What s Lurking in Your Network & The Business Impact of Data Breaches. Colby Clark Director of Incident Management FishNet Security

Full text


What’s Lurking in Your Network &

The Business Impact of Data Breaches

Colby Clark – Director of Incident Management FishNet Security


Colby Clark is the Director of Incident Management at Fishnet Security and is a senior professional in the information security, computer forensic, and regulatory compliance fields with over 15 year’s experience and leadership. He is a leader in the incident response field developing methodologies to stay ahead of evolving threats and working with top security vendors to create tool-sets to target threats.

Previous employment:

AccessData – 2009-2013

Guidance Software – 2003-2009

Total Information Security, Digital Investigations, & Consulting – 15+ years

Education and Certifications:

Graduated Cum Laude from the University of Southern California with a Bachelors of Business Administration Maintains the QSA, PCIP, EnCE, CISSP, OPSA, CISA, and CISM certifications


Problems We Face

The Targets

The Victims

The Motivations

Breach and Response Metrics

Key Concepts for Combating

Modern Threats


 Waves of malware attacks per industry with malware optimized for each wave and software types

 Thousands of machines infected in large environments

 Large numbers of ingress/egress points and unmanaged devices

 Polymorphism of malware per machine instead of per organization circumventing most host and network based detection methods

 Multi-vector malware in layers creating distraction and chaos while allowing unauthorized access, performing massive data exfiltration, and leading to

extortion and data loss: W32.Changeup Zeus Cryptolocker Data Loss

 Malware with Domain Generation Algorithm (DGA)

 Long term presence within infiltrated organizations

 Reconnaissance for worse activity later

 Ransomware encrypting hard drives and network shares

 High-grade commodity malware is a distraction for APT

 Attack vectors often not notable (low hanging fruit)

 Customers often have security/IR infrastructure, but not properly configured,

Problems We Face


Problems We Face

Nobody is immune to compliance. But it’s more than just

checking a box.

Everyone needs to be compliant with a policy, regulation or legal requirement: PCI Compliance, HIPAA, GLBA, FTC, NERC, FERC… Are you secure or just compliant? You can be completely compliant and totally insecure.

Promote compliance through

security. It does not come in a can or clip board.


Problems We Face

The uncomfortable truth

Everyone is 0wn3d.

How exposed are you to cyber criminals?

You have been breached

whether you know it or not.

Malware patiently waits in

nearly every environment

allowing clandestine command

and control, data harvesting,

and arbitrary code execution

Hackers are like water in a

bucket. If there is a hole, they

will find it.

Focus on solving the security

problem holistically.


Problems We Face

Bottom line - Security threats have evolved…

Script Kiddies, Web

defacement, Bragging Rights, Backdoors in open source

Code Red Nimda Klez Anna Kournikova Crime Syndicates, Nation States, Identity Theft, Industrialized Malware APT

Mobile phone attacks

Targeted attacks

232 million identities stolen

Security Spending  Anti-virus  Firewall/VPN  Content Filtering  IDS/IPS Security Spending  Anti-virus  Firewall/VPN  Secure Email/Web  IDS/IPS



…Security spending hasn’t!

The response no longer fits the threat!

Threats Threats Sub7 Back Orifice Night Dragon Red October Zeus NTDaddy NetBus


Everyone is a target


Large Corporations

Small Companies

Private Individuals

Every target is of interest

Defacement for bragging rights

PII, IP, and identity theft

Credential stealing

Confidential data leakage

Customer information

Supply chain attacks

Adding to their botnet

Use your network and devices as jump points


Top Target Countries of 2013




Top News Clips from 2012 - What Happened?

All were sued (Content Based on Public Knowledge):

Zappos – Class action suit

LinkedIn – $5M class action suit

South Carolina - $12M settlement

Global Payments – Class action suit

Nationwide – Class action suit

Wyndham – FTC Consent Order (really bad)

Yahoo – Class action suit





Ransomware becoming increasingly common

Now in corporate environments and affecting hard drives and shares

Highly lucrative; attacks win either way


Breach and Response Metrics & Facts

Financial Metrics (from Ponemon 2013 Cost of Data Breach Study):

• Average total cost of a breach: $5.4 Million

• Average per record cost for data breach: $192 (actual costs vary per organization type)

• Average per record cost reductions

– Having a strong security posture: $34

– Having an incident response plan in place: $42 – Appointing a CISO: $23

– Hiring consultants to respond to a breach: $13

Important Facts:

• Attackers infiltrate and maintain persistence for about 1 year on average before detection

• Antivirus is around 3-5% effective at detecting new threats

• Fran Rosch, Senior Vice President of Mobility at Symantec, testifies before congress that signature-based detection methodology is ineffective

• Pentagon claimed that Chinese 2011 military spending equaled $180 billion with sustained investment in cyberwarfare

• Hacking has resulted in the largest transfer of wealth in human history – As of July 2013, Chinese hackers have cost the US about $2 Trillion


Endpoint Technology

Corporate environments

Behavioral analysis

Continuous monitoring

Least prevalence detection

Not limited to the security perimeter

Application restrictions to know good behavior

Scanning for IOCs

Cardholder data environments

Application whitelisting

Application restrictions to know good behavior


Network Monitoring & Restrictions

SSL decryption

Network malware analysis



Network traffic IOCs and anomalies

2 factor authentication for remote access

Restrict egress from cardholder data environment

to processing only


Data Security – Cloud, Endpoint, Repository…


 Lock down documents so it does not matter if they are stolen

 Utilize the cloud with out concern

 Reduced fear of IP theft

Program Development

 Incident response gap analysis

 Policy and procedure development

 Incident handling playbook development

Training & Testing

 Provide hands-on training for all technology, playbook scenarios, and threats

 Provide tabletop testing for realistic scenarios involving stakeholders

 Practice communications and methodology

Incident Response Retainer

 Subject matter experts on call

 Augment internal capabilities


Thank You

Colby Clark

Director of Incident Management

FishNet Security






Related subjects :