Slides from Tony Martin-Vegue's presentation at Security BSides, Seattle: February 20, 2016.
"Can cyber extortion happen to you? Practical tools for assessing the threat"
Abstract:
Ransom is more than just the stuff of Hollywood thrillers. Action-packed extortion schemes are as old as history itself, but today's criminals are trading in information. Extortion rackets such as the Ashley Madison and Sony Pictures Entertainment hacks are well-known cases, and many security professionals have experienced ransom attempts of their own, ranging from CryptoWall and CryptoLocker malware to DDoS attacks that promise to continue until the attackers are paid.
This session will take a detailed look at the different threat actors that perpetrate these attacks and how companies can assess the risk and potential impact of an incident. Participants will learn how to model threats, identify assets at risk, determine the impact and calculate risk. These methods help security professionals understand the impact of various forms of cyber ransom, determine if it is applicable to their organization and how to communicate risk effectively to management.
When an organization faces a cyber ransom, quick action is needed to respond to the attackers, safeguard systems and bring systems back online. Participants will also learn how to strengthen their incident response plans and make risk-aware decisions.
5. LEGAL DEFINITION
"The obtaining of property from another induced by wrongful use of actual or threatened force, violence, or fear, or under color of official right."
- 18 U.S.C.A. §871 et seq.; §1951
8. ANATOMY OF AN ATTACK
• Attack the website with a small, short attack
• Simultaneously attack others in the same sector
• Send a ransom note demanding payment
• Increase DDoS attack intensity/duration OR move on
9. WHY DOES IT WORK?
ATTACKER
• Attack is very low cost per hour
• Can attack multiple websites in the time allotted
• Scalable – can scale up in bandwidth to make a point or scale down to save costs
• The attacker knows what they are capable of (information asymmetry)
DEFENDER
• Costs a company on average $40,000 an hour [1]
• The website can be the only or primary source of revenue
• Reputational issues
• Has no idea if the attack is isolated or the worst nightmare
[1] Source: Incapsula DDoS Impact Survey: http://lp.incapsula.com/rs/incapsulainc/images/eBook%20-%20DDoS%20Impact%20Survey.pdf
10. DD4BC
Source: Recorded Future, DD4BC, Armada Collective, and the Rise of Cyber Extortion;
https://www.recordedfuture.com/dd4bc-cyber-extortion/
12. KNOWN PAYMENTS
NITROGEN SPORTS
• EU-based sports betting site
• Patrons pay in Bitcoin
• DDoS attacks started in September 2014
• Attackers repeatedly asked for 2 BTC
• Copycats also attacked
PROTON MAIL
• Swiss encrypted email provider
• On November 4th, 2015 they were hit with one of the largest DDoS attacks seen in Europe – 50 Gbps
• