Looking Towards the Future with Teachings from the Past

Cybersecurity Forum – Opening Keynote, February 11, 2019
Ron Mehring, CISSP – VP Technology & Security, CISO, Texas Health Resources
Axel Wirth, CPHIMS, CISSP, HCISPP – Distinguished Technical Architect, Symantec Corporation

Conflict of Interest
• Ron Mehring, CISSP has no real or apparent conflicts of interest to report.
• Axel Wirth, CPHIMS, CISSP, HCISPP is employed by Symantec, a cybersecurity vendor, but has no real or apparent conflicts of interest to report.

Learning Objectives
• Identify how cyber-attacks were actually executed and understand cyber-attack trends
• Explain how effective response to cyber-attacks can mitigate the impact and damage
• Discuss what we may expect in the coming year regarding cyber-attacks in the healthcare space
• State lessons learned from the past to assist with the present and what is anticipated in the future

Agenda
1. Evolution of Cyber-Attacks
2. Effective response and impact mitigation
3. What we may expect in the coming year
4. Lessons learned and anticipating the future
5. Discussion / Q&A

Cybersecurity – Historic Timeline

Ancient History (1940 – 1980s)
– 1949: Theory of self-replicating code (J von Neumann)
– 1950s: “Core Wars” game (Bell Labs)
– 1970: “Creeper” concept demo (ARPANET, PDP-10)
– 1972: First fully-functional virus (V Risak, TU Vienna, Siemens)
– 1973: “A Disease of Machinery” (Westworld, MGM)
– 1980: Analogy to biological virus (J Kraus, U of Dortmund)
– 1984: “Computer virus” general definition (F. Cohen, UC)

Middle Ages (1980s – 2000s)
– 1982: “Elk Cloner” released (15 yo, Apple II)
– 1986: “Brain” tracking copyright violations (MS-DOS)
– 1987: “SCA” leads to first virus checker (Amiga, est. 40%)
– 1989: “AIDS” first ransomware (MS-DOS)
– 1995: “Concept” first macro virus (MS Word)
– 1999: “Melissa” 1st social eng.; 20% of world’s computers
– 2000: “ILOVEYOU” million+ infections in hours
– 2002: “SQL Slammer” fastest worm

Modern Age (2000s – today)
– 2007/08: Reports of Cyberwarfare (Syria, Ukraine, Georgia)
– 2008: “Conficker” infects est. 15M computers
– 2010: “Stuxnet” sabotage of Iranian nuclear program
– 2011/12: Multiple highly sophisticated viruses (e.g. Duqu, Flame)
– 2013: “CryptoLocker” ransomware; “Darlloz” IoT virus
– 2016: “Mirai” highly disruptive IoT DDoS, up to 1 TBit/s
– 2017: “WannaCry” & “Petya” cause $B+ losses

Conficker – Happy 10th Birthday
• Conficker (W32.Downadup) computer worm:
  – 5 variants produced (Nov. 2008 – April 2009)
  – Win2k, XP, Server 2003 & 2008, Vista
  – Multiple purposes: open backdoors, spam bot, keylogger, download other malware, …
  – Multiple propagation methods: Internet, LAN, shared folders, mapped drives, peer-to-peer networking, portable media (USB)
  – Estimated to have infected up to 15 million computers (compare: WannaCry: 350,000)
• Advanced capabilities and highly resilient:
  – Hides and replicates before becoming active
  – Scans network for machines with the same vulnerability
  – Has the capability to protect itself (e.g. disable AV and Windows updates)
• Still prevalent – but limited impact:
  – No active C&C servers
  – Fewer infections as target OSs are declining; may have run its course by 2020
  – Latent infections residing on legacy systems, e.g., leading malware in healthcare (June 2016)
• Other noteworthy facts:
  – $250,000 bounty still available!
  – The end goal of Conficker has never become clear
• Other long-living malware: Sality (2003), MyDoom (2004), Zeus (2011), Mirai (2016)

Emotet – Rolling with Opportunities
• Mealybug cyber crime actor:
  – Active since at least 2014
  – Initially targeting banking industry in Europe
  – Custom malware Trojan.Emotet (network worm)
  – Brute force attack via password list
• Started shifting focus in 2017:
  – Providing delivery services for other threat actors with Trojan.Emotet functioning as a “loader”
  – Europe → U.S. (Canada, Mexico, China)
• Key modules per direction of C&C server:
  – Banking module – steals banking details from network traffic
  – Email client infostealer – email credentials
  – Browser infostealer – browsing history and passwords
  – PST infostealer – email addresses
  – DDoS module – carry out DDoS attacks
• Mealybug, as an evolving threat actor, has been refining its techniques:
  – Shifted from a few regional banking attacks to a global distributor for other groups
  – Maximizing returns based on core competency and tools available
Source: Symantec ISTR

