cary e. moore cfe, cissp, ence - fraudconference.com · –remote access sites (logmein,...

Cary E. Moore, CFE, CISSP, EnCE

Cyber Thieves: A Crash Course on Getting to Know Them

• 12 years of Computer Forensic and InfoOps experience

• Senior Vice President, Emerging Threats Manager

– Cyber Intelligence Analytics Towards Emerging Threats

• Formerly

– Guidance Software Inc.

• Technical Director, Cybersecurity

– Special Agent, Air Force Office of Special Investigations

• Computer Crime Investigations and Operations

• Counterintelligence and Counterespionage Investigations

• (Cyber) Technical Surveillance and Countermeasures (TSCM)

• First computer: TI-99/4A

– With the speech module!

Speaker Cary E. Moore, CFE, CISSP, EnCE


Agenda

Insiders

External

Customers

& Partners

Insider Threats

You Never Saw It Coming!

Breaking Cyber Barriers

Attribution: The Cyber Holy Grail!

✓

4

3

2

1

• Traitors

– A trusted person

– Makes a decision to betray

– True motive might be unapparent

Insider Threats Profiles

1985 CIA—Larry Wu-Tai Chin

1994 CIA—Aldrich “Rick” Ames

1998 CIA—Douglas Groat

2001 NRO—Brian Regan

2001 DIA—Ana Belen Montes

2003 FBI—Robert Hanssen

2006 USN—PO Ariel Weinmann

• Traitors (continued)

– Distinct warning signs

• Unusual change in work habits

– Seeks out sensitive projects

– Unusual works hours

• Sloppy security habits or scoffs security

• Might rationalize inappropriate actions

• Change in lifestyle

– Living beyond their means


• Zealots (a/k/a Hacktivists)

– Ideological

– Motivated by their beliefs

– Believe their actions are just,

no matter how detrimental

– Might pass info. to allies, unaware of the

intelligence threat


• Spies

– Intentionally in a situation or

organization to glean intelligence

• Foreign intelligence

• Business intelligence

• Competitive intelligence


Operation Ghost Stories

2010 Russian Spy Ring

Anna Chapman, June 2010

• The Browsers

– Those who violate the “need-to-know” principal

– Persons who have required clearance

• But no requirement for

the information

• Search for information with or

without specific intentions


• The Browsers (continued)

– Might utilize the activity or information

for personal gain

• Receiving rewards

• Promotion

• Contracts

• Personal advantage


• The Well-Intentioned • Victim to social engineering

– Phishing

– Spearphishing

– Whaling

• The Tinkers

– Boredom

– Curiosity


• The Well-Intentioned (continued)

– Unwittingly give unauthorized access

• Carelessness

– Unlocked workstations/network rooms

• Ignorance

– P2P and file sharing software

– Dated security practices


• The key findings from “The Insider Threat Study”

on Computer System Sabotage in Critical

Infrastructure Sectors are:

– A negative work-related event triggered most insiders’

actions

– 43 percent of the insiders had authorized access to

the system/network at the time of the incident

Insider Threats Case Study 1

Source: www.secretservice.gov/ntac_its.shtml

• Computer System Sabotage in Critical

Infrastructure Sectors (continued)

– 39 percent of the insiders used one or more relatively

sophisticated methods of attack, which included:

• A script or program

• An autonomous agent

• A toolkit



• Computer System Sabotage in Critical

Infrastructure Sectors (continued)

– 63 percent of the incidents were detected because of

an irregularity in the information or system

– 62 percent of the insiders developed plans to harm

the organization

– 47 percent of the cases involved overt behaviors

in preparation for the incident, such as stealing

copies of back-ups



• The key findings from “The Insider Threat Study” on

Illicit Cyber Activity in the Banking and Finance Sector

are:

