Hackers Interrupted

SESSION ID: CCT-W05

Alex Holden, Chief Information Security Officer, Hold Security, LLC (@HoldSecurity)

#RSAC

Hackers Interrupted - RSA Conference Interrupted. CCT-W05. ... Resume Petty Crimes Crime & Punishment ... Use Threat Intelligence as a defense technique. Understand the Dark

May 01, 2018

Transcript
Page 1: Hackers Interrupted

SESSION ID: CCT-W05

Alex Holden

Chief Information Security Officer, Hold Security, LLC

@HoldSecurity

Page 2: Understanding Hackers

Why is this important?

Can this stop cyber crime?

Transcending technology

Page 3: What Drives a Hacker?

HACKTIVISM REVENGE STATE-SPONSORED

FOR-PROFIT CRIME

Page 4: Modern Hacker

Page 5: What is a Threat to You

Defamation and Reputation Loss

Stolen Secrets

Stolen Data

Availability

Page 6: Learn to be a Hacker

Carding University

Virtual Carding Basics

Hacker University

Job After Graduation

Professor’s Insight

Page 7: Hackers’ View of Us

Tessa88:
Foreigners
the common folk
I despise them
they are garbage to me

War of stereotypes

“I’m fighting a holy war against the West… They drive their Rolls Royce's and go home to their million-dollar houses, while people here are struggling. I will never harm my fellow Slavs; but America, Europe, and the rest of the world deserve it.”

- aqua (jabberzeus)

Page 8: Target Retail Stores Breach

Kartoxa POS malware author Rinat Shabaev was looking for a regular programming job, asking for about 12 USD per hour. After failing to find one, he was recruited to write a virus that stole financial data from 40 million victims.

Page 9: Target Breach – Delivery Man

Page 10: Target Breach

Page 11: Extortion - Ransomware

Page 12: San Francisco Municipal Transport Agency Ransomware Attack

What Happened?

Hacker Techniques

Who Is To Blame?

How To Defend?

Page 13: The Russians Did It

Yandex Mail Messages

Russian Phone Numbers

х Language Preferences

х Access Techniques

Page 14: Hackers Setup

Discovery and Attack Server

Scan the Internet

Exploit

Explore

Infection Server

Extort and Communicate

Page 15: San Francisco Light Rail Ransomware

Metropolitan-area railroad transportation system paralyzed by a ransomware attack sourced from Iran

Page 16: Target the Internet

Scans of 4.0.0.0/8 network (Layer 3)

Scan of 75.0.0.0/11 network (AT&T)

Found target at 75.10.2xx.xxx: SFMTA Oracle Primavera server

Exploited vulnerability

Identified a network with 8,000+ systems

Continued scanning US, Iran, and other networks.

Page 17: Tessa88

Page 18: Who is the Real Tessa88?

Hacker sells stolen credentials from major breaches. Creates instability by exposing billions of accounts, and lying about Twitter and Yahoo breached data.

Page 19: Graduation to a Criminal

Resume

Petty Crimes

Crime & Punishment

Graduation

Page 20: Drugs

Hiroshima

Also called “Atomic Bomb” or “Atomic Blast”

Contains synthetic cannabinoid products like JWH-018

Page 21: 2014 – Drug Runner

Page 22: While in Prison

I see a dream
I am DROWNING

My heart beats fast
I want to ESCAPE
Take a deep breath

This is only a dream
Only a NIGHTMARE

I see myself
I am a bird flying so high

I wake up
I am still in SHOCK

White pillow
Bed CAGE
I am LOCKED UP

My mood is dim
World disappeared
This is my reality now

Page 23: Yahoo – Summer 2016

July sample

Fake sale

Page 24: Malware Tech – Marcus Hutchins

Transformation from hacker to a security researcher

2009 – Selling password stealers and scareware

2012-2014 – Distribution and reselling of viruses and exploit kits

2014 – Emergence of a researcher alter ego

2017 – Accidental discovery of WannaCry killswitch.

Page 25: Understanding Hackers

Hackers are human with faults

Hackers are ruthless

Hackers are innovative

Understanding the human side of a hacker leads to improvement of our defenses

Page 26: Defense Techniques

Learn about your enemy

Tune your defenses toward the threat

Fortify against hackers NOT auditors

Page 27: Defenses 101

Viruses

Credentials

Misconfigurations

0days

Page 28: Using Knowledge to Discourage Hackers

Increase the complexity required for an attack, making your infrastructure as inhospitable and fruitless as possible for an attacker.

Create honeypots in systems, applications, functions, and data as early indicators of ongoing attacks or exploitation.

Use Threat Intelligence as a defense technique. Understand the Dark Web. Stay ahead of the adversary by adapting your defenses to their attack techniques.

Page 29: Conclusions

Hackers are winning

We are improving

Understanding our adversary is the key