1. © 2013 Infoblox Inc. All Rights Reserved. © 2015 Infoblox Inc. All Rights Reserved.
Unlocking Cyber-Crime – The New Cold War
Jamison Utter | Principal Security Consultant
6/15/2016
2.
Motive Matters
“No one can build his security upon the nobleness of another person.” *
*Willa Cather, Alexander's Bridge
3.
Exponential ROI
[Chart: one-year return by investment type]
CD = 1%
Money Market = 0.5%
Average Stock Market = 7%
Cyber Crime = 1425%
4.
Breaking it down
What’s the cost of entry?
Item                  Total Investment
Payload               $3,000
Infection Vector      $500
Traffic Acquisition   $1,800
Daily Traffic         $600
Total Expenses        $5,900
5.
The Payload
The Challenge:
- Avoid trivial signature detection
The Solution:
- A new hash of a crypto-variant that is identified with ‘good’ programs (by purchasing the source code with support)
The Cost:
- 10 Bitcoin (or about $3000 USD)
This does not include source code and support!
6.
Commodity Programming
• Criminal elements are in constant reinvestment cycles, expanding both footprint and technical ability.
• Like real software, most malware is developed in teams by technical coders specialized in a particular function.
• Customer support, code support, and bug fixes are now table stakes in professional malware.
7.
Economy of Scale
[Chart: Average Monthly Income in US Dollars (scale 0 to 1000) for Poland, Czech Republic, Slovak Republic, Russian Federation, Hungary, Romania, Bulgaria, Ukraine]
A semi-skilled Ukrainian hacker can make 5x – 25x their normal income by switching to a business model that is illegal (in the US)
8.
The Infection Vector
9.
Traffic Acquisition
Getting clicks!
- Often via phishing (pretty easy)
- Sometimes scare-ware
- Sometimes ad networks
- Also via botnets (RATs)
10.
Crime as a Service
[Pyramid: Professional Crime Software]
Top: Technical Innovators
Middle: Resellers/Maintainers
Bottom: Non-technical Opportunists / Crimeware-as-a-Service Users
11.
Breaking it down
What’s the ROI?
Item                    Value
Visitors                20,000
Infection Rate          10%
Payout Rate             0.5% (Symantec = 3%)
Ransom Amount           $300
ROI (Average 30 days)   $3,000/day ($90,000/month)
12.
What is the scale of this?
[Map: The Black Market compared with Georgia, Iceland, Albania, Honduras, El Salvador]
The black market is a 17 billion dollar economy
13.
The Zero Sum Game
[Diagram: cycle of Innovation, Development, Deployment, Capitalization; Current State versus Where we need to be]
Ceiling Cat FTW!
14.
Change the Security Paradigm
“The long term goal of a security strategy cannot be to outsmart criminals, since that just breeds smarter criminals.”*
*Jaron Lanier – “Who Owns the Future”
15.
Meeting the Challenge
Collaboration
Intelligence
Speed
16.
Collaboration
[Cycle: Identify, Collect, Analyze, Distribute, Act]
Security is a system; it's as alive as an organization or organism. Without cooperation and data sharing between devices, you will never triangulate and locate threats already in your network.
17.
Intelligence
“Securing cyberspace is a shared responsibility - collecting, analyzing & disseminating cyber threat intel” - FBI
18.
What’s missing from your Threat Intel?
Risks
Targets and Assets
Threats (or Threat Actors)
Movement
Observation and Restriction
19.
What makes “actionable” intelligence?
• Timely: early discovery, appropriate TTLs, sensible refresh rate
• Relevant: applies to your problems, your use cases
• Accurate: reasonable precision, limited false positives
• Contextual: why a threat, what kind, and what else is it related to
• Easy-to-Use: pre-integrated, standard formats, REST APIs
• Reliable: consistent in quality and rate/volume
20.
Speed
We must shorten the Kill Chain, or we will always be behind the ball.
21.
Changing Security Culture
Wisdom consists in being able to distinguish among dangers and
make a choice of the least harmful.
— Niccolo Machiavelli, The Prince
22.
Security is a Culture
Application Development
Network Design
End-user Training
Business Workflow
23.
Insecure Code
Characteristic
I Injectable Code
N Non-Repudiation Mechanisms not Present
S Spoofable
E Exceptions and Errors not Properly Handled
C Cryptographically Weak
U Unsafe/Unused Functions and Routines in Code
R Reversible Code
E Elevated Privileges to Run
(ISC)2 InSecure Code practices
24.
Secure Network Design
Know Don’t Guess
Avoid Dangling Networks
Route where needed not where possible
See all manage all
Know when to standardize
Power is important
Embrace Documentation
Jennifer Jabbusch
CISO, Carolina Advanced Digital
25.
Secure Environment
[Cycle: Educate, Evaluate, Adjust, Cultivate, Test]
26.
Business Workflow
Leadership
Performance
Culture
27.
THANK YOU
@jamison_utter
Jamison Utter
Editor's note: A semi-skilled Ukrainian hacker can make 400x their normal income by switching to a business model that is illegal (in the US)
How do we get that payload on a machine?
Exploit (like Flash, or Java, or Windows)
Use a service to install it (via Zeus or Angler?)
The cybercrime network is expanding, strengthening, and, increasingly, operating like any legitimate, sophisticated business network. Today’s cybercriminal hierarchy is like a pyramid. At the bottom are the nontechnical opportunists and “crimeware-as-a-service” users who want to make money, a statement, or both with their campaigns. In the middle are the resellers and infrastructure maintainers—the “middlemen.” At the top are the technical innovators—the major players whom law enforcement seeks most, but struggles to find.
Crimeware’s development and distribution is highly organized and controlled by criminal groups that have formalized and implemented business models to automate cybercrime.
Just as the software industry has spawned a business model in reselling, installing, and maintaining legitimate code, the malware industry has spawned distribution and support networks to assist criminals in successful malware usage.
Developers of crimeware profit from the sale or lease of the malware to third parties, who then use it to perpetrate identity theft and account fraud. When individual groups of criminals coordinate their efforts, the product is Crimeware as a Service (CaaS).
Ponemon stats around timeliness expectations
https://www.isc2.org/uploadedfiles/(isc)2_public_content/certification_programs/csslp/csslp-wp-5.pdf SANS
STH.EndUser Security Awareness Training