INTERPOL For official use only
Fighting with friends
Transnational Cybercrime
- Restriction in information sharing
- Legislative harmony
- Emerging technology & ease of criminal use
- Volume of crime
So, what does INTERPOL do?
Digital Forensics Laboratory (DFL) & Support Team: analysis and on-site assistance
Digital Crime Investigation Support (DIS): coordinating and facilitating transnational cybercrime investigations and operations
DIS collaboration models (diagram):
- Police-to-Police Cooperation
- Cyber Threat Taskforce: Police, Private Sector, Academia
- Action Plan
- Post-Incident Collaboration
DIS: Cyber Fusion Centre (CFC): a secure and neutral collaboration workspace to share and develop cyber intelligence, and a global operational support facility
Simda Botnet Takedown (Q2 2015)
Simda.AT botnet
Challenging
• Hard to analyze
• Hard to measure
• Hard to take down
• Hard-coded IPs
Significant impact
• RA & identity theft
• Mining & clickfraud
• Network hijacking
• Slave market
Worldwide
• More than 770,000 PCs worldwide
• More than 190 countries
• Key infrastructure scattered over continents
• C2s designed to shift after partial takedown
Simda.AT infection vectors: how were so many computers compromised? All of the following:
- Mass SQL injection (compromised sites)
- Spam e-mail (male enhancing drugs)
- Social engineering (fake Flash installer)
- Scare tactics (scareware affiliates)
- Exploit kits (Blackhole, Styx, Magnitude, Fiesta)
- Other malware (Kelihos, Waledac, Winwebsec)
- BlackHat SEO (search engine optimization poisoning)
What triggered the operation?
Simda Operation Phases
Phase 1 - Coordinate, Investigate and Risk Assessment (Jan - March 30th, 2015)
- Coordinate with Law Enforcement
- Communications/PR
- Investigation & Risk Assessment
Phase 2 - Process and Preparation (March 30 - April 3rd, 2015)
- Legal process filed in Netherlands
- Identification & Remediation prep
- Coordinate with internal and external partners
- Communications/PR
Phase 3 - Execute and Evaluate (Week of April 6th, 2015)
International Public-Private Partnership
Digital Crimes Unit (DCU)
- Provided targeting to INTERPOL
- Initial & long term Simda analysis
- Provide AV cleaning solution
- PR communications
INTERPOL (with FBI, NCA, Dutch High-Tech Crimes Unit)
- Coordinate filing of complaint to seize C&C IP addresses
- Coordinate criminal seizure of physical servers in Europe
- Coordinate identification and remediation of victims with DCU
INTERPOL research partner (1)
- Analyze & validate Simda samples
- Perform long term analysis
- Provide AV cleaning solution
INTERPOL research partner (2)
- Analyze & validate Simda samples
- Perform long term analysis
- Provide AV cleaning solution
INTERPOL research partner (3)
- Analyze & validate Simda samples
- Perform long term analysis
INTERPOL For official use only 28/08/2015
Simda Operation - Preliminary Reflection
Success Factors
• INTERPOL's capabilities to coordinate with national police cyber units
• Using Law Enforcement powers to simultaneously take down C2s across the planet
• Industry's capabilities to track and understand the infrastructure
• Private partners working as a collective to provide complementary solutions
• Leveraging PR via industry and INTERPOL to support notification and remediation
Learnings
• The effective dissemination of victim data: need to balance privacy and mitigation
• IP addresses are not treated the same in all jurisdictions: harmonization needed
• Combining data from different sources: both helpful and confusing
Next steps
• Take it beyond the one takedown
Thank You - Merci - Gracias - and, in Arabic, "Thank you very much for your attention"