latin american cyber threat landscape and 2011 trends kristen dennesen may 17, 2011


Post on 21-Dec-2015


TRANSCRIPT

  • Slide 1
  • Latin American Cyber Threat Landscape and 2011 Trends Kristen Dennesen May 17, 2011
  • Slide 2
  • 2 Agenda
      - Overview of Global Trends
      - Comparing Latin America to Global Trends: Vulnerabilities; Malicious Code; Financially Motivated Crime; Hacktivism; Policy and Defense Strategies
      - 2011 Trend: Shift in the Center of Gravity
      - The Latin American Case: Emergent Cyber Defense Strategies
      - How does Latin America fit in globally?
      - Conclusions and Take-Aways
  • Slide 3
  • 3 Overview
  • Slide 4
  • 4
  • Slide 5
  • 5
  • Slide 6
  • 6 Latin American Cyber Threats in Context
  • Slide 7
  • 7 2011 Trends in Cyber Policy and Defense Strategies. Two events in 2010 engendered cognitive shifts in the way the industry views cyber security: nations have integrated cyberspace into their security strategies, and private sector organizations received wake-up calls.
      - Aurora cyber attacks, Jan. 2010: Google announced that an attack originating from China had compromised its networks and those of dozens of other US companies. The Google and US diplomatic response was unparalleled. A wake-up call to the private sector that it is vulnerable to nation-state-sponsored espionage campaigns.
      - Stuxnet cyber attacks, June 2010: the Stuxnet ICS worm first emerged. A targeted, nation-state-sponsored worm that attempted to disrupt Iran's nuclear program by compromising one of the country's nuclear facilities. Stuxnet made cyber war and cyber weapons real for the general public.
  • Slide 8
  • 8 Latin America Cyber Threat Landscape
      - Public breaches have not stemmed a cognitive shift in the region
      - Activity focused on cyber crime
      - Major sources of malicious activity: Brazil, Mexico, Argentina
      - Local cyber criminals spread across the region, distributed among small, medium and large cities
  • Slide 9
  • 9 Latin America Cyber Threat Landscape
      - Criminal activity is largely self-contained: language and cultural differences; low interaction across national borders
      - Two separate groups: Brazilian cybercriminals and the Spanish-speaking criminal community, with incipient interaction between them
      - Almost no interaction with gangs abroad
  • Slide 10
  • 10 2011 Vulnerability Trends
  • Slide 11
  • 11 Technology Trends: Vulnerability Trends. Increase in Out-of-Band Patches from Notable Software Vendors. This year, iDefense saw an unusual number of out-of-band (OOB) patch releases from three of the now five vendors (Microsoft, Oracle, Cisco, Adobe and SAP) that follow a scheduled patch release for some or all of their products. In 2010, Microsoft released four OOB security bulletins, which almost matches the six OOB security bulletins that Microsoft released over the five-year span from 2004 to 2009:
  • Slide 12
  • 12 Technology Trends: Vulnerability Trends. Three of the four Microsoft OOB patches were in response to malware or exploits that malicious actors were using in attacks. The fourth OOB patch was in response to a zero-day in ASP.NET discovered by Argentine researcher Juliano Rizzo.
  • Slide 13
  • 13 Global Security Researchers (chart of iDefense VCP researchers by region; the plotted shares 27%, 4%, 38%, 1%, 5%, 0%* and 3% survive without their region labels). Source: iDefense VCP Program. *Note: More than half of iDefense VCP researchers choose not to identify themselves by region; this may explain the absence of Russian researchers from the data set.
  • Slide 14
  • 14 2011 Malware Trends
  • Slide 15
  • 15 Technology Trends: Malicious Code Trends. Anti-analysis Tactics Become More Restrictive.
      - More malware samples include anti-analysis tactics to frustrate those analyzing their code: virtual machine (VM) detection, sandbox detection and hardware-locking mechanisms.
      - The Zeus Trojan obtains unique information from the local system and writes it into its binary; upon execution it verifies that the values are the same and terminates if they are not.
      - Anti-analysis techniques evidence a shift in attackers' priorities from spreading quickly to malware with an emphasis on stealth.
      - iDefense 2011 prediction: at least one major malware family will appear in 2011 that uses new, stricter anti-analysis tactics.
