![Page 1: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/1.jpg)
UNCLASSIFIED
UNCLASSIFIED
Kansas City Terrorism Early WarningKansas City Terrorism Early WarningInter Agency Analysis CenterInter Agency Analysis CenterCyber Threat Information ProgramCyber Threat Information Program
Missouri City/CountyMissouri City/County
Manager’s AssociationManager’s Association
CYBER BRIEFINGCYBER BRIEFING
May 7, 2015May 7, 2015
![Page 2: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/2.jpg)
UNCLASSIFIED
UNCLASSIFIED
Recent Cyber EventsRecent Cyber Events
• South Carolina DOR. – 3.6 million SSNs stolen and tax returns exposed. – ( Direct Cost = $14 million, User fraud loss = $5.2 Billion)
• Shamoon (aka: Wiper) – Steals credentials wipes boot record from 30,000 to 50,000 computers at Saudi Aramco and RasGas.
• Banking DDOS against JP Morgan/Chase, PNC, Wells Fargo, Bank Of America. Total of 8 banks attacked.
![Page 3: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/3.jpg)
UNCLASSIFIED
UNCLASSIFIED
Recent Cyber EventsRecent Cyber Events
• TARGET ( 40 MILLION credit cards) and other retailers.
• City of Wichita ( > 60,000 vendor financial records)
• 14 banks, 12 cities and 10 police departments disabled during the Ferguson unrest.
![Page 4: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/4.jpg)
![Page 5: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/5.jpg)
![Page 6: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/6.jpg)
![Page 7: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/7.jpg)
UNCLASSIFIED
UNCLASSIFIED
VIDEO 1
![Page 8: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/8.jpg)
UNCLASSIFIED
UNCLASSIFIED
So What ?So What ?• Computer network exploitation by threat
actors enables:• Massive financial losses• Degradation/disruption of services• Extortion• Intellectual property theft
• Counterfeiting• Theft of proprietary data
• Identity theft (personally identifiable information)• Access to credit• Loss of money and credibility
![Page 9: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/9.jpg)
UNCLASSIFIED
UNCLASSIFIED
AgendaAgenda
• Threat Landscape• Actors (Bad Guys)• Attack types (Bad Stuff that Bad Guys do)• Vulnerabilities (The things that Bad guys
attack)
• Cyber Threats and Trends (The Future)• What Can You Do ?
![Page 10: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/10.jpg)
UNCLASSIFIED
UNCLASSIFIED
EVALUATE YOUR RISKEVALUATE YOUR RISK..
THREAT + VULNERABILITY THREAT + VULNERABILITY + CONSEQUENCE+ CONSEQUENCE
==RISKRISK
![Page 11: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/11.jpg)
UNCLASSIFIED
UNCLASSIFIED
CYBER THREAT CYBER THREAT LANDSCAPELANDSCAPE
![Page 12: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/12.jpg)
UNCLASSIFIED
UNCLASSIFIED
Cyber Threat LandscapeCyber Threat Landscape
• Cyber Threat Actors• State Sponsored• Terrorist/Violent Extremists• Insider Threat• Hackers• Hacktivists• Criminals / Organized Crime
![Page 13: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/13.jpg)
UNCLASSIFIED
UNCLASSIFIED
Hacker Evolution
![Page 14: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/14.jpg)
UNCLASSIFIED
UNCLASSIFIED
Hacker Evolution
![Page 15: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/15.jpg)
UNCLASSIFIED
UNCLASSIFIED
Hacker Evolution
![Page 16: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/16.jpg)
UNCLASSIFIED
UNCLASSIFIED
Cyber Threat MotivationsCyber Threat Motivations
• Notoriety• Political Statement• Money – Banks, Credit Cards,
Extortion, etc.• Intellectual Property / Trade Secrets• Information for Negotiating Positions
(competitive advantage)• Infrastructure Attack – Terrorism
![Page 17: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/17.jpg)
UNCLASSIFIED
UNCLASSIFIED
