GTCW13 Winning the Cyber Security Battles - Tom Osborne

  • 7/27/2019 GTCW13 Winning the Cyber Security Battles - Tom Osborne

    Federal Bureau of Investigation Cyber Program

    The Cyber Threat

    Sacramento Division

    Assistant Special Agent in Charge Tom Osborne

    UNCLASSIFIED//FOUO

    Cyber as an FBI Priority

    UNCLASSIFIED//FOUO

    Down the road, the cyber threat, which cuts across all FBI programs, will be the number one threat to the country, surpassing terrorism.

    FBI Director Mueller

    Who are the Adversaries?

    SECRET//NOFORN

    Threat Level 1: Inexperienced

    Limited funding

    Opportunistic behavior

    Target known vulnerabilities

    Use viruses, worms, rudimentary trojans, bots

    In it for thrills, bragging rights

    Easily detected

    Threat Level 2: Higher order skills

    Well-financed

    Target known vulnerabilities

    Use viruses, worms, trojans, bots to introduce more sophisticated tools

    Target and exploit valuable data

    Detectable, but hard to attribute

    Threat Level 3: Very sophisticated tradecraft

    Foreign Intel Agencies

    Very well financed

    Target technology as well as info

    Use wide range of tradecraft

    Establish covert presence on sensitive networks

    Undetectable?

    Sophistication, Expertise, Funding, Patience, Target Value

    UNCLASSIFIED//FOUO

    HACKTIVISTS

    Although the term hacktivist refers to cyber attacks conducted in the name of political activism, this segment of the cyber threat spectrum covers everything from individual hackers seeking thrills and bragging rights to hacker groups conducting distributed denial of service (DDoS) attacks and website defacements against government and

    UNCLASSIFIED

    Hawthorne PD

    CRIMINAL

    Organized criminal groups have easily adapted to today's technology in exploiting the cyber arena. These groups continually attack systems for monetary gain through identity theft, online fraud, computer extortion, phishing, and spyware/malware.

    UNCLASSIFIED

    Botnet Threat to Financial Sector

    A credential stealing malware created by Eastern European cyber actors

    Use Malware to carry out online bank account takeovers and steal information

    Multiple versions available on the cyber underground making it easy to obtain

    Evolving variants make it hard for anti-virus to detect

    UNCLASSIFIED//LAW ENFORCEMENT SENSITIVE

    Botnet Case Highlight: Operation Ghost Click

    UNCLASSIFIED

    Botnet Initiative: Operation Clean Slate

    Hill/W.H. Notification

    Draft JIB

    State/Local and Trusted Partners (Website, IC3, InfraGard)

    Public Awareness (PSA, Newspapers, Advertisement)

    Coder

    Herder

    Users

    Botnet/Malware

    UNCLASSIFIED

    INDUSTRIAL ESPIONAGE

    Every year, billions of dollars are lost to foreign and domestic competitors who deliberately target economic intelligence in U.S. industries and technologies. Through cyber intrusions, these intruders search for intellectual property, prototypes, and company trade secrets to gain an illegitimate advantage

    UNCLASSIFIED

    STATE ESPIONAGE

    Foreign adversaries use cyber tools as part of traditional intelligence-gathering and espionage activities. These adversaries conduct computer network operations that target military and governmental organizations' intellectual property and insider information.

    UNCLASSIFIED

    Advanced Persistent Threat

    Intrusion Phases

    Infiltration: Reconnaissance, Infection

    Persistence: Escalate Privileges, Install Utilities, Enumerate the Network, Establish backdoors

    Exfiltration: Harvest data, Exfiltration, Conceal activity

    UNCLASSIFIED//FOR OFFICIAL USE ONLY

    Recent Financial Sector Cyber Events

    [Chart: Gbps per Attack. Y-axis: Peak Gbps, 0 to 140. X-axis: January, February, March.]

    UNCLASSIFIED

    Recent Energy Sector Cyber Events

    UNCLASSIFIED

    CYBERTERRORISM

    Cyberterrorism is disruptive or destructive acts perpetrated against noncombatant targets at the direction, on behalf, or in support of a terrorist group or their ideology, through the use of computer network attack or exploitation. Such intrusions/attacks are intended to intimidate or coerce a government or population in furtherance of a social, political, ideological, or religious agenda by causing

    UNCLASSIFIED

    Priority Cyber Threat Target

    Critical Infrastructure

    Industrial Control Systems (ICS) / Supervisory Control and Data Acquisition Systems (SCADA): Controlling the nation's critical infrastructure.

    UNCLASSIFIED//FOUO

    STATE-SPONSORED DISRUPTIONS/WAR

    Several nations are aggressively working to develop cyber warfare doctrine, programs, and capabilities. Cyber warfare enables a single entity to have a significant and serious impact by disrupting the supply, communications, and economic infrastructures that support military power, impacts that could affect the lives of citizens across the country.

    UNCLASSIFIED

    Individuals

    Nation-States

    Hacktivist Groups

    Organized Crime Syndicates

    Infrastructure

    Industry

    Law Enforcement & Government

    Nation States

    Individuals

    UNCLASSIFIED

    FBI Investigative and Operational Capabilities

    Investigative Interviews

    Evidence Collection

    Electronic Surveillance

    Network Traffic Analysis

    Digital Forensics through Computer Analysis Response Team (CART)

    Malware analysis through the Binary Analysis, Characterization, and Storage System (BACSS)

    Cyber Action Team (CAT) Deployment

    Legal Attaché Support

    Indict/Arrest Authority

    UNCLASSIFIED//FOUO

    Partnerships

    No one country, company, or agency can stop cyber crime… We must start at the source; we must find those responsible. And the only way to do that is by standing together.

    Robert Mueller III, FBI Director

    UNCLASSIFIED

    NCIJTF Members

    UNCLASSIFIED//FOUO

    Cyber Task Forces (CTF)

    Each CTF synchronizes domestic cyber threat investigations in the local community through information sharing, incident response, and joint enforcement and intelligence actions.

    UNCLASSIFIED//FOUO

    Private Sector Partnerships

    InfraGard

    National Cyber-Forensics Training Alliance and Cyber Initiative and Resource Fusion Unit

    Information Sharing Analysis Centers

    Internet Crime Complaint Center

    UNCLASSIFIED//FOUO

    Conclusion

    UNCLASSIFIED//FOUO

    Questions?