The Future of Hacking: A Review of the Economics, Motivations, Tools, and Techniques of Cyber Adversaries

Richard S. Smith, 5/7/2016


Agenda

• Battlefield Assessment

• Hacking Economics

• Components of a Hack

• Hacker Traits

• Social Motivators

• Delivery and Transport

• Likely Targets

• Attack Tools

• Hacking R&D


Battlefield Assessment

• Statista reports over 781 breaches occurred in 2015 and 169 million sensitive records were exposed; a 97% increase from last year

• According to Ponemon’s 2015 Cost of Data Breach Report, data breaches cost Financial companies $259 per user; second highest average cost per breach by industry

• PwC’s Global State of Information Security Survey 2015 reports that the cost of global information security budgets decreased four percent when compared with 2013; security spending has stalled at four percent or less for the past five years


Hacking Economics

Corporate costs of prevention are increasing while hacker costs are decreasing.

• Total cost to hackers for a successful attack decreased due to:

o Less time to execute successful attacks

o Improvement in hacker tools ($1,300 for sophisticated tools)

o Decrease in the cost of computing power

• Conversely, the annualized cost of breaches last year was $7.7M, with a broad range of $.3M to $65M

• Financial Services and Energy breach costs are 67% greater (on average) than other industries


Components of a Hack

• People

• Motivators

• Transport

• Targets

• Tools or Methods

= PMT3

Hacker Traits

• Technical

• Creative

• Curious

• Resourceful

• Industrious

• Impatient

• Obsessive

• Self-absorbed

• Intellectual arrogance


Social Motivators

[Figure: social motivators chart with an axis labeled "Destructiveness". Labels: Casual Hacking; Fun and Thrill; Curiosity and Anonymity; Notoriety; Hacktivism or Moral Compass; Sabotage or Retaliatory; Property Destruction; Cyber Terrorism; Financial Gain; Ransom; Corporate Espionage; Intelligence Gathering. Values shown: 51%, 29%, 19%, 1%.]

Delivery and Transport

Delivery Vehicle

• Spear-phishing email

• Phone call (social engineering and voicemail hacks)

• Reconnaissance or Scanning for unpatched devices in target network

Transport Method

• Cell phone

• Internet Cafes

• Home Network (utilize multiple hops for anonymity)


Likely Individual Targets

• IT Administrator: 30%

• Contractor: 40%

• Executive Assistant: 8%

• Executive: 6%

• Non-executive Employee: 16%

Attack Tools (Methods)

Attack Methods | Probability | Severity | Expected Loss
Malicious Code | Moderate | High | High
Denial of Service | Moderate | Moderate | Moderate
Phishing and Social Engineering | Moderate | Moderate | Moderate
Web-based attacks | Moderate | Moderate | Moderate
Malware | High | Low | Low
Virus, worms, trojans | High | Low | Low
Stolen devices | Moderate | Low | Low
Botnets | Moderate | Low | Low
Malicious insiders | Low | Low | Low

Hacking R&D

1. Bitcoin: Criminals will exponentially increase the use of Bitcoin to collect funds from criminal actions or as payment for new hacker tools

2. Social Media and Cloud Services: New attack vectors and platforms will emerge

3. Multi-vector DDoS Attacks: Use of Stressers/Booters will surpass traditional botnet attacks

4. Internet of Things: Increasing attacks on IoT devices (ATMs, planes, cars, smart home devices) will consume the news

5. Mobile attacks: Hackers will increasingly focus on malware affecting mobile devices and payment methods

6. Ransomware: Encryption will increasingly be used as a weapon against its victims


Malicious Code

• Sophisticated malware born from legacy malware, specifically aimed at stealing banking credentials

• Ransomware encrypts victim’s files and demands payment for decryption keys—all while using Bitcoin to transact payment

• ATM-focused cyber attacks that do not require skimmers, but utilize malicious code that can be loaded directly to the terminal


Distributed Denial of Service

• Stresser/booter-based botnets are the source of a vast majority of DDoS attacks

• DDoS tools rely heavily upon reflection techniques to generate massive amounts of traffic

• 56% of all DDoS attacks repeat targets

• China is the top country sourcing DDoS attacks and the gamer industry is the most frequent target


Phishing and Social Engineering


• In 2015, 90% of all phishing attacks were targeted at Financial Services

• Spear-phishing remains the attack method of choice for APT actors

• Gmail is used heavily as a drop point once usernames and passwords are stolen from a target

• Social media is used to market and distribute phishing kits and related goods and services


Web-based Attacks

• Tor, Darknet, and Bitcoin are used in concert to market and distribute exploits, like zero-days

• Increase in zero-day web-based tools available on the Darknet black market

• Hacker Toolkits provide configuration options to use different exploits

• Ransomware campaigns use zero-day attacks for high-probability attacks that hit a large number of users simultaneously


Tech for Slowing Down Advanced Attackers

• Security intelligence or SIEM systems provide a significant ROI

• Deploying encryption technologies (storage, middle-tier, and database)

• Advanced perimeter controls such as UTM, NGFW, IPS with reputation feeds

• Hiring expert security staff, including a CISO

• Training your workforce to recognize attacks, especially spear-phishing

• Apply controls to systems based on the risk and sensitivity of the data


Questions?

“I'm a really good hacker, but I'm not a sensible person.” –Richard D. James (Aphex Twin), British electronic musician and composer

