DOCSLIB.ORG

MODELING FANCY BEAR CYBER ATTACKS Designing a Unified Kill Chain for Analyzing, Comparing and Defending Against Cyber Attacks

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
MODELING FANCY BEAR CYBER ATTACKS Designing a Unified Kill Chain for Analyzing, Comparing and Defending Against Cyber Attacks MODELING FANCY BEAR CYBER ATTACKS Designing a Unified Kill Chain for analyzing, comparing and defending against cyber attacks Author: Mr. drs. Paul Pols Student ID: S1806084 Date: December 7, 2017 Supervisor: Dr. ir. Pieter Burghouwt Second Reader: Prof. dr. ir. Jan van den Berg Institution: Cyber Security Academy (CSA) [1] PAUL POLS – MODELING FANCY BEAR CYBER ATTACKS . Abstract Organizations increasingly rely on Information and Communication Technology (ICT), exposing them to increasing risks from cyber attacks from a range of threat actors. The term Advanced Persistent Threats (APTs) is used to refer to particularly capable threat actors, that are typically backed by nation-states. To raise their resilience, organizations can model APT cyber attacks using Lockheed Martin’s Cyber Kill Chain® (CKC) or ethical hacking assessments by Red Teams. The modus operandi (MO) of APTs does not necessarily coincide with these models, which can limit their predictive value and lead to misaligned defensive capabilities and investments. In this thesis, a Unified Kill Chain (UKC) model is developed that focuses on the tactics that form the consecutive phases of cyber attacks (Table 1). A hybrid research approach is used to develop the UKC, combining design science with qualitative research methods. The UKC is first developed through literature study, extending the CKC by uniting improvements that were previously proposed by other authors with the tactics of MITRE’s ATT&CK™ model. The UKC is subsequently iteratively evaluated and improved through case studies of attacks by Fox-IT’s Red Team and APT28 (alias Fancy Bear). The resulting UKC is a meta model that supports the development of end-to-end attack specific kill chains and actor specific kill chains, that can subsequently be analyzed, compared and defended against. Table 1 - Overview of the development of the Unified Kill Chain (UKC) literature study literature Bryant Malone Laliberte Nachreiner MITRE ATT&CK™ MITRE Cyber Kill Chain® (CKC) Chain® Kill Cyber UKC after Red Team C1 Team Red UKC after C2 Team Red UKC after C3 Team Red UKC after UKC after Red Team KC Team Red UKC after UKC after APT28 C4 & C4KC APT28 UKC after # Unified Kill Chain UKC after 1 Reconnaissance 1 1 1 1 1 1 1 1 1 1 1 2 Weaponization 2 3 3 3 2 2 2 2 2 2 2 3 Delivery 3 5 5 6 3 7 7 3 3 3 3 4 Social Engineering 5 6 6 11 5 3 3 4 4 4 4 5 Exploitation 6 8 8 14 6 5 4 5 5 5 5 6 Persistence 8 14 9 18 8 6 6 5 6 6 6 6 7 Defense Evasion 18 18 14 16 10 11 8 6 7 7 7 7 8 Command & Control 18 5 7 9 8 8 8 8 8 9 Pivoting 11 13 11 9 9 9 9 9 10 Discovery 14 10 10 11 11 11 10 10 11 Privilege Escalation 17 14 14 10 10 10 11 11 12 Execution 18 12 12 14 14 14 12 12 13 Credential Access 15 13 12 12 12 13 13 14 Lateral Movement 16 17 13 13 13 14 14 15 Collection 8 15 17 17 17 17 15 16 Exfiltration 16 15 15 15 15 16 17 Target Manipulation 16 16 16 16 17 18 Objectives 18 p a g e 2 | 104 PAUL POLS – MODELING FANCY BEAR CYBER ATTACKS . The literature and case studies show that the traditional CKC is perimeter- and malware-focused and as such fails to cover other attack vectors and internal attacks paths. The case studies falsify a crucial assumption underlying the CKC model, namely that attackers must progress successfully through each phase of the deterministic sequence of the CKC. The observation that attack phases can be bypassed affects defensive strategies fundamentally, as an attacker may also bypass the security controls that apply to that phase in doing so. Instead of focusing on thwarting attacks at the earliest point in time, layered defense strategies that focus on phases that are vital for the attack path or that occur with a higher frequency are thus expected to be more successful. The UKC provides insights into the ordered arrangement of phases in end-to-end cyber attacks and covers diverse attack vectors, by uniting and extending existing models. The UKC offers a significant improvement over the scope limitations of the CKC and the time-agnostic nature of the ATT&CK™ model. Other improvements over the existing CKC and ATT&CK™ models include: explicating the role of users by modeling social engineering, recognizing the crucial role of choke points in attacks by modeling pivoting, covering the compromise of integrity and availability in addition to confidentiality and elucidating the socio-technical objectives of threat actors. These insights support the development (or realignment) of layered defense strategies that adopt the assume breach and defense in depth principles. Initial Foothold: Pivoting Network Propagation: Pivoting Network Propagation: Access Action on Objectives: Compromised