trusselsbilledet - dau.dk · relationswith european lea, *certs, intelligence! trusted advisor for...

1Copyright © 2015, FireEye, Inc. All rights reserved. Copyright © 2015, FireEye, Inc. All rights reserved.

TrusselsbilledetFra phishing og malware til industrispionage og statsterrorisme

2Copyright © 2015, FireEye, Inc. All rights reserved.

Introductions

§ Who am I?§ Jens Christian Høy Monrad (@jenschm)

- E-‐mail: [email protected]§ Consulting Systems Engineer§ Global Intelligence Liaison

§ Monitor European cyber threat activities§ Relations with European LEA, *Certs, Intelligence

§ Trusted Advisor for European Fortune 500 / Global 2000 Enterprises§ ENISA Threat Landscape Stakeholder§ IT-‐Branchens sikkerhedsudvalg

§ Previous experience at§ Team Lead Security Intelligence Operations (EMEAR) – Global Enterprise§ Abuse / Incident HandlingLead – Nordic Teleco´s & ISP´s


Agenda

§ The Cyber Threat Landscape§ Anatomy of a Targeted Attack§ Examples


Breakthrough? – What about Europe?

25th September 2015 - The U.S. and China have agreed that neither government would support or conductcyber-enabled theft of intellectual property, U.S. President Barack Obama said in a joint media conferencewith Chinese President Xi Jinping on Friday.


Nuisance Data Theft Cyber Crime Hacktivism Network Attack

ObjectiveAccess & Propagation

Economic, Political Advantage

Financial Gain

Defamation, Press & Policy Escalation, Destruction

Example Botnets & Spam Advanced Persistent Threat Credit Card Theft Website

DefacementsDestroy Critical Infrastructure

Targeted ý þ þ þ þ

Character Automated Persistent Opportunistic Conspicuous Conflict Driven

The Cyber Threat Landscape


Crimeware Actors (Cyber crime gangs)

Hacktivists(Anonymous, LulzSec)

APT Actors(Nation State threats)

Threat actors – The Traditional View


Hacktivists(Anonymous)

APT Actors(Nation-‐State

threats)

CrimewareActors

(Cyber crime gangs)

The reality - A Rainbow of Threat Actors


Dropper (or Loader. Bootkits / Rootkits

Malware Delivery)

C2

2nd Dropper

C2

Payload(VPN, Proxy, RDP, Spam, Bitcoin, Data

stealer, PPC, DDoS)

3rd Monetisation Layer

Payload(VPN, Proxy, RDP, Spam, Bitcoin, Data

stealer, PPC, DDoS)

2nd Monetisation Layer

C2

Exploit(Social Eng / Drive-‐by / Targeted

Email – KIT!)

1st Monetisation Layer

Source: “Measuring Pay-‐per-‐Install: The Commoditization of Malware Distribution” –Caballero, J et al

Supply chain economics of a compromised host


ANATOMY OF A TARGETED ATTACK

Initial Compromise Establish Foothold Escalate Privileges Internal Recon Complete Mission

MoveLaterally

MaintainPresence

§ Custom malware§ Command and Control§ 3rd-‐party application

exploitation

§ Credential theft§ Password cracking§ “Pass-‐the-‐hash”

§ Critical system recon§ System, active directory &

user enumeration

§ Staging servers§ Data consolidation§ Data theft

§ Social engineering§ Spear phishing e-‐mail

with custom malware

§ Strategic Web Compromises

§ Net use commands

§ Reverse shell access

§ Backdoor variants§ VPN subversion§ Sleeper malware


Examples


1. Check for the right

environment

2. Store encoded

malware in browser cache

3. Perform heap spray to load shellcode in memory

4. Load text file, decode to

Javascript and execute

5. Exploit IE8 vulnerability & execute the shellcode

6. Shell code runs and

decodes the malware

7. Final malware

exposed and executed

Other Advanced attacks (e.g. Aurora, Deputy Dog, Ephemeral Hydra, Miniduke) follow a similar approach

Dissecting an advanced attack – cfr.org


Political Motivated Cyber Attacks


Advanced Groups and techniques


APT Groups Using Political Themes in Spearphishing Attempts


AP Attack


RSA Attack


ICS


The Stuxnet Era

0

50

100

150

200

250

2001

2002

2003

2004

2005

2006

2007

2008

2009

2010

2011

2012

2013

2014

Public ICS Vulnerabilities per Year

vulnsexploitsmalware

Data Sources:ics-cert.us-cert.govosvdb.orgrapid7.comgleg.netscadavulns.com

STUXNET

HAVEX& BLACK ENERGY2


Why don’t we hear about more ICS attacks?

1Lack of Data

2Lack of visibility


Finding Potential Targets

§ Scada: 4000+ People on LinkedIn

§ ICS: 500+ People on LinkedIn

§ PLC: 8000+ People On LinkedIn

§ HMI: 900+ People on LinkedIn

§ DCS: 1000+ People on LinkedIn


Finding Potential Targets

”Scada Technician” ”Scada Engineering” ”Hardware Lead Engineer” ”Technology Specialist” ”ICS Operations” ”Process Tester” ”Project Management” ”Engineer” ”Team Lead” ”Applied Manufacturing” ”Dicipline Manager” ”DCS Programmer” ”Test Manager” ”Hardware Manager” ”Specialist”


Network Security Monitoring for ICS

ICS is becoming more, not less, connected

1

2

3

Security breaches are inevitable

ICS vulnerabilities will exist indefinitely

DETECTICS network

instrumented and monitored by security

personnel

RESPONDEffective process for response to ICS

cybersecurity incidents

CONTAINBusiness continuity and DR planning consider ICS asset compromise

Realities

Vision


Resources

§ Nordic Threat Report - https://www.fireeye.com/blog/threat-research/2015/05/cyber_threats_tocou.html

§ Utilities Security - https://www.fireeye.com/solutions/utilities.html

§ Highly Recommended - http://www.scadaandme.com

trusselsbilledet - dau.dk · relationswith european lea, *certs, intelligence! trusted advisor for...

Documents