Nation-State Terrorists Insiders Hackers Hacktivists CriminalsCommercial Espionage
Fun/Curiosity/Ego XMoney X X X X X Retaliation/ retribution X X X Political Statement X X Intellectual Property X X X XNegotiation Information X X
Deny, Disrupt, Degrade, Destroy X X X X
Cyber Threat Cyber Threat Motivations (Intent)Motivations (Intent)
![Page 18: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/18.jpg)
UNCLASSIFIED
UNCLASSIFIED
Cyber TargetsCyber Targets• Government Networks
• Federal• State• Local• Tribal and Territorial
• Critical Infrastructure and Key Resources (CIKR) Networks• Over 85% owned by private sector• Industrial Control Systems/SCADA• Embedded systems
• Business and Home Networks
![Page 19: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/19.jpg)
UNCLASSIFIED
UNCLASSIFIED
Cyber ThreatsCyber Threats
• Supply Chain Exploitation• Cyber exploitation, manipulation, diversion, or
substitution of counterfeit, suspect, or fraudulent items impacting US CIKR
• Disruption• Distributed Denial of Service (DDOS) attack (effort
to prevent site or service from functioning efficiently or at all, temporarily or indefinitely)
• Cyber Crime• Criminals seeking sensitive, protected information
for financial gain
![Page 20: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/20.jpg)
UNCLASSIFIED
UNCLASSIFIED
• Corporate Espionage• Threat actors targeting US companies to gather
intelligence and sensitive corporate data for competitive advantage
• Advanced Persistent Threat • Stealthy, coordinated cyber activity over long period of
time directed against political, business, and economic targets
• Industrial Control Systems/SCADA• Threat actors disrupt ICS/SCADA based processes
Cyber ThreatsCyber Threats
![Page 21: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/21.jpg)
UNCLASSIFIED
UNCLASSIFIED 21
Devices, Systems and NetworksDevices, Systems and Networks
• Desktops/Laptops• OS/App
• Servers• OS/App
• Printers• Routers• VPN• DNS system
• PSAPS• Public Notification
Systems• Mobile devices• Household appliances
• Televisions• Refrigerators• Baby monitors
![Page 22: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/22.jpg)
UNCLASSIFIED
UNCLASSIFIED
Embedded SystemsEmbedded Systems
22
Computers built into other systems
Examples:
• Digital X-ray Machines, Medical Devices• Computer Controlled Industrial Equipment• Automobiles• ATMs• Printer/copier/fax machines
The underlying computer is likely to have unpatched vulnerabilities because it is not on the System Administrators list of “computers,” or the system must be upgraded by the vendor.
![Page 23: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/23.jpg)
UNCLASSIFIED
UNCLASSIFIED
Industrial Control Systems (ICS)Industrial Control Systems (ICS)
23
Controls processes such as manufacturing, product handling, production, and distribution. Industrial
Control Systems includeSupervisory Control and Data Acquisition systems
(SCADA).
Examples Robotic assembly lines Water treatment Electric Power Grid Building controls
![Page 24: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/24.jpg)
UNCLASSIFIED
UNCLASSIFIED
Internet Connected CommunicationsInternet Connected Communications
Communications systems that are not typically considered computer networks that are, none the less, connected to external networks such as the Internet.
Examples: • Telephone switching – PBX, VOIP• Emergency notification systems• First responder communications (Trunked
voice/data terminals)
![Page 25: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/25.jpg)
UNCLASSIFIED
UNCLASSIFIED
Targeting and Attack Targeting and Attack TechniquesTechniques
• Social engineering
• Spear phishing
• Spoofing e-mail accounts
• Exploiting vulnerabilities
• Malware
• Downloaders, Trojans, Keyloggers, etc.