  • Slide 16
  • 16 Tequila Botnet
      - Mexican botnet discovered in June 2010
      - Its Mexican owner has written four botnet versions so far: the Tequila, Mariachi, Alebrije and Mehika Twitter botnets
      - Targets local victims and local financial institutions
      - Option to change the victim's hosts file
      - Chilean users as secondary targets
      - Picture: Trend Micro
  • Slide 17
  • 17 Malicious Code Trends in Latin America. VM-detection techniques are present in Latin America as well:
      - Mariposa botnet, authored by a Slovenian; highest infection rates in Brazil and Mexico
      - In 2009, the Mariposa Trojan only checked for artifacts related to a sandbox environment if the Trojan was operating in a debugger
      - By July 2010, Mariposa checked for video card drivers related to virtual machines
  • Slide 18
  • 18 Trends in Financial Crime
  • Slide 19
  • 19 Global Trends in Financial Cyber Crime. Regional Trends in Financially Motivated Crime. The majority of global cyber criminal organizations in 2010 embraced the notorious Zeus banking Trojan as their Trojan of choice.
  • Slide 20
  • 20 Financially Motivated Crimes in Latin America
      - Financial crimes dominate the local cyber threat environment
      - Cyber criminals use local, targeted malware; they target end users and focus on social engineering, e.g., phishing
      - Little need for zero-days
      - Stolen credentials; banking Trojans; local malicious code developers; ATM skimmers and credit/debit card fraud
      - Little use of botnets: high botnet infection rates are owned by foreign countries; the Tequila botnet (MX) is a rare exception
      - Brazilian malcode has shown increased obfuscation and encryption, and serves more malware by infecting websites
      - Picture: Brazilian ATM skimmer
  • Slide 21
  • 21 Phishing Scam
      - Brazilian scam targeting a bank while it was migrating its online users
      - Argentinean scam targeting a Brazilian bank with local operations
  • Slide 22
  • 22 2011 Trends in Hacktivism
  • Slide 23
  • 23 2011 Trends in Hacktivism Deepened Blurring of Criminal and Political Activity: Hacktivism Is Not Just for Hackers Anymore The definition of a political or criminal actor is blurring, as criminals increasingly engage in political activity, and political actors are themselves becoming increasingly integrated with the criminal world.
  • Slide 24
  • 24 2011 Trends in Hacktivism In terms of regional activity, Russia arguably leads in hacktivism. In 2010, such hacktivist activity in Russia increased noticeably, particularly insomuch as attackers targeted assets within the RuNet itself as opposed to higher-profile international targets. Shortly after the newspaper Vedomosti published an article critical of the pro-Kremlin youth group Nashi, the newspaper also found itself under a DDoS attack.
  • Slide 25
  • 25 Hacktivism in Latin America
      - Political hacktivism is popular in the region
      - Web site defacement has been very popular since the 90s
      - Twitter protests became popular in 2010, following the influence of the Twitter protests after the Iran elections (Brazil, Venezuela)
      - Dec. 2010: Anonymous DDoS-based protests started to influence Latin American hacktivists
      - Picture source: Zone-h.org. Argentineans protesting about the Falklands; defacement during the Brazilian 2010 elections
  • Slide 26
  • 26 Anonymous Operations in Latin America
      - Recent hacktivism operations in Mexico, Venezuela and Colombia
      - Anonymous Mexico is very active
      - Focus on ideology: against local copyright bills; free speech
      - #OpTequila, #OpColombia, #OpActa, #OpVenezuela
  • Slide 27
  • 27 2011 Trends in Cyber Policy and Defense Strategies
  • Slide 28
  • 28 2011 Trends in Cyber Policy and Defense Strategies. The iDefense 2010 Trends report cited five classes of phenomena as evidence of a shift in the cyber security center of gravity:
      - Immense increases in public spending and resulting contracts
      - Rapid formation of new legislative, policy and strategic initiatives regarding cyber security
      - The instantiation of new major civilian and military organizations and offices
      - Intensified political infighting over huge increases in governmental authority and responsibility
      - A widespread intensification of press coverage and an increase in the extent to which political interests push their agendas through such exposure
  • Slide 29
  • 29 Movement on International Cooperation. Historically, the most prominent international agreements on cyber issues have focused on combating cyber crime and on crafting national laws that police conduct on the Internet. 2010 saw momentum in the treatment of cyber crime as an international security issue.
  • Slide 30
  • 30 International Governance Frameworks
      - NATO articulated cyber security as a leading issue in its new Strategic Concept, released at NATO's Lisbon Summit in November 2010. Article V: the tenet that an attack on one Alliance member is considered an attack on all members. US Secretary of State Hillary Clinton openly suggested that NATO include cyber attacks and attacks on critical infrastructure. (It remains unclear whether NATO will adopt this interpretation.)
