SlideShare a Scribd company logo

"Giving the bad guys no sleep"

Christiaan Beek
Christiaan Beek

Over the past year, Intel Security has actively participated with global law enforcement agencies in take-down operations to shut down cybercrime infrastructure, associated malware and the cybercriminals themselves. This session will deconstruct emerging attack campaigns and techniques, examine pragmatic defense strategies and discuss what to expect in the future.

Internet
1 of 32
Download to read offline
SESSION ID: #RSAC Raj Samani Disrupting Adversarial Success— Giving the Bad Guys No Sleep SPO1-T09 VP, CTO for EMEA Intel Security Christiaan Beek ATR Lead – Office of the CTO Intel Security
#RSAC Agenda 2 Introduction When the power shuts down…. Using botnets for insider trading Giving the bad guys no sleep What’s next?
#RSAC 3 Christiaan Beek Director Strategic Intelligence & Operations Intel Security – Office of the CTO Raj Samani CTO for Europe, Middle East, and Africa Intel Security
#RSAC When the power shuts down 4 Ukrainian Power Grid attack
#RSAC 5 Dec 23, 2015: Two Ukrainian power-companies, Prykarpattyaoblenergo and Kyivoblenergo were hit by a coordinated cyber-attack. As a result of this attack, eight provinces of the Ivan-Frakivk region were impacted, resulting in a power-outage for approximately six hours affecting over 80,000 customers. The affected company reported to be operating in “manual’ mode, an indicator that their network was impacted. At the same time a DDoS attack was launched against assets of the energy company. When the power shuts down….
#RSAC Stage 1 of the attack: Flow of events Reconnaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Action on Objectives Excel/Word exploits – hidden dropper in Macro Spear-phishing email in Ukrainian language with weaponized attachment Execution of macro Installation of dropper Connect to C2 and download stage 2 malware Gather intel of landing point in the target’s network Cbeek-2016
#RSAC Stage 2 of the attack: Establish control Reconnaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Action on Objectives Using backdoor created by malware to upload tooling Installation of SSH backdoor or Shells Connect to Attacker(s) Lateral movement to find machines controlling the HMI layer Cbeek-2016
#RSAC Stage 3 of the attack: Execution time Reconnaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Action on Objectives Installation of Kill-disk component machines controlling HMI layer Connect to the HMI machines Use the HMI software to shutdown the power-grid followed by wiping the systems
#RSAC At the same time… 9 While the attackers were shutting down the services, a coordinated DDoS attack was launched against the phone systems so that operators didn’t know that remote sites were out.
#RSAC 10 To be continued……
#RSAC Using botnets for insider trading
#RSAC Botnets Traditionally: Remote control, Denial of Service,Pii theft Today a managed service with: • Anonymous communications • Access management to subscribed networks/systems • Help desk Services • Payment Services
#RSAC Botnets used for insider trading 13 https://blogs.mcafee.com/mcafee-labs/a-dummies-guide-to-insider-trading-via-botnet/ https://blogs.mcafee.com/mcafee-labs/a-dummies-guide-to-insider-trading-via-botnet-part-2/
#RSAC Giving the bad guys no sleep 1 4
#RSAC Where to Hit Them? 15 Delay Degrade Disrupt Deny Destroy Defeat The six Ds of Cyber Defense
#RSAC Examples of recent Operations 16 CryptoWall v3.0 Beebone
#RSAC #CryptoWall 3.0 Source: CTA Report CryptoWall 3 operation
