Keynote: FBI
Wednesday, February 4, noon to 1:10 p.m.
Speaker: Leo Taddeo, Special Agent in Charge, Cyber/Special Operations Division, Federal Bureau of Investigation

Biography: Leo Taddeo
Leo Taddeo is the Special Agent in Charge of the Special Operations/Cyber Division of the FBI. He leads more than 400 agents and support personnel in cyber investigations, surveillance operations, information technology support and crisis management. His previous responsibilities focused on FBI international operations, including service as a section chief in the International Operations Division, where he managed FBI operations in Africa, Asia and the Middle East. Mr. Taddeo also served overseas from 2005 to 2009 as the FBI Legal Attaché in Rome, Italy. In this role, he worked closely with Italian authorities on counterterrorism and criminal investigations. Mr. Taddeo began his FBI career in 1995 as a criminal investigator in New York, where he led investigations into Russian and Italian organized crime influence in the securities industry. Mr. Taddeo has held various roles of increasing responsibility in the field, including supervising a joint FBI/New York City Police Department Joint Terrorism Task Force, and serving as the Assistant Special Agent in Charge of the Baltimore Field Office. Mr. Taddeo received his degree in applied physics in 1987 from Rensselaer Polytechnic Institute. After completing his studies at Rensselaer, he served as a tank officer in the U.S. Marine Corps. Following his service in the Marines, Mr. Taddeo earned a law degree from St. John's University. Upon graduation, he joined the law firm of Mound, Cotton & Wollan in New York, where he practiced in the field of civil litigation until entering on duty with the FBI.
Who are the Adversaries?
(Slide axes: Sophistication, Expertise, Funding, Patience, Target Value)
Threat Level 1
- Inexperienced; limited funding
- Opportunistic behavior; target known vulnerabilities
- Use viruses, worms, rudimentary trojans, bots
- In it for thrills, bragging rights
- Easily detected
Threat Level 2
- Higher-order skills; well financed
- Target known vulnerabilities
- Use viruses, worms, trojans, bots to introduce more sophisticated tools
- Target and exploit valuable data
- Detectable, but hard to attribute
Threat Level 3
- Very sophisticated tradecraft; foreign intelligence agencies
- Very well financed
- Target technology as well as information
- Use a wide range of tradecraft
- Establish covert presence on sensitive networks
- Undetectable?
SECRET//NOFORN
Slide 3 (figure): threat actors (Individuals, Organized Crime Syndicates, Hacktivist Groups, Nation States) and their targets (Nation States, Individuals, Industry, Law Enforcement & Government, Infrastructure). Slide comments by ltaddeo, 10/29/2014.
GameOver Zeus
People's Liberation Army (PLA)
National Cybersecurity Framework
(Slide axis: Foreign / Domestic)
DHS (Protection, Prevention, Mitigation, & Recovery)
- Coordinate the national protection, prevention, mitigation of, and recovery from cyber events
- Disseminate domestic cyber threat and vulnerability analysis
- Protect critical infrastructure
- Secure federal civilian systems
- Investigate cyber crimes under DHS jurisdiction
DOJ/FBI (Detection, Investigation, Attribution, & Disruption)
- Investigate, attribute, disrupt, and prosecute cyber crimes
- Lead domestic national security operations
- Conduct domestic collection, analysis, and dissemination of cyber threat intelligence
- Support the national protection, prevention, mitigation of, and recovery from cyber incidents
- Coordinate cyber threat investigations
DOD/NSA (Defense, Prevention, & Overseas Intelligence)
FBI Cyber Mission
To proactively protect the United States against:
- Terrorist attack
- Foreign intelligence operations and espionage
- Cyber-based attacks and high-technology crimes
As the only United States agency with the authority to investigate both criminal and national security computer intrusions, the FBI is following a number of emerging cyber threats.
External Breaches Source: Verizon 2014 Data Breach Investigations Report
Create Task Forces
Complaints to Internet Crime Complaint Center
When to Call Law Enforcement
- Public safety
- Potential impact to critical infrastructure
- National security matters (defense contractor; classified databases)
- Origin of attack: criminal or nation-state
- Sophistication/skill level of attacker
- Potential impact to other networks
- Potential financial loss to victim
FBI Cyber Incident Response Teams: Capabilities/Skill Sets
- Network traffic analysis: analysis of network traffic (netflow and pcap); router configuration files and other network-related log files
- Host-based forensics: collect forensic host images and live memory captures; analyze images for indicators of compromise
- Malware: analyze samples of malicious code
- Legal: process legal documentation (consent or the computer trespasser exception)
- Intelligence: research evidence in FBI/USIC databases and disseminate to partners
FBI Objectives in Responding to a Cyber Incident
- Investigate and prosecute cyber crimes
- Work with the victim to continue operations: the system owner retains control of systems; the system owner (not the Special Agent) produces logs, memory images, etc.; no crime scene tape around your networks
- Protect data: not an advance team for regulators or plaintiffs' lawyers; maintain confidentiality of PII and other protected data; maintain confidentiality of the incident
- Assist in mitigation and recovery: provide signatures and TTPs; provide classified information as needed
Lessons Learned From Prior Incidents - Technical
- No accurate map of the network
- No accurate list of authorized devices on the network
- Insufficient logs: not logging the right activity; not maintaining logs for a sufficient period of time; personnel not trained to retrieve or analyze logs
- Insufficient backups: inability to restore operations
- Proprietary software: not secure / not patched
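The first of these gaps (no reliable list of authorized devices, logs not kept long enough or with holes in them) can be measured before an incident instead of discovered during one. The following is an added example, not material from the talk or any FBI tooling: it reconciles DHCP lease records against a device inventory and measures how far back a daily log archive actually reaches against a retention requirement. The inventory, the dhcpd log lines, the archive listing, the 90-day requirement and the "today" date are all constructed for the example.

```python
"""Added example (not from the talk or FBI tooling): two pre-incident checks for gaps
named on the 'Lessons Learned - Technical' slide: unknown devices on the network, and
logs not retained long enough. All inventory data, log lines and dates are constructed."""
import re
from datetime import date, timedelta

# Constructed authorized-device inventory: MAC address -> asset name.
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01": "fileserver-01",
    "aa:bb:cc:00:00:02": "ws-finance-07",
    "aa:bb:cc:00:00:03": "printer-3f",
}

# Constructed DHCP server log excerpt in ISC dhcpd syslog format.
DHCP_LOG = """\
Oct 29 08:12:03 dhcp1 dhcpd: DHCPACK on 10.0.1.23 to aa:bb:cc:00:00:02 (ws-finance-07) via eth0
Oct 29 08:12:41 dhcp1 dhcpd: DHCPACK on 10.0.1.77 to de:ad:be:ef:00:01 (android-9c2) via eth0
Oct 29 08:13:10 dhcp1 dhcpd: DHCPDISCOVER from de:ad:be:ef:00:02 via eth0
Oct 29 08:13:11 dhcp1 dhcpd: DHCPACK on 10.0.1.78 to de:ad:be:ef:00:02 via eth0
Oct 29 09:00:00 dhcp1 dhcpd: DHCPACK on 10.0.1.5 to aa:bb:cc:00:00:01 (fileserver-01) via eth0
"""

# Only a DHCPACK means an address was actually handed out; a bare DISCOVER never joined.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<host>[^)]*)\))?"
)


def unauthorized_devices(log_text, authorized):
    """Return {mac: (ip, hostname)} for every lease granted to a MAC not in the inventory."""
    found = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m is None:
            continue
        mac = m.group("mac").lower()
        if mac not in authorized:
            found[mac] = (m.group("ip"), m.group("host") or "")
    return found


# Constructed retention policy and archive listing: the log host is supposed to keep
# 90 days of daily firewall logs, but only the last 30 days exist and three of those
# (12, 13 and 14 days back from today) were lost.
TODAY = date(2014, 10, 29)
REQUIRED_DAYS = 90
ARCHIVED_LOG_DATES = [
    TODAY - timedelta(days=d) for d in range(0, 30) if d not in (12, 13, 14)
]


def retention_gaps(present_dates, required_days, today):
    """Return, newest first, every date inside the retention window with no log file.
    Today's file is still being written, so the window starts at yesterday."""
    present = set(present_dates)
    return [
        today - timedelta(days=d)
        for d in range(1, required_days + 1)
        if (today - timedelta(days=d)) not in present
    ]


def contiguous_coverage_days(present_dates, today):
    """How many days back from yesterday can an investigator reconstruct without a hole?
    Older files beyond the first gap do not count: a timeline with a hole in it is
    exactly the 'insufficient logs' failure the slide describes."""
    present = set(present_dates)
    days = 0
    while (today - timedelta(days=days + 1)) in present:
        days += 1
    return days


if __name__ == "__main__":
    for mac, (ip, host) in unauthorized_devices(DHCP_LOG, AUTHORIZED_DEVICES).items():
        print(f"unknown device {mac} got {ip} ({host or 'no hostname'})")
    gaps = retention_gaps(ARCHIVED_LOG_DATES, REQUIRED_DAYS, TODAY)
    print(f"{len(gaps)} of {REQUIRED_DAYS} required days have no log; first gap {gaps[0]}")
    print(f"contiguous coverage: {contiguous_coverage_days(ARCHIVED_LOG_DATES, TODAY)} days")
```

On the constructed data the inventory check flags two MACs that were never authorized, one of which supplied no hostname at all, and the retention check shows that although the archive nominally goes back a month, only eleven days can be reconstructed without a hole, against a 90-day requirement. In practice the DHCP excerpt would come from the DHCP server's syslog and the archive listing from the log host's directory, and both checks would run on a schedule rather than once.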
Lessons Learned From Prior Incidents - Legal
- No prior consideration of key legal issues: privacy issues and data sharing; operations in foreign jurisdictions; engaging experienced outside counsel; third-party agreements; third-party liabilities; insurance policies
Working with Law Enforcement
- Do you have a contact in the FBI or Secret Service?
- Consent to search/monitor?
- How much will you share?
- Maintaining privilege
- Preservation of evidence
Conclusion Questions?