High Impact Malware – Care Delivery, Supply Chain, Privacy

WannaCry, Petya
• EternalBlue exploit (NSA leak)
• WannaCry (May 2017):
  – Faulty ransomware, ~$4–$8B global impact
• Petya (June 2017):
  – Cloaked ransomware (wiper), ~$10B impact
• WannaCry – care delivery impact:
  – 81 of 236 hospital trusts; 595 of 7545 GPs
  – 1000+ systems, 19,000 appts., ~£92M loss
  – Root cause: underinvestment, patching
  – Leading to £21M security investment
• WannaCry still active!
• Petya – healthcare supply chain:
  – Global pharma company – ~$310M loss, global drug and vaccine availability
  – Transcription service provider – ~$68M loss, impacted hosted transcription service

Trojan.Nibatad
• Largest national HC provider, SE Asia
• July 2018 attack
• 1.5M records, incl. Prime Minister
• Post mortem report:
  – Breach identified, but no action taken
  – Missing risk assessment
  – Lack of training, awareness, and concern
  – Lack of vulnerability scans and pen testing
  – Missing patch, poor password policies
• 16 recommendations (7 critical):
  – Enhance security structure
  – Review and assess cyber security stack
  – Improved staff awareness – prevent, detect, and respond to security incidents
  – Enhanced security checks
  – Tighten privileged admin account controls
  – Improve incident response processes
  – Private/public partnerships around security

Summary – Threat Landscape Trends
Cybercrime continues to follow money and opportunity.
• Worms are back: hitting networks today; expect next generation IoT worms
• Targeted attacks are hitting diverse targets: profiling, targeting, and execution continue to improve (e.g. Orangeworm group – healthcare)
• Email malware rates are increasing again: dropped 50% in 2017, back up in 1H 2018
• BEC scams continue to be profitable: Business Email Compromise: $12B loss in 6 years
• Ransomware numbers are stable: crowded market, some have moved on
• Cryptojacking remains popular – but rises and falls with cryptocurrency value
• IoT devices are the soft target: patching, default credentials, forgotten; 159% increase of attacks (7/17–7/18)
Top 10 Malwares 12/2018 (Source: CIS): Emotet, Kovter, ZeuS, NanoCore, Cerber, Gh0st, CoinMiner, Trickbot, WannaCry, Xtrat

Effective Response
1. Preparation – Getting Organized: Preparation is the key to managing the incident response cycle and reducing impact.
2. Execution – Detection and Response: Response activities must account for multiple conditions and the complexity of the organization.
3. Communication – Escalation and Peering: Timely escalation to peering response groups and leadership teams.

Effective Response: Preparation
Phases: Preparation | Analysis/Detection | Containment | Eradication | Recovery | Post Incident Activity
• Threat Catalog – Catalog of potential threats with associated response playbooks.
• Asset Inventory – Accurate inventory of technology assets that includes location, criticality and use.
• Identity Inventory – Accurate inventory of identities and entitlements across the technology and application portfolio.
• Data Inventory – Inventory of sensitive data and data flow.
• Exercises – Incident exercise plan tailored to unique environments and playbooks.
• Tool Management – Inventory of analytics and response tools.

Effective Response: Execution
Phases: Preparation | Analysis/Detection | Containment | Eradication | Recovery | Post Incident Activity
1. Protect Data Confidentiality – Regulated data, credit card data. Requirements may conflict with patient safety needs.
2. Protect the Enterprise – Control robustness must balance reliability and security.
3. Protect the Patient – Medical devices and other critical care device protection needs may conflict with data confidentiality requirements.
Diagram: Privacy, Cybersecurity, Patient Safety → Equilibrium (risk-based protection, detection and response); Preparation Phase, Response Plan, Response Playbooks.
• Effective incident response plans account for diverse operating environments and stakeholder response needs.
• Reduction in time to respond and remediate.

Effective Response: Playbooks
Phases: Preparation | Analysis/Detection | Containment | Eradication | Recovery | Post Incident Activity
Example: Malware Attack Playbook – Cyber Incident Response Phases
Cascading unique playbooks:
• What type of attack?
• What type of asset, identity, data type?
• Exposure?
Stakeholders: Treasury (PCI), Privacy, Patient Safety, Physical Security, HICS/System Preparedness, JV/Business Partners/Vendors, Cyber/Technology Teams, HTM (Medical Devices), Legal, HR, Risk Financing, Facilities, Business Process Owners

Effective Response: Communication
Phases: Preparation | Analysis/Detection | Containment | Eradication | Recovery | Post Incident Activity
A robust communication plan that reflects the different cyber incident stakeholder groups is critical to controlling incident impacts.
• The need to communicate effectively before, during and after an incident should not be underestimated.
• Preparation phase requirements and inputs should be well understood by technology/data custodians and system owners.
• Timing of stakeholder involvement is important.
• Balancing incident