UNCLASSIFIED

Kansas City Terrorism Early Warning Inter-Agency Analysis Center
Cyber Threat Information Program

Missouri City/County Manager's Association
CYBER BRIEFING
May 7, 2015

Recent Cyber Events
• South Carolina DOR
  – 3.6 million SSNs stolen and tax returns exposed.
  – Direct cost = $14 million; user fraud loss = $5.2 billion.
• Shamoon (aka Wiper)
  – Steals credentials, then wipes the boot record of 30,000 to 50,000 computers at Saudi Aramco and RasGas.
• Banking DDoS against JP Morgan Chase, PNC, Wells Fargo and Bank of America; eight banks attacked in total.

Recent Cyber Events
• TARGET (40 million credit cards) and other retailers.
• City of Wichita (over 60,000 vendor financial records).
• 14 banks, 12 cities and 10 police departments disabled during the Ferguson unrest.

VIDEO 1

So What?
Computer network exploitation by threat actors enables:
• Massive financial losses
• Degradation/disruption of services
• Extortion
• Intellectual property theft
• Counterfeiting
• Theft of proprietary data
• Identity theft (personally identifiable information)
• Access to credit
• Loss of money and credibility

Agenda
• Threat Landscape
• Actors (bad guys)
• Attack types (bad stuff that bad guys do)
• Vulnerabilities (the things that bad guys attack)
• Cyber Threats and Trends (the future)
• What Can You Do?

EVALUATE YOUR RISK.
THREAT + VULNERABILITY + CONSEQUENCE = RISK

CYBER THREAT LANDSCAPE

Cyber Threat Landscape
Cyber Threat Actors
• State sponsored
• Terrorists / violent extremists
• Insider threat
• Hackers
• Hacktivists
• Criminals / organized crime

Hacker Evolution
(three image slides; no text to reproduce)

Cyber Threat Motivations
• Notoriety
• Political statement
• Money – banks, credit cards, extortion, etc.
• Intellectual property / trade secrets
• Information for negotiating positions (competitive advantage)
• Infrastructure attack – terrorism

Cyber Threat Motivations (Intent)
Matrix of actors (Nation-State, Terrorists, Insiders, Commercial Hackers, Hacktivists, Criminals) against intents (Fun/Curiosity/Ego, Money, Retaliation/Retribution, Political Statement, Intellectual Property, Negotiation Information, Espionage, Deny/Disrupt/Degrade/Destroy). The X marks in the cells did not survive extraction, so the actor-to-intent assignments are not reproduced here.

Cyber Targets
• Government networks
  • Federal
  • State
  • Local
  • Tribal and territorial
• Critical Infrastructure and Key Resources (CIKR) networks
  • Over 85% owned by the private sector
  • Industrial Control Systems / SCADA
  • Embedded systems
• Business and home networks

Cyber Threats
• Supply chain exploitation
  • Cyber exploitation, manipulation, diversion, or substitution of counterfeit, suspect, or fraudulent items impacting US CIKR
• Disruption
  • Distributed Denial of Service (DDoS) attack: an effort to prevent a site or service from functioning efficiently or at all, temporarily or indefinitely
• Cyber crime
  • Criminals seeking sensitive, protected information for financial gain

Cyber Threats
• Corporate espionage
  • Threat actors targeting US companies to gather intelligence and sensitive corporate data for competitive advantage
• Advanced Persistent Threat
  • Stealthy, coordinated cyber activity over a long period of time directed against political, business, and economic targets
• Industrial Control Systems / SCADA
  • Threat actors disrupt ICS/SCADA-based processes

Devices, Systems and Networks
• Desktops/laptops (OS and applications)
• Servers (OS and applications)
• Printers
• Routers
• VPN
• DNS system
• PSAPs (Public Safety Answering Points)
• Public notification systems
• Mobile devices
• Household appliances
  • Televisions
  • Refrigerators
  • Baby monitors

Embedded Systems
Computers built into other systems. Examples:
• Digital X-ray machines, medical devices
• Computer-controlled industrial equipment
• Automobiles
• ATMs
• Printer/copier/fax machines
The underlying computer is likely to have unpatched vulnerabilities because it is not on the system administrator's list of "computers," or because the system can only be upgraded by the vendor.

Industrial Control Systems (ICS)
Control processes such as manufacturing, product handling, production, and distribution. Industrial Control Systems include Supervisory Control and Data Acquisition (SCADA) systems.
Examples:
• Robotic assembly lines
• Water treatment
• Electric power grid
• Building controls

Internet Connected Communications
Communications systems that are not typically considered computer networks but are nonetheless connected to external networks such as the Internet. Examples:
• Telephone switching – PBX, VoIP
• Emergency notification systems
• First responder communications (trunked voice/data terminals)

Targeting and Attack Techniques
• Social engineering
  • Spear phishing
  • Spoofing e-mail accounts
• Exploiting vulnerabilities
• Malware
  • Downloaders, Trojans, keyloggers, etc.
• External memory devices (USB)
• Supply-chain exploitation
• Leveraging trusted insiders
• Denial of Service
• Mobile device attacks

Advanced Persistent Threat (APT)
• Category of cyber attack against political, business, or economic targets
  • Federal agencies
  • State agencies
  • City governments
  • Commercial and non-profit organizations
• Actors use the full spectrum of computer intrusion techniques and technology
• Characterized by focus on specific information objectives rather than immediate financial gain
• Stealthy, coordinated, focused activity over a long period of time
• Operators are skilled, motivated, organized and well-funded

Advanced Persistent Threat (APT)
Information objectives include:
• Government policy/planning
• Corporate proprietary data
• Contract data
• International meetings (G20, IMF, climate change)
• Sabotage
• Espionage
• Use of compromised computers as intermediate hop points in future compromises

Advanced Persistent Threat (APT) Methodology
• Reconnaissance
• Initial intrusion into the network
• Establish a backdoor into the network
• Obtain user credentials (login IDs, passwords)
• Escalate privileges, move laterally through the network
• Search for and exfiltrate data
• Maintain persistence

Advanced Persistent Threat (APT)
Examples of APT in open reporting:
• Operation Aurora – Damballa
  • Finance, technology, media – 30+ countries
• LURID APT – Trend Micro
  • Diplomatic, government, space-related agencies and companies – 61 countries
• Nitro – Symantec
  • Gas, oil, energy, chemical sectors – 8 countries
• Shady RAT – McAfee (the original report; Symantec published a follow-up analysis)
  • Governments, corporations, nonprofits – 14 countries
• FLAME – Kaspersky
  • Middle Eastern countries

VIDEO 2

Cyber Threats and Trends

Trends
• ENORMOUS increase in cyber attacks and cyber crime, both in numbers and in sophistication.
• State-sponsored attacks likely to increase. (Cyber warfare is real now.)
• Cyberweapon toolkits are commonplace, used not only by state-sponsored attackers but by any entity with medium/high skills.
• Cyber Crime as a Service is a full-fledged business model.
• Anyone can use point-and-click services to deliver a devastating attack.

Trends
Nation-states that have declared offensive cyber capability:
• Iran
• Australia
• India
• Italy
• UK
• France
• China
• Syria
• Russia
• Germany
• U.S.A.
• Israel

Trends
Hacktivists / Jihadists
• Alliances with ideologically similar groups
• More skilled
• More organized
• More aggressive
• More of them

Trends
Cyber criminals
• Can occasionally approach the sophistication, if not the endurance, of state-sponsored attackers
• Adding much more emphasis to mobile devices
• Adds a physical dimension to the cyber realm

Trends
Shift in targeting preferences
• State / local
  • State networks
  • Local municipalities / agencies
    • FD, PD, cities, NGOs
  • Universities, colleges, vo-tech
• Businesses

COMMON ATTACK TYPES / MITIGATION STRATEGIES

Attacks from outside the firewall

Big Three Most Common Attacks
• DDoS – Distributed Denial of Service
• SQL-I – Structured Query Language Injection
• Defacements

Commonly Seen Attacks
For each attack type (TTP – tactics, techniques, procedures):
• What is it?
• Who uses it?
• Preferred targets?
• Consequences?
• Prevention / mitigation

Distributed Denial of Service (DDoS)
WHAT IS IT?
A DDoS attack tries to render a website either inoperable or inaccessible by using large numbers of computers to send overwhelming numbers of requests at a target. The target can become so busy trying to answer bogus requests that it cannot answer valid user requests, and the website is unusable.
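The mechanism just described, as an added example that is not part of the original briefing: a per-source-IP token-bucket rate limiter (the kind of control a perimeter device or load balancer applies) run over a constructed request stream. The client mix, the request rates, the per-address limit and the server capacity are all assumptions chosen for illustration. It shows why "distributed" is the hard part: one noisy source is throttled easily, but 10,000 bots that each stay under the per-address limit still push thousands of requests per second onto the server.

```python
"""Per-source rate limiting against a constructed DDoS request stream.

Added example (not from the briefing). Request timings, client counts and
the per-address limit are assumptions chosen for illustration.
"""
from collections import defaultdict


class TokenBucket:
    """Token bucket: refills `rate` tokens per second, holds at most `burst`."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens = burst      # a newly seen source starts with a full bucket
        self.last = now

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSourceLimiter:
    """One bucket per source IP, as a perimeter device would keep."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def allow(self, src, now):
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.rate, self.burst, now)
        return bucket.allow(now)


def synth_stream(clients, duration):
    """Construct (timestamp, src, label) tuples; clients: list of (src, label, req/s)."""
    reqs = []
    for i, (src, label, rps) in enumerate(clients):
        period = 1.0 / rps
        offset = (i % 97) / 97.0 * period    # spread clients within one period
        reqs.extend((k * period + offset, src, label) for k in range(int(rps * duration)))
    reqs.sort()
    return reqs


def simulate(per_ip_rate=10.0, burst=20, duration=10.0, bots=10_000):
    """Run the limiter over the stream; return allowed/total per client class."""
    clients = [("203.0.113.10", "legit", 2.0),        # one normal user
               ("198.51.100.7", "flooder", 500.0)]    # one noisy source
    clients += [(f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255}", "botnet", 0.5)
                for i in range(bots)]                 # many quiet sources
    limiter = PerSourceLimiter(per_ip_rate, burst)
    allowed, total = defaultdict(int), defaultdict(int)
    for ts, src, label in synth_stream(clients, duration):
        total[label] += 1
        if limiter.allow(src, ts):
            allowed[label] += 1
    result = {label: (allowed[label], total[label]) for label in total}
    result["allowed_per_second"] = sum(allowed.values()) / duration
    return result


if __name__ == "__main__":
    r = simulate()
    for label in ("legit", "flooder", "botnet"):
        print(f"{label:8s} allowed {r[label][0]:6d} of {r[label][1]:6d}")
    print(f"reaching the server: ~{r['allowed_per_second']:.0f} requests/s")
```

Run as a script to print the counts per class. The flooder at 500 req/s is cut to roughly the 10 req/s refill rate, the single legitimate user is untouched, and every one of the 50,000 botnet requests passes because no bot ever exceeds the per-address limit; the server still sees about 5,000 req/s. Per-address limits protect against one abusive client, not a botnet, which is why aggregate capacity and upstream (ISP) absorption matter for the distributed case.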
Distributed Denial of Service (DDoS)
WHO USES IT?
• Used to be well-resourced adversaries (state sponsored, cyber crime enterprises).
• More recently seen from hacktivists (Anonymous affiliates).
• Anyone with $200 - $800 can rent a botnet of 10,000 computers for a day to attack anyone.

Distributed Denial of Service (DDoS)
EXAMPLES?
During unrest associated with the Ferguson, MO shooting:
• 15 banking institutions
• State, counties, cities, police departments (at least 12)
• Educational institutions

Distributed Denial of Service (DDoS)
PREVENTION
Can't be prevented – plan for it.
• Establish connections with multiple ISPs.
• Ensure that service level agreements (SLAs) with ISPs contain provisions for DDoS prevention (such as IP address rotation).
• Assure the network has redundant systems and sufficient excess capacity.
• Enable rate limiting at the network perimeter.
• Create backup remote site networks with multiple-address capability.
• Segment web services across multiple machines and networks.
• Host public-facing websites with ISPs that have the capability to withstand significant DDoS attacks.

Distributed Denial of Service (DDoS)
MITIGATION
• Execute ISP address rotation.
• Block source IP addresses that are generating DDoS traffic at the network boundary or within the ISP infrastructure. (DDoS attacks can come from tens of thousands of addresses that rotate randomly, making this strategy difficult to implement; per-source blocking also does nothing against a flood in which every source stays under the blocking threshold.)
• Acquire increased bandwidth from the ISP. (This solution is limited by your own servers' ability to handle the increased traffic.)

SQL Injection (SQL-I)
WHAT IS IT?
A form of attack on a database-driven website in which the attacker executes unauthorized SQL commands by taking advantage of insecure code, typically user input that is concatenated into a query without validation. Because the attack rides on ordinary web requests, it passes straight through the firewall.
Used to steal information from a database and/or to gain access to an organization's host computers through the computer that is hosting the database.

SQL Injection (SQL-I)
WHO USES IT?
• State sponsored, cyber criminals, hackers, hacktivists, jihadists, Anonymous, script kiddies.
• Very effective tools are freely available.
• Recipes for finding targets (called "Google dorks") are all over the open Internet.

SQL Injection (SQL-I)
LOCAL EXAMPLES?
• KCKPD – release of accident records and related personal information
• Wichita – release of vendor/personal financial information

SQL Injection (SQL-I)
PREVENTION
• Limit exposed database services.
• Use parameterized queries (prepared statements) and validate input against an allow-list; never build SQL by concatenating user input.
• Give the application's database account only the privileges it needs.
• Assure all applications and operating systems are patched to the current level.
• Keep an eye out for announced vulnerabilities.
• Dynamic monitoring at the firewall or application server.
• Threat detection services.
• Application configuration security (passwords).

SQL Injection (SQL-I)
MITIGATION
• Watch for "breach" announcements.
• Notification process.
• Prevent further breaches (turn off access until it's fixed).
• Aggressively pursue disclosures.
• Where applicable, get outside help (FBI, DHS, USSS, commercial services).

DEFACEMENT
WHAT IS IT?
Any unauthorized change made to the appearance of either a single web page or an entire site. In some cases, a website is completely taken down and replaced by something new.

DEFACEMENT
WHO USES IT?
• A plethora of jihadists
• "Anonymous" affiliates
• Syrian Electronic Army
• POH (plain old hackers)
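The SQL injection slides above, as an added example that is not part of the original briefing: the vulnerable string-concatenated lookup beside its parameterized replacement, run against an in-memory SQLite table. The accident_reports table, its rows and the two attacker payloads are constructed for illustration only and say nothing about how the KCKPD or Wichita incidents actually happened.

```python
"""SQL injection: the vulnerable lookup beside its parameterized fix.

Added example (not from the briefing). The accident_reports table, its rows
and the two attacker payloads are constructed here for illustration.
"""
import re
import sqlite3


def make_db():
    """In-memory SQLite database holding a few fake records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accident_reports (
            id INTEGER PRIMARY KEY, report_no TEXT, driver TEXT, ssn TEXT);
        INSERT INTO accident_reports VALUES
            (1, 'AR-1001', 'A. Driver', '111-22-3333'),
            (2, 'AR-1002', 'B. Driver', '444-55-6666'),
            (3, 'AR-1003', 'C. Driver', '777-88-9999');
    """)
    return conn


def lookup_vulnerable(conn, report_no):
    """Concatenates user input into the statement, so the input is parsed as SQL."""
    sql = ("SELECT report_no, driver, ssn FROM accident_reports "
           "WHERE report_no = '" + report_no + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, report_no):
    """Parameterized query: the value travels separately and is never parsed as SQL."""
    sql = "SELECT report_no, driver, ssn FROM accident_reports WHERE report_no = ?"
    return conn.execute(sql, (report_no,)).fetchall()


def validate_report_no(value):
    """Allow-list check, as defense in depth in front of the query."""
    return re.fullmatch(r"AR-\d{4}", value) is not None


# Constructed attacker inputs.
# Closes the string literal and appends an always-true condition: dumps every row.
TAUTOLOGY = "AR-1001' OR '1'='1"
# Appends a UNION that reads the schema catalog and comments out the trailing quote;
# this is how an attacker learns table and column names before pulling data.
UNION_PROBE = "x' UNION SELECT name, sql, '' FROM sqlite_master --"


def demo():
    """Run both lookups with a normal value and with each payload."""
    conn = make_db()
    return {
        "normal_vuln": len(lookup_vulnerable(conn, "AR-1001")),
        "tautology_vuln": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "union_vuln": lookup_vulnerable(conn, UNION_PROBE),
        "normal_safe": len(lookup_safe(conn, "AR-1001")),
        "tautology_safe": len(lookup_safe(conn, TAUTOLOGY)),
        "union_safe": len(lookup_safe(conn, UNION_PROBE)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15s} -> {value}")
```

With the vulnerable lookup the tautology payload returns all three records (SSNs included) and the UNION probe returns the CREATE TABLE text from sqlite_master; the parameterized lookup returns nothing for either payload because the whole string is compared as a value. The allow-list check is the cheap second layer: it rejects both payloads before a query is ever built.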
DEFACEMENT
EXAMPLES?
• Akron, OH
• Marines.com
• Huffington
• MO.GOV
Check out www.zone-h.com (archive of 180,000 defacement records).

DEFACEMENT
PREVENTION / MITIGATION
• Keep server systems and CMS applications up to date.
• Better passwords.
• Don't share system accounts outside the organization.
• Reputation monitoring services.
• Good backups.

Attacks That Get Through The Firewall

APT – The Really Bad Stuff
Computer network exploitation by threat actors enables:
• Massive financial losses
• Degradation/disruption of services
• Extortion
• Intellectual property theft
• Counterfeiting
• Theft of proprietary data
• Identity theft (personally identifiable information)
• Access to credit
• Loss of money and credibility

Computer Network Exploitation
The bad guys are INSIDE the computer now.
(Try to stay on the left side of the Cyber "Kill Chain".)

Spear-Phishing
• Targeted e-mails containing malicious attachments or links.
• E-mails forged to look as if they came from a legitimate source, with a subject the victim is likely to open.
• Target e-mail addresses can be harvested from websites, social networks, etc.
• Targeting of CEOs and executives is called "whaling".

Sample Phishing Website (via fsecure.com)
[screenshot not reproduced]

Sample Phishing Website – compromised police academy server in India (via fsecure.com)
[screenshot not reproduced]

[screenshot via nytimes.com, not reproduced]

Prevention
• Constant education
• Information sharing between agencies
• OPSEC
• Cyber hygiene
• PASSWORDS!!!!!!!!!!!!!
• Response plans
• Cyber tabletop exercises
• Test your capabilities
• Figure out roles and responsibilities

What is your plan?
• How to recover? WHO? COST?
• How to mitigate: CRITICAL SERVICES
• How to deal with the public: PUBLIC CONFIDENCE, LIABILITY

EVALUATE YOUR RISK.
THREAT + VULNERABILITY + CONSEQUENCE = RISK
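The spear-phishing indicators listed earlier (a forged sender, a subject the victim will open, a malicious attachment), as an added example that is not part of the original briefing: header and attachment checks that a mail gateway or a help-desk triage script can run over a raw message. The two sample messages, the trusted-domain list, the risky-extension list and the look-alike threshold are constructed assumptions for illustration.

```python
"""Header and attachment checks for spear-phishing mail.

Added example (not from the briefing). The two raw messages, the trusted
domain list, the risky-extension list and the look-alike threshold are
constructed assumptions for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"kcpd.org", "kcmo.gov"}      # assumed: domains the recipient trusts
RISKY_EXT = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd", "lnk", "docm", "xlsm"}
NORMALIZE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def label(domain):
    """Domain without its TLD, hyphens dropped, digit look-alikes mapped to letters."""
    return domain.rpartition(".")[0].translate(NORMALIZE)


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this sender domain imitates, or None if it is trusted or unrelated."""
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if label(domain) == label(trusted) or levenshtein(label(domain), label(trusted)) <= 1:
            return trusted
    return None


def analyze(raw):
    """Return the sender address and the list of indicators found in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    flags = []
    # 1. Display name that is itself an address at another domain: "x@trusted" <y@other>.
    if "@" in name and domain_of(name.strip("<>")) != from_dom:
        flags.append("display-name-address-mismatch")
    # 2. Envelope sender or Reply-To pointing somewhere other than the From domain.
    for hdr in ("Return-Path", "Reply-To"):
        val = msg.get(hdr)
        if val and domain_of(parseaddr(str(val))[1]) != from_dom:
            flags.append(hdr.lower() + "-domain-mismatch")
    # 3. Sender domain that imitates one the recipient trusts.
    target = lookalike_of(from_dom)
    if target:
        flags.append("lookalike-of:" + target)
    # 4. Executable or macro-bearing attachments; double extensions land here too.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if filename.rpartition(".")[2].lower() in RISKY_EXT:
            flags.append("risky-attachment:" + filename)
    return {"from": from_addr, "flags": flags}


# Constructed sample messages (not real mail); Return-Path assumed added by the receiving MTA.
PHISH = """From: "chief@kcpd.org" <alerts@kc-pd.com>
Return-Path: <bounce@mail-blast.example>
To: manager@city.example
Subject: Policy update - read before Friday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached policy update.
--b1
Content-Type: application/octet-stream; name="Policy_Update.pdf.exe"
Content-Disposition: attachment; filename="Policy_Update.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

LEGIT = """From: "Troy Campbell" <tcampbell@kcpd.org>
Return-Path: <tcampbell@kcpd.org>
To: manager@city.example
Subject: Briefing slides
Content-Type: text/plain

Slides are on the portal, not attached to this mail.
"""

if __name__ == "__main__":
    for sample in (PHISH, LEGIT):
        print(analyze(sample))
```

The constructed phishing message trips all four checks (an address in the display name that does not match the real sender, a Return-Path at a third domain, kc-pd.com imitating kcpd.org, and a .pdf.exe attachment), while the legitimate message trips none. Subdomains of a trusted domain are not flagged, so mail.kcpd.org passes. These are triage indicators, not proof: a compromised legitimate mailbox shows none of them, which is why the user-education slide still applies.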
WHO CAN YOU CALL?
Fusion Center: KC Regional Terrorism Early Warning Cyber Threat Intelligence Program
kctew@kcpd.org
(816) 413-3588
Missouri Information Analysis Center
St. Louis Terrorism Early Warning

NFCA Cyber Intelligence Network (CIN)
Co-Chairs: Troy Campbell (KCTEW), Devin King (LA-SAFE)
Regional coordinators (presented on a US map in the original; the state labels are omitted here):
• Western: Dana Kilian (NCRIC)
• Central: John Burrell (MATIC)
• Midwest: Kelley Goldblatt (MC3)
• Northeast: Brett Paradis (CTIC)
• National Capital: Fleming Campbell (WRTAC)
• Southeast: Heather Perez (CFIX)

WHO CAN YOU CALL?
The Department of Homeland Security (DHS)
• The National Cybersecurity & Communications Integration Center (NCCIC)
• The U.S. Computer Emergency Readiness Team (US-CERT)
• The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
• The National Coordinating Center for Telecommunications (NCC)

WHO CAN YOU CALL?
The USSS – US Secret Service
• Your nearest field office usually has a local Electronic Crimes Task Force
• Has Critical Incident Response Teams

WHO CAN YOU CALL?
The Federal Bureau of Investigation (FBI)
• Your local FBI Cyber Division
• FBI CyWatch
• FBI Critical Incident Response Group (CIRG)
• Strategic Information and Operations Center (SIOC)

WHO CAN YOU CALL?
KC Regional Terrorism Early Warning Cyber Threat Intelligence Program
kctew@kcpd.org
(816) 413-3588

Discussion

Contact:
Troy Campbell
KCTEW Cyber Threat Intelligence Program
tcampbell@kcpd.org
(816) 413-3588

Cyber Information Sharing Issues

Cyber Information Sharing – A Challenging Process

Issues in Intelligence Information Sharing
• No cross-community standards
  • Formats
  • Flow paths
• Classification downgrades
• Identity requests
• Standard terminology
• Two-way information flows