– Required minimal technical skill to execute

– Involved the simple exploitation of inadequate

practices, policies, or procedures

– 78 percent of the cases involved the modification

and/or deletion of information



Insider Impact

• Email Servers

• Communication Systems

• Security Systems

• Database Operations

• Accounting Operations

• Research and Development

• Maintenance and Monitoring Systems

• Critical Operation Systems

Mission Impact

Everything That Is

Connected

Insider Impact

• Intellectual Property

• Design Documents

• Source Code

• Trade Secrets

• Government Data

• War Plans

• Intelligence

• Law Enforcement

Information

• Customer Data

• Personal Data

• Credit Card Numbers

• Customer Financial

Data

• Corporate Data

• Financial Data

• Mergers and Acquisition

• HR Data

• Marketing and Sales

Information at Risk

Insider Detection

• Test scripts and/or techniques

• Try multitude of tools (i.e., port scanners, network probes, war driving)

• Rogue systems

• Bogus accounts

• Odd hour activity

• Undue curiosity

• Hiding screen data

• Positions screen to hinder view

Insider Indications

Insider Detection

• Joking and bragging

• Installs unauthorized software • Duty associated software

• Dreamweaver, Nero, Photoshop, programming software

• Unassociated harmless software • WinAmp, ICQ, games

• Suspicious Software • L0phtCrack, key generators, rootkits

• Escalated privileges

• No fear of getting caught

Insider Indications (continued)

Insider Threats Investigation Techniques

and

Account Records

GPS

and

Print Servers

Logs

-Firewall

-IDS

-A/V

-Sniffers

-Proxy

-System

Create a Timeline

• When indicators arise, review for:

– Unusual processes

– TCP/UDP connections

– Website activity (local/proxy)

– Unauthorized devices

Insider Threats Investigation Indicators and Leads

• When indicators arise, review for:

– Remote access sites (Logmein,

PCAnywhere, WebEx, etc.)

– Unauthorized websites

– Use of anonymity sites or

installation of >>>TOR<<<

– Accounts and their rights

Insider Threats Investigation Indicators and Leads

• Monitor help desk tickets for trends.

– Insiders do call for help when their attempts

to circumvent security measures messes

things up.

• Monitor for unusual logon times.

• Scan for bogus accounts.

Insider Threats Proactive Efforts

• Review scans for unauthorized software,

file, and folder access and compile trends.

• Train security to monitor contractors and

visitors and report suspicious activities.

• Deactivate access following termination.

Insider Threats Proactive Efforts

Insider Threats The Comparative

• Given access

• Uses access to:

• Misuse equipment and

network access

• Escalate privileges

• Affect the business operations

• Compromise systems and

corporate data

• Install Malware

• Etc.

Insider

• Gains access by whatever means

necessary

• Once access is achieved,

GAME ON!

Hacker


Agenda

Insiders

External

Customers

& Partners

Insider Threats




✓

4

3

2

1

• 2011 Report to Congress on Foreign Spies

Stealing U.S. Economic Secrets in

Cyberspace

– China and Russia are pursuing American

technology and industrial secrets,

jeopardizing an estimated $398 billion in U.S.

research spending.

– In 2010, the FBI prosecuted more Chinese

espionage cases than at any time in our

nation’s history.

Breaking the Cyber Barriers

Source: www.ncix.gov/issues/economic/index.php

• 2011 Report to Congress on Foreign Spies

Stealing U.S. Economic Secrets in

Cyberspace

– For example, a DuPont chemist in October

2010 pled guilty to stealing research from the

company on organic light-emitting diodes.

– The chemist intended to commercialize in

China with financial help from the Chinese

Government.

Breaking the Cyber Barriers

Source: www.ncix.gov/issues/economic/index.php

• Solar Sunrise (1998)

– Cyber attack on the Pentagon

• Under the guidance of an Israeli hacker, he

coordinated two kids from California to hack

multiple targets, including the Pentagon

• Attacking unpatched Solaris Systems

• Basic hacking techniques:

Recon, Probe, Exploit, Gather Data, Exfiltrate

Breaking the Cyber Barriers Governments Under Attack

Source: www.wired.com/threatlevel/2008/09/video-solar-sun/

• Moonlight Maze (1998)

– U.S. officials accidentally discovered (during

Eligible Receiver) a pattern of probing of

computer systems at the Pentagon, NASA,

Energy Department, private universities, and

research labs.