#RSAC #CryptoWall 3.0 Campaign-ID Infrastructure Bitcoin Wallets
#RSAC #OpBeebone
#RSAC Evasion Capabilities
#RSAC What Does This Mean? The McAfee Labs zoo contains more than five million unique W32/Worm-AAEH samples. It infected over 23,000 systems in 2014. In April 2015, a global law enforcement action took down the control servers for this botnet.
#RSAC What Does This Mean?
#RSAC Telemetry Analysis Total systems infected by W32/Worm-AAEH in 2013-2014
#RSAC Cracking the Code First DGA: 6 TopLevelDomains Then to 3 TLDs
#RSAC The Plan DGA Elements Previous DGA (dnsfor) Older DGAs Current DGA (timecheck) Number Suffix Start range 0 (numbers optional) dnsfor.net is acceptable domain in DGA Numbers optional 1 (must have number in domain) Number Suffix End Range Sample-dependent. does not exceed 29. Most samples 15. None/99 29 TLDs net/com/org net/com/org/info/biz com/net/org bug in code prevents checking net/org Samples may exist that check all 3 Active Period 2013-Sep 2014 2009-2013 Oct 2014-present
#RSAC Identify the Command and Control Servers All of the worm’s control servers detected by McAfee Labs between March 14, 2014, and September 14, 2014, were based in Europe Sinkholing operation Source: McAfee Labs
#RSAC Sinkhole A botnet sinkhole is a target machine used by researchers to gather information about a particular botnet. Sinkholing is the redirection of traffic from its original destination to one specified by the sinkhole owners. The altered destination is known as the sinkhole. The name is a reference to a physical sinkhole, into which items apparently disappear.
#RSAC Sinkhole Regular Expression for DGA prior to September 22 2014: ^ns1.dnsfor[0-9]{1,2}.(com|org|net)$ Numbers after “ns1.dnsfor” range from 1 to 30 Examples: ns1.dnsfor9.com ns1.dnsfor27.net ns1.dnsfor1.org The last known IP for this DGA is 188.127.249.119 at ns1.dnsfor9.com Regular Expression for DGA after September 22 2014: ^ns1.timechk[0-9]{1,2}.(com|org|net)$ Numbers after “ns1.timechk” range from 1 to 30 Examples: ns1.timechk7.org ns1.timechk3.com ns1.timechk19.net The last known IP for this DGA is 91.231.87.184 at ns1.timechk23.com
#RSAC The Results Country Total Iran, Islamic Republic of 8,403 Peru 6,548 Kazakhstan 3,212 Uzbekistan 2,947 Indonesia 2,051 Vietnam 1,838 Guatemala 1,643 India 1,533 Thailand 1,218 Philippines 879 Mexico 685 Ecuador 677 Bolivia 518 Kyrgyzstan 375 Afghanistan 354 Tajikistan 306 United States 250 Algeria 204 Russian Federation 170 Sudan 168 Region Current total Average from prior 7 days Difference from average 30 day trend Africa 1267 1304 -2.84% Eastern Africa 224 232 -3.51% Middle Africa 92 91 0.94% Northern Africa 560 571 -2.05% Southern Africa 124 122 1.64% Western Africa 267 287 -6.97 Americas 11006 10441 5.41% Caribbean 64 64 -1.11% Central America 2421 2305 4.99% Northern America 265 256 3.40% South America 8256 7814 5.65% Asia 23915 23160 3.26% Central Asia 6844 6759 1.26% Eastern Asia 203 199 1.65% South-Eastern Asia 6093 5728 6.37% Southern Asia 10383 10091 2.89% Western Asia 392 382 2.50% Europe 651 669 -2.71% Eastern Europe 312 316 -1.27% Northern Europe 14 17 -20.97% Southern Europe 117 125 -6.40% Western Europe 208 210 -1.15 Source: McAfee Labs
#RSAC Remediation https://www.us-cert.gov/ncas/alerts/TA15-098A
#RSAC Final thoughts…
#RSAC Summary 32 Intel Security is actively participating in operations against malware, botnets and actors cooperating with Law Enforcement around the globe and peers. We respect our customer’s privacy and go for protection first before considering press attention. You and your organization can participate too!

