1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2015 Infoblox Inc. All Rights Reserved.
Unlocking Cyber-Crime – The New Cold War
Jamison Utter | Principal Security Consultant
6/15/2016
Motive Matters
“No one can build his security upon the nobleness of another person.”
Willa Cather, Alexander's Bridge
Exponential ROI
[Chart: 1-year return by investment]
- CD = 1%
- Money Market = 0.5%
- Average Stock Market = 7%
- Cyber Crime = 1425%
Breaking it down
What’s the cost of entry?
Item Total Investment
Payload $3000
Infection Vector $500
Traffic Acquisition $1800
Daily Traffic $600
Total Expenses $5,900
The Payload
The Challenge:
- Avoid trivial signature detection
The Solution:
- A new hash of a crypto-variant that is identified with ‘good’ programs (by purchasing the source code with support)
The Cost:
- 10 Bitcoin (or about $3000 USD)
This does not include source code and support!
Commodity Programming
• Criminal elements are in constant reinvestment cycles, expanding both footprint and technical ability.
• Like real software, most malware is developed in teams by technical coders specialized in a particular function.
• Customer support, code support, and bug fixes are now table stakes in professional malware.
Economy of Scale
[Chart: Average Monthly Income (US Dollars), scale 0–1000, for Poland, Czech Republic, Slovak Republic, Russian Federation, Hungary, Romania, Bulgaria, Ukraine]
A semi-skilled Ukrainian hacker can make 5x – 25x their normal income by switching to a business model that is illegal (in the US).
The Infection Vector
Traffic Acquisition
Getting clicks!
- Often via Phishing (pretty easy)
- Sometimes scare-ware
- Sometimes Ad networks
- Also via Botnets (RATs)
Crime as a Service
Professional Crime Software
Technical Innovators
Reseller/Maintainers
Non-technical Opportunists / Crimeware-as-a-Service Users
Breaking it down
What’s the ROI?
Item Total Investment
Visitors 20,000
Infection Rate 10%
Payout rate 0.5% (Symantec = 3%)
Ransom Amount $300
ROI (Average 30 days) $3,000/day ($90,000/month)
What is the scale of this?
[Chart: The Black Market compared with the economies of Georgia, Iceland, Albania, Honduras, El Salvador]
The black market is a 17 billion dollar economy.
The Zero Sum Game
[Chart: stages Innovation, Development, Deployment, Capitalization; markers for "Current State" and "Where we need to be"]
Ceiling Cat FTW!
Change the Security Paradigm
“The long term goal of a security strategy cannot be to outsmart criminals, since that just breeds smarter criminals.”*
*Jaron Lanier – “Who Owns the Future”
Meeting the Challenge
Collaboration
Intelligence
Speed
Collaboration
[Cycle: Identify, Collect, Analyze, Distribute, Act]
Security is a system; it's as alive as an organization or organism. Without cooperation and data sharing between devices, you will never triangulate and locate threats already in your network.
Intelligence
“Securing cyberspace is a shared responsibility - collecting, analyzing & disseminating cyber threat intel” - FBI
What’s missing from your Threat Intel?
- Risks
- Targets and Assets
- Threats (or Threat Actors)
- Movement
- Observation and Restriction
What makes “actionable” intelligence?
• Timely: early discovery, appropriate TTLs, sensible refresh rate
• Relevant: applies to your problems, your use cases
• Accurate: reasonable precision, limited false positives
• Contextual: why a threat, what kind, and what else is it related to
• Easy-to-Use: pre-integrated, standard formats, REST APIs
• Reliable: consistent in quality and rate/volume
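The four criteria that can be checked mechanically on a feed record (timely, relevant, accurate, contextual) are easy to encode as a filter that a SOC runs before pushing indicators into a blocking control. The block below is an added example, not code from the original deck or from Infoblox; the feed schema (field names, TTL in hours, a 0–100 confidence score) and the sample records are constructed assumptions, and the indicator values are placeholders, not real IoCs.

```python
"""Filter a threat-intel feed down to actionable indicators.

Added example (not from the original slides). The record layout below is an
assumption for illustration; real feeds (STIX/TAXII, vendor REST APIs) differ,
but the same four checks apply after normalisation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Indicator:
    value: str                   # the observable (domain, IP, file hash, ...)
    kind: str                    # "domain", "ip", "hash", ...
    last_seen: datetime          # when the source last confirmed it active
    ttl_hours: int               # validity window assigned by the source
    confidence: int              # 0-100 source confidence
    threat_type: str             # "ransomware", "phishing", ... ("" if unknown)
    related: Optional[str] = None  # campaign / malware family, if known


# Constructed sample feed; all values are placeholders, not real indicators.
NOW = datetime(2016, 6, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_FEED: List[Indicator] = [
    Indicator("c2.example.test", "domain", NOW - timedelta(hours=2), 72, 90, "ransomware", "family-placeholder"),
    Indicator("198.51.100.7", "ip", NOW - timedelta(days=30), 24, 95, "phishing"),        # TTL long expired
    Indicator("203.0.113.5", "ip", NOW - timedelta(hours=1), 48, 20, "scanner"),         # low confidence
    Indicator("nocontext.example.test", "domain", NOW - timedelta(hours=5), 72, 80, ""),  # no threat context
    Indicator("placeholder-hash-0000", "hash", NOW - timedelta(hours=3), 72, 90, "ransomware"),  # not usable in DNS
]


def is_timely(ind: Indicator, now: datetime) -> bool:
    """Timely: still inside the TTL the source assigned, measured from last_seen."""
    return now <= ind.last_seen + timedelta(hours=ind.ttl_hours)


def is_relevant(ind: Indicator, usable_kinds: Set[str]) -> bool:
    """Relevant: a kind our enforcement point can act on (e.g. DNS can block domains, not hashes)."""
    return ind.kind in usable_kinds


def is_accurate(ind: Indicator, min_confidence: int) -> bool:
    """Accurate: drop low-confidence entries to keep false positives down."""
    return ind.confidence >= min_confidence


def is_contextual(ind: Indicator) -> bool:
    """Contextual: we at least know what kind of threat it is."""
    return bool(ind.threat_type)


def actionable(feed: List[Indicator], now: datetime,
               usable_kinds: Set[str] = frozenset({"domain", "ip"}),
               min_confidence: int = 70) -> List[Indicator]:
    """Indicators passing all four checks, in feed order."""
    return [i for i in feed
            if is_timely(i, now) and is_relevant(i, usable_kinds)
            and is_accurate(i, min_confidence) and is_contextual(i)]


def rejection_reasons(feed: List[Indicator], now: datetime,
                      usable_kinds: Set[str] = frozenset({"domain", "ip"}),
                      min_confidence: int = 70) -> Dict[str, List[str]]:
    """Map each rejected indicator to the criteria it failed; useful for judging feed quality."""
    reasons: Dict[str, List[str]] = {}
    for i in feed:
        failed = []
        if not is_timely(i, now):
            failed.append("timely")
        if not is_relevant(i, usable_kinds):
            failed.append("relevant")
        if not is_accurate(i, min_confidence):
            failed.append("accurate")
        if not is_contextual(i):
            failed.append("contextual")
        if failed:
            reasons[i.value] = failed
    return reasons


if __name__ == "__main__":
    for ind in actionable(SAMPLE_FEED, NOW):
        print("block:", ind.kind, ind.value, ind.threat_type, ind.related)
    for value, why in rejection_reasons(SAMPLE_FEED, NOW).items():
        print("skip: ", value, "failed", ", ".join(why))
```

Of the five constructed records only the first survives; the rejection map shows why each of the others was dropped, which is the feedback a team needs when deciding whether a feed is worth paying for. Tighten `min_confidence` or the set of `usable_kinds` to match the control the indicators are fed into.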
Speed
We must shorten the Kill Chain, or we will always be behind the ball.
Changing Security Culture
“Wisdom consists in being able to distinguish among dangers and make a choice of the least harmful.”
— Niccolo Machiavelli, The Prince
Security is a Culture
Application Development
Network Design
End-user Training
Business Workflow
Insecure Code Characteristics
I – Injectable Code
N – Non-Repudiation Mechanisms not Present
S – Spoofable
E – Exceptions and Errors not Properly Handled
C – Cryptographically Weak
U – Unsafe/Unused Functions and Routines in Code
R – Reversible Code
E – Elevated Privileges to Run
(ISC)2 InSecure Code practices
Secure Network Design
- Know, don’t guess
- Avoid dangling networks
- Route where needed, not where possible
- See all, manage all
- Know when to standardize
- Power is important
- Embrace documentation
Jennifer Jabbusch, CISO, Carolina Advanced Digital
Secure Environment
[Cycle: Educate, Evaluate, Adjust, Cultivate, Test]
Business Workflow
Leadership
Performance
Culture