AT&T Security Consul2ng “The Dark Web”...Presentaon 9tle here—edit on Slide Master © 2017 AT&T Intellectual Property. All rights reserved. AT&T, Globe logo, Mobilizing Your

AT&TSecurityConsul2ng“TheDarkWeb”Sco$Sweren,Sr.ConsultantOctober2017

Presenta9on9tlehere—editonSlideMaster

©2017AT&TIntellectualProperty.Allrightsreserved.AT&T,Globelogo,MobilizingYourWorldandDIRECTVareregisteredtrademarksandservicemarksofAT&TIntellectualPropertyand/orAT&Taffiliatedcompanies.Allothermarksarethepropertyoftheirrespec9veowners.

Su$on’sLaw

2

“Whydoyourobbanks?”“Becausethat’swherethemoneyis”

WillieSu$on….bankrobber…author

Sutton’s Law: https://en.wikipedia.org/wiki/Sutton%27s_law



TheWorldToday

China Alleged to Have Hacked Three Medical Device Companies

Cybercrime Costs the Average U.S. Firm $15 Million a Year

Russia Hacked Hundreds of Western Asian Companies: Security Firm

63% of SMBs Increased Security Spending, but More Than Half Still Experienced Breaches

Ransomware Sales on the Dark Web Spike 2,502% in 2017



10WorstDataBreachesofAllTime

4

10.USGovt.Agency,2008:76millionrecords9.RussianInternetPortal,2014:98millionaccounts8.EntertainmentandElectronicsCo.,2011:102millionrecords7.USRetailer,2013:110millionrecords6.PaymentProcessor,2008-2009:130millionrecords

5.CreditAgency,2017:143millionaccounts4.ProfessionalSocialNetwork,2012:165millionaccounts3.PersonalProfessionalNetwork,unknown:360millionaccounts2.SocialNetwork,2016:412millionaccounts

1.  InternetPortal,2013&2016:1.5billionaccountscombined

Elizabeth Palermo & Paul Wagenseil Sep 8, 2017 HTTPS://WWW.TOMSGUIDE.COM/US/PICTURES-STORY/872-WORST-DATA-BREACHES.HTML#S2



2017Breaches

5

Heidi Daitch Sep 26, 2017 HTTPS://WWW.IDENTITYFORCE.COM/BLOG/2017-DATA-BREACHES

1

3

7

2

7

3

2

1

6

0

1

2

3

4

5

6

7

8

January February March April May June July August September

2017Breaches

32BreachesToDate



•  Spearphishingemail•  Plugginginathumbdrivethathasn’tbeen

securityscreened•  Socialengineering•  Lackofemployeetraining,awareness

aroundsecurity

•  Revenge•  Money•  Whistleblowers•  Hack9vism•  Espionage•  BusinessAdvantage

6

InsiderThreats MaliciousInsiderRisks

Source:AT&TCybersecurityInsightsReport–DecodingtheAdversaryVolumeh$ps://www.business.a$.com/cybersecurity/docs/decodingtheadversary.pdf

WhyBreachesHappen



SomeStats…

Source:PonemonIns9tute2016CostofDataBreachStudy:GlobalAnalysis



Applica9onSecurityStats…

8

Source:PonemonIns9tute2016CostofDataBreachStudy:GlobalAnalysis



UnrestrictedWarfare….

Records from Government Data Breach Surface on ‘Darknet,’ says Expert

QiaoLiangandWangXiangsui(Beijing:PLALiteratureandArtsPublishingHouse,February1999)



ItisaboutmorethanPaymentCardData

Financial Hack2vism CyberEspionage

Drivenprimarilybystealingdatathatcanbemone3zed(BOA,MAZAFAKA,RBN)

Wishtomakeapoli3calorsocialstatementwitha$acks(Anonymous,LulzSec,FSA)

StatesponsoredIPthe:tobenefitstatePrimarilyChina,andRussiaalthoughothercountriestakepart

WhataretheMOTIVATIONS?



CyberEspionage

Mo9vatedtoStealIntellectualProperty,corporatesecrets

Chinese,Russian,andothergovernmentssponsor

“PatriotHackers”takeupcause

Companiesperformingresearch–private,government,aerospace,IP,etc.

