FBI And Cyber Crime | Crime Stoppers International

Download FBI And Cyber Crime | Crime Stoppers International

Post on 08-May-2015

1.130 views

Category:

Education

1 download

Embed Size (px)

DESCRIPTION

Crime Stoppers International 32nd Training Conference Presentation October 25, 2011 by Cyber Crime FBI Unit Chief David Wallace in Montego Bay, Jamaica

TRANSCRIPT

  • 1.FBI and Cyber Security Unit Chief David Wallace Cyber Division Federal Bureau of Investigation

2. Overview

  • FBI Mission
  • Cyber Threats
  • FBI Response

3. Mission

  • Protect the United States from Terrorist Attack.
  • Protect the United States against foreign intelligence operations and espionage.
  • Protect the United States against cyber based attacks and high technology crimes.
  • Proactive vs. Reactive

4.

  • Identify and neutralize the most significant individuals or groups conducting computer intrusions, the dissemination of malicious code, and/or other computer-supported operations.
  • The FBI is the only U.S. agency charged with the authority to investigate both criminal and national security computer intrusions.

Mission 5. Mission HQ Mission : Coordinate, supervise and facilitate the FBI's investigation of those federal violations in which the Internet, computer systems, or networks are exploited as targets of terrorist organizations, foreign government sponsored intelligence operations, or criminal activity; 6.

  • The Threats to General Public on the Internet
  • The Threats to Corporate and/or Financial Entities from Motivated Hackers

Cyber Criminal Threat 7. Criminal Threats to Internet Users

  • Cyber Extortion
    • Individuals threaten to use Social Networking power
    • Extortion-based DDoS attacks
    • Scareware/Fraudulent Antivirus Software
  • Phishing
    • Ongoing case with major bank, 350 subjects identified, over 50 in a cooperating foreign country
    • 2000 phishing transactions totaling $4 million
  • Botnets
    • Enable other criminal activity, Spam, distribution of additional Malware (Keyloggers, DNSChanger etc.)

8. One type of Cyber Extortion

  • These things, unless you honor the below claim, WILL HAPPEN on March 8, 2010.
  • As you have denied my claim I can only respond in this way. You no longer have a choice in the matter, unless of course you want me to continue with this outlined plan. I have nothing to lose, you have everything to lose.
  • My demand is now for $198,303.88. This amount is NOT negotiable, you had your chance to make me an offer, now I call the shots.
  • I have 6 MILLION e-mails going out to couples with children age 25-40, this e-mail campaign is ordered and paid for. 2 million go out on the 8th and every two days 2 million more for three weeks rotating the list. Of course it is spam, I hired a spam service, I could care less, The damge [sic] will be done.
  • I am a huge social networker, and I am highly experienced. 200,000 people will be directly contacted by me through social networks, slamming your integrity and directing them to this website within days.
  • I think you get the idea, I am going to drag your company name and reputation, through the muddiest waters imaginable. This will cost you millions in lost revenues, trust and credibility not to mention the advertising you will be buying to counter mine. Sad thing is its almost free for me!
  • The process is in motion and will be released on March 8th, 2010. If you delay and the site goes live, The price will then be $3,000,000.00.

9. DDoS Extortions

  • Recent trend targeting online product retailers
    • Company receives an extortion threat via email, online chat or their 1-800 telephone number
    • Demand to pay $,$$$ within five minutes or your website will be shut down
    • Many go unreported
    • Victims appear to be targets of opportunity
    • These tend to roll into Botnet investigations

10. Scareware also a form of Cyber Extortion 11. Criminal Threats to Internet Users

  • Cyber Extortion
    • Individuals threaten to use Social Networking power
    • Extortion-based DDoS attacks
    • Scareware/Fraudulent Antivirus Software
  • Phishing
    • Ongoing case with major U.S. banks, 350 subjects identified, over 50 in a cooperating foreign country
    • 2000 phishing transactions totaling $4 million
  • Botnets
    • Enable other criminal activity, Spam, distribution of additional Malware (Keyloggers, DNSChanger etc.)

