Cybersecurity Landscape Paul Love Chief Information Security Officer, CO-OP Financial Services

Posted on 13-Jul-2020


Page 1: Cybersecurity Landscape. BlackHat – DefCon Security Conference § Hacker conference discussing new trends, attacks and intelligence sharing § Approximately 25,000-30,000 attendees

Cybersecurity Landscape

Paul Love, Chief Information Security Officer, CO-OP Financial Services

Page 2

Topics

§ Impact

§ Motivations

§ How

§ The Future

§ Open Q&A

Page 3

Cybercrime Stats

Cybercrime economy is expected to grow to at least 1.5 trillion each year

In the past year, security breaches have increased by >11%, and by 67% over the last five years

SMBs are targeted 43% of the time in cyber attacks

Ransomware attacks to increase 5x by 2021

Ransomware attacks occur every 14 seconds

Cybercrime kits can be purchased for as little as $1 on the dark web and online marketplaces

Page 4

Impact

Average cost per record of a breach (Source: IBM 2018 Cost of a Data Breach)

Average cost of a malware attack on a company (Source: Accenture)

By 2021, damage related to cybercrime is projected to hit [amount shown on slide] annually (Source: Cybersecurity Ventures)

Page 5

Motivations

Page 6

Vernacular of Hacking

Motivation/Support labels

§ Hacker (white hat)
§ Grey Hat
§ Bad Hacker (black hat)
§ Blue Hat

Skill labels

§ Elite Hacker
§ Script Kiddie
§ Neophyte/Noob

Motivation labels

§ Lone attacker
§ Hacktivist
§ Nation State
§ Organized Criminal Gangs (OCG)

Page 7

History

Eras

§ Late 50’s – Late 70’s: Phreaking/system exploration
§ Late 80’s – Late 90’s: Hacking increases; nation state activity
§ 2000’s and beyond: Monetary/political attacks

Timeline

§ 1983 – Wargames (movie)
§ 1986 – Computer Fraud and Abuse Act
§ 1988 – Morris Worm
§ 1989 – First ransomware detected (PC Cyborg)
§ 1992 – 1260 polymorphic virus
§ 1993 – First DEFCON conference
§ 1994 – Citibank
§ 1996 – Cryptovirology (basis of modern ransomware)
§ 2000 – ILOVEYOU worm
§ 2001 – Code Red
§ 2003 – Blaster
§ 2005 – CardSystems Solutions
§ 2007 – TJ Maxx
§ 2009 – Conficker
§ 2010 – Stuxnet
§ 2013 – Target/Yahoo
§ 2014 – Sony
§ 2015 – Ashley Madison
§ 2016 – Bangladesh Bank robbery

Page 8

Why

§ Money

§ Resources (medical)

§ Impersonation for non-monetary purposes (e.g. criminal arrest)

§ Extension of Political goals

§ Other (prestige, etc.)

Page 9

How

Page 10

Cybercrime Business Model

Past: an individual or small team who created the malware, delivered it and exploited it.

Current (Cybercrime as a Service, or CAAS): specialized roles

§ Project Manager
§ Coder/Malware developer
§ Bot herder (as needed)
§ Intrusion Specialist
§ Data Miner
§ Money Specialist

These roles can be further specialized into component parts, from initial-access tools all the way to full-service models.

Page 11

High Level Overview

One third of all security incidents began with a phishing email

Source: Trend Micro

Page 12

Cybercrime as a Service (CAAS)

Can consist of specializations

Malware as a service

Counter AV as a Service

Ransomware as a service

Fraud as a service

Escrow Services

Drop Services

And others

Page 13

Costs

Type – Amount

Server hacking – approximately $250

Home computer hacking – approximately $150

Creating malware – approximately $200

Bulk stolen data – depends on the number of gigabytes stolen

Hack service rental – $200 - $1000 (depending on size)

Full project hack (end to end) – varies; can include a fixed fee or a portion of the proceeds

Page 14

Tools

Networks

§ Deep Web
§ Dark Web/Darknet
§ Public/Internet/Clearnet

Approaches

§ Botnets
§ Watering Hole attacks
§ Malvertisements
§ DDOS
§ Ransomware
§ Malware

Page 15

BlackHat – DefCon Security Conference

§ Hacker conference discussing new trends, attacks and intelligence sharing

§ Approximately 25,000-30,000 attendees from law enforcement, InfoSec and hacker communities.

§ Key learnings

§ Crime as a Service is growing

§ IoT, Vehicles and Voting Machines can be hacked in minutes

§ Thermostats and other IoT are susceptible to ransomware

§ Mobile wallets are a target. One attacker showed how a hacker could make fraudulent payments through Samsung Pay [1].

§ Mag Stripes are susceptible to guessing (brute force), allowing attackers to create mag stripe cards on the fly for POS, hotel rooms and other uses [2].

[1] http://www.itproportal.com/2016/08/10/fraudulent-payments-through-samsung-pay-are-real/
[2] http://www.esecurityplanet.com/hackers/hacking-hotel-keys-and-point-of-sale-systems-at-defcon.html

Page 16

Information Sharing

Source: https://www.hackaday.com

Page 17

Security Testing Tools Available

Source: https://www.hak5.org/

Page 18

Resource for All Skill Levels

Source: https://www.darknet.org.uk/popular-posts/

Page 19

The GozNym Criminal Network: How It Worked

1. Sourcing the Malware

The leader of the criminal network (from Tbilisi, Georgia) leased access to the malware from a developer.

The developer (from Orenburg, Russia) worked with coders to create GozNym, a sophisticated piece of malware to steal online banking credentials from victims’ computers.

2. Recruiting Accomplices

The leader recruited other cybercriminals with specialized skills and services which they advertised on underground, Russian-speaking online criminal forums.

Page 20

3. Covering Their Tracks

The leader and his technical assistant (from Kazakhstan) worked with ‘crypters’ (including one in Balti, Moldova) to crypt the malware so that antivirus software would not detect it on the victims’ computers.

4. Distribution and Infection

Spammers (including one in Moscow, Russia) sent phishing emails to hundreds of thousands of potential victims. The emails were designed to appear as legitimate business emails and contained a malicious link or attachment.

When clicked, the victim’s computer was redirected to a malicious domain on a server hosting a GozNym executable file. This file downloaded GozNym onto the victim’s computer.

Page 21

Many Sites to Support Attackers

Other services

§ Full-fledged services (MAAS)
§ Marketing services
§ Training
§ Support

Other site categories shown: Remote Administration, Spreaders

Page 22

Philadelphia RaaS Example

(criminals) run their business the same way a legitimate software company does to sell its products and services. While it sells Philadelphia on marketplaces hidden on the Dark Web, it hosts a production-quality “intro” video on YouTube, explaining the nuts and bolts of the kit and how to customize the ransomware with a range of feature options.

Source: https://nakedsecurity.sophos.com/2017/12/13/5-ransomware-as-a-service-raas-kits-sophoslabs-investigates/

Page 23

Phishing as a Service Example

The Fake-Game website offers a VIP account at a higher cost (with more services available). Statistics from this site: a total of around 60,000 subscribers and almost 680,000 credentials stolen (2016 data).

Source: https://www.fortinet.com/blog/threat-research/fake-game-the-emergence-of-a-phishing-as-a-service-platform.html

Page 24

Ransomware as a Service Example

Source: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/free-ransomware-available-dark-web

Page 25

Emerging Business Models

Tox is free and takes only 20% of the ransom as its business model

Source: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us/

Subscription access to popular backdoor services — attacks that get around traditional security mechanisms like firewalls and other forms of authentication — can now be found for as little as 40 or 50 dollars a month. Subscriptions to phishing attacks are even cheaper, with some going for as low as just a few dollars a month.

Source: https://www.recordedfuture.com/crimeware-as-a-service-affordability/

Page 26

The Future

§ Nation State

§ More sophisticated criminal networks

§ More focus on small to medium sized businesses as targets of opportunity

Page 27

How to Protect Yourself and Company

§ User education

§ Don’t click on links in emails you weren’t expecting

§ Don’t download or click on attachments in emails

§ If it feels suspicious, assume it is and contact your security team

§ Keep systems and antivirus patched
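As an added defensive illustration (not part of the presentation and not code from the speaker or his company), the script below turns the advice on this slide and the GozNym delivery description on page 20 (a business-looking email carrying a link that leads to a server hosting an executable, or a malicious attachment) into the kind of triage check a mail gateway or help desk could run on a reported message. The two sample messages, the trusted-domain list, the risky-extension list and the domain helper are all constructed assumptions for the demo; real deployments would use a public-suffix list and the organisation's own partner list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed assumptions for the demo: domains the organisation already does
# business with, and attachment extensions that commonly carry executable code.
TRUSTED_DOMAINS = {"coop-example.com"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd", ".hta", ".docm", ".xlsm"}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOSTLIKE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels; an assumption (no public-suffix list) that is enough here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_phishing_indicators(message, trusted=TRUSTED_DOMAINS):
    """Return human-readable indicators for a message dict with from/html/attachments."""
    found = []
    sender_host = message["from"].rsplit("@", 1)[-1].lower()
    if registrable_domain(sender_host) not in trusted:
        found.append(f"sender domain {sender_host} is not a known partner")

    links = _LinkExtractor()
    links.feed(message["html"])
    for href, text in links.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        # Display text that looks like a URL but resolves somewhere else.
        shown = HOSTLIKE.search(text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            found.append(f"link text shows {shown.group(1)} but points to {host}")
        if IPV4.fullmatch(host):
            found.append(f"link points to a bare IP address {host}")
        elif registrable_domain(host) not in trusted:
            found.append(f"link to unrecognised domain {host}")
        if any(parsed.path.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            found.append(f"link downloads an executable: {parsed.path}")

    for name in message.get("attachments", []):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            found.append(f"attachment {name} has executable extension {ext}")
    return found


def triage(message, trusted=TRUSTED_DOMAINS):
    """Verdict plus the evidence behind it, so a help desk can explain the hold."""
    found = find_phishing_indicators(message, trusted)
    return ("hold for security review" if found else "no indicators found"), found


# Constructed sample messages (hypothetical addresses and a TEST-NET IP).
SAMPLE_PHISH = {
    "from": "accounts@invoice-portal-example.net",
    "html": '<p>Please review <a href="http://203.0.113.10/dl/invoice.exe">'
            'https://portal.coop-example.com/invoice</a> today.</p>',
    "attachments": ["Invoice_4471.docm"],
}
SAMPLE_LEGIT = {
    "from": "billing@coop-example.com",
    "html": '<p>View it at <a href="https://portal.coop-example.com/statements">'
            'the member portal</a>.</p>',
    "attachments": ["statement_2020-07.pdf"],
}

if __name__ == "__main__":
    for label, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        verdict, evidence = triage(msg)
        print(label, "->", verdict)
        for line in evidence:
            print("   -", line)
```

The checks deliberately mirror the slide's advice rather than any malware signature: an unexpected sender, a link whose visible text does not match its destination, a bare IP or unknown domain, a download path ending in an executable extension, and a macro-enabled or script attachment. Any one of them is a reason to route the message to the security team instead of clicking.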

Page 28

Thank You.

Paul Love, Chief Information Security Officer

[email protected]