cary e. moore cfe, cissp, ence - fraudconference.com · –remote access sites (logmein,...
TRANSCRIPT
• 12 years of Computer Forensic and InfoOps experience
• Senior Vice President, Emerging Threats Manager
– Cyber Intelligence Analytics Towards Emerging Threats
• Formerly
– Guidance Software Inc.
• Technical Director, Cybersecurity
– Special Agent, Air Force Office of Special Investigations
• Computer Crime Investigations and Operations
• Counterintelligence and Counterespionage Investigations
• (Cyber) Technical Surveillance and Countermeasures (TSCM)
• First computer: TI-99/4A
– With the speech module!
Speaker Cary E. Moore, CFE, CISSP, EnCE
Cyber Thieves: A Crash Course on Getting to Know Them
Agenda
Insiders
External
Customers
& Partners
Insider Threats
You Never Saw It Coming!
Breaking Cyber Barriers
Attribution: The Cyber Holy Grail!
✓
4
3
2
1
• Traitors
– A trusted person
– Makes a decision to betray
– True motive might be unapparent
Insider Threats Profiles
1985 CIA—Larry Wu-Tai Chin
1994 CIA—Aldrich “Rick” Ames
1998 CIA—Douglas Groat
2001 NRO—Brian Regan
2001 DIA—Ana Belen Montes
2003 FBI—Robert Hanssen
2006 USN—PO Ariel Weinmann
• Traitors (continued)
– Distinct warning signs
• Unusual change in work habits
– Seeks out sensitive projects
– Unusual works hours
• Sloppy security habits or scoffs security
• Might rationalize inappropriate actions
• Change in lifestyle
– Living beyond their means
Insider Threats Profiles
• Zealots (a/k/a Hacktivists)
– Ideological
– Motivated by their beliefs
– Believe their actions are just,
no matter how detrimental
– Might pass info. to allies, unaware of the
intelligence threat
Insider Threats Profiles
• Spies
– Intentionally in a situation or
organization to glean intelligence
• Foreign intelligence
• Business intelligence
• Competitive intelligence
Insider Threats Profiles
Operation Ghost Stories
2010 Russian Spy Ring
Anna Chapman, June 2010
• The Browsers
– Those who violate the “need-to-know” principal
– Persons who have required clearance
• But no requirement for
the information
• Search for information with or
without specific intentions
Insider Threats Profiles
• The Browsers (continued)
– Might utilize the activity or information
for personal gain
• Receiving rewards
• Promotion
• Contracts
• Personal advantage
Insider Threats Profiles
• The Well-Intentioned • Victim to social engineering
– Phishing
– Spearphishing
– Whaling
• The Tinkers
– Boredom
– Curiosity
Insider Threats Profiles
• The Well-Intentioned (continued)
– Unwittingly give unauthorized access
• Carelessness
– Unlocked workstations/network rooms
• Ignorance
– P2P and file sharing software
– Dated security practices
Insider Threats Profiles
• The key findings from “The Insider Threat Study”
on Computer System Sabotage in Critical
Infrastructure Sectors are:
– A negative work-related event triggered most insiders’
actions
– 43 percent of the insiders had authorized access to
the system/network at the time of the incident
Insider Threats Case Study 1
Source: www.secretservice.gov/ntac_its.shtml
• Computer System Sabotage in Critical
Infrastructure Sectors (continued)
– 39 percent of the insiders used one or more relatively
sophisticated methods of attack, which included:
• A script or program
• An autonomous agent
• A toolkit
Insider Threats Case Study 1
Source: www.secretservice.gov/ntac_its.shtml
• Computer System Sabotage in Critical
Infrastructure Sectors (continued)
– 63 percent of the incidents were detected because of
an irregularity in the information or system
– 62 percent of the insiders developed plans to harm
the organization
– 47 percent of the cases involved overt behaviors
in preparation for the incident, such as stealing
copies of back-ups
Insider Threats Case Study 1
Source: www.secretservice.gov/ntac_its.shtml
• The key findings from “The Insider Threat Study” on
Illicit Cyber Activity in the Banking and Finance Sector
are:
– Required minimal technical skill to execute
– Involved the simple exploitation of inadequate
practices, policies, or procedures
– 78 percent of the cases involved the modification
and/or deletion of information
Insider Threats Case Study 2
Source: www.secretservice.gov/ntac_its.shtml
Insider Impact
• Email Servers
