
Sack the Bad Guys!

1 Introduction

Lance James
• Chief Scientist @ Flashpoint
• Former Head of Cyber Intelligence with Deloitte & Touche LLP
• Responsible for multiple takedowns including Silk Road, CryptoLocker and SpyEye in collaboration with the FBI

2 CCS 2.0 - Outsourcing Model

Org chart (figure): Kingpin at the top, with Operations and Finance branches beneath.
Roles shown: Product Manager, Master Manager, Mule Ops, Payment Systems SME, Sr. Developer, Design/UI, AV CI/Crypting, QA, Bulletproof Hoster, Analytics, Affiliate Relations, Hijacker, Ad Broker SME, Spammer, Traffic Broker SME, Sr. Loader Dev, Sr. Bot Dev, Exploit R&D

3 Information Sharing Ecosystem

• The key to defeating threats
• Criminals share information to defeat protections
• Information superiority: Who has the upper hand?
  - Criminals communicate openly behind walls
  - Division of labor and information sharing increases efficiency
• Other drivers of cybercrime:
  - Geopolitical competition - not a crime, but duty
  - Safe havens: freedom from prosecution hones skills
  - Advanced education system, but limited opportunities
• CISA Initiatives
• ISAO Initiatives

4 Information Sharing Along Lines of Operation

Forums along the Development and Finance lines of operation:
• Antichat
• Verified
• Exploit
• Korovka
• Coru
• DirectConnection
• Maza
• Monopoly
• Wasm
• Infraud

5 Organized Crime & Lone Actors: A Feedback Loop

Forum (diagram: feedback loop between enterprise, developer and forum)
• Enterprise recruits developer from within forum
• Developer produces product for the enterprise
• Developer re-sells same product back into the forum
• Syndicates hire & buy on forums
• TTPs & products developed for syndicates are sold on forums
• Division of labor lowers barriers to entry for would-be cybercriminals

6 Methods of Attack

7 Turn-Key Services

Domain Ordering Panel

Pay-Per-Install Panel

8 Aggressive POS Trend

9 Evolution

• Asymmetric
• Native Cryptography Libraries
• Public Key Encrypts Data
• Multi-tier Resilient Infrastructure
• Bitcoin Payment

10 Ransomware Evolution - Resilient Networks

• Domain Generation Algorithms

Also their Kryptonite
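The slide's point is that a domain generation algorithm is both the resilience mechanism and the weak spot: the bot has to emit bursts of lookups for machine-generated names, and those are visible in DNS logs. The following is an added example (not from the talk or Flashpoint) of simple DGA-likeness heuristics run over a constructed DNS query log; the thresholds, the log format and the sample names are assumptions for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not from the talk): "timestamp client qname"
SAMPLE_DNS_LOG = """\
2015-06-01T10:00:01 10.0.0.12 www.google.com
2015-06-01T10:00:02 10.0.0.12 mail.example.org
2015-06-01T10:00:03 10.0.0.44 xkqzvbtrmwpl.com
2015-06-01T10:00:04 10.0.0.44 jh3k9s0d2lqp7xw.net
2015-06-01T10:00:05 10.0.0.44 a8f2k1m9q4z7.biz
2015-06-01T10:00:06 10.0.0.12 cdn.cloudflare.net
"""

CONSONANTS = re.compile(r"[bcdfghjklmnpqrstvwxz]+")


def shannon_entropy(s):
    """Bits per character; random-looking labels score close to log2(len(s))."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname):
    # Naive second-level label; assumes no multi-part public suffix such as co.uk
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(label):
    vowels = sum(label.count(v) for v in "aeiou")
    digits = sum(ch.isdigit() for ch in label)
    longest_run = max((len(m) for m in CONSONANTS.findall(label)), default=0)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / len(label),
        "digit_ratio": digits / len(label),
        "consonant_run": longest_run,
    }


def dga_score(label):
    """Number of heuristics tripped (0-5); thresholds are assumed, tune on your own data."""
    f = dga_features(label)
    return sum([
        f["entropy"] > 3.0,
        f["vowel_ratio"] < 0.2,
        f["digit_ratio"] > 0.2,
        f["consonant_run"] >= 4,
        f["length"] >= 12,
    ])


def flag_dga_queries(log_text, threshold=3):
    """Return (client, qname, score) for queries whose label looks machine-generated."""
    flagged = []
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        score = dga_score(registrable_label(qname))
        if score >= threshold:
            flagged.append((client, qname, score))
    return flagged


def noisy_clients(flagged, min_hits=2):
    """Hosts with repeated DGA-like lookups: the burst pattern a bot produces while probing."""
    hits = Counter(client for client, _qname, _score in flagged)
    return {client for client, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    hits = flag_dga_queries(SAMPLE_DNS_LOG)
    for client, qname, score in hits:
        print(f"{client} -> {qname} (score {score})")
    print("clients to triage:", noisy_clients(hits))
```

Single high-scoring names are weak evidence on their own (short legitimate brand names trip the entropy test); the useful signal is one client producing many of them in a short window, which is why the per-client aggregation is the output a triage queue should consume.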

11 Ransomware Evolution - Crypto Code Review

• Security Investment
• Security Serves the Business
• Goal: Develop the perfect ransomware

12 Ransomware Evolution - No Network Needed

• Thick Client Ransomware
• Public Key Embedding
• No remote server required to encrypt
• RSA Crypto will be the Gold Standard

Possible Weakness: 768 bit keys
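With the public key embedded in the client, the size of its modulus is the first thing to triage when a sample is recovered: a 768-bit RSA modulus (the RSA-768 challenge number) was publicly factored in 2009, whereas 2048-bit keys are out of reach. The following is an added example (not from the talk) that encodes and decodes the PKCS#1 RSAPublicKey structure with the standard library only, reads the modulus bit length and returns a triage verdict; the two demo moduli are constructed placeholders of the right size, not real keys, and the verdict thresholds are assumptions.

```python
# Minimal DER encode/decode for PKCS#1 RSAPublicKey (stdlib only)
#   RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # DER INTEGER is signed: pad so the value stays positive
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def der_sequence(*elements):
    body = b"".join(elements)
    return b"\x30" + _der_length(len(body)) + body


def encode_rsa_public_key(n, e=65537):
    return der_sequence(der_integer(n), der_integer(e))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:           # long form: low 7 bits give the byte count of the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_rsa_public_key(der):
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, _ = _read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def modulus_bits(der):
    n, _e = decode_rsa_public_key(der)
    return n.bit_length()


def assess_embedded_key(der):
    """Triage verdict for a public key recovered from a sample (thresholds assumed)."""
    bits = modulus_bits(der)
    if bits <= 768:
        return "weak: a 768-bit RSA modulus (RSA-768) was publicly factored in 2009"
    if bits < 2048:
        return "below the 2048-bit floor; factoring cost is the only protection"
    return "adequate: recovery without the private key is infeasible"


# Constructed moduli of the right bit length only (NOT real keys, not products of primes)
DEMO_768_MODULUS = (1 << 767) | 0x1B
DEMO_2048_MODULUS = (1 << 2047) | 0x1B

if __name__ == "__main__":
    for label, n in (("768-bit", DEMO_768_MODULUS), ("2048-bit", DEMO_2048_MODULUS)):
        der = encode_rsa_public_key(n)
        print(label, len(der), "DER bytes ->", assess_embedded_key(der))
```

In practice the key is carved from the binary or its configuration and fed to decode_rsa_public_key; the bit length then tells the responder whether a factoring effort is a realistic recovery path or whether the only options are backups and the victim's key from the operator.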

13 Ransomware Evolution – No Coder Needed

• Javascript Ransomware
• Creates a client.scr binary
• 15.9 MB
• 3/54 AV detection
• Crimeware-as-a-service
• Hosted on Tor Onion
• Uses NW.js Framework
• Cross-Platform Potential
RSA + AES-CTR 128

14 Intelligence Cycle: Solution to Data Overload

• Identify adversary and their operational framework

• Sync collections with priority intelligence requirements (PIRs)

• Chart key indicators for predictive insights

Source: FBI

15 Threat Intelligence Team

• Pro-active in nature
• Threat research team
• Gain adversary understanding

• Threat indicators “indicate” what?

Component: Explanation
Motivation: The level of intensity and degree of focus
Objectives: Boasting rights, disruption, destruction, learn secrets, make money
Timeliness: How quickly they work (years, months, days, hours)
Resources: Well funded to unfunded (tools and tactics provide insight)
Risk Tolerance: High (don't care) to low (never want to be caught)
Skills and Methods: How sophisticated are the exploits (scripting to hardware lifecycle attacks)
Actions: Well rehearsed, ad hoc, random, controlled versus uncontrolled
Attack Origination Points: Outside, inside, single point, diverse points
Numbers Involved in Attack: Solo, small group, big group
Knowledge Source: Chat groups, web, oral, insider knowledge, espionage

Copyright © 2015 Deloitte Development LLC. All rights reserved.

16 Proactive Collection - Tor Use Case

Problem: Onion site crawling is non-existent

17 Proactive Collection - Tor Use Case

Solution: Passive DNS Monitoring = Realtime Insight
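One concrete form of the "realtime insight" passive DNS gives: onion names should never reach a clearnet resolver (RFC 7686 tells resolvers to answer NXDOMAIN), so any client that leaks them, or that resolves an onion address through a Tor2web-style clearnet gateway, becomes visible without crawling anything. The following is an added example (not from the talk or Deloitte) of that detection run over constructed passive DNS records; the record format, the sample onion labels and the gateway suffix list are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed passive DNS records (not from the talk): "timestamp client qtype qname rcode"
SAMPLE_PDNS = """\
2015-06-01T12:00:00 10.1.1.5 A www.example.com NOERROR
2015-06-01T12:00:03 10.1.1.5 A abcdefghij234567.onion NXDOMAIN
2015-06-01T12:00:07 10.1.1.9 A abcdefghij234567.onion.to NOERROR
2015-06-01T12:00:09 10.1.1.9 A zyxwvutsrq765432.tor2web.org NOERROR
2015-06-01T12:00:12 10.1.1.5 AAAA mail.example.com NOERROR
2015-06-01T12:00:15 10.1.1.7 A onion.to NOERROR
"""

# Assumed list of Tor2web-style clearnet gateway suffixes; replace with your own intel feed
TOR2WEB_SUFFIXES = ("onion.to", "onion.link", "tor2web.org")

# Onion service hostname: 16-char (v2) or 56-char (v3) base32 label, optional subdomains
ONION_HOST = re.compile(r"^(?:[a-z0-9-]+\.)*([a-z2-7]{16}|[a-z2-7]{56})$")


def classify(qname):
    """Return (kind, onion_label) for Tor-related lookups, else None."""
    q = qname.lower().rstrip(".")
    for suffix in TOR2WEB_SUFFIXES:
        if q.endswith("." + suffix):              # a bare visit to the gateway itself is not flagged
            m = ONION_HOST.match(q[: -len(suffix) - 1])
            return ("tor2web", m.group(1) if m else None)
    if q.endswith(".onion"):                      # RFC 7686: should never reach clearnet DNS
        m = ONION_HOST.match(q[: -len(".onion")])
        return ("onion_leak", m.group(1) if m else None)
    return None


def scan_pdns(text):
    """Parse records and keep only the Tor-related ones, with the fields a triage needs."""
    events = []
    for line in text.splitlines():
        ts, client, qtype, qname, rcode = line.split()
        hit = classify(qname)
        if hit:
            events.append({"ts": ts, "client": client, "qtype": qtype,
                           "kind": hit[0], "onion": hit[1], "rcode": rcode})
    return events


def onions_by_client(events):
    """Which internal hosts touched which onion services (via leak or gateway)."""
    seen = defaultdict(set)
    for ev in events:
        if ev["onion"]:
            seen[ev["client"]].add(ev["onion"])
    return dict(seen)


if __name__ == "__main__":
    evs = scan_pdns(SAMPLE_PDNS)
    for ev in evs:
        print(ev["ts"], ev["client"], ev["kind"], ev["onion"], ev["rcode"])
    print(onions_by_client(evs))
```

A leaked .onion lookup usually means a misconfigured Tor client or proxy, or malware that resolves its onion C2 outside Tor; either way the onion label itself is the collectable indicator, and the per-client map is what gets handed to incident response.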

18 TOR Statistics

19

Doxing Awareness - A Weapon of Precision

• Very hard to prevent once targeted

• Nightmare can be kinetic

• Swatting, Harassment, Bomb Threats

• Will be a weapon worn well by retaliation focused actors

21 Deeper and Darker Down this Web

• Zero-Knowledge Currency
• More OpSec: increased security-conscious behavior by threat actors
• Hosting Behind The Shadows

22 Mobile to Host Malware

Scenario: 2-factor authentication increasingly moves to mobile devices as the out-of-band channel

Adaption: Adversaries tailor host-based malware to cross-infect mobile devices in order to complete authentication sessions

Effect: Mobile malware will be on the rise purely to defeat authentication mechanisms

23 Privacy vs Intelligence

Scenario: Government pushes for key escrow/back doors in crypto

Adaption: Adversaries become more aware of anti-backdoor protocols invented by the cypherpunk community (community privacy tools)

Effect: Cypherpunks arm cybercriminals with privacy tools, increasing their OpSec and anonymity against hunters

24 Questions

25