      - United Nations (UN): in July a group of experts on Information Security submitted a cyber security agreement to the UN. Composed of 15 nations including the US, China and Russia; unprecedented consensus; signaled willingness to consider the UN the primary forum for addressing activities in cyber space. A shift in state-to-state relations at the UN occurred between the United States and Russia, enabling the agreement to pass.
  • Slide 31
  • 31 iDefense Tiered Framework: Maturity and Capabilities (world map placing Brazil, Canada, Italy, Sweden, Netherlands, Finland, Japan, Australia, Pakistan, Iran, South Africa, India, South Korea, North Korea, Germany, Turkey, Taiwan, Estonia, France, UK, Israel, USA, China and Russia by tier). Picture source: Wikimedia
  • Slide 32
  • 32 Classifying Nation State Capabilities (columns: Qualifying Nations; Attributes; Organizational Scope and Maturity; Capability and Activity)
      - Tier One
          - Qualifying nations: United States, China, Russia
          - Attributes: nations that drive international policy on cyber security and defense development efforts. These nations have the greatest stake in cyber defense issues, and they have the greatest assets and most human capital dedicated to cyber security policy and defense development. Perception of these nations' force posture drives other states to increase their defense capabilities.
          - Organizational scope and maturity: multiple, well-defined, functionally differentiated organizations in military and intelligence capacities; leverage cyber capabilities in the conventional defense sphere.
          - Capability and activity: extensive, continuous, sophisticated offensive and defensive activity against multiple other nations
      - Tier Two
          - Qualifying nations: France, United Kingdom, Israel
          - Attributes: nations that closely follow the first tier nations, fielding "units of excellence" that attain comparable capability, but with fewer personnel and less infrastructure
          - Organizational scope and maturity: multiple, well-defined, functionally differentiated organizations in military and intelligence capacities, but with significantly fewer resources dedicated towards the effort than First Tier nations
          - Capability and activity: similarity to First Tier nations in terms of sophistication of offensive and defensive operations, but at a smaller scale; major operations are fewer in number and directed against fewer entities
  • Slide 35
  • 35 Classifying Nation State Capabilities (columns: Qualifying Nations; Attributes; Organizational Scope and Maturity; Capability and Activity)
      - Tier Three
          - Qualifying nations: India, South Korea, Taiwan, Germany, North Korea, Turkey
          - Attributes: nations that are dedicating considerable resources to the development of cyber security policy and defense capabilities, but they do not lead the field. In many cases, these nations emulate the practices of first tier nations.
          - Organizational scope and maturity: some well-defined organizations, but with significant institution-building remaining
          - Capability and activity: extensive and continuous defensive activity but less offensive activity, usually against far fewer targets
      - Tier Four
          - Qualifying nations: Sweden, Japan, Australia, Netherlands, Iran, Pakistan, Finland
          - Attributes: nations that have dedicated limited resources to cyber security policy and defense capabilities
          - Organizational scope and maturity: few dedicated organizations, with significant development remaining
          - Capability and activity: strong but incomplete defensive activity and limited offensive activity. These nations focus on protecting domestic resources.
