group-ib: prevention and investigation of high-tech crimes

PREVENTION AND INVESTIGATION OF HIGH-TECH CRIMES

Upload: group-ib

Post on 08-May-2015


TRANSCRIPT

Page 1: Group-IB: prevention and investigation of high-tech crimes

PREVENTION AND INVESTIGATION OF HIGH-TECH CRIMES

Page 2: Group-IB: prevention and investigation of high-tech crimes

Damage caused to the global economy by cyber criminals (chart covering 2012, 2013 and 2014)

• THE CLASSICAL MEANS OF SECURING INFORMATION IS NO LONGER ABLE TO PREVENT INCIDENTS

Page 3: Group-IB: prevention and investigation of high-tech crimes


Group-IB's mission is to protect our clients in cyberspace by creating and using innovative products, solutions and services

Page 4: Group-IB: prevention and investigation of high-tech crimes


Group-IB

• One of the leading international companies specializing in the prevention and investigation of cyber crimes and high-tech crimes

Main activities:

• Cyber intelligence, monitoring and prevention of cyber threats

• Investigation of cyber crimes and high-tech theft

• Computer forensics and examination

• Information security audit and security analysis

• Development of innovative information security products

Page 5: Group-IB: prevention and investigation of high-tech crimes


GROUP-IB's expansion phases (timeline: 2003, 2009, 2010, 2011, 2015)

• Group-IB created

• Enters the international market

• Becomes the largest computer forensics laboratory in Eastern Europe

• CERT-GIB created

• Becomes an organization with unique competencies

Staff growth: 20+, 30+, 100+ employees

Page 6: Group-IB: prevention and investigation of high-tech crimes


Our customers

Financial sector; energy, industry, IT

Page 7: Group-IB: prevention and investigation of high-tech crimes

MEDIA


Page 8: Group-IB: prevention and investigation of high-tech crimes


Examples of investigations carried out: Carberp

• Russia's biggest organized online crime gang (in 2012)

• The investigation was carried out in close cooperation with the Russian Federal Security Service (FSB) and the Russian Ministry of Internal Affairs, with assistance from Sberbank of Russia

• This was the first case in Russian law-enforcement practice in which all the members of an online crime gang were arrested

Page 9: Group-IB: prevention and investigation of high-tech crimes


Examples of investigations carried out: Hodprot

• One of the oldest groups involved in online banking theft

• Measures were taken in several regions of Russia and the CIS

• The investigation led to the arrest of the 7 members of the criminal group

Page 10: Group-IB: prevention and investigation of high-tech crimes


Examples of investigations carried out: Hameleon

• The first botnet designed to steal money from personal bank accounts

• The criminal used replaced SIM cards to carry out attacks against bank customers

• More than 1 billion rubles were prevented from being stolen

Page 11: Group-IB: prevention and investigation of high-tech crimes


Examples of investigations carried out: Germes

• An international criminal gang that offered illegal earnings through principles similar to those of an affiliate program

• The investigation led to the arrest of the organizer of the criminal gang

• The largest botnet in Russia was dismantled. At the time of the arrest, the botnet had more than 6 million compromised computers. The botnet was designed for online banking theft

Page 12: Group-IB: prevention and investigation of high-tech crimes


Examples of investigations carried out: Dragon – DDoS botnet

• A DDoS attack against one of the top 10 largest Russian banks. The attack was carried out using a previously unknown botnet

• The organizer of the attack was arrested in December 2012 in close cooperation with the Russian Ministry of Internal Affairs

Page 13: Group-IB: prevention and investigation of high-tech crimes


Examples of investigations carried out: BlackHole

• Author of the BlackHole Exploit Kit and Cool Exploit Kit, as well as Crypt.am, a service for obfuscating malware code to prevent its detection by antivirus programs

• 40% of infections recorded worldwide were carried out using Paunch's tools

• This was the first case in Russian law-enforcement practice in which the author of an exploit kit was arrested as an accomplice to theft

Page 14: Group-IB: prevention and investigation of high-tech crimes


Main activities

Group-IB

PREVENTION AND MONITORING

• CERT-GIB: MONITORING AND RESPONSE

• BRAND PROTECTION

• INFORMATION SECURITY AUDIT

• ANTIPIRACY

COMPUTER FORENSICS AND INVESTIGATION

• COMPUTER FORENSICS AND MALWARE INVESTIGATION LABORATORY

• INCIDENT INVESTIGATION

• INDEPENDENT FINANCIAL AND CORPORATE INVESTIGATIONS

SOFTWARE DEVELOPMENT

• BOT-TREK: CYBER INTELLIGENCE & THREAT ANALYSIS

• BOT-TREK TDS

ANTIPIRACY

Page 15: Group-IB: prevention and investigation of high-tech crimes


Company's structure

Offices: MOSCOW, NEW YORK, SINGAPORE

Units shown in the organizational chart:

• CERT-GIB

• COMPUTER FORENSICS AND MALWARE INVESTIGATION LABORATORY

• COMPUTER FORENSICS

• MALWARE INVESTIGATION

• MOBILE GROUPS

• COMPUTER INVESTIGATION DEPARTMENT

• FINANCIAL INVESTIGATION DEPARTMENT

• AUDIT AND CONSULTING DEPARTMENT

• PERSONAL SECURITY SERVICE

• ANALYTICS DEPARTMENT

• LEGAL DEPARTMENT

• SOFTWARE DEVELOPMENT

• BOT-TREK

• BOT-TREK TDS

• ANTIPIRACY

Page 16: Group-IB: prevention and investigation of high-tech crimes

PREVENTION AND MONITORING

Page 17: Group-IB: prevention and investigation of high-tech crimes


CERT-GIB computer security incident response team

• The first 24/7 CERT in Eastern Europe: CERT-GIB is the first round-the-clock computer security incident response team in Eastern Europe

• Transcontinental support: monitoring and response groups are present in different parts of the globe (North America, Europe, Asia), with offices in NEW YORK, MOSCOW and SINGAPORE

• Countermeasures against the following types of threats: phishing, spam, DDoS attacks, malware, botnets

• .RU, .РФ, .SU: a competent organization on combating cyber threats; an expert organization of the Coordination Center for TLD RU/РФ

Page 18: Group-IB: prevention and investigation of high-tech crimes


CERT-GIB work methodology

PREVENTION AND MONITORING

• Active monitoring

  • Monitoring of information security incidents: phishing, spam emails, malware, etc.

  • Accepting requests through a form on its website, through e-mail, and by a hotline

  • Monitoring of professional communities

• Gathering information about an incident

  • Establishing the source of a threat

  • Threat analysis

  • Identifying the persons involved in the threat

  • Conducting forensic investigations

• Incident classification

  • Phishing

  • Malware

  • Dissemination of confidential information

  • DoS/DDoS attack

  • Spam

  • Other threats

• Incident neutralization

  • Suppressing the causes of the incident

  • Contacting foreign CERTs and CSIRTs for cooperation (if necessary)

  • Reporting to the requesting party

  • Transfer of materials to law enforcement agencies (if necessary)

Page 19: Group-IB: prevention and investigation of high-tech crimes


CERT-GIB

An independent unit at Group-IB, which monitors and responds to information security incidents

• Monitoring of information security events

• Immediate response to information security incidents

• Conducting internal and external investigations

• Providing legal support to the entire complex of measures and their outcome

• Collection, investigation and processing of digital evidence and event logs

Diagram: Customer, ISIRT №1, ISIRT №2, ISIRT №3, ISIRT №…, VPN

Page 20: Group-IB: prevention and investigation of high-tech crimes


CERT-GIB cases

PREVENTION AND MONITORING

Slenfbot takedown, Virut takedown, Grum takedown

Page 21: Group-IB: prevention and investigation of high-tech crimes


antiphishing.ru

PREVENTION AND MONITORING

• A form for accepting reports about suspicious sites used for targeted attacks against Internet users. The project has existed since 2012 with the participation of CERT-GIB experts

• The information acquired is immediately sent to CERT-GIB analysts, who quickly process the incoming report and take the necessary measures to neutralize the malicious web resources

• A socially oriented project: after sending in a report, users are given the opportunity to share information about the antiphishing.ru project on social networks

Page 22: Group-IB: prevention and investigation of high-tech crimes


Brand Point Protection: a range of services on online brand protection

PREVENTION AND MONITORING

• Protection against phishing: a system for early detection of phishing incidents and other incidents involving illegal use of brands on the Internet

• Protection of intellectual property: a package of measures aimed at preventing illegal distribution of digital content and elements of intellectual property on the Internet

• Protection of business reputation: monitoring the electronic media, blogs, forums and other resources on the Internet to identify information distorting or tarnishing a business reputation

• Monitoring counterfeit product markets: finding and identifying sales channels and sources of counterfeit products in order to stop such illegal activities

• Monitoring the mobile app market: identifying and responding to cases of illegal use of a brand in mobile app stores, where apps violate copyrights and/or are intended to attack our customer's clients

Page 23: Group-IB: prevention and investigation of high-tech crimes


Antipiracy: intellectual property protection on the Internet

PREVENTION AND MONITORING

• Protecting movies, software, music, e-books, computer games: Group-IB protects all kinds of digital content that can be found on the Internet

• The service combines automatic and manual monitoring: Group-IB anti-piracy software automatically monitors the Internet (Russian- and English-speaking segments) and finds all links to illegal content. A team of operators processes this data and takes measures

• Unique competencies and a strong relationship with various authorities: Group-IB is a competent organization with the Coordination Center for TLD RU/РФ and cooperates with top hosting providers and domain name registrars

• Supporting legal platforms: we redirect the audience from pirate websites to legal platforms. A number of pirate websites are ready to comply and operate legally

• Protecting your revenue: up to 90% of all illegal links are removed from the Internet. The popularity of official platforms grows, as does the revenue. The image is protected

Page 24: Group-IB: prevention and investigation of high-tech crimes


Information security audit

PREVENTION AND MONITORING

• Application source code security audit: the audit reveals vulnerabilities and gaps that can lead to information security threats

• Web application security audit: web applications are analyzed for the presence of vulnerabilities. After the analysis, the customer receives recommendations on how to address such vulnerabilities and improve security

• Industrial control systems and SCADA systems security audit: the audit evaluates the level of security of key elements of an industrial network infrastructure against possible malicious internal and external impacts

• Penetration tests: a method of controlling the security of applications and AISs (automated information systems) by exploring the feasibility of unauthorized access to the customer's information by potential attackers

Page 25: Group-IB: prevention and investigation of high-tech crimes


Benefits

PREVENTION AND MONITORING

• Increased market value for your company, by managing the security and volume of your company's intangible assets, such as copyrights, know-how, trademarks, and business reputation

• Increased sales revenues: removal of sources of illegal spread of counterfeit goods and confidential information; interruption of cash flows to attackers' projects

• Improved business reputation: wiping out false and untrue reviews negatively affecting your company's business image from search results

• Increased trust in the brand: timely detection of unauthorized use of your brand and notifying you to ensure the safety of that brand. Customer centricity prompts positive feedback from current customers and attracts new ones

• Compensation for damages caused: legally prosecuting criminals illegally using your brand, and subsequently receiving compensation for damages caused by their activities

Page 26: Group-IB: prevention and investigation of high-tech crimes

COMPUTER FORENSICS AND INVESTIGATION

Page 27: Group-IB: prevention and investigation of high-tech crimes

Cyber crime investigation

COMPUTER FORENSICS AND INVESTIGATION

NETWORK ATTACKS

• ONLINE BANKING THEFT

• DDOS ATTACK

• VOIP HACKING

• UNAUTHORIZED ACCESS TO WEBSITES, DATABASES, SERVERS, AND MAIL

• NETWORK BLACKMAIL / EXTORTION

TARGETED ATTACKS / INDUSTRIAL ESPIONAGE

• TARGETED VIRUS ATTACKS

• WIRETAPPING OF NETWORK CHANNELS

• INSTALLATION OF MALICIOUS LOGIC

• INSTALLATION OF DIGITAL BACKDOORS

SABOTAGE AND INSIDERS

• INFORMATION LEAKAGE

• INFORMATION DESTRUCTION

• DATA MANIPULATION TO COMMIT FRAUD

• ACCESS DENIAL

ECONOMIC CRIMES

• HIGH-TECH FRAUD

• EXTORTION

• DISCLOSURE OF TRADE SECRETS AND CONFIDENTIAL INFORMATION

• ILLEGAL USE OF TRADEMARKS AND BRANDS

Page 28: Group-IB: prevention and investigation of high-tech crimes


Computer forensics and malware investigation

COMPUTER FORENSICS AND INVESTIGATION

• Digital evidence collection: gathering information about an incident and determining the sources where evidential information is stored. Preserving and presenting evidential information in accordance with state laws

• Forensic investigation: analyzing the incident, and obtaining and securing evidence admissible in court proceedings

• Express forensics: conducting forensic investigations in a very short time

• Participation of experts in special investigation activities: minimizing the possibility of evidence being destroyed due to unskilled actions, and giving technical measures proper legal status

Page 29: Group-IB: prevention and investigation of high-tech crimes


Computer forensics and malware investigation

COMPUTER FORENSICS AND INVESTIGATION

• Malware investigation: identifying the functional capabilities of executable files and establishing network addresses. Analyzing and decoding configuration files and other ancillary data

• Comparison of source codes with software products: conducting computer investigations into modern plagiarism in the field of IT

• Mobile device investigation: investigating mobile devices at the logical and physical levels, as well as at the file system level

• Outsourcing of services: combining services into a single complex, thus enabling incidents to be managed efficiently while minimizing time and financial costs

Page 30: Group-IB: prevention and investigation of high-tech crimes

Independent financial and corporate investigations: protection of a company's financial and economic interests against various internal and external abuses

• Investigation of violations within a company and verification of the facts of probable fraud

• Independent and objective assessment of potential abuses by employees

• Investigation of misappropriation of assets and property; returning such assets and property and/or taking measures established by law

• Revealing cases of hidden conflicts of interest and relationships that are contrary to business ethics

• Comprehensive analysis of the reliability of suppliers, manufacturers, business partners, sales agents, own employees, and other parties

COMPUTER FORENSICS AND INVESTIGATION

Page 31: Group-IB: prevention and investigation of high-tech crimes

Benefits

• Possible compensation for damages when the perpetrators are identified and prosecuted

• Increased business stability brought about by lower financial costs of information security

• Minimizing existing risks by promptly obtaining information about an incident that has occurred, and preventing such risks in the future

• Increased speed of responding to incidents thanks to the use of advanced forensic and e-discovery practices

• Reduced financial costs of building your own infrastructure and training forensic and e-discovery experts

COMPUTER FORENSICS AND INVESTIGATION

Page 32: Group-IB: prevention and investigation of high-tech crimes

SPECIALIZED SOFTWARE DEVELOPMENT AND DEPLOYMENT

Page 33: Group-IB: prevention and investigation of high-tech crimes

SOFTWARE DEVELOPMENT

Bot-Trek

• Intelligent, self-learning, self-filling, full-cycle proprietary ecosystem

• Functional unity of knowledge, experience and technology

The Bot-Trek ecosystem provides companies with software for identification, strategic planning and rapid response to current global risks and security threats

Page 34: Group-IB: prevention and investigation of high-tech crimes

Bot-Trek

Bot-Trek helps protect against zero-day attacks and prevent or prepare for further attacks or threats

Bot-Trek products allow:

• Real-time monitoring of the constantly changing cyber threat environment

• Use of specific indicators to assess the level of threats to the business

• Acquiring new knowledge necessary to protect the company today and in the future

Depending on your business risks, Bot-Trek provides:

• Protection against theft in payment systems, online banking and mobile devices

• Protection against targeted attacks (APTs)

• Identification of and rapid response to actual global risks and security threats

• Tools for strategic security planning and risk assessment

SOFTWARE DEVELOPMENT

Page 35: Group-IB: prevention and investigation of high-tech crimes

Bot-Trek CI

Bot-Trek Cyber Intelligence (CI) is the platform that provides companies around the world with real-time, personalized analytical information for strategic planning, identification of and rapid response to urgent global risks and threats to security.

• The impacts of changes in the external 'Cybercrud' are monitored and assessed

• Additional information is collected and correlated so that Bot-Trek CI can provide global sector information on various types of high-tech threats

• Processing huge volumes of raw data, Bot-Trek CI provides the customer with only reliable and relevant information for the decision-making process

SOFTWARE DEVELOPMENT

Page 36: Group-IB: prevention and investigation of high-tech crimes

Bot-Trek CI

Bot-Trek CI performs research, processes and correlates information from multiple private and public resources

SOFTWARE DEVELOPMENT

Page 37: Group-IB: prevention and investigation of high-tech crimes

Bot-Trek CI

Group-IB uses its own unique developments for collecting and correlating data. Each block of data complements the next, providing better coverage and a higher level of protection for our clients

SOFTWARE DEVELOPMENT

Page 38: Group-IB: prevention and investigation of high-tech crimes

Bot-Trek TDS

The system is designed to identify Trojans, spyware, illegal remote administration tools, exploits for workstations and mobile botnets.

Delivered as a "device + service" model, Bot-Trek TDS is an effective tool for outsourcing routine processes, such as server administration, signature updating and log analysis.

• Bot-Trek TDS complements other intrusion detection systems already installed in the customer's infrastructure

• The standard complete set has low hardware requirements and can be deployed on the customer's own platform remotely and easily integrated with SIEM and IPS systems

• There are almost no false positives. Hence, each incident detected is a reason for specific actions and not just a "practice alert"

• Confidentiality of corporate information is preserved because traffic does not go beyond the customer's infrastructure.

• There is no need to hire and certify a separate highly paid employee because CERT-GIB takes full charge of expert analysis of detected events 24/7/365

SOFTWARE DEVELOPMENT

Page 39: Group-IB: prevention and investigation of high-tech crimes

Bot-Trek Intelligent Bank (IB)

Protects online payments from fraud without installation on the endpoint devices

Bot-Trek IB was designed as a SaaS solution and does not require changes in the enterprise infrastructure or online banking software. The client part is loaded together with the online banking website.

• Identifies new types of attacks and malicious code

• Identifies client devices infected by malicious code by detecting web injects

• Protects against phishing and pharming attacks

• Identifies remote connections to a client device

• Classifies malicious code
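The slide says the client-side part detects web injects on infected devices but not how. The following is an added illustration of the basic idea, written for this page and not Group-IB's or Bot-Trek's code: banking malware that performs a web inject adds fields (card number, PIN) to a genuine login form or re-points the form's action, so a script shipped with the page can compare the form it actually finds against the layout the bank shipped and report every deviation. The bank, its form layout, the two snapshots and the collector host are all constructed for the example.

```javascript
// Added example, not Group-IB code: web-inject detection by comparing the
// login form actually rendered in the browser against the layout the bank
// shipped. Every value below (bank URL, field names, snapshots) is constructed.

// Form layout as shipped by the (hypothetical) bank.
const EXPECTED_FORM = {
  formId: 'login',
  action: 'https://bank.example/login',
  fields: [
    { name: 'username', type: 'text' },
    { name: 'password', type: 'password' },
  ],
};

// Snapshot a client-side script would take on a clean device (constructed).
const CLEAN_SNAPSHOT = {
  formId: 'login',
  action: 'https://bank.example/login',
  fields: [
    { name: 'username', type: 'text' },
    { name: 'password', type: 'password' },
  ],
};

// Snapshot from a device where malware injected two extra fields and pointed
// the form at a collector host (constructed; .invalid is a reserved TLD).
const INJECTED_SNAPSHOT = {
  formId: 'login',
  action: 'https://collector.invalid/post',
  fields: [
    { name: 'username', type: 'text' },
    { name: 'password', type: 'password' },
    { name: 'card_number', type: 'text' },
    { name: 'pin', type: 'password' },
  ],
};

// A field is identified by name and input type, so a renamed or retyped
// input shows up as one missing field plus one unexpected field.
function fieldKey(field) {
  return `${field.name}:${field.type}`;
}

// Compare a snapshot against the expected form. Returns a list of findings;
// an empty list means the rendered form matches what the bank shipped.
function detectWebInject(expected, snapshot) {
  const findings = [];
  if (snapshot.formId !== expected.formId) {
    findings.push({ kind: 'form_id_changed', detail: snapshot.formId });
  }
  if (snapshot.action !== expected.action) {
    findings.push({ kind: 'action_changed', detail: snapshot.action });
  }
  const want = new Set(expected.fields.map(fieldKey));
  const have = new Set(snapshot.fields.map(fieldKey));
  for (const key of have) {
    if (!want.has(key)) findings.push({ kind: 'unexpected_field', detail: key });
  }
  for (const key of want) {
    if (!have.has(key)) findings.push({ kind: 'missing_field', detail: key });
  }
  return findings;
}

// Convenience wrapper: any finding at all marks the device as suspect.
function isInfected(expected, snapshot) {
  return detectWebInject(expected, snapshot).length > 0;
}

// In a browser, this builds the snapshot from a live <form> element; the
// comparison above works on the plain-object shape it returns.
function snapshotForm(formEl) {
  return {
    formId: formEl.id,
    action: formEl.getAttribute('action'),
    fields: Array.from(formEl.querySelectorAll('input')).map((input) => ({
      name: input.name,
      type: input.type,
    })),
  };
}

console.log(detectWebInject(EXPECTED_FORM, CLEAN_SNAPSHOT));    // []
console.log(detectWebInject(EXPECTED_FORM, INJECTED_SNAPSHOT)); // 3 findings
```

The findings are what a client script would report back to the bank's fraud backend: an `action_changed` finding alone is already enough to block the transaction, while `unexpected_field` findings tell the analyst which data the inject was harvesting. The expected layout must itself be delivered out of band (for instance, embedded in the server-signed page the script ships with), otherwise malware that rewrites the page can rewrite the baseline too.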

SOFTWARE DEVELOPMENT

Page 40: Group-IB: prevention and investigation of high-tech crimes

Benefits

• Minimization of financial losses due to real-time fraud prevention, rapid response to incidents and reduction in the costs of supporting victims

• Minimization of reputational risks due to the reduced number of victims

• Compensation for financial losses due to a comprehensive investigation, with a possible subsequent lawsuit

SOFTWARE DEVELOPMENT

Page 41: Group-IB: prevention and investigation of high-tech crimes


www.group-ib.com [email protected]

facebook.com/groupib twitter.com/groupib

youtube.com/groupib linkedin.com/company/group-ib