1/18/2018
Cybersecurity Threats – “What Every Employer Needs To Know”
Connecticut Department of Labor
Bryan Cassidy, VP / Information Security Officer (CISA, CISSP, CFE)
Disclaimers
The opinions expressed in this presentation and on the following slides are solely those of the presenter and not necessarily those of Farmington Bank. Farmington Bank does not guarantee the accuracy or reliability of the information provided herein.
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Farmington Bank.
1/18/2018 | page 2
Bad Actor Profiles
Chart of the four profiles plotted by motivation and skill: Hacktivists, Fraudsters, Organized Crime, Nation States.
Hacktivists
WikiLeaks, Anonymous, LulzSec
Fraudsters
Brett Johnson (“GollumFun”) - ShadowCrew
Alexandre Cazes (“DeSnake”) - AlphaBay
Ross Ulbricht (“Dread Pirate Roberts”) - Silk Road 1.0
Sanford Wallace (“Spam King”) - Cyber Promotions
Albert Gonzalez (“CumbaJohnny”) - ShadowCrew
Roman Vega (“Boa”) - CarderPlanet
Ercan Findikoglu (“Segate”) - ATM Cash Out
Yarden Bidani (“applej4ck”) - vDOS
Blurring of Organized Crime / Nation States
Equation Group, Deep Panda, Cozy Bear, Longhorn, Black Vine, Sofacy, DragonOK, Fancy Bear, Hidden Lynx, Shadow Brokers, Mofang, Syrian Electronic Army, OilRig
Why Are They Not Arrested!?
Map highlighting Paris, Moscow, Hartford, Miami, Dubai, Lagos and Dar es Salaam.
Geopolitical Challenges
Protections
Masking Techniques
Laws/Regulations
Attribution Challenges
Shedding Light On The Dark Web
Surface Web: Only 4% of Web content (~8 billion pages) is available via search engines.
Deep Web: Approximately 7.9 zettabytes; 96% of the digital universe is unsearchable or password protected. (1 zettabyte is roughly 250 billion DVDs, or 36 million years of HD video.)
Dark Web: A portion of the “deep web” used by criminals to perform illegal activities.
Source: The Deep Web: Semantic Search Takes Innovation to New Depths
The Onion Router (TOR)
“…free software for enabling anonymous communication…directs traffic through a free overlay network to conceal a user’s location and usage. TOR’s intended use is to help protect personal privacy of users, as well as their freedom and ability to conduct confidential communications…” (Wikipedia)
The Onion Router (TOR)
Diagram: You (Hartford) connect through an Entry Guard, are relayed across The TOR Network of nodes around the world (India, Nepal, Canada, Vietnam, Brazil, Malaysia, Poland, Peru, Russia, Austria, Estonia, Spain, Yemen, Sweden, France, China, Ukraine, and several US states), and leave through an Exit Node to the Website. Legend: Encrypted / Unencrypted.
Structure of a Dark Web Marketplace
Diagram comparing a centralized marketplace (one website with its payment methods and parties: sellers and buyers) with a de-centralized model (vendors and buyers).
Products & Services On the Dark Web
Products: Account Credentials, Drugs & Prescriptions, Debit/Credit Cards, Crimeware Kits, Human Trafficking, Identification Docs, Exploits, Bank Statements
Services: Spam Rental Services, Translation Services, Money Mules, Re-shippers, Crimeware-as-a-Service, DIY Guides
“…daily sales were found to fluctuate between $300,000 and $500,000 per day.” Carnegie Mellon University: “Measuring the Longitudinal Evolution of the Online Anonymous Marketplace Ecosystem” (August 2015).
Cybercrime Pricelist
Attack Tools
• $400 Remote Access Trojan
• $100 Remote Desktop Control
• $400 1 Million Spam Emails
Services
• $100 Email Account
• $150 Bulletproof Hosting (China, Eastern Europe, etc.)
• $20 Virtual Private Network
• $1 Proxy
• $25 Malicious File Encryption
Data
• $3 SSN and DOB Verification
• $150 Credit Report 750+ Score
• $5 Credit/Debit Card (Online)
• $10 Credit/Debit Card (Cloned)
• $5 Bank Account Login
• $1 Existing PayPal Account
• $100 Email Account
• $25 Fake Driver’s License
• $25 Digital Copy of Fake Utility Bill or Social Security Card
Source: Recorded Future
Carding Shops
Dark Web Distrust – Scammers & Law Enforcement
A dark web marketplace owner can perform an ‘exit scam’ and disappear with all of the digital currency held in escrow.
A vendor can steal a buyer’s digital currency by never providing a service or shipping a product, but risks negative feedback.
A vendor can sell fake services/products to a buyer, but risks negative feedback.
Law enforcement may be impersonating a vendor/buyer in an attempt to identify dark web marketplace owners, vendors, and/or buyers.
Law enforcement may have taken full control of a dark web marketplace by seizing its servers, in an attempt to identify vendors and/or buyers.
Law Enforcement Takedown
Law Enforcement Monitoring
Spoofing, Compromise, and Account Takeover
FBI Public Service Announcements
January 22, 2015 (I-012215-PSA): There have been 2,126 victims with an exposed loss amount of $0.2 billion from October 2013 to December 2014.
August 27, 2015 (I-082715a-PSA): There have been 8,179 victims with an exposed loss amount of $0.8 billion from October 2013 to August 2015.
June 14, 2016 (I-061416-PSA): There have been 22,143 victims with an exposed loss amount of $3.1 billion from October 2013 to May 2016.
May 4, 2017 (I-050417-PSA): There have been 40,203 victims with an exposed loss amount of $5.3 billion from October 2013 to December 2016.
Headlines (March 2016 – August 2017)
Wire Fraud Example
From: [email protected]  Sent: April 2, 2017 10:02am  To: [email protected]
Hi Sasha, We have to make a payment to Def Company for $123,000 today. Do you have time to process a wire?
Thank you, Bryan AB Company
Wire Fraud Example
From: [email protected]  Sent: April 2, 2017 10:40am  To: [email protected]
Bryan, I’ll process the wire after lunch and send you the confirmation tomorrow as I’m out of the office.
Regards, Sasha AB Company
Wire Fraud Example
From: [email protected]  Sent: April 2, 2017 10:51am  To: [email protected]
Great! Please pay them as soon as possible as it is urgent. This is the bank account information for them:
BANK NAME: Global Bank
BANK ADDRESS: 1 Farm Glen Blvd., Farmington, CT 06032
ACCT NO: 123456789
ROUTING NO: 9515710
BENEFICIARY: ABC Company
BENEFICIARY ADDRESS: 32 Main Street, Farmington, CT 06032
Thank you, Bryan AB Company
Wire Fraud Example
From: [email protected]  Sent: April 3, 2017 8:01am  To: [email protected]
Hi Bryan, I’ve paid the vendor as requested.
Regards, Sasha AB Company
Wire Fraud Example
From: [email protected]  Sent: April 5, 2017 9:15am  To: [email protected]
Hi Bryan, We still haven’t received payment yet for the $123,000. Please pay as soon as possible to avoid any late charges.
Thanks, Lauren Def Company
Common Phishing/Email Spoofing Fraud Red Flags
Poor spelling and/or grammar.
Requests for instructions on processing wire/ACH payments.
Last-minute changes in wire/ACH instructions.
Elements of urgency: “This needs to be completed by today!”
Elements of secrecy: “Don’t tell anyone!” / “This needs to remain confidential!”
Avoiding communication: “I can’t talk right now.” / “I’m in a meeting!”
Steps To Help Prevent Becoming a Victim
Append a disclaimer to all external emails coming into your network (e.g., “The below email is from an external source. Please be careful when opening attachments or clicking on links.”).
Use out-of-band methods for confirming out-of-the-ordinary requests instead of relying solely on email.
Create a culture of cybersecurity awareness to help employees understand threats and red flags.
Block foreign IP addresses (if possible) to deter attempts by low-skilled fraudsters/criminals.
Know whom to contact immediately at your financial institution to begin the process of recovering funds.
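As an added example (not from the presentation), the following Python screens an inbound message for the red flags listed above and applies the external-sender disclaimer from the prevention steps; the domains, the sample message and the phrase patterns are constructed for illustration and are not the presenter's.

```python
import re
from email.utils import parseaddr

# Added example (not from the presentation): heuristic red-flag screening of
# inbound email, built from the "Common Phishing/Email Spoofing Fraud Red Flags"
# slide. The phrase patterns and sample message below are constructed.
RED_FLAG_PATTERNS = {
    "wire_ach_request": r"\b(wire|ach)\b",
    "bank_details_in_email": r"\b(acct|account|routing)\s*(no|number|#)",
    "urgency": r"\b(urgent|asap|as soon as possible|by today|immediately)\b",
    "secrecy": r"\b(don'?t tell|confidential|keep this between)\b",
    "avoiding_contact": r"\b(can'?t talk|in a meeting|out of the office|don'?t call)\b",
}

# Disclaimer text from the "Steps To Help Prevent Becoming a Victim" slide.
EXTERNAL_BANNER = ("The below email is from an external source. Please be careful "
                   "when opening attachments or clicking on links.\n\n")


def sender_domain(from_header):
    """Domain of the actual address in a From: header; the display name is ignored."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def tag_external(from_header, body, internal_domain):
    """Prepend the external-sender disclaimer when the mail did not originate internally."""
    if sender_domain(from_header) != internal_domain.lower():
        return EXTERNAL_BANNER + body
    return body


def red_flags(from_header, body, internal_domain):
    """Return the names of the red flags a message triggers, in dictionary order."""
    flags = []
    if sender_domain(from_header) != internal_domain.lower():
        flags.append("external_sender")  # display name may still read "Bryan"
    text = body.lower()
    for name, pattern in RED_FLAG_PATTERNS.items():
        if re.search(pattern, text):
            flags.append(name)
    return flags


# Constructed sample modelled on the deck's wire-fraud exchange; domains are placeholders.
INTERNAL_DOMAIN = "abcompany.example"
SAMPLE_FROM = "Bryan <bryan@abcompany-payments.example>"  # lookalike, not the internal domain
SAMPLE_BODY = ("Great! Please pay them as soon as possible as it is urgent.\n"
               "This is the bank account information for them; ACCT NO: 123456789 "
               "ROUTING NO: 9515710\nI can't talk right now, I'm in a meeting.")
```

For the sample, red_flags() reports external_sender, bank_details_in_email, urgency and avoiding_contact, while a routine internal reply such as “I’ve paid the vendor as requested” triggers nothing; the hits are a prompt for out-of-band confirmation, not proof of fraud.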
Cybersecurity Awareness Training Vendors
Ransomware
What is “Ransomware”?
A malware variant that encrypts important file types (.docx, .xlsx, etc.) and demands a “ransom” via digital currency to obtain the private key that unlocks your data.
58% of respondents say negligent employees put their company at risk for a ransomware attack. Source: Ponemon Institute: Rise of Ransomware 2017
Common Digital Currencies
FBI - Public Service Announcement
September 15, 2016 (I-091516-PSA): “…the FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.”
Recent High Profile Victims
Target | Industry | Demand | Negotiated Payment
San Francisco Light Rail Transit | Transportation | $73,000 | Did Not Pay
Hollywood Presbyterian Medical Center | Healthcare | $3,600,000 | $17,000
University of Calgary | Education | $16,000 | $16,000
City of Detroit | Government | $800,000 | Did Not Pay
Moses Afonso Ryan Ltd. | Legal | $25,000 | Paid (Undisclosed)
Carroll County Sheriff's Office (Arkansas) | Law Enforcement | $2,400 | $2,400
Ransomware Timeline (2005 to 1Q2016)
Timeline of ransomware families by period (2005-2013, 2014, 2015, 2016 Q1), including Gpcoder, Urausy, Linkup, TeslaCrypt, Locky, Reveton, Kovter, Slocker, Cryptolocker2015, Nanolocker, Nymaim, Onion, BandarChor, Paycrypt, Cryptowall, CTB-Locker/Citron, Cryptvault, Hi Buddy, Browlock, TorrentLocker, Simplocker, Job Cryptor, Zerolocker, Pacman, HydraCrypt, Synolocker, Pclock, Umbrecrypt, Coinvault, Threat Finder, Ransom32, Virlock, Hidden Tear, CryptoJocker, ORX-Locker, Magic, Tox, LeChiffre, Troldesh, Ginx, Encryptor RaaS, Jigsaw, XRTN, VaultCrypt, Radamant, LowLevel404, Dumb, Power Worm, DMA-Locker, Chimera-Locker, and Satan. Source: Symantec
“...emails containing ransomware increased 6,000% from FY15.” IBM, “Ransomware: How Consumers and Business Value Their Data”
Phishing/Social Engineering (Example)
TeslaCrypt (Crypto-Locker)
Jigsaw (Crypto-Locker)
Tox (RaaS)
Steps To Help Prevent Ransomware/Malware
Apply the latest operating system security and software patches to prevent vulnerabilities from being exploited.
Avoid using obsolete / end-of-life software within your network (e.g., Windows XP, Adobe, Java, etc.).
Create a culture of cybersecurity awareness to help employees understand threats and red flags.
Avoid clicking on links or opening attachments in suspicious emails.
Configure settings to block higher-risk file types in attachments, such as .exe, .js, .jar, .bat, .msi, .html, .scr, and .rar.
Implement website filtering software to prevent employees from visiting risky website categories (e.g., social media, personal email, online gambling, pornography, etc.).
Implement anti-virus software and ensure that its definition files are being updated periodically.
Perform regular backups of critical data so you can restore operations with minimal impact.
Multi-Factor Authentication
Single Factor Authentication
You are at… trying to access:
“Something You Know”
Username
Password
Knowledge Based Answers
Multi Factor Authentication
You are at… trying to access:
“Something You Know”
Username
Password
Knowledge Based Answers
“Something You Have”
One Time Token
“Something You Are”
Biometrics
Disabling Call Forwarding
A fraudster/criminal uses your stolen personal information to gain access to your mobile or landline account and adds call forwarding for either every call or specific phone numbers (e.g., financial institutions, etc.); thus, all calls would be directed to a phone number owned by the fraudster/criminal.
This allows the fraudster/criminal to receive call-back verifications.
Call your mobile phone service provider (e.g., Verizon, T-Mobile, etc.) and request that they disable call forwarding on your account.
Call your landline service provider (e.g., Xfinity, Charter, etc.) and request that they disable call forwarding on your account.
Carrier Freeze
A fraudster/criminal uses your stolen personal information to trick your mobile service provider into ‘porting’ your mobile number to a different service provider; thus, all calls would be directed to the criminal’s phone, which now carries your mobile number.
This allows the fraudster/criminal to receive call-back verifications and SMS tokens, reset passwords, or gain access to other platforms (e.g., email, online banking, etc.).
Call your mobile phone service provider (e.g., Verizon, T-Mobile, etc.) and request that they add a ‘carrier freeze’.
Steps To Help Prevent Account Takeovers
Use encrypted communications and implement multi-factor authentication on critical systems (e.g., email, banking, etc.).
Apply the latest operating system security and software patches to prevent vulnerabilities from being exploited.
Avoid using obsolete / end-of-life software within your network (e.g., Windows XP, Adobe, Java, etc.).
Create a culture of cybersecurity awareness to help employees understand threats and red flags.
Implement website filtering software to prevent employees from visiting risky website categories (e.g., social media, personal email, online gambling, pornography, etc.).
Implement anti-virus software and ensure that its definition files are being updated periodically.
Resist connecting to public wireless access points (e.g., airports, restaurants, etc.), as unencrypted data could be read by others on the same access point.
Incident Response Planning
Incident Response Planning
Contain: What immediate actions will you take to contain the incident? Disconnect the Internet connection, but never power down!
Remediate: What vendor will you contact to perform forensics and/or remove malware? If not using a vendor, what tools/services will you run to clean an infected device?
Notify: Who would you contact at your financial institution(s) to let them know? What law enforcement agencies would you contact for assistance? When would you report a data breach to customers and the Attorney General? Should you report the incident to the Internet Crime Complaint Center (ic3.gov)?
Incident Response Planning (www.IC3.gov)
Internet Crime Complaint Center Complaint Referral Form fields:
Financial Transaction Details: Account Numbers, Routing Numbers, Bank Names, Addresses, Names, Phone Numbers
Subject Details: Personal / Business Name, Address, Email Address, Phone Numbers, Websites, IP Addresses
Other Information: Obtaining Full Email Message Headers; Witnesses or Other Victims?; Reported to Other Law Enforcement Agencies? (Name, Phone Number, Email Address, Date Reported, Report/Case Number)
Contact Information & Resources
www.linkedin.com/in/bryancassidy
Internet Crime Complaint Center (ic3.gov) – For reporting incidents to the FBI.
US Computer Emergency Readiness Team (us-cert.gov) – For learning of new cyber threats and tips to help prevent them.
Federal Trade Commission (consumer.ftc.gov) – For learning about new online scams and how to help prevent identity theft.
Department of Homeland Security (dhs.gov/stopthinkclick) – For helpful training materials on creating a cybersecurity awareness culture.