Welcome to our team.
Threat Landscape Briefing August 2017
Good afternoon and welcome to the August 2017 Info-Tech Threat Landscape Briefing. My name is TJ Minichillo and I am a Senior Director in our Security and Threat Intelligence practice. I will be facilitating today’s briefing. During today’s discussion we will cover topics related to cybersecurity, threat actor campaigns, regulatory, compliance, and legal issues, and threat actor exploits and tactics. Our cybersecurity section covers high-level topics, such as threat trends, data breaches, control strategies, and exposure to vulnerabilities, that will broaden your understanding of the cybersecurity impact on your business. Our threat actor campaign section covers topics related to nation states, cybercriminals, and hacktivists orchestrating campaigns designed to compromise networks and exfiltrate sensitive data. Our regulatory, compliance, and legal section covers trends in the global regulatory and legal landscape with the potential to impact compliance adherence or disrupt business operations. And lastly, our exploitation and tactics section provides information related to the tools, tactics, and exploits threat actors are leveraging in their attack campaigns. <<<Advance to the next slide.>>>
Threat Briefing Analysts
TJ Minichillo, MBA, CISSP – Senior Director, Security, Risk & Compliance, Info-Tech Research Group
Jessica Ireland – Associate Director, Security, Risk & Compliance, Info-Tech Research Group
Céline Gravelines, MSc, GSEC – Research Manager, Security, Risk & Compliance, Info-Tech Research Group
Ian Mulholland – Consulting Analyst, Security, Risk & Compliance, Info-Tech Research Group

Today’s briefing will also be supported by Associate Director Jessica Ireland, Research Manager Céline Gravelines, and Consulting Analyst Ian Mulholland. <<<Advance to the next slide.>>>
Agenda Topics
Introduction
Cybersecurity: Self-service food kiosk vendor Avanti hacked
Threat Actor Campaigns: FIN10 cyber extortion campaign; Who is the threat actor “BestBuy” responsible for GovRAT and using the Mirai IoT botnet
Regulatory, Legal, and Compliance: US/Russian cybersecurity relationship
Exploitation and Tactics: Petya/NOPetya

During today’s briefing, we will cover topics related to:
A breach at the self-service food kiosk vendor Avanti
The threat actor FIN10, who has launched several cyber extortion campaigns against Canadian casinos and mining companies
A view into the threat actor “BestBuy” responsible for GovRAT and using the Mirai IoT botnet
An update on the US/Russian cybersecurity relationship
And an overview of the Petya/NoPetya ransomware family
I would now like to pass the presentation over to Céline, who will be covering our first topic. <<<Advance to the next slide.>>>
Cybersecurity
High-level topics such as threat trends, data breaches, control strategies, and exposure to vulnerabilities that broaden your understanding of the cybersecurity impact to business.
Target Audience: Chief Information Officer, Chief Information Security Officers, IT Risk Professionals, Business / Data Owners, Legal, Human Resources, and Public Relations, Vulnerability Management, Incident Responders, Security Operations, IT Professionals <<<Advance to the next slide.>>>
Self-service food kiosk vendor Avanti hacked
What happened?
Office self-serve snack kiosks breached.
Customer names, credit card information, and addresses breached.
1,900 machines affected July 2–4, 2017.
See the link on the slide for Avanti’s FAQ response regarding the breach.
PoSeidon malware used in the attack.

You might be familiar with the self-service vending machine or snack kiosks used in thousands of workplace break rooms and lunch areas around the country, provided by Avanti Markets. These machines allow customers to pay for snacks and drinks with a credit card, fingerprint scan, or cash. In early July, Avanti was the victim of a data breach, exposing sensitive customer information, including customer names, credit card information, and addresses. There were initial reports that customer biometric data, such as fingerprints used to access accounts, were compromised, but forensic analysis has determined that those records remained secure. The malware is believed to have been active between July 2nd and July 4th of 2017, affecting approximately 1,900 of their machines. However, only those people who actually used the affected kiosks during that timeframe may be affected. In response to the breach, Avanti alerted the FBI and law enforcement, and temporarily disabled credit card payment functionality until the incident was contained. Avanti believes that the breach was the result of a third-party vendor employee’s workstation becoming infected and spreading the infection to the Avanti network, but the final investigation hasn’t been completed at this time. The security firm RiskAnalytics first published a blog post about the suspected incident when a client’s break room snack machine started sending data out of that client’s network using an SSL encryption certificate that had already been associated with cybercrime, including the 2014 TorrentLocker ransomware campaign.
They realized that it was “a textbook example of an Internet of Things breach, since it involved a network-connected device, controlled and maintained by a third party, which could not be easily patched, audited, or controlled by the organization’s own IT staff.” Avanti states that they will continue to update the public with details on the attack and offer prepaid credit monitoring services to affected individuals. A call center will be set up for victims to get their questions answered – if you were affected, you’re encouraged to call the hotline. If you receive an email from Avanti regarding the breach, it shouldn’t include any links or downloads. Remember, never click any links or download attachments that you’re not expecting, as these may be part of a phishing campaign. Avanti has issued a Frequently Asked Questions page for those looking for more information regarding the effects of the breach – see the link in the slide for this information. The point-of-sale malware that was used in the attack was called PoSeidon – while Avanti refers to this as “sophisticated malware,” it’s actually been around for a couple of years now.
Self-service food kiosk vendor Avanti hacked
Point-of-sale (PoS) malware: PoSeidon is a strain of malware specifically designed to target point-of-sale (or PoS) systems. At a very high level, the malware starts with a Loader binary that is executed, allowing it to maintain persistence on the compromised machine so that it can survive a system reboot. From there, it connects to a command and control server and downloads another binary to execute. This installs a keylogger, which also scans memory for numbers that it recognizes as potential credit card numbers. After verifying the validity of these credit card numbers, the keystrokes and card numbers are encoded and sent to an exfiltration server. This data can be sold in criminal markets, making this a significantly profitable attack avenue.
Self-service food kiosk vendor Avanti hacked
Point-of-sale (PoS) malware: If encryption had been fully implemented, the malware wouldn’t have had access to plaintext credit card numbers at step 6 (step numbers refer to the attack-chain diagram on the slide). In May, Avanti had begun rolling out end-to-end encryption on all kiosks. However, at the time of the incident, the encryption solution had only been installed on about half – 50% – of the kiosks. It was the remaining 50% of machines that hadn’t been updated with the encryption solution that were affected by the breach. As you can see, if it had been installed on all of them, the PoSeidon malware wouldn’t have been effective – here at step 6, the attacker wouldn’t have been able to successfully scrape memory for credit card numbers.
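As an added illustration of why the encryption rollout matters (example code written for this briefing's readers, not Avanti's or any vendor's code): a PCI-style sweep of a memory snapshot that reports Luhn-valid card numbers and track-2 records, so a kiosk whose payment-process memory yields no hits is one on which the memory-scraping step would come up empty. The sample bytes, the host label and the brand-prefix list are constructed assumptions.

```python
"""Sweep a memory snapshot for plaintext card data.

Added example, not Avanti's, PoSeidon's or any vendor's code: a PCI-style
data-discovery check. If a kiosk's end-to-end encryption is in place, a
snapshot of the payment process's memory should contain no Luhn-valid PANs
and no track-2 records; every hit is data that a memory scraper could take.
The sample bytes and the brand-prefix list are constructed assumptions.
"""
import re
from typing import Dict, List

# Track 2 as written on a magnetic stripe: ;PAN=YYMM<service code>...?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")
# Loose PAN candidate: 13-19 digits with optional space/dash separators, not
# part of a longer digit run (so hashes and millisecond timestamps are skipped).
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Approximate leading digits of the major brands; cuts Luhn false positives.
BRAND_PREFIX = re.compile(r"^(4|5[1-5]|2[2-7]|3[47]|6011|65)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report only the first six and last four digits, as PCI DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> List[Dict[str, object]]:
    hits: List[Dict[str, object]] = []
    covered = []                       # byte ranges already reported as track 2
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({"offset": m.start(), "kind": "track2", "masked": mask(pan)})
            covered.append((m.start(), m.end()))
    for m in PAN_CANDIDATE.finditer(buf):
        if any(start <= m.start() < end for start, end in covered):
            continue                   # PAN inside a track-2 record, already counted
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if BRAND_PREFIX.match(digits) and luhn_valid(digits):
            hits.append({"offset": m.start(), "kind": "pan", "masked": mask(digits)})
    return sorted(hits, key=lambda h: h["offset"])


def encryption_coverage_ok(buf: bytes) -> bool:
    """True when the snapshot holds no plaintext card data."""
    return not scan_buffer(buf)


# Constructed snapshots (not real dumps). The unencrypted one holds a track-2
# record and a bare PAN built from a standard test card number, plus a
# Luhn-invalid digit run and a millisecond timestamp that must not be reported.
SAMPLE_UNENCRYPTED = (
    b"\x00\x00kiosk-42\x00;4111111111111111=2512101?\x00"
    b"card=4111 1111 1111 1111\x00ts=1499040000123\x00bad=4111111111111112\x00"
)
SAMPLE_ENCRYPTED = b"\x00\x00kiosk-42\x00enc=Qm9ndXNCYXNlNjRDaXBoZXJ0ZXh0\x00"

if __name__ == "__main__":
    for h in scan_buffer(SAMPLE_UNENCRYPTED):
        print(f"offset {h['offset']:#06x}: {h['kind']} {h['masked']}")
    print("encrypted snapshot clean:", encryption_coverage_ok(SAMPLE_ENCRYPTED))
```

Roughly one random digit string in ten passes Luhn, so the brand-prefix filter and a manual review of hits are part of the check, not optional extras.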
Self-service food kiosk vendor Avanti hacked
Recommendations
Keep payment systems segmented and isolated from the internal network.
Be conscious of what systems you provide with your biometric data.
Verify whether or not you are a victim of the breach: Did you use an Avanti kiosk July 2–4, 2017? Was that kiosk temporarily disabled? If so, see the FAQs to enroll in the credit monitoring service provided by Avanti at no cost.

When an incident like this occurs, use it as a learning opportunity. This could have been significantly worse if the attacker had been able to compromise the snack machines and then use those as a way to infiltrate the thousands of office networks they’re in across the country. So make sure that any payment system like this is always segmented and isolated from your internal network. From there, as a customer, be conscious of what systems you’re providing your biometric data to. While it turns out that biometrics weren’t actually compromised in this breach, remember that credit cards can be reissued, but your biometrics are with you for life. So figure out if your data was potentially compromised in this breach and check out the FAQs on the Avanti page to take the necessary steps to reissue data and to enroll in the credit monitoring service that Avanti is providing to anyone who fell victim to the breach.
Threat Actor Campaigns
Current intelligence that addresses the increasing threat from prevalent nation states, cybercriminals, hacktivists, and/or cyberextremists orchestrating attack campaigns to compromise networks and exfiltrate sensitive data.
Target Audience: Chief Information Security Officers, Information Security Officers, IT Risk Professionals, Threat Intelligence Analysts, Vulnerability Management, Incident Responders, Security Operations, IT Professionals <<<Advance to the next slide.>>>
FIN10 cyber extortion campaign
Overview
According to the FBI, extortion is facilitated through denial of service, hitman, impersonation, loan, data breach, and other cyberattack campaigns.
FIN10, dubbed by FireEye, has been compromising predominantly Canadian casino and mining company networks, exfiltrating and publicly disclosing sensitive data.
In at least one instance, FIN10 has identified themselves as the “Angels_of_Truth,” claiming the intrusion was in retaliation for Canada’s economic sanctions on Russia. (“Angels_of_Truth” was the alias used to communicate with a blogger claiming credit for previous intrusions.)
FIN10 has been known to use publicly available penetration testing tools and has also been known to destroy Windows-based systems in retaliation for ransom non-payment.
In 2016, the FBI IC3 received 17,146 extortion-related complaints with adjusted losses of over $15 million, ahead of other cybercrimes such as ransomware. (Chart: 2016 FBI IC3 Internet Crime Report.)
FIN10 has also been known to use spear phishing tactics to deliver weaponized file attachments to victims to deliver remote access Trojans like SplinterRAT.
Sources: FBI IC3; FireEye; Fortune

Our media headlines are filled with stories about botnets, ransomware, malware, phishing, and data breaches facilitated by multiple threat actors. This month I am going to cover the threat actor FIN10, which is responsible for targeting many Canadian casino and mining organizations with cyber extortion campaigns. Cyber extortion is another tactic threat actors use to fund their criminal enterprises. According to an FBI IC3 study, cyber-extortion-related incidents included losses of over $15 million, ahead of other cybercrimes such as ransomware. FIN10 is primarily driven by the theft of sensitive data that is used to extort a ransom in exchange for not publicly releasing the sensitive data. To lend credibility to FIN10’s claims, the threat actor typically posts a sample of the compromised data publicly. Many threat actors, including FIN10, still employ traditional attack vectors by crafting phishing emails to deliver malware through malicious URLs or weaponized file attachments. Organizations should continue to follow best practices and remind end users not to click unfamiliar links or open questionable file attachments delivered in emails from unknown sources.
FIN10 cyber extortion campaign
A typical FIN10 cyber extortion campaign includes several phases leading towards a ransom demand.
Infection: A Canadian casino or mining company employee is sent an email with a weaponized file attachment to lure the employee into opening the file and executing a remote access Trojan designed to maintain persistent access.
Lateral Movement: FIN10 typically uses the Windows Remote Desktop Protocol to authenticate to internal systems and laterally move throughout the network.
Ransom Demand: FIN10 demands a Bitcoin ransom payment in exchange for not publicly releasing exfiltrated data.
Payment: Since 2013, FIN10 has made ransom demands of 100 Bitcoins (~$124,000) to 500 Bitcoins (~$620,000) and threatened public disclosure via “paste” websites for non-payment.
Non-Payment Threats: FIN10 typically sends multiple messages to victims threatening public disclosure for non-payment.

The threat actor FIN10 has been known to follow a specific attack cycle that includes Infection, Lateral Movement, Ransom Demand, Payment, and Non-Payment Threats. Although FIN10 has targeted many organizations in North America, the threat actor typically targets Canadian companies in the hospitality and mining industries. The tactics used to infect victims oftentimes start with an email sent with either a weaponized file attachment or a malicious hyperlink to lure the victim into opening the file or clicking on the hyperlink to execute a remote access Trojan designed to maintain persistent access. Once the remote access Trojan is installed, the threat actor has been known to use the Windows Remote Desktop Protocol to log into other internal systems, laterally move throughout the network, and steal sensitive information. FIN10 then contacts the victim, typically through email, to demand a Bitcoin ransom payment in exchange for not publicly releasing the stolen data. The ransom demands have historically been between 100 Bitcoins, or approximately $124,000, and 500 Bitcoins, or around $620,000.
For organizations that do not pay the ransom demand, FIN10 then threatens to publicly disclose the stolen data to further encourage the victim organization to pay. Sources: FBI IC3; FireEye
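One way to look for the RDP-based lateral movement described in this attack cycle, as an added example (not FireEye's or Info-Tech's detection logic): Windows records a successful logon as Event ID 4624, and logon type 10 (RemoteInteractive) is the RDP case, so an account reaching several hosts over RDP in a short window, or hopping from each reached host to the next, stands out. The records, host names, IP addresses and the host-to-IP table below are constructed.

```python
"""Flag RDP lateral movement in Windows Security logon events.

Added example, not the briefing's or FireEye's detection logic. A successful
Windows logon is Event ID 4624; LogonType 10 (RemoteInteractive) is RDP. Two
signals are computed per account: fan-out (RDP logons to several distinct
hosts in a short window) and hop chains (each logon's source IP is the host
reached by the previous RDP logon). All records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed 4624 extracts: timestamp, target host, account, logon type, source IP.
SAMPLE_EVENTS = """\
2017-06-05T02:10:11 HR-WS12 CORP\\jdoe 2 -
2017-06-05T02:31:05 FIN-SRV01 CORP\\jdoe 10 10.20.1.12
2017-06-05T02:40:44 FILE-SRV02 CORP\\jdoe 10 10.20.5.31
2017-06-05T02:52:19 DB-SRV03 CORP\\jdoe 10 10.20.5.32
2017-06-05T09:15:02 FIN-SRV01 CORP\\asmith 10 10.20.1.40
2017-06-06T09:20:30 FIN-SRV01 CORP\\asmith 10 10.20.1.40
"""

# Constructed asset inventory: which host owns which IP (needed to tell that a
# logon sourced from 10.20.5.31 came from FIN-SRV01, itself an RDP target).
HOST_IPS = {"HR-WS12": "10.20.1.12", "FIN-SRV01": "10.20.5.31", "FILE-SRV02": "10.20.5.32"}

RDP_LOGON_TYPE = 10


def parse_events(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, logon_type, src = line.split()
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "account": account, "type": int(logon_type), "src": src})
    return events


def rdp_events_by_account(events: List[Dict]) -> Dict[str, List[Dict]]:
    """Only the RDP logons, grouped per account and ordered by time."""
    by_account: Dict[str, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["type"] == RDP_LOGON_TYPE:
            by_account[e["account"]].append(e)
    return by_account


def rdp_fan_out(events: List[Dict], window: timedelta = timedelta(hours=1),
                threshold: int = 3) -> Dict[str, List[str]]:
    """Accounts that reached >= threshold distinct hosts over RDP within window."""
    flagged = {}
    for account, evs in rdp_events_by_account(events).items():
        for i, first in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(hosts) >= threshold:
                flagged[account] = sorted(hosts)
                break
    return flagged


def rdp_hop_chains(events: List[Dict], host_ips: Dict[str, str],
                   max_gap: timedelta = timedelta(hours=2)) -> List[List[str]]:
    """Chains of three or more hosts where each RDP hop starts from the last target."""
    ip_to_host = {ip: host for host, ip in host_ips.items()}
    chains = []
    for account, evs in sorted(rdp_events_by_account(events).items()):
        chain: List[str] = []
        last_time = None
        for e in evs:
            src_host = ip_to_host.get(e["src"])
            continues = (chain and src_host == chain[-1]
                         and last_time is not None and e["time"] - last_time <= max_gap)
            if continues:
                chain.append(e["host"])
            else:
                if len(chain) >= 3:
                    chains.append(chain)
                chain = [src_host or e["src"], e["host"]]
            last_time = e["time"]
        if len(chain) >= 3:
            chains.append(chain)
    return chains


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("fan-out:", rdp_fan_out(evs))
    print("hop chains:", rdp_hop_chains(evs, HOST_IPS))
```

Thresholds and the window are tuning knobs: administrators who legitimately RDP to many servers need an allow-list, which is why the output names the account and hosts rather than just raising a flag.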
FIN10 cyber extortion campaign
Insight
FIN10 typically leverages common attack vectors such as spear phishing to compromise corporate networks.
Threat actors such as FIN10 commonly claim the compromise of sensitive data and threaten public disclosure to encourage victims to pay a ransom.
Recommendations
Protect your front line by reminding users not to click on suspicious links or open questionable file attachments.
Validate and investigate the alleged compromise, coordinate with internal legal teams, and consider involving law enforcement when dealing with a cybercriminal.
Validate, integrate, and block known indicators of compromise (e.g. malicious domains, URLs, and IPs), especially if your organization is in an industry that has been previously targeted by FIN10.
Launch an awareness campaign to educate users about attack tactics such as phishing, a commonly used method for FIN10.
Evaluate organizational network segmentation and backup strategy.

As I have mentioned previously, FIN10 typically leverages common attack vectors such as spear phishing to compromise corporate networks. Member organizations are encouraged to remind users not to click on suspicious links or open questionable file attachments. We recommend that members not negotiate with cybercriminals or pay any ransom demands. We do, however, encourage members to launch an awareness campaign to educate users about attack tactics such as phishing, a commonly used method for FIN10, and to evaluate organizational network segmentation and your backup strategy. We also encourage you to report the incident to either the Royal Canadian Mounted Police or the U.S. Federal Bureau of Investigation. I will now cover our next topic about the BestBuy threat actor. For more information about how to protect your organization from these threats, please visit our blueprints Secure Critical Systems and Intellectual Property Against APT, Humanize the Security Awareness and Training Program, and Develop and Implement a Security Incident Management Program.
BestBuy threat actor
Overview
UK law enforcement arrested the threat actor known as “BestBuy” for launching DDoS attacks against several German Deutsche Telekom customers.
The threat actor leveraged a modified version of the Internet of Things Mirai botnet to disrupt services for more than 900,000 German customers.
To gain a foothold into corporate networks, the remote access Trojan GovRAT was used in the attack campaigns.
Open sources have confirmed that GovRAT was being sold in underground forums by the threat actors named BestBuy and Popopret.
According to KrebsOnSecurity, Daniel Kaye is the threat actor known as BestBuy. BestBuy also admitted to using the online aliases “Peter Parker” and “Spider man.”
A UK man named as “Daniel K.” recently pleaded guilty in a German court to charges of impacting 1.25 million German routers and causing $2.33 million in damages.
(Photo caption: alleged BestBuy, Facebook alias “DanielKaye.il”)
Sources: Krebs; BankInfoSecurity; InfoArmor

Recently, UK law enforcement arrested the threat actor BestBuy for his involvement in launching DDoS attacks against more than 900,000 German Deutsche Telekom customers, leveraging a modified version of the Mirai Internet of Things botnet. BestBuy has also been known to use the remote access Trojan GovRAT in his attack campaigns. The cybersecurity researcher Brian Krebs has been tracking the activities of BestBuy and has identified him as a 29-year-old UK citizen, Daniel Kaye. Recently, a German court issued a suspended sentence to Mr. Kaye, who now faces many cybercrime charges in the United Kingdom. Kaye admitted in court proceedings that he has also used the online aliases “Peter Parker” and “Spider man.” In addition, he has admitted to running a DDoS-for-hire service and claims he was hired by a West African telecommunications provider who paid him $10,000 to orchestrate a DDoS attack against a competitor. However, these claims have not been confirmed. Like most malware, the Mirai source code was leaked in 2016 for any threat actor to modify and use in their attack campaigns. To facilitate his DDoS-for-hire service, Kaye is alleged to have exploited default and hard-coded credentials in many types of Internet of Things devices, such as surveillance cameras, baby monitors, routers, and digital video recorders.
Once an IoT device is compromised, he then enrolls the device into the Mirai botnet to launch DDoS attacks. Kaye is also believed to be the author of GovRAT, a remote-access Trojan and keylogger. GovRAT has been used in multiple cyber-espionage campaigns since 2014.
BestBuy threat actor
Insight
Both email addresses were linked to a larger DDoS-for-hire service.
Unconfirmed reports suggest that the Mirai botnet and GovRAT have ties to Israeli threat actors.
Reverse engineering analysis by InfoArmor suggests GovRAT has sandbox-aware detection capabilities.
Recommendations
Validate, integrate, and block known indicators of compromise (e.g. malicious domains, URLs, and IPs), especially if your organization is in an industry that has been previously targeted by BestBuy. Known indicators include: C2 IP 62[dot]113[dot]238[dot]138, email addresses spdr01[at]gmail.com and parkajackets[at]gmail.com.
Remind users not to click on suspicious links or open file attachments.
Leverage Info-Tech resources to complete an assessment of your organization’s ability to defend against APTs.

Daniel Kaye’s Facebook profile leverages an Israeli top-level domain extension, indicating a connection to Israel. According to the cybersecurity firm InfoArmor, there are several indicators that are linked to the threat actor BestBuy. In addition, the remote access Trojan GovRAT, commonly used by BestBuy, has the ability to detect security defence technologies that leverage malware sandboxing techniques to minimize the impact of malware infections. Members are encouraged to validate, integrate, and block known indicators of compromise (e.g. malicious domains, URLs, and IPs), especially if your organization is in an industry that has been previously targeted by BestBuy. In addition, we encourage our members to remind users not to click on suspicious links or open unknown file attachments as part of your defense-in-depth strategy. If you are a member that needs help increasing your security program, Info-Tech has research blueprints designed to help members defend against malware and other advanced persistent threats. I will now pass the presentation over to Jessica, who will cover our next topic.
Sources: Krebs; BankInfoSecurity; InfoArmor
For more information about how to protect your organization from these threats, please visit our blueprints Secure Critical Systems and Intellectual Property Against APT, Humanize the Security Awareness and Training Program, and Develop and Implement a Security Incident Management Program.
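An added example (not InfoArmor's, Krebs' or Info-Tech's tooling) of the "validate, integrate, and block" step above: published indicators are defanged ("[dot]", "[at]", "hxxp") so they cannot be clicked, and they have to be refanged and typed before they can be matched against logs or pushed to a blocklist. The IP and email indicator are the ones given on the slide; the domain indicator and every log line are constructed.

```python
"""Normalise defanged indicators and sweep logs for them.

Added example, not InfoArmor's, Krebs' or Info-Tech's tooling. Published
indicators are usually defanged ("[dot]", "[at]", "hxxp") so that they cannot
be clicked; before they can be searched for or pushed to a blocklist they
have to be refanged and typed. The IP and email below are the ones given
on the slide; the domain indicator and every log line are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Tuple


def refang(ioc: str) -> str:
    """Undo the common defanging conventions."""
    s = ioc.strip()
    s = re.sub(r"\[(?:dot|\.)\]|\(dot\)", ".", s, flags=re.I)
    s = re.sub(r"\[(?:at|@)\]|\(at\)", "@", s, flags=re.I)
    s = re.sub(r"\[:\]", ":", s)
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return s


def classify(ioc: str) -> str:
    if "://" in ioc:
        return "url"
    if "@" in ioc:
        return "email"
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain"


def normalize(raw: List[str]) -> Dict[str, str]:
    """Map each refanged, lower-cased indicator to its type."""
    out = {}
    for r in raw:
        clean = refang(r).lower()
        out[clean] = classify(clean)
    return out


def sweep_logs(indicators: Dict[str, str], lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, type, indicator) for every whole-token match."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for ioc, kind in indicators.items():
            # Whole-token match: 62.113.238.13 must not fire on 62.113.238.138.
            if re.search(r"(?<![\w.@-])" + re.escape(ioc) + r"(?![\w.-])", low):
                hits.append((n, kind, ioc))
    return hits


# Indicators as they appear in a briefing; the first two are from the slide.
RAW_IOCS = [
    "62[dot]113[dot]238[dot]138",          # C2 IP given on the slide
    "spdr01[at]gmail.com",                 # email address given on the slide
    "updates[.]example[.]test",            # constructed domain indicator
]

# Constructed firewall, mail and DNS lines (not real telemetry).
SAMPLE_LOGS = [
    "2017-07-12T10:01:03 fw01 allow src=10.20.7.15 dst=62.113.238.138 dport=443",
    "2017-07-12T10:01:05 fw01 allow src=10.20.7.15 dst=62.113.238.13 dport=443",
    "2017-07-12T10:02:41 mx01 accept from=<spdr01@gmail.com> to=<finance@example.test>",
    "2017-07-12T10:03:09 dns01 query client=10.20.7.15 qname=updates.example.test A",
]

if __name__ == "__main__":
    iocs = normalize(RAW_IOCS)
    for n, kind, ioc in sweep_logs(iocs, SAMPLE_LOGS):
        print(f"line {n}: {kind} {ioc}")
```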
Regulatory, Legal, and Compliance
Trends in the global regulatory and legal landscape with the potential to impact compliance adherence or disrupt business operations.
Target Audience: Chief Information Officer, Chief Information Security Officers, IT Risk Professionals, Chief Privacy Officers, Privacy Professionals, Business / Data Owners, Legal, Human Resources, Public Relations, IT Professionals <<<Advance to the next slide.>>>
US/Russian cybersecurity relationship
United States / Kaspersky
In July, President Trump attempted a partnership around cybersecurity with Russia. The decision received criticism from US government representatives given Russia’s alleged involvement in the recent US presidential election.
President Trump reversed his decision after his two-hour conversation with Russia’s President Putin. Putin denies Russia’s activity in the presidential election.
Trump tweeted: “The fact that President Putin and I discussed a Cyber Security unit doesn’t mean I think it can happen. It can’t.”
In a similar vein, the US government is making moves to keep Kaspersky products out of US government entities. Kaspersky has offered up its source code for audit to prove it is not actually involved with the Russian government.

Background: Trump attempted a partnership around cybersecurity with Russia – the intention was to create a “cybersecurity unit” (Boston Herald) to help prevent election hacking and generally bolster strategies against cyberattacks. This occurred during a meeting at the G20 summit in Germany in July. The irony is that Russia was the country accused of interfering in last year’s presidential election – Putin still denies this claim. Further adding to the confusion, Trump went back on his idea after his tweets about the plan received a lot of criticism, with Republican Senator Lindsey Graham deeming it “‘pretty close’ to the dumbest idea he’s ever had.” Trump never provided an explanation as to why he reversed his decision only hours after their meeting, tweeting: “The fact that President Putin and I discussed a Cyber Security unit doesn’t mean I think it can happen. It can’t.” Critics could not understand why Trump would even suggest the partnership in the first place given the allegations against Russia tampering with US elections. In the same vein, Kaspersky has said it is fine with the US government auditing its source code.
The idea behind this is to prove that Kaspersky Lab is not actually collaborating with the Russian government. In June, the US government made claims that it would not choose Kaspersky products, concerned over the company’s potential vulnerabilities to the Russian government. In early June, the Senate Armed Services Committee altered the National Defense Authorization Act for Fiscal 2018 regarding spending, which would prohibit the use of Kaspersky’s products at the US Defense Department. However, there has been no demonstration that Kaspersky Lab was involved in any interference in the US presidential election. Kaspersky continues to offer up its source code, and Kaspersky founder and CEO Eugene Kaspersky has offered to testify before US lawmakers as well. There isn’t a lot of clarity attached to this scenario – while we’re aware that US government outlets use Kaspersky Lab software, we aren’t sure how much of it is used within the Department of Defense. The US government started using Kaspersky products in 2008, and 6 years later it was in the Department of Justice, the Treasury Department, and multiple State Department offices and US embassies.
US/Russian cybersecurity relationship
Insights & Recommendations
No immediate actions necessary. The US/Russia relationship is important information for situational awareness for your organization. It is also information that’s important as you evaluate security vendors where there is controversy. Currently there have been no clear links between Kaspersky and any disruption in the US presidential election.
No “element of the Department of Defense may use, whether directly or through work with or on behalf of another … [element] of the United States Government, any software platform developed, in whole or in part, by Kaspersky Lab or any entity of which Kaspersky Lab has a majority ownership.” – Amendment to the National Defense Authorization Act for Fiscal 2018
Exploitation and Tactics
Information related to the tools, tactics, and exploits threat actors are leveraging in their attack campaigns.
Target Audience: Chief Technology Officer, Chief Information Security Officers, Information Security Officers, Threat Intelligence Analysts, Vulnerability Management, Incident Responders, Security Operations, IT Professionals <<<Advance to the next slide.>>>
Petya/NOPetya
Overview
Petya/NOPetya used a unique vector for initial infection – Petya/NOPetya successfully utilized trusted software updates from a legitimate software company as its initial malware delivery mechanism.
Petya/NOPetya was specifically designed to not allow data to be recovered – this malware will attempt to overwrite the MBR code if administrative privileges are obtained. Failing this, it will erase the first ten sectors of the disk drive.
Petya/NOPetya is more sophisticated than WannaCry – Petya/NOPetya used several known exploits and legitimate administrative tools to pivot across networks. Patching simply was not enough to stop it.
(Image: the Petya/NOPetya ransom note seen upon restart of an infected machine. From: Malwarebytes Labs)

In this section, I’ll provide a general overview of the destructive ransomware variant called Petya/NOPetya. Over the past year, and more recently during the U.S. presidential election, Russian hacking has certainly filled the headlines. News about the Russian Government orchestrating the hacking of the U.S. Democratic National Committee and our election system is now part of the public debate. Regardless of the Russian Government’s involvement in the incident, Russian cybercrime has been commonplace for many years now. When talking about threat actors, we have historically been able to differentiate between nation state, cybercriminal, and hacktivist threat actors. Nation state threat actors are directly associated with a government agenda. Cybercriminal actors are motivated by financial gain and not directly associated with a government agenda. Hacktivists are cyber activists that are inspired by causes and typically associated with the Anonymous Collective. Traditionally, I have considered most Russian threat actors as cybercriminals due to their historical campaign activity. However, given the recent news attention related to Russian hacking, the line between nation state and cybercriminals continues to blur.
Historically, Russian cyber criminals have authored and facilitated campaigns to propagate banking Trojans designed to steal financial credentials, which are bought and sold in the underground economy, and then used to steal money through online banking applications. This was the case with the Gameover Zeus Trojan that was responsible for a minimum of $100 million in reported fraud losses. The Gameover Zeus Trojan author, Yevgeniy Bogachev, was also responsible for creating the popular ransomware variant CryptoLocker, which accounts for a minimum of $27 million in reported fraud losses. Some experts have estimated that ransomware, in general, accounts for over $1 billion in fraud losses to date. This is big business for Russian threat actors. So a question that I struggle with is why would these actors get into the business of cyber espionage in support of Russian Government agendas? Unfortunately, we’re not going to answer that question during today’s briefing. However, I will discuss the Russian threat actors that are involved in this controversy. The threat intelligence service provider Fox-IT claims that Bogachev, using the hacker alias “Slavik,” used his Zeus botnet to target Ukrainian systems and exfiltrate classified information in support of the Russian/Ukrainian conflict over the annexation of Crimea. This is an example of the grey line between the nation state and cybercriminal threat actor landscape. In my opinion, this is highly controversial given the Zeus code has been publicly available for any actor to modify, use, and update. Regardless of the opinion, the FBI has placed Bogachev on the FBI Most Wanted list for authoring the Zeus Trojan and directly linked him to the DNC hack. In the media you will hear reporters referring to Grizzly Steppe, Cozy/Fancy Bear, or APT 28/29. These are all referring to Russian threat actors.
US DHS refers to them as Grizzly Steppe, CrowdStrike refers to them as Cozy and Fancy Bear, and FireEye/Mandiant refers to them as APT-28 and 29. These threat actors have also been responsible for launching hacking campaigns against the White House Unclassified Network, U.S. State Department, U.S. Joint Chiefs of Staff, German Parliament, and a French television station. Petya/NOPetya is smarter and more sophisticated than WannaCry. This new malware follows less than a month and a half after WannaCry affected over 200,000 endpoints in more than 200 countries. Welcome to the new normal. Sources: Microsoft - TechNet, Talos, Kryptos
Petya/NOPetya Threat Mitigation
If you have not yet applied Microsoft’s March 2017 patch (MS17-010), do so as soon as possible.
If you have been infected, shut down and disconnect any infected systems. Do not attempt to reboot these devices, as this may cause Petya/NOPetya to wipe the computer.
Do not pay the ransom. In the case of Petya/NOPetya, doing so will not result in receiving decryption keys.
Additional Recommendations
Make the time to back up all critical data, ideally to devices that are kept offline.
Create a disaster recovery plan for backing up and restoring critical data.
Implement a threat intelligence program to stay ahead of future threats and improve incident response times and vulnerability patching efforts.
(Diagram from Info-Tech’s Integrate Threat Intelligence Into Your Security Operations blueprint: Threat Intelligence, Threat Collaboration Environment, Vulnerability Management, Security Operations, Incident Response.)
Welcome to our team. This concludes our August 2017 threat briefing. Included in today’s presentation were several hyperlinks to our research blueprints that you can use to address some of the threats presented during the briefing. If you have any questions or need any support, please do not hesitate to contact us to set up an analyst call. Thank you.