System Office Environment Critical Infrastructure Critical Asset Access • Reconnaissance • Discovery • Discovery • Collection • Weaponization • Privilege • Privilege • Exfiltration • Delivery Escalation Escalation • Target • Social Engineering • Execution • Execution Manipulation • Exploitation • Credential Access • Credential Access • Objectives • Persistence • Lateral Movement • Lateral Movement • Defense Evasion • Command & Control Figure 1 – A further attack path abstraction supported by the Unified Kill Chain The UKC is utilized to analyze and compare attacks by Fox-IT’s Red Team and APT28 to improve threat emulation and to raise organizational resilience against APT28 attacks. The comparison shows that the tactical MO of these actors converge in their attack paths within internal networks of targeted organizations. Red Team assessments are thus thought to be particularly well suited to test the resilience of organizations against this part of APT28’s potential attack path. Notable divergences were also identified, which signify the potential to improve the predictive value of Red Team assessments, for example by performing action on objectives (Figure 1). As the reliance of organizations on ICT continues to grow, and APT cyber attacks continue to rise in number and in force, the risks for organizations and societies as a whole increase at an accelerating pace. The UKC attack model can be used by Red Teams to improve their threat emulations and by defenders to develop and realign their defense strategies in their attempts to decelerate this dangerous trend. Keywords — Attack Modeling, Attack Simulation, Threat Emulation, Cyber Kill Chain®, MITRE ATT&CK™, CORAS, APT28, Fancy Bear, Pawn Storm, Sednit, Sofacy, Strontium, Red Team, Tactics, Techniques, Procedures, Design Science, Assume Breach, Defense in Depth, Unified Kill Chain. p a g e 3 | 104 PAUL POLS – MODELING FANCY BEAR CYBER ATTACKS . Table of Contents 1 Introduction ..................................................................................................................................... 7 1.1 Conceptualization and Contextualization ............................................................................... 7 1.1.1 Societal Dependence on Cyberspace .............................................................................. 7 1.1.2 Constructs of Technical and Cyber Risk ........................................................................... 8 1.1.3 Mitigation of Technical and Cyber Risk ........................................................................... 8 1.1.4 Advanced Persistent Threats (APTs) ................................................................................ 8 1.1.5 APT Threat Modeling ....................................................................................................... 9 1.1.6 Ethical Hacking and Red Teams ....................................................................................... 9 1.2 Problem Description ................................................................................................................ 9 1.2.1 High Profile and Impactful APT Attacks ........................................................................... 9 1.2.2 Attribution and Relevance ............................................................................................. 10 1.2.3 Red Team Threat Emulation and Attack Simulation ..................................................... 10 1.2.4 Limitations of APT Threat Modeling .............................................................................. 10 1.3 Research Question(s)............................................................................................................. 11 1.3.1 Research Goal ................................................................................................................ 11 1.3.2 Levels of Abstraction ..................................................................................................... 11 1.3.3 Primary and Sub Questions ........................................................................................... 12 1.4 Research Methodology ......................................................................................................... 12 1.4.1 Availability of Research Data ......................................................................................... 12 1.4.2 Research Design and Approach ..................................................................................... 13 1.4.3 Incorporating the Guidelines for Design Science .......................................................... 15 1.5 Thesis Structure ..................................................................................................................... 16 2 Modeling Framework .................................................................................................................... 17 2.1 The Cyber
Load more

Recommended publications
  • Ransom Where?
