A Look into Cyber Crime
//Cyber Security
The interconnection and reliance of physical lifeline functions over the Internet (cyberspace) that impacts:
– National Security
– Public Health and Safety
– Economic well-being
Most people spend more time and energy going around problems than trying to solve them. ~Henry Ford
Cyber Security and Cyber Crime
The first step is to admit that there is a problem.
A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila. ~Mitch Ratliff
With just a few keystrokes, cybercriminals around the world can disrupt our economy. ~Ralph Basham, Director of the U.S. Secret Service
The Internet is the crime scene of the 21st Century. ~Cyrus Vance Jr., Manhattan District Attorney
We are all connected. Cyber Security is like a Public Health Issue
We impact each other. What are and who sets safety protocols?
Sometimes getting a shot only treats the symptoms and not the cause…
Why is this happening?
• Insulin pumps and pacemakers
• Automobiles
• POS and ATMs
• ORCL – MSFT – SYMC – RSA – VRSN – Bit9
• GOOG – AAPL – FB – AMZN –YHOO – LNKD – GM – NSANY
• US drone fleet
• Internet of Things
Vulnerable! Connected! Cloud, Mobile, Social, Big Data
Cyber Crime
• Global and growing industry
• Increasing in size and efficiency
• Targets everyone and every company
• Low barrier to entry
• Levels the playing field for many interests
//Are you surprised? Seriously?
We Are Only Seeing the Tip of the Iceberg
Headline-grabbing attacks; thousands more below the surface: APT attacks, zero-day attacks, polymorphic attacks, targeted attacks
Source: FireEye
Who are the Cyber Crime Actors?
Basic Cybercrime Organizations
• Fluid and change members frequently
• Will form and disband on a “per project” basis
• Rife with amateurs, take a lot of risk considering the small payoffs
• Although the most troublesome, they are considered the bottom feeders – Think criminal script kiddies
– This is usually who the Feds get, not the big guys
Professional Hackers
• Paid per the job, usually flat rates
• State-side hackers can earn up to $200K a year
• The work is usually writing tools for others to use, developing/finding new exploits, and coding up malware
• Occasionally they will do a black bag job, but these are rare, unless they are simply looking for “loot” on easy targets
Spammers
• They earn millions per year selling their direct mail services
• They are not picky and do not consider whether the person doing the selling is committing fraud, including the Russian Mafia
• After years of jumping from ISP to ISP, it is much easier to lease “capacity” from hacker botnets or develop their own
• They are the main employer of professional hackers
Traditional Mafia
• They are currently leaving most of the “work” to others
• Online ventures are sticking close to such things as pr0n, online gambling, etc.
• They are taking advantage of technology, using computers heavily, and using reliable encryption
Organized…Crime: Different levels of participants in the underground market
Source: Markets for Cybercrime Tools and Stolen Data (RAND, 2014)
Russian Mafia
• Cybercrime elements are considered “divisions”
– The actual hackers themselves are kept compartmentalized
• Due to protection from a corrupt Russian government, most “big cases” do not net the big players, e.g. Operation Firewall
• There are thousands of organized crime gangs operating out of Russia, although most are not involved in cybercrime.
• When new hacking talent is needed, they will force hackers to work for them (or kill them and/or their families)
Former Soviet Military
• Military industrial complex in Soviet Russia was even more corrupt than their USA counterparts
• With the collapse of communism, many upper military personnel in Russia had few skills that paid well
– Good at money laundering
– Good at moving goods across borders
– Connections with international crime
China - Espionage
• Mandiant’s 2013 report on the Chinese (APT1)
– Attacks on 141 organizations since 2006 (115 were in the US)
• Substantial evidence of Chinese sponsored activities
– Report includes photos, forensics, communications, and profiles
• Soon after Mandiant’s report, the US government publishes a 140 page strategy to combat the theft of US trade secrets
• The US government initially attempted to halt the attacks on US organizations
– But soon resorted to asking China to please stop stealing our stuff
• China’s response to the Mandiant report was that it was “unprofessional” to publish and make such claims
China - Espionage
• According to the US Justice Department, of 20 cases of economic espionage and trade secret criminal cases from January 2009 to January 2013, 16 involved Chinese nationals; i.e. organizations hired foreign nationals to work on national security level projects (DuPont, NASA, Google, Intel, DoD, etc.)
• 63% of impacted organizations learn they were breached from an external source, like law enforcement
• Organizations are being targeted by more than one attack group, sometimes in succession
• In 2012, 38% of targets were attacked again after the original incident was remediated, lodging more than one thousand attempts to regain entry to former victims
• Feb 2013 report (Akamai) shows that 30% of all observed attacks came from China and 13% originated from within the US
• March 2013 report (Solutionary) states that the majority of attacks on the US are now originating in the US
China - Espionage (Source: FireEye)
Espionage – China and Russia (Source: FireEye)
Multi-vectored attack
Multi-Vector Analysis of Operation Beebus Attack
[Diagram: timeline of attack – multiple vectors, multiple campaigns, Apr 2011 to Jan 2013. Lure files included update.exe, RHT_SalaryGuide_2012.pdf, install_flash_player.tmp2, install_flash_player.ex, Conflict-Minerals-Overview-for-KPMG.doc, dodd-frank-conflict-minerals.doc, Boeing_Current_Market_Outlook_…pdf, Understand your blood test report.pdf, sensor environments.doc, FY2013_Budget_Request.doc, Dept of Defense FY12 …Boeing.pdf, April is the Cruelest Month.pdf, National Human Rights…China.pdf, Security Predictions…2013.pdf, Global_A&D_outlook_2012.pdf, сообщить.doc and rundll32.exe; some campaigns are marked unknown. Targets: Defense Industry, UAV/UAS Manufacturers, Aerospace Industry.]
Attack steps:
1 – Email/Web (SMTP / HTTP) with weaponized malware, e.g. the weaponized email RHT_SalaryGuide_2012.pdf
2 – Backdoor DLL dropped
3 – Encrypted callback over HTTP to C&C (C&C Server: worldnews.alldownloads.ftpserver.biz)
Key Attack Characteristics
1. Nation state driven attack using multiple vectors & files in campaigns spread over 2 years
2. Exploits known vulnerabilities in several Adobe products such as Reader and Flash Player
3. Targeted attacks - each campaign tried to compromise a few specific individuals
4. Encrypted callback communications to hide exfiltrated data
Source: FireEye
China and the US Economy, Nov 2014
The US - China relationship is the most consequential in the world today, period. And it will do much to determine the shape of the 21st century. That means we have to get it right. ~John Kerry, Secretary of State
US trade deficit with China is the largest in the world. US imports more from China than from Canada, Mexico, Japan, and Germany. US invests more in China than China does in US. You could say China is America's banker. ~CNN
You Should Care
Cyber Security and Cyber Crime are Important Issues
It’s Bad Right Now
Tyler/Savage Estimate of Global Cost of Cyber Crime
• Cost of genuine cybercrime – $3.46 billion
• Cost of transitional cybercrime – $46.60 billion
• Cost of cybercriminal infrastructure – $24.84 billion
• Cost of traditional crimes going cyber – $150.20 billion
• Total = $225.10 billion
Based on 2007-2010 data; the authors were disinclined to aggregate
Cyber Crime Costs in 2014
• Cyber attacks on large US companies resulted in an average of $12.7M in annual damages
– 9.7% increase from 2013
– $1,601 cost of damages per worker for smaller companies
– $427 cost of damages per worker for larger companies
Source: Ponemon Institute 2014 Cost of Cybercrime Survey
Cost Framework for Cyber Crime
Source: Ponemon Institute© presentation, 10/7/14
Internal cost activity centres: Detection; Investigation & escalation; Containment; Recovery; Ex-post response
External consequences and costs: Information loss or theft; Business disruption; Equipment damage; Revenue loss
Together these make up the direct, indirect and opportunity costs associated with cyber crimes.
Average annualized cost by industry sector ($1,000,000 omitted)
Source: Ponemon Institute© presentation, 10/7/14
[Bar chart: average annualized cyber crime cost in $ millions for Hospitality, Healthcare, Consumer products, Education & research, Public sector, Industrial, Retail, Services, Transportation, Communications, Technology, Financial services, Defense and Energy & utilities; two series, five-year average and FY 2014, with values from $4.2M to $26.5M]
Average annualized cyber crime cost weighted by attack frequency
Source: Ponemon Institute© presentation, 10/7/14
[Bar chart: weighted annualized cost for Malware; Viruses, worms, trojans; Botnets; Stolen devices; Phishing & social engineering; Web-based attacks; Malicious code; Malicious insiders; Denial of service; two series, five-year average and FY 2014, with values from $933 to $226,449]
Percentage cost for external consequences
Source: Ponemon Institute© presentation, 10/7/14
[Bar chart: share of cost for Information loss, Business disruption, Revenue loss, Equipment damages and Other costs; two series, FY 2014 and five-year average]
Percentage cost by activities conducted to resolve a cyber attack
Source: Ponemon Institute© presentation, 10/7/14
[Bar chart: share of cost for Detection, Recovery, Investigation, Containment, Ex-post response and Incident management; two series, FY 2014 and five-year average]
Budgeted or earmarked spending according to six IT security layers
Source: Ponemon Institute© presentation, 10/7/14
[Bar chart: share of spending on the Network layer, Data layer, Application layer, Human layer, Physical layer and Host layer; two series, FY 2014 and FY 2013]
Dollar Losses from Computer Fraud Cases
IC3 report, mainly US, mainly cases referred for investigation
Contrast with FBI non-cyber crime stats: Fewer bank robberies, less loot
[Chart, 2003 to 2011: incidents 7,644; 7,720; 6,957; 7,272; 6,182; 6,071; 6,062; 5,628; 5,086 and average loot $10,086; $8,268; $9,254; $9,996; $11,787; $10,198; $7,585; $7,643; $7,539]
Numbers Show a Harsh Reality
• 2/3 of U.S. firms report that they have been the victim of cyber attacks
• 40% of all IT executives expect a major cybersecurity incident
• 115% CAGR in unique malware since 2009
• 9,000+ malicious websites identified per day
• Every second, 14 adults become a victim of cyber crime
• 6.5x the number of cyber attacks since 2006
• 95 new vulnerabilities discovered each week
Source: FireEye
The Attacks and Weapons
Elements of Cyber Crime Operations
• Host an exploit kit on a server
• Put malware on different server
• Send malicious email linked to exploit kit
• Find holes in visiting systems
• Use holes to infect visitors with malware
• Use console on command and control box
• To steal, DDoS, spread more malware
• Use markets to sell/rent infected systems
• Use markets to sell any data you can find
The Weapons
• Botnets
– Average size is 5000 computers, some have been as large as 500,000 computers
– New command and control software allows botnet capacity leasing of subsections of the botnet
• Phishing – You guys *do* know what phishing is, right?
• Targeted Viruses
– Used to create quick one-time-use botnets
– Also used when specifically targeting a single site or organization
• The usual Internet attack tools
Exploit Toolkits & Malware
• In 2013, Exploit Toolkits cost between $40 and $4k
• The malware that likely compromised Target’s POS system cost less than $3,000.
• 61% of all malware is based on pre-existing toolkits; upgrades keep them current and provide additional capabilities (“Value”)
• Toolkits used for Targeted Attacks can create custom Blog entries, emails, IMs, & web site templates to entice targets toward malicious links / content. (Blackhole >100k/day)
Exploit Toolkits & Malware
• Traditional attacks were loud, high volume attacks typically stopped by threat monitoring tools
• Today’s sniper attacks use specific exploits to get clear shots at the objective
• The convergence of Social Engineering, Social Profiling, and Geo-Location improve attack success
• Rogue software (anti-virus, registry cleaner, machine speed improvement, backup software, etc)
– Increase in Mac malware (MAC Defender)
– +50% of attacks on Social Media sites were malware
Cyber Crime Tools are Readily Available (from a chart by DeepEnd Research)
• Exploit Kits
– Buy or rent
– A few hundred dollars to thousands
– Add new exploits over time
– Note all of the Java exploits
Proliferation and Variety of Exploit Kits Over Time
Source: Markets for Cybercrime Tools and Stolen Data (RAND, 2014)
Attacks: Spam – 2013 Spam Results
• Spam is at 69% of all global email
• Phishing attacks are 1 in every 414 emails
• Emails that contained a virus were 1 in every 291
• Top Industries Attacked: Manufacturing, Financial, Services, Government, Energy
• Top Recipients Attacked: R&D, Sales, C-Suite, Shared Mailbox
Attacks: Phishing / Spear Phishing
Attacks: Ransomware
• Mobile Internet will continue to increase as it eventually takes the place of desktop Internet.
• The illegal drug organizations are looking to Cyber Crime to facilitate their business and expand their operations. Your organization could be infiltrated by an insider, socially engineered for identities and social profiles, and potentially held hostage with ransomware.
• Localized nation state attacks on the U.S. increase
• CryptoLocker from Russia is one of the current threats
Attacks: Botnets
A botnet is a large number of compromised computers that are used to create and send spam or viruses or flood a network with messages as a denial of service attack.
The compromised computers are called zombies.
Attacks: Water Holing
Several attacks in 2013 were conducted by luring victims to accept malware or follow a link to an infected site. 4% of all email contained malware or a link to an infected site.
There are 6 stages of the attack:
Attacks: Water Holing – Facebook
• Typo-Squatting
• Fake Facebook Applications
• Hidden Camera Video Lure
• Celebrity Deaths
• Fake Offers & Gifts
• Browser Plugin Scams
• Fake Profile Creeper
• Blog Spam Attack
Search Engine Poisoning (SEP)
2013 saw an increase in malware infections as a result of SEP.
• Hackers crawling current news headlines, creating related malicious sites and conducting SEP
• Google Images – links to source photo
• Using web analytics to determine what people are searching for
Attacks: Amplification DDoS
Source: C. Rossow – Amplification DDoS Attacks: Defenses for Vulnerable Protocols
[Diagram: Attacker, Amplifier, Victim]
DDOS - 14 Network Protocols Vulnerable to Amplification
[Chart: the 14 protocols and the year each was introduced, from 1983 to 2003]
Source: C. Rossow – Amplification DDoS Attacks: Defenses for Vulnerable Protocols
DDOS - Amplification Attacks in Practice
Cloudflare Blog post, March 2013
Cloudflare Blog post, February 2014
Source: C. Rossow – Amplification DDoS Attacks: Defenses for Vulnerable Protocols
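As an added example (not from the slides and not code from Rossow's paper), the Attacker / Amplifier / Victim model above applied from the defender's side: Rossow's bandwidth amplification factor (BAF) is the ratio of UDP payload bytes the amplifier sends to the victim to the payload bytes the attacker sends to the amplifier, and the detector below flags hosts that receive reply traffic from many amplifier service ports without ever having sent matching requests. The flow records, addresses and the port list are constructed for this example.

```python
"""Flag hosts receiving reflected amplification traffic (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass

# Well-known UDP services abused as reflectors (illustrative subset, not the
# full list of 14 protocols from Rossow's paper).
AMPLIFIER_PORTS = {19: "CharGen", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, NetFlow-style (addresses below are RFC 5737 ranges)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def bandwidth_amplification_factor(request_payload: int, response_payload: int) -> float:
    """BAF as defined by Rossow: UDP payload bytes delivered to the victim per
    payload byte the attacker has to send to the amplifier."""
    if request_payload <= 0:
        raise ValueError("request payload must be positive")
    return response_payload / request_payload


def find_reflection_victims(flows, min_reflectors=10, min_ratio=5.0):
    """Return one finding per (victim, service) where the victim receives replies
    from at least min_reflectors distinct amplifiers and the inbound byte volume is
    at least min_ratio times what the victim itself sent to that service. Spoofed
    requests never leave the victim, so its outbound volume stays near zero while
    replies pour in from many sources."""
    inbound = defaultdict(int)        # (victim, service) -> bytes received
    reflectors = defaultdict(set)     # (victim, service) -> amplifier addresses
    outbound = defaultdict(int)       # (host, service) -> bytes the host sent
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.sport in AMPLIFIER_PORTS:          # reply coming from a service port
            key = (f.dst, AMPLIFIER_PORTS[f.sport])
            inbound[key] += f.nbytes
            reflectors[key].add(f.src)
        if f.dport in AMPLIFIER_PORTS:          # request going to a service port
            outbound[(f.src, AMPLIFIER_PORTS[f.dport])] += f.nbytes
    findings = []
    for key, in_bytes in inbound.items():
        out_bytes = outbound.get(key, 0)
        ratio = in_bytes / out_bytes if out_bytes else float("inf")
        n = len(reflectors[key])
        if n >= min_reflectors and ratio >= min_ratio:
            findings.append({"victim": key[0], "service": key[1],
                             "reflectors": n, "inbound_bytes": in_bytes})
    return findings


def sample_flows():
    """Constructed traffic: one host doing ordinary DNS lookups and one host being
    flooded with NTP replies from twelve servers it never queried."""
    flows = []
    for i in range(2):   # legitimate: 70-byte query, 120-byte answer
        flows.append(Flow("192.0.2.10", 40000 + i, "198.51.100.53", 53, "UDP", 70))
        flows.append(Flow("198.51.100.53", 53, "192.0.2.10", 40000 + i, "UDP", 120))
    for i in range(12):  # reflected NTP traffic: large replies, no requests
        flows.append(Flow(f"203.0.113.{i + 1}", 123, "192.0.2.99", 80, "UDP", 48_000))
    flows.append(Flow("192.0.2.99", 443, "198.51.100.7", 443, "TCP", 900))  # unrelated
    return flows


if __name__ == "__main__":
    for finding in find_reflection_victims(sample_flows()):
        print(finding)
```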
November 2014 Massive Website Attack on One Company
Attacks: Remote Access Tools (RATs)
• RATs and Remote Server Administration Tools
– Avoid using remote administration tools on point-of-sale devices
• Severely lock them down with strong passwords and use other strong security controls
– Crooks exploit vulnerabilities or use weak/default credentials
– Verizon and Trustwave findings:
• Remote access tools installed on the point-of-sale device are the leading cause of card data breaches
• Attackers scan the Internet for remote administration software and then use automated tools to break in
• Symantec pcAnywhere
– January 2012, Symantec acknowledged that hackers stole the source code
– Urged users to either update the software or remove the program altogether
Attack: Passwords
//Passwords are the new perimeter
• Passwords are weak
• Use multi-factor authentication as much as you can
• Obey common good practices for administrative accounts
• Do not reuse passwords on multiple sites
– Utilize a password wallet
– Utilize a privileged account vault
• Obey common good practices for passwords
• Be mindful of which email account resets account passwords
Underground Dump store - McDumpals
krebsonsecurity.com
Underground Stolen Medical Records for Sale
9/14: Medical records being sold in bulk for as little as $6.40 apiece
krebsonsecurity.com
Imperial Russia: Ad selling stolen medical and financial records
ID Theft Service - Superget.info
krebsonsecurity.com
Fraud Forum: Point-and-Click Tools for Sale
krebsonsecurity.com
Example - Internet Black Market Pricing Guide
• Exploit code for known flaw – $100-$500 if no exploit code exists
– Price drops to $0 after exploit code is “public”
• Exploit code for unknown flaw - $1000-$5000
– Buyers include iDefense, Russian Mafia, Chinese and French governments, etc.
• List of 5000 IP addresses of computers infected with spyware/trojan for remote control - $150-$500
• List of 1000 working credit card numbers - $500-$5000
– Price has increased since Operation Firewall
• Annual salary of a top-end skilled black hat hacker working for spammers - $100K-$200K
~80% of companies are compromised!
Contents used with permission from FireEye.
Value of a Hacked Email Account
Crime shops charge between $1 to $3 for active accounts at dell.com, overstock.com, walmart.com, tesco.com, bestbuy.com and target.com, to name just a few
krebsonsecurity.com
The Scrap Value of a Hacked PC
Your life commoditized
krebsonsecurity.com
Value of a Hacked Smart Mobile Device
Problems with Cyber Security
Executive and Business Issues:
• Under-investing in Information Security
• Security needs Board and Senior Team visibility
– Boards and Senior Team need cyber education
• Use your CISO (if you have one)
• Need to think more broadly on the ecosystem
– Critical security decisions are missing in Product and Services Teams
• Associated with revenue
• Where is cyber security thinking pre-launch?
Problems with Cyber Security
Problems with Infosec:
• The bad guys have the upper hand
– Only need to find one way in
– Mostly exploit the weakest link – People
– Security is not built in to most products and services by default
• Security is a People, Process, and then Technology problem
– Security is not a Product
• Focus misplaced on Compliance only
– Problem is shared with Audit and Compliance teams
• Need to learn from others’ mistakes
– Lots of examples
• Breaches - Root Cause Analysis and Post Incident Review
– Information Sharing & Analysis Centers (ISACs)
Learning From Others’ Mistakes
• Target breach clean up estimated at $100M
• The Home Depot breach clean up estimated at $62M
“If I only got a fraction of that annually.” ~anonymous CISO
Learning From Others’ Mistakes: Root Cause / Post Incident Review
• How did these companies get hacked?
• What did the intruders do once in?
• Did they take anything?
//Who knows what really happened?
The REAL Big Data for Infosec, BUT need more
Percentage annualized cyber crime cost by attack type
Source: Ponemon Institute© presentation, 10/7/14
[Bar chart: share of annualized cost for Botnets; Viruses, worms, trojans; Malware; Malicious insiders; Stolen devices; Phishing & social engineering; Web-based attacks; Denial of services; Malicious code; two series, five-year average and FY 2014, with values from 4% to 24%]
Verizon 2014 Data Breach Investigations Report
Mandiant appears to have more solid data on nation-state attacks
Problems with Detection
• Verizon 2014 DBIR: 170 days to detect an attack
• 31 days on average to resolve cyber attacks
• $21,000 cost per day to resolve
• Insider attacks took the longest time to resolve
Source: 2014 Cost of Cybercrime Survey, Ponemon Institute
There is data out there. There is a lot of data that is not collected. There is a lot of data that is not out there and stays protected.
Verizon appears to have more solid data on merchant/commercial attacks
Problems with Detection
What Can You Do About This
• Be Better Prepared
• Acknowledge You’re Not Doing Enough
• Acknowledge You Need Help
Doomsday and Naked and Afraid Criteria
0-100 Scale: 1- Food (renewable), 2- Water, 3- Shelter, 4- Security, 5- X-Factor
0-10 Rating Scale: Primitive Survival Rating (PSR): Novice--Intermediate--Expert
5 Functions rated Low, Medium, and High
Notice a Pattern Forming?
Framework for Defensible Cyber Security
NIST Cyber Security Framework
• Highlights 5 security standards
– ISO/IEC 27001, COBIT, NIST 800-53, CCS SANS 20, ISA/IEC 62443
• Risk-based
– ISO 31000, ISO/IEC 27005, NIST 800-39, ECS RMP
• Framework Core - 5 Functions
– Identify, Protect, Detect, Respond, Recover
– 98 Outcomes (Expectations of Security)
• Tiers and Profiles
– Partial (Tier 1) to Adaptive (Tier 4)
• Criteria for cyber success
– Used by Insurance companies
– Used in SEC cyber security examination blueprint
Security is a journey and not a destination
Due Care and Heightened Expectations
Refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account.
Refers to the level of judgment, care, prudence, determination, and activity that a person would reasonably be expected to do under particular circumstances.
Risk Management
NIST CSF
Cyber Security Framework of Success
We will bankrupt ourselves in the vain search for absolute security. ~Dwight D. Eisenhower
Should Be Your Infosec Team’s Mindset
The Defender’s Advantage
Learning from the past – Implementing Cyber Kill Chain
The Attack Life Cycle – Multiple Stages
[Diagram: compromised Web server or Web 2.0 site, callback server, IPS, File Share 1 and File Share 2]
1. Exploitation of system
2. Malware executable download
3. Callbacks and control established
4. Malware spreads laterally
5. Data exfiltration
Breach detection is critical
Assume that you’ve been compromised
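Stage 3 above, and the “encrypted callback over HTTP to C&C” in the Operation Beebus analysis earlier in the deck, are where breach detection usually gets its first chance: the content is encrypted, but the timing is not. This added example (not from the slides, FireEye or any product) looks for periodic callbacks in a constructed web-proxy log. The log format, the client addresses and the thresholds are assumptions; the callback host name is the C&C server FireEye attributed to Beebus on the earlier slide.

```python
"""Spot periodic HTTP callbacks (beacons) in web-proxy logs (constructed example)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, not real traffic. Format per line:
# "<ISO timestamp> <client ip> <destination host> <bytes>". Client addresses are
# RFC 5737 documentation ranges; the callback host is the C&C name FireEye
# attributed to Operation Beebus on the slide above.
SAMPLE_LOG = """\
2012-03-05T09:00:00 192.0.2.15 www.example.com 5120
2012-03-05T09:00:04 192.0.2.15 worldnews.alldownloads.ftpserver.biz 312
2012-03-05T09:01:10 192.0.2.15 www.example.com 2048
2012-03-05T09:10:05 192.0.2.15 worldnews.alldownloads.ftpserver.biz 310
2012-03-05T09:20:03 192.0.2.15 worldnews.alldownloads.ftpserver.biz 315
2012-03-05T09:25:40 192.0.2.15 cdn.example.net 90210
2012-03-05T09:30:06 192.0.2.15 worldnews.alldownloads.ftpserver.biz 311
2012-03-05T09:40:04 192.0.2.15 worldnews.alldownloads.ftpserver.biz 309
2012-03-05T09:50:05 192.0.2.15 worldnews.alldownloads.ftpserver.biz 314
2012-03-05T09:02:00 192.0.2.22 www.example.com 4096
2012-03-05T09:15:00 192.0.2.22 www.example.com 7000
2012-03-05T09:47:00 192.0.2.22 www.example.com 1200
2012-03-05T09:48:30 192.0.2.22 www.example.com 1100
2012-03-05T09:49:00 192.0.2.22 www.example.com 1000
2012-03-05T09:58:00 192.0.2.22 www.example.com 3000
"""


def parse_log(text):
    """Yield (timestamp, client, host, size) tuples, skipping malformed lines
    instead of aborting on them."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def find_beacons(text, min_requests=5, max_jitter=0.2, max_size_spread=0.25):
    """Return suspected beacon channels: (client, host) pairs with at least
    min_requests connections whose inter-request gaps are nearly constant
    (coefficient of variation <= max_jitter) and whose transfer sizes barely
    vary. Encrypted callbacks look like this even though the payload is
    unreadable; human browsing is bursty and its sizes vary widely."""
    by_pair = defaultdict(list)
    for ts, client, host, size in parse_log(text):
        by_pair[(client, host)].append((ts, size))
    findings = []
    for (client, host), events in by_pair.items():
        if len(events) < min_requests:
            continue
        events.sort()
        gaps = [(later - earlier).total_seconds()
                for (earlier, _), (later, _) in zip(events, events[1:])]
        sizes = [size for _, size in events]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:            # duplicate timestamps: no timing to analyse
            continue
        gap_cv = statistics.pstdev(gaps) / mean_gap
        size_cv = statistics.pstdev(sizes) / (statistics.mean(sizes) or 1)
        if gap_cv <= max_jitter and size_cv <= max_size_spread:
            findings.append({"client": client, "host": host,
                             "requests": len(events),
                             "period_s": round(mean_gap),
                             "jitter": round(gap_cv, 3)})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

Ordinary browsing from the second client is not reported because its gaps vary by more than the jitter threshold; tune min_requests and max_jitter to the sampling window of your own logs.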
One person's "paranoia" is another person's "engineering redundancy.“ ~Marcus J. Ranum
The Defender’s Advantage
What Defenders Need to Know
• The type of cyber crime to expect
– This is one area where we do have data
• Strategy to defend against them
– A layered defense
Our Users and Current Culture
The user's going to pick dancing pigs over security every time.
— Bruce Schneier
If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees.
— Kahlil Gibran
Our Weakest Link
What Leaders Can Do to Help
Educate, inspire, and demand real change towards the culture of security
Security is Everyone’s Job
</What is Needed>
• Organization visibility and agility for security
• Seek thought leadership (a CISO)
– Security needs visibility to senior team and Board
• Wisely invest in defensible security
• Follow a risk-based approach
• Follow a structured methodology like the NIST CSF
– Use the data available to fine-tune defenses
– Learn from your mistakes and others’ mistakes
– Plan and test security operations and response
• Knowledge is Power
– Getting hacked is a matter of When, not If
– Security is a Journey, not a Destination
– Security is Everyone's Job
– Security is a team sport – It takes the village to be successful
– Reality-check: A child can be the adversary
Phil Agcaoili
Co-Founder & Board Member, Southern CISO Security Council
Distinguished Fellow and Fellows Chairman, Ponemon Institute
Founding Member, Cloud Security Alliance (CSA)
Inventor & Co-Author, CSA Cloud Controls Matrix,
GRC Stack, Security, Trust and Assurance Registry (STAR), and
CSA Open Certification Framework (OCF)
Contributor, NIST Cybersecurity Framework version 1
@hacksec
https://www.linkedin.com/in/philA
Security used to be an inconvenience sometimes, but now it's a necessity all the time. ~Martina Navratilova after the stabbing of Monica Seles by a fan of Steffi Graf, 1993