S. State, Local, Tribal and Territorial (SLTT) governments.
WHO WE SERVE
MS-ISAC Members include:
• All 56 US States and Territories
• All 78 federally recognized fusion centers
• More than 1,000 local governments and tribal nations
State, Local, Tribal, and Territorial: cities, counties, towns, airports, public education, police departments, ports, transit associations, and more
24 X 7 SECURITY OPERATIONS CENTER
Central location to report any cybersecurity incident
• Support:
  • Network Monitoring Services
  • Research and Analysis
• Analysis and Monitoring:
  • Threats
  • Vulnerabilities
  • Attacks
• Reporting:
  • Cyber Alerts & Advisories
  • Web Defacements
  • Account Compromises
  • Hacktivist Notifications
To report an incident or request assistance:
Phone: 1-866-787-4722
Email: [email protected]
INTELLIGENCE SOURCES
• 24 x 7 x 365 Monitoring
• Analysis of ~500 billion logs/month
• Integration with federal agencies via the NCCIC, NCIJTF and private companies
• Research into vulnerabilities, exploits, TTPs, patterns, and trends
• Constant contact with all ISACs
Information Sharing and Analysis Centers
Multi-State
Electric Sector
Defense Industrial Base
Health
Oil and Gas
Surface Transportation
Public Transit
Aviation
Downstream Natural Gas
ICS
Legal Services
Supply Chain
Real Estate Sector
Water Sector
Research and Education
Emergency Management and Response
Information Technology
Automotive
Financial Services
Maritime
Nuclear Sector
Communications
LEVELS OF ACCESS: Public Information; Any SLTT; Full MS-ISAC Membership; Fee Based Services
MS-ISAC ADVISORIES
Public Information
MONTHLY NEWSLETTER
Distributed in template form to allow for re-branding and redistribution by your agency
Public Information
MONITORING OF IP RANGE & DOMAIN SPACE
IP Monitoring:
• IPs connecting to malicious C&Cs
• Compromised IPs
• Indicators of compromise from the MS-ISAC network monitoring (Albert)
• Notifications from Spamhaus
Domain Monitoring:
• Notifications on compromised user credentials, open source and third party information
• Vulnerability Management Program (VMP)
Send domains, IP ranges, and contact info to: [email protected]
Any SLTT
VULNERABILITY MANAGEMENT PROGRAM
What Data Are We Collecting?
• Server type and version (IIS, Apache, etc.)
• Web programming language and version (PHP, ASP, etc.)
• Content Management System and version (WordPress, Joomla, Drupal, etc.)
Email notifications are sent with 2 attachments containing information on out-of-date and up-to-date systems:
• Out-of-Date systems should be patched/updated and could potentially have a vulnerability associated with them
• Up-to-Date systems have the most current patches
Any SLTT
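As an added example (not MS-ISAC's VMP code) of the version triage this slide describes: pull the server, language and CMS version strings out of a web response and split them into the out-of-date and up-to-date buckets that the two attachments report. The reference version table and the sample response are constructed placeholders, not real current releases or a real host.

```python
import re

# Constructed placeholder reference table (not real current release numbers);
# a production tool would pull these from vendor release feeds.
REFERENCE_CURRENT = {
    "apache": "2.4.41",
    "nginx": "1.18.0",
    "iis": "10.0",
    "php": "7.4.3",
    "wordpress": "5.4.1",
    "drupal": "8.8.5",
}

def parse_version(text):
    """Turn '2.4.41' into (2, 4, 41) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def extract_components(headers, html):
    """Pull product/version pairs from the Server and X-Powered-By headers
    and from the CMS <meta name="generator"> tag in the page body."""
    found = {}
    for field in ("Server", "X-Powered-By"):
        for name, ver in re.findall(r"([A-Za-z-]+)/([\d.]+)", headers.get(field, "")):
            found[name.lower().replace("microsoft-", "")] = ver  # "Microsoft-IIS" -> "iis"
    m = re.search(r'<meta name="generator" content="([A-Za-z]+) ([\d.]+)"', html, re.I)
    if m:
        found[m.group(1).lower()] = m.group(2)
    return found

def classify(found, reference=REFERENCE_CURRENT):
    """Split detected components into the two notification buckets."""
    out_of_date, up_to_date = [], []
    for name, ver in found.items():
        current = reference.get(name)
        if current is None:
            continue  # product not in the reference table: nothing to compare against
        bucket = out_of_date if parse_version(ver) < parse_version(current) else up_to_date
        bucket.append((name, ver, current))
    return {"out_of_date": out_of_date, "up_to_date": up_to_date}

# Constructed sample response from a hypothetical host, not real data.
SAMPLE_HEADERS = {"Server": "Apache/2.2.15", "X-Powered-By": "PHP/7.4.3"}
SAMPLE_HTML = '<head><meta name="generator" content="WordPress 4.9.8"></head>'

def sample_report():
    """Classify the constructed sample: Apache and WordPress lag, PHP is current."""
    return classify(extract_components(SAMPLE_HEADERS, SAMPLE_HTML))
```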
COMPUTER EMERGENCY RESPONSE TEAM (CERT)
• Incident Response (includes on-site assistance)
• Network & Web Application Vulnerability Assessments (Fee)
• Malware Analysis
• Computer & Network Forensics
• Log Analysis
• Statistical Data Analysis
• Penetration Testing (Fee)
To report an incident or request assistance:
Phone: 1-866-787-4722
Email: [email protected]
Any SLTT
WHAT IS AN “INCIDENT”?
As defined by NIST:
A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
Examples:
Phishing
Network Intrusion
DDoS
Ransomware
AFTER ACTION REVIEW
• Who, What, When, Where and How it Happened
• The Good, The Bad, and The Ugly
• Incident Response Plan
• Training
• Documentation
BENEFITS OF MEMBERSHIP
• Access to information, intelligence, products, resources, and webcasts
• Insider access to federal information
• Training and resource discounts
• CIS Security Benchmarks discounts
• US-CERT Portal access
• Cybersecurity exercise participation
• Malicious Code Analysis Platform (MCAP) access
MS-ISAC Membership
US-CERT PORTAL
Access to:
• MS-ISAC Cyber Alert Map
• Archived webcasts & products
• Cyber Table Top Exercises
• Guides and templates
• Message Boards
MS-ISAC Membership
MS-ISAC PRODUCTS
Cybersecurity Advisory: short, timely emails containing technical information regarding system patching and similar system maintenance activity
Incident Notifications: via phone or email, as appropriate – domain & IP based
National Webcasts: 6 bi-monthly webcasts on national topics of interest
Purchasing Alliance: Discounted purchasing buys
End User Newsletters: Monthly newsletter to rebrand and distribute
Cyber Alerts: short, timely emails containing information on a specific cyber incident or threat
Intel Papers: Intelligence-driven papers on TTPs, trends, patterns, and actors affecting SLTT governments
Threat Information: Information on malicious domains, IPs, and current threat events
Cybersecurity Toolkit: Items to promote cybersecurity awareness in your organization
Hot Topics Webcasts: Monthly guest speakers on areas of interest to MS-ISAC members
MS-ISAC CYBER ALERTS
MS-ISAC Membership
MS-ISAC INTEL PAPERS
MS-ISAC Membership
WEEKLY MALWARE IPS AND DOMAINS
MS-ISAC Membership
MALICIOUS CODE ANALYSIS PLATFORM
A web based service that enables members to submit and analyze suspicious files in a controlled and non-public fashion:
• Executables
• DLLs
• Documents
• Quarantine files
• Archives
To gain an account contact: [email protected]
MS-ISAC Membership
FEE BASED SERVICES
• Network Monitoring (Albert)
• Managed Security Services (MSS)
• Web application vulnerability assessments
• Network vulnerability assessments
• Penetration testing
• Phishing engagements
• Security assessments
For more info on any of these contact: [email protected]
Fee Based Services
NETWORK MONITORING (ALBERT)
• SLTT focus
• 24x7x365 research, analysis, and support
• Signatures unique to SLTT governments
• Real-time information sharing with SLTT partners
• Experienced cybersecurity analysts who review each event, minimizing the number of false-positive notifications
Fee Based Services
LEE MYERS
SENIOR MANAGER OF SECURITY OPERATIONS
TRAFFIC LIGHT PROTOCOL (TLP)
FINANCIALS, PII, PHI
Account compromises of PII
• Emails
• Login credentials
• DOB, SSN, Contact Information
PHI
• PHI is more valuable in underground markets
• Hospitals a potential target in the wake of insurance breaches
Point of Sale systems
• Those slow to adopt EMV become a target
TLP: WHITE
Vikingdom
“Lulz,” Bragging Rights, Personal Motivations
VIKINGDOM
From March – August 2015 Vikingdom claimed:
• 77 DDoS attacks against state and local government websites in 34 states
• SQLi POC targeting against 1000+ university URLs
2015 VIKINGDOM DDOS ACTIVITY
[Map of the United States with per-state counts of claimed DDoS activity; the state labels and counts did not survive extraction. Legend, Impact Levels: No Targeting, Unknown, Limited, Moderate, Severe, Catastrophic]
TLP: AMBER
WHAT CAN YOU DO?
Low Hanging Fruit!
1. PATCH!
2. Use defensive software
3. Back-up
4. Train users
5. Enforce strong, complex, unique passwords
Critical Security Controls
1. Identify authorized and unauthorized devices
2. Inventory authorized and unauthorized software
3. Secure configurations for hardware and software
4. Continuous vulnerability assessment and remediation
5. Controlled use of admin privileges
TLP: WHITE
IDENTIFY MALICIOUS ACTIVITY
• Antivirus
• Firewalls
• IDS/IPS
• Logs (90 days!)
Places to Look:
• Pastebin, Ghostbin, Zerobin
• Twitter
• Facebook
• Google
• SHODAN
Things to Look For:
• Announcements
• Hashtags
• Doxings
[Screenshot: Hacktivist DDoS Claim]
TLP: WHITE
SHARE INFORMATION
• Be prepared
• Learn from others’ best practices
• Gather intel to help you be proactive
• Be willing to ask for help
• Identify other resources to augment what you are doing
• Be a part of the solution
• Take part in information sharing
LOOKING FORWARD
Tactics, Techniques, and Procedures
Targeted Data and Systems
Cyber Threat Actors
Developing Issues
TLP: WHITE
EXTORTION
• DDoS
• DDoS for Bitcoin (DD4BC)
• Ransomware
• New threats (data posting)
• Ransomware-as-a-service
TLP: WHITE
TTPs
ICS & MEDICAL DEVICES
INDUSTRIAL CONTROL SYSTEMS
• Increased interest in ICS vulnerabilities
• Honeypots
• Black Energy
Medical Devices
• Personal vs. Hospital Devices
• Continued vulnerabilities
• Increased regulation
TLP: WHITE
CYBER INSURANCE
Organizations need to consider cyber risk insurance as part of their insurance portfolio:
• Cost of remediating/replacing systems
• Cost of notifying/protecting affected individuals
Don’t Get Burned!
Ensure you understand your policy’s coverage
QUESTIONS?
WHO DO I CALL?
Security Operations Center (SOC)
[email protected] - 1-866-787-4722
31 Tech Valley Dr., East Greenbush, NY 12061-4134
www.cisecurity.org
To join or get more information: https://msisac.cisecurity.org/members/index.cfm
TLP: WHITE
MS-ISAC CONTACT NUMBERS
Thank You!
Lee Myers
[email protected]
Security Operations Center
24/7 Phone Number
1-866-787-4722
[email protected]
MS-ISAC HQ
Front Desk
518-266-3460
[email protected]