Bot-Trek Cyber Intelligence (CI)

Transcription

1 (CI) a platform which allows customers the ability to monitor, analyze and predict potential threats to information security relevant to the company, its partners and customers

2 Examples of Incidents Home Depot's 56 Million Card Breach Bigger Than Target's Chinese Hackers Target srael s Iron Dome Massive Sony breach sheds light on murky hacker universe Home Depot Inc. said 56 million cards may have been compromised in a five-month attack on its payment terminals, making the breach much bigger than the holiday attack at Target Corp. Three Israeli defense contractors responsible for building the Iron Dome missile shield currently protecting Israel from a barrage of rocket attacks were compromised by hackers and robbed of huge quantities of sensitive documents pertaining to the shield technology. Last week Sony admitted to having suffered a major cybersecurity breach; hackers not only erased data from its systems, but also stole, and released to the public, pre-release movies, people s private information, and sensitive documents. Data Breach at Health Insurer Anthem Could Impact Millions, Banks: Card Thieves Hit White Lodging Again, FBI: Businesses Lost $215M to Scams, Home Depot: 56M Cards Impacted, Malware Contained, Medical Records For Sale in Underground Stolen From Texas Life Insurance Firm, Sony Breach May Have Exposed Employee Healthcare, Salary Data, Malware Based Credit Card Breach at Kmart, Dairy Queen Confirms Breach at 395 Stores, Huge Data Leak at Largest U.S. Bond Insurer, Hackers Plundered Israeli Defense Firms that Built Iron Dome Missile Defense System, ebay Urges Password Changes After Breach, Target: Names, s, Phone Numbers on Up To 70 Million Customers Stolen 2

3 Targeted Attacks in 2014 Anunak Hacking of more than 50 Russian banks, 5 payment systems, and 16 retail companies. Access to isolated banking systems, ATMs, , and payment gateways. Regin Hacking of telecom operators, state-owned companies, research institutions, and political organizations. Access to confidential information, tracking of GSM networks. Energetic Bear Hacking of energy, pharmaceutical, construction and educational institutions. Careto Hacking of government, diplomatic, energy, oil, investment companies and research institutes. 3

4 Data on Damage (HP, PWC, Group-IB) Reacting to the incident after it has already occurred is very expensive in terms of both the management of consequences and the eradication of attacker from the internal infrastructure $ 40 mln is earned by one criminal group by stealing in Internet banking information Damage amount, 2013 Damage amount, 2014 Large organizations Income: over $ 1 bln $ 3.9 mln $ 5.9 mln * Group-IB data Medium-sized organizations Income: over $ 100 mln to $ 1 bln $ 1 mln $ 1.3 mln Small organizations Income: less than $ 100 mln $ 0.65 mln $ 0.41 mln $ 1.5 mln is direct damage caused by the targeted attack < $ 1.2 mln is сamount of direct steals we prevent per year Incidents cause great damage to large organizations The average amount of financial losses due to information security incidents, * PWC data Average damage due to cyber attacks per $ 12.7 mln In Russia, $ 3.3 mln *HP, Ponemon data 4

5 Incident Development Time Seconds Minutes Hours Days Weeks Months Years From attack to discredit 10% 75% 12% 2% 0% 1% 1% Hacking takes minutes From discredit to leakage 10% 38% 14% 25% 8% 8% 0% From leakage to detection 0% 0% 2% 13% 29% 54% 2% Detection and elimination take weeks and months From detection to localization and elimination 0% 1% % 17% 4% Time scale of events in % of the total number of hackings * Source: 2012 Verizon Data Breach Investigations 5

6 Why do Incidents Happen? Means of protection do not provide information on attackers, used tools and attack tactics Accidentally intercepted password can be the beginning of the targeted attack It is not possible to distinguish among thousands of events those that are really important The event importance can not be adequately estimated without the knowledge of the hacking target No indicators to identify interesting incidents 6

7 Be Proactive Forecast possible attacks Identify attacks in preparation Preparation 1. Exploration Collection of s, confidential information, etc. 2. Arming Collection exploits and backdoors Hours-months Study attack tactics based on other incidents Be prepared to resist threats in advance Hacking 5. Installation of malicious programs in victim s devices 4. Exploitation of vulnerabilities by using malicious programs in victim s devices 3. Delivery of arms to the victim via , Web, USB, etc. Seconds Suppress attack at the very beginning Data leakage 6. Management Sending commands for remote control of victim s device 7. Impact on the facilities, access to needed data Months 7

8 What is Needed for Proactive Protection? Cyber Intelligence makes it possible to prevent the incident at the preparation stage and to become proactive Be constantly involved in the analysis of various incidents Track data leakage outside the protection perimeter Identify hacked accounts in botnets and phishing pages Be provided with the infrastructure for data processing and receive information on new threats Track attack on partners and customers Study data on new threats Analyze connections between events 8

9 Bot-Trek Сyber Intelligence a platform enabling the customer to monitor, analyze and predict potential threats to information security that are relevant to the company, its partners and customers SaaS-solution: no installation required Integration with antifraud systems and IDS/IPS/SIEM Stix/Taxii support 9

10 CI Operation Initial data Intelligence Bank cards Analysis and trends Compatible with Stix/Taxii Botnets Investigations Sandboxes Correlation Analysis and check Risk notifications Cracked passwords, databases, etc. API for Enterprise security Deep Web Hacktivism analysis SPAM traps CERT Intelligence exchange Additional data c ollection DDoS, Deface, Phishing, Malvertising feeds Dashboard Malware Suspect IP Social networks Forensic Relation to regions and business areas Дропы/Mules 10

