
Understanding the Invisible Internet Cyber Threats Simplified

Chase Cunningham
Chief of Cyber Analytics

The Cyber Threat


Define Defend Defeat Questions

Defining Cyber Threats

Simplifying Cyber Threats


Three categories:
1. Social Engineering: the "help desk" calling to ask "what's your password?"
2. Malware/Exploits: Stuxnet, Flame, Zeus, etc.
3. Insider & Hidden Threat: an employee gets fired and dumps company information on Pastebin

Social Engineering Trickery or deception for the purpose of information gathering, fraud, or computer system access.

Ripped from the Headlines


Stratfor to settle class action suit over hack (Reuters, Jun 27, 2012): "The global security analysis company Strategic Forecasting Inc will settle a class action lawsuit brought by one of its ..." Related coverage: Stratfor settles hacking class action lawsuit (MyBroadband); Stratfor settles with clients over major Anonymous hack (RT); Stratfor settles class-action over Anon megahack with freebies.

Fake Netflix Android App Steals Your Data (PCWorld, Brennon Slattery, Oct 13, 2011; www.pcworld.com/.../fake_netflix_app_poses_datastealing...): "Symantec discovered the Trojan, dubbed Android.Fakeneflic, and assessed it as a 'very low-level risk.' However, placing the sneaky malware ..."

Social Engineering
Accepting LinkedIn invite with bogus HTML tag
From: "Ian Rainey" <xeniatw46@linkedin.com>
Subject: [dm] LinkedIn Notification
Date: May 14, 2012 12:42:31 PM EDT
To: icannalerts@daqus.com

LinkedIn REMINDERS
Invitation notifications: From Colton Alston (Your co-worker)
PENDING MESSAGES: There are a total of 3 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.
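Two checks that catch a lure like the invite above can be automated on the raw message: a Reply-To or Return-Path domain that differs from the From domain, and an HTML anchor whose visible text names one domain while its href points at another (the "bogus HTML tag"). The following is an added example, not code from the presentation; the message it parses is constructed for the example, with example.net standing in for the attacker's domain, and base_domain() is a deliberate simplification that keeps only the last two labels of a hostname.

```python
"""Header-mismatch and bogus-anchor checks on a raw e-mail (added example, constructed input)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure. The visible link text says linkedin.com, the href goes to example.net.
SAMPLE_EMAIL = """\
From: "Ian Rainey" <notifications@linkedin.com>
Reply-To: support@example.net
Return-Path: <bounce@example.net>
Subject: LinkedIn Notification
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Invitation notifications: From Colton Alston (Your co-worker)</p>
<p>There are a total of 3 messages awaiting your response.
<a href="http://login.example.net/inbox">Visit your InBox now at www.linkedin.com</a></p>
<p><a href="https://www.linkedin.com/settings">Adjust your message settings</a></p>
</body></html>
"""

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def base_domain(host):
    """Last two labels of a hostname (simplification: ignores multi-label suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    findings = []
    from_domain = base_domain(parseaddr(msg.get("From", ""))[1].partition("@")[2])

    # 1. header mismatch: replies or bounces are steered to a domain other than the sender's
    for header in ("Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(header, ""))[1]
        if addr:
            domain = base_domain(addr.partition("@")[2])
            if domain != from_domain:
                findings.append(f"{header} domain {domain} differs from From domain {from_domain}")

    # 2. bogus anchor: domain named in the link text vs. domain the href actually targets
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = AnchorCollector()
        collector.feed(html)
        for href, text in collector.anchors:
            target = base_domain(urlparse(href).hostname or "")
            for named in DOMAIN_RE.findall(text):
                if base_domain(named) != target:
                    findings.append(f"link text names {named} but href goes to {target}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("INDICATOR:", finding)
```

Run against the constructed message it reports three indicators: the Reply-To and Return-Path domains differ from the From domain, and the "Visit your InBox" link names linkedin.com while pointing at example.net. A display name or From address alone proves nothing either way; the point of the anchor check is that the text a user reads and the place the click goes are two different fields.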

Social Engineering
Dumpster Diving

Social Engineering
Acting like a superior on the phone

Social Engineering
Phishing: Acquiring information such as usernames, passwords, SSNs, and account numbers by masquerading as a trustworthy entity.
Hello Dear , I am Miss Gloria Uzoka. A computer scientist with central bank of Nigeria. I am 26 years old, just started work with C.B.N. I came across your file which was marked X and your released disk painted RED, I took time to study it and found out that you have paid VIRTUALLY all fees and certificate but the fund has not been release to you

Social Engineering
Spearphishing: A form of phishing targeting specific users, usually with details about them or their organization that make the lure credible. Trojans: Malware disguised as something legitimate (an attachment, a download) so that it sneaks in under the network's security posture.

Malware/Exploit Software that is written to cause harm, damage, or covert action against a network by exploiting the algorithms and operations of the system itself.

Ripped from the Headlines


Shared code indicates Flame, Stuxnet creators worked together (CNET, Elinor Mills, Jun 11, 2012): "Researchers at Kaspersky Lab say code is shared in the two threats and that there was an exploit in Stuxnet that was previously unknown." Related coverage: Researchers Connect Flame to US-Israel Stuxnet Attack (Wired); Flame cyberweapon is tied to Stuxnet program (New Scientist blog); Flame and Stuxnet teams worked together, researchers report (Fox News).

New Zeus Variant Targets Facebook and Google Users (PC Magazine): "You wouldn't click a link in email and enter your credit card details; you know better. But a new Zeus variant waits until after you've logged into ..." Related coverage: Zeus: How to Fight Back (BankInfoSecurity.com); Action Fraud warns of a Zeus malware strain that puts Facebook and ... (Inquirer); ThreatMetrix detects new strain of Zeus Trojan (Computer Business Review).

Malware/Exploit
Zero-day: An exploit for a vulnerability for which no patch exists, either because the vulnerability has only just been discovered or because the industry does not yet understand it (the vendor has had zero days to fix it).

Zero-day

By definition there is no patch for a zero-day. That is not the same as no defense: the exploit still has to run on the target and do something afterwards, so least privilege, network segmentation, and monitoring for activity outside the baseline limit what it can do and give you a chance to notice it. Live in fear!

Malware/Exploit
Worm: Malware that copies itself and spreads across the network on its own, without a user having to open or run anything.

Malware/Exploit
DNS Cache Poisoning: Injecting forged records into a DNS resolver's cache so that a name resolves to an attacker-controlled address; users who type the correct name are then sent to an exploited or impersonated page.
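Why a forged record can land in a cache comes down to what the resolver checks before accepting a reply. The following is an added example, not code from the presentation or from any real resolver: it models the reply-acceptance step only, with a weak check that matches on the 16-bit transaction ID alone next to a hardened check that also requires the source port and question to match and discards records outside the queried server's zone (the bailiwick rule). All names, addresses, IDs and ports are constructed.

```python
"""Resolver reply acceptance, weak vs. hardened (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pending:
    """An outstanding query the resolver sent upstream."""
    txid: int       # 16-bit transaction ID
    src_port: int   # UDP source port the query left from; the reply must come back to it
    qname: str
    zone: str       # zone the queried server is authoritative for (its bailiwick)


@dataclass(frozen=True)
class Reply:
    txid: int
    dst_port: int
    qname: str
    records: tuple  # ((owner name, rdata), ...) from the answer, authority and additional sections


def in_bailiwick(name, zone):
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_txid_only(pending, reply):
    """Weak: match on transaction ID alone and cache every record the reply carries."""
    if reply.txid != pending.txid:
        return None
    return dict(reply.records)


def accept_hardened(pending, reply):
    """Hardened: ID, port and question must all match; records outside the bailiwick are dropped."""
    if (reply.txid, reply.dst_port, reply.qname.lower()) != (pending.txid, pending.src_port, pending.qname.lower()):
        return None
    return {name: rdata for name, rdata in reply.records if in_bailiwick(name, pending.zone)}


# Case 1: the attacker runs attacker.example, so it knows the ID and port of a query it
# receives, and answers with an extra record for a name it does not own.
LURE_QUERY = Pending(txid=0x1234, src_port=53, qname="www.attacker.example", zone="attacker.example")
LURE_REPLY = Reply(txid=0x1234, dst_port=53, qname="www.attacker.example",
                   records=(("www.attacker.example", "203.0.113.1"),
                            ("www.bank.example", "203.0.113.66")))   # the poison


def brute_force_counts(txid=0x4E2F, random_port=40213):
    """Case 2: the attacker does not know the ID and floods all 65536 guesses at port 53.
    Returns (forgeries accepted by the weak check, forgeries accepted by the hardened check)."""
    weak_target = Pending(txid, 53, "www.bank.example", "bank.example")           # fixed source port
    hard_target = Pending(txid, random_port, "www.bank.example", "bank.example")  # randomized source port
    forged = (("www.bank.example", "203.0.113.66"),)
    weak = hard = 0
    for guess in range(65536):
        reply = Reply(guess, 53, "www.bank.example", forged)
        weak += accept_txid_only(weak_target, reply) is not None
        hard += accept_hardened(hard_target, reply) is not None
    return weak, hard


if __name__ == "__main__":
    print("weak cache after lure:    ", accept_txid_only(LURE_QUERY, LURE_REPLY))
    print("hardened cache after lure:", accept_hardened(LURE_QUERY, LURE_REPLY))
    print("brute force (weak, hardened):", brute_force_counts())
```

In case 1 the weak resolver caches the bank's name from a server that has no authority over it; the bailiwick rule throws that record away. In case 2 enumerating every transaction ID is cheap, and exactly one guess lands against the fixed-port resolver, while the randomized source port turns the same flood into a guess over roughly 65536 times 64000 combinations and none of the 65536 forgeries is accepted. Real deployments add DNSSEC validation on top; the checks here are the minimum a resolver owes its cache.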

Malware/Exploit
Botnet: A group of compromised host computers (zombies) under an attacker's remote control, used together to accomplish any action: sending spam, flooding a target, stealing credentials, etc.

Insider or Hidden Threat


Anyone who has or had authorized access to an organization's network or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or systems.

Ripped from the Headlines


Philip Cummings was a help desk staffer at TeleData Communication, Inc. (TCI) from 1999 to 2000.
30,000 identities stolen; at least $2.7 million in losses (FBI data).
Cummings sentenced to 14 years in prison and a $1 million fine.
Biggest identity theft in US history at the time.

Insider Threats
Internal spy sending company secrets to competitors, nation states, or criminals. Former employees hacking in and selling information. Hacktivism. Good employees making errors.

Defending Against Cyber Threats

Defend
Firewall: A device (hardware or software) that permits or blocks network connections according to a set of rules, evaluated in order, with anything unmatched denied.
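The rule set is where firewalls go wrong in practice, and the classic mistake is ordering: a narrow deny placed after a broad allow that already covers it never fires. The following is an added example, not code from the presentation or from any vendor's rule language: a first-match evaluator with a default deny, plus a check that reports rules an earlier rule fully shadows. The rule set and addresses are constructed.

```python
"""First-match packet filter with default deny and a shadowed-rule check (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                    # "tcp", "udp" or "any"
    dport: Optional[int]          # None means any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str


def rule(action, src, dst, proto="any", dport=None):
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, dport)


def matches(r, pkt):
    return (ipaddress.ip_address(pkt.src) in r.src
            and ipaddress.ip_address(pkt.dst) in r.dst
            and r.proto in ("any", pkt.proto)
            and r.dport in (None, pkt.dport))


def evaluate(rules, pkt):
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return "deny"


def covers(broad, narrow):
    """True when every packet matched by `narrow` is also matched by `broad`."""
    return (narrow.src.subnet_of(broad.src)
            and narrow.dst.subnet_of(broad.dst)
            and broad.proto in ("any", narrow.proto)
            and broad.dport in (None, narrow.dport))


def shadowed(rules):
    """Indices of rules that an earlier rule fully covers, so they can never be reached."""
    return [i for i, r in enumerate(rules) if any(covers(earlier, r) for earlier in rules[:i])]


# Constructed rule set. The intent was "everyone in 10/8 except 10.0.5.0/24 may reach the
# web server", but the deny is ordered after the allow that already covers it.
RULES = [
    rule("allow", "10.0.0.0/8", "192.0.2.10/32", "tcp", 443),
    rule("deny", "10.0.5.0/24", "192.0.2.10/32", "tcp", 443),
    rule("allow", "0.0.0.0/0", "192.0.2.20/32", "tcp", 80),
    rule("deny", "0.0.0.0/0", "0.0.0.0/0"),                      # explicit catch-all
]
FIXED_RULES = [RULES[1], RULES[0]] + RULES[2:]                    # specific deny before broad allow

if __name__ == "__main__":
    pkt = Packet("10.0.5.7", "192.0.2.10", 443, "tcp")
    print("original order:", evaluate(RULES, pkt), "shadowed:", shadowed(RULES))
    print("fixed order:   ", evaluate(FIXED_RULES, pkt), "shadowed:", shadowed(FIXED_RULES))
```

With the constructed rules a host in 10.0.5.0/24 is allowed through because rule 1 decides the packet before rule 2 is consulted; shadowed() reports index 1 as unreachable, and swapping the two rules makes the deny effective. Running the shadow check on every rule-set change is a cheap way to catch this class of mistake before traffic does.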

Defend
Darknet: Routed, allocated IP space in which no active services or servers reside. Nothing legitimate ever connects there, so every packet that arrives is scanning, backscatter from spoofed attacks, or misconfiguration, and all of it is worth examining.

Defend
Honeypot: A system or data set that appears to be part of the network but is isolated and monitored. It often appears to hold information or a resource of value to attackers, so any interaction with it is suspect by definition.
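Darknet space and honeypots share one detection property: there is no legitimate reason to touch them, so a single contact is an alert and many contacts from one source across many darknet addresses is a scan. The following is an added example, not code from the presentation: it runs that logic over constructed flow records (timestamp, source, destination, port, protocol). The documentation address blocks stand in for a real allocated-but-unused range and for a decoy host placed inside the production range.

```python
"""Darknet and honeypot touch detection over constructed flow records (added example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

DARKNET = ipaddress.ip_network("192.0.2.0/24")          # routed, allocated, no services
HONEYPOTS = {ipaddress.ip_address("198.51.100.7")}       # decoy host inside the production range

# Constructed flow records: epoch seconds, source, destination, destination port, protocol
FLOWS = """\
1339420800 203.0.113.5 192.0.2.1 22 tcp
1339420801 203.0.113.5 192.0.2.2 22 tcp
1339420802 203.0.113.5 192.0.2.3 22 tcp
1339420803 203.0.113.5 192.0.2.4 22 tcp
1339420804 203.0.113.9 192.0.2.77 5060 udp
1339420805 198.51.100.20 198.51.100.7 445 tcp
1339420806 198.51.100.20 198.51.100.9 443 tcp
1339420807 198.51.100.9 198.51.100.20 443 tcp
"""


@dataclass(frozen=True)
class Touch:
    kind: str      # "darknet" or "honeypot"
    ts: int
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text):
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or line.lstrip().startswith("#"):
            continue
        ts, src, dst, dport, proto = fields
        yield int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto


def detect(text, darknet=DARKNET, honeypots=HONEYPOTS, scan_threshold=3):
    """Return (touches, scanners): every unsolicited contact, and the sources that touched
    at least scan_threshold distinct darknet addresses (a horizontal scan)."""
    touches = []
    darknet_targets = defaultdict(set)
    for ts, src, dst, dport, proto in parse_flows(text):
        if dst in darknet:
            touches.append(Touch("darknet", ts, str(src), str(dst), dport, proto))
            darknet_targets[str(src)].add(dst)
        elif dst in honeypots:
            # an internal source here is the more alarming case: nothing legitimate knows the decoy
            touches.append(Touch("honeypot", ts, str(src), str(dst), dport, proto))
    scanners = {src: len(dsts) for src, dsts in darknet_targets.items() if len(dsts) >= scan_threshold}
    return touches, scanners


if __name__ == "__main__":
    touches, scanners = detect(FLOWS)
    for t in touches:
        print(f"{t.kind:9} {t.ts} {t.src} -> {t.dst}:{t.dport}/{t.proto}")
    print("scanners:", scanners)
```

On the constructed records the external host 203.0.113.5 walks four darknet addresses on port 22 and is reported as a scanner, 203.0.113.9 makes a single SIP probe, and the internal host 198.51.100.20 touches the honeypot on SMB, which is the one line an analyst should read first. Ordinary traffic between production hosts produces nothing.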

Defend
Access Control: Allowing or denying access to resources (reading, modifying, executing) based on a set of rules. External Security: Anything else used to defend or protect the network through outside agents.

Defeating Cyber Threats

Defeat
1. Identify activity outside baseline norms
2. Isolate the action/program
3. Quarantine
4. Remove & Destroy (Hack Back?)
5. Research the intrusion and its origin. Where was the traffic being directed?
6. Set up future defense
7. Train users or victims (if applicable)
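Step 1 (activity outside baseline norms) and the question in step 5 (where was the traffic being directed) can both be answered from the same outbound telemetry. The following is an added example, not code from the presentation: each host's outbound bytes per day over the last 14 days serve as its baseline, a host is flagged when today's egress exceeds median + k times the median absolute deviation of its own history (robust against a couple of noisy days), and the flagged host's top destinations are listed for the investigator. Hosts, addresses and volumes are constructed.

```python
"""Per-host egress baseline with robust outlier detection and destination breakdown (added example)."""
import statistics
from collections import defaultdict

# Constructed baseline: outbound bytes per day, 14 days, per host
BASELINE = {
    "ws-101": [1.1e6, 0.9e6, 1.3e6, 1.0e6, 1.2e6, 0.8e6, 1.1e6,
               1.0e6, 1.2e6, 0.9e6, 1.1e6, 1.0e6, 1.3e6, 1.0e6],
    "ws-102": [1.8e6, 2.2e6] * 7,
    "fs-01": [48e6, 52e6] * 7,            # file server: high volume is normal for it
}

# Constructed outbound connections for today: (host, destination IP, port, bytes out)
TODAY = [
    ("ws-101", "203.0.113.44", 443, 0.6e6),
    ("ws-101", "198.51.100.10", 445, 0.5e6),
    ("ws-102", "203.0.113.44", 443, 1.5e6),
    ("ws-102", "192.0.2.200", 8443, 90e6),   # one destination taking 90 MB: where is it going?
    ("fs-01", "198.51.100.30", 445, 55e6),
    ("ws-199", "192.0.2.201", 4444, 0.2e6),  # host with no history at all
]


def baseline_threshold(samples, k=5.0, floor=0.05):
    """median + k * MAD, with the MAD floored at floor * median so a perfectly flat
    history does not alert on the first byte of variation."""
    med = statistics.median(samples)
    mad = statistics.median([abs(x - med) for x in samples])
    return med + k * max(mad, floor * med)


def detect_outliers(baseline, today, k=5.0):
    """Return {host: finding} for hosts whose egress today is outside their own baseline,
    or that have no baseline at all; each finding carries the top destinations by bytes."""
    egress = defaultdict(float)
    by_dest = defaultdict(lambda: defaultdict(float))
    for host, dst, port, nbytes in today:
        egress[host] += nbytes
        by_dest[host][(dst, port)] += nbytes

    findings = {}
    for host, total in egress.items():
        history = baseline.get(host)
        threshold = baseline_threshold(history, k) if history else None
        if threshold is None or total > threshold:
            top = sorted(by_dest[host].items(), key=lambda kv: kv[1], reverse=True)[:3]
            findings[host] = {
                "reason": "no baseline" if threshold is None else "above baseline",
                "today": total,
                "threshold": threshold,
                "top_destinations": top,
            }
    return findings


if __name__ == "__main__":
    for host, f in detect_outliers(BASELINE, TODAY).items():
        print(f"{host}: {f['reason']}, today={f['today']:.0f} threshold={f['threshold']}")
        for (dst, port), nbytes in f["top_destinations"]:
            print(f"    -> {dst}:{port}  {nbytes:.0f} bytes")
```

On the constructed data the file server moves 55 MB and is not flagged, because that is inside its own history, while the workstation ws-102 moving 91.5 MB against a 3 MB threshold is, and its breakdown points at a single external destination on port 8443: the answer to step 5. The host with no history is reported separately; a machine nobody baselined is itself a finding. Comparing each host to itself rather than to a fleet-wide average is what keeps the server from drowning out the workstation.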

I'M NOT A REPORTER

I JUST PLAY ONE ON TV

Question Cheat Sheet


Who was targeted? Was a specific person or user targeted? Why?
What allowed the malicious action to succeed?
What did they do about it?
When was the malicious activity first noticed? How long was it in place before that point?
Did the activity progress?
Are they sure they totally fixed it?

Question Cheat Sheet


Where did the attack come from? What indications do they have to show its origin?
Can the attack be geographically identified?
What is the extent of known damage caused by the compromise?
What steps did the organization take during the response?
What have they done to prevent future attacks like this?

Question Cheat Sheet


If the attack is the result of social engineering:
How did they lure the victim into the action that resulted in the attack? (malware, URL, attachment, emails, etc.)
Who was targeted? Why?

Question Cheat Sheet


If the attack is the result of malware:
What type of malware was used? Is it a known family?
What is the MD5 (or SHA-256) hash of the sample?
Is the vulnerability it exploited listed in the National Vulnerability Database, or is the malware discussed in the hacker community?
Can it be attributed to a specific actor or group?
Where was the system calling out to once exploited? Who was answering?

Question Cheat Sheet


If the attack is the result of an insider threat:
What was the actor's background, position in the company, etc.?
Was the attack sophisticated or simple?
Was it noticed internally, or were they notified by an external source?
What are the legal ramifications?
Were any outside parties affiliated with the malicious behavior?

Closing Thoughts

Espionage anyone?
Look Familiar?

IP Theft, Global Impact

The Black Death

Troubling Statistics Then


About 25 million killed by the Black Death in Europe. At least 20 million killed by the Spanish flu (estimates run far higher).

Troubling Statistics Now


22 million computers infected by the top three most popular exploit kits.
3 Internet devices on earth for each human (the Internet of Things).

See where this is going?

Understanding the Invisible Internet: Cyber Threats Simplified
CHASE CUNNINGHAM, CHIEF OF CYBER ANALYTICS
DECISIVE ANALYTICS CORPORATION
(703) 682-0620
CHASE.CUNNINGHAM@DAC.US