    Ransom where? Holding data hostage with ransomware May 2019 Author With the evolution of digitization and increased interconnectivity, the cyberthreat landscape has transformed from merely a security and privacy concern to a danger much more insidious by nature — ransomware. Ransomware is a type of malware that is designed to encrypt, Imani Barnes Analyst 646.572.3930 destroy or shut down networks in exchange [email protected] for a paid ransom. Through the deployment of ransomware, cybercriminals are no longer just seeking to steal credit card information and other sensitive personally identifiable information (PII). Instead, they have upped their games to manipulate organizations into paying large sums of money in exchange for the safe release of their data and control of their systems. While there are some business sectors in which the presence of this cyberexposure is overt, cybercriminals are broadening their scopes of potential victims to include targets of opportunity1 across a multitude of industries. This paper will provide insight into how ransomware evolved as a cyberextortion instrument, identify notorious strains and explain how companies can protect themselves. 1 WIRED. “Meet LockerGoga, the Ransomware Crippling Industrial Firms” March 25, 2019; https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/. 2 Ransom where? | May 2019 A brief history of ransomware The first signs of ransomware appeared in 1989 in the healthcare industry. An attacker used infected floppy disks to encrypt computer files, claiming that the user was in “breach of a licensing agreement,”2 and demanded $189 for a decryption key. While the attempt to extort was unsuccessful, this attack became commonly known as PC Cyborg and set the archetype in motion for future attacks.
    [Show full text]
  • Minimizing the Risk of Ransomware
    Minimizing the Impact of Ransomware Authors: Tushar Nandwana, OneBeacon Technology Risk Control and Joe Budzyn – OneBeacon Insurance Group Published: July 2018 1 Ransomware has featured prominently in the news over the last few years. Ransomware – Hospitals, municipalities, businesses, law enforcement agencies, individuals and A Growing Threat even entire regions of the world have been affected by it. Some have paid the ransom and recovered their computer data; others have lost their data forever. In March 2018, the city of Atlanta, Georgia was hit by SamSam ransomware which prevented city residents from paying their bills and accessing court information online. The demand was for $51,000 but it ultimately cost the city several million dollars from other costs to rectify. SamSam also infected the Colorado Department of Transportation twice in February 2018. Numerous other U.S. municipalities and healthcare organizations have been hit by this ransomware2. WannaCry wreaked havoc on the world in May 2017. With its worm‐like, self‐ propagating behaviour, it spread to thousands of systems within hours using the Eternal Blue exploit to target Windows machines. WannaCry resulted in an estimated $4B in economic losses to the affected businesses and infected 30,000 machines worldwide3. In June 2017 we also saw Petya and NotPetya which used the same exploit as WannaCry, but were more intent on destruction rather than ransom. NotPetya targeted systems specifically in the Ukraine4. FedEx ended up reporting a $300M loss, not from the ransom payout but due to the downtime and economic loss sustained by its Ukrainian subsidiary, TNT Express5. Petya caused Danish shipping giant AP Moller $300M in lost revenue6.