• Communication Systems
• Security Systems
• Database Operations
• Accounting Operations
• Research and Development
• Maintenance and Monitoring Systems
• Critical Operation Systems
Mission Impact
Everything That Is
Connected
Insider Impact
• Intellectual Property
• Design Documents
• Source Code
• Trade Secrets
• Government Data
• War Plans
• Intelligence
• Law Enforcement
Information
• Customer Data
• Personal Data
• Credit Card Numbers
• Customer Financial
Data
• Corporate Data
• Financial Data
• Mergers and Acquisition
• HR Data
• Marketing and Sales
Information at Risk
Insider Detection
• Test scripts and/or techniques
• Try multitude of tools (i.e., port scanners, network probes, war driving)
• Rogue systems
• Bogus accounts
• Odd hour activity
• Undue curiosity
• Hiding screen data
• Positions screen to hinder view
Insider Indications
Insider Detection
• Joking and bragging
• Installs unauthorized software • Duty associated software
• Dreamweaver, Nero, Photoshop, programming software
• Unassociated harmless software • WinAmp, ICQ, games
• Suspicious Software • L0phtCrack, key generators, rootkits
• Escalated privileges
• No fear of getting caught
Insider Indications (continued)
Insider Threats Investigation Techniques
and
Account Records
GPS
and
Print Servers
Logs
-Firewall
-IDS
-A/V
-Sniffers
-Proxy
-System
Create a Timeline
• When indicators arise, review for:
– Unusual processes
– TCP/UDP connections
– Website activity (local/proxy)
– Unauthorized devices
Insider Threats Investigation Indicators and Leads
• When indicators arise, review for:
– Remote access sites (Logmein,
PCAnywhere, WebEx, etc.)
– Unauthorized websites
– Use of anonymity sites or
installation of >>>TOR<<<
– Accounts and their rights
Insider Threats Investigation Indicators and Leads
• Monitor help desk tickets for trends.
– Insiders do call for help when their attempts
to circumvent security measures messes
things up.
• Monitor for unusual logon times.
• Scan for bogus accounts.
Insider Threats Proactive Efforts
• Review scans for unauthorized software,
file, and folder access and compile trends.
• Train security to monitor contractors and
visitors and report suspicious activities.
• Deactivate access following termination.
Insider Threats Proactive Efforts
Insider Threats The Comparative
• Given access
• Uses access to:
• Misuse equipment and
network access
• Escalate privileges
• Affect the business operations
• Compromise systems and
corporate data
• Install Malware
• Etc.
Insider
• Gains access by whatever means
necessary
• Once access is achieved,
GAME ON!
Hacker
Cyber Thieves: A Crash Course on Getting to Know Them
Agenda
Insiders
External
Customers
& Partners
Insider Threats
You Never Saw It Coming!
Breaking Cyber Barriers
Attribution: The Cyber Holy Grail!
✓
4
3
2
1
• 2011 Report to Congress on Foreign Spies
Stealing U.S. Economic Secrets in
Cyberspace
– China and Russia are pursuing American
technology and industrial secrets,
jeopardizing an estimated $398 billion in U.S.
research spending.
– In 2010, the FBI prosecuted more Chinese
espionage cases than at any time in our
nation’s history.
Breaking the Cyber Barriers
Source: www.ncix.gov/issues/economic/index.php
• 2011 Report to Congress on Foreign Spies
Stealing U.S. Economic Secrets in
Cyberspace
– For example, a DuPont chemist in October
2010 pled guilty to stealing research from the
company on organic light-emitting diodes.
– The chemist intended to commercialize in
China with financial help from the Chinese
Government.
Breaking the Cyber Barriers
Source: www.ncix.gov/issues/economic/index.php
• Solar Sunrise (1998)
– Cyber attack on the Pentagon
• Under the guidance of an Israeli hacker, he
coordinated two kids from California to hack
multiple targets, including the Pentagon
• Attacking unpatched Solaris Systems
• Basic hacking techniques:
Recon, Probe, Exploit, Gather Data, Exfiltrate
Breaking the Cyber Barriers Governments Under Attack
Source: www.wired.com/threatlevel/2008/09/video-solar-sun/
• Moonlight Maze (1998)
– U.S. officials accidentally discovered (during
Eligible Receiver) a pattern of probing of
computer systems at the Pentagon, NASA,
Energy Department, private universities, and
research labs.
