How Threats evolve via Espionage & Warfare into Cyber Crime

eEconomy / Cyber Sec

Michael Goedeker - CEO

Our Story: Business Focused Security

o Our goal is to make threat Intel, and systems capable of providing actionable threat Intel, that businesses and nations can use.
o Initial start of Threat Research with Windows and Unix (first mainstream viruses): Firewalls, Logs, SNMP, Syslog, packet capture, IDS, IPS, SIEM & DAM
o Academic Research into Innovative leadership of Security Teams
o Research into Cyber Espionage / Warfare as a factor in Cyber Crime
o Creation of Cyber Unit Trainings for Gov. and Corporate Customers
o Creation of AIFM – Actionable Intel Focus Methodology
o Creation of PSTM – Proactive Security Team Methodology
o Creation of SITAM – Secure IT Asset Management Methodology
o Creation of ETM – Evolving Threat Methodology

© 2015 · Auxilium Cyber Security GmbH

Our approach to Security

o Creating an accurate picture
o Proactive security
o Understanding risks / threats
o Getting Actionable Intel

Assessment
o Continuous Research / Understanding Threats
o Always evolving and dynamic
o Creating proactive and tested methods
o PSTM
o SITAM
o ODA

Analyze
o Business Focused Security
o Security as a “business critical” process with benchmarks & goals
o Providing ROI for Security Investments that protect and increase revenue

[Diagram: cycle with the stages Assessment, Classify, Audit, Actionable Intel, Analyze, Improve]

Time for a Hypothesis

o H1 - Attacks are successful because they have become undetectable by current Anti Virus, Firewalls and other current technology
o H2 - Attacks are successful because they are dynamic & complex (spillover of tech)
o H3 - Attacks are becoming polymorphic in nature (due to them evolving and tech spillover), which makes them detection averse!
o H4 - Security Teams and Classical security training are not targeted at, and do not teach how to detect, spyware and next gen threats (our Proactive Security Team Methodology, PSTM)
o H5 - Current security processes, procedures and awareness are not adapted to coping with Next Gen Threats!
o H6 - When “new” attacks and technology are published or found, they are reverse engineered

The definition of “Cyber”

Definition of Cyber (What does it really mean?)
o Origin of cyber and what it meant, how that changed

Introduction to “Cyber” Security

“Cyber” really involves a few core things
o The Internet
o The eEconomy (how we use inter-connected systems for eCommerce and eBusiness)
o The Global Electronic World (Cyberspace)
o Traditional Network, Server and Clients that “connect” with each other
o Changes in how systems are attacked (Cyber Threats)
o Changes in Traditional Security due to new “threats” (Cyber Security)
o Changes in Warfare (Cyber War), Espionage (Cyber Espionage) and Crime (Cyber Crime)

Introduction to “Cyber” Security

Cyber History 101
o The Internet was never meant to be secure!
o A global system used to communicate with others
o The importance was on being able to communicate, even when the network was attacked with a nuclear bomb
o Used to connect military, agencies and universities
o Security was originally not a factor in this first version (ARPA)
o Security and confidentiality were never part of the equation

Introduction to “Cyber” Security

o Networks and the protocols of the Internet were not restricted in any real tangible ways because the objective was communication
o TCP / IP
o HTTP
o HTTPS (this came later with SSL)
o No one ever thought that this network would be as critical as it is today
o Interconnected Systems
o Basis for an entirely new type of economy
o This open communication is the root of most of the web application, network service, router and firewall hacks and vulnerabilities today
o Challenging communication connections
o Data-in-transit security
o Requests / Responses

Introduction to “Cyber” Security

o The Internet has formed the basis for eBusiness and eCommerce
o Small companies are now global players because of reduced investments needed to deliver goods
o Competition is totally different because all nations are part of the economy
o All nations are impacted by the eEconomy
o National Borders
o The Internet has no national identity or border
o 24/7, not closed for any holidays and always on
o Nations cannot control what comes in or out of their “portion” of the internet
o Legal Issues
o There is no global law for things “Cyber”
o No global police force that monitors who is misbehaving

Why Security is Business Critical

o Not just about large corporations, SMBs get attacked more and more
o SMBs spend less on security but also find fewer attacks; is there a connection?
o Security is a critical business process, it protects revenue and products

What is going on today in “Cyber”…

o Increase in attacks and complexity on all levels and for all businesses including SMBs!

What's going on in the Cyber World

o Here are some attacks in April..



What’s going on in the Cyber World

“Cyber” really involves a few core things


What’s going on in the Cyber World

The CAPEC Website and CybOx initiative


“Cybernetic” Definitions

o Cyber Espionage – This is the term that is used to refer to using computers, computer technology such as malware, viruses and more complex spyware for spying. Recently the lines that separate espionage from cyber crime, warfare and terrorism are very thin if not diluted
o Cyber has introduced a move from HUMINT to computer based espionage
o Think of the old classical phone taps and transpose this onto network devices, cables and connections

“Cybernetic” Definitions

o Cyber Crime – This is essentially using criminal tactics that use computer systems to steal data and also implant espionage technology in order to bypass security systems and personnel. Cyber crime can involve espionage tech as well as warfare tech (and often does). This is a newer type of “crime” and also has the more traditional crime approaches that use electronic means in an effort to lower the risk of capture and raise the return on investment of the criminal or gang.
o Traditional criminal acts by electronic means (i.e. cracking, card skimmers, interception).
o Leveraging criminal groups for espionage or hacktivism
o Cyber Terrorism

Cyber Threats – Security Evolves

o Open systems lead to new architecture, network services, new protocols and network devices that were created to enable global communication
o Based on the global nature of internet connected systems and potential attacks, security teams need a new approach to security
o New threats are also classified as “Cyber Threats” and can target anything and anyone 24/7

Cyber Threats

As new technology emerged and access to otherwise closed systems was opened, new types of attacks and technologies appeared that are used to attack those systems
o Botnets
o Social Botnets
o Espionage based attacks that steal data and information
o DOS / DDOS
o Drive-by-downloads
o Last Mile Interceptions
o Transmission Bugs / Intercepts
o Critical Infrastructure
o Cyber Kidnapping
o Cyber Extortion
o Hacktivism

How new threats enter the eEconomy

o When “new” attacks and technology are published or found, they are reverse engineered
o New attacks are then “rewritten” for cyber crime based attacks
o Stolen data is also purchased from crackers by nations
o Espionage is also done on a corporate level by nations
o New attacks lead to the need for better defenses and protection
o Security Teams as a result need to be dynamic, up to date, knowledgeable in Cyber Threats

[Diagram: threat evolution cycle with the stages Nation Develops Technology, Military Hacker uses attack on target, Target reverse engineers technology, Cyber Criminals modify technology, New Cyber Crime / War attack]

The eEconomy and Cyber Threats

o Everything connected to the Internet and its network of systems and businesses is a separate economy
o As discussed in the introduction, cyberspace has no traditional borders and so it spans the entire world
o Any attack on the internet such as a DOS (Denial Of Service) or DDOS (Distributed DOS) can potentially impact all businesses connected to the Internet
o Any Cyber War, Espionage and Crime can also impact this “Economy”

The eEconomy and Cyber Threats

o The Internet is global, has its own economy and in some cases its own currency (aka BitCoin, etc.)
o If someone attacks the Internet, they also attack this separate economy
o Does an attack on the Internet endanger local economies?
o Does Espionage make this economy more or less trusted and used?
o Who is responsible for governing the Internet and its economy?

Threats and Critical Infrastructure

o A term that only recently has come up in the cyber world
o Started in its more modern form in 1998 with the US Presidential directive PDD-63 of May 1998
o Listed vital and important assets that were critical to the country
o Was updated by President Bush on December 17th, 2003 by Homeland Security Presidential Directive HSPD-7 for “Critical Infrastructure Identification, Prioritization and Protection”

Critical Infrastructure Protection

Protecting Critical Infrastructure (audits, assessments, defense & threat / infection detection)
o National Borders
o Utilities
o Financial Industry and “Economy Critical”
o Global and National Corporations
o National and Local Government, Law enforcement, Agencies
o Military and Defense Industry
o Educational, Cultural, Parks, Museums
o Telecommunications, Transport and Agriculture

Threats and Critical Infrastructure

o Some of the “assets” deemed important to a nation’s stability and well-being are listed below
o The EU also has something similar called EUCOM 2006
o Another term is “Infracritical” and can be referenced at: http://www.infracritical.com/images/cipsectors5.jpg
o http://www.sciencedirect.com/science/article/pii/S1040619014000268

Critical assets:
o Water
o Power
o Banking & Financial Institutions
o Transportation, Logistics & Shipping
o Information & Communications
o Federal & Municipal services
o Emergency Services
o Fire Departments
o Public Works
o Agriculture & Food
o National Monuments & Icons

Attack Chain for Critical Infrastructure


Cyber Defense

o Understanding of writing Malware, Viruses, Worms and Rootkits
o Understanding of OS and Application Vulnerabilities
o Understanding of defensive technologies
o Interception methods (network, communications systems)
o Usage of OSINT against targets
o Understanding and reverse engineering previous attack technologies to understand how to defend
o Usage of executive buy-in
o Using Awareness and Awareness Campaigns
o Integration of ITIL Processes like Asset Management, Change Management, Incident Management, Problem Management, etc.
o Integration of ISO2700X
o Looking at and integrating SANS

Cyber Defense and Hacking

o Hackers are not Crackers (Criminal Hackers)
o Hackers understand technology, improve on it
o Find holes so that people are aware, ask for fixes
o Crackers are the criminals
o Crackers use vulnerabilities to exploit and break into systems
o Disrupt systems for financial gain or Lulz
o Hacktivists
o Like Crackers but have political motivations
o Can in extreme cases turn into Cyber Terrorists

Cyber Defense and Hacking

o Hacking is a science
o The reason or motivation tends to point to a narrow set of profiles
o Intel and Recon are vital to hacking

Cyber Defense and Hacking

o The reason for a hack defines the hacker profile
o Also points to possible goal
o Cyber Warfare
o Cyber Espionage / Corp Espionage
o Cyber Crime
o Cyber Terrorism

Cyber Defense and Hacking

o Intel
o Gathering information about the target and scoping out how the company operates are vital to successful hacking
o Good hackers will spend a majority of their time here (80%+)

Cyber Defense and Hacking

o After getting intel and noting down any interesting pieces of information, we move on to the next phase, which is identifying and looking for potential systems and vulnerabilities
o This includes using tools like google dorks, shodan and other tools that search but do not leave an imprint or trail

Cyber Defense and Hacking

o After identifying potential target systems it's now time to look at specific exploits and prepare them for testing
o We take the information from previous phases to select low-hanging fruit and then match these with zero day attacks or CVEs

Cyber Defense and Hacking

o After accessing a system it is then time to look around in the system for more important data or information, or to plant malware or rootkits
o While injecting or installing tools, it also becomes important to keep access by deleting important logs, alerts, etc.
o This phase is also where additional users are added to maintain access if activity is detected

Cyber Defense and Hacking

o Here we are close to the goal or have achieved the goal
o Data and information are saved and stored off-site
o Depending on the goal the website was defaced, the server was corrupted, a rootkit installed or systems disrupted
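The "keep access" phase described in the preceding slides (deleting logs and alerts, adding extra users) is also the phase a SOC has the best chance of catching, because each of those steps leaves its own log line before the logs are gone. The script below is an added example, not part of the deck and not Auxilium tooling: it runs a few constructed Linux syslog lines through simple rules for user creation, privileged group membership, log deletion and the audit service stopping, and flags a host where several distinct indicators cluster within a short window. The rule patterns, the window and the sample lines are assumptions.

```python
"""Flag post-compromise persistence and anti-forensics indicators in Linux auth/syslog lines.

Added example for this deck (not the deck's or Auxilium's own tooling).
The log lines, rules and thresholds below are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a legitimate login, then the "keep access" steps from the slides
SAMPLE_LOG = """\
Apr 14 02:11:03 web01 sshd[2231]: Accepted password for deploy from 10.0.0.5 port 51022 ssh2
Apr 14 02:12:41 web01 useradd[2290]: new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup, shell=/bin/bash
Apr 14 02:12:55 web01 usermod[2294]: add 'svc_backup' to group 'sudo'
Apr 14 02:13:20 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/rm -f /var/log/auth.log /var/log/wtmp
Apr 14 02:13:30 web01 systemd[1]: Stopped Security Auditing Service.
Apr 14 02:15:00 web01 CRON[2310]: (root) CMD (run-parts /etc/cron.hourly)
"""

# (category, pattern): each rule corresponds to one "keep access" technique from the slides
RULES = [
    ("new_user", re.compile(r"useradd\[\d+\]: new user: name=(?P<user>\S+?),")),
    ("privileged_group", re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(sudo|wheel|admin)'")),
    ("log_tamper", re.compile(r"COMMAND=\S*\b(rm|shred|truncate)\b.*?/var/log/")),
    ("audit_stopped", re.compile(r"Stopped Security Auditing Service")),
]

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")


def parse_line(line):
    """Split a syslog line into (timestamp, host, message); None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog carries no year; a fixed (1900) year is fine for computing deltas here
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["host"], m["msg"]


def find_indicators(log_text):
    """Return (timestamp, host, category, detail) for every rule that matches a line."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        for category, pattern in RULES:
            m = pattern.search(msg)
            if m:
                detail = m.groupdict().get("user") or m.group(0)
                hits.append((ts, host, category, detail))
    return hits


def hosts_with_persistence_pattern(hits, window_minutes=10, min_categories=2):
    """Hosts where at least min_categories distinct indicators fall inside one window.
    A single new user is routine admin work; a new user plus log deletion plus a
    stopped audit daemon within minutes is the pattern worth paging someone for."""
    by_host = defaultdict(list)
    for ts, host, category, _ in hits:
        by_host[host].append((ts, category))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            cats = {c for t, c in events[i:] if (t - start).total_seconds() <= window_minutes * 60}
            if len(cats) >= min_categories:
                flagged[host] = sorted(cats)
                break
    return flagged


if __name__ == "__main__":
    found = find_indicators(SAMPLE_LOG)
    for ts, host, category, detail in found:
        print(f"{ts:%H:%M:%S} {host} {category}: {detail}")
    print("escalate:", hosts_with_persistence_pattern(found))
```

Because the attacker's own log deletion destroys this evidence on the host, the rules only help if the lines are forwarded to a collector as they are written, which is the point of the SIEM agent rollout discussed later in the deck.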

Cyber Threats – Botnets

One of the biggest threats today in cyberspace is the Botnet
o Botnets are used in cyber war, espionage and crime
o Botnets can have very complex structures
o Are typically used for DOS/DDOS attacks and can have attack bandwidths over 100 Gbps!
o Are created very quickly and are very economical

[Diagram: Botnet structure with Command & Control Server, BotNet Owner, Cybil Creator, Social Media, Monitor, Target 1, Target 2, Target ….]
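The botnet diagram above shows every bot talking back to a command & control server. On the wire that check-in is usually the most regular traffic a host produces, which gives a defender a simple statistical handle on it. As an added example (not from the deck or Auxilium), the Python below takes constructed flow records, groups them per source/destination pair and flags pairs whose connection intervals are nearly constant, then groups the flagged sources by the server they beacon to. The flow tuples, IP addresses and thresholds are assumptions.

```python
"""Periodic-beacon detection over flow records: a defensive check for botnet
command-and-control traffic.

Added example for this deck, not the deck's or Auxilium's own tooling.
Flow records below are constructed; the thresholds are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    # infected host checking in with its C&C roughly every 60 seconds
    (0, "10.0.0.5", "203.0.113.10", 443, 512),
    (60, "10.0.0.5", "203.0.113.10", 443, 498),
    (121, "10.0.0.5", "203.0.113.10", 443, 505),
    (180, "10.0.0.5", "203.0.113.10", 443, 511),
    (241, "10.0.0.5", "203.0.113.10", 443, 500),
    (300, "10.0.0.5", "203.0.113.10", 443, 503),
    (361, "10.0.0.5", "203.0.113.10", 443, 509),
    (420, "10.0.0.5", "203.0.113.10", 443, 497),
    # a user browsing: same port, but human-paced, irregular gaps
    (5, "10.0.0.7", "198.51.100.20", 443, 14020),
    (9, "10.0.0.7", "198.51.100.20", 443, 3011),
    (130, "10.0.0.7", "198.51.100.20", 443, 8802),
    (131, "10.0.0.7", "198.51.100.20", 443, 1204),
    (400, "10.0.0.7", "198.51.100.20", 443, 22031),
    (402, "10.0.0.7", "198.51.100.20", 443, 905),
    (900, "10.0.0.7", "198.51.100.20", 443, 5120),
    # too few connections to judge periodicity
    (0, "10.0.0.9", "203.0.113.10", 443, 500),
    (60, "10.0.0.9", "203.0.113.10", 443, 500),
    (120, "10.0.0.9", "203.0.113.10", 443, 500),
]


def beacon_candidates(flows, min_connections=6, max_cv=0.15):
    """Return (src, dst, port, mean_interval, cv) for pairs whose connection
    intervals are nearly constant. cv = stddev/mean of the gaps: a bot on a
    fixed timer has a cv near 0, a human's browsing does not."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _size in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_connections:
            continue  # not enough samples to call anything periodic
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, port, round(avg, 1), round(cv, 3)))
    return sorted(hits)


def c2_fan_out(candidates):
    """Group beaconing sources by the destination they talk to: one suspected
    C&C server and every internal host that beacons to it."""
    servers = defaultdict(set)
    for src, dst, port, _avg, _cv in candidates:
        servers[(dst, port)].add(src)
    return {k: sorted(v) for k, v in servers.items()}


if __name__ == "__main__":
    found = beacon_candidates(SAMPLE_FLOWS)
    for src, dst, port, avg, cv in found:
        print(f"beacon suspect: {src} -> {dst}:{port} every ~{avg}s (cv={cv})")
    print(c2_fan_out(found))
```

The jitter threshold matters: some malware randomizes its sleep interval to defeat exactly this check, so in practice the cv cut-off is tuned against known-good traffic and combined with other signals (new destination, fixed payload size, off-hours activity) rather than used alone.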

Cyber Threats – Botnets (Normal)

There are different types of Botnets, we will talk about two
o “Traditional” or normal
o Social Media BotNet

Cyber Threats – Botnets (Social Media)

Cyber Threats - Botnet Attack Case Study

Here is an example of a Botnet attack case that we see and resolve on a regular basis
o Attack Case $Random Company

How Cyber Threats have emerged

o Initially we dealt with “typical” threats
o Malware, Virus, Worms
o Less from Nations
o More from Groups
o Increase in Hacktivism
o Emerging of Espionage as a way to steal corporate data
o Emerging of the “Military Hacker”

Threat Evolution Methodology

How Threats evolve via Espionage & Warfare into Cyber Crime
o Cyber Warfare Technology develops
o Cyber Espionage develops
o Developed technology finds its way into Cyber Crime groups
o Technology is reverse engineered

Threat Evolution Methodology

New Threats evolve from old
o Old Attacks are developed and tested
o Old technology improved
o New Types of attacks are developed
o New variants turn into completely new threats
o Traditional Security got “stuck”

Threat Evolution Methodology

How Threats evolve via Espionage & Warfare into Cyber Crime
o Cyber Warfare Technology develops

Cyber Defense / Anti Espionage

Defense
o Creation, Training, Implementation
o Support, Audits, Assessments
o Cyber Defense Systems

Offense
o Creation, Training, Implementation
o Support, Audits, Assessments
o Cyber Offense Systems

Products/Services
o Interception Detection / Blocking
o Secure Infrastructure

Cyber Defense / Anti Espionage

Impact factors of Cyber Defense
o Creation, Training, Implementation
o Support, Audits, Assessments
o Cyber Defense Systems

Cyber Defense / Anti Espionage

Social Engineering
o Drive-By-Downloads
o Phishing / Emails
o PDF or Email Attachments
o Dumpster Diving
o Tailgating

Intel
o Traditional
o Social Media
o Maltego
o Web Leaks

Cyber Defense / Anti Espionage

Web Applications / Web2.0, 3.0
o MitM
o SQLi (SQL injection)
o XSS – Cross Site Scripting
o Authentication (Verification)
o Weak Passwords (Cracking)

Cyber Defense / Anti Espionage

Hardware Hacking
o Baseband – Telephones
o Only 2 manufacturers
o Supply-Chain-Hacking/Espionage
o Firmware
o Out-of-Band Management
o AMT / Intel
o Out of band protocol used to spy on people via chipset
o Signals Hacking
o Signals Interception
o GSM, 3 and 4G
o Sat

Cyber Defense / Anti Espionage

Next Generation Hacking
o Combining old tech with new features
o Using Hostile Encryption (Ransom)
o Solutions that proactively intercept traffic and signals (Heat, Wifi, Sound)
o Application Backdoors
o Cloud Backdoors (AWS & Co.)
o Critical Infrastructure
o Cyber War / Espionage

SOC – Security Operations Center

Core ITIL Processes
o Incident & Problem Management (*)
o Change Management (*)
o Risk Management (*)
o Service Desk, Service Level Management (*)
o IT Asset, Configuration Mgmt. / CMDB (*)
o Application, Test and Development Mgmt.
o IT / Strategic Planning (*)
o Release, Deployment, Capacity & Availability Mgmt.
o Demand & Service Continuity Mgmt.
o Vendor / Supplier / Partner Management
o (*) = Minimal Requirements

SOC – Security Operations Center

Basic Level (logs, files, Agents, Monitoring)
o LAN / WAN / VPN / Proxy
o Firewall / IDS / IPS
o AV (Client, Server and Mobile Devices)
o Data Base Monitoring / Access & ID Management
o Service Desk

Advanced Level
o Software Catalogue, CMDB
o NAC
o SIEM
o Threat Intel (sensors & system)
o Proactive Security Tools and Lab

SOC – Security Operations Center

Personnel
o Manager
o SIEM / Monitoring Engineer
o Analyst
o Incident Response / Blue / Red(?) Teams

Technology
o Software
o Hardware
o Facilities / Data Center

Services
o Event Monitoring, Correlation, Incident Response/Management
o Consulting, Training
o Penetration Testing, Audits, Assessments

SOC – Security Operations Center

In-house
o Own staff & technology (larger companies)
o Higher Costs
o All Skills in house

Outsourced
o Outsourced staff & systems (SMBs)
o Skills purchased externally
o Lower Costs (depending on levels)

Hybrid
o Mixture of in-house and external staff & technologies
o Services via long term contracts possible
o Mixed costs (in some cases cheapest option)

SOC – Security Operations Center

SOC Reasons:

Laws, Regulations
o Based on National & International Laws
o High fines for non-compliance or breaches

Protecting Revenue
o High Risk of attacks
o High Risk of lost revenue due to downtime, IP theft or disruption

Critical Infrastructure / National Defense
o National Security
o Economic or Cultural Collapse
o Cyber War and Espionage Defense

SOC – Security Operations Center

Business Case
o Assessment on what is in place for SOC
o Business Case for SOC

Classify
o Security Service Catalogue needed
o Catalogue of security services needed

Audit
o Build Management / Ops pieces to support SOC

Actionable Intel
o Build Technology in place for Event Mgmt. etc.

Analyze
o Start Operations and gather metrics

Improve
o Tweak Operations and Tech to achieve goals

Proactive Threat Intelligence

Standard Components of a SIEM or Event Management System

Interpreting and unifying threat Intel that’s usable
o Firewall, SIEM, IDS/IPS from multiple InfoSec Event & Info Systems into actionable Intel
o Planning, Configuring, Implementing and Tweaking
o Threat Research into Cyber Espionage, War and Crime
o Turning systems into proactive threat and cyber threat management systems (also using PSTM and SITAM)
o Providing NOC, SOC and Detailed Security Analysis via a team of globally experienced Forensics and InfoSec professionals
o Additional Threat Intel via Partners and Social Media Analysis

[Diagram: SIEM solution architecture]

Components
o SIEM Dashboard/Console
o SIEM Collection Appliance (can also contain multiple reporting servers depending on frequency of events)
o Enterprise Management Server (policies, deployment of sensors, etc.)
o NAC - Network Access Control (policies, deployment of sensors, etc.)
o IPS/IDS - Network Intrusion / Detection System (policies, deployment of sensors, etc.)

Solution steps
o Installation and configuration of credentials for console/dashboard
o Installation and configuration of appliance (Data Collection, Retention, Reporting, Access Control)
o Configuration of Rules, Alerts, Reports, Actions, CSIRT
o Rollout of Agents, data capture, forwarding

Data flows
o Messages, Alerts, Information on Login, Logoff, Failed Access, Traffic Flow, Dropped Packets, etc. (SNMP, SYSLOG, LOGFILES, Scripts, Commands, Queries, NAC Messages, VFlow, JFlow, NetFlow, SFlow)
o Additional Data collected by IPS, IDS, NAC is forwarded to the SIEM Appliance
o Data collected by agents, messages, log files and defined in policy is pushed to EMS, IPS, NAC, SIEM
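The slide above lists the inputs a SIEM ingests (syslog, firewall logs, failed access, dropped packets) and the rules and alerts configured on the collection appliance, but not what "unifying into actionable Intel" looks like in code. As an added example (not the deck's, Auxilium's or any vendor's SIEM), the Python below does that step in miniature: it normalizes two constructed sources, an sshd syslog stream and iptables-style firewall drop lines, into one event schema and applies a single correlation rule that turns a burst of failed logins followed by a success into an alert enriched with the firewall drops seen from the same source. The log formats, the threshold, the window and the sample events are assumptions.

```python
"""Miniature SIEM pipeline: normalize events from two log sources into one
schema, then correlate them into an actionable alert.

Added example for this deck, not the deck's or any vendor's SIEM. Log formats,
thresholds and the sample lines below are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed inputs: an sshd syslog stream and an iptables-style firewall stream
SSHD_LOG = """\
Apr 14 03:00:01 web01 sshd[3101]: Failed password for root from 198.51.100.77 port 40101 ssh2
Apr 14 03:00:03 web01 sshd[3102]: Failed password for root from 198.51.100.77 port 40102 ssh2
Apr 14 03:00:05 web01 sshd[3103]: Failed password for admin from 198.51.100.77 port 40103 ssh2
Apr 14 03:00:07 web01 sshd[3104]: Failed password for admin from 198.51.100.77 port 40104 ssh2
Apr 14 03:00:09 web01 sshd[3105]: Failed password for deploy from 198.51.100.77 port 40105 ssh2
Apr 14 03:00:12 web01 sshd[3106]: Accepted password for deploy from 198.51.100.77 port 40106 ssh2
Apr 14 03:05:00 web01 sshd[3120]: Failed password for alice from 10.0.0.8 port 50001 ssh2
Apr 14 03:05:04 web01 sshd[3121]: Accepted password for alice from 10.0.0.8 port 50002 ssh2
"""
FW_LOG = """\
Apr 14 02:59:40 fw01 kernel: IPT-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.5 PROTO=TCP SPT=40090 DPT=23
Apr 14 02:59:41 fw01 kernel: IPT-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.5 PROTO=TCP SPT=40091 DPT=3389
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
SSHD_RE = re.compile(r"(?P<outcome>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(r"IPT-DROP .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dport>\d+)")


def normalize(text, source):
    """Turn raw lines from one source into dicts sharing a schema: ts, host, source, action, src."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # a real pipeline counts unparsed lines instead of dropping them silently
        base = {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # syslog has no year
                "host": m["host"], "source": source}
        if source == "sshd":
            s = SSHD_RE.search(m["msg"])
            if s:
                action = "auth_success" if s["outcome"] == "Accepted" else "auth_failure"
                events.append({**base, "action": action, "user": s["user"], "src": s["src"]})
        elif source == "firewall":
            f = FW_RE.search(m["msg"])
            if f:
                events.append({**base, "action": "fw_drop", "src": f["src"],
                               "dst": f["dst"], "dport": int(f["dport"])})
    return events


def correlate(events, threshold=5, window_seconds=120):
    """Rule: a login success preceded by >= threshold failures from the same source
    within the window. Firewall drops from that source are attached as context,
    which is what makes the alert actionable rather than just another failed-login count."""
    failures = defaultdict(list)
    drops = defaultdict(int)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] == "fw_drop":
            drops[e["src"]] += 1
        elif e["action"] == "auth_failure":
            failures[e["src"]].append(e["ts"])
        elif e["action"] == "auth_success":
            recent = [t for t in failures[e["src"]] if (e["ts"] - t).total_seconds() <= window_seconds]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_success", "host": e["host"], "src": e["src"],
                               "user": e["user"], "failures": len(recent),
                               "prior_fw_drops": drops[e["src"]], "ts": e["ts"]})
    return alerts


def run_pipeline():
    """Collect from both sources, then correlate; returns (events, alerts)."""
    events = normalize(SSHD_LOG, "sshd") + normalize(FW_LOG, "firewall")
    return events, correlate(events)


if __name__ == "__main__":
    all_events, found = run_pipeline()
    print(f"{len(all_events)} normalized events, {len(found)} alert(s)")
    for alert in found:
        print(alert)
```

The normalization step is where most real SIEM effort goes: every source has its own format, and the correlation rule can only join them because both ended up with the same `src` field. Alice's one failed attempt before a success stays below the threshold, which is the false-positive case the window and count are there to filter.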

SOC 2.5

[Diagram: SOC 2.5 components]
o Proactive Monitoring
o Alert & Event Reporting
o Incident / Problem Management
o Event Correlation
o Change / Risk Management
o API, Agents, Logs, Other
o Proactive Intel (security posture & status) Dashboard

Governance & Actionable Intel

[Diagram: governance stack]
o Governance
o ITSM
o ITAM
o Apps, Data & Info, IP
o FW, Net, IDS, IPS, LM, SIEM, TI
o Hardware, Firmware, Baseband

Attack Case Studies


The Big Picture

Threatbutt
o Attacks going on in real time

The Big Picture

Norse
o Attacks going on in real time