    [Show full text]
  • Hacking Healthcare Petya
    Hacking Healthcare Welcome to the first edition of Hacking Healthcare, NH-ISAC’s new weekly newsletter designed to guide you through the week in healthcare cybersecurity and policy. Every Wednesday, Hacking Healthcare, will bring you analysis on the latest news stories, policy developments, reports, and public remarks that impact the cybersecurity practitioner across all the different healthcare industries. We have our views on what matters, but we also want to reflect your interests – so get in touch and let the Hacking Healthcare team know what you want to see. Here we go… This is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of the NH-ISAC. Petya (aka GoldenEye, NotPetya) For the second time in as many months, a ransomware attack is snaking its way around the globe. It appears that the attack started in Ukraine and has much of its impact in Europe. But there are reports that U.S. entities have also been infected, including at least 1 U.S. hospital. Some researchers have reported that the malware resembles Petya or GoldenEye, or maybe an off-spring of one of these variants. We’ll call it Petya for now since that is the standard that NH-ISAC has adopted. Regardless of its lineage, the malware used in the current attack does seem to be relying on the ETERNALBLUE exploit to gain initial network access. Installing all of the latest Microsoft updates for the related vulnerabilitiesseems like a good first step in response. The NH-ISAC is working hard to gather and share further information on this attack and will keep its members informed through their incident- specific blog and AMBER list-serve.
    [Show full text]
  • View Final Report (PDF)
    TABLE OF CONTENTS TABLE OF CONTENTS I EXECUTIVE SUMMARY III INTRODUCTION 1 GENESIS OF THE PROJECT 1 RESEARCH QUESTIONS 1 INDUSTRY SITUATION 2 METHODOLOGY 3 GENERAL COMMENTS ON INTERVIEWS 5 APT1 (CHINA) 6 SUMMARY 7 THE GROUP 7 TIMELINE 7 TYPOLOGY OF ATTACKS 9 DISCLOSURE EVENTS 9 APT10 (CHINA) 13 INTRODUCTION 14 THE GROUP 14 TIMELINE 15 TYPOLOGY OF ATTACKS 16 DISCLOSURE EVENTS 18 COBALT (CRIMINAL GROUP) 22 INTRODUCTION 23 THE GROUP 23 TIMELINE 25 TYPOLOGY OF ATTACKS 27 DISCLOSURE EVENTS 30 APT33 (IRAN) 33 INTRODUCTION 34 THE GROUP 34 TIMELINE 35 TYPOLOGY OF ATTACKS 37 DISCLOSURE EVENTS 38 APT34 (IRAN) 41 INTRODUCTION 42 THE GROUP 42 SIPA Capstone 2020 i The Impact of Information Disclosures on APT Operations TIMELINE 43 TYPOLOGY OF ATTACKS 44 DISCLOSURE EVENTS 48 APT38 (NORTH KOREA) 52 INTRODUCTION 53 THE GROUP 53 TIMELINE 55 TYPOLOGY OF ATTACKS 59 DISCLOSURE EVENTS 61 APT28 (RUSSIA) 65 INTRODUCTION 66 THE GROUP 66 TIMELINE 66 TYPOLOGY OF ATTACKS 69 DISCLOSURE EVENTS 71 APT29 (RUSSIA) 74 INTRODUCTION 75 THE GROUP 75 TIMELINE 76 TYPOLOGY OF ATTACKS 79 DISCLOSURE EVENTS 81 COMPARISON AND ANALYSIS 84 DIFFERENCES BETWEEN ACTOR RESPONSE 84 CONTRIBUTING FACTORS TO SIMILARITIES AND DIFFERENCES 86 MEASURING THE SUCCESS OF DISCLOSURES 90 IMPLICATIONS OF OUR RESEARCH 92 FOR PERSISTENT ENGAGEMENT AND FORWARD DEFENSE 92 FOR PRIVATE CYBERSECURITY VENDORS 96 FOR THE FINANCIAL SECTOR 96 ROOM FOR FURTHER RESEARCH 97 ACKNOWLEDGEMENTS 98 ABOUT THE TEAM 99 SIPA Capstone 2020 ii The Impact of Information Disclosures on APT Operations EXECUTIVE SUMMARY This project was completed to fulfill the including the scope of the disclosure and capstone requirement for Columbia Uni- the disclosing actor.
