
Cyber Thieves: A Crash Course on Getting to Know Them

Speaker: Cary E. Moore, CFE, CISSP, EnCE

• 12 years of Computer Forensic and InfoOps experience
• Senior Vice President, Emerging Threats Manager – Cyber Intelligence Analytics Towards Emerging Threats
• Formerly – Guidance Inc.
  – Technical Director, Cybersecurity
• Formerly – Special Agent, Air Force Office of Special Investigations
  – Computer Crime Investigations and Operations
  – Counterespionage Investigations
  – (Cyber) Technical Surveillance Countermeasures (TSCM)
• First computer: TI-99/4A – With the speech module!

Agenda – Cyber Thieves: A Crash Course on Getting to Know Them

1 Insider Threats ✓
2 Breaking Cyber Barriers
3 You Never Saw It Coming!
4 Attribution: The Cyber Holy Grail!

(Agenda diagram labels: External, Insiders, Customers & Partners)

Insider Threats – Profiles

• Traitors
  – A trusted person
  – Makes a decision to betray
  – True motive might be unapparent

  1985 CIA – Larry Wu-Tai Chin
  1994 CIA – Aldrich “Rick” Ames
  1998 CIA – Douglas Groat
  2001 NRO – Brian Regan
  2001 DIA – Ana Belen Montes
  2003 FBI – Hanssen
  2006 USN – PO Ariel Weinmann

Insider Threats – Profiles

• Traitors (continued)
  – Distinct warning signs
    • Unusual change in work habits
      – Seeks out sensitive projects
      – Unusual work hours
    • Sloppy security habits or scoffs at security
    • Might rationalize inappropriate actions
    • Change in lifestyle
      – Living beyond their means

Insider Threats – Profiles

• Zealots (a/k/a Hacktivists)
  – Ideological
  – Motivated by their beliefs
  – Believe their actions are just, no matter how detrimental
  – Might pass info. to allies, unaware of the intelligence threat

Insider Threats – Profiles

• Spies
  – Intentionally in a situation or organization to glean intelligence
    • Foreign intelligence
    • Business intelligence
    • Competitive intelligence

(Image: Operation Ghost Stories – 2010 Russian Spy Ring; Anna Chapman, June 2010)

Insider Threats – Profiles

• The Browsers
  – Those who violate the “need-to-know” principle
  – Persons who have the required clearance
    • But no requirement for the information
    • Search for information with or without specific intentions

Insider Threats – Profiles

• The Browsers (continued)
  – Might utilize the activity or information for personal gain
    • Receiving rewards
    • Promotion
    • Contracts
    • Personal advantage

Insider Threats – Profiles

• The Well-Intentioned
  – Victim to social engineering
    • Phishing
    • Spearphishing
    • Whaling
• The Tinkers
  – Boredom
  – Curiosity

Insider Threats – Profiles

• The Well-Intentioned (continued)
  – Unwittingly give unauthorized access
    • Carelessness
      – Unlocked workstations/network rooms
    • Ignorance
      – P2P and file sharing software
      – Dated security practices

Insider Threats – Case Study 1

• The key findings from “The Insider Threat Study” on Computer System Sabotage in Critical Infrastructure Sectors are:
  – A negative work-related event triggered most insiders’ actions
  – 43 percent of the insiders had authorized access to the system/network at the time of the incident

Source: www.secretservice.gov/ntac_its.shtml

Insider Threats – Case Study 1

• Computer System Sabotage in Critical Infrastructure Sectors (continued)
  – 39 percent of the insiders used one or more relatively sophisticated methods of attack, which included:
    • A script or program
    • An autonomous agent
    • A toolkit

Source: www.secretservice.gov/ntac_its.shtml

Insider Threats – Case Study 1

• Computer System Sabotage in Critical Infrastructure Sectors (continued)
  – 63 percent of the incidents were detected because of an irregularity in the information or system
  – 62 percent of the insiders developed plans to harm the organization
  – 47 percent of the cases involved overt behaviors in preparation for the incident, such as stealing copies of back-ups

Source: www.secretservice.gov/ntac_its.shtml

Insider Threats – Case Study 2

• The key findings from “The Insider Threat Study” on Illicit Cyber Activity in the Banking and Finance Sector are:
  – Required minimal technical skill to execute
  – Involved the simple exploitation of inadequate practices, policies, or procedures
  – 78 percent of the cases involved the modification and/or deletion of information

Source: www.secretservice.gov/ntac_its.shtml

Insider Impact – Mission Impact

• Servers
• Communication Systems
• Security Systems
• Database Operations
• Accounting Operations
• Research and Development
• Maintenance and Monitoring Systems
• Critical Operation Systems

Everything That Is Connected

Insider Impact – Information at Risk

• Intellectual Property
• Customer Data
• Design Documents
• Personal Data
• Source Code
• Credit Card Numbers
• Trade Secrets
• Customer Financial Data
• Government Data
• War Plans
• Corporate Data
• Intelligence
• Financial Data
• Law Enforcement
• Mergers and Acquisition Information
• HR Data
• Marketing and Sales

Insider Detection – Insider Indications

• Test scripts and/or techniques
• Try a multitude of tools (e.g., port scanners, network probes, war driving)
• Rogue systems
• Bogus accounts
• Odd hour activity
• Undue curiosity
• Hiding screen data
• Positions screen to hinder view

Insider Detection – Insider Indications (continued)

• Joking and bragging
• Installs unauthorized software
  – Duty-associated software
    • Dreamweaver, Nero, Photoshop, programming software
  – Unassociated harmless software
    • WinAmp, ICQ, games
  – Suspicious software
    • L0phtCrack, key generators, rootkits
• Escalated privileges
• No fear of getting caught

Insider Threats – Investigation Techniques

(Diagram) Logs from:
  – Firewall
  – IDS
  – A/V
  – Sniffers
  – Proxy and Print Servers
  – System Account Records
  – GPS
→ Create a Timeline

Insider Threats – Investigation Indicators and Leads

• When indicators arise, review for:
  – Unusual processes
  – TCP/UDP connections
  – Website activity (local/proxy)
  – Unauthorized devices

Insider Threats – Investigation Indicators and Leads

• When indicators arise, review for:
  – Remote access sites (Logmein, PCAnywhere, WebEx, etc.)
  – Unauthorized websites
  – Use of anonymity sites or installation of TOR
  – Accounts and their rights

Insider Threats – Proactive Efforts

• Monitor help desk tickets for trends.
  – Insiders do call for help when their attempts to circumvent security measures mess things up.
• Monitor for unusual logon times.
• Scan for bogus accounts.

Insider Threats – Proactive Efforts

• Review scans for unauthorized software, file, and folder access and compile trends.
• Train security to monitor contractors and visitors and report suspicious activities.
• Deactivate access following termination.
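Three of the proactive checks above (unusual logon times, bogus accounts, access that survives termination) can be run over authentication events against the HR roster. This added Python example is not from the presentation; the roster, the logon events, the 07:00–19:00 business window and the service-account list are all constructed for illustration.

```python
from datetime import datetime, time

# Constructed sample data (not real): HR roster with termination dates
# (None = still employed) and a handful of authentication events.
ROSTER = {
    "jsmith": {"terminated": None},
    "mlee": {"terminated": datetime(2012, 4, 30)},
    "svc_backup": {"terminated": None},
}
LOGON_EVENTS = [
    # (account, timestamp, host)
    ("jsmith", datetime(2012, 5, 2, 9, 14), "WS-101"),
    ("jsmith", datetime(2012, 5, 3, 2, 47), "FILESRV01"),   # 02:47, outside business hours
    ("mlee", datetime(2012, 5, 4, 10, 5), "WS-077"),        # account terminated 2012-04-30
    ("helpdsk2", datetime(2012, 5, 4, 23, 30), "DC01"),     # not in the HR roster: bogus?
    ("svc_backup", datetime(2012, 5, 5, 1, 0), "FILESRV01"),
]
SERVICE_ACCOUNTS = {"svc_backup"}          # expected to run off-hours, so not flagged
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed local business window


def review_logons(events, roster, service_accounts=SERVICE_ACCOUNTS, hours=BUSINESS_HOURS):
    """Return (account, timestamp, host, reason) tuples worth an analyst's attention."""
    findings = []
    for account, ts, host in events:
        record = roster.get(account)
        if record is None:
            # An account HR does not know about: candidate bogus account.
            findings.append((account, ts, host, "account not in HR roster"))
            continue
        terminated = record["terminated"]
        if terminated is not None and ts > terminated:
            # Access was not deactivated following termination.
            findings.append((account, ts, host, "logon after termination date"))
        if account not in service_accounts and not (hours[0] <= ts.time() <= hours[1]):
            findings.append((account, ts, host, "logon outside business hours"))
    return findings


if __name__ == "__main__":
    for account, ts, host, reason in review_logons(LOGON_EVENTS, ROSTER):
        print(f"{ts:%Y-%m-%d %H:%M}  {account:<12} {host:<10} {reason}")
```

Each finding is a lead for the timeline review described on the investigation slides, not a conclusion on its own.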

Insider Threats – The Comparative

Insider
• Given access
• Uses access to:
  – Misuse equipment and network access
  – Escalate privileges
  – Affect the business operations
  – Compromise systems and corporate data
  – Install
  – Etc.

External
• Gains access by whatever means necessary
• Once access is achieved, GAME ON!

Agenda – Cyber Thieves: A Crash Course on Getting to Know Them

1 Insider Threats
2 Breaking Cyber Barriers ✓
3 You Never Saw It Coming!
4 Attribution: The Cyber Holy Grail!

Breaking the Cyber Barriers

• 2011 Report to Congress on Foreign Spies Stealing U.S. Economic Secrets in Cyberspace
  – China and are pursuing American technology and industrial secrets, jeopardizing an estimated $398 billion in U.S. research spending.
  – In 2010, the FBI prosecuted more Chinese cases than at any time in our nation’s history.

Source: www.ncix.gov/issues/economic/index.php

Breaking the Cyber Barriers

• 2011 Report to Congress on Foreign Spies Stealing U.S. Economic Secrets in Cyberspace
  – For example, a DuPont chemist in October 2010 pled guilty to stealing research from the company on organic light-emitting diodes.
  – The chemist intended to commercialize in China with financial help from the Chinese Government.

Source: www.ncix.gov/issues/economic/index.php

Breaking the Cyber Barriers – Governments Under Attack

• Solar Sunrise (1998)
  – Cyber attack on the Pentagon
    • An Israeli hacker guided and coordinated two kids from California to hack multiple targets, including the Pentagon
    • Attacking unpatched Solaris systems
    • Basic hacking techniques: Recon, Probe, Exploit, Gather Data, Exfiltrate

Source: www.wired.com/threatlevel/2008/09/video-solar-sun/

Breaking the Cyber Barriers – Governments Under Attack

• Moonlight Maze (1998)
  – U.S. officials accidentally discovered (during Eligible Receiver) a pattern of probing of computer systems at the Pentagon, NASA, Energy Department, private universities, and research labs.
  – Began in March 1998 and had been going on for nearly two years.

Source: www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/

Breaking the Cyber Barriers – Governments Under Attack

• Moonlight Maze (1998)
  – Tens of thousands of files included:
    • Maps of military installations
    • Troop configurations
    • Military hardware designs
  – The DOD traced the attack back to a mainframe computer in the former USSR.
  – The true attacker is unknown, and Russia denies any involvement.

Source: www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/

Breaking the Cyber Barriers – Governments Under Attack

• (2003–2005)
  – A group of about 20, believed to be based in the Chinese province of Guangdong
  – Thought to have stolen U.S. military secrets, including aviation specifications and flight-planning software
  – “China has downloaded 10 to 20 terabytes of data from the NIPRNet” – Maj. Gen. William Lord

Sources: www.zdnet.com/news/security-experts-lift-lid-on-chinese-hack-attacks/145763 ; http://gcn.com/Articles/2006/08/17/Red-storm-rising.aspx?p=1

Breaking the Cyber Barriers – Governments Under Attack

• The Target?
  – R&D
  – Intellectual Property
• For?
  – Economic Advantages
  – Geopolitical Advantages

Images from: http://en.wikipedia.org/wiki/File:F22a3view.png ; http://en.wikipedia.org/wiki/File:Chengdu_J-20.svg

Breaking the Cyber Barriers – Governments Under Attack

• Rep. Michael McCaul (R–TX, April 24, 2012)
  – “When I look at countries like China, who have stolen our Joint Strike Fighters, F-35 and F-22s, stolen those blueprints so they can manufacture those planes…”
  – “You know when I look at the theft of intellectual property to the tune of $1 trillion, that’s a serious economic issue for the .”

Source: cnsnews.com/news/article/chinese-hackers-stole-plans-americas-new-joint-strike-fighter-plane-says-investigations

Breaking the Cyber Barriers – Corporations Under Attack

• (2009–2010)
  – Cyber attack on multiple high-profile companies
    • Google, Adobe, Yahoo, Symantec, Northrop Grumman, Morgan Stanley, Dow Chemical, etc.
  – Purported intent to access and alter software source code and other intellectual property
  – Link in email to malicious JavaScript
  – Created a backdoor into their networks

Source: www.wired.com/images_blogs/threatlevel/2010/03/operationaurora_wp_0310_fnl.pdf

Breaking the Cyber Barriers – Corporations Under Attack

• RSA Attack (2011)
  – Spearphishing attack with an Adobe Flash vulnerability in an Excel spreadsheet
    • “2011 Recruitment plan.xls”
    • Zero-day exploit opened a backdoor into RSA
    • Poison Ivy – Remote Access Tool (RAT)
  – Focus was believed to be the inner workings of their SecurID product, used to secure some of the world’s most sensitive networks

Source: http://blogs.rsa.com/rivner/anatomy-of-an-attack/

RSA Attack (continued)

(Image: anatomy-of-an-attack diagram)
Source: http://blogs.rsa.com/rivner/anatomy-of-an-attack/

Breaking the Cyber Barriers – Corporations Under Attack

• RSA Attack (2011)
  – The stolen SecurID data was used to compromise additional companies.
    • Lockheed Martin (confirmed)
    • L-3 Communications (confirmed)
    • Northrop Grumman (unconfirmed)

Sources: http://gcn.com/articles/2011/06/07/rsa-confirms-tokens-used-to-hack-lockheed.aspx/ ; www.wired.com/threatlevel/2011/05/l-3/ ; www.eweek.com/c/a/Security/Northrop-Grumman-L3-Communications-Hacked-via-Cloned-RSA-SecurID-Tokens-841662/

Breaking the Cyber Barriers – Corporations Under Attack

• The Result?
  – “Inspiration”

Images from: http://commons.wikimedia.org/wiki/File:Martin_Motors_CEO_Rear.JPG ; http://images.caradisiac.com/images/3/7/6/9/23769/S0-Shuanghuan-CEO-et-Jonway-UFO-en-France-au-mois-de-mai-101155.jpg

Breaking the Cyber Barriers – Corporations Under Attack

• The Result?
  – “Naturally, our cars are inspired by European carmakers,” said Karl Schlössl, a German who is the chief executive of China Automobile. “But we reject the charge that they are copies.”

Sources: www.bmwblog.com/2007/09/13/frankfurt-2007-bmw-vs-shuanghuan/ ; www4.pictures.gi.zimbio.com/62nd+International+Motor+Show+Cars+IAA+cc0QC1ZxBxyl.jpg

Breaking the Cyber Barriers – Corporations Under Attack

• Knock it off!

(Image: BMW vs. BYD logos; from sunboar.files.wordpress.com/2006/10/bmw-vs-byd-logo.jpg)
(Images: BMW X5; Shuanghuan CEO; Toyota Land Cruiser; from http://images.forbes.com/images/2002/07/08/test_int_415x308.jpg ; http://images.caradisiac.com/images/3/7/6/9/23769/S0-Shuanghuan-CEO-et-Jonway-UFO-en-France-au-mois-de-mai-101102.jpg ; http://www.sobrecoches.com/var/plain_site/storage/images/coches/toyota/land_cruiser/novedad_r_edition/interior/toyota_land_cruiser_r_edition/313114-1-esl-ES/toyota_land_cruiser_r_edition1.jpg)

Breaking the Cyber Barriers – Physical Data Exfiltration

(Image) Source: Cyber Threat Presentation, SA Doris Gardner, FBI

Breaking the Cyber Barriers – Governments Under Attack

• Responsive Legislation (CISPA)
  – Rep. Mike Rogers (R–MI, May 3, 2012)
    • “It began with China stealing hard-copy business plans and sensitive research-and-development …when (our) executives traveled to China.”
    • “U.S. companies soon began noticing a surge in counterfeit products as their innovations were being stolen, re-engineered, and sold by Chinese companies on global markets.”

Source: The Detroit News: www.detroitnews.com/article/20120503/OPINION01/205030326#ixzz1u2BldppA

Breaking the Cyber Barriers – Governments Under Attack

• Responsive Legislation (CISPA)
  – Rep. Mike Rogers (R–MI, May 3, 2012)
    • “With the Internet boom, China turned its focus to cyber espionage and began stealing the hard work and innovations of U.S. companies…”
    • “Thousands of highly-trained computer spies now work…to steal U.S. research and development information that the Chinese can use to further their economic growth and compete against us in the global marketplace.”

Source: The Detroit News: www.detroitnews.com/article/20120503/OPINION01/205030326#ixzz1u2BldppA

Breaking the Cyber Barriers – Governments Under Attack

• Responsive Legislation (CISPA)
  – Rep. Mike Rogers (R–MI, May 3, 2012)
    • “China is literally trying to steal our prosperity and our way of life out from under us.”
    • “Other nation-states such as Russia and Iran also are getting in on the act, rapidly becoming insatiable cyber predators.”

Source: The Detroit News: www.detroitnews.com/article/20120503/OPINION01/205030326#ixzz1u2BldppA

Breaking the Cyber Barriers – Investigation Indicators and Leads

• Follow the same leads as for an insider threat
  – Create a timeline
  – Review logs (Firewall, IDS, Proxy, etc.)
  – Work with IT to determine “Subject Zero”
    • Email
    • USB Drive
    • Remote User Access

Breaking the Cyber Barriers – Investigation Indicators and Leads

• Be Proactive
  – Monitor Help Desk tickets
    • Compromised systems might show signs
      – Slow processing, strange issues, program crashes, etc.
  – Unusual network connections and unauthorized programs
  – Bogus accounts
  – Strange websites (proxy logs)

Breaking the Cyber Barriers – Investigation Indicators and Leads

• Employee Training
  – Examples of malicious site indicators
  – Have employees report unauthorized devices
    • Hotline?
  – Run an internal phishing training exercise
  – Even if it’s an email from someone you trust, was the email/attachment expected?

Agenda – Cyber Thieves: A Crash Course on Getting to Know Them

1 Insider Threats
2 Breaking Cyber Barriers
3 You Never Saw It Coming! ✓
4 Attribution: The Cyber Holy Grail!

You Never Saw It Coming! – Partners Are the Focus

• Subcontractors
• Partner Suppliers and Supply Chain
• Service Providers (ISP, Telecom, Teleconference providers, facility management)
• Service Contractors (Incident responders, IT Support, security guards)

You Never Saw It Coming! – Partners Are the Focus

• Partner Network/Systems
  – Low IT resources
  – Unable to focus on security over services
  – Might connect via VPN or bring a system into your organization

You Never Saw It Coming! – Partners Are the Focus

• Partner Network/Systems
  – Once connected they bring “everything” along
    • Malware, vulnerabilities, backdoors
  – Disgruntled employees, poor practices, etc.

You Never Saw It Coming! – Partners Are the Focus

• Partner Network/Systems
  – Your organization was the true target, but the vector was your partner organization.
  – Could be industry focused; take oil and gas…
  – Logic bomb?

You Never Saw It Coming! – Customers in the Crosshairs

• How easy is it to rob a bank?

You Never Saw It Coming! – Customers in the Crosshairs

• How easy is it to rob a bank’s customers?
  – The bank will likely reimburse the customer for stolen funds.
• So, who’s really being robbed here?

Online Banking Trojans – Social Spaces

(Diagram of the fraud lifecycle)

Phase 1 – Social Engineering
  – Fraudster deploys multiple tools: Man-in-The-Phone, Phishing/Spear Phishing & Vishing
  – OLB Account Access

Phase 2 – Account Take Over
  – Out-of-band Passcode, SMS Alerts, SafePass OTP, Security Questions
  – Fraudster gathers all collected info during a Call center conversation

You Never Saw It Coming! – Wrap-Up

• Be aware of the security implications posed by your business partners and the threats to your customers.
  – Education is the start.
  – Consider offering tools to your customers, such as AV, or at least recommendations.
  – Ask your business partners about their security posture.

You Never Saw It Coming! – Wrap-Up

• Don’t let anyone attach a system to your network without scanning or assurance.
• Don’t give contractors unsupervised access into your network.
  – Monitor physically and electronically.

You Never Saw It Coming! – Wrap-Up

• Have contractors sign the same network access agreement as employees.
  – Privacy issues
  – Unauthorized use
  – Legal recourse

Agenda – Cyber Thieves: A Crash Course on Getting to Know Them

1 Insider Threats
2 Breaking Cyber Barriers
3 You Never Saw It Coming!
4 Attribution: The Cyber Holy Grail! ✓

Attribution – The Cyber Holy Grail!

• Can a Word document call home?
• Can a PowerPoint presentation let you know it was just opened?

Attribution – The Cyber Holy Grail!

• Yes!
  – It all starts with a very small image.
  – The Tracker.gif
  – Can you see it?

Attribution – The Cyber Holy Grail!

• Let’s make it a little bigger:
  – Transparent .gif image
  – Used by Web Designers as a “spacer.gif”

(Image: Tracker enlarged – a 1 pixel × 1 pixel image captioned “Hi! I’m Tracker.gif!”)

• So, how does it work?

Attribution – The Cyber Holy Grail!

• But, the document is accessing the Internet…
  – Isn’t the user notified?
    • No
  – Will the user get an error if the document can’t get the tracker?
    • No

Attribution – The Cyber Holy Grail!

• But, you have the tracker in the text and the user can easily delete it.
  – Headers and footers are your friends!!!
  – PowerPoint Slide Master
  – Excel – Be creative…

The key is “embedding” the image as a link rather than as a copy. In the recovery text view of the document we can see the image being pulled from the Web server. The Tracker.gif can reside anywhere on your public Web server; Covertforensics.com is an actual domain for testing.

Attribution – The Cyber Holy Grail!

• So, what will you see from your server logs?
  – 2009-05-09 14:15:09 GET Word_tracker.gif - 80 >>Your Public IP Address<< HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1;+Tablet+PC+1.7;+.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
  – The document was opened on 2009-05-09 19:15:09
  – From Windows XP Tablet PC Edition (Windows+NT+5.1;+SV1;+Tablet+PC)
  – Which has MSIE 7.0 (Mozilla/4.0 compatible)

Sounds cool, but how is it applied?

• ABC Inc. is concerned Steve is giving info. to XYZ Inc.
• Steve takes the files without knowing they have trackers.
• Steve accesses them from his house.
• Steve sends them to his buddy at XYZ Inc.
• XYZ Inc. opens the files within their corporate network.
• Web logs show the documents opened from two IPs.
• The files are now considered compromised.
• ABC Inc. identifies Steve to the authorities for a formal criminal investigation.
• ABC Inc. files an Intellectual Property Theft Complaint against XYZ Inc.
  – During the discovery process, the judge orders eDiscovery on XYZ Inc.
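The web-log review in the ABC/XYZ scenario can be automated. This added Python example is not from the presentation: it parses IIS/W3C-style log lines shaped like the one shown above, keeps only the tracker-image requests, recovers the open time, client IP and Windows/browser version from the user agent, and separates opens from outside the corporate address range. The sample log lines, the IP addresses and the 10.0.0.0/8 corporate range are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample log (not real traffic). IIS writes user-agent spaces as '+',
# so the whole UA is a single field, as in the slide's example line.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip cs-version cs(User-Agent)
2009-05-09 14:15:09 GET /Word_tracker.gif - 80 203.0.113.17 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1;+Tablet+PC+1.7;+.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
2009-05-09 14:16:30 GET /index.html - 80 203.0.113.17 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)
2009-05-10 09:02:44 GET /Word_tracker.gif - 80 198.51.100.8 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1)
2009-05-10 09:05:01 GET /Word_tracker.gif - 80 10.20.30.40 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1)
"""

# Windows NT kernel version -> marketing name (5.1 is the XP family from the slide).
WINDOWS_NT_NAMES = {"5.0": "Windows 2000", "5.1": "Windows XP",
                    "6.0": "Windows Vista", "6.1": "Windows 7"}


def parse_tracker_hits(log_text, tracker_name="Word_tracker.gif"):
    """Return one dict per request for the tracker image, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):   # skip directives / blank lines
            continue
        fields = line.split()
        if len(fields) < 9:
            continue
        date, clock, method, uri, _query, _port, client_ip, _ver, ua = fields[:9]
        if method != "GET" or not uri.endswith(tracker_name):
            continue
        ua = ua.replace("+", " ")
        nt = re.search(r"Windows NT (\d+\.\d+)", ua)
        ie = re.search(r"MSIE (\d+\.\d+)", ua)
        hits.append({
            # IIS logs use UTC by default; convert to local time before reporting.
            "opened_at": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "client_ip": client_ip,
            "os": WINDOWS_NT_NAMES.get(nt.group(1), f"Windows NT {nt.group(1)}") if nt else "unknown",
            "tablet": "Tablet PC" in ua,
            "browser": f"MSIE {ie.group(1)}" if ie else "unknown",
        })
    return hits


def external_opens(hits, corporate_nets):
    """Opens whose client IP is outside every corporate network (e.g. Steve's house)."""
    nets = [ipaddress.ip_network(n) for n in corporate_nets]
    return [h for h in hits
            if not any(ipaddress.ip_address(h["client_ip"]) in n for n in nets)]


if __name__ == "__main__":
    for h in external_opens(parse_tracker_hits(SAMPLE_LOG), ["10.0.0.0/8"]):
        print(h["opened_at"], h["client_ip"], h["os"], h["browser"], "tablet" if h["tablet"] else "")
```

Distinct external IPs are the "two IPs" of the scenario; the user-agent fields only describe the opening machine, so they corroborate rather than prove who opened the file.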

Attribution – The Cyber Holy Grail!

• XYZ Inc. tries to hide data by removing “ABC Inc.” and any logos belonging to ABC Inc.
• But, ABC Inc. was ready for that…

Attribution – The Cyber Holy Grail!

• ABC Inc. injected a specific keyword “tag” into every electronic file created in the company.
  – To include templates!

Attribution – The Cyber Holy Grail!

• The search revealed three files on XYZ’s network similar to the compromised files, except the company names and logos were changed to XYZ Inc.
• Because the document was tagged, the tag was still present even after the user changed the document text.

Attribution – The Cyber Holy Grail!

• The likelihood of “@BC-1NC0RP0R@T10N” occurring by accident is VERY low.

Attribution – The Cyber Holy Grail!

• Any document created from a template (.dot) will also carry the tag.

Questions?

Cyber Thieves: A Crash Course on Getting to Know Them Cary E. Moore, CFE, CISSP, EnCE

Image From: http://dilbert.com/strips/comic/2007-09-13/