Cyber Security – Anatomy of a Hack
Ann Delenela, Chief Security Officer
Operator Training Workshop 2016
Learning Objectives
Identify cyber security threats
Describe factors of an Advanced Persistent Threat
Summarize the anatomy of a hack
Identify the phases of the cyber kill chain model
Identify security controls to address the cyber kill chain
Agenda
Security Threat Landscape
Advanced Persistent Threat
Anatomy of a Hack
Industry Readiness
The Art of (Cyber) War
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
― Sun Tzu, The Art of War, 500 BC
Attack Sophistication vs. Intruder Knowledge (chart)
Source: Software Engineering Institute & Carnegie Mellon
Security Threat Trends
Non-Tech Hacking
Nation State Sponsored
Hacktivists
Crafted Malware
Crimeware
Threat Landscape: Electric Utility Sector
Natural Disasters
Physical Attack / Theft
Cyber Attack
Insider Threat
Coordinated Physical & Cyber Attack
Supply Chain Compromise
Pandemic
Geomagnetic Disturbance
Chemical / Biological / Radiation
Electromagnetic Pulse
Nuclear
Source: The Chertoff Group
Advanced Persistent Threat (APT) Defined
Targeted: an individual organization, nation state or even a specific technology is the focus. Infiltration is not accidental.
Advanced: an unknown, zero-day attack that carries malware payloads and uses kernel rootkits and detection-evasion technologies.
Persistent: it doesn’t stop. It keeps phishing, plugging and probing until it finds a way in to serve malware.
Cyber Kill Chain® Background
Lockheed Martin’s process to explain and defensively mitigate future threats
Deconstructs a hack into its individual components
Step 1: Reconnaissance
The attacker gathers information on the target before the actual attack starts
Internet search, social media: Google, Wikipedia, Facebook, your webpage, etc.
Step 2: Weaponization
The attacker uses an exploit and creates a malicious payload to send to the victim
This step happens on the attacker’s side, without contact with the victim
No longer requires advanced skills
Step 3: Delivery
The attacker sends the malicious payload to the victim by email or other means, which represents one of many intrusion methods the attacker can use
Examples: phishing / email, network-based attacks, USB drives, vendor updates
Step 4: Exploitation
Triggers the intruder’s code
Targets can be:
an application or operating system vulnerability
an operating system feature that auto-executes code
the users themselves
Step 5: Installation
Malware types: viruses, trojans, rootkits, worms, spyware, crimeware, adware
Installs malware, a remote access trojan or a backdoor on the victim system
Allows the adversary to maintain persistence inside the environment
A point in time within a much more elaborate attack process that may take months to operate
Step 6: Command and Control
Diagram legend: 1. Attacker, 2. BotHerder, 3. Zombie, 4. Target
The attacker creates a command and control channel in order to continue to operate his internal assets remotely
This step is relatively generic and relevant throughout the attack, not only when malware is installed
Step 7: Action on Objectives
The attacker performs the steps to achieve his actual goals inside the victim’s network
An elaborate active attack process that may take months
Information theft
Hacker fame / hacktivism – defacement
Extortion – ransomware
Nation state leverage
Destructive malware
Cyber Kill Chain Case Study
Reconnaissance: harvest email addresses, company information, etc.
Weaponization: couple exploit with backdoor into deliverable payload
Delivery: deliver weaponized bundle to the victim via email, web, USB, etc.
Exploitation: exploit vulnerability to execute code on victim system
Installation: install malware on the asset
Command & Control: command channel for remote manipulation of victim
Actions on Objectives: with “hands on keyboard” access, intruders accomplish their original goal
Source: Lockheed Martin Cyber Kill Chain
Kill the Kill Chain: Security Controls
Reconnaissance & Weaponization: asset management (inventory systems); infrastructure & data security; training (awareness & education)
Delivery: email & web filtering; system port control
Exploitation & Installation: application whitelisting; privileged identity management
Command & Control: network monitoring; traffic pattern analysis
Actions on Intent: outbound traffic monitoring; anomaly detection
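One way the “traffic pattern analysis” and “outbound traffic monitoring / anomaly detection” controls above can be put into practice is to look for periodic beaconing in outbound connection logs, since a timer-driven implant connects to its command channel at nearly constant intervals while human browsing does not. This is an added example, not code from the presentation; the log format, the sample log lines and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample outbound connection log (not from the presentation):
# "<timestamp> <src> -> <dst>:<port> <bytes>"
SAMPLE_LOG = """\
2016-03-01T09:00:00 10.1.1.5 -> 203.0.113.7:443 512
2016-03-01T09:00:02 10.1.1.5 -> 198.51.100.20:443 40120
2016-03-01T09:05:00 10.1.1.5 -> 203.0.113.7:443 510
2016-03-01T09:10:01 10.1.1.5 -> 203.0.113.7:443 514
2016-03-01T09:12:40 10.1.1.5 -> 198.51.100.20:443 1820
2016-03-01T09:15:00 10.1.1.5 -> 203.0.113.7:443 511
2016-03-01T09:19:59 10.1.1.5 -> 203.0.113.7:443 513
2016-03-01T09:31:15 10.1.1.5 -> 198.51.100.20:443 77000
"""

def parse_log(text):
    """Parse log lines into (timestamp, src, dst:port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records

def find_beacons(records, min_conns=4, max_jitter=0.1):
    """Return {(src, dst): mean interval in s} for near-constant-interval pairs."""
    # jitter = stdev/mean of the gaps; a low value means a timer drives the traffic.
    # min_conns and max_jitter are assumed thresholds; tune them to the environment.
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)
    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue  # too few connections to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            findings[pair] = round(avg, 1)
    return findings

if __name__ == "__main__":
    print(find_beacons(parse_log(SAMPLE_LOG)))
```

In the sample, the host’s five connections to 203.0.113.7 land five minutes apart with about a second of drift and are flagged, while the irregular, larger transfers to 198.51.100.20 are not.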
NERC GridEx
Exercise the response to a disruptive cyber and physical security event
Table-top drill using real-world scenarios
Stakeholder participation and training
Integration with BPS operations
Government participation
Integration with senior executives
Interactive simulation
GridEx Participation Growth
GridEx I (2011): 76 organizations, 420 individuals
GridEx II (2013): 234 organizations, 2,000+ individuals
GridEx III – November 18-19, 2015
Number of Registered Participants:
Number of Registered Organizations:
GridEx III 2015 – ERCOT Region
ERCOT Region Participation: 15 entities; 41 individuals
ERCOT ISO: 70 individuals
12 law enforcement and local/federal partners: FBI Houston/Dallas/Austin, TX Dept of Emergency Management, TX Dept of Public Safety, Taylor Fire Dept
National GridEx III Exercise Outcome
Objective 1: Exercise Crisis Response & Recovery
Increased participation
Increased continuing education hours earned
Increased entities exercising cyber, physical and operations response
Objective 2: Improve Communication
Increased exercise of communications process internally and with external partners
Objective 3: Identify Lessons Learned
Objective 4: Engage Senior Leadership
Explored information sharing between industry, public & government
Explored coordination of recovery efforts
Future Plans: GridEx IV 2017
Expand participation of internal and external players
Additional TOs, MPs
Include additional external partners such as Texas Military Forces
Enhance cyber and physical incident response across the ERCOT region
Texas CIPWG GridEx subgroup
Cross-sector participation: Oil/Gas, Telecom
DPS Private Sector Advisory Council
Security and the Grizzly Bear
Security Trivia Questions*
*Provided by DHS for National Cybersecurity Awareness Month
Security Trivia Question #1
Who are most likely to launch successful cyber terrorist attacks against classified networks and critical infrastructure?
A. Hackers
B. Nation States
C. Crackers
Security Trivia Question #2
How many credit card numbers were stolen in the largest known cyber theft?
A. 160 million
B. 90 million
C. 215 million
Security Trivia Question #3
What percentage of employees steal proprietary corporate data when they quit or are fired?
A. 7%
B. 45%
C. 59%
Security Trivia Question #4
Which country is the target of the highest number of Internet-based attacks?
A. China
B. Russia
C. US
Security Trivia Question #5
Israel considers cyber warfare the best tool to blunt the aggression of what Middle East neighbor?
A. Iraq
B. Iran
C. Saudi Arabia
Security Trivia Question #6
What percentage of free mobile apps capture and sell personal info from your phone?
A. 10%
B. 50%
C. 30%