    [Show full text]
  • Security – a Midlife Crisis 02/12/19 What Constitutes a Security Midlife Crisis? History of Technology and Threats
    Security – A midlife crisis 02/12/19 What constitutes a security midlife crisis? History of technology and threats 2005 – 2006 Identify theft (phishing) 2003 – 2004 Advanced worm/Trojan (“I love you”) 2007 – 2008 2000 1995 Organized crime Malicious (data theft) 1980s Breaking code Viruses websites (Melissa) 2009 – today Sophisticated targeted attacks Petya/ Non-Petya Meltdown/ Slammer Stuxnet Spectre Advanced For-profit Viruses and worms persistent Targeted attacks malware threats Mainframe Client / server Client / cloud You know the challenge – breaches are increasing World’s largest data breaches and hacks 2009 – 2014 2015 – 2019 2014 Latest 2019 2013 2018 2012 2017 2011 2016 2010 2015 2009 Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ Sept 26 – Food delivery service gets hacked • Affected users: 4.9 million • Industry or type: restaurant • Cause of breach: hack DoorDash learned in September that an unauthorized third party was able to access its user data on May 4, 2019. Many of the food delivery app’s users were affected, totaling almost 5 million. The hack affected only those people who joined before April 5, 2018. The hacker was able to access the following information: • Profile information • Names • Email addresses • Delivery addresses • Order history • Phone numbers • Passwords (hashed and salted) • Last four digits of payment cards (for consumers) • Last four digits of bank accounts (for Dashers and merchants) • Driver’s license numbers (for roughly 100,000 Dashers) July 30 – Largest banking data breach • Affected users: 100 million • Industry or type: banking and finance • Cause of breach: hack Capital One, the major US banking institution, suffered possibly the largest banking data breach in history.
    [Show full text]
  • A PRACTICAL METHOD of IDENTIFYING CYBERATTACKS February 2018 INDEX
    In Collaboration With A PRACTICAL METHOD OF IDENTIFYING CYBERATTACKS February 2018 INDEX TOPICS EXECUTIVE SUMMARY 4 OVERVIEW 5 THE RESPONSES TO A GROWING THREAT 7 DIFFERENT TYPES OF PERPETRATORS 10 THE SCOURGE OF CYBERCRIME 11 THE EVOLUTION OF CYBERWARFARE 12 CYBERACTIVISM: ACTIVE AS EVER 13 THE ATTRIBUTION PROBLEM 14 TRACKING THE ORIGINS OF CYBERATTACKS 17 CONCLUSION 20 APPENDIX: TIMELINE OF CYBERSECURITY 21 INCIDENTS 2 A Practical Method of Identifying Cyberattacks EXECUTIVE OVERVIEW SUMMARY The frequency and scope of cyberattacks Cyberattacks carried out by a range of entities are continue to grow, and yet despite the seriousness a growing threat to the security of governments of the problem, it remains extremely difficult to and their citizens. There are three main sources differentiate between the various sources of an of attacks; activists, criminals and governments, attack. This paper aims to shed light on the main and - based on the evidence - it is sometimes types of cyberattacks and provides examples hard to differentiate them. Indeed, they may of each. In particular, a high level framework sometimes work together when their interests for investigation is presented, aimed at helping are aligned. The increasing frequency and severity analysts in gaining a better understanding of the of the attacks makes it more important than ever origins of threats, the motive of the attacker, the to understand the source. Knowing who planned technical origin of the attack, the information an attack might make it easier to capture the contained in the coding of the malware and culprits or frame an appropriate response. the attacker’s modus operandi.
