Group-IB: prevention and investigation of high-tech crimes

1. PREVENTION AND INVESTIGATION OF HIGH-TECH CRIMES
2. Damage caused to the global economy by cyber criminals, 2012-2014 (chart)
- The classical means of securing information is no longer able to prevent incidents
3. Group-IB's mission is to protect our clients in cyberspace by creating and using innovative products, solutions and services
4. Group-IB: one of the leading international companies specializing in the prevention and investigation of cyber crimes and high-tech crimes
Main activities:
- Cyber intelligence, monitoring and prevention of cyber threats
- Investigation of cyber crimes and high-tech theft
- Computer forensics and examination
- Information security audit and security analysis
- Development of innovative information security products
5. Group-IB's expansion phases (timeline)
- 2003: Group-IB created
- 2009: enters the international market
- 2010: becomes the largest computer forensics laboratory in Eastern Europe
- 2011: CERT-GIB created
- 2015: becomes an organization with unique competencies
Headcount over the period: 20+, 30+, 100+ employees
6. Our customers: financial sector; energy, industry, IT (customer logos)
7. Media (logos)
8. Examples of investigations carried out: Carberp
- Russia's biggest organized online crime gang (in 2012)
- The investigation was carried out in close cooperation with the Russian Federal Security Service (FSB) and the Russian Ministry of Internal Affairs, with assistance from Sberbank of Russia
- This was the first case in Russian law-enforcement practice in which all the members of an online crime gang were arrested
9. Examples of investigations carried out: Hodprot
- One of the oldest groups involved in online banking theft
- Measures were taken in several regions of Russia and the CIS
- The investigation led to the arrest of the 7 members of the criminal group
10. Examples of investigations carried out: Hameleon
- The first botnet designed to steal money from personal bank accounts
- The criminals used replacement SIM cards (SIM swapping) to carry out attacks against bank customers
- More than 1 billion rubles were prevented from being stolen
11. Examples of investigations carried out: Germes
- An international criminal gang that offered illegal earnings on principles similar to those of an affiliate program
- The investigation led to the arrest of the organizer of the criminal gang
- The largest botnet in Russia was dismantled. At the time of the arrest the botnet comprised more than 6 million compromised computers and was designed for online banking theft
12. Examples of investigations carried out: Dragon, a DDoS botnet
- A DDoS attack against one of the top 10 largest Russian banks, carried out using a previously unknown botnet
- The organizer of the attack was arrested in December 2012 in close cooperation with the Russian Ministry of Internal Affairs
13. Examples of investigations carried out: BlackHole
- The author of the BlackHole Exploit Kit and the Cool Exploit Kit, as well as of Crypt.am, a service for obfuscating malware code so that antivirus programs do not detect it
- 40% of infections recorded worldwide were carried out using the tools of this author, known as Paunch
- This was the first case in Russian law-enforcement practice in which the author of an exploit kit was arrested as an accomplice to theft
14. Main activities of Group-IB
Prevention and monitoring:
- CERT-GIB: monitoring and response
- Brand protection
- Antipiracy
- Information security audit
Computer forensics and investigation:
- Computer forensics and malware investigation laboratory
- Incident investigation
- Independent financial and corporate investigations
Software development:
- Bot-Trek: cyber intelligence and threat analysis
- Bot-Trek TDS
15. Company's structure
Offices: New York, Moscow, Singapore
Units:
- CERT-GIB
- Computer forensics and malware investigation laboratory: computer forensics, mobile groups, malware investigation
- Computer investigation department
- Financial investigation department
- Audit and consulting department
- Personal security service
- Analytics department
- Legal department
- Software development: Bot-Trek, Bot-Trek TDS
- Antipiracy
16. PREVENTION AND MONITORING
17. CERT-GIB: computer security incident response team
- The first 24/7 CERT in Eastern Europe: CERT-GIB is the first round-the-clock computer security incident response team in Eastern Europe
- Transcontinental support: monitoring and response groups are present in different parts of the globe (North America, Europe, Asia), with offices in New York, Moscow and Singapore
- Countermeasures against the following types of threats: phishing, spam, DDoS attacks, malware, botnets
- .RU, .РФ, .SU: a competent organization for combating cyber threats; an expert organization of the Coordination Center for TLD RU/РФ
18. CERT-GIB work methodology
1. Active monitoring
- Monitoring of information security incidents: phishing, spam e-mails, malware, etc.
- Accepting requests through a form on the website, by e-mail and via a hotline
- Monitoring of professional communities
2. Gathering information about an incident
- Establishing the source of a threat
- Threat analysis
- Identifying the persons involved in the threat
- Conducting forensic investigations
3. Incident classification
- Phishing
- Malware
- Dissemination of confidential information
- DoS/DDoS attack
- Spam
- Other threats
4. Incident neutralization
- Suppressing the causes of the incident
- Contacting foreign CERTs and CSIRTs for cooperation (if necessary)
- Reporting to the requesting party
- Transfer of materials to law enforcement agencies (if necessary)
19. CERT-GIB: an independent unit at Group-IB which monitors and responds to information security incidents
- Monitoring of information security events
- Immediate response to information security incidents
- Conducting internal and external investigations
- Collection, investigation and processing of digital evidence and event logs
- Providing legal support for the entire complex of measures and their outcome
(Diagram: the customer is connected over VPN to ISIRT No. 1, No. 2, No. 3, ...)
20. CERT-GIB cases: Slenfbot takedown, Virut takedown, Grum takedown
21. antiphishing.ru
- A form for accepting reports about suspicious sites used for attacks against Internet users. The project has existed since 2012 with the participation of CERT-GIB experts
- Information received is immediately sent to CERT-GIB analysts, who quickly process the incoming report and take the measures necessary to neutralize the malicious web resources
- A socially oriented project: after sending in a report, users are given the opportunity to share information about the antiphishing.ru project on social networks
22. Brand Point Protection: a range of online brand protection services
- Protection against phishing: a system for early detection of phishing incidents and other incidents involving illegal use of brands on the Internet
- Protection of intellectual property: a package of measures aimed at preventing illegal distribution of digital content and elements of intellectual property on the Internet
- Protection of business reputation: monitoring electronic media, blogs, forums and other Internet resources to identify information that distorts or tarnishes a business reputation
- Monitoring counterfeit product markets: finding and identifying sales channels and sources of counterfeit products in order to stop such illegal activity
- Monitoring the mobile app market: identifying and responding to cases of illegal brand use in mobile app stores, where apps violate copyright and/or are intended to attack our customers' clients
23. Antipiracy: intellectual property protection on the Internet
- Protecting movies, software, music, e-books and computer games: Group-IB protects all kinds of digital content found on the Internet
- The service combines automatic and manual monitoring: Group-IB's anti-piracy software automatically monitors the Russian- and English-speaking segments of the Internet and finds links to illegal content; a team of operators processes this data and takes measures
- Unique competencies and strong relationships with various authorities: Group-IB is a competent organization with the Coordination Center for TLD RU/РФ and cooperates with top hosting providers and domain name registrars
- Supporting legal platforms: we redirect the audience from pirate websites to legal platforms; a number of pirate websites are ready to comply and operate legally
- Protecting your revenue: up to 90% of all illegal links are removed from the Internet; the popularity of official platforms grows, as does revenue; the brand image is protected
24. Information security audit
- Application security audit in source code: the investigation reveals vulnerabilities and gaps that can lead to information security threats
- Web application security audit: web applications are analyzed for vulnerabilities; after the analysis the customer receives recommendations on how to address them and improve security
- Industrial control systems and SCADA security audit: the investigation evaluates the security of key elements of an industrial network infrastructure against possible malicious internal and external impacts
- Penetration tests: a method of checking the security of applications and AISs (automated information systems) by exploring the feasibility of unauthorized access to the customer's information by potential attackers
25. Benefits (prevention and monitoring)
- Increased market value for your company: by managing the security and volume of your company's intangible assets, such as copyrights, know-how, trademarks and business reputation
- Increased sales revenues: removal of sources of illegal distribution of counterfeit goods and confidential information; interruption of cash flows to attackers' projects
- Improved business reputation: removing false and untrue reviews that negatively affect your company's business image from search results
- Increased trust in the brand: timely detection of unauthorized use of your brand and notifying you to ensure its safety; customer centricity prompts positive feedback from current customers and attracts new ones
- Compensation for damages caused: legally prosecuting criminals who illegally use your brand and subsequently receiving compensation for the damages caused by their activities
26. COMPUTER FORENSICS AND INVESTIGATION
27. Cyber crime investigation
Network attacks:
- Online banking theft
- DDoS attacks
- VoIP hacking
- Unauthorized access to websites, databases, servers and mail
- Network blackmail / extortion
Targeted attacks / industrial espionage:
- Targeted virus attacks
- Wiretapping of network channels
- Installation of malicious logic
- Installation of digital backdoors
Sabotage and insiders:
- Information leakage
- Information destruction
- Data manipulation to commit fraud
- Denial of access
Economic crimes:
- High-tech fraud
- Extortion
- Disclosure of trade secrets and confidential information
- Illegal use of trademarks and brands
28. Computer forensics and malware investigation
- Digital evidence collection: gathering information about an incident and determining where evidential information is stored; preserving and presenting evidential information in accordance with state laws
- Forensic investigation: analyzing the incident and obtaining and securing evidence admissible in court proceedings
- Express forensics: conducting forensic investigations in a very short time
- Participation of experts in special investigation activities: minimizing the possibility of evidence being destroyed by unskilled actions, and giving technical measures proper legal status
29. Computer forensics and malware investigation (continued)
- Malware investigation: identifying the functional capabilities of executable files and establishing the network addresses they use; analyzing and decoding configuration files and other ancillary data
- Comparison of source code with software products: conducting computer investigations into plagiarism in the field of IT
- Mobile device investigation: investigating mobile devices at the logical, physical and file system levels
- Outsourcing of services: combining services into a single complex, making it possible to manage incidents efficiently and minimize time and financial costs
30. Independent financial and corporate investigations: protection of a company's financial and economic interests against various internal and external abuses
- Investigation of violations within a company and verification of the facts of probable fraud
- Independent and objective assessment of potential abuses by employees
- Investigation of misappropriation of assets and property; returning such assets and property and/or taking measures established by law
- Revealing hidden conflicts of interest and relationships that are contrary to business ethics
- Comprehensive analysis of the reliability of suppliers, manufacturers, business partners, sales agents, own employees and other parties
31. Benefits (computer forensics and investigation)
- Possible compensation for damages when the perpetrators are identified and prosecuted
- Increased business stability brought about by lower information security costs
- Minimizing existing risks by promptly obtaining information about an incident that has occurred, and preventing such risks in the future
- Faster incident response thanks to the use of advanced forensic and e-discovery practices
- Reduced cost of building your own infrastructure and training forensic and e-discovery experts
32. SPECIALIZED SOFTWARE DEVELOPMENT AND DEPLOYMENT
33. Bot-Trek
- An intelligent, self-learning, self-filling, full-cycle proprietary ecosystem
- Functional unity of knowledge, experience and technology
The Bot-Trek ecosystem provides companies with software for identifying, strategically planning for and rapidly responding to current global risks and security threats
34. Bot-Trek helps protect against zero-day attacks and prevent or prepare for further attacks and threats
Bot-Trek products allow:
- Real-time monitoring of the constantly changing cyber threat environment
- Use of specific indicators to assess the level of threat to the business
- Acquiring the new knowledge needed to protect the company today and in the future
Depending on your business risks, Bot-Trek provides:
- Protection against theft in payment systems, online banking and mobile devices
- Protection against targeted attacks (APTs)
- Identification of and rapid response to actual global risks and security threats
- Tools for strategic security planning and risk assessment
35. Bot-Trek CI
Bot-Trek Cyber Intelligence (CI) is a platform providing companies around the world with real-time, personalized analytical information for strategic planning, identification of and rapid response to urgent global risks and security threats.
- The impact of changes in the external cyber threat landscape is monitored and assessed
- Additional information is collected and correlated so that Bot-Trek CI can provide global and sector-specific information on various types of high-tech threats
- Processing huge volumes of raw data, Bot-Trek CI provides the customer with only reliable and relevant information for the decision-making process
36. Bot-Trek CI performs research and processes and correlates information from multiple private and public sources
37. Bot-Trek CI: Group-IB uses its own unique development for collecting and correlating data; each block of data complements the next, providing better coverage and a higher level of protection for our clients
38. Bot-Trek TDS
The system is designed to identify Trojans, spyware, illegal remote administration tools, exploits for workstations and mobile botnets. Delivered as a "device + service" model, Bot-Trek TDS is an effective tool for outsourcing routine processes such as server administration, signature updates and log analysis.
- Bot-Trek TDS complements other intrusion detection systems already installed in the customer's infrastructure
- The standard set has low hardware requirements, can be deployed remotely on the customer's own platform and is easily integrated with SIEM and IPS systems
- There are almost no false positives, so each detected incident is a reason for specific action and not just a "practice alert"
- Confidentiality of corporate information is preserved because traffic does not leave the customer's infrastructure
- There is no need to hire and certify a separate highly paid employee, because CERT-GIB takes full charge of expert analysis of detected events 24/7/365
39. Bot-Trek Intelligent Bank (IB)
Protects online payments from fraud without installation on endpoint devices. Bot-Trek IB was designed as a SaaS solution and does not require changes to the enterprise infrastructure or the online banking software. The client part is loaded together with the online banking website.
- Identifies new types of attacks and malicious code
- Identifies client devices infected by malicious code by detecting web injects
- Protects against phishing and pharming attacks
- Identifies remote connections to a client device
- Classifies malicious code
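As an added example (not Group-IB's or Bot-Trek's code), the script below sketches how a page-side web-inject check of the kind described on slide 39 can work: a banking trojan rewrites the legitimate page in the victim's browser, typically adding form fields (card PIN, secret question, TAN lists) or loading a script from an attacker-controlled host, and a script shipped with the bank's own page compares what is actually in the DOM with what the page is supposed to contain. The field names, the origin `https://bank.example` and the two page snapshots are constructed for the demonstration; in a browser the snapshot is taken from the live document, and under Node the constructed snapshots are used instead.

```javascript
// Added example, not Group-IB's or Bot-Trek's code. All field names, origins
// and page snapshots below are hypothetical and constructed for the demo.

const EXPECTED_FIELDS = new Set(['username', 'password', 'otp']);   // assumed login form
const TRUSTED_SCRIPT_ORIGINS = new Set(['https://bank.example']);    // hypothetical bank origin

// Origin of an absolute script URL; null for anything that does not parse
// (relative src values are resolved to absolute URLs by the browser before
// they reach us via el.src, so a null here is itself suspicious).
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// Compare a page snapshot ({fields: [input names], scripts: [script URLs]})
// against the bank's expectations. Returns the findings so the caller can
// report them to the anti-fraud backend together with the session identifier.
function detectWebInject(snapshot) {
  const findings = [];
  for (const name of snapshot.fields) {
    if (!EXPECTED_FIELDS.has(name)) {
      findings.push({ type: 'unexpected_field', value: name });
    }
  }
  for (const src of snapshot.scripts) {
    const origin = originOf(src);
    if (origin === null || !TRUSTED_SCRIPT_ORIGINS.has(origin)) {
      findings.push({ type: 'foreign_script', value: src });
    }
  }
  return { infected: findings.length > 0, findings };
}

// In the browser the snapshot is taken from the live DOM after the page has
// finished loading: a web inject modifies the DOM, not the server's response.
function snapshotFromDocument(doc) {
  return {
    fields: Array.from(doc.querySelectorAll('input[name]'), el => el.getAttribute('name')),
    scripts: Array.from(doc.querySelectorAll('script[src]'), el => el.src),
  };
}

// Server-side counterpart: the backend knows which fields the login form
// legitimately submits. Extra field names in a POST mean the client rendered
// an injected form, and malware in the victim's browser cannot disable this check.
function checkPostedFields(postedFieldNames) {
  return postedFieldNames.filter(name => !EXPECTED_FIELDS.has(name));
}

// Constructed snapshots for demonstration; no real bank page was captured.
const CLEAN_PAGE = {
  fields: ['username', 'password', 'otp'],
  scripts: ['https://bank.example/js/login.js'],
};
const INJECTED_PAGE = {
  fields: ['username', 'password', 'otp', 'card_pin', 'mother_maiden_name'],
  scripts: ['https://bank.example/js/login.js', 'https://cdn-upd4te.example.net/inj.js'],
};

if (typeof document === 'undefined') {
  // Running under Node: exercise the constructed snapshots.
  console.log(JSON.stringify(detectWebInject(CLEAN_PAGE)));
  console.log(JSON.stringify(detectWebInject(INJECTED_PAGE)));
} else {
  // Running in a browser: inspect the page the script was loaded with.
  console.log(JSON.stringify(detectWebInject(snapshotFromDocument(document))));
}
```

The client-side result is a heuristic signal, not proof: a trojan that fully controls the browser can remove or neuter the detection script as easily as it injects fields. That is why the server-side comparison of submitted field names (and, in a real deployment, a comparison of the client's report against what the server actually served for that session) carries more weight than anything the page reports about itself.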
40. Benefits (software development)
- Minimization of financial losses due to real-time fraud prevention, rapid incident response and lower costs of supporting victims
- Minimization of reputational risks due to a reduced number of victims
- Compensation for financial losses through comprehensive investigation, with a possible lawsuit afterwards
41. www.group-ib.com, info@group-ib.com; facebook.com/groupib, twitter.com/groupib, youtube.com/groupib, linkedin.com/company/group-ib