Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Great Data Robbery Cyber theft and the risks to your organization February 11, 2014 9:45AM – 11:30AM.

Similar presentations

Presentation on theme: "The Great Data Robbery Cyber theft and the risks to your organization February 11, 2014 9:45AM – 11:30AM."— Presentation transcript:

1 The Great Data Robbery Cyber theft and the risks to your organization February 11, :45AM – 11:30AM

2 2 Contents 1.Presenters 2.Background 3.The threat 4.Risks to your organization 5.What your organization can / should be doing 6.The role of Cyber counterintelligence

3 3 Presenters Brittany Teare, Weaver – Manager, IT Advisory Services Brian Thomas, Weaver – Partner, IT Advisory Services Doug Helton, SpearTip – Director of Counterintelligence

4 4 Weaver IT Advisory Services IT Audit (IT internal audit, external audit support, SOX, SOC reporting) Information Security - Penetration testing - Vulnerability assessment - ISO Data privacy IT Consulting - Independent verification & validation - IT assessments and planning - Project risk management Analytics - Audit preparation - Audit support - Forensics support - Management analytics - Continuous monitoring

5 5 Some organizations will be a target regardless of what they do, but most become a target because of what they do. If your organization is indeed a target of choice, understand as much as you can about what your opponent is likely to do and how far they are willing to go DBIR, pg. 48

6 6 Background In 2013, there are two kinds of companies – those that have been breached, and those that know theyve been breached. – Who are the victims of breaches? 38% larger organizations + 37% financial organizations + 24% retail and restaurants 20% manufacturing, transportation, utilities + 20% professional services firms +

7 7 The Threat Who are the bad guys? Depends on what information assets or systems you have. Could be: – Nation states like China, Russia, Iran, North Korea – Hacktivists (Anonymous, Wikileaks) – Terrorist organizations – Organized crime

8 8 The Threat (cont.) What do they want? Depends on what information assets or systems you have. Could be: – Defense secrets – Disruption of critical infrastructure – Trade secrets and intellectual property – Confidential information about your organization, your business dealings, or your customers – Exploitable consumer financial information

9 9 The Threat (cont.) – How do breaches occur? 52% some form of hacking 76% exploitation of weak or stolen credentials 40% malware 35% physical attacks + 29% social tactics + 13% privileged misuse or abuse – What are the commonalities? Financial motives, targeted user devices, compromised servers, opportunistic attacks, discovery by external parties, time of discovery is multiple months, low difficulty of initial intrusion

10 10 Risks to Organizations Key risks of cyber theft: – Liability for loss of confidential information, loss of private consumer information, business interruption, or even loss of human life – Loss of intellectual property / trade secrets / competitive advantage – Damage from loss of confidentiality – Reputational damage

11 11 Risk Impact Gone are the days when we could bury our heads in the sand. Liability is increasing: – Target – Yahoo – CF Disclosure Guidance: Topic No. 2 - Cybersecurity

12 12 What to Do Prevention is ideal, detection is a must!

13 13 What to Do Organizations should: – Classify data – Implement an ISMS – Implement tools to identify security events – Perform periodic security assessments based on the specific threats – Consider cyber counterintelligence

14 14 Cyber Counterintelligence – Case Studies

15 15 Cyber Counterintelligence - Overview What is cyber counterintelligence (Cyber CI)? - Historical roots - Increased awareness and demand Who is SpearTip? - Military CI and LE agents - Deep technical expertise Why is Cyber CI relevant?