    [Show full text]
  • Digitaalisen Kybermaailman Ilmiöitä Ja Määrittelyjä
    DIGITAALISEN KYBERMAAILMAN ILMIÖITÄ JA MÄÄRITTELYJÄ PROF. MARTTI LEHTO V 15.0 6.4.2021 JYVÄSKYLÄN YLIOPISTO INFORMAATIOTEKNOLOGIAN TIEDEKUNTA 2021 ALKUSANAT Euroopan komissio analysoi pohdinta-asiakirjassaan kesällä 2017 tulevaisuuden uhka- maailmaa. Sen mukaan teknologian kehitys muuttaa merkittävästi niin turvallisuuden kuin puolustuksen luonnetta. Big data, pilviteknologia, miehittämättömät ajoneuvot ja tekoäly muokkaavat yhteiskunnan eri rakenteita aina turvallisuuteen ja puolustukseen saakka. Tämän verrattain helposti saatavilla olevan teknologian käyttö mahdollistaa epätavanomaisten, valtioiden rajat ylittävien ja epäsymmetristen uhkien nopean kas- vun. Näitä ovat muun muassa hybridi- ja kyberuhat, terrorismi sekä kemialliset, biologi- set ja radiologiset iskut. Internetin käyttäjien määrän nopean kasvun myötä kyberrikol- lisuus ja terroristien internetin käyttö ovat 2000-luvulla muokanneet merkittävästi digi- taalista toimintaympäristöä.1 Digitaaliteknologia muuttaa ihmisten elämää. EU:n digitaalistrategian tavoitteena on valjastaa digitalisaatio palvelemaan ihmisiä ja yrityksiä sekä tukemaan tavoitetta tehdä Euroopasta ilmastoneutraali vuoteen 2050 mennessä. Komissio on päättänyt tehdä ku- luvasta vuosikymmenestä Euroopan "digitaalisen vuosikymmenen". Euroopan on nyt lu- jitettava digitaalista suvereniteettiaan ja asetettava standardeja sen sijaan, että se kul- kisi muiden jäljissä. Painopisteinä ovat data, teknologia ja infrastruktuuri.2 Euroopan komissio ja unionin ulkoasioiden ja turvallisuuspolitiikan korkea edustaja esit-
    [Show full text]
  • Hacks, Leaks and Disruptions | Russian Cyber Strategies
    CHAILLOT PAPER Nº 148 — October 2018 Hacks, leaks and disruptions Russian cyber strategies EDITED BY Nicu Popescu and Stanislav Secrieru WITH CONTRIBUTIONS FROM Siim Alatalu, Irina Borogan, Elena Chernenko, Sven Herpig, Oscar Jonsson, Xymena Kurowska, Jarno Limnell, Patryk Pawlak, Piret Pernik, Thomas Reinhold, Anatoly Reshetnikov, Andrei Soldatov and Jean-Baptiste Jeangène Vilmer Chaillot Papers HACKS, LEAKS AND DISRUPTIONS RUSSIAN CYBER STRATEGIES Edited by Nicu Popescu and Stanislav Secrieru CHAILLOT PAPERS October 2018 148 Disclaimer The views expressed in this Chaillot Paper are solely those of the authors and do not necessarily reflect the views of the Institute or of the European Union. European Union Institute for Security Studies Paris Director: Gustav Lindstrom © EU Institute for Security Studies, 2018. Reproduction is authorised, provided prior permission is sought from the Institute and the source is acknowledged, save where otherwise stated. Contents Executive summary 5 Introduction: Russia’s cyber prowess – where, how and what for? 9 Nicu Popescu and Stanislav Secrieru Russia’s cyber posture Russia’s approach to cyber: the best defence is a good offence 15 1 Andrei Soldatov and Irina Borogan Russia’s trolling complex at home and abroad 25 2 Xymena Kurowska and Anatoly Reshetnikov Spotting the bear: credible attribution and Russian 3 operations in cyberspace 33 Sven Herpig and Thomas Reinhold Russia’s cyber diplomacy 43 4 Elena Chernenko Case studies of Russian cyberattacks The early days of cyberattacks: 5 the cases of Estonia,
    [Show full text]
  • Belling the BEAR
