The Great Data Robbery Cyber theft and the risks to your organization February 11, 2014 9:45AM – 11:30AM
Contents • Presenters • Background • The threat • Risks to your organization • What your organization can / should be doing • The role of Cyber counterintelligence
Presenters • Brittany Teare, Weaver • Manager, IT Advisory Services • Brian Thomas, Weaver • Partner, IT Advisory Services • Doug Helton, SpearTip • Director of Counterintelligence
“Some organizations will be a target regardless of what they do, but most become a target because of what they do. If your organization is indeed a target of choice, understand as much as you can about what your opponent is likely to do and how far they are willing to go.” -2013 DBIR, pg. 48
Background • In 2013, there are two kinds of companies – those that have been breached, and those that know they’ve been breached. • Who are the victims of breaches? • 38% larger organizations+ • 37% financial organizations+ • 24% retail and restaurants • 20% manufacturing, transportation, utilities+ • 20% professional services firms+
The Threat • Who are the bad guys? Depends on what information assets or systems you have. Could be: • Nation states like China, Russia, Iran, North Korea • Hacktivists (Anonymous, Wikileaks) • Terrorist organizations • Organized crime
The Threat (cont.) • What do they want? Depends on what information assets or systems you have. Could be: • Defense secrets • Disruption of critical infrastructure • Trade secrets and intellectual property • Confidential information about your organization, your business dealings, or your customers • Exploitable consumer financial information
The Threat (cont.) • How do breaches occur? • 52% some form of hacking • 76% exploitation of weak or stolen credentials • 40% malware • 35% physical attacks+ • 29% social tactics+ • 13% privileged misuse or abuse • What are the commonalities? • Financial motives, targeted user devices, compromised servers, opportunistic attacks, discovery by external parties, time of discovery is multiple months, low difficulty of initial intrusion
Risks to Organizations • Key risks of cyber theft: • Liability for loss of confidential information, loss of private consumer information, business interruption, or even loss of human life • Loss of intellectual property / trade secrets / competitive advantage • Damage from loss of confidentiality • Reputational damage
Risk Impact • Gone are the days when we could bury our heads in the sand. Liability is increasing: • Target • Yahoo • CF Disclosure Guidance: Topic No. 2 - Cybersecurity (SEC Division of Corporation Finance, October 2011)
What to Do “Prevention is ideal, detection is a must!”
What to Do • Organizations should: • Classify data • Implement an ISMS • Implement tools to identify security events • Perform periodic security assessments based on the specific threats • Consider cyber counterintelligence
Cyber Counterintelligence - Overview • What is cyber counterintelligence (Cyber CI)? - Historical roots - Increased awareness and demand • Who is SpearTip? - Military CI and LE agents - Deep technical expertise • Why is Cyber CI relevant?
Cyber Counterespionage – Chinese Scientist • East Coast – NanoTech Research Facility • Accepted a position back in Beijing • Gained elevated access to sensitive information • Copied the hard drive and placed it in a new system • Downloaded and used hacking software • Introduced malware into the environment
Cyber Counterespionage – Chinese Scientist • Forensic analysis identified the malicious file “FFE3.CB5” at the following location on the subject system: C:\Documents and Settings\<user>\Application Data\2CB5F\FFE3.CB5 • The file was identified by the Sophos malware scanner as “Trojan.CycBotCn-A” • This malware creates a “backdoor” that allows unauthorized remote access to the subject system • A screenshot of the file, with its creation date and time, was captured at that location • In addition to the malicious file, SpearTip also discovered an attribute changer on the system • This type of software modifies the creation, modification and access timestamps of any file in the file system • An intruder uses an attribute changer to cover their tracks after an exploitation or breach, backdating dropped files so they blend in with legitimate ones; the presence of such a tool next to malware is therefore itself an indicator, and the timestamps it produces should not be trusted when building a timeline
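The attribute changer described above rewrites the timestamps Windows exposes through the normal file API, which on NTFS are the $STANDARD_INFORMATION ($SI) set; the $FILE_NAME ($FN) set is written only by the kernel and is not touched by such tools. The following is an added example, not SpearTip's method or any code from the case, of the checks an analyst runs over parsed $MFT records to find files whose timestamps were tampered with. The records are constructed for illustration; `FileRecord` and the path names are assumptions, and `backdoor.exe` is a hypothetical file.

```python
"""Heuristics for spotting timestamp manipulation ("timestomping") of the
kind an attribute changer performs. Added example, not the investigation's
own tooling. Input records are constructed to resemble the output of an
NTFS $MFT parser that reports both $SI and $FN timestamps."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class FileRecord:            # assumed shape, not a real parser's output
    path: str
    si_created: datetime     # $STANDARD_INFORMATION, writable via SetFileTime
    si_modified: datetime
    si_accessed: datetime
    fn_created: datetime     # $FILE_NAME, only the kernel updates this


def has_zero_subsecond(rec):
    """Windows keeps 100 ns resolution; user-mode tools that rewrite
    timestamps usually supply whole seconds, so all-zero fractions on every
    $SI field is a strong tell. Not proof: some archivers and copy paths also
    round, so corroborate with the other checks."""
    return all(t.microsecond == 0
               for t in (rec.si_created, rec.si_modified, rec.si_accessed))


def si_before_fn(rec):
    """$SI creation earlier than $FN creation. Backdating $SI leaves $FN
    showing when the file really appeared on this volume."""
    return rec.si_created < rec.fn_created


def modified_before_created(rec):
    """Weak indicator: a file copied on Windows keeps its source's modified
    time, so this fires on legitimately copied files too."""
    return rec.si_modified < rec.si_created


def score(rec):
    """Names of every heuristic that fires for one record, in fixed order."""
    findings = []
    if si_before_fn(rec):
        findings.append("si_before_fn")
    if has_zero_subsecond(rec):
        findings.append("zero_subsecond")
    if modified_before_created(rec):
        findings.append("modified_before_created")
    return findings


STRONG = {"si_before_fn", "zero_subsecond"}


def triage(records, strong=STRONG):
    """Paths that carry at least one strong indicator, for analyst review."""
    return [r.path for r in records if strong & set(score(r))]


# Constructed sample records (not from the incident).
SAMPLE_RECORDS = [
    # Dropped backdoor whose $SI times were rewritten to 2009 by an attribute changer
    FileRecord(r"C:\Documents and Settings\user\Application Data\1F2A\backdoor.exe",
               si_created=datetime(2009, 1, 5, 0, 0, 0),
               si_modified=datetime(2009, 1, 5, 0, 0, 0),
               si_accessed=datetime(2009, 1, 5, 0, 0, 0),
               fn_created=datetime(2012, 3, 14, 22, 17, 3, 123456)),
    # Ordinary document: $SI and $FN agree, fractions are non-zero
    FileRecord(r"C:\Documents and Settings\user\My Documents\notes.docx",
               si_created=datetime(2012, 3, 10, 9, 12, 33, 456789),
               si_modified=datetime(2012, 3, 12, 16, 40, 1, 98765),
               si_accessed=datetime(2012, 3, 13, 8, 0, 5, 11111),
               fn_created=datetime(2012, 3, 10, 9, 12, 33, 456789)),
    # Copied from removable media: modified precedes created, which is normal
    FileRecord(r"C:\Documents and Settings\user\Desktop\report.pdf",
               si_created=datetime(2012, 3, 14, 11, 5, 9, 222333),
               si_modified=datetime(2011, 11, 2, 14, 30, 0, 777888),
               si_accessed=datetime(2012, 3, 14, 11, 5, 9, 222333),
               fn_created=datetime(2012, 3, 14, 11, 5, 9, 222333)),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.path, score(rec))
    print("triage:", triage(SAMPLE_RECORDS))
```

Only the stomped backdoor is surfaced by `triage`; the copied PDF trips the weak check alone and is left for manual review. Running the same checks against the real $MFT is what turns "an attribute changer was present" into a list of the files it was used on.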
Cyber Counterespionage – Chinese Scientist • The subject was also researching how to image a hard drive and how to connect two systems via a USB cable • Following this research, the subject searched the Internet to locate and purchase a laptop identical to his company-issued laptop • It was later discovered that he had indeed purchased two laptops of the same make and model as HIS company-issued laptop
Cyber Counterespionage – Chinese Scientist • During SpearTip's malware analysis, the malicious file was observed attempting to access the registry keys of the installed host-based antivirus solution, behaviour consistent with an attempt to disable or evade it • The corporation's IT staff was completely unaware of the subject's malicious activity or of the malware threat within their network environment
Cyber Counterespionage – Chinese Scientist • Organization’s R&D server was attempting to communicate within the network environment to an Exchange Server
Cyber Counterespionage – Chinese Scientist • Recent investigations have identified yet another method of exfiltrating sensitive data from corporate environments: a remotely accessible cellular device planted on the internal network • Detecting and analyzing this technique requires specialized hardware and software to process the radio signals emanating from such devices • That equipment gives the Cyber Counterintelligence operator a platform to detect, identify, assess, counter, exploit and/or neutralize this type of threat • The following is an example of equipment that can be used for this type of cyber espionage activity: • NAC/802.1x bypass. In addition to 3G and wireless connectivity, these plug-and-play devices are advertised as bypassing virtually all NAC/802.1x/RADIUS implementations, providing a reverse-shell backdoor and full connectivity into NAC-restricted networks • Because the device calls home over the cellular network, perimeter egress filtering and network monitoring never see the channel; detection depends on physical inspection, RF survey, and spotting the unauthorized device on the wired side (unexpected MAC addresses, switch-port 802.1x state)
Cyber Counterespionage – Romanian Hack Team • SpearTip personnel were contacted to respond to an intrusion involving a Red Hat server that hosted a large amount of proprietary data • It was determined that this information was not compromised, although the point of intrusion still needed to be identified for remediation planning • The compromise comprised the initial exploit, the addition of the “elvis” user, the upload of malicious files, and the Romanian attackers then using the server to run their eBay/PayPal phishing scam • On November 19, 2007, the server began sustaining brute-force SSH login attacks • This appeared to be a scripted attack; whether or not it was related, it is unlikely to have produced the compromise itself, as the attackers had a much easier exploit available • Logs appear to have been manipulated, given inexplicable inconsistencies in syslogd timestamps. Syslogd does not write local events out of sequence, so information within the log cannot be entirely trusted. Timestamp anomalies of this kind are very often a tell-tale sign of log tampering by a rootkit or an intruder's cleanup script.
Cyber Counterespionage – Romanian Hack Team • On December 18, 2007 at 1012 hours an account and group were created under the username “elvis” • The server was accessed via the elvis account from many Internet addresses from December 18 through December 21, ending only after Source1 deleted the account • Not only does the number of source IPs used by elvis stand out; it is also noteworthy that the backdoored sshd the attackers installed can bind to as many ports as are open on the host • To determine the attackers' further activity, an exhaustive search for any remnants of the “.bash_history” file was undertaken • As shown below, once the attacker gained SSH access, he downloaded and ran multiple exploits and backdoors
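The three indicators in the two slides above (the SSH brute-force run, the syslog timestamps that go backwards, and the elvis account appearing and then logging in from many addresses) are all visible in plain syslog text. The following is an added example, not SpearTip's tooling or anything recovered from the server, of detection logic that surfaces them. The log lines are constructed to resemble a 2007-era Red Hat /var/log/secure; the host name, addresses and the 2007 year are assumptions.

```python
"""Detection logic over syslog-format auth lines: SSH brute-force bursts,
new local accounts, logins from many sources, and out-of-sequence
timestamps that suggest log tampering. Added example with constructed
input; not code from the investigation."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from the incident). Classic syslog omits the
# year, so ASSUMED_YEAR is supplied when parsing.
SAMPLE_LOG = """\
Nov 19 02:14:01 srv sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Nov 19 02:14:03 srv sshd[2203]: Failed password for root from 203.0.113.7 port 41023 ssh2
Nov 19 02:14:04 srv sshd[2205]: Failed password for root from 203.0.113.7 port 41024 ssh2
Nov 19 02:14:06 srv sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 41025 ssh2
Nov 19 02:14:07 srv sshd[2209]: Failed password for root from 203.0.113.7 port 41026 ssh2
Nov 19 02:14:09 srv sshd[2211]: Failed password for root from 203.0.113.7 port 41027 ssh2
Nov 19 09:30:00 srv sshd[2400]: Accepted password for bob from 192.0.2.10 port 50001 ssh2
Dec 18 10:12:44 srv useradd[3101]: new group: name=elvis, GID=502
Dec 18 10:12:44 srv useradd[3101]: new user: name=elvis, UID=502, GID=502, home=/home/elvis, shell=/bin/bash
Dec 18 10:13:05 srv sshd[3120]: Accepted password for elvis from 198.51.100.23 port 3344 ssh2
Dec 18 09:55:12 srv sshd[3125]: Accepted password for elvis from 198.51.100.77 port 3350 ssh2
Dec 19 14:02:19 srv sshd[3300]: Accepted password for elvis from 203.0.113.150 port 2200 ssh2
"""
ASSUMED_YEAR = 2007

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([\w-]+)\[\d+\]: (.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")
USERADD_RE = re.compile(r"new user: name=([^,]+),")


def parse_syslog(text, year=ASSUMED_YEAR):
    """Return (timestamp, host, program, message) tuples in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def brute_force_sources(events, threshold=5, window_seconds=60):
    """Source IPs with at least `threshold` failed sshd logins inside any
    `window_seconds` span (a sliding window over sorted failure times)."""
    fails = defaultdict(list)
    for ts, _host, prog, msg in events:
        m = FAILED_RE.search(msg)
        if prog == "sshd" and m:
            fails[m.group(2)].append(ts)
    window = timedelta(seconds=window_seconds)
    flagged = set()
    for ip, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(ip)
                break
    return flagged


def new_accounts(events):
    """(timestamp, username) for every useradd 'new user' record."""
    return [(ts, USERADD_RE.search(msg).group(1))
            for ts, _h, prog, msg in events
            if prog == "useradd" and USERADD_RE.search(msg)]


def login_sources(events):
    """Distinct source IPs per user over successful sshd logins; a fresh
    account arriving from many addresses is the elvis pattern."""
    sources = defaultdict(set)
    for _ts, _h, prog, msg in events:
        m = ACCEPTED_RE.search(msg)
        if prog == "sshd" and m:
            sources[m.group(1)].add(m.group(2))
    return sources


def timestamp_regressions(events):
    """(index, previous_ts, ts) wherever a line is stamped earlier than the
    line before it. syslogd writes local events in order, so a regression
    means edited or injected lines, or a clock reset worth explaining.
    Note: with a fixed assumed year, a genuine Dec->Jan rollover also shows
    up here and must be ruled out by hand."""
    return [(i, events[i - 1][0], events[i][0])
            for i in range(1, len(events))
            if events[i][0] < events[i - 1][0]]


if __name__ == "__main__":
    ev = parse_syslog(SAMPLE_LOG)
    print("brute force from:", brute_force_sources(ev))
    print("new accounts:", new_accounts(ev))
    print("login sources:", {u: sorted(s) for u, s in login_sources(ev).items()})
    print("timestamp regressions:", timestamp_regressions(ev))
```

On the constructed input this flags 203.0.113.7 for the burst of six failures in eight seconds, reports the elvis account creation and its three distinct login sources, and points at the one line whose timestamp runs backwards. The regression check is deliberately strict: on an untampered syslog it should never fire, so a single hit is worth a close look at the surrounding lines.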
Cyber Counterespionage – Romanian Hack Team • According to the attacker's .bash_history file, the attack vector the SUBJECTS used was a file called windmilk.jpg or windmilk.tgz • Both are simple gzipped tar archives containing the superwu binary, the .jpg extension serving to disguise the archive as an image. A screenshot of the attack tool can be seen below • Further analysis identified not only the attackers' tools but also references to some of their friends • These friends steered the investigation toward other members of the hacker group • The “brains” of the operation appeared to be Claudiu Catalin, seen below with another member of the team, Iordache:
Cyber Counterespionage – AnonymouSTL • SpearTip personnel were contacted to respond to an incident involving an employee using corporate assets to conduct numerous high-profile intrusions into US government and international websites in the name of AnonymouSTL • A forensic analysis of email activity on the SUBJECT's system identified several emails demonstrating that HE specifically sought and requested Structured Query Language (SQL) training, paid for by the corporation • While such training is not out of the ordinary for someone with the subject's professional responsibilities, knowledge of SQL is also useful to an individual who intends to launch website and network-based attacks using SQL injection • A SQL injection is an attack in which text supplied by the attacker is inserted into a SQL statement by a poorly designed website and executed as part of the query; the intention is to compromise the database behind the website, often exposing its contents to the attacker • During the forensic analysis, several “session” folders were located for the application “w3af”, an open-source web application attack and audit framework used to find and exploit weaknesses in web applications • These session folders were found in the “C:\Users\Administrator\.w3af\sessions\” directory on the subject system • Below is a screenshot of the folder structure from the aforementioned “sessions” directory
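The SQL injection definition above, shown in working code as an added example (not code from the case or from w3af): a login query built by string concatenation beside the parameterized form, run against an in-memory SQLite table. The table, rows and payloads are constructed for illustration; `login_vulnerable` and `login_safe` are assumed names.

```python
"""SQL injection: vulnerable string-built query versus a parameterized
query, both run against the same constructed SQLite table. Added example,
not code from the incident or the w3af project."""
import sqlite3


def make_db():
    """Constructed sample table; the card numbers are test-pattern values."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "4111111111111111"),
        ("bob", "hunter2", "5500000000000004"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """The flaw: user input is pasted into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT username, card FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """The fix: placeholders bind the input as data; no input can alter the
    statement's structure, so the same payloads match nothing."""
    sql = "SELECT username, card FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Constructed payloads. The first turns the WHERE clause into a tautology
# and comments out the password check; the second appends a UNION that
# reads a different column (here the password) into the result set.
TAUTOLOGY = "' OR 1=1 --"
UNION_DUMP = "' UNION SELECT username, password FROM users --"

if __name__ == "__main__":
    conn = make_db()
    print("normal login:     ", login_safe(conn, "alice", "s3cret"))
    print("tautology, vuln:  ", login_vulnerable(conn, TAUTOLOGY, "x"))
    print("tautology, safe:  ", login_safe(conn, TAUTOLOGY, "x"))
    print("union dump, vuln: ", login_vulnerable(conn, UNION_DUMP, "x"))
    print("union dump, safe: ", login_safe(conn, UNION_DUMP, "x"))
```

With the tautology payload the vulnerable query returns every row without a valid password; with the UNION payload it returns the password column where the application expected card numbers, which is the mechanism behind the credential and card-number dumps described on the following slides. The parameterized version returns nothing for either payload. Note that the tautology must be placed so the injected `OR` is not swallowed by a higher-precedence `AND`; the `--` comment strips the trailing password condition and avoids that problem.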
Cyber Counterespionage – AnonymouSTL • An analysis of these session folders was conducted • It was determined from this analysis that scanning with w3af was conducted against the following sites on the following dates:
www.bankofamerica.com December 8, 2011
www.winningtech.com December 8, 2011
www.mayorslay.com December 13, 2011
• An analysis of the history of websites visited from the subject's system was conducted, focusing on the timeframe following the LogMeIn logon activity at 10:56PM CST • Below is a listing of this Internet activity • The dates associated with this listing represent the last time the respective URL was visited • The listing shows the subject accessing several websites under the “.ir” domain • “.ir” is the country-code top-level domain for Iran • The text “func=download” in the Uniform Resource Locators (URLs) for “http://tehran.mim.gov.ir” indicates that download attempts were made from that website
Cyber Counterespionage – AnonymouSTL • The aforementioned downloaded files contain sensitive information such as usernames, credit card numbers, and the senders, recipients and body of various emails • Below is a screenshot of a single instance of the contents of these .html files, with sensitive information removed: CREDICCARDS.html • SpearTip's analysis found that these attacks occurred on the following websites on the following dates:
http://albayan.co.il 1/9/2012
www.avicom.co.il 1/9/2012
home.geoenv.biu.ac.il 1/9/2012
www.salt.co.il 1/9/2012
www.IAPE.org.il 1/10/2012
www.IAPP.org.il 1/10/2012
www.tamar.co.il 1/10/2012
www.isratim.co.il 1/11/2012
Cyber Counterespionage – AnonymouSTL • This forensic analysis included correlating data on the subject system with suspected Twitter postings by the subject using the screen name “AnonymouSTL” • The subject system was analyzed to determine whether a Twitter account using this username was accessed from it; the following attributes were recovered from the system: data-screen-name="_AnonymouSTL_" data-user-id="424567950" • The following Twitter posting was located on www.twitter.com for the user “AnonymouSTL”: “You can take my life, you can take my freedom, but you will NEVER TAKE MY PASTEBIN! THIS IS ACCOUNT #6... BETTER LUCK THIS TIME?!?!? #freespeech=shit” • This posting further corroborates the SUBJECT's involvement in compromising websites with “.il” domains
Cyber Counterespionage – AnonymouSTL • These postings also immediately precede the SQL injection attacks launched by the subject on websites within the “.il” domain on January 9, 10 and 11
Cyber CI – Key Focus Areas • Intelligence-driven risk management • Evaluate program effectiveness • Validate internal threat and risk assessments
Cyber CI – Application Recent examples from SpearTip clients • Assess info sec and data classification policies effectiveness • Develop and refine fraud controls • Assess access management program
Conclusion Questions/Discussion
Contacts • Douglas G. Helton, Director of Counterintelligence, Tel: 469.601.7564, Email: dhelton@speartip.com • Brian J. Thomas, CISA, CISSP, Partner, Advisory Services, Tel: 713.800.1050, Email: Brian.Thomas@WeaverLLP.com, Twitter: @IT_Risk • Brittany George Teare, CISA, Manager, Advisory Services, Tel: 972.448.9299, Email: Brittany.Teare@WeaverLLP.com