How to prevent a disaster in cyberspace?
The need for an international approach to undermine the criminal cyber architecture
Open-ended intergovernmental expert meeting on cybercrime, UNODC, Vienna, 19-01-2011
© 2011 Luc Beirens – Federal Computer Crime Unit - Belgian Federal Judicial Police – Direction economical and financial crime

Presentation
Luc Beirens, Chief Superintendent, Head of the Federal Computer Crime Unit, Belgian Federal Judicial Police, Direction Economical and financial crime
Chairman of the EU Cybercrime task force, representing the organization of heads of national high-tech crime units of the EU
Topics - overview
- General trends today
- Cyber crimes and cyber criminals today
- What hinders the combat today?
- A proposal for an integrated response
- Belgian experiences
General trends today
- Evolution towards e-society: persons are replaced by e-applications; all systems (administrative, industrial, control) are interconnected
- IP is the common platform offered by many ISPs, integrating telephony / data / VPN & all new apps = opportunities / Achilles tendon / scattered traces
- Poor security in legacy applications and protocols (userid + password) => identity fraud is easy
- End user is not yet educated to act properly
What do criminals want? How: cyber crimes today
- e-fraud => give money to the criminals
- spam => the start for e-frauds
- hacking => change the content of your website (defacing); transfer money from the hacked system
- espionage => know your victim
- use of the hacked system => storage / spam / proxy / DNS / C&C / DDoS
- DDoS: distributed denial of service attacks
How to combat cyber criminals?
- Analyse their methods and tools

[Diagram: Botnet attack on a webserver / node. Labels: Hacker; Cmd; Command & Control Server; Internet; "My IP is x.y.z.z"; Webserver / node; Info; Access line blocked; Computer crash.]
Interesting DDoS
- 2004 UK: gambling website down (+ hoster + ISP)
- 2005 Netherlands: 2 botnets, millions of zombies
- 2005 Belgium: commercial firm during a social conflict
- 2006 Sweden: government websites after a police raid on P2P
- 2007 Estonia: politically inspired widespread DDoS attack
- 2008 Georgia: cyber war during a military conflict
- 2010 Worldwide: Wikileaks cyber conflict

What are botnets used for? Making money!
- Sometimes still for fun (script kiddies)
- Spam distribution via zombie
- Click generation on banner advertising
- Dialer installation on zombie to make premium rate calls
- Spyware / malware / ransomware installation
- Espionage: banking details / passwords / keylogging
- Transactions via zombie PC
- Capacity for distributed denial of service attacks
- DDoS => disturb the functioning of an internet device (server / router)
[Diagram: Malware update / knowledge transfer. Labels: Hacker; Internet; Command & Control Server; trigger event; Webserver / node; Malware update server; MW update; Very frequent MW update request; Knowledge server; Collected Info.]
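Both diagrams above come down to one thing a defender can observe: an infected host keeps asking its malware update or C&C server for new instructions at a short, machine-regular interval (the "very frequent MW update request"), whereas human browsing is bursty and irregular. The following is an added example and not code from the presentation or from the FCCU: it scans proxy log lines and flags client / destination pairs whose request gaps are short and nearly constant. The log format, the sample lines and the thresholds are constructed assumptions for illustration.

```python
"""Flag hosts that poll one external server at a high, regular rate.

Added example, not part of the original presentation. The log format
(a simplified proxy log: "<iso-timestamp> <client-ip> <dest-host> <path>"),
the sample lines and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 polls update.example.net every 30 s with almost
# no jitter (the "very frequent MW update request" pattern); 10.0.0.7 browses.
SAMPLE_LOG = """\
2011-01-19T09:00:00Z 10.0.0.5 update.example.net /u.php?id=4f2a
2011-01-19T09:00:30Z 10.0.0.5 update.example.net /u.php?id=4f2a
2011-01-19T09:01:00Z 10.0.0.5 update.example.net /u.php?id=4f2a
2011-01-19T09:01:31Z 10.0.0.5 update.example.net /u.php?id=4f2a
2011-01-19T09:02:00Z 10.0.0.5 update.example.net /u.php?id=4f2a
2011-01-19T09:02:30Z 10.0.0.5 update.example.net /u.php?id=4f2a
2011-01-19T09:00:12Z 10.0.0.7 news.example.org /
2011-01-19T09:00:47Z 10.0.0.7 news.example.org /sports
2011-01-19T09:03:05Z 10.0.0.7 news.example.org /weather
2011-01-19T09:09:40Z 10.0.0.7 cdn.example.org /img/logo.png
2011-01-19T09:01:15Z 10.0.0.5 news.example.org /
"""


def parse_log(text):
    """Yield (timestamp, client, destination) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2]


def find_beacons(text, min_requests=5, max_interval=120.0, max_jitter=0.2):
    """Return {(client, dest): (mean_gap_seconds, jitter_ratio)} for pairs seen
    at least min_requests times whose mean gap is at most max_interval seconds
    and whose coefficient of variation (pstdev / mean) is at most max_jitter.
    Human browsing has large, irregular gaps; a polling implant does not."""
    by_pair = defaultdict(list)
    for ts, client, dest in parse_log(text):
        by_pair[(client, dest)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps, nothing to measure
        jitter = pstdev(gaps) / avg
        if avg <= max_interval and jitter <= max_jitter:
            hits[pair] = (avg, jitter)
    return hits


if __name__ == "__main__":
    for (client, dest), (avg, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: every {avg:.0f}s, jitter {jitter:.2f}")
```

Calibrate min_requests, max_interval and max_jitter on known-good traffic before alerting on it; implants that add a random sleep raise the jitter ratio, so pair this check with the destination's reputation and with the repeated, identical request path that update polling tends to use.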
Cyber criminal's toolbox
- malware => trojan horses: distribution via mail, P2P, social networks, websites; auto-update & auto-propagation in the network; very high rate of new versions
- remote control of infected systems => botnets
- creation of knowledge databases: collected & keylogged info from infected PCs
- key servers in safe-haven countries

But the criminal cyber architecture also includes ...
- Underground fora and chatrooms
- Botnets for hire
- Malware on demand / off-the-shelf packages
- Trade in stolen credit cards / credentials
- Money laundering services
- Organized cyber criminals take over / set up ISPs and infiltrate development firms
And the victims?
- Who? Communication networks and service providers; companies, especially transactional websites; every internet user
- Reaction: unaware of incidents going on => dark number; victims try to solve it themselves; nearly no complaints made => dark number
- Result? The hackers go on developing botnets
Risks
- Economic disaster: large scale: critical infrastructure; small scale: enterprise
- Individual & corporate (secret) data
- Loss of trust in e-society
Combined threat
- What if abused by terrorists? Cyber army? ... simultaneously with a real-world attack?
- How will you handle the crisis? Your telephone system is not working!
Intermediate conclusions
- Society is very dependent on ICT; e-society is very vulnerable to attacks
- Urgent need to reduce risks on critical ICT
- Botnets as criminal cyber infrastructure are the common platform for lots of cybercrimes => undermine it and you reduce crime
Traditional way of law enforcement to tackle cybercrime
- Reactive: register complaint => judicial case; hotlines (or cooperation with them); (eventually) undercover operations
- Proactive (?): who is doing what, where and how? Patrolling the net
- Effective (?) but not undermining cybercriminals
What hinders an effective combat of cyber crime?
- Unawareness and negligence of the end user
- Lack of overall view on risks / incidents by enterprise managers and political decision makers
- Combating: everyone on his own
- Lack of specialized investigators
- Jurisdictions limited by national borders
- Subscriber identity fraud
- Mobility of the (criminal) services in the cloud
What actions are needed?
- Everyone plays a role in e-security
- We have to do it as partners
- We have to do it in an integrated way

Goals for an operational cybercrime action plan
- As "society" (= government & private sector): improve detection, get a view on and act on the criminal cyber infrastructure (especially botnets) and on incidents threatening e-society
- Strengthen the robustness of ICT / e-society: ISPs / enterprises / end users
- Weaken and dismantle the criminal cyber infrastructure
- Each partner within his role & competence

[Diagram: actions of each partner, overlaid on the attack diagram. Labels: Webserver / node; Hacker; Internet; Preserve evidence; Report incident; Stop activity; Bring to court; Take out of order; Analyse to identify hacker & zombies; Identify critical infrastructure; Alarm procedures; Prevent infection & MW auto-propagation; Detect infections & disinfect; Botnet servers (C&C, knowledge, MW); Actions against botnet architecture.]
Role of governments & international organizations
- Working according to a strategy
- Develop international plans & reaction schemes for critical ICT infrastructure protection
- Develop a legal framework: obligation to report cybercrime incidents; obligation to secure your computer system (?); possibility for the ISP to cut off infected machines (?); obligation to respond to requests of the government authority when serious incidents happen
Telecommunications sector
- Prevent / reduce spam
- Have to make their infrastructure robust
- Report serious incidents to the CERT
- Integrated reaction with the authorities
- Implement strong authentication in internet protocols and services
- Detect negligent end users & react / help / cut off
Enterprises
- E-security = business risk => management responsibility
- Think about how to survive when e-systems are under attack
- Enforce detection of incidents – IDS? Report incidents to the CERT? To the police?
- Integrate strong authentication in e-business applications
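What "strong authentication integrated in an e-business application" has to defend against is a transaction submitted from an infected PC, where the browser itself is under the attacker's control. The following is an added example, not code from the presentation, from any bank or from the FCCU. It contrasts a session-bound one-time password, which only proves the user was present and is therefore relayed unchanged by malware that rewrites the beneficiary, with a code that a separate device computes over the beneficiary and amount the user actually confirms, which the server then rejects for the altered transfer. The class and function names, the shared secret, the message format and the attacker's account number are illustrative assumptions.

```python
"""Transaction-bound authentication code versus a plain one-time password.

Added example, not a real bank's or token vendor's code. The per-user
secret, the message layout and the account numbers are assumptions.
"""
import hashlib
import hmac
import secrets


def otp_code(secret: bytes, nonce: bytes) -> str:
    """Session-bound OTP: depends only on the server nonce, not on the transfer."""
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()[:8]


def transaction_code(secret: bytes, nonce: bytes, beneficiary: str, amount_cents: int) -> str:
    """Transaction-bound code: the user's separate device computes this over
    the details it displays, so the code is useless for any other transfer."""
    msg = b"|".join([nonce, beneficiary.encode(), str(amount_cents).encode()])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    """Server side: issues a nonce, then checks the code against the
    transaction it actually received from the (possibly infected) PC."""

    def __init__(self, user_secret: bytes):
        self._secret = user_secret
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(8)
        return self._nonce

    def execute_with_otp(self, beneficiary: str, amount_cents: int, code: str) -> bool:
        del beneficiary, amount_cents  # the OTP says nothing about the transfer
        return hmac.compare_digest(code, otp_code(self._secret, self._nonce))

    def execute_with_transaction_code(self, beneficiary: str, amount_cents: int, code: str) -> bool:
        expected = transaction_code(self._secret, self._nonce, beneficiary, amount_cents)
        return hmac.compare_digest(code, expected)


def man_in_the_browser(beneficiary: str, amount_cents: int):
    """Malware on the infected PC: swaps the beneficiary of the submitted
    transfer while the user still sees the original details on screen."""
    del beneficiary
    return "BE00 ATTACKER 0000", amount_cents  # constructed attacker account


def run_scenario(use_transaction_code: bool, infected: bool = True) -> bool:
    """Return True if the bank accepts the transaction that reached it."""
    secret = b"per-user token secret (assumed provisioned out of band)"
    bank = Bank(secret)
    nonce = bank.challenge()
    user_benef, user_amount = "BE00 GROCER 1234", 4950  # what the user intends
    if use_transaction_code:
        # The device shows beneficiary + amount; the user confirms exactly those.
        code = transaction_code(secret, nonce, user_benef, user_amount)
    else:
        code = otp_code(secret, nonce)
    benef, amount = man_in_the_browser(user_benef, user_amount) if infected else (user_benef, user_amount)
    if use_transaction_code:
        return bank.execute_with_transaction_code(benef, amount, code)
    return bank.execute_with_otp(benef, amount, code)


if __name__ == "__main__":
    print("OTP only, infected PC, attacker's transfer accepted:", run_scenario(False))
    print("Transaction-bound code, infected PC, attacker's transfer accepted:", run_scenario(True))
```

The protection only holds if the device that computes the code displays the beneficiary and amount to the user on its own screen, out of reach of the PC; a code entered into a browser form but computed over data the browser supplied is back to the OTP case.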
Developers
- Strong authentication: use the strongest available, but ... think as a hacker: how can a transaction on an infected PC be intercepted?
- Store IP addresses and timestamps of the end user! Not of the router! Needed in case of an incident!
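Added example for the "IP addresses and timestamps of the end user, not of the router" point (not code from the presentation or from the FCCU): behind a NAT gateway, load balancer or reverse proxy the TCP peer address the application sees is the proxy's, so the end-user address has to be taken from the header the organisation's own proxy sets, and only when the peer really is that proxy, because otherwise the header is attacker-controlled and the "evidence" would be forged. The timestamp is written in UTC with its offset so that it can be matched against ISP records later. The WSGI-style environ dicts, the trusted proxy address and the log line format are constructed assumptions.

```python
"""Record the end user's IP address and an unambiguous timestamp.

Added example, not part of the presentation. Assumes a WSGI-style
`environ` mapping (REMOTE_ADDR plus HTTP_X_FORWARDED_FOR) and a single
reverse proxy operated by the site; its address and the sample requests
below are constructed.
"""
import ipaddress
from datetime import datetime, timezone
from typing import Optional

# Only proxies we operate may set X-Forwarded-For on our behalf (assumed address).
TRUSTED_PROXIES = {ipaddress.ip_address("10.1.0.2")}


def client_ip(environ: dict) -> str:
    """Return the end user's address rather than the proxy's / router's.

    REMOTE_ADDR is the TCP peer. If that peer is one of our own proxies, the
    real client is the last address that proxy appended to X-Forwarded-For;
    any earlier entries were supplied by the client and are untrusted. If the
    peer is not a trusted proxy, the header is ignored entirely, otherwise
    anyone could choose the address that ends up in the incident log.
    """
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    if peer in TRUSTED_PROXIES and xff:
        candidate = xff.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))  # normalises, rejects junk
        except ValueError:
            pass  # malformed header from the proxy: fall back to the peer
    return str(peer)


def audit_line(environ: dict, user: str, action: str, now: Optional[datetime] = None) -> str:
    """One evidence-grade log line: UTC ISO 8601 timestamp, end-user IP,
    authenticated user and action. Local time without a zone is ambiguous
    when the incident is reconstructed months later across countries."""
    now = now or datetime.now(timezone.utc)
    ts = now.astimezone(timezone.utc).isoformat(timespec="seconds")
    return f"{ts} ip={client_ip(environ)} user={user} action={action}"


# Constructed sample requests.
FORGED_REQUEST = {"REMOTE_ADDR": "203.0.113.9", "HTTP_X_FORWARDED_FOR": "192.0.2.1"}
PROXIED_REQUEST = {"REMOTE_ADDR": "10.1.0.2", "HTTP_X_FORWARDED_FOR": "192.0.2.1, 198.51.100.77"}
JUNK_HEADER_REQUEST = {"REMOTE_ADDR": "10.1.0.2", "HTTP_X_FORWARDED_FOR": "not-an-ip"}
FIXED_TIME = datetime(2011, 1, 19, 9, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for env in (FORGED_REQUEST, PROXIED_REQUEST, JUNK_HEADER_REQUEST):
        print(audit_line(env, "alice", "transfer", FIXED_TIME))
```

With several trusted proxy hops in a row, strip trusted addresses from the right end of X-Forwarded-For until the first untrusted one; that is the client, and everything to its left is still hearsay.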
Responsibilization of the end user
- Awareness raising => media
- Training on e-security & attitude: already at school, and in the enterprises
- Obligation to secure his PC properly?
Role of police and justice?
- Gather intelligence about botnets
- Dismantle botnet servers in your country
- Analyse botnet servers to find traces to the criminals
- Focus on knowledge servers & C&C servers
Belgian experience
- 1 national FCCU + 25 regional CCUs = 175 officers (computer forensics & cybercrime combat)
- 2 specialized federal prosecutors; minimum 1 ICT reference prosecutor per district
- FCCU analyses attacks on critical ICT infrastructure
- BelNIS (government network information security): develops and organizes the ICT security strategy; problem: no central authority
- Since 2009: Cert.be for government and critical infrastructure
Belgian experience
- eBanking fraud => start of malware analysis: gain insight in how it is working; leads to detection of botnet servers / bogus ISPs
- Combined team of cybercrime & financial investigators
- Building trust with law enforcement of other countries
- Collaboration with several partners and organizations => information sent to & analysed by Cert.be
- Effective in dismantling botnet servers (50 since '09)
- Impact of 1 malware distribution server? Analysis shows: in 2 months, 1.5 million downloads from 300,000 unique IPs
Problems
- Botnet servers are often on a victim's servers: but is it really a victim?
- No knowledge servers in BE
- Language problem during analysis of the C&C server
- Is it the role of the police or of the CERT? If the CERT does it (e.g. Finland) => fast, but do we go after the criminals afterwards? Which incidents are severe enough to report to the police? If the police does it: which botnet servers do we analyse? Malware analysis => help from the AV industry?

Do we really have an impact?
- Several hundreds of botnets
- 5,000 – 10,000 botnet servers worldwide
- Millions of infected end users
- => need for action in every country
Contact information
Federal Judicial Police, Direction for Economical and Financial crime, Federal Computer Crime Unit
Notelaarstraat 211 - 1000 Brussels – Belgium
Tel office: +32 2 743 74 74   Fax: +32 2 743 74 19
E-mail: [email protected]