CESG-HP-CyberIntel-Dancho.pdf

Transcript

1. Intell on the Criminal Underground - Who’s Who in Cyber

   Crime for 2007?

2. Who is Dancho Danchev? • Independent Security Consultant - Before

   • Cyber Threats Analyst - Nowadays • Active Blogger (ddanchev.blogspot.c om) • Diverse background equals different perspective

3. Presentation Outline • Basics of OSINT and CYBERINT • Dynamics

   of the Underground Economy • Who’s Who in Cybercrime for 2007? • Conclusion and Key Summary Points

4. What You Will Learn After This Presentation? • How powerful

   open source intelligence gathering techniques are for anticipating the emerging cyber threatscape • An inside look at the Underground Economy with practical examples • Who were the main cyber crime groups in 2007? • Understand the difference between Cyber Crime 1.0 and today’s Cyber Crime 2.0

5. The Basics of OSINT/CYBERINT • What is OSINT and how

   important it is to fighting Cyber Crime? • Competitive Intelligence and OSINT • (CYBERINT) as the convergence of HUMINT, SIGINT and OSINT online

6. The Basics of OSINT/CYBERINT - Threat Intell Data Sources •

   Publicly obtainable statistics • Real-time incident response and preservation of actionable intelligence data • “Informants” and cyber buddies • Hot Leads as Stepping Stones • Subscriptions to Cyber Crime services newsletters • Keep you friends close, the Cyber Criminals closer

7. The Basics of OSINT/CYBERINT - Threat Intell Data Sources

8. The Basics of OSINT/CYBERINT - Threat Intell Data Sources

9. The Basics of OSINT/CYBERINT - Cyber Intelligence Practices • Tactical

   Intelligence - “I Want to Know God’s Thoughts, all Rest are Details” • consolidation of malicious parties • assessing their degree of collaboration • personalizing and profiling the groups • Scenario Building Intelligence - Devil’s Advocate • Understanding of OPSEC

10. The Basics of OSINT/CYBERINT - Cyber Intelligence Practices • Operational

    Intelligence • real-time incident response as a window of opportunity • Official sites, underground forums, live exploit URLs, IPs, Netblocks - cross checking for malicious activity on multiple fronts = the entire criminal ecosystem is exposed

11. Dynamics of the Underground Economy • Do Socioeconomic or Sociocultural

    factors drive the Criminal Underground? • Revenge is more powerful than Greed • Full scale capitalism, and microeconomic environment

12. Dynamics of the Underground Economy • Common business and market

    practices • Consolidation • Vertical Integration • Benchmarking - QA • Standartization • Malicious Economies of Scale • Maturity from Products to Services

13. Dynamics of the Underground Economy • Customer Service, Manuals and

    Video Tutorials • Promotions and Bargain deals with commodity services and products • Exclusive, customer-tailored and proprietary tools/services • Localization to break the entry barriers • Risk-hedging and risk-forwarding • Customization of products/services • Botnets,Malware,Spamming,Phishing On Demand

14. Dynamics of the Underground Economy - 1000 Bots for $100

15. Dynamics of the Underground Economy - 1000 Bots for $100

16. Dynamics of the Underground Economy - Malware as a Web

    Service

17. Dynamics of the Underground Economy - Financial Liquidity is a

    Variable

18. Who’s Who in Cyber Crime for 2007? • The Russian

    Business Network - a Powerhouse • Riders on the Storm Worm • New Media Malware Gang • Ukrtelegroup Ltd • The Rock Phishers Crowd

19. Who’s Who in Cyber Crime for 2007? - The Russian

    Business Network • The proof that Cyber Crime cooperation has a long way to go • 100% operational, split on different netblocks • RBN IPs behind every high profile malware embedded attack in 2007 • The Massive Malware Attack in Italy • Bank of India • Syrian Embassy in the U.K • Possibility Media’s portfolio of E-zines

20. Who’s Who in Cyber Crime for 2007? - The Russian

    Business Network • A connection between the RBN, Storm Worm and the New Media Malware Gang • Infrastructure as a service, revenue sharing on a bargain deal, or direct involvement • Each and every malware embedded attack assessment indicates they cooperate or have cooperated with each other • An underground ecosystem for hosting and dissemination of malware, attack kits and exploit URLs

21. Who’s Who in Cyber Crime for 2007? - The Russian

    Business Network • Started issuing fake “account suspended notices” upon getting “blogosphered” • The enemy you know is better than the enemy you don’t know - no OPSEC policy • Centralization => efficiency and easy of management => easy to block/traceback • Chasing down the RBN - how to breath down the RBN’s neck?