AdvancedPersistentThreat…”LowandSlow”

$300,000,000,000peryearcosttoUS

“TheUnitedStatesisUnderAAack…TheCommunistChineseGovernmenthasdefinedusastheenemy.Itisbuying,

buildingandstealingwhateverittakestocontainanddestroyus.Again,theChineseGovernmenthasdefinedusastheenemy.”

Source:DanaRohrbacher,USCongressionalSubcommi$eeonOversightandInves9ga9ons,April15,2011



12

ANewBa$lefield(APT)

NorthKorea–  50Kservers,SouthKorean

financialsystem(2013)

–  SonyPictures,“TheInterview”(Nov2014)

China–  RSA/EMCphishingemail,

0-dayFlashVuln(2011)–  LockheedMar9nVPN/

2FAa$ack,F35(2011)–  OPM21Mrecords

includingclearances(July2015)

Russia–  PentagonJCSemailhack

(Aug2015)–  WHemail(Apr2015)

US(withsupportfromIsrael)

–  IranStuxnet/Dukuenrichmentfacul9eshack(2010)

–  Equa9onGrouprevealedbyKaspersky(2015)

ImageSource:CNN.com

ImageSource:CNN.com

ImageSource:krebsonsecurity.com



Hack9vists;DrivenbyIdeology

Vic2ms-WorldBank,Stra]or,SONY,etc.

ShutdownsiteswithDDOSa$acks,stealdatato“makeapoli9calorsocialstatement”

–  Anonymous&LulzSec,FreeSyrianArmy

–  Entertainment,NewMedia,InternetPortals,etc.

“Oneman’sfreedomfighterisanotherman’sterrorist.Soletthemcallusterrorists,”headdedmomentslater:“I’lls3llbombtheirbuildings.”JeremyHammond

“SABU”



CyberCriminals-DrivenbyFinancialMo9ves

DmitryIvanovichGolubov“Script”(ARRESTED)–  Allegedtobeamajorcyberthief–  FounderofCarderPlanet–  RanforUkrainianSenate–  Headspoli9calparty

StevenWab(Convicted)–  CreatedTrojanresponsibleformajorretailbreaches–  Graduatedcollegeat19–  WorkedatMorganStanleyat9meofbreach

MaxRayButler“IceMan”(convicted)–  FounderofCardersMarket–  Recovered1.3millionaccountsonlaptop



“InternetPartyofUkraine”–DmitryGulubov(Script)



TheMostProlificGanginCyberHistory?

AlbertGonzalez"soupnazi"(convicted)–  Large-scaleretailbreaches

–  MostwhileonpayrollwithSS$75k/yr

–  Serving20yearterm

HumzaZaman,laundering(convicted)–  Internalbadactor,workedon-staffatglobalbankasnetworksecuritymanager

–  Moneymule,ATMs(FedExpor9ontoGonzalez)

MaksymYastremskiy“Maksik”(convicted)

–  Greatestprofiteer$11Mascarder

ChristopherScob&JonathanJames(convicted)

–  US-1wardrivingspecialists


©2017AT&TIntellectualProperty.Allrightsreserved.AT&T,Globelogo,MobilizingYourWorldandDIRECTVareregisteredtrademarksandservicemarksofAT&TIntellectualPropertyand/orAT&Taffiliatedcompanies.Allothermarksarethepropertyoftheirrespec9veowners.©2017AT&TIntellectualProperty.Allrightsreserved.AT&T,Globelogo,MobilizingYourWorldandDIRECTVareregisteredtrademarksandservicemarksofAT&TIntellectualPropertyand/orAT&Taffiliatedcompanies.Allothermarksarethepropertyoftheirrespec9veowners.

HowitisDone

17



18 Source:Verisign



19 Source:Verisign



TheDeepWeb…

Surfaceweb(clearweb)accountsfor4%ofcontent…19TBofcontent(1billionuniquedocuments)Deepwebaccountsfor96%ofcontentor7,500+TB(550billionuniquedocuments)Deepwebhasanes9mated1,000–2,000moreinforma9onthanclearwebUsedbyspies,journalists,dissidents,ac9vists,thoseinrestrictedcountries…andcriminals.

