Welcome

Safeguard Iowa Partnership is a voluntary coalition of the state's business and government leaders, who share a commitment to strengthen the capacity of the state to prevent, prepare for, respond to, and recover from disasters through public-private collaboration.

§ All participant lines are muted
§ Submit a question – use the Questions feature
§ Webinar is being recorded and will be posted on our website along with presenter slides
§ Technical tips:
  ú Utilize a USB headset
  ú Use a wired connection vs. wireless
  ú Close any applications on your computer which require large bandwidth

OVERVIEW OF CURRENT CYBER THREATS

Division of Criminal Investigation
SA Nathan Teigland, FBI Omaha Cyber Task Force

Overview
• FBI Cyber Task Force Mission
• Computer Intrusion Definitions
• Cyber Threats
  • Criminal
  • Counterintelligence
  • Cyber Terrorism
• Incident Response and Recommendations

FBI Priorities
1. Protect the United States from Terrorist Attack.
2. Protect the United States against foreign intelligence operations and espionage.
3. Protect the United States against cyber based attacks and high technology crimes.

UNCLASSIFIED

Cyber Task Force (CTF)
§ Douglas County Sheriff’s Office
§ Omaha Police Department
§ Nebraska State Patrol
§ Sarpy County Sheriff’s Office
§ Iowa Division of Criminal Investigation

What is a Computer Intrusion?

Criminal
§ Goal: Prosecution; Title 18 United States Code § 1030 – Fraud and Related Activity in Connection with Computers
§ Evidence: “Discoverable” by the defendant
§ Publicity: Court documents will eventually be unsealed; the FBI will not proactively divulge information to the media

National Security
§ Goal: Intelligence gathering; sharing of intel with trusted USIC partners; protection of critical infrastructure
§ Evidence: Typically CLASSIFIED at SECRET level or above; not released to public
§ Publicity: Cases do not go to court; ID of asset owner will NEVER be released by FBI

Exploitation of Trust
§ Trusted Email
  ú Inbound e-mail trusted, exploited by “Spear Phishing”
§ Trusted Internet Websites
  ú Cross site scripting, remote code execution
§ Trusted Applications
  ú Un-patched program vulnerabilities, e.g. PDF, Word, Excel exploits
  ú Unauthorized software, e.g. media players
§ Trusted Business Relationships
  ú Subcontractors and/or peer connections
  ú Mergers, business partnerships, etc.
§ Trust of Internal Networks
  ú Authentication performed externally
  ú “Internal” users assumed to be
§ Use of ‘Valid’ Credentials

Criminal - RBS WorldPay
• 15,730 attempted transactions worth $10.2M
• 14,544 successful transactions worth $9.7M
• $9.4M (97%) was withdrawn on Nov 8 2008
• 2,136 ATM terminals were accessed in over 28 countries

Criminal - Phishing Scams

Criminal – Botnets and Exploit Kits
• Used for DoS attacks
• Identity Theft
• Keyloggers
• Common Botnets: Zeus variants, Torpig, Coreflood, Mariposa, Cutwail
• Common Exploit Kits: BlackHole, CEK, Styx

Criminal – CryptoLocker
§ Encryption
  ú Targets users’ or the company’s personal files (CryptoLocker – File Types):
  ú Encrypts files located on local drives, shared drives, and networked drives

CryptoLocker - Payment
CryptoLocker – Other Payment Methods
CryptoLocker - Decryption

Insider Threat – Criminal (Insiders)
§ Insider with access
§ Paid money to complete a task
§ Directed by foreign power
§ Resources
§ Disgruntled employee
§ Terminated
§ Disagreement with management
§ Policy change

Jesse William McGraw aka “Ghost Exodus”
§ 26 years old.
§ Hospital security guard.
§ Leader of the Electronik Tribulation Army.
§ Sentenced to nine years in prison in 2011.

Water Facility

Criminal (Hacktivism)
§ Attempt to cause disruption to networks and service and loss of data.
§ Actions are non-violent and not aimed at individuals, but rather a company or government entity.
§ Retaliation.
§ Recent threats – financial, ICS, etc.

Cyber Threats – Criminal (Hacktivism): How is ICS (Industrial Control Systems) being attacked?
§ #1 attack vector - SPEARPHISHING
§ SHODAN website
  ú Increased publication of ICS vulnerabilities.
  ú Shodan is the world's first computer search engine that lets you search the Internet for computers. Find devices based on city, country, latitude/longitude, hostname, operating system and IP.

Counterintelligence
• Espionage
• Today our adversaries can sit on the other side of the globe and have access to an entire network at their fingertips.
• Who are they?
  • Nation-State Actors
  • Mercenaries for Hire
  • Rogue
  • Transnational Criminal Syndicates

Counterintelligence
• What are they after?
  • Technology
  • Policies
  • Intellectual Property
  • Military Weapons
  • Military Strategy
• They have everything to gain; we have a great deal to lose.

New Chinese J20 stealth jet built with stolen F-35 component designs?

“The viciousness, and just the volume of attacks, not only by the Chinese but Russians and others trying to get the blueprints of our most sensitive material is just breathtaking – and they’re getting better.”
Rep. Mike Rogers, Chairman of the House Intelligence Committee

Cyber Terrorism

§ Growing presence of terrorist organizations on the Internet – recruit and radicalize.

