hac, hacs, an cbe k se - riga shipping...
TRANSCRIPT
Hac, Hacs, an Cbe k Se ...
Riga Shipping Dinner 2019
Ports have been hacked.
Not just the ports, but ships too.
What is it like to work a cyber incident?
Long days and weeks, often sleepless nights.
Coordination between multiple victims.
Usually the group you thought was the attacker is a victim too.
Tough choices about knowing when the intrusion has been cleaned up.
High pressure as the business is leaking money or data.
Shall we have a little demonstration?
“All risks are comparable, or at least they should be.” - Gordon Woo
Cyber risk should not be special here!
It needs to become comparable.
“Life can only be understood backwards; but it must be lived forwards.”
-Søren Kierkegaard
Start with your risk to others, not their risk to you.
What if IoCs are a historical record of hacker effort?
1. Binaries take time to produce (and reproduce).
2. Domains have to be bought, maintained, shut down.
3. Certificates have to be bought, keys generated…
4. IP addresses for exfiltration need to have listening sockets…
Money, time, team size, and yes… TALENT are encoded in their operational capacity.
APTs need infrastructure to operate, and that *is* quantifiable.
The simplest of metrics would be event count.
We can do much, much, better than this if we take this seriously as a research idea.
And we MUST!
Ok, but you have to be careful of sampling bias...maybe you detected more, because you focused more?
Were those the most prolific threats? Or the most tracked?
@ErwinKooi“Yo r im o f AP ’s ca t a d l in s p o r o l ow l u n t e n h i T .”
“All your heatmaps are belong to us.” -Richard Struse
But what if we abandon heatmaps and get quantitative?
Some open research questions...
How much:
Money
People
Time
Does it take for attackers to:
Change an IP Address
Spin up a new domain
Make a 1Kb Binary
Make a 500Mb Binary
Change a binary’s SHA1
Change a binary’s IMPHash
Some open^H^H^H^H quantifiable research questions...
How much money, people, and time does it take for attackers to:

| Action | Money | People | Time |
|---|---|---|---|
| Change an IP address | $4 | 1 | 8 seconds |
| Spin up a new domain | $20 | 1 | 30 seconds |
| Make a 1Kb binary | $5000 | 1-5 | 2 weeks |
| Make a 500Mb binary | $2500 | 1-2 | 1 week |
| Change a binary’s SHA1 | $0 | 1 | 90 seconds |
| Change a binary’s IMPHash | ??? | ??? | ??? |
Cost, people, and time, are distributions...
...but this is a proof of concept, so let’s pretend they are just constants for now.
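The two slides above give a constants table and then admit the real quantities are distributions. The following is an added example, not code from the talk, that does both: it sums the slide's constants over a timeline of observed IoC changes, then reruns the same sum with each constant replaced by a distribution. The sample timeline, the "people × time = labour" aggregation, the ±50% triangular spread and the `rank_actors` comparison are all assumptions made here for illustration; the IMPHash row is "???" on the slide, so events of that kind are reported as unmodelled rather than silently costed at zero.

```python
"""Estimate the attacker effort encoded in a timeline of IoC changes.

Added example; not code from the talk. The per-change constants are the
slide's values (money, headcount range, time). The sample timeline, the
"people x time = labour" aggregation and the +/-50% spread used in the
Monte Carlo step are assumptions made for illustration.
"""
import random

WEEK = 7 * 24 * 3600  # seconds

# (money_usd, people_min, people_max, seconds) per IoC change, from the slide.
# "Change a binary's IMPHash" is "???" on the slide, so it is left out and any
# such event is reported as unmodelled rather than silently costed at zero.
EFFORT_TABLE = {
    "change_ip":    (4.0,    1, 1, 8),
    "new_domain":   (20.0,   1, 1, 30),
    "binary_1kb":   (5000.0, 1, 5, 2 * WEEK),
    "binary_500mb": (2500.0, 1, 2, 1 * WEEK),
    "change_sha1":  (0.0,    1, 1, 90),
}

# Constructed IoC timeline for one hypothetical intrusion set (not real data).
SAMPLE_TIMELINE = (
    ["change_ip"] * 3 + ["new_domain"] * 2 + ["binary_1kb"]
    + ["change_sha1"] * 4 + ["change_imphash"]
)


def point_estimate(events):
    """Sum the slide's constants over observed IoC changes.

    Money and wall-clock seconds add up directly; labour is people x time,
    reported as a low/high range because the slide gives headcount ranges.
    """
    money = seconds = 0.0
    labour_lo = labour_hi = 0.0
    unmodelled = []
    for kind in events:
        row = EFFORT_TABLE.get(kind)
        if row is None:
            unmodelled.append(kind)
            continue
        usd, people_lo, people_hi, secs = row
        money += usd
        seconds += secs
        labour_lo += people_lo * secs
        labour_hi += people_hi * secs
    return {
        "money_usd": money,
        "seconds": seconds,
        "labour_lo": labour_lo,
        "labour_hi": labour_hi,
        "unmodelled": unmodelled,
    }


def _spread(rng, value):
    """Assumed +/-50% triangular spread around a slide constant (0 stays 0)."""
    if value == 0:
        return 0.0
    return rng.triangular(0.5 * value, 1.5 * value, value)


def simulate(events, trials=2000, seed=1):
    """Treat cost, headcount and time as distributions instead of constants.

    Returns the 5th/95th percentiles of total money and labour across trials,
    which is the uncertainty band the constant version hides.
    """
    rng = random.Random(seed)
    money_runs, labour_runs = [], []
    for _ in range(trials):
        money = labour = 0.0
        for kind in events:
            row = EFFORT_TABLE.get(kind)
            if row is None:
                continue
            usd, people_lo, people_hi, secs = row
            money += _spread(rng, usd)
            labour += rng.randint(people_lo, people_hi) * _spread(rng, secs)
        money_runs.append(money)
        labour_runs.append(labour)

    def band(values):
        values = sorted(values)
        return values[int(0.05 * len(values))], values[int(0.95 * len(values))]

    return {"money_usd": band(money_runs), "labour_seconds": band(labour_runs)}


def rank_actors(actors):
    """Order actors by the money their observed IoC churn implies (descending)."""
    return sorted(actors, key=lambda n: point_estimate(actors[n])["money_usd"], reverse=True)


if __name__ == "__main__":
    print(point_estimate(SAMPLE_TIMELINE))
    print(simulate(SAMPLE_TIMELINE))
    print(rank_actors({"actor_a": SAMPLE_TIMELINE, "actor_b": ["change_ip"] * 10}))
```

The point estimate is dominated by the one new binary ($5000, two weeks), which is the slide's point: IP and hash churn is nearly free, so an actor that keeps shipping fresh binaries is spending real money and people. The simulated band makes the same comparison honest about its uncertainty, and the unmodelled list keeps the sampling-bias caveat visible: what you could not cost is not the same as what cost nothing.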
Now that we’ve made APTs comparable and can start to understand their capacity, what about ransomware?
928 -> $105,955
1074 -> $7.84 Million
837 -> $7.50 Million
Ain’t correlation grand?
Source for ransomware families: 2017 F-Secure State of Cyber Security & Trend Micro 2016 Security Roundup
Occurrence of Bitcoin ransomware
● Ankit and Mauro studied all the recent ransomware:
■ that used Bitcoin as at least one mode of ransom payment, and
■ for which at least one Bitcoin address is publicly known
Ransomware payment analysis helps us build models of cyber risk.
Ransomware Payment Analysis (n=126k)
From an analysis of ransomware payments:
$800 is the average, and the largest payment I found was $1.4 Million.
There are a lot of tiny payments like 0.18, presumably test payments.
We can see the cashouts too, and there’s even one that has a timestamp of 1972
(Before the blockchain was invented)
So the bad guys are obviously laughing all the way to the bank.
● First known ransomware virus was written by an AIDS researcher, called Dr. Joseph Popp, in 1989.
● The “first” cashout we found in the blockchain was from CryptoLocker, in 1972, before the blockchain EXISTED!
Don’t believe me? Check yourself with the QR code.
Screenshot by: Security Focus
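The payment slides above are as much about data hygiene as about money: tiny test payments and a CryptoLocker "cashout" timestamped 1972 both end up in the same dataset as real ransoms. The following is an added example, not code from the talk, showing the triage step that has to run before averages and maxima mean anything. The records are constructed, the $1 test-payment threshold is an assumption, and the one external fact used is that Bitcoin's genesis block is timestamped 3 January 2009 UTC, so nothing on-chain can legitimately predate it.

```python
"""Triage a set of ransomware payment records before computing statistics.

Added example; not code from the talk. The records below are constructed,
the $1 "test payment" threshold is an assumption, and the only external
fact used is that Bitcoin's genesis block is timestamped 2009-01-03 UTC.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean, median

# Unix time of the Bitcoin genesis block (2009-01-03 18:15:05 UTC). Any
# payment "timestamped" earlier cannot be a real on-chain event.
GENESIS_TS = 1231006505


@dataclass(frozen=True)
class Payment:
    txid: str       # placeholder identifiers, not real transaction hashes
    unix_ts: int
    usd: float


# Constructed sample with the anomalies the talk describes (tiny test
# payments, a timestamp from 1972) plus one malformed row.
SAMPLE_PAYMENTS = [
    Payment("tx-0001", 1483228800, 800.0),   # 2017-01-01
    Payment("tx-0002", 1483315200, 0.18),    # tiny: presumably a test payment
    Payment("tx-0003", 1488326400, 1200.0),  # 2017-03-01
    Payment("tx-0004", 63072000, 500.0),     # 1972-01-01: before the blockchain
    Payment("tx-0005", 1490000000, 400.0),   # 2017-03-20
    Payment("tx-0006", 1490000001, -5.0),    # negative amount: malformed
]


def triage(payments, test_threshold_usd=1.0):
    """Split records into a clean set and the anomaly buckets worth reporting."""
    buckets = {"clean": [], "test_payment": [], "pre_genesis": [], "malformed": []}
    for p in payments:
        if p.usd < 0:
            buckets["malformed"].append(p)
        elif p.unix_ts < GENESIS_TS:
            buckets["pre_genesis"].append(p)
        elif p.usd < test_threshold_usd:
            buckets["test_payment"].append(p)
        else:
            buckets["clean"].append(p)
    return buckets


def summarise(clean):
    """Average, median and largest payment over the clean set only."""
    amounts = [p.usd for p in clean]
    if not amounts:
        return {"count": 0, "mean_usd": 0.0, "median_usd": 0.0, "max_usd": 0.0}
    return {
        "count": len(amounts),
        "mean_usd": mean(amounts),
        "median_usd": median(amounts),
        "max_usd": max(amounts),
    }


def describe_anomaly(p):
    """One line per anomalous record, for the analyst's notes."""
    when = datetime.fromtimestamp(p.unix_ts, tz=timezone.utc).strftime("%Y-%m-%d")
    return f"{p.txid}: ${p.usd:.2f} at {when}"


if __name__ == "__main__":
    b = triage(SAMPLE_PAYMENTS)
    print(summarise(b["clean"]))
    for name in ("test_payment", "pre_genesis", "malformed"):
        for p in b[name]:
            print(name, describe_anomaly(p))
```

Keeping the anomalies in named buckets rather than dropping them matters: the 1972 record is evidence about the data source (a bad timestamp field, or a tool that defaults to epoch-relative nonsense), and the test payments are evidence about the operator, so both belong in the write-up even though neither belongs in the mean.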
Exploit usage is quantifiable
By volume
Exploit usage is quantifiable
Across time
Let’s switch to rDDoS. Remember, start with your risk to others.
2018 Max: 155 Tb/s
Actual: 1.35 Tb/s
https://www.tandfonline.com/doi/abs/10.1080/23738871.2017.1362020
Largest DDoS per year.
Gathered from marketing material.
Our estimates of pool of capacity.
Created by summing risk to others!
Beware of our selection bias.
Most companies cannot detect the largest DDoS without sharing information!
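The rDDoS slides above describe two mechanical steps: normalise the largest-attack figures gathered from marketing material into one unit, and build the capacity pool by summing each organisation's risk to others rather than its risk from others. The following is an added example, not code from the talk or the linked paper, that does both. The rate parser and the per-organisation model (reflector count × assumed trigger rate × assumed amplification, capped by the organisation's uplink) are this example's assumptions; apart from the 1.35 Tb/s the talk quotes for 2018, every vendor figure, inventory and factor below is a constructed illustration value.

```python
"""Pool "risk to others" into a reflected-DDoS capacity estimate.

Added example; not code from the talk or the linked paper. The rate parser
and the per-organisation model are assumptions; the vendor figures (apart
from the 1.35 Tb/s the talk quotes for 2018), organisation inventories,
amplification factors and trigger rate are constructed illustration values.
"""
import re

_PREFIX = {"": 1.0, "k": 1e3, "m": 1e6, "g": 1e9, "t": 1e12}
_RATE_RE = re.compile(r"^\s*([\d.,]+)\s*([kmgt]?)\s*(?:b/s|bps|bit/s)\s*$", re.I)


def parse_rate(text):
    """Normalise a marketing-style figure ('1.35 Tb/s', '600 Gbps') to bit/s."""
    m = _RATE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised rate: {text!r}")
    return float(m.group(1).replace(",", "")) * _PREFIX[m.group(2).lower()]


# Constructed vendor claims, in the mixed units found in marketing material.
MARKETING_REPORTS = [
    (2016, "vendor-a", "600 Gbps"),
    (2016, "vendor-b", "1.1 Tb/s"),
    (2017, "vendor-a", "800,000 Mbps"),
    (2018, "vendor-c", "900 Gbps"),
    (2018, "vendor-a", "1.35 Tb/s"),
]


def largest_per_year(reports):
    """Largest claimed attack per year, after normalising every unit to bit/s."""
    best = {}
    for year, _vendor, rate in reports:
        best[year] = max(best.get(year, 0.0), parse_rate(rate))
    return best


# Assumed illustrative amplification factors (response bytes per request byte);
# real factors depend on protocol version and configuration.
AMPLIFICATION = {"ntp": 500.0, "dns_open_resolver": 30.0, "ssdp": 30.0, "memcached": 10000.0}
TRIGGER_BPS = 8_000.0  # assumed spoofed request load per reflector (1 kB/s)

# Constructed "risk to others" reports: what each organisation exposes.
ORGANISATIONS = [
    {"name": "org-a", "uplink": "10 Gbps", "reflectors": {"ntp": 40, "dns_open_resolver": 200}},
    {"name": "org-b", "uplink": "1 Gbps", "reflectors": {"memcached": 20}},
    {"name": "org-c", "uplink": "40 Gbps", "reflectors": {"ssdp": 5000}},
]


def org_contribution(org):
    """Bandwidth this organisation could reflect at others, capped by its uplink.

    The cap matters: twenty memcached hosts behind a 1 Gbps link cannot emit
    more than 1 Gbps whatever the amplification factor says.
    """
    raw = sum(count * TRIGGER_BPS * AMPLIFICATION[proto]
              for proto, count in org["reflectors"].items())
    return min(raw, parse_rate(org["uplink"]))


def pool_capacity(orgs):
    """Sum of every reporting organisation's risk to others, in bit/s.

    Organisations that did not report contribute nothing, so this is a lower
    bound on the real pool: the selection bias the talk warns about.
    """
    return sum(org_contribution(o) for o in orgs)


def headroom(pool_bps, observed_bps):
    """Ratio of pooled capacity to the largest attack actually observed."""
    return pool_bps / observed_bps


if __name__ == "__main__":
    by_year = largest_per_year(MARKETING_REPORTS)
    pool = pool_capacity(ORGANISATIONS)
    print({y: f"{v / 1e12:.2f} Tb/s" for y, v in by_year.items()})
    print(f"pooled risk to others: {pool / 1e9:.3f} Gb/s")
    print(f"pool / largest 2018 attack: {headroom(pool, by_year[2018]):.4f}")
```

With three constructed organisations the pool is a few Gb/s against a 1.35 Tb/s observed attack, which is the wrong way round only because almost nobody has reported: the estimate can only approach the talk's "max" figure as more organisations contribute their own exposure, and that is the sharing argument of the next slide in code form.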
Normalise, Normalise, Normalise!
First we estimate APT “capacity for harm”, then we solve for “loss estimation” of minimal and maximal harms.
Why haven’t we solved cyber risk yet?
1. Because we focused on the risk to ourselves instead of our risk to others.
2. Because we did not put any science in the loss quantification or estimation.
3. Because we did not normalise or share the data.
Cyber risk is shared. Collaboration, not solitary heroes, reduces that risk.