How to prevent a disaster in cyberspace?

The need for an international approach to undermine the criminal cyber architecture

Open-ended intergovernmental expert meeting, UNODC Vienna, 19-01-2011

© 2011 Luc Beirens – Federal Computer Crime Unit - Belgian Federal Judicial Police – Direction economical and financial crime

Presentation

Luc Beirens, Chief Superintendent, Head of the Federal Computer Crime Unit, Belgian Federal Judicial Police, Direction Economical and financial crime

Chairman of the EU Cybercrime task force, representing the organization of heads of national high-tech crime units of the EU

Topics - overview

- General trends today
- Cyber crimes and cyber criminals today
- What hinders the combat today?
- A proposal for an integrated response
- Belgian experiences

General trends today

- Evolution towards e-society
  - replace persons by e-applications
  - interconnecting all systems (admin, industrial, control)
- IP is the common platform offered by many ISPs, integrating telephony / data / VPN & all new apps = opportunities / Achilles heel / scattered traces
- Poor security in legacy applications and protocols (userid + pw) => identity fraud is easy
- End user is not yet educated to act properly

What do criminals want? How: cyber crimes today

- e-fraud => give money to the criminals
- spam => start for e-frauds
- hacking =>
  - change content of your website (defacing)
  - transfer money from the hacked system
- espionage => know your victim
- use of hacked system => storage / spam / proxy / DNS / CC / DDOS
- DDOS: distributed denial of service attacks

How to combat cyber criminals?

Analyse their methods and tools

[Diagram: a DDoS attack. The hacker sends commands through a Command & Control server to infected computers (each reporting "My IP is x.y.z.z"), which attack a webserver / node over the Internet; the computer crashes and its access line is blocked.]

Interesting DDOS

- 2004 UK: gambling website down (+ hoster + ISP)
- 2005 Netherlands: 2 : millions of zombies
- 2005 Belgium: commercial firm during social conflict
- 2006 Sweden: Gov websites after police raid on P2P
- 2007 Estonia: politically inspired widespread DDOS attack
- 2008 Georgia: cyber war during military conflict
- 2010 Worldwide: Wikileaks cyberconflict

What are botnets used for? Making money!

- Sometimes still for fun (scriptkiddies)
- Spam distribution via zombie
- Click generation on banner publicity
- Dialer installation on zombie to make premium rate calls
- … / … installation
- Espionage: banking details / passwords / keylogging
- Transactions via zombie PC
- Capacity for distributed denial of service attacks (DDOS) => disturb functioning of device (server/router)

[Diagram: botnet architecture. The hacker operates, over the Internet, a Command & Control server, a Malware update server and a Knowledge server. Infected computers send very frequent MW update requests and receive MW updates; on a trigger event they send collected info to the Knowledge server; the servers exchange malware updates / knowledge transfer; the webserver / node is the target.]

Cyber criminal's toolbox

- malware => trojan horses
  - distribution via mail, p2p, social networks, websites
  - auto-update & auto-propagation in network
  - very high rate of new versions
- remote control of infected systems => botnets
- creation of knowledge databases
  - collected & keylogged info of infected PCs
- keyservers in safe haven countries

But the criminal cyber architecture also includes ...

- Underground fora and chatrooms
- Botnets for hire
- Malware on demand / off the shelf packages
- Trade in stolen credit cards / credentials
- Money laundering services
- Organized cyber criminals
  - take over / set up ISPs
  - infiltrate development firms

And the victims?

- Who?
  - Communication networks and service providers
  - Companies, especially transactional websites
  - Every internet user
- Reaction
  - Unaware of incidents going on => dark number
  - Victims try to solve it themselves
  - Nearly no complaints made => dark number
- Result? The hackers go on developing botnets

Risks

- Economical disaster
  - Large scale: critical infrastructure
  - Small scale: enterprise
- Individual & corporate (secret) data
- Loss of trust in e-society

Combined threat

- What if abused by terrorists? Cyber army? ... simultaneously with a real world attack?
- How will you handle the crisis? Your telephone system is not working!

Intermediate conclusions

- Society is very dependent on ICT
- eSociety is very vulnerable to attacks
- Urgent need to reduce risks on critical ICT
- Botnets as criminal cyber infrastructure are the common platform for lots of cybercrimes

=> undermine it and you reduce crime

Traditional way of law enforcement to tackle cybercrime

- Reactive
  - Register complaint => judicial case
  - Hotlines (or cooperation with)
  - (Eventually) undercover operations
- Proactive (?)
  - Who is doing what, where and how?
  - Patrolling the net
- Effective (?) but not undermining cybercriminals

What hinders an effective combat of cyber crime?

- Unawareness and negligence of the end user
- Lack of overall view on risks / incidents by
  - enterprise managers
  - political decision makers
- Combating: everyone on his own
- Lack of specialized investigators
- Jurisdictions limited by national borders
- Subscriber identity fraud
- Mobility of the (criminal) services in the cloud

What actions are needed?

Everyone plays a role in e-security

We have to do it as partners

We have to do it in an integrated way

Goals for operational cybercrime action plan

- As "society" (= gov & private sector) improve detection and get a view and act on
  - criminal cyberinfrastructure, especially botnets
  - incidents threatening eSociety

- Strengthen robustness of ICT eSociety
  - ISPs / Enterprises / End users
- Weaken and dismantle the criminal cyberinfrastructure
  - Each partner within his role & competence

[Diagram: the integrated response mapped onto the botnet architecture. Hacker: bring to court. Botnet servers (CC, Knowledge, MW): take out of order, stop activity, preserve evidence, analyse to identify hacker & zombies; actions against botnet architecture. Webserver / node: identify critical infrastructure, alarm procedures, preserve evidence, report incident. Infected computers: prevent infection & MW autopropagation, detect infections & disinfect.]

Role of governments & international organizations

- Working according to a strategy
- Develop international plans & reaction schemes for critical ICT infrastructure protection
- Develop legal framework
  - Obligation to report cybercrime incidents
  - Obligation to secure your computer system (?)
  - Possibility for ISP to cut off infected machines (?)
  - Obligation to respond to requests of Gov authority when serious incidents happen

Telecommunications sector

- Prevent / reduce SPAM
- Have to make their infrastructure robust
- Report serious incidents to CERT
- Integrated reaction with authorities
- Implement strong authentication in internet protocols and services
- Detect negligent end users & react / help / cut off

Enterprises

- E-Security = business risk => management responsibility
- Think about how to survive when e-systems are under attack
- Enforce detection of incidents – IDS?
- Report incidents to CERT? to police?
- Integrate strong authentication in e-business applications

Developers

- Strong authentication
  - Use the strongest available but ...
  - Think as a hacker: how can a transaction on an infected PC be intercepted?
- Store IP addresses and timestamps
  - of the end user! not of the router!
  - Needed in case of an incident!
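For the developer recommendation above (store the end user's IP address and timestamps, not the router's), an added Python example that is not part of the presentation: it records a transaction with a UTC timestamp and the end-user address, accepting X-Forwarded-For only when the request arrived through one of our own reverse proxies (the proxy range and the header layout are assumptions), and answers the incident question of which users acted from a given IP in a time window.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed example: the address range of our own reverse proxies (assumption).
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def _trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, x_forwarded_for: str = "") -> str:
    """Return the end user's address rather than the router's / proxy's.

    If the TCP peer is one of our own proxies, the user is the right-most
    X-Forwarded-For hop that is not itself one of our proxies. A header
    arriving from anywhere else is client-supplied and is ignored."""
    peer = ip_address(peer_addr)
    if not _trusted(peer):
        return str(peer)
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ip_address(hop)
        except ValueError:
            break  # empty or malformed header: keep what we can prove
        if not _trusted(addr):
            return str(addr)
    return str(peer)


@dataclass(frozen=True)
class TransactionRecord:
    timestamp: datetime  # timezone-aware UTC, so partners' logs can be aligned
    user_id: str
    client_ip: str
    action: str


def record_transaction(user_id: str, action: str, peer_addr: str,
                       x_forwarded_for: str = "", now=None) -> TransactionRecord:
    ts = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return TransactionRecord(ts, user_id, client_ip(peer_addr, x_forwarded_for), action)


def users_from(records, ip: str, start: datetime, end: datetime) -> set:
    """The incident question: which users acted from this IP in [start, end]?"""
    return {r.user_id for r in records if r.client_ip == ip and start <= r.timestamp <= end}
```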

Responsibilization of end user

- Awareness raising => media
- Training on e-security & attitude
  - already at school
  - in the enterprises
- Obligation to secure his PC properly?

Role of police and justice?

- Gather intelligence about botnets
- Dismantle botnet servers in your country
- Analyse botnet servers to find traces to criminals
- Focus on knowledge servers & CC servers

Belgian experience

- 1 national FCCU + 25 Regional CCU = 175 officers (computer forensics & cybercrime combat)
- 2 specialized Federal prosecutors, minimum 1 ICT reference prosecutor / district
- FCCU analyses attacks on critical ICT infra
- BelNIS Gov Network information security
  - Develops and organizes ICT security strategy
  - Problem: no central authority
- Since 2009: Cert.be for Gov and Critical infra

Belgian experience

- eBanking fraud => start of malware analysis
  - Gain insight in how it's working
  - Leads to detection of botnet servers / bogus ISPs
- Combined team cybercrime & financial investigators
- Building trust with law enforcement of other countries
- Collaboration with several partners and organizations => information sent to & analysed by Cert.be
- Effective in dismantling of botnet servers (50 since '09)
- Impact of 1 malware distribution server? Analysis shows: 2 months, 1,5 million downloads, 300.000 unique IPs

Problems

- Botnet servers often on victim's servers
  - But is it really a victim?
- No knowledge servers in BE
- Language problem during analysis of CC server
- Is it the role of the police / Cert?
  - If Cert does it (eg Finland)
    => fast, but do we go after criminals afterwards?
    - Which incidents are severe enough to report to police?
  - If police does it
    - Which botnet servers do we analyse?
    - Malware analysis => help from AV industry?

Do we really have an impact?

- Several hundreds of botnets
- 5.000 – 10.000 botnet servers world wide
- Millions of infected end users

=> need for action in every country

Contact information

Federal Judicial Police
Direction for Economical and Financial crime
Federal Computer Crime Unit
Notelaarstraat 211 - 1000 Brussels – Belgium

Tel office: +32 2 743 74 74
Fax: +32 2 743 74 19

E-mail: [email protected] (fccu.be)