11 The Data We Provide Strategic data: Analysis of the actions of criminal groups Assessment of attacks in various countries/ business segments Forecasting new threats Information on the most relevant threats Tactical/operational data: Information on threats and analysis Information on current attacks Information on criminal groups/their tools/tactics Technical indicators: IP and URL addresses Names of malicious attachments Themes of letters with targeted attacks Hacked legitimate web-sites spreading malware CChanges in the operating system Abnormal signs Information on logins/passwords of the company, its partners and customers 11

12 Who Can Use the Data As the Security/Risk Manager You can: As the Marketing Director You can: Prevent accidents and fraud Correctly assess risks to the company Develop tactical and strategic security plans Track trends, global and local threats Assess the effectiveness of military protection processes Improve the effectiveness of the marketing tools you use Always be aware of the threats your company could be exposed to and have the tools for rapid counteraction. If necessary, add new channels to interact with potential customers of your company Respond effectively to current challenges As the Director of Human Resources (HR) You can: Track unlawful activity of your employees Adjust the policy of the Company depending on the identified threats As the Chief Executive Office (CEO) You can: Always be aware of the most dangerous threats your company could be exposed to Assess the effectiveness of protected investments Be aware of potential financial losses 12

13 How to Manage the Large Amounts of Data? API for integration with your SIEM, IPS, and Firewall Individual notifications of targeted attacks on you for you, your partners, and clients Tactic information can be filtered for countries and business areas We support the STIX format upon submission of threat data 24x7 support 13

14 Data Sources and Information Storage Security Confidential data is available only to those companies which they belong to We process data in 11 languages Data on different countries are stored on servers in those countries: storage devices are currently deployed in the USA, Germany, Russia, the Netherlands, and Great Britain 14

15 Analytics and Trends Data flow Content Possibilities Analysis of hacking companies Company Damage evaluation Analytics and trends Quarterly digests Statistical data Invest expediently Adjust the risk map Identify your enemy Forecasting of threats Prioritize threats 15

16 Discredited Data Data flow Content Possibilities Logins/passwords Company IMEI / IMSI Discredited data Card data Files: SMS, screen images, logs Ensure against corporate leakage Ensure against fraud of customers Stop targeted attacks Drops (Mules) Get confirmation of hacking Identify the hacking source 16

17 Threats Data flow Content Possibilities Hacking tools Company Tactics Threats Data leakage Hiring of insiders Correlate with your incidents Forecast the risks Identify an insider Warn the personnel and directorate Adapt the response plan 17

18 Daily Attacks Data flow Content Possibilities DDoS Company Deface Attacks Phishing Malvertising Trace the bursts Forecast Identify the infections Estimate the risks 18

19 Hacktivists and Cyberterrorists Data flow Content Possibilities Operations Company Groups Hacktivists Interrelations Experience Trace the leakages Study the attack tactics Estimate the risks Tools Eliminate the attack consequences Forecast 19

20 Targeted attacks Data flow Content Possibilities Tactics Company Tools Targeted attacks Indicators Identify the attack Adjust the protection tools Estimate the risks Protect the partners 20

21 Suspect IP Addresses Data flow Content Possibilities TOR nodes Company Open proxy IP addresses Private SOCKS proxy Compromised servers Identify the attacks Integrate with antifraud systems 21

22 Quick Start 1. Convenient WEB-interface for data search and analysis 2. Simple and quick connection process 3. API for integration with existing protection systems 22

23 Russia is the Source of the Most Interesting Threats Bank trojans Zeus SpyEye Carberp Tinba Dyre/Dyreza DDoS trojans Black Energy Optima Darkness Dirt Jumper Drive Revolution Rovnix Gozi/ISFB Targeted attacks Red October Energetic bear Anunak Exploit Kits BlackHole Angler Rig Nuclear Neutrino Styx 23

24 Group-IB in Russia CERT-GIB is the first day-and-night accredited center for monitoring and detecting cyber threats Group-IB has the largest computer forensics lab in Eastern Europe Customers with daily existing incidents Competent in operation with domains such as RU, RF, SU, ТАТАР, ДЕТИ Infrastructure of analysis of network traffic Virus analysts, criminal experts, response team, own R&D 24

25 Why Group-IB? Group-IB is one of 7 most influential information security companies One of 7 companies included in the Gartner report in Cyber Intelligence section 80% of all huge legal cases in a field of cybercrime involve Group-IB s expertise and research 12 YEARS of experience in a field of computer forensics cyber crime prevention and brand protection Europol signed an agreement with Group-IB to cooperate in combating cybercrime on a global scale Group-IB s experts release detailed report on cyber crime trends every year Rostec has chosen Bot-Trek as one of the main solutions that help create corporate security system 25

26 Participation of Group-IB in Notable Investigations Arrest of the author of Blackhole exploits: 40% of infections in the world occurred with the use of his exploits Arrest of Leonid Kuvaev: According to SPAMHOUSE, he is one of three most dangerous spammers of the world Anunak/Carbanak Attacks: successfully hacked over 50 banks Arrest of the Carberp group: botnet of more than 6 million computers, hundreds of millions of dollars stolen Arrest of the owner of the first bank mobile botnet 26

27 Ask about all possibilities of Manager Alexander Tushkanov Head, International Sales Group-IB ext. 575 (Moscow landline) +44 (0) (UK mobile)