1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2015 Infoblox Inc. All Rights Reserved.

Unlocking Cyber-Crime – The New Cold War
Jamison Utter | Principal Security Consultant
6/15/2016


Motive Matters

"No one can build his security upon the nobleness of another person."
Willa Cather, Alexander's Bridge


Exponential ROI

One-year return:

- CD = 1%
- Money Market = 0.5%
- Average Stock Market = 7%
- Cyber Crime = 1425%


Breaking it down

What’s the cost of entry?

Item                | Total Investment
Payload             | $3000
Infection Vector    | $500
Traffic Acquisition | $1800
Daily Traffic       | $600
Total Expenses      | $5,900


The Payload

The Challenge:

- Avoid trivial signature detection

The Solution:

- A new hash of a crypto-variant that is identified with ‘good’ programs (by purchasing the source code with support)

The Cost:

- 10 Bitcoin (or about $3000 USD)

This does not include source code and support!


Commodity Programming

• Criminal elements are in constant reinvestment cycles, expanding both footprint and technical ability.

• Like real software, most malware is developed in teams by technical coders specialized in a particular function.

• Customer support, code support, and bug fixes are now table stakes in professional malware.


Economy of Scale

[Chart: Average Monthly Income (US Dollars), scale 0–1000, for Poland, Czech Republic, Slovak Republic, Russian Federation, Hungary, Romania, Bulgaria and Ukraine]

A semi-skilled Ukrainian hacker can make 5x – 25x their normal income by switching to a business model that is illegal (in the US).


The Infection Vector


Traffic Acquisition

Getting clicks!

- Often via Phishing (pretty easy)

- Sometimes scare-ware

- Sometimes Ad networks

- Also via Botnets (RATs)


Crime as a Service

- Professional Crime Software
- Technical Innovators
- Reseller/Maintainers
- Non-technical Opportunists / Crimeware-as-a-Service Users


Breaking it down

What’s the ROI?

Item                  | Value
Visitors              | 20,000
Infection Rate        | 10%
Payout rate           | 0.5% (Symantec = 3%)
Ransom Amount         | $300
ROI (Average 30 days) | $3,000/day ($90,000/month)


What is the scale of this?

[Chart: The Black Market compared with Georgia, Iceland, Albania, Honduras and El Salvador]

The Black Market is a 17 billion dollar economy.


The Zero Sum Game

[Diagram: Innovation, Development, Deployment, Capitalization; "Current State" versus "Where we need to be"]

Ceiling Cat FTW!


Change the Security Paradigm

“The long term goal of a security strategy cannot be to outsmart criminals, since that just breeds smarter criminals.”*

*Jaron Lanier – “Who Owns the Future?”


Meeting the Challenge

- Collaboration
- Intelligence
- Speed


Collaboration

[Cycle: Identify, Collect, Analyze, Distribute, Act]

Security is a system; it’s as alive as an organization or organism. Without cooperation and data sharing between devices, you will never triangulate and locate threats already in your network.


Intelligence

“Securing cyberspace is a shared responsibility - collecting, analyzing & disseminating cyber threat intel” - FBI


What’s missing from your Threat Intel?

- Risks
- Targets and Assets
- Threats (or Threat Actors)
- Movement
- Observation and Restriction


What makes “actionable” intelligence?

• Timely: early discovery, appropriate TTLs, sensible refresh rate

• Relevant: applies to your problems, your use cases

• Accurate: reasonable precision, limited false positives

• Contextual: why a threat, what kind, and what else is it related to

• Easy-to-Use: pre-integrated, standard formats, REST APIs

• Reliable: consistent in quality and rate/volume
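As an added example (not from the deck), the following Python turns the per-indicator criteria above into checks a consumer can run on a feed before pushing indicators to its controls: timely (still inside its TTL), relevant (a deployed control can act on it), accurate (confidence above a threshold) and contextual (threat type and related indicators present). Easy-to-Use and Reliable describe the feed as a whole rather than one indicator, so they are not scored here. The record layout, field names, thresholds and the sample feed are all constructed for the illustration.

```python
"""Score threat-intel indicators against the "actionable" criteria.

Added example, not from the original deck. The record fields (value, type,
first_seen, ttl_hours, confidence, threat_type, related, applies_to), the
confidence threshold and the sample feed are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example runs the same way every time.
NOW = datetime(2016, 6, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample feed: fresh, stale and under-documented indicators.
SAMPLE_FEED = [
    {"value": "malicious.example", "type": "domain",
     "first_seen": NOW - timedelta(hours=2), "ttl_hours": 72, "confidence": 90,
     "threat_type": "ransomware-c2", "related": ["198.51.100.7"],
     "applies_to": ["dns", "web-proxy"]},
    {"value": "203.0.113.9", "type": "ipv4",
     "first_seen": NOW - timedelta(days=30), "ttl_hours": 24, "confidence": 95,
     "threat_type": "phishing", "related": [],          # weeks past its TTL
     "applies_to": ["firewall"]},
    {"value": "0123456789abcdef0123456789abcdef", "type": "md5",
     "first_seen": NOW - timedelta(hours=1), "ttl_hours": 720, "confidence": 40,
     "threat_type": "", "related": [],                  # low confidence, no context
     "applies_to": ["endpoint"]},
    {"value": "bad-ads.example", "type": "domain",
     "first_seen": NOW - timedelta(hours=5), "ttl_hours": 48, "confidence": 85,
     "threat_type": "malvertising", "related": ["bad-cdn.example"],
     "applies_to": ["dns"]},
]

MIN_CONFIDENCE = 70  # "accurate": below this the indicator mostly makes false positives


def evaluate(indicator, now, deployed_controls, min_confidence=MIN_CONFIDENCE):
    """Return (accepted, failed_criteria) for one indicator."""
    failed = []
    # Timely: still within its TTL, not a leftover from an old campaign.
    expires = indicator["first_seen"] + timedelta(hours=indicator["ttl_hours"])
    if now >= expires:
        failed.append("timely")
    # Relevant: at least one control we actually run can consume it.
    if not set(indicator["applies_to"]) & set(deployed_controls):
        failed.append("relevant")
    # Accurate: the source's confidence clears our false-positive budget.
    if indicator["confidence"] < min_confidence:
        failed.append("accurate")
    # Contextual: we know what kind of threat it is and what it is linked to.
    if not indicator["threat_type"] or not indicator["related"]:
        failed.append("contextual")
    return (not failed, failed)


def actionable(feed, now=NOW, deployed_controls=("dns", "firewall", "endpoint")):
    """Split a feed into indicators to push to controls and rejects with reasons."""
    accepted, rejected = [], {}
    for ind in feed:
        ok, reasons = evaluate(ind, now, deployed_controls)
        if ok:
            accepted.append(ind["value"])
        else:
            rejected[ind["value"]] = reasons
    return accepted, rejected


if __name__ == "__main__":
    good, bad = actionable(SAMPLE_FEED)
    print("push to controls:", good)
    for value, reasons in bad.items():
        print(f"reject {value}: fails {', '.join(reasons)}")
```

The rejects carry the list of criteria they failed, which is what a feed consumer needs to go back to the provider with: an indicator that is stale and lacks related context is a different conversation from one that is merely low-confidence.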


Speed

We must shorten the Kill Chain, or we will always be behind the ball.


Changing Security Culture

“Wisdom consists in being able to distinguish among dangers and make a choice of the least harmful.”

— Niccolo Machiavelli, The Prince


Security is a Culture

- Application Development
- Network Design
- End-user Training
- Business Workflow


(ISC)2 InSecure Code practices

Letter | Insecure Code Characteristic
I      | Injectable Code
N      | Non-Repudiation Mechanisms not Present
S      | Spoofable
E      | Exceptions and Errors not Properly Handled
C      | Cryptographically Weak
U      | Unsafe/Unused Functions and Routines in Code
R      | Reversible Code
E      | Elevated Privileges to Run
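As an added example (not from the deck or from (ISC)2), the Python below shows two of the characteristics side by side with their fixes: "Injectable Code" as a lookup that pastes caller input into SQL text next to the parameterized form, and "Exceptions and Errors not Properly Handled" as a wrapper that catches database errors and returns a generic failure instead of leaking a raw traceback. The users table, its rows, the probe string and the `log_internal` stand-in are constructed for the illustration.

```python
"""Injectable vs. parameterized lookup, plus explicit error handling.

Added example, not from the deck or from (ISC)2. The users table, its rows
and the log_internal() stand-in are constructed for the demo.
"""
import sqlite3


def make_db():
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_injectable(conn, name):
    """Insecure ('I'): caller input becomes part of the SQL text, so it can rewrite the query."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Secure: the value travels as a bound parameter and is never parsed as SQL."""
    rows = conn.execute("SELECT name, role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def log_internal(message):
    """Stand-in for the application's server-side logger (hypothetical)."""
    pass


def lookup_handled(conn, name):
    """Parameterized query with the 'E' characteristic addressed: a database
    failure is logged internally and reported as a generic result, so the
    caller never sees schema names, SQL text or a stack trace."""
    try:
        return {"ok": True, "names": lookup_parameterized(conn, name)}
    except sqlite3.Error as exc:
        log_internal(f"user lookup failed: {exc!r}")
        return {"ok": False, "names": []}


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # constructed input: closes the literal and appends a clause
    print("injectable   :", lookup_injectable(db, probe))     # every row comes back
    print("parameterized:", lookup_parameterized(db, probe))  # no such user: []
    print("handled      :", lookup_handled(db, "bob"))
    db.close()
    print("handled/error:", lookup_handled(db, "bob"))        # generic failure, no traceback
```

The same probe string shows both outcomes: against the injectable query it returns every user because the quote ends the string literal and the rest is parsed as SQL; against the parameterized query it is just a name that matches nobody. Closing the connection before the last call exercises the error path, where `sqlite3.Error` (the base of the module's exception classes) is caught and converted to a generic response.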


Secure Network Design

- Know, don’t guess
- Avoid dangling networks
- Route where needed, not where possible
- See all, manage all
- Know when to standardize
- Power is important
- Embrace documentation

Jennifer Jabbusch, CISO, Carolina Advanced Digital


Secure Environment

[Cycle: Educate, Evaluate, Adjust, Cultivate, Test]


Business Workflow

- Leadership
- Performance
- Culture


THANK YOU

@jamison_utter

Jamison Utter