• External memory devices (USB)
• Supply-chain exploitation
• Leveraging trusted insiders
• Denial of Service
• Mobile Device Attacks
![Page 26: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/26.jpg)
UNCLASSIFIED
UNCLASSIFIED
Advanced Persistent Threat (APT)Advanced Persistent Threat (APT)
• Category of cyber attack against political, business, or economic targets
• Federal agencies
• State agencies
• City governments
• Commercial and non-profit organizations
• Actors use full spectrum of computer intrusion techniques and technology
• Characterized by focus on specific information objectives rather than immediate financial gain
• Stealthy, coordinated, focused activity over a long period of time
Operators are skilled, motivated, organized, well-funded
![Page 27: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/27.jpg)
UNCLASSIFIED
UNCLASSIFIED
Advanced Persistent Threat (APT)Advanced Persistent Threat (APT)
• Information objectives include:• Gov’t policy/planning
• Corporate proprietary data
• Contract data
• International meetings (G20, IMF, Climate Change)
• Sabotage
• Espionage
• Use of compromised computers as intermediate hop points in future compromises
![Page 28: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/28.jpg)
UNCLASSIFIED
UNCLASSIFIED
Advanced Persistent Threat (APT)Advanced Persistent Threat (APT)
Methodology
• Reconnaissance
• Initial intrusion into network
• Establish backdoor into the network
• Obtain user credentials (login ID, passwords)
• Escalate privileges, move laterally through the network
• Search for and exfiltrate data
• Maintain persistence
![Page 29: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/29.jpg)
UNCLASSIFIED
UNCLASSIFIED
Advanced Persistent Threat (APT)Advanced Persistent Threat (APT)
Examples of APT in open reporting• Operation Aurora – Damballa
• Finance, Technology, Media – 30+ Countries
• LURID APT – Trend Micro
• Diplomatic, Government, Space-related agencies and companies – 61 Countries
• Nitro – Symantec
• Gas, Oil, Energy, Chemical Sectors – 8 countries
• Shady Rat – Symantec
• Governments, corporations, nonprofits, 14 countries
• FLAME – Kaspersky
• Mid-eastern countries
![Page 30: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/30.jpg)
UNCLASSIFIED
UNCLASSIFIED
VIDEO 2
![Page 31: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/31.jpg)
UNCLASSIFIED
UNCLASSIFIED
Cyber Threats and Trends
![Page 32: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/32.jpg)
UNCLASSIFIED
UNCLASSIFIED
TrendsTrends
• ENORMOUS increase in Cyber Attacks/Crime both in numbers and sophistication.• State sponsored attacks likely to increase. (Cyber Warfare
is real now.)• Cyberweapon toolkits are common place utilized by not
only state sponsored attackers, but by any entity with medium/high skills.
• Cyber Crime As a Service is a full fledged business model.• Anyone can use point and click services to deliver a
devastating attack.
![Page 33: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/33.jpg)
UNCLASSIFIED
UNCLASSIFIED
TrendsTrends
Nation-States That Have DeclaredNation-States That Have Declared OffensiveOffensive Cyber Capability Cyber Capability
• Iran
• India
• UK
• China
• Russia
• U.S.A.
• Australia
• Italy
• France
• Syria
• Germany
• Israel
![Page 34: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/34.jpg)
UNCLASSIFIED
UNCLASSIFIED
TrendsTrends
Hactivists / Jihadists• Alliances with ideologically similar
groups• More Skilled• More Organized• More Aggressive• More of them
![Page 35: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/35.jpg)
UNCLASSIFIED
UNCLASSIFIED
TrendsTrends
Cyber Criminals• Can occasionally approach the
sophistication if not the endurance of State sponsored attackers
• Adding much more emphasis to mobile devices.
• Adds a physical dimension to the Cyber realm.
![Page 36: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/36.jpg)
UNCLASSIFIED
UNCLASSIFIED
TrendsTrends
Shift in targeting preferencesShift in targeting preferences• State / Local
• State networks• Local Municipalities / Agencies
• FD, PD, Cities, NGOs• Universities, Colleges, Votech• Businesses
![Page 37: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/37.jpg)
UNCLASSIFIED
UNCLASSIFIED
COMMONCOMMONATTACK TYPES /ATTACK TYPES /
MITIGATION MITIGATION STRATEGIESSTRATEGIES
![Page 38: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/38.jpg)
UNCLASSIFIED
UNCLASSIFIED
Attacks from outside the Attacks from outside the firewallfirewall
![Page 39: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/39.jpg)
UNCLASSIFIED
UNCLASSIFIED
Big Three Most Common Attacks
DDoS – Distributed Denial of ServiceDDoS – Distributed Denial of Service
SQL-I - Structured Query Language SQL-I - Structured Query Language InjectionInjection
DefacementsDefacements
![Page 40: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/40.jpg)
UNCLASSIFIED
UNCLASSIFIED
Commonly Seen Commonly Seen AttacksAttacks
Attack Type (TTP – Tactics, Techniques, Procedures) What is it?Who uses them?Preferred targets?Consequences?Prevention / Mitigation.