  • Slide 37
  • 37 Development of Cyber Defense Units: United States
      - Cyber Command declared fully operational on Oct. 31, 2010
      - Deeply bound on many levels to None Such Agency
  • Slide 38
  • 38 Development of Cyber Defense Units: United Kingdom
      - Cyber Security Operations Centre (CSOC) opened this year
      - According to the UK's Oct 2010 Strategic Defence and Security Review, the government will invest 650 million in cyber defense over the next four years
  • Slide 39
  • 39 Development of Cyber Defense Units: Russia
      - Announced that it is opening an official cyber defense center
      - The 2010 Military Doctrine included information control and modernization of information warfare capabilities as a priority for the first time
  • Slide 40
  • 40 Development of Cyber Defense Units: China
      - Announced the establishment of its first official entity dedicated to cyber war under the auspices of the PLA
      - The PLA has since taken steps forward in formalizing the entity's command structure around its cyber warfare activities
  • Slide 41
  • 41 Development of Cyber Defense Units
      - South Korea: expediting hiring and capability building for its cyber command; initially had planned to train 3,000 cyber security specialists by the end of 2011; planned to establish a cyber command under the Ministry of Defense by 2012
      - Japan: began preparations for a new Special Unit for cyber defense, which will launch in 2012
      - Finland: planning to launch a cyber war unit, tasked with protecting government information systems, in 2011
      - Australia: established the Cyber Security Operations Centre (CSOC) within its Defence Signals Directorate (DSD)
  • Slide 42
  • 42 Brazil
      - Dec. 2008: Ministry of Defense's National Strategy of Defense
      - The Brazilian Presidency's Security Department (DSIC) and army forces are developing a cyber warfare strategy
      - May 2010: Brazil and Russia signed a "Non-Aggression Agreement for Information Weapons" pact
      - Brazilian army Cyber-Warfare and Communication Center: partnership with Panda Security; CISSP training
  • Slide 43
  • 43 Legislation and CSIRTs in Latin America
      - Most countries already have legislation regarding cyber crime (except Brazil)
      - Strong password technologies mandatory in Mexico and Chile
      - Lack of official statistics in most countries
      - Few countries have national CSIRT organizations; total of 43 public and private CSIRTs
      - National CSIRTs in the World and Their Distribution per Geographic Region (Source: CERT/CC), as countries with national CSIRTs and percent of countries with national CSIRTs:
          - North America: 2 (100%)
          - Latin America: 4 (12%)
          - Europe (and Russia): 20 (42%)
          - Africa: 2 (4%)
          - Asia and Pacific: 4231% (count and percentage run together in the source)
          - Middle East: 5 (29%)
          - World Total: 46 (24%)
  • Slide 44
  • 44 Conclusions and Calls to Action
  • Slide 45
  • 45 Calls to Action
      - Malicious activity in Latin America is generally at a lower level of development than in the rest of the world.
      - Malware is indigenously developed; attackers have not turned to zero-day exploits or complex malware because they can rely on uneducated users who can be reliably socially engineered.
      - The low complexity level of malware is not an indication of a lack of skill in the region. Indeed, Latin America is home to world class vulnerability researchers.
      - Latin American governments generally do not view cyber security as an international security issue, as it has become in the view of other nations.
      - These gaps in development are not an excuse for inaction but an opportunity: Latin America can look to developing trends elsewhere to predict, prepare for and prevent threats before they migrate south.
  • Slide 46
  • Thank You. © 2010 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.
  • Slide 47
  • Back up Slides
  • Slide 48
  • 48 Consolidation of Authority in the Intelligence
  • Slide 49
  • 49 Consolidation of Authority in the Intelligence Agencies. An organization's competence in undertaking intelligence functions correlates strongly with the advantages necessary to assume responsibility for state-level cyber security initiatives. Insofar as cyber security is a national security issue, it is, in equal measure, an intelligence or espionage issue.
  • Slide 50
  • 50 Consolidation of Authority in the Intelligence Agencies. Three typical stages of a new technological paradigm's introduction into a national security context:
      - The awakening phase: a few visionaries or champions build initial awareness
      - The gold rush phase: once a critical mass of interest is reached, a profusion of organizations vie for authority, funding and personnel
      - The crystallization phase: clear leaders emerge as the preponderant guiding forces, usually with inter-departmental alliances and fiefdoms emerging around these leaders
  • Slide 51
  • 51 Consolidation of Power in the Intelligence Agencies
      - United States: a years-long turf war over control of cyber security affairs has resolved in the NSA's assertion of supremacy over the Department of Homeland Security; alignment of the individual military services' cyber commands under the new joint US Cyber Command; US Cyber Command is deeply bound structurally and functionally to the NSA.
      - United Kingdom: the Cyber Security Operations Centre (CSOC) opened this year, based at Government Communications Headquarters (GCHQ); CSOC represents a major cyber security-focused institution tying the military, the intelligence community and government together.
  • Slide 52
  • 52 Consolidation of Authority in the Intelligence Agencies Binding is exemplified most clearly in the dual-hat appointment of Gen. Keith Alexander as both the head of the NSA and of Cyber Command.
