Top business secrets in the digital enterprise: A case study from Deutsche Telekom AG
Dr. Rüdiger Peusquens, Deutsche Telekom AG, eCrime 2013-02-13 (slide transcript)

Slide 1: Title slide (photo © DoD, Joe Hendricks, U.S. Navy)

Slide 2: An E-Mail from our IT-Security Department? Fake!

Slide 3: Disclaimer
This talk presents the analysis of a real attack. The results contain only facts found in an IT forensic investigation. Any company or organization mentioned in the presentation is referenced based on technical evidence such as IP addresses or server names. The evidence only supports the claim that the attackers misuse properties of these companies or organizations. There is no indication that any company or organization mentioned on the following slides supported the attack.

Slide 4: Analysis & Response

Slide 5: Analysis: Similar Incidents show it's a Campaign

|              | Incident #1                                    | Incident #2                                                     | Incident #3                                                    |
| Story        | Microsoft patch                                | Anti-Virus update                                               | Adobe Flash-Player update                                      |
| Sender       | n/a                                            | "It Security"                                                   |                                                                |
| Received     | (helo=info15.gawab.com) [66.220.20.13] 1)      | mailhost19.gawab.com (HELO info33.gawab.com) ([66.220.20.19])   | mailhost17.gawab.com (HELO info5.gawab.com) ([66.220.20.17])   |
| 1st Received | (j.andy@63.216.153.53) by gawab.com with SMTP  | (r.hook@gawab.com@64.85.15.10)                                  | (adobea3@64.85.15.10)                                          |
| X-mailer     | hzp4p 10.40.1836                               | drufy 10.40.1836                                                | 1mrnkn2 10.40.1836                                             |

This looks like a campaign.
1) There is no indication that gawab.com supports the attack in any way.

Slide 6: Analysis: Mail User Agent
There is no indication that the manufacturer of the above software supports the attack in any way.

Slide 7: Analysis: Mail User Agent = Mass Mailer
There is no indication that the manufacturer of the above software supports the attack in any way.

Slide 8: Analysis: What happens if the user clicks? -- Poison Ivy!
"Remote Administration Tool":
- infects standard browser for communication
- system data collector
- screen shots
- audio / video capture
- keylogger
- registry editor
- process monitor
- communication tunnels
- file transfer
- proxy to intranet systems
- plugin API
- live updates w/o restart
- manage "clients" on server
Once in place Poison Ivy takes over your system.

Slide 9: Analysis: Command and Control Servers
Server addresses: 204.74.216.146, 173.252.207.71, 222.255.28.27
Internet Service Providers: TAKE2 – Take 2 Hosting 1); VNPT-AS-VN Vietnam Posts and Telecommunications 1)
Binary analysis identifies the command and control servers of this campaign. Infected PCs are under control of these servers:
- Software Updates
- Further Attacks
- Information Leakage
1) There is no indication that the companies mentioned above support the attack in any way.

Slide 10: Analysis: Host 204.74.216.146
There is no indication that the owner of the above website supports the attack in any way.

Slide 11: Response: Disrupting the Attack
1. Use SPAM filter logic to suppress incoming mails. Ruleset based on comparison of the 3 incidents:
   - mail received from gawab.com
   - Received: contains (HELO -.net)
   - Message-ID: ends with @-.net
   - X-mailer: ends with 10.40.1836
2. Suppress known command & control servers: interrupt the attackers' communication infrastructure. The enemy loses control of its (unidentified) zombies, which prevents data leakage.
3. Observe the campaign and keep track of changes: IT forensics and research of public sources; exchange information with agencies, CERTs and other organizations / companies (update).
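The header comparison of slide 5 and the four-rule filter of slide 11, as an added Python example (not code from the talk or from Deutsche Telekom): it parses a mail's header block with the standard library, reports the fields the talk compares across incidents, and returns which of the four campaign indicators match. The two sample messages are constructed for this example. Two assumptions are mine: the redacted "-" in "(HELO -.net)" and "@-.net" is read as any host name under .net, and a mail is flagged only when all four indicators hit.

```python
import email
import re
from email import policy

# Indicators as listed on the talk's "Response" slide. The redacted "-" in
# "(HELO -.net)" and "@-.net" is read here as "any host name under .net"
# (assumption; the talk does not give the real label).
CAMPAIGN_RELAY = "gawab.com"
HELO_NET_RE = re.compile(r"\(HELO\s+[\w.-]+\.net\)", re.IGNORECASE)
MSGID_NET_RE = re.compile(r"@[\w.-]+\.net>?$", re.IGNORECASE)
XMAILER_SUFFIX = "10.40.1836"

# Constructed sample messages (not captured from the campaign); the header
# shapes echo the comparison table on slide 5.
SUSPECT_MSG = """\
Received: from mailhost19.gawab.com (HELO info33.gawab.com) ([66.220.20.19])
Received: from updater-host.net (HELO updater-host.net) ([192.0.2.10])
Message-ID: <20130213101500.4711@updater-host.net>
X-mailer: drufy 10.40.1836
From: "It Security" <it-security@example.com>
Subject: Anti-Virus update

Please install the attached update.
"""

BENIGN_MSG = """\
Received: from mail.example.org (HELO mail.example.org) ([192.0.2.20])
Message-ID: <20130213093000.42@mail.example.org>
X-mailer: Microsoft Office Outlook 12.0
From: colleague@example.org
Subject: Meeting notes

See attached.
"""


def summarize_headers(raw_message):
    """Return the fields the talk compares across incidents on slide 5."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    received = [str(r) for r in (msg.get_all("Received") or [])]
    return {
        # Topmost Received line is the last hop; the bottom one is the first hop.
        "received": received[0] if received else "",
        "first_received": received[-1] if received else "",
        "message_id": str(msg.get("Message-ID", "")),
        "x_mailer": str(msg.get("X-mailer", "")),
    }


def campaign_rule_hits(raw_message):
    """Names of the four slide-11 indicators that the message matches."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    received = [str(r) for r in (msg.get_all("Received") or [])]
    hits = []
    # Rule 1: any hop through the gawab.com relay.
    if any(CAMPAIGN_RELAY in r.lower() for r in received):
        hits.append("received_from_gawab")
    # Rule 2: a Received line carrying "(HELO <something>.net)".
    if any(HELO_NET_RE.search(r) for r in received):
        hits.append("helo_net")
    # Rule 3: Message-ID ending in "@<something>.net".
    if MSGID_NET_RE.search(str(msg.get("Message-ID", "")).strip()):
        hits.append("message_id_net")
    # Rule 4: the mass mailer's build string at the end of X-mailer.
    if str(msg.get("X-mailer", "")).strip().endswith(XMAILER_SUFFIX):
        hits.append("xmailer_build")
    return hits


def is_campaign_mail(raw_message, threshold=4):
    """Flag the mail when at least `threshold` indicators match (4 = all four; assumption)."""
    return len(campaign_rule_hits(raw_message)) >= threshold


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_MSG), ("benign", BENIGN_MSG)):
        print(name, summarize_headers(raw)["x_mailer"], campaign_rule_hits(raw), is_campaign_mail(raw))
```

Requiring all four indicators keeps the rule narrow, which matters because the relay and the .net suffix are weak signals on their own; lowering `threshold` trades that precision for coverage of campaign variants that change one header.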

Slide 12: Understanding Targeted Attacks

Slide 13: Complete Picture of a Targeted Attack (diagram)
Phases: Target & Context Identification → Social Engineering → Malware Infection → Asset Identification → Spreading → Exfiltration
Actors and channels: Attacker; Command & Control Server; Company; WWW, Social Networks, News, ...
Assets at risk: Emails, Contracts, Customer Data, Engineering Plans, Patents, ...

Slide 14: Kill-Chain: Know your Enemy & Fight their Tactics
What the attackers do: Reconnaissance → Weaponization → Delivery → Exploitation → Command and Control → Exfiltration
What we can do:
- Collect Information: identify potential targets, modus operandi and threat vectors; raise awareness of potential victims
- Detect Attacks: monitor threat vectors; identify targeted attacks
- Fight Attacks: analyze the attack; understand its extent; initiate countermeasures

Slide 15: Other potential Information Leaks

Slide 16: Smartphones: Who else knows what you did last summer?

Slide 17: Protecting Top Business Secrets

Slide 18: Top Business Secret Model
Fundamentals:
- less than 5% of information is top business secrets → focus on "crown jewels", avoid security overkill
- most top business secrets are critical for a given period of time → use a project based approach
- top business secrets are about handling information → protect data and communication
- technology solves nothing without the human factor → combine technical and non-technical solutions
- top business secrets are not necessarily handled by the bosses → focus on information, not on hierarchy
Approach:
1. Have a standard set of highly secure solutions ready.
2. Establish a fast process to support top business secret projects.
3. Nominate a Counter Espionage Officer.
4. Spread the news to units that have top business secrets.

Slide 19: Top Business Secret Process (Example: Plan: Acquire a company)
1. Board: "This is a Top Business Secret"
2. Head of M&A (project lead) contacts Counter Espionage Officer
3. Risk and threat analysis by Counter Espionage Officer: Who handles what information how? What are the concrete threats?
4. Selection of protection measures from the toolbox
5. Train the people involved. Hand out / install / check technical protection.

Slide 20: Top Business Secrets Protection Toolbox
Technical counter-measures:
- High secure notebooks
- Secure end-to-end voice communications
- Secure end-to-end data communications
- Eavesdropping protection
Non-technical counter-measures:
- Training on handling Top Business Secrets
- Physically and logically restricted access
- Non-disclosure agreements
- Total clean desk
- Anti social engineering advice
- Labels for documents, files and computers (watermarks, numbering of copies, etc.)

Slide 21: Targeted attacks can hit you anytime. Defend yourselves. Thank you!
Dr. Rüdiger Peusquens, Vice President Testing, Group Information Security, Deutsche Telekom AG, ruediger.peusquens@telekom.de, +49 228 181 75113

