Kimberly Peretti at SUMIT 2011: Cyber Criminals: Who are they? Why are they successful? How do we respond?

This presentation will walk through recent prosecutions of sophisticated hacking rings in order to provide insight into the individuals behind these types of crimes and why they are successful. This presentation will also discuss the emerging area of cyber forensics and methods by which entities can better prevent, detect, and respond to cyber attacks on their systems.

Kimberly Kiefer Peretti, J.D., LL.M., CISSP, joined PricewaterhouseCoopers in May 2010 as a Director in the Washington D.C. Forensic Services practice. Peretti, a former senior litigator for the Department of Justice's Computer Crime and Intellectual Property Section, focuses on the prevention, response and remediation of all types of data breaches, including breaches involving payment card information (PCI), personally identifiable information (PII), and personal health information (PHI). She also serves a wide range of clients in matters of cyber intrusions, cyber investigations, cyber security, financial crime, fraud and regulation, payment systems compliance and risk mitigation, economic espionage, and intellectual property theft. Peretti is a Board Advisor to the Financial Services Information Sharing and Analysis Center (FS-ISAC).

While at the Department of Justice, Peretti led several benchmark cybercrime investigations and prosecutions, including the prosecution of the infamous TJX hacker Albert Gonzalez, who is currently serving 20 years in prison for his role in the largest hacking and identity theft case ever prosecuted by the Department of Justice, in which over 170 million credit and debit card numbers were stolen from over 14 major U.S. retailers. For this prosecution, Peretti received the U.S. Attorney General's Distinguished Service Award and Visa's Leadership in Security Award.

Peretti's law review article "Data Breaches: What the Underground World of Carding Reveals" resulted in a hearing before the US House of Representatives Homeland Security Committee to consider vulnerabilities in the payment card industry, and has been cited by at least one State Supreme Court. She is a frequent keynote speaker and lecturer on the topics of data breaches, cyber investigations and cyber crime, and has been recognized as an "industry pioneer" in the information security industry by SC Magazine.

She is a contributing author of the recently published book Data Breach and Encryption Handbook, a co-author of the book chapter "Compliance with Payment Card Industry Data Security Standard" in the industry-leading legal publication Proskauer on Privacy, and the author of the recently released PwC white paper "Why Cybercrime Matters to General Counsel".

Prior to her work at the Department, Peretti practiced law at Brobeck, Phleger & Harrison and Mayer, Brown & Platt, focusing on information security, privacy, technology, and financial institution regulation. She is a Certified Information Systems Security Professional (CISSP), and holds an LL.M. (Master of Laws) from the University of Munich, Germany, and a J.D. from Georgetown University Law Center (magna cum laude).

Duo Security

October 20, 2011

Transcript

  1. Cyber Criminals: Who are they? Why are they successful? How do we respond?
     October 18, 2011. Presented by Kimberly Peretti, PricewaterhouseCoopers LLP, www.pwc.com

  2. Agenda
     • Cyber criminals: who are they?
       - Organized groups targeting financial data
       - State-sponsored groups conducting economic espionage
       - Hacktivists
     • Why are they successful?
     • How do we respond?

  3. The criminal "carding" scene
     • "Carders"
     • "Carding forums": websites dedicated to the resale of large volumes of stolen financial information
       - Often 6-12 primary sites active, usually with tens of thousands of members worldwide
       - Several competing sites with over 20,000 members
       - Some highly organized with limited membership; some open and entirely chaotic
     • They create a black market for information and make wide-scale global distribution of information possible instantly

  4. Forerunner #1: Dmitry Golubov a/k/a "Script", godfather of carding
     • Ukrainian, early 20s
     • Arrested in 2005
     • Released on bond
     • Now a Ukrainian politician

  5. Forerunner #2: Vladislav Horohorin a/k/a "BadB", godfather of carding
     • Ukrainian/Israeli citizen, resides in Moscow
     • Automated website to sell stolen card data
     • Marketing videos on public websites
     • Arrested August 7, 2010 while partying on a beach in Nice, France

  6. International hacking ring #1: United States v. Albert Gonzalez, et al.
     • Four prosecutions, four conspiracies
     • 13 defendants from the US, Estonia, Ukraine, China, Belarus and Russia
     • Largest hacking and identity theft case ever prosecuted
     • Focus of this group: large volumes of track 2 data
  7. Conspiracy #1 – International distribution ring, San Diego (2006-2008)
     • Charges allege operation of an international stolen credit and debit card distribution ring with operations in Ukraine, Belarus, Estonia, China, the Philippines and Thailand
     • Maksym ("Maksik") Yastremskiy

  8. Conspiracy #2 – National restaurant chain, New York (May 2008)
     • 27-count indictment alleging breach of a national restaurant chain
     • Hack of the POS provider to steal credentials
     • Installation of a sniffer to steal thousands of credit and debit card numbers at 11 store locations
     • Maksym Yastremskiy, Aleksandr Suvorov, Albert Gonzalez

  9. Conspiracy #3 – Major retailer, Boston (August 2008)
     • Gonzalez and co-conspirators responsible for large-scale data breaches at 8 major retailers from 2003-2008
     • Theft and sale of over 40 million credit and debit card numbers
     • Techniques included war driving, SQL injection, and use of sniffers
     • Stole track 2 data and encrypted PIN blocks and obtained technical assistance in decrypting PINs

  10. Conspiracy #3: Case results
     • Damon Patrick Toey (9/11/2008)
       - Trusted subordinate; right-hand man in Internet-based attacks
       - Indicted for conspiracy, access device fraud, computer fraud, aggravated identity theft
       - Pled guilty and sentenced to 5 years imprisonment
     • Christopher Scott (9/22/2008)
       - Principal associate; right-hand man in war driving
       - Indicted for conspiracy, access device fraud, computer fraud, aggravated identity theft
       - Pled guilty and sentenced to 7 years imprisonment

  11. Conspiracy #3: Case results
     • Humza Zaman (4/13/2009)
       - Courier, indicted for conspiracy
       - Pled guilty and sentenced to 4 years imprisonment

  12. Conspiracy #3: Case results
     • Stephen Watt
       - Close friend; coder; provided the sniffer
       - Pled guilty and sentenced to 2 years
     • Judge Gertner: "We need to send a message to the hacking community"; general deterrence vs. special deterrence

  13. Conspiracy #4 – Large payment processor, New Jersey (August 2009)
     • Gonzalez and co-conspirators responsible for large-scale data breaches at 5 major retailers and processors from 2006-2008
     • Over 130 million credit and debit card numbers at risk
     • Two Russian co-conspirators remain at large
     • Most dangerous of the conspiracies

  14. Conspiracy #4: Methods of compromise
     • Using SQL injection attacks
     • Scouting potential victims by reviewing the list of Fortune 500 companies
     • Traveling to retail stores to understand potential vulnerabilities
     • Using servers in Latvia, Ukraine, CA, IL, NJ and the Netherlands as hacking platforms
     • Placing malware for backdoors
     • Conducting lengthy network reconnaissance
     • Installing sniffers
     • Programming malware to evade detection by anti-virus software and testing it against 20 different anti-virus programs

  15. Conspiracies #3 and #4: Case results
     • Albert Gonzalez
       - Ringleader; former informant
       - Indicted in three districts
       - Pled guilty 9/11/2009; sentenced to 20 years, 3/2010
     • Forfeiture: $1.6 million currency; condominium; BMW; $1.1 million cash seized in Miami, FL
  16. Who were these criminals?
     • In the US: young kids; self-taught computer skills; self-taught bankers; drugs; no formal education after high school
     • In Eastern Europe: young kids with privileged backgrounds; smart investors; best formal computer training programs

  17. International hacking ring #2: Elite international ring
     • Russian-speaking
     • Focus of this group: a small number of PINs
     • Usually targeted payroll cards
     • Used sophisticated methods of obtaining plaintext PINs
     • Used sophisticated cash-out networks
     • Some of these criminals apprehended; others remain at large

  18. International hacking ring #3 (April 2011): Corporate account takeovers
     • Compromise of the online banking credentials of small- to mid-sized corporate entities to engage in unauthorized wire and ACH transfers
     • Compromise of different methods of user authentication
     • Eastern European ring
     • Ongoing for almost two years
     • Uses thousands of witting and unwitting money mules

  19. Economic espionage
     • Sponsored by a state or political entity
     • Sophisticated and well-funded
     • Use a combination of internal and external attack techniques
     • What do they want? Economic, military, or political intelligence; control of critical US infrastructures
     • Maintain remote access for a long time
     • Target specific email and specific documents
     • Key is in incident response

  20. Information leakage
     • Young, politically motivated hackers
     • Loosely organized and affiliated
     • Increasing capabilities
     • What do they want? Disrupt IT services impacting business operations; leak sensitive information to the public; cause reputational damage and other harm to the target
     • Wikileaks and the media are making it possible for criminals to successfully disclose/leak confidential information

  21. Obvious answer: because unauthorized access is easy
     • "Only 4% of breaches were assessed to require difficult and expensive preventative measures"
     • Well-known vulnerabilities exploited time and time again: SQL injection; insecure RDP; insecure wireless
     • Phishing / spear phishing / whaling
  22. Less obvious answer: because they are patient
     • Advanced cyber threat groups are patient, are persistent, invest in R&D to evade detection, and carry out targeted attacks
     • Double goal of stealing information and maintaining access
     • Average time they maintain remote access to systems: six to eighteen months

  23. Even less obvious answer: because we are focused on prevention, not detection
     • In most cyber investigations, the evidence of the intrusion was available for days, months, or years. Examples:
       - Unauthorized web pages created on an Internet-facing web server
       - Data transmitted outbound over unlikely protocols
       - Large compressed files being transmitted outbound
       - Unusual connections from a user's system using native Windows networking features
       - Log entries capturing the execution of unauthorized programs

  24. Emerging cyber security practices: Enhance detection capabilities
     • Consider in-house cyber incident response capabilities; assume an ongoing state of compromise
     • Enhance signature-based technologies with custom rules and alerts informed by a cybercrime mindset
     • Collect and maintain all logs from monitoring technology and systems
     • Focus detection on all systems, not just on critical data stores and external-facing computers
     • Increase operating system logging on all systems
     • Have a systematic method to collect and analyze live memory on systems
     • Collect and maintain all network traffic
     • Minimize Internet access points

  25. Emerging cyber security practices: Enhance cyber intrusion security controls
     • Targeted attacks often use spam and spear phishing to gain initial entry
       - Enhance spam filtering technology
       - Increase user and customer awareness of this type of attack
       - Baseline the online behavior of customers
     • Targeted attacks steal the email of key personnel
       - Explore and implement email encryption technologies
     • Targeted attacks steal Domain Admin credentials
       - Develop a process to continually monitor Domain Controller logs for unauthorized program execution

  26. Emerging cyber security practices: Enhance insider risk security controls
     • Review USB device policies and controls, and enforce violations
     • Review non-corporate web-based email policies and controls, and enforce violations
     • Explore and implement technology to monitor/detect USB device usage on user systems with access to sensitive information and with sensitive job roles
     • Explore and implement technology to monitor/detect connections from unauthorized computing assets
     • No Internet access on computers used for wire transfers of currency

  27. Invest in cyber forensics
     • Cyber forensics: computer forensics; network forensics; live memory forensics; malware forensics

  28. Common missteps
     • Assigning the organization's IT operations department to investigate the incident
     • Incident response becomes a technical endeavor
     • Investigative actions are not forensic
     • Pulling the plug on the compromised system (if you have to pull the network plug, at least don't turn off the computer)
     • Neutralizing, but not analyzing, the malware

  29. Prepare, prepare, prepare …
     • Have a high-level plan: create, develop, enhance, and/or review your incident response plan
     • Practice: test the plan through scenario planning and tabletop exercises
     • Enhance what you have: evaluate in-house people, processes, and technologies to identify gaps
     • It's an art developed from experience
     • Could you effectively investigate a breach, or even detect an advanced attack?

  30. © 2011 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.
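The detection points from slides 23 and 25 (data transmitted outbound over unlikely protocols, large outbound transfers, and Domain Controller log entries showing unauthorized program execution) worked as a small log-review script. This is an added example, not material from the deck or from PwC; it assumes a constructed key=value log format, a corporate address range of 10.0.0.0/8, and a baseline in which domain controllers only run programs from under C:\Windows\.

```python
import ipaddress
import re
# Constructed sample records (not from the deck): 4688-style process-creation
# events and per-flow egress records, both in a simple key=value text form.
PROCESS_LOG = """\
2011-10-18T02:13:05 host=DC01 event=4688 user=CORP\\svc_backup image=C:\\Windows\\System32\\ntbackup.exe
2011-10-18T02:14:11 host=DC01 event=4688 user=CORP\\jsmith image=C:\\Users\\jsmith\\AppData\\Local\\Temp\\svch0st.exe
2011-10-18T03:01:02 host=WS-017 event=4688 user=CORP\\acct1 image=C:\\Apps\\Office\\winword.exe
"""
FLOW_LOG = """\
2011-10-18T02:30:00 src=10.20.1.15 dst=203.0.113.9 dport=443 proto=tcp bytes_out=1843200
2011-10-18T02:31:00 src=10.20.1.15 dst=203.0.113.9 dport=53 proto=udp bytes_out=9500000
2011-10-18T02:32:00 src=10.20.1.15 dst=10.20.1.20 dport=445 proto=tcp bytes_out=120000
2011-10-18T02:33:00 src=10.20.1.15 dst=198.51.100.4 dport=21 proto=tcp bytes_out=52428800
"""
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # assumed corporate address range
DC_ALLOWED_PREFIXES = ("C:\\Windows\\",)            # assumed program baseline for DCs
LOW_VOLUME_PORTS = {53: "dns", 123: "ntp"}          # protocols that should not carry bulk data
BULK_BYTES = 10 * 1024 * 1024                       # one flow sending >= 10 MiB out

def parse(line):
    """Turn a 'ts key=value ...' record into a dict; the leading timestamp becomes 'ts'."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields

def unauthorized_execution(log, dc_hosts=("DC01",)):
    """Slide 25's control: process creation on a DC from outside the allow-listed directories."""
    hits = []
    for rec in map(parse, log.splitlines()):
        if rec.get("event") != "4688" or rec["host"] not in dc_hosts:
            continue
        if not rec["image"].startswith(DC_ALLOWED_PREFIXES):
            hits.append((rec["ts"], rec["host"], rec["user"], rec["image"]))
    return hits

def suspicious_outbound(log):
    """Slide 23's indicators: bulk data over an unlikely protocol, or a large outbound transfer."""
    hits = []
    for rec in map(parse, log.splitlines()):
        if ipaddress.ip_address(rec["dst"]) in INTERNAL:
            continue                                # internal-to-internal flows are out of scope here
        port, size = int(rec["dport"]), int(rec["bytes_out"])
        if port in LOW_VOLUME_PORTS and size > 64 * 1024:
            hits.append((rec["ts"], rec["dst"], "bulk data over " + LOW_VOLUME_PORTS[port]))
        elif size >= BULK_BYTES:
            hits.append((rec["ts"], rec["dst"], "large outbound transfer on port %d" % port))
    return hits
```

Run against the embedded records it flags the Temp-folder executable on DC01, the 9.5 MB pushed out over DNS, and the 50 MB FTP upload, while leaving the ordinary HTTPS session and the internal SMB flow alone.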