20120208 Strategic approach to tackle cybercrime & the botnet threat


Presentation given in Berlin at the AFE academy to explain the dangers of cybercrime and how to plan a strategy to improve cyber security.

Published in: Business, Technology


  1. How to prevent a disaster in cyberspace? The need for an international approach to undermine the criminal cyber architecture. Berlin, 8 February 2012. Combating Cybercrime in Europe – fighting botnets: Optimised Tools for Investigation and Law Enforcement. © 2012 Luc Beirens – Federal Computer Crime Unit – Belgian Federal Judicial Police – Direction economical and financial crime
  2. Presentation: @LucBeirens, Chief Commissioner, Head of the Federal Computer Crime Unit, Belgian Federal Judicial Police, Direction Economical and Financial Crime. Chairman of the EU Cybercrime Task Force, representing the organization of heads of national high-tech crime units of the EU.
  3. Topics – overview
     - General trends today
     - Cyber crimes and cyber criminals today
     - What hinders the combat today?
     - A proposal for an integrated response
     - Belgian experiences
  4. General trends today
     - Evolution towards e-society: replace persons by e-applications; interconnect all systems (administrative, industrial, control)
     - IP is the common platform offered by many ISPs, integrating telephony / data / VPN and all new apps = opportunities / Achilles heel / scattered traces
     - Poor security in legacy applications and protocols (userid + password) => identity fraud is easy
     - End user is not yet educated to act properly
  5. What do criminals want?
     - Become rich / powerful rapidly, easily, with a very big ROI, in an illegal way if needed
     - Destabilize (e-)society by causing trouble
  6. How: cyber crimes today
     - e-fraud => give money to the criminals
     - spam => starting point for e-frauds / malware distribution
     - hacking => change the content of your website (defacing); transfer money from the hacked system; espionage => know your victim; use of the hacked system => storage / spam / proxy / DNS / CC (command & control) / DDoS
     - DDoS: distributed denial of service attacks
  7. How to combat cyber criminals? Analyse their methods and tools.
  8. [Diagram] Botnet attack on a webserver / node: hacker => Internet => Command & Control server => zombie computers => webserver / node (crash; info access line / commands blocked; zombie reports "My IP is x.y.z.z")
  9. Interesting DDoS cases
     - 2004 UK: gambling website down (+ hoster + ISP)
     - 2005 Netherlands: 2 botnets, millions of zombies
     - 2005 Belgium: commercial firm during a social conflict
     - 2006 Sweden: gov websites after a police raid on P2P
     - 2007 Estonia: politically inspired widespread DDoS attack
     - 2008 Georgia: cyber war during a military conflict
     - 2010 worldwide: Wikileaks cyberconflict
     - 2011–2012: Anonymous attacks on gov sites
  10. What are botnets used for? Getting data & making money! Sometimes still for fun (script kiddies)
     - Spam distribution via the zombie
     - Click generation on banner publicity
     - Dialer installation on the zombie to make premium rate calls
     - Spyware / malware / ransomware installation
     - Espionage: banking details / passwords / keylogging
     - Transactions via the zombie PC
     - Capacity for distributed denial of service attacks (DDoS) => disturb the functioning of an internet device (server / router)
  11. [Diagram] Malware update / knowledge transfer: hacker => Internet => Command & Control server; Malware update server (zombies send very frequent MW update requests; a trigger event leads to an MW update); Knowledge server; webserver / node
  12. Cyber criminal's toolbox
     - malware => trojan horses: distribution via mail, P2P, social networks, websites; auto-update & auto-propagation in the network; very high rate of new versions
     - remote control of infected systems => botnets
     - creation of knowledge databases: collected & keylogged info of infected PCs; key servers in safe haven countries
  13. But the criminal cyber architecture also includes ...
     - Underground fora and chatrooms: botnets for hire; malware on demand / off-the-shelf packages; trade in stolen credit cards / credentials; money laundering services
     - Organized cyber criminals: take over / set up ISPs; infiltrate development firms
  14. And the victims?
     - Who? Communication networks and service providers; companies, especially transactional websites; every internet user
     - Reaction: unaware of incidents going on => dark number; victims try to solve it themselves; nearly no complaints made => dark number
     - Result? The hackers go on developing botnets
  15. Risks
     - Economic disaster: large scale: critical infrastructure; small scale: enterprise
     - Individual & corporate (secret) data
     - Loss of trust in e-society
  16. Combined threat: what if abused by terrorists? A cyber army? ... simultaneously with a real-world attack? How will you handle the crisis? Your telephone system is not working!
  17. Intermediate conclusions
     - Society is very dependent on ICT
     - eSociety is very vulnerable to attacks
     - Urgent need to reduce risks on critical ICT
     - Botnets as criminal cyber infrastructure are a common platform for lots of cybercrimes => undermine it and you reduce crime
  18. Traditional way of law enforcement to tackle cybercrime
     - Reactive: register complaint => judicial case; hotlines (or cooperation with them); (eventually) undercover operations
     - Proactive (?): who is doing what, where and how?; patrolling the net
     - Effective (?) but not undermining cybercriminals
  19. What hinders an effective combat of cyber crime?
     - Unawareness and negligence of the end user
     - Lack of an overall view on risks / incidents by enterprise managers and political decision makers
     - Combating: everyone on his own
     - Lack of specialized investigators
     - Jurisdictions limited by national borders
     - Subscriber identity fraud
     - Mobility of the (criminal) services in the cloud
  20. What actions are needed? Everyone plays a role in e-security. We have to do it as partners. We have to do it in an integrated way.
  21. Goals for an operational cybercrime action plan
     - As "society" (= gov & private sector): improve detection, get a view on and act against the criminal cyber infrastructure (especially botnets) and incidents threatening eSociety
     - Strengthen the robustness of ICT eSociety: ISPs / enterprises / end users
     - Weaken and dismantle the criminal cyber infrastructure: each partner within his role & competence
  22. [Diagram] Actions against the botnet architecture, mapped onto hacker => Internet => botnet servers (CC, knowledge, MW) => webserver / node: preserve evidence; report incident; stop activity; bring to court; take out of order; analyse to identify hacker & zombies; identify critical infrastructure; alarm procedures; prevent infection & MW auto-propagation; detect infections & disinfect
  23. Role of governments & international organizations
     - Working according to a strategy
     - Develop international plans & reaction schemes for critical ICT infrastructure protection
     - Develop a legal framework: obligation to report cybercrime incidents; obligation to secure your computer system (?); possibility for an ISP to cut off infected machines (?); obligation to respond to requests of a gov authority when serious incidents happen
  24. Telecommunications sector
     - Prevent / reduce SPAM
     - Have to make their infrastructure robust
     - Report serious incidents to the CERT
     - Integrated reaction with authorities
     - Implement strong authentication in internet protocols and services
     - Detect negligent end users & react / help / cut off
  25. Enterprises
     - E-security = business risk => management responsibility
     - Think about how to survive when e-systems are under attack
     - Enforce detection of incidents – IDS?
     - Report incidents to the CERT? To the police?
     - Integrate strong authentication in e-business applications
  26. Developers
     - Strong authentication: use the strongest available but ... think as a hacker: how can a transaction on an infected PC be intercepted?
     - Store IP addresses and timestamps of the end user! Not of the router! Needed in case of an incident!
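The second point deserves a concrete shape, because an application behind a reverse proxy sees the proxy's address as its TCP peer and will log that instead of the end user's. The following added example (not code from the presentation; the trusted-proxy address, header name and record layout are assumptions) builds a transaction audit record that keeps the end user's address and a UTC timestamp, trusting X-Forwarded-For only when the direct peer is one of our own proxies and only for the hop that proxy itself appended:

```python
"""Audit record for an e-business transaction: keep the end user's address,
not the address of the proxy / router in front of the application.
Added example, not part of the original presentation."""
import ipaddress
from datetime import datetime, timezone

# Assumption: only these reverse proxies sit between the user and the app.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip(peer_addr, headers):
    """Return the address that belongs to the end user.

    peer_addr is the TCP peer the app server sees.  If that peer is one of
    our own proxies, the user's address is the hop the proxy appended to
    X-Forwarded-For (the last element).  Earlier elements were supplied by
    the client and are forgeable, so they are ignored.  If the peer is not
    a trusted proxy, the header is ignored entirely: the peer is the user.
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return str(peer)  # proxy did not set the header; record what we saw
    # An unparsable last hop raises ValueError: better to fail the request
    # than to store evidence we cannot attribute.
    return str(ipaddress.ip_address(hops[-1]))


def audit_record(transaction_id, user_id, peer_addr, headers, now=None):
    """Evidence to keep with each transaction for a later investigation."""
    now = now or datetime.now(timezone.utc)
    return {
        "transaction_id": transaction_id,
        "user_id": user_id,
        "client_ip": client_ip(peer_addr, headers),
        "peer_ip": peer_addr,                          # hop seen directly
        "forwarded_for": headers.get("X-Forwarded-For"),  # raw header as received
        "timestamp_utc": now.astimezone(timezone.utc).isoformat(timespec="seconds"),
    }


if __name__ == "__main__":
    # Constructed request: user 203.0.113.7 reached us through the proxy.
    hdrs = {"X-Forwarded-For": "198.51.100.9, 203.0.113.7"}
    print(audit_record("tx-0001", "alice", "10.0.0.5", hdrs))
```

Storing both the resolved client address and the raw header lets an investigator re-check the attribution later if the proxy configuration turns out to have been wrong.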
  27. Responsibilization of the end user
     - Awareness raising => media
     - Training on e-security & attitude: already at school; in the enterprises
     - Obligation to secure his PC properly?
  28. Role of police and justice?
     - Gather intelligence about botnets
     - Dismantle botnet servers in your country
     - Analyse botnet servers to find traces to the criminals
     - Focus on knowledge servers & CC servers
  29. EU Council strategy: COSI priorities and OAP?
     - Standing Committee on Operational Cooperation on Internal Security (COSI): EU Council body based on the Lisbon Treaty (Art 71 TFEU); high-level representatives of the MS Ministries of the Interior and the EC
     - Tasks: to facilitate and ensure effective operational cooperation and coordination in the field of EU internal security; to evaluate the general direction and efficiency of operational cooperation; to assist the Council in reacting to terrorist attacks or natural or man-made disasters (solidarity clause of Art 222 TFEU)
     (Slide footer: Overview COSI strategic goals and operational action plans cybercrime)
  30. Harmony: the COSI policy & implementation cycle
     - Normally a 4-year cycle, except the first cycle: 2 years
     - Policy: create a view on security risks and crime phenomena; determine priority domains (cybercrime is priority 8); determine strategic goals (4 (2) years); determine operational action plans (OAP, 1 year)
     - 1 driver to follow up the cybercrime domain; 1 or 2 leaders for each OAP; 7 strategic goals
  31. COSI strategy goals
     1. Common legal standard (adapted)
     2. User identification by Internet governance
     3. Enhance police & justice cyber capabilities
     4. Establish a European Cybercrime Centre
     5. Strategy to disrupt criminal ICT infrastructure, esp. botnets
     6. PPP for prevention and detection
     7. Reporting systems in each MS
  32. Strategic Goal 4: to establish the European Cybercrime Centre (ECC) to become the focal point in the fight against cybercrime in the Union, contributing to faster reactions in the event of cyber attacks
  33. European Cybercrime Centre
     - Place, role, tasks, organization still not clear
     - Study by RAND Europe => decision in the 1st half of 2012
     - At Europol?
     - Improve law enforcement efforts tackling cybercrime
     - Tasks: intelligence focal point (monitoring, detection, collection, analysis, alerting, information => core AWF Cyborg?); develop a high-level forensic capability; liaise with MS LEA, industry and Internet governance; R&D; develop good practices for prevention and PPP
  34. Strategic Goal 5: to establish and implement a common Union approach to disrupt and dismantle the criminal infrastructure in cyberspace, especially botnets
  35. International botnet actions
  36. Problems with it?
  37. Belgian experience
     - 1 national FCCU + 25 regional CCUs = 175 officers (computer forensics & cybercrime combat)
     - 2 specialized federal prosecutors; minimum 1 ICT reference prosecutor per district
     - FCCU analyses attacks on critical ICT infrastructure
     - BelNIS (gov network information security): develops and organizes the ICT security strategy; problem: no central authority
     - Since 2009: CERT.be for gov and critical infrastructure
  38. Belgian experience
     - eBanking fraud => start of malware analysis: gain insight in how it is working; leads to detection of botnet servers / bogus ISPs
     - Combined team of cybercrime & financial investigators
     - Building trust with law enforcement in other countries
     - Collaboration with several partners and organizations => information sent to & analysed by CERT.be
     - Effective in dismantling botnet servers (70 since '09)
     - Impact of 1 malware distribution server? Analysis shows: in 2 months, 1.5 million downloads, 300,000 unique IPs
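Figures like the 1.5 million downloads / 300,000 unique IPs above come from the access log of the seized distribution server. The following added example (not code from the presentation or the case; the log lines are constructed and the payload path is an assumption) parses common-log-format lines, counts successful payload downloads and distinct source addresses, and computes each address's median polling interval, since the "very frequent MW update requests" of slide 11 show up as regularly spaced fetches from the same client:

```python
"""Quantify the reach of a malware distribution server from its access log:
downloads, unique IPs and per-client polling interval.  Added example with
constructed log lines; not from the Belgian case."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: one client polling every 5 minutes, one fetching twice,
# one visitor that never obtained the payload (404).
LOG = """\
198.51.100.9 - - [03/Jan/2012:10:00:00 +0100] "GET /update/bot.exe HTTP/1.1" 200 51200
198.51.100.9 - - [03/Jan/2012:10:05:00 +0100] "GET /update/bot.exe HTTP/1.1" 200 51200
198.51.100.9 - - [03/Jan/2012:10:10:00 +0100] "GET /update/bot.exe HTTP/1.1" 200 51200
203.0.113.7 - - [03/Jan/2012:10:01:30 +0100] "GET /update/bot.exe HTTP/1.1" 200 51200
203.0.113.7 - - [03/Jan/2012:11:42:00 +0100] "GET /update/bot.exe HTTP/1.1" 200 51200
192.0.2.44 - - [03/Jan/2012:10:02:00 +0100] "GET /index.html HTTP/1.1" 200 812
192.0.2.44 - - [03/Jan/2012:10:02:01 +0100] "GET /update/bot.exe HTTP/1.1" 404 0
"""
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')
TS = "%d/%b/%Y:%H:%M:%S %z"


def parse(text):
    """Yield (ip, timestamp, path, status) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ip, ts, _method, path, status, _size = m.groups()
            yield ip, datetime.strptime(ts, TS), path, int(status)


def impact(text, payload="/update/bot.exe"):
    """Count successful payload downloads and unique IPs; for every IP give
    the median gap in seconds between its fetches (None if it fetched once)."""
    hits = defaultdict(list)
    for ip, when, path, status in parse(text):
        if path == payload and status == 200:   # only completed downloads
            hits[ip].append(when)
    intervals = {}
    for ip, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        intervals[ip] = median(gaps) if gaps else None
    return {"downloads": sum(len(t) for t in hits.values()),
            "unique_ips": len(hits),
            "median_interval": intervals}


if __name__ == "__main__":
    print(impact(LOG))
```

Unique IPs understate infected machines behind NAT and overstate them for clients with dynamic addresses, which is why the interval per IP is a useful second signal.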
  39. Problems
     - Botnet servers are often on victims' servers: but is it really a victim?
     - No knowledge servers in BE
     - Language problem during analysis of the CC server
     - Is it the role of the police / CERT? If the CERT does it (e.g. Finland) => fast, but do we go after the criminals afterwards? Which incidents are severe enough to report to the police? If the police does it: which botnet servers do we analyse? Malware analysis => help from the AV industry?
  40. Do we really have an impact?
     - Several hundreds of botnets
     - 5,000 – 10,000 botnet servers worldwide
     - Millions of infected end users => need for action in every country
  41. Contact information
     Federal Judicial Police
     Direction for Economical and Financial Crime
     Federal Computer Crime Unit
     Notelaarstraat 211 - 1000 Brussels – Belgium
     Tel office: +32 2 743 74 74
     Fax: +32 2 743 74 19
     E-mail: luc.beirens@fccu.be
     Twitter: @LucBeirens
     Blog: LucBeirens.blogspot.com