M-Trends 2019 - ISSA International

M-Trends 2019 - ISSA International

M-Trends 2019 Trends From the Front Lines of Todays Cyber Attacks Dan Faltisco Consulting Systems Engineer Agenda Who we are and how we gather this information Trends from the front lines Threat Actor Profiles newly identified threat actor groups Lessons Learned Q&A 2019 FireEye Case studies and examples are drawn from our experiences and activities working for a variety of customers, and do not represent our work for any one customer or set of customers. Efforts have been taken to obscure the identity of our customers and individuals associated with our customers in this presentation.

3 2019 FireEye On the Front Lines. Every Day. 700+ THREAT RESEARCHERS, PLATFORM ENGINEERS, MALWARE ANALYSTS, INTELLIGENCE ANALYSTS, AND INVESTIGATORS 35+ NATION-STATE SPONSORED APTs TRACKED 2019 FireEye 4

CYBER THREAT OPERATIONS CENTERS WORLDWIDE 24,000 INTELLIGENCE REPORTS PUBLISHED IN 2018 THOUSAND S OF INCIDENT RESPONSE HOURS EACH YEAR 600K 1M MALWARE SAMPLES COLLECTED DAILY FROM 70+ SOURCES

M-Trends: Tracking our investigative experience 10th anniversary Informing the cyber security community since 2010 5 2019 FireEye Annual publication sought after by security professionals and market analysts Data based on 12 months of forensic investigative findings (10/01/17 09/30/18)

Whos a Target? 6 2019 FireEye Global Median Dwell Time Dwell Time is calculated as the number of days an attacker is present on a victim network, from first evidence of compromise to detection. 450416 400 350 300 250 243 229 205

200 146 150 99 100 101 78 50 0 2011 7 2019 FireEye 2012

2013 2014 2015 2016 2017 2018 Dwell Time Trending 350 External 300 320 Overall Internal

250 200 186 184 150 146 100 107 101 99 80 50 78

58.5 56 0 2015 2016 2017 Dwell Time by Detection Source 8 2019 FireEye 50.5 2018 Once a Target, Always a Target

9 2019 FireEye Threat Actor Profiles Newly Named Groups in 2018/19 A Few Notes Before we Begin Our Methodology APT vs. FIN vs. TEMP How do we know? 2019 FireEye Newly Named APT Groups 12 2019 FireEye Newly Named APT Group APT37 North Korean threat group

Known as Reaper Primary regional targets: South Korea Japan Vietnam Middle East Primary industry targets: FEBRUARY 19, 2018 13 2019 FireEye Chemicals Electronics Manufacturing Aerospace Automotive Healthcare Foreign corporations Demonstrated willingness to use its

cyber capabilities to achieve goals without regard for international norms Newly Named APT Group APT38 North Korean threat group Primarily target financial industry in economically developing regions Execute sophisticated bank heists featuring: Long planning Access to victim environment for prolonged period of time Ability to operate across mixed operating systems OCTOBER 2, 2018

14 2019 FireEye Newly Named APT Group APT39 Iranian threat group Primarily regional target Middle East Primary industry targets Telecomm Travel High Tech Activity seems to suggest surveillance of political targets as primary function FEBRUARY 19, 2018 15 2019 FireEye Newly Named APT Group APT40

Chinese threat group Primarily regional target SE Asia, USA Primary industry targets Maritime Defense Aviation Chemicals Research Education Government High Tech Moderately sophisticated, demonstrates DECEMEBER 19, 2018

16 2019 FireEye access to significant development resources, as well as the ability to leverage shared and publicly available tools Newly Named APT Group APT 41 Chinese threat group Wide Variety of Geographical Targets: Europe, India, Japan, USA Primary industry targets Healthcare High Tech Video Game Media Telecoms Virtual Currencies Primarily Focused on Espionage operations, August 7, 2019

2019 FireEye moonlighting as financially motivated targeting gaming companies and manipulating virtual currencies. Lessons (Re)Learned Lessons (re)Learned in 2018 LESSON 1 LESSON 2 LESSON 3 Greater phishing risks during M&A using compromised email accounts Importance of Multi-Factor Authentication, Passphrase Policy & Account

Segmentation Complexity of deconflicting between legitimate testing and real attack activity Recommendations Conduct a compromise assessment of the acquisition to identify any current or previous compromises to include, sweeping, the network for Indicators of Compromise (IOCs) Recommendations Recommendation Deploy parent controls and monitoring services before merging networks

