eEconomy / Cyber Sec Michael Goedeker - CEO

Page 1: eEconomy / Cyber Sec
Michael Goedeker - CEO

© 2015 · Auxilium Cyber Security GmbH

Page 2: Our Story… Business Focused Security

o Our goal is to make threat Intel, and systems capable of providing actionable threat Intel that businesses and nations can use.
o Initial start of Threat Research with Windows and Unix (first mainstream viruses) (Firewalls, Logs, SNMP, Syslog, packet capture, IDS, IPS, SIEM & DAM)
o Academic Research into Innovative leadership of Security Teams
o Research into Cyber Espionage / Warfare as a factor in Cyber Crime
o Creation of Cyber Unit Trainings for Gov. and Corporate Customers
o Creation of AIFM – Actionable Intel Focus Methodology
o Creation of PSTM – Proactive Security Team Methodology
o Creation of SITAM – Secure IT Asset Management Methodology
o Creation of ETM – Evolving Threat Methodology

Page 3: Our approach to Security

o Creating an accurate picture
  o Proactive security
  o Understanding risks / threats
  o Getting Actionable Intel
o Continuous Research / Understanding Threats
  o Always evolving and dynamic
  o Creating proactive and tested methods
  o PSTM
  o SITAM
  o ODA
o Business Focused Security
  o Security as a “business critical” process with benchmarks & goals
  o Providing ROI for Security Investments that protect and increase revenue

Cycle diagram: Assessment -> Classify -> Audit -> Actionable Intel -> Analyze -> Improve

Page 4: Time for a Hypothesis

o H1 - Attacks are successful because they have become undetectable by current Anti Virus, Firewalls and other current technology
o H2 - Attacks are successful because they are dynamic & complex (spillover of tech)
o H3 - Attacks are becoming polymorphic in nature (due to them evolving and tech spillover), which makes them detection averse!
o H4 - Security Teams and Classical security training are not targeted at or teach how to detect spyware and next gen threats (our Proactive Security Team Methodology PSTM)
o H5 - Currently security processes, procedures and awareness are not adapted to coping with Next Gen Threats!
o H6 - When “new” attacks and technology are published or found, they are reverse engineered

Page 5: The definition of “Cyber”

Definition of Cyber (What does it really mean???)

o Origin of cyber and what it meant, how that changed

Page 6: Introduction to “Cyber” Security

“Cyber” really involves a few core things

o The Internet
o The eEconomy (how we use inter-connected systems for eCommerce and eBusiness)
o The Global Electronic World (Cyberspace)
o Traditional Network, Server and Clients that “connect” with each other
o Changes in how systems are attacked (Cyber Threats)
o Changes in Traditional Security due to new “threats” (Cyber Security)
o Changes in Warfare (Cyber War), Espionage (Cyber Espionage) and Crime (Cyber Crime)

Page 7: Introduction to “Cyber” Security

Cyber History 101

o The Internet was never meant to be secure!
o A global system used to communicate with others
o The importance was on being able to communicate, even when the network was attacked because of a nuclear bomb
o Used to connect military, agencies and universities
o Security was originally not impacted by this first version (ARPA)
o Security and confidentiality was never part of the equation

Page 8: Introduction to “Cyber” Security

o Networks and the protocols of the Internet were not restricted in any real tangible ways because the objective was communication
  o TCP / IP
  o HTTP
  o HTTPS (this came later with SSL)
o No one ever thought that this network would be as critical as it is today
  o Interconnected Systems
  o Basis for an entirely new type of economy
o This open communication is the root of most of the web application, network services and router, firewall hacks and vulnerabilities today
  o Challenging communication connections
  o Data-in-transit security
  o Requests / Responses

