Operation High Roller: The need for a security ally!

Operation High Roller was a dramatic change in the way cyber criminals went after their victims. This presentation will focus on the specifics of this attack against corporations, which was focused on small to medium-sized organizations, the use of analytics to single out the victims, and the advanced methodologies used to hide the attack. Jeff will also discuss the need for specialization in the security marketplace and the need to ally yourself with other organizations, as well as working with your General and Outside Counsel to prepare for the inevitable battle.

  • The marketplace is crowded with companies offering assessment services under various names. But while they all claim to do roughly the same thing, not all security assessments are created equal. Accuvant has built a successful assessment practice by employing the best assessment team in the industry. Accuvant’s assessment resources are security industry thought leaders, several are published authors, all have years of information security experience, and all have benefited from a broad exposure to different client environments, consulting methodologies, assessment techniques, and security technologies. Accuvant combines this talent and experience with an innovative approach to produce the most cost-effective and comprehensive assessment offerings in the industry.

    1. Copyright © 2013. Accuvant, Inc. All Rights Reserved
    3. Not Science Fiction
    4. The Need for a Security Ally
    5. Agenda. Accuvant: • Who am I? • Operation: High Roller • Debrief • Soldiers win the Battles, Allies win the wars. Tactics & techniques: • Issues currently seen from the field • Prediction time! Conclusions
    6. Jeff Danielson: Computer Forensics specialist since 2003 and Security Evangelist for a large national research-driven security partner. Previously, Jeff was a Principal Solutions Consultant for a leading Computer Forensics/eDiscovery and Cybersecurity software solutions corporation, as well as a lead investigator at a large financial services organization. Certifications: • SANS GIAC Certified Forensic Analyst (GCFA) • GIAC Certified Incident Handler (GCIH) • EnCase Certified Forensic Examiner (EnCE) • EnCase Certified eDiscovery Practitioner (EnCEP).
    7. In the blink of an eye
    8. Operation High-Roller
    9. Old Tricks
       The usual suspects:
       • Multiple Attack Strategies
       • Phish/Spear Phishing email
       • Utilization of Past Malware
       • Zeus
       • SpyEye
       • Man-in-the-browser
       Non-patched systems were the biggest culprit.
       Definition, SpyEye: A Trojan horse that infects a web browser to harvest banking credentials for online accounts and also initiate transactions while a person is logged into their account, literally making it possible to watch their bank balance drop by the second.
       Definition, Zeus: A Trojan horse that steals banking information by Man-in-the-browser keystroke logging and Form Grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation.
       Definition, Spear Phishing: Process of attack that focuses on a single user or department within an organization, addressed from someone within the company in a position of trust.
       Definition, Man-in-the-Browser: A Trojan type that takes advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and the host web application.
    10. New Skewl
       New and Improved:
       • Server-side components
       • Heavy automation
       • Targeted to Large accounts (1M+ balance) with heavy utilization
       • Automated Bypass of Two-Factor Physical Authentication
       • Links and code are obfuscated
       • Small Population
       • Avoid Fraud Detection and Hide Evidence
       Fraudulent Server: A server that interacts with the client-side malware launched at a given bank or banking platform. The account data is always updated and current (including emails and email account login). Normally located in a crime-friendly ISP, and moved frequently.
       Automation allowed for repeated banking thefts once the system has been launched at a portal to process a transaction. The client-side malware kills the links to printable statements. It also searches for and erases the actual transaction confirmation emails and copies of the statement. Finally, it also changes the transactions, transaction values, and account balance in the statement displayed on the victim’s screen so the amounts are what the account holder expects to see.
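The Man-in-the-Browser definition on the "Old Tricks" slide and the statement rewrite on the "New Skewl" slide describe the same mechanism from two angles: the malware edits what the victim's browser shows, and it does so consistently enough that nothing on the page looks wrong. The following is an added illustration, not code from the presentation, from Accuvant, or from the High Roller malware itself. It models the statement as plain data rather than a rendered page (the real attack edited the page in the victim's browser), and every account figure, memo, link and function name in it is constructed for the example. The point it makes beyond the slide text: hiding one transfer forces the malware to recompute the running balance of every later row, so a purely client-side "do the rows add up?" check passes on both the real and the doctored statement, and only a copy obtained out of band exposes the difference.

```javascript
// Added example: models the client-side statement rewrite described on the
// High Roller slides. Not the malware's code; all figures below are constructed.

// Constructed sample statement as the bank's server would serve it.
const serverStatement = {
  openingBalance: 1250000.0,
  printableLinks: ["/statements/2013-03.pdf"],
  transactions: [
    { id: "t1", memo: "Payroll", amount: -48200.0 },
    { id: "t2", memo: "Customer payment", amount: 91500.0 },
    { id: "t3", memo: "Wire to new beneficiary", amount: -250000.0 }, // the fraudulent transfer
    { id: "t4", memo: "Utilities", amount: -3100.0 },
  ],
};

function round2(x) {
  return Math.round(x * 100) / 100;
}

// Recompute running balances from the opening balance so every row is consistent.
function withRunningBalances(statement) {
  let balance = statement.openingBalance;
  const transactions = statement.transactions.map((t) => {
    balance = round2(balance + t.amount);
    return { ...t, runningBalance: balance };
  });
  return { ...statement, transactions, closingBalance: balance };
}

// The rewrite the slide describes: drop the fraudulent row(s), recompute balances
// so each later row still adds up, and remove links to printable statements.
function rewriteForVictim(statement, hiddenIds) {
  const hidden = new Set(hiddenIds);
  return withRunningBalances({
    ...statement,
    printableLinks: [],
    transactions: statement.transactions.filter((t) => !hidden.has(t.id)),
  });
}

// A client-side sanity check: does each row's running balance follow from the
// previous one? It passes on the doctored statement too, which is the point.
function isInternallyConsistent(statement) {
  let balance = statement.openingBalance;
  for (const t of statement.transactions) {
    balance = round2(balance + t.amount);
    if (t.runningBalance !== balance) return false;
  }
  return statement.closingBalance === balance;
}

// Reconciliation against a copy the malware could not touch (e.g. a statement
// obtained through a channel other than the infected browser).
function reconcile(trusted, displayed) {
  const shown = new Set(displayed.transactions.map((t) => t.id));
  return {
    hiddenTransactions: trusted.transactions.filter((t) => !shown.has(t.id)),
    balanceDifference: round2(trusted.closingBalance - displayed.closingBalance),
    printableLinksRemoved:
      trusted.printableLinks.length > 0 && displayed.printableLinks.length === 0,
  };
}

const trusted = withRunningBalances(serverStatement);
const displayed = rewriteForVictim(serverStatement, ["t3"]);
```

Running `reconcile(trusted, displayed)` on the constructed data reports one hidden transaction, a 250,000 difference in closing balance and the removed print links, while `isInternallyConsistent` returns true for both versions; that asymmetry is why the slide stresses erasing confirmation emails and printable copies, the out-of-band evidence a victim would otherwise compare against.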
    11. Debrief: Fast Moving. Highly Knowledgeable of Banking processes. Focused and targeted. Hybrid Automation: • Spear Phishing • Bank Account Usage Analysis. Highly Creative techniques, no new code. The Focus is on small to medium-sized businesses and wealthy consumers.
    12. A Storm Is Here
    13. Why Security Consultants?
    14. Soldiers Win Battles • Specialists are key. • Tools and Weapons • “Thin and wide” vs “Deep and Narrow” • Internal Battles should not be overlooked. “Soldiers win the battle, the generals get the credit for them” -Napoleon Bonaparte
    15. Allies Win The War • Cyber Threat Intelligence • Attribution: “Who is attacking you” • Regional and Vertical Partners • Maturity of Weapons • Can you: • Communicate Risk? • Value of Weapons? • Free or Commercial Intelligence? • Be open to Trusted Advisors • Get a good understanding of what is working, and what is not, in the industry • Build a good relationship with local, state, and federal Law Enforcement.
    16. Debrief
       Targeted Attacks increasing
       • Red October: Operation started in 2007 and was discovered on Dec 2012. Infiltrated over 1K+ high level government computers and likely focused specifically on government espionage, most likely from Hacktivist groups, but could be supported by a private firm or rogue nation.
       • Stuxnet: Made popular in 2010, yet believed to be older than 2009*, focused on nuclear. This attack was aimed at Iran’s Natanz plant. Most likely was from a Nation/State.
       • Watering Hole attacks: In the recent attacks found on Twitter, Facebook and Apple, focused on users’ browser habits; users were infected by malware downloaded when the user clicked on normally trusted links.
       • Gauss: First detected June 2012, focused on middle-east online banking records, capable of stealing specific data such as passwords, banking credentials, cookies and specific configurations.
       Current Global IT Security spend is 60 Billion. Visibility and Maturity of IT Security programs is necessary. Everyone is now a target, not just highly visible targets.
    17. Together We Win *Or have a Chance
    18. Issues Seen in the Field
    19. Issues • Time • Vet Security Partner(s) • References • External Vendors • Vertical Professionals • Why only one? • Daily security vs Security projects • Vice-versa • Money • Talk to the Asset owner • Executive Buy-In program • Threat Intelligence Report
    20. Predictions for 2013 • Legal will be put on “notice” • IT Security will be brought under the Legal umbrella • Fundamental Shifting • The Bad Actors • Containment • Push to Pull • Security is a Critical Business Function. 2015: The Internet will no longer be a right, it will be a privilege.
    21. Questions & Answers
    22. Thank You. Jeff Danielson, Security Evangelist, GCIH, GCFA, EnCE, EnCEP, 970-407-8307, jdanielson@Accuvant.com
