Establishing_strategic_level_anaysis_Brown_-_CTI_and_IR_Conference_London_2016

ESTABLISHING STRATEGIC LEVEL ANALYSIS

Cameron Brown

CAMERON BROWN – Establishing strategic level analysis@AnalyticalCyber

[email protected]

The views and opinions expressed in this presentationare solely those of the presenter and do not representany official policy or position of past or presentemployers of the presenter.

The material in the following slides is for informational purposes onlyand should in no way be construed as advice of any kind.

Disclaimer


[email protected]

Cyber Crime Defence Advisor

Information Security Strategist

International Legal Practitioner

Published Author

Cameron Brown

MIntSecSt, MPICT

LL.B, B.A (Behavioural Science)

Grad.Cert (Computer Crime Investigation)

Cyber Related Industry Experience

Legal Practice: Australian Attorney

Policing: State and Federal Law Enforcement

United Nations: Office on Drugs and Crime

Transparency International: Anti-Corruption

Academic Institutions: Australian National

University, Oxford, Max Planck, Korean

Institute of Criminology

Ernst and Young

• Information Security: Forensic Investigator,

Incident Responder, Trusted Advisor

• Risk Advisory: Strategic Cybersecurity

Introduction


[email protected]

75Billion

By 2020

Source: Cisco

Connected IoT Devices

Smart Phones

1.9Billion

By 2020

Source: IDC

Internet Population

4Billion

By 2020

Source: ITU/UNESCO

44ZettaBytes

By 2020

Source: IDC

Data Universe

Digital transformation and managing complexity


[email protected]

Threat intelligence and Incident Response

Market for cyber insurance

Cloud security opening new growth avenues

Increasing security needs across critical infrastructure, and utilities

Insider threats

Criminal activity within the Deep Web

Pervasiveness of online and digital data

Exponential growth of social media and business disruptors

Increasing severity of evolving threats to cyber security Tougher government regulations and penalties

Market Drivers

Market drivers for as robust strategic approach to cybersecurity


[email protected]

Unsophisticated attackers

(script kiddies)

You are attacked because you are on the internet and have a vulnerability – you represent a challenge

Sophisticated attackers

(hackers)

You are attacked because you are on the internet and have information of value – or they have a reason for disrupting your business

Corporate espionage

(malicious insiders)

Your current or former employee seeks financial gain from stealing/selling your IP – or they want to cause disruption for other reasons

State sponsored attacks

Advanced Persistent Threat (APT)

You are targeted because of who you are, what you do, or the value of your intellectual property

Ris

k

Attacker resources and sophistication

Revenge

Personal gain

Stock price

manipulation

Organised crime

(criminal networks)

You are attacked because you have information of value – for them to sell, to use as blackmail or hold to ransom

scri

pt

kid

die

sh

acke

rs

mal

icio

us

insi

der

scr

imin

aln

etw

ork

sA

PT

Amusement/

Experimentation/

Nuisance/

Notoriety

State sponsored espionage

Market manipulation

Competitive advantage

Military/political objectives

Any information of

potential value to sell

or use for extortion/

ransom:

Cash

Credit cards

Identities

Inside information

IP

Manipulation of

systems

Industrial espionage

and competitive

advantageMoney

Embarrassment

Political/social/

environmental causes

2016

► BrainBoot/Morris Worm

► Polymorphic viruses

► Michelangelo

1980s/1990s

► Anna Kournikova

► Sircam

► Code Red and Nimda

► Zeus

► Koobface

► Conficker

► Aurora

► Poison Ivy

► agent.btz

► Stuxnet

► WikiLeaks

► Anonymous

► MyDoom

► NetSky

► Sasser

► Concept Macro Virus

► Melissa

► ‘I Love You’

► SQL Slammer

► Blaster

► Fizzer

► SpyEye

► Flame

► CryptoLocker

Most companies have adequate cybersecurity controls in place to stop these threats……

….But the reality is these types of attacks are now more and more frequent and companies are not equipped to cope

Evolving threat landscape

Source: EY


[email protected]

Threat actors, intelligence and motivation


[email protected]

Source: Kaspersky

Highly organised and persistent

► Support for operations run by cyber-criminals has evolved into a global enterprise encompassing managed software deployments and scheduled updates, roadmaps for platform development, and even helpdesks to service needs of clients and users

► Innovative and agile illicit businesses harnessing expertise of specialists across various domains of online criminality.


