DESCRIPTION
Operation High Roller was a dramatic change in the way cyber criminals went after their victims. This presentation will focus on the specifics of this attack against corporations, which was aimed at small to medium-sized organizations; the use of analytics to single out the victims; and the advanced methodologies used to hide the attack. Jeff will also discuss the need for specialization in the security marketplace, the need to ally yourself with other organizations, and working with your General Counsel and outside counsel to prepare for the inevitable battle.
Copyright © 2013. Accuvant, Inc. All Rights Reserved
Not Science Fiction
The Need for a Security Ally
Agenda
Accuvant:
• Who am I?
• Operation: High Roller
• Debrief
• Soldiers win the Battles, Allies win the wars
Tactics & techniques:
• Issues currently seen from the field
• Prediction time!
Conclusions
Jeff Danielson
Jeff has been a computer forensics specialist since 2003 and is a Security Evangelist for a large national research-driven security partner.
Previously, Jeff was a Principal Solutions Consultant for a leading computer forensics/eDiscovery and cybersecurity software solutions corporation, as well as a lead investigator at a large financial services organization.
Certifications
• SANS GIAC Certified Forensic Analyst (GCFA)
• GIAC Certified Incident Handler (GCIH)
• EnCase Certified Forensic Examiner (EnCE)
• EnCase Certified eDiscovery Practitioner (EnCEP)
In the blink of an eye
Operation High-Roller
Old Tricks
The usual suspects:
• Multiple Attack Strategies
• Phish/Spear Phishing email
• Utilization of Past Malware
• Zeus
• SpyEye
• Man-in-the-browser
Unpatched systems were the biggest culprit.
Definition (Spear Phishing): A type of attack that focuses on a single user or department within an organization, with the message appearing to come from someone within the company in a position of trust.
Definition (SpyEye): A proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and the host web application.
Definition (Man-in-the-Browser): A process to harvest credentials for online accounts and also initiate transactions while a person is logged into their account, literally making it possible to watch their bank balance drop by the second.
Definition (Zeus): A Trojan horse that steals banking information by man-in-the-browser keystroke logging and form grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. It was first identified in July 2007, when it was used to steal information from the United States Department of Transportation.
New Skewl
New and Improved:
• Server-side components
• Heavy automation
• Targeted to Large accounts (1M+ balance) with heavy utilization.
• Automated Bypass of Two-Factor Physical Authentication
• Links and code are obfuscated
• Small Population
• Avoid Fraud Detection and Hide Evidence
Fraudulent Server: A server that interacts with the banking portal to process the actual transaction (including account login). Normally located at a crime-friendly ISP, and moved frequently.
Automation allows repeated thefts once the system has been launched at a given bank or against a banking platform; the account data is always updated and current.
The client-side malware kills the links to printable statements. It also searches for and erases confirmation emails and email copies of the statement. Finally, it changes the transactions, transaction values, and account balance in the statement displayed on the victim's screen, so the amounts are what the account holder expects to see.
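The statement tampering described above only works while the victim's sole view of the account is the compromised browser. A defender-side reconciliation, comparing what the client rendered (obtained over a second channel) with the bank's authoritative ledger, exposes the hidden transaction and the rewritten balance. The following is an added example written for this page, not code from the presentation or from Accuvant; the ledger, the displayed statement and the amounts are all constructed, and the finding names are an assumption of the example.

```python
"""Out-of-band reconciliation of a displayed bank statement against the
server-side ledger.

Added example, not code from the original presentation or from Accuvant.
It models the "hide evidence" behaviour described on the slide: client-side
malware rewrites transactions, amounts and the balance the victim sees.
A defender who can obtain the statement the client rendered (a balance the
customer reads back by phone, a mobile-app snapshot sent over a second
channel) can compare it with the authoritative ledger and flag the gap.

All transaction data below is constructed for the example.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: Decimal   # negative = debit, positive = credit
    memo: str


# Constructed: the bank's authoritative ledger for one account.
SERVER_LEDGER = [
    Txn("T1001", Decimal("2500.00"), "payroll credit"),
    Txn("T1002", Decimal("-120.45"), "utility bill"),
    Txn("T1003", Decimal("-9800.00"), "wire transfer (fraudulent)"),
    Txn("T1004", Decimal("-42.10"), "card purchase"),
]
SERVER_BALANCE = Decimal("12537.45")

# Constructed: what the tampered browser rendered. T1003 has been removed
# and the balance rewritten so it "looks right" to the account holder.
DISPLAYED_STATEMENT = [
    Txn("T1001", Decimal("2500.00"), "payroll credit"),
    Txn("T1002", Decimal("-120.45"), "utility bill"),
    Txn("T1004", Decimal("-42.10"), "card purchase"),
]
DISPLAYED_BALANCE = Decimal("22337.45")


def reconcile(server, server_balance, displayed, displayed_balance):
    """Compare the two views and return a list of findings.

    An empty list means the displayed statement matches the ledger.
    Finding tuples (names are this example's own convention):
      ("hidden_transaction", txn_id, ledger_amount)
      ("phantom_transaction", txn_id, displayed_amount)
      ("altered_amount", txn_id, ledger_amount, displayed_amount)
      ("balance_mismatch", ledger_balance, displayed_balance, gap_explained)
    gap_explained is True when the balance gap equals exactly the sum of
    the hidden transactions, i.e. the balance was rewritten to conceal them.
    """
    findings = []
    server_by_id = {t.txn_id: t for t in server}
    displayed_by_id = {t.txn_id: t for t in displayed}

    hidden_ids = server_by_id.keys() - displayed_by_id.keys()
    for txn_id in sorted(hidden_ids):
        findings.append(("hidden_transaction", txn_id, server_by_id[txn_id].amount))

    for txn_id in sorted(displayed_by_id.keys() - server_by_id.keys()):
        findings.append(("phantom_transaction", txn_id, displayed_by_id[txn_id].amount))

    for txn_id in sorted(server_by_id.keys() & displayed_by_id.keys()):
        s, d = server_by_id[txn_id], displayed_by_id[txn_id]
        if s.amount != d.amount:
            findings.append(("altered_amount", txn_id, s.amount, d.amount))

    if server_balance != displayed_balance:
        hidden_sum = sum((server_by_id[i].amount for i in hidden_ids), Decimal("0"))
        gap = displayed_balance - server_balance
        findings.append(("balance_mismatch", server_balance, displayed_balance, gap == -hidden_sum))
    return findings


if __name__ == "__main__":
    for f in reconcile(SERVER_LEDGER, SERVER_BALANCE, DISPLAYED_STATEMENT, DISPLAYED_BALANCE):
        print(f)
```

The useful signal is the last field of the balance finding: a gap that is exactly the sum of the missing transactions is the signature of a statement rewritten to hide a transfer, which is different from an ordinary posting delay, where the gap would not line up with any specific missing entry.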
Debrief
Fast Moving
Highly Knowledgeable of Banking processes
Focused and targeted
Hybrid Automation
• Spear Phishing
• Bank Account Usage Analysis
Highly Creative techniques, no new code.
The Focus is on small to medium-sized businesses and wealthy consumers
A Storm Is Here
Why Security Consultants?
Soldiers Win Battles
• Specialists are key.
• Tools and Weapons
• “Thin and wide” vs “Deep and Narrow”
• Internal Battles should not be overlooked.
“Soldiers win the battle, the generals get the credit for them”
- Napoleon Bonaparte
Allies Win The War
• Cyber Threat Intelligence
• Attribution “Who is attacking you”
• Regional and Vertical Partners
• Maturity of Weapons
• Can you
• Communicate Risk?
• Value of Weapons?
• Free or Commercial Intelligence?
• Be open to Trusted Advisors
• Get a good understanding of what is working, and what is not in the industry
• Build a good relationship with local, state, and federal Law Enforcement.
Debrief
Targeted Attacks increasing
• Red October
• Stuxnet
• Watering Hole attacks
• Gauss
Current global IT security spend is 60 billion.
Visibility and Maturity of IT Security programs is necessary.
Everyone is now a target, not just highly visible targets.
Red October: The operation started in 2007 and was found in December 2012. It infiltrated over 1,000 high-level government computers and was focused specifically on government espionage, most likely from hacktivist groups, but could be supported by a private firm or rogue nation.
Stuxnet: First detected in 2010, yet believed to be older than 2009*, Stuxnet was aimed at Iran's Natanz nuclear plant. Most likely from a nation state.
Gauss: Discovered in June 2012. Focused on Middle East online banking records, capable of stealing specific data such as passwords, banking credentials, cookies and specific configurations.
Watering hole attacks: Made popular by the recent attacks on Twitter, Facebook and Apple. This attack focused on specific users' browser habits; the users were infected by malware downloaded when they clicked on normally trusted links.
Together We Win* (*Or have a chance)
Issues Seen in the Field
Issues
• Time
• Vet Security Partner(s)
• References
• External Vendors
• Vertical Professionals
• Why only one?
• Daily security vs Security projects
• Vice-versa
• Money
• Talk to the Asset owner
• Executive Buy-In program
• Threat Intelligence Report
Predictions for 2013
• Legal will be put on “notice”
• IT Security will be brought under the Legal umbrella
• Fundamental Shifting
• The Bad Actors
• Containment
• Push to Pull
• Security is a Critical Business Function
2015: The Internet will no longer be a right, it will be a privilege.
Questions & Answers
Thank You
Jeff Danielson
Security Evangelist
GCIH, GCFA, EnCE, EnCEP
970-407-8307
jdanielson@Accuvant.com