1
1 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Top business secrets in the digital enterprise: A case study from Deutsche Telekom AG Dr. Rüdiger Peusquens © DoD, Joe Hendricks, U.S. Navy
2
2 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 An E-Mail from our IT-Security Department? Fake!
3
3 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Disclaimer This talk presents the analysis of a real attack. The results contain only facts found in an IT forensic investigation. Any company or organization mentioned in the presentation is referenced to based on technical evidence such as IP addresses or server names. The evidence only supports the claim that the attackers misuse properties of these companies or organizations. There is no indication that any company or organization mentioned on the following slides supported the attack.
4
4 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Analysis & Response
5
5 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Analysis: Similar Incidents show it’s a Campaign Incident #1Incident #2Incident #3 StoryMicrosoft patchAnti-Virus updateAdobe Flash-Player update Sender n/a "It Security" Received (helo=info15.gawab.com) [66.220.20.13] 1) mailhost19.gawab.com (HELO info33.gawab.com) ([66.220.20.19]) mailhost17.gawab.com (HELO info5.gawab.com) ([66.220.20.17]) 1st Received (j.andy@63.216.153.53) by gawab.com with SMTP (r.hook@gawab.com@64.85. 15.10) (adobea3@64.85.15.10) X-mailerhzp4p 10.40.1836drufy 10.40.18361mrnkn2 10.40.1836 This looks like a campaign. 1) There is no indication that gawab.com supports the attack in any way.
6
6 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Analysis: Mail User Agent There is no indication that the manufacturer of the above software supports the attack in any way.
7
7 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Analysis: Mail User Agent = Mass Mailer There is no indication that the manufacturer of the above software supports the attack in any way.
8
8 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Analysis: What happens if the user clicks? -- Poison Ivy! „ Remote Administration Tool” infects standard browser for communication system data collector screen shots audio / video capture keylogger registry editor process monitor communication tunnels file transfer proxy to intranet systems plugin API live updates w/o restart manage „ clients” on server Once in place PoisonIvy takes over your system.
9
9 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Analysis: Command and Control Servers Server Address 204.74.216.146173.252.207.71222.255.28.27 Internet Service Provider TAKE2 – Take 2 Hosting 1) VNPT-AS-VN Vietnam Posts and Telecommunications 1) Binary analysis identifies the command and control servers of this campaign. Infected PCs are under control of these servers: Software Updates Further Attacks Information Leakage 1) There is no indication that the companies mentioned above support the attack in any way.
10
10 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Analysis: Host 204.74.216.146 There is no indication that the owner of the above website supports the attack in any way.
11
11 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Response: Disrupting the Attack 1. Use SPAM filter logic to suppress incoming mails Ruleset based on comparison of 3 incidents: – mail received from gawab.com – Received: contains (HELO -.net) – Message-ID: ends with @-.net – X-mailer: ends with 10.40.1836 2. Suppress known command & control servers Interrupt attackers’ communication infrastructure Enemy looses control of (unidentified) zombies, prevents data leakage 3. Observe campaign and keep track of changes IT forensics and research public sources Exchange information with agencies, CERTs and other organizations / companies update
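The four header indicators of step 1, implemented as a check over constructed sample headers (an added example, not code from the talk). The slide redacts the HELO and Message-ID domain as "-.net", so CAMPAIGN_DOMAIN is a placeholder for it, and the three-of-four threshold is an assumption, since the slide does not say how the rules combine.

```python
import re
from email import message_from_string

# Placeholder for the domain the slide redacts as "-.net" (assumption, not the real value).
CAMPAIGN_DOMAIN = "redacted-campaign-domain.net"
# X-mailer version string shared by all three incidents on slide 5.
XMAILER_SUFFIX = "10.40.1836"


def campaign_indicators(raw: str, domain: str = CAMPAIGN_DOMAIN) -> list[str]:
    """Return the names of the slide's four rules that a raw RFC 5322 message matches."""
    msg = message_from_string(raw)
    # Received headers may be folded over several lines; collapse whitespace first.
    received = [" ".join(r.split()) for r in msg.get_all("Received", [])]
    hits = []
    # Rule 1: mail relayed via a gawab.com mail host
    if any(re.search(r"\bgawab\.com\b", r) for r in received):
        hits.append("received_from_gawab")
    # Rule 2: a hop announced itself with HELO <domain>
    if any(f"(HELO {domain})" in r for r in received):
        hits.append("helo_domain")
    # Rule 3: Message-ID ends with @<domain> (ignore the closing angle bracket)
    mid = (msg.get("Message-ID") or "").strip().rstrip(">")
    if mid.endswith("@" + domain):
        hits.append("message_id_domain")
    # Rule 4: X-mailer ends with the shared version string
    if (msg.get("X-mailer") or "").strip().endswith(XMAILER_SUFFIX):
        hits.append("xmailer_version")
    return hits


def is_campaign_mail(raw: str, min_hits: int = 3) -> bool:
    """Suppress only when several indicators coincide, so one legitimate gawab.com relay
    or an unrelated mailer version does not trip the filter (threshold is an assumption)."""
    return len(campaign_indicators(raw)) >= min_hits


# Constructed sample modelled on incident #2: gawab.com hops and X-mailer are taken from
# slide 5; the HELO/Message-ID domain and the remaining addresses are made up.
SAMPLE_CAMPAIGN = f"""Received: from mailhost19.gawab.com (HELO info33.gawab.com) ([66.220.20.19])
    by mx.example.com with SMTP
Received: from (r.hook@gawab.com@64.85.15.10) by gawab.com with SMTP
Received: from unknown (HELO {CAMPAIGN_DOMAIN}) (192.0.2.10)
Message-ID: <20130213.drufy@{CAMPAIGN_DOMAIN}>
X-mailer: drufy 10.40.1836
Subject: Anti-Virus update

Please install the attached update.
"""
```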
12
12 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Understanding Targeted Attacks
13
13 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Exfiltration Spreading Asset Identification Malware Infection Social Engineering Target & Context Identification Complete Picture of a Targeted Attack Command & Control Server Company WWW, Social Networks, News,… Attacker Emails Contracts Customer Data Engineering Plans Patents …
14
14 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Kill-Chain: Know your Enemy & Fight their Tactics Collect Information Detect Attacks Fight Attacks Identify Potential Targets Modus Operandi Threat Vectors Raise Awareness of potential victims Monitor Threat Vectors Identify Targeted Attacks Analyze the Attack Understand Extent Initiate Countermeasures Exfiltration Command and Control ExploitationDeliveryWeaponizationReconnaissance What the Attackers do: What we can do:
15
15 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Other potential Information Leaks
16
16 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Smartphones: Who else knows what you did last summer?
17
17 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Protecting Top Business Secrets
18
18 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Top Business Secret Model less than 5% of information is top business secrets focus on “crown jewels”, avoid security overkill, most top business secrets are critical for a given period of time use a project based approach top business secrets are about handling information protect data and communication Fundamentals technology solves nothing without the human factor combine technical and non-technical solutions top business secrets are not necessarily handled by the bosses focus on information not on hierarchy 1. Have a standard set of highly secure solutions ready. 2. Establish a fast process to support top business secret projects. 3. Nominate a Counter Espionage Officer. 4. Spread the news to units that have top business secrets. Approach 12345
19
19 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Plan: Acquire a company Plan: Acquire a company Risk and threat analysis by Counter Espionage Officer Selection of protection measures from the toolbox Selection of protection measures from the toolbox Board : “This is a Top Business Secret” Head of M&A (project lead) contacts Counter Espionage Officer Example Who handles what information how? What are the concrete threats? Top Business Secret Process Train the people involved. Hand out / install / check technical protection.
20
20 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Top Business Secrets Protection Toolbox High secure notebooks Secure end-to-end voice communications Secure end-to-end data communications Eavesdropping protection Technical counter-measures Training on handling Top Business Secrets Physically and logically restricted access Non-disclosure agreements Total clean desk Anti social engineering advice Labels for document, files and computers (watermarks, numbering of copies, etc.) Non-technical counter-measures
21
21 Dr. Rüdiger Peusquens, Deutsche Telekom AG eCrime 2013-02-13 Dr. Rüdiger Peusquens Vice President Testing Group Information Security Deutsche Telekom AG ruediger.peusquens@telekom.de +49 228 181 75113 Dr. Rüdiger Peusquens Vice President Testing Group Information Security Deutsche Telekom AG ruediger.peusquens@telekom.de +49 228 181 75113 Targeted attacks can hit you anytime. Defend yourselves. Thank you!