FBI Cyber Presentation Andrew P. Dodd Special Agent Computer Intrusion Program FBI New Haven Field Office

Post on 01-Jan-2016



Best Practices

1. Logs are your “internet security cameras”
   – Point them at what matters!
   – Store them for a reasonable time
   – Study them to know what is normal
2. Know Your Systems
3. Accountability
4. Patches

ALL PART OF YOUR SECURITY POLICY


Threats on the Rise

• Advanced Persistent Threat (APT)
• Nation-States
• Long-term, unauthorized access to your network
• Hard to detect (impossible without logs)
• Prevention is great…DETECTION is a must
• Devastating consequences


APT Signs

• Five signs of APT attacks:
  • Abnormal logon activity (logs)
  • Widespread backdoor Trojans (logs)
  • Unexpected data flows (logs)
  • Discovering unexpected data bundles
  • Hacking tools left behind


Threats on the Rise

• Ransomware
  • Encrypts your data until you pay a fee to get it unlocked
  • Either securely back up your data, or pay the bad guys and pray…

• Man-in-the-Email
  • Customer needs urgent transfer of funds
  • Often the Financial Controller is tricked
  • Keep tabs on what you post online


Investigating Internationally

• What to do when the criminals operate exclusively beyond U.S. borders?
  – Have a law-firm on call (e.g. China)
  – FBI global law enforcement presence
    • FBI Legal Attaches (LEGAT)
      – Global coverage from more than 60 embassies
    • Interpol
    • Mutual Legal Assistance Treaties (MLAT)


Case Study

• Case began in June 2005 when an InfraGard member received a phishing e-mail from Peoples Bank
  – Member did not have an account with Peoples Bank and immediately recognized it as phishing

• A spoofed e-mail address and graphical images were created to look like the message was truly from Peoples Bank

• Phishing e-mail contained a link to a phishing web site unwittingly hosted in Minnesota


Romanian Phishing Case Study

• Unwitting owner of phishing web site provided copies of files used to produce the web site
  – From the scripts, it was determined that phished data was sent to an e-mail collector account, [email protected]
  – Search warrants and subpoenas to Yahoo! and various ISPs revealed a connection to Romania


Romanian Phishing Case Study

• Investigative assistance provided by Peoples Bank revealed numerous ATM withdrawals made in Romanian cities using phished data

• The LEGAT in Bucharest was brought into the investigation
  – The LEGAT worked closely with the Romanian National Police (RNP) in a joint investigation


Romanian Phishing Case Study

• Timeline
  – 06/2005 – case begins from e-mail receipt
  – 08/2005 – first of many search warrants issued
  – 01/2007 – Seven Romanians indicted in CT
  – 06/2007 – First arrest made in Bulgaria
  – November 10, 2010 – fourteen new indictments
  – Between December 2011 and November 2013, nine Romanians were arrested and extradited directly from Romania
  – 07/2014 – Last subject sentenced to 45 months


Romanian Phishing Case Study

• Results
  – 13 Arrests
    • 1 Bulgaria, 1 Canada, 1 Croatia, 9 Romania, 1 Sweden
    • None had ever been to the United States
  – 13 Extraditions from 5 different countries
  – 13 Convictions
    • 12 guilty pleas and 1 at trial
  – 13 Sentences ranging from 7 – 80 months
    • Average around 50 months
  – First extradition for computer crimes committed by someone who had never been to the U.S.
  – First extraditions directly from Romania of Romanian citizens


Reaching out to Law Enforcement

• Who
  • KNOW IN ADVANCE WHO YOU WILL CALL!!!
  • Call a known person
  • Calling publicly listed numbers is BAD PLANNING!
  • Verify at least annually your contact information

• What
  • Computer intrusions and Internet-crimes
  • Report regardless of loss
  • Share what you know


Reaching out to Law Enforcement

• Why
  – Because the security of the Internet is a global community concern
    • All of us need to work together on this
    • A secure Internet will boost every legitimate business
    • A non-secure Internet may knock out some competition, but the bottom line of the survivors will not reap the benefits that a secure Internet can provide


Reaching out to Law Enforcement

• Where
  • Location of intrusion
    • Where are the computers?
  • Location of subject
    • Often not known until deep into investigation
  • Company headquarters
    • Often better equipped to assist with investigation


Reaching out to Law Enforcement

• When
  – As soon as you can, however…
  – Collect as much information as you can before calling law enforcement
    • Once law enforcement becomes involved, restrictions on gathering evidence may attach
    • More information will help to determine if an investigation will be opened and what, if any, public exposure the victim may face


Reaching out to Law Enforcement

• How
  – However you had it planned
    • Work day, work hours
    • Work day, after hours
    • Weekend
    • Holiday
    • POC on vacation

Questions???

SA Andrew P. Dodd
203-503-5488
[email protected]