Combating Corporate Espionage

Espionage & The Law
Speakers
Jarrett Kolthoff, President / CEO
SpearTip
800.236.6550
jkolthoff@speartip.com
@SpearTipCyberCI
web: speartip.com
Jarrett Kolthoff, President / CEO of SpearTip, has 20 years of experience in
the Information Security field. As a former Special Agent – U.S. Army
Counterintelligence, he has experience in cyber investigations,
counterintelligence, and Fusion Cell analysis that assists SpearTip’s clients to
identify, assess, neutralize, and exploit threats leveled against their
corporation. His civil case work includes investigations in anti-trust
lawsuits, embezzlement, collusion, theft of intellectual property, and
corporate espionage. He has testified in civil cases as an expert computer
forensic witness in depositions in the U.S. Federal Court – Eastern District
of Missouri, and has acted as a liaison between companies and law
enforcement agencies.
• Board Member, National Forensic Science Technology Center (NFSTC)
• Adjunct Professor, Washington University in St. Louis – Cyber Security Master’s Program
• Member, Association of Former Intelligence Officers (AFIO)
• Member, Espionage Research Institute International (ERII)
• Board Member & Past-President, St. Louis InfraGard Chapter
• Board Member & Past-President, St. Louis Chapter of the International High Technology Crime Investigation Association (HTCIA)
Speakers
Shawn Tuma, Partner
BrittonTuma
469.635.1335
stuma@brittontuma.com
@shawnetuma
blog: shawnetuma.com
web: brittontuma.com
Shawn Tuma is a lawyer whose practice is focused on cutting-edge cyber and
information law and includes issues like helping businesses defend their data
and intellectual property against computer fraud, data breaches, hacking,
corporate espionage, and insider theft. Shawn stays very active in the cyber
and information law communities:
• Chair, Collin County Bar Association Civil Litigation & Appellate Law Section
• College of the State Bar of Texas
• Privacy and Data Security Committee of the State Bar of Texas
• Computer and Technology, Litigation, Intellectual Property Law, and Business Sections of the State Bar of Texas
• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
• Social Media Committee of the American Bar Association
• North Texas Crime Commission, Cybercrime Committee
• International Association of Privacy Professionals
The information provided is for educational purposes only, does not constitute legal
advice, and no attorney-client relationship is created by this presentation.
Cyber Counterespionage
Competitive & State-Sponsored Threats
Outline
• Emerging Threats / Market Analysis
• Insider Threats
• Malware Analysis
• Fusion Cell Analysis
• Espionage Case Studies
• Computer Fraud & Abuse Act
• Federal and Texas Law
Emerging Threats – Hacking Groups
Rapidly Emerging Underground Industry (Several Examples Of Successful Large Scale Operations)
• Organization: High
• Capability: High
• Intent
  – “Hacktivism”
  – Financial / Political Gain
  – Terrorist Organization Funding
U.S. DOJ – OIG Audit Division, April 2011
• Compares Technical vs. Counterintelligence
• Proper Use of Fusion Cell Analysis
• Practical Experience Over Just Training
• Intrusion Cases vs. Other Cyber Crimes
  – Specialization – Forensics, Intrusion, Malware Analysis
Office of the National Counterintelligence Executive
• Report to Congress on Foreign Economic / Industrial Espionage
  – Governments of China & Russia
  – “Hacktivist” – Political & Social Agendas
  – Theft of Intellectual Property & Dual Use Technology
Forrester Research – Value of Corporate Secrets
• Current Data Security Strategies
  – Identify the Most Valuable Information Assets
  – Create a “Risk Register” – Compliance / Corporate Secrets
  – Assess Balance Between Compliance & Protecting Secrets
• Establish Baseline
  – Reprioritize Enterprise Security Investment
  – Increase 3rd Party Vigilance
  – Measure Effectiveness – Key Performance Indicators (KPIs) and “Audit the Auditor”
U.S. Intelligence Community
Insider Threat
NON-CYBER COLLECTION EFFORTS
• Requests for Information (RFI). Foreign collectors make unsolicited direct and indirect requests for information via personal contacts, telephone, e-mail, fax, and other forms of communication and often seek classified, sensitive, or export-controlled information.
• Solicitation or Marketing of Services. Foreign companies seek entrée into US firms and other targeted institutions by pursuing business relationships that provide access to sensitive or classified information, technologies, or projects.
• Conferences, Conventions, and Trade Shows. These public venues offer opportunities for foreign adversaries to gain access to US information and experts in dual-use and sensitive technologies.
• Official Foreign Visitors and Exploitation of Joint Research. Foreign government organizations, including intelligence services, use official visits to US Government and cleared defense contractor facilities, as well as joint research projects between foreign and US entities, to target and collect information.
• Foreign Targeting of US Visitors Overseas. Whether traveling for business or personal reasons, US travelers overseas—businesspeople, US Government employees, and contractors—are routinely targeted by foreign collectors, especially if they are assessed as having access to some sensitive information.
• Open Source Information. Foreign collectors are aware that much US economic and technological information is available in professional journals, social networking and other public websites, and the media.
Fusion Cell Analysis
• Building Diverse Team – Tech/JD/GRC/Biz/Linguist
• HUMINT / Network & Host Forensic / OSINT / TSCM
• Combination of disk forensics and memory forensics can paint a more complete picture.
• Time-Event Charts / Association Matrices / Link Analysis
• Analysis of Diverse Data – Mature Methodology
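The time-event chart, association matrix and link analysis the slide lists can all be derived from one normalized event set, once each discipline's findings are expressed as timestamps plus the entities observed together. The Python below is an added example written for this page, not SpearTip's own tooling or methodology; the events, entity names, source labels (HOST, NET, OSINT, HUMINT) and addresses (from the TEST-NET documentation range) are all constructed.

```python
"""Added example (not from the slides): fusing events from several collection
disciplines into a time-event chart, an association matrix and a link path."""
from collections import defaultdict, deque
from datetime import datetime
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed sample events. Each one records which entities (users, hosts,
# files, external addresses, people) one discipline observed together.
# Source labels are assumed; addresses are from the TEST-NET documentation range.
EVENTS = [
    {"time": "2013-05-02T09:14:00", "source": "HOST",
     "entities": {"WS-017", "jdoe", "DesignSpecs.zip"},
     "note": "disk forensics: archive created under the user's profile"},
    {"time": "2013-05-02T09:20:00", "source": "NET",
     "entities": {"WS-017", "203.0.113.77"},
     "note": "network forensics: large outbound transfer to external host"},
    {"time": "2013-05-03T11:05:00", "source": "OSINT",
     "entities": {"203.0.113.77", "rivalco-mail"},
     "note": "open source: host advertised as a competitor's mail relay"},
    {"time": "2013-05-06T14:30:00", "source": "HUMINT",
     "entities": {"jdoe", "R. Vendor"},
     "note": "interview: employee met an outside contact at a trade show"},
    {"time": "2013-05-01T08:00:00", "source": "HOST",
     "entities": {"WS-017", "jdoe"},
     "note": "disk forensics: interactive logon"},
]


def time_event_chart(events: List[dict]) -> List[dict]:
    """Order events chronologically regardless of which discipline supplied them."""
    return sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))


def association_matrix(events: List[dict]) -> Dict[Tuple[str, str], int]:
    """Count how often each pair of entities is observed together.

    Keys are sorted pairs, so (a, b) and (b, a) accumulate in one cell."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for event in events:
        for a, b in combinations(sorted(event["entities"]), 2):
            counts[(a, b)] += 1
    return dict(counts)


def link_path(events: List[dict], start: str, goal: str) -> List[str]:
    """Link analysis: shortest chain of co-observed entities from start to goal.

    Breadth-first search over the entity graph; empty list when no chain exists."""
    adjacency: Dict[str, set] = defaultdict(set)
    for event in events:
        for a, b in combinations(event["entities"], 2):
            adjacency[a].add(b)
            adjacency[b].add(a)
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in sorted(adjacency[path[-1]]):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return []


if __name__ == "__main__":
    for event in time_event_chart(EVENTS):
        print(event["time"], event["source"].ljust(6), event["note"])
    for pair, n in sorted(association_matrix(EVENTS).items()):
        print(f"{pair[0]} <-> {pair[1]}: {n}")
    print(" -> ".join(link_path(EVENTS, "DesignSpecs.zip", "rivalco-mail")))
```

The point of the matrix is that no single discipline links the archive to the competitor: disk forensics ties the file to the workstation, network forensics ties the workstation to the external host, and open-source research ties the host to the competitor. The link path makes that chain explicit so it can be checked, and challenged, by the legal and business members of the team.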
Malware Analysis
• Memory contains information that may not be found on disk
• Can locate keyloggers running on the system
• Can reveal malware that may not leave traces on disk
• Attackers making more use of “on the fly” memory modifications to foil disk forensics and antivirus
• Lsass.exe was trying to talk within the network environment on port 6666 (Process Injection)
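The lsass.exe observation on the slide is a role-versus-behaviour mismatch: a process whose job is local authentication has no business opening a connection on port 6666. That mismatch can be checked mechanically against a baseline of which remote ports each sensitive process is expected to use. The Python below is an added example for this page, not SpearTip's tooling; the connection rows are constructed in the shape a memory-forensics network scan produces, and the per-process port baseline, the "never outbound" set and the "internal only" set are assumptions a defender would tune to their own environment.

```python
"""Added example (not from the slides): checking process network behaviour
against an expected-role baseline, the kind of check that surfaces an
lsass.exe injected to talk on an unusual port."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Connection:
    """One row as a memory-forensics network scan would list it."""
    pid: int
    process: str
    local: str    # "ip:port"
    remote: str   # "ip:port"
    state: str    # ESTABLISHED, SYN_SENT, LISTENING, ...


# Assumed baseline, to be tuned per environment. lsass.exe authenticates
# against domain controllers, so Kerberos/LDAP/SMB to internal hosts is
# normal for it; any other destination port is not.
EXPECTED_REMOTE_PORTS: Dict[str, Set[int]] = {
    "lsass.exe": {88, 389, 445, 464, 636, 3268, 3269},
    "svchost.exe": {53, 80, 123, 443},
}
# Assumed: processes that should never originate a connection.
NEVER_OUTBOUND: Set[str] = {"explorer.exe"}
# Assumed: processes that should only reach internal (private) addresses.
INTERNAL_ONLY: Set[str] = {"lsass.exe"}
# Only connections the host itself initiated are checked here.
OUTBOUND_STATES = {"ESTABLISHED", "SYN_SENT"}

# Constructed sample rows: one normal lsass.exe Kerberos session, the
# injected lsass.exe session from the slide (port 6666 to an internal host),
# a browser with no baseline entry, and explorer.exe opening a connection.
SAMPLE_CONNECTIONS = [
    Connection(4, "System", "0.0.0.0:445", "0.0.0.0:0", "LISTENING"),
    Connection(624, "lsass.exe", "10.0.0.15:49211", "10.0.0.2:88", "ESTABLISHED"),
    Connection(624, "lsass.exe", "10.0.0.15:49377", "10.0.0.27:6666", "ESTABLISHED"),
    Connection(1020, "svchost.exe", "10.0.0.15:52004", "10.0.0.2:53", "ESTABLISHED"),
    Connection(2260, "explorer.exe", "10.0.0.15:52310", "203.0.113.9:443", "SYN_SENT"),
    Connection(3344, "chrome.exe", "10.0.0.15:52411", "203.0.113.50:443", "ESTABLISHED"),
]


def _split_endpoint(endpoint: str):
    host, port = endpoint.rsplit(":", 1)
    return host, int(port)


def analyze(connections: List[Connection]) -> List[dict]:
    """Return one finding per outbound connection that violates the baseline."""
    findings = []
    for conn in connections:
        if conn.state not in OUTBOUND_STATES:
            continue  # listeners are out of scope for this check
        name = conn.process.lower()
        host, port = _split_endpoint(conn.remote)
        reason = None
        if name in NEVER_OUTBOUND:
            reason = "process is not expected to initiate connections"
        elif name in EXPECTED_REMOTE_PORTS and port not in EXPECTED_REMOTE_PORTS[name]:
            reason = f"unexpected remote port {port} for {name} (possible process injection)"
        elif name in INTERNAL_ONLY and not ipaddress.ip_address(host).is_private:
            reason = f"{name} reached non-internal address {host}"
        elif name not in EXPECTED_REMOTE_PORTS:
            reason = "no baseline entry for this process; review"
        if reason:
            findings.append({"pid": conn.pid, "process": conn.process,
                             "remote": conn.remote, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_CONNECTIONS):
        print(f"[pid {finding['pid']}] {finding['process']} -> "
              f"{finding['remote']}: {finding['reason']}")
```

The check deliberately runs on the memory-derived connection table rather than on disk artifacts: an injected lsass.exe leaves no new binary on disk, but the socket it opened is visible in a memory image. Treat the baseline as a starting point; the first run in any real environment will mostly surface legitimate processes that need baseline entries.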
Introduction
It has become the industry standard, and a necessity for enterprises, to defend their external perimeter with the latest firewalls and most advanced intrusion prevention systems (IPS). Although these devices play an important role in any enterprise network, they all lack one crucial capability and functionality: Cyber Pre-Attack Intelligence.
Cyber Threats
• SpearTip has identified a number of organizations, consisting of loose networks of hackers, who communicate through forums, social networks and more established communities
• The following are individual analyses of the players identified in the context of cyber-attacks against financial institutions
Advanced Cyber Threat Detection – Analysis Summary
Cyber Counterintelligence provides the unique combination of up-to-date malware-related threat intelligence gathered from live botnets, correlated with an enterprise’s external IP addresses:
• Information Stealers
• Worms
• DDoS Malware
• Remote Access Tools
• Downloaders
• Spammers
• HTTP-Proxy Malware
• Exploit Kits (Currently Active)
THE FOLLOWING INFORMATION WAS ETHICALLY COLLECTED WHILE CONDUCTING CYBER SOURCE OPERATIONS ON THOUSANDS OF CRIMINAL NETWORKS.
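The correlation step described above reduces, at its core, to matching victim addresses from a botnet-derived feed against the address space the enterprise owns. The Python below is an added example for this page, not SpearTip's product or data; the enterprise ranges (TEST-NET documentation blocks) and the feed rows are constructed, with one malformed row included to show how a dirty feed is handled, and the family names follow the categories on the slide.

```python
"""Added example (not from the slides): correlating victim addresses taken from
botnet-derived threat intelligence with an enterprise's external IP ranges."""
import ipaddress
from collections import Counter
from typing import Dict, List

# Constructed: the enterprise's public ranges, from the TEST-NET documentation blocks.
ENTERPRISE_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.128/25")]

# Constructed feed rows in the shape a botnet-derived victim list might take;
# the families match the categories on the slide. One row is deliberately malformed.
THREAT_FEED = [
    {"family": "Information Stealer", "victim_ip": "198.51.100.42", "last_seen": "2013-05-01"},
    {"family": "DDoS Malware", "victim_ip": "192.0.2.17", "last_seen": "2013-05-01"},
    {"family": "Remote Access Tool", "victim_ip": "203.0.113.200", "last_seen": "2013-05-02"},
    {"family": "HTTP-Proxy Malware", "victim_ip": "203.0.113.10", "last_seen": "2013-05-02"},
    {"family": "Downloader", "victim_ip": "not-an-address", "last_seen": "2013-05-03"},
]


def correlate(feed: List[dict], networks) -> List[dict]:
    """Return feed rows whose victim address falls inside one of the networks."""
    matches = []
    for row in feed:
        try:
            addr = ipaddress.ip_address(row["victim_ip"])
        except ValueError:
            continue  # malformed feed rows are skipped rather than aborting the run
        for net in networks:
            if addr in net:
                matches.append({**row, "network": str(net)})
                break
    return matches


def summarize(matches: List[dict]) -> Dict[str, int]:
    """Count matched hosts per malware family."""
    return dict(Counter(m["family"] for m in matches))


if __name__ == "__main__":
    hits = correlate(THREAT_FEED, ENTERPRISE_NETWORKS)
    for hit in hits:
        print(f"{hit['victim_ip']} ({hit['network']}): {hit['family']}, last seen {hit['last_seen']}")
    print(summarize(hits))
```

A hit tells you that something behind one of your public addresses checked in to a botnet, not which internal host did so; behind NAT or a proxy that address can front hundreds of machines, so the next step is to pivot into proxy, DNS and firewall logs for the window around `last_seen`.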
Computer Fraud and Abuse Act
Federal Law – 18 U.S.C. § 1030
Computer Fraud = Fraud 2.0
• Deception, through the use of a computer
• “old crimes committed in new ways … using computers and the Internet to make the task[s] easier”
• computer hacking, data theft, theft of money, breaches of data security, corporate espionage, privacy breaches, computer worms, Trojan horses, viruses, malware, denial of service attacks
• mouse and keyboard = modern fraudster tools of choice
Who knows the percentage of businesses that suffered at least one act of computer fraud in the last year?
90% (Ponemon Institute Study)
The CFAA says – has a processor or stores data
“the term ‘computer’ means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but …”
IMPORTANT! “such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;”
What about . . .
The Fourth Circuit says
“That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, . . . .”
– United States v. Kramer
The CFAA applies only to “protected” computers
This may limit the problem of applying it to alarm clocks, toasters, and coffee makers – for now?
Protected = connected to the Internet
Any situations where these devices are connected?
The CFAA: access of or transmission to a protected computer that is
• Without authorization, or
• Exceeds authorized access
Where the person accessing
• Obtains information
• Commits a fraud
• Obtains something of value
• Transmits damaging information
• Causes damage
• Traffics in passwords
• Commits extortion
More Federal Laws for Combating Fraud 2.0
• Electronic Communications Privacy Act – 18 U.S.C. § 2510
  – Wiretap Act – intercepting communications
  – Stored Communications Act – communications at rest
• Fraud with Access Devices – 18 U.S.C. § 1029
  – devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive through swipe cards
• Identity Theft – 18 U.S.C. § 1028
Texas Laws for Combating Fraud 2.0
• Breach of Computer Security Act (Tx. Penal Code § 33.02)
  – knowingly access a computer without effective consent of owner
• Notification Required Following Breach of Security of Computerized Data (Tex. Bus. Comm. Code sec. 521.053), amended by SB 1610 (eff. 6/14/13)
• Fraudulent Use or Possession of Identifying Info (TPC § 32.51)
• Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)
• Unlawful Access to Stored Communications (TPC § 16.04)
• Identity Theft Enforcement and Protection Act (BCC § 48.001)
• Consumer Protection Against Computer Spyware Act (BCC § 48.051)
• Anti-Phishing Act (BCC § 48.003)
• Welcome to the world of Cyber Espionage
• CFAA is very broad and covers all kinds of computer fraud (sometimes) – evolving!
• Data Breaches – be prepared – it will happen!
• Many other Federal and Texas laws also available for combating computer fraud
• Cyber Insurance