Terrorism – Oil and Gas
• Saudi Aramco
  • Infected 30,00 computers and rendered them useless.
  • One of the most destructive infections in a business.
• RASGAS - Qatar
  • Also infected but details are sketchy

Terrorism - Financial
• US Banking
  • Coordinated DDOS attack against 30+ banks
  • Millions of dollars spent responding to attacks
  • Online banking affected for multiple days
  • Large institutions request assistance from NSA

Terrorism – Electrical Grid

• Energy Sector
  • A power generation and electric utility facility located in the United States infected by in 2012
  • Power company down for three weeks
  • USB drive initiated infection
  • Malware was sophisticated in nature

Terrorism –
• SEA Objectives:
  • Propaganda tool
  • Anti-American
  • Backed by Government
  • Identify and track activists
  • Cause economic damage

Intrusion Vectors – What Can You Do?

• Educate, Educate, Educate – First line of defense
• “Out of the Box” solutions
• Termination Policies
• Key assets - what do I need to protect the most?
• Monitor (within corporate policy)
• Cyber Incident Policy – NIST, SANS, US-CERT

Incident Response:
§ What does law enforcement want to collect?
§ Logs, logs, logs (IDS, web, server, system, etc)
§ Images of infected systems
§ IP’s, domain names, emails – investigative leads.
§ Highlight information of target value.
§ Work with IT security and admin personnel.

Response – What the FBI Cyber TF can do:
• Investigate (when, how long, damage?)
• Cyber Task Forces
• National and International – Legats and Foreign LE
• Combine technical skills and investigative experiences
• Long-term commitment of resources
• Forensics (RCFLs)
• Patterns, Signatures and Link Analysis
• Monitor – Trespasser/Consensual (Patriot Act)

Response – What the FBI Cyber Task Force won’t do:
• Place blame on the victim
• Take over systems
• Repair and mitigate systems
• Share proprietary information with competitors.
• Provide investigation-related information to the media or shareholders.
• Bottom line…we will not further victimize the victim.

InfraGard
§ Information sharing and analysis effort.
§ Partnership between the FBI and the private sector.
§ Businesses, academic institutions, state and local law enforcement agencies, and other participants.
§ Two InfraGard Chapters in Omaha and Des Moines with over 200+ members per Chapter.
§ www.infragard.org
§ NIISTFG – Nebraska Iowa ICS Scada Threat Focus Group

S/A Nathan Teigland
FBI Cyber Task Force, Omaha Division
712-328-4870
[email protected]

Mike Chesmore

Not a representative of the:

FBI/DHS/DOJ/NSA/CIA/FSB/NRO/ DEA/DOD/Mi6/ATF/MOSSAD or the CDC

I and only I approved this message.

Iowa Division of Intelligence and Fusion Center

Cyber Intelligence Analysis

Fusion Centers – What are they?
§ Facilitate information exchange among public safety entities.
§ Developed post 9/11 to address information gaps.
§ Encompass not only law enforcement but key public and private sector partners.
§ Today there are 72 designated fusion centers in the U.S. (one in each state and 22 in major urban areas).

Iowa Fusion Center

§ Under the Iowa Department of Public Safety (DPS)
  ú The Iowa Division of Intelligence and Fusion Center has the mission of leading and coordinating intelligence and homeland security efforts that protect Iowa, while upholding the Constitution.

History
§ In 2013 the State of Iowa began a pilot project to do cyber intelligence analysis in the Fusion Center.
  ú Assigned a senior cyber security engineer 50% to cyber intelligence analysis.
  ú Developed the Mission, Vision and Goals for a cyber intelligence effort.
§ 2014 – ongoing development and clarification of roles and responsibilities.
  ú Still a moving target.

Cyber Mission

§ Maintain Situational Awareness (SA) of the current Cyber threat environment.

§ Collect and analyze information used to reduce Cyber related risk.

§ Provide accurate, up-to-date, actionable intelligence at the strategic and tactical level.

Vision

§ All areas of government and our private sector partners require a safe, stable, resilient and agile IT environment. In an increasingly interconnected world we must use intelligence-based analytics to calculate and reduce Cybersecurity threats at machine speed. The Iowa Fusion Center Cyber Intelligence effort will be considered successful when it provides customers and consumers with the information required to thwart Cyber attacks before they become victims.

Goals

§ Promote an understanding of Cyber security threats.

§ Collect Cyber information and perform Cyber Intelligence analysis.

§ Share analytical information with trusted partners.

§ Manage the flow of Cyber Intelligence for the Iowa Fusion Center.

Activities

Produce a monthly block list
• A list of known “bad” IP addresses
• Over 18,000 IP addresses to date
• A list of known bad “URL’s”
• Over 250,000 URL’s to date
• Distribute to over 40 state, city, county and private sector organizations

Create Cyber Intelligence products
• Alerts
• Bulletins
• Informational papers

Limited monitoring of social media for Iowa.gov related hacking and event specific posts
• Monitor “scoreboard” sites for Iowa references

Outreach
• Partner with Safeguard Iowa using their reach into the private sector to raise threat awareness

Activities

Brief the State of Iowa Information Security Office, CISO
• Weekly update the State CISO about Fusion Center activities
• Pass relevant information to the State of Iowa Information Security Office

Liaison to FBI and Department of Homeland Security
• Monitor classified FBI and DHS information systems

Interpret technical Cyber threat information into non-technical speak

Out of Scope
Incident Response
Vendor Recommendations
Penetration Testing
Computer Forensics

Contact

Mike Chesmore
[email protected]
[email protected]

Join Safeguard Iowa Partnership: www.safeguardiowa.org/application

Thank You!