Incident Response for Data BreachesInterview with Shane Sims, PricewaterhouseCoopers
Listen to this podcast and hear Sims insights on:
LINDA McGLASSON: Hi, I'm Linda McGlasson, Managing Editor for BankInfoSecurity and CUInfoSecurity. Today's Information Security Media Group's Podcast is with Shane Sims, a veteran cyber security professional. Shane is a Director in the Forensic Services Practice at Price Waterhouse Coopers. He is also a former FBI Supervisory Special Agent who specialized in cyber crime, digital evidence, computer exploitation and network surveillance. Welcome Shane.
SHANE SIMS: Thank you. Glad to be here.
McGLASSON: What are the types of cyber threat groups out there now and how are they targeting? Any specific types going after financial institutions?
SIMS: The cyber threat groups are varied and complex and they always seem to be evolving. One common denominator across the groups is that they remain highly motivated. The threat groups from my perspective can be classified as criminals, state sponsors, terrorists or insiders. The insiders and criminals are the primary threat groups to financial institutions and I can describe each of these threat groups in a little more detail.
McGLASSON: That would be great.
SIMS: Criminal enterprises are becoming more sophisticated at compromising private cyber space. They are spending time recruiting technical talent, they are devoting funds to research and development of malware and their breach operations are planned and organized. This threat group's main objective is to convert data into profit primarily; secondarily they attempt to extort organizations by holding IT assets hostage.
I have seen criminal hacker groups actually develop custom malware on the fly while they are in the midst of compromising a target organization. Stated differently, as they infiltrate an environment and begin to learn what hardware and software is alive and active, custom applications are developed to defeat counter measures employed by those victim organizations. This type of malware can't be detected by in house antivirus technology.
Today's sophisticated hacker crews are using data egress methods that really mirror the well-funded techniques of state sponsors. Ten years ago, traditional organized crime families would hire hackers to steal data for them; today hackers and hacker groups operate independently of traditional organized crime and these groups will often team with each other to compromise certain target organizations in order to leverage the skill sets needed based on the target environment. That is my quick assessment of the criminal threat group.
Moving on to the state sponsored threat group, obviously this is the best funded, most organized and most difficult to detect. Foreign intelligence services actively target the U.S. government, its military and its private sector cyber space. The purpose of the foreign government cyber threat is to acquire intelligence and steal intellectual property, so they are not a major threat to financial institutions.
Terrorist organizations, like criminals, can convert stolen data into financial gain, but they need identities to permit the movement of terrorist operators around the globe so that is one of their primary focuses of a cyber attack. The most feared objective of this threat group is the disruption or sabotage of a cyber space of any organizations that have been designated as critical infrastructures by DHS. So the cyber WMD, if you will, is the big fear of the terrorist groups and obviously this type of activity would have serious implications on national security. DHS has designated the banking and financial sector as a critical infrastructure and this sector has nearly 30,000 financial firms I believe.
The final group that I mentioned was the insider threat and this threat is really multifaceted. Traditionally a discussion of this threat has been human centric, so a disgruntled employee or contractor that is experiencing financial difficulty or an agent of a foreign government tasked with becoming an employee or contractor.
Today the insider threat is much more complex. Poor IT security practices create threats and exploitable opportunities and the interconnectivity of an organization's network to the internet, vendors and so forth results in that organization assuming the risk of the poor security practices of those external modes.
Strangely, the insider threat with the highest probability of realization is the human finger. As comical as that may sound, it is true. Laptops with encrypted hard drives and secure remote VPN access to private networks are really no match for somebody who clicks on the wrong e-mail attachment or some embedded e-mail link. And when that happens, if there is some malicious intent behind the attachment or the link, that person's computer gets infected and compromised and the network it has access to potentially becomes compromised, and then any data obviously within that network could be potentially compromised.
McGLASSON: Has there been an evolution of attack vectors or targets along with the types of criminal groups attacking networks?
SIMS: That is an interesting question Linda. On one hand I would say no connections to the internet and corruptible insiders are constant targets, but on the other hand, every time the latest and greatest operating system, COTS application or custom developed application is installed, basically a new attack vector is born.
I think the most significant attack vector of late, which will not likely disappear anytime soon, is the compromise of technology products while in the supply chain. Supply chain compromise typically involves installing an undetectable back door on your newly purchased router or firewall, etc., either at the manufacturer or after it leaves the manufacturer and before it arrives at its destination. Organizations today are really starting to think about this problem and stepping up their due diligence efforts with all of their suppliers.
McGLASSON: What are some of the specific items that these criminal groups are targeting at financial institutions?
SIMS: Ultimately they are trying to get at the data and the data that they really want is payment car industry data and what people call personally identifiable information. Basically, identities have a price tag on the black market and PCI data can quickly be used to counterfeit credit cards and ATM cards. So somebody can get data that allows them to counterfeit a debit card and they can walk up to an ATM machine and quickly get cash. That is the primary focus.
