LIFARS - Financial Cybercrime
Financial Cybercrime
Ondrej KREHEL
Dusan PETRICKO
ONDREJ KREHEL, CISSP, CEH, CEI, EnCE
CEO & Founder
LIFARS LLC
DUSAN PETRICKO, CISSP, CEH
Incident Response Manager
LIFARS, LLC
Major Data Breaches Visualized
The Cost of Cybercrime
The average annualized cost of cybercrime in millions of US dollars per company across multiple sectors.
Source: Ponemon Institute
Types of Cyberattacks Experienced
Source: Ponemon Institute
Are Companies Ready?
Source: Ponemon Institute
• 68% of companies experienced a security breach in the past 24 months
• 46% of companies say another incident is imminent and could happen within the next 6 months
• 34% of companies said they did not have a fully functional CSIRT in place today to respond to those incidents
Organizations That Face Cyber-attacks Need To Be Prepared To Respond To Them
Not Really – The Current State of Incident Response
Current State
Investigation
Detection
Prevention
No silver bullets
“We are living in the dark ages of security”
Amit Yoran, President of RSA
Average of 7 months to discover
Limited to log data
What to do when breached?
Existing Forensics Tools
• Highly complicated: Requires dedicated team of experts
• Too slow: Precious time wasted gluing bits and bytes
• Limited history: +100TB to store a single day of a 10G network
What’s Holding The Security team Back?
Still In The Dark
Only large enterprises can afford it
Only a few “gurus” can operate
Only 5% of alerts are being investigated
Costs: Expensive – show boxes
Key Element of Most Cyberattacks
Social Engineering Lifecycle
Source: McAfee Labs
What Types of Attacks Do Financial Institutions Face?
• Cyber Fraud
• Targeted Attacks (APT)
What is APT?
• Advanced
  • Attacker is an advanced adversary
• Persistent
  • Attacker is heavily focused on target – sniper style
• Threat
  • Toolkits used are mainstream, however modified to perfection
  • Most attacks are targeted and very specific
Major APT Campaigns
APT Lifecycle
Case Study: AlienSpy at Wall Street
AlienSpy: Hacking-as-a-Service Evolved
• Hacking-as-a-Service platform
• Plans starting at $19.99
• Highly customer-oriented, easy-to-use tool
• Allowed anyone to perform sophisticated attacks
• Evolved over time from the Frutas > Adwind > Unrecom
• AlienSpy malware adopted by organized cybercrime gangs
AlienSpy Interface
• Easy to navigate and very user-friendly AlienSpy interface makes it a very attractive and easy-to-use tool (even for non-tech savvy criminals)
https://www.youtube.com/watch?v=k3oZEJyWHBw
Evolution of the AlienSpy RAT
AlienSpy: Adoption by APT Groups
• AlienSpy RAT heavily obfuscated using well-known tools and cannot be detected by antiviruses
• Distributed by well-crafted spear phishing campaigns
• Used in attacks against well-known global money transfer firms
• Often multiple attackers detected inside their systems at the same time
Spear Phishing Example
• Real phishing email example
• Discovered leaked on PasteBin
Observed AlienSpy Attack Process
Observed AlienSpy Forensic Analysis
• Obfuscated files cannot be detected by antiviruses
• TRE.jar – unobfuscated payload
• Malware loaded into memory
• AlienSpy malware loaded from the buffer
Cost to the Victim
• A global money-transfer company present in over 100 countries was attacked by up to 15 parallel attackers
• Average loss - $28,000/month per attacker
• Overall losses in excess of $5 million annually
The Worst Part?
AlienSpy is not alone – there are many others:
How to Handle Breaches?
Next-Gen Incident Response
• Time = money
• Use of Next-Gen automation tools to speed up the IR process
• Specialized external teams help reduce costs and increase effectiveness of response
• Taking down advanced threats of today requires military-style “cybersnipers”
Incident Response Lifecycle:
Q&A
For cybersecurity news, sign up for our weekly newsletter: LIFARS.com/cybernews