19 2019 FireEye Enforce MFA for all externally accessible login portals Minimum of 20 characters (especially for services accounts) Consider a vaulting solution to manage privilege Follow principle of least privilege when provisioning accounts

Administrators of domain controllers are inherently domain administrators Maintain process documentation to aid in deconflicting between legitimate exercise and attacker activity Never assume suspicious activity is linked to authorized red team or audit activity Require Red Teams to thoroughly document their actions in your

environment Tools used MD5s Actions preformed on endpoints Defense Trends Premediation Premediation: noun. Proactively implementing common remediation-focused initiatives General Posturing Active Directory Hardening Visibility and detection

Asset management Enterprise password Forest architecture and trusts Operational Processes and resets Network segmentation 20 2019 FireEye Monitoring Defense Trends Premediation Privileged Account Management Endpoint Hardening

Tiered Architecture Model Jump Boxes / PAWS MFA GPOs to restrict Privileged Account Usage Protected Users Group Separate VPN Profiles for Admins 21 2019 FireEye Office hardening

System to system communication restriction User privileges Built-in local admin account password randomization Defense Trends Programmatic Enhancements Common mistakes in enterprise investigations: Destruction of evidence Insufficient investigation/escalation -> Prolonged dwell times Poorly timed/failed eradication actions Recommendations: Conduct regular review of IRPs, Use Cases, and Playbooks Ensure processes account for evidence preservation Understand context of identified threats and escalate Incorporate concept of eradication timing

22 2019 FireEye Questions? Thank You

Recently Viewed Presentations

  • Moral or Natural evil?

    Moral or Natural evil?

    Why is Augustine's Theodicy often referred to as the Soul-deciding theodicy? Discuss in pairs. Augustine's Theodicy . Draw a flow diagram showing how Augustine's Theodicy works or describes it. Include key terms: Privation, Fall of Man, Seminally, free will.
  • General Engineering Knowledge General Engineering Knowledge Part 1

    General Engineering Knowledge General Engineering Knowledge Part 1

    Bilge and transfer pumps should be fitted with remote shutdowns that will allow them to be stopped by a member of the deck crew if they detect any pollutant being discharged. Fire Mains The fire main is a network of...
  • www.nwleics.gov.uk Developing a Health and Wellbeing Strategy for

    www.nwleics.gov.uk Developing a Health and Wellbeing Strategy for

    The most popular sports are cycling, gym and swimming. People have busy lifestyles with high levels of employment. Transport is an issue, which can add to elevated levels of rural and social isolation.
  • Module 1: Introduction to Desktop Virtualization

    Module 1: Introduction to Desktop Virtualization

    Virtual Desktop Infrastructure (VDI) and Remote Desktop Services session-based desktops are the key technologies that enable virtual desktops, whereby a desktop that runs in the data center can be delivered to the end-user's device using Remote Desktop Protocol (RDP).
  • INTRODUCTION TO Machine Learning 2nd Edition

    INTRODUCTION TO Machine Learning 2nd Edition

    Use transparencies and/or the blackboard. Do not write too much on a transparency (about 5-12 lines; does not apply to examples). Use large fonts. Use Large Fonts! Use Color!! Unreadable transparencies are unacceptable! Don't put unrelated things on the same...
  • Lymph System - Georgia Highlands College

    Lymph System - Georgia Highlands College

    3) Often only a single dose is generally needed to induce long-lasting immunity Immune Responses 4) Can be spread from an immunized individual to non-immunized people, inadvertently immunizing the contacts
  • Compensation - nesacenter.org

    Compensation - nesacenter.org

    Compensation Questions. Do we have to pay more for some teachers? - Math, Science, Computer. Do we pay less for Lower School? What about collegiality issues with differentiated pay - traditions of equity on campus? Does everyone deserve a raise...
  • Education Research Groups Lead: Professor Nicola Martin PhD

    Education Research Groups Lead: Professor Nicola Martin PhD

    Aspects of Inclusive Assessment within the context of UDL. Pre Entry UG Student Self Assessment. Leadley-Meade, Z. and Goodwin, R. (2019) Pre-entry self-assessment and mapping to relevant services as a means of developing learner autonomy in undergraduates.