Page 9: Introduction to “Cyber” Security

o The Internet has formed the basis for eBusiness and eCommerce
  o Small companies are now global players because of reduced investments needed to deliver goods
  o Competition is totally different because all nations are part of the economy
  o All nations are impacted by the eEconomy
o National Borders
  o The Internet has no national identity or border
  o 24/7, not closed for any holidays and always on
  o Nations cannot control what comes in or out of their “portion” of the internet
o Legal Issues
  o There is no global law for things “Cyber”
  o No global police force that monitors who is misbehaving

Page 10: Why Security is Business Critical..

o Not just about large corporations, SMBs get attacked more and more
o SMBs spend less on security but also find fewer attacks; is there a connection?
o Security is a critical business process, it protects revenue and products

Page 11: What is going on today in “Cyber”…

o Increase in attacks and complexity on all levels and for all businesses including SMBs!

Pages 12-13: What's going on in the Cyber World

o Here are some attacks in April..

Pages 14-15: What’s going on in the Cyber World

“Cyber” really involves a few core things

Page 16: What’s going on in the Cyber World

The CAPEC Website and CybOX initiative

Page 17: “Cybernetic” Definitions

o Cyber Espionage – This is the term that is used to refer to using computers, computer technology such as malware, viruses and more complex spyware for spying. Recently the lines that separate espionage from cyber crime, warfare and terrorism are very thin if not diluted
o Cyber has introduced a move from HUMINT to computer based espionage
o Think of the old classical phone taps and transpose this onto network devices, cables and connections

Page 18: “Cybernetic” Definitions

o Cyber Crime – This is essentially using criminal tactics that use computer systems to steal data and also implant espionage technology in order to bypass security systems and personnel. Cyber crime can involve espionage tech as well as warfare tech (and often does). This is a newer type of “crime” and also has the more traditional crime approaches that use electronic means in an effort to lower the risk of capture and raise the return on investment of the criminal or gang.
  o Traditional criminal acts by electronic means (i.e. cracking, card skimmers, interception).
  o Leveraging criminal groups for espionage or hacktivism
  o Cyber Terrorism

Page 19: Cyber Threats – Security Evolves

o Open systems lead to new architecture, network services, new protocols and network devices that were created to enable global communication
o Based on the global nature of internet connected systems and potential attacks, security teams need a new approach to security
o New threats are also classified as “Cyber Threats” and can target anything and anyone 24/7

Page 20: Cyber Threats

As new technology and access to otherwise closed systems was opened, so do we also have new types of attacks and technologies that are used to attack those systems

o Botnets
o Social Botnets
o Espionage based attacks that steal data and information
o DOS / DDOS
o Drive-by-downloads
o Last Mile Interceptions
o Transmission Bugs / Intercepts
o Critical Infrastructure
o Cyber Kidnapping
o Cyber Extortion
o Hacktivism

Page 21: How new threats enter the eEconomy

o When “new” attacks and technology are published or found, they are reverse engineered
o New attacks are then “rewritten” for cyber crime based attacks
o Stolen data is also purchased from (crackers) by nations
o Espionage is also done on a corporate level by nations
o New attacks lead to the need for better defenses and protection
o Security Teams as a result need to be dynamic, up to date, knowledgeable in Cyber Threats

Flow diagram: Nation Develops Technology -> Military Hacker uses attack on target -> Target reverse engineers technology -> Cyber Criminals modify technology -> New Cyber Crime / War attack

Page 22: The eEconomy and Cyber Threats

o Everything connected to the Internet and its network of systems and businesses is a separate economy
o As discussed in the introduction, cyberspace has no traditional borders and so it spans the entire world
o Any attack on the internet such as a DOS (Denial Of Service) or DDOS (Distributed DOS) can potentially impact all businesses connected to the Internet
o Any Cyber War, Espionage and Crime can also impact this “Economy”

Page 23: The eEconomy and Cyber Threats

o The Internet is global, has its own economy and in some cases its own currency (aka BitCoin, etc.)
o If someone attacks the Internet, they also attack this separate economy
o Does an attack on the Internet endanger local economies?
o Does Espionage make this economy more or less trusted and used?
o Who is responsible for governing the Internet and its economy?