[email protected]

Source: Check Point

Dark clouds and Malware-as-a-Service

► The Nuclear operation accumulated revenue of $100,000 a month

► Attackers renting Nuclear servers to view and manage a malware campaign

► ‘Customers’ able to disseminate any malware via the console, but not permitted to target endpoints in Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan and Ukraine (Eastern Partnership)

► Developer may have resided within one of these jurisdictions and keen to avoid extradition


[email protected]

► Just as threat perpetrator motivations and capabilities vary from group to group, so does OPSEC tradecraft

► Different actors have different requirements for privacy and anonymity

► Example: cyber crime forum operators must balance need to stay off the radar of law enforcement with need to sell and market their products

OPSEC and online criminality


[email protected]

Disrupt

Contain

Minimise

Redefining OPSEC for participants in the underground economy


[email protected]

► Participants in the underground economy are mindful of the threat posed by law enforcement and intelligence agencies

► Transnational criminal enterprises actively track developments in the media and academia, and pay off insiders to gain visibility into the activities of policing organisations

► As quick adopters, technological developments make criminal enterprises more agile and effective in meeting their operational security objectives which are focussed on anonymity, disinformation, disruption, secrecy, and containing exposure

► Yet, cybercriminals still face the conundrum of establishing trusted relationships among criminal co-conspirators

► The human factor is the weakest link for security in both the legitimate and underground economy

Threats, monitoring, early adopters, trust and the human factor


[email protected]

Uncovering

zero-day

vulnerabilities

Credential harvesting and target profiling

Developing

botnets and

malware

Scanning

systems for

items of value

to sell or exploit

Exploring

new

technologies

to leverage

and exploit

Following

media, blogs

and forums to

harvest open

intelligence

and react to

activities of

LEA

Research, development, and refining modus operandi


[email protected]

Source: Digital Shadows

Bulletproof hosting


[email protected]


Avoiding detection and obfuscation


[email protected]


Mentoring among cybercriminals


[email protected]

Use of codes / aliases for communication

Dead dropping

Cryptography

Steganography

Compromised intermediaries

Spoofing

Hiding in safe jurisdictions

Anonymity networks and proxy services

5

3

1

2

4

6

7

8

► “The idea is similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you - and then periodically erasing your footprints” (Tor)

Evasive techniques employed by miscreants


[email protected]

Ransomware evolving

Source: Symantec


[email protected]

► Malware is already becoming more situationally aware so as to avoid detection and resist static analysis by security researchers

► Nefarious code will evolve from the reactive polymorphic modes of today to a more proactive mission orientated design

► Like trained dogs sniffing for drugs at airports or concealed explosive devices in warzones, it is conceivable that cognitive computing will be used by criminals to autonomously hunt and capture valuable information from business networks and applications

► 16% of malware can recognise and exploit a virtual machine environment - vulnerabilities such as VENOM could allow attackers to escape a compromised virtual machine and attack others on the same system, or even attack the host hypervisor

Malware becoming more situationally aware

Source: Symantec


[email protected]

Source: Symantec

NEWER NASTY VARIANTS

STAMPADO

ENCRYPTING

THE ENCRYPTED

JIGSAW

COUNT DOWN

PUNITIVE DELETION

PHILADELPHIA

COUNT DOWN

RUSSIAN ROULETTE

► Miscreants are moving at a much faster pace than security countermeasures

► We can expect more targeted and destructive attacks, but also ransom demands that vary based on the attacker’s estimation of the value of the data being held hostage and/or the ability of the victim to pay some approximation of what it might be worth

► Increasingly attacks will target data intensive organisations like medical practices and law and architectural firms

Crypto-ransomware


[email protected]

Source: Bleeping Computer

Forcing capitulation


[email protected]

Source: Bleeping Computer

Forcing capitulation


[email protected]

Digital idealism


[email protected]

Digital realism


[email protected]

► Collaboration and information sharing

► Regional outposts as a visibility and compliance challenge

► Third-party vulnerabilities

► Understanding the shifting geopolitical landscape and impact on worker demography

