A deep walk on the dark side of information security

DSS_ITSEC 154 views 172 slides Nov 27, 2018

About This Presentation

Raoul Chiesa, Selene Giupponi https://dssitsec.eu


Slide Content

Workshop Riga – Latvia, 26/10/2018 – © 2012-2018 Security Brokers

A Deep Walk on the Dark Side of Information Security
Mapping Cybercrime's new threats
Raoul «Nobody» Chiesa
Eng. Selene Giupponi
PUBLIC RELEASE

Agenda
The trainers
Kick-off
Premises, Introductions
Underground Economy: Scenarios and Actors
«Hackers»?
Profiling
The evolution of the 0days market
Bitcoins
Underground currencies
Social Networks
Case study
Conclusions
Reading room
Q&A

Disclaimer
● The information contained within this presentation does not infringe on any intellectual property, nor does it contain tools or recipes that could be in breach of known laws.
● The statistical data presented belongs to the Hackers Profiling Project by UNICRI and ISECOM.
● Quoted trademarks belong to their registered owners.
● The views expressed are those of the author(s) and speaker(s) and do not necessarily reflect the views of UNICRI or other United Nations agencies and institutes, nor the views of ENISA and its PSG (Permanent Stakeholders Group), nor those of Security Brokers.
● Contents of this presentation may not be quoted or reproduced except partially (10%), provided that the source of the information is acknowledged.

Introductions

Raoul «Nobody» Chiesa
President, Founder, The Security Brokers
Independent Special Senior Advisor on Cybercrime @ UNICRI
(United Nations Interregional Crime & Justice Research Institute)
PSG Member, ENISA (Permanent Stakeholders Group @ European Union Network & Information Security Agency)
Founder, Board of Directors and Technical Committee Member @ CLUSIT (Italian Information Security Association)
Steering Committee, AIP/OPSI, Privacy & Security Observatory
Board of Directors, ISECOM
Board of Directors, OWASP Italian Chapter
Cultural Attaché, Scientific Committee, APWG European Chapter
Supporter at various security communities

Eng. Selene Giupponi
Founder, Head of Digital Forensics Unit, Security Brokers
Computer Engineering Degree + Master in Computer Forensics & Digital Investigations
Active Member of the IT Engineer Commission, Engineers Association of the Latina Province
CLUSIT Member (Italian Information Security Association)
IISFA Member (Information System Forensics Association, Italian Chapter)
Technical Assessor/Expert Witness at Civil Court
Technical Assessor/Expert Witness at Criminal Court
Cyber World Working Group former Member @ CASD (Higher Studies Defence Center) / OSN (National Security Observatory) at the Italian Ministry of Defense

Our company
The Security Brokers
We deal with extremely interesting topics, bringing the strong know-how gained from 20+ years of field experience and from our 30+ experts, very well known all over the world in the Information Security and Cyber Intelligence markets.
Our key areas of service can be summarized as:
Proactive Security
With a deep specialization on TLC & Mobile, SCADA & IA, ICN & Transportation, Space & Air, Social Networks, e-health, […]
Post-Incident
Attacker's profiling, Digital Forensics (Host, Network, Mobile, GPS, etc.), Trainings
Cyber Security Strategic Consulting (Technical, Legal, Compliance, PR, Strategy)
On-demand «Ninja Teams»
Security Incident PR Handling & Management
Psychological, social and behavioural aspects (applied to cyber environments)
Cybercrime Intelligence
Botnet takeovers, takedowns, cybercriminal bounty hunting, Cyber Intelligence Reports, liaison with CERTs and LEAs/LEOs, […]
Information Warfare & Cyber War (only for MoDs)
0-days and Exploits – Digital Weapons
OSINT

Cybercrime

Digital Underground slang (cybercrime): example
• Carder - Slang used to describe individuals who use stolen credit card account information to conduct fraudulent transactions.
• Carding - Trafficking in and fraudulent use of stolen credit card account information.
• Cashing - The act of obtaining money by committing fraud. This can be done in a variety of ways: the term can stand for cashing out Western Union wires, postal money orders and WebMoney; using track data with PINs to obtain cash at ATMs or from PayPal accounts; or setting up a bank account with a fake ID to withdraw cash on a credit card account.
• CC - Slang for credit card.
• Change of Billing (COB or COBs) - Term used to describe the act of changing the billing address on a credit account to match that of a mail drop. This gives the carder full takeover capability of the compromised credit card account and increases the probability that the account will not be rejected when used for Internet transactions.
• CVV2 - CVV2 stands for the credit card security code. Visa, MasterCard, and Discover require this feature. It is a 3-digit number on the back of the card.
• DDoS - Acronym for Distributed Denial of Service attack. The intent of a DDoS attack is to shut down a targeted website, at least for a period of time, by flooding the network with an overflow of traffic.
• DLs - A slang term that stands for counterfeit or novelty driver's licenses.
• Drop - An intermediary used to disguise the source of a transaction (addresses, phones, etc.).
• Dumps - Copied payment card information, at least Track 1 data, but usually Track 1 and Track 2 data.
• Dump checking - Using specific software or, alternatively, encoding track data on plastic and using a point of sale terminal to test whether the dump is approved or declined. This gives carders a higher sense of security that they are obtaining quality dumps from those who offer them, and also a sense of security when doing in-store carding.
• Full info(s) - Term used to describe obtaining addresses, phone numbers, social security numbers, PIN numbers, credit history reports and so on. Full info(s) are synonymous with carders who wish to take over the identity of a person or to sell the identity of a person.
• Holos - Slang for holograms. Holograms are important for those who make counterfeit plastic credit cards, to emulate an existing security feature.
• ICQ - An abbreviation for "I Seek You". ICQ is the most widely used instant messaging system for carders. Popular among Eastern Europeans in their Internet culture, it continues to be used for carding activity.
• IRC - An abbreviation for "Internet Relay Chat". IRC is a global system of servers through which users can conduct real-time text-based chat, exchange files, and interact in other ways.
• IDs - Slang for identification documents. Carders market a variety of IDs, including bills, diplomas, driver's licenses, passports, or anything that can be used as an identity document.
• MSR (Magnetic Stripe Reader) - Device that can be used for skimming payment card information and/or encoding track information on plastic.
• Phishing - The extraction of information from a target using a hook (usually an e-mail purporting to be from a legitimate company). Phishers spam the Internet with e-mails in hopes of obtaining information that can be used for fraudulent purposes.
• POS (Point of Sale) - Acronym for a terminal through which credit cards are swiped in order to communicate with processors who approve or decline transactions.
• Proxies - Term used for proxy servers. The use of proxy servers to mask one's identity on the Internet is widely practiced among carders. Many vendors sell access to proxy servers (SOCKS, HTTP, HTTPS) and VPNs (Virtual Private Networks), which aid in hiding the user's actual IP address when committing fraud or other illegal activity on the Internet.
• Track 1/Track 2 data - Track 1 and Track 2 data is the information stored on the magnetic stripe of a payment card that contains the account information.
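Track data is the raw material behind the «dumps», «dump checking» and MSR entries above. As an added example (not code from the slide deck or from its authors), the following Python parses the ISO 7813 Track 1 and Track 2 layouts, verifies the PAN with the Luhn mod-10 check, and masks it. This is the shape of the rule an incident responder or a DLP scanner runs over seized files, POS logs or network captures to decide whether they contain card data, without copying full PANs into the report. The sample records are constructed from public test card numbers and a made-up cardholder name; the regexes and function names are this example's own.

```python
"""Detect and sanity-check ISO 7813 track data ("dumps" in carder slang).

Added example for the slang glossary; not part of the original slide deck.
The sample records below are constructed from public test card numbers
(4111..., 5500...) and a made-up cardholder name, not real dumps.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Track 1, format B:  %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2:  ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check every PAN must pass; a failure means the digits are not a
    card number at all (or a typo in a transcribed dump)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style display form: first 6 (BIN) and last 4 kept, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackRecord:
    track: int
    pan_masked: str
    expiry: str          # YYMM as encoded on the stripe
    service_code: str
    name: Optional[str]  # only Track 1 carries the cardholder name
    luhn_valid: bool


def parse_track(line: str) -> Optional[TrackRecord]:
    """Return a TrackRecord if `line` holds Track 1 or Track 2 data, else None.
    The full PAN never leaves this function; only the masked form is kept."""
    m = TRACK1_RE.search(line)
    if m:
        return TrackRecord(1, mask_pan(m["pan"]), m["exp"], m["svc"],
                           m["name"].strip(), luhn_ok(m["pan"]))
    m = TRACK2_RE.search(line)
    if m:
        return TrackRecord(2, mask_pan(m["pan"]), m["exp"], m["svc"],
                           None, luhn_ok(m["pan"]))
    return None


def scan(lines) -> List[Tuple[int, TrackRecord]]:
    """Scan arbitrary text (a seized file, a POS log, a paste) and report
    every line carrying track data, with the PAN already masked."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        rec = parse_track(line)
        if rec:
            hits.append((lineno, rec))
    return hits


# Constructed sample: two well-formed records, one PAN with a wrong check
# digit (a typo'd or fabricated dump), and one ordinary log line.
SAMPLE = [
    "%B4111111111111111^DOE/JOHN^27011010000000000000?",
    ";5500000000000004=2701101000000000?",
    ";5500000000000005=2701101000000000?",   # last digit wrong: Luhn fails
    "INFO checkout ok order=1842",
]

if __name__ == "__main__":
    for lineno, rec in scan(SAMPLE):
        print(lineno, rec)
```

A hit that fails the Luhn check is still worth logging: sellers pad "demo" dumps with junk, and a mostly-valid batch with a few broken PANs is a typical sign of a transcribed or partially fabricated listing.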

Premise
The evolution of the so-called «hacker's underground» led to new criminal models and approaches in the cybercrime world.
This lesson will analyze the so-called "Underground Economy", its players and scenarios, then zoom in on Bitcoins as well as different "cybercrime currencies".
We will bring to the audience our own experiences in these critical research areas.

Facing the «new world» with 2020
Videoclip: Will you be ready? (Did You Know, 2011)

Unexpected Escalation – «Insecurity by Default»
2011: the «black year» of information leaks: GOVs, MILs, InfoSec, IT Industry
2012, 2013, 2014: trends are more than scary
2012: the year of «mission impossible»
2013: the year of Cryptolockers
2014: the year of Mobile & Cloud Hacking
2015, 2016, 2017, 2018: just name it….
Impressive sequences of IT incidents
No one was able to foresee this escalation
«Impossible» targets have been hacked
Domino effect
The borders among Cybercrime, Hacktivism, Cyber Espionage, Information Warfare and Cyber War are less and less clear
Strong need to review the criminal profiles
We must properly weigh the psychological dynamics behind the attack modalities
We must learn to be proactive
We must learn how to manage a security incident, at once, in a professional manner.

SCADA & Industrial Automation Security, Defense in-depth
Anti-DDoS, (basic) Application Security
Cyber Intelligence, Black Ops
Human Factor, 0days
Insider's profiling, DLP
Cybercrime Intelligence, Compliances

Let's stop dreaming!
In order to «outperform your adversaries», you must know who they are.
And, over the last 10 years, the concept of «attacker» has dramatically changed.
Also, the concept of a «secure system» doesn't exist anymore (IMHO).
Well, actually, it never existed…..? 
Vulnerabilities brought in by vendors
0days market
State-sponsored attacks
DDoS powershot
Cybercrime & Underground Economy
That's why this presentation will focus on something different, trying to walk you through new perspectives, providing case studies as well.

From «words»…

…to «Terminologies»
In the Information Security (InfoSec) world, we have a tremendous problem: the terminology.
Each term has different meanings, depending on the contexts and the actors.
This is not enough, though: in recent years a new trend has emerged, which is adding the prefix "cyber" to most of the terms:
Cybersecurity
Cyber Drills
Cyber Exercises
Cyber Lawyer (OMG!!)
Cyber War
Cyber Terrorism
Cyber Diplomacy (cool!)
Cyber Espionage
Cyber Bullying
Cyber Stalking
Cybersex

Further issues…
No common spelling…
„Cybersecurity, Cyber-security, Cyber Security?"
No common definitions…
Cybercrime is…?
No clear actors…
Cyber – crime/war/terrorism?
No common components?…
In non-English-speaking countries, problems with correctly understanding words and terms arise.

Once upon a time….
I joined the wonderful world of hacking around 1985.
Back in 1996, after the operation «Ice Trap» which led to my (home) arrest in 1995, I jumped back to the underground «scene».
My hacker friends told me they had just begun doing something named «Penetration Test».
I had no idea WTH «that thing» was.
Then I realized someone was glad to pay you in order to «hack» into something.
With rules, though. It was legal.
Paid in order to do what I mostly liked?!? Risk-free??
«You must be kidding!!!!!!!», LOL 

Hacker generations
First generation (70's) was inspired by the need for knowledge.
Second generation (1980-1984) was driven by curiosity plus the hunger for knowledge: the only way to learn OSs was to hack them; later (1985-1990) hacking became a trend.
The third one (90's) was simply pushed by the hunger for hacking, meaning a mix of addiction, curiosity, learning new stuff, hacking IT systems and networks, exchanging info with the underground community. Here we saw new concepts coming, such as hacker e-zines (Phrack, 2600 Magazine) along with BBSs.
Fourth generation (2000-today) is driven by anger and money: often we can see subjects with a very low know-how, thinking that it's "cool & bragging" being hackers, while they are not interested in hacking & phreaking history, culture and ethics. Here hacking meets with politics (cyber-hacktivism) or with the criminal world (cybercrime).

Crime -> Past
"Every new technology opens the door to new criminal approaches".
The relationship between technologies and criminality has always been – since the very beginning – characterized by a kind of "competition" between the good and the bad guys, just like cats and mice.
As an example, at the beginning of the 1900s, when cars appeared, the "bad guys" started stealing them (!)
….the police, in order to counter the phenomenon, defined the mandatory use of car plates…
….and the thieves began stealing the car plates from the cars (and/or "cloning" them).

Crime -> Today
Those "cars" have been replaced by IT and ICT.
Today's "universal currency" is information.
You got the information, you got the power..
(at least, in politics, in the business world, in our personal relationships…)
• Simply put, this happens because "information" can be transformed at once into "something else":
1. Competitive advantage
2. Sensitive/critical information (blackmailing)
3. Money
… that's why all of us want to "be secure".
It's not by chance that it's named "IS": Information Security
Examples? (of course with cyber* as the «main actor»)
USA, China, ……
Stuxnet, Shamoon, etc..
LTT Libya
Telecom Italia/SISMI affair
Vodafone Greece
Belgacom…………….

About Cybercrime: main mistake
We are speaking about an ecosystem which too often is underestimated:
most of the time, it is the starting or the transit point towards different ecosystems:
Information Warfare
Black Ops
Industrial Espionage
Hacktivism
(private) Cyber Armies
Underground Economy and Black Markets
Organized Crime
Carders
Botnet owners
0days
Malware factories (APTs, code-writing outsourcing)
Lone wolves
"cyber"-mercenaries, Deep Web, etc.

Evolution of cyber attacks

Bandwidth and DDoS (2002-2009)
125 Gbit/s (US Gov, 4 July 2009)
300 Gbit/s, Spamhaus/CyberBunker (2013)
http://it.wikipedia.org/wiki/CyberBunker

Once upon a time
Back in those years, we used to find bugs on our own:
Sun Solaris (we [still] love you so much)
HP/UX (harder)
VAX/VMS, AXP/OpenVMS (very few ones)
Linux (plenty of)
etc…
No one was paying us for those findings. It was just phun.
No one was «selling» that stuff.
We used to keep 'em for ourselves, and occasionally «exchange» the exploits with some other (trusted) hackers.

Years later…
A couple of things happened.
Money slowly got involved in this research-based thing.
And, the whole world got «always-on», «interconnected», IT&TLC fully-addicted.
Then, Cybercrime moved to its prime-time age.
Money quickly got involved in this exploits-race thing.

Original «profiles»
Black-hat: those who violate information systems, with or without personal advantage. They are rallied on the "bad" side, crossing over the clear demarcation line between "love for hacking" and the deliberate execution of criminal actions. For these actors, it is normal to violate an information system and to penetrate its most secret meanders, stealing information and, given their hacker's profile, reselling it to foreign countries.
Grey-hat: those who don't want to be labeled as "black or white" and can consider themselves "ethical hackers". They often could have performed intrusions in information systems, but they have decided not to use this approach.
White-hat: also defined as "hunters", they have the necessary skill to be a black-hat, but they have decided to side with "the good guys". They collaborate with the Authorities and the Police, they are in the first row in anti computer-crime operations, they are advisors for governments and companies; in their life they don't usually violate computer systems, or if they do, it is never for criminal purposes or for economic gain.

What the heck has changed then?
What's really changed is the attacker's typology.
From "bored teens", doing it for "hobby and curiosity" (obviously: during the night, Pizza Hut box on the floor and cans of Red Bull)….
...to teenagers and adults, not necessarily "ICT" people or "hackers": they just do it for the money.
What's changed is the attacker's profile, along with its justifications, motivations and reasons.
And, Organized Crime took all of this over 

The actors? Profiling «hackers»

Criminal Profiling VS Hacking
Shared aspects
Seriality: both IT attacks and serial crimes are "serial".
Virtuality: both from a psychological and a moral-ethical perspective, the actors somehow get a «mind distance» from the crimes they are executing.
Different aspects
A hacker's modus operandi is not easy to identify
• The ease of getting access to dedicated software resources (tools), as well as «ready-to-go» infrastructures and resources, makes it much harder to perform a complete analysis of the attack and to profile the threat agent;
• The legislation does not allow a real backtracing of the attacker (Attribution)
Strategies and attack methodologies are different and they reflect the heterogeneous motivations of the offenders.
Crime scene is not a physical place.

HPP v1.0
Back in 2004 we launched the Hacker's Profiling Project - HPP:
http://www.unicri.it/special_topics/cyber_threats/
Since that year:
1,200+ questionnaires collected & analyzed
9 hacker profiles emerged
Two books (one in English)
Profilo Hacker, Apogeo, 2007
Profiling Hackers: the Science of Criminal Profiling as Applied to the World of Hacking, Taylor & Francis Group, CRC Press (2009)

Evaluation and Correlation standards
Modus Operandi (MO)
Lone hacker or as a member of a group
Motivations
Selected targets
Relationship between motivations and targets
Hacking career
Principles of the hacker's ethics
Crashed or damaged systems
Perception of the illegality of their own activity
Effect of laws, convictions and technical difficulties as a deterrent
Mainly from: USA, Italy, UK, Canada, Lithuania, Australia, Malaysia, Germany, Brazil, Romania, China

HPP v1.0 - Zoom: correlation standards
Gender and age group
Background and place of residence
How hackers view themselves
Family background
Socio-economic background
Social relationships
Leisure activities
Education
Professional environment
Psychological traits
To be or to appear: the level of self-esteem
Presence of multiple personalities
Psychophysical conditions
Alcohol & drug abuse and dependencies
Definition or self-definition: what is a real hacker?
Relationship data
Handle and nickname
Starting age
Learning and training modalities
The mentor's role
Technical capacities (know-how)
Hacking, phreaking or carding: the reasons behind the choice
Networks, technologies and operating systems
Techniques used to penetrate a system
Individual and group attacks
The art of war: examples of attack techniques
Operating inside a target system
The hacker’s signature
Relationships with the System Administrators
Motivations
The power trip
Lone hackers
Hacker groups
Favourite targets and reasons
Specializations
Principles of the Hacker Ethics
Acceptance or refusal of the Hacker Ethics
Crashed systems
Hacking/phreaking addiction
Perception of the illegality of their actions
Offences perpetrated with the aid of IT devices
Offences perpetrated without the use of IT devices
Fear of discovery, arrest and conviction
The law as deterrent
Effect of convictions
Leaving the hacker scene
Beyond hacking

The 9 profiles
Offender ID | Lone / Group hacker | Target | Motivations / Purposes
WannaBe Lamer, 9-16 years ("I would like to be a hacker, but I can't") | GROUP | End-User | For fashion, it's "cool" => to boast and brag
Script Kiddie, 10-18 years (the script boy) | GROUP: but they act alone | SME / Specific security flaws | To give vent to their anger / attract mass-media attention
Cracker, 17-30 years (the destructor, burned ground) | LONE | Business company | To demonstrate their power / attract mass-media attention
Ethical Hacker, 15-50 years (the "ethical" hacker's world) | LONE / GROUP (only for fun) | Vendor / Technology | For curiosity (to learn) and altruistic purposes
Quiet, Paranoid, Skilled Hacker, 16-40 years (the very specialized and paranoid attacker) | LONE | On necessity | For curiosity (to learn) => egoistic purposes
Cyber-Warrior, 18-50 years (the soldier, hacking for money) | LONE | "Symbol" business company / End-User | For profit
Industrial Spy, 22-45 years (industrial espionage) | LONE | Business company / Corporation | For profit
Government Agent, 25-45 years (CIA, Mossad, FBI, etc.) | LONE / GROUP | Government / Suspected Terrorist / Strategic company / Individual | Espionage / Counter-espionage / Vulnerability test / Activity-monitoring
Military Hacker, 25-45 years | LONE / GROUP | Government / Strategic company | Monitoring / controlling / crashing systems

Profile | May be linked to | Will change its behavior? | Target (new) | Motivations & purposes
Wanna Be Lamer | - | No | - | -
Script Kiddie | Urban hacks | No | Wireless Networks, Internet Café, neighborhood, etc.. | -
Cracker | Phishing, Spam, Black ops | Yes | Companies, associations, whatever | Money, Fame, Politics, Religion, etc…
Ethical Hacker | Massive Vulnerabilities | Probably | Competitors (Telecom Italia Affair), end-users | Big money
Quiet, Paranoid, Skilled Hacker | Black ops | Yes | High-level targets | Esoteric requests (i.e., hack "Thuraya" for us)
Cyber-Warrior | CNIs attacks, Gov. attacks | Yes | "Symbols": from the Dalai Lama to the UN, passing through CNIs and business companies | Intelligence?
Industrial Spy | - | Yes | Business company / Corporation | For profit
Government Agent | - | Probably | Government / Suspected Terrorist / Strategic company / Individual | Espionage / Counter-espionage / Vulnerability test / Activity-monitoring
Military Hacker | - | Probably | Government / Strategic company | Monitoring / controlling / crashing systems

Deterrence
Profile | Effect of laws | Effect of convictions suffered by other hackers | Effect of convictions suffered by them | Effect of technical difficulties
Wanna Be Lamer | NULL | NULL | ALMOST NULL | HIGH
Script Kiddie | NULL | NULL | HIGH: they stop after the 1st conviction | HIGH
Cracker | NULL | NULL | NULL | MEDIUM
Ethical Hacker | NULL | NULL | HIGH: they stop after the 1st conviction | NULL
Quiet, Paranoid, Skilled Hacker | NULL | NULL | NULL | NULL
Cyber-Warrior | NULL | NULL | NULL | NULL: they do it as a job
Industrial Spy | NULL | NULL | NULL | NULL: they do it as a job

HPP v2.0: what happened?
VERY simple:
Lack of funding: for phases 3 & 4 we need support!
HW, SW, Analysts, Translators
We started back in 2004 with «romantic hackers», though we did foresee those «new» actors: .GOV, .MIL, Intelligence.
We missed out:
Hacktivism (!);
Cybercriminals beyond the «hobbyist» approach;
OC;
The financial aspects (Follow the Money!!);
Cyberterrorists (do they really exist?)

HPP v2.0: next enhancements
Going after Cybercriminals:
Kingpins & Master minds (the "Man at the Top")
o Organized Crime
o MO, Business Model, Kingpins – "How To"
Techies hired by Organized Crime (i.e. Romania & skimming at the very beginning; Nigerian 419-like cons; Ukraine Rogue AV; Pharma ADV Campaigns; ESTDomains in Estonia; POS malware; etc..)
Structure, Infrastructures (links with Govs & Mils?)
Money Laundering: Follow the money (E-mules & new ways to "cash-out": mPOS, vPOS, etc..)
Outsourcing: malware factories (Stuxnet? DuQu?? Lingbo? Regint? What about all of the rest…??)

And, it's not just «hackers»

→ Why "Cybercrime"?
Cybercrime
"2011 Cybercrime financial turnover apparently scored higher than the Drug dealing, Human Trafficking and Weapons Trafficking turnovers"
Various sources (UN, USDOJ, INTERPOL, 2011)
Financial Turnover, 2011 estimation: 6-12 BLN USD/year
«Cybercrime ranks as one of the top four economic crimes»
PricewaterhouseCoopers LLC, Global Economic Crime Survey 2011
2018: (at least) 80B USD/year

Cybercrime Key points
Cybercrime:
"The use of IT tools and telecommunication networks in order to commit crimes in different manners".
The axiom of the whole model:
"acquiring different types of data (information), which can be transformed into money."
Key points:
Virtual (pyramidal approach, anonymity, C&C, flexible and scalable, moving quickly and rebuilding fast, use of "cross" products and services in different scenarios and different business models)
Transnational
Multi-market (buyers)
Differentiating products and services
Low "entry-fee"
ROI/Return on Investment (on each single operation, which means that, exponentially, it can be industrialized)
Tax & (cyber) Law haven

Cybercrime's scenario
HIGHLY COMPLEX
Actors
o We'll speak about this later
Motivations
o Fame
o Money
o Ideals
o Nothing (?)
Products/Services
o Campaigns on Affiliation, Traffic Generation/Boosting, Advertising, etc…
o Dozens of services and products available: human creativity definitely works!
o We'll see many of them today
Legislations
o Not present in all the Countries for all of the crimes
o Lack of international cooperation
o Cybercrime: deep presence in Countries with internal issues

«Deliverables» of Cybercrime
ID theft
o Personal Info
Credit Identity theft
o Financial Info: e-banking logins, CC/CVV, «fullz», etc
Hacking
o Towards e-commerce, e-banking, Credit Processing Centers
Industrial Espionage
Malware
o Virus, Worm, Spyware, Key Loggers, Rogue AV, Botnets, Mobile
Hacking on-demand
DDoS attacks
o Blackmail, Hacktivism
Spam
Counterfeiting
o medicines, luxury, products & services
Gambling
o Money laundering
o Fake sites / not authorized by National authorities
Generic porn
o fake sites, etc
Child pornography (minors and infants)

Today's scenario (cybercrime)
ABN AMRO case study

Getting Cybercrime's ROI

Why is all of this happening?
Because users are stupid (or «naive», uneducated, not aware, etc…)
Videoclip: the «wizard» from Belgium

Cybercrime: reasons
1. There are new users, more and more every day (thanks to broadband, 3G/LTE and «always-on»): this means the total amount of potential victims and/or attack vectors is increasing.
2. Making money, "somehow and straight away" (WW economic crisis…).
3. Technical know-how publicly available & ready-to-go, even when talking about average-high skills (0-days, Internet distribution system / Black Markets): that's what I name "hacking prêt-à-porter".

Cybercrime: reasons/2
4. It's extremely easy to recruit "idiots" and set up groups, molding those adepts upon the bad guy's needs (think about e-mules) (Newbies, Script Kids)
5. "They will never bust me" (Psychology, Criminology)
6. Lack of violent actions (Psychology and Sociology)

Cybercrime Business Model
→ The «RBN model» (Russian Business Network)

OC (Organized Crime) meets with Cybercrime
→ Command chain (and operating phases)

OC (Organized Crime) meets with Cybercrime
→ Approach by «operative macro-units»

Cybercrime Business Model 2

Examples (real ones)

Examples (real ones)
In order to certify their own credibility, "vendors" often provide "demo" credit cards.
This means that the buyer is able to verify the seller is "in good faith".
Here we can see that the demo provided by the seller includes every kind of data related to the owner of the credit card ("Fullz").

Examples (real ones)
BOA, CITI, CHASE.COM LOGIN
EMAIL+PASS
FULLS COMPLETE
BALANCE: $25000 verified
PRICE: $525
US visa/US master $2.5 Random
ITALY cc $17

Diebold and Russia
…while not forgetting about the malware on Diebold ATMs (2009-2012?)

Workshop Riga –Latvia26/10/2018 –© 2012-2018 Security Brokers
Examples(realones)

Workshop Riga –Latvia26/10/2018 –© 2012-2018 Security Brokers
$146K USD/Week
Examples(realones)

Workshop Riga –Latvia26/10/2018 –© 2012-2018 Security Brokers
Examples(realones)

Examples (real ones)
Recently a cybercrooks gang has been accused of a Fake AV Fraud campaign: investigators said the revenue has been around 100 USD Millions, over one year.

Examples (real ones)
[Figure: organisation chart of a carding forum. Site Management (1st Level): Admins run the escrow service and control membership; Global Moderators supervise content and arbitrate disputes; Moderators monitor individual topic areas; Reviewers assess the quality of vendor products; Reviewed Vendors and Trial Vendors have permission to sell goods/services to forum members; Members are fraudsters, hackers/coders/data thieves.]

Examples (real ones)
Templates used to manufacture cloned cards
Blanks produced
High quality holograms
“Dumps” data used to encode on magstripe, embosser used to print card details on front

Examples (real ones)
Early Arrests
Markus Kellerer aka Matrix001 & Five Others, May 2007-Oct. 2007, Germany, Co-Founder
Renu Subramaniam aka JiLsi, July 2007, United Kingdom, Founder

Examples (real ones)
Max Butler, aka Iceman, September 2007, San Francisco/Richmond, Founder of CardersMarket, $86 Million in actual Fraud Loss

Examples (real ones)

Examples (real ones): March / May 2010
March/May 2010, Turin (North-West of Italy)
Turin has the biggest Romanian community in Italy.
We also have a very big Nigerian community.
Historically, Romanian gangs drive the business of ATM skimmers…
…and Nigerians the Cocaine business.
After a joint FBI/US Secret Service/Interpol/Italian Postal Police operation, the Romanians decided to “sell” the business to the Nigerians.
Cloned cards were paid for with Cocaine.
This happens because the Romanians also run the prostitution business…
…and prostitutes’ customers want coke as well.
Compared to these guys, Scarface was nearly a kid.

Differences
→ Cybercrime ≠ “hackers”

What came up in 2015?
«Malware evolution» on POS systems

Malware evolution on POS

Point-of-Sales related Crimes

Cashing out
NFC, the next nightmare

Who’s who

…From RBN up to now… things evolved

Videoclip time!

0days market

The pricing debate
I think all of you remember this:
Source: Forbes, “Shopping For Zero-Days: A Price List For Hackers’ Secret Software Exploits”, 2012, in http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits

The pricing debate
What about this? (CHEAP but LAME, India’s ones)

Where’s the truth?
What’s the right approach with «pricing»?

0-days scenarios
Who would buy/trade/whatever this stuff from someone who found a vuln -> exploit -> 0day?
Some hacker folks (which, eventually, may resell it to one of the following):
IT Vendors
Security Vendors
Big Internet players
0days «brokers»
LI private companies
Law Enforcement Agencies (LEAs)
Intelligence Agencies (IAs)
Cybercrime / Organized Crime (drugs cartels in Mexico, ever heard about?)
Pwning contests, CTFs, etc.
(Hacktivists?)

Getting the big picture
→ 0-day Markets
[Figure: a 0-day software «Bug» and its possible destinations: Vendors, CERT (ICS-CERT), National Institutions (leading to a Patch, Software Rel x.y.z); Black Market (Cybercrime); Black Market (underground); White (?) Market.]

A different (more serious?) approach
Buyer’s typology:
IS = IT Security companies
INT = Intelligence Agencies for Governmental use (National Security protection)
MIL = MoD/related actors for warfare use
OC = Cybercrime

Public Knowledge of the vulnerability | Buyer | 0-day Exploit code + PoC Cost: Min/Max
Y | IS  | 10K – 50K USD
Y | INT | 30K – 150K USD
Y | MIL | 50K – 200K USD
Y | OC  | 5K – 80K USD
N | ALL | X2 – X10

A different (more serious?) approach
Vulnerability relies on:
Operating System (OS)
Major General Applications (MGA)
SCADA-Industrial Automation (SCADA)
Buyer’s typology:
IS = IT Security companies
INT = Intelligence Agencies for Governmental use (National Security protection)
MIL = MoD/related actors for warfare use
OC = Cybercrime

Public Knowledge of the vulnerability | Vulnerability relies on | Buyer | 0-day Exploit code + PoC Cost: Min/Max
Y | OS    | OC  | 40K – 100K
Y | MGA   | INT | 100K – 300K
Y | SCADA | MIL | 100K – 300K
N | OS    | MIL | 300K – 600K
N | SCADA | MIL | 400K – 1M

Not a «very well known» world

Finfisher

Global, dirty business
“Mass interception of entire populations is not only a reality, it is a secret new industry spanning 25 countries.”
“It's estimated that the global computer surveillance technology market is worth $5 billion a year.”

Who do you wanna sell (your 0days) to?

On Bitcoins

Bitcoins
A peer-to-peer digital currency that is pseudo-anonymous.
The identity of the individual is disguised, but his/her transactions are open to the public.
It is anonymous to the extent that it is difficult to relate a digital identity to an actual person.
Bitcoins have huge implications on money laundering.
Various government institutions around the world are starting to view it as an area requiring regulation.

Bitcoins
Bitcoins are created through a process of ‘mining’, in which users who provide their computing power verify and record payments into a public ledger in exchange for transaction fees in newly minted bitcoins.
This process is akin to a central bank printing new money, but is less centralised.

On Bitcoins: why is it important to business?
Botnets steal your computing power to either:
1) ‘Mine’ more bitcoins. Similar to SETI, but more nefarious.
2) Conduct various cyber crimes
If your networks are insecure, you are indirectly facilitating cyber criminals.

Bitcoins
Round-tripping with Bitcoins
The full presentation of this project is available in the Annexes (WEF – Bitcoins Tracking Project)
[Figure: the round-tripping flow. Illegal money acquired through click fraud, carding, etc. → Exchanger (verified exchanger or peers, e.g. Mt Gox, Coinbase, Bitstamp or anyone else willing) → Bitcoin Account → Bitcoin “Smurfed” Account → Cash out (money transferred or taken out from the Exchanger).]

Round-tripping with Bitcoins
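The point of the round-tripping slides is that the ledger is public even though the owners are not: an investigator who knows one exchanger address can follow the funds through the “smurfed” accounts to the cash-out. This added example (not part of the original deck) does exactly that on a constructed toy ledger; the addresses, amounts and the structuring thresholds are invented for illustration.

```python
from collections import defaultdict, deque

# Constructed toy ledger (not real chain data): (txid, sender, receiver, amount in BTC).
# The flow mirrors the slide: dirty money -> exchanger -> wallet -> "smurfed" wallets -> cash-out.
LEDGER = [
    ("t1", "exchA_deposit", "W1", 50.0),   # exchanger credits the launderer's wallet
    ("t2", "W1", "S1", 12.0),              # smurfing: one balance split into small pieces
    ("t3", "W1", "S2", 13.0),
    ("t4", "W1", "S3", 12.5),
    ("t5", "W1", "S4", 12.5),
    ("t6", "S1", "exchB_cashout", 12.0),   # each piece cashed out at another exchanger
    ("t7", "S2", "exchB_cashout", 13.0),
    ("t8", "S3", "exchB_cashout", 12.5),
    ("t9", "S4", "exchB_cashout", 12.5),
    ("t10", "alice", "bob", 0.3),          # unrelated legitimate traffic, must not be flagged
    ("t11", "bob", "exchB_cashout", 0.3),
]


def build_graph(ledger):
    """Adjacency list: sender address -> list of (receiver, amount, txid)."""
    out = defaultdict(list)
    for txid, src, dst, amt in ledger:
        out[src].append((dst, amt, txid))
    return out


def trace_forward(ledger, start, known_exchangers):
    """Follow funds from `start` hop by hop until they land on a known exchanger address.

    Returns (intermediate addresses touched, txids of the cash-out transfers).
    Tracing only forward from the seed keeps unrelated traffic out of the result.
    """
    graph = build_graph(ledger)
    seen, queue, cashouts = {start}, deque([start]), []
    while queue:
        addr = queue.popleft()
        for dst, _amt, txid in graph[addr]:
            if dst in known_exchangers:
                cashouts.append(txid)       # funds left the chain here
                continue
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen, sorted(cashouts, key=lambda t: int(t[1:]))


def smurfing_candidates(ledger, min_outputs=3, ratio=0.9):
    """Flag addresses that receive a lump sum and fan it out as `min_outputs` or more
    smaller transfers totalling at least `ratio` of the inflow (structuring pattern).
    Thresholds are illustrative, not a tuned detection rule."""
    received, sent = defaultdict(float), defaultdict(list)
    for _txid, src, dst, amt in ledger:
        received[dst] += amt
        sent[src].append(amt)
    flagged = {}
    for addr, outs in sent.items():
        total_in = received.get(addr, 0.0)
        if (total_in > 0 and len(outs) >= min_outputs
                and sum(outs) >= ratio * total_in
                and max(outs) < total_in / 2):   # no single output dominates
            flagged[addr] = len(outs)
    return flagged


if __name__ == "__main__":
    hops, outs = trace_forward(LEDGER, "exchA_deposit", {"exchB_cashout"})
    print("intermediate addresses:", sorted(hops))
    print("cash-out txids:", outs)
    print("smurfing candidates:", smurfing_candidates(LEDGER))
```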

Summarizing on Bitcoins
While Bitcoins can be used legitimately, they are used by cyber criminals to launder money.
An unsecured network can be used by the same cyber criminals, thereby indirectly increasing their gains.
More regulation is required in the area.
We would like to use international credit card fraud data to further examine the extent to which Bitcoins are related to fraud.
The data has been difficult to obtain so far.

How do you pay for cybercrime services/products?
CASH (F2F)
Offshore bank accounts
Underground currencies (digital)
NOTE: it’s not just about Bitcoins!

HAWALA

Learning from terrorism financial models

“Underground” currencies
Bad guys hacking bad guys

Cashing out

Investigative opportunities

«Follow the money»
Judge Giovanni Falcone, killed by Italian mafia with a bomb on the highway in Sicily on May 23rd, 1992.

«Follow the money!»

Credit Cards & goods

Main approaches to cash-out

Insights

Click-Fraud campaigns
Click Forensics stats tell us that back in 2008, the Cybercrime gained $33 Millions from Click Fraud campaigns.

«Traffic» re/sellers
Traffic from web sites/users in US, UK, AU, CA and DE.
1000 visits at 7$
Minimum buy: 5.000 visits.
In this case «Traffic» is sold, meaning the quantity of HTTP requests of unaware users on regular but compromised (hacked) web sites. Those requests are redirected to malicious domains (owned by the buyer of the service), which usually host «Exploit Kits».
Very often they produce sold traffic via MSN, FB and Linkedin spam as well.

Spam campaigns
Among the higher revenue business models for a Botnet master, there is Spam.
Here we can see an organization named «EvaPharmacy» which offers «affiliations for Botnets».
In exchange for a spam campaign, they offer 45% on every sold product between 60$ and 100$ which is coming from their own campaign.
85% of global Spam’s source is estimated as Botnets.

Global Business

Money Mules: «very normal people?»

Complex management
Phisher

OSINT and investigations
“Open sources can provide up to 90% of the information needed to meet most U.S. intelligence needs”
--Deputy Director of National Intelligence, Thomas Fingar

OSINT, social and mules

Sometimes, easy to catch…
Criminal Persona | Real Persona
Money Mule | Yulia Klepikova
Going «social»

Social media
“Social Media are a set of Web 2.0 platforms, thanks to which users interact directly, producing and sharing contents of their own and/or editing other ones, in real time”. (wikipedia)
This is certainly true, but….
Why are they (mostly) free?
Who owns them (really?)
Who controls them (really?)
What do they do with everybody’s social graphs and behaviours?
And with all of that information?
What about all of those pictures?
What’s written inside their EULAs?
Are they filtered?
Are they neutral?
Are they secure?

Social Networks as weapons?

SN = Cybercrime heaven (and IAs!)

Social as (possible) business risk

Social and the risks for the users (unaware, newbies…)

Phishing via FB

Spear phishing («sender»: Facebook)

Spear phishing on professional SN (Linkedin)

Twitter and PsyOps

Associated Press, Twitter and NYSE
The hijacking of the AP Twitter account caused a loss of 53B$ at the NYSE….
Who gained from this??

The «Alpitour» case study

The «Alpitour» case study: MO and goals
Gang # 1 (North Africa) hacks on September 11, 2013, the Facebook profile of the Travel Company Group (Viaggidea, Francorosso, Villaggi Bravo, Alpitour) gaining full control (Spear Phishing attack).
- They start posting fake offers (look at those irresistible beach images and those special prices you can’t miss!); the links drove the users to a new variant of Zeus malware
- Average of 120.000 users exposed to serious risks
- Over the next 48 hours, many messages were posted on different social profiles of the Group; later the Group canceled those messages from FB, while they had been visible for weeks from the Alpitour Twitter, since they had configured an auto-post feature.
Gang # 2 (Gulf area) 13-14 September, 2013
- Those posts from these dates look much different (grammar, contents).
- Probably Gang #1 sold the access to Gang #2. Posts show a very bad Italian language and grammar. Later, the attacker(s) published some posts in Arabic, and committed grammar mistakes when writing in English (i.e. "bages" rather than pages).
- In this second abuse case, the gang used the infected accounts in order to send «trusted» malicious links, thus gaining the full control of the target devices in order to send massive spam.

Web reputation, indexing, media/press, posts, social…

One year later

Wrap up: solutions
Full review of your own approaches and models (new threats, new scenarios)
Risk Management “2.0” and Crisis Management policies (cyber): PR, Legal, Security, Board
Social Networks
Web Applications (OWASP, S-SDLC, Secure Coding!!!)
Apps (especially if from the banking industry)
In-security on e-banking customer’s client-side (OS, routers, Phishing)
Anti-DDoS procedures
Security Testing (stop “low budget” = low quality!)
Use of methodologies! (OSSTMM + RAVs)
Talk to each other (IT, Security, PR and Marketing: all together…)
“Cyber” crisis simulations
Procedures and Dedicated Teams on Digital Forensics (ahead of an incident, not later!!)
Cybercrime Intelligence
IPv6

Acknowledgements
(Bitcoin research and Underground currencies)
Dr George Li, BSc (Syd), BCom (Syd, Hons. I), PhD (Syd)
Antonio Guerrero, PG Dip Management, MGSM, MBA (2014), MGSM
Fyodor Yarochkin (the “Xprobe2” guy)

Reading Room /1
●The commercialization of Digital Spying, Morgan Marquis-Boire, Claudio Guarnieri, Bill Marczak, John Scott-Railton, Citizen Lab, Canada Center for Global Security Studies, Munk School of Global Affairs (University of Toronto), 2013
●No Place to Hide: Edward Snowden, the NSA and the Surveillance State, Glenn Greenwald, Penguin Books, 2014
●Kingpin, Kevin Poulsen, Hoepli Editore, 2012
●Profiling Hackers: the Science of Criminal Profiling as applied to the world of hacking, Raoul Chiesa, Stefania Ducci, Silvio Ciappi, CRC Press/Taylor & Francis Group, 2009
●H.P.P. Questionnaires 2005-2010
●Fatal System Error: the Hunt for the new Crime Lords who are bringing down the Internet, Joseph Menn, Public Affairs, 2010
●Stealing the Network: How to 0wn a Continent, (an Identity), (a Shadow) (V.A.), Syngress Publishing, 2004, 2006, 2007
●Stealing the Network: How to 0wn the Box, (V.A.), Syngress Publishing, 2003
●Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier, Suelette Dreyfus, Random House Australia, 1997
●The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, Clifford Stoll, Doubleday (1989), Pocket (2000)
●Masters of Deception: the Gang that Ruled Cyberspace, Michelle Slatalla & Joshua Quittner, HarperCollins, 1995
●Kevin Poulsen, Serial Hacker, Jonathan Littman, Little & Brown, 1997
●Takedown, John Markoff and Tsutomu Shimomura, Sperling & Kupfer, (Hyperion Books), 1996
●The Fugitive Game: online with Kevin Mitnick, Jonathan Littman, Little & Brown, 1997
●The Art of Deception, Kevin D. Mitnick & William L. Simon, Wiley, 2002
●The Art of Intrusion, Kevin D. Mitnick & William L. Simon, Wiley, 2004
●@ Large: the Strange Case of the World’s Biggest Internet Invasion, Charles Mann & David Freedman, Touchstone, 1998

Reading Room /2
●The Estonia attack: Battling Botnets and online Mobs, Gadi Evron, 2008 (white paper)
●Who is “n3td3v”?, by Hacker Factor Solutions, 2006 (white paper)
●Mafiaboy: How I cracked the Internet and Why it’s still broken, Michael Calce with Craig Silverman, 2008
●The Hacker Diaries: Confessions of Teenage Hackers, Dan Verton, McGraw-Hill Osborne Media, 2002
●Cyberpunk: Outlaws and Hackers on the Computer Frontier, Katie Hafner, Simon & Schuster, 1995
●Cyber Adversary Characterization: auditing the hacker mind, Tom Parker, Syngress, 2004
●Inside the SPAM Cartel: trade secrets from the Dark Side, by Spammer X, Syngress, 2004
●Hacker Cracker, Ejovi Nuwere with David Chanoff, Harper Collins, 2002
●Compendio di criminologia, Ponti G., Raffaello Cortina, 1991
●Criminalità da computer, Tiedemann K., in Trattato di criminologia, medicina criminologica e psichiatria forense, vol. X, Il cambiamento delle forme di criminalità e devianza, Ferracuti F. (ed.), Giuffrè, 1988
●United Nations Manual on the Prevention and Control of Computer-related Crime, in International Review of Criminal Policy – Nos. 43 and 44
●Criminal Profiling: dall’analisi della scena del delitto al profilo psicologico del criminale, Massimo Picozzi, Angelo Zappalà, McGraw Hill, 2001
●Deductive Criminal Profiling: Comparing Applied Methodologies Between Inductive and Deductive Criminal Profiling Techniques, Turvey B., Knowledge Solutions Library, January 1998
●Malicious Hackers: a framework for Analysis and Case Study, Laura J. Kleen, Captain, USAF, US Air Force Institute of Technology
●Criminal Profiling Research Site. Scientific Offender Profiling Resource in Switzerland. Criminology, Law, Psychology, Täterpro

Contacts, Q&A
Need anything, got doubts, wanna ask us smth?
rc[at] security-brokers [dot] com
sg[at] security-brokers[dot] com
Thanks for your attention!
QUESTIONS?