McGLASSON: The mindset at most companies, including financial institutions, has been data breaches and attacks happen to other companies but not here. What would you say to them to make them change their minds?
SIMS: Linda you are absolutely right. That is not an unusual stance and again, it is a stance that doesn't really apply to any specific industry; you see it everywhere. I could remotely understand that perspective maybe ten years ago, but not today. However, the bottom line is that preventative and defensive measures only reduce risk to an acceptable level if defined by any organization and none of the measure completely eliminates all risk of a breach or insider bad behavior, data loss or asset sabotage.
Of course the acceptable level of risk reduction is subjective to any given organization and its leadership, so I think it is safe to say that if a breach and/or data loss were to happen and become public knowledge, that organization's risk reduction program and the associated budget assigned to it will certainly be scrutinized by customers, stockholders, regulators, etc.
McGLASSON: Let's say you have been breached, what are some of the before steps that a company should take before a breach happens to prepare for a forensic investigation such as formation of a CERT or any other preventative steps?
SIMS: It is nice if somebody has the budget to form a CERT or have in-house investigators and forensic staff, but at minimum just having a defined incident response plan that involves notification and deployment of qualified forensic incident responders, whether they are internal or leveraged through some outside advisor. The response plan should be clear and concise and not a complex attempt to cover every potential scenario.
In my experiences a lot of organizations that actually have response plans create them in a way that they become so complex and so lengthy that no one can even consume them much less use them. In my opinion the best plans are always written by people who have experience in these matters and you just can't really afford to operate from a position of a hypothetical or academic position or perspective.
And then just as important as the plan is training on the execution of the plan. The training in my opinion should be provided in two forms at a minimum, what I would call a walk through drill and a tabletop exercise.
A walk through drill is where you would get all of the participants that would be involved in an incident response into a room, create a breach scenario and then walk through and actually tell them what they are supposed to do and what the expectations of them are.
A tabletop exercise is where you gather all of the incident response players around a table and you walk through a breach scenario and you ask the different folks who are required to do certain actions to chime up and play the role that they would in the incident response.
McGLASSON: Shane what are the things that should not be done after a breach is discovered? And, are there any examples that you can give of particularly damaging things that can happen before the forensic team arrives on the scene?
SIMS: The thing I see most and it is completely innocent and unintentional, but the most typical action when a breach is discovered is that someone from the victim organization puts hands on the keyboard of a known compromised system for the purpose of investigating and mitigating the situation. This natural human reaction unfortunately can damage visual evidence and call into question the forensic purity of any evidence that is uncovered.
Also, because investigating a computer intrusion requires the collection and analysis of visual evidence, the overriding of backup media, system and event logs should be stopped immediately. This should be clearly articulated in any incident response plan.
McGLASSON: Shane what are some of the not widely used cyber crime investigative techniques that one can leverage to improve their organization's proactive security countermeasures?
SIMS: Two areas come to mind right off the bat. Malware analysis from a proactive standpoint and what we at PWC have been calling breach indicator assessments. A breach indicator assessment ideally would be comprised of two elements, host based and network based.
Both of these elements are more of an art than a science. Unauthorized remote access to systems and the egress of data can be detected by monitoring network traffic if the right and experienced set of eyes are on the job, typically unauthorized remote access and data theft involving installation and execution of malware on systems.
Again, the right and experienced set of eyes analyzing certain components of a computer system can identify breaches that haven't been detected by your in-house technology. Now if the budget is there and you can hire an outside firm to analyze malware you find in the environment, then you are going to have a leg up as well. Typically what we do is we let the antivirus technology immediately neutralize malware when it is discovered, and then we assume everything is okay.
But I think the better approach is when malware is discovered, preserve it, neutralize it and then you analyze it. Often the analysis will uncover intelligence that permits an organization to take actions to further improve its security posture.
McGLASSON: Finally Shane, what do you recommend in terms of proactive measures that financial institutions may take to protect themselves, their networks and their customers from data breaches that aren't even their fault? I am thinking along the lines of Heartland and some of the other more notable data breaches of late.
SIMS: I mentioned the supply chain problem earlier; so I think this doesn't get enough attention in my opinion, but conducting full, complete, thorough background investigations of your vendors, suppliers and the organizations that might be in a merger/acquisition pipeline. The banking and financial sector relies heavily on a complex supply chain that includes providers outside the U.S. so I think this important proactive measure can't be underestimated or overlooked. I would say the same about key personnel that have sensitive access to data; do a full, complete background investigation.
Another item I would mention is conducting security assessments and treating them as an organic program and not a series of one-time events.
McGLASSON: Thank you Shane for your excellent insights that you have shared with us today.
SIMS: My pleasure Linda.
McGLASSON: Until later, I'm Linda McGlasson for Information Security Media Group.