    2016/12/21 Russia Hacks Bellingcat MH17 Investigation | ThreatConnect SEPTEMBER 28, 2016 Belling the BEAR IN BLOG, FEATURED ARTICLE, RESEARCH BY THREATCONNECT RESEARCH TEAM ThreatConnect reviews activity targeting Bellingcat, a key contributor in the MH17 investigation. Read the full series of ThreatConnect posts following the DNC Breach: “Rebooting Watergate: Tapping into the Democratic National Committee [https://www.threatconnect.com/tapping-into-democratic-national-committee/] ”, “Shiny Object? Guccifer 2.0 and the DNC Breach [https://www.threatconnect.com/guccifer-2-0-dnc-breach/] “, “What’s in a Name Server? [https://www.threatconnect.com/whats-in-a-name-server/] “, “Guccifer 2.0: the Man, the Myth, the Legend? [https://www.threatconnect.com/reassesing-guccifer-2-0-recent-claims/] “, “Guccifer 2.0: All Roads Lead to Russia [https://www.threatconnect.com/guccifer-2-all-roads-lead-russia/] “, “FANCY BEAR Has an (IT) Itch that They Can’t Scratch [https://www.threatconnect.com/fancy-bear-it-itch-they-cant-scratch/] “, “Does a BEAR Leak in the Woods? [https://www.threatconnect.com/blog/does-a-bear-leak-in-the-woods/] “, and “Russian Cyber Operations on Steroids [https://www.threatconnect.com/blog/fancy-bear-anti-doping-agency-phishing/] “. [UPDATE] October 7th 2016 [/russia-hacks-bellingcat-mh17-investigation#update] Introduction Since posting about the DNC hack [https://threatconnect.com/blog/tapping-into-democratic-national-committee/] , each time we published a blog post on a BEAR-based topic we thought it was going to be our last. But like the Death Star’s gravitational pull, the story keeps drawing us back in as new information comes to light.
    [Show full text]
  • 4233 4233-601.Pdf
    WHAT’S OUR OBLIGATION? Instructor Course WHY SHOULD I…?? Legal Lives Depend Fiduciary on it! Privacy Ethical - Patriotic Instructor Course Instructor Course GLOBAL ATTACKS • Cyber crime will cost 6 trillion annually by 2021 • It will be more profitable than the global drug trade • Cyber defense spending will be 1 Trillion within the next 4 years • There will be 3.5 million UNFILLED Cyber Security Jobs by 2021 • Ransomware alone is estimated to cost 11.5 billion in 2019 https://www.csoonline.com/article/3153707/security/top-5-cybersecurity-facts-figures-and-statistics.html Instructor Course A MASSIVE PROBLEM http://allnewspipeline.com/images/cna1.jpg http://media4.s-nbcnews.com/j/newscms/2015_31/1148606/150730-nsa-cyber-map-jhc-1407_cde28ac585ec2df79ff3cb20f7bb4559.nbcnews-ux-2880-1000.jpg Instructor Course LOSS OF CRITICAL TECHNOLOGY? Chinese Hackers Steal Sensitive Data on U.S. Subs and Missiles from Military Contractor, Report Says • 614 gigabytes of submarine communications data and information about Sea Dragon “an underwater technology that the Defense Department has described as introducing a “disruptive offensive capability”” • It is believed that China’s Ministry of State Security, or MSS is responsible • It was reported that the data was on an unclassified network as officials say the data “could be considered classified and was highly sensitive” • “Former Navy officer and NSA analyst John Schindler, writing for the Observer, highlights the loss of cryptographic information used in submarine communications.” He likens the theft
    [Show full text]
  • Information Provided by DHS Regarding Russian Scanning Was Incorrect Date: Wednesday, September 27, 2017 12:49:59 PM
