2. //Cyber Security
The interconnection of, and reliance on, physical lifeline functions over the Internet (cyberspace), which impacts:
– National Security
– Public Health and Safety
– Economic well-being
Most people spend more time and energy going around problems than trying to solve them.
~Henry Ford
3. Cyber Security and Cyber Crime
The first step is to admit that there is a problem.
4. A computer lets you make more mistakes faster than any
invention in human history - with the possible exceptions
of handguns and tequila.
~Mitch Ratliff
With just a few keystrokes, cybercriminals around the
world can disrupt our economy.
~Ralph Basham, Director of the U.S. Secret Service
The Internet is the crime scene of the 21st Century.
~Cyrus Vance Jr., Manhattan District Attorney
6. We are all connected
Cyber Security is like a Public Health Issue
We impact each other.
What are, and who sets, safety protocols?
Sometimes getting a shot only treats the symptoms and not the cause…
8. Vulnerable! Connected!
• Insulin pumps and pacemakers
• Automobiles
• POS and ATMs
• ORCL – MSFT – SYMC – RSA – VRSN – Bit9
• GOOG – AAPL – FB – AMZN – YHOO – LNKD – GM – NSANY
• US drone fleet
• Internet of Things
Cloud, Mobile, Big Data, Social
9. Cyber Crime
• Global and growing industry
• Increasing in size and efficiency
• Targets everyone and every company
• Low barrier to entry
• Levels the playing field for many interests
//Are you surprised? Seriously?
10. We Are Only Seeing the Tip of the Iceberg
Headline-grabbing attacks are visible above the surface; thousands more are below the surface:
APT Attacks, Zero-Day Attacks, Polymorphic Attacks, Targeted Attacks
Source: FireEye
12. Basic Cybercrime Organizations
• Fluid; change members frequently
• Will form and disband on a “per project” basis
• Rife with amateurs, take a lot of risk considering the
small payoffs
• Although the most troublesome, they are considered the
bottom feeders
– Think criminal script kiddies
– This is usually who the Feds get, not the big guys
13. Professional Hackers
• Paid per the job, usually flat rates
• State-side hackers can earn up to $200K a year
• The work is usually writing tools for others to use,
developing/finding new exploits, and coding up
malware
• Occasionally they will do a black bag job, but
these are rare, unless they are simply looking for
“loot” on easy targets
14. Spammers
• They earn millions per year selling their direct mail
services
• They are not picky and do not consider whether the person doing the selling is committing fraud, including the Russian Mafia
• After years of jumping from ISP to ISP, it is much easier
to lease “capacity” from hacker botnets or develop
their own
• They are the main employer of professional hackers
15. Traditional Mafia
• They are currently leaving most of the “work”
to others
• Online ventures are sticking close to such
things as pr0n, online gambling, etc.
• They are taking advantage of technology,
using computers heavily, and using reliable
encryption
16. Organized…Crime
Different levels of participants in the underground market
Markets for Cybercrime Tools and Stolen Data (RAND, 2014)
17. Russian Mafia
• Cybercrime elements are considered “divisions”
– The actual hackers themselves are kept
compartmentalized
• Due to protection from a corrupt Russian
government, most “big cases” do not net the big
players, e.g. Operation Firewall
• There are thousands of organized crime gangs
operating out of Russia, although most are not
involved in cybercrime.
• When new hacking talent is needed, they will force
hackers to work for them (or kill them and/or their
families)
18. Former Soviet Military
• Military industrial complex in Soviet Russia was even
more corrupt than their USA counterparts
• With the collapse of communism, many upper
military personnel in Russia had few skills that paid
well
– Good at money laundering
– Good at moving goods across borders
– Connections with international crime
19. China - Espionage
• Mandiant’s 2013 report on the Chinese (APT1)
– Attacks on 141 organizations since 2006 (115 were in the US)
• Substantial evidence of Chinese sponsored activities
– Report includes photos, forensics, communications, and profiles
• Soon after Mandiant’s report, the US government published a 140-page strategy to combat the theft of US trade secrets
• The US government initially attempted to halt the attacks on US
organizations
– But soon resorted to asking China to please stop stealing our stuff
• China’s response to the Mandiant report was that it was
“unprofessional” to publish and make such claims
20. China - Espionage
• According to the US Justice Department, of 20 cases of economic espionage
and trade secret criminal cases from January 2009 to January 2013, 16
involved Chinese nationals; i.e. organizations hired foreign nationals to work
on national security level projects (DuPont, NASA, Google, Intel, DoD, etc.)
• 63% of impacted organizations learn they were breached from an external
source, like law enforcement
• Organizations are being targeted by more than one attack group, sometimes in
succession
• In 2012, 38% of targets were attacked again after the original incident was
remediated, lodging more than one thousand attempts to regain entry to
former victims
• Feb 2013 report (Akamai) shows that 30% of all observed attacks came from
China and 13% originated from within the US
• March 2013 report (Solutionary) states that the majority of attacks on the US
are now originating in the US
23. Multi-Vector Analysis of Operation Beebus Attack
Key Attack Characteristics (diagram):
1 – Email/Web with weaponized malware (SMTP / HTTP)
2 – Backdoor DLL dropped
3 – Encrypted callback over HTTP to C&C
C&C Server: worldnews.alldownloads.ftpserver.biz
Weaponized Email (RHT_SalaryGuide_2012.pdf)
Targets: Defense Industry, UAV/UAS Manufacturers, Aerospace Industry
Timeline of attack – multiple vectors, multiple campaigns (Apr 2011 to Jan 2013):
update.exe (Apr 2011), unknown (Sept 2011), RHT_SalaryGuide_2012.pdf (Dec 2011), then campaigns in Feb, Mar, Apr, May, Jul, Aug, Sept and Nov 2012 and Jan 2013 using lure files including:
install_flash_player.tmp2, Conflict-Minerals-Overview-for-KPMG.doc, dodd-frank-conflict-minerals.doc, update.exe, Boeing_Current_Market_Outlook_…pdf, Understand your blood test report.pdf, RHT_SalaryGuide_2012.pdf, sensor environments.doc, FY2013_Budget_Request.doc, Dept of Defense FY12 …Boeing.pdf, April is the Cruelest Month.pdf, National Human Rights…China.pdf, Security Predictions…2013.pdf, rundll32.exe, unknown, сообщить.doc, install_flash_player.ex, install_flash_player.tmp2, Global_A&D_outlook_2012.pdf
1. Nation state driven attack using multiple vectors & files in campaigns spread over 2 years
2. Exploits known vulnerabilities in several Adobe products such as Reader and Flash Player
3. Targeted attacks - each campaign tried to compromise a few specific individuals
4. Encrypted callback communications to hide exfiltrated data
Source: FireEye
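The following Python triage script is an added example, not part of the original deck or FireEye's analysis. It flags, in constructed log lines, the two indicators the slide lists (the C&C host and the lure file names) and adds a near-regular-interval callback heuristic that generalizes the slide's "encrypted callback over HTTP" point to hosts that beacon to any site; the log format, host names, sample lines and thresholds are assumptions.

```python
import re
from collections import defaultdict
from statistics import pstdev

# Indicators taken from the Operation Beebus slide: the C&C host and some lure file names.
BEEBUS_C2 = {"worldnews.alldownloads.ftpserver.biz"}
BEEBUS_LURES = {
    "RHT_SalaryGuide_2012.pdf", "install_flash_player.tmp2", "update.exe",
    "FY2013_Budget_Request.doc", "dodd-frank-conflict-minerals.doc",
}

# Constructed sample log (not real traffic); assumed format: epoch, host, kind, value.
SAMPLE_LOG = """\
1357000000 wks-17 attach RHT_SalaryGuide_2012.pdf
1357000120 wks-17 http worldnews.alldownloads.ftpserver.biz
1357000720 wks-17 http worldnews.alldownloads.ftpserver.biz
1357001320 wks-17 http worldnews.alldownloads.ftpserver.biz
1357001920 wks-17 http worldnews.alldownloads.ftpserver.biz
1357000050 wks-22 attach Q4_report.xlsx
1357000300 wks-22 http www.example.com
1357000900 wks-22 http cdn.example.net
"""
LINE = re.compile(r"(\d+) (\S+) (attach|http) (\S+)")

def parse(text):
    """Return (timestamp, host, kind, value) tuples for every well-formed line."""
    return [(int(t), h, k, v) for t, h, k, v in LINE.findall(text)]

def beacon_hosts(events, min_hits=4, max_jitter=60):
    """Flag (host, site) pairs with at least min_hits requests whose inter-request
    gaps vary by at most max_jitter seconds: a beaconing/callback heuristic."""
    seen = defaultdict(list)
    for t, host, kind, value in events:
        if kind == "http":
            seen[(host, value)].append(t)
    flagged = set()
    for key, times in seen.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= max(1, min_hits - 1) and pstdev(gaps) <= max_jitter:
            flagged.add(key)
    return flagged

def triage(text):
    """Map each host to the sorted list of findings raised against it."""
    events = parse(text)
    findings = defaultdict(set)
    for _, host, kind, value in events:
        if kind == "attach" and value in BEEBUS_LURES:
            findings[host].add("lure-attachment")
        if kind == "http" and value in BEEBUS_C2:
            findings[host].add("known-c2")
    for host, _site in beacon_hosts(events):
        findings[host].add("beaconing")
    return {host: sorted(f) for host, f in findings.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The beaconing heuristic fires on the regular 600-second callbacks from wks-17 even without the known C&C name, which is the check that survives when the adversary moves to a new domain.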
24. China and the US Economy
Nov 2014
The US - China relationship is the most consequential in the world today, period.
And it will do much to determine the shape of the 21st century.
That means we have to get it right.
~John Kerry, Secretary of State
US trade deficit with China is the largest in the world.
US imports more from China than from Canada, Mexico, Japan, and Germany.
US invests more in China, than China does in US.
You could say China is America's banker.
~CNN
25. You Should Care
Cyber Security and Cyber Crime are
Important Issues
It’s Bad Right Now
27. Tyler/Savage Estimate of Global Cost of Cyber Crime
• Cost of genuine cybercrime
– $3.46 billion
• Cost of transitional cybercrime
– $46.60 billion
• Cost of cybercriminal infrastructure
– $24.84 billion
• Cost of traditional crimes going cyber
– $150.20 billion
• Total = $225.10 billion
Based on 2007-2010 data; the authors were disinclined to aggregate
28. Cyber Crime Costs in 2014
• Cyber attacks on large US companies resulted in an average of $12.7M in annual damages
– 9.7% increase from 2013
– $1,601 cost of damages per worker for smaller companies
– $427 cost of damages per worker for larger companies
Ponemon Institute 2014 Cost of Cybercrime Survey
37. Numbers Show a Harsh Reality
• 2/3 of U.S. firms report that they have been the victim of cyber attacks
• Every second, 14 adults become a victim of cyber crime
• 40% of all IT executives expect a major cybersecurity incident
• 115% CAGR in unique malware since 2009
• 9,000+ malicious websites identified per day
• 6.5x the number of cyber attacks since 2006
• 95 new vulnerabilities discovered each week
Source: FireEye
39. Elements of Cyber Crime Operations
• Host an exploit kit on a server
• Put malware on different server
• Send malicious email linked to exploit kit
• Find holes in visiting systems
• Use holes to infect visitors with malware
• Use console on command and control box
• To steal, DDoS, spread more malware
• Use markets to sell/rent infected systems
• Use markets to sell any data you can find
40. The Weapons
• Botnets
– Average size is 5000 computers, some have been as large as 500,000
computers
– New command and control software allows botnet capacity leasing of
subsections of the botnet
• Phishing
– You guys *do* know what phishing is, right?
• Targeted Viruses
– Used to create quick one-time-use botnets
– Also used when specifically targeting a single site or organization
• The usual Internet attack tools
41. Exploit Toolkits & Malware
• In 2013, Exploit Toolkits cost between $40 and $4k
• The malware that likely compromised Target’s POS system cost less than $3,000.
• 61% of all malware is based on pre-existing toolkits; upgrades
keep them current and provide additional capabilities
(“Value”)
• Toolkits used for Targeted Attacks can create custom Blog
entries, emails, IMs, & web site templates to entice targets
toward malicious links / content. (Blackhole >100k/day)
42. Exploit Toolkits & Malware
• Traditional attacks were loud, high volume attacks typically
stopped by threat monitoring tools
• Today’s sniper attacks use specific exploits to get clear shots at
the objective
• The convergence of Social Engineering, Social Profiling, and
Geo-Location improve attack success
• Rogue software (anti-virus, registry cleaner, machine speed improvement, backup software, etc.)
– Increase in Mac malware (Mac Defender)
– 50%+ of attacks on social media sites were malware
43. Cyber Crime Tools are Readily Available
From a chart by DeepEnd Research
• Exploit Kits
– Buy or rent
– A few hundred dollars to thousands
– Add new exploits over time
– Note all of the Java exploits
44. Proliferation and Variety of Exploit Kits Over Time
Markets for Cybercrime Tools and Stolen Data (RAND, 2014)
45. Attacks: Spam
2013 SPAM Results
• Spam is at 69% of all global email
• Phishing attacks are 1 in every 414
emails
• Emails that contained a virus were 1 in every 291
• Top Industries Attacked:
Manufacturing, Financial, Services,
Government, Energy
• Top Recipients Attacked: R&D, Sales,
C-Suite, Shared Mailbox
47. Attacks: Ransomware
• Mobile Internet will continue to increase as it eventually takes the place of desktop Internet.
• The illegal drug organizations are looking to Cyber Crime to facilitate their business and expand their operations. Your organization could be infiltrated by an insider, socially engineered for identities and social profiles, and potentially held hostage with ransomware.
• Localized CryptoLocker attacks on the U.S. are one of the current threats
• Nation state attacks from Russia are on the increase
48. Attacks: Botnets
A botnet is a large number of compromised computers that are used to create and send spam or viruses, or to flood a network with messages as a denial of service attack.
The compromised computers are called zombies.
49. Attacks: Water Holing
Several attacks in 2013 were conducted by luring victims to accept malware or follow a link to an infected site. 4% of all email contained malware or a link to an infected site.
There are 6 stages of the attack:
51. Attacks: Water Holing – Facebook
• Typo-Squatting
• Fake Facebook Applications
• Hidden Camera Video Lure
• Celebrity Deaths
• Fake Offers & Gifts
• Browser Plugin Scams
• Fake Profile Creeper
• Blog Spam Attack
52. Search Engine Poisoning (SEP)
2013 saw an increase in malware infections as a result of
SEP.
• Hackers crawling current news headlines, creating
related malicious sites and conducting SEP
• Google Images – links to source photo
• Using web analytics to determine what people are
searching for
55. DDOS - Amplification Attacks in Practice
Cloudflare Blog post, February 2014
Cloudflare Blog post, March 2013
C. Rossow – Amplification DDoS Attacks: Defenses for Vulnerable Protocols
57. Attacks: Remote Access Tools (RATs)
• RATs and Remote Server Administration Tools
– Avoid using remote administration tools on point-of-sale devices
• Severely lock them down with strong passwords and use other strong security
controls
– Crooks exploit vulnerabilities or use weak/default credentials
– Verizon and Trustwave findings:
• Remote access tools installed on the point-of-sale device are the leading cause of
card data breaches
• Attackers scan the Internet for remote administration software and then use automated tools to break in
• Symantec pcAnywhere
– January 2012, Symantec acknowledged that hackers stole the source code
– Urged users to either update the software or remove the program altogether
59. Attack: Passwords
//Passwords are the new perimeter
• Passwords are weak
• Use multi-factor authentication as much as you can
• Obey common good practices for administrative
accounts
• Do not reuse passwords on multiple sites
– Utilize a password wallet
– Utilize privileged account vault
• Obey common good practices for passwords
• Be mindful of which email account is used to reset account passwords
69. Example - Internet Black Market Pricing Guide
• Exploit code for known flaw
– $100-$500 if no exploit code exists
– Price drops to $0 after exploit code is “public”
• Exploit code for unknown flaw - $1000-$5000
– Buyers include iDefense, Russian Mafia, Chinese and French governments, etc.
• List of 5000 IP addresses of computers infected with spyware/trojan
for remote control - $150-$500
• List of 1000 working credit card numbers - $500-$5000
– Price has increased since Operation Firewall
• Annual salary of a top-end skilled black hat hacker working for
spammers - $100K-$200K
71. ~80% of companies are compromised!
Contents used with permission from FireEye.
72. Value of a Hacked Email Account
krebsonsecurity.com
Crime shops charge between $1 and $3 for active accounts at dell.com, overstock.com, walmart.com, tesco.com, bestbuy.com and target.com, to name just a few
73. The Scrap Value of a Hacked PC
Your life commoditized
krebsonsecurity.com
75. Problems with Cyber Security
Executive and Business Issues:
• Underinvesting in Information Security
• Security needs Board and Senior Team visibility
– Boards and Senior Team need cyber education
• Use your CISO (if you have one)
• Need to think more broadly on the ecosystem
– Critical security decisions are missing in Product and
Services Teams
• Associated with revenue
• Where is cyber security thinking pre-launch?
76. Problems with Cyber Security
Problems with Infosec:
• The bad guys have the upper hand
– Only need to find one way in
– Mostly exploit the weakest link – People
– Security is not built into most products and services by default
• Security is a People, Process, and then Technology problem
– Security is not a Product
• Focus misplaced on Compliance only
– Problem is shared with Audit and Compliance teams
• Need to learn from others’ mistakes
– Lots of examples
• Breaches - Root Cause Analysis and Post Incident Review
– Information Sharing & Analysis Centers (ISACs)
77. Learning From Others’ Mistakes
• Target breach clean up estimated at $100M
• The Home Depot breach clean up estimated at $62M
“If I only got a fraction of that annually.”
~anonymous CISO
78. Learning From Others’ Mistakes
Root Cause / Post Incident Review
• How did these companies get hacked?
• What did the intruders do once in?
• Did they take anything?
//Who knows what really happened?
83. Problems with Detection
Verizon 2014 DBIR: 170 days to detect an attack
31 days on average to resolve cyber attacks
• $21,000 cost per day to resolve
• Insider attacks took the longest time to resolve
2014 Cost of Cybercrime Survey, Ponemon Institute
There is data out there.
There is a lot of data that is not collected.
There is a lot of data that is not out there and stays protected.
Verizon appears to have more solid data on merchant/commercial attacks
84. What Can You Do About This
• Be Better Prepared
• Acknowledge You’re Not Doing Enough
• Acknowledge You Need Help
85. Doomsday and Naked and Afraid Criteria
0-100 Scale:
1- Food (renewable)
2- Water
3- Shelter
4- Security
5- X-Factor
0-10 Rating Scale:
Primitive Survival Rating (PSR)
Novice--Intermediate--Expert
5 Functions; Low, Medium, and High
Notice a Pattern Forming?
86. Framework for Defensible Cyber Security
NIST Cyber Security Framework
• Highlights 5 security standards
– ISO/IEC 27001, COBIT, NIST 800-53, CCS SANS 20, ISA/IEC 62443
• Risk-based
– ISO 31000, ISO/IEC 27005, NIST 800-39, ECS RMP
• Framework Core - 5 Functions
– Identify, Protect, Detect, Respond, Recover
– 98 Outcomes (Expectations of Security)
• Tiers and Profiles
– Partial (Tier 1) to Adaptive (Tier 4)
• Criteria for cyber success
– Used by Insurance companies
– Used in SEC cyber security examination blueprint
Security is a journey and not a destination
87. Due Care and Heightened Expectations
Refers to the effort made by an ordinarily prudent or reasonable
party to avoid harm to another, taking the circumstances into
account.
Refers to the level of judgment, care, prudence, determination,
and activity that a person would reasonably be expected to do
under particular circumstances.
88. Cyber Security Framework of Success
Risk Management
NIST CSF
We will bankrupt ourselves in the vain search for absolute security. ~Dwight D. Eisenhower
89. The Defender’s Advantage
Learning from the past – Implementing Cyber Kill Chain
Should Be Your Infosec Team’s Mindset
90. The Attack Life Cycle – Multiple Stages
1 Exploitation of system
2 Malware executable download
3 Callbacks and control established
4 Data exfiltration
5 Malware spreads laterally
Diagram elements: compromised web server or Web 2.0 site, callback server, IPS, File Share 1, File Share 2
Breach detection is critical
Assume that you’ve been compromised
91. The Defender’s Advantage
One person's "paranoia" is another person's "engineering redundancy."
~Marcus J. Ranum
92. What Defenders Need to Know
• The type of cyber crime to expect
– This is one area where we do have data
• Strategy to defend against them
– A layered defense
93. Our Users and Current Culture
Our Weakest Link
The user's going to pick dancing pigs over security every time.
— Bruce Schneier
If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees.
— Kahlil Gibran
94. What Leaders Can Do to Help
Educate, inspire, and demand
real change towards the culture of security
Security is Everyone’s Job
95. </What is Needed>
• Organization visibility and agility for security
• Seek thought leadership (a CISO)
– Security needs visibility to senior team and Board
• Wisely invest in defensible security
• Follow a risk-based approach
• Follow a structured methodology like the NIST CSF
– Use the data available to fine-tune defenses
– Learn from your mistakes and others’ mistakes
– Plan and test security operations and response
• Knowledge is Power
– Getting hacked is a matter of When not If
– Security is a Journey, not a Destination
– Security is Everyone's Job
– Security is a team sport – It takes the village to be successful
– Reality-check: A child can be the adversary
96. Security used to be an inconvenience sometimes, but now it's a necessity all the time.
~Martina Navratilova after the stabbing of Monica Seles by a fan of Steffi Graf, 1993
Phil Agcaoili
Co-Founder & Board Member, Southern CISO Security Council
Distinguished Fellow and Fellows Chairman, Ponemon Institute
Founding Member, Cloud Security Alliance (CSA)
Inventor & Co-Author, CSA Cloud Controls Matrix,
GRC Stack, Security, Trust and Assurance Registry (STAR), and
CSA Open Certification Framework (OCF)
Contributor, NIST Cybersecurity Framework version 1
@hacksec
https://www.linkedin.com/in/philA