– Began in March 1998 and had been going on
for nearly two years.
Breaking the Cyber Barriers Governments Under Attack
Source: www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/
• Moonlight Maze (1998)
– Tens of thousands of files included:
• Maps of military installations
• Troop configurations
• Military hardware designs
– The DOD traced the attack back to a
mainframe computer in the former USSR.
– The true attacker is unknown, and Russia
denies any involvement.
Breaking the Cyber Barriers Governments Under Attack
Source: www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/
• Titan Rain (2003–2005)
– A group of about 20 hackers, believed to be
based in the Chinese province of Guangdong
– Thought to have stolen U.S. military secrets,
including aviation specifications and flight-
planning software
– “China has downloaded 10 to 20 terabytes of
data from the NIPRNet”–Maj. Gen. William Lord
Breaking the Cyber Barriers Governments Under Attack
Sources: www.zdnet.com/news/security-experts-lift-lid-on-chinese-hack-attacks/145763
http://gcn.com/Articles/2006/08/17/Red-storm-rising.aspx?p=1
• The Target?
– R&D
– Intellectual
Property
• For?
– Economic
Advantages
– Geopolitical
Advantages
Breaking the Cyber Barriers Governments Under Attack
Images from:
http://en.wikipedia.org/wiki/File:F22a3view.png
http://en.wikipedia.org/wiki/File:Chengdu_J-20.svg
• Rep. Michael McCaul (R–TX, April 24, 2012)
– “When I look at countries like China, who
have stolen our Joint Strike Fighters, F-35
and F-22s, stolen those blueprints so they can
manufacture those planes…”
– “You know when I look at the theft of
intellectual property to the tune of $1 trillion,
that’s a serious economic issue for the
United States.”
Breaking the Cyber Barriers Governments Under Attack
Source: cnsnews.com/news/article/chinese-hackers-stole-plans-americas-new-joint-strike-fighter-plane-says-investigations
• Operation Aurora (2009–2010)
– Cyber attack to multiple high profile companies
• Google, Adobe, Yahoo, Symantec, Northrop
Grumman, Morgan Stanley, Dow Chemical, etc.
– Purported intent to access and alter software
source code and other intellectual property
– Link in email to malicious JavaScript
– Created a backdoor into their networks
Breaking the Cyber Barriers Corporations Under Attack
Source: www.wired.com/images_blogs/threatlevel/2010/03/operationaurora_wp_0310_fnl.pdf
• RSA Attack (2011)
– Spearphishing attack with an Adobe Flash
vulnerability in an Excel spreadsheet
• “2011 Recruitment plan.xls”
• Zero-day exploit opened a backdoor into RSA
• Poison-Ivy—Remote Access Tool (RAT)
• Focus was believed to be the inner working of their
SecurID product, used to secure some of the
world’s most sensitive networks
Breaking the Cyber Barriers Corporations Under Attack
Source: http://blogs.rsa.com/rivner/anatomy-of-an-attack/
• RSA Attack (2011)
– The stolen SecurID data was used to
compromise additional companies.
• Lockheed Martin (confirmed)
• L-3 Communications (confirmed)
• Northrop Grumman (unconfirmed)
Breaking the Cyber Barriers Corporations Under Attack
Sources: http://gcn.com/articles/2011/06/07/rsa-confirms-tokens-used-to-hack-lockheed.aspx/
www.wired.com/threatlevel/2011/05/l-3/
www.eweek.com/c/a/Security/Northrop-Grumman-L3-Communications-Hacked-via-Cloned-RSA-SecurID-Tokens-841662/
Breaking the Cyber Barriers Corporations Under Attack
• The Result?
– “Inspiration”
Images from:
http://commons.wikimedia.org/wiki/File:Martin_Motors_CEO_Rear.JPG
http://images.caradisiac.com/images/3/7/6/9/23769/S0-Shuanghuan-CEO-et-Jonway-UFO-en-France-au-mois-de-mai-101155.jpg
Breaking the Cyber Barriers Corporations Under Attack
• The Result?
– “Naturally, our cars are
inspired by European
carmakers,” said Karl
Schlössl, a German who
is the chief executive of
China Automobile. “But
we reject the charge that
they are copies.” www.bmwblog.com/2007/09/13/frankfurt-2007-bmw-vs-
shuanghuan/ www4.pictures.gi.zimbio.com/62nd+International+Motor+Show+Cars+IAA+cc0QC1ZxBxyl.jpg
Breaking the Cyber Barriers Corporations Under Attack
• Knock it off!
