Combating Cyber Threats - Missouri City Management Association

UNCLASSIFIED
Kansas City Terrorism Early Warning
Inter Agency Analysis Center
Cyber Threat Information Program
Missouri City/County
Manager’s Association
CYBER BRIEFING
May 7, 2015
Recent Cyber Events
• South Carolina DOR – 3.6 million SSNs stolen and tax returns exposed (direct cost = $14 million, user fraud loss = $5.2 billion)
• Shamoon (aka Wiper) – steals credentials, wipes boot record from 30,000 to 50,000 computers at Saudi Aramco and RasGas
• Banking DDoS against JP Morgan/Chase, PNC, Wells Fargo, Bank of America. Total of 8 banks attacked.
Recent Cyber Events
• TARGET (40 million credit cards) and other retailers
• City of Wichita (> 60,000 vendor financial records)
• 14 banks, 12 cities and 10 police departments disabled during the Ferguson unrest
VIDEO 1
So What ?
• Computer network exploitation by threat actors enables:
  • Massive financial losses
  • Degradation/disruption of services
  • Extortion
  • Intellectual property theft
  • Counterfeiting
  • Theft of proprietary data
  • Identity theft (personally identifiable information)
  • Access to credit
  • Loss of money and credibility
Agenda
• Threat Landscape
• Actors (Bad Guys)
• Attack types (Bad Stuff that Bad Guys do)
• Vulnerabilities (The things that Bad Guys attack)
• Cyber Threats and Trends (The Future)
• What Can You Do?
EVALUATE YOUR RISK.
THREAT + VULNERABILITY + CONSEQUENCE = RISK
CYBER THREAT LANDSCAPE
Cyber Threat Landscape
• Cyber Threat Actors
  • State Sponsored
  • Terrorist/Violent Extremists
  • Insider Threat
  • Hackers
  • Hacktivists
  • Criminals / Organized Crime
Hacker Evolution
Cyber Threat Motivations
• Notoriety
• Political Statement
• Money – Banks, Credit Cards, Extortion, etc.
• Intellectual Property / Trade Secrets
• Information for Negotiating Positions (competitive advantage)
• Infrastructure Attack – Terrorism
Cyber Threat Motivations (Intent)
Matrix slide: threat actors (columns) against motivations (rows), with an X marking each actor's motivations.
Actors: Nation-State, Terrorists, Insiders, Hackers, Hacktivists, Criminals, Commercial Espionage
Motivations: Fun/Curiosity/Ego; Money; Retaliation/retribution; Political Statement; Intellectual Property; Negotiation Information; Deny, Disrupt, Degrade, Destroy
Cyber Targets
• Government Networks
  • Federal
  • State
  • Local
  • Tribal and Territorial
• Critical Infrastructure and Key Resources (CIKR) Networks
  • Over 85% owned by private sector
  • Industrial Control Systems/SCADA
  • Embedded systems
• Business and Home Networks
Cyber Threats
• Supply Chain Exploitation
  • Cyber exploitation, manipulation, diversion, or substitution of counterfeit, suspect, or fraudulent items impacting US CIKR
• Disruption
  • Distributed Denial of Service (DDoS) attack (effort to prevent a site or service from functioning efficiently or at all, temporarily or indefinitely)
• Cyber Crime
  • Criminals seeking sensitive, protected information for financial gain
Cyber Threats
• Corporate Espionage
  • Threat actors targeting US companies to gather intelligence and sensitive corporate data for competitive advantage
• Advanced Persistent Threat
  • Stealthy, coordinated cyber activity over a long period of time directed against political, business, and economic targets
• Industrial Control Systems/SCADA
  • Threat actors disrupt ICS/SCADA based processes
Devices, Systems and Networks
• Desktops/Laptops
  • OS/App
• Servers
  • OS/App
• Printers
• Routers
• VPN
• DNS system
• PSAPs
• Public Notification Systems
• Mobile devices
• Household appliances
  • Televisions
  • Refrigerators
  • Baby monitors
Embedded Systems
Computers built into other systems
Examples:
• Digital X-ray Machines, Medical Devices
• Computer Controlled Industrial Equipment
• Automobiles
• ATMs
• Printer/copier/fax machines
The underlying computer is likely to have unpatched vulnerabilities because it is not on the System Administrator's list of "computers," or because the system can only be upgraded by the vendor.
Industrial Control Systems (ICS)
Controls processes such as manufacturing, product handling, production, and distribution. Industrial Control Systems include Supervisory Control and Data Acquisition systems (SCADA).
Examples
• Robotic assembly lines
• Water treatment
• Electric Power Grid
• Building controls
Internet Connected Communications
Communications systems that are not typically considered computer networks but are nonetheless connected to external networks such as the Internet.
Examples:
• Telephone switching – PBX, VOIP
• Emergency notification systems
• First responder communications (trunked voice/data terminals)
Targeting and Attack Techniques
• Social engineering
  • Spear phishing
  • Spoofing e-mail accounts
• Exploiting vulnerabilities
• Malware
  • Downloaders, Trojans, Keyloggers, etc.
• External memory devices (USB)
• Supply-chain exploitation
• Leveraging trusted insiders
• Denial of Service
• Mobile Device Attacks
Advanced Persistent Threat (APT)
• Category of cyber attack against political, business, or economic targets
  • Federal agencies
  • State agencies
  • City governments
  • Commercial and non-profit organizations
• Actors use the full spectrum of computer intrusion techniques and technology
• Characterized by focus on specific information objectives rather than immediate financial gain
• Stealthy, coordinated, focused activity over a long period of time
• Operators are skilled, motivated, organized, well-funded
Advanced Persistent Threat (APT)
• Information objectives include:
  • Gov't policy/planning
  • Corporate proprietary data
  • Contract data
  • International meetings (G20, IMF, Climate Change)
• Sabotage
• Espionage
• Use of compromised computers as intermediate hop points in future compromises
Advanced Persistent Threat (APT)
Methodology
• Reconnaissance
• Initial intrusion into network
• Establish backdoor into the network
• Obtain user credentials (login ID, passwords)
• Escalate privileges, move laterally through the network
• Search for and exfiltrate data
• Maintain persistence
Advanced Persistent Threat (APT)
Examples of APT in open reporting
• Operation Aurora – Damballa
  • Finance, Technology, Media – 30+ countries
• LURID APT – Trend Micro
  • Diplomatic, Government, Space-related agencies and companies – 61 countries
• Nitro – Symantec
  • Gas, Oil, Energy, Chemical Sectors – 8 countries
• Shady Rat – Symantec
  • Governments, corporations, nonprofits – 14 countries
• FLAME – Kaspersky
  • Mid-eastern countries
VIDEO 2
Cyber Threats and Trends
Trends
• ENORMOUS increase in Cyber Attacks/Crime, both in numbers and sophistication.
• State sponsored attacks likely to increase. (Cyber Warfare is real now.)
• Cyberweapon toolkits are commonplace, utilized not only by state sponsored attackers but by any entity with medium/high skills.
• Cyber Crime As a Service is a full fledged business model.
• Anyone can use point and click services to deliver a devastating attack.
Trends
Nation-States That Have Declared
Offensive Cyber Capability
• Iran
• Australia
• India
• Italy
• UK
• France
• China
• Syria
• Russia
• Germany
• U.S.A.
• Israel
Trends
Hacktivists / Jihadists
• Alliances with ideologically similar groups
• More Skilled
• More Organized
• More Aggressive
• More of them
Trends
Cyber Criminals
• Can occasionally approach the sophistication, if not the endurance, of State sponsored attackers
• Adding much more emphasis to mobile devices.
• Adds a physical dimension to the Cyber realm.
Trends
Shift in targeting preferences
• State / Local
  • State networks
  • Local Municipalities / Agencies
  • FD, PD, Cities, NGOs
  • Universities, Colleges, Votech
• Businesses
COMMON ATTACK TYPES / MITIGATION STRATEGIES
Attacks from outside the firewall
Big Three Most Common Attacks
• DDoS – Distributed Denial of Service
• SQL-I – Structured Query Language Injection
• Defacements
Commonly Seen Attacks
Attack Type (TTP – Tactics, Techniques, Procedures)
• What is it?
• Who uses them?
• Preferred targets?
• Consequences?
• Prevention / Mitigation
Distributed Denial of Service (DDoS)
WHAT IS IT?
A DDoS attack tries to render a website either inoperable or inaccessible by using large numbers of computers sending overwhelming numbers of requests at a computer.
The target can become so busy trying to answer bogus requests that it cannot answer valid user requests and the website is unusable.
Distributed Denial of Service (DDoS)
WHO USES IT ?
Used to be well resourced adversaries (state sponsored, cyber crime enterprise).
More recently seen from Hacktivists (Anonymous affiliates).
Anyone with $200 - $800 can rent a botnet with 10,000 computers for a day to attack anyone.
Distributed Denial of Service (DDoS)
Examples?
During unrest associated with the Ferguson MO shooting:
• 15 Banking institutions
• State, Counties, Cities, Police departments (at least 12)
• Educational institutions
Distributed Denial of Service (DDoS)
Prevention
Can't be prevented – Plan for it
• Establish connections with multiple ISPs.
• Ensure that service level agreements (SLA) with ISPs contain provisions for DDoS prevention (such as IP address rotation).
• Assure the network has redundant systems and sufficient excess capacity.
Distributed Denial of Service (DDoS)
Prevention
• Enable rate limiting at the network perimeter
• Create backup remote site networks with multiple address capability
• Segment web services across multiple machines and networks
• Host public facing websites with ISPs having the capability to withstand significant DDoS attacks
Distributed Denial of Service (DDoS)
MITIGATION
• Execute ISP address rotation.
• Block source IP addresses that are generating DDoS traffic at the network boundary or within the ISP infrastructure. (DDoS attacks can come from tens of thousands of addresses that rotate randomly, making this strategy difficult to implement.)
• Acquire increased bandwidth from the ISP. (This solution is limited by your own servers' ability to handle the increased traffic.)
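The two DDoS controls the briefing names that a local team can implement itself are perimeter rate limiting (prevention slide) and blocking the heaviest source addresses at the boundary (mitigation slide). The example below is added here and is not part of the briefing: it replays a constructed access log (the timestamps, addresses and paths are made up) through a per-source token-bucket limiter, then ranks sources by request volume the way a boundary block list would be seeded. The rate and burst values are assumptions chosen for the demonstration.

```python
from collections import Counter, defaultdict

# Constructed sample web-server access log (not from the briefing):
# "<seconds> <client address> <method> <path>". One client hammers the
# site while another pays a bill at a normal pace.
SAMPLE_LOG = """\
0.0 198.51.100.7 GET /
0.1 198.51.100.7 GET /
0.2 198.51.100.7 GET /
0.3 198.51.100.7 GET /
0.4 198.51.100.7 GET /
0.5 198.51.100.7 GET /
0.6 198.51.100.7 GET /
1.0 203.0.113.9 GET /pay-water-bill
5.0 203.0.113.9 POST /pay-water-bill
6.0 198.51.100.7 GET /
"""


class TokenBucket:
    """Token-bucket limiter: a client may burst up to `burst` requests,
    after which it is held to `rate` requests per second on average."""

    def __init__(self, rate, burst):
        self.rate = rate            # tokens refilled per second
        self.burst = burst          # bucket capacity (allowed burst)
        self.tokens = float(burst)
        self.last = 0.0             # time of the previous decision

    def allow(self, now):
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def parse_line(line):
    ts, ip, method, path = line.split()
    return float(ts), ip, method, path


def apply_rate_limit(log_text, rate=1.0, burst=5):
    """Replay the log through one bucket per source address and return
    (timestamp, address, "allow" | "drop") for every request."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _method, _path = parse_line(line)
        verdict = "allow" if buckets[ip].allow(ts) else "drop"
        decisions.append((ts, ip, verdict))
    return decisions


def heaviest_sources(log_text, top=3):
    """Rank source addresses by request count: candidates for a boundary
    block list. As the briefing notes, attackers rotate addresses, so this
    ranking must be recomputed continuously rather than applied once."""
    counts = Counter(parse_line(l)[1] for l in log_text.splitlines() if l.strip())
    return counts.most_common(top)


if __name__ == "__main__":
    for ts, ip, verdict in apply_rate_limit(SAMPLE_LOG):
        print(f"{ts:5.1f} {ip:14} {verdict}")
    print(heaviest_sources(SAMPLE_LOG))
```

With a burst of 5 and a refill of one token per second, the noisy client gets its first five requests through, has the next two dropped, and is admitted again once enough time has passed; the legitimate client is never touched. Limiting per source address is exactly what a rotating botnet defeats, which is why the briefing pairs it with ISP-side capacity and address rotation.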
SQL Injection (SQL-I)
WHAT IS IT?
A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code, bypassing the firewall.
Used to steal information from a database and/or to gain access to an organization's host computers through the computer that is hosting the database.
SQL Injection (SQL-I)
Who uses it?
State sponsored, cyber criminals, Hackers, Hacktivists, Jihadists, Anonymous, script-kiddies
Very effective tools are freely available.
Recipes for finding targets (called Google dorks) are all over the open internet.
SQL Injection (SQL-I)
Local Examples?
KCKPD
Release of Accident records and related personal
information
Wichita
Release of vendor/personal financial information
SQL Injection (SQL-I)
Prevention
• Limit database services
• Assure all applications and operating systems are patched to current level
• Keep an eye out for announced vulnerabilities
• Dynamic monitoring at the firewall or application server
• Threat detection services
• Application configuration security (Passwords)
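The "What is it?" slide says an attacker executes unauthorized SQL commands by taking advantage of insecure code; the prevention slide adds dynamic monitoring at the application server. The example below is added here and is not the briefing's own material: it builds a constructed in-memory SQLite vendor table (the names and tax IDs are made up), shows the insecure pattern (user text concatenated into the query) beside the parameterized form that removes the defect, and adds a coarse input-monitoring heuristic of the kind an application-server filter might log. The heuristic is an assumption for illustration; parameterized queries are the actual fix.

```python
import re
import sqlite3


def build_db():
    """Constructed sample database: a small vendor table like the municipal
    financial records mentioned in the briefing (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vendors (id INTEGER, name TEXT, tax_id TEXT)")
    conn.executemany("INSERT INTO vendors VALUES (?, ?, ?)", [
        (1, "Acme Paving", "TAX-0001"),
        (2, "Metro Water Supply", "TAX-0002"),
        (3, "Riverside Electric", "TAX-0003"),
        (4, "O'Brien Paving", "TAX-0004"),
    ])
    return conn


def lookup_vulnerable(conn, vendor_name):
    """The insecure pattern: the user's text is spliced into the SQL, so
    characters in it (quotes, OR, comments) change the query's meaning.
    A legitimate apostrophe breaks it; a crafted value widens it."""
    sql = "SELECT name, tax_id FROM vendors WHERE name = '" + vendor_name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, vendor_name):
    """The fix: the value travels as a bound parameter and is treated as
    data only, whatever characters it contains."""
    sql = "SELECT name, tax_id FROM vendors WHERE name = ?"
    return conn.execute(sql, (vendor_name,)).fetchall()


# Coarse monitoring heuristic (assumption for illustration): quote followed
# by a boolean operator, UNION SELECT, comment markers or statement
# separators in a single form field are worth logging for review.
SUSPECT = re.compile(r"""['"]\s*(or|and)\b|union\s+select|--|;|/\*""", re.I)


def looks_like_injection(value):
    return bool(SUSPECT.search(value))


def demo():
    """Run three inputs through both lookups and the monitor."""
    conn = build_db()
    results = {}
    cases = [
        ("normal", "Acme Paving"),        # ordinary lookup
        ("apostrophe", "O'Brien Paving"), # legitimate name with a quote
        ("hostile", "x' OR '1'='1"),      # constructed tautology input
    ]
    for label, value in cases:
        try:
            results["vulnerable_" + label] = lookup_vulnerable(conn, value)
        except sqlite3.Error as exc:
            results["vulnerable_" + label] = "error: " + str(exc)
        results["safe_" + label] = lookup_parameterized(conn, value)
        results["flagged_" + label] = looks_like_injection(value)
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:22} {val}")
```

The concatenated query returns every row for the tautology input and fails outright on a vendor whose name contains an apostrophe; the parameterized query returns exactly the matching row in both cases. The monitor flags the hostile input without flagging the apostrophe, but it is a detection aid, not a substitute for binding parameters.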
SQL Injection (SQL-I)
MITIGATION
• Watch for "breach" announcements
• Notification process
• Prevent further breaches (turn off access till it's fixed)
• Aggressively pursue disclosures
• Where applicable, get outside help (FBI, DHS, USSS, commercial services)
DEFACEMENT
WHAT IS IT?
Any unauthorized changes made to the appearance of either a single webpage or an entire site. In some cases, a website is completely taken down and replaced by something new.
DEFACEMENT
Who uses it?
Plethora of Jihadists
“Anonymous” Affiliates
Syrian Electronic Army
POH (Plain old hackers)
DEFACEMENT
Examples?
Akron OH
Marines.com
Huffington
MO.GOV
Check out www.zone-h.com
(database of 180,000)
DEFACEMENT
Prevention / Mitigation
• Keep server systems and CMS apps up-to-date
• Better passwords
• Don't share system accounts outside the organization
• Reputation monitoring services
• Good backups
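Two of the defacement controls above, monitoring and good backups, depend on knowing what the site is supposed to look like. The example below is added here and is not the briefing's own material: it takes a SHA-256 baseline of a constructed website tree in a temporary directory, simulates a defacement (home page rewritten, a new page dropped in, a style sheet deleted), and reports what a baseline comparison catches. The file names and contents are made up for the demonstration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (path relative to root, '/' separated)
    to the SHA-256 digest of its contents."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = digest
    return digests


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh snapshot.
    Any non-empty result outside a planned release is a signal to restore
    from backup and investigate."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "removed": removed}


def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed site: baseline it, simulate a defacement, compare."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "index.html", b"<h1>City of Example</h1>")
        write(root, "about.html", b"<p>About the city</p>")
        write(root, "css/site.css", b"body { margin: 0 }")
        baseline = snapshot(root)          # taken at deployment time

        # Simulated unauthorized changes (constructed, not a real incident)
        write(root, "index.html", b"<h1>Defaced</h1>")
        write(root, "hacked.html", b"<p>unexpected page</p>")
        os.remove(os.path.join(root, "css", "site.css"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored off the web server (an attacker who can rewrite pages can rewrite a baseline kept beside them) and the comparison run on a schedule; the same digests also verify that a restore from backup actually returned the site to its known-good state.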
Attacks That Get Through The Firewall
APT – The Really Bad Stuff
• Computer network exploitation by threat actors enables:
  • Massive financial losses
  • Degradation/disruption of services
  • Extortion
  • Intellectual property theft
  • Counterfeiting
  • Theft of proprietary data
  • Identity theft (personally identifiable information)
  • Access to credit
  • Loss of money and credibility
Computer Network Exploitation
The Bad Guys are INSIDE the computer now.
(Try to stay on the left side of the Cyber "Kill Chain")
Spear-Phishing
• Targeted e-mails containing malicious attachments or links
• E-mails forged to look as if they came from a legitimate source and have a subject that the victim is likely to open.
• Target e-mail addresses can be harvested from Web sites, social networks, etc.
• Targeting of CEOs, executives is called "whaling".
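The spear-phishing slide describes mail forged to look legitimate, with an enticing subject and a malicious attachment or link. The example below is added here and is not part of the briefing: it parses two constructed messages (a forged one and an ordinary one; the addresses, domains and contents are made up, and the municipal domain example-city.gov is an assumption) and reports the forgery signals a mail gateway or analyst would look for. These checks complement sender authentication (SPF, DKIM, DMARC) rather than replace it.

```python
import re
from email import message_from_string

# Assumed municipal mail domain for this example (not from the briefing).
TRUSTED_DOMAIN = "example-city.gov"

RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta")
URGENCY_WORDS = ("urgent", "immediately", "today", "wire", "overdue")

# Constructed sample messages (not real mail).
PHISH = """\
From: "City Manager <manager@example-city.gov>" <billing@mail-example-city.com>
Reply-To: invoices@attacker-example.net
To: clerk@example-city.gov
Subject: Urgent: signed contract attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached contract and confirm today.
--b1
Content-Type: application/octet-stream; name="contract.pdf.exe"
Content-Disposition: attachment; filename="contract.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

BENIGN = """\
From: "Finance Office" <finance@example-city.gov>
To: clerk@example-city.gov
Subject: April invoice summary
Content-Type: text/plain

The April summary will follow next week.
"""


def split_address(header):
    """Return (display name, address) for a From/Reply-To value. Written by
    hand so a display name that itself contains <...> is kept whole instead
    of being mistaken for the real address."""
    header = header.strip()
    if header.endswith(">") and "<" in header:
        cut = header.rfind("<")
        return header[:cut].strip().strip('"'), header[cut + 1:-1].strip()
    return "", header


def domain_of(text):
    """Domain following the first '@' in text, lower-cased, or ''."""
    m = re.search(r"@([A-Za-z0-9.-]+)", text)
    return m.group(1).lower() if m else ""


def analyze(raw):
    msg = message_from_string(raw)
    findings = []

    display, sender = split_address(msg.get("From", ""))
    sender_domain = domain_of(sender)

    # 1. Display name carrying an address from a different domain.
    embedded = domain_of(display)
    if embedded and embedded != sender_domain:
        findings.append("display name shows a different domain than the sender address")

    # 2. Sender domain that resembles the trusted one but is not it.
    label = TRUSTED_DOMAIN.split(".")[0]
    if sender_domain != TRUSTED_DOMAIN and label in sender_domain:
        findings.append("look-alike sender domain: " + sender_domain)

    # 3. Replies silently redirected elsewhere.
    reply_domain = domain_of(split_address(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender_domain:
        findings.append("Reply-To domain differs from sender domain")

    # 4. Pressure language in the subject.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency wording in subject")

    # 5. Executable or double-extension attachments.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name:
            continue
        if name.endswith(RISKY_EXTENSIONS):
            findings.append("executable attachment: " + name)
        if name.count(".") >= 2:
            findings.append("double file extension: " + name)
    return findings


if __name__ == "__main__":
    print("PHISH  ->", analyze(PHISH))
    print("BENIGN ->", analyze(BENIGN))
```

The forged message trips every check (mismatched display-name domain, look-alike sender domain, foreign Reply-To, urgency in the subject, and an executable hiding behind a ".pdf" name), while the routine finance message produces no findings. Each signal is weak on its own; a gateway would score them together and quarantine above a threshold.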
Sample Phishing Website
(Via fsecure.com)
Sample Phishing Website
Compromised police academy server in India
(Via fsecure.com)
(Via nytimes.com)
Prevention
Constant Education
Information Sharing between agencies
OPSEC
Cyber Hygiene
PASSWORDS!!!!!!!!!!!!!
Response plans
Cyber Tabletop Exercises
Test Your Capabilities
Figure Out Roles and Responsibilities
What is your plan?
How to recover?
WHO ?
COST ?
How to mitigate
CRITICAL SERVICES
How to deal with the public
PUBLIC CONFIDENCE
LIABILITY
EVALUATE YOUR RISK.
THREAT + VULNERABILITY + CONSEQUENCE = RISK
WHO CAN YOU CALL?
Fusion Center:
KC Regional Terrorism Early Warning
Cyber Threat Intelligence Program
kctew@kcpd.org
(816) 413-3588
Missouri Information Analysis Center
St Louis Terrorism Early Warning
NFCA Cyber Intelligence Network (CIN)
Troy Campbell – Co-Chair – KCTEW
Devin King – Co-Chair – LA-SAFE
Regional coordinators (shown on a U.S. map in the original slide):
• Western Regional Coordinator – Dana Kilian (NCRIC)
• Central Regional Coordinator – John Burrell (MATIC)
• Midwest Regional Coordinator – Kelley Goldblatt (MC3)
• Northeast Regional Coordinator – Brett Paradis (CTIC)
• National Capital Regional Coordinator – Fleming Campbell (WRTAC)
• Southeast Regional Coordinator – Heather Perez (CFIX)
WHO CAN YOU CALL?
The Department of Homeland Security (DHS)
The National Cybersecurity & Communications Integration
Center (NCCIC)
The U.S. Computer Emergency Readiness Team (US-CERT)
The Industrial Control Systems Cyber Emergency Response
Team (ICS-CERT)
The National Coordinating Center for Telecommunications
(NCC)
WHO CAN YOU CALL?
The USSS – US SECRET SERVICE
Your Nearest field office usually has a local
Electronic Crimes Task Force
Has Critical Incident Response Teams
WHO CAN YOU CALL?
The Federal Bureau of Investigation (FBI)
Your Local FBI Cyber Division
FBI CyWatch
FBI Critical Incident Response Group (CIRG) Strategic Information and Operations Center (SIOC)
WHO CAN YOU CALL?
KC Regional Terrorism Early Warning
Cyber Threat Intelligence Program
kctew@kcpd.org
(816) 413-3588
Discussion
Contact:
Troy Campbell
KCTEW
Cyber Threat Intelligence Program
tcampbell@kcpd.org
(816) 413-3588
Cyber Information Sharing Issues
Cyber Information Sharing – A Challenging Process
Issues in Intelligence Information Sharing
• No Cross Community Standards
  • Formats
  • Flow Paths
• Classification Downgrades
• Identity requests
• Standard terminology
• Two-way information Flows