Recommended

Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 
"There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow""There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow"Christiaan Beek
 
The 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseThe 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseChristiaan Beek
 
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...PROIDEA
 
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE - ATT&CKcon
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesNCCOMMS
 
CSF18 - Guarding Against the Unknown - Rafael Narezzi
CSF18 - Guarding Against the Unknown - Rafael NarezziCSF18 - Guarding Against the Unknown - Rafael Narezzi
CSF18 - Guarding Against the Unknown - Rafael NarezziNCCOMMS
 
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE - ATT&CKcon
 

Recommended

Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 
"There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow""There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow"Christiaan Beek
 
The 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseThe 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseChristiaan Beek
 
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...PROIDEA
 
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE - ATT&CKcon
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesNCCOMMS
 
CSF18 - Guarding Against the Unknown - Rafael Narezzi
CSF18 - Guarding Against the Unknown - Rafael NarezziCSF18 - Guarding Against the Unknown - Rafael Narezzi
CSF18 - Guarding Against the Unknown - Rafael NarezziNCCOMMS
 
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE - ATT&CKcon
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleJohn Bambenek
 
HITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat IntelligenceHITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat IntelligenceJohn Bambenek
 
e-Extortion Trends and Defense
e-Extortion Trends and Defensee-Extortion Trends and Defense
e-Extortion Trends and DefenseErik Iker
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksEC-Council
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoJohn Bambenek
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!Nahidul Kibria
 
Hunting and Legal Hackback using Cyber Deception
Hunting and Legal Hackback using Cyber DeceptionHunting and Legal Hackback using Cyber Deception
Hunting and Legal Hackback using Cyber DeceptionCymmetria
 
Webinar: Hunting maturity through cyber deception
Webinar: Hunting maturity through cyber deception Webinar: Hunting maturity through cyber deception
Webinar: Hunting maturity through cyber deception Cymmetria
 
CSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
CSF18 - The Digital Threat of the Decade (Century) - Sasha KranjacCSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
CSF18 - The Digital Threat of the Decade (Century) - Sasha KranjacNCCOMMS
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 
Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesJohn Bambenek
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
 
Ransomware
Ransomware Ransomware
Ransomware Armor
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentStefano Maccaglia
 
Shamoon
ShamoonShamoon
ShamoonShakacon
 
Capture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseCapture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseFidelis Cybersecurity
 
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat MappingHelping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat MappingMITRE - ATT&CKcon
 
Cymmetria Webinar: Deception & Responder
Cymmetria Webinar: Deception & ResponderCymmetria Webinar: Deception & Responder
Cymmetria Webinar: Deception & ResponderCymmetria
 
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...MITRE - ATT&CKcon
 
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Lastline, Inc.
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Priyanka Aash
 
Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Andreas Taudte
 

More Related Content

What's hot

ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleJohn Bambenek
 
HITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat IntelligenceHITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat IntelligenceJohn Bambenek
 
e-Extortion Trends and Defense
e-Extortion Trends and Defensee-Extortion Trends and Defense
e-Extortion Trends and DefenseErik Iker
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksEC-Council
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoJohn Bambenek
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!Nahidul Kibria
 
Hunting and Legal Hackback using Cyber Deception
Hunting and Legal Hackback using Cyber DeceptionHunting and Legal Hackback using Cyber Deception
Hunting and Legal Hackback using Cyber DeceptionCymmetria
 
Webinar: Hunting maturity through cyber deception
Webinar: Hunting maturity through cyber deception Webinar: Hunting maturity through cyber deception
Webinar: Hunting maturity through cyber deception Cymmetria
 
CSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
CSF18 - The Digital Threat of the Decade (Century) - Sasha KranjacCSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
CSF18 - The Digital Threat of the Decade (Century) - Sasha KranjacNCCOMMS
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 
Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesJohn Bambenek
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
 
Ransomware
Ransomware Ransomware
Ransomware Armor
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentStefano Maccaglia
 
Capture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseCapture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseFidelis Cybersecurity
 
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat MappingHelping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat MappingMITRE - ATT&CKcon
 
Cymmetria Webinar: Deception & Responder
Cymmetria Webinar: Deception & ResponderCymmetria Webinar: Deception & Responder
Cymmetria Webinar: Deception & ResponderCymmetria
 
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...MITRE - ATT&CKcon
 
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Lastline, Inc.
 