Image from: sunboar.files.wordpress.com/2006/10/bmw-vs-byd-logo.jpg
BMW X5 Toyota Land Cruiser Shuanghuan CEO Images from:
http://images.forbes.com/images/2002/07/08/test_int_415x308.jpg
http://images.caradisiac.com/images/3/7/6/9/23769/S0-Shuanghuan-CEO-et-Jonway-UFO-en-France-au-mois-de-mai-101102.jpg
http://www.sobrecoches.com/var/plain_site/storage/images/coches/toyota/land_cruiser/novedad_r_edition/interior/toyota_land_cruiser_r_edition/313114-1-esl-ES/toyota_land_cruiser_r_edition1.jpg
Breaking the Cyber Barriers Physical Data Exfiltration
Source: Cyber Threat Presentation, SA Doris Gardner, FBI
• Responsive Legislation (CISPA)
– Rep. Mike Rogers (R–MI, May 3, 2012)
• “It began with China stealing hard-copy business
plans and sensitive research-and-development
…when (our) executives traveled to China.”
• “U.S. companies soon began noticing a surge in
counterfeit products as their innovations were
being stolen, re-engineered, and sold by Chinese
companies on global markets.”
Breaking the Cyber Barriers Governments Under Attack
Source: The Detroit News: www.detroitnews.com/article/20120503/OPINION01/205030326#ixzz1u2BldppA
• Responsive Legislation (CISPA)
– Rep. Mike Rogers (R–MI, May 3, 2012)
• “With the Internet boom, China turned its focus to
cyber espionage and began stealing the hard work
and innovations of U.S. companies…”
• “Thousands of highly-trained computer spies now
work…to steal U.S. research and development
information that the Chinese can use to further
their economic growth and compete against us in
the global marketplace.”
Breaking the Cyber Barriers Governments Under Attack
Source: The Detroit News: www.detroitnews.com/article/20120503/OPINION01/205030326#ixzz1u2BldppA
• Responsive Legislation (CISPA)
– Rep. Mike Rogers (R–MI, May 3, 2012)
• “China is literally trying to steal our prosperity and
our way of life out from under us.”
• “Other nation-states such as Russia and Iran also
are getting in on the act, rapidly becoming
insatiable cyber predators.”
Breaking the Cyber Barriers Governments Under Attack
Source: The Detroit News: www.detroitnews.com/article/20120503/OPINION01/205030326#ixzz1u2BldppA
• Follow same leads as an insider threat
– Create a timeline
– Review logs (Firewall, IDS, Proxy, etc.)
– Work with IT to determine “Subject Zero”
• USB Drive
• Remote User Access
Breaking the Cyber Barriers Investigation Indicators and Leads
• Be Proactive
– Monitor Help Desk ticket
• Compromised systems might show signs
– Slow processing, strange issues, program crashes, etc.
– Unusual network connections and unauthorized
programs
– Bogus accounts
– Strange websites (proxy logs)
Breaking the Cyber Barriers Investigation Indicators and Leads
• Employee Training
– Examples of malicious site indicators
– Have employees report unauthorized devices
• Hotline?
– Run an internal Phishing training exercise
– Even if it’s an email from someone you trust,
was the email/attachment expected?
Breaking the Cyber Barriers Investigation Indicators and Leads
Cyber Thieves: A Crash Course on Getting to Know Them
Agenda
Insiders
External
Customers
& Partners
Insider Threats
You Never Saw It Coming!
Breaking Cyber Barriers
Attribution: The Cyber Holy Grail!
✓
4
3
2
1
• Subcontractors
• Partner Suppliers and Supply Chain
• Service Providers (ISP, Telecom, Teleconference providers, facility management)
• Service Contractors (Incident responders, IT Support, security guards)
You Never Saw It Coming! Partners Are the Focus
• Partner Network/Systems
– Low IT resources
– Unable to focus on security over services
– Might connect via VPN or bring a system into
your organization
You Never Saw It Coming! Partners Are the Focus
• Partner Network/Systems
– Once connected they bring “everything” along
• Malware, vulnerabilities, backdoors
– Disgruntled employees, poor practices, etc.
