Espionage & The Law

Post on 12-Feb-2022


TRANSCRIPT

Espionage & The Law

Speakers

Jarrett Kolthoff, President / CEO, SpearTip
email: [email protected] | @SpearTipCyberCI | web: speartip.com

Jarrett Kolthoff, President / CEO of SpearTip, has 20 years of experience in the Information Security field. As a former Special Agent – U.S. Army Counterintelligence, he has experience in cyber investigations, counterintelligence, and Fusion Cell analysis that assist SpearTip’s clients to identify, assess, neutralize, and exploit threats leveled against their corporation. His civil case work includes investigations in anti-trust lawsuits, embezzlement, collusion, theft of intellectual property, and corporate espionage. He has testified in civil cases as an expert computer forensic witness in depositions in the U.S. Federal Court – Eastern District of Missouri, and has acted as a liaison between companies and law enforcement agencies.

Board Member, National Forensic Science Technology Center (NFSTC)

Adjunct Professor, Washington University in St. Louis – Cyber Security Master’s Program

Member, Association of Former Intelligence Officers (AFIO)

Member, Espionage Research Institute International (ERII)

Board Member & Past-President, St. Louis InfraGard Chapter

Board Member & Past-President, St. Louis Chapter of the International High Technology Crime Investigation Association (HTCIA)

Shawn Tuma
email: [email protected] | @shawnetuma | blog: shawnetuma.com | web: brittontuma.com

Shawn Tuma is a lawyer whose practice is focused on cutting-edge cyber and information law and includes issues like helping businesses defend their data and intellectual property against computer fraud, data breaches, hacking, corporate espionage, and insider theft. Shawn stays very active in the cyber and information law communities:

Chair, Collin County Bar Association Civil Litigation & Appellate Law Section

College of the State Bar of Texas

Privacy and Data Security Committee of the State Bar of Texas

Computer and Technology, Litigation, Intellectual Property Law, and Business Sections of the State Bar of Texas

Information Security Committee of the Section on Science & Technology Committee of the American Bar Association

Social Media Committee of the American Bar Association

North Texas Crime Commission, Cybercrime Committee

International Association of Privacy Professionals

The information provided is for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation.

Outline – Cyber Counterespionage: Competitive & State-Sponsored Threats

• Emerging Threats / Market Analysis
• Insider Threats
• Malware Analysis
• Fusion Cell Analysis
• Espionage Case Studies
• Computer Fraud & Abuse Act
• Federal and Texas Law

Emerging Threats – Hacking Groups

Rapidly Emerging Underground Industry (Several Examples Of Successful Large Scale Operations)

• Organization: High
• Capability: High
• Intent
  • “Hacktivism”
  • Financial / Political Gain
  • Terrorist Organization Funding

Specialization – Forensics, Intrusion, Malware Analysis

U.S. DOJ – OIG Audit Division, April 2011

• Compares Technical vs. Counterintelligence
• Proper Use of Fusion Cell Analysis
• Practical Experience Over Just Training
• Intrusion Cases vs. Other Cyber Crimes

Office of the National Counterintelligence Executive

• Report to Congress on Foreign Economic / Industrial Espionage
  • Governments of China & Russia
  • “Hacktivist” – Political & Social Agendas
  • Theft of Intellectual Property & Dual Use Technology

Forrester Research – Value of Corporate Secrets

• Current Data Security Strategies
  • Identify the Most Valuable Information Assets
  • Create a “Risk Register” – Compliance / Corporate Secrets
  • Assess Balance Between Compliance & Protecting Secrets
• Establish Baseline
  • Reprioritize Enterprise Security Investment
  • Increase 3rd Party Vigilance
  • Measure Effectiveness – Key Performance Indicators (KPIs) and “Audit the Auditor”

U.S. Intelligence Community – NON-CYBER COLLECTION EFFORTS

• Requests for Information (RFI). Foreign collectors make unsolicited direct and indirect requests for information via personal contacts, telephone, e-mail, fax, and other forms of communication and often seek classified, sensitive, or export-controlled information.

• Solicitation or Marketing of Services. Foreign companies seek entrée into US firms and other targeted institutions by pursuing business relationships that provide access to sensitive or classified information, technologies, or projects.

• Conferences, Conventions, and Trade Shows. These public venues offer opportunities for foreign adversaries to gain access to US information and experts in dual-use and sensitive technologies.

• Official Foreign Visitors and Exploitation of Joint Research. Foreign government organizations, including intelligence services, use official visits to US Government and cleared defense contractor facilities, as well as joint research projects between foreign and US entities, to target and collect information.

• Foreign Targeting of US Visitors Overseas. Whether traveling for business or personal reasons, US travelers overseas (businesspeople, US Government employees, and contractors) are routinely targeted by foreign collectors, especially if they are assessed as having access to some sensitive information.

• Open Source Information. Foreign collectors are aware that much US economic and technological information is available in professional journals, social networking and other public websites, and the media.

Fusion Cell Analysis – Insider Threat

• Building Diverse Team – Tech/JD/GRC/Biz/Linguist
• HUMINT / Network & Host Forensic / OSINT / TSCM
• Combination of disk forensics and memory forensics can paint a more complete picture.
• Time-Event Charts / Association Matrices / Link Analysis
• Analysis of Diverse Data – Mature Methodology

Malware Analysis

• Contains information that may not be found on disk
• Can locate keyloggers running on the system
• Can reveal malware that may not leave traces on disk
• Attackers making more use of “on the fly” memory modifications to foil disk forensics and antivirus
• Lsass.exe was trying to talk within the network environment on port 6666 (Process Injection)
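As an added example (not from the slides or from SpearTip), the Python hunt below encodes the lsass.exe case above: a baselined system process seen talking to a port outside its expected set is flagged as a possible injection. The connection telemetry and the per-process port allowlist are constructed assumptions to tune per environment.

```python
"""Flag a system process that should not be initiating network traffic.
Page's case: lsass.exe talking inside the network on TCP 6666, a symptom of
injected code. Sample telemetry and the port allowlist are constructed."""

# Constructed sample, one socket per line (netstat -b / Sysmon Event ID 3 style):
# pid,image,proto,local_addr:port,remote_addr:port,state
SAMPLE_CONNECTIONS = """\
712,lsass.exe,tcp,10.0.5.21:49712,10.0.5.10:88,ESTABLISHED
712,lsass.exe,tcp,10.0.5.21:49800,10.0.5.10:389,ESTABLISHED
712,lsass.exe,tcp,10.0.5.21:49911,10.0.5.77:6666,SYN_SENT
4120,chrome.exe,tcp,10.0.5.21:50120,93.184.216.34:443,ESTABLISHED
880,svchost.exe,udp,0.0.0.0:5355,*:*,LISTENING
"""

# Assumed baseline: remote ports lsass.exe legitimately uses toward a domain
# controller (Kerberos, LDAP, LDAPS, kpasswd, global catalog). Tune per site.
EXPECTED_REMOTE_PORTS = {"lsass.exe": {88, 389, 636, 464, 3268, 3269}}

def parse_connections(text):
    """Parse telemetry lines into dicts; blank lines are skipped."""
    fields = ("pid", "image", "proto", "local", "remote", "state")
    rows = []
    for line in text.splitlines():
        if line.strip():
            rec = dict(zip(fields, line.split(",")))
            rec["pid"] = int(rec["pid"])
            rec["image"] = rec["image"].lower()
            rows.append(rec)
    return rows

def remote_port(rec):
    """Numeric remote port, or None for wildcard/listening sockets."""
    port = rec["remote"].rpartition(":")[2]
    return int(port) if port.isdigit() else None

def find_injected_candidates(conns):
    """Connections where a baselined process talks to a port outside its baseline.
    Returns (pid, image, remote, state) tuples; listeners are ignored."""
    hits = []
    for c in conns:
        allowed = EXPECTED_REMOTE_PORTS.get(c["image"])
        port = remote_port(c)
        if allowed is None or c["state"] == "LISTENING" or port is None:
            continue
        if port not in allowed:
            hits.append((c["pid"], c["image"], c["remote"], c["state"]))
    return hits

if __name__ == "__main__":
    for pid, image, remote, state in find_injected_candidates(parse_connections(SAMPLE_CONNECTIONS)):
        print(f"ALERT pid={pid} {image} -> {remote} ({state}): outside baseline, possible injection")
```

A hit is a lead for memory forensics of that process, not proof of injection on its own: confirm by comparing the in-memory image against the on-disk binary and listing injected or unbacked code regions.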

Cyber Threats

Introduction

It has become the industry standard, and a necessity for enterprises, to defend their external perimeter with the latest firewalls and most advanced intrusion prevention systems (IPS). Although these devices play an important role in any enterprise network, they all lack one crucial capability and functionality:

Cyber Pre-Attack Intelligence

• SpearTip has identified a number of organizations, consisting of loose networks of hackers, who communicate through forums, social networks and more established communities

• The following are individual analyses of the players identified in the context of cyber-attacks against financial institutions

Advanced Cyber Threat Detection – Analysis Summary

THE FOLLOWING INFORMATION WAS ETHICALLY COLLECTED WHILE CONDUCTING CYBER SOURCE OPERATIONS ON THOUSANDS OF CRIMINAL NETWORKS.

Cyber Counterintelligence provides the unique combination of up-to-date malware-related threat intelligence gathered from live botnets, correlated with an enterprise’s external IP addresses:

• Information Stealers
• Worms
• DDoS Malware
• Remote Access Tools
• Downloaders
• Spammers
• HTTP-Proxy Malware
• Exploit Kits (Currently Active)

Computer Fraud and Abuse Act – Federal Law, 18 U.S.C. § 1030

Computer Fraud = Fraud 2.0

• Deception, through the use of a computer
• “old crimes committed in new ways … using computers and the Internet to make the task[s] easier”
• computer hacking, data theft, theft of money, breaches of data security, corporate espionage, privacy breaches, computer worms, Trojan horses, viruses, malware, denial of service attacks
• mouse and keyboard = modern fraudster tools of choice

Who knows the percentage of businesses that suffered at least one act of computer fraud in the last year?

90% (Ponemon Institute Study)

The CFAA says: has a processor or stores data

“the term ‘computer’ means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but …”

IMPORTANT! “such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;”

What about . . .

The Fourth Circuit says:

“That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, . . . .”

– United States v. Kramer

The CFAA applies only to “protected” computers

Protected = connected to the Internet

This may limit the problem of applying it to alarm clocks, toasters, and coffee makers – for now?

Any situations where these devices are connected?

The CFAA: access of or transmission to a protected computer that is

• Without authorization, or
• Exceeds authorized access

Where the person accessing

• Obtains information
• Commits a fraud
• Obtains something of value
• Transmits damaging information
• Causes damage
• Traffics in passwords
• Commits extortion

More Federal Laws for Combating Fraud 2.0

• Electronic Communications Privacy Act – 18 U.S.C. § 2510
  • Wiretap Act – intercept communications
  • Stored Communications Act – comm. at rest
• Fraud with Access Devices – 18 U.S.C. § 1029
  • devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive through swipe cards
• Identity Theft – 18 U.S.C. § 1028

Texas Laws for Combating Fraud 2.0

• Breach of Computer Security Act (Tx. Penal Code § 33.02)
  • knowingly access a computer without effective consent of owner
• Notification Required Following Breach of Security of Computerized Data (Tex. Bus. Comm. Code sec. 521.053) amended by SB 1610 (eff. 6/14/13)
• Fraudulent Use or Possession of Identifying Info (TPC § 32.51)
• Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)
• Unlawful Access to Stored Communications (TPC § 16.04)
• Identity Theft Enforcement and Protection Act (BCC § 48.001)
• Consumer Protection Against Computer Spyware Act (BCC § 48.051)
• Anti-Phishing Act (BCC § 48.003)

• Welcome to the world of Cyber Espionage

• CFAA is very broad and covers all kinds of computer fraud (sometimes) – evolving!

• Data Breaches – be prepared – it will happen!

• Many other Federal and Texas laws also available for combating computer fraud

• Cyber Insurance
