
The Great Data Robbery Cyber theft and the risks to your organization February 11, 2014 9:45AM – 11:30AM


Presentation Transcript


  1. The Great Data Robbery Cyber theft and the risks to your organization February 11, 2014 9:45AM – 11:30AM

  2. Contents
     • Presenters
     • Background
     • The threat
     • Risks to your organization
     • What your organization can / should be doing
     • The role of Cyber counterintelligence

  3. Presenters
     • Brittany Teare, Weaver
       – Manager, IT Advisory Services
     • Brian Thomas, Weaver
       – Partner, IT Advisory Services
     • Doug Helton, SpearTip
       – Director of Counterintelligence

  4. Weaver IT Advisory Services

  5. “Some organizations will be a target regardless of what they do, but most become a target because of what they do. If your organization is indeed a target of choice, understand as much as you can about what your opponent is likely to do and how far they are willing to go.”
     – 2013 DBIR, pg. 48

  6. Background
     • In 2013, there are two kinds of companies – those that have been breached, and those that know they’ve been breached.
     • Who are the victims of breaches?
       – 38% larger organizations+
       – 37% financial organizations+
       – 24% retail and restaurants
       – 20% manufacturing, transportation, utilities+
       – 20% professional services firms+

  7. The Threat
     • Who are the bad guys? Depends on what information assets or systems you have. Could be:
       – Nation states like China, Russia, Iran, North Korea
       – Hacktivists (Anonymous, Wikileaks)
       – Terrorist organizations
       – Organized crime

  8. The Threat (cont.)
     • What do they want? Depends on what information assets or systems you have. Could be:
       – Defense secrets
       – Disruption of critical infrastructure
       – Trade secrets and intellectual property
       – Confidential information about your organization, your business dealings, or your customers
       – Exploitable consumer financial information

  9. The Threat (cont.)
     • How do breaches occur?
       – 52% some form of hacking
       – 76% exploitation of weak or stolen credentials
       – 40% malware
       – 35% physical attacks+
       – 29% social tactics+
       – 13% privileged misuse or abuse
     • What are the commonalities?
       – Financial motives, targeted user devices, compromised servers, opportunistic attacks, discovery by external parties, time of discovery is multiple months, low difficulty of initial intrusion

  10. Risks to Organizations
     • Key risks of cyber theft:
       – Liability for loss of confidential information, loss of private consumer information, business interruption, or even loss of human life
       – Loss of intellectual property / trade secrets / competitive advantage
       – Damage from loss of confidentiality
       – Reputational damage

  11. Risk Impact
     • Gone are the days when we could bury our heads in the sand. Liability is increasing:
       – Target
       – Yahoo
       – CF Disclosure Guidance: Topic No. 2 – Cybersecurity

  12. What to Do “Prevention is ideal, detection is a must!”

  13. What to Do
     • Organizations should:
       – Classify data
       – Implement an ISMS
       – Implement tools to identify security events
       – Perform periodic security assessments based on the specific threats
       – Consider cyber counterintelligence

  14. Cyber Counterintelligence – Case Studies

  15. Cyber Counterintelligence – Overview
     • What is cyber counterintelligence (Cyber CI)?
       – Historical roots
       – Increased awareness and demand
     • Who is SpearTip?
       – Military CI and LE agents
       – Deep technical expertise
     • Why is Cyber CI relevant?

  16. Cyber Counterespionage – Chinese Scientist
     • East Coast – NanoTech Research Facility
     • Accepted position back in Beijing
     • Gaining elevated access to sensitive information
     • Copying the hard drive and placing it in new system
     • Download and use of hacking software
     • Introducing malware into environment

  17. Cyber Counterespionage – Chinese Scientist
     • Forensic analysis identified the malicious file “FFE3.CB5” at the following location on the subject system:
       C:\Documents and Settings\<user>\Application Data\2CB5F\FFE3.CB5
     • This file was identified by the malware scanning software Sophos as “Trojan.CycBotCn-A”
     • This particular malware creates a “backdoor” which allows unauthorized remote access to the subject system
     • This file was located on the subject system at the aforementioned location. Below is a screenshot of this file with its creation date and time
     • In addition to the malicious file, SpearTip also discovered the presence of an attribute changer
     • This type of software has the ability to modify date and time stamps within any active file within the file system
     • Attribute changers are most often used for nefarious purposes, such as to cover one’s tracks following an exploitation or security breach

  18. Cyber Counterespionage – Chinese Scientist
     • The subject was also conducting research on how to image a hard drive and how to connect two systems via a USB cable
     • Following this research, the subject then searched the Internet in an attempt to locate and purchase a laptop that was identical to his company-issued laptop
     • It was later discovered that he had, indeed, purchased two laptops of the same make and model as HIS company-issued laptop
     • During SpearTip’s malware analysis, the malware was identified as attempting to access the registry framework of the installed host-based antivirus solution
     • The corporation’s IT staff was completely unaware of the subject’s malicious activity or the malware threat within their network environment

  19. Cyber Counterespionage – Chinese Scientist
     • During malware analysis, the malware was identified as attempting to access the registry framework of the installed host-based antivirus solution
     • IT staff was completely unaware of the malicious activity of the subject or the malware threat within their network environment

  20. Cyber Counterespionage – Chinese Scientist
     • Organization’s R&D server was attempting to communicate within the network environment to an Exchange Server

  21. Cyber Counterespionage – Chinese Scientist
     • Some of the most recent discoveries have identified yet another method of exfiltrating sensitive data from corporate environments, such as deploying a remotely accessible cellular device
     • In order to detect and analyze this new technique, specialized hardware and software components are required to process the various electronic signals emanating from these devices
     • This equipment can provide the Cyber Counterintelligence operator a platform that can detect, identify, assess, counter, exploit and/or neutralize this type of threat
     • The following are examples of equipment that could be used for this type of cyber espionage activity
       – NAC/802.1x Bypass. In addition to supporting both 3G and Wireless connectivity, the plug & play devices can bypass virtually all NAC/802.1x/RADIUS implementations, providing a reverse shell backdoor and full connectivity to NAC-restricted networks

  22. Cyber Counterespionage – Romanian Hack Team
     • SpearTip personnel were contacted to respond to an intrusion involving a RedHat server that hosted a tremendous amount of proprietary data
     • It was determined that this information was not compromised, although the point of intrusion still needed to be determined for remediation planning
     • It was determined that the compromise included the initial exploit, the addition of the “elvis” user, the upload of malicious files, and the Romanian attackers then proceeding to utilize this server to carry out their eBay/PayPal phishing scam
     • On November 19, 2007, the server began sustaining brute force ssh login attacks
     • This appeared to be a scripted attack, but however related it may have been, it is highly unlikely to have led to the compromise itself, as the attackers had a much easier exploit available
     • Logs appear to have been manipulated given inexplicable inconsistencies in syslogd timestamps. Syslogd does not log local events out of sequence; therefore information within the log cannot be entirely trusted. Timestamp anomalies are very often a tell-tale sign of rootkits.
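The timestamp check described on this slide, as an added example that is not part of the presentation: syslogd writes local events in order, so a line dated earlier than the line before it is an anomaly worth treating as possible tampering. The log lines are constructed for illustration (the “elvis” user name comes from the case; the host, PIDs and IP are placeholders).

```python
"""Flag out-of-sequence timestamps in a classic BSD-style syslog file."""
from datetime import datetime

# Constructed sample log. Line 4 jumps backwards in time (the anomaly);
# the Dec -> Jan step between lines 5 and 6 is a legitimate year rollover
# and must not be reported.
SAMPLE_LOG = """\
Dec 18 10:11:58 rh-srv sshd[2114]: Accepted password for elvis from 203.0.113.5 port 40122 ssh2
Dec 18 10:12:03 rh-srv useradd[2120]: new user: name=elvis, UID=501, GID=501
Dec 18 10:15:40 rh-srv sshd[2150]: session opened for user elvis
Dec 18 09:58:12 rh-srv sshd[2150]: session closed for user elvis
Dec 31 23:59:50 rh-srv cron[2200]: (root) CMD (run-parts /etc/cron.hourly)
Jan  1 00:00:05 rh-srv cron[2201]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_syslog_ts(line: str, year: int) -> datetime:
    """Classic syslog lines carry 'Mon DD HH:MM:SS' with no year; the caller
    supplies the year (2007 here, the year of the case)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def find_sequence_anomalies(log_text: str, base_year: int = 2007):
    """Return (line_no, previous_ts, this_ts, line) for every line whose
    timestamp is earlier than the previous line's timestamp."""
    anomalies = []
    prev = None
    year = base_year
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ts = parse_syslog_ts(line, year)
        except ValueError:
            continue  # not a timestamped line (e.g. a continuation); skip it
        # A December -> January step is the calendar year ticking over.
        if prev is not None and prev.month == 12 and ts.month == 1:
            year += 1
            ts = ts.replace(year=year)
        if prev is not None and ts < prev:
            anomalies.append((line_no, prev, ts, line))
        prev = ts  # compare each line with its immediate predecessor
    return anomalies


if __name__ == "__main__":
    for line_no, prev, ts, line in find_sequence_anomalies(SAMPLE_LOG):
        print(f"line {line_no}: {ts} is earlier than {prev} -> {line}")
```

On the sample this reports only line 4; a real investigation would run it per log file and correlate any hit with file-system timestamps and rootkit checks before drawing conclusions.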

  23. Cyber Counterespionage – Romanian Hack Team
     • On December 18, 2007 at 1012 hours an account and group were created under the username “elvis”
     • This server was accessed via the elvis username from across the Internet from December 18 through December 21, ending only after Source1 deleted the user account
     • Not only does the fact that elvis came from so many IPs stand out, it may be noteworthy to mention that their backdoored sshd server can bind as many ports as are open
     • In an effort to determine further activity of the attackers, an exhaustive search for any and all remnants of the “.bash_history” file was undertaken
     • As shown below, once the attacker gained ssh access, he downloaded and ran multiple exploits and backdoors

  24. Cyber Counterespionage – Romanian Hack Team
     • According to the information contained within the attacker’s .bash_history file, it appears that the attack vector that SUBJECTS utilized is a file called windmilk.jpg or windmilk.tgz
     • Both files are simple gzipped tar files containing the superwu binary. A screenshot of the attack tool can be seen below
     • Further analysis led not only to the determination of the attacker’s tools, but references to some of their friends as well
     • These friends steered the investigation to look into other members of the hacker group
     • The “brains” of the operation seemed to be Claudiu Catalin, seen below with another member of the team, Iordache:

  25. Cyber Counterespionage – AnonymouSTL
     • SpearTip personnel were contacted to respond to an incident involving an employee utilizing corporate assets to conduct numerous high-profile intrusions into US government and international websites in the name of AnonymouSTL
     • A forensic analysis of email activity on SUBJECT’s system was conducted that identified several emails demonstrating that HE specifically sought and requested Structured Query Language (SQL) training, paid for by the corporation
     • While this type of training is not out of the ordinary for someone with the subject’s professional responsibilities, training and knowledge of this language could be useful for an individual whose intentions are to launch website and network-based attacks using SQL Injection
     • A SQL Injection is an attack using SQL statements against a poorly designed website, with the intention of compromising a database of information on the website, often exposing that information to the attacker
     • During the forensic analysis, several “session” folders were located for the application “W3AF”. This software is used for penetrating and finding weaknesses in web applications
     • These session folders were found in the “C:\Users\Administrator\.w3af\sessions\” directory on the subject system
     • Below is a screenshot of the folder structure from the aforementioned “sessions” directory

  26. Cyber Counterespionage – AnonymouSTL
     • An analysis of these session folders was conducted
     • It was determined from this analysis that scanning, using this application, was conducted on the following dates:
       – www.bankofamerica.com – December 8, 2011
       – www.winningtech.com – December 8, 2011
       – www.mayorslay.com – December 13, 2011
     • An analysis of the history of websites visited was conducted on the subject’s system, focusing on the timeframe following the LogMeIn logon activity at 10:56PM CST
     • Below is a listing of this Internet activity
     • The dates associated with this listing represent the last time the respective URL was visited
     • The listing below shows the subject accessing several websites with the domain “.ir”
     • The domain “.ir” is a Top Level Domain Country Code for the country of Iran
     • The text “func=download” in the Uniform Resource Locators (URLs) for “http://tehran.mim.gov.ir” indicates there were download attempts made from this website
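The history review described on this slide, as an added example that is not part of the presentation: keep only visits after a known logon time, then flag hosts under watch-listed country-code TLDs and URLs whose query string carries a download marker such as func=download. The history entries, hostnames and the logon date are constructed for illustration (the slide gives only the 10:56PM CST time).

```python
"""Triage browser-history entries after a known logon time."""
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample history: (url, last visited). Hosts are placeholders.
HISTORY = [
    ("http://intranet.example.com/wiki", datetime(2011, 12, 13, 9, 30)),
    ("http://portal.example.ir/index.php?func=view&id=12", datetime(2011, 12, 13, 23, 10)),
    ("http://portal.example.ir/index.php?func=download&id=12", datetime(2011, 12, 13, 23, 12)),
    ("https://news.example.org/", datetime(2011, 12, 13, 23, 15)),
    ("http://shop.example.il/list", datetime(2011, 12, 14, 0, 2)),
]
# Constructed date; only the 10:56PM CST logon time comes from the case.
LOGON_TIME = datetime(2011, 12, 13, 22, 56)
WATCH_TLDS = {"ir", "il"}                    # ccTLDs of interest in the case
DOWNLOAD_MARKERS = {("func", "download")}     # query key/value pairs to flag


def triage_history(history, after, watch_tlds=WATCH_TLDS, markers=DOWNLOAD_MARKERS):
    """Return, in visit order, the entries after `after` that hit a watched
    TLD or a download marker, each with the reasons it was flagged."""
    findings = []
    for url, visited in history:
        if visited <= after:
            continue                          # outside the post-logon window
        parts = urlsplit(url)
        host = parts.hostname or ""
        tld = host.rsplit(".", 1)[-1].lower()
        reasons = []
        if tld in watch_tlds:
            reasons.append(f"tld .{tld}")
        query = parse_qs(parts.query)         # e.g. {'func': ['download'], 'id': ['12']}
        for key, value in markers:
            if value in query.get(key, []):
                reasons.append(f"{key}={value}")
        if reasons:
            findings.append({"host": host, "url": url, "visited": visited, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_history(HISTORY, LOGON_TIME):
        print(f["visited"], f["host"], ", ".join(f["reasons"]), f["url"])
```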

  27. Cyber Counterespionage – AnonymouSTL
     • The aforementioned download files contain sensitive information such as usernames, credit card numbers and the senders, recipients, and body of various emails
     • Below is a screenshot of a single instance of the contents of these .html files, with sensitive information removed (CREDICCARDS.html)
     • SpearTip’s analysis found that these attacks occurred on the following websites on the following dates:
       – http://albayan.co.il – 1/9/2012
       – www.avicom.co.il – 1/9/2012
       – home.geoenv.biu.ac.il – 1/9/2012
       – www.salt.co.il – 1/9/2012
       – www.IAPE.org.il – 1/10/2012
       – www.IAPP.org.il – 1/10/2012
       – www.tamar.co.il – 1/10/2012
       – www.isratim.co.il – 1/11/2012

  28. Cyber Counterespionage – AnonymouSTL
     • This forensic analysis included the correlation of data on the subject system with suspected Twitter postings by the subject using the screen name “AnonymouSTL”
     • The subject system was analyzed to determine if a Twitter account using this username was accessed from this system
     • The following twitter posting was located on www.twitter.com for the user “AnonymouSTL”:
       data-screen-name="_AnonymouSTL_" data-user-id="424567950"
       “You can take my life, you can take my freedom, but you will NEVER TAKE MY PASTEBIN! THIS IS ACCOUNT #6... BETTER LUCK THIS TIME?!?!? #freespeech=shit”
     • This posting further corroborates the SUBJECT’S involvement in the compromising of websites with “.il” domains

  29. Cyber Counterespionage – AnonymouSTL
     • These postings are also just prior to the SQL Injection attacks launched by the subject on the websites within the “.il” domain, on January 9, 10 and 11

  30. Cyber CI – Key Focus Areas
     • Intelligence-driven risk management
     • Evaluate program effectiveness
     • Validate internal threat and risk assessment

  31. Cyber CI – Application
     Recent examples from SpearTip clients
     • Assess info sec and data classification policies effectiveness
     • Develop and refine fraud controls
     • Assess access management program

  32. Conclusion Questions/Discussion

  33. Contacts
     • Douglas G. Helton, Director of Counterintelligence
       Tel: 469.601.7564
       Email: dhelton@speartip.com
     • Brian J. Thomas, CISA, CISSP, Partner, Advisory Services
       Tel: 713.800.1050
       Email: Brian.Thomas@WeaverLLP.com
       @IT_Risk
     • Brittany George Teare, CISA, Manager, Advisory Services
       Tel: 972.448.9299
       Email: Brittany.Teare@WeaverLLP.com
