Combating Cyber Threats: Cyber Threat Information Program

amirrullohacmad 27 views 84 slides May 02, 2024

Slide Content

UNCLASSIFIED
UNCLASSIFIED
Kansas City Terrorism Early Warning
Inter Agency Analysis Center
Cyber Threat Information Program
Missouri City/County
Manager’s Association
CYBER BRIEFING
May 7, 2015

Recent Cyber Events
•South Carolina DOR: 3.6 million SSNs stolen and tax returns exposed (direct cost = $14 million, user fraud loss = $5.2 billion).
•Shamoon (aka Wiper): steals credentials and wipes the boot record; 30,000 to 50,000 computers hit at Saudi Aramco and RasGas.
•Banking DDoS against JP Morgan/Chase, PNC, Wells Fargo, Bank of America. Total of 8 banks attacked.

Recent Cyber Events
•Target (40 million credit cards) and other retailers.
•City of Wichita (> 60,000 vendor financial records).
•14 banks, 12 cities and 10 police departments
disabled during the Ferguson unrest.

VIDEO 1

So What?
•Computer network exploitation by threat actors enables:
•Massive financial losses
•Degradation/disruption of services
•Extortion
•Intellectual property theft
•Counterfeiting
•Theft of proprietary data
•Identity theft (personally identifiable information)
•Access to credit
•Loss of money and credibility

Agenda
•Threat Landscape
•Actors (Bad Guys)
•Attack types (Bad Stuff that Bad Guys do)
•Vulnerabilities (The things that Bad guys attack)
•Cyber Threats and Trends (The Future)
•What Can You Do?

EVALUATE YOUR RISK.
THREAT + VULNERABILITY + CONSEQUENCE = RISK

CYBER THREAT LANDSCAPE

Cyber Threat Landscape
•Cyber Threat Actors
•State Sponsored
•Terrorist/Violent Extremists
•Insider Threat
•Hackers
•Hacktivists
•Criminals / Organized Crime

Hacker Evolution


Cyber Threat Motivations
•Notoriety
•Political Statement
•Money: Banks, Credit Cards, Extortion, etc.
•Intellectual Property / Trade Secrets
•Information for Negotiating Positions
(competitive advantage)
•Infrastructure Attack –Terrorism

Cyber Threat Motivations (Intent)
[Matrix slide: motivations by actor type (Nation-State, Terrorists, Insiders, Hackers, Hacktivists, Criminals). Rows: Commercial Espionage; Fun/Curiosity/Ego (1 actor type marked); Money (5 marked); Retaliation/retribution (3 marked); Political Statement (2 marked); Intellectual Property (4 marked); Negotiation Information (2 marked); Deny, Disrupt, Degrade, Destroy (4 marked). Which actor column carries each mark is not recoverable from the extracted text.]

Cyber Targets
•Government Networks
•Federal
•State
•Local
•Tribal and Territorial
•Critical Infrastructure and Key Resources (CIKR)
Networks
•Over 85% owned by private sector
•Industrial Control Systems/SCADA
•Embedded systems
•Business and Home Networks

Cyber Threats
•Supply Chain Exploitation
•Cyber exploitation, manipulation, diversion, or substitution of
counterfeit, suspect, or fraudulent items impacting US CIKR
•Disruption
•Distributed Denial of Service (DDOS) attack (effort to prevent site
or service from functioning efficiently or at all, temporarily or
indefinitely)
•Cyber Crime
•Criminals seeking sensitive, protected information for financial
gain

•Corporate Espionage
•Threat actors targeting US companies to gather intelligence and
sensitive corporate data for competitive advantage
•Advanced Persistent Threat
•Stealthy, coordinated cyber activity over long period of time
directed against political, business, and economic targets
•Industrial Control Systems/SCADA
•Threat actors disrupt ICS/SCADA based processes
Cyber Threats

Devices, Systems and Networks
•Desktops/Laptops
•OS/App
•Servers
•OS/App
•Printers
•Routers
•VPN
•DNS system
•PSAPs (Public Safety Answering Points)
•Public Notification Systems
•Mobile devices
•Household appliances
•Televisions
•Refrigerators
•Baby monitors

Embedded Systems
Computers built into other systems
Examples:
•Digital X-ray Machines, Medical Devices
•Computer Controlled Industrial Equipment
•Automobiles
•ATMs
•Printer/copier/fax machines
The underlying computer is likely to have unpatched vulnerabilities because it is not on the System Administrator's list of "computers," or because the system can only be upgraded by the vendor.

Industrial Control Systems (ICS)
Controls processes such as manufacturing, product handling, production, and distribution. Industrial Control Systems include Supervisory Control and Data Acquisition (SCADA) systems.
Examples
Robotic assembly lines
Water treatment
Electric Power Grid
Building controls

Internet Connected Communications
Communications systems that are not typically considered computer networks but are, nonetheless, connected to external networks such as the Internet.
Examples:
•Telephone switching: PBX, VoIP
•Emergency notification systems
•First responder communications (Trunked voice/data
terminals)

Targeting and Attack Techniques
•Social engineering
•Spear phishing
•Spoofing e-mail accounts
•Exploiting vulnerabilities
•Malware
•Downloaders, Trojans, Keyloggers, etc.
•External memory devices (USB)
•Supply-chain exploitation
•Leveraging trusted insiders
•Denial of Service
•Mobile Device Attacks

Advanced Persistent Threat (APT)
•Category of cyber attack against political, business, or economic
targets
•Federal agencies
•State agencies
•City governments
•Commercial and non-profit organizations
•Actors use full spectrum of computer intrusion techniques and
technology
•Characterized by focus on specific information objectives rather than
immediate financial gain
•Stealthy, coordinated, focused activity over a long period of time
•Operators are skilled, motivated, organized, well-funded

Advanced Persistent Threat (APT)
•Information objectives include:
•Gov’t policy/planning
•Corporate proprietary data
•Contract data
•International meetings (G20, IMF,
Climate Change)
•Sabotage
•Espionage
•Use of compromised
computers as intermediate hop
points in future compromises

Advanced Persistent Threat (APT)
Methodology
•Reconnaissance
•Initial intrusion into network
•Establish backdoor into the network
•Obtain user credentials (login ID, passwords)
•Escalate privileges, move laterally through the network
•Search for and exfiltrate data
•Maintain persistence

Advanced Persistent Threat (APT)
Examples of APT in open reporting
•Operation Aurora (Damballa)
•Finance, Technology, Media; 30+ countries
•LURID APT (Trend Micro)
•Diplomatic, Government, Space-related agencies and companies; 61 countries
•Nitro (Symantec)
•Gas, Oil, Energy, Chemical sectors; 8 countries
•Shady RAT (Symantec)
•Governments, corporations, nonprofits; 14 countries
•FLAME (Kaspersky)
•Mid-eastern countries

VIDEO 2

Cyber Threats and Trends

Trends
•ENORMOUS increase in cyber attacks/crime, both in numbers and sophistication.
•State-sponsored attacks likely to increase. (Cyber warfare is real now.)
•Cyberweapon toolkits are commonplace, utilized not only by state-sponsored attackers but by any entity with medium/high skills.
•Cyber Crime as a Service is a full-fledged business model.
•Anyone can use point-and-click services to deliver a devastating attack.

Trends
Nation-States That Have Declared Offensive Cyber Capability
•Iran
•India
•UK
•China
•Russia
•U.S.A.
•Australia
•Italy
•France
•Syria
•Germany
•Israel

Trends
Hacktivists / Jihadists
•Alliances with ideologically similar groups
•More Skilled
•More Organized
•More Aggressive
•More of them

Trends
Cyber Criminals
•Can occasionally approach the sophistication, if not the endurance, of state-sponsored attackers
•Adding much more emphasis to mobile
devices.
•Adds a physical dimension to the Cyber realm.

Trends
Shift in targeting preferences
•State / Local
•State networks
•Local Municipalities / Agencies
•FD, PD, Cities, NGOs
•Universities, Colleges, Vo-Tech
•Businesses

COMMON
ATTACK TYPES /
MITIGATION
STRATEGIES

Attacks from outside the firewall

Big Three Most Common Attacks
DDoS: Distributed Denial of Service
SQL-I: Structured Query Language Injection
Defacements

Commonly Seen Attacks
Attack Type (TTP: Tactics, Techniques, Procedures)
What is it?
Who uses them?
Preferred targets?
Consequences?
Prevention / Mitigation.

Distributed Denial of Service (DDoS)
WHAT IS IT?
A DDOS attack tries to render a website either inoperable or
inaccessible by using large numbers of computers sending
overwhelming numbers of requests at a computer.
The target can become so busy trying to answer bogus requests
that it cannot answer valid user requests and the website is
unusable.

Distributed Denial of Service (DDoS)
WHO USES IT ?
Used to be well-resourced adversaries (state-sponsored, cyber crime enterprises).
More recently seen from hacktivists (Anonymous affiliates).
Anyone with $200-$800 can rent a botnet with 10,000 computers for a day to attack anyone.

Distributed Denial of Service (DDoS)
Examples?
During unrest associated with the Ferguson, MO shooting:
15 Banking institutions
State, Counties, Cities, Police departments (at least 12)
Educational institutions

Distributed Denial of Service (DDoS)
Prevention
Can't be prevented: plan for it.
Establish connections with multiple ISPs.
Ensure that service level agreements (SLAs) with ISPs contain provisions for DDoS prevention (such as IP address rotation).
Assure the network has redundant systems and sufficient excess capacity.

Distributed Denial of Service (DDoS)
Prevention
•Enable rate limiting at the network perimeter
•Create backup remote site networks with multiple address
capability
•Segment web services across multiple machines and
networks
•Host public facing websites with ISPs having capability to withstand significant DDoS attacks

Distributed Denial of Service (DDoS)
MITIGATION
Execute ISP address rotation.
Block source IP addresses that are generating DDoS traffic at the network boundary or within the ISP infrastructure. (DDoS attacks can come from tens of thousands of addresses that rotate randomly, making this strategy difficult to implement.)
Acquire increased bandwidth from the ISP. (This solution is limited by your own servers' ability to handle the increased traffic.)

SQL Injection (SQL-I)
WHAT IS IT?
A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code in the Web application; because the malicious input arrives as an ordinary Web request, it bypasses the firewall.
Used to steal information from a database and/or to gain access to an organization's host computers through the computer that is hosting the database.

SQL Injection (SQL-I)
Who uses it?
State sponsored, cyber criminals, Hackers,
Hacktivists, Jihadists, Anonymous, script-kiddies
Very effective tools are freely available
Recipes for finding targets (called Google dorks) are all over the open Internet.

SQL Injection (SQL-I)
Local Examples?
KCKPD
Release of Accident records and related personal
information
Wichita
Release of vendor/personal financial information

SQL Injection (SQL-I)
Prevention
Limit database services
Assure all applications and operating systems are patched to current level
Keep an eye out for announced vulnerabilities
Dynamic monitoring at the firewall or application server
Threat detection services
Application configuration security (passwords)
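The insecure query and its parameterized fix side by side, as an added Python example that is not from the briefing: it shows the unauthorized-SQL-command problem described under "What is it?" and an application-level check of the kind the "dynamic monitoring" prevention item refers to. The reports table, its rows and the looks_like_injection helper are constructed for illustration.

```python
import sqlite3

# Constructed sample data standing in for the records behind a public
# web lookup form (illustrative only, not data from the briefing).
SAMPLE_ROWS = [
    ("RPT-0001", "Doe, Jane", "public"),
    ("RPT-0002", "Roe, Richard", "restricted"),
    ("RPT-0003", "Bloggs, Joe", "restricted"),
]


def open_sample_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reports (report_id TEXT, name TEXT, access TEXT)"
    )
    conn.executemany("INSERT INTO reports VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, report_id):
    """Insecure pattern: the form value is spliced into the SQL text, so a
    quote in the input ends the string literal and the remainder is run as
    SQL. The access = 'public' filter can be commented away, exposing
    restricted rows to a request the firewall sees as ordinary web traffic."""
    sql = (
        "SELECT report_id, name FROM reports "
        f"WHERE report_id = '{report_id}' AND access = 'public'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, report_id):
    """Hardened pattern: a ? placeholder sends the value as data. The query
    structure is fixed, so the same input simply matches no report_id."""
    sql = (
        "SELECT report_id, name FROM reports "
        "WHERE report_id = ? AND access = 'public'"
    )
    return conn.execute(sql, (report_id,)).fetchall()


def looks_like_injection(value):
    """Hypothetical application-server check for the 'dynamic monitoring'
    item: a report id is alphanumeric plus '-', so SQL metacharacters or
    comment markers in the submitted value are worth logging and alerting on."""
    markers = ("'", '"', ";", "--", "/*")
    return any(m in value for m in markers)
```

Calling the two lookups with the same malformed form value (for instance one containing a stray quote followed by a SQL comment marker) shows the restricted row leaking from the vulnerable version and an empty result from the parameterized one.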

SQL Injection (SQL-I)
MITIGATION
Watch for “breach” announcements
Notification process
Prevent further breaches (turn off access until it's fixed)
Aggressively pursue disclosures
Where applicable, get outside help (FBI, DHS, USSS,
Commercial services)

DEFACEMENT
WHAT IS IT?
Any unauthorized changes made to the
appearance of either a single webpage, or an
entire site. In some cases, a website is
completely taken down and replaced by
something new.

DEFACEMENT
Who uses it?
Plethora of Jihadists
“Anonymous” Affiliates
Syrian Electronic Army
POH (Plain old hackers)

DEFACEMENT
Examples?
Akron OH
Marines.com
Huffington
MO.GOV
Check out www.zone-h.com (database of 180,000)

DEFACEMENT
Prevention / Mitigation
Keep Server systems and CMS apps up-to-date
Better passwords
Don’t share system accounts outside organization
Reputation monitoring services
Good backups

Attacks That Get
Through The Firewall

APT: The Really Bad Stuff
•Computer network exploitation by threat actors
enables:
•Massive financial losses
•Degradation/disruption of services
•Extortion
•Intellectual property theft
•Counterfeiting
•Theft of proprietary data
•Identity theft (personally identifiable information)
•Access to credit
•Loss of money and credibility

Computer Network Exploitation
(Try to stay on the left side of the Cyber "Kill Chain")
The Bad Guys are INSIDE the computer now.

Spear-Phishing
•Targeted e-mails containing malicious attachments or links
•E-mails forged to look as if they came from a legitimate
source and have a subject that the victim is likely to open.
•Target e-mail addresses can be harvested from Web sites,
social networks, etc.
•Targeting of CEOs, executives is called “whaling”.

Sample Phishing Website
(Via fsecure.com)

Sample Phishing Website
(Via fsecure.com)
Compromised police academy server in India

(Via nytimes.com)

Prevention
Constant Education
Information Sharing between agencies
OPSEC
Cyber Hygiene
PASSWORDS!!!!!!!!!!!!!
Response plans
Cyber Tabletop Exercises
Test Your Capabilities
Figure Out Roles and Responsibilities

What is your plan?
How to recover?
WHO ?
COST ?
How to mitigate
CRITICAL SERVICES
How to deal with the public
PUBLIC CONFIDENCE
LIABILITY

EVALUATE YOUR RISK.
THREAT + VULNERABILITY + CONSEQUENCE = RISK

WHO CAN YOU CALL?
Fusion Center:
KC Regional Terrorism Early Warning
Cyber Threat Intelligence Program
[email protected]
(816) 413-3588
Missouri Information Analysis Center
St Louis Terrorism Early Warning


[US map slide: NFCA Cyber Intelligence Network (CIN) regional coordinators]
Troy Campbell, Co-Chair, KCTEW
Devin King, Co-Chair, LA-SAFE
Western Regional Coordinator: Dana Kilian, NCRIC
Central Regional Coordinator: John Burrell, MATIC
Midwest Regional Coordinator: Kelley Goldblatt (MC3)
Southeast Regional Coordinator: Heather Perez (CFIX)
Northeast Regional Coordinator: Brett Paradis (CTIC)
National Capital Regional Coordinator: Fleming Campbell (WRTAC)
NFCA Cyber Intelligence Network (CIN)

WHO CAN YOU CALL?
The Department of Homeland Security (DHS)
The National Cybersecurity & Communications Integration Center (NCCIC)
The U.S. Computer Emergency Readiness Team (US-CERT)
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
The National Coordinating Center for Telecommunications (NCC)

WHO CAN YOU CALL?
The USSS –US SECRET SERVICE
Your Nearest field office usually has a local
Electronic Crimes Task Force
Has Critical Incident Response Teams

WHO CAN YOU CALL?
The Federal Bureau of Investigation (FBI)
Your Local FBI Cyber Division
FBI CyWatch
FBI Critical Incident Response Group (CIRG) Strategic
Information and Operations Center (SIOC)

WHO CAN YOU CALL?
KC Regional Terrorism Early Warning
Cyber Threat Intelligence Program
[email protected]
(816) 413-3588

Discussion

Contact:
Troy Campbell
KCTEW
Cyber Threat Intelligence Program
[email protected]
(816) 413-3588

Cyber Information Sharing Issues

Cyber Information Sharing: A Challenging Process

Issues in Intelligence
Information Sharing
•No Cross Community Standards
•Formats
•Flow Paths
•Classification Downgrades
•Identity requests
•Standard terminology
•Two-way information Flows