Managing Financial Industry Threats Through Information Sharing

Managing Financial Industry Threats
Through Information Sharing and Analysis
Chip Wickenden
Vice President
FS-ISAC
April 5, 2016
Cyber Risk Evolution
DILBERT © 2005 Scott Adams. Used By permission of UNIVERSAL UCLICK. All rights reserved.
2
April 11, 2016 — FS-ISAC Confidential
Trend Micro Cyber Crime Study
3
• 
Cataloged 78 underground Russian forums – each with twenty
thousand to hundreds of thousands of registered users
• 
Forums offer 38 types of cybercrime goods and services
including:
-  Distributed denial-of-service attacks
-  Spam
-  Social engineering services
-  Ransomware
-  Command-and-control services
-  Trojan malware
-  Rootkits
-  Anonymizing VPNs
Source: Trend Micro
Source:h*p://www.trendmicro.com/vinfo/us/security/research-and-analysis
Malcode Infection Techniques
•  Phishing – Widespread email – lots of victims
•  Spearphishing – Targeted email aimed at a few victims.
•  Drive by Download – The unintentional download of malicious
software, typically from an infected reputable site, merely by
visiting a page.
•  Fake Anti-Virus Software – Alarming user with false infection
warning, tricked into downloading malware.
•  WebInject – Functionality that can be used to modify a web page
on the infected end host.
4
April 11, 2016 — FS-ISAC Confidential
Mid-sized Belgian bank loses
$75 million to BEC Scammers
• 
Mid-sized Belgian bank targeted in January 2016, lost over 70 million euros (around
$75.8 million).
• 
Theft perpetrated by cybercriminals and discovered by internal audit.
• 
Belgian newspapers report the bank was a victim of CEO fraud (or BEC scam –
Business Email Compromise).
• 
• 
Two possible tactics: 1) compromise of email system and CEO emails and calendar;
or 2) spoof of CEO’s email address (example: [email protected] instead of
[email protected].)
The BEC order included a reason why it should be executed immediately.
• 
Scammers counted on employees to execute the order.
• 
Due to capital reserves, the bank can sustain this loss.
• 
• 
The bank has implemented additional security measures.
Law enforcement agencies and security companies around the world have been
warning businesses about BEC scams for over a year, but companies and some
banks are still falling for it.
Source: Help Net Security, posted 1/26/2016
5
April 11, 2016 — FS-ISAC Confidential
Information Sharing
ONE ORGANIZATION’S INCIDENT BECOMES
THE INDUSTRY RESPONSE
6
April 11, 2016 — FS-ISAC Confidential
Regulators Place Value on Info Sharing
7
April 11, 2016 — FS-ISAC Confidential
FS-ISAC Key Membership Numbers
FIMembersWorldwide
PercentageUSBanks
CountriesRepresented
6800+
80%+
40
Growth
OtherTypesof
Members
Dues
2022FIsaddedin2015
223FIsaddedsofarin2016
8
• 
• 
• 
• 
• 
• 
• 
April 11, 2016 — FS-ISAC Confidential
• 
CreditUnions
CardBrands
BrokerDealers
InsuranceCompanies
FSSectorThirdParty
Processors
FSAssociaJons
ClearingHouses,Exchanges
FinanceCompanies
Dependingontypeof
member,duesarebased
onassetsorrevenues-
Rangefrom$250-
$50,000peryear.
FS-ISAC Information Flow
Information Sources
Other Intel
Agencies
iSIGHT Partners
Info Sec
Secunia
Vulnerabilities
Wapack Labs
Malware
Forensics
NC4 Phy Sec
Incidents
MSA Phy Sec
Analysis
9
Information
Security
April 11, 2016 — FS-ISAC Confidential
Physical
Security
Business
Continuity/
Disaster
Response
Cross Sector
(other ISACS)
Open Sources
(Hundreds)
CROSS SECTOR
SOURCES
Law
Enforcement
PRIVATE SOURCES
FS Regulators
FS-ISAC 24x7
Security Operations Center
GOVERNMENT
SOURCES
CERTs
Member
Communications
Fraud
Investigations
Payments/
Risk
Alerts
MemberSubmissions
Information Sharing Tools
Threat Data, Information Sharing
¤  Anonymous Submissions
¤  Cyber Intel Listserver
¤  Relevant/Actionable Cyber &
Physical Alerts (Portal)
¤  Special Interest Group Email
Listservers
¤  Threat Automation (Soltra Edge)
¤  Document Repository
¤  Member Contact Directory
¤  Member Surveys
¤  Risk Mitigation Toolkit
¤  Threat Viewpoints
10
April 11, 2016 — FS-ISAC Confidential
Ongoing Engagement
¤  Bi-weekly Threat Calls
¤  Emergency Member Calls
¤  Semi-Annual Member Meetings
and Conferences
¤  Regional Outreach Program
¤  Bi-Weekly Educational Webinars
¤  Executive Communications
Readiness Exercises
¤  Government Exercises
¤  Cyber Attack against Payment
Processes (CAPP) Exercise
¤  Advanced Threat/DDoS Exercise
¤  Industry Exercise Program
including 2016 CEO Exercises
Building Trust: The Traffic Light Protocol
When should it be used?
11
How may it be shared?
RED. Sources may use FS-ISAC RED when the
information’s audience must be tightly controlled,
because misuse of the information could lead to
impacts on a party’s privacy, reputation, or
operations. The source must specify a target
audience to which distribution is restricted.
Recipients may not share FS-ISAC RED information with
any parties outside of the original recipients.
AMBER. Sources may use FS-ISAC AMBER
when information requires support to be effectively
acted upon, but carries risk to privacy, reputation,
or operations if shared outside of the
organization’s involved.