Page 24: Threats and Critical Infrastructure

o A term that only recently has come up in the cyber world
o Started in its more modern form in 1998 with the US Presidential directive PDD-63 of May 1998
o Listed vital and important assets that were critical to the country
o Was updated by President Bush on December 17th, 2003 by Homeland Security Presidential Directive HSPD-7 for “Critical Infrastructure Identification, Prioritization and Protection”

Page 25: Critical Infrastructure Protection

Protecting Critical Infrastructure (audits, assessments, defense & threat / infection detection)

o National Borders
o Utilities
o Financial Industry and “Economy Critical”
o Global and National Corporations
o National and Local Government, Law enforcement, Agencies
o Military and Defense Industry
o Educational, Cultural, Parks, Museums
o Telecommunications, Transport and Agriculture

Page 26: Threats and Critical Infrastructure

o Some of the “assets” deemed important to a nation’s stability and well-being are listed on the right
o The EU also has something similar called EUCOM 2006
o Another term is “Infracritical” and can be referenced at: http://www.infracritical.com/images/cip-sectors5.jpg
o http://www.sciencedirect.com/science/article/pii/S1040619014000268

Assets listed on the right of the slide:
o Water
o Power
o Banking & Financial Institutions
o Transportation, Logistics & Shipping
o Information & Communications
o Federal & Municipal services
o Emergency Services
o Fire Departments
o Public Works
o Agriculture & Food
o National Monuments & Icons

Page 27: Attack Chain for Critical Infrastructure

Page 28: Cyber Defense

o Understanding in writing Malware, Virus, Worms and Rootkits
o Understanding of OS and Application Vulnerabilities
o Understanding of defensive technologies
o Interception methods (network, communications systems)
o Usage of OSINT against targets
o Understanding and reverse engineering previous attack technologies to understand how to defend
o Usage of executive buy-in
o Using Awareness and Awareness Campaigns
o Integration of ITIL Processes like Asset Management, Change Management, Incident Management, Problem Management, etc.
o Integration of ISO2700X
o Looking at and integrating SANs

Page 29: Cyber Defense and Hacking

o Hackers are not Crackers (Criminal Hackers)
  o Hackers understand technology, improve on it
  o Find holes so that people are aware, ask for fixes
o Crackers are the criminals
  o Crackers use vulnerabilities to exploit and break into systems
  o Disrupt systems for financial gain or Lulz
o Hacktivists
  o Like Crackers but have political motivations
  o Can in extreme cases turn into Cyber Terrorists

Page 30: Cyber Defense and Hacking

o Hacking is a science
  o The reason or motivation tends to point to a narrow set of profiles
o Intel and Recon are vital to hacking

Page 31: Cyber Defense and Hacking

o The reason for a hack defines the hacker profile
  o Also points to possible goal
    o Cyber Warfare
    o Cyber Espionage / Corp Espionage
    o Cyber Crime
    o Cyber Terrorism

Page 32: Cyber Defense and Hacking

o Intel
  o Gathering information about the target and scoping out the company are vital to successful hacking
  o Good hackers will spend a majority of their time here (80%+)

Page 33: Cyber Defense and Hacking

o After getting intel and noting down any interesting pieces of information, we move on to the next phase which is Identifying and looking for potential systems and vulnerabilities
o This includes using tools like Google dorks, Shodan and other tools that search but do not leave an imprint or trail

Page 34: Cyber Defense and Hacking

o After identifying potential target systems it's now time to look at specific exploits and prepare them for testing
o We take the information from previous phases to select low hanging fruits and then match these with zero day attacks or CVEs

Page 35: Cyber Defense and Hacking

o After accessing a system it is then time to look around in the system for more important data, information or planting malware or rootkits
o While injecting or installing tools, it also becomes important to keep access by deleting important logs, alerts, etc.
o This phase is also where additional users are added to maintain access if activity is detected

