Cyber Thieves: a Crash Course on Getting to Know Them

Cary E. Moore, CFE, CISSP, EnCE

Speaker
Cary E. Moore, CFE, CISSP, EnCE
• 12 years of Computer Forensic and InfoOps experience
• Senior Vice President, Emerging Threats Manager – Cyber Intelligence Analytics Towards Emerging Threats
• Formerly
  – Guidance Software Inc.
    • Technical Director, Cybersecurity
  – Special Agent, Air Force Office of Special Investigations
    • Computer Crime Investigations and Operations
    • Counterintelligence and Counterespionage Investigations
    • (Cyber) Technical Surveillance and Countermeasures (TSCM)
• First computer: TI-99/4A
  – With the speech module!

Agenda
1 Insider Threats ✓
2 Breaking Cyber Barriers
3 You Never Saw It Coming!
4 Attribution: The Cyber Holy Grail!
(Diagram labels: External, Insiders, Customers & Partners)

Insider Threats – Profiles
• Traitors
  – A trusted person
  – Makes a decision to betray
  – True motive might be unapparent
  1985 CIA—Larry Wu-Tai Chin
  1994 CIA—Aldrich “Rick” Ames
  1998 CIA—Douglas Groat
  2001 NRO—Brian Regan
  2001 DIA—Ana Belen Montes
  2003 FBI—Robert Hanssen
  2006 USN—PO Ariel Weinmann
• Traitors (continued)
  – Distinct warning signs
    • Unusual change in work habits
      – Seeks out sensitive projects
      – Unusual work hours
    • Sloppy security habits or scoffs at security
    • Might rationalize inappropriate actions
    • Change in lifestyle
      – Living beyond their means
• Zealots (a/k/a Hacktivists)
  – Ideological
  – Motivated by their beliefs
  – Believe their actions are just, no matter how detrimental
  – Might pass information to allies, unaware of the intelligence threat
• Spies
  – Intentionally in a situation or organization to glean intelligence
    • Foreign intelligence
    • Business intelligence
    • Competitive intelligence
  (Image: Operation Ghost Stories, 2010 Russian Spy Ring; Anna Chapman, June 2010)
• The Browsers
  – Those who violate the “need-to-know” principle
  – Persons who have the required clearance
    • But no requirement for the information
    • Search for information with or without specific intentions
• The Browsers (continued)
  – Might utilize the activity or information for personal gain
    • Receiving rewards
    • Promotion
    • Contracts
    • Personal advantage
• The Well-Intentioned
  – Victim to social engineering
    • Phishing
    • Spearphishing
    • Whaling
  – The Tinkers
    • Boredom
    • Curiosity
• The Well-Intentioned (continued)
  – Unwittingly give unauthorized access
    • Carelessness
      – Unlocked workstations/network rooms
    • Ignorance
      – P2P and file sharing software
      – Dated security practices

Insider Threats – Case Study 1
• The key findings from “The Insider Threat Study” on Computer System Sabotage in Critical Infrastructure Sectors are:
  – A negative work-related event triggered most insiders’ actions
  – 43 percent of the insiders had authorized access to the system/network at the time of the incident
  – 39 percent of the insiders used one or more relatively sophisticated methods of attack, which included:
    • A script or program
    • An autonomous agent
    • A toolkit
  – 63 percent of the incidents were detected because of an irregularity in the information or system
  – 62 percent of the insiders developed plans to harm the organization
  – 47 percent of the cases involved overt behaviors in preparation for the incident, such as stealing copies of back-ups
Source: www.secretservice.gov/ntac_its.shtml

Insider Threats – Case Study 2
• The key findings from “The Insider Threat Study” on Illicit Cyber Activity in the Banking and Finance Sector are:
  – Required minimal technical skill to execute
  – Involved the simple exploitation of inadequate practices, policies, or procedures
  – 78 percent of the cases involved the modification and/or deletion of information
Source: www.secretservice.gov/ntac_its.shtml

Insider Impact – Mission Impact
“Everything That Is Connected”
• Email Servers
• Communication Systems
• Security Systems
• Database Operations
• Accounting Operations
• Research and Development
• Maintenance and Monitoring Systems
• Critical Operation Systems

Insider Impact – Information at Risk
• Intellectual Property
• Customer Data
• Design Documents
• Personal Data
• Source Code
• Credit Card Numbers
• Trade Secrets
• Customer Financial Data
• Government Data
• War Plans
• Corporate Data
• Intelligence
• Financial Data
• Law Enforcement
• Mergers and Acquisition Information
• HR Data
• Marketing and Sales

Insider Detection – Insider Indications
• Test scripts and/or techniques
• Try a multitude of tools (e.g., port scanners, network probes, war driving)
• Rogue systems
• Bogus accounts
• Odd hour activity
• Undue curiosity
• Hiding screen data
• Positions screen to hinder view
Insider Indications (continued)
• Joking and bragging
• Installs unauthorized software
  – Duty associated software
    • Dreamweaver, Nero, Photoshop, programming software
  – Unassociated harmless software
    • WinAmp, ICQ, games
  – Suspicious software
    • L0phtCrack, key generators, rootkits
• Escalated privileges
• No fear of getting caught

Insider Threats – Investigation Techniques
(Diagram: log sources feeding one timeline)
Logs
  – Firewall
  – IDS
  – A/V
  – Sniffers
  – Proxy and Print Servers
  – System Account Records
  – GPS
→ Create a Timeline

Insider Threats – Investigation Indicators and Leads
• When indicators arise, review for:
  – Unusual processes
  – TCP/UDP connections
  – Website activity (local/proxy)
  – Unauthorized devices
  – Remote access sites (Logmein, PCAnywhere, WebEx, etc.)
  – Unauthorized websites
  – Use of anonymity sites or installation of TOR
  – Accounts and their rights

Insider Threats – Proactive Efforts
• Monitor help desk tickets for trends.
  – Insiders do call for help when their attempts to circumvent security measures mess things up.
• Monitor for unusual logon times.
• Scan for bogus accounts.
• Review scans for unauthorized software, file, and folder access and compile trends.
• Train security to monitor contractors and visitors and report suspicious activities.
• Deactivate access following termination.

Insider Threats – The Comparative
Insider
• Given access
• Uses access to:
  – Misuse equipment and network access
  – Escalate privileges
  – Affect the business operations
  – Compromise systems and corporate data
  – Install malware
  – Etc.
Hacker
• Gains access by whatever means necessary
• Once access is achieved, GAME ON!

Agenda
1 Insider Threats
2 Breaking Cyber Barriers ✓
3 You Never Saw It Coming!
4 Attribution: The Cyber Holy Grail!
(Diagram labels: External, Insiders, Customers & Partners)

Breaking the Cyber Barriers
• 2011 Report to Congress on Foreign Spies Stealing U.S. Economic Secrets in Cyberspace
  – China and Russia are pursuing American technology and industrial secrets, jeopardizing an estimated $398 billion in U.S. research spending.
  – In 2010, the FBI prosecuted more Chinese espionage cases than at any time in our nation’s history.
  – For example, a DuPont chemist in October 2010 pled guilty to stealing research from the company on organic light-emitting diodes.
  – The chemist intended to commercialize in China with financial help from the Chinese Government.
Source: www.ncix.gov/issues/economic/index.php

Breaking the Cyber Barriers – Governments Under Attack
• Solar Sunrise (1998)
  – Cyber attack on the Pentagon
    • An Israeli hacker coordinated two kids from California to hack multiple targets, including the Pentagon
    • Attacking unpatched Solaris systems
    • Basic hacking techniques: Recon, Probe, Exploit, Gather Data, Exfiltrate
Source: www.wired.com/threatlevel/2008/09/video-solar-sun/
• Moonlight Maze (1998)
  – U.S. officials accidentally discovered (during Eligible Receiver) a pattern of probing of computer systems at the Pentagon, NASA, Energy Department, private universities, and research labs.
  – Began in March 1998 and had been going on for nearly two years.
  – Tens of thousands of files included:
    • Maps of military installations
    • Troop configurations
    • Military hardware designs
  – The DOD traced the attack back to a mainframe computer in the former USSR.
  – The true attacker is unknown, and Russia denies any involvement.
Source: www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/
• Titan Rain (2003–2005)
  – A group of about 20 hackers, believed to be based in the Chinese province of Guangdong
  – Thought to have stolen U.S. military secrets, including aviation specifications and flight-planning software
  – “China has downloaded 10 to 20 terabytes of data from the NIPRNet” – Maj. Gen. William Lord
Sources: www.zdnet.com/news/security-experts-lift-lid-on-chinese-hack-attacks/145763
http://gcn.com/Articles/2006/08/17/Red-storm-rising.aspx?p=1

Breaking the Cyber Barriers Governments
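The “Proactive Efforts” and “Investigation Techniques” slides above describe the routine checks a defender can run (unusual logon times, bogus accounts, access that outlives a termination) and ask for the results to be laid out on one timeline. The following is an added example, not code from the deck or from the speaker: it runs those checks over a constructed set of logon records against a constructed HR roster. The log line format, the roster, the account names and the 07:00–19:00 “normal hours” window are all assumptions made for the example.

```python
"""Added example (not from the slides): flag the insider indicators the
"Proactive Efforts" slide lists (odd-hour logons, bogus accounts, access
after termination) over constructed logon records, ordered as a timeline.
Log format, HR roster and the working-hours window are assumptions."""
from collections import defaultdict
from datetime import datetime, time

# Constructed HR roster (assumption): account -> (department, termination date or None).
HR_ROSTER = {
    "jsmith": ("finance", None),
    "mlee": ("engineering", None),
    "rdoe": ("engineering", datetime(2012, 3, 1)),  # terminated 2012-03-01
}

# Constructed logon events in an assumed "timestamp user source" form.
SAMPLE_LOGONS = """\
2012-03-05T08:12:00 jsmith WS-FIN-01
2012-03-05T23:47:00 jsmith VPN-GW
2012-03-06T02:15:00 mlee FILE-SRV-02
2012-03-06T09:30:00 mlee WS-ENG-07
2012-03-06T10:05:00 rdoe VPN-GW
2012-03-06T11:00:00 svc_backup2 DB-SRV-01
2012-03-06T22:40:00 rdoe VPN-GW
"""

NORMAL_HOURS = (time(7, 0), time(19, 0))  # assumed working-hours window


def parse_logons(text):
    """Parse the constructed log lines into (datetime, user, source) tuples,
    sorted by time: the single timeline the investigation slide asks for."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, source = line.split()
        events.append((datetime.fromisoformat(ts), user, source))
    return sorted(events)


def flag_logons(events, roster=HR_ROSTER, hours=NORMAL_HOURS):
    """Return (timestamp, user, reason) findings in timeline order."""
    findings = []
    start, end = hours
    for ts, user, source in events:
        record = roster.get(user)
        if record is None:
            # No HR owner for the account: the "bogus account" indicator.
            findings.append((ts, user, f"no HR record for account (source {source})"))
            continue
        _dept, terminated = record
        if terminated is not None and ts >= terminated:
            # Access that should have been deactivated following termination.
            findings.append((ts, user, f"logon after termination on {terminated:%Y-%m-%d}"))
        if not (start <= ts.time() <= end):
            # Odd-hour activity.
            findings.append((ts, user, f"logon outside {start:%H:%M}-{end:%H:%M} from {source}"))
    return findings


def summarize_by_user(findings):
    """Count findings per account, most findings first, so repeat
    offenders rise to the top of the review queue."""
    counts = defaultdict(int)
    for _ts, user, _reason in findings:
        counts[user] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    results = flag_logons(parse_logons(SAMPLE_LOGONS))
    for ts, user, reason in results:
        print(f"{ts:%Y-%m-%d %H:%M}  {user:12s} {reason}")
    print(summarize_by_user(results))
```

Each finding keeps its timestamp so the output can be merged with firewall, proxy or IDS entries into the same timeline; the per-user summary is what turns isolated odd-hour logons into a trend worth opening a case on, which is the point the “compile trends” bullet makes.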