![Page 41: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/41.jpg)
UNCLASSIFIED
UNCLASSIFIED
Distributed Denial of Service Distributed Denial of Service (DDoS)(DDoS)
WHAT IS IT?WHAT IS IT?
A DDOS attack tries to render a website either inoperable or inaccessible by using large numbers of computers sending overwhelming numbers of requests at a computer.
The target can become so busy trying to answer bogus requests that it cannot answer valid user requests and the website is unusable.
![Page 42: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/42.jpg)
UNCLASSIFIED
UNCLASSIFIED
Distributed Denial of Service Distributed Denial of Service (DDoS)(DDoS)
WHO USES IT ?WHO USES IT ?Used to be well resourced adversaries
(state sponsored, cyber crime enterprise)
More recently seen from Hactivists, (Anonymous Affiliates)
Anyone with $200 - $800 can rent a botnet with 10,000 computers for a day to attack anyone.
![Page 43: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/43.jpg)
UNCLASSIFIED
UNCLASSIFIED
Distributed Denial of Service Distributed Denial of Service (DDoS)(DDoS)
Examples?Examples?During unrest associated with Ferguson
MO shooting.15 Banking institutions State, Counties, Cities, Police
departments (at least 12)Educational institutions
![Page 44: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/44.jpg)
UNCLASSIFIED
UNCLASSIFIED
Distributed Denial of Service Distributed Denial of Service (DDoS)(DDoS)
PreventionPreventionCan’t be prevented – Plan for itCan’t be prevented – Plan for it
Establishing connections with multiple ISPs.Establishing connections with multiple ISPs.
Ensure that service level agreements (SLA) Ensure that service level agreements (SLA) with ISPs contain provisions for DDoS with ISPs contain provisions for DDoS prevention (such as IP address rotation)prevention (such as IP address rotation)
Assure the network has redundant systems Assure the network has redundant systems and sufficient excess capacityand sufficient excess capacity
![Page 45: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/45.jpg)
UNCLASSIFIED
UNCLASSIFIED
Distributed Denial of Service Distributed Denial of Service (DDoS)(DDoS)
PreventionPrevention• Enable rate limiting at the network perimeterEnable rate limiting at the network perimeter• Create backup remote site networks with Create backup remote site networks with
multiple address capabilitymultiple address capability• Segment web services across multiple Segment web services across multiple
machines and networksmachines and networks• Host public facing websites with ISPs having Host public facing websites with ISPs having
capability to withstand significant DDoS attackscapability to withstand significant DDoS attacks
![Page 46: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/46.jpg)
UNCLASSIFIED
UNCLASSIFIED
Distributed Denial of Service Distributed Denial of Service (DDoS)(DDoS)
MITIGATIONMITIGATIONExecuting ISP address rotationExecuting ISP address rotation
Block source IP addresses that are generating Block source IP addresses that are generating DDoS traffic at the network boundary or within DDoS traffic at the network boundary or within the ISP infrastructurethe ISP infrastructure. . ( DDoS attacks can come ( DDoS attacks can come from tens of thousands of addresses that rotate from tens of thousands of addresses that rotate randomly, making this strategy difficult to implement.)randomly, making this strategy difficult to implement.)
Acquire increased bandwidth from the ISP Acquire increased bandwidth from the ISP (This (This solution is limited by your own servers ability to handle solution is limited by your own servers ability to handle the increased traffic.)the increased traffic.)
