UNCLASSIFIED

Kansas City Terrorism Early Warning Inter Agency Analysis Center
Cyber Threat Information Program
Missouri City/County Manager’s Association
CYBER BRIEFING, May 7, 2015

Upload: doreen-powers

Post on 22-Dec-2015


TRANSCRIPT

Page 1: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association

Kansas City Terrorism Early Warning Inter Agency Analysis Center
Cyber Threat Information Program
Missouri City/County Manager’s Association

CYBER BRIEFING

May 7, 2015

Page 2:

Recent Cyber Events

• South Carolina DOR – 3.6 million SSNs stolen and tax returns exposed (direct cost = $14 million, user fraud loss = $5.2 billion).

• Shamoon (aka Wiper) – Steals credentials and wipes the boot record; 30,000 to 50,000 computers at Saudi Aramco and RasGas.

• Banking DDoS against JP Morgan Chase, PNC, Wells Fargo, Bank of America; 8 banks attacked in total.

Page 3:

Recent Cyber Events

• TARGET (40 million credit cards) and other retailers.

• City of Wichita (> 60,000 vendor financial records).

• 14 banks, 12 cities and 10 police departments disabled during the Ferguson unrest.

Page 4:

Page 5:

Page 6:

Page 7:

VIDEO 1

Page 8:

So What?

• Computer network exploitation by threat actors enables:

  • Massive financial losses
  • Degradation/disruption of services
  • Extortion
  • Intellectual property theft
  • Counterfeiting
  • Theft of proprietary data
  • Identity theft (personally identifiable information)
  • Access to credit
  • Loss of money and credibility

Page 9:

Agenda

• Threat Landscape
• Actors (Bad Guys)
• Attack types (Bad Stuff that Bad Guys do)
• Vulnerabilities (The things that Bad Guys attack)
• Cyber Threats and Trends (The Future)
• What Can You Do?

Page 10:

EVALUATE YOUR RISK

THREAT + VULNERABILITY + CONSEQUENCE = RISK

Page 11:

CYBER THREAT LANDSCAPE

Page 12:

Cyber Threat Landscape

• Cyber Threat Actors
  • State Sponsored
  • Terrorist/Violent Extremists
  • Insider Threat
  • Hackers
  • Hacktivists
  • Criminals / Organized Crime

Page 13:

Hacker Evolution

Page 14:

Hacker Evolution

Page 15:

Hacker Evolution

Page 16:

Cyber Threat Motivations

• Notoriety
• Political Statement
• Money – Banks, Credit Cards, Extortion, etc.
• Intellectual Property / Trade Secrets
• Information for Negotiating Positions (competitive advantage)
• Infrastructure Attack – Terrorism

Page 17:

Cyber Threat Motivations (Intent)

Matrix of motivations (rows) against actor types (columns: Nation-State, Terrorists, Insiders, Hackers, Hacktivists, Criminals, Commercial Espionage). Column assignment of the marks is inferred from the extracted spacing:

• Fun/Curiosity/Ego – one actor marked (column position not recoverable)
• Money – Terrorists, Insiders, Hackers, Hacktivists, Criminals
• Retaliation/retribution – Insiders, Hackers, Hacktivists
• Political Statement – Terrorists, Hacktivists
• Intellectual Property – Nation-State, Insiders, Criminals, Commercial Espionage
• Negotiation Information – Nation-State, Commercial Espionage
• Deny, Disrupt, Degrade, Destroy – Nation-State, Terrorists, Insiders, Hacktivists

Page 18:

Cyber Targets

• Government Networks
  • Federal
  • State
  • Local
  • Tribal and Territorial
• Critical Infrastructure and Key Resources (CIKR) Networks
  • Over 85% owned by the private sector
  • Industrial Control Systems/SCADA
  • Embedded systems
• Business and Home Networks

Page 19:

Cyber Threats

• Supply Chain Exploitation
  • Cyber exploitation, manipulation, diversion, or substitution of counterfeit, suspect, or fraudulent items impacting US CIKR
• Disruption
  • Distributed Denial of Service (DDoS) attack (effort to prevent a site or service from functioning efficiently or at all, temporarily or indefinitely)
• Cyber Crime
  • Criminals seeking sensitive, protected information for financial gain

Page 20:

Cyber Threats

• Corporate Espionage
  • Threat actors targeting US companies to gather intelligence and sensitive corporate data for competitive advantage
• Advanced Persistent Threat
  • Stealthy, coordinated cyber activity over a long period of time directed against political, business, and economic targets
• Industrial Control Systems/SCADA
  • Threat actors disrupt ICS/SCADA-based processes

Page 21:

Devices, Systems and Networks

• Desktops/Laptops
  • OS/App
• Servers
  • OS/App
• Printers
• Routers
• VPN
• DNS system
• PSAPs
• Public Notification Systems
• Mobile devices
• Household appliances
  • Televisions
  • Refrigerators
  • Baby monitors

Page 22:

Embedded Systems

Computers built into other systems.

Examples:

• Digital X-ray machines, medical devices
• Computer-controlled industrial equipment
• Automobiles
• ATMs
• Printer/copier/fax machines

The underlying computer is likely to have unpatched vulnerabilities because it is not on the system administrator’s list of “computers,” or because the system must be upgraded by the vendor.

Page 23:

Industrial Control Systems (ICS)

Control processes such as manufacturing, product handling, production, and distribution. Industrial Control Systems include Supervisory Control and Data Acquisition (SCADA) systems.

Examples:

• Robotic assembly lines
• Water treatment
• Electric power grid
• Building controls

Page 24:

Internet Connected Communications

Communications systems that are not typically considered computer networks but are nonetheless connected to external networks such as the Internet.

Examples:

• Telephone switching – PBX, VoIP
• Emergency notification systems
• First responder communications (trunked voice/data terminals)

Page 25:

Targeting and Attack Techniques

• Social engineering
• Spear phishing
• Spoofing e-mail accounts
• Exploiting vulnerabilities
• Malware
  • Downloaders, Trojans, Keyloggers, etc.
• External memory devices (USB)
• Supply-chain exploitation
• Leveraging trusted insiders
• Denial of Service
• Mobile Device Attacks

Page 26:

Advanced Persistent Threat (APT)

• Category of cyber attack against political, business, or economic targets
  • Federal agencies
  • State agencies
  • City governments
  • Commercial and non-profit organizations
• Actors use the full spectrum of computer intrusion techniques and technology
• Characterized by a focus on specific information objectives rather than immediate financial gain
• Stealthy, coordinated, focused activity over a long period of time

Operators are skilled, motivated, organized, and well-funded.

Page 27:

Advanced Persistent Threat (APT)

• Information objectives include:
  • Gov’t policy/planning
  • Corporate proprietary data
  • Contract data
  • International meetings (G20, IMF, Climate Change)
• Sabotage
• Espionage
• Use of compromised computers as intermediate hop points in future compromises

Page 28:

Advanced Persistent Threat (APT)

Methodology

• Reconnaissance
• Initial intrusion into the network
• Establish a backdoor into the network
• Obtain user credentials (login ID, passwords)
• Escalate privileges, move laterally through the network
• Search for and exfiltrate data
• Maintain persistence

Page 29:

Advanced Persistent Threat (APT)

Examples of APT in open reporting:

• Operation Aurora – Damballa
  • Finance, Technology, Media – 30+ countries
• LURID APT – Trend Micro
  • Diplomatic, Government, Space-related agencies and companies – 61 countries
• Nitro – Symantec
  • Gas, Oil, Energy, Chemical sectors – 8 countries
• Shady RAT – Symantec
  • Governments, corporations, nonprofits – 14 countries
• FLAME – Kaspersky
  • Middle Eastern countries

Page 30:

VIDEO 2

Page 31:

Cyber Threats and Trends

Page 32:

Trends

• ENORMOUS increase in cyber attacks/crime, both in numbers and sophistication.
• State sponsored attacks likely to increase. (Cyber warfare is real now.)
• Cyberweapon toolkits are commonplace, utilized not only by state sponsored attackers but by any entity with medium/high skills.
• Cyber Crime as a Service is a full-fledged business model.
• Anyone can use point-and-click services to deliver a devastating attack.

Page 33:

Trends

Nation-States That Have Declared Offensive Cyber Capability

• Iran

• India

• UK

• China

• Russia

• U.S.A.

• Australia

• Italy

• France

• Syria

• Germany

• Israel

Page 34:

Trends

Hacktivists / Jihadists

• Alliances with ideologically similar groups
• More skilled
• More organized
• More aggressive
• More of them

Page 35:

Trends

Cyber Criminals

• Can occasionally approach the sophistication, if not the endurance, of state sponsored attackers
• Adding much more emphasis to mobile devices
• Adds a physical dimension to the cyber realm

Page 36:

Trends

Shift in targeting preferences

• State / Local
  • State networks
  • Local municipalities / agencies
  • FD, PD, cities, NGOs
• Universities, colleges, vo-tech
• Businesses

Page 37:

COMMON ATTACK TYPES / MITIGATION STRATEGIES

Page 38:

Attacks from outside the firewall

Page 39:

Big Three Most Common Attacks

DDoS – Distributed Denial of Service

SQL-I – Structured Query Language Injection

Defacements

Page 40:

Commonly Seen Attacks

Attack Type (TTP – Tactics, Techniques, Procedures)

• What is it?
• Who uses them?
• Preferred targets?
• Consequences?
• Prevention / Mitigation

Page 41:

Distributed Denial of Service (DDoS)

WHAT IS IT?

A DDoS attack tries to render a website either inoperable or inaccessible by using large numbers of computers to send overwhelming numbers of requests at a single computer.

The target can become so busy trying to answer bogus requests that it cannot answer valid user requests and the website is unusable.

Page 42:

Distributed Denial of Service (DDoS)

WHO USES IT?

Used to be well-resourced adversaries (state sponsored, cyber crime enterprises).

More recently seen from hacktivists (Anonymous affiliates).

Anyone with $200 - $800 can rent a botnet of 10,000 computers for a day to attack anyone.

Page 43:

Distributed Denial of Service (DDoS)

Examples?

During the unrest associated with the Ferguson, MO shooting:

• 15 banking institutions
• State, counties, cities, police departments (at least 12)
• Educational institutions

Page 44:

Distributed Denial of Service (DDoS)

Prevention

Can’t be prevented – plan for it.

• Establish connections with multiple ISPs.
• Ensure that service level agreements (SLAs) with ISPs contain provisions for DDoS prevention (such as IP address rotation).
• Assure the network has redundant systems and sufficient excess capacity.

Page 45:

Distributed Denial of Service (DDoS)

Prevention

• Enable rate limiting at the network perimeter
• Create backup remote site networks with multiple address capability
• Segment web services across multiple machines and networks
• Host public-facing websites with ISPs having the capability to withstand significant DDoS attacks

Page 46:

Distributed Denial of Service (DDoS)

MITIGATION

• Executing ISP address rotation.
• Block source IP addresses that are generating DDoS traffic at the network boundary or within the ISP infrastructure. (DDoS attacks can come from tens of thousands of addresses that rotate randomly, making this strategy difficult to implement.)
• Acquire increased bandwidth from the ISP. (This solution is limited by your own servers’ ability to handle the increased traffic.)
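As an added illustration of the perimeter rate-limiting and source-blocking controls on the two DDoS slides above (example code, not part of the briefing), this Python replays constructed request log lines through a per-source sliding-window limiter. It shows the caveat the slide makes: one flooding address is blocked once it crosses the threshold, while the same request volume spread over many addresses passes untouched. The window size, threshold, and sample addresses are assumptions.

```python
"""Per-source-IP rate limiting over a constructed request log."""
from collections import defaultdict, deque

# Assumed (hypothetical) perimeter policy: at most MAX_REQ requests per
# source IP within any WINDOW_SECONDS sliding window; a source that
# exceeds it is blocked for the rest of the replay.
WINDOW_SECONDS = 10
MAX_REQ = 20


class PerimeterRateLimiter:
    """Sliding-window request counter keyed by source IP."""

    def __init__(self, window=WINDOW_SECONDS, max_req=MAX_REQ):
        self.window = window
        self.max_req = max_req
        self.recent = defaultdict(deque)   # ip -> timestamps inside the window
        self.blocked = set()

    def allow(self, ip, ts):
        """Return True if the request from ip at time ts should pass."""
        if ip in self.blocked:
            return False
        q = self.recent[ip]
        # Evict timestamps that have fallen out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        q.append(ts)
        if len(q) > self.max_req:
            self.blocked.add(ip)   # the "block source IP" mitigation
            return False
        return True


def replay(log_lines, limiter=None):
    """Run constructed 'timestamp source_ip path' lines through the limiter.

    Returns (passed, dropped, sorted list of blocked IPs).
    """
    limiter = limiter or PerimeterRateLimiter()
    passed = dropped = 0
    for line in log_lines:
        ts, ip, _path = line.split()
        if limiter.allow(ip, float(ts)):
            passed += 1
        else:
            dropped += 1
    return passed, dropped, sorted(limiter.blocked)


def single_source_flood():
    """Constructed sample: one address sends 200 requests in 10 seconds
    while a legitimate user sends 5 spaced-out requests."""
    lines = [f"{i * 0.05:.2f} 203.0.113.5 /" for i in range(200)]
    lines += [f"{i * 2.0:.2f} 198.51.100.7 /index.html" for i in range(5)]
    return replay(sorted(lines, key=lambda l: float(l.split()[0])))


def distributed_flood():
    """Constructed sample: the same 200 requests spread over 100 addresses
    (2 each), so no single source ever crosses the per-IP threshold."""
    lines = [f"{i * 0.05:.2f} 192.0.2.{i % 100 + 1} /" for i in range(200)]
    return replay(lines)
```

The flood from one address is cut to the first 20 requests and the legitimate user is unaffected, but the distributed version passes every request, which is why the slide pairs this control with ISP capacity and address rotation.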

Page 47:

Page 48:

SQL Injection (SQL-I)

WHAT IS IT?

A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of an insecure web application, bypassing the firewall.

Used to steal information from a database and/or to gain access to an organization's host computers through the computer that is hosting the database.

Page 49:

SQL Injection (SQL-I)

Who uses it?

State sponsored, cyber criminals, hackers, hacktivists, jihadists, Anonymous, script kiddies.

Very effective tools are freely available.

Recipes for finding targets (called Google dorks) are all over the open internet.

Page 50:

SQL Injection (SQL-I)

Local Examples?

• KCKPD – Release of accident records and related personal information
• Wichita – Release of vendor/personal financial information

Page 51:

SQL Injection (SQL-I)

Prevention

• Limit database services
• Assure all applications and operating systems are patched to the current level
• Keep an eye out for announced vulnerabilities
• Dynamic monitoring at the firewall or application server
• Threat detection services
• Application configuration security (passwords)
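As an added example (not code from the briefing), the insecure query-building pattern that SQL injection exploits is shown next to its parameterized fix, the application-level control that the prevention items above depend on. It uses an in-memory SQLite table of constructed vendor records standing in for the database-driven site the slides describe; the table, column and function names are hypothetical.

```python
"""SQL injection: the vulnerable query pattern beside its parameterized fix."""
import sqlite3


def build_db():
    """Constructed sample data: a small vendor table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vendors (id INTEGER, name TEXT, account TEXT)")
    conn.executemany(
        "INSERT INTO vendors VALUES (?, ?, ?)",
        [(1, "Acme Paving", "ACCT-0001"), (2, "Bluff Electric", "ACCT-0002")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the user's input becomes part of the SQL text.

    A quote character in `name` changes the statement's structure, which is
    how an attacker ends up running SQL the developer never wrote.
    """
    sql = "SELECT id, name, account FROM vendors WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Parameterized query: the input is bound as data and never parsed as SQL,
    so the same crafted value simply matches no vendor."""
    sql = "SELECT id, name, account FROM vendors WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups against a normal name and a crafted value."""
    conn = build_db()
    normal = "Acme Paving"
    # A crafted value that turns the concatenated WHERE clause into an
    # always-true condition, exposing every row instead of one.
    crafted = "x' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_crafted": lookup_vulnerable(conn, crafted),
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_crafted": lookup_parameterized(conn, crafted),
    }
```

The vulnerable lookup returns the whole table for the crafted value while the parameterized one returns nothing, which is the behaviour the "dynamic monitoring" and patching items above aim to catch or remove.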

Page 52:

SQL Injection (SQL-I)

MITIGATION

• Watch for “breach” announcements
• Notification process
• Prevent further breaches (turn off access till it’s fixed)
• Aggressively pursue disclosures
• Where applicable, get outside help (FBI, DHS, USSS, commercial services)

Page 53:

DEFACEMENT

WHAT IS IT?

Any unauthorized changes made to the appearance of either a single webpage or an entire site. In some cases, a website is completely taken down and replaced by something new.

Page 54:

DEFACEMENT

Who uses it?

• Plethora of jihadists
• “Anonymous” affiliates
• Syrian Electronic Army
• POH (plain old hackers)

Page 55:

DEFACEMENT

Examples?

• Akron, OH
• Marines.com
• Huffington
• MO.GOV

Check out www.zone-h.com (database of 180,000).

Page 56:

Page 57:

Page 58:

Page 59:

DEFACEMENT

Prevention / Mitigation

• Keep server systems and CMS apps up-to-date
• Better passwords
• Don’t share system accounts outside the organization
• Reputation monitoring services
• Good backups

Page 60:

Attacks That Get Through The Firewall

Page 61:

APT – The Really Bad Stuff

• Computer network exploitation by threat actors enables:

  • Massive financial losses
  • Degradation/disruption of services
  • Extortion
  • Intellectual property theft
  • Counterfeiting
  • Theft of proprietary data
  • Identity theft (personally identifiable information)
  • Access to credit
  • Loss of money and credibility

Page 62:

Computer Network Exploitation

(Try to stay on the left side of the Cyber “Kill Chain”)

The Bad Guys are INSIDE the computer now.

Page 63:

Spear-Phishing

• Targeted e-mails containing malicious attachments or links
• E-mails forged to look as if they came from a legitimate source, with a subject that the victim is likely to open
• Target e-mail addresses can be harvested from Web sites, social networks, etc.
• Targeting of CEOs and executives is called “whaling”

Page 64:

Sample Phishing Website

(Via fsecure.com)

Page 65:

Sample Phishing Website

(Via fsecure.com)

Compromised police academy server in India

Page 66:

(Via nytimes.com)

Page 67:

Prevention

• Constant education
• Information sharing between agencies
• OPSEC
• Cyber hygiene
• PASSWORDS!!!!!!!!!!!!!
• Response plans
• Cyber tabletop exercises
• Test your capabilities
• Figure out roles and responsibilities

Page 68:

What is your plan?

• How to recover? WHO? COST?
• How to mitigate: CRITICAL SERVICES
• How to deal with the public: PUBLIC CONFIDENCE, LIABILITY

Page 69:

EVALUATE YOUR RISK

THREAT + VULNERABILITY + CONSEQUENCE = RISK

Page 70:

WHO CAN YOU CALL?

Fusion Center:

KC Regional Terrorism Early Warning
Cyber Threat Intelligence Program
[email protected]
(816) 413-3588

Missouri Information Analysis Center

St Louis Terrorism Early Warning

Page 71: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association
Page 72: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association


Page 73: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association

[Map of the NFCA Cyber Intelligence Network (CIN): the US states grouped by region, each region labeled with its regional coordinator]

NFCA Cyber Intelligence Network (CIN)

• Co-Chairs: Troy Campbell (KCTEW), Devin King (LA-SAFE)
• Northeast Regional Coordinator: Brett Paradis (CTIC)
• National Capital Regional Coordinator: Fleming Campbell (WRTAC)
• Southeast Regional Coordinator: Heather Perez (CFIX)
• Midwest Regional Coordinator: Kelley Goldblatt (MC3)
• Central Regional Coordinator: John Burrell (MATIC)
• Western Regional Coordinator: Dana Kilian (NCRIC)

Page 74: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association


WHO CAN YOU CALL?

The Department of Homeland Security (DHS)

• The National Cybersecurity & Communications Integration Center (NCCIC)
• The U.S. Computer Emergency Readiness Team (US-CERT)
• The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
• The National Coordinating Center for Telecommunications (NCC)

Page 75: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association


WHO CAN YOU CALL?

The USSS – US SECRET SERVICE

• Your nearest field office usually has a local Electronic Crimes Task Force
• Has Critical Incident Response Teams

Page 76: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association


WHO CAN YOU CALL?

The Federal Bureau of Investigation (FBI)

• Your local FBI Cyber Division
• FBI CyWatch
• FBI Critical Incident Response Group (CIRG) Strategic Information and Operations Center (SIOC)

Page 77: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association


WHO CAN YOU CALL?

KC Regional Terrorism Early Warning, Cyber Threat Intelligence Program

[email protected], (816) 413-3588

Page 78: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association


Discussion

Page 79: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association


Contact:

Troy Campbell, KCTEW

Cyber Threat Intelligence Program

[email protected]

(816) 413-3588

Page 80: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association
Page 81: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association
Page 82: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association


Cyber Information Sharing Issues

Page 83: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association


Cyber Information Sharing – A Challenging Process

Page 84: UNCLASSIFIED Kansas City Terrorism Early Warning Inter Agency Analysis Center Cyber Threat Information Program Missouri City/County Manager’s Association


Issues in Intelligence Information Sharing

• No Cross Community Standards
• Formats
• Flow Paths
• Classification Downgrades
• Identity requests
• Standard terminology
• Two-way information Flows