Page 36: Cyber Defense and Hacking

o Here we are close to the goal or have achieved the goal
o Data and information are saved and stored off-site
o Depending on the goal the website was defaced, the server was corrupted, a rootkit installed or systems disrupted

Page 37: Cyber Threats – Botnets

One of the biggest threats today in cyberspace is the Botnet

o Botnets are used in cyber war, espionage and crime
o Botnets can have very complex structures
o Are typically used for DOS/DDOS attacks and can have attack bandwidths over 100 Gbps!
o Are created very quickly and are very economical

Diagram labels: BotNet Owner; Cybil Creator; Command & Control Server; Social Media Monitor; Target 1; Target 2; Target …

Pages 38-39: Cyber Threats – Botnets (Normal / Social Media)

There are different types of Botnets, we will talk about two

o “Traditional” or normal
o Social Media BotNet

Page 40: Cyber Threats - Botnet Attack Case Study

Here is an example of a Botnet attack case that we see and resolve on a regular basis

o Attack Case $Random Company

Page 41: How Cyber Threats have emerged

o Initially we dealt with “typical” threats
  o Malware, Virus, Worms
  o Less from Nations
  o More from Groups
o Increase in Hacktivism
o Emergence of Espionage as a way to steal corporate data
o Emergence of the “Military Hacker”

Page 42: Threat Evolution Methodology

How Threats evolve via Espionage & Warfare into Cyber Crime

o Cyber Warfare Technology develops
o Cyber Espionage develops
o Developed technology finds its way into Cyber Crime groups
o Technology is reverse engineered

Page 43: Threat Evolution Methodology

New Threats evolve from old

o Old Attacks are developed and tested
o Old technology improved
o New Types of attacks are developed
o New variants turn into completely new threats
o Traditional Security got “stuck”

Pages 44-45: Threat Evolution Methodology

How Threats evolve via Espionage & Warfare into Cyber Crime

o Cyber Warfare Technology develops

Page 46: Cyber Defense / Anti Espionage

Defense
o Creation, Training, Implementation
o Support, Audits, Assessments
o Cyber Defense Systems

Offense
o Creation, Training, Implementation
o Support, Audits, Assessments
o Cyber Offense Systems

Products/Services
o Interception Detection / Blocking
o Secure Infrastructure

Page 47: Cyber Defense / Anti Espionage

Impact factors of Cyber Defense
o Creation, Training, Implementation
o Support, Audits, Assessments
o Cyber Defense Systems

Page 48: Cyber Defense / Anti Espionage

Social Engineering
o Drive-By-Downloads
o Phishing / Emails
o PDF or Email Attachments
o Dumpster Diving
o Tailgating

Intel
o Traditional
o Social Media
o Maltego
o Web Leaks

Page 49: Cyber Defense / Anti Espionage

Web Applications / Web 2.0, 3.0
o MitM
o SQLi (SQL injection)
o XSS – Cross Site Scripting
o Authentication (Verification)
o Weak Passwords (Cracking)

Page 50: Cyber Defense / Anti Espionage

Hardware Hacking
o Baseband – Telephones
  o Only 2 manufacturers
o Supply-Chain-Hacking/Espionage
  o Firmware
o Out-of-Band Management
  o AMT / Intel
  o Out of band protocol used to spy on people via chipset
o Signals Hacking
  o Signals Interception
  o GSM, 3G and 4G
  o Sat

Page 51: Cyber Defense / Anti Espionage

Next Generation Hacking
o Combining old tech with new features
o Using Hostile Encryption (Ransom)
o Solutions that proactively intercept traffic and signals (Heat, Wifi, Sound)
o Application Backdoors
o Cloud Backdoors (AWS & Co.)
o Critical Infrastructure
o Cyber War / Espionage