![Page 47: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/47.jpg)
![Page 48: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/48.jpg)
UNCLASSIFIED
UNCLASSIFIED
SQL Injection (SQL-I)SQL Injection (SQL-I)
WHAT IS IT?WHAT IS IT?A form of attack on a database-driven Web site A form of attack on a database-driven Web site
in which the attacker executes unauthorized in which the attacker executes unauthorized SQL commands by taking advantage of SQL commands by taking advantage of insecure bypassing the firewall.insecure bypassing the firewall.
Used to steal information Used to steal information from a database from a database and/or to gain access to an organization's and/or to gain access to an organization's host computers through the computer that is host computers through the computer that is hosting the database.hosting the database.
![Page 49: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/49.jpg)
UNCLASSIFIED
UNCLASSIFIED
SQL Injection (SQL-I)SQL Injection (SQL-I)
Who uses it?Who uses it?State sponsored, cyber criminals, State sponsored, cyber criminals,
Hackers, Hacktivists, Jihadists, Hackers, Hacktivists, Jihadists, Anonymous, script-kiddiesAnonymous, script-kiddies
Very effective tools are freely availableVery effective tools are freely available
Recipes for finding targets (call google Recipes for finding targets (call google dorks) are all over the open internet.dorks) are all over the open internet.
![Page 50: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/50.jpg)
UNCLASSIFIED
UNCLASSIFIED
SQL Injection (SQL-I)SQL Injection (SQL-I)
Local Examples?Local Examples?KCKPDKCKPD
Release of Accident records and Release of Accident records and related personal informationrelated personal information
WichitaWichitaRelease of vendor/personal financial Release of vendor/personal financial
informationinformation
![Page 51: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/51.jpg)
UNCLASSIFIED
UNCLASSIFIED
SQL Injection (SQL-I)SQL Injection (SQL-I)
PreventionPreventionLimit databased services Limit databased services
Assure all applications and operating systems are Assure all applications and operating systems are patched to current levelpatched to current level
Keep an eye for announced vulnerabilities Keep an eye for announced vulnerabilities
Dynamic monitoring at the firewall or application Dynamic monitoring at the firewall or application serverserver
Threat detection servicesThreat detection services
Applications configuration security ( Passwords )Applications configuration security ( Passwords )
![Page 52: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/52.jpg)
UNCLASSIFIED
UNCLASSIFIED
SQL Injection (SQL-I)SQL Injection (SQL-I)
MITIGATIONMITIGATIONWatch for “breach” announcementsWatch for “breach” announcements
Notification processNotification process
Prevent further breaches (turn off access till Prevent further breaches (turn off access till it’s fixed)it’s fixed)
Aggressively pursue disclosuresAggressively pursue disclosures
Where applicable, get outside help (FBI, DHS, Where applicable, get outside help (FBI, DHS, USSS, Commercial services)USSS, Commercial services)
![Page 53: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/53.jpg)
UNCLASSIFIED
UNCLASSIFIED
DEFACEMENTDEFACEMENT
WHAT IS IT?WHAT IS IT?Any unauthorized changes made to Any unauthorized changes made to
the appearance of either a single the appearance of either a single webpage, or an entire site. In webpage, or an entire site. In some cases, a website is some cases, a website is completely taken down and completely taken down and replaced by something new.replaced by something new.
