
How the History of Cyber Attacks is Changing Current & Future Security Defenses
Cyber Security Dinner Seminar, 12/13/2018
Tom Ruffolo, CISA
[email protected]

Agenda
▪ Technology Trends
▪ History of Attacks
▪ History of Defenses
▪ New Tech that Enables Attacks or Solutions
  ⬧ Examples
  ⬧ Defense Technology
  ⬧ Solutions
▪ Future Security
  ⬧ Leveraging New Technology
  ⬧ Likely Attacks
  ⬧ Solutions

History of Technology: Enabling Attacks
Technology Evolution by decade:
▪ 1980s: Birth of PCs [DOS]; Private Internet; Slow Proprietary Networks
▪ 1990s: AOL, CompuServe; Real Internet Introduced; Email Use Grows; Windows 95/98; Slow Internet Speeds: xx Kbps
▪ 2000s: Faster Internet, Websites; Online Shopping, Payroll; Blackberry, iPhone ('07); WiFi & Portable Devices; Social: Facebook, LinkedIn; Windows XP; WiFi: 11-450 Mbps; Internet: Low Mbps; 3G: .4 Mbps+
▪ 2010s: SaaS Cloud Apps & Office; Public Cloud Data Centers; IoT; Expanded Social Media; Smart Phones & Apps; Windows 10; Cloud Apps & Email Usage Up; WiFi: Up to 16 Gbps; Fast Internet: 100 Mbps–Gbps; 4G: ~10 Mbps (-1Gbps); 5G (2019): 100 Mbps – 20 Gbps

History of Security Attacks

1980s: Morris Worm
▪ Objective:
  – Graduate Student: Size the Internet
▪ Attack Target:
  – ARPANET Users
▪ Attack Type: 1st Malware Worm
  – Self Replicating Worm Sent to Authorized DEC VAX Users on ARPANET
▪ Impact:
  – Replicated out of control; 1,000s of Govt & University machines WW were so slow they could not function (DDoS)
  – $100,000+ Cost in Downtime & Cleaning
▪ Attack Method:
  1. Leverages Unix, System Configuration & Weak Password Vulnerabilities to Self Replicate Rapidly Over a 60,000 Node Network
▪ Response:
  – Admins: Tighten Security Configurations, Password Security
  – DARPA Funding of US-CERT (Computer Emergency Readiness Team)
  – 1st Conviction Under 1986 Computer Fraud Act

1989: AIDS Info Disk - Ransomware
▪ Objective:
  – To Extort $$ from PC Users
▪ Attack Target:
  – PC DOS Users
▪ Attack Type: 1st Ransomware
▪ Impact:
  – Computer Unusable… Wait for your Unlock Key in the Mail
▪ Attack Method:
  1. Mail a "Floppy Disk"
  2. Insert Disk & Open File
  3. Malware Hides Directories & Encrypts File Names on Drive C:
  4. Mail $189 to Panama to Unlock
▪ Response:
  – User is Educated
  – Future: Endpoint Security, External Storage Lockdown or AV Scans

Melissa & ILOVEYOU Macro Viruses (1999/2000)
▪ Objective:
  – Disruption, Steal Passwords
▪ Attack Target:
  – Everyone
▪ Attack Type: Mass Mailing Macro Worm
  – Simple Multi-Stage, Self Replicating
▪ Impact:
  – Most Costly Malware to Date
    • $5-8B in Damages WW
    • $15B to Remove Worm
▪ Attack Method:
  1. Email -> MS Word Macro Attachment
  2. Open Attachment -> Infect PC
  3. Replicate:
     1. Melissa: Sends Copy to 50 People
     2. ILOVEYOU: Sends Copy to All Contacts
▪ Response:
  – Windows Vulnerabilities Patched
  – Users: Restrict Running Programs
  – Vendors: Improved Email Security
  – Employees Get an Education
  – 2002: Bill Gates "Security Project"

Advanced Persistent Threats (APTs) (2010+)
Attack map, stage by stage:
▪ RECON: Collect Data on People of Targeted Users (Social Sites, Email, Web Search)
▪ Credentials: Get Credentials (Spear Phish, Malicious Web Links)
▪ Discovery: Map Network, Resources, Data (Map Your Network)
▪ Targeted Attacks: Download & Install Backdoor (Increase Access)
▪ Strategic Users: Find More Credentialed Users (One Step Closer)
▪ Extract Data: Extract & Remove Traces (Transfer Data Out)
Top 4 Attack Methods Used: #1 Malware, #2 Phishing, #3 Malicious Websites, #4 Social Engineering

Operation Aurora - APT (2009+)
▪ Objective:
  – Gain Access to Source Code
  – Gain Access to Dissident Gmail
▪ Attack Targets:
  – Google, Adobe, Juniper, Rackspace, Symantec, Northrop…
▪ Attack Type: Advanced Persistent Threat (APT)
  – Multi-Year Attack
▪ Impact:
  – Some Google Source Code Stolen
  – Google Threatens to Leave China (Censored Search Engine Business)
▪ Attack Method:
  1. China Based
  2. Visit Malicious Web Sites (Links)
     1. Leveraging Zero Day Vulnerabilities in IE
  3. Download & Encrypt Payload to Avoid Discovery
  4. Ongoing Access to Source Code etc.
▪ Response:
  – Microsoft IE Patch
  – Dedicated APT Solutions
  – Later: APT Solutions in Everything

