Cloudcamp Chicago Nov 2104 Fintech Lightning talk "East / West Challenges in Fintech" from Dwight Koop, COO at Cohesive @dwightkoop

1. “The East / West Problem”
!
Dwight Koop,
COO at CohesiveFT
!
Tweet: @dwightkoop
#cloudcamp
Sponsored by
Hosted by
#cloudcamp
@CloudCamp_CHI

2. The East / West
Problem
Chicago Cloud Camp
Chalk Talk
November 3, 2014
Dwight Koop
No CohesvieFT
Logo Here!

3. Axiom Threat Group
fbi TLP:GREEN
f b i flash
fbi liaison alert system
#a-000042-mw
The following information was obtained through FBI investigations and is provided in accordance with
the FBI's mission and policies to prevent and protect against federal crimes and threats to the national
security.
This FLASH has been released TLP:GREEN: The information in this product is useful for the awareness of all
participating organizations as well as with peers within the broader community or sector. Recipients may share
this information with peers and partner organizations within their sector or community, but not via publicly
accessible channels.
There is no additional information available on this topic at this time.
SUMMARY
The FBI is providing the following information with HIGH confidence:
The FBI obtained information regarding a group of Chinese Government affiliated cyber actors who routinely
steal high value information from US commercial and government networks through cyber espionage. These
state-sponsored hackers are exceedingly stealthy and agile by comparison with the People's Liberation Army Unit
61398 ("APT1") whose activity was publicly disclosed and attributed by security researchers in February 2013.
This Chinese Government affiliated group previously documented by private sector reports referencing
Operation Deputy Dog, Operation Snowman, Operation Ephemeral Hydra, Hidden Lynx, and APT17, as well as
Bit9 and Google security alerts has heavily targeted the high tech information technology industry including
microchip, digital storage and networking equipment manufacturers, as well as defense contractors in multiple
countries and multinational corporations. These actors have deployed at least four zero-day exploits in the
attacks which compromised legitimate websites to deliver malicious payloads. Any activity related to this group
detected on a network should be considered an indication of a compromise requiring extensive mitigation and
contact with law enforcement.
TECHINICAL DETAILS
The FBI is providing the following information with HIGH confidence:
This group uses some custom tools that should be immediately flagged if detected, reported to FBI CYWATCH,
and given highest priority for enhanced mitigation. The presence of such tools is typically part of a
comprehensive, multifaceted effort to maintain persistent network access and exfiltrate data. The custom tools
used by this group are as follows:
October 15, 2014
Chinese Government
Hackers
Sophistication moving
“LATERALLY’’
once inside … they go
undetected

4. SEC OCIE Softball
Office of Compliance Inspections and Examinations
Cybersecurity Exam
Question 10 - Networks
Unauthorized Lateral
Movement
Business Function
Isolation
Separate Dev/Test/Prod/DR
INcident Response Logs

5. Let’ Just Assume
They’re Inside Already
JPMC - 2 Monyhs
Neiman Marcus - 5 Months
Home Depot - 5 Months
Goodwill - 18 Months
Wall Street Secirity Gaps
New York Times 10/21/2014
SAAB - No Comment
Mexico President’s Office - 2 years
Source…

6. Walls vs. Windows
VM VM VM VM
Virtualization
Hardware
Network
NIC NIC NIC NIC
Network
VMware’s View
CISCO’s View

7. “VMs sure talk a Lot”
NORTH
WEST EAST
SOUTH
80% of
DataCenter
Traffic Is
E-W,
Martìn Casado, VMW
80% of
Security
Spend Is
N-S.
Martìn Casado, VMW

8. Not just a bunch of VMs
Currencies
DB Tier
APP Tier
WEB Tier
ETLs
Mes. Q’s
APIs
BONDS
DB Tier
APP Tier
WEB Tier
ETLs
Mes. Q’s
APIs

9. Who Knows Each App Best?

10. Who Knows Each App Best?
DevOps - Meet - DevSec