![Page 54: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/54.jpg)
UNCLASSIFIED
UNCLASSIFIED
DEFACEMENTDEFACEMENT
Who uses it?Who uses it?Plethora of JihadistsPlethora of Jihadists
““Anonymous” AffiliatesAnonymous” Affiliates
Syrian Electronic ArmySyrian Electronic Army
POH (Plain old hackers)POH (Plain old hackers)
![Page 55: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/55.jpg)
UNCLASSIFIED
UNCLASSIFIED
DEFACEMENTDEFACEMENT
Examples?Examples?Akron OHAkron OH
Marines.comMarines.com
HuffingtonHuffington
MO.GOVMO.GOV
Check out Check out www.zone-h.comwww.zone-h.com (database of 180,000)(database of 180,000)
![Page 56: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/56.jpg)
![Page 57: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/57.jpg)
![Page 58: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/58.jpg)
![Page 59: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/59.jpg)
UNCLASSIFIED
UNCLASSIFIED
DEFACEMENTDEFACEMENT
Prevention / MitigationPrevention / MitigationKeep Server systems and CMS apps up-to-Keep Server systems and CMS apps up-to-
datedate
Better passwordsBetter passwords
Don’t share system accounts outside Don’t share system accounts outside organizationorganization
Reputation monitoring servicesReputation monitoring services
Good backupsGood backups
![Page 60: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/60.jpg)
UNCLASSIFIED
UNCLASSIFIED
Attacks That GetAttacks That GetThrough The FirewallThrough The Firewall
![Page 61: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/61.jpg)
UNCLASSIFIED
UNCLASSIFIED
APT – The Really Bad Stuff• Computer network exploitation by threat
actors enables:• Massive financial losses• Degradation/disruption of services• Extortion• Intellectual property theft
• Counterfeiting• Theft of proprietary data
• Identity theft (personally identifiable information)• Access to credit• Loss of money and credibility
![Page 62: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/62.jpg)
UNCLASSIFIED
UNCLASSIFIED
Computer Network Exploitation
(Try to stay on the left side
of the Cyber “Kill Chain”)
The Bad Guys are INSIDE the computer now.
![Page 63: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/63.jpg)
UNCLASSIFIED
UNCLASSIFIED
Spear-PhishingSpear-Phishing
• Targeted e-mails containing malicious attachments or links
• E-mails forged to look as if they came from a legitimate source and have a subject that the victim is likely to open.
• Target e-mail addresses can be harvested from Web sites, social networks, etc.
• Targeting of CEOs, executives is called “whaling”.
63
![Page 64: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/64.jpg)
UNCLASSIFIED
UNCLASSIFIED 64
Sample Phishing WebsiteSample Phishing Website
(Via fsecure.com)
![Page 65: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/65.jpg)
UNCLASSIFIED
UNCLASSIFIED 65
Sample Phishing WebsiteSample Phishing Website
(Via fsecure.com)
Compromised police academy server in India
![Page 66: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/66.jpg)
UNCLASSIFIED
UNCLASSIFIED 66
(Via nytimes.com)
![Page 67: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/67.jpg)
UNCLASSIFIED
UNCLASSIFIED
PreventionConstant EducationConstant Education
Information Sharing between agenciesInformation Sharing between agencies
OPSECOPSEC
Cyber HygieneCyber Hygiene
PASSWORDS!!!!!!!!!!!!!PASSWORDS!!!!!!!!!!!!!
Response plansResponse plans
Cyber Tabletop ExercisesCyber Tabletop Exercises
Test Your CapabilitiesTest Your Capabilities
Figure Out Roles and ResponsibilitiesFigure Out Roles and Responsibilities
![Page 68: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/68.jpg)
UNCLASSIFIED
UNCLASSIFIED
What is your plan?
How to recover?WHO ?COST ?
How to mitigateCRITICAL SERVICES
How to deal with the publicPUBLIC CONFIDENCELIABILITY
![Page 69: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/69.jpg)
UNCLASSIFIED
UNCLASSIFIED
EVALUATE YOUR RISKEVALUATE YOUR RISK..