12. Example of Phishing Emails Sent to Customers of U.S.-based Bank 13. Criminal Threats to Internet Users

  • Cyber Extortion
    • Recent trend in Health Care Services Industry
    • Threatening to use Social Networking power
    • Scareware/Fraudulent Antivirus Software
  • Phishing
    • Ongoing case with major U.S. banks, 350 subjects identified, over 50 in a cooperating foreign country
    • 2000 phishing transactions totaling $4 million
  • Botnets
    • Enable other criminal activity, Spam, distribution of additional Malware (Keyloggers, DNSChanger etc.)

14. Conficker Botnet

  • Estimated to Have Infected 7 to 15 million computers as of February 2010
  • Requires ongoing maintenance to keep caged
  • Could be any Botnet (Torpig, Coreflood, Mariposa) which drops malware

15. Example of Pervasive Malware Keylogger

  • Distributed via spam email, scareware or video codecs using social engineering techniques
  • Records all keystrokes of victim
  • Captures usernames, passwords, credit card numbers that victims type into webpages
  • Information is stored in a hidden text file, compressed and retrieved by hacker

16. Example of Non-Pervasive Malware DNS Changer

  • Also can be distributed via spam email, scareware or social engineering techniques
  • Modifies victims trusted Domain Name System (DNS) settings
  • Victim computers then unwittingly get their domain name resolution from a DNS server controlled by the badguy
  • Badguy then directs victim computers tohisservers running lookalike webpages (i.e., a counterfeit online banking webpage)
  • Victim unknowingly enters his banking credentials to what he thinks is the real webpage

17. Criminal Threats to Internet Users

  • ACH Transaction Fraud
    • Anyone with authority to pay, transfer funds, manage, control, or effect banking activity can be a victim
    • New attack vectors such as Malvertising
    • JabberZeus variant to compromise Two-Factor Authentication
  • Confederation of Cyber Criminal Organizations
    • The Web within the Web
    • Exchange of Tools for Criminal Activity
    • Distributed expertise among group members

18. Threats to Corporate Entities

  • Companies with financial databases are the targets of criminal hacker groups
  • Why?Thats where the money is!
  • andbetter work hours, large potential for return vs. risk, less chance of getting caught and/or shot than, say, being a drug dealer
  • Criminals perception that they can hide behind complex international laws

19.

  • 15,730 attempted transactions worth $10.2M
  • 14,544 successful transactions worth $9.7M
  • $9.4M (97%) was withdrawn on Nov 8 2008
  • 2,136 ATM terminals were accessed in over 28 countries

Scope of the Scheme Financial Services Intrusion 20. Cyber Terrorism

  • No full-scale cyber attacks.
    • DDoS
    • Defacements
  • Growing presence of terrorist organizations on the internet.
    • Internet being used not to just recruit or radicalize, but to incite.
  • Growing use of social networking sites tocollaborate and promote violence.

21. Counterintelligence and Economic Espionage

  • Espionage used to be spy vs. spy.
    • Today our adversaries can sit on the other side of the globe and have access to an entire network at their fingertips.
  • Who are they?
    • Nation-State Actors
    • Mercenaries for Hire
    • Rogue Hackers
    • Transnational Criminal Syndicates

22. Counterintelligence and Economic Espionage

  • What are they after?
    • Technology
    • Intelligence (Policy-maker decisions)
    • Intellectual Property
    • Military Weapons
    • Military Strategy
  • They have everything to gain; we have a great deal to lose.

23. Primary Intrusion Vectors The exploitation of Trust

  • Thetrustedinbound e-mail.
  • The publicly availabletrusted web site of appropriate business interest.
  • The download oftrustedcode from atrustedand authorized vendor.
  • Thetrustedoutward facing server.
  • The necessarytrustof the internal network
  • The connections withtrustedbusinesspartners.

24. Trusted E-mail

  • Email contains attachment or link which recipient is likely to open.
  • Crafted to appear to come from a trusted source
  • Attachments tailored to recipients likely interest
  • Broad address and personnel information are available open source.

25. Trusted Web Site

  • Intrusion into web site with an identifiable user base.
  • Modification of lead web page
  • Redirection to poorly administered web site for code download.
  • Deployment of tool through browser begins beaconing activity.