Recipients may only share FS-ISAC AMBER information
with other FS-ISAC Members, staff in their own
organization who need to know, or with service providers to
mitigate risks to the member’s organization if the providers
are contractually obligated to protect the confidentiality of
the information. FS-ISAC AMBER information can be
shared
GREEN. Sources may use FS-ISAC Green when
information is useful for the awareness of all
participating organizations as well as with peers
within the broader community.
Recipients may share FS-ISAC GREEN information with
peers, trusted government and critical infrastructure partner
organizations, and service providers with whom they have
a contractual relationship, but not via publicly accessible
channels.
WHITE. Sources may use FS-ISAC WHITE when
information carries minimal or no foreseeable risk
of misuse, in accordance with applicable rules and
procedures for public release.
FS-ISAC WHITE information may be distributed without
restriction, subject to copyright controls.
April 11, 2016 — FS-ISAC Confidential
Member Submissions via Portal
Anonymous or Attributed
Submission Types: Cyber Incident, Physical Incident
Member
Notifications
Other
Notifications
(security
services, etc.)
12
April 11, 2016 — FS-ISAC Confidential
12
Circles of Trust
PRC
IRC
Asset
Mgr.
CYBER
INTEL
FSISAC
CHEF
• 
• 
• 
BRC
CIC
Broker
Dealer
CAC
PPISC
TIC
Member Reports
Incident to Cyber
Intel list, or via
anonymous submission
13
April 11, 2016 — FS-ISAC Confidential
• 
• 
• 
• 
• 
• 
• 
• 
Clearing House and Exchange Forum (CHEF)
Payments Risk Council (PRC)
Payments Processor Information Sharing
Council (PPISC)
Business Resilience Committee (BRC)
Threat Intelligence Committee (TIC)
Community Institution Council (CIC)
Insurance Risk Council (IRC)
Compliance and Audit Council (CAC)
Cyber Intelligence Listserv
Asset Manager Council
Broker-Dealer Council
Members respond in
real time with initial
analysis and
recommendations
SOC completes analysis,
anonymizes the source, and
generates alert to general
membership
Types of Information Shared
Cyber Threats, Incidents,
Vulnerabilities
Malicious Sites
Threat Actors, Objectives
Threat Indicators
Tactics, Techniques,
Procedures
ü  Courses of Action
ü  Exploit Targets
ü  Denial of Service Attacks
ü  Malicious Emails: Phishing/
Spearphishing
ü  Software Vulnerabilities
ü  Malicious Software
ü  Analysis and risk mitigation
ü  Incident response
ü 
ü 
ü 
ü 
14
April 11, 2016 — FS-ISAC Confidential
Physical Threats, Incidents
ü Terrorism
ü  Active Shooter
ü  Hurricanes
ü  Earthquakes
ü  Other meteorological events
ü  Geopolitical impacts
ü  Pandemic
ü  Type, location, severity
ü  Impact analysis and risk mitigation
ü Business resilience preparation
and incident response
Threat Automation
Soltra Edge
15
April 11, 2016 — FS-ISAC Confidential
Threats (& Intelligence) Growing Fast
16
April 11, 2016 — FS-ISAC Confidential
STIX Constructs
17
April 11, 2016 — FS-ISAC Confidential
Threat Intelligence Awareness to Action:
Manual vs. Automated
18
April 11, 2016 — FS-ISAC Confidential
Intelligence-Driven
Community Defense
19
April 11, 2016 — FS-ISAC Confidential
Trustwave’s List of
7 Deadly Employee Sins
1) 
2) 
3) 
4) 
5) 
6) 
7) 
20
Pathetic Passwords: The most common corporate password is "Password1" because it
meets the minimum complexity requirements. 15% of physical security tests, written
passwords were found on and around user workstations.
Peeping ROM: 71% of workers sneak a peek at a co-workers or stranger's workstation. One
in three workers leaves their computers logged on when they are away from their desk.
USB Stick Up: 60% of users who find random USB sticks in a parking lot will plug them into
their computers; add those sticks that includes a company logo and the number increases to
90%.
Phish Biting: 69% of phishing messages past spam filters; 27% of IT organizations have
users who have fallen for malicious e-mail attacks.
Reckless Abandon: 70% of users do not password-protect their smartphones, and 89% of
people who find lost cell phones rummage through the digital contents.
Hooking up with Another Man's WiFi: By 2015, the number of WiFi hotspot deployments
will increase 350%, but currently, only 18% of users use a VPN tool when accessing public
WiFi.
A Little Too Social: 67% of young workers think corporate social media policies are outdated,
and 70% regularly ignore IT policies. Just over half (52%) of enterprises have seen an
increase of malware infections due to employees' use of social media.
April 11, 2016 — FS-ISAC Confidential
Source:h*ps://www.trustwave.com/home/
21
April 11, 2016 — FS-ISAC Confidential
Contact Information
Bill Nelson
President & CEO
[email protected]
John Carlson
Chief of Staff
[email protected]
Eric Guerrino
EVP Operations
[email protected]
Brian Tishuk
General Counsel
[email protected]
Kris Herrin
SVP, Global Operations
[email protected]
Robin Fantin
SVP Marketing
[email protected]
Cindy Donaldson
SVP, COO Sector Services
[email protected]
Kristi Horton
Chief Intelligence Officer
[email protected]
Chip Wickenden
VP, Sector Services
[email protected]
Beth Hubbard
Director, Member Services
[email protected]
Charles Bretz
Director, Payment Services
[email protected]
Rick Lacafta
Director, Summits, CAC, IRC
[email protected]
Susan Rogers
Director, Business Resiliency
[email protected]
Jeffrey Korte
Director, Community Institution Council
[email protected]
Member Services
Non-critical inquiries
[email protected]
22
April 11, 2016 — FS-ISAC Confidential
www.fsisac.com