TRANSCRIPT
IIA Super Conference 2016: Cyber Hunt Operations
Cyber Counterintelligence™
Outmaneuver Your Adversary
Proprietary / CONFIDENTIAL
Utilizing cyber counterintelligence strategies, SpearTip partners with our clients to protect shareholder value, shield corporate reputations, and enhance long-term profits.
• Incident Response
• Pre-Breach Assessment
• ShadowSpear Protection Service
Cyber Counterintelligence

Cyber Counterintelligence provides the unique combination of utilizing HUMINT tradecraft, malware reverse engineering, intelligence gathered within an internal network & live botnets, correlated with an enterprise’s external information.
Situational Awareness: Why and How These Breaches Are Occurring
• Most organizations are compromised for an average of ~130-200 days
• No “one size fits all” easy solution to the problem
• False sense of security
• As the complexity of attacks progresses, so do internal CIRT team skill sets
Observational Malware Analysis (Situational Awareness)
• Surveillance within the host & network
• OMA allows for a malware analysis approach that circumvents common “anti-forensic” techniques
• Focuses on “DATA IN EXECUTION”
Observational Malware Analysis (Situational Awareness)
• Defeats static analysis methodologies such as encryption and custom packing
• Allows for a “static” analysis of malware behavior in a variety of environments
• “Traces” malware behavior on a memory register and function call level
Observational Malware Analysis (Situational Awareness)
• Encrypted strings can be viewed as they are decrypted and loaded into active memory
• Allows for accurate and quick identification of malicious encrypted data strings being processed
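The point the OMA slides make, that strings hidden by encryption or packing on disk become visible once the sample decrypts them into memory, is easy to see with a small constructed case. The following is an added example written for this transcript; it is not SpearTip's tooling and not OMA itself. The "binary", its XOR key, the configuration strings and the memory snapshot are all constructed stand-ins (a real snapshot would come from a process memory read or a full memory dump). A strings pass over the file finds only an import name, the same pass over the snapshot finds the decrypted configuration, and the set difference is the analyst's candidate list.

```python
"""
Added example: why "data in execution" recovers what a static strings pass
cannot. Everything here (sample bytes, key, strings) is constructed.
"""
import re
from typing import List, Set

MIN_LEN = 6  # minimum printable run to count as a string, as strings(1) does


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Classic strings(1)-style pass: runs of printable ASCII of min_len or more."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the light obfuscation many packers apply to config data.
    XOR is its own inverse, so the same call also decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# --- constructed sample ----------------------------------------------------
KEY = b"\x5a\xa7\x13"  # hypothetical packer key, constructed for this example
CONFIG_STRINGS = [
    b"https://c2.example.invalid/gate.php",  # constructed C2 URL
    b"bank.example.invalid/login",           # constructed web-inject target
]
PLAIN_CONFIG = b"".join(s + b"\x00" for s in CONFIG_STRINGS)
HEADER = b"MZ\x90\x00" + b"\x00" * 16      # stub header, not a real PE
OBF_CONFIG = xor_obfuscate(PLAIN_CONFIG, KEY)
# The "file on disk": header, XORed config blob, one visible import name.
ON_DISK = HEADER + OBF_CONFIG + b"kernel32.dll\x00"
CONFIG_OFFSET, CONFIG_LEN = len(HEADER), len(OBF_CONFIG)


def simulate_execution(image: bytes) -> bytes:
    """Stand-in for the sample running its own unpack routine: it XOR-decrypts
    the config blob into a heap buffer. The snapshot returned is the image plus
    that buffer, which is what a memory read of the live process would show."""
    blob = image[CONFIG_OFFSET:CONFIG_OFFSET + CONFIG_LEN]
    heap = xor_obfuscate(blob, KEY)
    return image + b"\x00" * 8 + heap


def runtime_only_strings(disk: bytes, memory: bytes) -> Set[str]:
    """Strings present in the memory snapshot but absent from the file on disk:
    exactly the material a static pass could not have seen."""
    return set(extract_strings(memory)) - set(extract_strings(disk))


if __name__ == "__main__":
    snapshot = simulate_execution(ON_DISK)
    print("static strings      :", extract_strings(ON_DISK))
    for s in sorted(runtime_only_strings(ON_DISK, snapshot)):
        print("decrypted in memory :", s)
```

The same diff works against a real pair of inputs (the sample file and a dump of its process) once `extract_strings` is pointed at them; the key and layout above only exist so the example runs offline.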
Situational Awareness
Observational Malware Analysis (Situational Awareness): Dyreza
+ Banking Trojan capable of monitoring web traffic and compromising data prior to being sent via SSL
+ Contains mutexes for banking trojans from 2009
Tip of the Spear: Cyber Warfare – Operation Orchard
• During a visit to London, a Syrian official received a rootkit, courtesy of the Mossad
• Government files identifying facilities that dealt with the production of fissile material were exfiltrated
• These facilities were visited by the IAF in 2007
Tip of the Spear: Cyber Hunt Operations

To better understand what your target profile may be for an adversary, you must first understand what your potential adversaries may be looking for, and the methods they may use to obtain your information.

HUMAN intelligence collection is the most tried and true method for obtaining information.

HUMINT LIFECYCLE
Tip of the Spear: Cyber Approach Mediums
• Peer-to-Peer
• Social Networking
• Dating Sites
• Dark Web Indexes
• Help Wanted
Tip of the Spear: Cyber Hunt Ops – Threat Intelligence
• Malware-related threat intelligence gathered from live botnets – correlated with external IP addresses and external portals accessible by clients and/or partners.
• Combining the power of Big Data with real-time threat monitoring, to provide the most comprehensive pre-attack intelligence against Advanced Persistent Threats (APT), numerous malware variants, and provide insight into:
  Ø Potential information leakages
  Ø Compromised websites and servers
  Ø Compromised internal workstations, PCs, and mobile devices
  Ø Potential security holes or weaknesses relative to advanced malware
• Go beyond the standard Open Source Intelligence (OSINT) collection methodology by monitoring harvested information for indicators of compromise.
• Passively cross-reference both current and future activity discovered within the criminal/nefarious realms, and notify appropriate organizations.
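The correlation step described on this slide, matching what a botnet harvest reveals against an enterprise's own external footprint, is shown below as an added example written for this transcript; it is not SpearTip's platform. The footprint (RFC 5737 documentation IP ranges and `.invalid` host names) and the harvest records (bot check-ins, web-inject target hosts, harvested credentials) are constructed stand-ins for what sinkhole logs, a recovered C2 panel, or a credential dump would supply. Hits are grouped the way the slide lists them: compromised internal endpoints, portals that appear in a trojan's target list, and leaked corporate credentials.

```python
"""
Added example: correlate constructed botnet-harvest records with a constructed
enterprise footprint. Not SpearTip's code; all inputs are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class Footprint:
    cidrs: List[ipaddress.IPv4Network]  # public ranges the enterprise owns
    portal_domains: List[str]           # external portals clients/partners use
    mail_domain: str                    # domain of corporate e-mail addresses


# constructed enterprise footprint
FOOTPRINT = Footprint(
    cidrs=[ipaddress.ip_network("203.0.113.0/24"),
           ipaddress.ip_network("198.51.100.0/25")],
    portal_domains=["vpn.example.invalid", "partners.example.invalid"],
    mail_domain="example.invalid",
)

# constructed harvest: one record per item observed in a botnet panel or dump
HARVEST = [
    {"kind": "bot_checkin", "src_ip": "203.0.113.77", "family": "dyreza"},
    {"kind": "bot_checkin", "src_ip": "192.0.2.10", "family": "dyreza"},
    {"kind": "bot_checkin", "src_ip": "not-an-ip", "family": "dyreza"},  # malformed row
    {"kind": "webinject_target", "host": "PARTNERS.example.invalid"},
    {"kind": "webinject_target", "host": "bank.other.invalid"},
    {"kind": "credential", "user": "jdoe@example.invalid", "source": "keylog"},
    {"kind": "credential", "user": "someone@elsewhere.invalid", "source": "keylog"},
]


def _in_footprint(ip: str, fp: Footprint) -> bool:
    """True when ip parses and falls inside one of the enterprise's ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # skip malformed harvest rows instead of aborting the run
    return any(addr in net for net in fp.cidrs)


def correlate(harvest: Iterable[dict], fp: Footprint) -> Dict[str, List[dict]]:
    """Bucket harvest records that touch the enterprise footprint."""
    hits: Dict[str, List[dict]] = {
        "compromised_endpoints": [],  # our IP space checking in to a C2
        "targeted_portals": [],       # our portals in a trojan's inject list
        "leaked_information": [],     # our users' credentials in the dump
    }
    portals = {d.lower() for d in fp.portal_domains}
    for rec in harvest:
        kind = rec.get("kind")
        if kind == "bot_checkin" and _in_footprint(rec.get("src_ip", ""), fp):
            hits["compromised_endpoints"].append(rec)
        elif kind == "webinject_target" and rec.get("host", "").lower() in portals:
            hits["targeted_portals"].append(rec)
        elif kind == "credential":
            domain = rec.get("user", "").lower().rsplit("@", 1)[-1]
            if domain == fp.mail_domain:
                hits["leaked_information"].append(rec)
    return hits


if __name__ == "__main__":
    for bucket, recs in correlate(HARVEST, FOOTPRINT).items():
        print(bucket, recs)
```

Each bucket maps to a different responder: a check-in from your own range is an endpoint to isolate and image, a portal in an inject list is a reason to watch that portal's sessions, and a harvested credential is a forced reset.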
Tip of the Spear – Cyber Hunting: Fusion Cell Analysis
• CnC Monitoring
• Credential Monitoring
• P2P Monitoring
• Cyber Source Ops
• Advanced Security Monitoring
• Network & Host Malware Analysis
Director & Executive Accountability

KEY POINT: “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10, 2014.

Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham

Derivative claims premised on the harm to the company from data breach.

Caremark Claims:
Premised on lack of oversight = breach of the duty of loyalty and good faith. Cannot insulate the officers and directors = PERSONAL LIABILITY!

Standard:
(1) “utterly failed” to implement reporting system or controls; or (2) “consciously failed” to monitor or oversee system.

$4.8 Billion Deal?
“The Paranoids”
Director & Executive Accountability: Game Changer?
Director & Executive Accountability: NY Dept of Financial Services Cyber Security Requirements for Financial Services
• All NY “financial institutions”
• Establish Cybersecurity program w/ specifics
• Adopt Cybersecurity Policies
• Designate qualified/responsible CISO
• 3rd Party Service Providers - Examine, obligate, and audit
• Written Incident Response Plan
• Board / Senior Officer Certifying Compliance
Summary
+ Incident Response Plans – Create & Implement & Train
+ Determine Risk Appetite – Continue Audits
+ Business continuity plan that is tested for effectiveness in the event that it needs to be implemented – LIVE
+ Evaluate the viability of advanced continuous monitoring – due to resource limitations
+ M&A – are they currently compromised? Are you?
ThankYou
SpearTip is uniquely positioned in the market, which enables our team to provide a full range of counterespionage services to identify, detect, exploit, and neutralize threats leveled against corporations.
Our Fusion Cell Team methodology conducts penetration testing, malware analysis, digital forensics, human intelligence collection (HUMINT), pre-attack intelligence analysis, open source data review, elicitation techniques, and technical surveillance countermeasures (TSCM).
speartip.com | linkedin.com/speartip | twitter.com/SpearTipCyberCI
(800) 236-6550
Washington, D.C. | Saint Louis | Dallas | Tampa | Atlanta