What Can You Do About This 
• Be Better Prepared 
• Acknowledge You’re Not Doing Enough 
• Acknowledge You Need Help 
84
Doomsday and Naked and Afraid Criteria 
0-100 Scale: 
1- Food (renewable) 
2- Water 
3- Shelter 
4- Security 
5- X-Factor ...
Framework for Defensible Cyber Security 
NIST Cyber Security Framework 
• Highlights 5 security standards 
– ISOIEC 27001,...
Due Care and Heightened Expectations 
Refers to the effort made by an ordinarily prudent or reasonable 
party to avoid har...
Cyber Security Framework of Success 
Risk Management 
NIST CSF 
We will bankrupt ourselves in the vain search for absolute...
The Defender’s Advantage 
Learning from the past – Implementing Cyber Kill Chain 
Should Be Your Infosec Team’s Mindset 
8...
The Attack Life Cycle – Multiple Stages 
1 Exploitation of system 
2 Malware executable download 
3 Callbacks and control ...
The Defender’s Advantage 
One person's "paranoia" is another person's "engineering redundancy.“ 
~Marcus J. Ranum 
91
What Defenders Need to Know 
• The type of cyber crime to expect 
• This is one area where we do have data 
• Strategy to ...
Our Users and Current Culture 
The user's going to pick dancing pigs over security every time. 
— Bruce Schneier 
If you r...
What Leaders Can Do to Help 
Educate, inspire, and demand 
real change towards the culture of security 
Security is Everyo...
</What is Needed> 
• Organization visibility and agility for security 
• Seek thought leadership (a CISO) 
– Security need...
Security used to be an inconvenience sometimes, but now it's a necessity all the time. 
~Martina Navratilova after the sta...
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
Prochain SlideShare
Chargement dans…5
×

AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid

1 496 vues

Publié le

Cyber Crime Primer
A Look into Cybercrime
Doomsday Preppers for the Naked and Afraid

Publié dans : Internet
  • DOWNLOAD FULL BOOKS, INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... 
Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Répondre 
    Voulez-vous vraiment ?  Oui  Non
    Votre message apparaîtra ici

AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid

  1. 1. A Look into Cyber Crime
  2. 2. //Cyber Security The interconnection and reliance of physical lifeline functions over the Internet (cyberspace) that impacts: – National Security – Public Health and Safety – Economic well-being Most people spend more time and energy going around problems than trying to solve them. ~Henry Ford 2
  3. 3. Cyber Security and Cyber Crime The first step is to admit that there is a problem. 3
  4. 4. A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila. ~Mitch Ratliff With just a few keystrokes, cybercriminals around the world can disrupt our economy. ~Ralph Basham, Director of the U.S. Secret Service The Internet is the crime scene of the 21st Century. ~ Cyrus Vance Jr. , Manhattan District Attorney 4
  5. 5. 5
  6. 6. We are all connected Cyber Security is like a Public Health Issue 6 We impact each other. What are and who sets safety protocols? Sometimes getting a shot only treats the symptoms and not the cause…
  7. 7. Why is this happening? 7
  8. 8. • Insulin pumps and pacemakers • Automobiles • POS and ATMs • ORCL – MSFT – SYMC – RSA – VRSN – Bit9 • GOOG – AAPL – FB – AMZN –YHOO – LNKD – GM – NSANY • US drone fleet • Internet of Things 8 Vulnerable! Connected! Cloud Mobile Big Data Social
  9. 9. Cyber Crime • Global and growing industry • Increasing in size and efficiency • Targets everyone and every company • Low barrier to entry • Levels the playing field for many interests //Are you surprised? Seriously? 9
  10. 10. We Are Only Seeing the Tip of the Iceberg HEADLINE GRABBING ATTACKS THOUSANDS MORE BELOW THE SURFACE APT Attacks Zero-Day Attacks Polymorphic Attacks Targeted Attacks Source: FireEye 10
  11. 11. Who are the Cyber Crime Actors? 11
  12. 12. Basic Cybercrime Organizations • Fluid and change members frequently • Will form and disband on a “per project” basis • Rife with amateurs, take a lot of risk considering the small payoffs • Although the most troublesome, they are considered the bottom feeders – Think criminal script kiddies – This is usually who the Feds get, not the big guys 12
  13. 13. Professional Hackers • Paid per the job, usually flat rates • State-side hackers can earn up to $200K a year • The work is usually writing tools for others to use, developing/finding new exploits, and coding up malware • Occasionally they will do a black bag job, but these are rare, unless they are simply looking for “loot” on easy targets 13
  14. 14. Spammers • They earn millions per year selling their direct mail services • They are not picky and do not consider the person doing the selling is committing fraud, including the Russia Mafia • After years of jumping from ISP to ISP, it is much easier to lease “capacity” from hacker botnets or develop their own • They are the main employer of professional hackers 14
  15. 15. Traditional Mafia • They are currently leaving most of the “work” to others • Online ventures are sticking close to such things as pr0n, online gambling, etc. • They are taking advantage of technology, using computers heavily, and using reliable encryption 15
  16. 16. Organized…Crime Different levels of participants in the underground market Markets for Cybercrime Tools and Stolen Data (RAND, 2014) 16
  17. 17. Russian Mafia • Cybercrime elements are considered “divisions” – The actual hackers themselves are kept compartmentalized • Due to protection from a corrupt Russian government, most “big cases” do not net the big players, e.g. Operation Firewall • There are thousands of organized crime gangs operating out of Russia, although most are not involved in cybercrime. • When new hacking talent is needed, they will force hackers to work for them (or kill them and/or their families) 17
  18. 18. Former Soviet Military • Military industrial complex in Soviet Russia was even more corrupt than their USA counterparts • With the collapse of communism, many upper military personnel in Russia had few skills that paid well – Good at money laundering – Good at moving goods across borders – Connections with international crime 18
  19. 19. China - Espionage • Mandiant’s 2013 report on the Chinese (APT1) – Attacks on 141 organizations since 2006 (115 were in the US) • Substantial evidence of Chinese sponsored activities – Report includes photos, forensics, communications, and profiles • Soon after Mandiant’s report, the US government publishes a 140 page strategy to combat the theft of US trade secrets • The US government initially attempted to halt the attacks on US organizations – But soon resorted to asking China to please stop stealing our stuff • China’s response to the Mandiant report was that it was “unprofessional” to publish and make such claims 19
  20. 20. China - Espionage • According to the US Justice Department, of 20 cases of economic espionage and trade secret criminal cases from January 2009 to January 2013, 16 involved Chinese nationals; i.e. organizations hired foreign nationals to work on national security level projects (DuPont, NASA, Google, Intel, DoD, etc.) • 63% of impacted organizations learn they were breached from an external source, like law enforcement • Organizations are being targeted by more than one attack group, sometimes in succession • In 2012, 38% of targets were attacked again after the original incident was remediated, lodging more than one thousand attempts to regain entry to former victims • Feb 2013 report (Akamai) shows that 30% of all observed attacks came from China and 13% originated from within the US • March 2013 report (Solutionary) states that the majority of attacks on the US are now originating in the US 20
  21. 21. China - Espionage Source: FireEye 21
  22. 22. Espionage – China and Russia Source: FireEye 22
  23. 23. Multi-Vector Analysis of Operation Beebus Attack 1 Key Attack Characteristics SMTP / HTTP Backdoor Backdoor 3 Multi-vectored attack update.exe Apr 2011 UKNOWN Sept 2011 RHT_SalaryGuide_2012.pdf Dec 2011 Feb 2012 Mar 2012 Apr 2012 May 2012 Jul 2012 Aug 2012 Sept 2012 Nov 2012 Jan 2013 install_flash_player.tmp2 Conflict-Minerals-Overview-for-KPMG.doc dodd-frank-conflict-minerals.doc update.exe Boeing_Current_Market_Outlook_…pdf Understand your blood test report.pdf RHT_SalaryGuide_2012.pdf sensor environments.doc FY2013_Budget_Request.doc Dept of Defense FY12 …Boeing.pdf April is the Cruelest Month.pdf National Human Rights…China.pdf Security Predictions…2013.pdf rundll32.exe UKNOWN сообщить.doc install_flash_player.ex install_flash_player.tmp2 Global_A&D_outlook_2012.pdf Defense Industry UAV/UAS Manufacturers Aerospace Industry 1 – Email/Web with weaponized malware 2 – Backdoor DLL dropped 3 – Encrypted callback over HTTP to C&C 2 C&C Server: worldnews.alldownloads.ftpserver.biz Encrypted callback Timeline of attack – multiple vectors, multiple campaigns Weaponized Email (RHT_SalaryGuide_2012.pdf) 1. Nation state driven attack using multiple vectors & files in campaigns spread over 2 years 2. Exploits known vulnerabilities in several Adobe products such as Reader and Flash Player 3. Targeted attacks - each campaign tried to compromise few specific individuals 4. Encrypted callback communications to hide exfiltrated data Source: FireEye 23
  24. 24. China and the US Economy Nov 2014 The US - China relationship is the most consequential in the world today period. And it will do much to determine the shape of the 21st century. That means we have to get it right. ~John Kerry, Secretary of State US trade deficit with China is the largest in the world. US imports more from China than from Canada, Mexico, Japan, and Germany. US invests more in China, than China does in US. You could say China is America's banker. ~CNN 24
  25. 25. You Should Care Cyber Security and Cyber Crime are Important Issues It’s Bad Right Now 25
  26. 26. 26
  27. 27. Tyler/Savage Estimate of Global Cost of Cyber Crime • Cost of genuine cybercrime • $3.46 billion • Cost of transitional cybercrime • $46.60 billion • Cost of cybercriminal infrastructure • $24.84 billion • Cost of traditional crimes going cyber • $150.20 billion • Total = $225.10 billion Based on 2007-2010 data, authors disinclined to aggregate 27
  28. 28. Cyber Crime Costs in 2014 • Cyber attacks on large US companies resulted in an average of $12.7M in annual damages – 9.7% Increase from 2013 – $1,601 Cost of damages for smaller companies per worker – $427 Cost of damages for larger companies per worker Ponemon Institute 2014 Cost of Cybercrime Survey 28
  29. 29. Cost Framework for Cyber Crime Cost Framework for Cyber Crime Internal cost activity centres Detection Investigation & escalation Containment Recovery Ex-post response External consequences and costs Information loss or theft Business disruption Equipment damage Revenue loss Direct, indirect and opportunity costs associated with cyber crimes 10/7/14 Ponemon Institute© presentation 29
  30. 30. Average annualized cost by industry sector $1,000,000 omitted $10.6 $9.2 $9.0 $9.3 $8.6 $6.9 $8.3 $8.1 $9.0 $8.1 $4.2 $6.3 $5.7 $6.4 $6.8 $4.7 $5.9 $6.0 $5.9 $14.5 $12.7 $20.6 $20.6 $21.9 $20.8 $26.5 $4.2 $17.6 $- $5.0 $10.0 $15.0 $20.0 $25.0 $30.0 Energy & utilities Defense Financial services Technology Communications Transportation Services Retail Industrial Public sector Education & research Consumer products Healthcare Hospitality Five-year average FY 2014 10/7/14 Ponemon Institute© presentation 30
  31. 31. Average annualized cyber crime cost weighted by attack frequency $25,110 $20,507 $22,631 $18,915 $1,819 $1,690 $1,495 $1,166 $1,166 $933 $150,539 $121,725 $146,005 $131,254 $120,519 $207,527 $182,025 $226,449 $- $50,000 $100,000 $150,000 $200,000 $250,000 Denial of service Malicious insiders Malicious code Web-based attacks Phishing & social engineering Stolen devices Botnets Viruses, worms, trojans Malware Five-year average FY 2014 10/7/14 Ponemon Institute© presentation 31
  32. 32. Percentage cost for external consequences 40% 38% 18% 7% 2% 2% 42% 31% 17% 4% 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% Information loss Business disruption Revenue loss Equipment damages Other costs FY 2014 Five-year average 10/7/14 Ponemon Institute© presentation 32
  33. 33. Percentage cost by activities conducted to resolve a cyber attack 30% 19% 16% 14% 15% 14% 15% 11% 9% 26% 21% 9% 35% 30% 25% 20% 15% 10% 5% 0% Detection Recovery Investigation Containment Ex-post response Incident mgmt FY 2014 Five-year average 10/7/14 Ponemon Institute© presentation 33
  34. 34. Budgeted or earmarked spending according to six IT security layers 38% 17% 16% 13% 12% 11% 6% 40% 17% 15% 10% 5% 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% Network layer Data layer Application layer Human layer Physical layer Host layer FY 2014 FY 2013 10/7/14 Ponemon Institute© presentation 34
  35. 35. Dollar Losses from Computer Fraud Cases IC3 report, mainly US, mainly cases referred for investigation 35
  36. 36. Contrast with FBI non-cyber crime stats: Fewer bank robberies, less loot 7,644 7,720 6,957 7,272 Average loot Incidents 6,182 6,071 6,062 5,628 5,086 $10,086 $8,268 $9,254 $9,996 $11,787 $10,198 $7,585 $7,643 $7,539 14,000 12,000 10,000 8,000 6,000 4,000 2,000 - 2003 2004 2005 2006 2007 2008 2009 2010 2011 36
  37. 37. Numbers Show a Harsh Reality 2/3 of U.S. firms report that they have been the victim of cyber attacks 00.01 Every second 14 adults become a 40% of all IT executives expect a major cybersecurity incident 115% CAGR unique malware since 2009 victim of cyber crime 9,000+ malicious websites identified per day 6.5x Number of cyber attacks since 2006 95 new vulnerabilities discovered each week Source: FireEye 37
  38. 38. The Attacks and Weapons 38
  39. 39. Elements of Cyber Crime Operations • Host an exploit kit on a server • Put malware on different server • Send malicious email linked to exploit kit • Find holes in visiting systems • Use holes to infect visitors with malware • Use console on command and control box • To steal, DDoS, spread more malware • Use markets to sell/rent infected systems • Use markets to sell any data you can find 39
  40. 40. The Weapons • Botnets – Average size is 5000 computers, some have been as large as 500,000 computers – New command and control software allows botnet capacity leasing of subsections of the botnet • Phishing – You guys *do* know what phishing is, right? • Targeted Viruses – Used to create quick one-time-use botnets – Also used when specifically targeting a single site or organization • The usual Internet attack tools 40
  41. 41. Exploit Toolkits & Malware • In 2013, Exploit Toolkits cost between $40 and $4k • The Malware that likely compromised Target’s POS system, cost less than $3,000. • 61% of all malware is based on pre-existing toolkits; upgrades keep them current and provide additional capabilities (“Value”) • Toolkits used for Targeted Attacks can create custom Blog entries, emails, IMs, & web site templates to entice targets toward malicious links / content. (Blackhole >100k/day) 41
  42. 42. Exploit Toolkits & Malware • Traditional attacks were loud, high volume attacks typically stopped by threat monitoring tools • Today’s sniper attacks use specific exploits to get clear shots at the objective • The convergence of Social Engineering, Social Profiling, and Geo-Location improve attack success • Rogue software (anti-virus, registry cleaner, machine speed improvement, backup software, etc) – Increase in MAC Malware (MAC Defender) – +50% attacks on Social Media sites were Malware 42
  43. 43. Cyber Crime Tools are Readily Available From a chart by DeepEnd Research • Exploit Kits • Buy or rent • A few hundred dollars to thousands • Add new exploits over time • Note all of the Java exploits 43
  44. 44. Proliferation and Variety of Exploit Kits Over Time Markets for Cybercrime Tools and Stolen Data (RAND, 2014) 44
  45. 45. Attacks: Spam 2013 SPAM Results • Spam is at 69% of all global email • Phishing attacks are 1 in every 414 emails • Email that contained a virus were 1 in every 291 • Top Industries Attacked: Manufacturing, Financial, Services, Government, Energy • Top Recipients Attacked: R&D, Sales, C-Suite, Shared Mailbox 45
  46. 46. Attacks: Phishing / Spearing Phishing 46
  47. 47. Attacks: Ransomware • Mobile Internet will continue to increase as it eventually takes the place of desktop Internet. • The illegal drug organizations are looking to Cyber Crime to facilitate their business and expand their operations. Your organization could be infiltrated by an insider, socially engineered for identities and social profiles, and potentially held hostage with ransomeware. • Localized Crypto-LNoactikone Srta fter aottmack sR oun Us.sSi. ain cirsea soen e of the current Threats 47
  48. 48. Attacks: Botnets 48  A botnet is a large number of compromised computers that are used to create and send spam or viruses or flood a network with messages as a denial of service attack.  The compromised computers are called zombies
  49. 49. Attacks: Water Holing Several attacks in 2013 were conducted by luring victims to accept malware or follow a link to an infected site. 4% of all email contained a Malware or a link to and infected site. There are 6 stages of the attack: 49
  50. 50. Attacks: Water Holing 50
  51. 51. Attacks: Water Holing – Facebook • Typo-Squatting • Fake Facebook Applications • Hidden Camera Video Lure • Celebrity Deaths • Fake Offers & Gifts • Browser Plugin Scams • Fake Profile Creeper • Blog Spam Attack 51
  52. 52. Search Engine Poisoning (SEP) 2013 saw an increase in malware infections as a result of SEP. • Hackers crawling current news headlines, creating related malicious sites and conducting SEP • Google Images – links to source photo • Using web analytics to determine what people are searching for 52
  53. 53. Attacks: Amplification DDoS Attacker Amplifier Victim C.Rossow – Amplification DDoS Attacks: Defenses for Vulnerable Protocols 53
  54. 54. DDOS - 14 Network Protocols Vulnerable to Amplification 54 ‘87 ’90 ‘88 ‘87 ‘99 ‘83 ‘83 ‘99 2003 2001 2002 C.Rossow – Amplification DDoS Attacks: Defenses for Vulnerable Protocols
  55. 55. DDOS - Amplification Attacks in Practice 55 Cloudflare Blog post, February 2014 Cloudflare Blog post, March 2013 C.Rossow – Amplification DDoS Attacks: Defenses for Vulnerable Protocols
  56. 56. November 2014 Massive Website Attack on One Company 56
  57. 57. Attacks: Remote Access Tools (RATs) • RATs and Remote Server Administration Tools – Avoid using remote administration tools on point-of-sale devices • Severely lock them down with strong passwords and use other strong security controls – Crooks exploit vulnerabilities or use weak/default credentials – Verizon and Trustwave findings: • Remote access tools installed on the point-of-sale device are the leading cause of card data breaches • Attackers scan Internet for remote administration software and then use automated tools to break-in • Symantec pcAnywhere – January 2012, Symantec acknowledged that hackers stole the source code – Urged users to either update the software or remove the program altogether 57
  58. 58. Attack: Passwords //Passwords are the new perimeter • Passwords are weak • Use multi-factor authentication as much as you can • Obey common good practices for administrative accounts • Do not reuse passwords on multiple sites – Utilize a password wallet – Utilize privileged account vault • Obey common good practices for passwords • Be mindful what email account resets account password 59
  59. 59. Underground Dump store - McDumpals krebsonsecurity.com 60
  60. 60. 61
  61. 61. 62
  62. 62. 63
  63. 63. 64
  64. 64. Underground Stolen Medical Records for Sale 9/14 Medical records being sold in bulk for as little as $6.40 apiece krebsonsecurity.com 65
  65. 65. Imperial Russia: Ad selling medical and financial records stolen 66
  66. 66. ID Theft Service - Superget.info krebsonsecurity.com 67
  67. 67. Fraud Forum: Point-and-Click Tools for Sale krebsonsecurity.com 68
  68. 68. Example - Internet Black Market Pricing Guide • Exploit code for known flaw – $100-$500 if no exploit code exists – Price drops to $0 after exploit code is “public” • Exploit code for unknown flaw - $1000-$5000 – Buyers include iDefense, Russian Mafia, Chinese and French governments, etc • List of 5000 IP addresses of computers infected with spyware/trojan for remote control - $150-$500 • List of 1000 working credit card numbers - $500-$5000 – Price has increased since Operation Firewall • Annual salary of a top-end skilled black hat hacker working for spammers - $100K-$200K 69
  69. 69. Contents used with permission from FireEye.
  70. 70. ~80% of companies are compromised! Contents used with permission from FireEye.
  71. 71. Value of a Hacked Email Account krebsonsecurity.com Crime shops charge between $1 to $3 for active accounts at dell.com, overstock.com, walmart.com, tesco.com, bestbuy.com and target.com, to name just a few 72
  72. 72. The Scrap Value of a Hacked PC Your life commoditized krebsonsecurity.com 73
  73. 73. Value of a Hacked Smart Mobile Device 74
74. Problems with Cyber Security
Executive and Business Issues:
• Under-investing in Information Security
• Security needs Board and Senior Team visibility
  – Boards and Senior Teams need cyber education
• Use your CISO (if you have one)
• Need to think more broadly about the ecosystem
  – Critical security decisions are missing in Product and Services Teams
• Associated with revenue
• Where is cyber security thinking pre-launch?
75. Problems with Cyber Security
Problems with Infosec:
• The bad guys have the upper hand
  – They only need to find one way in
  – They mostly exploit the weakest link – People
  – Security is not built into most products and services by default
• Security is a People, Process, and then Technology problem
  – Security is not a Product
• Focus misplaced on Compliance only
  – The problem is shared with Audit and Compliance teams
• Need to learn from others’ mistakes
  – Lots of examples
• Breaches - Root Cause Analysis and Post Incident Review
  – Information Sharing & Analysis Centers (ISACs)
76. Learning From Others’ Mistakes
• Target breach clean-up estimated at $100M
• The Home Depot breach clean-up estimated at $62M
“If I only got a fraction of that annually.” ~anonymous CISO
77. Learning From Others’ Mistakes
Root Cause / Post Incident Review
• How did these companies get hacked?
• What did the intruders do once in?
• Did they take anything?
//Who knows what really happened?
78. The REAL Big Data for Infosec, BUT we need more
79. Percentage annualized cyber crime cost by attack type (bar chart; the figure itself is not recoverable from the transcript). Attack types: Malicious code, Denial of services, Web-based attacks, Phishing & social engineering, Stolen devices, Malicious insiders, Malware, Viruses/worms/trojans, Botnets. Series: Five-year average and FY 2014; axis 0% to 30%. Bar values as extracted, in chart order, whose pairing with attack types and series cannot be recovered: 5%, 4%, 4%, 4%, 6%, 9%, 8%, 10%, 10%, 13%, 14%, 13%, 19%, 18%, 24%, 23%, 6%, 12%. Source: Ponemon Institute© presentation, 10/7/14.
80. Verizon 2014 Data Breach Investigations Report
81. Problems with Detection: Mandiant appears to have more solid data on nation-state attacks
82. Problems with Detection
Verizon 2014 DBIR
170 days to detect an attack
31 days on average to resolve cyber attacks
• $21,000 cost per day to resolve
• Insider attacks took the longest time to resolve
2014 Cost of Cybercrime Survey, Ponemon Institute
There is data out there. There is a lot of data that is not collected. There is a lot of data that is not out there and stays protected.
Verizon appears to have more solid data on merchant/commercial attacks.
83. What Can You Do About This
• Be Better Prepared
• Acknowledge You’re Not Doing Enough
• Acknowledge You Need Help
84. Doomsday and Naked and Afraid Criteria
0-100 Scale: 1- Food (renewable), 2- Water, 3- Shelter, 4- Security, 5- X-Factor
0-10 Rating Scale: Primitive Survival Rating (PSR): Novice--Intermediate--Expert
5 Functions; Low, Medium, and High. Notice a Pattern Forming?
85. Framework for Defensible Cyber Security
NIST Cyber Security Framework
• Highlights 5 security standards
  – ISO/IEC 27001, COBIT, NIST 800-53, CCS SANS 20, ISA/IEC 62443
• Risk-based
  – ISO 31000, ISO/IEC 27005, NIST 800-39, ECS RMP
• Framework Core - 5 Functions
  – Identify, Protect, Detect, Respond, Recover
  – 98 Outcomes (Expectations of Security)
• Tiers and Profiles
  – Partial (Tier 1) to Adaptive (Tier 4)
• Criteria for cyber success
  – Used by Insurance companies
  – Used in the SEC cyber security examination blueprint
Security is a journey and not a destination
86. Due Care and Heightened Expectations
Refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account.
Refers to the level of judgment, care, prudence, determination, and activity that a person would reasonably be expected to exercise under particular circumstances.
87. Cyber Security Framework of Success: Risk Management, NIST CSF
We will bankrupt ourselves in the vain search for absolute security. ~Dwight D. Eisenhower
88. The Defender’s Advantage
Learning from the past – Implementing the Cyber Kill Chain should be your Infosec team’s mindset
89. The Attack Life Cycle – Multiple Stages
1. Exploitation of system
2. Malware executable download
3. Callbacks and control established
4. Data exfiltration
5. Malware spreads laterally
Diagram elements: compromised Web server or Web 2.0 site, callback server, IPS, File Share 1, File Share 2.
Breach detection is critical. Assume that you’ve been compromised.
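The slide's point is that a defender rarely sees the whole chain; the value is in noticing which stage a host has reached and which earlier stages went unseen. As an added example (not from the deck, FireEye or any of the sources cited), the following Python correlates a few constructed log lines against the five stages above, per host, and flags a host for containment as soon as callbacks or anything later are observed. The log format, the detection patterns and the 100 MB exfiltration threshold are all assumptions made for this example.

```python
"""Per-host correlation of events against the five attack life-cycle
stages from the slide. Log format, rules and thresholds are constructed
for this example and stand in for whatever the real sensors emit."""
import re
from collections import defaultdict

STAGES = {
    1: "Exploitation of system",
    2: "Malware executable download",
    3: "Callbacks and control established",
    4: "Data exfiltration",
    5: "Malware spreads laterally",
}

# Assumed tuning value: outbound transfers below this are not counted
# as exfiltration by the stage-4 rule.
EXFIL_BYTES_THRESHOLD = 100_000_000  # 100 MB

# Hypothetical detection rules (stage, pattern) over the constructed
# "key=value" log format below.
RULES = [
    (1, re.compile(r"\bids alert=exploit\b")),
    (2, re.compile(r"\bproxy .*type=application/x-dosexec")),
    (3, re.compile(r"\bfw .*beacon=true")),
    (4, re.compile(r"\bdlp .*outbound_bytes=(\d+)")),
    (5, re.compile(r"\bauth .*lateral=smb")),
]
HOST_RE = re.compile(r"\bhost=(\S+)")

# Constructed sample events (RFC 5737 documentation addresses, fake hosts).
LOG = """\
2014-10-07T09:00:01 host=ws-12 ids alert=exploit sig=hypothetical-sig-1 src=203.0.113.9
2014-10-07T09:00:15 host=ws-12 proxy url=http://203.0.113.9/update.exe type=application/x-dosexec
2014-10-07T09:01:02 host=ws-12 fw dst=198.51.100.7:443 beacon=true interval=60s
2014-10-07T09:20:44 host=ws-12 auth target=fileshare-1 lateral=smb user=svc_backup
2014-10-07T09:25:10 host=fileshare-1 dlp dst=198.51.100.7 outbound_bytes=734003200
2014-10-07T10:00:00 host=ws-30 ids alert=exploit sig=hypothetical-sig-1 src=203.0.113.9
"""


def classify(line):
    """Return the life-cycle stage a single log line evidences, or None."""
    for stage, pattern in RULES:
        m = pattern.search(line)
        if not m:
            continue
        if stage == 4 and int(m.group(1)) < EXFIL_BYTES_THRESHOLD:
            continue  # small transfer: not treated as exfiltration
        return stage
    return None


def correlate(log):
    """Map each host to the sorted list of distinct stages observed on it."""
    seen = defaultdict(set)
    for line in log.splitlines():
        stage = classify(line)
        host = HOST_RE.search(line)
        if stage is None or host is None:
            continue
        seen[host.group(1)].add(stage)
    return {h: sorted(s) for h, s in seen.items()}


def missing_stages(stages):
    """Stages below the highest observed one that no sensor reported.
    A gap means the earlier stage happened unseen or started elsewhere,
    which is why the slide says to assume compromise rather than wait
    for a complete sequence."""
    top = max(stages)
    return [s for s in range(1, top) if s not in stages]


def triage(log):
    """Per-host verdict: 'contain' once command-and-control (stage 3) or
    anything later is seen, otherwise 'investigate'."""
    report = {}
    for host, stages in correlate(log).items():
        report[host] = {
            "stages": stages,
            "missing": missing_stages(stages),
            "verdict": "contain" if max(stages) >= 3 else "investigate",
        }
    return report


if __name__ == "__main__":
    for host, r in triage(LOG).items():
        names = ", ".join(STAGES[s] for s in r["stages"])
        print(f"{host}: {r['verdict']} (seen: {names}; unseen earlier stages: {r['missing']})")
```

On the sample, ws-12 shows stages 1, 2, 3 and 5 and is contained; fileshare-1 shows only stage 4, so its "missing" list (1, 2, 3) is the detection gap the slide warns about; ws-30 has only an exploitation alert and goes to investigation.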
90. The Defender’s Advantage
One person's "paranoia" is another person's "engineering redundancy." ~Marcus J. Ranum
91. What Defenders Need to Know
• The type of cyber crime to expect
• This is one area where we do have data
• Strategy to defend against them
• A layered defense
92. Our Users and Current Culture – Our Weakest Link
The user's going to pick dancing pigs over security every time. — Bruce Schneier
If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees. — Kahlil Gibran
93. What Leaders Can Do to Help
Educate, inspire, and demand real change towards a culture of security
Security is Everyone’s Job
94. </What is Needed>
• Organization visibility and agility for security
• Seek thought leadership (a CISO)
  – Security needs visibility to the senior team and Board
• Wisely invest in defensible security
• Follow a risk-based approach
• Follow a structured methodology like the NIST CSF
  – Use the data available to fine-tune defenses
  – Learn from your mistakes and others’ mistakes
  – Plan and test security operations and response
• Knowledge is Power
  – Getting hacked is a matter of When, not If
  – Security is a Journey, not a Destination
  – Security is Everyone's Job
  – Security is a team sport – it takes the village to be successful
  – Reality check: a child can be the adversary
95. Security used to be an inconvenience sometimes, but now it's a necessity all the time. ~Martina Navratilova, after the stabbing of Monica Seles by a fan of Steffi Graf, 1993
Phil Agcaoili
Co-Founder & Board Member, Southern CISO Security Council
Distinguished Fellow and Fellows Chairman, Ponemon Institute
Founding Member, Cloud Security Alliance (CSA)
Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and CSA Open Certification Framework (OCF)
Contributor, NIST Cybersecurity Framework version 1
@hacksec https://www.linkedin.com/in/philA