22. Who’s Who in Cyber Crime for 2007? - The RBN

23. Who’s Who in Cyber Crime for 2007? - The RBN

24. Who’s Who in Cyber Crime for 2007? - The RBN

25. Who’s Who in Cyber Crime for 2007? - Stormy Wormy

    • Persistence, simplicity, and outdated vulnerabilities lead to the world’s largest botnet • Storm Worm is not an Attack, it’s a Campaign • Storm Worm is a Russian malware operation

26. Who’s Who in Cyber Crime for 2007? - Stormy Wormy

27. Who’s Who in Cyber Crime for 2007? - Stormy Wormy

    • Storm Worm’s Fast-Flux Networks • bnably.com • wxtaste.com • snbane.com • tibeam.com • eqcorn.com • dropped domains as key fast-flux nodes before the “infrastructure” scaled enough

28. Who’s Who in Cyber Crime for 2007? - Stormy Wormy

29. Who’s Who in Cyber Crime for 2007? - New Media

    Malware Gang • Domain farms of live exploit URLs, malware C&C • Have used and is still using RBN infrastructure • Connection with Storm Worm and several high profile malware embedded attacks • Same infrastructure is used by the RBN, Storm Worm and the New Media Malware Gang • A Russian malware group

30. Who’s Who in Cyber Crime for 2007? - New Media

    Malware Gang • The Gang speaks out - “get lost” and die() • Dots dots dots • musicbox1.cn/iframe.php refreshes textdesk.com - refreshing Storm Worm domains - eliteproject.cn; takenames.cn; bl0cker.info; space-sms.info • French government’s Lybia site hack assessment ends up to 208.72.168.176 - the gang’s main IP

31. Who’s Who in Cyber Crime for 2007? - New Media

    Malware Gang

32. Who’s Who in Cyber Crime for 2007? - New Media

    Malware Gang

33. Who’s Who in Cyber Crime for 2007? - Ukrtelegroup Ltd

    • Dispersed over several different netblocks - 88.255.114.*; 88.255.113.*; 88.255.94.*; 88.255.120.*; • Huge farm for hosting malware, downloaders update locations, live exploit URLs, malware C&C • Cooperation with the RBN, Storm Worm campaigners and the New Media Malware Gang • Known RBN customers using their services

34. Who’s Who in Cyber Crime for 2007? - Ukrtelegroup Ltd

35. Who’s Who in Cyber Crime for 2007? - Rock Phishers

    Crowd • Standardizing Phishing and Social Engineering • Malicious Economies of Scale • Several different gangs • Rock Phishing’s a trend not a fad • Static and descriptive structure • 209 Host Locked • 209.1 Host Locked • 66.1 Host Locked
36. None

37. Cyber Crime 1.0 and Cyber Crime 2.0 - DIY tools

    matured into Malware Kits

38. Cyber Crime 1.0 and Cyber Crime 2.0 - DIY tools

    matured into Malware Kits

39. Cyber Crime 1.0 and Cyber Crime 2.0 - DIY tools

    matured into Malware Kits • Rootlauncher Kit, WebAttacker, Mpack, IcePack, Zunker, Pinch, Apophis, Fire Pack, Advanced Pack, Nuclear Malware Kit, Metaphisher Banker Kit, Nuclear Grabber - the list is endless • Modularity, Open Source, Localization, “Add an exploit” DIY customization

40. Cyber Crime 1.0 and Cyber Crime 2.0 - DIY tools

    matured into Malware Kits

41. Cyber Crime 1.0 and Cyber Crime 2.0 - DIY tools

    matured into Malware Kits

42. Cyber Crime 1.0 and Cyber Crime 2.0 - DIY tools

    matured into Malware Kits
43. None
44. None
45. None

46. Conclusion and Key Summary Points • It’s all a matter

    of perspective • How deep you really wanna go? • Personal efforts expand the entire ecosystem • Cyber Criminals are lazy • Keep it Simple Stupid (KISS) pragmatic Cyber Crime • Assess the final product or infiltrate the assembly line?

47. Conclusion and Key Summary Points • OSINT through Botnets •

    Corporate Espionage through Botnets • Asymmetric Warfare on Demand • Cyber Crime is outsourceable • Cyber Crime Powerhouses outpace boutique cyber crime operations • Cyber Crime - a HR pool for cyber warfare talent - FAPSI

48. Conclusion and Key Summary Points ddanchev.stripgenerator.com

49. Conclusion and Key Summary Points • http://ddanchev.blogspot.com - switchboard to

    real-time and historical threat intell • [email protected] Thank you for your time and attention!