Sack the Bad Guys!
1 Introduction
Lance James
• Chief Scientist @ Flashpoint
• Former Head of Cyber Intelligence with Deloitte & Touche LLP
• Responsible for multiple takedowns including Silk Road, CryptoLocker and SpyEye in collaboration with the FBI
2 CCS 2.0 - Outsourcing Model
Kingpin
Operations / Finance
Product Manager, Botnet Master, Manager Mule Ops, Payment Systems SME
Sr. Developer, Design/UI, AV CI/Crypting, QA, Bulletproof Hoster, Analytics, Affiliate Relations
Hijacker, Ad Broker SME, Spammer, Traffic Broker SME, Sr. Loader Dev, Sr. Bot Dev, Exploit R&D
3 Information Sharing Ecosystem
• The key to defeating threats
• Criminals share information to defeat protections
• Information superiority: Who has the upper hand?
- Criminals communicate openly behind password walls
- Division of labor and information sharing increases efficiency
• Other drivers of cybercrime:
- Geopolitical competition - not a crime, but duty
- Safe havens: freedom from prosecution hones skills
- Advanced education system, but limited opportunities
CISA Initiatives / ISAO Initiatives
4 Information Sharing Along Lines of Operation
Development / Finance
• Antichat
• Verified
• Exploit
• Korovka
• Coru
• DirectConnection
• Maza
• Monopoly
• Wasm
• Infraud
5 Organized Crime & Lone Actors: A Feedback Loop
Forum
• Enterprise recruits developer from within forum
• Developer produces product for the enterprise
• Developer re-sells same product back into the forum
• Syndicates hire & buy on forums
• TTPs & products developed for syndicates are sold on forums
• Division of labor lowers barriers to entry for would-be cybercriminals
6 Methods of Attack
7 Turn-Key Services
Domain Ordering Panel
Pay-Per-Install Panel
8 Aggressive POS Malware Trend
9 Ransomware Evolution
• Asymmetric Encryption
• Native Cryptography Libraries
• Public Key Encrypts Data
• Multi-tier Resilient Infrastructure
• Bitcoin Payment
10 Ransomware Evolution - Resilient Networks
• Domain Generation Algorithms
Also their Kryptonite
11 Ransomware Evolution - Crypto Code Review
• Security Investment
• Security Serves the Business
• Goal: Develop the perfect ransomware
12 Ransomware Evolution - No Network Needed
• Thick Client Ransomware
• Public Key Embedding
• No remote server required to encrypt
• RSA Crypto will be the Gold Standard
Possible Weakness: 768-bit keys
13 Ransomware Evolution – No Coder Needed
• Javascript Ransomware
• Creates a client.scr binary
• 15.9 MB
• 3/54 AV detection
• Crimeware-as-a-service
• Hosted on Tor Onion
• Uses NW.js Framework
• Cross-Platform Potential
RSA + AES-CTR 128
14 Intelligence Cycle: Solution to Data Overload
• Identify adversary and their operational framework
• Sync collections with priority intelligence requirements (PIRs)
• Chart key indicators for predictive insights
Source: FBI
15 Threat Intelligence Team
• Pro-active in nature
• Threat research team
• Gain adversary understanding
• Threat indicators “indicate” what?
COMPONENT / EXPLANATION
Motivation: The level of intensity and degree of focus
Objectives: Boasting rights, disruption, destruction, learn secrets, make money
Timeliness: How quickly they work (years, months, days, hours)
Resources: Well funded to unfunded (tools and tactics provide insight)
Risk Tolerance: High (don’t care) to low (never want to be caught)
Skills and Methods: How sophisticated are the exploits (scripting to hardware lifecycle attacks)
Actions: Well rehearsed, ad hoc, random, controlled versus uncontrolled
Attack Origination Points: Outside, inside, single point, diverse points
Numbers Involved in Attack: Solo, small group, big group
Knowledge Source: Chat groups, web, oral, insider knowledge, espionage
Copyright © 2015 Deloitte Development LLC. All rights reserved.
16 Proactive Collection - Tor Use Case
Problem: Onion site crawling - non-existent
17 Proactive Collection - Tor Use Case
Solution: Passive DNS Monitoring = Realtime Insight
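As an added illustration (not from the deck), the Python below runs over a few constructed passive-DNS records to surface both signals these slides point at: algorithmically generated names, the “Kryptonite” of DGA-based resilience, show up as high-entropy second-level labels returning NXDOMAIN in bursts, and lookups for .onion names that leak into public DNS give real-time insight into Tor use. The record format, thresholds and sample entries are assumptions.

```python
import math
from collections import Counter

# Constructed sample passive-DNS records (assumed format, not from the deck):
# "<timestamp> <client_ip> <qname> <qtype> <rcode>"
SAMPLE_PDNS = """\
2015-06-01T10:00:01Z 10.0.0.5 www.example.com A NOERROR
2015-06-01T10:00:02Z 10.0.0.7 xk3f9q2pmzw7ab1c.onion A NXDOMAIN
2015-06-01T10:00:03Z 10.0.0.5 mail.example.com A NOERROR
2015-06-01T10:00:04Z 10.0.0.9 qhvbnfwktzxpljmu.ru A NXDOMAIN
2015-06-01T10:00:05Z 10.0.0.9 wzjhvtpqkmnfbglx.com A NXDOMAIN
2015-06-01T10:00:06Z 10.0.0.9 hxmqtvpwzlknfbjg.net A NXDOMAIN
2015-06-01T10:00:07Z 10.0.0.7 update.microsoft.com A NOERROR
"""

def shannon_entropy(s):
    """Bits per character; a label of 16 distinct characters scores 4.0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_generated(label, min_len=12, min_entropy=3.5, max_vowel_ratio=0.25):
    """Cheap DGA heuristic (assumed thresholds): long, high-entropy, vowel-poor label."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio

def analyze_pdns(text, nx_burst=3):
    """Return leaked .onion lookups, DGA-like NXDOMAIN names and bursty clients."""
    onion_leaks, dga_candidates = [], []
    nx_per_client = Counter()
    for line in text.splitlines():
        _ts, client, qname, _qtype, rcode = line.split()
        qname = qname.lower().rstrip(".")
        labels = qname.split(".")
        if labels[-1] == "onion":
            # .onion names never resolve in public DNS, so seeing one in passive
            # DNS means a Tor client leaked the lookup: real-time insight for free.
            onion_leaks.append((client, qname))
            continue
        if rcode == "NXDOMAIN":
            # DGA bots walk through many candidate names that mostly do not exist,
            # so per-client NXDOMAIN bursts are the other half of the signal.
            nx_per_client[client] += 1
            if len(labels) >= 2 and looks_generated(labels[-2]):
                dga_candidates.append((client, qname))
    bursty = sorted(c for c, n in nx_per_client.items() if n >= nx_burst)
    return {"onion_leaks": onion_leaks, "dga_candidates": dga_candidates,
            "nxdomain_burst_clients": bursty}
```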
18 TOR Statistics
19
Doxing Awareness - A Weapon of Precision
• Very hard to prevent once targeted
• Nightmare can be kinetic
• Swatting, Harassment, Bomb Threats
• Will be a weapon worn well by retaliation-focused actors
21 Deeper and Darker Down this Web
• Anonymous, Zero-Knowledge Currency
• More OpSec: increased behavior by threat actors
• Hosting Behind The Shadows
22 Mobile to Host Malware
Scenario: Two-factor authentication increasingly moves to mobile devices for out-of-band authentication
Adaptation: Adversaries tailor host-based malware to cross-infect mobile devices to complete authentication sessions
Effect: Mobile malware will be on the rise just for defeating authentication mechanisms
23 Privacy vs Intelligence
Scenario: Government pushes for key escrow/back doors in crypto
Adaptation: Adversaries become more aware of anti-backdoor protocols invented by the cypherpunk community (Community Privacy Tools)
Effect: Cypherpunks arm cybercriminals with privacy tools, increasing their OpSec and anonymity against hunters
24 Questions
25