► Preparing for crisis management (security fire drills)

► Seeking to do more with less via automation, correlation, and threat telemetry without due consideration around ‘care and feeding’ needed to drive these systems

► Organisations still seeing security as an IT issue

Security pain points for enterprises


[email protected]

► Misaligned reporting and governance structures can quickly lead to dangerous blind spots

► Many organisations have a lack of clarity around security roles and accountabilities

► Where silos exist and there is a disconnect between operational teams and middle management, an impasse occurs

► Functions inside an enterprise can quickly go dark and become starved of resources

► Effective communication channels between leadership and hands-on technical roles are integral to inform decision making, and the budget allocation

► Critically, the C-Suite needs to be aware of where valuable information is disbursed across their enterprise and how a compromise of that information will impact profitability, branding, and reputation

Silos


[email protected]

► Organic and inorganic business growth changes the attack surface and risk profile for an organisation

► As information systems converge and disparate networks are linked together, new security vulnerabilities emerge

► Architects of secure environments carefully tailor their systems to meet challenges within a specific context

► When the context shifts, so too will the stressors that impact these systems

► For continuous security improvement to occur, change management must be a key part of enterprise growth and contraction

Growth and change management


[email protected]

► For organisations that forward deploy their technology and human assets into the businesses of their clients, these unfamiliar environments will present new dangers

► This may be caused by differences in the way a business treats physical security or cultural peculiarities impacting the behaviour of the workforce in terms of how data is handled

► It's useful to consider this as analogous to taking an animal out of one habitat and placing it into another

► Changes in climate and terrain impact the ecosystems and ultimately alter the natural order of things

► Predators can quickly become prey

Forward deployment


[email protected]

1

2

3

4

Negative Social Media

Debilitating

operational pressure

Staff lockout from

system

Forensic investigation

and remediation costs

5Negative local and

international press

6Customer

notification costs

7Costs for contractual

breach, litigation, and

fines from regulators

8Loss of customers

and loss of sales

9 Loss of jobs and

business failure

Breach tree


[email protected]

1. Notice the worry

NO YES

3. Ask: Can I do something about it?

Let worry go Action plan

Change focus of attention

What? When? How?

NOW LATER

Do it!

Let worry go


Let worry go


Schedule it

Source: Adapted from Butler and Hope 2007

2. Ask: What am I worrying about?

Worry tree


[email protected]

VFAC Review No. 12 July & August 2016

https://eng.kic.re.kr/..

Considerations for defenders (open access)


[email protected]

IJCCVol. 9 January – June 2015

http://www.cybercrimejournal.com/..

Considerations for incident responders (open access)


[email protected]

UNODC2013

https://www.unodc.org/..

Considerations for governments (open access)


[email protected]

United Nations - Comprehensive Study on Cybercrime

Source: UNODC

TRANSLATION LINKS

Spanish:

https://www.unodc.org/documents/organized-

crime/cybercrime/Cybercrime_Study_Spanish.pdf

Arabic:


crime/cybercrime/Cybercrime_Study_Arabic.pdf

Chinese:


crime/cybercrime/Cybercrime_Study_Chinese.pdf

English:


crime/cybercrime/CYBERCRIME_STUDY_210213

.pdf

French:


crime/cybercrime/Cybercrime_Study_French.pdf

Russian:


crime/cybercrime/Cybercrime_Study_Russian.pdf

https://www.unodc.org/documents/organized-crime/cybercrime/Cybercrime_Study_Spanish.pdf

https://www.unodc.org/documents/organized-crime/cybercrime/Cybercrime_Study_Arabic.pdf

https://www.unodc.org/documents/organized-crime/cybercrime/Cybercrime_Study_Chinese.pdf

https://www.unodc.org/documents/organized-crime/cybercrime/CYBERCRIME_STUDY_210213.pdf

https://www.unodc.org/documents/organized-crime/cybercrime/Cybercrime_Study_French.pdf

https://www.unodc.org/documents/organized-crime/cybercrime/Cybercrime_Study_Russian.pdf


[email protected]

c

Questions

Establishing_strategic_level_anaysis_Brown_-_CTI_and_IR_Conference_London_2016

Documents