Cyber Security Threat Briefing

Transcription

1 Cyber Security Threat Briefing Special Agent Ryan R. Ormond FBI Detroit Cyber Task Force

2 Cyber Threats Cyber is not a thing, it is a vector. Because we as Americans have connected our entire lives to the Internet, the people who do us harm in all aspects of our lives, that s where they come for our children, for our secrets, for our money, and our infrastructure. - FBI Director James Comey

3 Cyber Challenges John Dillinger couldn t do a thousand robberies on the same day in all 50 states in his pajamas from halfway around the world. That s the challenge we now face with the Internet. The challenge we face with cyber is that it blows away all concepts of time and space as a venue and requires us to shrink the world just the way the bad guys have. We re going to treat this as seriously as someone kicking in your door to steal your stuff. - FBI Director James Comey

4 Cyber Threats Cyber Threats We Face Terrorism CounterIntelligence/Espionage Criminal Hacktivism Insider Threat CLASSIFICATION 4

5 Cyber Threats - Terrorism Growing presence of terrorist organizations on the Internet Cyber Jihad Website Defacements Internet being used not to just recruit or radicalize, but to incite (ISIS/ISIL) Growing use of social networking sites to collaborate and promote violence Growing interest in conducting true computer intrusions/attacks

6 Cyber Threats - Counterintelligence Who are they? Nation-State Actors, Mercenaries for Hire, Rogue Hackers, Transnational Criminal Syndicates Targeted and recruited insiders. What are they after? Technology, Intelligence, Intellectual Property, Military Weapons, Military Strategy Negotiation information, network policies, attendees, etc Intelligence (Policy maker decisions) They have everything to gain; we have a great deal to lose.

7 Cyber Threats - Criminal Cyber Criminal Threats Criminal Computer Intrusions Botnets (Resources), ACH Fraud, Extortion, Insider Threats Usually monetarily motivated, after PII, CC # s, etc. Formerly part of Cyber Internet Fraud Innocent Images Intellectual Property Rights Theft Theft of Trade Secrets Infringement on Products Impacting Health and Safety

8 Cyber Threats - Hacktivism Attempt to cause disruption to networks and service and loss of data Actions are non-violent and not usually aimed at individuals, but rather companies or government Hack in retaliation for real or perceived social wrongs Loosely organized Media savvy and able to create the perception that they are more effective than they actually are

9 Cyber Threats The Risk Equation Risk = Threat x Vulnerability x Consequence Threat: Any person, circumstance or event with the potential to cause loss or damage. Vulnerability: Any weakness that can be exploited by an adversary or through accident. Consequence: The amount of loss or damage that can be expected from a successful attack. - Mark Fabro, INL

10 Data Breach Stats ,541 confirmed incidents 1.02 billion records compromised 55% were attributed to malware and hacks Healthcare Stats 391 Incidents 29 million records Criminal intrusions most common cause of data breach 125% Increase in the past 5yrs Breach Level Index & Ponemon Institute 15

11 Data Breach Stats Source:Trend Micro 16

12 Data Breach Cost 2014 Average Cost to a company per data breach in 2014 $3.5 million (+15% from 2013) Total Cost = 1,541 confirmed incidents x $3.5 million = $5.4 billion Healthcare related = 391 x $3.5 million = $1.37 billion Critical to controlling costs is keeping customers from leaving. The research reveals that reputation and the loss of customer loyalty does the most damage to the bottom line. In the aftermath of a breach, companies find they must spend heavily to regain their brand image and acquire new customers. Our report also shows that certain industries, such as pharmaceutical companies, financial services and healthcare, experience a high customer turnover. In the aftermath of a data breach, these companies need to be especially focused on the concerns of their customers. As a preventive measure, companies should consider having an incident response and crisis management plan in place. Efficient response to the breach and containment of the damage has been shown to reduce the cost of breach significantly. Other measures include having a CISO in charge and involving the company s business continuity management team in dealing with the breach. (Ponemon Institute, 2014 Cost of Data Breach: Global Analysis) CLASSIFICATION 12

13 Defense in Depth You can stop some of the attacks all of the time, You can stop all of the attacks some of the time, But you CAN T stop all of the attacks all of the time No one solution will stop every attack A layered defense is your best bet Remember that if you are under attack by an advanced attacker, there is at least one person whose full-time job is to hack your company. Odds are, they will eventually succeed The key is early detection and quick remediation

14 Traditional Computer Forensics Looking for: Contraband Files Transfer History Evidence of Another Crime Documents Messages Browser History Very Thorough Very Time Consuming Volatile artifacts are lost 14

15 Traditional Computer Forensic Approach Treat the computer as a static crime scene Turn off Take back to the lab Make an exact image Examine the image Keep the computer as evidence Pull out during trial and show to the jury Might be returned long after obsolete 15

16 Modern Computer Forensics Challenges Distributed data storage RAID SAN NAS Cloud??? Virtualization Thousands of possibly affected systems across enterprise You can t seize the Amazon AWS server farm (nor would you want to try) 16

17 Computer Intrusion Response Re-Image First and Ask Questions Later Effective approach against most simple threats Less effective against more advanced threats A virus may have spread to other computers Attacker may be a person whose job is to infiltrate your network, however long it takes You may have only gotten the tip of the iceberg You may have destroyed the best evidence of what else the attackers did on your network Better Approach Try to determine the scope of the intrusion Lateral movement Persistence mechanisms Type of data targeted Central logging Identify attacker IP/Hostnames

18 Intrusion Forensics Who is in your network? How did they get in? What are they after? Where else are they? What did they take? What did they leave behind? How do we get them out? Can they get back in? 18