16 16 Cyber Counterespionage – Chinese Scientist Chinese Scientist East Coast – NanoTech Research Facility Accepted position back in Beijing Gaining elevated access to sensitive information Copying the hard drive and placing it in new system Download and use of hacking software Introducing malware into environment

17 17 Cyber Counterespionage – Chinese Scientist Forensic analysis identified the malicious file FFE3.CB5 at the following location on the subject system This file was identified by the malware scanning software Sophos as Trojan.CycBotCn-A This particular malware creates a backdoor which allows unauthorized remote access to the subject system This file was located on the subject system at the aforementioned location. Below is a screenshot of this file with its creation date and time In addition to the malicious file, SpearTip also discovered the presence of an attribute changer This type of software has the ability to modify date and time stamps within any active file within the file system Attribute changers are most often used for nefarious purposes, such as to cover ones tracks following an exploitation or security breach C:\Documents and Settings\ \Application Data\2CB5F\FFE3.CB5

18 18 Cyber Counterespionage – Chinese Scientist The subject was also conducting research on how to image a hard drive and how to connect two systems via a USB cable Following this research, subject then searched the Internet in an attempt to locate and purchase a laptop that was identical to his company issued laptop It was later discovered that he had, indeed, purchased two laptops of the same make and model as HIS company issued laptop During SpearTips malware analysis, this application was identified as attempting to access the registry framework of the installed host-based antivirus solution The corporations IT staff was completely unaware of subjects malicious activity or the malware threat within their network environment

19 19 Cyber Counterespionage – Chinese Scientist During malware analysis, this application was identified as attempting to access the registry framework of the installed host-based antivirus solution IT staff was completely unaware of the malicious activity of the subject or the malware threat within their network environment

20 20 Cyber Counterespionage – Chinese Scientist Organizations R&D server was attempting to communicate within the network environment to an Exchange Server

21 21 Cyber Counterespionage – Chinese Scientist Some of the most recent discoveries have identified yet another method of infiltrating sensitive data from corporate environments, such as deploying a remotely accessible cellular device In order to detect and analyze this new technique specialized hardware and software components are required to process various electronic signals emanating from these devices This equipment can provide the Cyber Counterintelligence operator a platform that can detect, identify, assess, counter, exploit and/or neutralize this type of threat The following examples are equipment that could be used for this type of cyber espionage activity NAC/802.1x Bypass. In addition to supporting both 3G and Wireless connectivity, the plug & play devices can bypass virtually all NAC/802.1x/RADIUS implementations, providing a reverse shell backdoor and full connectivity to NAC- restricted networks

22 22 Cyber Counterespionage – Romanian Hack Team SpearTip personnel were contacted to respond to an intrusion involving a RedHat server that hosted a tremendous amount of proprietary data It was determined that this information was not compromised, although the point of intrusion still needed to be determined for remediation planning It was determined that the compromise included the initial exploit, the addition of the elvis user, upload of malicious files, and the Romanian attackers then proceeding to utilize this server to carry out their eBay/PayPal phishing scam On November 19, 2007, the server began sustaining brute force ssh login attacks This appeared to be a scripted attack, but however related it may have been, it is highly unlikely to have led to the compromise itself, as the attackers had a much easier exploit available Logs appear to have been manipulated given inexplicable inconsistencies in syslogd timestamps. Syslogd does not log local events out of sequence; therefore information within the log cannot be entirely trusted. Timestamp anomalies are very often a tell-tale sign of rootkits.

23 23 Cyber Counterespionage – Romanian Hack Team On December 18, 2007 at 1012 hours an account and group were created under the username elvis This server was accessed via the elvis username throughout the Internet from December 18 through December 21, ending only after Source1 deleted the user account Not only does the fact that elvis came from so many IPs stand out, it may be noteworthy to mention that their backdoored sshd server can bind as many ports as are open In an effort to determine further activity of the attackers, an exhaustive search for all and any remnants of the.bash_history file was undertaken As shown below, once the attacker gained ssh access, he downloaded and ran multiple exploits and backdoors

24 24 Cyber Counterespionage – Romanian Hack Team According to the information contained within the attackers.bash_history file, it appears that the attack vector that SUBJECTS utilized is a file called windmilk.jpg or windmilk.tgz Both files are simple gzipped tar files containing the superwu binary. A screenshot of the attack tool can be seen below Further analysis led not only to the determination of the attackers tools, but references to some of their friends as well These friends steered the investigation to look into other members of the hacker group The brains of the operation seemed to be Claudiu Catalin, seen below with another member of the team, Iordache:

25 25 Cyber Counterespionage – AnonymouSTL SpearTip personnel were contacted to respond to an incident involving an employee utilizing corporate assets to conduct numerous high-profiled intrusions to US government and international websites in the name of AnonymouSTL A forensic analysis of activity on SUBJECTs system was conducted that identified several s that demonstrate that HE specifically sought and requested Structured Query Language (SQL) training, paid for by the corporation While this type of training is not out of the ordinary for someone with subjects professional responsibilities, training and knowledge of this programming language could be useful for an individual who intentions are to launch website and network-based attacks using SQL Injections A SQL Injection is an attack using SQL statements on a poorly designed website, with the intention of compromising a database of information on the website, often exposing that information to the attacker During the forensic analysis, several session folders were located for the application W3AF. This software is used for penetrating and finding weaknesses in web applications These session folders were found in the C:\Users\Administrator\.w3af\sessions\ directory on the subject system Below is a screenshot of the folder structure from the aforementioned sessions directory

26 26 Cyber Counterespionage – AnonymouSTL An analysis of these session folders was conducted It was determined from this analysis that scanning, using this application was conducted on the following dates: An analysis of the history of websites visited was conducted on subjects system, focusing on the timeframe following the LogMeIn logon activity at 10:56PM CST Below is a listing of this Internet activity The dates associated with this listing represent the last time the respective URL was visited The listing below shows subject accessing several websites with the The is a Top Level Domain Country Code for the country of Iran The text func=download in the Uniform Resource Locators (URLs) for indicates there were download attempts made from this website 8, , , 2011

27 27 Cyber Counterespionage – AnonymouSTL The aforementioned download files contain sensitive information such as usernames, credit card numbers and the senders, recipients, and body of various s Below is a screenshot of a single instance of the contents of these.html files, with sensitive information removed SpearTips analysis found that these attacks occurred on the following websites on the following dates: CREDICCARDS.html

28 28 Cyber Counterespionage – AnonymouSTL This forensic analysis included the correlation of data on the subject system with suspected Twitter postings by subject using the screen name AnonymouSTL The subject system was analyzed to determine if a Twitter account using this username was accessed from this system The following twitter posting was located on for the user AnonymouSTL This posting further corroborates the SUBJECTS involvement in the compromising of websites domains data-screen-name="_AnonymouSTL_" data-user-id=" You can take my life, you can take my freedom, but you will NEVER TAKE MY PASTEBIN! THIS IS ACCOUNT #6... BETTER LUCK THIS TIME?!?!? #freespeech=shit data-screen-name="_AnonymouSTL_" data-user-id=" You can take my life, you can take my freedom, but you will NEVER TAKE MY PASTEBIN! THIS IS ACCOUNT #6... BETTER LUCK THIS TIME?!?!? #freespeech=shit

29 29 Cyber Counterespionage – AnonymouSTL These postings are also just prior to the SQL Injection attacks launched by subject on the websites within domain, on January 9, 10 and 11

30 30 Cyber CI – Key Focus Areas Intelligence - driven risk management Evaluate program effectiveness Validate internal threat and risk assessment

31 31 Cyber CI – Application Recent examples from SpearTip clients Assess info sec and data classification policies effectiveness Develop and refine fraud controls Assess access management program

32 32 Conclusion Questions/Discussion

33 33 Contacts g Douglas G. Helton Director of Counterintelligence Tel: Brian J. Thomas, CISA, CISSP Partner, Advisory Services Tel: Brittany George Teare, CISA Manager, Advisory Services Tel:

Download ppt "The Great Data Robbery Cyber theft and the risks to your organization February 11, 2014 9:45AM – 11:30AM."

Similar presentations

Ads by Google