  • Slide 53
  • 53 Consolidation of Authority in the Intelligence Agencies: Russia
      - Three organizations are relevant for cyber security: FSB (core intelligence organization); Department K of the Interior Ministry police (MVD); GRU (Main Intelligence Directorate [military])
      - Evidence of consolidation: the FSB is drawing a higher proportion of the best talent and conducting the most consequential functions; in late 2010, the FSB made a strong overture to assume control over the MVD's Department K
  • Slide 54
  • 54 Consolidation of Authority in the Intelligence Agencies: France
      - Cyber security responsibility in France accrues heavily to the General Department of Exterior Security (DGSE) and the Central Directorate of Interior Intelligence (DCRI)
      - Evidence of consolidation: DGSE's initiation in 2010 of a new hiring drive to add 600 ICT engineers to its ranks by 2014, a greater personnel increase than for any other job classification in any other organization with responsibility for cyber security
  • Slide 55
  • 55 Consolidation of Authority in the Intelligence Agencies: China. The most important cyber security players are, overwhelmingly:
      - The PLA's military intelligence units and technical reconnaissance bureaus
      - Ministry of State Security (an intelligence agency)
      - Ministry of Public Security (an internal police force with some intelligence functions)
  • Slide 56
  • 56 Consolidation of Authority in the Intelligence Agencies
      - Australia: the Defence Signals Directorate (DSD) is home of the country's new Cyber Security Operations Centre (CSOC); it collects intelligence specific to cyber threats against Australian interests and coordinates the government response to critical incidents
      - India: the government announced in July 2010 that it would begin developing offensive cyber capabilities; the primary intelligence agencies are behind this effort, including the National Technical Research Organization (NTRO) and the Defense Intelligence Agency
  • Slide 57
  • 57 Consolidation of Authority in the Intelligence Agencies 2010 was the year in which it became clear that, within most nation-states, intelligence communities are emerging, or have already emerged, as the dominant loci of capability and authority for cyber security policy.
  • Slide 58
  • 58 Response and Emergent Governance Frameworks
  • Slide 61
  • 61 Frameworks For Cyber Security Governance
      - Council of Europe Convention on Cybercrime signatories ( = Ratified). Purpose: harmonizing national legal frameworks for cyber crime. Participating states: Albania, Armenia, Austria, Azerbaijan, Belgium, Bosnia and Herzegovina, Bulgaria, Canada, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Georgia, Germany, Greece, Hungary, Iceland, Ireland, Italy, Japan, Latvia, Liechtenstein, Lithuania, Luxembourg, Macedonia, Malta, Moldova, Montenegro, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Ukraine, UK, USA
      - NATO's Cooperative Cyber Defence Centre of Excellence participating states (* = Currently joining). Purpose: collective defense/military cooperation. Participating states: Estonia, Germany, Italy, Latvia, Lithuania, Slovakia, Spain, Hungary*, Turkey*, USA*
      - UN Group of Experts on Information Security participating states (2010). Purpose: UN advisory group. Participating states: Belarus, Brazil, Britain, China, Estonia, France, Germany, India, Israel, Italy, Qatar, Russia, South Africa, South Korea, USA
  • Slide 62
  • 62 Other International Bodies with Influence
      - Asia-Pacific Economic Cooperation (APEC)
      - Association of Southeast Asian Nations (ASEAN)
      - Council of Europe
      - European Union
      - Forum of Incident Response and Security Teams
      - G8
      - Institute of Electrical and Electronic Engineers
      - International Electrotechnical Commission
      - International Organization for Standardization
      - International Telecommunication Union (ITU)
      - Internet Corporation for Assigned Names and Numbers
      - Internet Engineering Task Force
      - Internet Governance Forum (IGF)
      - INTERPOL
      - Meridian
      - NATO
      - Organization of American States (OAS)
      - Organization for Economic Cooperation and Development (OECD)
      - United Nations
  • Slide 63
  • 63 Public/Private Partnerships: Generalized Models for Public-Private Engagement (description; exemplar nations)
      - Model 1: Liberal Economies. Nations that emphasize partnerships as a model for public-private engagement. Governments must secure buy-in from the commercial sector and develop frameworks for public-private cooperation and information sharing. Exemplars: United States, United Kingdom, Australia, Canada
      - Model 2: Autocratic States and Planned Economies. Nations in which the state has sufficient powers to exert its security priorities over private companies without establishing a framework for doing so or gaining buy-in from relevant stakeholders. Exemplars: China, North Korea, Iran
      - Model 3: Shared Decision Making. Nations where the country's largest and most powerful companies, which are often conglomerates, have a seat at the decision-making table and wield influence over government policy. Exemplars: Korea, Japan
      - Hybrid Approaches. Nations that combine engagement models. These countries often share many features of the Shared Decision Making model, but also have qualities of either Model 1 or Model 2 in addition. In these countries, the relationship between industry and government is often more collusive than in liberal economies. Exemplars: France, Germany, Russia
  • Slide 64
  • 64 Government Technology Policy Under the New Center of Gravity
  • Slide 65