The Cyber Holy Grail! - Global Fraud Conference

Transcription

Cyber Thieves:
A Crash Course on Getting to Know Them
Cary E. Moore, CFE, CISSP, EnCE
Speaker
Cary E. Moore, CFE, CISSP, EnCE
• 12 years of Computer Forensic and InfoOps experience
• Senior Vice President, Emerging Threats Manager
– Cyber Intelligence Analytics Towards Emerging Threats
• Formerly
– Guidance Software Inc.
• Technical Director, Cybersecurity
– Special Agent, Air Force Office of Special Investigations
• Computer Crime Investigations and Operations
• Counterintelligence and Counterespionage Investigations
• (Cyber) Technical Surveillance and Countermeasures (TSCM)
• First computer: TI-99/4A
– With the speech module!
Agenda
Cyber Thieves: A Crash Course on Getting to Know Them
1. Insider Threats (Insiders)
2. Breaking Cyber Barriers (External)
3. You Never Saw It Coming! (Customers & Partners)
4. Attribution: The Cyber Holy Grail!
Insider Threats
Profiles
• Traitors
– A trusted person
– Makes a decision to betray
– True motive might be unapparent
– Case timeline (years): 1985, 1994, 1998, 2001, 2001, 2003, 2006
– Cases: CIA—Larry Wu-Tai Chin; CIA—Aldrich “Rick” Ames; CIA—Douglas Groat; NRO—Brian Regan; DIA—Ana Belen Montes; FBI—Robert Hanssen; USN—PO Ariel Weinmann
Insider Threats
Profiles
• Traitors (continued)
– Distinct warning signs
• Unusual change in work habits
– Seeks out sensitive projects
– Unusual work hours
• Sloppy security habits or scoffs at security
• Might rationalize inappropriate actions
• Change in lifestyle
– Living beyond their means
Insider Threats
Profiles
• Zealots (a/k/a Hacktivists)
– Ideological
– Motivated by their beliefs
– Believe their actions are just,
no matter how detrimental
– Might pass info. to allies, unaware of the
intelligence threat
Insider Threats
Profiles
• Spies
– Intentionally in a situation or
organization to glean intelligence
• Foreign intelligence
• Business intelligence
• Competitive intelligence
Operation Ghost Stories
2010 Russian Spy Ring
Anna Chapman, June 2010
Insider Threats
Profiles
• The Browsers
– Those who violate the “need-to-know” principle
– Persons who have required clearance
• But no requirement for
the information
• Search for information with or
without specific intentions
Insider Threats
Profiles
• The Browsers (continued)
– Might utilize the activity or information
for personal gain
• Receiving rewards
• Promotion
• Contracts
• Personal advantage
Insider Threats
Profiles
• The Well-Intentioned
– Victims of social engineering
• Phishing
• Spearphishing
• Whaling
• The Tinkers
– Boredom
– Curiosity
Insider Threats
Profiles
• The Well-Intentioned (continued)
– Unwittingly give unauthorized access
• Carelessness
– Unlocked workstations/network rooms
• Ignorance
– P2P and file sharing software
– Dated security practices
Insider Threats
Case Study 1
• The key findings from “The Insider Threat Study”
on Computer System Sabotage in Critical
Infrastructure Sectors are:
– A negative work-related event triggered most insiders’
actions
– 43 percent of the insiders had authorized access to
the system/network at the time of the incident
Source: www.secretservice.gov/ntac_its.shtml
Insider Threats
Case Study 1
• Computer System Sabotage in Critical
Infrastructure Sectors (continued)
– 39 percent of the insiders used one or more relatively
sophisticated methods of attack, which included:
• A script or program
• An autonomous agent
• A toolkit
Source: www.secretservice.gov/ntac_its.shtml
Insider Threats
Case Study 1
• Computer System Sabotage in Critical
Infrastructure Sectors (continued)
– 63 percent of the incidents were detected because of
an irregularity in the information or system
– 62 percent of the insiders developed plans to harm
the organization
– 47 percent of the cases involved overt behaviors
in preparation for the incident, such as stealing
copies of back-ups
Source: www.secretservice.gov/ntac_its.shtml
Insider Threats
Case Study 2
• The key findings from “The Insider Threat Study” on
Illicit Cyber Activity in the Banking and Finance Sector
are:
– Required minimal technical skill to execute
– Involved the simple exploitation of inadequate
practices, policies, or procedures
– 78 percent of the cases involved the modification
and/or deletion of information
Source: www.secretservice.gov/ntac_its.shtml
Insider Impact
Mission Impact
• Email Servers
• Communication Systems
• Security Systems
• Database Operations
• Accounting Operations
• Research and Development
• Maintenance and Monitoring Systems
• Critical Operation Systems
Everything That Is Connected
Insider Impact
Information at Risk
• Intellectual Property
– Design Documents
– Source Code
– Trade Secrets
• Government Data
– War Plans
– Intelligence
– Law Enforcement Information
• Customer Data
– Personal Data
– Credit Card Numbers
– Customer Financial Data
• Corporate Data
– Financial Data
– Mergers and Acquisition
– HR Data
– Marketing and Sales
Insider Detection
Insider Indications
• Test scripts and/or techniques
• Try a multitude of tools (e.g., port scanners, network probes, war driving)
• Rogue systems
• Bogus accounts
• Odd hour activity
• Undue curiosity
• Hiding screen data
• Positions screen to hinder view
Insider Detection
Insider Indications (continued)
• Joking and bragging
• Installs unauthorized software
– Duty-associated software: Dreamweaver, Nero, Photoshop, programming software
– Unassociated harmless software: WinAmp, ICQ, games
– Suspicious software: L0phtCrack, key generators, rootkits
• Escalated privileges
• No fear of getting caught
Insider Threats
Investigation Techniques
• Create a Timeline from:
– Account Records
– Logs (Firewall, IDS, A/V, Sniffers, Proxy, System)
– GPS
– Print Servers
Insider Threats
Investigation Indicators and Leads
• When indicators arise, review for:
– Unusual processes
– TCP/UDP connections
– Website activity (local/proxy)
– Unauthorized devices
Insider Threats
Investigation Indicators and Leads
• When indicators arise, review for:
– Remote access sites (Logmein, PCAnywhere, WebEx, etc.)
– Unauthorized websites
– Use of anonymity sites or installation of TOR
– Accounts and their rights
Insider Threats
Proactive Efforts
• Monitor help desk tickets for trends.
– Insiders do call for help when their attempts to circumvent security measures mess things up.
• Monitor for unusual logon times.
• Scan for bogus accounts.
Insider Threats
Proactive Efforts
• Review scans for unauthorized software,
file, and folder access and compile trends.
• Train security to monitor contractors and
visitors and report suspicious activities.
• Deactivate access following termination.
Insider Threats
The Comparative
• Insider
– Given access
– Uses access to:
• Misuse equipment and network access
• Escalate privileges
• Affect the business operations
• Compromise systems and corporate data
• Install malware
• Etc.
• Hacker
– Gains access by whatever means necessary
– Once access is achieved, GAME ON!
Breaking the Cyber Barriers
• 2011 Report to Congress on Foreign Spies
Stealing U.S. Economic Secrets in
Cyberspace
– China and Russia are pursuing American
technology and industrial secrets,
jeopardizing an estimated $398 billion in U.S.
research spending.
– In 2010, the FBI prosecuted more Chinese
espionage cases than at any time in our
nation’s history.
Source: www.ncix.gov/issues/economic/index.php
Breaking the Cyber Barriers
• 2011 Report to Congress on Foreign Spies
Stealing U.S. Economic Secrets in
Cyberspace
– For example, a DuPont chemist in October
2010 pled guilty to stealing research from the
company on organic light-emitting diodes.
– The chemist intended to commercialize in
China with financial help from the Chinese
Government.
Source: www.ncix.gov/issues/economic/index.php
Breaking the Cyber Barriers
Governments Under Attack
• Solar Sunrise (1998)
– Cyber attack on the Pentagon
• An Israeli hacker guided two kids from California who hacked multiple targets, including the Pentagon
• Attacking unpatched Solaris Systems
• Basic hacking techniques:
Recon, Probe, Exploit, Gather Data, Exfiltrate
Source: www.wired.com/threatlevel/2008/09/video-solar-sun/
Breaking the Cyber Barriers
Governments Under Attack
• Moonlight Maze (1998)
– U.S. officials accidentally discovered (during
Eligible Receiver) a pattern of probing of
computer systems at the Pentagon, NASA,
Energy Department, private universities, and
research labs.
– Began in March 1998 and had been going on
for nearly two years.
Source: www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/
Breaking the Cyber Barriers
Governments Under Attack
• Moonlight Maze (1998)
– Tens of thousands of files included:
• Maps of military installations
• Troop configurations
• Military hardware designs
– The DOD traced the attack back to a
mainframe computer in the former USSR.
– The true attacker is unknown, and Russia
denies any involvement.
Source: www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/
Breaking the Cyber Barriers
Governments Under Attack
• Titan Rain (2003–2005)
– A group of about 20 hackers, believed to be
based in the Chinese province of Guangdong
– Thought to have stolen U.S. military secrets, including aviation specifications and flight-planning software
– “China has downloaded 10 to 20 terabytes of
data from the NIPRNet”–Maj. Gen. William Lord
Sources: www.zdnet.com/news/security-experts-lift-lid-on-chinese-hack-attacks/145763
http://gcn.com/Articles/2006/08/17/Red-storm-rising.aspx?p=1
Breaking the Cyber Barriers
Governments Under Attack
• The Target?
– R&D
– Intellectual
Property
• For?
– Economic
Advantages
– Geopolitical
Advantages
Images from:
http://en.wikipedia.org/wiki/File:F22a3view.png
http://en.wikipedia.org/wiki/File:Chengdu_J-20.svg
Breaking the Cyber Barriers
Governments Under Attack
• Rep. Michael McCaul (R–TX, April 24, 2012)
– “When I look at countries like China, who
have stolen our Joint Strike Fighters, F-35
and F-22s, stolen those blueprints so they can
manufacture those planes…”
– “You know when I look at the theft of
intellectual property to the tune of $1 trillion,
that’s a serious economic issue for the
United States.”
Source: cnsnews.com/news/article/chinese-hackers-stole-plans-americas-new-joint-strike-fighter-plane-says-investigations
Breaking the Cyber Barriers
Corporations Under Attack
• Operation Aurora (2009–2010)
– Cyber attack on multiple high-profile companies
• Google, Adobe, Yahoo, Symantec, Northrop
Grumman, Morgan Stanley, Dow Chemical, etc.
– Purported intent to access and alter software
source code and other intellectual property
– Link in email to malicious JavaScript
– Created a backdoor into their networks
Source: www.wired.com/images_blogs/threatlevel/2010/03/operationaurora_wp_0310_fnl.pdf
Breaking the Cyber Barriers
Corporations Under Attack
• RSA Attack (2011)
– Spearphishing attack with an Adobe Flash vulnerability in an Excel spreadsheet
• “2011 Recruitment plan.xls”
• Zero-day exploit opened a backdoor into RSA
• Poison Ivy—Remote Access Tool (RAT)
• Focus was believed to be the inner workings of their SecurID product, used to secure some of the world’s most sensitive networks
Source: http://blogs.rsa.com/rivner/anatomy-of-an-attack/
RSA Attack (continued)
Source: http://blogs.rsa.com/rivner/anatomy-of-an-attack/
Breaking the Cyber Barriers
Corporations Under Attack
• RSA Attack (2011)
– The stolen SecurID data was used to
compromise additional companies.
• Lockheed Martin (confirmed)
• L-3 Communications (confirmed)
• Northrop Grumman (unconfirmed)
Sources: http://gcn.com/articles/2011/06/07/rsa-confirms-tokens-used-to-hack-lockheed.aspx/
www.wired.com/threatlevel/2011/05/l-3/
www.eweek.com/c/a/Security/Northrop-Grumman-L3-Communications-Hacked-via-Cloned-RSA-SecurID-Tokens-841662/
Breaking the Cyber Barriers
Corporations Under Attack
• The Result?
– “Inspiration”
Images from:
http://commons.wikimedia.org/wiki/File:Martin_Motors_CEO_Rear.JPG
http://images.caradisiac.com/images/3/7/6/9/23769/S0-Shuanghuan-CEO-et-Jonway-UFO-en-France-au-mois-de-mai-101155.jpg
Breaking the Cyber Barriers
Corporations Under Attack
• The Result?
– “Naturally, our cars are
inspired by European
carmakers,” said Karl
Schlössl, a German who
is the chief executive of
China Automobile. “But
we reject the charge that
they are copies.”
www.bmwblog.com/2007/09/13/frankfurt-2007-bmw-vsshuanghuan/
www4.pictures.gi.zimbio.com/62nd+International+Motor+Show+Cars+IAA+cc0QC1ZxBxyl.jpg
Breaking the Cyber Barriers
Corporations Under Attack
• Knock it off!
– Image comparison: BMW X5, Shuanghuan CEO, Toyota Land Cruiser
Images from:
sunboar.files.wordpress.com/2006/10/bmw-vs-byd-logo.jpg
http://images.forbes.com/images/2002/07/08/test_int_415x308.jpg
http://images.caradisiac.com/images/3/7/6/9/23769/S0-Shuanghuan-CEO-et-Jonway-UFO-en-France-au-mois-de-mai-101102.jpg
http://www.sobrecoches.com/var/plain_site/storage/images/coches/toyota/land_cruiser/novedad_r_edition/interior/toyota_land_cruiser_r_edition/313114-1-esl-ES/toyota_land_cruiser_r_edition1.jpg
Breaking the Cyber Barriers
Physical Data Exfiltration
Source: Cyber Threat Presentation, SA Doris Gardner, FBI
Breaking the Cyber Barriers
Governments Under Attack
• Responsive Legislation (CISPA)
– Rep. Mike Rogers (R–MI, May 3, 2012)
• “It began with China stealing hard-copy business
plans and sensitive research-and-development
…when (our) executives traveled to China.”
• “U.S. companies soon began noticing a surge in
counterfeit products as their innovations were
being stolen, re-engineered, and sold by Chinese
companies on global markets.”
Source: The Detroit News: www.detroitnews.com/article/20120503/OPINION01/205030326#ixzz1u2BldppA
Breaking the Cyber Barriers
Governments Under Attack
• Responsive Legislation (CISPA)
– Rep. Mike Rogers (R–MI, May 3, 2012)
• “With the Internet boom, China turned its focus to
cyber espionage and began stealing the hard work
and innovations of U.S. companies…”
• “Thousands of highly-trained computer spies now
work…to steal U.S. research and development
information that the Chinese can use to further
their economic growth and compete against us in
the global marketplace.”
Source: The Detroit News: www.detroitnews.com/article/20120503/OPINION01/205030326#ixzz1u2BldppA
Breaking the Cyber Barriers
Governments Under Attack
• Responsive Legislation (CISPA)
– Rep. Mike Rogers (R–MI, May 3, 2012)
• “China is literally trying to steal our prosperity and
our way of life out from under us.”
• “Other nation-states such as Russia and Iran also
are getting in on the act, rapidly becoming
insatiable cyber predators.”
Source: The Detroit News: www.detroitnews.com/article/20120503/OPINION01/205030326#ixzz1u2BldppA
Breaking the Cyber Barriers
Investigation Indicators and Leads
• Follow same leads as an insider threat
– Create a timeline
– Review logs (Firewall, IDS, Proxy, etc.)
– Work with IT to determine “Subject Zero”
• Email
• USB Drive
• Remote User Access
Breaking the Cyber Barriers
Investigation Indicators and Leads
• Be Proactive
– Monitor Help Desk tickets
• Compromised systems might show signs
– Slow processing, strange issues, program crashes, etc.
– Unusual network connections and unauthorized
programs
– Bogus accounts
– Strange websites (proxy logs)
Breaking the Cyber Barriers
Investigation Indicators and Leads
• Employee Training
– Examples of malicious site indicators
– Have employees report unauthorized devices
• Hotline?
– Run an internal Phishing training exercise
– Even if it’s an email from someone you trust,
was the email/attachment expected?
You Never Saw It Coming!
Partners Are the Focus
• Subcontractors
• Partner Suppliers and Supply Chain
• Service Providers
(ISP, Telecom, Teleconference providers, facility management)
• Service Contractors
(Incident responders, IT Support, security guards)
You Never Saw It Coming!
Partners Are the Focus
• Partner Network/Systems
– Low IT resources
– Unable to focus on security over services
– Might connect via VPN or bring a system into
your organization
You Never Saw It Coming!
Partners Are the Focus
• Partner Network/Systems
– Once connected they bring “everything” along
• Malware, vulnerabilities, backdoors
– Disgruntled employees, poor practices, etc.
You Never Saw It Coming!
Partners Are the Focus
• Partner Network/Systems
– Your organization was the true target, but the
vector was your partner organization.
– Could be industry focused, take oil and gas…
– Logic bomb?
You Never Saw It Coming!
Customers in the Crosshairs
• How easy is it to rob a bank?
You Never Saw It Coming!
Customers in the Crosshairs
• How easy is it to rob a bank’s customers?
– The bank will likely reimburse the customer
for stolen funds.
• So, who’s really being robbed here?
Online Banking Trojans
• Phase 1: Social Engineering (fraudster deploys multiple tools)
– Social Spaces
– Man-in-the-Phone & Vishing
– Phishing/Spear Phishing
– OLB Account Access
• Phase 2: Account Take Over (fraudster gathers all collected info)
– Out-of-band Passcode
– SMS Alerts
– SafePass
– OTP
– Security Questions during a Call center conversation
You Never Saw It Coming!
Wrap-Up
• Be aware of the security implications
posed by your business partners and the
threats to your customers.
– Education is the start.
– Consider offering tools to your customers,
such as AV, or at least recommendations.
– Ask your business partners about their
security posture.
You Never Saw It Coming!
Wrap-Up
• Don’t let anyone attach a system to your
network without scanning or assurance.
• Don’t give contractors unsupervised
access into your network.
– Monitor physically and electronically.
You Never Saw It Coming!
Wrap-Up
• Have contractors sign the same network
access agreement as employees.
– Privacy issues
– Unauthorized use
– Legal recourse
Attribution
The Cyber Holy Grail!
• Can a Word document call home?
• Can a PowerPoint presentation let you
know it was just opened?
Attribution
The Cyber Holy Grail!
• Yes!
– It all starts with a very small image.
– The Tracker.gif
– Can you see it?
Attribution
The Cyber Holy Grail!
• Let’s make it a little bigger:
– Transparent .gif image
– Used by Web Designers as a “spacer.gif”
– 1 pixel by 1 pixel (tracker enlarged: “Hi! I’m Tracker.gif!”)
• So, how does it work?
Attribution
The Cyber Holy Grail!
• But, the document is accessing the
Internet…
– Isn’t the user notified?
• No
– Will the user get an error if the document can’t
get the tracker?
• No
Attribution
The Cyber Holy Grail!
• But, you have the tracker in the text and
the user can easily delete it.
– Headers and footers are your friends!!!
– PowerPoint Slide Master
– Excel—Be creative…
The key is “embedding” the image
as a link:
This is a view of the document
in the recovery text view.
We can see the image being pulled from the Web server.
The Tracker.gif can reside anywhere on your
public Web server:
Covertforensics.com is an actual domain for testing.
Attribution
The Cyber Holy Grail!
• So, what will you see from your server logs?
– 2009-05-09 14:15:09 GET Word_tracker.gif - 80 - >>Your Public IP Address<< HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1;+Tablet+PC+1.7;+.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
– The document was opened on 2009-05-09 19:15:09
– From Windows XP Tablet PC Edition (Windows+NT+5.1;+SV1;+Tablet+PC)
– Which has Internet Explorer 7.0 and FireFox (Mozilla 4.0)
Sounds cool, but how is it applied?
• ABC Inc. is concerned Steve is giving info. to XYZ Inc.
• Steve takes the files without knowing they have trackers.
• Steve accesses them from his house.
• Steve sends them to his buddy at XYZ Inc.
• XYZ Inc. opens the files within their corporate network.
• Web logs show the documents opened from two IPs.
• The files are now considered compromised.
• ABC Inc. identifies Steve to the authorities for a formal criminal investigation.
• ABC Inc. files an Intellectual Property Theft Complaint against XYZ Inc.
– During the discovery process, the judge orders eDiscovery on XYZ Inc.
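As an added example (not from the presentation), this Python script reads IIS-style W3C log lines like the one shown above, keeps only the tracker.gif fetches, and groups them by client IP with a short OS/browser reading of the user agent; that grouping is how the "two IPs" in the ABC/XYZ scenario would surface. The #Fields: order, the beacon file names, the IPs and every log line are constructed assumptions.

```python
"""Find web-beacon (tracker.gif) fetches in an IIS W3C extended log.
Added example, not from the presentation. Field order follows the
#Fields: directive in the constructed log; beacon file names, IPs and
log lines are all assumed/constructed. IIS writes W3C log times in UTC."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed names of the beacon images placed on the public web server.
TRACKER_NAMES = {"Word_tracker.gif", "PPT_tracker.gif"}

# Constructed sample log; IIS encodes spaces in the user agent as '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) sc-status
2009-05-09 14:15:09 GET /Word_tracker.gif - 80 - 198.51.100.23 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1;+Tablet+PC+1.7) 200
2009-05-09 14:16:02 GET /images/logo.png - 80 - 198.51.100.23 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200
2009-05-11 09:02:44 GET /Word_tracker.gif - 80 - 203.0.113.77 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1) 200
2009-05-11 09:03:10 GET /PPT_tracker.gif - 80 - 203.0.113.77 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1) 200
2009-05-12 22:40:00 GET /Word_tracker.gif - 80 - 203.0.113.77 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1) 304
"""

WINDOWS_VERSIONS = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7"}


def describe_agent(ua):
    """Short OS/browser description from a '+'-encoded IE user agent."""
    ua = ua.replace("+", " ")
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    os_name = WINDOWS_VERSIONS.get(nt.group(1), f"Windows NT {nt.group(1)}") if nt else "unknown OS"
    if "Tablet PC" in ua:
        os_name += " Tablet PC Edition"
    ie = re.search(r"MSIE (\d+\.\d+)", ua)
    browser = f"Internet Explorer {ie.group(1)}" if ie else "unknown browser"
    return f"{os_name}, {browser}"


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields:."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def tracker_hits(text):
    """Beacon fetches by client IP: {ip: [(time_utc, file, agent)]}.
    304 responses count too: the client revalidated a cached beacon,
    so the document was opened again although no bytes were sent."""
    hits = defaultdict(list)
    for row in parse_w3c(text):
        name = row["cs-uri-stem"].rsplit("/", 1)[-1]
        if row["cs-method"] == "GET" and name in TRACKER_NAMES and row["sc-status"] in ("200", "304"):
            when = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            hits[row["c-ip"]].append((when, name, describe_agent(row["cs(User-Agent)"])))
    return dict(hits)


if __name__ == "__main__":
    for ip, opens in tracker_hits(SAMPLE_LOG).items():
        print(ip)
        for when, name, agent in opens:
            print(f"  {when:%Y-%m-%d %H:%M:%S} UTC  {name}  {agent}")
```

Logged times are UTC, so convert to the suspect's local zone before asserting when the file was opened, as the slide does.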
Attribution
The Cyber Holy Grail!
• XYZ Inc. tries to hide data by removing “ABC Inc.” and any logos belonging to ABC Inc.
• But, ABC Inc. was ready for that…
Attribution
The Cyber Holy Grail!
• ABC Inc. injected a specific
keyword “tag” into every
electronic file created in
the company.
– To include templates!
Attribution
The Cyber Holy Grail!
• The search revealed three files
on XYZ’s network similar to
the compromised files,
except the company names
and logos were changed
to XYZ Inc.
• By tagging the document,
it was present even if the
user changes the document
text.
Attribution
The Cyber Holy Grail!
• The likelihood of “@BC-1NC0RP0R@T10N” happening by accident is VERY low.
Attribution
The Cyber Holy Grail!
• Any document created by
a template (.dot) will also
have the tag.
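As an added example (not from the presentation), this Python script searches a directory tree for the provenance tag the way the eDiscovery search above would, looking inside OOXML (.docx/.pptx/.xlsx) zip containers and checking both UTF-8 and UTF-16LE byte encodings, since a plain text search can miss a tag stored either way. The slides do not say how ABC Inc. injected the tag, so the code assumes it is present as text; the sample files, their names and contents are constructed.

```python
"""Search a directory tree for a hidden provenance tag.
Added example, not from the presentation. Assumes the tag was inserted
as text, so it appears UTF-8-encoded inside the XML parts of OOXML zip
containers and possibly UTF-16LE-encoded in legacy binary Office files.
All sample files below are constructed in a temporary directory."""
import os
import tempfile
import zipfile

TAG = "@BC-1NC0RP0R@T10N"  # the tag from the case study


def file_contains_tag(path, tag=TAG):
    """True if the tag occurs as UTF-8 or UTF-16LE, in the file or in any zip part."""
    needles = (tag.encode("utf-8"), tag.encode("utf-16-le"))
    if zipfile.is_zipfile(path):  # .docx/.pptx/.xlsx are zip containers of XML parts
        with zipfile.ZipFile(path) as zf:
            return any(any(n in zf.read(part) for n in needles) for part in zf.namelist())
    with open(path, "rb") as fh:
        data = fh.read()
    return any(n in data for n in needles)


def find_tagged_files(root, tag=TAG):
    """Return sorted paths (relative to root) of files that carry the tag."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if file_contains_tag(path, tag):
                found.append(os.path.relpath(path, root))
    return sorted(found)


def build_sample_tree():
    """Create constructed sample files and return the directory path."""
    root = tempfile.mkdtemp(prefix="tagscan_")
    # Renamed OOXML document: company name changed, tag still in the XML.
    with zipfile.ZipFile(os.path.join(root, "XYZ_plan.docx"), "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", f"<w:t>XYZ Inc. strategic plan</w:t><w:t>{TAG}</w:t>")
    # Legacy-style binary document with its text stored as UTF-16LE.
    with open(os.path.join(root, "XYZ_notes.doc"), "wb") as fh:
        fh.write(b"\xd0\xcf\x11\xe0" + "XYZ Inc. notes".encode("utf-16-le")
                 + TAG.encode("utf-16-le") + b"\x00" * 16)
    # Plain text export carrying the tag as UTF-8.
    with open(os.path.join(root, "template.txt"), "w", encoding="utf-8") as fh:
        fh.write(f"Header\n{TAG}\nBody\n")
    # Untagged file written by XYZ itself.
    with open(os.path.join(root, "own_work.txt"), "w", encoding="utf-8") as fh:
        fh.write("XYZ Inc. original work\n")
    return root


if __name__ == "__main__":
    for rel in find_tagged_files(build_sample_tree()):
        print("tagged:", rel)
```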
Questions?
Cyber Thieves:
A Crash Course on Getting to Know Them
Cary E. Moore, CFE, CISSP, EnCE
Image From: http://dilbert.com/strips/comic/2007-09-13/