“Play the man, not the malware”
The Cybercriminal Underground
Understanding and categorising criminal marketplace activity

About Me
● Token Australian at Intel 471 but haven’t lived in AU for 5+ yrs
● CEO and Founder of Intel 471
● Previously Chief Researcher at iSIGHT Partners (FireEye)
● Previously Technical Specialist at Australian Federal Police
● Over a decade of researching and tracking top tier cyber threat actors across both government and the commercial space

Objectives
● Understand how cybercrime works by viewing it through a business lens
● Establish a common vocabulary
● Conceptualise cybercrime and all related aspects
● Show how you can map out, organise, and visualise the underground
● Remove marketing from the intelligence equation
○ “Deep and dark web” is a lame marketing term

Observing the adversary
● Your own attack surface ← #1 way to observe as it relates to you
● The attack surface of other people like you (sharing)
● Technical collection (botnet/campaign tracking and emulation)
● Actor communications (the underground)
[Figure: the four observation points on a vertical axis labelled REACTIVE at the top and PROACTIVE at the bottom, with a horizontal line marked THE PERIMETER]

What is the cybercriminal underground?
● Vast majority of threat actors there are financially motivated
● Includes criminal forums, marketplaces and places where actors can be engaged
○ “Adversary space”
● Nation states/espionage actors are in the underground but operate quietly

What does the underground look like from our perspective?
● Criminal forums/marketplaces that anyone can register for
○ Alphabay (dead), Silkroad (dead), Dreammarket etc
● Vetted/invite only forums and marketplaces
● Information obtainable only via direct communication with cybercriminals

Viewing cybercrime through a business lens
● Making money is the goal
● The marketplace exists so that actors can buy, sell, and talk about buying/selling
● Reputations and brands are built over years
● Fortune 500 CEOs would be impressed
● Understand the business models, processes, and pain-points

Typical structure of cybercriminals
● Decentralised and grouped by specialisation
○ Not often structured like traditional organised crime (hierarchical, culture of trust)
● Examples:
○ Gameover/Jabber Zeus
○ “Carbanak”

Why map out the underground?

Underground Marketplace - Organisation
● Financially motivated cybercrime is primarily facilitated by the underground marketplace comprised of actors that buy, sell and talk about products, services, and goods
[Diagram: Cybercrime branches into Products, Services and Goods]
○ Products: a thing that has been refined for sale
○ Services: organised system that provides accommodation required by the underground
○ Goods: illicit digital merchandise, wares, or commodities usually sold in bulk

Underground Marketplace - Organisation
Tier 1
● Least number of actors
● Most significant actors
● Biggest victim impact

Underground Marketplace - Tier 1
[Diagram: Cybercrime → Products / Services / Goods, each with a Tier 1 layer]
Tier 1 products, services, and goods are core elements and key enablers of financially motivated cybercrime activity. They form the basis for what we consider “financially motivated cybercrime”.

Underground Marketplace - Tier 1
Tier 1 examples, as listed under the Products, Services and Goods columns:
Products
- Malware - Banking Trojans
- Malware - Ransomware
- Malware - Loaders
- Account checking tools
- Webinjects, ATS, Grabbers
Services
- Bulletproof Hosting
- Ransomware-as-a-service
- Malware Installs
- Traffic
- Spam
- Exploit Kits
- Cashout, Exchangers
Goods
- CC dumps / dump shops
- Database dumps
- Account credentials

Underground Marketplace - Tier 2
[Diagram: Cybercrime → Products / Services / Goods, each now showing Tier 1 and Tier 2 layers]
Tier 2 products, services, and goods are the peripheral elements of financially motivated cybercrime.

Underground Marketplace - Tier 2
Tier 2 examples, as listed under the Products, Services and Goods columns:
Products
- Scam/phishing pages
- One-off compromised accesses
- Malware - Cryptocurrency miners
Services
- Call services
- Travel Services
- SMS Spamming
Goods
- Gift cards / codes

Underground Marketplace - Tier 3
[Diagram: Cybercrime → Products / Services / Goods, each now showing Tier 1, Tier 2 and Tier 3 layers]
Tier 3 products, services, and goods are those tertiary elements of financially motivated cybercrime that have limited impact on their own.

Introduction to Bulletproof Hosting (BPH)
● Used by cybercriminals to host malicious things and not have them taken down

Categories of hosting infrastructure
● Good
● Abused
● Bulletproof

Putting it into practice - Bulletproof Hosting (BPH)
● Key enabler for huge amounts of cybercrime
○ Malware C&C, phishing, exploit kits etc
● Tracking malware and exploit kit IOCs (after they have been used) = lots of resources
● Track bulletproof hosters = proactive, timely and less resources required
● Only 8-10 tier 1 bulletproof hosters in the underground

Real case study
● RFI received from a customer
● Identified a Hancitor malspam campaign detected at their perimeter
● Provided IOCs and other info (domain WHOIS info, etc) related to the campaign
● The ask:
○ Provide information about “WHO” (Infrastructures, Groups, Individuals, etc)
○ Highlight any TTPs associated with the threat actors and their activity

Visualise the flow of what happened
1. Phishing email sent from fedex@wowgreatshop.com
2. Victims click on malicious URLs on: palmbeachmarinecontractor.com, palmbeachstrykers.com, cleanairexperts.com, palmbeachautomotive.com, gonegreensupply.com
3. Malicious Word doc drops Hancitor
4. Hancitor makes C2 call to domains for trojans: kedmolorop.com, tttconstruction.co.za, thettertrefbab.ru
5. Trojans (Pony, Evil Pony, Zloader, Gozi-ISFB, etc) make C2 call for extra malware or functionality: pahattitbut.com
6. Infection on device & positioned for data extraction

Patterns across a dozen Hancitor campaigns
[Diagram: the malspam campaign’s indicators, their role in the chain, and the hosting they sit on]
● Spoofed sender domain: wowgreatshop.com
● Phishing URLs: palmbeachautomotive.com, palmbeachstrykers.com
● Hancitor C2: kedmolorop.com, tttconstruction.co.za
● Pony C2, EvilPony C2, Zloader C2: pahattitbut.com
● Hosting: BPH 1 (a Tier 1 BPH service) and BPH 2 (dedicated small-time BPH and abused hosters)

End result of bulletproof hosting tracking
● Get upstream and monitor/track infrastructure providers to be proactive against many different threats
● Track BPH services to identify infrastructure before the bad guys are using it for badness - pre-IOCs (our marketing gimmick term)
● Understand the business models and processes to identify proactive and more impactful courses of action
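An added example, not from the deck, of how the infrastructure-first idea on this slide and the Good / Abused / Bulletproof categories from the hosting-infrastructure slide can be turned into triage logic. Everything in it is constructed: the provider names, the RFC 5737 documentation netblocks standing in for their address space, the .example domains and their resolutions; none of the deck’s indicators or any real provider’s netblocks appear, and the role labels (spoofed sender, phishing URL host, loader C2, trojan C2) simply mirror the chain on the case-study slides.

```python
"""
Infrastructure-first triage of campaign indicators (added example).

Instead of chasing each malware / exploit-kit IOC after it has been used,
track the small set of hosting providers (good / abused / bulletproof) and
treat anything that lands in tracked bulletproof space as a "pre-IOC".
All netblocks, provider names, domains and resolutions below are constructed
sample data (RFC 5737 documentation ranges, .example names), not the deck's.
"""
from __future__ import annotations

import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical provider registry: name -> (category, netblocks).
# good        = legitimate hosting, nothing bad seen
# abused      = legitimate hosting currently misused (notify the provider)
# bulletproof = run for criminals; takedown requests are ignored
PROVIDERS = {
    "bph-1.example": ("bulletproof", ["192.0.2.0/24"]),      # tier-1 BPH service
    "bph-2.example": ("bulletproof", ["198.51.100.0/26"]),   # small-time BPH
    "shared-host.example": ("abused", ["198.51.100.128/25"]),
    "cdn.example": ("good", ["203.0.113.0/24"]),
}

_NETS = [
    (ipaddress.ip_network(cidr), name, category)
    for name, (category, cidrs) in PROVIDERS.items()
    for cidr in cidrs
]


@dataclass(frozen=True)
class Resolution:
    domain: str
    ip: str
    role: str | None   # campaign role if already known, else None


def classify_ip(ip: str) -> tuple[str, str]:
    """Return (provider, category) for an IP; ('unknown', 'unknown') if untracked."""
    addr = ipaddress.ip_address(ip)
    for net, name, category in _NETS:
        if addr in net:
            return name, category
    return "unknown", "unknown"


def triage(obs: Resolution) -> dict:
    """Decide what an observed resolution means once the hosting is known."""
    provider, category = classify_ip(obs.ip)
    if category == "bulletproof" and obs.role is None:
        verdict = "pre-ioc"        # in BPH space before any campaign use is seen
    elif category == "bulletproof":
        verdict = "ioc-bph"        # confirmed campaign infrastructure on BPH
    elif category == "abused" and obs.role is not None:
        verdict = "ioc-abused"     # legitimate host misused: notify, don't block the provider
    elif obs.role is not None:
        verdict = "ioc"
    else:
        verdict = "benign-or-unknown"
    return {"domain": obs.domain, "provider": provider, "category": category,
            "role": obs.role, "verdict": verdict}


def provider_pattern(observations: list[Resolution]) -> dict[str, Counter]:
    """Count campaign roles per provider: the 'patterns across campaigns' view."""
    pattern: dict[str, Counter] = defaultdict(Counter)
    for obs in observations:
        if obs.role is None:
            continue
        provider, _ = classify_ip(obs.ip)
        pattern[provider][obs.role] += 1
    return dict(pattern)


# Constructed observations mirroring the slide's chain: spoofed sender,
# phishing URL host, loader C2, trojan C2s, plus one not-yet-used domain.
SAMPLE = [
    Resolution("shop-sender.example", "198.51.100.130", "spoofed_sender"),
    Resolution("phish-host.example", "198.51.100.131", "phishing_url"),
    Resolution("loader-c2.example", "192.0.2.10", "hancitor_c2"),
    Resolution("trojan-c2.example", "192.0.2.11", "pony_c2"),
    Resolution("trojan2-c2.example", "198.51.100.5", "zloader_c2"),
    Resolution("fresh-domain.example", "192.0.2.77", None),
]


def run(observations: list[Resolution] = SAMPLE) -> list[dict]:
    return [triage(o) for o in observations]


if __name__ == "__main__":
    for finding in run():
        print(finding)
    print(provider_pattern(SAMPLE))
```

A domain with no campaign role yet that resolves into tracked bulletproof space comes out as `pre-ioc`, which is the proactive signal the slide is after; indicators sitting on an abused legitimate provider are kept separate because the right response there is a notification to that provider, not treating the provider itself as hostile. `provider_pattern` is the "patterns across a dozen campaigns" view: once several campaigns are loaded, the count of roles per provider shows which hoster the whole chain keeps coming back to.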

Alex
● Have been tracking the actor Alex for over a year
● The IP addresses on the previous slide tied to his bulletproof hosting infrastructure

Who are Alex’s clients?
RANSOMWARE: CERBER, LOCKY/OSIRIS, SAGE
MALWARE: YAKES, RAZY, BARYS, KOVTER, DRIDEX, HANCITOR, NEMUCOD, PANDA BANKER (ZEUS), NYMAIM, ZUSY, SYMMI/GRAFTOR, GAFGYT (LINUX), MARCHER (ANDROID), VALYRIA, PONY/FAREIT, MIRAI and more
PHISHING: GLOBAL BANKS, AMAZON, CDN PROVIDERS, YANDEX, MICROSOFT, LOCAL UK GOV, CROWN PROSECUTION, HILTON, Google and a whole lot more
OTHER: EXPLOITATION OF CVE-2017-0199, DRUG SHOPS, CYBERCRIME FORUMS, DUMP SHOPS, CASINOS, PIRATING/FILE SHARING

Conclusions
● Visualize the underground marketplace in terms of products, services, and goods (and consumers)
● Organize products, services, and goods in terms of their significance by Tier 1-3
● Understand that cybercrime is a collection of systems, processes, actors, and groups working very similarly to how businesses work to make money
● Realize that it’s possible to map out the marketplace and identify the small number of actors that do the most damage

Questions?
contact us

Speaker notes

  1. At the top are things directly relevant to you. At the top is being the most reactive - like doing a boxing match with your hands tied behind your back. At the bottom is being the most proactive. Ultimately cyber threat intelligence is threat focused, meaning a threat is a person with an intent, goal, motivation and TTPs (malware isn’t a threat; the person using it against you or your customers is).
  2. Fortune 500 CEOs would be impressed: marketing; productization / commoditization; impressive returns on investment; longevity in a semi-permissive environment; sophistication. Understand the business models, processes, and pain-points: this provides a fuller understanding of the threat from a macro to micro view, and helps identify realistic and most impactful courses of action.
  3. Gameover Zeus: Slavik sold Zeus on a buy-in amount of $ plus a % of every transaction that went through it. The actors who bought this service used a third-party service for the management and recruiting of mules, which cost a % of the $. Carbanak: a horrible name to describe this activity, as Carbanak is a combination of the words Carberp and Anunak, which are separate trojans. Some actors who have used Anunak have also used Carberp alongside other trojans/tools like Money Maker Banker Bot, Smoke Loader etc. Not a good idea to name a group after the malware they have used, especially when said malware is used by multiple actors.
  4. Of the 17M actors in the underground, probably less than 2,500 actually are doing most of the real damage. Of the 17M you have lots of duplicates, researchers, LE, skids, and scammers too. There’s a good bit of effort up front to do this, but it’s a bell curve basically. Once completed, efforts are focused on the threat actors that matter for most impact and valuable intelligence collection. You build such an intimate knowledge of the underground marketplace that new actors are quickly noticed, actors that are assuming others’ identities are easily sniffed out, legitimate actors and scammers are easily identified, etc. In the end this provides true intelligence value to the teams you can support.
  5. This marketplace facilitates actors involved with buying, selling, or talking about products, services and goods. A lot of analysts don’t realize that if you listen to what the criminals say they’ll tell you some interesting stuff... of course criminals are lying scum as well, so we need to assess the info appropriately. This ability comes with time. Examples: malware authors announce new releases and functionality; BPH providers provide descriptions of their services; actors complain about others; you can elicit information from actors (HUMINT/engagements). We can divide the underground marketplace up into 3 primary areas: Products, Services, and Goods... these are all business terms for the most part.
  6. Products are basically just stuff that you can buy. Actors have productized this stuff into a solid product. The market is the judge.
  7. Services play an enabling role in cybercrime. These folks are the hidden hand of cybercrime. As is expected, service providers interact with more cybercriminals than any other. It is easy to quantify the impact of a product or good, but very hard to quantify the impact of services.
  8. This is your bulk data that’s often advertised in the marketplace, but sold in custom shops.
  9. Before we get into some examples I want to organize the marketplace one step further. Think of “Tiers” as a measure of the significance some product, service, or good plays in the cybercrime ecosystem: 1 - most significant, 3 - least significant. Tier 1 is the top tier actors. Tier 1 is often the most sophisticated and mature in a business sense. Impacting Tier 1 has more of a downstream effect on the entire model, essentially making things harder or even impossible.
  10. Most impact can be realized when you affect key enabling services. These tend to involve more sophisticated actors and business models/setups - front companies, large amounts of money, etc. This is usually where your top tier and most impactful actors like to hang out.
  11. Now we start mapping in the actors and making sense of things. Our job starts to get much easier as we build that clarity on the “who’s who”. We can even categorize the actors in terms of significance within their respective area/specialty, but we’ll leave that for another day.
  12. Lastly we start to target the actors specifically to answer key questions and fill gaps in knowledge. This is where we really start to understand the business models and processes, and identify pain-points where max impact can be realized. Yalishanda is a Russian actor who spends his time between Russia and China and is a tier 1 bulletproof hoster. Huge amounts of badness have been hosted by him, including ransomware (Cerber, Locky), malware (Dridex, Panda Banker, Pony, Mirai and more), phishing (banks, CDNs, retail companies) and other things like exploits, drug shops, cybercrime forums, CC dump shops etc.
  6. Products are basically just stuff that you can buy Actor’s have productized this stuff into a solid product The market is the judge
  7. Services play an enabling role in cybercrime These folks are the hidden hand of cybercrime As is expected, service providers interact with more cybercriminals than any other Easy to quantify impact a product or good, but very hard to quantify the impact of services
  8. This is your bulk data that’s often advertised in the marketplace, but sold in custom shops
  9. Before we get into some examples I want to organize the marketplace 1 step further Think of “Tiers” as a measure of significance some product, service, or good plays in the cybercrime ecosystem 1 - most significant, 3- least significant Tier 1 is the top tier actors Tier 1 is often the most sophisticated and mature in a business sense Impacting Tier 1 has more of a downstream effect on the entire model essentially making things harder or even impossible
  10. Most impact can be realized when you affect key enabling services Tend to involve more sophisticated actors and business models/setups - front companies, large amounts of money, etc This is usually where your Top tier and most impactful actors like to hang out
  11. Now we start mapping in the actors and making sense of things Our job starts to get much easier as we build that clarity on the “who’s who” We can even categorize the actor’s in terms of significance within their respective area/specialty, but we’ll leave that for another day
  12. Lastly we start to target the actor’s specifically to answer key questions and fill gaps in knowledge This is where we really start to understand the business models, processes, and identify pain-points where max impact can be realized Yalishanda is a Russian actor who spends his time between Russia and China and is a tier 1 bulletproof hoster Huge amounts of badness has been hosted by him including ransomware (cerber, locky), malware (dridex, Panda banker, Pony, Mirai and more), phishing (banks, CDNs, retail companies) and other things like exploits, drug shops, cybercrime forums, CC dump shops etc