UNCLASSIFIED
Kansas City Terrorism Early Warning
Inter Agency Analysis Center
Cyber Threat Information Program
Missouri City/County Manager’s Association
CYBER BRIEFING
May 7, 2015
Recent Cyber Events
• South Carolina DOR – 3.6 million SSNs stolen and tax returns exposed (direct cost = $14 million, user fraud loss = $5.2 billion).
• Shamoon (aka Wiper) – steals credentials and wipes the boot record from 30,000 to 50,000 computers at Saudi Aramco and RasGas.
• Banking DDoS against JP Morgan/Chase, PNC, Wells Fargo, Bank of America. Total of 8 banks attacked.
Recent Cyber Events
• TARGET (40 million credit cards) and other retailers.
• City of Wichita (> 60,000 vendor financial records)
• 14 banks, 12 cities and 10 police departments disabled during the Ferguson unrest.
VIDEO 1
So What?
• Computer network exploitation by threat actors enables:
• Massive financial losses
• Degradation/disruption of services
• Extortion
• Intellectual property theft
• Counterfeiting
• Theft of proprietary data
• Identity theft (personally identifiable information)
• Access to credit
• Loss of money and credibility
Agenda
• Threat Landscape
• Actors (Bad Guys)
• Attack types (Bad Stuff that Bad Guys do)
• Vulnerabilities (The things that Bad Guys attack)
• Cyber Threats and Trends (The Future)
• What Can You Do?
EVALUATE YOUR RISK
THREAT + VULNERABILITY + CONSEQUENCE = RISK
CYBER THREAT LANDSCAPE
Cyber Threat Landscape
• Cyber Threat Actors:
• State Sponsored
• Terrorist/Violent Extremists
• Insider Threat
• Hackers
• Hacktivists
• Criminals / Organized Crime
Hacker Evolution
Cyber Threat Motivations
• Notoriety
• Political Statement
• Money – Banks, Credit Cards, Extortion, etc.
• Intellectual Property / Trade Secrets
• Information for Negotiating Positions (competitive advantage)
• Infrastructure Attack – Terrorism
Cyber Threat Motivations (Intent)
Matrix of motivation by actor; columns: Nation-State, Terrorists, Insiders, Hackers, Hacktivists, Criminals, Commercial Espionage
Fun/Curiosity/Ego: X
Money: X X X X X
Retaliation/retribution: X X X
Political Statement: X X
Intellectual Property: X X X X
Negotiation Information: X X
Deny, Disrupt, Degrade, Destroy: X X X X
Cyber Targets
• Government Networks
• Federal
• State
• Local
• Tribal and Territorial
• Critical Infrastructure and Key Resources (CIKR) Networks
• Over 85% owned by private sector
• Industrial Control Systems/SCADA
• Embedded systems
• Business and Home Networks
Cyber Threats
• Supply Chain Exploitation – cyber exploitation, manipulation, diversion, or substitution of counterfeit, suspect, or fraudulent items impacting US CIKR
• Disruption – Distributed Denial of Service (DDoS) attack (effort to prevent a site or service from functioning efficiently or at all, temporarily or indefinitely)
• Cyber Crime – criminals seeking sensitive, protected information for financial gain
Cyber Threats
• Corporate Espionage – threat actors targeting US companies to gather intelligence and sensitive corporate data for competitive advantage
• Advanced Persistent Threat – stealthy, coordinated cyber activity over a long period of time directed against political, business, and economic targets
• Industrial Control Systems/SCADA – threat actors disrupt ICS/SCADA-based processes
Devices, Systems and Networks
• Desktops/Laptops – OS/App
• Servers – OS/App
• Printers
• Routers
• VPN
• DNS system
• PSAPs
• Public Notification Systems
• Mobile devices
• Household appliances
• Televisions
• Refrigerators
• Baby monitors
Embedded Systems
Computers built into other systems.
Examples:
• Digital X-ray Machines, Medical Devices
• Computer Controlled Industrial Equipment
• Automobiles
• ATMs
• Printer/copier/fax machines
The underlying computer is likely to have unpatched vulnerabilities because it is not on the System Administrator’s list of “computers,” or because the system must be upgraded by the vendor.
Industrial Control Systems (ICS)
Controls processes such as manufacturing, product handling, production, and distribution. Industrial Control Systems include Supervisory Control and Data Acquisition systems (SCADA).
Examples:
• Robotic assembly lines
• Water treatment
• Electric Power Grid
• Building controls
Internet Connected Communications
Communications systems that are not typically considered computer networks but that are, nonetheless, connected to external networks such as the Internet.
Examples:
• Telephone switching – PBX, VOIP
• Emergency notification systems
• First responder communications (Trunked voice/data terminals)
Targeting and Attack Techniques
• Social engineering
• Spear phishing
• Spoofing e-mail accounts
• Exploiting vulnerabilities
• Malware
• Downloaders, Trojans, Keyloggers, etc.
• External memory devices (USB)
• Supply-chain exploitation
• Leveraging trusted insiders
• Denial of Service
• Mobile Device Attacks
Advanced Persistent Threat (APT)
• Category of cyber attack against political, business, or economic targets
• Federal agencies
• State agencies
• City governments
• Commercial and non-profit organizations
• Actors use full spectrum of computer intrusion techniques and technology
• Characterized by focus on specific information objectives rather than immediate financial gain
• Stealthy, coordinated, focused activity over a long period of time
Operators are skilled, motivated, organized, well-funded
Advanced Persistent Threat (APT)
• Information objectives include:
• Gov’t policy/planning
• Corporate proprietary data
• Contract data
• International meetings (G20, IMF, Climate Change)
• Sabotage
• Espionage
• Use of compromised computers as intermediate hop points in future compromises
Advanced Persistent Threat (APT)
Methodology
• Reconnaissance
• Initial intrusion into network
• Establish backdoor into the network
• Obtain user credentials (login ID, passwords)
• Escalate privileges, move laterally through the network
• Search for and exfiltrate data
• Maintain persistence
Advanced Persistent Threat (APT)
Examples of APT in open reporting:
• Operation Aurora – Damballa
• Finance, Technology, Media – 30+ Countries
• LURID APT – Trend Micro
• Diplomatic, Government, Space-related agencies and companies – 61 Countries
• Nitro – Symantec
• Gas, Oil, Energy, Chemical Sectors – 8 countries
• Shady Rat – Symantec
• Governments, corporations, nonprofits, 14 countries
• FLAME – Kaspersky
• Mid-eastern countries
VIDEO 2
Cyber Threats and Trends
Trends
• ENORMOUS increase in Cyber Attacks/Crime, both in numbers and sophistication.
• State sponsored attacks likely to increase. (Cyber Warfare is real now.)
• Cyberweapon toolkits are commonplace, utilized not only by state sponsored attackers but by any entity with medium/high skills.
• Cyber Crime as a Service is a full-fledged business model.
• Anyone can use point-and-click services to deliver a devastating attack.
Trends
Nation-States That Have Declared Offensive Cyber Capability
• Iran
• India
• UK
• China
• Russia
• U.S.A.
• Australia
• Italy
• France
• Syria
• Germany
• Israel
Trends
Hacktivists / Jihadists
• Alliances with ideologically similar groups
• More Skilled
• More Organized
• More Aggressive
• More of them
Trends
Cyber Criminals
• Can occasionally approach the sophistication, if not the endurance, of State sponsored attackers
• Adding much more emphasis to mobile devices.
• Adds a physical dimension to the Cyber realm.
Trends
Shift in targeting preferences
• State / Local
• State networks
• Local Municipalities / Agencies
• FD, PD, Cities, NGOs
• Universities, Colleges, Vo-tech
• Businesses
COMMON ATTACK TYPES / MITIGATION STRATEGIES
Attacks from outside the firewall
Big Three Most Common Attacks
DDoS – Distributed Denial of Service
SQL-I – Structured Query Language Injection
Defacements
Commonly Seen Attacks
Attack Type (TTP – Tactics, Techniques, Procedures)
What is it? Who uses them? Preferred targets? Consequences? Prevention / Mitigation.
Distributed Denial of Service (DDoS)
WHAT IS IT?
A DDoS attack tries to render a website either inoperable or inaccessible by using large numbers of computers to send overwhelming numbers of requests at a computer.
The target can become so busy trying to answer bogus requests that it cannot answer valid user requests and the website is unusable.
Distributed Denial of Service (DDoS)
WHO USES IT?
Used to be well resourced adversaries (state sponsored, cyber crime enterprise).
More recently seen from Hacktivists (Anonymous affiliates).
Anyone with $200 - $800 can rent a botnet with 10,000 computers for a day to attack anyone.
Distributed Denial of Service (DDoS)
Examples?
During unrest associated with the Ferguson, MO shooting:
• 15 Banking institutions
• State, Counties, Cities, Police departments (at least 12)
• Educational institutions
Distributed Denial of Service (DDoS)
Prevention
Can’t be prevented – Plan for it
• Establish connections with multiple ISPs.
• Ensure that service level agreements (SLA) with ISPs contain provisions for DDoS prevention (such as IP address rotation).
• Assure the network has redundant systems and sufficient excess capacity.
Distributed Denial of Service (DDoS)
Prevention
• Enable rate limiting at the network perimeter
• Create backup remote site networks with multiple address capability
• Segment web services across multiple machines and networks
• Host public facing websites with ISPs having capability to withstand significant DDoS attacks
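The "rate limiting at the network perimeter" bullet, as an added example that is not part of the briefing: a per-source token bucket run over a constructed request stream. It shows the property a perimeter limiter is bought for, namely that one flooding address is throttled while a normal client at a modest rate is never dropped. The addresses, the rate (5 requests per second, burst of 10) and the traffic itself are assumptions chosen for the illustration.

```python
"""Per-source token-bucket rate limiting, the mechanism behind "enable rate
limiting at the network perimeter".  Added example, not part of the briefing;
the request stream below is constructed, not captured traffic."""
from collections import defaultdict

MILLI = 1000  # tokens are tracked in thousandths so the arithmetic stays integer


class TokenBucket:
    """Bucket for one source address: holds at most `burst` tokens and refills
    at `rate_per_sec` tokens per second.  Each request costs one token."""

    def __init__(self, rate_per_sec: int, burst: int, now_ms: int):
        self.rate = rate_per_sec
        self.cap = burst * MILLI
        self.tokens = self.cap
        self.last_ms = now_ms

    def allow(self, now_ms: int) -> bool:
        elapsed = max(0, now_ms - self.last_ms)
        self.last_ms = now_ms
        # elapsed milliseconds * tokens/second == milli-tokens earned since last request
        self.tokens = min(self.cap, self.tokens + elapsed * self.rate)
        if self.tokens >= MILLI:
            self.tokens -= MILLI
            return True
        return False


def apply_rate_limit(requests, rate_per_sec: int = 5, burst: int = 10) -> dict:
    """requests: iterable of (timestamp_ms, source_ip).
    Returns {ip: {"allowed": n, "dropped": m}} after limiting each source
    independently, so a flooding address cannot starve a well-behaved one."""
    buckets = {}
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, ip in sorted(requests):  # process in time order
        if ip not in buckets:
            buckets[ip] = TokenBucket(rate_per_sec, burst, ts)
        verdict = "allowed" if buckets[ip].allow(ts) else "dropped"
        stats[ip][verdict] += 1
    return dict(stats)


def constructed_traffic() -> list:
    """One ordinary client (1 request/s for 20 s) and one flooding source
    (100 requests inside a single second).  Constructed sample, not real logs."""
    legit = [(i * 1000, "203.0.113.10") for i in range(20)]
    flood = [(i * 10, "198.51.100.77") for i in range(100)]
    return legit + flood


if __name__ == "__main__":
    for ip, counts in apply_rate_limit(constructed_traffic()).items():
        print(ip, counts)
```

With these parameters the flooding source gets its 10-token burst plus the handful of tokens that refill during the second (14 requests through, 86 dropped), while the ordinary client's 20 requests all pass. A limiter like this only protects the server behind it; the slide's other points (excess capacity, ISP provisions) cover the case where the flood saturates the link itself.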
Distributed Denial of Service (DDoS)
MITIGATION
• Executing ISP address rotation
• Block source IP addresses that are generating DDoS traffic at the network boundary or within the ISP infrastructure. (DDoS attacks can come from tens of thousands of addresses that rotate randomly, making this strategy difficult to implement.)
• Acquire increased bandwidth from the ISP. (This solution is limited by your own server’s ability to handle the increased traffic.)
SQL Injection (SQL-I)
WHAT IS IT?
A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of an insecure web application, bypassing the firewall.
Used to steal information from a database and/or to gain access to an organization’s host computers through the computer that is hosting the database.
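What "executing unauthorized SQL commands" looks like at the code level, as an added example that is not from the briefing: a login query built by pasting user input into the SQL text, beside the parameterised form that prevents it. The users table, the credentials and the test input are all constructed; the database is an in-memory SQLite instance.

```python
"""SQL injection: the string-built query that makes it possible, beside the
parameterised query that prevents it.  Added example, not from the briefing;
the users table and every input below are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a small constructed users table.  Passwords are
    stored in clear text only to keep the focus on the query; a real system
    stores password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("clerk", "correct-horse"), ("admin", "battery-staple")])
    return conn


def login_vulnerable(conn, username: str, password: str):
    # Input is pasted into the SQL text, so a quote character in the input
    # ends the string literal and whatever follows is executed as SQL.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username: str, password: str):
    # The SQL text is fixed; the driver sends the values separately, so the
    # database only ever compares them as data, never parses them as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def compare_logins(username: str, password: str) -> dict:
    """Run the same credentials through both versions and report who, if
    anyone, each one logs in."""
    conn = make_db()
    return {"vulnerable": login_vulnerable(conn, username, password),
            "parameterised": login_parameterised(conn, username, password)}


if __name__ == "__main__":
    print(compare_logins("clerk", "correct-horse"))   # both log in the clerk
    print(compare_logins("admin", "wrong"))           # both refuse
    # A password containing a quote and an always-true clause: the vulnerable
    # query logs someone in anyway, the parameterised one correctly refuses.
    print(compare_logins("admin", "' OR '1'='1"))
```

The slide's prevention items (patching, limiting database services, monitoring) reduce exposure, but the defect itself lives in application code like `login_vulnerable`; reviewing for string-built queries is the check to add to a code or vendor review.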
SQL Injection (SQL-I)
Who uses it?
State sponsored, cyber criminals, Hackers, Hacktivists, Jihadists, Anonymous, script-kiddies
Very effective tools are freely available.
Recipes for finding targets (called Google dorks) are all over the open internet.
SQL Injection (SQL-I)
Local Examples?
KCKPD – Release of accident records and related personal information
Wichita – Release of vendor/personal financial information
SQL Injection (SQL-I)
Prevention
• Limit database services
• Assure all applications and operating systems are patched to current level
• Keep an eye out for announced vulnerabilities
• Dynamic monitoring at the firewall or application server
• Threat detection services
• Application configuration security (Passwords)
SQL Injection (SQL-I)
MITIGATION
• Watch for “breach” announcements
• Notification process
• Prevent further breaches (turn off access till it’s fixed)
• Aggressively pursue disclosures
• Where applicable, get outside help (FBI, DHS, USSS, Commercial services)
DEFACEMENT
WHAT IS IT?
Any unauthorized changes made to the appearance of either a single webpage or an entire site. In some cases, a website is completely taken down and replaced by something new.
DEFACEMENT
Who uses it?
• Plethora of Jihadists
• “Anonymous” Affiliates
• Syrian Electronic Army
• POH (Plain old hackers)
DEFACEMENT
Examples?
• Akron OH
• Marines.com
• Huffington
• MO.GOV
Check out www.zone-h.com (database of 180,000)
DEFACEMENT
Prevention / Mitigation
• Keep Server systems and CMS apps up-to-date
• Better passwords
• Don’t share system accounts outside organization
• Reputation monitoring services
• Good backups
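A defacement is by definition an unauthorized change to published files, so the check that catches it early is a file-integrity comparison of the web root against a known-good baseline. The following is an added example, not the briefing's own code: it hashes every file under a directory, compares a later snapshot against the baseline, and reports modified, added and removed paths. The two-page sample site and the changes made to it are constructed in a temporary directory; the baseline would normally be refreshed after each legitimate publish, with the same hashes usable to verify a restore from backup.

```python
"""Web-root integrity check for defacement: hash every file once (the
baseline) and re-hash on a schedule, reporting anything changed, added or
removed.  Added example, not part of the briefing; the sample site is
constructed in a temporary directory."""
import hashlib
import os
import tempfile


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_directory(root: str) -> dict:
    """Map each file under `root` (path relative to root, '/' separated) to its SHA-256."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                snap[rel] = fingerprint(fh.read())
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Differences between two snapshots.  On a site that nobody deliberately
    published to since the baseline, any non-empty list is an indicator."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Build a two-page site, take a baseline, then alter it the way a
    defacement would (overwrite the front page, drop in a new page) and compare."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "css"))
        pages = {"index.html": b"<h1>City of Example</h1>",         # constructed content
                 "css/site.css": b"body{font-family:sans-serif}"}
        for rel, body in pages.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        baseline = snapshot_directory(root)

        with open(os.path.join(root, "index.html"), "wb") as fh:
            fh.write(b"<h1>This page has been replaced</h1>")
        with open(os.path.join(root, "x.html"), "wb") as fh:
            fh.write(b"<h1>new page</h1>")
        return compare(baseline, snapshot_directory(root))


if __name__ == "__main__":
    print(demo())
```

Keep the baseline somewhere the web server account cannot write; an attacker who can alter pages can otherwise alter the hashes too.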
Attacks That Get Through The Firewall
APT – The Really Bad Stuff
• Computer network exploitation by threat actors enables:
• Massive financial losses
• Degradation/disruption of services
• Extortion
• Intellectual property theft
• Counterfeiting
• Theft of proprietary data
• Identity theft (personally identifiable information)
• Access to credit
• Loss of money and credibility
Computer Network Exploitation
(Try to stay on the left side of the Cyber “Kill Chain”)
The Bad Guys are INSIDE the computer now.
Spear-Phishing
• Targeted e-mails containing malicious attachments or links
• E-mails forged to look as if they came from a legitimate source and have a subject that the victim is likely to open.
• Target e-mail addresses can be harvested from Web sites, social networks, etc.
• Targeting of CEOs, executives is called “whaling”.
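The two traits the slide names, a sender forged to look legitimate and a malicious attachment, are both visible in message headers and can be triaged mechanically before a user ever opens the mail. The following is an added example, not from the briefing: it flags a From display name that mentions the organisation's domain while the actual address is elsewhere, and attachments whose extension executes on opening. Both messages are constructed, `city.example` stands in for the organisation's own domain, and the extension list is an assumption to be tuned to local policy.

```python
"""Spear-phishing triage for the two traits the slide names: a sender forged to
look legitimate and a malicious attachment.  Added example, not from the
briefing; both messages are constructed and 'city.example' is a placeholder
for the organisation's own domain."""
import re
from email import message_from_string
from email.utils import parseaddr

# Attachment types that run code when opened; an assumption, extend to local policy.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm"}
DOMAIN_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def sender_domain_mismatch(from_header: str, trusted_domain: str) -> bool:
    """True when the display name mentions the trusted domain but the address
    itself is somewhere else, a common way to forge a legitimate source."""
    display, addr = parseaddr(from_header)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    mentioned = {d.lower() for d in DOMAIN_RE.findall(display)}
    trusted = trusted_domain.lower()
    return trusted in mentioned and addr_domain != trusted


def risky_attachments(msg) -> list:
    """File names of attachments whose extension is on the risky list."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name and any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            found.append(name)
    return found


def triage(raw_message: str, trusted_domain: str) -> list:
    """Human-readable findings for one message; an empty list means neither trait."""
    msg = message_from_string(raw_message)
    findings = []
    if sender_domain_mismatch(msg.get("From", ""), trusted_domain):
        findings.append("sender display name imitates " + trusted_domain)
    for name in risky_attachments(msg):
        findings.append("risky attachment: " + name)
    return findings


# Constructed sample message, not a real one.
SUSPECT_MESSAGE = """\
From: city.example Finance <finance-desk@mail-relay.test>
To: manager@city.example
Subject: Updated vendor payment schedule
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached schedule before Friday.
--b1
Content-Type: application/octet-stream; name="schedule.xlsm"
Content-Disposition: attachment; filename="schedule.xlsm"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed sample of an ordinary internal message.
BENIGN_MESSAGE = """\
From: Finance <finance@city.example>
To: manager@city.example
Subject: Agenda
Content-Type: text/plain

Agenda is in the shared drive.
"""

if __name__ == "__main__":
    print(triage(SUSPECT_MESSAGE, "city.example"))
    print(triage(BENIGN_MESSAGE, "city.example"))
```

A check like this belongs at the mail gateway or in a mailbox rule that quarantines rather than deletes, so that flagged messages still reach the people who handle reports.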
Sample Phishing Website
(Via fsecure.com)
Sample Phishing Website
(Via fsecure.com)
Compromised police academy server in India
(Via nytimes.com)
Prevention
• Constant Education
• Information Sharing between agencies
• OPSEC
• Cyber Hygiene
• PASSWORDS!!!!!!!!!!!!!
• Response plans
• Cyber Tabletop Exercises
• Test Your Capabilities
• Figure Out Roles and Responsibilities
What is your plan?
• How to recover? WHO? COST?
• How to mitigate? CRITICAL SERVICES
• How to deal with the public? PUBLIC CONFIDENCE, LIABILITY
EVALUATE YOUR RISK
THREAT + VULNERABILITY + CONSEQUENCE = RISK
WHO CAN YOU CALL?
Fusion Center:
KC Regional Terrorism Early Warning – Cyber Threat Intelligence Program
[email protected] (816) 413-3588
Missouri Information Analysis Center
St Louis Terrorism Early Warning
NFCA Cyber Intelligence Network (CIN) – regional coordinators (US map slide)
• Troy Campbell – Co-Chair – KCTEW
• Devin King – Co-Chair – LA-SAFE
• Southeast Regional Coordinator – Heather Perez (CFIX)
• Western Regional Coordinator – Dana Kilian – NCRIC
• National Capital Regional Coordinator – Fleming Campbell (WRTAC)
• Northeast Regional Coordinator – Brett Paradis (CTIC)
• Midwest Regional Coordinator – Kelley Goldblatt (MC3)
• Central Regional Coordinator – John Burrell – MATIC
WHO CAN YOU CALL?
The Department of Homeland Security (DHS)
• The National Cybersecurity & Communications Integration Center (NCCIC)
• The U.S. Computer Emergency Readiness Team (US-CERT)
• The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
• The National Coordinating Center for Telecommunications (NCC)
WHO CAN YOU CALL?
The USSS – US SECRET SERVICE
• Your nearest field office usually has a local Electronic Crimes Task Force
• Has Critical Incident Response Teams
WHO CAN YOU CALL?
The Federal Bureau of Investigation (FBI)
• Your Local FBI Cyber Division
• FBI CyWatch
• FBI Critical Incident Response Group (CIRG) Strategic Information and Operations Center (SIOC)
WHO CAN YOU CALL?
KC Regional Terrorism Early Warning – Cyber Threat Intelligence Program
[email protected] (816) 413-3588
Discussion
Contact:
Troy Campbell, KCTEW
Cyber Threat Intelligence Program
[email protected]@kcpd.org
(816) 413-3588
Cyber Information Sharing Issues
Cyber Information Sharing – A Challenging Process
Issues in Intelligence Information Sharing
• No Cross Community Standards
• Formats
• Flow Paths
• Classification Downgrades
• Identity requests
• Standard terminology
• Two-way information Flows