20140226 Cyber incident dilemmas for CxO level

Business & Mgmt

Published on February 27, 2014

Author: LucBeirens

Source: slideshare.net

Description

Short overview of recent cybercrime, the choices management must make during cyber incidents, and some explanation to help reflect on the issues.

Security seminar: Cyber incident dilemmas. New challenges for cybercrime victims. Can you make the right choice? Luc Beirens, Head Federal Computer Crime Unit. © Luc Beirens - FCCU

Challenging cybercrime, challenging questions

Cost & time to attack cyber space vs. cost & time to secure cyber space

Police ransomware

New versions give you 72 hours to react; after that, no more keys are available.

New dilemmas © Belgian Federal Computer Crime Unit


Malware: • Generic malware • Targeted malware
Botnets: • External botnet • Internal botnet
Social engineering: • Role of social media • Focused on the individual situation

“Cheap” versions (starting from 25 €), easily available • Sold as a package • Offered as Crime as a Service (subscribe & manage online) • Goal => large-scale infections to create botnets • Use of botnets for e-banking fraud, spam, DDoS, spying

Goal of the malware: stay in & control the network unnoticed over a long period. Very expensive => where is the return on investment?
• Several infection methods: waterholing, quantum injection, social engineering
• Built in several stages from different files, often with artisanal intervention
• Own storage system, hidden from the operating system
• Own network routing: guaranteed routing inside the network & exit to the internet
• Configuration files specific to the attacked architecture
• Crypto on stored data and on data in transmission
• Large number of powerful network operating & maintenance functions
• Anti-detection capabilities (commands do not show its processes / connections)
• Anti-forensic functions (act without logging, clean up & self-destruct)

Dilemmas

Question 1: Do you call in external experts?

External experts?
• In most cases: discovery of some strange event by your own ICT personnel, or even with the help of the usual ICT service providers => they do not recognize the problem
• Cybercrime & espionage go way beyond daily maintenance
• Difficult to find traces => is it crime or just a software problem?
• Easy to wipe out traces => by doing a restore to recover
• Help in incident management
• Collect / analyse / interpret traces => forensic services
• How to mitigate the problem? => teaming up ICT & forensics
• How to communicate? => communication specialists

Question 2: Do you immediately clean up the detected infected system?

Immediate cleanup?
• If after analysis you determine: it might be malware
  • Stop the problem by shutting down? => RAM contains valuable data that is lost
  • Clean up by restoring? (infected backup?)
  • Clean up by reinstalling? (overwriting evidence?)
  • Clean up by replacing the infected system? => we keep the evidence
• Was it the only infected system?
• Consider leaving the infection in place for some time => to look at the suspected data traffic
• Dilemma: is the damage of leaving the infection ongoing bigger than the damage of not detecting other possibly infected systems?
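The slide above suggests watching the suspect host's traffic for a while before cleaning up, and asking whether it was the only infected system. The script below is an added example, not code from the presentation: it parses constructed firewall log lines (the hosts, addresses, timestamps and the log format are all assumptions), finds the destinations the known-infected host contacts at near-constant intervals (beaconing to a command-and-control server) and then lists every other internal host that talks to those same destinations, which is the shortlist for a second look before anything is wiped.

```python
"""Added example (not from the slides): triage of suspected data traffic.

Given a known-infected host, find where it beacons to and which other
internal hosts contact the same destinations. All addresses and log lines
below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed log lines: "<timestamp> <src_ip> -> <dst_ip>:<port>"
SAMPLE_LOG = """\
2014-02-20T09:00:00 10.1.1.15 -> 203.0.113.7:443
2014-02-20T09:00:03 10.1.1.15 -> 198.51.100.20:80
2014-02-20T09:05:00 10.1.1.15 -> 203.0.113.7:443
2014-02-20T09:07:41 10.1.1.15 -> 198.51.100.21:80
2014-02-20T09:10:00 10.1.1.15 -> 203.0.113.7:443
2014-02-20T09:15:00 10.1.1.15 -> 203.0.113.7:443
2014-02-20T09:20:00 10.1.1.15 -> 203.0.113.7:443
2014-02-20T09:12:30 10.1.1.42 -> 203.0.113.7:443
2014-02-20T09:17:30 10.1.1.42 -> 203.0.113.7:443
2014-02-20T09:22:30 10.1.1.42 -> 203.0.113.7:443
2014-02-20T09:03:10 10.1.1.99 -> 198.51.100.20:80
"""

KNOWN_INFECTED = "10.1.1.15"  # assumed: the host the analysis flagged


def parse_log(text):
    """Return a list of (timestamp, src, dst) tuples; dst keeps its port."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, _arrow, dst = line.split()
        records.append((datetime.fromisoformat(ts), src, dst))
    return records


def find_beacons(records, src, min_hits=4, max_jitter=0.2):
    """Destinations that `src` contacts at near-constant intervals.

    A destination counts as a beacon when it is seen at least `min_hits`
    times and the relative spread of the gaps between contacts (standard
    deviation divided by mean) stays below `max_jitter`.
    Returns {dst: median_interval_in_seconds}.
    """
    times = defaultdict(list)
    for ts, s, dst in records:
        if s == src:
            times[dst].append(ts)
    beacons = {}
    for dst, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[dst] = statistics.median(gaps)
    return beacons


def other_hosts_contacting(records, destinations, exclude):
    """Hosts other than `exclude` that talk to any of `destinations`."""
    hosts = defaultdict(set)
    for _ts, src, dst in records:
        if dst in destinations and src != exclude:
            hosts[src].add(dst)
    return dict(hosts)


def triage(text, infected):
    """Beacon destinations of `infected` and the other hosts reaching them."""
    recs = parse_log(text)
    beacons = find_beacons(recs, infected)
    suspects = other_hosts_contacting(recs, set(beacons), infected)
    return beacons, suspects


if __name__ == "__main__":
    beacons, suspects = triage(SAMPLE_LOG, KNOWN_INFECTED)
    for dst, interval in beacons.items():
        print(f"{KNOWN_INFECTED} beacons to {dst} every {interval:.0f}s")
    for host, dsts in suspects.items():
        print(f"possible second infection: {host} -> {', '.join(sorted(dsts))}")
```

On the constructed data the infected host reaches 203.0.113.7:443 every 300 seconds, and 10.1.1.42 turns up as a second host talking to that same address; 10.1.1.99 only shares a one-off web destination and is not flagged. The jitter threshold is the knob to tune: real implants add random delay, so a strict threshold misses them, while a loose one flags ordinary polling such as mail or update checks.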

Question 3: Do you give a sample of the malware to the AV industry / CERT community so that similar infections in other organizations can be detected?

Do you give a sample of the malware?
• We all want to be protected as well as any other firm in the same sector; commercial advantage => do we want to help each other?
• Why malware analysis? What does it do? How does it infect my system? With whom does it communicate?
• Malware analysis is expert work: forensic copies of RAM / hard disks; network communication analysis; reverse engineering of the malware / decryption
• Dilemma:
  • NOT sharing: as the malware sometimes contains configuration files of your system, sharing might be “exposure of hacked infrastructure” => impact on business
  • SHARING: helps in defining indicators of compromise / signatures
• Solution: start with one specialist firm under a strict non-disclosure agreement
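The slide's sharing dilemma turns on one detail: a targeted sample often carries configuration specific to the victim (internal proxies, file servers, DNS resolvers), so handing it over as-is exposes the hacked infrastructure. The script below is an added example, not the author's or the FCCU's code. It scans a constructed stand-in for a captured sample (the bytes, the victim domain corp.example.be and the indicator formats are assumptions; 203.0.113.x and 198.51.100.x are documentation addresses standing in for attacker servers) and splits what it finds into indicators that can go to AV/CERT partners and items that describe the victim's own network and should stay under the non-disclosure agreement.

```python
"""Added example (not from the slides): separate shareable indicators of
compromise from victim-specific details found in a malware sample.
"""
import hashlib
import ipaddress
import re

# Constructed stand-in for a captured binary plus its dropped config file.
SAMPLE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"c2=update-cdn.example.net;fallback=203.0.113.7;port=443\x00"
    + b"proxy=proxy01.corp.example.be:8080\x00"
    + b"share=\\\\fs01.corp.example.be\\finance\x00"
    + b"dns=10.1.0.10;exfil=198.51.100.20\x00"
    + b"user=CORP\\jdupont\x00"  # victim data that no pattern below catches
)
VICTIM_DOMAINS = ("corp.example.be",)  # assumed: the victim's own DNS suffixes

# RFC 1918 plus loopback and link-local: never meaningful outside the victim.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOST_RE = re.compile(rb"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w.-])", re.I)


def _classify_ip(ip):
    """'internal', 'external' or None when the text is not a valid address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def _is_victim_host(host, victim_domains):
    """True when `host` is the victim domain or a name underneath it."""
    return any(host == d or host.endswith("." + d) for d in victim_domains)


def extract_indicators(data, victim_domains=VICTIM_DOMAINS):
    """Return (shareable, victim_only) indicator sets found in `data`.

    The hash of the sample and any external addresses/hostnames are
    shareable; private addresses and names under the victim's domains are
    kept back because they describe the hacked infrastructure, not the
    attacker's.
    """
    shareable = {"sha256": hashlib.sha256(data).hexdigest(),
                 "ips": set(), "hosts": set()}
    victim_only = {"ips": set(), "hosts": set()}
    for m in IPV4_RE.finditer(data):
        ip = m.group().decode()
        kind = _classify_ip(ip)
        if kind == "internal":
            victim_only["ips"].add(ip)
        elif kind == "external":
            shareable["ips"].add(ip)
    for m in HOST_RE.finditer(data):
        host = m.group().decode().lower()
        if _is_victim_host(host, victim_domains):
            victim_only["hosts"].add(host)
        else:
            shareable["hosts"].add(host)
    return shareable, victim_only


def share_package(shareable):
    """Flat 'type,value' lines suitable for handing to a partner."""
    lines = [f"sha256,{shareable['sha256']}"]
    lines += [f"ip,{ip}" for ip in sorted(shareable["ips"])]
    lines += [f"host,{h}" for h in sorted(shareable["hosts"])]
    return lines


if __name__ == "__main__":
    shareable, victim_only = extract_indicators(SAMPLE_BYTES)
    print("\n".join(share_package(shareable)))
    print("withheld (victim infrastructure):",
          sorted(victim_only["ips"]), sorted(victim_only["hosts"]))
```

Two caveats follow from the code rather than contradict the slide. First, the pattern list only knows what it was told to look for: the `CORP\jdupont` account name in the constructed sample is victim data and passes through untouched, which is exactly why the slide's advice to begin with one firm under a strict NDA is sound; the full sample goes to that firm, and only the reduced indicator list goes wider. Second, the hash and the external addresses are the part worth sharing early, because they are what lets another organisation check its own logs without learning anything about yours.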

Question 4: Do you pay in case of extortion?

Do you pay in case of extortion?
• Dilemma:
  • If you pay: will the criminal keep his promise? (give the decryption keys / not divulge “your security problem”)
  • If you don't pay: will you be able to recover? Will he reveal it?
• Paying a criminal is in most cases a bad option => known cases with positive & negative results => BUT it might never stop
• But getting in touch with the criminal and “negotiating” might give you some time to reduce the possible damage
• Prepare communication on the event even if you paid: criminals think only of themselves and do NOT care about your reputation

Question 5: Do you file a complaint or inform the authorities?

Do you file a complaint with the authorities?
• Dilemma:
  • If I file a complaint => it will be public and my image will suffer
  • If I don't file a complaint => can my problem remain “secret”, and what if the “secret” gets out in public? Will my image not suffer bigger damage?
• Your problem might be a more “general problem” for society
  • Has any personal (employee, customer) data been disclosed?
  • Have any communications been compromised?
  • Has data with possible stock exchange impact been disclosed?
• Know your legal obligations: privacy law, electronic communications law, ... Know the sanctions for not filing a complaint if you were obliged to

Question 6: Do you inform your employees?

Do you inform your employees?
• Dilemma:
  • If you do inform them => it will be public and your image will suffer
  • If you do not inform them => what are the risks?
• Employees are the Achilles heel of your information system
  • If their workstation was infected or network traffic was scanned, all their personal credentials and data were (possibly) compromised
  • Personal systems (including social media) are an easy way to reinfect your system
• Consider a general briefing of your employees on a need-to-know basis: what might have been compromised, rules for correct attitude, rules to update security in their personal environment (social networks)

Question 7: Do you inform your customers?

Do you inform your customers?
• Dilemma:
  • If you do inform them => it will be public and your image will suffer
  • If you do not inform them => what are the risks?
• Customers remain customers as long as they trust you
• If their data / communications / activities have been compromised and you do NOT inform them, the risks are:
  • Contractual liability
  • General civil liability
  • Penal liability
  • Commercial impact
• Consider a general briefing of your customers on a need-to-know basis: what might have been compromised, what was done to clean up, what the remaining risks are, and what the customer should do to verify or secure his system

+32 2 743 74 74
