Cybercrime - Attack of the Cyber Spies

Globally, cybercrime caused €83bn of damage. This presentation looks at the dangers and the measures you can take to stay safe. To view the webcast click here: https://www.brighttalk.com/webcast/6331/90937

  • Hello everybody, I'd like to welcome you all to our webcast today. My name is Andrew Horbury and I'm a Product Marketing Manager for Symantec Website Security Solutions. We are best known for providing SSL, code signing and certificate automation and management tools. Due to the nature of our business, a lot of what we see online gives us a fantastic insight into the threat landscape and the everyday threats that we see targeting consumers and businesses. This presentation is called "Attack of the Cyber Spies", but the title only tells part of the story. I'm going to talk about how we are being targeted and attacked, and what we are potentially doing to make life easier for the cyber spies. Cybercrime is growing, but at what rate, and who is being targeted? We as consumers are of course being targeted, but at what level, and what is the monetary value of what is being stolen? How are the targets and tactics changing, what's new and what is working? I'm going to spend the next 40 minutes talking about this; along the way there will be an opportunity for you to ask questions and download resources.
  • I want to highlight where much of the information we are going to discuss today comes from and how it is sourced. As a company, Symantec has established one of the most comprehensive sources of Internet threat intelligence in the world, compiled from around 70 million attack sensors which record thousands of events every second of every day in almost 160 countries. Symantec maintains one of the world's most comprehensive vulnerability databases, which currently consists of more than 50,000 recorded vulnerabilities (spanning the last two decades) from almost 17,000 vendors representing over 43,000 products. Spam, phishing and malware data is captured through a variety of sources, including a system of more than 5 million decoy accounts; over 3 billion email messages and more than 1.4 billion web requests are processed each day across 14 data centres. And then Symantec's Website Security Solutions technology (the division of the business that I work in) scans over 1.5 million websites each year, and on a daily basis scans over 130,000 URLs for malware and performs a further 1,400 vulnerability scans.
  • First I want to set the scene and give you an insight into what we see in the consumer world. On screen now is a statistic that we track on an annual basis: the total global cost of cybercrime, which for 2013 is EUR 83 billion. Last year the cost was EUR 75 billion, so we've seen a slight increase since 2012. These are figures from the annual Norton Cybercrime Report, a study that focuses on people, consumers like you and me. We've arrived at these numbers by taking the information directly reported to us by the 13,000 respondents to our annual cybercrime survey from 24 countries and extrapolating the figures to the worldwide population. We've also removed any anomalies, that is, respondents who self-reported losses dramatically higher than the average. The figure only includes direct costs and not the time spent resolving the crime. It's also worth noting that though the total cost went up this year, we have seen consistent results year over year across different respondent groups, providing further evidence that the findings from this study are reliable, replicable and valid. The average victim of cybercrime loses EUR 220, which represents a 50 percent increase over last year's findings. Our research tells us that this is again the result of cybercriminals becoming more efficient in their attacks. While fake antivirus software was once the dominant threat, ransomware has now taken over. This has likely been a calculated move by cybercriminals, as ransomware is a lot more profitable for them. In previous years we've seen a large percentage of people victimised by fake AV software, where they could be scammed out of EUR 40 to EUR 100, the "market price" of other, legitimate AV. However, with ransomware, where criminals pose as law enforcement or another authority, there is no limit to the amount they can demand from their victims.
  • Let's take a closer look at the direct costs of cybercrime by focusing on the costs for particular countries and regions. Within our study we extrapolated the direct cash costs for specific countries to bring home the point that cybercrime is a global problem that affects us all. Many of the figures for country and regional costs were similar to last year's. One notable exception was the U.S., where losses have increased from 21 million to 38 million.
  • I think this year we've seen some significant differences in attack motives, and I'd like to highlight the differences between so-called hacktivism and cyber criminals. Before I do that, though, I'd like to refer to a recent survey from ESG, who asked 244 enterprise security professionals working at companies employing 1,000 or more employees to identify the groups that pose the greatest security threat to their organisation (in terms of launching a targeted attack against them, such as an Advanced Persistent Threat). The results were as follows (note: multiple responses were permitted):
    1. Hacktivists (defined as groups who use computer hacking as a form of protest or civil disobedience), 46%
    2. Organized crime, 42%
    3. Competitors conducting industrial espionage, 41%
    4. Nation state, 34%
    5. Terrorist organization, 28%
    6. None of the above, 5%
    Whether you deem hacktivists criminals or not is a point I'm not going to cover here. Hacktivist groups created their fair share of misery and mayhem last year: they stole more data than any other group. Their entrance onto the stage also served to change the landscape somewhat with regard to the motivations behind breaches. While good old-fashioned greed and avarice were still the prime movers, ideological dissent and schadenfreude took a more prominent role. True, when it comes to motivation there is a difference. Hacktivists are trying to advance a cause and target those they believe are against that cause, obviously a different motivation from the simple pursuit of other people's money. But the tactics and results are the same, and for the targeted organisation that's what really matters. There shouldn't be any difference in the defences you put in place for a hacktivist or a common thief.
    It is worth noting that the most common attack methods are social engineering (phishing and watering hole attacks, for example) and the exploitation of weak passwords, a lack of up-to-date patching and other lax company security policies. The main point here is that if you discover your company has been breached, the nature of the stolen data and how it was lifted matter more than the motivation of the attackers. The answer to the threat is the same as it ever was: organisations need a program of layered security technologies and policies. They have to make employees use stronger passwords. They have to educate the masses on the social engineering tricks out there.
  • So what type of activity do we see, and how can you prepare for and react to it? I'm going to talk about different motivations, the insider threat, and how you might detect and react to them.
  • The first thing to note is that cyber criminals have time and money; some groups are very well resourced.
  • They are also global and highly skilled.
  • Reflecting what we saw in the earlier slide on cybercrime, attackers prefer to target companies and organisations in developed countries with relatively large populations and wealthy residents. This makes perfect sense, as there is a large potential base of individuals to compromise with a high potential return. Spoken language, and countries where international transactions are more difficult and require local steps to launder the money, are additional factors which influence attacker decisions; after all, why make things difficult when they don't have to be? Go for the low-hanging fruit, as there is plenty of it around. Looking at the graph above you can see there is a very definite sweet spot for the English-speaking countries (or those where English is acceptable to use), because you can for the most part reuse and repurpose the attacks very easily.
  • 7 December 2012 — Wealthy countries with smaller populations are also attacked, but to a much lesser degree (as is the case with Malta and Cyprus, on screen now). In addition, attacking groups may change their targets over time, switching target institutions to avoid attracting too much attention. Interestingly, Belgium, a developed nation with a population of approximately 10 million and wealth per capita of just over $80 thousand, appears to be a good target, but no configuration files we examined targeted its institutions. Financial institutions in Belgium tend to use more robust security measures like smart card readers, which may well deter would-be attackers, who move on to other countries with less security or more profitable institutions. Out-of-band transaction verification significantly reduces the ability to socially engineer a fraudulent transaction. Although this technology is not immune to attack, the institution inherently becomes a less desirable target, because why make life more difficult for yourself? This is evidence that if you do have layers of security and prevention mechanisms, it really does help to protect you in some way, shape or form. In the same way, a car criminal will try car doors until finally they come across an unlocked car; this is much easier and less risky than smashing a window.
  • So who is doing this? Well, rather than focus on the hacktivist, let's look at a group of hackers for hire. I think we all know that there are organised gangs out there. Wikipedia tells me that a decent definition of organised crime is "a term that categorises transnational, national, or local groupings of highly centralized enterprises run by criminals", and we've recently seen reports of what appears to be a highly resourced, agile and organised hacking group that has been given the name Hidden Lynx (named after a string found in the command and control server communications). This team has been behind several campaigns, including the compromise of Bit9's trusted file-signing infrastructure in February of this year.
  • The group has also targeted hundreds of different organisations in a whole host of regions and often undertakes campaigns concurrently. Symantec's Threat Intelligence team have blogged extensively on this subject and believe that Hidden Lynx are the best of breed in terms of hackers for hire. The Hidden Lynx attackers have demonstrated cutting-edge technical skills throughout these campaigns. If you've heard any of our webinars in the past you might well recall watering hole attacks; it was this team that pioneered the watering-hole technique, and they had access to a number of zero-day vulnerabilities. Along with this, they have been seen attacking supply chains and lying in wait until they compromise their real targets through these channels. The attackers have proven to be very calculated, strategic and patient. Hidden Lynx are professional hackers-for-hire who allow prospective clients to contract with them to undertake campaigns. Given the type of skills and expertise offered, it is likely that the group is made up of a considerable number of attackers, possibly somewhere between 50 and 100 operatives, who are split into at least two teams that focus on different activities using specific tools and methods. One team appears to focus on disposable tools with basic but effective techniques to attack several targets, whilst the other main team is made up of elite attackers that use their tools more sparingly and focus primarily on high-value targets.
  • As the previous slides have indicated, criminals will look for your weakest link, and your weakest link could be your employees, your website or even your unpatched servers.
  • Let's focus on the weak links in your infrastructure for a moment. In the last year we have seen an increase in zero-day vulnerabilities: there were 14 previously unreported vulnerabilities first seen being used in the wild in 2012. In the last three years much of the growth in zero-day vulnerabilities used in attacks can be attributed to two groups, the authors of Stuxnet and the Elderwood Gang. In 2010, Stuxnet was responsible for 4 of the 14 discovered zero-day vulnerabilities. The Elderwood Gang was responsible for 4 of the 14 discovered in 2012. The Elderwood Gang also used zero-day threats in 2010 and 2011, and they've used at least one so far in 2013. Generally speaking, attackers use as many zero-day vulnerabilities as they need, not as many as they have; they tend to keep their powder dry. Stuxnet and Elderwood make for an interesting contrast in the strategy of their use. Stuxnet remains the aberration, using multiple zero-day exploits in one attack. From what we know today, it was a single attack directed at a single target, and multiple zero-day exploits were used to ensure success so that a second attack would not be needed. By contrast, the Elderwood Gang has used one zero-day exploit per attack, using it continually until that exploit becomes public and is patched. Once that occurs they move on to a new exploit. This makes it seem that the Elderwood Gang has a limitless supply of zero-day vulnerabilities and is able to move to a new exploit as soon as one is needed.
  • Looking at other vulnerabilities, we can see that the number is slightly up in the last year, from 4,989 in 2011 to 5,291 in 2012. And whilst zero-day vulnerabilities present a very serious security threat, known (and even patched) vulnerabilities are dangerous if ignored. Many companies and consumers fail to apply published updates and patches in a timely way. Toolkits that target well-known vulnerabilities make it easy for criminals to target millions of PCs and find the ones that remain open to infection. And perhaps one of the most interesting points I want to make today is that the vulnerabilities that are most exploited are often not the newest.
  • And these vulnerabilities are being exploited. Looking at the graph on screen now, you can see that the rate of web-based attacks blocked per day increased by 30 percent year on year, while the rate of discovery of vulnerabilities increased by only 6 percent. As you can see, cyber criminals still make extensive use of known vulnerabilities; it's these unpatched loopholes that continue to be a popular means of carrying out attacks. The numbers are in themselves, I think, quite telling, particularly when you compare them with those searching for a security solution that covers the 'threats of tomorrow'. These numbers, and the evidence that we've seen, highlight how unsophisticated attacks on corporate networks can have an effect without resorting to expensive zero-day exploits. Whether it's exploiting poor security practices, misconfigured security devices or staff that lack security training, companies should understand that it is possible to gain control of most parts of an organisation even though no new attacks or methods are used. We've seen some data that indicates that the time from when a vulnerability is detected to when it is patched is "almost uniform in every country", indicating that this is a global trend. It is therefore essential to shift the approach to security from stand-alone tools to integrated solutions as part of business processes.
  • So what might be a popular way in? Web servers can be attacked by malware just like desktop PCs.
    In 2012, Symantec scanned over 1.5 million websites for malware.
    Over 130,000 URLs were scanned for malware each day, with 1 in 532 websites found to be infected with malware.
    Approximately 53 percent of websites scanned were found to have unpatched, potentially exploitable vulnerabilities (36 percent in 2011), of which 25 percent were deemed to be critical. The most common vulnerability found was cross-site scripting.
    With all these unpatched vulnerabilities in legitimate websites there is no need for malware authors to set up their own. In fact 61% of all malicious websites are legitimate sites, so as we can see this is a significant issue.
  • And if it's not the website that is being used against us, then it might well be your employees.
  • So let's look at insiders. Forbes reports: if a police sketch artist were to draw the person who was trying to steal internal data and information, what would that person look like? A masked Houdini? Would it be a haggard, red-eyed hacker working in a basement? Would it be a member of the criminal underground or a national secret agent acting under orders? Or is it more likely to be the familiar, friendly, smiling face within your own organisation? http://www.forbes.com/sites/ciocentral/2012/08/27/intelectual-property-theft-beware-the-enemy-within/
    So far we've really focused on the faceless threat, which is why we have countermeasures such as firewalls, antivirus software and intrusion detection systems that are all aimed at these threats. Yet these measures do little to counter an even greater threat: that of malicious insiders within the organisation. And it seems that many organisations do not treat these threats seriously. Such threats include fraud, sabotage, and theft or loss of confidential information caused by trusted insiders. These threats go beyond negligence. They represent purposeful action on the part of insiders to act in opposition to the interests of the organisation, whether for financial gain, retribution or some other motivation. I think we can divide these up into four distinct categories:
    The disgruntled employee: the employee who feels they have been personally disrespected, perhaps due to an expected pay rise that failed to materialise, a negative review, or a disagreement over time off, demotions, transfers or other similar issues. In this instance, revenge would seem to be the employee's motive.
    The profit-seeking employee: this is like hacking for profit, driven by greed, as money is a simple motivation for many people. They work for a wage; however, by stealing information they can make more money selling the stolen data or modifying the data to steal an identity. The information could be relatively easy for the employee to access and steal, plus the theft can be rationalised because, as a malicious insider might say, "The company won't even miss it."
    An employee who is moving on to a competitor or starting a business: for someone starting a business in the same field, the theft of customer lists, business plans, and even simple forms or templates can be tempting. Alternatively, imagine the employee leaving to work for a competitor. Perhaps the new employer has hinted that such an exchange of information could help the new employee progress at a faster rate.
    Finally, it could be an employee who believes they own the code or product: in this instance, employees feel a sense of ownership over code they wrote or a product they developed, so they take the code for their future use or even for their next job.
    What do you need to focus on here?
    Know your people.
    Focus on deterrence, not detection.
    Identify the information that is most likely to be valuable.
    Monitor ingress and egress: look at, and consider restricting, the flow of information outbound from one network to another, and look at solutions like data loss prevention.
    Baseline normal activity: start base-lining normal user activity and looking for what could be perceived as abnormal activity.
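As an added example, not part of the webcast and not Symantec's tooling, here is a minimal version of the "monitor egress" and "baseline normal activity" advice above in Python. It reads constructed proxy-style log lines (date, user, destination, bytes out; the users, hosts and volumes are invented), builds a walk-forward baseline of each user's daily outbound volume, and flags a day that sits far above that baseline, noting whether the day also involved a destination the user had never contacted before. The log format and the thresholds are assumptions made for illustration.

```python
"""Baseline per-user outbound volume and flag days that deviate from it.

Added example, not code from the webcast. The log format, users, hosts and
thresholds are assumptions made for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy-style log: "<date> <user> <destination> <bytes_out>".
SAMPLE_LOG = """\
2013-10-01 alice fileshare.example.net 120000
2013-10-02 alice fileshare.example.net 98000
2013-10-03 alice mail.example.com 110000
2013-10-04 alice fileshare.example.net 105000
2013-10-05 alice fileshare.example.net 102000
2013-10-06 alice fileshare.example.net 99000
2013-10-07 alice 203.0.113.45 950000000
2013-10-01 bob crm.example.com 50000
2013-10-02 bob crm.example.com 52000
2013-10-03 bob crm.example.com 48000
2013-10-04 bob crm.example.com 51000
2013-10-05 bob crm.example.com 49000
2013-10-06 bob crm.example.com 50500
2013-10-07 bob crm.example.com 53000
"""


def parse_log(text):
    """Return (date, user, destination, bytes_out) tuples, skipping blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, user, dest, nbytes = line.split()
        records.append((date, user, dest, int(nbytes)))
    return records


def find_egress_anomalies(records, min_history=5, z_threshold=3.0, ratio_threshold=10.0):
    """Walk each user's days in order and compare each day with the days before it.

    A day is flagged when its outbound volume is more than z_threshold standard
    deviations above the user's earlier days, or more than ratio_threshold times
    their mean (the ratio test covers users whose history has zero spread).
    Flagged days are kept out of the baseline so an outlier cannot become the
    new normal. Each finding also lists destinations first seen on that day.
    """
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for date, user, dest, nbytes in records:
        totals[user][date] += nbytes
        dests[(user, date)].add(dest)

    findings = []
    for user in sorted(totals):
        history = []          # daily totals accepted into the baseline
        known_dests = set()   # destinations seen on earlier days
        for date in sorted(totals[user]):
            nbytes = totals[user][date]
            reasons = []
            if len(history) >= min_history:
                base = mean(history)
                spread = pstdev(history)
                if spread > 0 and (nbytes - base) / spread > z_threshold:
                    reasons.append("z-score %.1f above baseline" % ((nbytes - base) / spread))
                if base > 0 and nbytes > ratio_threshold * base:
                    reasons.append("%.0fx the baseline mean" % (nbytes / base))
            new_dests = sorted(dests[(user, date)] - known_dests)
            if reasons:
                findings.append({
                    "user": user,
                    "date": date,
                    "bytes_out": nbytes,
                    "baseline_mean": round(mean(history)),
                    "new_destinations": new_dests,
                    "reasons": reasons,
                })
            else:
                history.append(nbytes)
            known_dests.update(dests[(user, date)])
    return findings


if __name__ == "__main__":
    for f in find_egress_anomalies(parse_log(SAMPLE_LOG)):
        print("%(date)s %(user)s sent %(bytes_out)d bytes (baseline %(baseline_mean)d): "
              "%(reasons)s; new destinations %(new_destinations)s" % f)
```

On the sample data only alice's last day is reported: roughly 9,000 times her usual volume, sent to an address she had never contacted. Two design points matter in practice: the baseline is built only from days that preceded the one under test, so a single large exfiltration cannot quietly raise its own threshold, and a "new destination" is attached as context rather than used as a trigger on its own, because users legitimately contact new hosts all the time. Real deployments would key on more than volume (time of day, destination category, file types seen by DLP) and would tune the thresholds per population.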
  • And they are good at it
  • If they don’t get you one way they will try another…..
  • Here is one of those senior people. He was targeted relentlessly; in the end they couldn't get to him, so they went to try someone else, someone easier to attack.
  • And so how might they do this? Criminals use well-known names and brands to trick people into disclosing confidential information or installing malware. Often, they use fake websites to fool people. The best-known example of this kind of attack, known as 'phishing', is when a fraudster uses a fake bank site to lure customers into revealing bank or credit card details and passwords.

    A more recent development has seen scammers use social media to lure people to fake websites where they disclose information, such as social media website passwords, in the hope of some reward such as free vouchers or a free phone. And this is part of the reason why malware is continuing to rise: cybercriminals are taking advantage of social media, which is viral in nature, and people are less suspicious of content from friends. And of course, by installing malware, the known vulnerabilities can continue to be exploited, and the ready availability of toolkits to distribute malware helps the circle of life go on. 79 percent of companies experienced one or more Web-borne attacks in 2012, and 55 percent were affected by phishing attacks.
  • For those of you not familiar with ransomware: typically this is a tactic where an application is installed onto a PC which then locks it, and it can only be unlocked in return for a fee. There have been stories recently where police departments have been caught out, which is particularly ironic when you consider that the advice from law enforcement agencies the world over is to never pay the fee demanded by those holding a hostage, but one Massachusetts police department has admitted that it paid approximately US $700 to unlock one of its computers that had become infected with the CryptoLocker variant of the ransomware malware. The standard fee for unlocking appears to be a flat US$300 "release fee", as they call it, to free up the victim's computer from some made-up accusation. But, as the cybercriminals become more wily, they have reasoned that if a victim is willing to pay US$300 for allegedly viewing "something like pornography" then perhaps they may also like to buy other value-added services, such as the option to wipe their criminal record and, as they've termed it, "avoid any problems at work and other places where criminal records can be checked", a snip at only US$450 extra! And of course, it's all more money down the drain for the paranoid victim.
  • On screen now you can see a typical example of ransomware, and there are plenty of indications that Cryptolocker ransomware is wreaking havoc among unsuspecting users across the globe. At this point, all major AV providers have good protection against the Cryptolocker threat. However, as Microsoft reported a few months ago, roughly 25 per cent of computers are not running any real-time protection against malware. This statistic is based on data from a pool of computers in excess of 600 million. If we assume these numbers to be correct, then this suggests that there are at least 150 million computers that are easily susceptible to infection by Cryptolocker. That's clearly a huge number, and with the Cryptolocker ransom at around US$300 per computer that's a whole lot of money to be made: around $45 billion!
  • As we can see here from this graph the Ransomware threat is growing and growing and while it can be tempting to just pay up when faced with looming deadlines or potential loss of critical data, paying these fees will only further embolden the attackers. The police are setting a really bad example not just in terms of their response but also how they run their IT systems. In the case of Cryptolocker, the maxim of prevention is better than cure is most definitely true. A multi-layered approach is once again the best policy for dealing with this threat.
  • So let's look at targeted attacks and alternative ways in. Earlier I spoke about assumptions that smaller businesses might not be targets. Let's take a look.
  • Targeted attacks are aimed at one person or a specific group of people. Until relatively recently, writers of viruses were trying to spread their malware to as many computer users as possible in order to make a name for themselves. But today cybercriminals are largely driven by financial motives, and targeted assaults are replacing global widespread virus outbreaks because these are much more profitable. On screen now you can see that public sector, banking and manufacturing are the most targeted industries.
  • So let's take a look at the sizes of businesses that are being targeted. The graphic on screen now highlights that 50% of businesses targeted employ 2500+, but what's surprised us more than anything recently is that for the last two years this makes up only half of the targeted attacks. The biggest growth we've seen was against smaller companies, those employing fewer than 250 people. This sector of the market made up 31% of all attacks. As we saw earlier the aim is to make money, and criminals don't care where the money comes from; they simply want to take it and will target whoever they think they can get it from, and smaller businesses perhaps represent lower-hanging fruit.
  • A Ponemon survey of 2000 IT managers reports that 44% of those surveyed say that a strong security policy is not a priority and 58% claim that management do not see cyber attacks as a significant threat.
  • As we saw on a previous slide Executives are no longer the leading targets of choice – attackers have moved to knowledge workers - employees who work on or have access to company intellectual property. Sales employees are also a very popular target for attack. But all employees run the risk of being targeted and consequently should be protected.
  • You know, it's not just about direct attacks or email.
  • The biggest innovation in targeted attacks was the emergence of watering hole attacks. This involves compromising a legitimate website that a targeted victim might visit and using it to install malware on their computer.
  • For example, this year we saw a line of code in a tracking script on a human rights organisation's website with the potential to compromise a computer. It exploited a new, zero-day vulnerability in Internet Explorer to infect visitors. Our data showed that within 24 hours, people in 500 different large companies and government organizations visited the site and ran the risk of infection. The attackers in this case used sophisticated tools and exploited zero-day vulnerabilities in their attacks, pointing to a well-resourced team backed by a large criminal organization or a nation state.
  • I want to give a quick example of a watering hole attack. This example is of an attack on a legitimate site visited by iOS developers. The Elderwood gang managed to exploit a vulnerability in this website and inject malware into it. This site is by no means a mainstream site, but the visitors tend to be the type of mobile developers targeted. There were about 40+ developers infected in this attack. These victims worked for companies such as Twitter and Facebook but also smaller app developers. By planting malware on this site the attackers were able to infect any visitor. It is unclear if the attackers were looking for one specific company to attack, or any vendor of iOS applications who visited the site. It's important to remember that the website used in a watering hole attack is also a victim. As a company, Symantec has solutions that can help protect your site from attacks like this: we have website security solutions that can encrypt the traffic to your site and also scan your site for any possible vulnerabilities and malware. I know if I were running a similar site to this one right now, I'd be exploring how I could demonstrate to my visitors that they can be assured that what happened here could not happen to them.
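The two watering hole cases above have the same shape from the site owner's side: a page starts referencing a script it never used, or a script it already trusted (the tracking script in the human rights case) gains a line. The Python below is an added example written for this page, not code from the presentation or from Symantec, showing two checks a site owner can run against their own pages: an allowlist of the hosts scripts may be loaded from, and a content digest of each known script compared with the digest recorded when the site was last verified. The page markup, script bodies, hostnames and allowlist are constructed assumptions.

```python
"""Added example (not from the presentation or from Symantec): two checks a
site owner can run to notice the kind of injection described above. The
page markup, script bodies, hostnames and allowlist are constructed
assumptions."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect the src of every external <script> and count inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline_count = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_count += 1


def script_sources(html):
    """Return (list of external script URLs, number of non-empty inline scripts)."""
    collector = ScriptCollector()
    collector.feed(html)
    return collector.external, collector.inline_count


def unexpected_script_hosts(html, site_host, allowed_hosts):
    """Check 1: external scripts loaded from a host that is neither the site
    itself nor an approved third party (e.g. the analytics provider)."""
    external, _ = script_sources(html)
    flagged = []
    for src in external:
        host = urlparse(src).netloc.lower()
        if host in ("", site_host):      # relative URL or same-origin
            continue
        if host not in allowed_hosts:
            flagged.append(src)
    return flagged


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def changed_scripts(current_contents, known_digests):
    """Check 2: compare the bytes now served for each known script against
    the digest recorded when the site was last verified. A host allowlist
    alone misses the case where a line is added inside an already trusted
    tracking script; a content digest catches it."""
    return sorted(url for url, data in current_contents.items()
                  if known_digests.get(url) != sha256_hex(data))


# Constructed pages: the site as verified, and the same page with an extra
# script tag pointing at a host the site never used.
SITE_HOST = "www.example.com"
ALLOWED_HOSTS = {"analytics.example-tracker.com"}
CLEAN_PAGE = (
    '<html><head><script src="/js/app.js"></script>'
    '<script src="https://analytics.example-tracker.com/track.js"></script>'
    '</head><body><script>init();</script></body></html>'
)
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</head>", '<script src="https://unknown-cdn.invalid/stats.js"></script></head>')

# Constructed script bodies: the tracking script gained a line since verification.
KNOWN_DIGESTS = {
    "/js/app.js": sha256_hex(b"function init(){}"),
    "https://analytics.example-tracker.com/track.js": sha256_hex(b"track();"),
}
CURRENT_CONTENTS = {
    "/js/app.js": b"function init(){}",
    "https://analytics.example-tracker.com/track.js": b"track();\nloadExtra();",
}

if __name__ == "__main__":
    print(unexpected_script_hosts(TAMPERED_PAGE, SITE_HOST, ALLOWED_HOSTS))
    print(changed_scripts(CURRENT_CONTENTS, KNOWN_DIGESTS))
```

Run on the constructed input, the first check flags only the script from the unknown host on the tampered page, and the second flags the tracking script whose bytes no longer match the recorded digest. A real deployment would fetch the pages and scripts over the network and keep the recorded digests somewhere the web server cannot write to, otherwise whoever can modify the site can also update the baseline.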
  • This type of attack is not really so new. Particularly if you work in sales, you've always known that, when possible, it helps to call ahead and let a prospect know that you'll be sending an email with a proposal, or the details they requested. Well, it would also seem that cyber criminals have been paying attention to this tactic and are doing the same thing, with alarming success. In this pretty sophisticated spear-phishing attack, cyber criminals are calling various accounting and finance department employees in targeted French companies, along with their subsidiaries in Romania and Luxembourg, and asking if they can email over an invoice.
  • The unsuspecting victim on the other end of the phone (who typically deals with numerous invoices a day) agrees to receive the emailed invoice. However, when they open the email they either click a link or download an attachment that contains a variant of the remote access Trojan W32.Shadesrat, which can be used to steal passwords and launch DDoS attacks. As we noted a few slides back, cyber criminals typically don't have to look long and hard for data about their victims. Email addresses and phone numbers are often available on various websites and directories, or in corporate information such as brochures, white papers, executive reports and more, so this one is a relatively simple attack to carry out, but the rewards can be fruitful. It seems it really is better to call ahead before sending malware.
  • So as we’ve seen the cybercrime threat is very real and as there is seemingly malware for every device then we really need to be aware of what we use and how we use it. PC users are targeted with banking Trojans, ransomware and rootkits, but Mac users also face threats such as phishing sites, fake antiviruses and spyware. When it comes to smartphones and tablets, cybercriminals have developed all sorts of malicious elements designed to target such devices. So it’s clear that no matter what type of device we have, it’s vulnerable to cybercriminal attacks. This is why it’s important to deploy security software on all of them. The most efficient way to do this is by using a multi-device solution but can you control all the devices being brought into your organisations?
  • So, coming to the end of the presentation, in terms of where to go next I wanted to quickly share this slide with you. This is perhaps how you might want to consider addressing cyber risks: stay ahead of threats, gain complete visibility across your organisation, focus on top cyber priorities, build a sustainable program, not one that works only for today, and, to gain buy-in, present it in a business context: understand the risk and present it accordingly.
  • But by then isn't it already too late?
  • Cybercrime - Attack of the Cyber Spies

    1. 1. Cybercrime – Attack of the Cyber Spies 3 December 2013 Andrew Horbury Senior Product Marketing Manager Symantec Website Security Solutions
    2. 2. Cybercrime is a growing challenge 2
    3. 3. Agenda today
        1 Cybercrime cost in numbers
        2 Attack types and targets
        3 Vulnerabilities
        4 Insiders
        5 Phishing and Ransomware
        6 Watering holes and different attack tactics
        7 Conclusion and resources
    4. 4. The global price tag of consumer cybercrime: €83 BN, which is enough to host the 2012 London Olympics nearly 10 times over. Breakdown: Fraud 38%, Repairs 24%, Theft or loss 21%, Other 17%. €220 average cost per victim, a 50% increase over 2012
    5. 5. The global price tag of consumer cybercrime [world map of consumer cybercrime cost by country or region, all amounts in euro; regions shown: USA, Europe, China, Russia, Mexico, India, Japan, Brazil, Australia, South Africa; per-region figures shown range from 0.2 BN to 28 BN]
    6. 6. Different motives – Different attacks Hacktivism Money DDoS Banking Trojan Defacement Extortion SQL Injection Scam Espionage/Sabotage 6
    7. 7. Different motives – Different attacks. Who is behind attacks: 1. Hacktivists, 46%; 2. Organised crime, 42%; 3. Competitors/industrial espionage, 41%; 4. Nation state, 34%; 5. Terrorist organisation, 28%. Motives: Hacktivism, Money. Attack types: DDoS, Banking Trojan, Defacement, Extortion, SQL Injection, Scam, Espionage/Sabotage
    9. 9. What activity do we see? And how can you prepare and react? Motivation and Activity Employee Challenges How you will detect and react 9
    10. 10. Cyber Criminals have time and money 10
    11. 11. They are global and skilled 11
    12. 12. Top Targeted Countries Per Financial Trojan Family Count [chart: per country, Population x Wealth per Capita (in billions, left axis $0 to $50,000) plotted against Trojan Family Count (right axis 0 to 7), with a linear trend line for Trojan Family Count]
    14. 14. Financial Trojans - Profile of Countries
        • Preferred targets: developed country, sizeable wealthy population
        • Fewer banks means less variation needed by the attacker

        Country          Banks  Population  Wealth Per Capita  Number of Threats
        United Kingdom      52    62262000             128959                  6
        Germany           1873    81857000              89871                  5
        Austria            752     8452835              66639                  5
        Netherlands        277    16751323             120086                  5
        Italy              729    60849247             119704                  4
        France             644    65350000              93729                  4
        Spain              322    46163116              92253                  4
        Ireland            472     4588252              89327                  3
        Finland            313     5424360              38754                  2
        Portugal           154    10561614              53357                  2
        Lithuania          141     3180394              22126                  2
        Cyprus             137      838897              99526                  2
        Malta               27      417617              75694                  1
        Estonia             16     1294236              26361                  1
        Belgium            107    10839905              85818                  0
        Slovakia            29     5445324              23968                  0
        Slovenia            25     2061400              36672                  0
        (Number of threats found in EU countries)
    16. 16. Hidden Lynx Can penetrate tough targets 16
    17. 17. Hidden Lynx Diverse range of targets Can penetrate tough targets 17
    18. 18. Hidden Lynx Diverse range of targets Can penetrate tough targets Well resourced 50-100 people 18
    19. 19. Hidden Lynx Diverse range of targets Well resourced 50-100 people Can penetrate tough targets Concurrent campaigns 19
    20. 20. Hidden Lynx 2 20
    21. 21. Cybercriminals will look for your weakest link 21
    22. 22. Zero-Day Vulnerabilities [chart: number of zero-day vulnerabilities per year, 2006 to 2012, showing total volume and the share attributed to Stuxnet and Elderwood]
        • One group can significantly affect yearly numbers
        • Elderwood Gang drove the rise in zero-day vulnerabilities
    23. 23. All Vulnerabilities [chart: total vulnerabilities per year, 2006 to 2012; the yearly values shown are 4,644; 4,814; 4,842; 4,989; 5,291; 5,562 and 6,253]
        • No significant rise or fall in discovery of new vulnerabilities in last 6 years
    24. 24. 30% increase in web attacks blocked… 247,350 190,370 2011 2012 24
    25. 25. Our Websites are Being Used Against Us: 61% of web sites serving malware are legitimate sites; 53% of legitimate websites have unpatched vulnerabilities; 25% have critical vulnerabilities unpatched
    26. 26. Are your employees are the cybercriminals greatest ally? 26
    27. 27. Malicious Insiders could pose the greatest risk Who are they? 1. The disgruntled employee 2. The profit-seeking employee 3. A soon to depart employee 4. The one who owns the code 27
    28. 28. Malicious Insiders could pose the greatest risk Considerations • Know your people • Focus on deterrence, not detection • Identify information that is most likely to be valuable • Monitor ingress and egress • Baseline normal activity 28
    29. 29. Cybercriminals will find your most sensitive information even if you can’t 29
    30. 30. Your assumptions are wrong! Don’t’ assume you are not a target. Targets are not always the CEO or senior managers 30
    31. 31. Cybercriminals are Persistent and Flexible 31
    32. 32. Your assumptions are wrong! Don’t’ assume you are not a target. Targets are not always large orgs and governments 32
    33. 33. Use Case: Taidoor 33
    34. 34. Phishing (Brand impersonation). Criminals use well-known brands to trick people into disclosing information or installing malware.
        • 79% of companies experienced one or more Web-borne attacks in 2012, and 55 percent were affected by phishing attacks.*
        • 20% more brands were targeted by attackers in the first half of 2013
        • 30% of people will still open a suspicious email
        *Webroot/Qualittics Research 2012
    35. 35. Ransomware
        • Anti-Fraud Service for Fraudsters
        • Multiple pricing options
        • "FBI" Ransomware – now offers optional extras – authors resort to disturbing images in bid to make victims pay
        • Cryptolocker – continues to cause problems – roughly 25 per cent of computers are not running any real-time protection vs. malware – encrypts files with full PKI encryption and sets a deadline – offers a discount? 2 → 0.5 Bitcoins
    37. 37. Ransomware is ever present
        • New variants encrypt data with strong cryptography
        • Making an appearance on mobile devices
        • Problem: People don't back up their data!
        [chart: Percentage of Ransomware infections in the Netherlands, January to August, y-axis 0.00% to 5.00%]
    38. 38. Targeted Attacks can come via partners, customers or suppliers Everyone is a target now. 38
    39. 39. Top targeted sectors in 2013 [bar chart comparing July-Dec 2012 with Jan-June 2013, share of attacks on a 0 to 0.3 scale]: Government / Public Sector / Academia; Manufacturing; Banking / Financial Services / Real Estate; Computer/IT; Energy; Services; Food/Agriculture; Transport/Logistic; Raw Material / Mining / Chemical; WholeSales / Distributor
    40. 40. Targeted Attacks by Company Size: 2,501+ employees 50%; 1 to 2,500 employees 50% (1,501 to 2,500: 9%; 1,001 to 1,500: 2%; 501 to 1,000: 3%; 251 to 500: 5%; 1 to 250: 31%, up from 18% in 2011)
        • Greatest growth in 2012 is at companies with <250 employees
        • Small business often not well protected, but connected to others
    41. 41. Targeted Attacks by Company Size: 2,501+ employees 50%; 1 to 2,500 employees 50% (1,501 to 2,500: 9%; 1,001 to 1,500: 2%; 501 to 1,000: 3%; 251 to 500: 5%; 1 to 250: 31%, up from 18% in 2011)
        • 87% of SMBs suffered a cyberattack last year, only 44% see security as a priority
        • Greatest growth in 2012 is at companies with <250 employees
        • Small business often not well protected, but connected to others
    42. 42. Targeted Attacks by Job Function: R&D 27%; Sales 24%; C-Level 17%; Shared Mailbox 13%; Senior 12%; Recruitment 4%; Media 3%; PA 1%
        Attacks may start with the ultimate target, but often look opportunistically for any entry into a company
    43. 43. It’s not just about direct attacks or e-mail 43
    44. 44. Spear Phishing: send an email to a person of interest. Watering Hole Attack: infect a website and lie in wait for them. Targeted Attacks predominantly start as spear phishing attacks; in 2012, Watering Hole Attacks emerged
    45. 45. Effectiveness of Watering Hole Attacks: a Watering Hole Attack in 2012 infected 500 companies, all within 24 hours. Watering Hole attacks are targeted at specific groups and can capture a large number of victims in a very short time
    46. 46. Watering Hole Targeted iOS Developers In 2013 this type of attack will become widely used Several high profile companies fell victim to just such an attack 46
    47. 47. Using the Phone to back up a Phishing Attack
        • What can attackers do to improve success rate of phishing email?
        • On 11 April 2013, an employee in an "Organisation A" in France received a phone call
        • French speaking caller urges her to download an invoice from a link she will receive through email
        • Link doesn't go to an invoice but instead installs a version of W32.Shadesrat, a well-known Remote Access Trojan
        • Suspicious, the employee shuts down the machine 15 minutes later and contacts the CISO
    48. 48. The Motive – Financially Driven
        • Targets accountants or finance department employees
        • These targets may have access to sensitive commercial information
        • May have authority to carry out financial transactions
        • May have access to information that could facilitate future attacks: email addresses, phone numbers, invoices, account numbers
    49. 49. The potential attack space is growing... Internet of things Wearables (glasses) Password theft Targeted attacks Ransom Trojans 419 scams Bitcoin SQL injection Social media Financial Trojans Privacy Cloud SCADA attacks DDoS attacks WLAN hotspot Cyberwarfare Browser attacks Auction scams Mobile threats Smart cars Smart homes/TVs 49
    50. 50. How to detect when you’ve been breached 50
    51. 51. Addressing Cyber Risk: Visibility of Risk; Risk Awareness; Technical Controls; Insider Abuse; Commodity Malware; Procedural Controls; Coordinated Attacks (APT); Policy Management; Demonstrable Processes; Changing Landscape; Massive Data Volumes
        • Stay ahead of threats
        • Complete visibility
        • Focus on top priorities
        • Build a sustainable program
        • Present in business context
    52. 52. Who do you call when you’ve been attacked 52
    53. 53. PR IT Police Legal Business Leaders Forensics 53
    54. 54. Conclusion: Avoid breaches and mitigate risks
        • Patch, patch, patch
        • Is your AV up to date?
        • Scan your sites for vulnerabilities and malware
        • Email and web gateway filtering
        • Host based intrusion detection
        • Two factor authentication
        • Look inside as well as out.
    55. 55. Where you can learn more (Print Screen now)
        • Internet Security Threat
          – http://go.symantec.com/istr/
          – http://www.symantec.com/security_response/publications/
          – http://www.symantec.com/connect/blogs/elderwood-project-infographic
          – @threatintel
        • Endpoint Security
          – http://go.symantec.com/sep12/
        • Website Security Solutions
          – http://go.symantec.com/ssl
          – http://www.symantec.com/connect/blogs/website-security-solutions
          – @NortonSecured
          – Monthly webinar channel – 4 December 2013
          – https://www.brighttalk.com/channel/6331
    56. 56. Thank you! Andrew Horbury andy_horbury@symantec.com @andyhorbury Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. 56
