
Post on 01-Aug-2020


Outmaneuver Your Adversary

CYBER COUNTERINTELLIGENCE™

2016

IIA Super Conference
Cyber Hunt Operations

Proprietary / CONFIDENTIAL


Utilizing cyber counterintelligence strategies, SpearTip partners with our clients to protect shareholder value, shield corporate reputations, and enhance long-term profits.


Services

• Incident Response
• Pre-Breach Assessment
• ShadowSpear Protection


Cyber Counterintelligence

Cyber Counterintelligence provides the unique combination of utilizing HUMINT tradecraft, malware reverse engineering, and intelligence gathered within an internal network and live botnets, correlated with an enterprise’s external information.


Why and How These Breaches Are Occurring

• Most organizations are compromised for an average of ~130-200 days
• No “one size fits all” easy solution to the problem
• False sense of security
• As the complexity of attacks progresses, so do internal CIRT team skill sets

Situational Awareness


Observational Malware Analysis

• Surveillance within the host & network
• OMA allows for a malware analysis approach that circumvents common “anti-forensic” techniques
• Focuses on “DATA IN EXECUTION”

Situational Awareness


Observational Malware Analysis

• Defeats static analysis methodologies such as encryption and custom packing
• Allows for a “static” analysis of malware behavior in a variety of environments
• “Traces” malware behavior on a memory register and function call level

Situational Awareness


Observational Malware Analysis

• Encrypted strings can be viewed as they are decrypted and loaded into active memory
• Allows for accurate and quick identification of malicious encrypted data strings being processed

Situational Awareness


Dyreza

+ Banking Trojan capable of monitoring web traffic and compromising data prior to being sent via SSL
+ Contains mutexes for banking trojans from 2009

Observational Malware Analysis
Situational Awareness


Cyber Warfare – Operation Orchard

• During a visit to London, a Syrian official received a rootkit, courtesy of the Mossad
• Government files identifying facilities that dealt with the production of fissile material were exfiltrated
• These facilities were visited by the IAF in 2007

Tip of the Spear


Cyber Hunt Operations

To better understand what your target profile may be for an adversary, you must first understand what your potential adversaries may be looking for, and the methods they may use to obtain your information.

HUMAN intelligence collection is the most tried and true method for obtaining information.

HUMINT LIFECYCLE

Tip of the Spear


Cyber Approach Mediums

• Peer-to-Peer
• Social Networking
• Dating Sites
• Dark Web Indexes
• Help Wanted

Tip of the Spear


Cyber Hunt Ops – Threat Intelligence

• Malware-related threat intelligence gathered from live botnets – correlated with external IP addresses and external portals accessible by clients and/or partners.
• Combining the power of Big Data with real-time threat monitoring, to provide the most comprehensive pre-attack intelligence against Advanced Persistent Threats (APT) and numerous malware variants, and provide insight into:
  – Potential information leakages
  – Compromised websites and servers
  – Compromised internal workstations, PCs, and mobile devices
  – Potential security holes or weaknesses relative to advanced malware
• Go beyond the standard Open Source Intelligence (OSINT) collection methodology by monitoring harvested information for indicators of compromise.
• Passively cross-reference both current and future activity discovered within the criminal/nefarious realms, and notify appropriate organizations.

Tip of the Spear


Tip of the Spear – Cyber Hunting

• CnC Monitoring
• Credential Monitoring
• P2P Monitoring
• Cyber Source Ops
• Advanced Security Monitoring
• Network & Host Malware Analysis

Fusion Cell Analysis

Tip of the Spear


KEY POINT: “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10, 2014.

Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham

Derivative claims premised on the harm to the company from data breach.

Caremark Claims:

Premised on lack of oversight = breach of the duty of loyalty and good faith. Cannot insulate the officers and directors = PERSONAL LIABILITY!

Standard:

(1) “utterly failed” to implement reporting system or controls; or (2) “consciously failed” to monitor or oversee system.

$4.8 Billion Deal?

“The Paranoids”

Director & Executive Accountability


Game Changer?

Director & Executive Accountability


NY Dept of Financial Services – Cyber Security Requirements for Financial Services

• All NY “financial institutions”
• Establish Cybersecurity program w/ specifics
• Adopt Cybersecurity Policies
• Designate qualified/responsible CISO
• 3rd Party Service Providers - Examine, obligate, and audit
• Written Incident Response Plan
• Board / Senior Officer Certifying Compliance

Director & Executive Accountability


Summary

+ Incident Response Plans - Create & Implement & Train
+ Determine Risk Appetite – Continue Audits
+ Business continuity plan that is tested for effectiveness in the event that it needs to be implemented – LIVE
+ Evaluate the viability of advanced continuous monitoring – due to resource limitations
+ M&A – are they currently compromised? Are you?


Thank You


SpearTip is uniquely positioned in the market, which enables our team to provide a full range of counterespionage services in order to identify, detect, exploit, and neutralize threats leveled against corporations.

Our Fusion Cell Team methodology conducts penetration testing, malware analysis, digital forensics, human intelligence collection (HUMINT), pre-attack intelligence analysis, open source data review, elicitation techniques, and technical surveillance countermeasures (TSCM).

speartip.com linkedin.com/speartip

info@speartip.com

(800) 236-6550

twitter.com/SpearTipCyberCI

Washington, D.C.
Saint Louis
Dallas
Tampa
Atlanta