– Began in March 1998 and had been going on

for nearly two years.


Source: www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/

• Moonlight Maze (1998)

– Tens of thousands of files included:

• Maps of military installations

• Troop configurations

• Military hardware designs

– The DOD traced the attack back to a

mainframe computer in the former USSR.

– The true attacker is unknown, and Russia

denies any involvement.


Source: www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/

• Titan Rain (2003–2005)

– A group of about 20 hackers, believed to be

based in the Chinese province of Guangdong

– Thought to have stolen U.S. military secrets,

including aviation specifications and flight-

planning software

– “China has downloaded 10 to 20 terabytes of

data from the NIPRNet”–Maj. Gen. William Lord


Sources: www.zdnet.com/news/security-experts-lift-lid-on-chinese-hack-attacks/145763

http://gcn.com/Articles/2006/08/17/Red-storm-rising.aspx?p=1

• The Target?

– R&D

– Intellectual

Property

• For?

– Economic

Advantages

– Geopolitical

Advantages


Images from:

http://en.wikipedia.org/wiki/File:F22a3view.png

http://en.wikipedia.org/wiki/File:Chengdu_J-20.svg

• Rep. Michael McCaul (R–TX, April 24, 2012)

– “When I look at countries like China, who

have stolen our Joint Strike Fighters, F-35

and F-22s, stolen those blueprints so they can

manufacture those planes…”

– “You know when I look at the theft of

intellectual property to the tune of $1 trillion,

that’s a serious economic issue for the

United States.”


Source: cnsnews.com/news/article/chinese-hackers-stole-plans-americas-new-joint-strike-fighter-plane-says-investigations

• Operation Aurora (2009–2010)

– Cyber attack to multiple high profile companies

• Google, Adobe, Yahoo, Symantec, Northrop

Grumman, Morgan Stanley, Dow Chemical, etc.

– Purported intent to access and alter software

source code and other intellectual property

– Link in email to malicious JavaScript

– Created a backdoor into their networks

Breaking the Cyber Barriers Corporations Under Attack

Source: www.wired.com/images_blogs/threatlevel/2010/03/operationaurora_wp_0310_fnl.pdf

• RSA Attack (2011)

– Spearphishing attack with an Adobe Flash

vulnerability in an Excel spreadsheet

• “2011 Recruitment plan.xls”

• Zero-day exploit opened a backdoor into RSA

• Poison-Ivy—Remote Access Tool (RAT)

• Focus was believed to be the inner working of their

SecurID product, used to secure some of the

world’s most sensitive networks


Source: http://blogs.rsa.com/rivner/anatomy-of-an-attack/

RSA Attack (continued)

Source: http://blogs.rsa.com/rivner/anatomy-of-an-attack/

• RSA Attack (2011)

– The stolen SecurID data was used to

compromise additional companies.

• Lockheed Martin (confirmed)

• L-3 Communications (confirmed)

• Northrop Grumman (unconfirmed)


Sources: http://gcn.com/articles/2011/06/07/rsa-confirms-tokens-used-to-hack-lockheed.aspx/

www.wired.com/threatlevel/2011/05/l-3/

www.eweek.com/c/a/Security/Northrop-Grumman-L3-Communications-Hacked-via-Cloned-RSA-SecurID-Tokens-841662/


• The Result?

– “Inspiration”

Images from:

http://commons.wikimedia.org/wiki/File:Martin_Motors_CEO_Rear.JPG

http://images.caradisiac.com/images/3/7/6/9/23769/S0-Shuanghuan-CEO-et-Jonway-UFO-en-France-au-mois-de-mai-101155.jpg


• The Result?