Source:CharlieAbrahams,MarkMonitor



Tor



h$p://zqktlwi4fecvo6ri.onion/wiki/index.php/Main_Page

TheHiddenWiki



FakeRealPlas9c



ZeroSquad&SafeDrop



Cebulka


©2017AT&TIntellectualProperty.Allrightsreserved.AT&T,Globelogo,MobilizingYourWorldandDIRECTVareregisteredtrademarksandservicemarksofAT&TIntellectualPropertyand/orAT&Taffiliatedcompanies.Allothermarksarethepropertyoftheirrespec9veowners.©2017AT&TIntellectualProperty.Allrightsreserved.AT&T,Globelogo,MobilizingYourWorldandDIRECTVareregisteredtrademarksandservicemarksofAT&TIntellectualPropertyand/orAT&Taffiliatedcompanies.Allothermarksarethepropertyoftheirrespec9veowners.

TheChallengeofDefiningSecurity



Denota9on?Connota9on?Somecommonlyusedphrasestodescribesecurity:

“Personal,privateorpublicprotec2on”?“Providingalevelofdefenseforatargetofhighvalueagainstaggressors.”?“LIFE,Property,Knowledge.Freedom”?“Beingpreparedtolessenoreliminatetheeffectofunwantedevents.”?“Protec2onfromvulnerabili9esandac9onstoreduceriskofcomprises.”?“Ensureconfiden2ality,integrityandavailabilityofsystemsanddata”?

“…intheabsenceofagreeddefini3onstheconceptofsecuritymeansdifferentthingstodifferentpeopleindifferentcontexts.”Manunta,Giovanni.“WhatisSecurity?”:SecurityJournal.1999Pg.57-66

Whatdowemeanwhenwesay“Security”?



Socrates,Jacobellis,&Security-Security201

Whatis“F-Ness”?Ifyoudon’tknowthen:

•  Youcan’tknowifsomethingisorisnot“F”

•  Can’tdescribethecharacteris9csof“F-ness”

•  Can’ttellsomeonehowtoachieve“F-ness”

“I shall not today attempt further to define the kinds of material I understand to be

embraced within that shorthand description ["hard-core pornography"]; and perhaps I could never succeed in

intelligibly doing so. But I know it when I see it, and the motion picture involved in this case is not that.”- Mr. Justice Stewart;

Jacobellis v. Ohio, 378 US 184 (1964)



Defini9onThroughNega9on(apophasis)

IcannotdefinewhatsecurityisthroughitsaAributesbutIcandefinesecuritybydescribingwhatitisnot.Nobodywilltellacompanywhentheyaresecurebutarequicktorenderanopiniona:erabreach…



“Giventhepoorstateofcybersecurity,compliance-drivensecurityisatbestaqualifiedfailure.”-CommiAeeonDeterringCyberaAacks:InformingStrategiesandDevelopingOp3ons;Na3onalResearchCouncil

PCIDSS,FISMA,HIPAA/HITECH,SB1386,NREC,FRPA,ISO27001,MPSA,PADSS,etc.,etc.,etc.!

Because‘we’can’tdefinesecuritywedefaultto‘compliance’…

Proceedings of a Workshop on Deterring CyberAttacks: Informing Strategies and Developing Options for U.S. Policy Committee on Deterring Cyberattacks: Informing Strategies and Developing Options; National Research Council ISBN: 0-309-16086-3, 400 pages, 8 1/2 x 11, (2010)



TheChallengewithSecurityToday

“Informa3onSecurityProfessionals”arereally“technologyprofessionals”andnot“securityprofessionals”

Securityisul9matelyaboutpredic9ngandcontrollinghumanbehaviorontwosidesofarela9onship…SecuritydescribesanAdversarialRela9onship

Frequen9stProbabilityModelsareineffec9veforAdap9veThreats…BayesianProbabilityisabe$ermeasure

SecurityProfessionalsinalldomainsneedtounderstand… -  Ra9onalActorModel

-  Deterrence/Compellencetheory-  ThreatAdapta9on-  ThreatAsymmetry-  ParallaxandConvergence

-  ChangeBlindness-  ProximateReality-  DefenseinDepth-  Condi9onalProbability-  Etc.!!



