Who s Doing the Hacking?

Who s Doing the Hacking? 1

HACKTIVISTS Although the term hacktivist refers to cyber attacks conducted in the name of political activism, this segment of the cyber threat spectrum covers everything from individual hackers seeking thrills and bragging rights to hacker groups conducting distributed denial of service (DDoS) attacks and website defacements against government and corporate entities.

Cybercriminal Services Mirror legitimate business processes Executives Recruiters Ground level forces Provide a robust technical support structure Advertise R&D Rent/Buy/Lease Products and Services Credit Card vs PII/EHR Fortinet 2013 Cybercrime Report

Retail Threat Vectors Sophisticated Botnets Point of Sale Malware Fraudulent Payment Methods Mobile Payments Distributed Denial of Service Business Email Compromise 4

Oregon IC3 Reports for September 2015 Acct pics used for escort 2 Bank Fraud 8 Business Email Compromise 13 Breach 1 Credit Card Fraud 7 Scareware / RA 5 DDoS 3 Email Fraud 7 Email Takeover 3 Facebook Fraud 5 Facebook Takeover 2 Hacking/reshipping 3 WalMart Reshipping 5 Identity Theft 16 Misc. Reports 8 Online Car Scam 2 Online Purchase Fraud 10 PC Repair Fraud 11 Phishing 2 Ransom - Ashly Madison 5 Ransom - misc. 4 Romance Fraud 5 Spam 2 Virus 2 Internet Crime Complain Center on ic3.gov 5

Real Oregon Victims: BEC Registers a domain close to the victim domain Proxy Server @0regonbiz.com @oregonbiz.com The following BEC statistics were reported to the Internet Crime Complaint Center from October 2013 to August 2015: Total U.S. Victims: 7,066 Total U.S. exposed dollar loss: $747,659,840.63 CFO or subordinate accounts managers Spoofed e-mail from CEO to CFO requesting wire transfer Will it be caught?

Real Oregon Victims: Malicious Insider Situation: John, a programmer, believes he is going to be fired and wants to punish his employer Writes a program on the file server to delete the files from the server on Friday night if(curr_datetime >= 06/15/2016 20:00:00 ) { system( delete *.* ); } UNCLASSIFIED 7

Real Oregon Victims: Ransomware Reveton, Crypto Locker, Cryptowall and Tesla Crypt Encrypts files and demands payment in return for decryption The only reliable solution is to restore from a back up CLASSIFICATION 8

Advanced Persistent Threat Foreign adversaries use cyber tools as part of traditional intelligence-gathering and espionage activities. These adversaries conduct computer network operations that target military and governmental organizations intellectual property and insider information. Goal: to stay on your network as long as possible to collect as much information as possible without being discovered.

UNCLASSIFIED Challenges in Addressing the Cyber Threat Serious cyber threat actors are usually overseas. Quality of international law enforcement, laws and priorities. Cyber threat is inherently international, actors affect areas throughout the world at the same time. Cyber investigations require specialized investigators with specialized training and tools.

Cyber Task Forces Leverage Federal, State and Local resources MOU s signed between agencies Full background investigations for TS clearance to work criminal and NatSec Provide O/T funding, training and equipment Build a deeper pool of skilled cyber investigators CLASSIFICATION 11

Law Enforcement Mindset the Environment Understand the victim company s perspective of the complex legal and regulatory environment which currently exists with cybersecurity in the United States. Understand the factors which must be considered by the victim s legal team and company leadership before intelligence can be shared, access provided to compromised networks or hosts, and digital evidence collected by investigators. Be proactive and engage with private sector colleagues before a breach occurs, discuss these matters and build trust.

What Questions Will Be Asked by LE? Names, location, and purpose of operating systems involved; Names and location of programs accessed; Highest classification of information stored in the systems; Impact (compromise of information or dollar loss). How intrusion access was obtained; how attack was carried out. Status of attack; Steps taken to mitigate or remediate. Other organizations affected. Potential suspects, such as outsiders or current or former employees/contractors Available evidence to assist in the investigation (i.e., logs, physical evidence)

What to Expect in Victim Notification Dependent upon how the government obtained the breach information Common to both situations (criminal or NatSec) will the request for log data, access to compromised machines and opportunity to interview key personnel LE may request a Consent Monitor under the Trespasser Statute Trespasser Exception [USC Title 18 Section 2511(I)] provides legal authority for the government to monitor only the specified illicit activity on the network Victim companies can expect assistance from LE in possible attribution of the activity and the provision of indicators/signatures to assist with remediation, but not direct involvement in the remediation/eradication and recovery Focus will be on the intrusion, not the regulatory obligations or compliance aspects of data protection

Incident Preparedness Legal Banner/Computer Use Agreement Network Topography Maps Incident Logs (security, host, IDS, web, database) Archived Network Traffic Proper Access Control Business Continuity Planning Disaster Recovery Procedures 15

NIST Framework

PCI DSS Version 3.1

DHS CDM

ISO / IEC International Organization for Standardization (ISO) International Electrotechnical Commission (IEC) Information Security Management Systems Family of Standards: ISO/IEC 27000 ISO/IEC 27001:2013 ISO/IEC 27002 ISO/IEC 27003 ISO/IEC 27004 ISO/IEC 27005

NERC CIP Standards

NIST Cybersecurity Framework Detailed Matrix

OREGON CYBER TASK FORCE Contact Information: 9109 NE Cascades Parkway Portland, Oregon, 97220 (503) 460-8000 octf.pd@ic.fbi.gov CLASSIFICATION 22