A Glimpse Into the World of Cyber Security at LLNL

Prepared for MCySec, Tuesday, 11 November 2014

Lawrence Livermore National Laboratory, LLNL-PRES-663426, CS13-053
Source: sites.miis.edu/cyber/files/2015/06/LLNL-MIIS... (posted 2015-06-02)

This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344. Lawrence Livermore National Security, LLC.

Disclaimer

Our Security Infrastructure Will Never Be Perfect
• Current solutions and methodologies have flaws
• We strive for continued growth
• Development and collaboration are paramount

Your Mileage May Vary…
– If you see areas for improvement, please let us know

Who am I?

Matthew Myrick (Livermore, California)
• Lawrence Livermore National Laboratory (LLNL)
• Cyber Security Architect, Incident Response Team
• 11 years in network security, 17 years at LLNL
• MS in CS; CISSP, BCCPA, GCIH, GPEN, GCIA
• Independent Security Researcher and Consultant

Who am I? (part 2)

John Donaldson (Livermore, California)
• Lawrence Livermore National Laboratory (LLNL)
• Cyber Security Program / Information Operations and Analytics Program
• 5 years in network security
• Computer Science (MS), Naval Postgraduate School, 2013

Who am I? (part 3)

Jim Klopchic
• Lawrence Livermore National Laboratory (LLNL)
• Cyber Security Program / LLNS Cyber Rotation Program
• 4-year offensive security lab member
• Computer Science (BS), NYU Polytechnic School of Engineering

LLNL Cyber Footprint
• ~7,000 employees
• ~40,000 computers
• ~10,000 egress
• ~150 ingress
• ~50 million emails
  – ~75% spam

About LLNL

Missions
• Bio-Security
• Counterterrorism
• Defense
• Energy
• Intelligence
• Nonproliferation
• Science
• Weapons

Cutting-edge science
• Nuclear weapons / fusion / deterrence
• High-performance computing
• Additive manufacturing
• Life sciences

About LLNL

Unique facilities
• Center for Accelerator Mass Spectrometry (CAMS)
• High Explosives Application Facility (HEAF)
• National Atmospheric Release Advisory Center (NARAC)
• National Ignition Facility (NIF)
• Terascale Simulation Facility (TSF)
• Forensic Science Center (FSC)
• Site 300

About LLNL

The computers
• Sequoia
  – 98,304 compute nodes
  – 1.5M cores
  – 1.6 PB RAM
  – 20 petaflops
  – Top500 #3
• Vulcan
  – 24,576 compute nodes
  – 393,216 cores
  – Top500 #9
• Catalyst
• And more

About LLNL

Assorted cool things
• 152 R&D 100 awards since 1978
  – Radiation detection, explosives detection, artificial retinas, scalable debuggers, high-precision lasers, etc.
• Co-discovered elements 113-118
  – Livermorium (116)
• Explosives detection
• Pathogen detection

General view of the Internet

My view of the Internet

Cyber Security Staff

Cyber Security Program
• Network Security Team
  – Security Operations Center (4 FTEs) – front line of defense (phones / email / alerts)
  – Vulnerability Assessment Team (2 FTEs) – scan for vulnerable systems
  – Firewall Monitoring Team (2 FTEs) – modify network taps / firewalls / access controls
  – Incident Management Team (4 FTEs) – incident response, intrusion detection/prevention, security architecture, email monitoring, forensics, penetration tests, wireless, reverse engineering…
• Finite resources…

Security Lingo

Definitions
• Vulnerability – a weakness in a computing system
• Exploit – software that takes advantage of a vulnerability
• Phishing – sending an email to a user while falsely claiming to be somebody else, in an attempt to scam the user
• Zero Day – a publicly circulating exploit for a vulnerability for which no patch exists (the vendor has had "zero days" to fix it)

The World IS Shrinking

You no longer have to physically travel the globe in order to attack.

"N. Korea doubles cyber war personnel"
http://news.yahoo.com/n-korea-doubles-cyber-war-personnel-024102387.html

Photo shows students using computers at the Grand People's Study House near Kim Il-Sung Square in Pyongyang, capital of North Korea (AFP Photo).

"The North's cyber war unit now has 5,900 personnel, compared with 3,000 two years ago, the South's Yonhap news agency said."

"Malware hidden in Chinese inventory scanners targeted logistics, shipping firms"
http://www.networkworld.com/article/2453101/malware-hidden-in-chinese-inventory-scanners-targeted-logistics-shipping-firms.html

"The supply chain attack, dubbed 'Zombie Zero', was identified by security researchers from TrapX. The malware was designed to launch attacks using the SMB (Server Message Block) protocol and the Radmin remote control protocol when the infected inventory scanner was connected to a company's wireless network. It then looked for ERP (enterprise resource planning) servers with the word 'finance' in their names and used known exploits to compromise them, said Carl Wright, executive vice president and general manager of TrapX."

Attacked From Within

Current State of Affairs: Commercial Sector

Current State of Affairs: Government Sector

Who is the Adversary?

Script Kiddie (motivation: vengeance)
• Hobbyists who dabble in mischief and chaos (e.g., Anonymous)
• Attack method: Distributed Denial of Service, defacement
• Frequency: daily
• Location: mostly Western countries

Cyber Criminals (motivation: $money$)
• Regular ol' criminals
• Attack method: identity theft, botnets, extortion
• Frequency: daily
• Location: mostly Eastern Bloc

Advanced Persistent Threat (motivation: power)
• Bad people from other countries, paid to steal from the US
• Frequency: monthly -> weekly -> periodically
• Location: mostly China

The BIG Picture

Anatomy Of A Targeted Attack

LLNL Cyber Security Lifecycle
• Deter
• Detect
• Respond
• Remediate

Our Security Stack

Figure: stack diagram. Outer layer: External; inner layer: Intense Monitoring. Components shown:
• Full Packet Capture
• DNS Protection
• Network Event Parsing
• SIEM
• Firewall
• Application Firewall
• Email Blocking
• APT Detection
• Forensics
• AV
• Log Forwarding

Lifecycle phases labelled on the diagram: Deter, Detect, Respond, Remediate.

Technologies

Countermeasures and Response: Pyramid of Pain

Indicator type (top of the pyramid to bottom) – how much pain detecting and blocking it causes the adversary:
• TTPs – Tough
• Tools – Challenging
• Network and Host Indicators – Annoying
• Domain Names – Easy
• IP Addresses – Trivial

Goal: make the process painful and more expen$ive for the adversary by detecting on the painful Indicators of Compromise (IOCs) near the top of the pyramid, and by sharing them.

LLNL Has A Wake-Up Call

June 2008
• 150 emails
  – 2 different messages
• Emails had links to an Adobe Flash 0-day
• 22 people clicked, 13 initially infected
  – Within minutes the attackers were on 5 enterprise servers
• We received the phone call over a month later…
• 100s of machines compromised
• 3 command & control channels
  – FTP / HTTP / HTTPS

LLNL Wake-Up Call: Lessons Learned

We Needed To Get Serious (Digital 9/11)
• Too many ingress/egress points
• Not enough logs
• Needed way more security

Bought A Bunch of Technology
• Separated value from snake oil

Hired More People
• Training is mandatory
  – Keep guard up and anticipate the next punch

If You Don't Learn The First Time…

March 2010
• 776 emails
  – 2 different messages
• Emails had links to an Internet Explorer 6/7 0-day
• 18 people clicked, 3 initially infected
  – Within an hour the attackers were on 2 enterprise servers
• Only 5 machines
• Fully contained within 5 hours
• 4 command & control channels
  – HTTP / HTTPS

Keep On Learning Lessons: Security Must Be Baked In
• Safety and security are paramount
• No longer "trust" the network
• Security presence is known
• Maintain a wish list
• Track known APT
  – Only block when no other option
• Collaborate and communicate
  – DOE APT Focus Group, Bay Area APT-SIG
• The attacks keep coming… but this story stops here

Let's take a closer look…

First Wave of Recent Attack

From: sharon@hoofbeats.org.uk
Sent: Monday, July 07, 2014 7:38 AM
To: Myrick, Matt
Subject: Payment for myrick3@llnl.gov

Thanks for shopping with our company now. Your order is on process at present. You will receive more info in the next message.

BILLING DETAILS
Purchase Number: Z643213424
Order Date: 7:37 Wed, Jul 07, 2014
Customer Email: myrick3@llnl.gov
Outright Purchase: 3742 USD

Please see the invoice enclosed with this email to get more info about your order.

IMPORTANT: In case you cannot read the file, do the following: save it to your computer and manually change an extension SCR (characters after dot). See the sample name: Ivoice7765116.SCR. Then try again to open this.

Attached file: Ivoice6886066.PFJ

Second Wave

To: myrick3@llnl.gov
From: add@mechparts.ru
Subject: Payment_for_myrick3@llnl.gov
Date: Fri, 11 Jul 2014 15:44:04 -0500

Thank you for placing order with us today. Your order is now on process.

ORDER DETAILS
Purchase Number: D552845188
Order Date: 12:09 PM Wed, July 11, 2014
Customer Email: myrick3@llnl.gov
Order Total: 6889 USD
Download your invoice

Please hit the link provided above to have more info about this issue.

https://www.dropbox.com/s/i5dnimddh4d5xn5/Invoice_161.PDF.scr?dl=1
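The two lures share tells that a mail gateway or SOC triage script can check mechanically: an attachment whose extension is not a document type, body text telling the recipient to rename it to .SCR, a download link whose filename carries a double extension (.PDF.scr) plus a direct-download parameter, and the recipient's own address templated into the subject line. The Python script below is an added example written for this page, not LLNL tooling. The three messages it triages are constructed here to mirror the two waves plus a benign control (the attachment payload is a placeholder, not the real sample), and the extension lists, the regexes and the two-finding threshold are the example's own choices.

```python
"""Triage checks for invoice-themed phishing lures.

Added example (not LLNL tooling). The three messages below are constructed to
mirror the two July 2014 waves plus a benign control; the attachment payload is
a placeholder, not the real sample.
"""
import re
from email import message_from_string
from urllib.parse import parse_qs, urlparse

# Extensions Windows runs directly on double-click (screensavers included).
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd", "js", "vbs", "hta"}
# Document-looking extensions that serve as the decoy half of a double extension.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "zip", "html", "htm"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# The social-engineering tell: "change an extension SCR", "rename to .scr", etc.
RENAME_RE = re.compile(r"extension[^\n]{0,40}?\bscr\b", re.IGNORECASE)


def filename_findings(name: str) -> list[str]:
    """Reasons a filename (or URL path) looks like an executable lure; [] if none."""
    base = name.rsplit("/", 1)[-1]
    exts = base.lower().split(".")[1:]
    if not exts:
        return []
    findings = []
    if exts[-1] in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{exts[-1]} on {base}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension .{exts[-2]}.{exts[-1]} on {base}")
    elif exts[-1] not in DOCUMENT_EXTS:
        findings.append(f"unrecognised extension .{exts[-1]} on {base}")
    return findings


def triage(raw_eml: str) -> dict:
    """Score one RFC 822 message; two or more findings marks it suspicious."""
    msg = message_from_string(raw_eml)
    findings, body_parts = [], []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            findings += filename_findings(filename)
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                body_parts.append(payload.decode("utf-8", "replace"))
    body = "\n".join(body_parts)
    if RENAME_RE.search(body):
        findings.append("body tells the recipient to rename the file to .scr")
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        findings += [f"link {f}" for f in filename_findings(parsed.path)]
        if "dl" in parse_qs(parsed.query):
            findings.append(f"link forces a direct download: {url}")
    recipient = msg.get("To", "").strip().lower()
    if recipient and recipient in msg.get("Subject", "").lower().replace("_", " "):
        findings.append("recipient address templated into the subject line")
    return {"verdict": "suspicious" if len(findings) >= 2 else "clean",
            "findings": findings}


# Constructed sample: wave 1 (attachment + rename instruction).
SAMPLE_WAVE1 = """\
From: sharon@hoofbeats.org.uk
To: myrick3@llnl.gov
Subject: Payment for myrick3@llnl.gov
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Thanks for shopping with our company now. Your order is on process at present.
IMPORTANT: In case you cannot read the file, save it to your computer and
manually change an extension SCR (characters after dot). See the sample
name: Ivoice7765116.SCR. Then try again to open this.
--b1
Content-Type: application/octet-stream; name="Ivoice6886066.PFJ"
Content-Disposition: attachment; filename="Ivoice6886066.PFJ"
Content-Transfer-Encoding: 7bit

PLACEHOLDER BYTES
--b1--
"""

# Constructed sample: wave 2 (link to a double-extension file).
SAMPLE_WAVE2 = """\
From: add@mechparts.ru
To: myrick3@llnl.gov
Subject: Payment_for_myrick3@llnl.gov
Content-Type: text/plain; charset="us-ascii"

Thank you for placing order with us today. Your order is now on process.
Order Total: 6889 USD. Download your invoice:
https://www.dropbox.com/s/i5dnimddh4d5xn5/Invoice_161.PDF.scr?dl=1
"""

# Constructed benign control.
SAMPLE_BENIGN = """\
From: travel@llnl.gov
To: myrick3@llnl.gov
Subject: Trip report due Friday
Content-Type: text/plain; charset="us-ascii"

Reminder: please upload your trip report to https://intranet.example/reports/ by Friday.
"""

if __name__ == "__main__":
    for label, sample in [("wave 1", SAMPLE_WAVE1), ("wave 2", SAMPLE_WAVE2),
                          ("benign", SAMPLE_BENIGN)]:
        result = triage(sample)
        print(label, result["verdict"], *result["findings"], sep="\n  ")
```

The checks are deliberately cheap string tests so they can sit in a mail gateway hook; the rename instruction and the templated subject are worth keeping even when the attachment extension list is defeated, because they come from the lure template rather than from the payload.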

What Is This?

Zbot / Zeus: http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99&tabid=2

"Trojan.Zbot is created using a toolkit that is readily available on underground marketplaces used by online criminals. There are different versions available, from free ones (often back doored themselves) to those an attacker must pay up to $700 USD for in order to use. These marketplaces also offer other Zeus-related services, from bulletproof hosting for C&C servers to rental of already-established botnets."

What Does It Do?

Downloaded file: Invoice_[2-3 digits].PDF.scr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader .exe in C:\Users\[userid]\AppData\Roaming\ms[5 chars].exe [MD5 525de1b3ae058ca5d601bd54fa99315a]. Version information embedded in the dropped file:
• Company Name: Tpowersoft
• File Description: IMS Image Manipullation Software
• File Version: 1072
• Internal Name: imm manip softw
• Legal Copyright: Copyright (C) 2013 Tpowersoft
• Original Filename: ims imagge
• Product Name: IMS Image Manipullation Software

Beacon IPs
• http://78.129.153.9:8080/warez/cloacla.php
• http://78.129.153.11:8080/warez/cloacla.php

IP Address   | Country | Location               | Coordinates  | ISP                    | Org
78.129.153.9 | GB      | United Kingdom, Europe | 51.5, -0.13  | Iomart Hosting Limited | RapidSwitch Ltd
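The Pyramid of Pain slide and the Zbot indicators on this slide fit together: the two beacon IPs are Trivial for the adversary to rotate, the C2 URI and the dropper path under AppData\Roaming are Annoying, the bogus PE version strings identify the Tool, and the regular beaconing itself is a TTP that survives every one of those changes. The Python script below is an added example, not LLNL code, that shows a detection at each tier. The indicator values come from this slide; the regexes are the example's own; the proxy log lines and the host file listing are constructed for the example, including a hypothetical rotated C2 host (198.51.100.20, a documentation address) with a new URI path that none of the static indicators match but that the beaconing check still flags.

```python
"""Indicator matching ranked by the Pyramid of Pain.

Added example (not LLNL code). Indicator values are from the Zbot write-up
above; the regexes, the proxy log and the host file listing are this example's
own, and 198.51.100.20 is a hypothetical rotated C2 host (documentation range).
"""
import re
import statistics
from dataclasses import dataclass
from datetime import datetime

# Pyramid of Pain levels as the slide labels them, least painful for the adversary first.
PAIN = {"ip": "Trivial", "domain": "Easy", "artifact": "Annoying",
        "tool": "Challenging", "ttp": "Tough"}


@dataclass(frozen=True)
class Indicator:
    level: str          # key into PAIN
    name: str
    pattern: re.Pattern


INDICATORS = [
    Indicator("ip", "beacon host 78.129.153.9", re.compile(r"\b78\.129\.153\.9\b")),
    Indicator("ip", "beacon host 78.129.153.11", re.compile(r"\b78\.129\.153\.11\b")),
    # Network artifact: the C2 script path and port, whichever host serves it.
    Indicator("artifact", "C2 URI :8080/warez/cloacla.php",
              re.compile(r":8080/warez/cloacla\.php")),
    # Host artifacts: the lure filename and the dropper path from the slide.
    Indicator("artifact", "lure file Invoice_<2-3 digits>.PDF.scr",
              re.compile(r"Invoice_\d{2,3}\.PDF\.scr", re.IGNORECASE)),
    Indicator("artifact", r"dropper AppData\Roaming\ms<5 chars>.exe",
              re.compile(r"\\AppData\\Roaming\\ms[a-z0-9]{5}\.exe\b", re.IGNORECASE)),
    # Tool: the bogus PE version strings carried by the downloader.
    Indicator("tool", "version info 'IMS Image Manipullation' / Tpowersoft",
              re.compile(r"IMS Image Manipullation|Tpowersoft")),
]


def scan_indicators(lines):
    """Map each line that hits at least one indicator to its (pain level, name) hits."""
    hits = {}
    for line in lines:
        found = [(PAIN[i.level], i.name) for i in INDICATORS if i.pattern.search(line)]
        if found:
            hits[line] = found
    return hits


# Proxy log format used by the constructed sample: timestamp client method URL status
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) https?://([^/\s]+)\S* (\d{3})$")


def find_beacons(log_lines, min_hits=4, max_jitter=0.15):
    """TTP-level check that survives IP, domain and URI rotation: one client
    contacting one host:port at near-constant intervals.
    Returns {(client, host:port): mean interval in seconds}."""
    contacts = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, host, _status = m.groups()
        contacts.setdefault((client, host), []).append(datetime.fromisoformat(ts))
    beacons = {}
    for key, times in contacts.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Low relative spread of the inter-request gaps = machine-driven check-in.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean)
    return beacons


# Constructed proxy log (not real LLNL traffic).
SAMPLE_PROXY_LOG = """\
2014-07-11T16:00:00 10.1.2.3 GET http://intranet.example/news 200
2014-07-11T16:00:04 10.1.2.3 POST http://78.129.153.9:8080/warez/cloacla.php 200
2014-07-11T16:01:10 10.1.2.7 POST http://78.129.153.11:8080/warez/cloacla.php 200
2014-07-11T16:02:00 10.1.2.9 POST http://198.51.100.20:8080/img/load.php 200
2014-07-11T16:03:30 10.1.2.3 GET http://intranet.example/news 200
2014-07-11T16:05:04 10.1.2.3 POST http://78.129.153.9:8080/warez/cloacla.php 200
2014-07-11T16:07:00 10.1.2.9 POST http://198.51.100.20:8080/img/load.php 200
2014-07-11T16:07:41 10.1.2.3 GET http://intranet.example/calendar 200
2014-07-11T16:10:03 10.1.2.3 POST http://78.129.153.9:8080/warez/cloacla.php 200
2014-07-11T16:12:01 10.1.2.9 POST http://198.51.100.20:8080/img/load.php 200
2014-07-11T16:15:05 10.1.2.3 POST http://78.129.153.9:8080/warez/cloacla.php 200
2014-07-11T16:17:00 10.1.2.9 POST http://198.51.100.20:8080/img/load.php 200
"""

# Constructed host inventory lines: path | CompanyName | FileDescription
SAMPLE_HOST_FILES = [
    r"C:\Users\mmyrick\AppData\Roaming\msqzkfw.exe | Tpowersoft | IMS Image Manipullation Software",
    r"C:\Users\mmyrick\AppData\Roaming\Microsoft\Windows\Recent\report.lnk | | ",
    r"C:\Users\mmyrick\Downloads\Invoice_161.PDF.scr | | ",
    r"C:\Program Files\Editor\editor.exe | Example Corp | Text Editor",
]

if __name__ == "__main__":
    all_lines = SAMPLE_PROXY_LOG.splitlines() + SAMPLE_HOST_FILES
    for line, found in scan_indicators(all_lines).items():
        print(line[:60], "->", ", ".join(f"[{lvl}] {name}" for lvl, name in found))
    for (client, host), secs in find_beacons(SAMPLE_PROXY_LOG.splitlines()).items():
        print(f"[Tough] {client} checks in to {host} every ~{secs}s")
```

Running the script shows the tiers in action: the IP rule for 78.129.153.9 misses the second infected host talking to 78.129.153.11, the URI artifact catches both, and only the interval check catches the rotated host. The price of the top tier is operational: `find_beacons` needs hours of proxy data and an allow-list for legitimately periodic traffic (update checks, monitoring agents), which is the other half of why TTP-level detection is "Tough".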

New and Exciting Possibilities

LLNL Cyber Security: Warcopter
• Why not do our wardriving from the air?
• Lots of interesting legal/policy issues to navigate

LLNL Cyber Security Research

"Big data" problems
• Data fusion
• Machine learning

Network mapping
• NeMS

How Can I Learn More?
• Host Forensics
• File Forensics
• Malware Analysis
• Computer Network Defense
• Computer Network Offense
• Penetration Testing
• Exploit Development
• Command & Control

Thank You For Your Time and Attention

"America's economic prosperity in the 21st century will depend on cyber security." (President Barack Obama)

"It's not what happens to you, but how you react to it that matters." (Epictetus, Greek philosopher)

Matthew Myrick, myrick3@llnl.gov, (925) 422-0361
John Donaldson, donaldson8@llnl.gov, (925) 423-8562
Jim Klopchic, klopchic1@llnl.gov, (925) 424-2769

Page 2: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

2 CS13-053

Disclaimer

Our Security Infrastructure Will Never Be Perfect bull Current solutions and methodologies have flaws

bull We strive for continued growth

bull Development and collaboration are paramount

Your Mileage May Varyhellip mdash If you see areas for improvement please let us know

Lawrence Livermore National Laboratory LLNL-PRES-663426

3 CS13-053

Matthew Myrick (Livermore California)

bull Lawrence Livermore National Laboratory (LLNL)

bull Cyber Security Architect Incident Response Team

bull 11 years in network security 17 years at LLNL

bull MS in CS CISSP BCCPA GCIH GPEN GCIA

bull Independent Security Researcher and Consultant

Who am I

Lawrence Livermore National Laboratory LLNL-PRES-663426

4 CS13-053

John Donaldson (Livermore California)

bull Lawrence Livermore National Laboratory (LLNL)

bull Cyber Security ProgramInformation Operations and

Analytics Program

bull 5 years in network security

bull Computer Science (MS) Naval Postgraduate School

2013

Who am I (part 2)

Lawrence Livermore National Laboratory LLNL-PRES-663426

5 CS13-053

Jim Klopchic

bull Lawrence Livermore National Laboratory (LLNL)

bull Cyber Security ProgramLLNS Cyber Rotation

Program

bull 4 year offensive security lab member

bull Computer Science (BS) NYU Polytechnic School of

Engineering

Who am I (part 3)

Lawrence Livermore National Laboratory LLNL-PRES-663426

6 CS13-053

~7000 employees

~40000 computers

~10000 egress

~150 ingress

~50 Million Emails

bull ~75 Spam

LLNL Cyber Footprint

Lawrence Livermore National Laboratory LLNL-PRES-663426

7 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

8 CS13-053

About LLNL

Missions

bull Bio-Security

bull Counterterrorism

bull Defense

bull Energy

bull Intelligence

bull Nonproliferation

bull Science

bull Weapons

Cutting-edge science

bull Nuclear

weaponsfusiondeter-

rence

bull High-performance

computing

bull Additive manufacturing

bull Life sciences

Lawrence Livermore National Laboratory LLNL-PRES-663426

9 CS13-053

Unique facilities

bull Center for Accelerator Mass Spectrometry (CAMS)

bull High Explosives Application Facility (HEAF)

bull National Atmospheric Release Advisory Center

(NARAC)

bull National Ignition Facility (NIF)

bull Terascale Simulation Facility (TSF)

bull Forensic Science Center (FSC)

bull Site 300

About LLNL

Lawrence Livermore National Laboratory LLNL-PRES-663426

10 CS13-053

The computers bull Sequoia

mdash 98304 compute nodes

mdash 15M cores

mdash 16PB RAM

mdash 20 petaflops

mdash Top500 3

bull Vulcan mdash 24 576 compute nodes

mdash 393216 cores

mdash Top500 9

bull Catalyst

bull And more

About LLNL

Lawrence Livermore National Laboratory LLNL-PRES-663426

11 CS13-053

About LLNL

Assorted cool things

bull 152 RampD 100 awards since 1978

mdash Radiation detection explosives detection artificial retinas scalable debuggers high-precisions lasers etc

bull Co-discovered elements 113-118

mdash Livermorium (116)

bull Explosives detection

bull Pathogen detection

Lawrence Livermore National Laboratory LLNL-PRES-663426

12 CS13-053

About LLNL

Assorted cool things

Lawrence Livermore National Laboratory LLNL-PRES-663426

13 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

14 CS13-053

General view of the Internet

Lawrence Livermore National Laboratory LLNL-PRES-663426

15 CS13-053

My view of the Internet

Lawrence Livermore National Laboratory LLNL-PRES-663426

16 CS13-053

Cyber Security Staff

Cyber Security Program bull Network Security Team

mdash Security Operations Center (4 FTErsquos) ndash Front lines of defense (phonesemailalerts)

mdash Vulnerability Assessment Team (2 FTErsquos) ndash Scan for vulnerable systems

mdash Firewall Monitoring Team (2 FTErsquos) ndash Modify network tapsfirewallsaccess controls

mdash Incident Management Team (4 FTErsquos)

ndash Incident Response Intrusion DetectionPrevention Security Architecture Email Monitoring Forensics Penetration Tests Wireless Reverse Engineeringhellip

bull Finite Resourceshellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

17 CS13-053

Security Lingo

Definitions

bull Vulnerability ndash weakness in a computing system

bull Exploit ndash software that takes advantage of a

vulnerability

bull Phishing ndash sending an email to a user falsely

claiming to be somebody else in an attempt to scam

the user

bull Zero Day ndash a publically available exploit for which

there is no patch

Lawrence Livermore National Laboratory LLNL-PRES-663426

18 CS13-053

The World IS Shrinking

No longer have to physically travel the globe in order to attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

19 CS13-053

NKorea doubles cyber war personnel

httpnewsyahoocomn-korea-doubles-cyber-war-personnel-024102387html

Photo shows students using computers at the Grand Peoples Study House near

Kim Il-Sung Square in Pyongyang capital of North Korea (AFP Photo)

The Norths cyber

war unit now has

5900 personnel

compared with 3000

two years ago the

Souths Yonhap news

agency said

Lawrence Livermore National Laboratory LLNL-PRES-663426

20 CS13-053

ldquoMalware hidden in Chinese inventory

scanners targeted logistics shipping

firmsrdquo

httpwwwnetworkworldcomarticle2453101malware-hidden-in-chinese-inventory-

scanners-targeted-logistics-shipping-firmshtml

The supply chain attack dubbed ldquoZombie Zerordquo was

identified by security researchers from TrapX

The malware was designed to launch attacks using

the SMB (Server Message Block) protocol and the

Radmin remote control protocol when the infected

inventory scanner was connected to a companyrsquos

wireless network It then looked for ERP (enterprise

resource planning) servers with the word ldquofinancerdquo in

their names and used known exploits to compromise

them said Carl Wright executive vice president and

general manager of TrapX

Lawrence Livermore National Laboratory LLNL-PRES-663426

21 CS13-053

Attacked From Within

Lawrence Livermore National Laboratory LLNL-PRES-663426

22 CS13-053

Current State of Affairs Commercial Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

23 CS13-053

Current State of Affairs Government Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

24 CS13-053

Who is the Adversary

Script Kiddie (motivation vengeance) bull Hobbyists who dabble in mischief and chaos (ie Anonymous)

bull Attack method Distributed Denial of Service Defacement

bull Frequency Daily

bull Location Mostly Western Countries

Cyber Criminals (motivation $money$) bull Regular olrsquo criminals

bull Attack method Identity Theft Botnets Extortion

bull Frequency Daily

bull Mostly Eastern Bloc

Advanced Persistent Threat (motivation power)

bull Bad people from other countries paid to steal from the US

bull Frequency Monthly-gtWeekly-gtPeriodically

bull Mostly China

Lawrence Livermore National Laboratory LLNL-PRES-663426

25 CS13-053

The BIG Picture

Lawrence Livermore National Laboratory LLNL-PRES-663426

26 CS13-053

Anatomy Of A Targeted Attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

27 CS13-053

LLNL Cyber Security Lifecycle

Deter

Detect

Respond

Remediate

Lawrence Livermore National Laboratory LLNL-PRES-663426

28 CS13-053

Our Security Stack

28

External

Intense Monitoring

Full

Pac

ket

Cap

ture

DN

S P

rote

ctio

n

Net

wo

rk E

ven

t P

arsi

ng

SIEM

Fire

wal

l

Ap

plic

atio

n F

irew

all

Emai

l Blo

ckin

g

APT Detection

Forensics

AV

Log Forwarding

Remediate

Detect

Respond

Deter

Lawrence Livermore National Laboratory LLNL-PRES-663426

29 CS13-053

Technologies

Lawrence Livermore National Laboratory LLNL-PRES-663426

30 CS13-053

Countermeasures and Response

30

Tools

TTPs

Network and Host Indicators

Domain Names

IP Addresses

bull Tough

bull Challenging

bull Annoying

bull Easy

bull Trivial

Goal Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCrsquos) and by sharing

Pyramid of Pain

Lawrence Livermore National Laboratory LLNL-PRES-663426

31 CS13-053

LLNL Has A Wake Up Call

June 2008

bull 150 Emails

mdash 2 Different messages

bull Emails had a links to an Adobe Flash 0-day

bull 22 People clicked 13 initially infected

mdash Within minutes they were on 5 enterprise servers

bull We received the phone call over a month laterhellip

bull 100rsquos of machines compromised

bull 3 Command amp Control channels

mdash FTPHTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

32 CS13-053

LLNL Wake Up Call Lessons Learned

We Needed To Get Serious (Digital 911)

bull Too many ingressegress points

bull Not enough logs

bull Needed way more security

Bought A Bunch of Technology

bull Separated Value From Snake Oil

Hired More People

bull Training Is Mandatory

mdash Keep guard up and anticipate the next punch

Lawrence Livermore National Laboratory LLNL-PRES-663426

33 CS13-053

If You Donrsquot Learn The First Timehellip

March 2010

bull 776 Emails

mdash 2 Different messages

bull Emails had links to Internet Explorer 67 0-day

bull 18 People clicked 3 Initially Infected

mdash Within an hour they were on 2 enterprise servers

bull Only 5 Machines

bull Fully contained within 5 hours

bull 4 Command amp Control channels

mdash HTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

34 CS13-053

Keep On Learning Lessons Security Must Be Baked In

bull Safety And Security Are Paramount bull No longer ldquoTrustrdquo the network bull Security presence is known

Maintain a wish list

Track known APT bull Only block when no other option

Collaborate and Communicate bull DOE Apt Focus Group Bay Area APT-SIG

bull The Attacks Keep Comingbut this story stops here

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 3: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

3 CS13-053

Matthew Myrick (Livermore California)

bull Lawrence Livermore National Laboratory (LLNL)

bull Cyber Security Architect Incident Response Team

bull 11 years in network security 17 years at LLNL

bull MS in CS CISSP BCCPA GCIH GPEN GCIA

bull Independent Security Researcher and Consultant

Who am I

Lawrence Livermore National Laboratory LLNL-PRES-663426

4 CS13-053

John Donaldson (Livermore California)

bull Lawrence Livermore National Laboratory (LLNL)

bull Cyber Security ProgramInformation Operations and

Analytics Program

bull 5 years in network security

bull Computer Science (MS) Naval Postgraduate School

2013

Who am I (part 2)

Lawrence Livermore National Laboratory LLNL-PRES-663426

5 CS13-053

Jim Klopchic

bull Lawrence Livermore National Laboratory (LLNL)

bull Cyber Security ProgramLLNS Cyber Rotation

Program

bull 4 year offensive security lab member

bull Computer Science (BS) NYU Polytechnic School of

Engineering

Who am I (part 3)

Lawrence Livermore National Laboratory LLNL-PRES-663426

6 CS13-053

~7000 employees

~40000 computers

~10000 egress

~150 ingress

~50 Million Emails

bull ~75 Spam

LLNL Cyber Footprint

Lawrence Livermore National Laboratory LLNL-PRES-663426

7 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

8 CS13-053

About LLNL

Missions

bull Bio-Security

bull Counterterrorism

bull Defense

bull Energy

bull Intelligence

bull Nonproliferation

bull Science

bull Weapons

Cutting-edge science

bull Nuclear

weaponsfusiondeter-

rence

bull High-performance

computing

bull Additive manufacturing

bull Life sciences

Lawrence Livermore National Laboratory LLNL-PRES-663426

9 CS13-053

Unique facilities

bull Center for Accelerator Mass Spectrometry (CAMS)

bull High Explosives Application Facility (HEAF)

bull National Atmospheric Release Advisory Center

(NARAC)

bull National Ignition Facility (NIF)

bull Terascale Simulation Facility (TSF)

bull Forensic Science Center (FSC)

bull Site 300

About LLNL

Lawrence Livermore National Laboratory LLNL-PRES-663426

10 CS13-053

The computers bull Sequoia

mdash 98304 compute nodes

mdash 15M cores

mdash 16PB RAM

mdash 20 petaflops

mdash Top500 3

bull Vulcan mdash 24 576 compute nodes

mdash 393216 cores

mdash Top500 9

bull Catalyst

bull And more

About LLNL

Lawrence Livermore National Laboratory LLNL-PRES-663426

11 CS13-053

About LLNL

Assorted cool things
• 152 R&D 100 awards since 1978
  – Radiation detection, explosives detection, artificial retinas, scalable debuggers, high-precision lasers, etc.
• Co-discovered elements 113-118
  – Livermorium (116)
• Explosives detection
• Pathogen detection


General view of the Internet


My view of the Internet


Cyber Security Staff

Cyber Security Program
• Network Security Team
  – Security Operations Center (4 FTEs) – front lines of defense (phones / email / alerts)
  – Vulnerability Assessment Team (2 FTEs) – scan for vulnerable systems
  – Firewall Monitoring Team (2 FTEs) – modify network taps / firewalls / access controls
  – Incident Management Team (4 FTEs) – incident response, intrusion detection/prevention, security architecture, email monitoring, forensics, penetration tests, wireless, reverse engineering...
• Finite resources...


Security Lingo

Definitions
• Vulnerability – a weakness in a computing system
• Exploit – software that takes advantage of a vulnerability
• Phishing – sending an email to a user while falsely claiming to be somebody else, in an attempt to scam the user
• Zero Day – an exploit for a vulnerability that has no patch yet (the vendor has had "zero days" to fix it); the exploit may be publicly available, but in targeted attacks it is often used before anyone but the attacker knows it exists


The World IS Shrinking

No longer have to physically travel the globe in order to attack


"N. Korea doubles cyber war personnel"
http://news.yahoo.com/n-korea-doubles-cyber-war-personnel-024102387.html

(Photo shows students using computers at the Grand People's Study House near Kim Il-Sung Square in Pyongyang, capital of North Korea. AFP Photo)

"The North's cyber war unit now has 5,900 personnel, compared with 3,000 two years ago, the South's Yonhap news agency said."


"Malware hidden in Chinese inventory scanners targeted logistics, shipping firms"
http://www.networkworld.com/article/2453101/malware-hidden-in-chinese-inventory-scanners-targeted-logistics-shipping-firms.html

"The supply chain attack, dubbed 'Zombie Zero', was identified by security researchers from TrapX.

The malware was designed to launch attacks using the SMB (Server Message Block) protocol and the Radmin remote control protocol when the infected inventory scanner was connected to a company's wireless network. It then looked for ERP (enterprise resource planning) servers with the word 'finance' in their names and used known exploits to compromise them, said Carl Wright, executive vice president and general manager of TrapX."


Attacked From Within


Current State of Affairs Commercial Sector


Current State of Affairs Government Sector


Who is the Adversary?

Script Kiddie (motivation: vengeance)
• Hobbyists who dabble in mischief and chaos (e.g., Anonymous)
• Attack method: Distributed Denial of Service, defacement
• Frequency: daily
• Location: mostly Western countries

Cyber Criminals (motivation: $money$)
• Regular ol' criminals
• Attack method: identity theft, botnets, extortion
• Frequency: daily
• Location: mostly Eastern Bloc

Advanced Persistent Threat (motivation: power)
• Bad people from other countries paid to steal from the US
• Frequency: monthly -> weekly -> periodically
• Location: mostly China


The BIG Picture


Anatomy Of A Targeted Attack


LLNL Cyber Security Lifecycle
• Deter
• Detect
• Respond
• Remediate


Our Security Stack

(Diagram: the technology layers below, mapped onto the Deter / Detect / Respond / Remediate lifecycle, with external, intense monitoring across the top.)

• Full packet capture
• DNS protection
• Network event parsing
• SIEM
• Firewall
• Application firewall
• Email blocking
• APT detection
• Forensics
• AV
• Log forwarding


Technologies


Countermeasures and Response: Pyramid of Pain

Indicator type                 Pain for the adversary
TTPs                           Tough
Tools                          Challenging
Network and host indicators    Annoying
Domain names                   Easy
IP addresses                   Trivial

Goal: make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCs) and by sharing.


LLNL Has A Wake Up Call

June 2008
• 150 emails
  – 2 different messages
• Emails had links to an Adobe Flash 0-day
• 22 people clicked, 13 initially infected
  – Within minutes they were on 5 enterprise servers
• We received the phone call over a month later...
• 100's of machines compromised
• 3 Command & Control channels
  – FTP / HTTP / HTTPS


LLNL Wake Up Call: Lessons Learned

We needed to get serious (our digital 9/11)
• Too many ingress/egress points
• Not enough logs
• Needed way more security

Bought a bunch of technology
• Separated value from snake oil

Hired more people
• Training is mandatory
  – Keep guard up and anticipate the next punch


If You Don't Learn The First Time...

March 2010
• 776 emails
  – 2 different messages
• Emails had links to an Internet Explorer 6/7 0-day
• 18 people clicked, 3 initially infected
  – Within an hour they were on 2 enterprise servers
• Only 5 machines
• Fully contained within 5 hours
• 4 Command & Control channels
  – HTTP / HTTPS


Keep On Learning Lessons: Security Must Be Baked In

• Safety and security are paramount
• No longer "trust" the network
• Security presence is known
• Maintain a wish list
• Track known APT
  – Only block when no other option
• Collaborate and communicate
  – DOE APT Focus Group, Bay Area APT-SIG
• The attacks keep coming... but this story stops here


Let's take a closer look...


First Wave of Recent Attack

From: sharon@hoofbeats.org.uk
Sent: Monday, July 07, 2014 7:38 AM
To: Myrick, Matt
Subject: Payment for myrick3@llnl.gov

Thanks for shopping with our company now! Your order is on process at present. You will receive more info in the next message.

BILLING DETAILS
Purchase Number: Z643213424
Order Date: 7:37 Wed, Jul 07, 2014
Customer Email: myrick3@llnl.gov
Outright Purchase: 3742 USD

Please see the invoice enclosed with this email to get more info about your order.

IMPORTANT:
In case you cannot read the file, do the following: save it to your computer and manually change an extension .SCR (characters after dot). See the sample name: Ivoice7765116.SCR
Then try again to open this.

Attached file: Ivoice6886066.PFJ


Second Wave

To: myrick3@llnl.gov
From: add@mechparts.ru
Subject: Payment_for_myrick3@llnl.gov
Date: Fri, 11 Jul 2014 15:44:04 -0500

Thank you for placing order with us today! Your order is now on process.

ORDER DETAILS
Purchase Number: D552845188
Order Date: 12:09 PM Wed, July 11, 2014
Customer Email: myrick3@llnl.gov
Order Total: 6889 USD
Download your invoice

Please hit the link provided above to have more info about this issue.

https://www.dropbox.com/s/i5dnimddh4d5xn5/Invoice_161.PDF.scr?dl=1
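Both waves rely on the same trick: an executable with a document-looking name (Invoice_161.PDF.scr) or an unrecognised extension (.PFJ) plus instructions to rename it to .SCR so that Windows will run it. The following is an added example, not code from the LLNL presentation: a mail-gateway style check that judges an attachment by its bytes first (the "MZ" DOS header that every Windows EXE/SCR carries), by its name second, and finally flags body text that coaches the recipient to rename the file. The file names follow the lures above; the payload bytes, the benign control and the extension lists are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Extensions Windows will run on double-click, whatever icon the file shows.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta"}
# Extensions that only make a double-extension name look like a document.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}
# Body text that coaches the victim into renaming the file, as in the first wave.
RENAME_COACHING = re.compile(
    r"(change|rename)\s+(an\s+|the\s+)?extension|\.scr\b", re.IGNORECASE)

@dataclass
class Verdict:
    name: str
    reasons: list = field(default_factory=list)

    @property
    def block(self) -> bool:
        return bool(self.reasons)

def is_pe(data: bytes) -> bool:
    """True if the payload starts with the DOS 'MZ' header every Windows EXE/SCR has."""
    return data[:2] == b"MZ"

def check_attachment(name: str, data: bytes, body: str = "") -> Verdict:
    """Judge one attachment by content first, then by its name, then by the body text."""
    v = Verdict(name)
    parts = name.lower().rsplit(".", 2)            # keep up to two trailing extensions
    exts = parts[1:]
    final = exts[-1] if exts else ""

    # 1. Content beats name: a PE file is executable no matter what it is called.
    if is_pe(data):
        v.reasons.append("PE header (MZ) in payload")
        if final not in EXECUTABLE_EXTS:
            v.reasons.append(f"executable content hidden behind '.{final or '<none>'}'")

    # 2. Name patterns from the lures: Invoice_161.PDF.scr or a bare executable extension.
    if len(exts) == 2 and exts[0] in DOCUMENT_EXTS and exts[1] in EXECUTABLE_EXTS:
        v.reasons.append(f"double extension .{exts[0]}.{exts[1]}")
    elif final in EXECUTABLE_EXTS:
        v.reasons.append(f"executable extension .{final}")

    # 3. Social engineering: the message tells the user to rename the file to .SCR.
    if body and RENAME_COACHING.search(body):
        v.reasons.append("body coaches the user to rename the attachment")
    return v

# Constructed samples: a 64-byte stub with a valid MZ header stands in for the
# real dropper, and the PDF bytes are a harmless header. Names follow the deck.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
FAKE_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"
FIRST_WAVE_BODY = ("In case you cannot read the file, do the following: save it to your "
                   "computer and manually change an extension .SCR (characters after dot).")

def demo():
    """Map each sample attachment name to the reasons it would be blocked (empty = clean)."""
    samples = [
        ("Ivoice6886066.PFJ", FAKE_PE, FIRST_WAVE_BODY),   # wave 1: odd extension plus coaching
        ("Invoice_161.PDF.scr", FAKE_PE, ""),              # wave 2: double extension
        ("quarterly_report.pdf", FAKE_PDF, ""),            # benign control
    ]
    return {n: check_attachment(n, d, b).reasons for n, d, b in samples}

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'BLOCK' if reasons else 'allow'} {reasons}")
```

The ordering matters: the first-wave attachment would pass a name-only filter (.PFJ is on no block list), so the content check has to come first; the name and body checks then explain the verdict to the analyst.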


What Is This?

Zbot / Zeus: http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99&tabid=2

"Trojan.Zbot is created using a toolkit that is readily available on underground marketplaces used by online criminals. There are different versions available, from free ones (often back doored themselves) to those an attacker must pay up to $700 USD for in order to use. These marketplaces also offer other Zeus-related services, from bulletproof hosting for C&C servers to rental of already-established botnets."


What Does It Do?

Downloaded file: Invoice_[2-3 digits].PDF.scr [MD5: 255819e2f28ee210479928517f676b30]

It drops a downloader .exe in C:\Users\[userid]\AppData\Roaming\ms[5 chars].exe [MD5: 525de1b3ae058ca5d601bd54fa99315a]

Version info of the dropped file (spelling as found in the binary):
Company Name: Tpowersoft
File Description: IMS Image Manipullation Software
File Version: 1072
Internal Name: imm manip softw
Legal Copyright: Copyright (C) 2013 Tpowersoft
Original Filename: ims imagge
Product Name: IMS Image Manipullation Software

Beacon IPs:
http://78.129.153.9:8080/warez/cloacla.php
http://78.129.153.11:8080/warez/cloacla.php

IP Address     Country  Location                Coordinates   ISP                     Org
78.129.153.9   GB       United Kingdom, Europe  51.5, -0.13   Iomart Hosting Limited  RapidSwitch Ltd
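The indicators above map directly onto the Pyramid of Pain from the Countermeasures and Response slide: the two MD5s and the beacon IP sit at the bottom (trivial for the operator to change), the /warez/cloacla.php URL shape and the ms?????.exe drop path are network and host artifacts, the Tpowersoft version strings identify the tool, and the behaviour (a new executable under the user's AppData followed minutes later by HTTP to a non-standard port) is the TTP. The following is an added example, not code from the LLNL deck, that matches each tier against constructed endpoint and proxy events and shows which detections survive when the operator recompiles the dropper, moves to the second IP, or renames the drop file. The TTP correlation rule (AppData executable, then non-standard-port HTTP from the same host within 300 seconds) and all sample events are assumptions; only the hashes, IPs, URL path, drop path and version strings come from the slide.

```python
import re
from collections import defaultdict

# Pyramid tiers, bottom to top, and the pain the adversary feels when caught there.
TIER_ORDER = ["hash", "ip", "domain", "artifact", "tool", "ttp"]
PAIN = {"hash": "trivial", "ip": "trivial", "domain": "easy",
        "artifact": "annoying", "tool": "challenging", "ttp": "tough"}

# Bottom tiers: exact values from the write-up, brittle by nature.
HASHES = {"255819e2f28ee210479928517f676b30",   # Invoice_NNN.PDF.scr
          "525de1b3ae058ca5d601bd54fa99315a"}   # dropped ms?????.exe
IPS = {"78.129.153.9"}   # assume only the first beacon IP made it onto the block list
# Artifact tier: the beacon URL shape and the drop path, independent of IP or hash.
BEACON_URL = re.compile(r"^http://[\d.]+:8080/warez/cloacla\.php$")
DROP_PATH = re.compile(r"\\AppData\\Roaming\\ms[a-z0-9]{5}\.exe$", re.IGNORECASE)
# Tool tier: version-info strings compiled into the downloader.
TOOL_STRINGS = ("Tpowersoft", "IMS Image Manipullation")
# TTP tier (assumed rule): any .exe written under the user's AppData, followed by
# HTTP to a non-standard port from the same host within WINDOW seconds.
APPDATA_EXE = re.compile(r"\\AppData\\.*\.exe$", re.IGNORECASE)
NONSTANDARD_HTTP = re.compile(r"^https?://[^/]+:(?!80/|443/)\d+/")
WINDOW = 300

def match_atomic(ev):
    """Tiers fired by one event on its own (hash, ip, artifact, tool)."""
    hits = set()
    if ev["type"] == "file":
        if ev["md5"] in HASHES:
            hits.add("hash")
        if DROP_PATH.search(ev["path"]):
            hits.add("artifact")
        if any(t in s for t in TOOL_STRINGS for s in ev.get("strings", [])):
            hits.add("tool")
    elif ev["type"] == "http":
        host = ev["url"].split("/")[2].split(":")[0]
        if host in IPS:
            hits.add("ip")
        if BEACON_URL.match(ev["url"]):
            hits.add("artifact")
    return hits

def match_ttp(events, window=WINDOW):
    """Hosts where an AppData executable drop was followed by odd-port HTTP in time."""
    drops = defaultdict(list)
    for ev in events:
        if ev["type"] == "file" and APPDATA_EXE.search(ev["path"]):
            drops[ev["host"]].append(ev["t"])
    flagged = set()
    for ev in events:
        if ev["type"] == "http" and NONSTANDARD_HTTP.match(ev["url"]):
            if any(0 <= ev["t"] - t0 <= window for t0 in drops.get(ev["host"], [])):
                flagged.add(ev["host"])
    return flagged

def fired_tiers(events):
    """Per host, every tier that fired, ordered from the bottom of the pyramid up."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= match_atomic(ev)
    for h in match_ttp(events):
        per_host[h].add("ttp")
    return {h: sorted(tiers, key=TIER_ORDER.index) for h, tiers in per_host.items()}

# Constructed events: hosts, times, the recompiled hash and the retooled dropper are invented.
SAMPLE_EVENTS = [
    {"t": 0, "host": "ws1", "type": "file", "path": r"C:\Users\alice\AppData\Roaming\msqwert.exe",
     "md5": "525de1b3ae058ca5d601bd54fa99315a", "strings": ["Tpowersoft", "IMS Image Manipullation Software"]},
    {"t": 12, "host": "ws1", "type": "http", "url": "http://78.129.153.9:8080/warez/cloacla.php"},
    {"t": 600, "host": "ws2", "type": "file", "path": r"C:\Users\bob\AppData\Roaming\msab12c.exe",
     "md5": "0123456789abcdef0123456789abcdef", "strings": ["Tpowersoft"]},             # recompiled dropper
    {"t": 640, "host": "ws2", "type": "http", "url": "http://78.129.153.11:8080/warez/cloacla.php"},
    {"t": 900, "host": "ws3", "type": "file", "path": r"C:\Users\carol\AppData\Local\Temp\setup.exe",
     "md5": "fedcba9876543210fedcba9876543210", "strings": ["Contoso Ltd"]},             # legitimate installer
    {"t": 905, "host": "ws3", "type": "http", "url": "https://updates.example.com/check"},
    {"t": 1200, "host": "ws4", "type": "file", "path": r"C:\Users\dave\AppData\Roaming\updater.exe",
     "md5": "00112233445566778899aabbccddeeff", "strings": []},                           # retooled: new name, no strings
    {"t": 1230, "host": "ws4", "type": "http", "url": "http://203.0.113.7:8080/x/gate.php"},
]

if __name__ == "__main__":
    for host, tiers in fired_tiers(SAMPLE_EVENTS).items():
        print(host, [f"{t} ({PAIN[t]})" for t in tiers] or "clean")
```

Run against the sample, ws1 (the original sample) lights up every tier; ws2 (recompiled, second IP) loses the hash and IP matches but keeps artifact, tool and TTP; ws4 (renamed dropper, new C2 path and IP, strings stripped) is caught only by the TTP rule; ws3 (a legitimate installer talking HTTPS on 443) stays clean. That is the slide's point in code: the higher the tier you detect at, the more the adversary has to change to get past you.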


New and Exciting Possibilities


LLNL Cyber Security: Warcopter
• Why not do our wardriving from the air?
• Lots of interesting legal / policy issues to navigate


LLNL Cyber Security Research

"Big data" problems
• Data fusion
• Machine learning

Network mapping
• NeMS


How Can I Learn More?
• Host forensics
• File forensics
• Malware analysis
• Computer network defense
• Computer network offense
• Penetration testing
• Exploit development
• Command / control


Thank You For Your Time and Attention

"America's economic prosperity in the 21st century will depend on cyber security." (President Barack Obama)

"It's not what happens to you, but how you react to it that matters." (Epictetus, Greek philosopher)

Matthew Myrick, myrick3@llnl.gov, (925) 422-0361
John Donaldson, donaldson8@llnl.gov, (925) 423-8562
Jim Klopchic, klopchic1@llnl.gov, (925) 424-2769

Page 4: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

4 CS13-053

John Donaldson (Livermore California)

bull Lawrence Livermore National Laboratory (LLNL)

bull Cyber Security ProgramInformation Operations and

Analytics Program

bull 5 years in network security

bull Computer Science (MS) Naval Postgraduate School

2013

Who am I (part 2)

Lawrence Livermore National Laboratory LLNL-PRES-663426

5 CS13-053

Jim Klopchic

bull Lawrence Livermore National Laboratory (LLNL)

bull Cyber Security ProgramLLNS Cyber Rotation

Program

bull 4 year offensive security lab member

bull Computer Science (BS) NYU Polytechnic School of

Engineering

Who am I (part 3)

Lawrence Livermore National Laboratory LLNL-PRES-663426

6 CS13-053

~7000 employees

~40000 computers

~10000 egress

~150 ingress

~50 Million Emails

bull ~75 Spam

LLNL Cyber Footprint

Lawrence Livermore National Laboratory LLNL-PRES-663426

7 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

8 CS13-053

About LLNL

Missions

bull Bio-Security

bull Counterterrorism

bull Defense

bull Energy

bull Intelligence

bull Nonproliferation

bull Science

bull Weapons

Cutting-edge science

bull Nuclear

weaponsfusiondeter-

rence

bull High-performance

computing

bull Additive manufacturing

bull Life sciences

Lawrence Livermore National Laboratory LLNL-PRES-663426

9 CS13-053

Unique facilities

bull Center for Accelerator Mass Spectrometry (CAMS)

bull High Explosives Application Facility (HEAF)

bull National Atmospheric Release Advisory Center

(NARAC)

bull National Ignition Facility (NIF)

bull Terascale Simulation Facility (TSF)

bull Forensic Science Center (FSC)

bull Site 300

About LLNL

Lawrence Livermore National Laboratory LLNL-PRES-663426

10 CS13-053

The computers bull Sequoia

mdash 98304 compute nodes

mdash 15M cores

mdash 16PB RAM

mdash 20 petaflops

mdash Top500 3

bull Vulcan mdash 24 576 compute nodes

mdash 393216 cores

mdash Top500 9

bull Catalyst

bull And more

About LLNL

Lawrence Livermore National Laboratory LLNL-PRES-663426

11 CS13-053

About LLNL

Assorted cool things

bull 152 RampD 100 awards since 1978

mdash Radiation detection explosives detection artificial retinas scalable debuggers high-precisions lasers etc

bull Co-discovered elements 113-118

mdash Livermorium (116)

bull Explosives detection

bull Pathogen detection

Lawrence Livermore National Laboratory LLNL-PRES-663426

12 CS13-053

About LLNL

Assorted cool things

Lawrence Livermore National Laboratory LLNL-PRES-663426

13 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

14 CS13-053

General view of the Internet

Lawrence Livermore National Laboratory LLNL-PRES-663426

15 CS13-053

My view of the Internet

Lawrence Livermore National Laboratory LLNL-PRES-663426

16 CS13-053

Cyber Security Staff

Cyber Security Program bull Network Security Team

mdash Security Operations Center (4 FTErsquos) ndash Front lines of defense (phonesemailalerts)

mdash Vulnerability Assessment Team (2 FTErsquos) ndash Scan for vulnerable systems

mdash Firewall Monitoring Team (2 FTErsquos) ndash Modify network tapsfirewallsaccess controls

mdash Incident Management Team (4 FTErsquos)

ndash Incident Response Intrusion DetectionPrevention Security Architecture Email Monitoring Forensics Penetration Tests Wireless Reverse Engineeringhellip

bull Finite Resourceshellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

17 CS13-053

Security Lingo

Definitions

bull Vulnerability ndash weakness in a computing system

bull Exploit ndash software that takes advantage of a

vulnerability

bull Phishing ndash sending an email to a user falsely

claiming to be somebody else in an attempt to scam

the user

bull Zero Day ndash a publically available exploit for which

there is no patch

Lawrence Livermore National Laboratory LLNL-PRES-663426

18 CS13-053

The World IS Shrinking

No longer have to physically travel the globe in order to attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

19 CS13-053

NKorea doubles cyber war personnel

httpnewsyahoocomn-korea-doubles-cyber-war-personnel-024102387html

Photo shows students using computers at the Grand Peoples Study House near

Kim Il-Sung Square in Pyongyang capital of North Korea (AFP Photo)

The Norths cyber

war unit now has

5900 personnel

compared with 3000

two years ago the

Souths Yonhap news

agency said

Lawrence Livermore National Laboratory LLNL-PRES-663426

20 CS13-053

ldquoMalware hidden in Chinese inventory

scanners targeted logistics shipping

firmsrdquo

httpwwwnetworkworldcomarticle2453101malware-hidden-in-chinese-inventory-

scanners-targeted-logistics-shipping-firmshtml

The supply chain attack dubbed ldquoZombie Zerordquo was

identified by security researchers from TrapX

The malware was designed to launch attacks using

the SMB (Server Message Block) protocol and the

Radmin remote control protocol when the infected

inventory scanner was connected to a companyrsquos

wireless network It then looked for ERP (enterprise

resource planning) servers with the word ldquofinancerdquo in

their names and used known exploits to compromise

them said Carl Wright executive vice president and

general manager of TrapX

Lawrence Livermore National Laboratory LLNL-PRES-663426

21 CS13-053

Attacked From Within

Lawrence Livermore National Laboratory LLNL-PRES-663426

22 CS13-053

Current State of Affairs Commercial Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

23 CS13-053

Current State of Affairs Government Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

24 CS13-053

Who is the Adversary

Script Kiddie (motivation vengeance) bull Hobbyists who dabble in mischief and chaos (ie Anonymous)

bull Attack method Distributed Denial of Service Defacement

bull Frequency Daily

bull Location Mostly Western Countries

Cyber Criminals (motivation $money$) bull Regular olrsquo criminals

bull Attack method Identity Theft Botnets Extortion

bull Frequency Daily

bull Mostly Eastern Bloc

Advanced Persistent Threat (motivation power)

bull Bad people from other countries paid to steal from the US

bull Frequency Monthly-gtWeekly-gtPeriodically

bull Mostly China

Lawrence Livermore National Laboratory LLNL-PRES-663426

25 CS13-053

The BIG Picture

Lawrence Livermore National Laboratory LLNL-PRES-663426

26 CS13-053

Anatomy Of A Targeted Attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

27 CS13-053

LLNL Cyber Security Lifecycle

Deter

Detect

Respond

Remediate

Lawrence Livermore National Laboratory LLNL-PRES-663426

28 CS13-053

Our Security Stack

28

External

Intense Monitoring

Full

Pac

ket

Cap

ture

DN

S P

rote

ctio

n

Net

wo

rk E

ven

t P

arsi

ng

SIEM

Fire

wal

l

Ap

plic

atio

n F

irew

all

Emai

l Blo

ckin

g

APT Detection

Forensics

AV

Log Forwarding

Remediate

Detect

Respond

Deter

Lawrence Livermore National Laboratory LLNL-PRES-663426

29 CS13-053

Technologies

Lawrence Livermore National Laboratory LLNL-PRES-663426

30 CS13-053

Countermeasures and Response

30

Tools

TTPs

Network and Host Indicators

Domain Names

IP Addresses

bull Tough

bull Challenging

bull Annoying

bull Easy

bull Trivial

Goal Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCrsquos) and by sharing

Pyramid of Pain

Lawrence Livermore National Laboratory LLNL-PRES-663426

31 CS13-053

LLNL Has A Wake Up Call

June 2008

bull 150 Emails

mdash 2 Different messages

bull Emails had a links to an Adobe Flash 0-day

bull 22 People clicked 13 initially infected

mdash Within minutes they were on 5 enterprise servers

bull We received the phone call over a month laterhellip

bull 100rsquos of machines compromised

bull 3 Command amp Control channels

mdash FTPHTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

32 CS13-053

LLNL Wake Up Call Lessons Learned

We Needed To Get Serious (Digital 911)

bull Too many ingressegress points

bull Not enough logs

bull Needed way more security

Bought A Bunch of Technology

bull Separated Value From Snake Oil

Hired More People

bull Training Is Mandatory

mdash Keep guard up and anticipate the next punch

Lawrence Livermore National Laboratory LLNL-PRES-663426

33 CS13-053

If You Donrsquot Learn The First Timehellip

March 2010

bull 776 Emails

mdash 2 Different messages

bull Emails had links to Internet Explorer 67 0-day

bull 18 People clicked 3 Initially Infected

mdash Within an hour they were on 2 enterprise servers

bull Only 5 Machines

bull Fully contained within 5 hours

bull 4 Command amp Control channels

mdash HTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

34 CS13-053

Keep On Learning Lessons Security Must Be Baked In

bull Safety And Security Are Paramount bull No longer ldquoTrustrdquo the network bull Security presence is known

Maintain a wish list

Track known APT bull Only block when no other option

Collaborate and Communicate bull DOE Apt Focus Group Bay Area APT-SIG

bull The Attacks Keep Comingbut this story stops here

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 5: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

5 CS13-053

Jim Klopchic

bull Lawrence Livermore National Laboratory (LLNL)

bull Cyber Security ProgramLLNS Cyber Rotation

Program

bull 4 year offensive security lab member

bull Computer Science (BS) NYU Polytechnic School of

Engineering

Who am I (part 3)

Lawrence Livermore National Laboratory LLNL-PRES-663426

6 CS13-053

~7000 employees

~40000 computers

~10000 egress

~150 ingress

~50 Million Emails

bull ~75 Spam

LLNL Cyber Footprint

Lawrence Livermore National Laboratory LLNL-PRES-663426

7 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

8 CS13-053

About LLNL

Missions

bull Bio-Security

bull Counterterrorism

bull Defense

bull Energy

bull Intelligence

bull Nonproliferation

bull Science

bull Weapons

Cutting-edge science

bull Nuclear

weaponsfusiondeter-

rence

bull High-performance

computing

bull Additive manufacturing

bull Life sciences

Lawrence Livermore National Laboratory LLNL-PRES-663426

9 CS13-053

Unique facilities

bull Center for Accelerator Mass Spectrometry (CAMS)

bull High Explosives Application Facility (HEAF)

bull National Atmospheric Release Advisory Center

(NARAC)

bull National Ignition Facility (NIF)

bull Terascale Simulation Facility (TSF)

bull Forensic Science Center (FSC)

bull Site 300

About LLNL

Lawrence Livermore National Laboratory LLNL-PRES-663426

10 CS13-053

The computers bull Sequoia

mdash 98304 compute nodes

mdash 15M cores

mdash 16PB RAM

mdash 20 petaflops

mdash Top500 3

bull Vulcan mdash 24 576 compute nodes

mdash 393216 cores

mdash Top500 9

bull Catalyst

bull And more

About LLNL

Lawrence Livermore National Laboratory LLNL-PRES-663426

11 CS13-053

About LLNL

Assorted cool things

bull 152 RampD 100 awards since 1978

mdash Radiation detection explosives detection artificial retinas scalable debuggers high-precisions lasers etc

bull Co-discovered elements 113-118

mdash Livermorium (116)

bull Explosives detection

bull Pathogen detection

Lawrence Livermore National Laboratory LLNL-PRES-663426

12 CS13-053

About LLNL

Assorted cool things

Lawrence Livermore National Laboratory LLNL-PRES-663426

13 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

14 CS13-053

General view of the Internet

Lawrence Livermore National Laboratory LLNL-PRES-663426

15 CS13-053

My view of the Internet

Lawrence Livermore National Laboratory LLNL-PRES-663426

16 CS13-053

Cyber Security Staff

Cyber Security Program bull Network Security Team

mdash Security Operations Center (4 FTErsquos) ndash Front lines of defense (phonesemailalerts)

mdash Vulnerability Assessment Team (2 FTErsquos) ndash Scan for vulnerable systems

mdash Firewall Monitoring Team (2 FTErsquos) ndash Modify network tapsfirewallsaccess controls

mdash Incident Management Team (4 FTErsquos)

ndash Incident Response Intrusion DetectionPrevention Security Architecture Email Monitoring Forensics Penetration Tests Wireless Reverse Engineeringhellip

bull Finite Resourceshellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

17 CS13-053

Security Lingo

Definitions

bull Vulnerability ndash weakness in a computing system

bull Exploit ndash software that takes advantage of a

vulnerability

bull Phishing ndash sending an email to a user falsely

claiming to be somebody else in an attempt to scam

the user

bull Zero Day ndash a publically available exploit for which

there is no patch

Lawrence Livermore National Laboratory LLNL-PRES-663426

18 CS13-053

The World IS Shrinking

No longer have to physically travel the globe in order to attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

19 CS13-053

NKorea doubles cyber war personnel

httpnewsyahoocomn-korea-doubles-cyber-war-personnel-024102387html

Photo shows students using computers at the Grand Peoples Study House near

Kim Il-Sung Square in Pyongyang capital of North Korea (AFP Photo)

The Norths cyber

war unit now has

5900 personnel

compared with 3000

two years ago the

Souths Yonhap news

agency said

Lawrence Livermore National Laboratory LLNL-PRES-663426

20 CS13-053

ldquoMalware hidden in Chinese inventory

scanners targeted logistics shipping

firmsrdquo

httpwwwnetworkworldcomarticle2453101malware-hidden-in-chinese-inventory-

scanners-targeted-logistics-shipping-firmshtml

The supply chain attack dubbed ldquoZombie Zerordquo was

identified by security researchers from TrapX

The malware was designed to launch attacks using

the SMB (Server Message Block) protocol and the

Radmin remote control protocol when the infected

inventory scanner was connected to a companyrsquos

wireless network It then looked for ERP (enterprise

resource planning) servers with the word ldquofinancerdquo in

their names and used known exploits to compromise

them said Carl Wright executive vice president and

general manager of TrapX

Lawrence Livermore National Laboratory LLNL-PRES-663426

21 CS13-053

Attacked From Within

Lawrence Livermore National Laboratory LLNL-PRES-663426

22 CS13-053

Current State of Affairs Commercial Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

23 CS13-053

Current State of Affairs Government Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

24 CS13-053

Who is the Adversary

Script Kiddie (motivation vengeance) bull Hobbyists who dabble in mischief and chaos (ie Anonymous)

bull Attack method Distributed Denial of Service Defacement

bull Frequency Daily

bull Location Mostly Western Countries

Cyber Criminals (motivation $money$) bull Regular olrsquo criminals

bull Attack method Identity Theft Botnets Extortion

bull Frequency Daily

bull Mostly Eastern Bloc

Advanced Persistent Threat (motivation power)

bull Bad people from other countries paid to steal from the US

bull Frequency Monthly-gtWeekly-gtPeriodically

bull Mostly China

Lawrence Livermore National Laboratory LLNL-PRES-663426

25 CS13-053

The BIG Picture

Lawrence Livermore National Laboratory LLNL-PRES-663426

26 CS13-053

Anatomy Of A Targeted Attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

27 CS13-053

LLNL Cyber Security Lifecycle

Deter

Detect

Respond

Remediate

Lawrence Livermore National Laboratory LLNL-PRES-663426

28 CS13-053

Our Security Stack

28

External

Intense Monitoring

Full

Pac

ket

Cap

ture

DN

S P

rote

ctio

n

Net

wo

rk E

ven

t P

arsi

ng

SIEM

Fire

wal

l

Ap

plic

atio

n F

irew

all

Emai

l Blo

ckin

g

APT Detection

Forensics

AV

Log Forwarding

Remediate

Detect

Respond

Deter

Lawrence Livermore National Laboratory LLNL-PRES-663426

29 CS13-053

Technologies

Lawrence Livermore National Laboratory LLNL-PRES-663426

30 CS13-053

Countermeasures and Response

30

Tools

TTPs

Network and Host Indicators

Domain Names

IP Addresses

bull Tough

bull Challenging

bull Annoying

bull Easy

bull Trivial

Goal Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCrsquos) and by sharing

Pyramid of Pain

Lawrence Livermore National Laboratory LLNL-PRES-663426

31 CS13-053

LLNL Has A Wake Up Call

June 2008
• 150 emails
  — 2 different messages
• Emails had links to an Adobe Flash 0-day
• 22 people clicked, 13 initially infected
  — Within minutes they were on 5 enterprise servers
• We received the phone call over a month later…
• Hundreds of machines compromised
• 3 Command & Control channels
  — FTP/HTTP/HTTPS


LLNL Wake Up Call: Lessons Learned

We Needed To Get Serious (Digital 9/11)
• Too many ingress/egress points
• Not enough logs
• Needed way more security

Bought A Bunch of Technology
• Separated value from snake oil

Hired More People
• Training is mandatory
  — Keep guard up and anticipate the next punch


If You Don't Learn The First Time…

March 2010
• 776 emails
  — 2 different messages
• Emails had links to an Internet Explorer 6/7 0-day
• 18 people clicked, 3 initially infected
  — Within an hour they were on 2 enterprise servers
• Only 5 machines
• Fully contained within 5 hours
• 4 Command & Control channels
  — HTTP/HTTPS


Keep On Learning Lessons: Security Must Be Baked In

• Safety and security are paramount
• No longer "trust" the network
• Security presence is known
• Maintain a wish list
• Track known APT
  — Only block when no other option
• Collaborate and communicate
  — DOE APT Focus Group, Bay Area APT-SIG
• The attacks keep coming… but this story stops here


Let's take a closer look…


First Wave of Recent Attack

From: sharon@hoofbeats.org.uk
Sent: Monday, July 07, 2014 7:38 AM
To: Myrick, Matt
Subject: Payment for myrick3@llnl.gov

Thanks for shopping with our company now. Your order is on process at present. You will receive more info in the next message.

BILLING DETAILS
Purchase Number: Z643213424
Order Date: 7:37 Wed, Jul 07 2014
Customer Email: myrick3@llnl.gov
Outright Purchase: 3742 USD

Please see the invoice enclosed with this email to get more info about your order.

IMPORTANT: In case you cannot read the file, do the following: save it to your computer and manually change an extension SCR (characters after dot). See the sample name: Ivoice7765116.SCR. Then try again to open this.

Attached file: Ivoice6886066.PFJ


Second Wave

To: myrick3@llnl.gov
From: add@mechparts.ru
Subject: Payment_for_myrick3@llnl.gov
Date: Fri, 11 Jul 2014 15:44:04 -0500

Thank you for placing order with us today. Your order is now on process.

ORDER DETAILS
Purchase Number: D552845188
Order Date: 12:09 PM Wed, July 11 2014
Customer Email: myrick3@llnl.gov
Order Total: 6889 USD

Download your invoice. Please hit the link provided above to have more info about this issue.
https://www.dropbox.com/s/i5dnimddh4d5xn5/Invoice_161.PDF.scr?dl=1
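Both lures share the tells a mail gateway can act on before anyone clicks: the first carries an attachment with a meaningless extension plus instructions to rename it to .SCR, the second links to a file whose name ends in a document extension followed by an executable one and adds dl=1 so the file-sharing host serves it as a download, and both subjects embed the recipient's own address, a mail-merge artifact. The Python below is an added example, not code from the LLNL deck or its authors; it reconstructs the two messages from the slide text (the first message's Date header and the attachment bytes are constructed, as are the rule names and the two-findings threshold) and runs those heuristics over them.

```python
"""Triage the two invoice lures shown above.

Added example, not code from the LLNL deck. Header values and body text come from the
slides; the first message's Date header, the attachment bytes, and all rule names and
thresholds are constructed for this example.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Extensions Windows executes on double-click, whatever precedes them.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "wsf", "hta", "msi", "lnk"}
# Extensions a lure borrows so the file looks like a document.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Coaching such as "change an extension SCR" or "rename ... extension to .exe".
RENAME_RE = re.compile(r"(?:change|rename)[^.\n]{0,40}?extension[^.\n]{0,20}?"
                       r"\b(?:scr|exe|pif|com|bat|cmd)\b", re.I)

FIRST_WAVE_TEXT = """Thanks for shopping with our company now. Your order is on process.
Please see the invoice enclosed with this email to get more info about your order.
IMPORTANT: In case you cannot read the file, do the following: save it to your
computer and manually change an extension SCR (characters after dot). See the
sample name: Ivoice7765116.SCR. Then try again to open this.
"""
SECOND_WAVE_TEXT = """Thank you for placing order with us today. Your order is now on process.
Order Total: 6889 USD. Download your invoice:
https://www.dropbox.com/s/i5dnimddh4d5xn5/Invoice_161.PDF.scr?dl=1
"""

def build_first_wave():
    """The attachment lure, rebuilt as a multipart message."""
    m = EmailMessage()
    m["From"] = "sharon@hoofbeats.org.uk"
    m["To"] = "myrick3@llnl.gov"
    m["Subject"] = "Payment for myrick3@llnl.gov"
    m["Date"] = "Mon, 07 Jul 2014 07:38:00 -0700"  # constructed from the slide's "7:38 AM"
    m.set_content(FIRST_WAVE_TEXT)
    m.add_attachment(b"MZ" + b"\0" * 62, maintype="application",  # constructed bytes
                     subtype="octet-stream", filename="Ivoice6886066.PFJ")
    return m.as_string()

def build_second_wave():
    """The link lure, rebuilt as a single-part message."""
    m = EmailMessage()
    m["From"] = "add@mechparts.ru"
    m["To"] = "myrick3@llnl.gov"
    m["Subject"] = "Payment_for_myrick3@llnl.gov"
    m["Date"] = "Fri, 11 Jul 2014 15:44:04 -0500"
    m.set_content(SECOND_WAVE_TEXT)
    return m.as_string()

def classify_name(name):
    """Return why a file name is dangerous, or None if it looks benign."""
    exts = name.lower().rsplit(".", 2)[1:]          # up to the last two extensions
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(exts) == 2 and exts[0] in DOCUMENT_EXTS:
        return "double-extension executable disguised as a document"
    return "executable file"

def triage(raw):
    """Return the findings for one RFC 5322 message and a block/review/pass verdict."""
    msg = message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    sender_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    recipient = parseaddr(str(msg["To"] or ""))[1].lower()
    findings = []
    # Bulk mail-merge templates leak the recipient address into the subject.
    if recipient and recipient in str(msg["Subject"] or "").lower():
        findings.append("subject embeds the recipient address (bulk mail-merge template)")
    for att in msg.iter_attachments():
        name = att.get_filename() or ""
        kind = classify_name(name)
        if kind:
            findings.append(f"attachment {name}: {kind}")
        elif RENAME_RE.search(body):
            findings.append(f"attachment {name}: unknown extension, and the body asks the "
                            "reader to rename it to an executable extension")
    link_hosts = set()
    for url in URL_RE.findall(body):
        u = urlparse(url)
        link_hosts.add(u.hostname or "")
        kind = classify_name(u.path.rsplit("/", 1)[-1])
        if kind:
            findings.append(f"link {url}: {kind}")
        if parse_qs(u.query).get("dl") == ["1"]:
            findings.append(f"link {url}: dl=1 forces a direct download from a file-sharing host")
    if link_hosts and not any(h.endswith(sender_domain) for h in link_hosts):
        findings.append("links point at hosts unrelated to the sender domain")
    verdict = "block" if len(findings) >= 2 else "review" if findings else "pass"
    return {"verdict": verdict, "findings": findings}

if __name__ == "__main__":
    for raw in (build_first_wave(), build_second_wave()):
        result = triage(raw)
        print(result["verdict"], *result["findings"], sep="\n  ")
```

The rename heuristic is what catches the first wave: the attachment itself has no executable extension, so an extension blocklist alone would pass it, and it is the body text coaching the reader to rename the file that gives it away.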


What Is This?

Zbot/Zeus: http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99&tabid=2

"Trojan.Zbot is created using a toolkit that is readily available on underground marketplaces used by online criminals. There are different versions available, from free ones (often back doored themselves) to those an attacker must pay up to $700 USD for in order to use. These marketplaces also offer other Zeus-related services, from bulletproof hosting for C&C servers to rental of already-established botnets."


What Does It Do?

Downloaded file: Invoice_[2-3 digits].PDF.scr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader .exe in C:\Users\[userid]\AppData\Roaming\ms[5 chars].exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Version information of the dropped file (spelling exactly as found in the binary):
Company Name: Tpowersoft
File Description: IMS Image Manipullation Software
File Version: 1072
Internal Name: imm manip softw
Legal Copyright: Copyright (C) 2013 Tpowersoft
Original Filename: ims imagge
Product Name: IMS Image Manipullation Software

Beacon IPs:
http://78.129.153.9:8080/warez/cloacla.php
http://78.129.153.11:8080/warez/cloacla.php

IP Address    Country  Location                Coordinates  ISP                     Org
78.129.153.9  GB       United Kingdom, Europe  51.5, -0.13  Iomart Hosting Limited  RapidSwitch Ltd
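The indicators on this slide sit at different heights on the Pyramid of Pain from the Countermeasures slide: the two MD5s cost the attacker a recompile, the beacon IPs a new hosting order, while the lure file-name pattern, the drop path under AppData\Roaming, the misspelled version-info strings and the beacon URI are host and network artifacts that survive both. The Python below, added here and not part of the LLNL material, matches all of them against a constructed host inventory export and constructed proxy log lines and tags each hit with its pyramid level (Bianco's six-level scale, which places hash values below IP addresses), so a rebuilt binary or a moved C2 host still trips the artifact-level rules. The /warez/cloacla.php segmentation is reconstructed from the slide's run-together text, the sample paths, hashes of the "rebuilt" and benign records, and the log lines are made up, and 198.51.100.7 is a TEST-NET address standing in for a relocated C2 server.

```python
"""Match the Zbot indicators above against host and proxy artifacts and tag each hit
with its Pyramid of Pain level.

Added example, not code from the LLNL deck. The hashes, IPs, port, file-name and drop-path
patterns and version-info strings are the slide's; the URI path segmentation, the host
records and the proxy lines are constructed here (198.51.100.7 is a TEST-NET address
standing in for a C2 host the attacker has moved to).
"""
import re
from urllib.parse import urlparse

# Bianco's levels, cheapest for the attacker to replace first.
LEVELS = ["trivial", "easy", "simple", "annoying", "challenging", "tough"]

KNOWN_MD5 = {
    "255819e2f28ee210479928517f676b30": "Invoice_*.PDF.scr dropper",
    "525de1b3ae058ca5d601bd54fa99315a": "ms*.exe downloader",
}
BEACON_IPS = {"78.129.153.9", "78.129.153.11"}
BEACON_PORT = 8080
BEACON_PATH = "/warez/cloacla.php"          # segmentation reconstructed from the slide
LURE_NAME_RE = re.compile(r"(?:^|[\\/])Invoice_\d{2,3}\.PDF\.scr$", re.I)
DROP_PATH_RE = re.compile(r"\\AppData\\Roaming\\ms[a-z0-9]{5}\.exe$", re.I)
# Misspellings are kept exactly as the binary carries them; they are the indicator.
VERSION_STRINGS = ("Tpowersoft", "IMS Image Manipullation Software", "imm manip softw")

def match_host_record(rec):
    """Return (indicator type, level, detail) hits for one inventory record."""
    hits = []
    md5 = rec.get("md5", "").lower()
    if md5 in KNOWN_MD5:
        hits.append(("hash", "trivial", KNOWN_MD5[md5]))
    path = rec.get("path", "")
    if LURE_NAME_RE.search(path):
        hits.append(("host artifact", "annoying", "lure file-name pattern"))
    if DROP_PATH_RE.search(path):
        hits.append(("host artifact", "annoying", "dropper path pattern"))
    for s in VERSION_STRINGS:
        if s in rec.get("version_info", ""):
            hits.append(("host artifact", "annoying", f"version-info string {s!r}"))
    return hits

def match_proxy_line(line):
    """Return hits for one proxy line of the form '<ts> <client> <method> <url> <status>'."""
    url = next((t for t in line.split() if t.startswith("http")), None)
    if url is None:
        return []
    u = urlparse(url)
    hits = []
    if u.hostname in BEACON_IPS:
        hits.append(("ip", "easy", f"beacon IP {u.hostname}"))
    if u.port == BEACON_PORT and u.path == BEACON_PATH:
        hits.append(("network artifact", "annoying", f"beacon URI :{u.port}{u.path}"))
    return hits

def highest_level(hits):
    """The most expensive thing the attacker must change to evade these hits."""
    return max((h[1] for h in hits), key=LEVELS.index, default=None)

HOST_RECORDS = [  # constructed inventory export: path, MD5, PE version-info strings
    {"path": r"C:\Users\jdoe\Downloads\Invoice_161.PDF.scr",
     "md5": "255819e2f28ee210479928517f676b30"},
    {"path": r"C:\Users\jdoe\AppData\Roaming\msqwxzt.exe",
     "md5": "525de1b3ae058ca5d601bd54fa99315a",
     "version_info": "Tpowersoft; IMS Image Manipullation Software; imm manip softw"},
    {"path": r"C:\Users\jdoe\AppData\Roaming\mskzpqa.exe", "md5": "0" * 32},  # rebuilt sample
    {"path": r"C:\Program Files\Vendor\viewer.exe", "md5": "f" * 32},           # benign
]
PROXY_LINES = [  # constructed
    "2014-07-11T16:02:11 10.1.2.3 GET http://78.129.153.9:8080/warez/cloacla.php 200",
    "2014-07-11T16:02:40 10.1.2.3 GET http://198.51.100.7:8080/warez/cloacla.php 200",
    "2014-07-11T16:03:05 10.1.2.9 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for rec in HOST_RECORDS:
        print(rec["path"], "->", highest_level(match_host_record(rec)))
    for line in PROXY_LINES:
        print(line.split()[3], "->", highest_level(match_proxy_line(line)))
```

The third host record and the second proxy line are the point of the exercise: the hash and the IP no longer match, yet the drop-path pattern and the beacon URI still do, which is why the slide's goal is to share the annoying indicators, not only the trivial ones.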


New and Exciting Possibilities


LLNL Cyber Security: Warcopter

• Why not do our wardriving from the air?
• Lots of interesting legal/policy issues to navigate


LLNL Cyber Security Research

"Big data" problems
• Data fusion
• Machine learning

Network mapping
• NeMS


How Can I Learn More?

• Host Forensics
• File Forensics / Malware Analysis
• Computer Network Defense
• Computer Network Offense
• Penetration Testing
• Exploit Development
• Command/Control


Thank You For Your Time and Attention

"America's economic prosperity in the 21st century will depend on cyber security." (President Barack Obama)

"It's not what happens to you, but how you react to it that matters." (Epictetus, Greek philosopher)

Matthew Myrick, myrick3@llnl.gov, (925) 422-0361
John Donaldson, donaldson8@llnl.gov, (925) 423-8562
Jim Klopchic, klopchic1@llnl.gov, (925) 424-2769

Page 6: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

6 CS13-053

~7000 employees

~40000 computers

~10000 egress

~150 ingress

~50 Million Emails

bull ~75 Spam

LLNL Cyber Footprint

Lawrence Livermore National Laboratory LLNL-PRES-663426

7 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

8 CS13-053

About LLNL

Missions

bull Bio-Security

bull Counterterrorism

bull Defense

bull Energy

bull Intelligence

bull Nonproliferation

bull Science

bull Weapons

Cutting-edge science

bull Nuclear

weaponsfusiondeter-

rence

bull High-performance

computing

bull Additive manufacturing

bull Life sciences

Lawrence Livermore National Laboratory LLNL-PRES-663426

9 CS13-053

Unique facilities

bull Center for Accelerator Mass Spectrometry (CAMS)

bull High Explosives Application Facility (HEAF)

bull National Atmospheric Release Advisory Center

(NARAC)

bull National Ignition Facility (NIF)

bull Terascale Simulation Facility (TSF)

bull Forensic Science Center (FSC)

bull Site 300

About LLNL

Lawrence Livermore National Laboratory LLNL-PRES-663426

10 CS13-053

The computers bull Sequoia

mdash 98304 compute nodes

mdash 15M cores

mdash 16PB RAM

mdash 20 petaflops

mdash Top500 3

bull Vulcan mdash 24 576 compute nodes

mdash 393216 cores

mdash Top500 9

bull Catalyst

bull And more

About LLNL

Lawrence Livermore National Laboratory LLNL-PRES-663426

11 CS13-053

About LLNL

Assorted cool things

bull 152 RampD 100 awards since 1978

mdash Radiation detection explosives detection artificial retinas scalable debuggers high-precisions lasers etc

bull Co-discovered elements 113-118

mdash Livermorium (116)

bull Explosives detection

bull Pathogen detection

Lawrence Livermore National Laboratory LLNL-PRES-663426

12 CS13-053

About LLNL

Assorted cool things

Lawrence Livermore National Laboratory LLNL-PRES-663426

13 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

14 CS13-053

General view of the Internet

Lawrence Livermore National Laboratory LLNL-PRES-663426

15 CS13-053

My view of the Internet

Lawrence Livermore National Laboratory LLNL-PRES-663426

16 CS13-053

Cyber Security Staff

Cyber Security Program bull Network Security Team

mdash Security Operations Center (4 FTErsquos) ndash Front lines of defense (phonesemailalerts)

mdash Vulnerability Assessment Team (2 FTErsquos) ndash Scan for vulnerable systems

mdash Firewall Monitoring Team (2 FTErsquos) ndash Modify network tapsfirewallsaccess controls

mdash Incident Management Team (4 FTErsquos)

ndash Incident Response Intrusion DetectionPrevention Security Architecture Email Monitoring Forensics Penetration Tests Wireless Reverse Engineeringhellip

bull Finite Resourceshellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

17 CS13-053

Security Lingo

Definitions

bull Vulnerability ndash weakness in a computing system

bull Exploit ndash software that takes advantage of a

vulnerability

bull Phishing ndash sending an email to a user falsely

claiming to be somebody else in an attempt to scam

the user

bull Zero Day ndash a publically available exploit for which

there is no patch

Lawrence Livermore National Laboratory LLNL-PRES-663426

18 CS13-053

The World IS Shrinking

No longer have to physically travel the globe in order to attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

19 CS13-053

NKorea doubles cyber war personnel

httpnewsyahoocomn-korea-doubles-cyber-war-personnel-024102387html

Photo shows students using computers at the Grand Peoples Study House near

Kim Il-Sung Square in Pyongyang capital of North Korea (AFP Photo)

The Norths cyber

war unit now has

5900 personnel

compared with 3000

two years ago the

Souths Yonhap news

agency said

Lawrence Livermore National Laboratory LLNL-PRES-663426

20 CS13-053

ldquoMalware hidden in Chinese inventory

scanners targeted logistics shipping

firmsrdquo

httpwwwnetworkworldcomarticle2453101malware-hidden-in-chinese-inventory-

scanners-targeted-logistics-shipping-firmshtml

The supply chain attack dubbed ldquoZombie Zerordquo was

identified by security researchers from TrapX

The malware was designed to launch attacks using

the SMB (Server Message Block) protocol and the

Radmin remote control protocol when the infected

inventory scanner was connected to a companyrsquos

wireless network It then looked for ERP (enterprise

resource planning) servers with the word ldquofinancerdquo in

their names and used known exploits to compromise

them said Carl Wright executive vice president and

general manager of TrapX

Lawrence Livermore National Laboratory LLNL-PRES-663426

21 CS13-053

Attacked From Within

Lawrence Livermore National Laboratory LLNL-PRES-663426

22 CS13-053

Current State of Affairs Commercial Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

23 CS13-053

Current State of Affairs Government Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

24 CS13-053

Who is the Adversary

Script Kiddie (motivation vengeance) bull Hobbyists who dabble in mischief and chaos (ie Anonymous)

bull Attack method Distributed Denial of Service Defacement

bull Frequency Daily

bull Location Mostly Western Countries

Cyber Criminals (motivation $money$) bull Regular olrsquo criminals

bull Attack method Identity Theft Botnets Extortion

bull Frequency Daily

bull Mostly Eastern Bloc

Advanced Persistent Threat (motivation power)

bull Bad people from other countries paid to steal from the US

bull Frequency Monthly-gtWeekly-gtPeriodically

bull Mostly China

Lawrence Livermore National Laboratory LLNL-PRES-663426

25 CS13-053

The BIG Picture

Lawrence Livermore National Laboratory LLNL-PRES-663426

26 CS13-053

Anatomy Of A Targeted Attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

27 CS13-053

LLNL Cyber Security Lifecycle

Deter

Detect

Respond

Remediate

Lawrence Livermore National Laboratory LLNL-PRES-663426

28 CS13-053

Our Security Stack

28

External

Intense Monitoring

Full

Pac

ket

Cap

ture

DN

S P

rote

ctio

n

Net

wo

rk E

ven

t P

arsi

ng

SIEM

Fire

wal

l

Ap

plic

atio

n F

irew

all

Emai

l Blo

ckin

g

APT Detection

Forensics

AV

Log Forwarding

Remediate

Detect

Respond

Deter

Lawrence Livermore National Laboratory LLNL-PRES-663426

29 CS13-053

Technologies

Lawrence Livermore National Laboratory LLNL-PRES-663426

30 CS13-053

Countermeasures and Response

30

Tools

TTPs

Network and Host Indicators

Domain Names

IP Addresses

bull Tough

bull Challenging

bull Annoying

bull Easy

bull Trivial

Goal Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCrsquos) and by sharing

Pyramid of Pain

Lawrence Livermore National Laboratory LLNL-PRES-663426

31 CS13-053

LLNL Has A Wake Up Call

June 2008

bull 150 Emails

mdash 2 Different messages

bull Emails had a links to an Adobe Flash 0-day

bull 22 People clicked 13 initially infected

mdash Within minutes they were on 5 enterprise servers

bull We received the phone call over a month laterhellip

bull 100rsquos of machines compromised

bull 3 Command amp Control channels

mdash FTPHTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

32 CS13-053

LLNL Wake Up Call Lessons Learned

We Needed To Get Serious (Digital 911)

bull Too many ingressegress points

bull Not enough logs

bull Needed way more security

Bought A Bunch of Technology

bull Separated Value From Snake Oil

Hired More People

bull Training Is Mandatory

mdash Keep guard up and anticipate the next punch

Lawrence Livermore National Laboratory LLNL-PRES-663426

33 CS13-053

If You Donrsquot Learn The First Timehellip

March 2010

bull 776 Emails

mdash 2 Different messages

bull Emails had links to Internet Explorer 67 0-day

bull 18 People clicked 3 Initially Infected

mdash Within an hour they were on 2 enterprise servers

bull Only 5 Machines

bull Fully contained within 5 hours

bull 4 Command amp Control channels

mdash HTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

34 CS13-053

Keep On Learning Lessons Security Must Be Baked In

bull Safety And Security Are Paramount bull No longer ldquoTrustrdquo the network bull Security presence is known

Maintain a wish list

Track known APT bull Only block when no other option

Collaborate and Communicate bull DOE Apt Focus Group Bay Area APT-SIG

bull The Attacks Keep Comingbut this story stops here

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 7: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

7 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

8 CS13-053

About LLNL

Missions

bull Bio-Security

bull Counterterrorism

bull Defense

bull Energy

bull Intelligence

bull Nonproliferation

bull Science

bull Weapons

Cutting-edge science

bull Nuclear

weaponsfusiondeter-

rence

bull High-performance

computing

bull Additive manufacturing

bull Life sciences

Lawrence Livermore National Laboratory LLNL-PRES-663426

9 CS13-053

Unique facilities

bull Center for Accelerator Mass Spectrometry (CAMS)

bull High Explosives Application Facility (HEAF)

bull National Atmospheric Release Advisory Center

(NARAC)

bull National Ignition Facility (NIF)

bull Terascale Simulation Facility (TSF)

bull Forensic Science Center (FSC)

bull Site 300

About LLNL

Lawrence Livermore National Laboratory LLNL-PRES-663426

10 CS13-053

The computers bull Sequoia

mdash 98304 compute nodes

mdash 15M cores

mdash 16PB RAM

mdash 20 petaflops

mdash Top500 3

bull Vulcan mdash 24 576 compute nodes

mdash 393216 cores

mdash Top500 9

bull Catalyst

bull And more

About LLNL

Lawrence Livermore National Laboratory LLNL-PRES-663426

11 CS13-053

About LLNL

Assorted cool things

bull 152 RampD 100 awards since 1978

mdash Radiation detection explosives detection artificial retinas scalable debuggers high-precisions lasers etc

bull Co-discovered elements 113-118

mdash Livermorium (116)

bull Explosives detection

bull Pathogen detection

Lawrence Livermore National Laboratory LLNL-PRES-663426

12 CS13-053

About LLNL

Assorted cool things

Lawrence Livermore National Laboratory LLNL-PRES-663426

13 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

14 CS13-053

General view of the Internet

Lawrence Livermore National Laboratory LLNL-PRES-663426

15 CS13-053

My view of the Internet

Lawrence Livermore National Laboratory LLNL-PRES-663426

16 CS13-053

Cyber Security Staff

Cyber Security Program bull Network Security Team

mdash Security Operations Center (4 FTErsquos) ndash Front lines of defense (phonesemailalerts)

mdash Vulnerability Assessment Team (2 FTErsquos) ndash Scan for vulnerable systems

mdash Firewall Monitoring Team (2 FTErsquos) ndash Modify network tapsfirewallsaccess controls

mdash Incident Management Team (4 FTErsquos)

ndash Incident Response Intrusion DetectionPrevention Security Architecture Email Monitoring Forensics Penetration Tests Wireless Reverse Engineeringhellip

bull Finite Resourceshellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

17 CS13-053

Security Lingo

Definitions

bull Vulnerability ndash weakness in a computing system

bull Exploit ndash software that takes advantage of a

vulnerability

bull Phishing ndash sending an email to a user falsely

claiming to be somebody else in an attempt to scam

the user

bull Zero Day ndash a publically available exploit for which

there is no patch

Lawrence Livermore National Laboratory LLNL-PRES-663426

18 CS13-053

The World IS Shrinking

No longer have to physically travel the globe in order to attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

19 CS13-053

NKorea doubles cyber war personnel

httpnewsyahoocomn-korea-doubles-cyber-war-personnel-024102387html

Photo shows students using computers at the Grand Peoples Study House near

Kim Il-Sung Square in Pyongyang capital of North Korea (AFP Photo)

The Norths cyber

war unit now has

5900 personnel

compared with 3000

two years ago the

Souths Yonhap news

agency said

Lawrence Livermore National Laboratory LLNL-PRES-663426

20 CS13-053

ldquoMalware hidden in Chinese inventory

scanners targeted logistics shipping

firmsrdquo

httpwwwnetworkworldcomarticle2453101malware-hidden-in-chinese-inventory-

scanners-targeted-logistics-shipping-firmshtml

The supply chain attack dubbed ldquoZombie Zerordquo was

identified by security researchers from TrapX

The malware was designed to launch attacks using

the SMB (Server Message Block) protocol and the

Radmin remote control protocol when the infected

inventory scanner was connected to a companyrsquos

wireless network It then looked for ERP (enterprise

resource planning) servers with the word ldquofinancerdquo in

their names and used known exploits to compromise

them said Carl Wright executive vice president and

general manager of TrapX

Lawrence Livermore National Laboratory LLNL-PRES-663426

21 CS13-053

Attacked From Within

Lawrence Livermore National Laboratory LLNL-PRES-663426

22 CS13-053

Current State of Affairs Commercial Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

23 CS13-053

Current State of Affairs Government Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

24 CS13-053

Who is the Adversary

Script Kiddie (motivation vengeance) bull Hobbyists who dabble in mischief and chaos (ie Anonymous)

bull Attack method Distributed Denial of Service Defacement

bull Frequency Daily

bull Location Mostly Western Countries

Cyber Criminals (motivation $money$) bull Regular olrsquo criminals

bull Attack method Identity Theft Botnets Extortion

bull Frequency Daily

bull Mostly Eastern Bloc

Advanced Persistent Threat (motivation power)

bull Bad people from other countries paid to steal from the US

bull Frequency Monthly-gtWeekly-gtPeriodically

bull Mostly China

Lawrence Livermore National Laboratory LLNL-PRES-663426

25 CS13-053

The BIG Picture

Lawrence Livermore National Laboratory LLNL-PRES-663426

26 CS13-053

Anatomy Of A Targeted Attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

27 CS13-053

LLNL Cyber Security Lifecycle

Deter

Detect

Respond

Remediate

Lawrence Livermore National Laboratory LLNL-PRES-663426

28 CS13-053

Our Security Stack

28

External

Intense Monitoring

Full

Pac

ket

Cap

ture

DN

S P

rote

ctio

n

Net

wo

rk E

ven

t P

arsi

ng

SIEM

Fire

wal

l

Ap

plic

atio

n F

irew

all

Emai

l Blo

ckin

g

APT Detection

Forensics

AV

Log Forwarding

Remediate

Detect

Respond

Deter

Lawrence Livermore National Laboratory LLNL-PRES-663426

29 CS13-053

Technologies

Lawrence Livermore National Laboratory LLNL-PRES-663426

30 CS13-053

Countermeasures and Response

30

Tools

TTPs

Network and Host Indicators

Domain Names

IP Addresses

bull Tough

bull Challenging

bull Annoying

bull Easy

bull Trivial

Goal Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCrsquos) and by sharing

Pyramid of Pain

Lawrence Livermore National Laboratory LLNL-PRES-663426

31 CS13-053

LLNL Has A Wake Up Call

June 2008

bull 150 Emails

mdash 2 Different messages

bull Emails had a links to an Adobe Flash 0-day

bull 22 People clicked 13 initially infected

mdash Within minutes they were on 5 enterprise servers

bull We received the phone call over a month laterhellip

bull 100rsquos of machines compromised

bull 3 Command amp Control channels

mdash FTPHTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

32 CS13-053

LLNL Wake Up Call Lessons Learned

We Needed To Get Serious (Digital 911)

bull Too many ingressegress points

bull Not enough logs

bull Needed way more security

Bought A Bunch of Technology

bull Separated Value From Snake Oil

Hired More People

bull Training Is Mandatory

mdash Keep guard up and anticipate the next punch

Lawrence Livermore National Laboratory LLNL-PRES-663426

33 CS13-053

If You Donrsquot Learn The First Timehellip

March 2010

bull 776 Emails

mdash 2 Different messages

bull Emails had links to Internet Explorer 67 0-day

bull 18 People clicked 3 Initially Infected

mdash Within an hour they were on 2 enterprise servers

bull Only 5 Machines

bull Fully contained within 5 hours

bull 4 Command amp Control channels

mdash HTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

34 CS13-053

Keep On Learning Lessons Security Must Be Baked In

bull Safety And Security Are Paramount bull No longer ldquoTrustrdquo the network bull Security presence is known

Maintain a wish list

Track known APT bull Only block when no other option

Collaborate and Communicate bull DOE Apt Focus Group Bay Area APT-SIG

bull The Attacks Keep Comingbut this story stops here

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 8: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

8 CS13-053

About LLNL

Missions

bull Bio-Security

bull Counterterrorism

bull Defense

bull Energy

bull Intelligence

bull Nonproliferation

bull Science

bull Weapons

Cutting-edge science

bull Nuclear

weaponsfusiondeter-

rence

bull High-performance

computing

bull Additive manufacturing

bull Life sciences

Lawrence Livermore National Laboratory LLNL-PRES-663426

9 CS13-053

Unique facilities

bull Center for Accelerator Mass Spectrometry (CAMS)

bull High Explosives Application Facility (HEAF)

bull National Atmospheric Release Advisory Center

(NARAC)

bull National Ignition Facility (NIF)

bull Terascale Simulation Facility (TSF)

bull Forensic Science Center (FSC)

bull Site 300

About LLNL

Slide 10

About LLNL

The computers
• Sequoia
  - 98,304 compute nodes
  - 1.5M cores
  - 1.6 PB RAM
  - 20 petaflops
  - Top500 #3
• Vulcan
  - 24,576 compute nodes
  - 393,216 cores
  - Top500 #9
• Catalyst
• And more

Slide 11

About LLNL

Assorted cool things
• 152 R&D 100 awards since 1978
  - Radiation detection, explosives detection, artificial retinas, scalable debuggers, high-precision lasers, etc.
• Co-discovered elements 113-118
  - Livermorium (116)
• Explosives detection
• Pathogen detection

Slide 12

About LLNL

Assorted cool things (image slide)

Slide 13 (image slide)

Slide 14

General view of the Internet (image slide)

Slide 15

My view of the Internet (image slide)

Slide 16

Cyber Security Staff

Cyber Security Program
• Network Security Team
  - Security Operations Center (4 FTEs): front line of defense (phones/email/alerts)
  - Vulnerability Assessment Team (2 FTEs): scan for vulnerable systems
  - Firewall Monitoring Team (2 FTEs): modify network taps/firewalls/access controls
  - Incident Management Team (4 FTEs): incident response, intrusion detection/prevention, security architecture, email monitoring, forensics, penetration tests, wireless, reverse engineering…
• Finite resources…

Slide 17

Security Lingo

Definitions
• Vulnerability: a weakness in a computing system
• Exploit: software that takes advantage of a vulnerability
• Phishing: sending an email to a user while falsely claiming to be somebody else, in an attempt to scam the user
• Zero Day: an exploit for a vulnerability for which no patch yet exists (the exploit need not be public; the term is also used for the unpatched vulnerability itself)

Slide 18

The World IS Shrinking

You no longer have to physically travel the globe in order to attack.

Slide 19

"N. Korea doubles cyber war personnel"
http://news.yahoo.com/n-korea-doubles-cyber-war-personnel-024102387.html

(Photo shows students using computers at the Grand People's Study House near Kim Il-Sung Square in Pyongyang, capital of North Korea. AFP Photo)

"The North's cyber war unit now has 5,900 personnel, compared with 3,000 two years ago, the South's Yonhap news agency said."

Slide 20

"Malware hidden in Chinese inventory scanners targeted logistics, shipping firms"
http://www.networkworld.com/article/2453101/malware-hidden-in-chinese-inventory-scanners-targeted-logistics-shipping-firms.html

"The supply chain attack, dubbed 'Zombie Zero', was identified by security researchers from TrapX. The malware was designed to launch attacks using the SMB (Server Message Block) protocol and the Radmin remote control protocol when the infected inventory scanner was connected to a company's wireless network. It then looked for ERP (enterprise resource planning) servers with the word 'finance' in their names and used known exploits to compromise them, said Carl Wright, executive vice president and general manager of TrapX."
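What the quoted article describes is detectable from ordinary flow and DNS logs without knowing anything about the malware: a barcode scanner has exactly one legitimate destination, so anything else it talks to is news, and a fan-out over SMB (445) and Radmin (4899) to many internal hosts together with DNS lookups for names containing "finance" is the article's attack chain in log form. The Python below is an added example written for this page, not code from the deck or from TrapX. The per-device policy, the 10.0.0.0/8 internal range, the flow records and the DNS queries are all constructed; 445 and 4899 are the real default ports of SMB and Radmin.

```python
"""Detect a compromised embedded device (the 'Zombie Zero' pattern) from flow and DNS logs."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMB_PORT = 445        # SMB default port
RADMIN_PORT = 4899    # Radmin default port
LATERAL_PORTS = {SMB_PORT, RADMIN_PORT}
INTERNAL = ip_network("10.0.0.0/8")   # assumed internal range (constructed)

# Constructed asset policy: an inventory scanner has exactly one legitimate
# destination, the warehouse-management server on 443. Anything else is suspicious.
DEVICE_POLICY = {
    "10.0.9.21": {"role": "inventory_scanner", "allowed": {("10.0.5.10", 443)}},
    "10.0.9.22": {"role": "inventory_scanner", "allowed": {("10.0.5.10", 443)}},
}

# Constructed TCP flow log: epoch, src, dst, dst_port (one flow per line).
FLOWS = """\
1404718800 10.0.9.21 10.0.5.10 443
1404718805 10.0.9.22 10.0.5.10 443
1404718810 10.0.9.21 10.0.7.11 445
1404718811 10.0.9.21 10.0.7.12 445
1404718812 10.0.9.21 10.0.7.13 445
1404718813 10.0.9.21 10.0.7.14 4899
1404718814 10.0.9.21 10.0.7.15 4899
1404718815 10.0.9.21 10.0.7.16 445
1404718900 10.0.9.21 203.0.113.7 8080
"""

# Constructed DNS query log: epoch, src, query name.
DNS = """\
1404718809 10.0.9.21 erp-finance01.corp.example
1404718809 10.0.9.21 finance-db.corp.example
1404718820 10.0.9.22 wms.corp.example
"""


def parse_flows(text):
    """Yield (ts, src, dst, dport) tuples from the whitespace-separated flow log."""
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        yield int(ts), src, dst, int(dport)


def detect(flow_text=FLOWS, dns_text=DNS, policy=DEVICE_POLICY, fanout_threshold=5):
    """Return {device_ip: [finding, ...]} for the devices covered by the policy."""
    findings = defaultdict(list)
    lateral_targets = defaultdict(set)

    for _ts, src, dst, dport in parse_flows(flow_text):
        if src not in policy:
            continue                      # not an embedded device we model here
        if (dst, dport) in policy[src]["allowed"]:
            continue                      # the one thing it is supposed to do
        if ip_address(dst) in INTERNAL:
            findings[src].append(f"policy_violation:{dst}:{dport}")
            if dport in LATERAL_PORTS:
                lateral_targets[src].add(dst)
        else:
            # A barcode scanner has no business reaching the Internet directly.
            findings[src].append(f"external:{dst}:{dport}")

    # Many distinct internal hosts on SMB/Radmin from one device: a lateral-movement scan.
    for src, targets in lateral_targets.items():
        if len(targets) >= fanout_threshold:
            findings[src].append(f"lateral_fanout:{len(targets)}")

    # The article's target selection: ERP servers with "finance" in the name.
    for line in dns_text.splitlines():
        _ts, src, qname = line.split()
        if src in policy and "finance" in qname.lower():
            findings[src].append(f"name_hunting:{qname}")

    return dict(findings)


if __name__ == "__main__":
    for device, hits in detect().items():
        print(device, DEVICE_POLICY[device]["role"])
        for hit in hits:
            print("   ", hit)
```

The policy is keyed on (destination, port) rather than on the malware, which is the point: the second scanner, which only ever talks to the WMS server, produces no findings, while the infected one trips three independent rules. In practice the device-to-policy mapping comes from the asset inventory or the DHCP/802.1X records that identify the scanner VLAN.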

Slide 21

Attacked From Within (image slide)

Slide 22

Current State of Affairs: Commercial Sector (image slide)

Slide 23

Current State of Affairs: Government Sector (image slide)

Slide 24

Who is the Adversary?

Script Kiddie (motivation: vengeance)
• Hobbyists who dabble in mischief and chaos (e.g. Anonymous)
• Attack method: Distributed Denial of Service, defacement
• Frequency: daily
• Location: mostly Western countries

Cyber Criminals (motivation: $money$)
• Regular ol' criminals
• Attack method: identity theft, botnets, extortion
• Frequency: daily
• Location: mostly Eastern Bloc

Advanced Persistent Threat (motivation: power)
• Bad people from other countries paid to steal from the US
• Frequency: monthly -> weekly -> periodically
• Location: mostly China

Slide 25

The BIG Picture (image slide)

Slide 26

Anatomy Of A Targeted Attack (image slide)

Slide 27

LLNL Cyber Security Lifecycle: Deter -> Detect -> Respond -> Remediate

Slide 28

Our Security Stack

External boundary, under intense monitoring:
• Full packet capture
• DNS protection
• Network event parsing
• SIEM
• Firewall
• Application firewall
• Email blocking
• APT detection
• Forensics
• AV
• Log forwarding

(The diagram maps these layers onto the Deter / Detect / Respond / Remediate lifecycle.)

Slide 29

Technologies (image slide)

Slide 30

Countermeasures and Response

Pyramid of Pain (David Bianco's model, as adapted on the slide): the higher up the pyramid the indicator we detect on, the more it costs the adversary to get around us.

  Indicator type                 Pain for the adversary when it is burned
  TTPs                           Tough
  Tools                          Challenging
  Network and host indicators    Annoying
  Domain names                   Easy
  IP addresses                   Trivial

Goal: make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCs) and by sharing.

Slide 31

LLNL Has A Wake Up Call

June 2008
• 150 emails
  - 2 different messages
• Emails had links to an Adobe Flash 0-day
• 22 people clicked, 13 initially infected
  - Within minutes they were on 5 enterprise servers
• We received the phone call over a month later…
• 100's of machines compromised
• 3 Command & Control channels
  - FTP/HTTP/HTTPS

Slide 32

LLNL Wake Up Call: Lessons Learned

We needed to get serious (Digital 911)
• Too many ingress/egress points
• Not enough logs
• Needed way more security

Bought a bunch of technology
• Separated value from snake oil

Hired more people
• Training is mandatory
  - Keep guard up and anticipate the next punch

Slide 33

If You Don't Learn The First Time…

March 2010
• 776 emails
  - 2 different messages
• Emails had links to an Internet Explorer 6/7 0-day
• 18 people clicked, 3 initially infected
  - Within an hour they were on 2 enterprise servers
• Only 5 machines
• Fully contained within 5 hours
• 4 Command & Control channels
  - HTTP/HTTPS

Slide 34

Keep On Learning Lessons: Security Must Be Baked In

Safety and security are paramount
• No longer "trust" the network
• Security presence is known

Maintain a wish list

Track known APT
• Only block when no other option

Collaborate and communicate
• DOE APT Focus Group, Bay Area APT-SIG

• The attacks keep coming… but this story stops here

Slide 35

Let's take a closer look…

Slide 36

First Wave of Recent Attack

From: sharon@hoofbeats.org.uk
Sent: Monday, July 07, 2014 7:38 AM
To: Myrick, Matt
Subject: Payment for myrick3@llnl.gov

Thanks for shopping with our company now. Your order is on process at present. You will receive more info in the next message.

BILLING DETAILS
Purchase Number: Z643213424
Order Date: 7:37 Wed, Jul 07 2014
Customer Email: myrick3@llnl.gov
Outright Purchase: 3742 USD

Please see the invoice enclosed with this email to get more info about your order.

IMPORTANT
In case you cannot read the file, do the following: save it to your computer and manually change an extension: SCR (characters after dot). See the sample name: Ivoice7765116.SCR
Then try again to open this.

Attached file: Ivoice6886066.PFJ

Slide 37

Second Wave

To: myrick3@llnl.gov
From: addmechpartsru
Subject: Payment_for_myrick3@llnl.gov
Date: Fri, 11 Jul 2014 15:44:04 -0500

Thank you for placing order with us today. Your order is now on process.

ORDER DETAILS
Purchase Number: D552845188
Order Date: 12:09 PM Wed, July 11 2014
Customer Email: myrick3@llnl.gov
Order Total: 6889 USD

Download your invoice
Please hit the link provided above to have more info about this issue.
https://www.dropbox.com/s/i5dnimddh4d5xn5/Invoice_161.PDF.scr?dl=1
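Neither lure needs a signature to be caught; the tells are in the text itself. The Python below is an added example, not code from the deck. It runs five checks over the two messages as re-typed from the slides with the punctuation the extraction dropped (the first message's Date header timezone and the split of the second sender address into add@mechparts.ru are assumptions): a link whose final path component is an executable, a document-looking double extension, an instruction to rename the attachment to .SCR, a weekday in the body that contradicts the calendar date (both lures say "Wed" for what is actually a Monday and a Friday), and a Subject built from the recipient's own address.

```python
"""Heuristic triage of the two 'invoice' lures above: no signatures, just the tells."""
import email
import re
from datetime import date
from email import policy
from urllib.parse import urlparse

# Extensions no legitimate invoice carries, and the document types used as decoys.
EXEC_EXT = {"scr", "exe", "pif", "bat", "cmd", "js", "vbs", "jar", "hta"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
FILE_RE = re.compile(r"\b[\w\-]+(?:\.[A-Za-z0-9]{2,4}){1,3}\b")
DATE_RE = re.compile(r"\b(Mon|Tue|Wed|Thu|Fri|Sat|Sun)[a-z]*,?\s+"
                     r"([A-Z][a-z]{2})[a-z]*\.?\s+(\d{1,2}),?\s+(\d{4})\b")
RENAME_RE = re.compile(r"\b(?:change|rename)\b[^.\n]{0,40}\bextension\b", re.I)

# The two lures re-typed from the slides. Timezone of the first Date header is assumed.
FIRST_WAVE = """\
From: sharon@hoofbeats.org.uk
To: "Myrick, Matt" <myrick3@llnl.gov>
Subject: Payment for myrick3@llnl.gov
Date: Mon, 07 Jul 2014 07:38:00 -0700

Thanks for shopping with our company now. Your order is on process at present.
Purchase Number: Z643213424
Order Date: 7:37 Wed, Jul 07 2014
Customer Email: myrick3@llnl.gov
In case you cannot read the file, do the following: save it to your computer and
manually change an extension: SCR (characters after dot). See the sample name:
Ivoice7765116.SCR
Attached file: Ivoice6886066.PFJ
"""

# Sender address split at an assumed position (the slide's extraction lost the separators).
SECOND_WAVE = """\
From: add@mechparts.ru
To: myrick3@llnl.gov
Subject: Payment_for_myrick3@llnl.gov
Date: Fri, 11 Jul 2014 15:44:04 -0500

Thank you for placing order with us today. Your order is now on process.
Purchase Number: D552845188
Order Date: 12:09 PM Wed, July 11 2014
Customer Email: myrick3@llnl.gov
Download your invoice:
https://www.dropbox.com/s/i5dnimddh4d5xn5/Invoice_161.PDF.scr?dl=1
"""


def _exts(name):
    """'Invoice_161.PDF.scr' -> ['pdf', 'scr']."""
    return [e.lower() for e in name.split(".")[1:]]


def triage(raw):
    """Return the list of finding tags for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_content()
    findings = []

    # 1. A link whose last path component is an executable (dl=1 forces a download).
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        leaf = parts.path.rsplit("/", 1)[-1]
        exts = _exts(leaf)
        if exts and exts[-1] in EXEC_EXT:
            findings.append("url_to_executable:" + parts.hostname)
            if len(exts) > 1 and exts[0] in DOC_EXT:
                findings.append("double_extension:" + leaf)

    # 2. File names mentioned in the body (URLs stripped first so domains are skipped).
    for name in FILE_RE.findall(URL_RE.sub(" ", body)):
        exts = _exts(name)
        if exts[-1] in EXEC_EXT:
            findings.append("executable_name:" + name)
            if len(exts) > 1 and exts[0] in DOC_EXT:
                findings.append("double_extension:" + name)

    # 3. Social engineering around gateway blocking: "rename it to .SCR yourself".
    if RENAME_RE.search(body):
        findings.append("rename_instruction")

    # 4. Template sloppiness: the weekday written in the body contradicts the date.
    for wday, mon, day, year in DATE_RE.findall(body):
        try:
            real = WEEKDAYS[date(int(year), MONTHS[mon], int(day)).weekday()]
        except (KeyError, ValueError):
            continue                       # not a real calendar date at all
        if real != wday:
            findings.append(f"weekday_mismatch:{wday}!={real}")

    # 5. Subject assembled from the recipient address: a mass-mail template.
    to_addr = str(msg["To"] or "")
    subject = str(msg["Subject"] or "")
    if any(a in subject for a in re.findall(r"[\w.+-]+@[\w.-]+", to_addr)):
        findings.append("subject_contains_recipient")
    return findings


if __name__ == "__main__":
    for label, raw in (("first wave", FIRST_WAVE), ("second wave", SECOND_WAVE)):
        print(label, triage(raw))
```

None of these checks depends on the attachment's hash or the hosting site, which is why the second wave (a link instead of an attachment, a .ru sender instead of a .uk one) trips the same family of rules as the first. The weekday check is cheap and surprisingly durable: kit-generated templates fill in a fixed weekday string and a current date independently.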

Slide 38

What Is This?

Zbot/Zeus: http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99&tabid=2

"Trojan.Zbot is created using a toolkit that is readily available on underground marketplaces used by online criminals. There are different versions available, from free ones (often back doored themselves) to those an attacker must pay up to $700 USD for in order to use. These marketplaces also offer other Zeus-related services, from bulletproof hosting for C&C servers to rental of already-established botnets."

Slide 39

What Does It Do?

Downloaded file: Invoice_[2-3 digits].PDF.scr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader .exe in C:\Users\[userid]\AppData\Roaming\ms[5 chars].exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Version resource of the dropped file (misspellings as found in the binary):
  Company Name: Tpowersoft
  File Description: IMS Image Manipullation Software
  File Version: 1072
  Internal Name: imm manip softw
  Legal Copyright: Copyright (C) 2013 Tpowersoft
  Original Filename: ims imagge
  Product Name: IMS Image Manipullation Software

Beacon URLs (path as extracted; its separators were lost):
  http://78.129.153.9:8080/warezcloaclaphp
  http://78.129.153.11:8080/warezcloaclaphp

  IP Address     Country              Location   Coordinates    ISP                      Org
  78.129.153.9   GB (United Kingdom)  Europe     51.5, -0.13    Iomart Hosting Limited   RapidSwitch Ltd
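Slide 30's pyramid is easiest to see with the indicators from this slide. The Python below is an added example, not code from the deck: it runs three detections, one per tier, over a simplified Sysmon-style event list (process creations with parent pid and MD5, and outbound connections with pid, destination and URL; that schema is an assumption). The hash and IP tiers use the two MD5s and the beacon hosts from the slide. The TTP tier looks for the chain itself: a .PDF.scr dropper spawning a five-character ms*.exe under Roaming AppData that beacons to port 8080 on a .php path. The telemetry is constructed, and because the beacon path did not survive extraction, gate.php is a placeholder. A second, likewise constructed event set shows the same actor after rehashing the build and moving hosting: the trivial and easy tiers go dark, the TTP detection still fires.

```python
"""Three detections for the Zbot chain on slide 39, one per Pyramid-of-Pain tier."""
import re

# Atomic indicators taken from the slide.
KNOWN_MD5 = {"255819e2f28ee210479928517f676b30",   # Invoice_NNN.PDF.scr
             "525de1b3ae058ca5d601bd54fa99315a"}   # dropped ms?????.exe
KNOWN_IPS = {"78.129.153.9", "78.129.153.11"}      # beacon hosts

# Behavioural rule (TTP tier): a document-looking double-extension .scr spawning
# a five-character ms*.exe under Roaming AppData that beacons to <host>:8080/*.php.
DROPPER_RE = re.compile(r"\.(pdf|doc|xls)\.scr$", re.I)
DROPPED_RE = re.compile(r"\\AppData\\Roaming\\ms[a-z0-9]{5}\.exe$", re.I)
BEACON_RE = re.compile(r"^https?://[^/]+:8080/[^?]*\.php(\?.*)?$", re.I)


def hash_hits(events):
    """Trivial tier: exact MD5 match. Defeated by recompiling."""
    return sorted({e["md5"] for e in events if e.get("md5") in KNOWN_MD5})


def ip_hits(events):
    """Easy/trivial tier: beacon destination match. Defeated by renting a new VPS."""
    return sorted({e["dst"] for e in events if e.get("dst") in KNOWN_IPS})


def behaviour_hits(events):
    """Tough tier: the dropper -> downloader -> beacon chain, whatever the hash or host."""
    procs = [e for e in events if e["type"] == "process"]
    droppers = {e["pid"] for e in procs if DROPPER_RE.search(e["image"])}
    dropped = {e["pid"] for e in procs
               if e["ppid"] in droppers and DROPPED_RE.search(e["image"])}
    return [e["url"] for e in events
            if e["type"] == "connect" and e["pid"] in dropped
            and BEACON_RE.match(e["url"])]


def score(events):
    """Run all three tiers and report what each one sees."""
    return {"hash": hash_hits(events),
            "ip": ip_hits(events),
            "behaviour": behaviour_hits(events)}


# Constructed endpoint telemetry for the July 2014 chain (beacon path is a placeholder).
JULY_2014 = [
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Users\mm\Downloads\Invoice_161.PDF.scr",
     "md5": "255819e2f28ee210479928517f676b30"},
    {"type": "process", "pid": 101, "ppid": 100,
     "image": r"C:\Users\mm\AppData\Roaming\msqwert.exe",
     "md5": "525de1b3ae058ca5d601bd54fa99315a"},
    {"type": "connect", "pid": 101, "dst": "78.129.153.9",
     "url": "http://78.129.153.9:8080/gate.php"},
]

# Constructed: the same actor after a cheap retool, new build and new hoster, same tradecraft.
RETOOLED = [
    {"type": "process", "pid": 200, "ppid": 1,
     "image": r"C:\Users\jd\Downloads\Invoice_207.PDF.scr", "md5": "a" * 32},
    {"type": "process", "pid": 201, "ppid": 200,
     "image": r"C:\Users\jd\AppData\Roaming\msz9k2p.exe", "md5": "b" * 32},
    {"type": "connect", "pid": 201, "dst": "203.0.113.50",
     "url": "http://203.0.113.50:8080/panel/gate.php"},
]

if __name__ == "__main__":
    for label, events in (("July 2014", JULY_2014), ("retooled", RETOOLED)):
        print(label, score(events))
```

The behavioural rule is the one worth sharing with the DOE and Bay Area groups the deck mentions: hashes and IPs from a single campaign are stale within days, while the parent/child/beacon shape of the chain survives every cheap change the operator can make.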

Slide 40

New and Exciting Possibilities (image slide)

Slide 41

LLNL Cyber Security: Warcopter
• Why not do our wardriving from the air?
• Lots of interesting legal/policy issues to navigate

Slide 42 (image slide)

Slide 43

LLNL Cyber Security Research

"Big data" problems
• Data fusion
• Machine learning

Network mapping
• NeMS

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 9: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

9 CS13-053

Unique facilities

bull Center for Accelerator Mass Spectrometry (CAMS)

bull High Explosives Application Facility (HEAF)

bull National Atmospheric Release Advisory Center

(NARAC)

bull National Ignition Facility (NIF)

bull Terascale Simulation Facility (TSF)

bull Forensic Science Center (FSC)

bull Site 300

About LLNL

Lawrence Livermore National Laboratory LLNL-PRES-663426

10 CS13-053

The computers bull Sequoia

mdash 98304 compute nodes

mdash 15M cores

mdash 16PB RAM

mdash 20 petaflops

mdash Top500 3

bull Vulcan mdash 24 576 compute nodes

mdash 393216 cores

mdash Top500 9

bull Catalyst

bull And more

About LLNL

Lawrence Livermore National Laboratory LLNL-PRES-663426

11 CS13-053

About LLNL

Assorted cool things

bull 152 RampD 100 awards since 1978

mdash Radiation detection explosives detection artificial retinas scalable debuggers high-precisions lasers etc

bull Co-discovered elements 113-118

mdash Livermorium (116)

bull Explosives detection

bull Pathogen detection

Lawrence Livermore National Laboratory LLNL-PRES-663426

12 CS13-053

About LLNL

Assorted cool things

Lawrence Livermore National Laboratory LLNL-PRES-663426

13 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

14 CS13-053

General view of the Internet

Lawrence Livermore National Laboratory LLNL-PRES-663426

15 CS13-053

My view of the Internet

Lawrence Livermore National Laboratory LLNL-PRES-663426

16 CS13-053

Cyber Security Staff

Cyber Security Program bull Network Security Team

mdash Security Operations Center (4 FTErsquos) ndash Front lines of defense (phonesemailalerts)

mdash Vulnerability Assessment Team (2 FTErsquos) ndash Scan for vulnerable systems

mdash Firewall Monitoring Team (2 FTErsquos) ndash Modify network tapsfirewallsaccess controls

mdash Incident Management Team (4 FTErsquos)

ndash Incident Response Intrusion DetectionPrevention Security Architecture Email Monitoring Forensics Penetration Tests Wireless Reverse Engineeringhellip

bull Finite Resourceshellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

17 CS13-053

Security Lingo

Definitions

bull Vulnerability ndash weakness in a computing system

bull Exploit ndash software that takes advantage of a

vulnerability

bull Phishing ndash sending an email to a user falsely

claiming to be somebody else in an attempt to scam

the user

bull Zero Day ndash a publically available exploit for which

there is no patch

Lawrence Livermore National Laboratory LLNL-PRES-663426

18 CS13-053

The World IS Shrinking

No longer have to physically travel the globe in order to attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

19 CS13-053

NKorea doubles cyber war personnel

httpnewsyahoocomn-korea-doubles-cyber-war-personnel-024102387html

Photo shows students using computers at the Grand Peoples Study House near

Kim Il-Sung Square in Pyongyang capital of North Korea (AFP Photo)

The Norths cyber

war unit now has

5900 personnel

compared with 3000

two years ago the

Souths Yonhap news

agency said

Lawrence Livermore National Laboratory LLNL-PRES-663426

20 CS13-053

ldquoMalware hidden in Chinese inventory

scanners targeted logistics shipping

firmsrdquo

httpwwwnetworkworldcomarticle2453101malware-hidden-in-chinese-inventory-

scanners-targeted-logistics-shipping-firmshtml

The supply chain attack dubbed ldquoZombie Zerordquo was

identified by security researchers from TrapX

The malware was designed to launch attacks using

the SMB (Server Message Block) protocol and the

Radmin remote control protocol when the infected

inventory scanner was connected to a companyrsquos

wireless network It then looked for ERP (enterprise

resource planning) servers with the word ldquofinancerdquo in

their names and used known exploits to compromise

them said Carl Wright executive vice president and

general manager of TrapX

Lawrence Livermore National Laboratory LLNL-PRES-663426

21 CS13-053

Attacked From Within

Lawrence Livermore National Laboratory LLNL-PRES-663426

22 CS13-053

Current State of Affairs Commercial Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

23 CS13-053

Current State of Affairs Government Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

24 CS13-053

Who is the Adversary

Script Kiddie (motivation vengeance) bull Hobbyists who dabble in mischief and chaos (ie Anonymous)

bull Attack method Distributed Denial of Service Defacement

bull Frequency Daily

bull Location Mostly Western Countries

Cyber Criminals (motivation $money$) bull Regular olrsquo criminals

bull Attack method Identity Theft Botnets Extortion

bull Frequency Daily

bull Mostly Eastern Bloc

Advanced Persistent Threat (motivation power)

bull Bad people from other countries paid to steal from the US

bull Frequency Monthly-gtWeekly-gtPeriodically

bull Mostly China

Lawrence Livermore National Laboratory LLNL-PRES-663426

25 CS13-053

The BIG Picture

Lawrence Livermore National Laboratory LLNL-PRES-663426

26 CS13-053

Anatomy Of A Targeted Attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

27 CS13-053

LLNL Cyber Security Lifecycle

Deter

Detect

Respond

Remediate

Lawrence Livermore National Laboratory LLNL-PRES-663426

28 CS13-053

Our Security Stack

28

External

Intense Monitoring

Full

Pac

ket

Cap

ture

DN

S P

rote

ctio

n

Net

wo

rk E

ven

t P

arsi

ng

SIEM

Fire

wal

l

Ap

plic

atio

n F

irew

all

Emai

l Blo

ckin

g

APT Detection

Forensics

AV

Log Forwarding

Remediate

Detect

Respond

Deter

Lawrence Livermore National Laboratory LLNL-PRES-663426

29 CS13-053

Technologies

Lawrence Livermore National Laboratory LLNL-PRES-663426

30 CS13-053

Countermeasures and Response

30

Tools

TTPs

Network and Host Indicators

Domain Names

IP Addresses

bull Tough

bull Challenging

bull Annoying

bull Easy

bull Trivial

Goal Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCrsquos) and by sharing

Pyramid of Pain

Lawrence Livermore National Laboratory LLNL-PRES-663426

31 CS13-053

LLNL Has A Wake Up Call

June 2008

bull 150 Emails

mdash 2 Different messages

bull Emails had a links to an Adobe Flash 0-day

bull 22 People clicked 13 initially infected

mdash Within minutes they were on 5 enterprise servers

bull We received the phone call over a month laterhellip

bull 100rsquos of machines compromised

bull 3 Command amp Control channels

mdash FTPHTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

32 CS13-053

LLNL Wake Up Call Lessons Learned

We Needed To Get Serious (Digital 911)

bull Too many ingressegress points

bull Not enough logs

bull Needed way more security

Bought A Bunch of Technology

bull Separated Value From Snake Oil

Hired More People

bull Training Is Mandatory

mdash Keep guard up and anticipate the next punch

Lawrence Livermore National Laboratory LLNL-PRES-663426

33 CS13-053

If You Donrsquot Learn The First Timehellip

March 2010

bull 776 Emails

mdash 2 Different messages

bull Emails had links to Internet Explorer 67 0-day

bull 18 People clicked 3 Initially Infected

mdash Within an hour they were on 2 enterprise servers

bull Only 5 Machines

bull Fully contained within 5 hours

bull 4 Command amp Control channels

mdash HTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

34 CS13-053

Keep On Learning Lessons Security Must Be Baked In

bull Safety And Security Are Paramount bull No longer ldquoTrustrdquo the network bull Security presence is known

Maintain a wish list

Track known APT bull Only block when no other option

Collaborate and Communicate bull DOE Apt Focus Group Bay Area APT-SIG

bull The Attacks Keep Comingbut this story stops here

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 10: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

10 CS13-053

The computers bull Sequoia

mdash 98304 compute nodes

mdash 15M cores

mdash 16PB RAM

mdash 20 petaflops

mdash Top500 3

bull Vulcan mdash 24 576 compute nodes

mdash 393216 cores

mdash Top500 9

bull Catalyst

bull And more

About LLNL

Lawrence Livermore National Laboratory LLNL-PRES-663426

11 CS13-053

About LLNL

Assorted cool things

bull 152 RampD 100 awards since 1978

mdash Radiation detection explosives detection artificial retinas scalable debuggers high-precisions lasers etc

bull Co-discovered elements 113-118

mdash Livermorium (116)

bull Explosives detection

bull Pathogen detection

Lawrence Livermore National Laboratory LLNL-PRES-663426

12 CS13-053

About LLNL

Assorted cool things

Lawrence Livermore National Laboratory LLNL-PRES-663426

13 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

14 CS13-053

General view of the Internet

Lawrence Livermore National Laboratory LLNL-PRES-663426

15 CS13-053

My view of the Internet

Lawrence Livermore National Laboratory LLNL-PRES-663426

16 CS13-053

Cyber Security Staff

Cyber Security Program bull Network Security Team

mdash Security Operations Center (4 FTErsquos) ndash Front lines of defense (phonesemailalerts)

mdash Vulnerability Assessment Team (2 FTErsquos) ndash Scan for vulnerable systems

mdash Firewall Monitoring Team (2 FTErsquos) ndash Modify network tapsfirewallsaccess controls

mdash Incident Management Team (4 FTErsquos)

ndash Incident Response Intrusion DetectionPrevention Security Architecture Email Monitoring Forensics Penetration Tests Wireless Reverse Engineeringhellip

bull Finite Resourceshellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

17 CS13-053

Security Lingo

Definitions

bull Vulnerability ndash weakness in a computing system

bull Exploit ndash software that takes advantage of a

vulnerability

bull Phishing ndash sending an email to a user falsely

claiming to be somebody else in an attempt to scam

the user

bull Zero Day ndash a publically available exploit for which

there is no patch

Lawrence Livermore National Laboratory LLNL-PRES-663426

18 CS13-053

The World IS Shrinking

No longer have to physically travel the globe in order to attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

19 CS13-053

NKorea doubles cyber war personnel

httpnewsyahoocomn-korea-doubles-cyber-war-personnel-024102387html

Photo shows students using computers at the Grand Peoples Study House near

Kim Il-Sung Square in Pyongyang capital of North Korea (AFP Photo)

The Norths cyber

war unit now has

5900 personnel

compared with 3000

two years ago the

Souths Yonhap news

agency said

Lawrence Livermore National Laboratory LLNL-PRES-663426

20 CS13-053

ldquoMalware hidden in Chinese inventory

scanners targeted logistics shipping

firmsrdquo

httpwwwnetworkworldcomarticle2453101malware-hidden-in-chinese-inventory-

scanners-targeted-logistics-shipping-firmshtml

The supply chain attack dubbed ldquoZombie Zerordquo was

identified by security researchers from TrapX

The malware was designed to launch attacks using

the SMB (Server Message Block) protocol and the

Radmin remote control protocol when the infected

inventory scanner was connected to a companyrsquos

wireless network It then looked for ERP (enterprise

resource planning) servers with the word ldquofinancerdquo in

their names and used known exploits to compromise

them said Carl Wright executive vice president and

general manager of TrapX

Lawrence Livermore National Laboratory LLNL-PRES-663426

21 CS13-053

Attacked From Within

Lawrence Livermore National Laboratory LLNL-PRES-663426

22 CS13-053

Current State of Affairs Commercial Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

23 CS13-053

Current State of Affairs Government Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

24 CS13-053

Who is the Adversary

Script Kiddie (motivation vengeance) bull Hobbyists who dabble in mischief and chaos (ie Anonymous)

bull Attack method Distributed Denial of Service Defacement

bull Frequency Daily

bull Location Mostly Western Countries

Cyber Criminals (motivation $money$) bull Regular olrsquo criminals

bull Attack method Identity Theft Botnets Extortion

bull Frequency Daily

bull Mostly Eastern Bloc

Advanced Persistent Threat (motivation power)

bull Bad people from other countries paid to steal from the US

bull Frequency Monthly-gtWeekly-gtPeriodically

bull Mostly China

Lawrence Livermore National Laboratory LLNL-PRES-663426

25 CS13-053

The BIG Picture

Lawrence Livermore National Laboratory LLNL-PRES-663426

26 CS13-053

Anatomy Of A Targeted Attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

27 CS13-053

LLNL Cyber Security Lifecycle

Deter

Detect

Respond

Remediate

Lawrence Livermore National Laboratory LLNL-PRES-663426

28 CS13-053

Our Security Stack

28

External

Intense Monitoring

Full

Pac

ket

Cap

ture

DN

S P

rote

ctio

n

Net

wo

rk E

ven

t P

arsi

ng

SIEM

Fire

wal

l

Ap

plic

atio

n F

irew

all

Emai

l Blo

ckin

g

APT Detection

Forensics

AV

Log Forwarding

Remediate

Detect

Respond

Deter

Lawrence Livermore National Laboratory LLNL-PRES-663426

29 CS13-053

Technologies

Lawrence Livermore National Laboratory LLNL-PRES-663426

30 CS13-053

Countermeasures and Response

30

Tools

TTPs

Network and Host Indicators

Domain Names

IP Addresses

bull Tough

bull Challenging

bull Annoying

bull Easy

bull Trivial

Goal Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCrsquos) and by sharing

Pyramid of Pain

Lawrence Livermore National Laboratory LLNL-PRES-663426

31 CS13-053

LLNL Has A Wake Up Call

June 2008

bull 150 Emails

mdash 2 Different messages

bull Emails had a links to an Adobe Flash 0-day

bull 22 People clicked 13 initially infected

mdash Within minutes they were on 5 enterprise servers

bull We received the phone call over a month laterhellip

bull 100rsquos of machines compromised

bull 3 Command amp Control channels

mdash FTPHTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

32 CS13-053

LLNL Wake Up Call Lessons Learned

We Needed To Get Serious (Digital 911)

bull Too many ingressegress points

bull Not enough logs

bull Needed way more security

Bought A Bunch of Technology

bull Separated Value From Snake Oil

Hired More People

bull Training Is Mandatory

mdash Keep guard up and anticipate the next punch

Lawrence Livermore National Laboratory LLNL-PRES-663426

33 CS13-053

If You Donrsquot Learn The First Timehellip

March 2010

bull 776 Emails

mdash 2 Different messages

bull Emails had links to Internet Explorer 67 0-day

bull 18 People clicked 3 Initially Infected

mdash Within an hour they were on 2 enterprise servers

bull Only 5 Machines

bull Fully contained within 5 hours

bull 4 Command amp Control channels

mdash HTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

34 CS13-053

Keep On Learning Lessons Security Must Be Baked In

bull Safety And Security Are Paramount bull No longer ldquoTrustrdquo the network bull Security presence is known

Maintain a wish list

Track known APT bull Only block when no other option

Collaborate and Communicate bull DOE Apt Focus Group Bay Area APT-SIG

bull The Attacks Keep Comingbut this story stops here

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ


Second Wave

To: myrick3@llnl.gov
From: addmechpartsru
Subject: Payment_for_myrick3@llnl.gov
Date: Fri, 11 Jul 2014 15:44:04 -0500

Thank you for placing order with us today. Your order is now on process.

ORDER DETAILS
Purchase Number: D552845188
Order Date: 12:09 PM Wed, July 11, 2014
Customer Email: myrick3@llnl.gov
Order Total: 6889 USD
Download your invoice

Please hit the link provided above to have more info about this issue.

https://www.dropbox.com/s/i5dnimddh4d5xn5/Invoice_161.PDF.scr?dl=1
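The two lures above share one trick: an executable delivered as an "invoice", first with a bogus extension plus instructions to rename it to .SCR, then as a direct download named Invoice_161.PDF.scr. The Python below is an added example, not code from the presentation or from LLNL, of the mail-gateway triage check a defender would run on such messages: it flags executable and double extensions in attachment and linked filenames, the forced-download parameter on the link, and body text that asks the recipient to change an extension. The extension lists and the rename phrases are assumptions for this example; the two sample messages are built from the slide text above.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlparse

# Extensions Windows will execute on double-click (assumed policy list for this example).
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe", "hta"}
# Document-looking extensions; an executable hiding behind one is the classic lure.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Body phrases that tell the recipient to rename the attachment so Windows will run it
# (assumed phrase list; the first alternative is lifted from the first-wave message).
RENAME_PATTERN = re.compile(
    r"change (?:an |the )?extension|characters after dot|rename (?:the|this) file",
    re.IGNORECASE,
)


def classify_filename(name: str) -> list[str]:
    """Return the reasons a filename is suspicious; an empty list means none."""
    reasons: list[str] = []
    parts = name.lower().split(".")
    if len(parts) < 2:  # no extension at all
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
        # Double extension such as Invoice_161.PDF.scr: a document name masking an executable.
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            reasons.append(f"document extension .{parts[-2]} masking .{ext}")
    elif ext not in DOCUMENT_EXTS:
        reasons.append(f"unfamiliar extension .{ext}")
    return reasons


def triage_message(body: str, attachments: list[str], urls: list[str]) -> dict[str, list[str]]:
    """Collect findings for one message, keyed by where each was found."""
    findings: dict[str, list[str]] = {}
    for name in attachments:
        reasons = classify_filename(name)
        if reasons:
            findings[f"attachment:{name}"] = reasons
    for url in urls:
        parsed = urlparse(url)
        # The linked filename is the last path segment; dl=1 on a Dropbox link forces a download.
        reasons = classify_filename(parsed.path.rsplit("/", 1)[-1])
        if parse_qs(parsed.query).get("dl") == ["1"]:
            reasons.append("forced-download link parameter dl=1")
        if reasons:
            findings[f"url:{url}"] = reasons
    if RENAME_PATTERN.search(body):
        findings["body"] = ["instructs recipient to rename the attachment extension"]
    return findings


# The two messages from the slides, reduced to the fields the check needs.
FIRST_WAVE = {
    "body": "In case you cannot read the file, do the following: save it to your computer "
            "and manually change an extension SCR (characters after dot).",
    "attachments": ["Ivoice6886066.PFJ"],
    "urls": [],
}
SECOND_WAVE = {
    "body": "Please hit the link provided above to have more info about this issue.",
    "attachments": [],
    "urls": ["https://www.dropbox.com/s/i5dnimddh4d5xn5/Invoice_161.PDF.scr?dl=1"],
}


def triage_samples() -> dict[str, dict[str, list[str]]]:
    """Run the check over both sample messages."""
    return {"first": triage_message(**FIRST_WAVE), "second": triage_message(**SECOND_WAVE)}


if __name__ == "__main__":
    for wave, findings in triage_samples().items():
        print(wave, "->", findings if findings else "clean")
```

The first wave produces two weaker signals (an unknown .PFJ extension and a rename instruction in the body) that only add up together, which is why the check reports every reason rather than a single verdict; the second wave trips three at once on the link alone.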


What Is This?

Zbot/Zeus: http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99&tabid=2

Trojan.Zbot is created using a toolkit that is readily available on underground marketplaces used by online criminals. There are different versions available, from free ones (often back doored themselves) to those an attacker must pay up to $700 USD for in order to use. These marketplaces also offer other Zeus-related services, from bulletproof hosting for C&C servers to rental of already-established botnets.


What Does It Do?

Downloaded file: Invoice_[2-3 digits].PDF.scr [MD5: 255819e2f28ee210479928517f676b30]

It drops a downloader exe in C:\Users\[userid]\AppData\Roaming\ms[5 chars].exe [MD5: 525de1b3ae058ca5d601bd54fa99315a]

Company Name: Tpowersoft
File Description: IMS Image Manipullation Software
File Version: 1072
Internal Name: imm manip softw
Legal Copyright: Copyright (C) 2013 Tpowersoft
Original Filename: ims imagge
Product Name: IMS Image Manipullation Software

Beacon IPs:

http://78.129.153.9:8080/warezcloacla.php
http://78.129.153.11:8080/warezcloacla.php

IP Address     Country   Location                 Coordinates   ISP                       Org
78.129.153.9   GB        United Kingdom, Europe   51.5, -0.13   Iomart Hosting Limited    RapidSwitch Ltd
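Turning the indicators on this slide into something a responder can run: the Python below is an added example, not the presentation's or LLNL's code, that checks proxy log lines against the beacon host:port pairs and host file-inventory lines against the two MD5s and the ms[5 chars].exe drop path. The log and inventory formats, hostnames, client IPs, timestamps and the non-matching hashes are constructed for this example; only the IPs, the port, the two hashes and the path pattern come from the slide.

```python
from __future__ import annotations

import re

# Indicators from the slide above: beacon host:port pairs, the two MD5s, and the drop path.
BEACON_HOSTS = {"78.129.153.9:8080", "78.129.153.11:8080"}
KNOWN_MD5 = {
    "255819e2f28ee210479928517f676b30": "Invoice_NNN.PDF.scr downloaded file",
    "525de1b3ae058ca5d601bd54fa99315a": "ms[5 chars].exe downloader",
}
# C:\Users\<user>\AppData\Roaming\ms<5 chars>.exe; case-insensitive because NTFS paths are.
DROPPED_PATH = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\ms[a-z0-9]{5}\.exe$", re.IGNORECASE
)
URL_HOSTPORT = re.compile(r"^(https?)://([^/]+)")

# Constructed proxy log (assumed format: timestamp client_ip method url status).
SAMPLE_PROXY_LOG = """\
2014-07-11T16:02:11 10.1.4.22 GET http://78.129.153.9:8080/warezcloacla.php 200
2014-07-11T16:02:13 10.1.4.22 GET http://www.example.com/index.html 200
2014-07-11T16:07:45 10.1.7.9 POST http://78.129.153.11:8080/warezcloacla.php 200
2014-07-11T16:09:00 10.1.7.9 GET http://78.129.153.9/ 404
"""

# Constructed host file inventory (assumed format: hostname path md5); the hashes other
# than the two from the slide are made up.
SAMPLE_FILE_INVENTORY = r"""ws-0422 C:\Users\alice\AppData\Roaming\msqkzpw.exe 525de1b3ae058ca5d601bd54fa99315a
ws-0422 C:\Users\alice\Downloads\Invoice_161.PDF.scr 255819e2f28ee210479928517f676b30
ws-0709 C:\Users\bob\AppData\Roaming\mswordx.exe 0f343b0931126a20f133d67c2b018a3b
ws-0709 C:\Program Files\Vendor\update.exe 9e107d9d372bb6826bd81d3542a419d6
"""


def match_proxy_log(log_text: str) -> list[dict]:
    """Return one hit per request whose host:port is a known beacon."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        timestamp, client, _method, url = fields[:4]
        m = URL_HOSTPORT.match(url)
        if not m:
            continue
        scheme, hostport = m.groups()
        # Fill in the default port so http://78.129.153.9/ compares as :80, not as the :8080 beacon.
        if ":" not in hostport:
            hostport += ":443" if scheme == "https" else ":80"
        if hostport in BEACON_HOSTS:
            hits.append({"time": timestamp, "client": client, "beacon": hostport})
    return hits


def match_file_inventory(inventory_text: str) -> list[dict]:
    """Return one hit per file that matches a known hash or the drop-path pattern."""
    hits = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, rest = line.split(maxsplit=1)
        path, md5 = rest.rsplit(maxsplit=1)  # rsplit keeps spaces inside the path intact
        md5 = md5.lower()
        reasons = []
        if md5 in KNOWN_MD5:
            reasons.append(f"known hash: {KNOWN_MD5[md5]}")
        if DROPPED_PATH.match(path):
            reasons.append("matches dropped-file path pattern")
        if reasons:
            # A hash match is conclusive; a path-pattern match alone needs a look at the file.
            confidence = "high" if md5 in KNOWN_MD5 else "review"
            hits.append({"host": host, "path": path, "md5": md5,
                         "reasons": reasons, "confidence": confidence})
    return hits


if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_PROXY_LOG) + match_file_inventory(SAMPLE_FILE_INVENTORY):
        print(hit)
```

Two edge cases are deliberate: the request to 78.129.153.9 on port 80 is not reported, because the indicator is host and port, not the bare IP, and the ms-prefixed file under bob's Roaming folder is reported at "review" confidence only, because the path pattern by itself is far weaker than a hash match.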


New and Exciting Possibilities


LLNL Cyber Security: Warcopter

• Why not do our wardriving from the air?
• Lots of interesting legal/policy issues to navigate


LLNL Cyber Security Research

"Big data" problems
• Data fusion
• Machine learning

Network mapping
• NeMS


How Can I Learn More?

Host Forensics
File Forensics / Malware Analysis
Computer Network Defense
Computer Network Offense
Penetration Testing
Exploit Development
Command / Control


Thank You For Your Time and Attention

"America's economic prosperity in the 21st century will depend on cyber security" (President Barack Obama)

"It's not what happens to you, but how you react to it that matters" (Epictetus, Greek Philosopher)

Matthew Myrick, myrick3@llnl.gov, (925) 422-0361
John Donaldson, donaldson8@llnl.gov, (925) 423-8562
Jim Klopchic, klopchic1@llnl.gov, (925) 424-2769


38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 14: A Glimpse Into the World of Cyber Security at LLNL (sites.miis.edu/cyber/files/2015/06/LLNL-MIIS..., 2015-06-02)

Lawrence Livermore National Laboratory LLNL-PRES-663426

Slide 14: General view of the Internet

Slide 15: My view of the Internet

Slide 16: Cyber Security Staff

Cyber Security Program
• Network Security Team
  – Security Operations Center (4 FTEs): front line of defense (phones, email, alerts)
  – Vulnerability Assessment Team (2 FTEs): scans for vulnerable systems
  – Firewall Monitoring Team (2 FTEs): modifies network taps, firewalls and access controls
  – Incident Management Team (4 FTEs): incident response, intrusion detection/prevention, security architecture, email monitoring, forensics, penetration tests, wireless, reverse engineering...
• Finite resources...

Slide 17: Security Lingo

Definitions
• Vulnerability – a weakness in a computing system
• Exploit – software that takes advantage of a vulnerability
• Phishing – sending an email to a user while falsely claiming to be somebody else, in an attempt to scam the user
• Zero Day – an exploit for a vulnerability for which no patch exists yet (the vendor has had "zero days" to fix it); the exploit may be public or, as in the two LLNL incidents on the later slides, known only to the attacker

Slide 18: The World IS Shrinking

Attackers no longer have to physically travel the globe in order to attack.

Slide 19: N. Korea doubles cyber war personnel

http://news.yahoo.com/n-korea-doubles-cyber-war-personnel-024102387.html

Photo shows students using computers at the Grand People's Study House near Kim Il-Sung Square in Pyongyang, capital of North Korea (AFP Photo)

"The North's cyber war unit now has 5,900 personnel, compared with 3,000 two years ago, the South's Yonhap news agency said."

Slide 20: "Malware hidden in Chinese inventory scanners targeted logistics, shipping firms"

http://www.networkworld.com/article/2453101/malware-hidden-in-chinese-inventory-scanners-targeted-logistics-shipping-firms.html

"The supply chain attack, dubbed 'Zombie Zero', was identified by security researchers from TrapX. The malware was designed to launch attacks using the SMB (Server Message Block) protocol and the Radmin remote control protocol when the infected inventory scanner was connected to a company's wireless network. It then looked for ERP (enterprise resource planning) servers with the word 'finance' in their names and used known exploits to compromise them, said Carl Wright, executive vice president and general manager of TrapX."

Slide 21: Attacked From Within

Slide 22: Current State of Affairs: Commercial Sector

Slide 23: Current State of Affairs: Government Sector

Slide 24: Who is the Adversary?

Script Kiddie (motivation: vengeance)
• Hobbyists who dabble in mischief and chaos (e.g., Anonymous)
• Attack method: Distributed Denial of Service, defacement
• Frequency: daily
• Location: mostly Western countries

Cyber Criminals (motivation: $money$)
• Regular ol' criminals
• Attack method: identity theft, botnets, extortion
• Frequency: daily
• Location: mostly Eastern Bloc

Advanced Persistent Threat (motivation: power)
• Bad people from other countries paid to steal from the US
• Frequency: monthly -> weekly -> periodically
• Location: mostly China

Slide 25: The BIG Picture

Slide 26: Anatomy Of A Targeted Attack

Slide 27: LLNL Cyber Security Lifecycle

A cycle of four phases: Deter, Detect, Respond, Remediate.

Slide 28: Our Security Stack

(Diagram; only its labels were recovered.) External-facing controls under intense monitoring, arranged around the Deter / Detect / Respond / Remediate lifecycle:
• Full Packet Capture
• DNS Protection
• Network Event Parsing
• SIEM
• Firewall
• Application Firewall
• Email Blocking
• APT Detection
• Forensics
• AV
• Log Forwarding

Slide 29: Technologies

Slide 30: Countermeasures and Response: Pyramid of Pain

Indicator tier (top to bottom)    Cost to the adversary when defenders act on it
TTPs                              Tough
Tools                             Challenging
Network and Host Indicators       Annoying
Domain Names                      Easy
IP Addresses                      Trivial

(The slide shows the five tiers with these five labels. David Bianco's original Pyramid of Pain has a sixth tier, hash values, below IP addresses: a hash is the cheapest indicator for an attacker to change, an IP or domain is cheap, host and network artifacts cost some rework, swapping tools is expensive, and changing behaviour, the TTPs, is the hardest of all.)

Goal: make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCs) and by sharing them.

Slide 31: LLNL Has A Wake Up Call

June 2008
• 150 emails
  – 2 different messages
• Emails had links to an Adobe Flash 0-day
• 22 people clicked, 13 initially infected
  – Within minutes the attackers were on 5 enterprise servers
• We received the phone call over a month later...
• 100's of machines compromised
• 3 Command & Control channels
  – FTP / HTTP / HTTPS

Slide 32: LLNL Wake Up Call: Lessons Learned

We needed to get serious (digital 911)
• Too many ingress/egress points
• Not enough logs
• Needed way more security

Bought a bunch of technology
• Separated value from snake oil

Hired more people
• Training is mandatory
  – Keep guard up and anticipate the next punch

Slide 33: If You Don't Learn The First Time...

March 2010
• 776 emails
  – 2 different messages
• Emails had links to an Internet Explorer 6/7 0-day
• 18 people clicked, 3 initially infected
  – Within an hour the attackers were on 2 enterprise servers
• Only 5 machines
• Fully contained within 5 hours
• 4 Command & Control channels
  – HTTP / HTTPS

Slide 34: Keep On Learning Lessons: Security Must Be Baked In

• Safety and security are paramount
• No longer "trust" the network
• Security presence is known
• Maintain a wish list
• Track known APT
  – Only block when there is no other option
• Collaborate and communicate
  – DOE APT Focus Group, Bay Area APT-SIG
• The attacks keep coming... but this story stops here

Slide 35: Let's take a closer look...

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Slide 37: Second Wave

(Punctuation restored as on the previous slide; the sender address is reconstructed from the extracted "addmechpartsru".)

To: myrick3@llnl.gov
From: add@mechparts.ru
Subject: Payment_for_myrick3@llnl.gov
Date: Fri, 11 Jul 2014 15:44:04 -0500

Thank you for placing order with us today. Your order is now on process.

ORDER DETAILS
Purchase Number: D552845188
Order Date: 12:09 PM Wed July 11 2014
Customer Email: myrick3@llnl.gov
Order Total: 6889 USD
Download your invoice

Please hit the link provided above to have more info about this issue.

https://www.dropbox.com/s/i5dnimddh4d5xn5/Invoice_161.PDF.scr?dl=1

Two tells are visible in both lures. The "Order Date" claims a Wednesday, but July 7, 2014 was a Monday and July 11, 2014 a Friday, exactly as the messages' own Sent/Date headers say. And the payload is a screen-saver executable (.scr) with a decoy .PDF extension in front of it: with Windows' default "hide extensions for known file types" setting, Invoice_161.PDF.scr is displayed as Invoice_161.PDF. The first wave sidesteps attachment filtering by shipping an unknown .PFJ extension and asking the recipient to rename it to .SCR themselves.
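Triage for lures like these two, as an added example that is not LLNL's code or tooling: it parses a raw message with Python's standard library and flags the three tells discussed above (a decoy document extension in front of an executable one, an instruction to rename the attachment to .SCR, and an "Order Date" whose weekday disagrees with the calendar). The two sample messages are constructed to mirror the slides, with the sender addresses as restored above and condensed bodies; they are not the original messages.

```python
"""Triage checks for invoice-themed phishing lures (added example)."""
import email
import re
from datetime import datetime
from email import policy, utils

# Extensions Windows executes on double-click. With the default "hide
# extensions for known file types" setting, Invoice_161.PDF.scr shows as
# Invoice_161.PDF.
EXECUTABLE_EXT = {"scr", "exe", "com", "pif", "bat", "cmd", "js", "vbs"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ATTACH_RE = re.compile(r"Attached file:\s*(\S+)")
RENAME_RE = re.compile(r"change an extension\s+([A-Za-z0-9]+)", re.I)
# Matches "Order Date: 7:37 Wed Jul 07 2014" and "Order Date: 12:09 PM Wed July 11 2014"
ORDER_DATE_RE = re.compile(
    r"Order Date:\s*(?:\d{1,2}:\d{2}\s*(?:AM|PM)?\s*)?"
    r"(Mon|Tue|Wed|Thu|Fri|Sat|Sun)\w*\s+([A-Za-z]+)\s+(\d{1,2}),?\s+(\d{4})", re.I)


def basename(name):
    """'.../Invoice_161.PDF.scr?dl=1' -> 'Invoice_161.PDF.scr' (drops query and directories)."""
    return name.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]


def hidden_executable(name):
    """True for names like Invoice_161.PDF.scr: a decoy document extension
    immediately followed by an executable one."""
    parts = basename(name).lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXT and parts[-2] in DECOY_EXT


def weekday_mismatch(body):
    """(claimed, actual) when the lure's Order Date names a weekday the
    calendar disagrees with, else None."""
    m = ORDER_DATE_RE.search(body)
    if not m:
        return None
    claimed, month, day, year = m.groups()
    for fmt in ("%b %d %Y", "%B %d %Y"):      # "Jul" and "July" both occur
        try:
            actual = datetime.strptime(f"{month} {day} {year}", fmt).strftime("%a")
            break
        except ValueError:
            continue
    else:
        return None
    return None if actual.lower() == claimed.lower() else (claimed.title(), actual)


def triage(raw_message):
    """Extract the lure's indicators and list the tells found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    sender = utils.parseaddr(str(msg.get("From", "")))[1]
    urls = URL_RE.findall(body)
    attachments = ATTACH_RE.findall(body)
    findings = []
    for name in urls + attachments:
        if hidden_executable(name):
            findings.append(f"double extension hides executable: {basename(name)}")
    m = RENAME_RE.search(body)
    if m and m.group(1).lower() in EXECUTABLE_EXT:
        findings.append(f"asks recipient to rename attachment to .{m.group(1).upper()}")
    wd = weekday_mismatch(body)
    if wd:
        findings.append(f"order date weekday {wd[0]} does not match calendar ({wd[1]})")
    return {"sender_domain": sender.rpartition("@")[2].lower(),
            "urls": urls, "attachments": attachments, "findings": findings}


# Constructed samples mirroring the two lures on the slides (not the originals).
WAVE_ONE = """\
From: sharon@hoofbeats.org.uk
To: "Myrick, Matt" <myrick3@llnl.gov>
Subject: Payment for myrick3@llnl.gov
Date: Mon, 07 Jul 2014 07:38:00 -0700
Content-Type: text/plain; charset="us-ascii"

Thanks for shopping with our company now. Your order is on process.
Purchase Number: Z643213424
Order Date: 7:37 Wed Jul 07 2014
Customer Email: myrick3@llnl.gov
IMPORTANT: In case you cannot read the file, save it to your computer and
manually change an extension SCR (characters after dot). See the sample
name: Ivoice7765116.SCR
Attached file: Ivoice6886066.PFJ
"""

WAVE_TWO = """\
From: add@mechparts.ru
To: myrick3@llnl.gov
Subject: Payment_for_myrick3@llnl.gov
Date: Fri, 11 Jul 2014 15:44:04 -0500
Content-Type: text/plain; charset="us-ascii"

Thank you for placing order with us today. Your order is now on process.
Purchase Number: D552845188
Order Date: 12:09 PM Wed July 11 2014
Customer Email: myrick3@llnl.gov
Download your invoice:
https://www.dropbox.com/s/i5dnimddh4d5xn5/Invoice_161.PDF.scr?dl=1
"""

if __name__ == "__main__":
    for raw in (WAVE_ONE, WAVE_TWO):
        print(triage(raw))
```

The weekday check is the cheapest of the three and catches the page's lures on its own, since both name a "Wed" that never existed; the extension checks are what make the result actionable, because they name the file to block at the mail gateway and the web proxy.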

Slide 38: What Is This?

Zbot/Zeus: http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99&tabid=2

"Trojan.Zbot is created using a toolkit that is readily available on underground marketplaces used by online criminals. There are different versions available, from free ones (often back doored themselves) to those an attacker must pay up to $700 USD for in order to use. These marketplaces also offer other Zeus-related services, from bulletproof hosting for C&C servers to rental of already-established botnets."

Slide 39: What Does It Do?

Downloaded file: Invoice_[2-3 digits].PDF.scr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader .exe in C:\Users\[userid]\AppData\Roaming\ms[5 chars].exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Version information of the dropped file (the misspellings are the malware's own):
  Company Name:      Tpowersoft
  File Description:  IMS Image Manipullation Software
  File Version:      1072 (dots lost in extraction)
  Internal Name:     imm manip softw
  Legal Copyright:   Copyright (C) 2013 Tpowersoft
  Original Filename: ims imagge
  Product Name:      IMS Image Manipullation Software

Beacon URLs (command and control by bare IP on port 8080; the separators were lost in extraction and the path's punctuation is reconstructed):
  http://78.129.153.9:8080/warez/cloacla.php
  http://78.129.153.11:8080/warez/cloacla.php

IP Address     Country             Location   Coordinates   ISP                       Org
78.129.153.9   GB, United Kingdom  Europe     51.5, -0.13   Iomart Hosting Limited    RapidSwitch Ltd
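The indicators on this slide and the Pyramid of Pain on slide 30 together, as an added example that is not LLNL's tooling: each observation from a host is matched against indicators tier by tier, and the report names the highest tier reached, so an analyst can see whether a detection rests on something the attacker changes for free (a hash or an IP) or on behaviour. The MD5s, C2 IPs, dropper path shape and lure filename are the slide's; the beacon path (reconstructed above), the "Tpowersoft" CompanyName used as a tool marker, and the behavioural TTP rule are this example's own assumptions, and the events are constructed to resemble endpoint and proxy telemetry. The third host shows why the top of the pyramid matters: every lower-tier indicator has been rotated, and only the TTP rule still fires.

```python
"""Rank detections of the slide-39 Zbot sample by Pyramid-of-Pain tier (added example)."""
import re
from dataclasses import dataclass

# Ascending adversary cost. The slide labels its five tiers Trivial..Tough;
# hash values are the extra bottom tier of David Bianco's original pyramid.
TIERS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]
PAIN = {"hash": "Trivial", "ip": "Trivial", "domain": "Easy",
        "artifact": "Annoying", "tool": "Challenging", "ttp": "Tough"}

HASHES = {  # from slide 39
    "255819e2f28ee210479928517f676b30": "Invoice_[2-3 digits].PDF.scr lure",
    "525de1b3ae058ca5d601bd54fa99315a": "dropped downloader .exe",
}
C2_IPS = {"78.129.153.9", "78.129.153.11"}    # from slide 39
C2_DOMAINS = set()    # this sample beacons to bare IPs; the slide has no domain IOC
ARTIFACTS = [         # network/host artifacts are patterns, not exact values
    ("lure filename", re.compile(r"Invoice_\d{2,3}\.PDF\.scr$", re.I)),
    ("dropper path", re.compile(r"\\AppData\\Roaming\\ms[a-z0-9]{5}\.exe$", re.I)),
    ("beacon URL path", re.compile(r"^/warez/cloacla\.php$", re.I)),   # path reconstructed
]
TOOL_MARKERS = {"tpowersoft"}   # fake CompanyName stamped by this build (assumed marker)
BARE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Event:
    kind: str             # "process", "file_write" or "net"
    host: str
    pid: int = 0
    image: str = ""       # process image path (process events)
    path: str = ""        # file written (file_write events)
    md5: str = ""
    pe_company: str = ""  # PE version-info CompanyName, if the sensor reports it
    dst: str = ""         # destination IP or name (net events)
    port: int = 0
    url_path: str = ""


def match_event(ev):
    """Atomic indicators: hash, IP, domain, artifact pattern, tool marker."""
    hits = []
    if ev.md5.lower() in HASHES:
        hits.append(("hash", f"md5 {ev.md5} = {HASHES[ev.md5.lower()]}"))
    if ev.dst in C2_IPS:
        hits.append(("ip", f"connection to known C2 {ev.dst}:{ev.port}"))
    if ev.dst.lower() in C2_DOMAINS:
        hits.append(("domain", f"connection to known C2 domain {ev.dst}"))
    for name, rx in ARTIFACTS:
        for value in (ev.image, ev.path, ev.url_path):
            if value and rx.search(value):
                hits.append(("artifact", f"{name}: {value}"))
    if ev.pe_company.lower() in TOOL_MARKERS:
        hits.append(("tool", f"PE CompanyName '{ev.pe_company}' on {ev.path or ev.image}"))
    return hits


def match_ttp(events):
    """Behavioural rule, deliberately free of hashes, IPs and fixed names:
    a .scr launched from a download/temp location writes an .exe under
    AppData, and the host then talks to a bare IP on a non-web port."""
    hits = []
    for host in sorted({e.host for e in events}):
        evs = [e for e in events if e.host == host]
        scr_pids = {e.pid for e in evs if e.kind == "process"
                    and e.image.lower().endswith(".scr")
                    and re.search(r"\\(downloads|temp)\\", e.image, re.I)}
        dropped = any(e.kind == "file_write" and e.pid in scr_pids
                      and re.search(r"\\appdata\\.*\.exe$", e.path, re.I) for e in evs)
        beacon = any(e.kind == "net" and BARE_IP.match(e.dst)
                     and e.port not in (80, 443) for e in evs)
        if scr_pids and dropped and beacon:
            hits.append((host, "ttp", "screensaver from a download location dropped an "
                         ".exe under AppData, then the host beaconed to a bare IP on a non-web port"))
    return hits


def assess(events):
    """Per host: every hit and the highest pyramid tier reached."""
    report = {}
    for ev in events:
        entry = report.setdefault(ev.host, {"hits": [], "highest": None, "pain": None})
        entry["hits"].extend(match_event(ev))
    for host, tier, detail in match_ttp(events):
        report[host]["hits"].append((tier, detail))
    for entry in report.values():
        if entry["hits"]:
            top = max(entry["hits"], key=lambda h: TIERS.index(h[0]))[0]
            entry["highest"], entry["pain"] = top, PAIN[top]
    return report


# Constructed telemetry (not real logs). ws-101 runs the slide-39 sample as
# shipped; ws-202 is benign; ws-303 runs a retooled variant with a new hash,
# new IP and new names but the same behaviour.
EVENTS = [
    Event("process", "ws-101", pid=4100, md5="255819e2f28ee210479928517f676b30",
          image=r"C:\Users\matt\Downloads\Invoice_161.PDF.scr"),
    Event("file_write", "ws-101", pid=4100, md5="525de1b3ae058ca5d601bd54fa99315a",
          path=r"C:\Users\matt\AppData\Roaming\msxk7tq.exe", pe_company="Tpowersoft"),
    Event("net", "ws-101", pid=4101, dst="78.129.153.9", port=8080, url_path="/warez/cloacla.php"),
    Event("process", "ws-202", pid=880, image=r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    Event("net", "ws-202", pid=880, dst="www.dropbox.com", port=443, url_path="/home"),
    Event("process", "ws-303", pid=2210, md5="0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f",
          image=r"C:\Users\jo\AppData\Local\Temp\Order_77.PDF.scr"),
    Event("file_write", "ws-303", pid=2210, md5="1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e",
          path=r"C:\Users\jo\AppData\Roaming\ab\cd.exe", pe_company="Acme Imaging"),
    Event("net", "ws-303", pid=2211, dst="203.0.113.7", port=8080, url_path="/img/upload.php"),
]

if __name__ == "__main__":
    for host, entry in assess(EVENTS).items():
        print(host, entry["highest"], entry["pain"], len(entry["hits"]))
```

Sharing is part of the slide's goal, and the tiers say what to share: the hashes and IPs are worth pushing to peers today because they will be stale tomorrow, while the dropper path shape and the behavioural rule keep paying off after the operator rebuilds.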

Slide 40: New and Exciting Possibilities

Slide 41: LLNL Cyber Security: Warcopter

• Why not do our wardriving from the air?
• Lots of interesting legal/policy issues to navigate

Slide 42: (no text extracted)

Slide 43: LLNL Cyber Security Research

"Big data" problems
• Data fusion
• Machine learning
• Network mapping
  – NeMS

Slide 44: How Can I Learn More?

• Host Forensics
• File Forensics / Malware Analysis
• Computer Network Defense
• Computer Network Offense
• Penetration Testing
• Exploit Development
• Command/Control

Slide 45: Thank You For Your Time and Attention

"America's economic prosperity in the 21st century will depend on cyber security." (President Barack Obama)

"It's not what happens to you, but how you react to it that matters." (Epictetus, Greek philosopher)

Matthew Myrick, myrick3@llnl.gov, (925) 422-0361
John Donaldson, donaldson8@llnl.gov, (925) 423-8562
Jim Klopchic, klopchic1@llnl.gov, (925) 424-2769

Page 15: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

15 CS13-053

My view of the Internet

Lawrence Livermore National Laboratory LLNL-PRES-663426

16 CS13-053

Cyber Security Staff

Cyber Security Program bull Network Security Team

mdash Security Operations Center (4 FTErsquos) ndash Front lines of defense (phonesemailalerts)

mdash Vulnerability Assessment Team (2 FTErsquos) ndash Scan for vulnerable systems

mdash Firewall Monitoring Team (2 FTErsquos) ndash Modify network tapsfirewallsaccess controls

mdash Incident Management Team (4 FTErsquos)

ndash Incident Response Intrusion DetectionPrevention Security Architecture Email Monitoring Forensics Penetration Tests Wireless Reverse Engineeringhellip

bull Finite Resourceshellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

17 CS13-053

Security Lingo

Definitions

bull Vulnerability ndash weakness in a computing system

bull Exploit ndash software that takes advantage of a

vulnerability

bull Phishing ndash sending an email to a user falsely

claiming to be somebody else in an attempt to scam

the user

bull Zero Day ndash a publically available exploit for which

there is no patch

Lawrence Livermore National Laboratory LLNL-PRES-663426

18 CS13-053

The World IS Shrinking

No longer have to physically travel the globe in order to attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

19 CS13-053

NKorea doubles cyber war personnel

httpnewsyahoocomn-korea-doubles-cyber-war-personnel-024102387html

Photo shows students using computers at the Grand Peoples Study House near

Kim Il-Sung Square in Pyongyang capital of North Korea (AFP Photo)

The Norths cyber

war unit now has

5900 personnel

compared with 3000

two years ago the

Souths Yonhap news

agency said

Lawrence Livermore National Laboratory LLNL-PRES-663426

20 CS13-053

ldquoMalware hidden in Chinese inventory

scanners targeted logistics shipping

firmsrdquo

httpwwwnetworkworldcomarticle2453101malware-hidden-in-chinese-inventory-

scanners-targeted-logistics-shipping-firmshtml

The supply chain attack dubbed ldquoZombie Zerordquo was

identified by security researchers from TrapX

The malware was designed to launch attacks using

the SMB (Server Message Block) protocol and the

Radmin remote control protocol when the infected

inventory scanner was connected to a companyrsquos

wireless network It then looked for ERP (enterprise

resource planning) servers with the word ldquofinancerdquo in

their names and used known exploits to compromise

them said Carl Wright executive vice president and

general manager of TrapX

Lawrence Livermore National Laboratory LLNL-PRES-663426

21 CS13-053

Attacked From Within

Lawrence Livermore National Laboratory LLNL-PRES-663426

22 CS13-053

Current State of Affairs Commercial Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

23 CS13-053

Current State of Affairs Government Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

24 CS13-053

Who is the Adversary

Script Kiddie (motivation vengeance) bull Hobbyists who dabble in mischief and chaos (ie Anonymous)

bull Attack method Distributed Denial of Service Defacement

bull Frequency Daily

bull Location Mostly Western Countries

Cyber Criminals (motivation $money$) bull Regular olrsquo criminals

bull Attack method Identity Theft Botnets Extortion

bull Frequency Daily

bull Mostly Eastern Bloc

Advanced Persistent Threat (motivation power)

bull Bad people from other countries paid to steal from the US

bull Frequency Monthly-gtWeekly-gtPeriodically

bull Mostly China

Lawrence Livermore National Laboratory LLNL-PRES-663426

25 CS13-053

The BIG Picture

Lawrence Livermore National Laboratory LLNL-PRES-663426

26 CS13-053

Anatomy Of A Targeted Attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

27 CS13-053

LLNL Cyber Security Lifecycle

Deter

Detect

Respond

Remediate

Lawrence Livermore National Laboratory LLNL-PRES-663426

28 CS13-053

Our Security Stack

28

External

Intense Monitoring

Full

Pac

ket

Cap

ture

DN

S P

rote

ctio

n

Net

wo

rk E

ven

t P

arsi

ng

SIEM

Fire

wal

l

Ap

plic

atio

n F

irew

all

Emai

l Blo

ckin

g

APT Detection

Forensics

AV

Log Forwarding

Remediate

Detect

Respond

Deter

Lawrence Livermore National Laboratory LLNL-PRES-663426

29 CS13-053

Technologies

Lawrence Livermore National Laboratory LLNL-PRES-663426

30 CS13-053

Countermeasures and Response

30

Tools

TTPs

Network and Host Indicators

Domain Names

IP Addresses

bull Tough

bull Challenging

bull Annoying

bull Easy

bull Trivial

Goal Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCrsquos) and by sharing

Pyramid of Pain

Lawrence Livermore National Laboratory LLNL-PRES-663426

31 CS13-053

LLNL Has A Wake Up Call

June 2008

bull 150 Emails

mdash 2 Different messages

bull Emails had a links to an Adobe Flash 0-day

bull 22 People clicked 13 initially infected

mdash Within minutes they were on 5 enterprise servers

bull We received the phone call over a month laterhellip

bull 100rsquos of machines compromised

bull 3 Command amp Control channels

mdash FTPHTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

32 CS13-053

LLNL Wake Up Call Lessons Learned

We Needed To Get Serious (Digital 911)

bull Too many ingressegress points

bull Not enough logs

bull Needed way more security

Bought A Bunch of Technology

bull Separated Value From Snake Oil

Hired More People

bull Training Is Mandatory

mdash Keep guard up and anticipate the next punch

Lawrence Livermore National Laboratory LLNL-PRES-663426

33 CS13-053

If You Donrsquot Learn The First Timehellip

March 2010

bull 776 Emails

mdash 2 Different messages

bull Emails had links to Internet Explorer 67 0-day

bull 18 People clicked 3 Initially Infected

mdash Within an hour they were on 2 enterprise servers

bull Only 5 Machines

bull Fully contained within 5 hours

bull 4 Command amp Control channels

mdash HTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

34 CS13-053

Keep On Learning Lessons Security Must Be Baked In

bull Safety And Security Are Paramount bull No longer ldquoTrustrdquo the network bull Security presence is known

Maintain a wish list

Track known APT bull Only block when no other option

Collaborate and Communicate bull DOE Apt Focus Group Bay Area APT-SIG

bull The Attacks Keep Comingbut this story stops here

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 16: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

16 CS13-053

Cyber Security Staff

Cyber Security Program bull Network Security Team

mdash Security Operations Center (4 FTErsquos) ndash Front lines of defense (phonesemailalerts)

mdash Vulnerability Assessment Team (2 FTErsquos) ndash Scan for vulnerable systems

mdash Firewall Monitoring Team (2 FTErsquos) ndash Modify network tapsfirewallsaccess controls

mdash Incident Management Team (4 FTErsquos)

ndash Incident Response Intrusion DetectionPrevention Security Architecture Email Monitoring Forensics Penetration Tests Wireless Reverse Engineeringhellip

bull Finite Resourceshellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

17 CS13-053

Security Lingo

Definitions

bull Vulnerability ndash weakness in a computing system

bull Exploit ndash software that takes advantage of a

vulnerability

bull Phishing ndash sending an email to a user falsely

claiming to be somebody else in an attempt to scam

the user

bull Zero Day ndash a publically available exploit for which

there is no patch

Lawrence Livermore National Laboratory LLNL-PRES-663426

18 CS13-053

The World IS Shrinking

No longer have to physically travel the globe in order to attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

19 CS13-053

NKorea doubles cyber war personnel

httpnewsyahoocomn-korea-doubles-cyber-war-personnel-024102387html

Photo shows students using computers at the Grand Peoples Study House near

Kim Il-Sung Square in Pyongyang capital of North Korea (AFP Photo)

The Norths cyber

war unit now has

5900 personnel

compared with 3000

two years ago the

Souths Yonhap news

agency said

Lawrence Livermore National Laboratory LLNL-PRES-663426

20 CS13-053

ldquoMalware hidden in Chinese inventory

scanners targeted logistics shipping

firmsrdquo

httpwwwnetworkworldcomarticle2453101malware-hidden-in-chinese-inventory-

scanners-targeted-logistics-shipping-firmshtml

The supply chain attack dubbed ldquoZombie Zerordquo was

identified by security researchers from TrapX

The malware was designed to launch attacks using

the SMB (Server Message Block) protocol and the

Radmin remote control protocol when the infected

inventory scanner was connected to a companyrsquos

wireless network It then looked for ERP (enterprise

resource planning) servers with the word ldquofinancerdquo in

their names and used known exploits to compromise

them said Carl Wright executive vice president and

general manager of TrapX

Lawrence Livermore National Laboratory LLNL-PRES-663426

21 CS13-053

Attacked From Within

Lawrence Livermore National Laboratory LLNL-PRES-663426

22 CS13-053

Current State of Affairs Commercial Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

23 CS13-053

Current State of Affairs Government Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

24 CS13-053

Who is the Adversary

Script Kiddie (motivation vengeance) bull Hobbyists who dabble in mischief and chaos (ie Anonymous)

bull Attack method Distributed Denial of Service Defacement

bull Frequency Daily

bull Location Mostly Western Countries

Cyber Criminals (motivation $money$) bull Regular olrsquo criminals

bull Attack method Identity Theft Botnets Extortion

bull Frequency Daily

bull Mostly Eastern Bloc

Advanced Persistent Threat (motivation power)

bull Bad people from other countries paid to steal from the US

bull Frequency Monthly-gtWeekly-gtPeriodically

bull Mostly China

Lawrence Livermore National Laboratory LLNL-PRES-663426

25 CS13-053

The BIG Picture

Slide 26: Anatomy Of A Targeted Attack

Slide 27: LLNL Cyber Security Lifecycle

Deter, Detect, Respond, Remediate

Slide 28: Our Security Stack

External; Intense Monitoring. Components of the stack, laid over the lifecycle (Deter, Detect, Respond, Remediate):

• Full Packet Capture
• DNS Protection
• Network Event Parsing
• SIEM
• Firewall
• Application Firewall
• Email Blocking
• APT Detection
• Forensics
• AV
• Log Forwarding

Slide 29: Technologies

Slide 30: Countermeasures and Response: Pyramid of Pain

Indicator types: Tools, TTPs, Network and Host Indicators, Domain Names, IP Addresses
Pain levels: Tough, Challenging, Annoying, Easy, Trivial

Goal: Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOC's) and by sharing.

Slide 31: LLNL Has A Wake Up Call

June 2008
• 150 Emails
  - 2 different messages
• Emails had links to an Adobe Flash 0-day
• 22 people clicked, 13 initially infected
  - Within minutes they were on 5 enterprise servers
• We received the phone call over a month later…
• 100's of machines compromised
• 3 Command & Control channels
  - FTP/HTTP/HTTPS

Slide 32: LLNL Wake Up Call: Lessons Learned

We Needed To Get Serious (Digital 911)
• Too many ingress/egress points
• Not enough logs
• Needed way more security

Bought A Bunch of Technology
• Separated Value From Snake Oil

Hired More People
• Training Is Mandatory
  - Keep guard up and anticipate the next punch

Slide 33: If You Don't Learn The First Time…

March 2010
• 776 Emails
  - 2 different messages
• Emails had links to an Internet Explorer 6/7 0-day
• 18 people clicked, 3 initially infected
  - Within an hour they were on 2 enterprise servers
• Only 5 machines
• Fully contained within 5 hours
• 4 Command & Control channels
  - HTTP/HTTPS

Slide 34: Keep On Learning Lessons: Security Must Be Baked In

• Safety And Security Are Paramount
• No longer "Trust" the network
• Security presence is known
• Maintain a wish list
• Track known APT
  - Only block when no other option
• Collaborate and Communicate
  - DOE APT Focus Group, Bay Area APT-SIG
• The Attacks Keep Coming… but this story stops here

Slide 35: Let's take a closer look…

Slide 36: First Wave of Recent Attack

From: sharon@hoofbeats.org.uk
Sent: Monday, July 07, 2014 7:38 AM
To: Myrick, Matt
Subject: Payment for myrick3@llnl.gov

Thanks for shopping with our company now! Your order is on process at present. You will receive more info in the next message.

BILLING DETAILS
Purchase Number: Z643213424
Order Date: 7:37 Wed, Jul 07 2014
Customer Email: myrick3@llnl.gov
Outright Purchase: 3742 USD

Please see the invoice enclosed with this email to get more info about your order.

IMPORTANT: In case you cannot read the file, do the following: save it to your computer and manually change an extension to .SCR (characters after dot). See the sample name: Ivoice7765116.SCR. Then try again to open this.

Attached file: Ivoice6886066.PFJ

Slide 37: Second Wave

To: myrick3@llnl.gov
From: add@mechparts.ru
Subject: Payment_for_myrick3@llnl.gov
Date: Fri, 11 Jul 2014 15:44:04 -0500

Thank you for placing order with us today. Your order is now on process.

ORDER DETAILS
Purchase Number: D552845188
Order Date: 12:09 PM Wed, July 11 2014
Customer Email: myrick3@llnl.gov
Order Total: 6889 USD
Download your invoice

Please hit the link provided above to have more info about this issue.

https://www.dropbox.com/s/i5dnimddh4d5xn5/Invoice_161.PDF.scr?dl=1
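The two lure messages above share a handful of machine-checkable tells: an "invoice" attachment whose extension is not a document type, instructions to rename it to .SCR, a file-sharing link to a double-extension filename with a forced download, and a "payment" subject built around the recipient's own address. The triage below is an added example written for this page, not LLNL code; the Message objects are constructed from the slide text with punctuation restored, and the extension lists, sharing-host list and scoring thresholds are assumptions.

```python
"""Heuristic triage for the invoice-lure phishing pattern on slides 36 and 37.

Added example, not LLNL code. The Message objects at the bottom are constructed
from the slide text (punctuation restored) plus one benign control message.
"""
import re
from dataclasses import dataclass, field

# Extensions Windows executes but which invoice lures pass off as documents
# (.scr, a "screensaver", is an ordinary PE executable). Assumed list.
EXECUTABLE_EXTS = {"scr", "exe", "pif", "bat", "cmd", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
# File-sharing host the second wave used for delivery; extend from your own telemetry.
FILE_SHARE_HOSTS = {"dropbox.com", "www.dropbox.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# "change an extension", "rename the file extension", ... within one sentence
RENAME_RE = re.compile(r"\b(change|rename)\b[^.\n]{0,40}\bextension\b", re.I)
EXEC_WORD_RE = re.compile(r"\b(" + "|".join(EXECUTABLE_EXTS) + r")\b", re.I)
# Invoice_161.PDF.scr: a document extension immediately followed by an executable one
DOUBLE_EXT_RE = re.compile(
    r"\.(" + "|".join(DOCUMENT_EXTS) + r")\.(" + "|".join(EXECUTABLE_EXTS) + r")$", re.I)
LURE_NAME_RE = re.compile(r"in?voice|order|payment|receipt", re.I)


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def triage(msg: Message) -> list:
    """Return the lure indicators found in one message (empty list: nothing seen)."""
    hits = []
    # 1. Body coaches the recipient into renaming the file so Windows will run it.
    if RENAME_RE.search(msg.body) and EXEC_WORD_RE.search(msg.body):
        hits.append("rename-to-executable")
    # 2. "Invoice" attachment whose real extension is not a document type.
    for name in msg.attachments:
        if LURE_NAME_RE.search(name) and _extension(name) not in DOCUMENT_EXTS:
            hits.append("non-document-invoice-attachment")
    # 3. Links: double extension and/or forced download (dl=1) from a sharing host.
    for url in URL_RE.findall(msg.body):
        host = url.split("/", 3)[2].split(":")[0].lower()
        path = url.split("?", 1)[0]
        if DOUBLE_EXT_RE.search(path):
            hits.append("double-extension-link")
        if host in FILE_SHARE_HOSTS and "dl=1" in url:
            hits.append("file-share-forced-download")
    # 4. "Your" order, but the customer is the recipient's own address and the
    #    sender's domain has nothing to do with it.
    if msg.recipient.lower() in msg.subject.lower() and _domain(msg.sender) != _domain(msg.recipient):
        hits.append("self-addressed-payment-lure")
    return hits


def verdict(msg: Message) -> str:
    """Assumed policy: two or more tells is enough to quarantine."""
    n = len(triage(msg))
    return "quarantine" if n >= 2 else ("flag" if n == 1 else "deliver")


# Constructed from the slide text; not the original raw messages.
WAVE_ONE = Message(
    sender="sharon@hoofbeats.org.uk", recipient="myrick3@llnl.gov",
    subject="Payment for myrick3@llnl.gov",
    body=("Thanks for shopping with our company now! Your order is on process at present.\n"
          "Please see the invoice enclosed with this email to get more info about your order.\n"
          "IMPORTANT: In case you cannot read the file, do the following: save it to your\n"
          "computer and manually change an extension to .SCR (characters after dot).\n"
          "See the sample name: Ivoice7765116.SCR. Then try again to open this."),
    attachments=["Ivoice6886066.PFJ"])

WAVE_TWO = Message(
    sender="add@mechparts.ru", recipient="myrick3@llnl.gov",
    subject="Payment_for_myrick3@llnl.gov",
    body=("Thank you for placing order with us today. Your order is now on process.\n"
          "ORDER DETAILS: Purchase Number: D552845188\n"
          "Order Total: 6889 USD. Download your invoice:\n"
          "https://www.dropbox.com/s/i5dnimddh4d5xn5/Invoice_161.PDF.scr?dl=1\n"
          "Please hit the link provided above to have more info about this issue."))

# Benign control: a real invoice from a vendor (constructed).
BENIGN = Message(
    sender="billing@vendor.example", recipient="myrick3@llnl.gov",
    subject="Invoice 2014-07 for your subscription",
    body="Hi Matt, the PDF invoice for July is attached. Let us know if anything looks wrong.",
    attachments=["invoice-2014-07.pdf"])
```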

Slide 38: What Is This?

Zbot/Zeus: http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99&tabid=2

"Trojan.Zbot is created using a toolkit that is readily available on underground marketplaces used by online criminals. There are different versions available, from free ones (often back doored themselves) to those an attacker must pay up to $700 USD for in order to use. These marketplaces also offer other Zeus-related services, from bulletproof hosting for C&C servers to rental of already-established botnets."

Slide 39: What Does It Do?

Downloaded file: Invoice_[2-3 digits].PDF.scr [MD5: 255819e2f28ee210479928517f676b30]

It drops a downloader exe in C:\Users\[userid]\AppData\Roaming\ms[5 chars].exe [MD5: 525de1b3ae058ca5d601bd54fa99315a]

Version information on the dropped file:
Company Name: Tpowersoft
File Description: IMS Image Manipullation Software
File Version: 1072
Internal Name: imm manip softw
Legal Copyright: Copyright (C) 2013 Tpowersoft
Original Filename: ims imagge
Product Name: IMS Image Manipullation Software

Beacon IPs:
http://78.129.153.9:8080/warez/cloacla.php
http://78.129.153.11:8080/warez/cloacla.php

IP Address: 78.129.153.9
Country: GB (United Kingdom)
Location: Europe
Coordinates: 51.5, -0.13
ISP: Iomart Hosting Limited
Org: RapidSwitch Ltd
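Slide 30's pyramid and slide 39's indicators together make the point: a hash or an IP address is trivial for the adversary to change, while the drop-path pattern and the beacon URI cost more to abandon, so a matcher should report the most expensive tier it hits rather than stopping at the first hash match. The code below is an added example, not LLNL tooling; the IOC values are the ones on slide 39, while the proxy-log layout, the file-event tuples and the 198.51.100.0/24 addresses are constructed.

```python
"""Match host and proxy telemetry against the slide-39 indicators, ranked by
Pyramid-of-Pain tier (slide 30). Added example, not LLNL code; the telemetry
layout and the sample events below are constructed.
"""
import re

# Rank = cost to the adversary of changing the indicator, rising up the pyramid.
# Hash values are not on the slide's list; in Bianco's original pyramid they sit
# below IP addresses, so they get the lowest rank here.
RANK = {"hash": 0, "ip": 1, "domain": 2, "artifact": 3, "tool": 4, "ttp": 5}

# Indicators as given on slide 39.
KNOWN_MD5 = {"255819e2f28ee210479928517f676b30", "525de1b3ae058ca5d601bd54fa99315a"}
KNOWN_IPS = {"78.129.153.9", "78.129.153.11"}
# Host artifact: downloader dropped as C:\Users\<userid>\AppData\Roaming\ms<5 chars>.exe
DROP_PATH_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\ms[A-Za-z0-9]{5}\.exe$", re.I)
# Host artifact: PE version-info strings on the dropped file
VERSION_INFO = {"Tpowersoft", "IMS Image Manipullation Software"}
# Network artifact: the beacon URI, which survives a move to a new IP address
BEACON_URI_RE = re.compile(r"^/warez/cloacla\.php$", re.I)

# Constructed proxy-log layout: "<ts> <src> <dst>:<port> <method> <uri>"
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) (?P<method>[A-Z]+) (?P<uri>\S+)$")


def _ranked(tiers):
    """Unique tiers, most expensive for the adversary first."""
    return sorted(set(tiers), key=RANK.__getitem__, reverse=True)


def match_file_event(path, md5, company="", product=""):
    """Tiers a host file event (path, MD5, optional version info) matches."""
    tiers = []
    if md5.lower() in KNOWN_MD5:
        tiers.append("hash")
    if DROP_PATH_RE.match(path) or company in VERSION_INFO or product in VERSION_INFO:
        tiers.append("artifact")
    return _ranked(tiers)


def match_proxy_line(line):
    """Tiers one proxy-log line matches; unparseable lines match nothing."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return []
    tiers = []
    if m["dst"] in KNOWN_IPS:
        tiers.append("ip")
    if m["port"] == "8080" and BEACON_URI_RE.match(m["uri"]):
        tiers.append("artifact")
    return _ranked(tiers)


def best_tier(tiers):
    """The tier worth alerting on: the one that costs the adversary the most to evade."""
    return tiers[0] if tiers else None


# Constructed telemetry. The second file event and second proxy line model an
# adversary who recompiled the downloader (new hash) and moved the C2 to a new
# address (198.51.100.0/24 is a documentation range) but kept the drop-path
# pattern and beacon URI; the third of each is benign activity.
FILE_EVENTS = [
    (r"C:\Users\jdoe\AppData\Roaming\msqz7ka.exe", "525de1b3ae058ca5d601bd54fa99315a"),
    (r"C:\Users\jdoe\AppData\Roaming\msb3x9p.exe", "0" * 32),
    (r"C:\Users\jdoe\Documents\report.pdf", "f" * 32),
]
PROXY_LINES = [
    "2014-07-11T15:44:04 10.20.30.40 78.129.153.9:8080 GET /warez/cloacla.php",
    "2014-07-12T09:01:17 10.20.30.40 198.51.100.7:8080 POST /warez/cloacla.php",
    "2014-07-12T09:02:00 10.20.30.40 198.51.100.9:80 GET /index.html",
]


def sweep():
    """Highest-value tier hit per sample event; None means no indicator matched."""
    return ([best_tier(match_file_event(p, h)) for p, h in FILE_EVENTS]
            + [best_tier(match_proxy_line(l)) for l in PROXY_LINES])
```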

Slide 40: New and Exciting Possibilities

Slide 41: LLNL Cyber Security: Warcopter

• Why not do our wardriving from the air?
• Lots of interesting legal/policy issues to navigate

Slide 42: (figure only, no text)

Slide 43: LLNL Cyber Security Research

• "Big data" problems
  - Data fusion
  - Machine learning
• Network mapping
  - NeMS

Slide 44: How Can I Learn More?

• Host Forensics
• File Forensics / Malware Analysis
• Computer Network Defense
• Computer Network Offense
• Penetration Testing
• Exploit Development
• Command/Control

Slide 45: Thank You For Your Time and Attention

"America's economic prosperity in the 21st century will depend on cyber security" (President Barack Obama)

"It's not what happens to you, but how you react to it that matters" (Epictetus, Greek Philosopher)

Matthew Myrick, myrick3@llnl.gov, (925) 422-0361
John Donaldson, donaldson8@llnl.gov, (925) 423-8562
Jim Klopchic, klopchic1@llnl.gov, (925) 424-2769


Slide 17: Security Lingo

Definitions
• Vulnerability – weakness in a computing system
• Exploit – software that takes advantage of a vulnerability
• Phishing – sending an email to a user, falsely claiming to be somebody else, in an attempt to scam the user
• Zero Day – a publicly available exploit for which there is no patch

Slide 18: The World IS Shrinking

No longer have to physically travel the globe in order to attack.

Slide 19: N.Korea doubles cyber war personnel

http://news.yahoo.com/n-korea-doubles-cyber-war-personnel-024102387.html

Photo shows students using computers at the Grand People's Study House near Kim Il-Sung Square in Pyongyang, capital of North Korea (AFP Photo).

"The North's cyber war unit now has 5,900 personnel, compared with 3,000 two years ago, the South's Yonhap news agency said."

Slide 20: "Malware hidden in Chinese inventory scanners targeted logistics, shipping firms"

http://www.networkworld.com/article/2453101/malware-hidden-in-chinese-inventory-scanners-targeted-logistics-shipping-firms.html

"The supply chain attack, dubbed 'Zombie Zero', was identified by security researchers from TrapX. The malware was designed to launch attacks using the SMB (Server Message Block) protocol and the Radmin remote control protocol when the infected inventory scanner was connected to a company's wireless network. It then looked for ERP (enterprise resource planning) servers with the word 'finance' in their names and used known exploits to compromise them, said Carl Wright, executive vice president and general manager of TrapX."

Slide 21: Attacked From Within

Slide 22: Current State of Affairs: Commercial Sector

Slide 23: Current State of Affairs: Government Sector

Slide 24: Who is the Adversary?

Script Kiddie (motivation: vengeance)
• Hobbyists who dabble in mischief and chaos (i.e. Anonymous)
• Attack method: Distributed Denial of Service, Defacement
• Frequency: Daily
• Location: Mostly Western Countries

Cyber Criminals (motivation: $money$)
• Regular ol' criminals
• Attack method: Identity Theft, Botnets, Extortion
• Frequency: Daily
• Location: Mostly Eastern Bloc

Advanced Persistent Threat (motivation: power)
• Bad people from other countries paid to steal from the US
• Frequency: Monthly -> Weekly -> Periodically
• Location: Mostly China

Lawrence Livermore National Laboratory LLNL-PRES-663426

25 CS13-053

The BIG Picture

Lawrence Livermore National Laboratory LLNL-PRES-663426

26 CS13-053

Anatomy Of A Targeted Attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

27 CS13-053

LLNL Cyber Security Lifecycle

Deter

Detect

Respond

Remediate

Lawrence Livermore National Laboratory LLNL-PRES-663426

28 CS13-053

Our Security Stack

28

External

Intense Monitoring

Full

Pac

ket

Cap

ture

DN

S P

rote

ctio

n

Net

wo

rk E

ven

t P

arsi

ng

SIEM

Fire

wal

l

Ap

plic

atio

n F

irew

all

Emai

l Blo

ckin

g

APT Detection

Forensics

AV

Log Forwarding

Remediate

Detect

Respond

Deter

Lawrence Livermore National Laboratory LLNL-PRES-663426

29 CS13-053

Technologies

Lawrence Livermore National Laboratory LLNL-PRES-663426

30 CS13-053

Countermeasures and Response

30

Tools

TTPs

Network and Host Indicators

Domain Names

IP Addresses

bull Tough

bull Challenging

bull Annoying

bull Easy

bull Trivial

Goal Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCrsquos) and by sharing

Pyramid of Pain

Lawrence Livermore National Laboratory LLNL-PRES-663426

31 CS13-053

LLNL Has A Wake Up Call

June 2008

bull 150 Emails

mdash 2 Different messages

bull Emails had a links to an Adobe Flash 0-day

bull 22 People clicked 13 initially infected

mdash Within minutes they were on 5 enterprise servers

bull We received the phone call over a month laterhellip

bull 100rsquos of machines compromised

bull 3 Command amp Control channels

mdash FTPHTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

32 CS13-053

LLNL Wake Up Call Lessons Learned

We Needed To Get Serious (Digital 911)

bull Too many ingressegress points

bull Not enough logs

bull Needed way more security

Bought A Bunch of Technology

bull Separated Value From Snake Oil

Hired More People

bull Training Is Mandatory

mdash Keep guard up and anticipate the next punch

Lawrence Livermore National Laboratory LLNL-PRES-663426

33 CS13-053

If You Donrsquot Learn The First Timehellip

March 2010

bull 776 Emails

mdash 2 Different messages

bull Emails had links to Internet Explorer 67 0-day

bull 18 People clicked 3 Initially Infected

mdash Within an hour they were on 2 enterprise servers

bull Only 5 Machines

bull Fully contained within 5 hours

bull 4 Command amp Control channels

mdash HTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

34 CS13-053

Keep On Learning Lessons Security Must Be Baked In

bull Safety And Security Are Paramount bull No longer ldquoTrustrdquo the network bull Security presence is known

Maintain a wish list

Track known APT bull Only block when no other option

Collaborate and Communicate bull DOE Apt Focus Group Bay Area APT-SIG

bull The Attacks Keep Comingbut this story stops here

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 18: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

18 CS13-053

The World IS Shrinking

No longer have to physically travel the globe in order to attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

19 CS13-053

NKorea doubles cyber war personnel

httpnewsyahoocomn-korea-doubles-cyber-war-personnel-024102387html

Photo shows students using computers at the Grand Peoples Study House near

Kim Il-Sung Square in Pyongyang capital of North Korea (AFP Photo)

The Norths cyber

war unit now has

5900 personnel

compared with 3000

two years ago the

Souths Yonhap news

agency said

Lawrence Livermore National Laboratory LLNL-PRES-663426

20 CS13-053

ldquoMalware hidden in Chinese inventory

scanners targeted logistics shipping

firmsrdquo

httpwwwnetworkworldcomarticle2453101malware-hidden-in-chinese-inventory-

scanners-targeted-logistics-shipping-firmshtml

The supply chain attack dubbed ldquoZombie Zerordquo was

identified by security researchers from TrapX

The malware was designed to launch attacks using

the SMB (Server Message Block) protocol and the

Radmin remote control protocol when the infected

inventory scanner was connected to a companyrsquos

wireless network It then looked for ERP (enterprise

resource planning) servers with the word ldquofinancerdquo in

their names and used known exploits to compromise

them said Carl Wright executive vice president and

general manager of TrapX

Lawrence Livermore National Laboratory LLNL-PRES-663426

21 CS13-053

Attacked From Within

Lawrence Livermore National Laboratory LLNL-PRES-663426

22 CS13-053

Current State of Affairs Commercial Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

23 CS13-053

Current State of Affairs Government Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

24 CS13-053

Who is the Adversary

Script Kiddie (motivation vengeance) bull Hobbyists who dabble in mischief and chaos (ie Anonymous)

bull Attack method Distributed Denial of Service Defacement

bull Frequency Daily

bull Location Mostly Western Countries

Cyber Criminals (motivation $money$) bull Regular olrsquo criminals

bull Attack method Identity Theft Botnets Extortion

bull Frequency Daily

bull Mostly Eastern Bloc

Advanced Persistent Threat (motivation power)

bull Bad people from other countries paid to steal from the US

bull Frequency Monthly-gtWeekly-gtPeriodically

bull Mostly China

Lawrence Livermore National Laboratory LLNL-PRES-663426

25 CS13-053

The BIG Picture

Lawrence Livermore National Laboratory LLNL-PRES-663426

26 CS13-053

Anatomy Of A Targeted Attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

27 CS13-053

LLNL Cyber Security Lifecycle

Deter

Detect

Respond

Remediate

Lawrence Livermore National Laboratory LLNL-PRES-663426

28 CS13-053

Our Security Stack

28

External

Intense Monitoring

Full

Pac

ket

Cap

ture

DN

S P

rote

ctio

n

Net

wo

rk E

ven

t P

arsi

ng

SIEM

Fire

wal

l

Ap

plic

atio

n F

irew

all

Emai

l Blo

ckin

g

APT Detection

Forensics

AV

Log Forwarding

Remediate

Detect

Respond

Deter

Lawrence Livermore National Laboratory LLNL-PRES-663426

29 CS13-053

Technologies

Lawrence Livermore National Laboratory LLNL-PRES-663426

30 CS13-053

Countermeasures and Response

30

Tools

TTPs

Network and Host Indicators

Domain Names

IP Addresses

bull Tough

bull Challenging

bull Annoying

bull Easy

bull Trivial

Goal Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCrsquos) and by sharing

Pyramid of Pain

Lawrence Livermore National Laboratory LLNL-PRES-663426

31 CS13-053

LLNL Has A Wake Up Call

June 2008

bull 150 Emails

mdash 2 Different messages

bull Emails had a links to an Adobe Flash 0-day

bull 22 People clicked 13 initially infected

mdash Within minutes they were on 5 enterprise servers

bull We received the phone call over a month laterhellip

bull 100rsquos of machines compromised

bull 3 Command amp Control channels

mdash FTPHTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

32 CS13-053

LLNL Wake Up Call Lessons Learned

We Needed To Get Serious (Digital 911)

bull Too many ingressegress points

bull Not enough logs

bull Needed way more security

Bought A Bunch of Technology

bull Separated Value From Snake Oil

Hired More People

bull Training Is Mandatory

mdash Keep guard up and anticipate the next punch

Lawrence Livermore National Laboratory LLNL-PRES-663426

33 CS13-053

If You Donrsquot Learn The First Timehellip

March 2010

bull 776 Emails

mdash 2 Different messages

bull Emails had links to Internet Explorer 67 0-day

bull 18 People clicked 3 Initially Infected

mdash Within an hour they were on 2 enterprise servers

bull Only 5 Machines

bull Fully contained within 5 hours

bull 4 Command amp Control channels

mdash HTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

34 CS13-053

Keep On Learning Lessons Security Must Be Baked In

bull Safety And Security Are Paramount bull No longer ldquoTrustrdquo the network bull Security presence is known

Maintain a wish list

Track known APT bull Only block when no other option

Collaborate and Communicate bull DOE Apt Focus Group Bay Area APT-SIG

bull The Attacks Keep Comingbut this story stops here

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 19: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

19 CS13-053

NKorea doubles cyber war personnel

httpnewsyahoocomn-korea-doubles-cyber-war-personnel-024102387html

Photo shows students using computers at the Grand Peoples Study House near

Kim Il-Sung Square in Pyongyang capital of North Korea (AFP Photo)

The Norths cyber

war unit now has

5900 personnel

compared with 3000

two years ago the

Souths Yonhap news

agency said

Lawrence Livermore National Laboratory LLNL-PRES-663426

20 CS13-053

ldquoMalware hidden in Chinese inventory

scanners targeted logistics shipping

firmsrdquo

httpwwwnetworkworldcomarticle2453101malware-hidden-in-chinese-inventory-

scanners-targeted-logistics-shipping-firmshtml

The supply chain attack dubbed ldquoZombie Zerordquo was

identified by security researchers from TrapX

The malware was designed to launch attacks using

the SMB (Server Message Block) protocol and the

Radmin remote control protocol when the infected

inventory scanner was connected to a companyrsquos

wireless network It then looked for ERP (enterprise

resource planning) servers with the word ldquofinancerdquo in

their names and used known exploits to compromise

them said Carl Wright executive vice president and

general manager of TrapX

Lawrence Livermore National Laboratory LLNL-PRES-663426

21 CS13-053

Attacked From Within

Lawrence Livermore National Laboratory LLNL-PRES-663426

22 CS13-053

Current State of Affairs Commercial Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

23 CS13-053

Current State of Affairs Government Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

24 CS13-053

Who is the Adversary

Script Kiddie (motivation vengeance) bull Hobbyists who dabble in mischief and chaos (ie Anonymous)

bull Attack method Distributed Denial of Service Defacement

bull Frequency Daily

bull Location Mostly Western Countries

Cyber Criminals (motivation $money$) bull Regular olrsquo criminals

bull Attack method Identity Theft Botnets Extortion

bull Frequency Daily

bull Mostly Eastern Bloc

Advanced Persistent Threat (motivation power)

bull Bad people from other countries paid to steal from the US

bull Frequency Monthly-gtWeekly-gtPeriodically

bull Mostly China

Lawrence Livermore National Laboratory LLNL-PRES-663426

25 CS13-053

The BIG Picture

Lawrence Livermore National Laboratory LLNL-PRES-663426

26 CS13-053

Anatomy Of A Targeted Attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

27 CS13-053

LLNL Cyber Security Lifecycle

Deter

Detect

Respond

Remediate

Lawrence Livermore National Laboratory LLNL-PRES-663426

28 CS13-053

Our Security Stack

28

External

Intense Monitoring

Full

Pac

ket

Cap

ture

DN

S P

rote

ctio

n

Net

wo

rk E

ven

t P

arsi

ng

SIEM

Fire

wal

l

Ap

plic

atio

n F

irew

all

Emai

l Blo

ckin

g

APT Detection

Forensics

AV

Log Forwarding

Remediate

Detect

Respond

Deter

Lawrence Livermore National Laboratory LLNL-PRES-663426

29 CS13-053

Technologies

Lawrence Livermore National Laboratory LLNL-PRES-663426

30 CS13-053

Countermeasures and Response

30

Tools

TTPs

Network and Host Indicators

Domain Names

IP Addresses

bull Tough

bull Challenging

bull Annoying

bull Easy

bull Trivial

Goal Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCrsquos) and by sharing

Pyramid of Pain

Lawrence Livermore National Laboratory LLNL-PRES-663426

31 CS13-053

LLNL Has A Wake Up Call

June 2008

bull 150 Emails

mdash 2 Different messages

bull Emails had a links to an Adobe Flash 0-day

bull 22 People clicked 13 initially infected

mdash Within minutes they were on 5 enterprise servers

bull We received the phone call over a month laterhellip

bull 100rsquos of machines compromised

bull 3 Command amp Control channels

mdash FTPHTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

32 CS13-053

LLNL Wake Up Call Lessons Learned

We Needed To Get Serious (Digital 911)

bull Too many ingressegress points

bull Not enough logs

bull Needed way more security

Bought A Bunch of Technology

bull Separated Value From Snake Oil

Hired More People

bull Training Is Mandatory

mdash Keep guard up and anticipate the next punch

Lawrence Livermore National Laboratory LLNL-PRES-663426

33 CS13-053

If You Donrsquot Learn The First Timehellip

March 2010

bull 776 Emails

mdash 2 Different messages

bull Emails had links to Internet Explorer 67 0-day

bull 18 People clicked 3 Initially Infected

mdash Within an hour they were on 2 enterprise servers

bull Only 5 Machines

bull Fully contained within 5 hours

bull 4 Command amp Control channels

mdash HTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

34 CS13-053

Keep On Learning Lessons Security Must Be Baked In

bull Safety And Security Are Paramount bull No longer ldquoTrustrdquo the network bull Security presence is known

Maintain a wish list

Track known APT bull Only block when no other option

Collaborate and Communicate bull DOE Apt Focus Group Bay Area APT-SIG

bull The Attacks Keep Comingbut this story stops here

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Slide 39: What Does It Do?

Downloaded file: Invoice_[2-3 digits].PDF.scr [MD5: 255819e2f28ee210479928517f676b30]

It drops a downloader exe in C:\Users\[userid]\AppData\Roaming\ms[5 chars].exe [MD5: 525de1b3ae058ca5d601bd54fa99315a]

Version info of the dropped file:
Company Name: Tpowersoft
File Description: IMS Image Manipullation Software
File Version: 1072
Internal Name: imm manip softw
Legal Copyright: Copyright (C) 2013 Tpowersoft
Original Filename: ims imagge
Product Name: IMS Image Manipullation Software

Beacon IPs:
http://78.129.153.9:8080/warezcloaclaphp
http://78.129.153.11:8080/warezcloaclaphp

IP Address   | Country           | Location | Coordinates  | ISP                    | Org
78.129.153.9 | GB United Kingdom | Europe   | 51.5, -0.13  | Iomart Hosting Limited | RapidSwitch Ltd

Slide 40: New and Exciting Possibilities

Slide 41: LLNL Cyber Security: Warcopter

• Why not do our wardriving from the air?
• Lots of interesting legal/policy issues to navigate

Slide 42: (image only)

Slide 43: LLNL Cyber Security Research

"Big data" problems
• Data fusion
• Machine learning

Network mapping
• NeMS

Slide 44: How Can I Learn More?

• Host Forensics
• File Forensics
• Malware Analysis
• Computer Network Defense
• Computer Network Offense
• Penetration Testing
• Exploit Development
• Command/Control

Slide 45: Thank You For Your Time and Attention

"America's economic prosperity in the 21st century will depend on cyber security." (President Barack Obama)

"It's not what happens to you, but how you react to it that matters." (Epictetus, Greek Philosopher)

Matthew Myrick, myrick3@llnl.gov, (925) 422-0361
John Donaldson, donaldson8@llnl.gov, (925) 423-8562
Jim Klopchic, klopchic1@llnl.gov, (925) 424-2769

Page 20: A Glimpse Into the World of Cyber Security at LLNL (sites.miis.edu/cyber/files/2015/06/LLNL-MIIS..., 2015-06-02)

Slide 20: "Malware hidden in Chinese inventory scanners targeted logistics, shipping firms"

http://www.networkworld.com/article/2453101/malware-hidden-in-chinese-inventory-scanners-targeted-logistics-shipping-firms.html

The supply chain attack, dubbed "Zombie Zero", was identified by security researchers from TrapX. The malware was designed to launch attacks using the SMB (Server Message Block) protocol and the Radmin remote control protocol when the infected inventory scanner was connected to a company's wireless network. It then looked for ERP (enterprise resource planning) servers with the word "finance" in their names and used known exploits to compromise them, said Carl Wright, executive vice president and general manager of TrapX.

Slide 21: Attacked From Within

Slide 22: Current State of Affairs: Commercial Sector

Slide 23: Current State of Affairs: Government Sector

Slide 24: Who is the Adversary?

Script Kiddie (motivation: vengeance)
• Hobbyists who dabble in mischief and chaos (i.e. Anonymous)
• Attack method: Distributed Denial of Service, Defacement
• Frequency: Daily
• Location: Mostly Western Countries

Cyber Criminals (motivation: $money$)
• Regular ol' criminals
• Attack method: Identity Theft, Botnets, Extortion
• Frequency: Daily
• Mostly Eastern Bloc

Advanced Persistent Threat (motivation: power)
• Bad people from other countries paid to steal from the US
• Frequency: Monthly -> Weekly -> Periodically
• Mostly China

Slide 25: The BIG Picture

Slide 26: Anatomy Of A Targeted Attack

Slide 27: LLNL Cyber Security Lifecycle

Deter, Detect, Respond, Remediate

Slide 28: Our Security Stack

(Stack diagram. Labels: External, Intense Monitoring; lifecycle phases: Deter, Detect, Respond, Remediate.)

Components:
• Full Packet Capture
• DNS Protection
• Network Event Parsing
• SIEM
• Firewall
• Application Firewall
• Email Blocking
• APT Detection
• Forensics
• AV
• Log Forwarding

Slide 29: Technologies

Slide 30: Countermeasures and Response: Pyramid of Pain

Indicator types on the pyramid: Tools, TTPs, Network and Host Indicators, Domain Names, IP Addresses
Pain levels for the adversary: Tough, Challenging, Annoying, Easy, Trivial

Goal: Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOC's) and by sharing.
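The Zbot case study (slides 36-39) and the Pyramid of Pain above make one point between them: a file hash or beacon IP is cheap for the adversary to rotate, while the lure's double-extension attachment and its rename-to-.SCR instruction cost real effort to change. The Python below is an added example, not code from the deck or from LLNL: it runs the slide 36-39 indicators over constructed mail-gateway, proxy and endpoint log lines and tags each hit with the deck's pain-level label. The log-line formats, hostnames, internal addresses and the hash-to-TTP tier mapping (after Bianco's Pyramid of Pain) are assumptions of the example.

```python
"""Pyramid-of-Pain-tiered matching of the Zbot case-study indicators.

Added example, not code from the LLNL deck. The MD5s, beacon IPs, dropper
path pattern and lure wording come from slides 36-39; the log-line formats,
hostnames and sample lines below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Atomic indicators quoted on slide 39.
MD5_IOCS = {
    "255819e2f28ee210479928517f676b30": "Invoice_[2-3 digits].PDF.scr",
    "525de1b3ae058ca5d601bd54fa99315a": "ms[5 chars].exe downloader",
}
BEACON_IPS = {"78.129.153.9", "78.129.153.11"}

# Host artifact (slide 39): C:\Users\<user>\AppData\Roaming\ms<5 chars>.exe
DROPPER_PATH = re.compile(r"\\AppData\\Roaming\\ms[A-Za-z0-9]{5}\.exe\b", re.I)

# TTPs (slides 36-37): a document extension followed by an executable one
# (Invoice_161.PDF.scr), and the lure telling the victim to rename the
# attachment to .SCR so the mail gateway never sees an executable.
DOUBLE_EXT = re.compile(r"\b[\w-]+\.(?:pdf|doc|xls)\.(?:scr|exe|com|pif)\b", re.I)
RENAME_LURE = re.compile(r"change\s+(?:an|the)\s+extension\s+(?:to\s+)?\.?scr\b", re.I)

# Pain levels as labelled on slide 30; the kind-to-level mapping is assumed
# (Bianco's pyramid): the higher the level, the more the adversary must change.
TIERS = {"hash": "Trivial", "ip": "Easy", "host_artifact": "Annoying", "ttp": "Tough"}
TIER_ORDER = ["Trivial", "Easy", "Annoying", "Tough"]


@dataclass
class Hit:
    kind: str
    tier: str
    value: str
    line: str


def scan_line(line: str) -> List[Hit]:
    """Return every indicator hit in one log line, tagged with its pain level."""
    hits: List[Hit] = []
    # Trivial: hash equality. Breaks as soon as the sample is repacked.
    for md5 in re.findall(r"\b[0-9a-f]{32}\b", line.lower()):
        if md5 in MD5_IOCS:
            hits.append(Hit("hash", TIERS["hash"], md5, line))
    # Easy: beacon IP, matched as a whole dotted quad so that 78.129.153.11
    # cannot be mistaken for 78.129.153.1.
    for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", line):
        if ip in BEACON_IPS:
            hits.append(Hit("ip", TIERS["ip"], ip, line))
    # Annoying: the downloader's install-path pattern survives a rehash.
    m = DROPPER_PATH.search(line)
    if m:
        hits.append(Hit("host_artifact", TIERS["host_artifact"], m.group(0), line))
    # Tough: the double-extension trick and the rename lure survive every
    # hash, IP and hostname change the adversary makes.
    for pattern in (DOUBLE_EXT, RENAME_LURE):
        m = pattern.search(line)
        if m:
            hits.append(Hit("ttp", TIERS["ttp"], m.group(0), line))
    return hits


def scan(lines: List[str]) -> List[Hit]:
    return [hit for line in lines for hit in scan_line(line)]


def highest_tier(hits: List[Hit]) -> Optional[str]:
    """The most durable pain level among a set of hits (None if no hits)."""
    return max((h.tier for h in hits), key=TIER_ORDER.index, default=None)


# Constructed sample lines: mail gateway, web proxy and endpoint AV.
SAMPLE_LOGS = [
    # First wave (slide 36): odd extension plus the rename-to-.SCR lure
    'mail from=sharon@hoofbeats.org.uk to=myrick3@llnl.gov attach="Ivoice6886066.PFJ" '
    'body="save it to your computer and manually change an extension SCR (characters after dot)"',
    # Second wave (slide 37): hosted double-extension screensaver
    'mail from=add@mechparts.ru to=myrick3@llnl.gov url="https://www.dropbox.com/s/i5dnimddh4d5xn5/Invoice_161.PDF.scr?dl=1"',
    # Proxy: beacon to the C2 on port 8080 (slide 39); source host constructed
    'proxy src=10.20.30.40 GET http://78.129.153.9:8080/ status=200',
    # Endpoint AV: the dropped downloader with the known MD5
    r'av host=WS-0142 path="C:\Users\jdoe\AppData\Roaming\msab12c.exe" md5=525de1b3ae058ca5d601bd54fa99315a',
    # Same dropper repacked: hash differs, path pattern still fires
    r'av host=WS-0177 path="C:\Users\jlee\AppData\Roaming\msq9z1f.exe" md5=0123456789abcdef0123456789abcdef',
    # Benign traffic
    'mail from=alice@example.com to=bob@example.com attach="report.pdf"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"{hit.tier:8} {hit.kind:14} {hit.value}")
```

The repacked-dropper line is the point of the exercise: the Trivial hash rule goes silent while the Annoying path rule and the Tough lure rules keep firing.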

Slide 31: LLNL Has A Wake Up Call

June 2008
• 150 Emails
  - 2 different messages
• Emails had links to an Adobe Flash 0-day
• 22 people clicked, 13 initially infected
  - Within minutes they were on 5 enterprise servers
• We received the phone call over a month later…
• 100's of machines compromised
• 3 Command & Control channels
  - FTP/HTTP/HTTPS

Slide 32: LLNL Wake Up Call: Lessons Learned

We Needed To Get Serious (Digital 911)
• Too many ingress/egress points
• Not enough logs
• Needed way more security

Bought A Bunch of Technology
• Separated Value From Snake Oil

Hired More People
• Training Is Mandatory
  - Keep guard up and anticipate the next punch

Slide 33: If You Don't Learn The First Time…

March 2010
• 776 Emails
  - 2 different messages
• Emails had links to an Internet Explorer 6/7 0-day
• 18 people clicked, 3 initially infected
  - Within an hour they were on 2 enterprise servers
• Only 5 machines
• Fully contained within 5 hours
• 4 Command & Control channels
  - HTTP/HTTPS

Slide 34: Keep On Learning Lessons: Security Must Be Baked In

• Safety And Security Are Paramount
• No longer "Trust" the network
• Security presence is known
• Maintain a wish list
• Track known APT
• Only block when no other option
• Collaborate and Communicate
  - DOE APT Focus Group, Bay Area APT-SIG
• The Attacks Keep Coming… but this story stops here

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 21: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

21 CS13-053

Attacked From Within

Lawrence Livermore National Laboratory LLNL-PRES-663426

22 CS13-053

Current State of Affairs Commercial Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

23 CS13-053

Current State of Affairs Government Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

24 CS13-053

Who is the Adversary

Script Kiddie (motivation vengeance) bull Hobbyists who dabble in mischief and chaos (ie Anonymous)

bull Attack method Distributed Denial of Service Defacement

bull Frequency Daily

bull Location Mostly Western Countries

Cyber Criminals (motivation $money$) bull Regular olrsquo criminals

bull Attack method Identity Theft Botnets Extortion

bull Frequency Daily

bull Mostly Eastern Bloc

Advanced Persistent Threat (motivation power)

bull Bad people from other countries paid to steal from the US

bull Frequency Monthly-gtWeekly-gtPeriodically

bull Mostly China

Lawrence Livermore National Laboratory LLNL-PRES-663426

25 CS13-053

The BIG Picture

Lawrence Livermore National Laboratory LLNL-PRES-663426

26 CS13-053

Anatomy Of A Targeted Attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

27 CS13-053

LLNL Cyber Security Lifecycle

Deter

Detect

Respond

Remediate

Lawrence Livermore National Laboratory LLNL-PRES-663426

28 CS13-053

Our Security Stack

28

External

Intense Monitoring

Full

Pac

ket

Cap

ture

DN

S P

rote

ctio

n

Net

wo

rk E

ven

t P

arsi

ng

SIEM

Fire

wal

l

Ap

plic

atio

n F

irew

all

Emai

l Blo

ckin

g

APT Detection

Forensics

AV

Log Forwarding

Remediate

Detect

Respond

Deter

Lawrence Livermore National Laboratory LLNL-PRES-663426

29 CS13-053

Technologies

Lawrence Livermore National Laboratory LLNL-PRES-663426

30 CS13-053

Countermeasures and Response

30

Tools

TTPs

Network and Host Indicators

Domain Names

IP Addresses

bull Tough

bull Challenging

bull Annoying

bull Easy

bull Trivial

Goal Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCrsquos) and by sharing

Pyramid of Pain

Lawrence Livermore National Laboratory LLNL-PRES-663426

31 CS13-053

LLNL Has A Wake Up Call

June 2008

bull 150 Emails

mdash 2 Different messages

bull Emails had a links to an Adobe Flash 0-day

bull 22 People clicked 13 initially infected

mdash Within minutes they were on 5 enterprise servers

bull We received the phone call over a month laterhellip

bull 100rsquos of machines compromised

bull 3 Command amp Control channels

mdash FTPHTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

32 CS13-053

LLNL Wake Up Call Lessons Learned

We Needed To Get Serious (Digital 911)

bull Too many ingressegress points

bull Not enough logs

bull Needed way more security

Bought A Bunch of Technology

bull Separated Value From Snake Oil

Hired More People

bull Training Is Mandatory

mdash Keep guard up and anticipate the next punch

Lawrence Livermore National Laboratory LLNL-PRES-663426

33 CS13-053

If You Donrsquot Learn The First Timehellip

March 2010

bull 776 Emails

mdash 2 Different messages

bull Emails had links to Internet Explorer 67 0-day

bull 18 People clicked 3 Initially Infected

mdash Within an hour they were on 2 enterprise servers

bull Only 5 Machines

bull Fully contained within 5 hours

bull 4 Command amp Control channels

mdash HTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

34 CS13-053

Keep On Learning Lessons Security Must Be Baked In

bull Safety And Security Are Paramount bull No longer ldquoTrustrdquo the network bull Security presence is known

Maintain a wish list

Track known APT bull Only block when no other option

Collaborate and Communicate bull DOE Apt Focus Group Bay Area APT-SIG

bull The Attacks Keep Comingbut this story stops here

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 22: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

22 CS13-053

Current State of Affairs Commercial Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

23 CS13-053

Current State of Affairs Government Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

24 CS13-053

Who is the Adversary

Script Kiddie (motivation vengeance) bull Hobbyists who dabble in mischief and chaos (ie Anonymous)

bull Attack method Distributed Denial of Service Defacement

bull Frequency Daily

bull Location Mostly Western Countries

Cyber Criminals (motivation $money$) bull Regular olrsquo criminals

bull Attack method Identity Theft Botnets Extortion

bull Frequency Daily

bull Mostly Eastern Bloc

Advanced Persistent Threat (motivation power)

bull Bad people from other countries paid to steal from the US

bull Frequency Monthly-gtWeekly-gtPeriodically

bull Mostly China

Lawrence Livermore National Laboratory LLNL-PRES-663426

25 CS13-053

The BIG Picture

Lawrence Livermore National Laboratory LLNL-PRES-663426

26 CS13-053

Anatomy Of A Targeted Attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

27 CS13-053

LLNL Cyber Security Lifecycle

Deter

Detect

Respond

Remediate

Lawrence Livermore National Laboratory LLNL-PRES-663426

28 CS13-053

Our Security Stack

28

External

Intense Monitoring

Full

Pac

ket

Cap

ture

DN

S P

rote

ctio

n

Net

wo

rk E

ven

t P

arsi

ng

SIEM

Fire

wal

l

Ap

plic

atio

n F

irew

all

Emai

l Blo

ckin

g

APT Detection

Forensics

AV

Log Forwarding

Remediate

Detect

Respond

Deter

Lawrence Livermore National Laboratory LLNL-PRES-663426

29 CS13-053

Technologies

Lawrence Livermore National Laboratory LLNL-PRES-663426

30 CS13-053

Countermeasures and Response

30

Tools

TTPs

Network and Host Indicators

Domain Names

IP Addresses

bull Tough

bull Challenging

bull Annoying

bull Easy

bull Trivial

Goal Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCrsquos) and by sharing

Pyramid of Pain

Lawrence Livermore National Laboratory LLNL-PRES-663426

31 CS13-053

LLNL Has A Wake Up Call

June 2008

bull 150 Emails

mdash 2 Different messages

bull Emails had a links to an Adobe Flash 0-day

bull 22 People clicked 13 initially infected

mdash Within minutes they were on 5 enterprise servers

bull We received the phone call over a month laterhellip

bull 100rsquos of machines compromised

bull 3 Command amp Control channels

mdash FTPHTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

32 CS13-053

LLNL Wake Up Call Lessons Learned

We Needed To Get Serious (Digital 911)

bull Too many ingressegress points

bull Not enough logs

bull Needed way more security

Bought A Bunch of Technology

bull Separated Value From Snake Oil

Hired More People

bull Training Is Mandatory

mdash Keep guard up and anticipate the next punch

Lawrence Livermore National Laboratory LLNL-PRES-663426

33 CS13-053

If You Donrsquot Learn The First Timehellip

March 2010

bull 776 Emails

mdash 2 Different messages

bull Emails had links to Internet Explorer 67 0-day

bull 18 People clicked 3 Initially Infected

mdash Within an hour they were on 2 enterprise servers

bull Only 5 Machines

bull Fully contained within 5 hours

bull 4 Command amp Control channels

mdash HTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

34 CS13-053

Keep On Learning Lessons Security Must Be Baked In

bull Safety And Security Are Paramount bull No longer ldquoTrustrdquo the network bull Security presence is known

Maintain a wish list

Track known APT bull Only block when no other option

Collaborate and Communicate bull DOE Apt Focus Group Bay Area APT-SIG

bull The Attacks Keep Comingbut this story stops here

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 23: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

23 CS13-053

Current State of Affairs Government Sector

Lawrence Livermore National Laboratory LLNL-PRES-663426

24 CS13-053

Who is the Adversary

Script Kiddie (motivation vengeance) bull Hobbyists who dabble in mischief and chaos (ie Anonymous)

bull Attack method Distributed Denial of Service Defacement

bull Frequency Daily

bull Location Mostly Western Countries

Cyber Criminals (motivation $money$) bull Regular olrsquo criminals

bull Attack method Identity Theft Botnets Extortion

bull Frequency Daily

bull Mostly Eastern Bloc

Advanced Persistent Threat (motivation power)

bull Bad people from other countries paid to steal from the US

bull Frequency Monthly-gtWeekly-gtPeriodically

bull Mostly China

Lawrence Livermore National Laboratory LLNL-PRES-663426

25 CS13-053

The BIG Picture

Lawrence Livermore National Laboratory LLNL-PRES-663426

26 CS13-053

Anatomy Of A Targeted Attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

27 CS13-053

LLNL Cyber Security Lifecycle

Deter

Detect

Respond

Remediate

Lawrence Livermore National Laboratory LLNL-PRES-663426

28 CS13-053

Our Security Stack

28

External

Intense Monitoring

Full

Pac

ket

Cap

ture

DN

S P

rote

ctio

n

Net

wo

rk E

ven

t P

arsi

ng

SIEM

Fire

wal

l

Ap

plic

atio

n F

irew

all

Emai

l Blo

ckin

g

APT Detection

Forensics

AV

Log Forwarding

Remediate

Detect

Respond

Deter

Lawrence Livermore National Laboratory LLNL-PRES-663426

29 CS13-053

Technologies

Lawrence Livermore National Laboratory LLNL-PRES-663426

30 CS13-053

Countermeasures and Response

30

Tools

TTPs

Network and Host Indicators

Domain Names

IP Addresses

bull Tough

bull Challenging

bull Annoying

bull Easy

bull Trivial

Goal Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCrsquos) and by sharing

Pyramid of Pain

Lawrence Livermore National Laboratory LLNL-PRES-663426

31 CS13-053

LLNL Has A Wake Up Call

June 2008

bull 150 Emails

mdash 2 Different messages

bull Emails had a links to an Adobe Flash 0-day

bull 22 People clicked 13 initially infected

mdash Within minutes they were on 5 enterprise servers

bull We received the phone call over a month laterhellip

bull 100rsquos of machines compromised

bull 3 Command amp Control channels

mdash FTPHTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

32 CS13-053

LLNL Wake Up Call Lessons Learned

We Needed To Get Serious (Digital 911)

bull Too many ingressegress points

bull Not enough logs

bull Needed way more security

Bought A Bunch of Technology

bull Separated Value From Snake Oil

Hired More People

bull Training Is Mandatory

mdash Keep guard up and anticipate the next punch

Lawrence Livermore National Laboratory LLNL-PRES-663426

33 CS13-053

If You Donrsquot Learn The First Timehellip

March 2010

bull 776 Emails

mdash 2 Different messages

bull Emails had links to Internet Explorer 67 0-day

bull 18 People clicked 3 Initially Infected

mdash Within an hour they were on 2 enterprise servers

bull Only 5 Machines

bull Fully contained within 5 hours

bull 4 Command amp Control channels

mdash HTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

34 CS13-053

Keep On Learning Lessons Security Must Be Baked In

bull Safety And Security Are Paramount bull No longer ldquoTrustrdquo the network bull Security presence is known

Maintain a wish list

Track known APT bull Only block when no other option

Collaborate and Communicate bull DOE Apt Focus Group Bay Area APT-SIG

bull The Attacks Keep Comingbut this story stops here

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Slide 36: First Wave of Recent Attack

From: sharon@hoofbeats.org.uk
Sent: Monday, July 07, 2014 7:38 AM
To: Myrick, Matt
Subject: Payment for myrick3@llnl.gov

Thanks for shopping with our company now. Your order is on process at present. You will receive more info in the next message.

BILLING DETAILS
Purchase Number: Z643213424
Order Date: 7:37 Wed Jul 07 2014
Customer Email: myrick3@llnl.gov
Outright Purchase: 3742 USD

Please see the invoice enclosed with this email to get more info about your order.

IMPORTANT: In case you cannot read the file, do the following: save it to your computer and manually change an extension .SCR (characters after dot). See the sample name: Ivoice7765116.SCR. Then try again to open this.

Attached file: Ivoice6886066.PFJ

Slide 37: Second Wave

To: myrick3@llnl.gov
From: add@mechparts.ru
Subject: Payment_for_myrick3@llnl.gov
Date: Fri, 11 Jul 2014 15:44:04 -0500

Thank you for placing order with us today. Your order is now on process.

ORDER DETAILS
Purchase Number: D552845188
Order Date: 12:09 PM Wed July 11 2014
Customer Email: myrick3@llnl.gov
Order Total: 6889 USD

Download your invoice
Please hit the link provided above to have more info about this issue.

https://www.dropbox.com/s/i5dnimddh4d5xn5/Invoice_161.PDF.scr?dl=1
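Both waves share the same tells a mail gateway can score without any malware signature: the subject is templated with the recipient's own address, an "order" notice quotes an amount the reader never spent, and the payload is an executable reached either by a double extension (.PDF.scr) or by telling the reader to rename an unknown extension to .SCR by hand. The following is an added example, not LLNL's code; the two lure messages are reconstructed from the First Wave and Second Wave slides, the two control messages are constructed, and the second-wave download link has its real file-sharing host replaced by a constructed files.example.com address.

```python
"""Mail-gateway heuristics for the two lure waves shown on the slides.

Added example, not LLNL's code. FIRST_WAVE and SECOND_WAVE are reconstructed
from the slides (download host replaced by a constructed example.com name);
BENIGN and REAL_INVOICE are constructed controls.
"""
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class Mail:
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


# Extensions Windows runs on double-click versus ones an invoice could plausibly carry.
EXEC_EXT = {"scr", "exe", "pif", "com", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)
# "change an extension .SCR", "rename ... .exe": the reader is asked to defeat the filter by hand.
RENAME_TO_EXEC = re.compile(
    r"(?:change|rename)\b.{0,80}?\b(" + "|".join(sorted(EXEC_EXT)) + r")\b",
    re.IGNORECASE | re.DOTALL)
MONEY_RE = re.compile(r"\b\d{2,6}(?:[.,]\d{2})?\s*USD\b", re.IGNORECASE)


def double_extension_exec(name: str) -> bool:
    """True for names like Invoice_161.PDF.scr: a document extension masking an executable one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOCUMENT_EXT and parts[2] in EXEC_EXT


def _ext(name: str) -> str:
    return name.lower().rsplit(".", 1)[-1] if "." in name else ""


def lure_reasons(mail: Mail) -> List[str]:
    """Return the independent signals that mark this message as an executable-delivery lure."""
    reasons: List[str] = []
    if mail.recipient.lower() in mail.subject.lower():
        reasons.append("subject embeds the recipient's own address (templated mass mailing)")
    rename = RENAME_TO_EXEC.search(mail.body)
    if rename:
        reasons.append(f"body tells the reader to rename the file to .{rename.group(1).upper()} and open it")
    for name in mail.attachments:
        if double_extension_exec(name):
            reasons.append(f"attachment {name} hides an executable behind a document extension")
        elif _ext(name) in EXEC_EXT:
            reasons.append(f"attachment {name} is directly executable")
        elif _ext(name) not in DOCUMENT_EXT and rename:
            reasons.append(f"attachment {name} has an unknown extension and the body says to rename it")
    for url in URL_RE.findall(mail.body):
        filename = url.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
        if double_extension_exec(filename) or _ext(filename) in EXEC_EXT:
            reasons.append(f"link points straight at an executable download: {filename}")
    if MONEY_RE.search(mail.body) and "order" in mail.body.lower():
        reasons.append("unsolicited order/payment notice quoting an amount")
    return reasons


def is_lure(mail: Mail, threshold: int = 2) -> bool:
    """Two or more independent signals is the assumed quarantine threshold."""
    return len(lure_reasons(mail)) >= threshold


FIRST_WAVE = Mail(
    sender="sharon@hoofbeats.org.uk", recipient="myrick3@llnl.gov",
    subject="Payment for myrick3@llnl.gov",
    body=("Thanks for shopping with our company now. Your order is on process at present. "
          "You will receive more info in the next message.\nBILLING DETAILS\n"
          "Purchase Number: Z643213424\nOrder Date: 7:37 Wed Jul 07 2014\n"
          "Customer Email: myrick3@llnl.gov\nOutright Purchase: 3742 USD\n"
          "Please see the invoice enclosed with this email to get more info about your order.\n"
          "IMPORTANT: In case you cannot read the file, do the following: save it to your "
          "computer and manually change an extension .SCR (characters after dot). "
          "See the sample name: Ivoice7765116.SCR. Then try again to open this."),
    attachments=["Ivoice6886066.PFJ"])

SECOND_WAVE = Mail(
    sender="add@mechparts.ru", recipient="myrick3@llnl.gov",
    subject="Payment_for_myrick3@llnl.gov",
    body=("Thank you for placing order with us today. Your order is now on process.\n"
          "ORDER DETAILS\nPurchase Number: D552845188\nOrder Date: 12:09 PM Wed July 11 2014\n"
          "Customer Email: myrick3@llnl.gov\nOrder Total: 6889 USD\n"
          "Download your invoice: https://files.example.com/s/CONSTRUCTED/Invoice_161.PDF.scr?dl=1\n"
          "Please hit the link provided above to have more info about this issue."))

# Constructed controls: an ordinary colleague mail and a legitimate invoice.
BENIGN = Mail("alice@example.org", "myrick3@llnl.gov", "Re: meeting notes",
              "Attached are the notes from this morning's meeting.", ["notes.pdf"])
REAL_INVOICE = Mail("billing@vendor.example", "myrick3@llnl.gov", "Invoice 2014-07 for order 4471",
                    "Hello, please find attached the invoice for order 4471. Amount due: 120.00 USD. "
                    "You can also view it at https://portal.vendor.example/invoices/4471",
                    ["invoice-4471.pdf"])

if __name__ == "__main__":
    for label, m in [("first wave", FIRST_WAVE), ("second wave", SECOND_WAVE),
                     ("benign", BENIGN), ("real invoice", REAL_INVOICE)]:
        print(f"{label}: {'LURE' if is_lure(m) else 'ok'} {lure_reasons(m)}")
```

The legitimate invoice trips only the money/order signal, which is why the decision uses a count of independent signals rather than any single one; the two lure waves trip four and three respectively.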

Slide 38: What Is This?

Zbot/Zeus: http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99&tabid=2

"Trojan.Zbot is created using a toolkit that is readily available on underground marketplaces used by online criminals. There are different versions available, from free ones (often back-doored themselves) to those an attacker must pay up to $700 USD for in order to use. These marketplaces also offer other Zeus-related services, from bulletproof hosting for C&C servers to rental of already-established botnets."

Slide 39: What Does It Do?

Downloaded file: Invoice_[2-3 digits].PDF.scr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader .exe in C:\Users\[userid]\AppData\Roaming\ms[5 chars].exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Version info:
Company Name: Tpowersoft
File Description: IMS Image Manipullation Software
File Version: 1072
Internal Name: imm manip softw
Legal Copyright: Copyright (C) 2013 Tpowersoft
Original Filename: ims imagge
Product Name: IMS Image Manipullation Software

Beacon IPs:
http://78.129.153.9:8080/warezcloaclaphp
http://78.129.153.11:8080/warezcloaclaphp

IP Address: 78.129.153.9
Country: GB (United Kingdom)
Location: Europe
Coordinates: 51.5, -0.13
ISP: Iomart Hosting Limited
Org: RapidSwitch Ltd

Slide 40: New and Exciting Possibilities

Slide 41: LLNL Cyber Security: Warcopter

• Why not do our wardriving from the air?
• Lots of interesting legal/policy issues to navigate

Slide 43: LLNL Cyber Security Research

"Big data" problems
• Data fusion
Machine learning
Network mapping
• NeMS

Slide 44: How Can I Learn More?

Host Forensics
File Forensics
Malware Analysis
Computer Network Defense
Computer Network Offense
Penetration Testing
Exploit Development
Command/Control

Slide 45: Thank You For Your Time and Attention

"America's economic prosperity in the 21st century will depend on cyber security." (President Barack Obama)

"It's not what happens to you, but how you react to it that matters." (Epictetus, Greek philosopher)

Matthew Myrick, myrick3@llnl.gov, (925) 422-0361
John Donaldson, donaldson8@llnl.gov, (925) 423-8562
Jim Klopchic, klopchic1@llnl.gov, (925) 424-2769


Slide 24: Who is the Adversary?

Script Kiddie (motivation: vengeance)
• Hobbyists who dabble in mischief and chaos (i.e. Anonymous)
• Attack method: Distributed Denial of Service, Defacement
• Frequency: Daily
• Location: Mostly Western countries

Cyber Criminals (motivation: $money$)
• Regular ol' criminals
• Attack method: Identity Theft, Botnets, Extortion
• Frequency: Daily
• Mostly Eastern Bloc

Advanced Persistent Threat (motivation: power)
• Bad people from other countries paid to steal from the US
• Frequency: Monthly -> Weekly -> Periodically
• Mostly China

Slide 25: The BIG Picture

Slide 26: Anatomy Of A Targeted Attack

Slide 27: LLNL Cyber Security Lifecycle

Deter, Detect, Respond, Remediate

Slide 28: Our Security Stack (diagram)

Labels on the diagram: External; Intense Monitoring; Full Packet Capture; DNS Protection; Network Event Parsing; SIEM; Firewall; Application Firewall; Email Blocking; APT Detection; Forensics; AV; Log Forwarding
Lifecycle phases on the diagram: Deter, Detect, Respond, Remediate

Slide 29: Technologies

Slide 30: Countermeasures and Response: Pyramid of Pain

Indicator types on the pyramid: Tools; TTPs; Network and Host Indicators; Domain Names; IP Addresses
Cost to the adversary, from the top of the pyramid down: Tough, Challenging, Annoying, Easy, Trivial

Goal: Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCs) and by sharing.
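The Pyramid of Pain slide and the Zbot "What Does It Do?" slide fit together: the hashes, beacon IP:port pairs, lure file name, drop path and PE version-info strings from that slide are each a different rung of the pyramid, and the point of ranking a hit is to know which indicators the adversary can shed cheaply (a hash, an IP) and which cost them a rebuild (file-name scheme, drop location, fake version info). The following is an added example, not LLNL's code, that matches those indicators against constructed proxy-log lines and host observations and orders every hit highest-pain first. The indicators themselves are copied from the slide; the pain levels follow David Bianco's six-level Pyramid of Pain, which the slide condenses to five, so the "Simple" domain level and the hash level are assumptions from Bianco's original rather than from the slide.

```python
"""Indicator matching for the Zbot/Zeus case on the slides, with every hit
ranked on the Pyramid of Pain.

Added example, not LLNL's code. Indicators are copied from the "What Does It
Do?" slide; proxy-log lines and host observations are constructed. Pain
levels follow David Bianco's six-level pyramid (assumption: the slide shows five).
"""
import re
from typing import Iterable, List, Tuple

KNOWN_BAD_MD5 = {
    "255819e2f28ee210479928517f676b30": "Invoice_NNN.PDF.scr lure",
    "525de1b3ae058ca5d601bd54fa99315a": "dropped downloader .exe",
}
BEACON_ENDPOINTS = {("78.129.153.9", 8080), ("78.129.153.11", 8080)}
LURE_NAME = re.compile(r"Invoice_\d{2,3}\.PDF\.scr$", re.IGNORECASE)
DROP_PATH = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Roaming\\ms[A-Za-z0-9]{5}\.exe$", re.IGNORECASE)
VERSION_INFO_COMPANY = "Tpowersoft"

# What the adversary has to change to get past each indicator kind (Bianco).
PAIN_LEVEL = {
    "hash": "Trivial",
    "ip": "Easy",
    "domain": "Simple",
    "artifact": "Annoying",   # network/host artifacts: file names, paths, PE metadata
    "tool": "Challenging",
    "ttp": "Tough",
}
PAIN_ORDER = ["Tough", "Challenging", "Annoying", "Simple", "Easy", "Trivial"]

Hit = Tuple[str, str, str]   # (indicator kind, pain level, evidence)

# Squid native access.log: time elapsed client code/status bytes method URL ...
PROXY_LINE = re.compile(r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")
URL_PARTS = re.compile(r"^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/\S*)?$",
                       re.IGNORECASE)


def check_proxy_line(line: str) -> List[Hit]:
    """Flag beacons to the known C2 IP:port pairs and downloads of the lure file name."""
    hits: List[Hit] = []
    m = PROXY_LINE.match(line)
    u = URL_PARTS.match(m.group("url")) if m else None
    if not u:
        return hits   # not a proxy line, or not an HTTP(S) URL
    port = int(u.group("port") or (443 if u.group("scheme").lower() == "https" else 80))
    if (u.group("host"), port) in BEACON_ENDPOINTS:
        hits.append(("ip", PAIN_LEVEL["ip"], f"{m.group('client')} -> {u.group('host')}:{port}"))
    path = (u.group("path") or "").split("?", 1)[0]
    if LURE_NAME.search(path):
        hits.append(("artifact", PAIN_LEVEL["artifact"], f"lure download {path}"))
    return hits


def check_host_file(path: str, md5: str, company: str = "") -> List[Hit]:
    """Flag a file on disk by hash, drop location, lure name, or PE version-info company."""
    hits: List[Hit] = []
    if md5.lower() in KNOWN_BAD_MD5:
        hits.append(("hash", PAIN_LEVEL["hash"], KNOWN_BAD_MD5[md5.lower()]))
    if DROP_PATH.match(path):
        hits.append(("artifact", PAIN_LEVEL["artifact"], f"drop path {path}"))
    if LURE_NAME.search(path):
        hits.append(("artifact", PAIN_LEVEL["artifact"], f"lure file name {path}"))
    if company == VERSION_INFO_COMPANY:
        hits.append(("artifact", PAIN_LEVEL["artifact"], f"version info CompanyName={company}"))
    return hits


def triage(proxy_lines: Iterable[str], host_files: Iterable[Tuple[str, str, str]]) -> List[Hit]:
    """All hits, highest-pain first: those are the indicators worth sharing and keeping detections on."""
    hits: List[Hit] = []
    for line in proxy_lines:
        hits.extend(check_proxy_line(line))
    for path, md5, company in host_files:
        hits.extend(check_host_file(path, md5, company))
    return sorted(hits, key=lambda h: PAIN_ORDER.index(h[1]))


# Constructed Squid-style proxy lines: one C2 beacon, one lure download, one benign request.
SAMPLE_PROXY_LOG = [
    "1404732000.101 45 10.1.2.3 TCP_MISS/200 512 GET http://78.129.153.9:8080/warezcloaclaphp - HIER_DIRECT/78.129.153.9 text/html",
    "1404732003.250 30 10.1.2.3 TCP_MISS/200 204800 GET https://files.example.com/s/CONSTRUCTED/Invoice_161.PDF.scr?dl=1 - HIER_DIRECT/203.0.113.10 application/octet-stream",
    "1404732010.000 12 10.1.2.4 TCP_MISS/200 1024 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
]
# Constructed host observations: (path, MD5, PE version-info CompanyName).
SAMPLE_HOST_FILES = [
    (r"C:\Users\jdoe\AppData\Roaming\msabq1x.exe", "525de1b3ae058ca5d601bd54fa99315a", "Tpowersoft"),
    (r"C:\Users\jdoe\Downloads\Invoice_161.PDF.scr", "255819e2f28ee210479928517f676b30", ""),
    (r"C:\Program Files\Vendor\tool.exe", "d41d8cd98f00b204e9800998ecf8427e", "Vendor Inc"),
]

if __name__ == "__main__":
    for kind, level, evidence in triage(SAMPLE_PROXY_LOG, SAMPLE_HOST_FILES):
        print(f"[{level:<11}] {kind:<8} {evidence}")
```

On the sample data the hash matches sort to the bottom and the artifact matches (drop path, lure name, forged CompanyName) to the top, which is the slide's argument in miniature: the hashes are what the adversary rotates first, so they are the least valuable thing to share.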

Slide 31: LLNL Has A Wake Up Call

June 2008
• 150 emails
  – 2 different messages
• Emails had links to an Adobe Flash 0-day
• 22 people clicked, 13 initially infected
  – Within minutes they were on 5 enterprise servers
• We received the phone call over a month later…
• 100's of machines compromised
• 3 Command & Control channels
  – FTP/HTTP/HTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

32 CS13-053

LLNL Wake Up Call Lessons Learned

We Needed To Get Serious (Digital 911)

bull Too many ingressegress points

bull Not enough logs

bull Needed way more security

Bought A Bunch of Technology

bull Separated Value From Snake Oil

Hired More People

bull Training Is Mandatory

mdash Keep guard up and anticipate the next punch

Lawrence Livermore National Laboratory LLNL-PRES-663426

33 CS13-053

If You Donrsquot Learn The First Timehellip

March 2010

bull 776 Emails

mdash 2 Different messages

bull Emails had links to Internet Explorer 67 0-day

bull 18 People clicked 3 Initially Infected

mdash Within an hour they were on 2 enterprise servers

bull Only 5 Machines

bull Fully contained within 5 hours

bull 4 Command amp Control channels

mdash HTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

34 CS13-053

Keep On Learning Lessons Security Must Be Baked In

bull Safety And Security Are Paramount bull No longer ldquoTrustrdquo the network bull Security presence is known

Maintain a wish list

Track known APT bull Only block when no other option

Collaborate and Communicate bull DOE Apt Focus Group Bay Area APT-SIG

bull The Attacks Keep Comingbut this story stops here

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 25: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

25 CS13-053

The BIG Picture

Lawrence Livermore National Laboratory LLNL-PRES-663426

26 CS13-053

Anatomy Of A Targeted Attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

27 CS13-053

LLNL Cyber Security Lifecycle

Deter

Detect

Respond

Remediate

Lawrence Livermore National Laboratory LLNL-PRES-663426

28 CS13-053

Our Security Stack

28

External

Intense Monitoring

Full

Pac

ket

Cap

ture

DN

S P

rote

ctio

n

Net

wo

rk E

ven

t P

arsi

ng

SIEM

Fire

wal

l

Ap

plic

atio

n F

irew

all

Emai

l Blo

ckin

g

APT Detection

Forensics

AV

Log Forwarding

Remediate

Detect

Respond

Deter

Lawrence Livermore National Laboratory LLNL-PRES-663426

29 CS13-053

Technologies

Lawrence Livermore National Laboratory LLNL-PRES-663426

30 CS13-053

Countermeasures and Response

30

Tools

TTPs

Network and Host Indicators

Domain Names

IP Addresses

bull Tough

bull Challenging

bull Annoying

bull Easy

bull Trivial

Goal Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCrsquos) and by sharing

Pyramid of Pain

Lawrence Livermore National Laboratory LLNL-PRES-663426

31 CS13-053

LLNL Has A Wake Up Call

June 2008

bull 150 Emails

mdash 2 Different messages

bull Emails had a links to an Adobe Flash 0-day

bull 22 People clicked 13 initially infected

mdash Within minutes they were on 5 enterprise servers

bull We received the phone call over a month laterhellip

bull 100rsquos of machines compromised

bull 3 Command amp Control channels

mdash FTPHTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

32 CS13-053

LLNL Wake Up Call Lessons Learned

We Needed To Get Serious (Digital 911)

bull Too many ingressegress points

bull Not enough logs

bull Needed way more security

Bought A Bunch of Technology

bull Separated Value From Snake Oil

Hired More People

bull Training Is Mandatory

mdash Keep guard up and anticipate the next punch

Lawrence Livermore National Laboratory LLNL-PRES-663426

33 CS13-053

If You Donrsquot Learn The First Timehellip

March 2010

bull 776 Emails

mdash 2 Different messages

bull Emails had links to Internet Explorer 67 0-day

bull 18 People clicked 3 Initially Infected

mdash Within an hour they were on 2 enterprise servers

bull Only 5 Machines

bull Fully contained within 5 hours

bull 4 Command amp Control channels

mdash HTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

34 CS13-053

Keep On Learning Lessons Security Must Be Baked In

bull Safety And Security Are Paramount bull No longer ldquoTrustrdquo the network bull Security presence is known

Maintain a wish list

Track known APT bull Only block when no other option

Collaborate and Communicate bull DOE Apt Focus Group Bay Area APT-SIG

bull The Attacks Keep Comingbut this story stops here

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 26: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

26 CS13-053

Anatomy Of A Targeted Attack

Lawrence Livermore National Laboratory LLNL-PRES-663426

27 CS13-053

LLNL Cyber Security Lifecycle

Deter

Detect

Respond

Remediate

Lawrence Livermore National Laboratory LLNL-PRES-663426

28 CS13-053

Our Security Stack

28

External

Intense Monitoring

Full

Pac

ket

Cap

ture

DN

S P

rote

ctio

n

Net

wo

rk E

ven

t P

arsi

ng

SIEM

Fire

wal

l

Ap

plic

atio

n F

irew

all

Emai

l Blo

ckin

g

APT Detection

Forensics

AV

Log Forwarding

Remediate

Detect

Respond

Deter

Lawrence Livermore National Laboratory LLNL-PRES-663426

29 CS13-053

Technologies

Lawrence Livermore National Laboratory LLNL-PRES-663426

30 CS13-053

Countermeasures and Response

30

Tools

TTPs

Network and Host Indicators

Domain Names

IP Addresses

bull Tough

bull Challenging

bull Annoying

bull Easy

bull Trivial

Goal Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCrsquos) and by sharing

Pyramid of Pain

Lawrence Livermore National Laboratory LLNL-PRES-663426

31 CS13-053

LLNL Has A Wake Up Call

June 2008

bull 150 Emails

mdash 2 Different messages

bull Emails had a links to an Adobe Flash 0-day

bull 22 People clicked 13 initially infected

mdash Within minutes they were on 5 enterprise servers

bull We received the phone call over a month laterhellip

bull 100rsquos of machines compromised

bull 3 Command amp Control channels

mdash FTPHTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

32 CS13-053

LLNL Wake Up Call Lessons Learned

We Needed To Get Serious (Digital 911)

bull Too many ingressegress points

bull Not enough logs

bull Needed way more security

Bought A Bunch of Technology

bull Separated Value From Snake Oil

Hired More People

bull Training Is Mandatory

mdash Keep guard up and anticipate the next punch

Lawrence Livermore National Laboratory LLNL-PRES-663426

33 CS13-053

If You Donrsquot Learn The First Timehellip

March 2010

bull 776 Emails

mdash 2 Different messages

bull Emails had links to Internet Explorer 67 0-day

bull 18 People clicked 3 Initially Infected

mdash Within an hour they were on 2 enterprise servers

bull Only 5 Machines

bull Fully contained within 5 hours

bull 4 Command amp Control channels

mdash HTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

34 CS13-053

Keep On Learning Lessons Security Must Be Baked In

bull Safety And Security Are Paramount bull No longer ldquoTrustrdquo the network bull Security presence is known

Maintain a wish list

Track known APT bull Only block when no other option

Collaborate and Communicate bull DOE Apt Focus Group Bay Area APT-SIG

bull The Attacks Keep Comingbut this story stops here

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 27: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

27 CS13-053

LLNL Cyber Security Lifecycle

Deter

Detect

Respond

Remediate

Lawrence Livermore National Laboratory LLNL-PRES-663426

28 CS13-053

Our Security Stack

28

External

Intense Monitoring

Full

Pac

ket

Cap

ture

DN

S P

rote

ctio

n

Net

wo

rk E

ven

t P

arsi

ng

SIEM

Fire

wal

l

Ap

plic

atio

n F

irew

all

Emai

l Blo

ckin

g

APT Detection

Forensics

AV

Log Forwarding

Remediate

Detect

Respond

Deter

Lawrence Livermore National Laboratory LLNL-PRES-663426

29 CS13-053

Technologies

Lawrence Livermore National Laboratory LLNL-PRES-663426

30 CS13-053

Countermeasures and Response

30

Tools

TTPs

Network and Host Indicators

Domain Names

IP Addresses

bull Tough

bull Challenging

bull Annoying

bull Easy

bull Trivial

Goal Make the process painful and more expen$ive for the adversary by using painful Indicators of Compromise (IOCrsquos) and by sharing

Pyramid of Pain

Lawrence Livermore National Laboratory LLNL-PRES-663426

31 CS13-053

LLNL Has A Wake Up Call

June 2008

bull 150 Emails

mdash 2 Different messages

bull Emails had a links to an Adobe Flash 0-day

bull 22 People clicked 13 initially infected

mdash Within minutes they were on 5 enterprise servers

bull We received the phone call over a month laterhellip

bull 100rsquos of machines compromised

bull 3 Command amp Control channels

mdash FTPHTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

32 CS13-053

LLNL Wake Up Call Lessons Learned

We Needed To Get Serious (Digital 911)

bull Too many ingressegress points

bull Not enough logs

bull Needed way more security

Bought A Bunch of Technology

bull Separated Value From Snake Oil

Hired More People

bull Training Is Mandatory

mdash Keep guard up and anticipate the next punch

Lawrence Livermore National Laboratory LLNL-PRES-663426

33 CS13-053

If You Donrsquot Learn The First Timehellip

March 2010

bull 776 Emails

mdash 2 Different messages

bull Emails had links to Internet Explorer 67 0-day

bull 18 People clicked 3 Initially Infected

mdash Within an hour they were on 2 enterprise servers

bull Only 5 Machines

bull Fully contained within 5 hours

bull 4 Command amp Control channels

mdash HTTPHTTPS

Lawrence Livermore National Laboratory LLNL-PRES-663426

34 CS13-053

Keep On Learning Lessons Security Must Be Baked In

bull Safety And Security Are Paramount bull No longer ldquoTrustrdquo the network bull Security presence is known

Maintain a wish list

Track known APT bull Only block when no other option

Collaborate and Communicate bull DOE Apt Focus Group Bay Area APT-SIG

bull The Attacks Keep Comingbut this story stops here

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

New and Exciting Possibilities

LLNL Cyber Security
Warcopter

• Why not do our wardriving from the air?
• Lots of interesting legal/policy issues to navigate

LLNL Cyber Security Research

"Big data" problems
• Data fusion
• Machine learning
• Network mapping
• NeMS

How Can I Learn More?

Host Forensics
File Forensics
Malware Analysis
Computer Network Defense
Computer Network Offense
Penetration Testing
Exploit Development
Command & Control

Thank You For Your Time and Attention

"America's economic prosperity in the 21st century will depend on cyber security" (President Barack Obama)

"It's not what happens to you, but how you react to it that matters" (Epictetus, Greek Philosopher)

Matthew Myrick, myrick3@llnl.gov, (925) 422-0361
John Donaldson, donaldson8@llnl.gov, (925) 423-8562
Jim Klopchic, klopchic1@llnl.gov, (925) 424-2769


on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 34: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

34 CS13-053

Keep On Learning Lessons Security Must Be Baked In

bull Safety And Security Are Paramount bull No longer ldquoTrustrdquo the network bull Security presence is known

Maintain a wish list

Track known APT bull Only block when no other option

Collaborate and Communicate bull DOE Apt Focus Group Bay Area APT-SIG

bull The Attacks Keep Comingbut this story stops here

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 35: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

35 CS13-053

Lets take a closer lookhellip

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 36: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

36 CS13-053

First Wave of Recent Attack From sharonhoofbeatsorguk

Sent Monday July 07 2014 738 AM

To Myrick Matt

Subject Payment for myrick3llnlgov

Thanks for shopping with our company now Your order is on process at

present You will receive more info in the next message

BILLING DETAILS

Purchase Number Z643213424

Order Date 737 Wed Jul 07 2014

Customer Email myrick3llnlgov

Outright Purchase 3742 USD

Please see the invoice enclosed with this email to get more info about your

order

IMPORTANT

In case you cannot read the file do the following save it to your computer and

manually change an extension SCR (characters after dot) See the sample

name Ivoice7765116SCR

Then try again to open this

Attached file Ivoice6886066PFJ

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 37: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

37 CS13-053

Second Wave

To myrick3llnlgov

From addmechpartsru

Subject Payment_for_myrick3llnlgov

Date Fri 11 Jul 2014 154404 -0500

Thank you for placing order with us today Your order is now

on process

ORDER DETAILS Purchase Number D552845188

Order Date 1209 PM Wed July 11 2014

Customer Email myrick3llnlgov

Order Total 6889 USD Download your invoice

Please hit the link provided above to have more info about

this issue

httpswwwdropboxcomsi5dnimddh4d5xn5Invoice_161PDFscrdl=1

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 38: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

38 CS13-053

What Is This

ZbotZeus httpwwwsymanteccomsecurity_responsewriteupjspdocid=2010-011016-3514-99amptabid=2

TrojanZbot is created using a toolkit that is readily available on underground marketplaces used

by online criminals There are different versions available from free ones (often back doored

themselves) to those an attacker must pay up to $700 USD for in order to use These

marketplaces also offer other Zeus-related services from bulletproof hosting for CampC servers to

rental of already-established botnets

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 39: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

39 CS13-053

What Does It Do Downloaded file

Invoice_[2-3 digits]PDFscr [MD5 255819e2f28ee210479928517f676b30]

It drops a downloader exe in CUsers[userid]AppDataRoamingms[5 chars]exe [MD5 525de1b3ae058ca5d601bd54fa99315a]

Company Name Tpowersoft

File Description IMS Image Manipullation

Software File Version 1072 Internal

Name imm manip softw

Legal Copyright Copyright (C) 2013 Tpowersoft Original

Filename ims imagge

Product Name IMS Image Manipullation Software

Beacon IPs

http7812915398080warezcloaclaphp

http78129153118080warezcloaclaphp

IP Address Country Location Coordinates ISP Org

781291539 GB United

Kingdom

Europe

515

-013

Iomart

Hosting

Limited

RapidSwitch Ltd

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 40: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

40 CS13-053

New and Exciting Possibilities

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 41: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

41 CS13-053

LLNL Cyber Security

Warcopter

bull Why not do our

wardriving from the air

bull Lots of interesting

legalpolicy issues to

navigate

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 42: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

42 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 43: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

43 CS13-053

ldquoBig datardquo problems

bull Data fusion

Machine learning

Network mapping

bull NeMS

LLNL Cyber Security Research

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 44: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

44 CS13-053

How Can I Learn More

Host Forensics

File Forensics Malware Analysis

Computer

Network Defense Computer

Network Offense

Penetration Testing

Exploit Development CommandControl

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769

Page 45: A Glimpse Into the World of Cyber Security at LLNLsites.miis.edu/cyber/files/2015/06/LLNL-MIIS... · 2015-06-02 · Lawrence Livermore National Laboratory LLNL-PRES-663426 3 CS13-053

Lawrence Livermore National Laboratory LLNL-PRES-663426

45 CS13-053

Thank You For Your Time and Attention ldquoAmericarsquos economic prosperity in the 21 century will

depend on cyber securityrdquo (President Barack Obama)

ldquoItrsquos not what happens to you but how you react to it that mattersrdquo (Epictetus Greek Philosopher)

Matthew Myrick myrick3llnlgov (925)422-0361

John Donaldson

donaldson8llnlgov

(925) 423-8562

Jim Klopchic klopchic1llnlgov (925) 424-2769