Exploring the Capabilities and Economics of Cybercrime
•Télécharger en tant que PPTX, PDF•
2 j'aime•836 vues
In this talk we will look at the current attacker community as well as the tactics and capabilities that are currently being leveraged against targets across the globe. We will then go into the financial mechanics behind both financial based cybercrime as well as nationstate espionage. We will touch on some of the scary capabilities of attackers and try to work thru the reason why we still aren’t seeing the broad scale destructive attacks that everyone has been predicting for years. By Jim Walter, Senior Research Scientist, Cylance
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (18)
En vedette
En vedette (10)
Similaire à Exploring the Capabilities and Economics of Cybercrime
Similaire à Exploring the Capabilities and Economics of Cybercrime (20)
Dernier
Dernier (20)
Exploring the Capabilities and Economics of Cybercrime
- 1. Exploring the Capabilities and Economics of Cybercrime Recent Trends and Highlights JIM WALTER SENIOR RESEARCH SCIENTIST| CYLANCE
- 2. INTRODUCTIONS JIM WALTER Sr. Research Scientist w/ Cylance Previously ran Threat Intelligence and Advanced Threat Research efforts at McAfee / Intel Security (1998-2015)
- 3. OVERVIEW Current Attacker Community / Climate Current Campaign and TTP Highlights Mechanics Mitigations & Countermeasures Conclusions
- 4. Statistics Cybercrime Average Annualized Cost = 9.5 Million 21% Increase in total cost over 2015 Global cost of Cybercrime in FY2016 = ~ 460 Billion “Malware” dominates attack ‘types’ in 2016 Information loss/theft is now the most costly consequence of cybercrime
- 5. Statistics Cybercrime CryptoWall Alone - ~325 Million 6 Trillion by 2021??* Cybercrime has become the 2nd most reported economic crime**
- 6. Statistics
- 7. Statistics
- 8. Statistics
- 9. Current Community / Climate Surface Level / Skiddies / unskilled Mid-level order-followers / unskilled / compensated by higher- ups to install and manage infrastructure and infected nodes (ex: Nigerian Pony Loader networks) Skilled –to-highly-skilled Exclusive for-hire operations (ex: Sality & Gazavat) Nation States / Gov-backed Long-term and ultra-stealth
- 10. Current Community / Climate Ransomware & For-Hire Offerings Turn-key systems / All Inclusive
- 11. Current Community / Climate Ransomware & For-Hire Offerings
- 12. Current Community / Climate Ransomware & For-Hire Offerings
- 13. Current Community / Climate Ransomware & For-Hire Offerings
- 14. Current Community / Climate Ransomware & For-Hire Offerings
- 15. Current Community / Climate Ransomware & For-Hire Offerings
- 16. Current Community / Climate
- 17. Current Community / Climate
- 18. Current Community / Climate Ransomware & For-Hire Offerings
- 19. Current Community / Climate Full Service Carding
- 20. Campaigns and TTP Highlights Nigerian BEC ‘gangs’ PassCV Group CozyBear / APT29 (PowerDuke, etc.)
- 21. Mechanics Nigerian BEC ‘gangs’ Spearphishing, BEC, Pony Loader, Hawkeye, Citadel, iSpy Premium PassCV Group Digitally Signed malware Targets gaming companies ZxShell, Gh0st RAT, Netwire (COTS) CozyBear / APT29 (PowerDuke, etc.)
- 22. Mechanics CozyBear / APT29 (PowerDuke, etc.) PowerShell-based malware tools Phish / SpearPhish Malicious Macros in Office documents Spikerush malware encrypted in PNG image files
- 23. Mitigations and Countermeasures Take Note . . A majority of malware is single-use or target/host specific. A majority of malware does not end up in-the-wild or on VT or similar sharing sites/services.
- 24. Mitigations and Countermeasures In 60% Of Cases, Attackers Are Able To Compromise An Organization Within Minutes. 99.9% Of The Exploited Vulnerabilities Were Compromised More Than A Year After The CVE Was Published 95% Of Malware Types Showed Up For Less Than A Month, And Four Out Of Five Didn’t Last Beyond A Week. 70–90% Of Malware Samples Are Unique To An Organization.
- 25. Mitigations and Countermeasures Just under 1500 ‘malware-related’ breaches in 2016 (opposed to physical theft, miscellaneous hacking, social engineering and more) “Analysis of one of our larger datasets showed that 99% of malware hashes are seen for only 58 seconds or less. In fact, most malware was seen only once. This reflects how quickly hackers are modifying their code to avoid detection.”
- 26. Mitigations and Countermeasures What to do? Signatures and traditional methods will never keep up. Learn from the past and smarten your countermeasures. AI /or Machine Learning lead to true prevention and application of updated methodology to endpoint protection.
- 28. Supporting
- 29. SAMSA RANSOMWARE TARGETING HOSPITALS / MEDICAL FACILITIES Payload = Samsa / Samsam Ransomware ‘Pay up to restore functionality’ Targeting Java-based webservers (JBOSS) Jexboss (python-based JBOSS exploit toolkit) reGeorg – tunnel RDP via HTTP csvde, psexec, sdelete – legit tools used to move and function internally
- 30. SAMSA RANSOMWARE
- 31. SAMSA RANSOMWARE
- 32. SAMSA RANSOMWARE
- 33. SAMSA RANSOMWARE
- 34. SAMSA RANSOMWARE
- 35. SAMSA RANSOMWARE
Notes de l'éditeur
- Src: Ponemon 2016 HPE CCC GLOBAL REPORT FINAL 2 Numbers vary depending on report but main takeaway – billions and growing.