What's hot (20)

ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at Scale
 
HITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat IntelligenceHITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat Intelligence
 
e-Extortion Trends and Defense
e-Extortion Trends and Defensee-Extortion Trends and Defense
e-Extortion Trends and Defense
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael Banks
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using Crypto
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!
 
Hunting and Legal Hackback using Cyber Deception
Hunting and Legal Hackback using Cyber DeceptionHunting and Legal Hackback using Cyber Deception
Hunting and Legal Hackback using Cyber Deception
 
Webinar: Hunting maturity through cyber deception
Webinar: Hunting maturity through cyber deception Webinar: Hunting maturity through cyber deception
Webinar: Hunting maturity through cyber deception
 
CSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
CSF18 - The Digital Threat of the Decade (Century) - Sasha KranjacCSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
CSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
 
Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing Felonies
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
 
Ransomware
Ransomware Ransomware
Ransomware
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous Environment
 
Shamoon
ShamoonShamoon
Shamoon
 
Capture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseCapture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception Defense
 
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat MappingHelping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
 
Cymmetria Webinar: Deception & Responder
Cymmetria Webinar: Deception & ResponderCymmetria Webinar: Deception & Responder
Cymmetria Webinar: Deception & Responder
 
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
 
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
 

Similar to "Giving the bad guys no sleep"

Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Priyanka Aash
 
Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Andreas Taudte
 
Securing your web infrastructure
Securing your web infrastructureSecuring your web infrastructure
Securing your web infrastructureWP Engine
 
PHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat IntelligencePHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat IntelligenceJohn Bambenek
 
Umbrella for MSPs: Enterprise Grade Malware Protection & Containment
Umbrella for MSPs: Enterprise Grade Malware Protection & ContainmentUmbrella for MSPs: Enterprise Grade Malware Protection & Containment
Umbrella for MSPs: Enterprise Grade Malware Protection & ContainmentOpenDNS
 
Cybersecurity breakfast tour 2013 (1)
Cybersecurity breakfast tour 2013 (1)Cybersecurity breakfast tour 2013 (1)
Cybersecurity breakfast tour 2013 (1)Infradata
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleGuardicore
 
Hacking from the Inside
Hacking from the InsideHacking from the Inside
Hacking from the InsideClaranet UK
 
RSA Conference 2017- ROBERT GRAHAM - mirai and iot botnet analysis
RSA Conference 2017- ROBERT GRAHAM - mirai and iot botnet analysisRSA Conference 2017- ROBERT GRAHAM - mirai and iot botnet analysis
RSA Conference 2017- ROBERT GRAHAM - mirai and iot botnet analysisFelipe Prado
 
Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1Barry Greene
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDebra Baker, CISSP CSSP
 
StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware Lancope, Inc.
 
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention MechanismsA Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention MechanismsIRJET Journal
 
IoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeIoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeAPNIC
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligencePriyanka Aash
 
(SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AW...
(SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AW...(SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AW...
(SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AW...Amazon Web Services
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 

Similar to "Giving the bad guys no sleep" (20)

Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”
 
Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)
 
Securing your web infrastructure
Securing your web infrastructureSecuring your web infrastructure
Securing your web infrastructure
 
PHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat IntelligencePHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat Intelligence
 
Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018
 
Umbrella for MSPs: Enterprise Grade Malware Protection & Containment
Umbrella for MSPs: Enterprise Grade Malware Protection & ContainmentUmbrella for MSPs: Enterprise Grade Malware Protection & Containment
Umbrella for MSPs: Enterprise Grade Malware Protection & Containment
 
Cybersecurity breakfast tour 2013 (1)
Cybersecurity breakfast tour 2013 (1)Cybersecurity breakfast tour 2013 (1)
Cybersecurity breakfast tour 2013 (1)
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at Scale
 
Hacking from the Inside
Hacking from the InsideHacking from the Inside
Hacking from the Inside
 
