2. Group-IB history
Stages of Company Development
- 2003: Group-IB is founded by Leta Group. Leader on the Russian market; the first and only company in the CIS providing comprehensive services in investigation of security incidents.
- 2010: Acquisition. Various service packages: pre-incident consulting; response; forensics; investigation; legal support; post-incident consulting.
- 2011: International expansion. Skolkovo resident; the CyberCop project, an integrated system for counteracting cybercrime.
- 2011: Creation of CERT-GIB. First 24/7 CERT in Eastern Europe; CERT-GIB is the first private Computer Emergency Response Team in Russia.
- 2012: Dedicated certified professionals; 60+ employees.
3. Our key Customers
* completed project samples are available per customer request
5. Banking & E-Commerce vulnerabilities specifics
- As a result of PCI DSS / PA DSS, "classical" web-application vulnerabilities (SQL Injection, XSS, Local File Inclusion) are rarely encountered;
- A WAF (Web Application Firewall) is widely used, however it is rarely set up and maintained properly;
- Complicated applications, large dynamic changes, the use of third-party and borrowed applications and plugins;
- Various attacks on the client, which is initially located in an untrusted environment (ActiveX-object vulnerabilities at the client side, client-side vulnerabilities, inefficient information protection measures).
6. Penetration testing
Traditional approaches
«Black box» model
«Grey box» model
«White box» model
Informal testing options and qualification
- Developing exploits for vulnerabilities in online-banking software
- Use of «zero-day» vulnerabilities on the client side / server side
- Own software security lab with more than 20 public advisories in bugtracks
- Use of social engineering and individual tactical approaches
- We provide detailed report and free of charge consulting services
7. «PCI Compliance does not equal security»
HDFC Bank / Blind SQL-Injection;
(CVSS Base Score - 9.0)
http://www.hdfcbank.com
8. XSS exotics – RBS customer is under attack
HTML5 Canvas capabilities / JQuery and XSS vectors vulnerabilities
(taking a screenshot + keystrokes interception in the context of the session)
9. Analysis of the protection measures
A trusted environment - may also contain a vulnerability
( ZTIC detachable devices - Zone Trusted Information Channel)
Checkpoint Abra Multiple Vulnerabilities
http://www.exploit-db.com/exploits/19716/ - Group-IB’s Advisory
Sample built-in ACL list (F:PWCdatasandbox-persistence.ref):
<Execute OriginalName="calc.exe" PathName="calc.exe" AppName="Microsoft Calculator" UIDescription="Microsoft Calculator" id="134"/>
«Dirty» security trick (after shutting off Windows File Protection):
takeown /f <file_name>
icacls <file_name> /grant %username%:F
icacls <file_name> /grant *S-1-1-0:(F)
11. Network architecture misconfiguration errors
Gathering information from the internal infrastructure of the bank
Line format: <STX><message><ETX><checksum_character>
Tixi HSM-HNG Modem for Mitsubishi FX Remote Access
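The framed line format quoted above is easy to get wrong on the receiving side, so here is an added example (not code from the slides or from Group-IB) of a parser that accepts only well-formed, checksum-valid frames and reports everything else. The slide does not say how the checksum character is computed; the code assumes a one-byte LRC (XOR of every byte after STX up to and including ETX), which is the usual convention for this kind of framing.

```python
# Added example, not Group-IB's code: parser for the slide's line format
# <STX><message><ETX><checksum_character>. The slide gives no checksum
# rule; ASSUMED here: one-byte LRC = XOR of all bytes after STX up to and
# including ETX (the common convention for this framing).
STX, ETX = 0x02, 0x03

def lrc(data: bytes) -> int:
    acc = 0
    for b in data:
        acc ^= b
    return acc

def build_frame(message: bytes) -> bytes:
    """Frame a message as STX + message + ETX + checksum byte."""
    if STX in message or ETX in message:
        raise ValueError("message must not contain STX/ETX")
    body = message + bytes([ETX])
    return bytes([STX]) + body + bytes([lrc(body)])

def parse_frame(raw: bytes) -> bytes:
    """Validate exactly one frame; return the message or raise ValueError."""
    if not raw or raw[0] != STX:
        raise ValueError("missing STX")
    end = raw.find(bytes([ETX]))
    if end == -1 or end + 1 >= len(raw):
        raise ValueError("missing ETX or checksum")
    if end + 2 != len(raw):
        raise ValueError("trailing bytes after checksum")
    if lrc(raw[1:end + 1]) != raw[end + 1]:
        raise ValueError("checksum mismatch")
    return raw[1:end]

def split_stream(stream: bytes) -> list:
    """Cut a raw byte stream into frames; bad frames become error strings
    instead of being silently accepted or aborting the whole read."""
    results, pos = [], 0
    while (start := stream.find(bytes([STX]), pos)) != -1:
        end = stream.find(bytes([ETX]), start)
        frame = stream[start:end + 2] if end != -1 else stream[start:]
        try:
            results.append(parse_frame(frame))
        except ValueError as exc:
            results.append(f"error: {exc}")
        pos = end + 2 if end != -1 else len(stream)
    return results
```

The constructed stream in the test below holds one valid frame, one with a corrupted checksum and one cut off before its checksum, which is the mix a monitoring hook on such a link should be prepared to see.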
12. Information security integration services
Security Information and Event Management solutions
(SEM, SIM and SIEM)
Implementation of Intrusion Detection and Prevention
systems (IDS/IPS)
Implementation of Data Leakage Prevention systems (DLP)
and their legal support
SOC’s & Managed security services (MSS)
13. Computer Forensics
Forensic examination:
- Restores the chronology of security events
- Reveals signs of internal employees' involvement
- Discloses details of the committed theft in online banking
14. Investigations
Typical cases:
- Theft involving employees of the affected organizations
- Theft with the use of malicious software (Trojans)
- Theft involving the substitution of the transaction details sent by e-mail
15. Investigations
Steps of the RBS incident investigation:
- Search for signs of involvement (gathering evidence) of internal staff (based on the results of forensic investigations)
- Identify bot network control panels and search for links to other information security incidents
- Identification of individuals providing additional services to the attacker
- Getting detailed information about the structure of the bot network control panel and obtaining evidence of its use in a particular fraud in online banking
- Defining the person controlling the bot network, and their actual location
- Gathering data in the form of a set of documents to be sent to law enforcement and legal authorities
16. Investigations
Resources used and sources of information gathering:
Distributed network of HoneyNet traps
Forensic investigation cases database
Malicious software research database
All time theft cases database, collected by Group-IB staff
Details on phishing sources
Previous investigation outcomes
Operational information & OSINT
Links to organizations involved in investigations in 48 countries
17. DDoS attacks investigations
As part of the investigation you get a detailed report on progress, as
well as all necessary information and documentation:
Get the exact location of the botnet’s control center;
Malicious code sample reversing;
Details on individuals involved in a DDoS attack;
A set of documents to hand the case over the law enforcement.
18. Successful cases and projects
«Grum botnet shutdown, kills 20 percent of worldwide spam»
http://blog.fireeye.com/research/2012/07/grum-botnet-no-longer-safe-havens.html
19. Successful cases and projects
Joint operation with Microsoft on arrest of Leo Kuvaev
http://krebsonsecurity.com/tag/group-ib/
20. Successful cases and projects
«Russian Authorities Arrest 6 More Members of the Carberp Gang»
http://www.sbrf.ru/en/presscenter/all/index.php?id114=11018427
23. Security Incident response & MSS
The response to an information security incident is carried out by highly qualified
professionals who are confronted daily with a variety of incidents, such as attacks on a web
site, online banking system, or another information asset. Each incident is unique and requires
an individualized approach, that’s why we have a dedicated forensic team of professionals and
a certified CERT to meet the most exacting customer requirements.
Our 24/7 CERT-GIB team responds to all sorts of threats:
• Denial of services attacks (DoS, DDoS);
• Unauthorized use of data processing and storage systems;
• Data compromise;
• Asset compromise;
• Internal/external unauthorized access;
• Creation and distribution of malicious software;
• Breach of information security policies;
• Phishing and unlawful brand use online;
• Online banking fraud and electronic payment systems.
24. CERT-GIB Europe - North America - Asia
CERT-GIB Moscow: GMT+4
CERT-GIB Vladivostok: GMT+10
CERT-GIB New York: GMT-5
CERT-GIB Singapore: GMT+7
- First 24/7 CERT in Eastern Europe: CERT-GIB is the first Eastern European 24/7 Computer Emergency Response Team, and the first private CERT in Russia.
- Expanding global presence (Europe, North America, Asia) for smooth and comprehensive incident handling.
- Immediate response to all types of security threats: phishing, spam, scam, DDoS attacks, malware, etc.
- .RU, .РФ, .SU: unique capabilities. Official ccTLD.ru-assigned expert organization to fight phishing, malware, and botnets, authorized to take actions against suspicious activities in the RU, РФ and SU domain zones.