You Never Saw It Coming! Partners Are the Focus
• Partner Network/Systems
– Your organization was the true target, but the
vector was your partner organization.
– Could be industry focused, take oil and gas…
– Logic bomb?
You Never Saw It Coming! Partners Are the Focus
• How easy is it to rob a bank’s customers?
– The bank will likely reimburse the customer
for stolen funds.
• So, who’s really being robbed here?
You Never Saw It Coming! Customers in the Crosshairs
Social SpacesOnline Banking Trojans
Phishing/Spear PhishingMan-in-The-Phone
& Vishing
Social Engineering
Phase 1
Fraudster deploys
multiple tools
1010001010101101
1010001010101101
OLB Account Access
Security Questions
during a Call center
conversation
Out-of-band PasscodeAccount Take Over
Phase 2
Fraudster gathers
all collected info
SMS Alerts
SafePassOTP
• Be aware of the security implications
posed by your business partners and the
threats to your customers.
– Education is the start.
– Consider offering tools to your customers,
such as AV, or at least recommendations.
– Ask your business partners about their
security posture.
You Never Saw It Coming! Wrap-Up
• Don’t let anyone attach a system to your
network without scanning or assurance.
• Don’t give contractors unsupervised
access into your network.
– Monitor physically and electronically.
You Never Saw It Coming! Wrap-Up
• Have contractors sign the same network
access agreement as employees.
– Privacy issues
– Unauthorized use
– Legal recourse
You Never Saw It Coming! Wrap-Up
Cyber Thieves: A Crash Course on Getting to Know Them
Agenda
Insiders
External
Customers
& Partners
Insider Threats
You Never Saw It Coming!
Breaking Cyber Barriers
Attribution: The Cyber Holy Grail! ✓ 4
3
2
1
• Can a Word document call home?
• Can a PowerPoint presentation let you
know it was just opened?
Attribution The Cyber Holy Grail!
• Yes!
– It all starts with a very small image.
– The Tracker.gif
– Can you see it?
Attribution The Cyber Holy Grail!
• Let’s make it a little bigger:
– Transparent .gif image
– Used by Web Designers as a “spacer.gif”
Attribution The Cyber Holy Grail!
1pixel
1pixel
Hi! I’m Tracker.gif!
• But, the document is accessing the
Internet…
– Isn’t the user notified?
• No
– Will the user get an error if the document can’t
get the tracker?
• No
Attribution The Cyber Holy Grail!
• But, you have the tracker in the text and
the user can easily delete it.
– Headers and footers are your friends!!!
– PowerPoint Slide Master
– Excel—Be creative…
Attribution The Cyber Holy Grail!
This is a view of the document
in the recovery text view.
We can see the image being pulled from the Web server.
The Tracker.gif can reside anywhere on your
public Web server:
Covertforensics.com is an actual domain for testing.
• So, what will you see from your server logs?
– 2009-05-09 14:15:09 GET Word_tracker.gif - 80 –
>>Your Public IP Address<<
– HTTP/1.1 Mozilla/4.0+
(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1;+Tablet+PC+1.7;+
.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
– The document was opened on 2009-05-09 19:15:09
– From Windows XP Tablet PC Edition (Windows+NT+5.1;+SV1;+Tablet+PC)
– Which has Internet Explorer 7.0 and FireFox (Mozilla 4.0)
Attribution The Cyber Holy Grail!
ABC Inc. identifies Steve to the
authorities for a formal criminal investigation.
ABC Inc. files an Intellectual Property
Theft Complaint against XYZ Inc.
- During the discovery process, the judge orders
eDiscovery on XYZ Inc.
• XYZ Inc. Tries to hide data by removing
“ABC Inc.” and any logos belonging to ABC Inc.
• But, ABC Inc. was ready for that…
Attribution The Cyber Holy Grail!
• ABC Inc. injected a specific
keyword “tag” into every
electronic file created in
the company.
– To include templates!
Attribution The Cyber Holy Grail!
• The search revealed three files
on XYZ’s network similar to
the compromised files,
except the company names
and logos were changed
to XYZ Inc.
• By tagging the document,
it was present even if the
user changes the document
text.
Attribution The Cyber Holy Grail!
• The likeliness of
“@BC-1NC0RP0R@T10N”
happening by accident
is VERY low.
Attribution The Cyber Holy Grail!
• Any document created by
a template (.dot) will also
have the tag.
Attribution The Cyber Holy Grail!