19 Intrusion Lifecycle Exploitation Intrusion of Hosts Establishing Foothold Reconnaissance Profiling Targets Scanning and Mapping Persistence Backdoors, Obtain valid credentials Denial & Deception Modification of logs, cleanup of staging files Exfiltration Aggregation of Materials Removal of content to Remote network

20 Incident Response Process Detection/ Identification Preparation Containment Recovery Eradication

21 How an Intrusion Works Compromised US Hop Point Spear Phishing Attacker (Foreign Country) Victim Desktop Victim Domain Controller

22 How an Intrusion Works Compromised US Hop Point Spear Phishing Attacker (Foreign Country) Victim Desktop Victim Domain Controller

23 How an Intrusion Works Compromised US Hop Point Beacon Attacker (Foreign Country) Victim Desktop Victim Domain Controller

24 How an Intrusion Works Compromised US Hop Point Reverse Shell Attacker (Foreign Country) Lateral Movement Victim Victim Desktop Domain Controller

25 How an Intrusion Works Compromised US Hop Point Reverse Shell Gather Data Attacker (Foreign Country) Victim Desktop Victim Domain Controller

26 How an Intrusion Works Beacons Compromised US Hop Point Reverse Shell Your Data Attacker (Foreign Country) FTP/http/etc Victim Desktop Victim Domain Controller Compromised US Hop Point

27 How an Intrusion Works Beacons Compromised US Hop Point Attacker Still Has Access Attacker (Foreign Country) Victim Desktop (Mitigated) Victim Domain Controller

28 Evidence Sources Firewall Logs DNS Query Logs Network Traffic Capture SMB Logs Memory Hard Drive Live Response Data Windows System Logs Unix syslog

29 Primary Intrusion Vectors The exploitation of Trust The trusted inbound . The publicly available trusted web site of appropriate business interest. The download of trusted code from a trusted and authorized vendor. The trusted outward facing server. The necessary trust of the internal network The connections with trusted business partners.

30 Common Malware Characteristics Custom designed to target victim company Tends to send frequent outbound beacons Often uses common ports (80, 443, etc) Opens reverse connection on command from controller Malicious domains are usually dynamic DNS that can be pointed to various compromised hop points Often have full featured command and control functions including file upload and download

31 Indicators of Compromise Network Based Remote Desktop sessions from external IP s Non-HTTP traffic on port 80 Traffic that does not conform to known protocols Unexplained outgoing FTP sessions RAR data transfers Connections on wrong/unusual ports Host (Computer) Based Executables in wrong directory c:\windows vs c:\windows\system32 Executables with similar filenames service.exe vs services.exe Staged.rar files Unexpected services running

32 Know What Normal Looks Like System Configuration Software Baselines Digital Signatures Cryptographic Hashes Network Traffic Types Protocols Traffic Volumes Different for different systems Server vs. workstation Legitimate Processes Patch Levels

33 General Principles Triage systems to be examined Work in order of volatility Try to cause the least possible impact on the evidence Understand that you will alter the system Document what you did What tools were run What output you got What artifacts were located What conclusions you reached You may have to testify if the case goes to court

34 Live Response Acquire the most volatile information first Run from external device if possible Run from trusted command prompt ipconfig all displaydns net view localgroup localgroup_admins netstat.exe ano (established connections/processes) R (routing table)

35 Live Response Sysinternals Tools autoruns psloggedon tcpvcon Process Hacker Very powerful interactive tool View process information View network information for processes View usage statistics (look for outliers) Can dump process memory Can modify running processes

36 FBI Response What the FBI can do Investigate National and global Combine technical skills and investigative experiences Consensual monitoring of intruder activity Victim Notification Provide information for network defense and mitigation of compromises Forensics Intrusion Response Malware Analysis Patterns and Links Access to classified indicators of compromise Bring national security concerns to intelligence community Joint outreach/response (DHS, internal, partner agencies)

37 FBI Cyber Capabilities Cyber Task Forces in all 56 FBI Field Offices FBI Other Federal Agencies State/Local Law Enforcement Michigan State University Police Michigan State Police 75 FBI Legal Attaché Offices around the world Dedicated Cyber Assistant Legal Attachés National Cyber Investigative Joint Task Force Ways to share information. InfraGard IC3.GOV (Internet Crime Complaint Center) CYWATCH Focal point for cyber threat prevention, protection, response and recovery for the nation s state, local, territorial, and tribal governments. 24x7 cyber operations center. iguardian Allows private sector to submit cyber security incidents directly to FBI

38 FBI Response What the FBI won t do Take over your systems Voluntary vs Legal Process Repair your systems. Share proprietary information with competitors. Provide investigation-related information to the media or shareholders. In essence we will not further victimize the victim.

39 Cooperation and Vigilance The most effective weapon against crime is cooperation... The efforts of all law enforcement agencies with the support and understanding of the American people.» J. Edgar Hoover There are only two types of companies: Those that have been hacked, and those that will be.» Former FBI Director Mueller

40 Resources and Links SANS Digital Forensics Cheat Sheets SIFT Workstation Logstash VM SysInternals Process Hacker MoonSols Dumpit Mandiant Redline FTK Imager Volatility Rekall Log2Timeline/Plaso RegRipper SleuthKit Digital Forensics Framework Open Computer Forensics Architecture Bulk Extractor Wireshark Dshell Malwr Anubis Virus Total None of these tools/sites are endorsed by the FBI I ve just used them at one point or another

41 Questions? FBI Detroit SA Ryan Ormond Cyber Task Force