RSA Conference 2017- ROBERT GRAHAM - mirai and iot botnet analysis
RSA Conference 2017- ROBERT GRAHAM - mirai and iot botnet analysisRSA Conference 2017- ROBERT GRAHAM - mirai and iot botnet analysis
RSA Conference 2017- ROBERT GRAHAM - mirai and iot botnet analysis
 
Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptx
 
StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware
 
20150909_network_security_lecture
20150909_network_security_lecture20150909_network_security_lecture
20150909_network_security_lecture
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSEC
 
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention MechanismsA Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
 
IoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeIoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat Landscape
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
 
(SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AW...
(SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AW...(SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AW...
(SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AW...
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 

Recently uploaded

定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Lucknow
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 

Recently uploaded (20)

定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 

"Giving the bad guys no sleep"

  • 1. SESSION ID: #RSAC Raj Samani Disrupting Adversarial Success— Giving the Bad Guys No Sleep SPO1-T09 VP, CTO for EMEA Intel Security Christiaan Beek ATR Lead – Office of the CTO Intel Security
  • 2. #RSAC Agenda 2 Introduction When the power shuts down…. Using botnets for insider trading Giving the bad guys no sleep What’s next?
  • 3. #RSAC 3 Christiaan Beek Director Strategic Intelligence & Operations Intel Security – Office of the CTO Raj Samani CTO for Europe, Middle East, and Africa Intel Security
  • 4. #RSAC When the power shuts down 4 Ukrainian Power Grid attack
  • 5. #RSAC 5 Dec 23, 2015: Two Ukrainian power-companies, Prykarpattyaoblenergo and Kyivoblenergo were hit by a coordinated cyber-attack. As a result of this attack, eight provinces of the Ivan-Frakivk region were impacted, resulting in a power-outage for approximately six hours affecting over 80,000 customers. The affected company reported to be operating in “manual’ mode, an indicator that their network was impacted. At the same time a DDoS attack was launched against assets of the energy company. When the power shuts down….
  • 6. #RSAC Stage 1 of the attack: Flow of events Reconnaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Action on Objectives Excel/Word exploits – hidden dropper in Macro Spear-phishing email in Ukrainian language with weaponized attachment Execution of macro Installation of dropper Connect to C2 and download stage 2 malware Gather intel of landing point in the target’s network Cbeek-2016
  • 7. #RSAC Stage 2 of the attack: Establish control Reconnaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Action on Objectives Using backdoor created by malware to upload tooling Installation of SSH backdoor or Shells Connect to Attacker(s) Lateral movement to find machines controlling the HMI layer Cbeek-2016
  • 8. #RSAC Stage 3 of the attack: Execution time Reconnaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Action on Objectives Installation of Kill-disk component machines controlling HMI layer Connect to the HMI machines Use the HMI software to shutdown the power-grid followed by wiping the systems
  • 9. #RSAC At the same time… 9 While the attackers were shutting down the services, a coordinated DDoS attack was launched against the phone systems so that operators didn’t know that remote sites were out.
  • 11. #RSAC Using botnets for insider trading
  • 12. #RSAC Botnets Traditionally: Remote control, Denial of Service,Pii theft Today a managed service with: • Anonymous communications • Access management to subscribed networks/systems • Help desk Services • Payment Services