- Src: Ponemon 2016 HPE CCC GLOBAL REPORT FINAL 2 Herjavec Group. ** http://www.pwc.com/gx/en/economic-crime-survey/pdf/GlobalEconomicCrimeSurvey2016.pdf
- Src: Ponemon 2016 HPE CCC GLOBAL REPORT FINAL 2 Pon – eh - men
- Src: Ponemon 2016 HPE CCC GLOBAL REPORT FINAL 2 Note Overlaps in categories Note issues with 2nd item and Dwell time (DBIR)
- Src: Ponemon 2016 HPE CCC GLOBAL REPORT FINAL 2 Note Overlaps in categories Note issues with 2nd item and Dwell time (DBIR)
- DBIR
- dbir
- dbir
- dbir
- dbir
- Recon / Scanning done via Jexboss. Scans for a set of specific JBOSS vulnerabilities. Depending on what is found, the attacker then has the option to initiate attack. Very similar to using metasploit or cobaltstrike in that respect. . Hosts that report to AD are identified via csvde.exe, and the results are written to a csv file. Much control is manual via reGeorg – tunneling RDP over HTTP Attackers then generate the key pair for the ransomware and upload the ransomware along w/ public key data to accessible systems via batch file. In most cases they are also scripting the deletion of Volume Shadow Copies (VSS). This is very common in recent ransomware attacks. Additional scripts (batch files ) are used to launch the ransomware via repackaged version of psexec. Ransomware self-deletes via Microsoft’s sdelete.exe after encryption is complete
- Recon / Scanning done via Jexboss. Scans for a set of specific JBOSS vulnerabilities. Depending on what is found, the attacker then has the option to initiate attack. Very similar to using metasploit or cobaltstrike in that respect. . Hosts that report to AD are identified via csvde.exe, and the results are written to a csv file. Much control is manual via reGeorg – tunneling RDP over HTTP Attackers then generate the key pair for the ransomware and upload the ransomware along w/ public key data to accessible systems via batch file. In most cases they are also scripting the deletion of Volume Shadow Copies (VSS). This is very common in recent ransomware attacks. Additional scripts (batch files ) are used to launch the ransomware via repackaged version of psexec. Ransomware self-deletes via Microsoft’s sdelete.exe after encryption is complete
- Recon / Scanning done via Jexboss. Scans for a set of specific JBOSS vulnerabilities. Depending on what is found, the attacker then has the option to initiate attack. Very similar to using metasploit or cobaltstrike in that respect. . Hosts that report to AD are identified via csvde.exe, and the results are written to a csv file. Much control is manual via reGeorg – tunneling RDP over HTTP Attackers then generate the key pair for the ransomware and upload the ransomware along w/ public key data to accessible systems via batch file. In most cases they are also scripting the deletion of Volume Shadow Copies (VSS). This is very common in recent ransomware attacks. Additional scripts (batch files ) are used to launch the ransomware via repackaged version of psexec. Ransomware self-deletes via Microsoft’s sdelete.exe after encryption is complete
- Recon / Scanning done via Jexboss. Scans for a set of specific JBOSS vulnerabilities. Depending on what is found, the attacker then has the option to initiate attack. Very similar to using metasploit or cobaltstrike in that respect. . Hosts that report to AD are identified via csvde.exe, and the results are written to a csv file. Much control is manual via reGeorg – tunneling RDP over HTTP Attackers then generate the key pair for the ransomware and upload the ransomware along w/ public key data to accessible systems via batch file. In most cases they are also scripting the deletion of Volume Shadow Copies (VSS). This is very common in recent ransomware attacks. Additional scripts (batch files ) are used to launch the ransomware via repackaged version of psexec. Ransomware self-deletes via Microsoft’s sdelete.exe after encryption is complete
- Recon / Scanning done via Jexboss. Scans for a set of specific JBOSS vulnerabilities. Depending on what is found, the attacker then has the option to initiate attack. Very similar to using metasploit or cobaltstrike in that respect. . Hosts that report to AD are identified via csvde.exe, and the results are written to a csv file. Much control is manual via reGeorg – tunneling RDP over HTTP Attackers then generate the key pair for the ransomware and upload the ransomware along w/ public key data to accessible systems via batch file. In most cases they are also scripting the deletion of Volume Shadow Copies (VSS). This is very common in recent ransomware attacks. Additional scripts (batch files ) are used to launch the ransomware via repackaged version of psexec. Ransomware self-deletes via Microsoft’s sdelete.exe (embedded in ransomware executable) after encryption is complete
- Recon / Scanning done via Jexboss. Scans for a set of specific JBOSS vulnerabilities. Depending on what is found, the attacker then has the option to initiate attack. Very similar to using metasploit or cobaltstrike in that respect. . Hosts that report to AD are identified via csvde.exe, and the results are written to a csv file. Much control is manual via reGeorg – tunneling RDP over HTTP Attackers then generate the key pair for the ransomware and upload the ransomware along w/ public key data to accessible systems via batch file. In most cases they are also scripting the deletion of Volume Shadow Copies (VSS). This is very common in recent ransomware attacks. Additional scripts (batch files ) are used to launch the ransomware via repackaged version of psexec. Ransomware self-deletes via Microsoft’s sdelete.exe (embedded in ransomware executable) after encryption is complete