Outmaneuver Your Adversary: CYBER COUNTERINTELLIGENCE. 2016 IIA Super Conference, Cyber Hunt Operations (SpearTip slide deck, 26 slides)


TRANSCRIPT

Page 1: IIA Super Conference, CYBER COUNTERINTELLIGENCE, Proprietary / CONFIDENTIAL (title slide)

Outmaneuver Your Adversary
CYBER COUNTERINTELLIGENCE
2016 IIA Super Conference: Cyber Hunt Operations

Page 2: Outmaneuver Your Adversary

Utilizing cyber counterintelligence strategies, SpearTip partners with our clients to protect shareholder value, shield corporate reputations, and enhance long-term profits.

Page 3: Outmaneuver Your Adversary (logo slide; no further text)

Page 4: Service

• Incident Response
• Pre-Breach Assessment
• ShadowSpear Protection

Page 5: Cyber Counterintelligence

Cyber counterintelligence is the combination of HUMINT tradecraft, malware reverse engineering, and intelligence gathered both inside the internal network and from live botnets, correlated with the enterprise's external information.

Page 6: Situational Awareness: Why and How These Breaches Are Occurring

• Most organizations are compromised for an average of ~130-200 days before the intrusion is detected
• No "one size fits all" easy solution to the problem
• False sense of security
• As the complexity of attacks progresses, so must the skill sets of internal CIRT teams

Page 7: Situational Awareness: Observational Malware Analysis (OMA)

• Surveillance within the host and the network
• OMA allows for a malware-analysis approach that circumvents common "anti-forensic" techniques
• Focuses on "DATA IN EXECUTION"

Page 8: Situational Awareness: Observational Malware Analysis (continued)

• Defeats the measures used against static analysis, such as encryption and custom packing
• Allows for a "static" view of malware behavior across a variety of environments
• "Traces" malware behavior at the memory-register and function-call level

Page 9: Situational Awareness: Observational Malware Analysis (continued)

• Encrypted strings can be viewed as they are decrypted and loaded into active memory
• Allows for accurate and quick identification of the malicious encrypted data strings being processed
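The three OMA slides above describe observing "data in execution": strings that are encrypted or packed on disk are captured at the moment the sample's own routine decrypts them, which is what makes static evasions such as custom packing irrelevant. The following Python script is an added example, not code from the slides or from SpearTip's tooling, that demonstrates the idea on a constructed toy sample: a harmless stand-in for a packed binary whose strings are XOR-obfuscated in its image, with a `decrypt_string` routine and a `sample_main` body that are assumptions for illustration. A `strings`-style static scan of the image finds none of the plaintext, while a function-call tracer hooked on the decrypt routine records each string as it is produced.

```python
import re
import sys

# Constructed toy sample (not real malware, not code from the slides): the
# strings the program needs are stored XOR-obfuscated inside its "image", so a
# static string scan of the image never sees the plaintext.
XOR_KEY = 0x5A
SAMPLE_PLAINTEXT = [
    "http://c2.example/gate.php",
    "cmd.exe /c whoami",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
]
OBFUSCATED = [bytes(c ^ XOR_KEY for c in s.encode()) for s in SAMPLE_PLAINTEXT]
IMAGE = b"MZ" + b"\x00" * 16 + b"".join(OBFUSCATED)  # stands in for the on-disk binary


def decrypt_string(blob: bytes) -> str:
    """The sample's own string-decryption routine: the thing the observer hooks."""
    return bytes(b ^ XOR_KEY for b in blob).decode()


def sample_main(sink: list) -> None:
    """Toy sample behaviour: each string is decrypted only just before use."""
    for blob in OBFUSCATED:
        sink.append(decrypt_string(blob))


def static_strings(image: bytes, min_len: int = 6) -> list:
    """`strings`-style static scan: printable runs of at least min_len bytes.
    On the obfuscated image this returns junk runs at best, never the plaintext."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, image)]


def observe_decrypted(target, *args) -> list:
    """Run `target` under a function-call tracer and record every value returned
    by decrypt_string: the 'data in execution', captured as it is produced,
    regardless of how it was stored on disk."""
    captured = []

    def local_tracer(frame, event, arg):
        # Inside decrypt_string: on the 'return' event, `arg` is the return value.
        if event == "return" and frame.f_code.co_name == "decrypt_string":
            captured.append(arg)
        return local_tracer

    def global_tracer(frame, event, arg):
        # Called once per new frame; only follow frames of the decrypt routine.
        return local_tracer if frame.f_code.co_name == "decrypt_string" else None

    sys.settrace(global_tracer)
    try:
        target(*args)
    finally:
        sys.settrace(None)
    return captured


if __name__ == "__main__":
    print("static scan of image :", static_strings(IMAGE))
    print("observed in execution:", observe_decrypted(sample_main, []))
```

On a real sample the hook sits on the decryption routine or on the API that consumes the string, placed with a debugger or an instrumentation framework; the Python tracer stands in for that. The point the slides make holds either way: the observer never has to undo the packing, because the sample undoes it itself and the observer simply reads the result.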

Page 10: Situational Awareness (image slide; no text)

Page 11: Situational Awareness (image slide; no text)

Page 12: Situational Awareness: Observational Malware Analysis: Dyreza

Dyreza
+ Banking trojan capable of monitoring web traffic and capturing data in the browser before it is encrypted and sent via SSL
+ Contains mutexes associated with banking trojans from 2009

Page 13: Tip of the Spear: Cyber Warfare, Operation Orchard

• During a visit to London, a Syrian official received a rootkit, courtesy of the Mossad
• Government files identifying facilities that dealt with the production of fissile material were exfiltrated
• These facilities were struck by the Israeli Air Force (IAF) in 2007

Page 14: Tip of the Spear (image slide; no text)

Page 15: Tip of the Spear (image slide; no text)

Page 16: Tip of the Spear: Cyber Hunt Operations

To better understand what your target profile may be for an adversary, you must first understand what your potential adversaries may be looking for, and the methods they may use to obtain your information.

Human intelligence (HUMINT) collection is the most tried and true method for obtaining information.

HUMINT LIFECYCLE (diagram)

Page 17: Tip of the Spear: Cyber Approach Mediums

Channels through which an adversary makes the HUMINT approach to a target:

• Peer-to-Peer
• Social Networking
• Dating Sites
• Dark Web Indexes
• Help Wanted

Page 18: Tip of the Spear: Cyber Hunt Ops, Threat Intelligence

• Malware-related threat intelligence gathered from live botnets, correlated with the external IP addresses and external portals accessible by clients and/or partners.
• Combining Big Data with real-time threat monitoring to provide the most comprehensive pre-attack intelligence against Advanced Persistent Threats (APT) and numerous malware variants, and to provide insight into:
  Ø Potential information leakages
  Ø Compromised websites and servers
  Ø Compromised internal workstations, PCs, and mobile devices
  Ø Potential security holes or weaknesses relative to advanced malware
• Go beyond the standard Open Source Intelligence (OSINT) collection methodology by monitoring the harvested information for indicators of compromise.
• Passively cross-reference both current and future activity discovered within the criminal/nefarious realms, and notify the appropriate organizations.

Page 19: Tip of the Spear: Cyber Hunting, Fusion Cell Analysis

• CnC Monitoring
• Credential Monitoring
• P2P Monitoring
• Cyber Source Ops
• Advanced Security Monitoring
• Network & Host Malware Analysis
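The threat-intelligence bullets on the previous slide and the CnC and credential monitoring items above come down to one operation: take the records a botnet C2 monitor or sinkhole produces and cross-reference them against your own external IP ranges and the portals your staff, clients and partners log into. The script below is an added example, not the slides' or SpearTip's own tooling; the organisation ranges (TEST-NET addresses), portal names (example.com) and the JSON-lines feed are constructed for illustration. It flags two different findings the slides list separately: an internal machine that is checking in to a botnet, and credentials for one of your portals harvested from a bot that sits outside your network (typically a compromised client or partner workstation).

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Assumed organisation footprint (constructed for this example): the external
# ranges you own and the portals your staff, clients and partners log into.
ORG_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
ORG_PORTALS = {"vpn.example.com", "partners.example.com"}

# Constructed stand-in for what a C2 monitor or sinkhole hands back: one JSON
# record per infected-machine check-in, with any harvested credentials attached.
BOTNET_FEED = """\
{"bot_ip": "203.0.113.77", "family": "dyreza", "seen": "2016-03-02T09:14:00Z", "stolen": []}
{"bot_ip": "192.0.2.10", "family": "dyreza", "seen": "2016-03-02T10:02:00Z", "stolen": [{"url": "https://partners.example.com/login", "user": "vendor.account"}]}
{"bot_ip": "192.0.2.11", "family": "zeus", "seen": "2016-03-02T11:40:00Z", "stolen": [{"url": "https://mail.unrelated.test/owa", "user": "someone"}]}
{"bot_ip": "198.51.100.200", "family": "zeus", "seen": "2016-03-02T12:00:00Z", "stolen": []}
{"bot_ip": "203.0.113.77", "family": "dyreza", "seen": "2016-03-03T09:15:00Z", "stolen": [{"url": "https://vpn.example.com/", "user": "jdoe"}]}
{"bot_ip": "not-an-ip", "family": "unknown", "seen": "2016-03-03T10:00:00Z", "stolen": []}
"""


def ip_in_org(ip_text: str) -> bool:
    """True if the address falls inside a range the organisation owns."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # malformed feed entries must not abort the whole run
        return False
    return any(ip in net for net in ORG_NETWORKS)


def portal_for(url: str):
    """Return the organisation portal a stolen-credential URL belongs to, or None."""
    host = (urlsplit(url).hostname or "").lower()
    for portal in ORG_PORTALS:
        if host == portal or host.endswith("." + portal):
            return portal
    return None


def correlate(feed_text: str) -> dict:
    """Cross-reference every check-in against our ranges and portals.

    compromised_hosts: bot IPs inside our ranges (a machine of ours is in the botnet).
    leaked_credentials: harvested logins for our portals, wherever the bot sits
    (an outside bot_ip with our portal credentials usually means a compromised
    client or partner workstation, which is still our problem)."""
    hosts, leaks = {}, []
    for line in feed_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        bot_ip = rec["bot_ip"]
        if ip_in_org(bot_ip):
            entry = hosts.setdefault(bot_ip, {"family": rec["family"],
                                              "first_seen": rec["seen"],
                                              "last_seen": rec["seen"]})
            # ISO-8601 UTC timestamps in one format compare correctly as strings.
            entry["first_seen"] = min(entry["first_seen"], rec["seen"])
            entry["last_seen"] = max(entry["last_seen"], rec["seen"])
        for cred in rec.get("stolen", []):
            portal = portal_for(cred["url"])
            if portal is None:
                continue  # someone else's credentials; not ours to act on
            leaks.append({"portal": portal, "user": cred["user"], "bot_ip": bot_ip,
                          "bot_inside_org": ip_in_org(bot_ip), "seen": rec["seen"]})
    return {"compromised_hosts": hosts, "leaked_credentials": leaks}


if __name__ == "__main__":
    print(json.dumps(correlate(BOTNET_FEED), indent=2))
```

The "notify appropriate organizations" step on the previous slide falls out of the `bot_inside_org` flag: a leak with the flag set is an internal incident, while a leak with the flag clear is a partner or client to be contacted and a credential to be reset on your side regardless.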

Page 20: Director & Executive Accountability

KEY POINT: "boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril." SEC Commissioner Luis A. Aguilar, June 10, 2014.

Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham

Derivative claims premised on the harm to the company from a data breach.

Caremark claims:
• Premised on lack of oversight = breach of the duty of loyalty and good faith
• Cannot insulate the officers and directors = PERSONAL LIABILITY!

Standard:
(1) "utterly failed" to implement a reporting system or controls; or
(2) "consciously failed" to monitor or oversee the system.

$4.8 Billion Deal?

"The Paranoids"

Page 21: Director & Executive Accountability: Game Changer? (image slide)

Page 22: Director & Executive Accountability: NY Dept of Financial Services, Cyber Security Requirements for Financial Services

• All NY "financial institutions"
• Establish a cybersecurity program with specifics
• Adopt cybersecurity policies
• Designate a qualified/responsible CISO
• 3rd-party service providers: examine, obligate, and audit
• Written incident response plan
• Board / senior officer certifying compliance

Page 23: Director & Executive Accountability (image slide; no text)

Page 24: Summary

+ Incident response plans: create, implement, and train
+ Determine risk appetite; continue audits
+ Business continuity plan that is tested LIVE for effectiveness, before it needs to be implemented
+ Evaluate the viability of advanced continuous monitoring in light of resource limitations
+ M&A: are they currently compromised? Are you?

Page 25: Thank You

Page 26:

SpearTip's position in the market enables our team to provide a full range of counterespionage services to identify, detect, exploit, and neutralize threats leveled against corporations.

Our Fusion Cell Team methodology conducts penetration testing, malware analysis, digital forensics, human intelligence collection (HUMINT), pre-attack intelligence analysis, open source data review, elicitation techniques, and technical surveillance countermeasures (TSCM).

speartip.com | linkedin.com/speartip | twitter.com/SpearTipCyberCI
[email protected]
(800) 236-6550
Offices: Washington, D.C.; Saint Louis; Dallas; Tampa; Atlanta