TRANSCRIPT
UNCLASSIFIED
Cyber Threatscape
SA Raymond P. Martinez
FBI San Antonio
April 1, 2018
Legal Disclaimer
The views and opinions of the presenter are the personal views of the presenter and do not necessarily reflect the official policy or position of any agency of the U.S. government
This presentation should not be considered or construed as legal advice on any individual matter or circumstance
The contents of this document are intended for general information purposes only and may not be quoted or referred to in any other presentation, publication or proceeding without the prior written consent of the FBI.
Cyber Threats
It Takes Time and Resources To Execute…and Recover
2012: Cyber attack wiped 75% of Saudi Aramco’s workstations (over 30,000 workstation HDDs destroyed)
2013: DarkSeoul attack wiped over 45,000 systems, crippling the financial sector of Korea
2014: Hackers wiped thousands of servers and computers across the network of Las Vegas Sands Corp.
2014: Tweet caused Sony exec’s flight to be diverted
2014: Sony Breach
How Are Organizations Hacked?
Source: Mandiant “end-r31.pdf”
I’m Not A Target!
Only amateurs attack machines; professionals target people
Internet Of Things (IOT)
Internet of Things (IoT) is the interconnection of devices within the existing Internet infrastructure
According to Gartner, there will be nearly 26 billion devices on the Internet of Things by 2020
What does this mean for you in the future?
Already Too Many Cyber Variables
http://www.insecam.org/
73,011 locations with unsecured security cameras in 256 countries
“Secured” with default usernames and passwords
“Designed in order to show the importance of security settings”
Does every digital device in your organization go through stringent security testing?
http://www.networkworld.com/article/2844283/microsoft-subnet/peeping-into-73-000-unsecured-security-cameras-thanks-to-default-passwords.html
Hackers Don’t Discriminate
Source: National Retail Foundation
Small to Medium Business (SMB)
SMBs make up 54 percent of all U.S. sales and about half of all private-sector payrolls*
Why attack SMB?
– Low risk and high returns
– Cyber tools are antiquated
– 38% use personal accounts for business+
According to National Cyber Security Alliance, 60 percent of small firms go out of business within six months of a data breach*
* U.S. Small Business Administration. “Small Business GDP: Update 2002-2010.” January 2012.
+ http://www.mcafee.com/us/resources/white-papers/wp-combating-smb-threats.pdf
“Technical Silver Bullet Solution”
2013 Target Thanksgiving Hack
$1.6M spent on a technical solution
The system raised an alert, and their Bangalore team notified the Target Security Operations Center (SOC)
Stole credit card information from 1,797 stores in the US
– 40 million credit card numbers
– 70 million PII
Gained access through an HVAC company in Pennsylvania
Home Depot – Not Quite An Insider…
A third-party vendor was used to gain access to the internal network
Ricky Joe Mitchell
– Hired by Home Depot in 2012
When Mitchell learned he was going to be fired in 2012 from EnerVest Operating, he
– “remotely accessed EnerVest’s computer systems … essentially eliminating access to all the company’s data and applications”
In May of 2014, Mitchell was convicted
How Are They Doing This?
The Internet
Why Do Email Scams Work?
“The user’s going to pick dancing pigs over security every time” – Bruce Schneier
CEO Fraud or Business Email Compromise
Easily Manipulated – Case Study
Exploiting open source and normal business processes
Social engineering
– DIRECTV.COM vs DlRECTV.COM
– Lowercase “L”
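The lowercase-L trick above can be caught mechanically before a user ever reads the message. The following Python check is an added example, not material from the presentation: it folds visually confusable characters in a sender's domain and compares the result with a list of trusted domains, and it generalises the slide's case to digit swaps (d1rectv) and single dropped or doubled letters. The confusable table, the `directv.com` trust list and the sample header are constructed for illustration.

```python
"""Flag sender domains that imitate a trusted domain with look-alike characters."""
import re
from typing import Iterable, Optional

# Visually confusable sequences folded to one representative character.  Constructed,
# illustrative table: multi-character entries come first so "rn" folds before "n".
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("l", "i"), ("1", "i"),   # the DlRECTV.COM trick: lowercase L read as capital I
    ("0", "o"), ("5", "s"),
]

def skeleton(domain: str) -> str:
    """Lowercase a domain and fold confusables so look-alike spellings collide."""
    s = domain.strip().lower().rstrip(".")
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (classic row-by-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header value such as 'Billing <x@DlRECTV.COM>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1) if m else ""

def lookalike_of(domain: str, trusted: Iterable[str]) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is exact or unrelated."""
    trusted = [t.lower() for t in trusted]
    d = domain.strip().lower().rstrip(".")
    if d in trusted:
        return None                      # the genuine domain itself, not a look-alike
    sk = skeleton(d)
    for t in trusted:
        # distance 0: pure substitution (DlRECTV); distance 1: one letter dropped or doubled
        if edit_distance(sk, skeleton(t)) <= 1:
            return t
    return None

if __name__ == "__main__":
    hdr = "DIRECTV Billing <billing@DlRECTV.COM>"   # constructed sample header
    print(sender_domain(hdr), "imitates", lookalike_of(sender_domain(hdr), ["directv.com"]))
```

Because DNS is case-insensitive, the comparison works on the lowercased form, where the forged "l" and the genuine "i" are different letters even though they look identical in upper case.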
Business Email Compromise (BEC)
“Bank robbers don't rob banks anymore…they hide behind their computer screens and cover their digital tracks”
$1.1 Billion loss in two years
Scoular Co, an 800-employee company, lost $17.2 Million
Reported On August 9, 2015
What Does This All Mean?
BANK ROBBERY LOSS IS $3.19 MILLION NATIONALLY… PER MONTH (2011)
INTERNET FRAUD LOSS IS $14.6 MILLION IN LOS ANGELES AREA… PER MONTH (2015)
Social Engineering and Social Media
A non-technical kind of intrusion that relies heavily on human interaction and often involves tricking people into breaking normal security procedures
ALMOST ALL businesses and executives have web presence
Results of Social Engineering
– 78% of ex-burglars believe modern thieves use Facebook, Twitter, and Foursquare to find empty homes to rob
– 15% of Americans use social media to report when they have left the home*
Indirect and Direct Targeting
Targeting a community service group
– Leaders listed their jobs
LinkedIn targeting
– Profession-based group targeting
Online Dating
– Targeting based on location and jobs
Activities on WORK networks
– Victim let them in through the front door and bypassed ALL defense
“60% of profile pictures on Internet dating sites contain GPS coordinates” – James Lynn
Robin Sage
Mid-20s
Degree from MIT
Interned at the NSA
Current position at the Naval Network Warfare Command
300 friends on LinkedIn
“Getting In Bed with Robin Sage” - BlackHat
Special Forces training exercise
Social Network Connections
– Employee of the Joint Chiefs of Staff
– CIO of the NSA
– Intelligence director for the U.S. Marines
– Chief of staff for the House of Rep
– Northrop Grumman
– Booz Allen Hamilton
What did she get?
– Job offer from Lockheed Martin
– Dinner and dates
Someone wrote this message to her…“I am a Senior Business Development…with 20 years+ in the Federal Government Homeland Security/Civilian/DoD Security Marketplace” with “expertise in the Cyber‐Security”
But I Use Apple…So I’m Okay
According to GFI, the top three most vulnerable operating systems are: Apple Mac OS X, Apple iOS, Linux kernel
– Mac OS X - A total of 147 vulnerabilities were reported, 64 of which were rated as high-severity
– Apple’s iOS - A total of 127 vulnerabilities were reported, 32 of which were rated as high-severity
– Linux Kernel - A total of 119 vulnerabilities were reported, 24 of which were rated as high-severity
Microsoft’s Windows 7, 8 and 8.1 Operating Systems were the least vulnerable OS,
App Store malware 'infected 4,000 apps’
Cyber Defense
SUNWALKRAINDRIVE
But Don’t Use the Same Password
If one website was hacked and its credentials were posted online, hackers can try your password on other services
Have different emails & passwords for critical services such as financial services (banks, PayPal, etc.) versus online shopping, stores, and other non-essential services
55% use the same password for most, if not all, websites*
https://nakedsecurity.sophos.com/2013/04/23/users-same-password-most-websites/
LastPass Hacked
"We are confident that our encryption measures are sufficient to protect the vast majority of users," – Joe Siegrist, CEO
Check Yourself!
Keep Your Systems Updated
One of the easiest ways to protect your systems
Applies to EVERY device
– Computer systems
– Tablets
– Smartphones
Each application will have updates
– Office
– Adobe
– Anti-virus
Many of the compromises can be avoided with this simple step
Backup Your Data!
Where is your backup Hard Drive?
– Mother Nature
– Hardware failure
– Compromised systems
– Ransomware
Photographs and memories are irreplaceable
Use online backup services
– Most of them have a monthly subscription fee
– Multi-device backup solutions
Who Are These “SOPHISTICATED” Hackers?
Sextortion | “Mistah X”
Luis Mijangos, a paraplegic wounded in a gang shooting
Victims: 230 (mostly women), of those 44 were under age
Tools:
– Email, OUTDATED Malware, Intimidation
What did the Trojan do?
– Control the victim’s webcam
• Surreptitiously obtain naked photos
– Control the girl's microphone
• Recorded conversations
Why did the victims open the email?
– Trojan appeared to be files of popular songs or videos
Operation Hackerazzi
“Man hacked into numerous celebrity phones and then distributed the ill-gotten photos to third parties, never asking for any money. He did it because he got a charge out of it.
The FBI says the investigation was dubbed, ‘Operation Hackerazzi.’”
TMZ, 10/12/2011
http://www.tmz.com/2011/10/12/fbi-operation-hackerazzi-phone-hacking-arrest-scarlett-johansson-jessica-alba-vanessa-hudgens/
The Beginning
In December 2010, semi-nude photos of Christina Aguilera were leaked on the Internet
– Photos were PRIVATE
Initial news reported that her CELL PHONE was hacked
No malware or suspicious activity on her phone…but
Initial Investigation
Additional “hacked” photographs appeared online of other celebrities including Scarlett Johansson
All the victims stated that their “cell phones” were hacked
Based on victim statements, the FBI initially focused on mobile devices
– Super malware?
Investigation Continues
After additional interviews, the FBI discovered that the subject “hacked” into the victims’ email and entered a forwarding email address in the victims’ email account
Essentially illegal wire/data tapping
FBI identified various celebrity victims with the same forwarding address!
Challenges
The subject used a Virtual Private Network (VPN) to hide his true location
FBI began tracking his login information
The subject made a mistake and logged in from his home computer
– Tracked the IP address to Florida
Search Warrant
In 2011, the FBI executed a search warrant at the subject’s residence based on the IP addresses
Investigation identified the subject as Christopher Chaney
During the search, Chaney confessed to the FBI that he hacked into emails
Operation Hackerazzi – Who Is This Hacker?
Christopher Chaney, 35, of Jacksonville, Florida
Once he “hacked” one celebrity, his target list grew from their contact list
Tools:
– VPN Service
– Intelius, Peoplefinder, Google, etc
How the heck did he hack the victims?
Technical Skills?
No TECHNICAL SKILL
He simply guessed their secret questions!
– Birthday, Spouse’s name, Anniversary date, etc
Email Hacking Services
Anatomy of the Hack
Hacker for Hire
Needapassword.com
FBI Los Angeles arrested 5 subjects from Arkansas, China and India
$100 - $500 per hack
Customers motivation included revenge, stalking, and jealousy
“Technical skills” of the customers?
What Can I Do?
Is This Your Cyber Defense?
Information Security Industry Scape (04/2015)
https://digitalguardian.com/blog/information-security-industryscape
Planning For A Cyber Attack
Easy for me to theorize and recommend…so
Have a plan!
Identify the company’s crown jewels and most critical systems
– Organizational versus C-Suites’ perceptions
Rise in cyber attacks
– Incident Response Plan
Plan for disruptions
– Malicious attacks and accidental
Technical communication plan
– Cell phone, social media, email, etc.?
Tabletop exercise
– Practiced, realistic, and tested
Sometimes…No Matter How Much You Plan..
Working With Law Enforcement?
Establish a working relationship with law enforcement before the breach
Legal Concerns
– Disclosure to LE or public?
– Brand Protection?
Goals are different between your organization and the FBI
– Cooperate
– Leave actors in place for intelligence collection
Questions?
SA Raymond P. Martinez
FBI San Antonio
Telephone: 310.650-6250
Email: [email protected]