    From: (b) (6) To: (b) (6) Subject: FW: Information Provided by DHS Regarding Russian Scanning was Incorrect Date: Wednesday, September 27, 2017 12:49:59 PM From: Secretary of State, Press Sent: Wednesday, September 27, 2017 2:58:05 PM To: Secretary of State, Press Subject: Information Provided by DHS Regarding Russian Scanning was Incorrect AP17:073 FOR IMMEDIATE RELEASE September 27, 2017 CONTACT: Jesse Melgar or Sam Mahood (916) 653-6575 Information Provided by DHS Regarding Russian Scanning was Incorrect SACRAMENTO – California Secretary of State Alex Padilla issued the following statement. “Last Friday, my office was notified by the U.S. Department of Homeland Security (DHS) that Russian cyber actors 'scanned' California’s Internet-facing systems in 2016, including Secretary of State websites. Following our request for further information, it became clear that DHS’ conclusions were wrong.” “DHS confirmed that Russian scanning activity had actually occurred on the California Department of Technology statewide network, not any Secretary of State website. Based on this additional information, California voters can further rest assured that the California Secretary of State elections infrastructure and websites were not hacked or breached by Russian cyber actors.” “Our notification from DHS last Friday was not only a year late, it also turned out to be bad information. To make matters worse, the Associated Press similarly reported that DHS has reversed itself and 'now says Russia didn’t target Wisconsin’s voter registration system,' which is contrary to previous briefings.” epic.org EPIC-17-03-31-DHS-FOIA-20180416-Production-1 000001 NPPD 000650 “The work of our intelligence agencies is critical in defending against cyber threats.
    [Show full text]
  • Hack.Lu 2019 / 2019-10-23 Public / Tlp:White Disturbance the Sorry State of Cybersecurity and What We Can Do About It
    SAÂD KADHI, HEAD OF CERT-EU. HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE THE SORRY STATE OF CYBERSECURITY AND WHAT WE CAN DO ABOUT IT v1 IN THE BEGINNING IN THE BEGINNING, A CYBERSECURITY PRODUCT WAS BORN THE ANTIVIRUS IN THE BEGINNING, IT PROTECTED US (TO SOME EXTENT) FILELESS MALWARE RANSOMWARE SLAMMER (2003) BRAIN POWELIKS (1986) (2015) WORMS AIDS (1989) ILOVEYOU (2000) REVETON (2012) CODE NIMDA RED (2001) THE ANTIVIRUS (2001) CRYPTOLOCKER (2013) CONFICKER (2008) TROJANS & RATS PETYA (2016) EGABTR (1989?) POTENTIALLY UNWANTED APPLICATIONS WANNACRY (2017) NETBUS MIMIKATZ DARKCOMET (1998) (2011) (2012) FINFISHER (2011?) IN THE BEGINNING, IT PROTECTED US (TO SOME EXTENT) FILELESS MALWARE THIS SLIDE (NOR RANSOMWARE MY LIFE) WILL SLAMMER SUFFICE TO LIST (2003) BRAIN (1986) THEM ALL POWELIKS (2015) WORMS AIDS (1989) ILOVEYOU (2000) REVETON (2012) CODE NIMDA RED (2001) THE ANTIVIRUS (2001) CRYPTOLOCKER (2013) CONFICKER (2008) TROJANS & RATS PETYA (2016) EGABTR (1989?) POTENTIALLY UNWANTED APPLICATIONS WANNACRY (2017) NETBUS MIMIKATZ DARKCOMET (1998) (2011) (2012) FINFISHER (2011?) Source: Wired HOW WE ENDED UP HERE? CYBERINSECURITY: THE COST OF MONOPOLY HOW THE DOMINANCE OF MICROSOFT’S PRODUCTS POSES A RISK TO SECURITY DAN GEER, SEP 24, 2003 THESE EXAMPLES ARE ALL TELLTALE SIGNS OF THE DOMINATING MONOCULTURE BUT… A MONOCULTURE HAS ADVANTAGES (AND THE SECURITY OF MS PRODUCTS HAS SIGNIFICANTLY AND STEADILY IMPROVED) HOWEVER, CLASS BREAKS ARE TOO COSTLY TO IGNORE CLASS BREAKS 101 TARGETS A CERTAIN COMPROMISES A PIECE OF SOFTWARE
    [Show full text]