  • 13. #RSAC Botnets used for insider trading 13 https://blogs.mcafee.com/mcafee-labs/a-dummies-guide-to-insider-trading-via-botnet/ https://blogs.mcafee.com/mcafee-labs/a-dummies-guide-to-insider-trading-via-botnet-part-2/
  • 14. #RSAC Giving the bad guys no sleep 1 4
  • 15. #RSAC Where to Hit Them? 15 Delay Degrade Disrupt Deny Destroy Defeat The six Ds of Cyber Defense
  • 16. #RSAC Examples of recent Operations 16 CryptoWall v3.0 Beebone
  • 17. #RSAC #CryptoWall 3.0 Source: CTA Report CryptoWall 3 operation
  • 21. #RSAC What Does This Mean? The McAfee Labs zoo contains more than five million unique W32/Worm-AAEH samples. It infected over 23,000 systems in 2014. In April 2015, a global law enforcement action took down the control servers for this botnet.
  • 23. #RSAC Telemetry Analysis Total systems infected by W32/Worm-AAEH in 2013-2014
  • 24. #RSAC Cracking the Code First DGA: 6 TopLevelDomains Then to 3 TLDs
  • 25. #RSAC The Plan DGA Elements Previous DGA (dnsfor) Older DGAs Current DGA (timecheck) Number Suffix Start range 0 (numbers optional) dnsfor.net is acceptable domain in DGA Numbers optional 1 (must have number in domain) Number Suffix End Range Sample-dependent. does not exceed 29. Most samples 15. None/99 29 TLDs net/com/org net/com/org/info/biz com/net/org bug in code prevents checking net/org Samples may exist that check all 3 Active Period 2013-Sep 2014 2009-2013 Oct 2014-present
  • 26. #RSAC Identify the Command and Control Servers All of the worm’s control servers detected by McAfee Labs between March 14, 2014, and September 14, 2014, were based in Europe Sinkholing operation Source: McAfee Labs
  • 27. #RSAC Sinkhole A botnet sinkhole is a target machine used by researchers to gather information about a particular botnet. Sinkholing is the redirection of traffic from its original destination to one specified by the sinkhole owners. The altered destination is known as the sinkhole. The name is a reference to a physical sinkhole, into which items apparently disappear.
  • 28. #RSAC Sinkhole Regular Expression for DGA prior to September 22 2014: ^ns1.dnsfor[0-9]{1,2}.(com|org|net)$ Numbers after “ns1.dnsfor” range from 1 to 30 Examples: ns1.dnsfor9.com ns1.dnsfor27.net ns1.dnsfor1.org The last known IP for this DGA is 188.127.249.119 at ns1.dnsfor9.com Regular Expression for DGA after September 22 2014: ^ns1.timechk[0-9]{1,2}.(com|org|net)$ Numbers after “ns1.timechk” range from 1 to 30 Examples: ns1.timechk7.org ns1.timechk3.com ns1.timechk19.net The last known IP for this DGA is 91.231.87.184 at ns1.timechk23.com
  • 29. #RSAC The Results Country Total Iran, Islamic Republic of 8,403 Peru 6,548 Kazakhstan 3,212 Uzbekistan 2,947 Indonesia 2,051 Vietnam 1,838 Guatemala 1,643 India 1,533 Thailand 1,218 Philippines 879 Mexico 685 Ecuador 677 Bolivia 518 Kyrgyzstan 375 Afghanistan 354 Tajikistan 306 United States 250 Algeria 204 Russian Federation 170 Sudan 168 Region Current total Average from prior 7 days Difference from average 30 day trend Africa 1267 1304 -2.84% Eastern Africa 224 232 -3.51% Middle Africa 92 91 0.94% Northern Africa 560 571 -2.05% Southern Africa 124 122 1.64% Western Africa 267 287 -6.97 Americas 11006 10441 5.41% Caribbean 64 64 -1.11% Central America 2421 2305 4.99% Northern America 265 256 3.40% South America 8256 7814 5.65% Asia 23915 23160 3.26% Central Asia 6844 6759 1.26% Eastern Asia 203 199 1.65% South-Eastern Asia 6093 5728 6.37% Southern Asia 10383 10091 2.89% Western Asia 392 382 2.50% Europe 651 669 -2.71% Eastern Europe 312 316 -1.27% Northern Europe 14 17 -20.97% Southern Europe 117 125 -6.40% Western Europe 208 210 -1.15 Source: McAfee Labs
  • 32. #RSAC Summary 32 Intel Security is actively participating in operations against malware, botnets and actors cooperating with Law Enforcement around the globe and peers. We respect our customer’s privacy and go for protection first before considering press attention. You and your organization can participate too!