M-Trends 2019: Trends From the Front Lines of Today's Cyber Attacks
Dan Faltisco, Consulting Systems Engineer
2019 FireEye

Agenda
Who we are and how we gather this information
Trends from the front lines
Threat Actor Profiles: newly identified threat actor groups
Lessons Learned
Q&A

Case studies and examples are drawn from our experiences and activities working for a variety of customers, and do not represent our work for any one customer or set of customers. Efforts have been taken to obscure the identity of our customers and individuals associated with our customers in this presentation.
On the Front Lines. Every Day.
700+ threat researchers, platform engineers, malware analysts, intelligence analysts, and investigators
35+ nation-state sponsored APTs tracked
Cyber threat operations centers worldwide
24,000 intelligence reports published in 2018
Thousands of incident response hours each year
600K to 1M malware samples collected daily from 70+ sources
M-Trends: Tracking Our Investigative Experience
10th anniversary: informing the cyber security community since 2010
Annual publication sought after by security professionals and market analysts
Data based on 12 months of forensic investigative findings (10/01/17 to 09/30/18)
Who's a Target?

Global Median Dwell Time
Dwell time is calculated as the number of days an attacker is present on a victim network, from first evidence of compromise to detection.
[Charts: Global Median Dwell Time and Dwell Time by Detection Source, 2015 to 2018. Values as extracted: 416, 243, 229, 205 (one series) and 58.5, 56, 50.5 (a second series); the year-to-value mapping did not survive extraction.]

Once a Target, Always a Target
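The dwell-time metric defined on the "Global Median Dwell Time" slide, computed from incident records and split by detection source the way the "Dwell Time by Detection Source" chart does. This is an added example, not code or data from the presentation or from FireEye; the incident records are constructed for illustration and are not M-Trends figures.

```python
"""Median dwell time as the slide defines it: days from first evidence of
compromise to detection, optionally split by who detected the intrusion.
Added example with constructed incident records (not M-Trends data)."""
from datetime import date
from statistics import median

# Constructed sample: (first evidence of compromise, detection date, detection source)
INCIDENTS = [
    (date(2018, 1, 10), date(2018, 2, 28), "internal"),
    (date(2017, 11, 2), date(2018, 6, 4), "external"),
    (date(2018, 3, 15), date(2018, 3, 29), "internal"),
    (date(2018, 5, 1), date(2018, 5, 30), "internal"),
    (date(2017, 10, 20), date(2018, 4, 1), "external"),
]


def dwell_days(first_evidence, detected):
    """Dwell time for one incident, in days.

    A detection date earlier than the first evidence of compromise is a data
    entry error (or the forensic timeline was revised), so refuse it rather
    than silently producing a negative span that would drag the median down.
    """
    if detected < first_evidence:
        raise ValueError("detection precedes first evidence of compromise")
    return (detected - first_evidence).days


def median_dwell(incidents, source=None):
    """Median dwell in days, optionally restricted to one detection source
    ("internal" or "external"). Returns None when nothing matches, rather
    than a misleading 0."""
    spans = [dwell_days(first, found) for first, found, src in incidents
             if source is None or src == source]
    return median(spans) if spans else None


if __name__ == "__main__":
    print("global median dwell:  ", median_dwell(INCIDENTS))
    print("internal detection:   ", median_dwell(INCIDENTS, "internal"))
    print("external notification:", median_dwell(INCIDENTS, "external"))
```

Splitting the median by detection source is the point: a low global number can hide a long tail of intrusions that were only found when an outside party notified the victim.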
Threat Actor Profiles: Newly Named Groups in 2018/19

A few notes before we begin
Our methodology
APT vs. FIN vs. TEMP
How do we know?

Newly Named APT Groups

APT37 (North Korean threat group), named February 19, 2018
Known as Reaper
Primary regional targets: South Korea, Japan, Vietnam, Middle East
Primary industry targets: chemicals, electronics, manufacturing, aerospace, automotive, healthcare, foreign corporations
Demonstrated willingness to use its cyber capabilities to achieve goals without regard for international norms

APT38 (North Korean threat group), named October 2, 2018
Primarily targets the financial industry in economically developing regions
Executes sophisticated bank heists featuring long planning, access to the victim environment for a prolonged period of time, and the ability to operate across mixed operating systems

APT39 (Iranian threat group), named January 29, 2019
Primary regional target: Middle East
Primary industry targets: telecommunications, travel, high tech
Activity suggests surveillance of political targets as its primary function

APT40 (Chinese threat group), named December 19, 2018
Primary regional targets: Southeast Asia, USA
Primary industry targets: maritime, defense, aviation, chemicals, research, education, government, high tech
Moderately sophisticated; demonstrates access to significant development resources, as well as the ability to leverage shared and publicly available tools

APT41 (Chinese threat group), named August 7, 2019
Wide variety of geographical targets: Europe, India, Japan, USA
Primary industry targets: healthcare, high tech, video games, media, telecommunications, virtual currencies
Primarily focused on espionage operations, moonlighting as financially motivated: targeting gaming companies and manipulating virtual currencies

Lessons (Re)Learned in 2018

Lesson 1: Greater phishing risks during M&A using compromised email accounts
Lesson 2: Importance of multi-factor authentication, passphrase policy and account segmentation
Lesson 3: Complexity of deconflicting between legitimate testing and real attack activity

Recommendations (Lesson 1):
Conduct a compromise assessment of the acquisition to identify any current or previous compromises, including sweeping the network for Indicators of Compromise (IOCs)
Deploy the parent company's controls and monitoring services before merging networks
Recommendations (Lesson 2):
Enforce MFA for all externally accessible login portals
Require a minimum passphrase length of 20 characters (especially for service accounts)
Consider a vaulting solution to manage privileged credentials
Follow the principle of least privilege when provisioning accounts
Remember that administrators of domain controllers are inherently domain administrators

Recommendations (Lesson 3):
Maintain process documentation to aid in deconflicting between legitimate exercise and attacker activity
Never assume suspicious activity is linked to authorized red team or audit activity
Require red teams to thoroughly document their actions in your environment: tools used, MD5s, and actions performed on endpoints

Defense Trends: Premediation
Premediation (noun): proactively implementing common remediation-focused initiatives
Focus areas: general posturing, Active Directory hardening, visibility and detection
Tiered architecture model
Jump boxes / PAWs (privileged access workstations)
MFA
GPOs to restrict privileged account usage
Protected Users group
Separate VPN profiles for admins
Office hardening
System-to-system communication restriction
User privileges
Built-in local admin account password randomization

Defense Trends: Programmatic Enhancements
Common mistakes in enterprise investigations:
Destruction of evidence
Insufficient investigation or escalation, leading to prolonged dwell times
Poorly timed or failed eradication actions
Recommendations:
Conduct regular review of IRPs, use cases, and playbooks
Ensure processes account for evidence preservation
Understand the context of identified threats and escalate
Incorporate the concept of eradication timing
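The deconfliction problem in Lesson 3 (and the red team documentation it calls for: tools used, MD5s, actions performed on endpoints) is easier to reason about with a concrete check. Below is an added example, not code from the presentation or from FireEye, of matching SOC alerts against the manifest a red team handed over before its exercise. The manifest, hostnames, hashes and alerts are all constructed for illustration. The rule the slides insist on is built in: an alert is only labelled as documented red-team activity when hash, host and time window all agree, and even then the verdict is "verify with the red team", never "close"; a known red-team hash seen on an undocumented host or outside the window is treated as attacker activity.

```python
"""Deconflict SOC alerts against a red team's documented activity.
Added example; manifest, hashes, hosts and alerts are constructed."""
from datetime import datetime

# Constructed red-team manifest: what the team documented for the exercise.
RED_TEAM_MANIFEST = {
    # Authorized exercise window (inclusive)
    "window": (datetime(2018, 9, 10, 8, 0), datetime(2018, 9, 14, 18, 0)),
    # Hosts the team was authorized to touch
    "hosts": {"WS-FIN-042", "SRV-JUMP-01"},
    # MD5 of every tool the team brought, with a description (constructed values)
    "tool_md5s": {
        "0d6f7e4c2a9b8c1d3e5f6a7b8c9d0e1f": "constructed: custom dropper",
        "9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d": "constructed: credential dumper",
    },
}

# Constructed alerts as an EDR might emit them (note the mixed-case hash).
ALERTS = [
    {"md5": "0D6F7E4C2A9B8C1D3E5F6A7B8C9D0E1F", "host": "WS-FIN-042",
     "time": datetime(2018, 9, 11, 14, 30), "desc": "suspicious binary executed"},
    {"md5": "9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d", "host": "DC-01",
     "time": datetime(2018, 9, 12, 2, 15), "desc": "LSASS memory read"},
    {"md5": "0d6f7e4c2a9b8c1d3e5f6a7b8c9d0e1f", "host": "WS-FIN-042",
     "time": datetime(2018, 9, 20, 9, 0), "desc": "suspicious binary executed"},
    {"md5": "ffffffffffffffffffffffffffffffff", "host": "WS-FIN-042",
     "time": datetime(2018, 9, 11, 15, 0), "desc": "new scheduled task"},
]


def classify(alert, manifest):
    """Return (verdict, reason).

    'documented'  : hash, host and time all match the manifest. Confirm with the
                    red team before closing; documentation is evidence, not proof.
    'investigate' : treat as real attacker activity until proven otherwise.
    """
    start, end = manifest["window"]
    md5 = alert["md5"].lower()          # normalise case before comparing hashes
    known_tool = md5 in manifest["tool_md5s"]
    in_scope_host = alert["host"] in manifest["hosts"]
    in_window = start <= alert["time"] <= end

    if known_tool and in_scope_host and in_window:
        return "documented", manifest["tool_md5s"][md5]
    if known_tool:
        # A red-team tool on an undocumented host, or outside the window, is exactly
        # the case not to wave through: the tool may have been copied by a real
        # attacker, or the attacker may simply be using the same public tooling.
        why = "host not in manifest" if not in_scope_host else "outside exercise window"
        return "investigate", f"known red-team hash but {why}"
    return "investigate", "hash not in manifest"


def deconflict(alerts, manifest):
    """Classify every alert; returns (host, description, verdict, reason) tuples."""
    return [(a["host"], a["desc"], *classify(a, manifest)) for a in alerts]


if __name__ == "__main__":
    for host, desc, verdict, reason in deconflict(ALERTS, RED_TEAM_MANIFEST):
        print(f"{verdict:12} {host:12} {desc:28} {reason}")
```

Only the first alert comes back as documented; the credential dumper on DC-01 and the dropper re-executed six days after the window both stay open as potential real intrusions, which is the behaviour the "never assume" recommendation asks for.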