Copyright © 2013. Accuvant, Inc. All Rights Reserved

Operation High Roller: The need for a security ally!


DESCRIPTION

Operation High Roller was a dramatic change in the way cyber criminals went after their victims. This presentation focuses on the specifics of this attack against corporations, which targeted small to medium-sized organizations, the use of analytics to single out the victims, and the advanced methodologies used to hide the attack. Jeff will also discuss the need for specialization in the security marketplace and the need to ally yourself with other organizations, as well as working with your general and outside counsel to prepare for the inevitable battle.


Page 1: Operation High Roller: The need for a security ally!


Page 3

Not Science Fiction

Page 4

The Need for a Security Ally

Page 5

Agenda

Accuvant:

• Who am I?

• Operation: High Roller

• Debrief

• Soldiers win the Battles, Allies win the wars

Tactics & techniques:

• Issues currently seen from the field

• Prediction time!

Conclusions

Page 6

Jeff Danielson

Jeff has been a computer forensics specialist since 2003 and is a Security Evangelist for a large national research-driven security partner.

Previously, Jeff was a Principal Solutions Consultant for a leading computer forensics/eDiscovery and cybersecurity software solutions corporation, as well as a lead investigator at a large financial services organization.

Certifications

• SANS GIAC Certified Forensic Analyst (GCFA)

• GIAC Certified Incident Handler (GCIH)

• EnCase Certified Forensic Examiner (EnCE)

• EnCase Certified eDiscovery Practitioner (EnCEP)

Page 7

In the blink of an eye

Page 8

Operation High-Roller

Page 9

Old Tricks

The usual suspects:

• Multiple Attack Strategies

• Phish/Spear Phishing email

• Utilization of Past Malware

• Zeus

• SpyEye

• Man-in-the-browser

Unpatched systems were the biggest culprit.

Definition of Spear Phishing: A type of attack that focuses on a single user or department within an organization, addressed from someone within the company in a position of trust.

Definition of SpyEye: A proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and the host web application.

Definition of Man-in-the-Browser: A process to harvest credentials for online accounts and also initiate transactions while a person is logged into their account, literally making it possible to watch their bank balance drop by the second.

Definition of Zeus: A Trojan horse that steals banking information by man-in-the-browser keystroke logging and form grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. It was first identified in July 2007 when it was used to steal information from the United States Department of Transportation.

Page 10

Page 11

New Skewl

New and Improved:

• Server-side components

• Heavy automation

• Targeted to Large accounts (1M+ balance) with heavy utilization.

• Automated Bypass of Two-Factor Physical Authentication

• Links and code are obfuscated

• Small Population

• Avoid Fraud Detection and Hide Evidence

Fraudulent Server: A server that interacts with the banking portal to process the actual transaction (including account login). Normally located in a crime-friendly ISP, and moved frequently.

Automation allowed repeated thefts once the system had been launched at a given bank or for a banking platform. The account data is always updated and current.

The client-side malware kills the links to printable statements. It also searches for and erases confirmation emails and email copies of the statement. Finally, it also changes the transactions, transaction values, and account balance in the statement displayed on the victim's screen so the amounts are what the account holder expects to see.
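A defender-side check for the statement tampering described on this slide, added here as an example and not part of the original presentation: the bank's authoritative ledger is reconciled against the statement the customer actually saw (for instance the one confirmed through an out-of-band channel), and hidden, altered or phantom transactions and balance mismatches are reported. Names, amounts and transaction ids are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    payee: str
    amount: Decimal  # negative = debit


# Constructed sample: what the bank's core ledger recorded for the session.
LEDGER = [
    Txn("t1", "PAYROLL INC", Decimal("-18250.00")),
    Txn("t2", "ACME SUPPLY", Decimal("-4210.55")),
    Txn("t3", "NEW PAYEE LTD", Decimal("-250000.00")),  # the fraudulent wire
]
LEDGER_BALANCE = Decimal("1287539.45")

# Constructed sample: what the malware let the victim's browser render.
DISPLAYED = [
    Txn("t1", "PAYROLL INC", Decimal("-18250.00")),
    Txn("t2", "ACME SUPPLY", Decimal("-4210.55")),
]
DISPLAYED_BALANCE = Decimal("1537539.45")  # inflated to hide the wire


def reconcile(ledger, ledger_balance, displayed, displayed_balance):
    """Return (code, detail) discrepancies between the authoritative
    ledger and the statement as it was presented to the client."""
    shown = {t.txn_id: t for t in displayed}
    findings = []
    for t in ledger:
        d = shown.get(t.txn_id)
        if d is None:
            findings.append(("HIDDEN_TXN", t.txn_id))      # erased from view
        elif d.amount != t.amount or d.payee != t.payee:
            findings.append(("ALTERED_TXN", t.txn_id))     # value/payee rewritten
    for txn_id in sorted(set(shown) - {t.txn_id for t in ledger}):
        findings.append(("PHANTOM_TXN", txn_id))           # shown but never posted
    if ledger_balance != displayed_balance:
        findings.append(("BALANCE_MISMATCH", str(ledger_balance - displayed_balance)))
    return findings


def run_sample():
    return reconcile(LEDGER, LEDGER_BALANCE, DISPLAYED, DISPLAYED_BALANCE)


if __name__ == "__main__":
    for code, detail in run_sample():
        print(code, detail)
```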

Page 12

Page 13

Debrief

Fast Moving

Highly Knowledgeable of Banking processes

Focused and targeted

Hybrid Automation

• Spear Phishing

• Bank Account Usage Analysis

Highly Creative techniques, no new code.

The Focus is on small to medium-sized businesses and wealthy consumers

Page 14

A Storm Is Here

Page 15

Why Security Consultants?


Page 16

Soldiers Win Battles

• Specialists are key.

• Tools and Weapons

• “Thin and wide” vs “Deep and Narrow”

• Internal Battles should not be overlooked.

“Soldiers win the battle, the generals get the credit for them”

-Napoleon Bonaparte

Page 17

Allies Win The War

• Cyber Threat Intelligence

• Attribution “Who is attacking you”

• Regional and Vertical Partners

• Maturity of Weapons

• Can you

• Communicate Risk?

• Value of Weapons?

• Free or Commercial Intelligence?

• Be open to Trusted Advisors

• Get a good understanding of what is working, and what is not in the industry

• Build a good relationship with local, state, and federal Law Enforcement.

Page 18

Debrief

Targeted Attacks increasing

• Red October

• Stuxnet

• Watering Hole attacks

• Gauss

Current global IT security spend is 60 billion.

Visibility and maturity of IT security programs is necessary.

Everyone is now a target, not just highly visible targets.

Red October: Operation started in 2007 and was found in Dec 2012. Infiltrated over 1K+ high-level government computers and was focused specifically on government espionage, most likely from hacktivist groups, but could be supported by a private firm or rogue nation.

Stuxnet: First detected in 2010, yet believed to be older than 2009*, Stuxnet was aimed at Iran's Natanz nuclear plant. Most likely from a nation/state.

Gauss: Discovered in June 2012, focused on Middle East online banking records, capable of stealing specific data such as passwords, banking credentials, cookies and specific configurations.

Watering Hole attacks: Made popular by the recent attacks on Twitter, Facebook and Apple. This attack focused on specific users' browser habits; users were infected by malware downloaded when they clicked on normally trusted links.

Page 19

Together We Win*

*Or have a chance

Page 20

Issues Seen in the Field

Page 21

Issues

• Time

• Vet Security Partner(s)

• References

• External Vendors

• Vertical Professionals

• Why only one?

• Daily security vs Security projects

• Vice-versa

• Money

• Talk to the Asset owner

• Executive Buy-In program

• Threat Intelligence Report

Page 22

Predictions for 2013

• Legal will be put on “notice”

• IT Security will be brought under the Legal umbrella

• Fundamental Shifting

• The Bad Actors

• Containment

• Push to Pull

• Security is a Critical Business Function

2015: The Internet will no longer be a right; it will be a privilege.

Page 23

Questions & Answers

Page 24

Thank You

Jeff Danielson

Security Evangelist

GCIH, GCFA, EnCE, EnCEP

970-407-8307

jdanielson@Accuvant.com
