Cybersecurity Landscape
Paul Love, Chief Information Security Officer, CO-OP Financial Services
Topics
§ Impact
§ Motivations
§ How
§ The Future
§ Open Q&A
Cybercrime Stats
Cybercrime economy is expected to grow to at least 1.5 trillion each year
In the past year, security breaches have increased by >11%, and by 67% in the last five years
SMBs are targeted 43% of the time in cyber attacks
Ransomware attacks to increase 5x by 2021
Ransomware attacks occur every 14 seconds
Cybercrime kits can be purchased for as little as $1 on the dark web and online marketplaces
Impact
Chart: Average cost per record of a breach (Source: IBM 2018 Cost of a Data Breach)
Chart: Average cost of a malware attack on a company (Source: Accenture)
Chart: By 2021, damage related to cybercrime is projected to hit (amount shown on slide) annually (Source: Cybersecurity Ventures)
Motivations
Vernacular of Hacking
Motivation Labels: § Hacker (white hat) § Grey Hat § Bad Hacker (black hat) § Blue Hat
Skill Labels: § Elite Hacker § Script Kiddie § Neophyte/Noob
Motivation/Support: § Lone attacker § Hacktivist § Nation State § Organized Criminal Gangs (OCG)
History
Late 50’s – Late 70’s: Phreaking/System Exploration
Late 80’s – Late 90’s: Hacking Increases, Nation State
2000’s and Beyond: Monetary/Political attacks
1983: Wargames (movie)
1986: Computer Fraud and Abuse Act
1988: Morris Worm
1989: First ransomware detected (PC Cyborg)
1992: 1260 Polymorphic Virus
1993: First DEFCON Conference
1994: Citibank
1996: Cryptovirology (basis of modern ransomware)
2000: ILOVEYOU Worm
2001: Code Red
2003: Blaster
2005: CardSystems Solutions
2007: TJ Maxx
2009: Conficker
2010: Stuxnet
2013: Target/Yahoo
2014: Sony
2015: Ashley Madison
2016: Bangladesh Bank Robbery
Why
§ Money
§ Resources (medical)
§ Impersonation for non-monetary reasons (criminal arrest)
§ Extension of Political goals
§ Other (prestige, etc.)
How
Cybercrime Business Model
PAST: Individual or small team who created the malware, delivered the malware and exploited it.
CURRENT (Cybercrime as a Service or CAAS): § Project Manager § Coder/Malware developer § Bot herder (as needed) § Intrusion Specialist § Data Miner § Money Specialist
These roles can be further specialized into component parts, from initial access tools all the way to full service models.
High Level Overview
One third of all security incidents began with a phishing email
Source: Trend Micro
Cybercrime as a Service (CAAS)
Can consist of specializations
Malware as a service
Counter AV as a Service
Ransomware as a service
Fraud as a service
Escrow Services
Drop Services
And others
Costs
Type: Amount
Server Hacking: Approximately $250
Home Computer Hacking: Approximately $150
Creating Malware: Approximately $200
Bulk Stolen Data: Depends on gigabytes stolen
Hack Service Rental: $200 - $1000 (depending on size)
Full project hack (end to end): Varies; can include a fixed fee or a portion of proceeds
Tools
§ Deep Web
§ Dark Web/Darknet
§ Public/Internet/Clearnet
§ Botnets
§ Watering Hole attacks
§ Malvertisements
§ DDOS
§ Ransomware
§ Malware
Approaches
Networks
BlackHat – DefCon Security Conference
§ Hacker conference discussing new trends, attacks and intelligence sharing
§ Approximately 25,000-30,000 attendees from law enforcement, InfoSec and hacker communities.
§ Key learnings
§ Crime as a Service is growing
§ IoT, Vehicles and Voting Machines can be hacked in minutes
§ Thermostats and other IoT are susceptible to ransomware
§ Mobile wallets are a target. One attacker showed how a hacker could make fraudulent payments through Samsung Pay [1].
§ Mag Stripes are susceptible to guessing (brute force), allowing attackers to create mag stripe cards on the fly for POS, hotel rooms and other uses [2].
[1] http://www.itproportal.com/2016/08/10/fraudulent-payments-through-samsung-pay-are-real/
[2] http://www.esecurityplanet.com/hackers/hacking-hotel-keys-and-point-of-sale-systems-at-defcon.html
Information Sharing
Source: https://www.hackaday.com
Security Testing Tools Available
Source: https://www.hak5.org/
Resource for All Skill Levels
Source: https://www.darknet.org.uk/popular-posts/
The GozNym Criminal Network: How It Worked
1. Sourcing the Malware
The leader of the criminal network (from Tbilisi, Georgia) leased access to the malware from a developer.
The developer (from Orenburg, Russia) worked with coders to create GozNym, a sophisticated piece of malware to steal online banking credentials from victims’ computers.
2. Recruiting Accomplices
The leader recruited other cybercriminals with specialized skills and services, which they advertised on underground, Russian-speaking online criminal forums.
3. Covering Their Tracks
The leader and his technical assistant (from Kazakhstan) worked with “crypters” (including one in Balti, Moldova) to crypt the malware so antivirus software would not detect it on the victims’ computers.
4. Distribution and Infection
Spammers (including one in Moscow, Russia) sent phishing emails to hundreds of thousands of potential victims. The emails were designed to appear as legitimate business emails and contained a malicious link or attachment.
When clicked, the victims’ computers were redirected to a malicious domain on a server hosting a GozNym executable file. This file downloaded GozNym onto the victims’ computers.
Many Sites to Support Attackers
§ Crypters
§ Spammers
§ Remote Administration
§ Spreaders
§ Other Services: Full fledged services (MAAS), Marketing services, Training, Support
Philadelphia RaaS Example
(criminals) run their business the same way a legitimate software company does to sell its products and services. While it sells Philadelphia on marketplaces hidden on the Dark Web, it hosts a production-quality “intro” video on YouTube, explaining the nuts and bolts of the kit and how to customize the ransomware with a range of feature options.
Source: https://nakedsecurity.sophos.com/2017/12/13/5-ransomware-as-a-service-raas-kits-sophoslabs-investigates/
Phishing as a Service Example
The Fake-Game website offers VIP accounts at higher cost (with more services available). Some statistics from this site were a total of around 60,000 subscribers and almost 680,000 credentials stolen (2016 data).
Source: https://www.fortinet.com/blog/threat-research/fake-game-the-emergence-of-a-phishing-as-a-service-platform.html
Ransomware as a Service Example
Source: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/free-ransomware-available-dark-web
Emerging Business Models
Source: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us/
Tox is free to use and takes 20% of the ransom as its business model
Subscription access to popular backdoor services — attacks that get around traditional security mechanisms like firewalls and other forms of authentication — can now be found for as little as 40 or 50 dollars a month. Subscriptions to phishing attacks are even cheaper, with some going for as low as just a few dollars a month.
Source: https://www.recordedfuture.com/crimeware-as-a-service-affordability/
The Future
§ Nation State
§ More sophisticated criminal networks
§ More focus on small to medium sized businesses as targets of opportunity
How to Protect Yourself and Company
§ User education
§ Don’t click on links in emails you weren’t expecting
§ Don’t download or click on attachments in emails
§ If it feels suspicious, assume it is and contact your security team
§ Keep systems and antivirus patched