Adap9veThreats&AsymmetricThreats

“..includesthreatsinten3onallycausedbyhumans.”ItfurtherstatesthatAdap9veThreatsare:“…causedbypeoplethatcanchangetheirbehaviororcharacteris3csinreac3ontopreven3on,protec3on,response,andrecoverymeasurestaken.”–DHSLexicon,2010

AccordingtoPimmerman,anAsymmetricThreatmustmeetthreecriteria.Thesehavebeenmodifiedforourpurposesandinclude:

1.  Itmustinvolveanexploit,tac9corstrategythattheadversarybothcouldandwoulduseagainstanorganiza9on

2.  Itmustinvolveanexploit,tac9c,orstrategythattheorganiza9onwouldnotemployagainsttheadversary

3.  Itmustinvolveanexploit,tac9c,orstrategythat,ifnotcountered,couldhaveseriousconsequences


©2017AT&TIntellectualProperty.Allrightsreserved.AT&T,Globelogo,MobilizingYourWorldandDIRECTVareregisteredtrademarksandservicemarksofAT&TIntellectualPropertyand/orAT&Taffiliatedcompanies.Allothermarksarethepropertyoftheirrespec9veowners.33

IsthisaValidStatement?(hint..HindsightBias)

“Felixquipotuitrerumcognoscerecausas”

“blessedaccomplishmenttheirs,whocantrackthecausesofthings”-Virgil;420BC


©2017AT&TIntellectualProperty.Allrightsreserved.AT&T,Globelogo,MobilizingYourWorldandDIRECTVareregisteredtrademarksandservicemarksofAT&TIntellectualPropertyand/orAT&Taffiliatedcompanies.Allothermarksarethepropertyoftheirrespec9veowners.34

“…atcurrentspendingrates,companiesareonlyaddressing68%ofvulnerabili3es.Toachieve95%protec3on,companieswouldneedtoincreasespendingby700%from$30.8millionto$270.9million.

PonemonIns9tute;2012

“Today,thePCIprocesstakesupto55%ofthetotaldatasecuritybudgetforretailers…”

IHL;2015

SpendingOurselvesIntoOblivion



35

Whichwouldyouratherhave?

Magne9cLock

PalmReader

KeyLock

ComboDeadbolt

SecurityGuard

IrisScannerBadgeReader



•  StrengthenYourSecurityFounda9on•  Focusyourteamonthebasicsfirst

•  MakeSecurityEveryone’sResponsibility•  Employeetraininghelpsturnemployeesintoa

maliciousinsiderearlywarningsystem•  BreakDownOrganiza9onalSilos

•  Demandsecurityteamshavefullaccesstoalldataandrecordsinalldepartmentsanddivisions

•  InvestinBehavioralAnaly9cs•  BigDatatoolscanhelpsniffoutac9vi9esbymalicious

insiders

•  TrainYourUsers•  Offermandatorysecurityawarenesscourses

•  SharetheSecurityResponsibility•  FollowISO27001tocreateasteeringgroup

•  EmployeeBuy-inforSecurityStartsattheTop•  Leadbyexample

•  EnforcetheRules•  Enforcesecuritytrainingeffortswithpromptand

highlyvisibleenforcementofyoursecuritypolicies•  Don’tBanShadowIT,ManageIt

•  Findoutwhybusinessunitsbuycloudservicesandsecurethem

•  EvaluateandMonitorYourSuppliers•  Assesstheirsecurityandcomplianceprac9cesbefore

andwhiledoingbusinesswiththem

36

MaliciousInsiders Uninten9onalInsiders

Source:AT&TCybersecurityInsightsReport–DecodingtheAdversaryVolumeh$ps://www.business.a$.com/cybersecurity/docs/decodingtheadversary.pdf

ThingsYouCandoToday



Documents

AT&T Security Consul2ng “The Dark Web”...Presentaon 9tle here—edit on Slide Master © 2017 AT&T Intellectual Property. All rights reserved. AT&T, Globe logo, Mobilizing Your