– “Naturally, our cars are

inspired by European

carmakers,” said Karl

Schlössl, a German who

is the chief executive of

China Automobile. “But

we reject the charge that

they are copies.” www.bmwblog.com/2007/09/13/frankfurt-2007-bmw-vs-

shuanghuan/ www4.pictures.gi.zimbio.com/62nd+International+Motor+Show+Cars+IAA+cc0QC1ZxBxyl.jpg


• Knock it off!

Image from: sunboar.files.wordpress.com/2006/10/bmw-vs-byd-logo.jpg

BMW X5 Toyota Land Cruiser Shuanghuan CEO Images from:

http://images.forbes.com/images/2002/07/08/test_int_415x308.jpg

http://images.caradisiac.com/images/3/7/6/9/23769/S0-Shuanghuan-CEO-et-Jonway-UFO-en-France-au-mois-de-mai-101102.jpg

http://www.sobrecoches.com/var/plain_site/storage/images/coches/toyota/land_cruiser/novedad_r_edition/interior/toyota_land_cruiser_r_edition/313114-1-esl-ES/toyota_land_cruiser_r_edition1.jpg

Breaking the Cyber Barriers Physical Data Exfiltration

Source: Cyber Threat Presentation, SA Doris Gardner, FBI

• Responsive Legislation (CISPA)

– Rep. Mike Rogers (R–MI, May 3, 2012)

• “It began with China stealing hard-copy business

plans and sensitive research-and-development

…when (our) executives traveled to China.”

• “U.S. companies soon began noticing a surge in

counterfeit products as their innovations were

being stolen, re-engineered, and sold by Chinese

companies on global markets.”


Source: The Detroit News: www.detroitnews.com/article/20120503/OPINION01/205030326#ixzz1u2BldppA



• “With the Internet boom, China turned its focus to

cyber espionage and began stealing the hard work

and innovations of U.S. companies…”

• “Thousands of highly-trained computer spies now

work…to steal U.S. research and development

information that the Chinese can use to further

their economic growth and compete against us in

the global marketplace.”





• “China is literally trying to steal our prosperity and

our way of life out from under us.”

• “Other nation-states such as Russia and Iran also

are getting in on the act, rapidly becoming

insatiable cyber predators.”



• Follow same leads as an insider threat

– Create a timeline

– Review logs (Firewall, IDS, Proxy, etc.)

– Work with IT to determine “Subject Zero”

• Email

• USB Drive

• Remote User Access

Breaking the Cyber Barriers Investigation Indicators and Leads

• Be Proactive

– Monitor Help Desk ticket

• Compromised systems might show signs

– Slow processing, strange issues, program crashes, etc.

– Unusual network connections and unauthorized

programs

– Bogus accounts

– Strange websites (proxy logs)


• Employee Training

– Examples of malicious site indicators

– Have employees report unauthorized devices

• Hotline?

– Run an internal Phishing training exercise

– Even if it’s an email from someone you trust,

was the email/attachment expected?



Agenda

Insiders

External

Customers

& Partners

Insider Threats




✓

4

3

2

1

• Subcontractors

• Partner Suppliers and Supply Chain

• Service Providers (ISP, Telecom, Teleconference providers, facility management)

• Service Contractors (Incident responders, IT Support, security guards)

You Never Saw It Coming! Partners Are the Focus

• Partner Network/Systems

– Low IT resources

– Unable to focus on security over services

– Might connect via VPN or bring a system into

your organization



– Once connected they bring “everything” along

• Malware, vulnerabilities, backdoors

– Disgruntled employees, poor practices, etc.



– Your organization was the true target, but the

vector was your partner organization.

– Could be industry focused, take oil and gas…

– Logic bomb?


• How easy is it to rob a bank?

You Never Saw It Coming! Customers in the Crosshairs

• How easy is it to rob a bank’s customers?

– The bank will likely reimburse the customer

for stolen funds.

• So, who’s really being robbed here?