Page 52: SOC – Security Operations Center

Core ITIL Processes
o Incident & Problem Management (*)
o Change Management (*)
o Risk Management (*)
o Service Desk, Service Level Management (*)
o IT Asset, Configuration Mgmt. / CMDB (*)
o Application, Test and Development Mgmt.
o IT / Strategic Planning (*)
o Release, Deployment, Capacity & Availability Mgmt.
o Demand & Service Continuity Mgmt.
o Vendor / Supplier / Partner Management

(*) = Minimal Requirements

Page 53: SOC – Security Operations Center

Basic Level (logs, files, Agents, Monitoring)
o LAN / WAN / VPN / Proxy
o Firewall / IDS / IPS
o AV (Client, Server and Mobile Devices)
o Data Base Monitoring / Access & ID Management
o Service Desk

Advanced Level
o Software Catalogue, CMDB
o NAC
o SIEM
o Threat Intel (sensors & system)
o Proactive Security Tools and Lab

Page 54: SOC – Security Operations Center

Personnel
o Manager
o SIEM / Monitoring Engineer
o Analyst
o Incident Response / Blue / Red(?) Teams

Technology
o Software
o Hardware
o Facilities / Data Center

Services
o Event Monitoring, Correlation, Incident Response/Management
o Consulting, Training
o Penetration Testing, Audits, Assessments

Page 55: SOC – Security Operations Center

In-house
o Own staff & technology (larger companies)
o Higher Costs
o All Skills in house

Outsourced
o Outsourced staff & systems (SMBs)
o Skills purchased externally
o Lower Costs (depending on levels)

Hybrid
o Mixture of in-house and external staff & technologies
o Services via long term contracts possible
o Mixed costs (in some cases cheapest option)

Page 56: SOC – Security Operations Center

SOC Reasons: Laws, Regulations
o Based on National & International Laws
o High fines for non compliance or breaches

Protecting Revenue
o High Risk of attacks
o High Risk of lost revenue due to downtime, IP theft or disruption

Critical Infrastructure / National Defense
o National Security
o Economical or Cultural Collapse
o Cyber War and Espionage Defense

Page 57: SOC – Security Operations Center

Business Case
o Assessment on what is in place for SOC
o Business Case for SOC

Classify
o Security Service Catalogue needed
o Catalogue of security services needed

Audit
o Build Management / Ops pieces to support SOC

Actionable Intel
o Build Technology in place for Event Mgmt. etc.

Analyze
o Start Operations and gather metrics

Improve
o Tweak Operations and Tech to achieve goals

Page 58: Proactive Threat Intelligence

Interpreting and unifying threat Intel that’s usable
o Firewall, SIEM, IDS/IPS from multiple InfoSec Event & Info Systems into actionable Intel
o Planning, Configuring, Implementing and Tweaking
o Threat Research into Cyber Espionage, War and Crime
o Turning systems into proactive threat and cyber threat management systems (also using PSTM and SITAM)
o Providing NOC, SOC and Detailed Security Analysis via team of globally experienced Forensics and InfoSec professionals
o Additional Threat Intel via Partners and Social Media Analysis

Page 59: Penetration Test, Audit, Assessment

Diagram (SOC 2.5) labels: Vulnerability Status / Report; SIEM Dashboard; Proactive Monitoring; Alert & Event Reporting; Incident / Problem Management; Threat Feeds; Change / Risk Management; Event Correlation; API, Agents, Logs, Other; Environment; Threats; OSINT; Proactive Intel (security posture & status) Dashboard

Page 60: Governance & Actionable Intel

Diagram labels: Regulations, standards & Best Practice; Proactive & Actionable Intel (Dash); Governance; ITSM; ITAM; Risk, Kill Chain Relevance; Apps, Data & Info, IP; FW, Net, IDS, IPS, LM, SIEM, TI; Hardware, Firmware, Baseband; Threats; Environment

Page 61: Attack Case Studies

Page 62: The Big Picture

Threatbutt
o Attacks going on in real Time

Page 63: The Big Picture

Norse
o Attacks going on in real Time