THREAT + VULNERABILITY THREAT + VULNERABILITY + CONSEQUENCE+ CONSEQUENCE
==RISKRISK
![Page 70: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/70.jpg)
UNCLASSIFIED
UNCLASSIFIED
WHO CAN YOU CALL?WHO CAN YOU CALL?Fusion Center:
KC Regional Terrorism Early WarningCyber Threat Intelligence Program
[email protected](816) 413-3588
Missouri Information Analysis Center
St Louis Terrorism Early Warning
![Page 71: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/71.jpg)
![Page 72: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/72.jpg)
UNCLASSIFIED
UNCLASSIFIED
![Page 73: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/73.jpg)
OR
ID
NV
WY
MTND
SD
UT
WA
CO
NE
MN
KS
OKNMAZ
TX
AR
LA
AL GA
FL
TN NC
SC
MSSoutheast Regional Coordinator – Heather Perez (CFIX)
Western Regional Coordinator - Dana Kilian - NCRIC
AK
CA
Troy Campbell – Co-Chair – KCTEWDevin King – Co-Chair – LA-SAFE
National Capital Regional Coordinator - Fleming Campbell (WRTAC)
WI
IA
MO
ILIN
MI
ME
KY
OH
VAWV
PA
NY
NJ
NHMA
RI
MD
CT
DE
VT
DC
Northeast Regional Coordinator - Brett Paradis (CTIC)
Midwest Regional Coordinator – Kelley Goldblatt (MC3)
Central Regional Coordinator - John Burrell - MATIC
NFCA Cyber Intelligence Network (CIN)
![Page 74: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/74.jpg)
UNCLASSIFIED
UNCLASSIFIED
WHO CAN YOU CALL?WHO CAN YOU CALL?
The Department of Homeland Security (DHS)The Department of Homeland Security (DHS)The National Cybersecurity & Communications The National Cybersecurity & Communications
Integration Center (NCCIC) Integration Center (NCCIC)
The U.S. Computer Emergency Readiness Team (US-The U.S. Computer Emergency Readiness Team (US-CERT) CERT)
The Industrial Control Systems Cyber Emergency The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) Response Team (ICS-CERT)
The National Coordinating Center for The National Coordinating Center for Telecommunications (NCCTelecommunications (NCC)
74
![Page 75: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/75.jpg)
UNCLASSIFIED
UNCLASSIFIED
WHO CAN YOU CALL?WHO CAN YOU CALL?
The USSS – US SECRET SERVICEThe USSS – US SECRET SERVICEYour Nearest field office usually has a Your Nearest field office usually has a
local Electronic Crimes Task Forcelocal Electronic Crimes Task Force
Has Critical Incident Response TeamsHas Critical Incident Response Teams
75
![Page 76: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/76.jpg)
UNCLASSIFIED
UNCLASSIFIED
WHO CAN YOU CALL?WHO CAN YOU CALL?
The Federal Bureau of The Federal Bureau of Investigations (FBI)Investigations (FBI)Your Local FBI Cyber Division Your Local FBI Cyber Division
FBI CyWatch FBI CyWatch
FBI Critical Incident Response Group FBI Critical Incident Response Group (CIRG) Strategic Information and (CIRG) Strategic Information and Operations Center (SIOC) Operations Center (SIOC)
76
![Page 77: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/77.jpg)
UNCLASSIFIED
UNCLASSIFIED
WHO CAN YOU CALL?WHO CAN YOU CALL?
KC Regional Terrorism Early WarningCyber Threat Intelligence Program
[email protected](816) 413-3588
![Page 78: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/78.jpg)
UNCLASSIFIED
UNCLASSIFIED
Discussion
![Page 79: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/79.jpg)
UNCLASSIFIED
UNCLASSIFIED
ContactContact::
Troy CampbellTroy CampbellKCTEWKCTEW
Cyber Threat Intelligence Cyber Threat Intelligence ProgramProgram
[email protected]@kcpd.org
(816) 413-3588(816) 413-3588
![Page 80: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/80.jpg)
![Page 81: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/81.jpg)
![Page 82: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/82.jpg)
UNCLASSIFIED
UNCLASSIFIED
Cyber Information Sharing Cyber Information Sharing IssuesIssues
![Page 83: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/83.jpg)
UNCLASSIFIED
UNCLASSIFIED
Cyber Information Sharing –A Challenging Process
![Page 84: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association](https://reader038.vdocuments.net/reader038/viewer/2022102718/56649d795503460f94a5c082/html5/thumbnails/84.jpg)
UNCLASSIFIED
UNCLASSIFIED
Issues in IntelligenceIssues in IntelligenceInformation SharingInformation Sharing
• No Cross Community Standards• Formats• Flow Paths
• Classification Downgrades• Identity requests• Standard terminology• Two-way information Flows