How Ransomware Works (2014+)
Flow: Attacker's Website -> Download Malicious Code (Application or Attachment) -> Compromised O/S Exploit -> Replicate (Ransomware) -> Ransomware Request
▪ Ransomware as a Service
  • Files Encrypted (even Backup)
  • System Unusable
  • Ransom Needed
  • No Traces of Dr. Evil
▪ Well Known Variants
  • 2013-2015 Cryptolocker, Cryptowall
  • 2016 Locky, Petya, NotPetya
  • 2017 WannaCry (Cryptoworm)
▪ Cost of Ransomware
  • 2015 $325M
  • 2016 $1.45B (FBI)
  • 2017 $5B
  • 2019 $11.5B Forecasted

WannaCry Ransomware (2017)
▪ Objective:
  – Extort $$ from Everyone
▪ Attack Target:
  – Everyone (Personal, Small, Enterprise)
▪ Attack Type: Ransomware Cryptoworm
  – Simple Multi-Stage, Self Replicating
▪ Impact:
  – Infected >230,000 Computers in 150 Countries
▪ Attack Method:
  1. Initial Infection Unknown (normally Email or Web)
  2. Encrypts Data – PC, Server
  3. Ransomware Request - Bitcoin
  4. Spreads to Random PCs on Network or Internet w/ Win Vulnerability (EternalBlue)
▪ Response:
  – Windows Vulnerabilities Patched
  – Kill Switch Turned on to Kill Replication, but New Variant Ignores Kill Switch
  – New Ransomware/Zero Day Security
    • Endpoint Security Developed (including AI)
    • Gateway Firewall UTMs
    • Patch Management
  – Backup & Disaster Recovery Focus

CEO Fraud - Social Eng. Attack (2015+)
▪ Objective:
  – Steal $$ or High Value Data
▪ Attack Target:
  – All Size Companies
▪ Attack Type: Impersonate "CEO", Order Teams to Initiate Targeted Transactions
▪ Impact:
  – Unrecoverable $$ or Data Loss
▪ Attack Method (Social Eng.):
  1. Reconnaissance (Social Media…)
  2. Spear Phishing (Spoofed Emails)
  3. Response
  4. Damage
  5. Impact
▪ Response:
  – Improved Email Security
  – Online Employee Training
  – Human 2-Factor Authentication
    • Improved Internal Communication
    • Policies, Process, Procedures
  – Social Media Usage Controls
  – Website Domain Control (Spoofing)

Supply Chain Attacks (2017)
▪ Objective:
  – Introduce Malware Into Your Network, then Initiate an Attack
▪ Attack Target:
  – All Companies – Any Software
▪ Attack Type: Corrupt Legitimate Software Downloads from Trusted Vendor
▪ Impact:
  – Any Attack is Possible
▪ Attack Method:
  1. Corrupt Trusted Software/Update
     1. On Supplier's Download Servers, or
     2. Corrupt Software Vendor's Software, or
     3. Hijack Software Update Path
  2. User Downloads Malware
  3. Attack Starts
▪ Response (Hard to Prevent/Detect):
  – Prevent:
    • NextGen Web Reputation Checking
    • Controlled (or Delayed) Updates
    • Vendor Selection Scrutiny
  – Detect:
    • Zero Day Malware Detection
    • APT Detection (C&C)
  – Respond:
    • Backup and Disaster Recovery

Crypto Currency Attacks & Mining (2017)
▪ Objective:
  1. Steal Cryptocurrency, or
  2. Create Cryptocurrency on Your Nickel
▪ Attack Target:
  – Crypto Food Chain Incl. Users
▪ Attack Methods (Numerous & Growing):
  1. Crypto Mining by
     • Cryptojacking Browsers or Servers
     • Using Malware Infections
  2. Hijacking the Cryptojacker: Redirect Wallet Address to Another Wallet
  3. Crypto Attacks on 3rd Parties: Tools, Wallets, Exchanges
  4. Attacks on End Users:
     • Crypto Wallet Shuffling (Stealing your wallet or replacing your wallet with theirs for cryptofund storage)
     • Scraping your PC for Crypto Information (wallets, coin addresses)
     • Stealing Login Credentials for your Crypto Account and Wallet
  5. Attacks on Crypto Exchanges: $532M Lost from Credential Stealing Malware, Stolen Private Wallet Keys
▪ Broad Crypto Currency Ecosystem Attacks Require Broad Solutions in These Areas:
  – Traditional Security Solutions
  – Crypto Infrastructure Protection
  – Secure Access Control
  – Protect Developers & Tools
  – Social Attacks on People
While the architecture of Blockchain may be secure, the surrounding ecosystem is not.

New Threats from Moving to the Cloud
Moving from the Data Center to Cloud Applications (Storage/Sharing, CRM, HR, Finance, Office, Sales, Development, Operations Apps) raises these ISSUES:
❑ Visibility
❑ Data Protection
❑ Malware
❑ Access Control

History of Security – Attacks Summary
Technology Evolution (1980s, 1990s, 2000s, 2010s): as in the History of Technology table above, with the 2010s also listed as WiFi: < 1 Gbps, 4G: ~10 Mbps – 1 Gbps, 5G: 100 Mbps - 20 Gbps.
Attack Methods, left to right across the decades: 1st Malware Worms, 1st Ransomware, Hackers; Malware, Worms, Email Attachments, Attack Windows OS, Servers, Hacking; Phishing Email, Spear Phishing, Website Vulnerabilities, Malware Variants / 1st Morphed Malware, Botnets, Email Threats; Adv. Persistent Threats, Stolen Credentials, Privilege Misuse, Fast Morphing Malware, Ransomware / RaaS, CEO Fraud, Software Supply Chain.

History of Security – Defense Responses
Attack Methods (1980s – 2010s): as in the Attacks Summary above.
Defense Responses: Windows 10; Dedicated APT Solution; Improved