26. Trusted Applications

  • Intrusion into software vendor or other trusted site
  • Modification of code which is otherwise trusted and authorized
  • Tool deploys when authorized software package is installed
  • Again, tool supports beaconing activity.

27. Trusted Server

  • Intrusion through a Web Server to a backend server like a database (SQL Injection).
  • Server is trusted, and often improperly located within internal network.
  • Excess trust granted because server is internal.

28. Trusted Relationships

  • Intrusion through a trusted business partner
  • Friendly party is intruded -- access is likely to appear to have valid credentials
  • Daisy-chain of trusts -- Problem exacerbated by promiscuity of business networks

29.

  • What the FBI can do
  • Investigate
    • National and global
    • Combine technical skills and investigative experiences
    • Long-term commitment of resources
  • Forensics (RCFLs)
  • Pattern and Link Analysis
  • Bring national security concerns to intelligence community

FBI Response 30.

  • 56 Field Offices with Cyber Squads.
  • 61 FBI Legal Attach Offices around the world, with an addl 14 Sub-offices.
  • Cyber Trained Agents embedded with foreign police agencies.

FBI Response 31.

  • National Cyber Investigative Joint Task Force
  • Cyber Action Team
  • Threat Focus Cells that are focusing on key threats and trends.
    • These groups consist of agents, officers, and analysts from different agencies.
    • Financial TFC, SCADA TFC, Romanian TFC, Botnet TFC

FBI Response 32. Threat Focus Cells

  • FBI-led government-level working groups targeting high-threat issues, with a view towards the following:
    • Identify the Infrastructure Understand the mechanics behind the Cyber threat
    • Victim Profiling Assess how and why specific victims are targeted
    • Subject Identification Identify malicious actors, methods, criminal histories
    • Consumer Identification Malicious actors may be sub-contractors
    • Operational Development Mitigation strategies

33. Botnet Threat Focus Cell Coreflood Takedown

  • Assistance from various network security partners and A/V companies to reverse engineer the infection and develop detection/removal signatures.
  • Multi-pronged approach to take over the C&C network, mitigate infection, and provide victim notification.
  • The first instance of DoJ approval of a minimal intrusion upon victim computers for the greater good of end-users.
  • Concerns for potential negative unforeseen consequences, claims of privacy violations against the Govt.
  • Careful tonotcollect any personal information from victim PCs.

34. Botnet Threat Focus Cell Coreflood Takedown 35. Botnet Threat Focus Cell Coreflood Takedown 36. Intelligence Sharing At All Levels

  • Government Agencies - Threat Focus Cells
    • Share Intel and Mitigation Strategies
  • Government to Corporate InfraGard
    • Developed in 1996
    • 1000 Intelligence Reports Disseminated in the past year.
  • Government to Public Internet Crime Complaint Center
    • IC3.gov
    • LooksTooGoodToBeTrue.com

37. InfraGard.net 38. Intelligence Sharing At All Levels

  • Government Agencies - Threat Focus Cells
    • Share Intel and Mitigation Strategies
  • Government to Corporate InfraGard
    • Developed in 1996
    • 1000 Intelligence Reports Disseminated in the past year.
  • Government to Public Internet Crime Complaint Center
    • IC3.gov
    • LooksTooGoodToBeTrue.com

39.

  • What the FBI wont do
  • Take over your systems.
  • Repair your systems.
  • Share proprietary information with competitors.
  • Provide investigation-related information to the media or shareholders.
  • In essence we will not further victimize the victim.

FBI Response 40. Director Mueller at RSA

  • FBI Director Mueller at RSA: No one country, company, or agency can stop cyber crime. A bar the windows and bolt the doors mentality will not ensure our collective safety. Fortresses will not hold forever; walls will one day fall down. We must start at the source; we must find those responsible. The only way to do that is by standing together. Together we can find better ways to safeguard our systems and stop those who would do us harm. For ultimately, we face the same threat. We both serve the American people. And we must continue to do everything we can, together, to minimize these attacks.