Computer Crime on the Rise
Dec 18, 2015
FBI-San Francisco Computer Intrusion Squad
Overview
• Computer Security Institute (CSI) Survey
• FBI Computer Squads
• How to Prepare for an Attack
• What to do when You’re a Victim
CSI and FBI Computer Security Survey

Unauthorized use of computer systems within the last 12 months? (percent of respondents)

Year   Yes   No   Don’t know
1996   42    37   21
1997   50    33   17
1998   64    18   18
1999   62    21   16
2000   70    12   19

CSI/FBI 2000 Computer Crime and Security Survey. Source: Computer Security Institute
Types of attack or misuse detected within the last 12 months (number of respondents, 1997-2000)
[Chart; categories: Theft of proprietary info, Sabotage, Telecom eavesdropping, System penetration, Insider abuse of Net access, Financial fraud, Virus, Unauthorized access by insiders, Telecom fraud, Active wiretap, Laptop theft, Denial of Service.]
CSI/FBI 2000 Computer Crime and Security Survey. Source: Computer Security Institute
Likely sources of attack (percent of respondents, 1997-2000)

Source                  1997  1998  1999  2000
Foreign governments      22    21    21    21
Foreign corporations     23    29    30    26
Independent hackers      73    72    74    77
U.S. competitors         51    48    53    44
Disgruntled employees    87    89    86    81

CSI/FBI 2000 Computer Crime and Security Survey. Source: Computer Security Institute
Internet connection is increasingly used as point of attack (percent of respondents, 1996-2000)
[Chart; series: internal systems, remote dial-in, Internet connection. By 2000, 59% cited their Internet connection as a frequent point of attack versus 38% citing their internal systems.]
CSI/FBI 2000 Computer Crime and Security Survey. Source: Computer Security Institute
Dollar amount of losses by type (2000)
[Chart; categories: Active wiretapping, Telecom eavesdropping, System penetration, Sabotage, Denial of service, Insider net abuse, Laptop theft, Virus, Financial fraud, Telecom fraud, Theft of proprietary info, Unauthorized insider access. The two largest reported totals were theft of proprietary information ($66,708,000) and financial fraud ($55,996,000).]
CSI/FBI 2000 Computer Crime and Security Survey. Source: Computer Security Institute
WWW site incidents: What type of unauthorized access or misuse? (percent of respondents reporting web incidents)

Type                        1999  2000
Vandalism                    98    64
Financial fraud              27     3
Denial of service            93    60
Theft of transaction info    25     8

CSI/FBI 2000 Computer Crime and Security Survey. Source: Computer Security Institute
If your organization has experienced computer intrusion(s) within the last 12 months, which of the following actions did you take? (percent of respondents)

Action                        1996  1997  1998  1999  2000
Patched holes                  48    44    50    96    85
Did not report                 23    26    26    48    44
Reported to law enforcement    16    17    17    32    25
Reported to legal counsel      11    11    16    29    20

CSI/FBI 2000 Computer Crime and Security Survey. Source: Computer Security Institute
The reasons organizations did not report intrusions to law enforcement (percent of respondents, 1996-2000)
[Chart; reasons: Negative publicity, Competitors would use to advantage, Unaware that could report, Civil remedy seemed best.]
CSI/FBI 2000 Computer Crime and Security Survey. Source: Computer Security Institute
Would your organization consider hiring reformed hackers as consultants? (percent of respondents)

Answer       1999  2000
Yes           17    20
No            65    61
Don’t know    19    19

CSI/FBI 2000 Computer Crime and Security Survey. Source: Computer Security Institute
The FBI and Computer Intrusion Investigation

Regional Computer Squads
• 14 Regional Squads
  – Supervisor
  – Investigators
  – Analysts
  – Computer Analysis Response Team (CART)
• Investigation
• Liaison

National Infrastructure Protection Center (NIPC)
Regional squads: Chicago, Dallas, Los Angeles, San Francisco, Washington Field Office (WFO), New York, Boston, Miami, Atlanta, Charlotte, Seattle, New Orleans, San Diego, Newark
Approximately 215 Special Agents today; target 275 SAs in FY00, plus computer scientists

FBI Program
• Specially trained agents in all 56 FBI Divisions
• Growing program
  – Ongoing training
  – Technical recruiting
• Computer Forensic Examiners
  – FBI Laboratory
  – Field Agents (CART)
How to Prepare for an Attack

Preparation
• Post Warning Banners:
  – Every system should display a banner
    • Display at every log in
    • System is property of your organization
    • System is subject to monitoring
    • No expectation of privacy while using system
  – Management and Legal Counsel should approve
  – DO NOT reveal system purpose/OS/etc.

DoD Banner
• “This is a Department of Defense (DoD) computer system. DoD computer systems are provided for the processing of Official US Government information only. All data contained on DoD computer systems is owned by the Department of Defense and may be monitored, intercepted, recorded, read, copied, or captured in any manner and disclosed in any manner, by authorized personnel.”
• “THERE IS NO RIGHT OF PRIVACY IN THIS SYSTEM. System personnel may give to law enforcement officials any potential evidence of crime found on DoD computer systems. USE OF THIS SYSTEM BY ANY USER, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO THIS MONITORING, INTERCEPTION, RECORDING, READING, COPYING or CAPTURING and DISCLOSURE.”
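The banner slides above, as an added POSIX shell example (this is not code from the FBI presentation). It installs a logon banner that states ownership, monitoring and consent, points sshd at it, and checks the point the slide warns about: that the banner file reveals nothing about the OS or host. The paths /etc/issue.net and /etc/ssh/sshd_config, the "Example Corp" wording and the helper names are assumptions; the wording your systems actually display should be approved by management and legal counsel, as the slide says.

```shell
#!/bin/sh
# Added example, not from the FBI presentation. Installs a logon warning
# banner and checks that it does not leak system details. Paths and the
# "Example Corp" wording are assumptions for illustration.

# Banner content: ownership, monitoring, no expectation of privacy, consent.
# Nothing here names the OS, the system's purpose or the hostname.
BANNER_TEXT='WARNING: This computer system is the property of Example Corp and
is provided for authorized use only. Use of this system is subject to
monitoring and recording at any time. There is no expectation of privacy
while using this system. Use, authorized or unauthorized, constitutes
consent to such monitoring, and evidence of crime found on this system may
be provided to law enforcement.'

# Write the banner to the given file (e.g. /etc/issue.net for sshd,
# /etc/issue for local console logins).
write_banner() {                    # $1 = destination path
    printf '%s\n\n' "$BANNER_TEXT" > "$1"
}

# Returns 0 (true) if the file contains an agetty(8)/issue escape that would
# expand to OS name/version (\S \s \v), kernel release (\r), machine type (\m),
# hostname or domain (\n \o \O), tty line (\l) or IP addresses (\4 \6), or
# if it contains the running kernel release literally. Stock /etc/issue
# files on most Linux distributions fail this check.
banner_leaks_sysinfo() {            # $1 = banner file
    grep -Eq '\\[SsvrmnoOl46]' "$1" && return 0
    grep -qF "$(uname -r)" "$1"
}

# Returns 0 if sshd_config already points Banner at the given file.
sshd_banner_configured() {          # $1 = sshd_config, $2 = banner path
    grep -Eq "^[[:space:]]*Banner[[:space:]]+$2[[:space:]]*$" "$1"
}

# Idempotently set "Banner <path>" in sshd_config, replacing a commented-out
# or different Banner line if present (backup kept as <file>.bak).
set_sshd_banner() {                 # $1 = sshd_config, $2 = banner path
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Banner[[:space:]]' "$1"; then
        sed -i.bak -E "s|^[[:space:]]*#?[[:space:]]*Banner[[:space:]].*|Banner $2|" "$1"
    else
        printf 'Banner %s\n' "$2" >> "$1"
    fi
}

# Typical deployment (as root, then `sshd -t` and reload sshd):
#   write_banner /etc/issue.net && write_banner /etc/issue
#   banner_leaks_sysinfo /etc/issue.net && echo "banner leaks system details"
#   set_sshd_banner /etc/ssh/sshd_config /etc/issue.net
```

The escape check matters because a default /etc/issue typically reads something like "Debian GNU/Linux 12 \n \l", which hands an attacker the distribution, the hostname and the tty before any authentication. The sshd Banner is shown before password or key authentication, so it also satisfies "display at every log in" for remote users; telnet and FTP, if still running, need their own banner configuration.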
Preparation
• Be Proactive to Prevent Incidents
  – Establish Security Policy
  – Monitor and Analyze Network Traffic
  – Assess Vulnerabilities (System Scans)
  – Configure Systems Wisely
    • Limit Services (FTP/telnet)
    • Patches
  – Establish Training for Employees
Preparation
• Establish Policy on Employee Privacy
  – E-mail: Owned by Corp. or Employee
  – Data Files
  – Encryption okay?
    • Keys
    • Disgruntled Employees
Preparation
• Establish Organizational Approach to Intrusions (2 ways)
  – Contain, Clean and Deny Further Access
    • STOP Intruder
    • Remove from Network
    • Repair System
    • IP Filtering, Firewalls, etc.
  – Monitor and Gather Information
    • Intruder in a Fishbowl
Preparation
• Policy for Peer Notification
  – DDOS
  – Network Attacks
• Remote Computing
  – Telecommuters
    • Laptop Privacy (temps, contractors too)
  – Acceptable Use Policy (Sign Yearly)
  – Revoke Access when no longer required
  – Log Remote Access (Radius/Caller ID/Remote Callback)
Preparation
• Develop Management Support
• Develop a Team
  – Assign Specific Duties
    • Call-out duty and phone list
    • Legal Counsel
    • PR/Law Enforcement Liaison
• Assign a Person to be Responsible for Incident
System Preparation
• System Backups
  – Original O/S
  – Log Files
  – Admin Files/Applications
  – Data
  – Don’t re-introduce problem

System Preparation
• Install and Configure
  – Intrusion Detection System
  – Firewall
  – Auditing/Logging
• Monitor
  – Industry information
  – Intrusion/hacker techniques
The Security Investment
• Recruit and hire security capable staff
  – “Reformed” Hackers?
• Keep current on system vulnerabilities
• Ensure networked systems are maintained and patched
• Train administrators and users of systems in security and protection measures
Preparation
• Have a plan in place PRIOR to an attack
• You WILL be attacked!
I’ve Been Hacked! or What to do when you’re a Victim
What the FBI can do
• Combine technical skills and investigative experience
• National and Global coverage (LEGATS)
• Apply more traditional investigative techniques
• Long-term commitment of resources
• Integration of law enforcement and national security concerns
• Pattern analysis - BIG PICTURE
• Can provide deterrent effect . . . even if hacker not prosecuted
What the FBI won’t do:
• Take over your systems
• Repair your systems
• Share proprietary information with competitors
• Provide investigation-related information to the media or your shareholders
When You’re a Victim
• Stop and Think -- REMAIN CALM
  – Take detailed notes (who, what, why, where, when, and how)
  – Notify appropriate persons
    • Supervisor
    • Security Coordinator
    • Legal Counsel
  – Enforce a Need to Know Policy
When You’re a Victim
• Communicate Wisely
  – email/chat -- intruder may be listening
  – Use telephone/voicemail/fax/etc.
  – If email, use encryption
• Remove system from Network
• Disable Internet Access
When You’re a Victim
• Make a Bit by Bit copy of system
  – Use NEW media & VERIFY the backup!!
  – Initial and date backup…time stamp
  – Secure in a locked, limited access location
• Maintain Chain of Custody
• Collect other evidence in the same manner
  – Always preserve originals!

When You’re a Victim
• Best Evidence Rule
  – Original Drives
  – Bit by Bit Copy (dd)
  – Copy of relevant files
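The imaging and chain-of-custody steps above, as an added POSIX shell example (not code from the FBI presentation). It images with dd, verifies by hashing source and image with SHA-256 (the slides only say "verify"; the hash choice is mine), refuses to write onto media that already holds something, marks the image read-only, and records every step with a UTC timestamp and the operator's name, which is the machine-readable form of "initial and date the backup". The device names, the operator name, the log layout and the function names are assumptions, and the stand-alone demo at the bottom images a constructed 4 KiB file rather than a real drive.

```shell
#!/bin/sh
# Added example, not from the FBI presentation: bit-for-bit imaging with dd,
# hash verification and a chain-of-custody log. Device names, the operator
# name and the log layout are assumptions for illustration.

# SHA-256 of a file (GNU coreutils sha256sum, or shasum on BSD/macOS).
hash_file() {                       # $1 = path; prints the hex digest
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Append one UTC-timestamped, operator-tagged line to the custody log.
log_custody() {                     # $1 = log file, $2 = operator, rest = message
    lc_log=$1; lc_op=$2; shift 2
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$lc_op" "$*" >> "$lc_log"
}

# Image $1 onto $2 and verify. Returns 0 only if the image hashes the same as
# the source. Before imaging a real drive, make it read-only (hardware write
# blocker, or `blockdev --setro /dev/sdX` on Linux) so acquisition cannot
# change the original, and always write to NEW media: the function refuses
# to overwrite an existing file for that reason.
image_and_verify() {                # $1 = source, $2 = image, $3 = log, $4 = operator
    src=$1; img=$2; log=$3; op=$4
    if [ -e "$img" ]; then
        log_custody "$log" "$op" "REFUSED: $img already exists (media must be new)"
        return 1
    fi
    log_custody "$log" "$op" "START dd if=$src of=$img bs=512"
    # noerror: continue past unreadable sectors; sync: zero-fill them so the
    # rest of the image keeps its offsets. dd's record counts and any read
    # errors go to the log too; a bad sector also shows up as a hash mismatch.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1
    chmod 0444 "$img"               # evidence, not a working copy
    src_hash=$(hash_file "$src"); img_hash=$(hash_file "$img")
    log_custody "$log" "$op" "SOURCE $src sha256=$src_hash"
    log_custody "$log" "$op" "IMAGE $img sha256=$img_hash"
    if [ "$src_hash" = "$img_hash" ]; then
        log_custody "$log" "$op" "VERIFIED image matches source; store in locked, limited-access location"
        return 0
    fi
    log_custody "$log" "$op" "MISMATCH image differs from source; investigate before relying on it"
    return 1
}

# Later check (before analysis or hand-over): does the image still hash to
# the value recorded at acquisition? Returns 0 if it is unchanged.
verify_image() {                    # $1 = image, $2 = expected hex digest
    [ "$(hash_file "$1")" = "$2" ]
}

# Stand-alone demo on a constructed 4 KiB "drive" file (not real evidence).
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    yes 'sample drive content' | head -c 4096 > "$work/evidence.raw"
    image_and_verify "$work/evidence.raw" "$work/evidence.dd" "$work/custody.log" analyst1 \
        && cat "$work/custody.log"
fi
```

Analysis is then done on a second copy made from the verified image, never on the original drive or the image itself, so that the hash recorded in the custody log can be re-checked at any later point (verify_image) and the original remains available under the best evidence rule.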
When You’re a Victim
• Begin analysis to determine what happened
  – Work from copy if possible
  – Review system, firewall, router logs
  – Look for “Trojaned” system files
  – Look for new, suspicious users
  – Contact ISP for logs and possible filtering
  – Consider contacting attacking host sys admin
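Two of the analysis steps above, "Trojaned" system files and new, suspicious users, become mechanical if a baseline was taken during preparation. The following is an added POSIX shell example (not code from the FBI presentation): it records a SHA-256 per file for a directory tree on a known-good system, later re-hashes the tree (from the verified copy) and reports modified, added and removed files, and diffs a baseline copy of /etc/passwd against the current one for new accounts and for any non-root account with UID 0. Directory paths, file names and the function names are assumptions; the test data at the end of the usage note is constructed.

```shell
#!/bin/sh
# Added example, not from the FBI presentation: baseline-and-compare checks
# for "Trojaned" system files and for new or newly privileged accounts.
# Take the baseline from a known-good system during preparation, keep it
# off the host (an intruder who can edit the baseline defeats the check),
# and compare from the verified copy after an incident. Paths are assumptions.

# SHA-256 of one file: GNU sha256sum, or shasum on BSD/macOS.
sha256_of() {                        # $1 = path; prints the hex digest
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
        cut -d' ' -f1
}

# Record "<sha256>  <path relative to root>" for every regular file under $1,
# sorted so two baselines of the same tree are directly comparable. On a real
# system the root would be e.g. /usr/bin, /usr/sbin or /lib, and the relative
# paths let a baseline taken live be compared against a mounted image.
baseline_files() {                   # $1 = root directory, $2 = output file
    root=${1%/}
    find "$root" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(sha256_of "$f")" "${f#"$root/"}"
    done > "$2"
}

# Re-hash $1 and compare with the stored baseline $2. Prints one line per
# change: MODIFIED (same path, different hash, the Trojaned-binary case),
# ADDED and REMOVED. Returns 0 if clean, 1 if anything differs.
compare_files() {                    # $1 = root directory, $2 = stored baseline
    now=$(mktemp)
    baseline_files "$1" "$now"
    changes=$(awk -F '  ' '
        NR == FNR { old[$2] = $1; next }            # first file: the baseline
        !($2 in old) { print "ADDED " $2; next }
        old[$2] != $1 { print "MODIFIED " $2 }
        { delete old[$2] }
        END { for (p in old) print "REMOVED " p }' "$2" "$now")
    rm -f "$now"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Compare a baseline copy of /etc/passwd with the current one. Flags every
# account that did not exist at baseline time and every account other than
# root with UID 0 (a classic backdoor). Returns 1 if anything was flagged.
check_accounts() {                   # $1 = baseline passwd, $2 = current passwd
    awk -F: '
        NR == FNR { seen[$1] = 1; next }
        !($1 in seen) { print "NEW_USER " $1 " uid=" $3 " shell=" $7; bad = 1 }
        $3 == 0 && $1 != "root" { print "UID0_USER " $1; bad = 1 }
        END { exit (bad ? 1 : 0) }' "$1" "$2"
}
```

Usage on a real system: `baseline_files /usr/bin /media/offhost/usr-bin.sha256` and `cp /etc/passwd /media/offhost/passwd.base` at preparation time; after an incident, mount the verified image read-only and run `compare_files /mnt/image/usr/bin /media/offhost/usr-bin.sha256` and `check_accounts /media/offhost/passwd.base /mnt/image/etc/passwd`. Where the OS vendor signs its packages, `rpm -Va` or `debsums` give a comparable file check against the vendor's manifests, but they are only trustworthy if the package database on the compromised host has not itself been altered, which is why an off-host baseline is the stronger evidence. Note that a compromised kernel or a modified `find`, `awk` or `sha256sum` on the victim host can lie to this script; run it against the mounted image from a clean machine.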
When You’re a Victim
• Start to determine cost of attack
  – Recovery costs
  – Lost business
  – Legal expenses
  – Salaries
  – Technical and Security Contractors
• Maintain incident log and chronology
When You’re a Victim
• Know When to Contact Law Enforcement
  – Intrusions, theft, espionage, child pornography, hate crimes, threats, and fraud
  – Dollar losses due to intrusions exceed $5K
• Law Enforcement Difficulties
  – keystroke monitoring
  – legal restrictions (victim as agent)
Networking
• Establish relationships within industry
• Participate in computer security forums
  – All industries have common cyber-link
  – SANS, CSI, others provide useful security programs, plans
Infragard
• Cooperative effort between government and industry
• Local chapters meet regularly
• Secure web site for sharing information
• Security bulletins e-mailed to members
Final Thoughts
• Any computer system is vulnerable
  – Internet
  – Local user
• Private and Public sector need to work together
Contact Us
FBI - San Francisco Computer Intrusion Squad
22320 Foothill Blvd., Suite 530
Hayward, CA 94541-2700
(510) 886-7447
(415) 553-7400 [24 hrs.]
E-mail: [email protected] (an @fbi.gov address)