You Never Saw It Coming! Customers in the Crosshairs

Social SpacesOnline Banking Trojans

Phishing/Spear PhishingMan-in-The-Phone

& Vishing

Social Engineering

Phase 1

Fraudster deploys

multiple tools

1010001010101101

1010001010101101

OLB Account Access

Security Questions

during a Call center

conversation

Out-of-band PasscodeAccount Take Over

Phase 2

Fraudster gathers

all collected info

SMS Alerts

SafePassOTP

• Be aware of the security implications

posed by your business partners and the

threats to your customers.

– Education is the start.

– Consider offering tools to your customers,

such as AV, or at least recommendations.

– Ask your business partners about their

security posture.

You Never Saw It Coming! Wrap-Up

• Don’t let anyone attach a system to your

network without scanning or assurance.

• Don’t give contractors unsupervised

access into your network.

– Monitor physically and electronically.


• Have contractors sign the same network

access agreement as employees.

– Privacy issues

– Unauthorized use

– Legal recourse



Agenda

Insiders

External

Customers

& Partners

Insider Threats



Attribution: The Cyber Holy Grail! ✓ 4

3

2

1

• Can a Word document call home?

• Can a PowerPoint presentation let you

know it was just opened?

Attribution The Cyber Holy Grail!

• Yes!

– It all starts with a very small image.

– The Tracker.gif

– Can you see it?


• Let’s make it a little bigger:

– Transparent .gif image

– Used by Web Designers as a “spacer.gif”


1pixel

1pixel

Hi! I’m Tracker.gif!

So, how does it work?

Tracker enlarged:

• But, the document is accessing the

Internet…

– Isn’t the user notified?

• No

– Will the user get an error if the document can’t

get the tracker?

• No


• But, you have the tracker in the text and

the user can easily delete it.

– Headers and footers are your friends!!!

– PowerPoint Slide Master

– Excel—Be creative…


The key is “embedding” the image

as a link:

This is a view of the document

in the recovery text view.

We can see the image being pulled from the Web server.

The Tracker.gif can reside anywhere on your

public Web server:

Covertforensics.com is an actual domain for testing.

• So, what will you see from your server logs?

– 2009-05-09 14:15:09 GET Word_tracker.gif - 80 –

>>Your Public IP Address<<

– HTTP/1.1 Mozilla/4.0+

(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1;+Tablet+PC+1.7;+

.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)

– The document was opened on 2009-05-09 19:15:09

– From Windows XP Tablet PC Edition (Windows+NT+5.1;+SV1;+Tablet+PC)

– Which has Internet Explorer 7.0 and FireFox (Mozilla 4.0)


Sounds cool, but how is it applied?

ABC Inc. is concerned Steve

is giving info. to XYZ Inc.

Steve takes the files without

knowing they have trackers.

Steve accesses them from his house:

Steve sends them to

his buddy at XYZ Inc.

XYZ Inc. opens the files within

their corporate network.

Web logs show the documents

opened from two IPs:

The files are now considered

compromised.

ABC Inc. identifies Steve to the

authorities for a formal criminal investigation.

ABC Inc. files an Intellectual Property

Theft Complaint against XYZ Inc.

- During the discovery process, the judge orders

eDiscovery on XYZ Inc.

• XYZ Inc. Tries to hide data by removing

“ABC Inc.” and any logos belonging to ABC Inc.

• But, ABC Inc. was ready for that…


• ABC Inc. injected a specific

keyword “tag” into every

electronic file created in

the company.

– To include templates!


• The search revealed three files

on XYZ’s network similar to

the compromised files,

except the company names

and logos were changed

to XYZ Inc.

• By tagging the document,

it was present even if the

user changes the document

text.


• The likeliness of

“@BC-1NC0RP0R@T10N”

happening by accident

is VERY low.


• Any document created by

a template (.dot) will also

have the tag.


Cary E. Moore, CFE, CISSP, EnCE


Questions?

Image From: http://dilbert.com/strips/comic/2007-09-13/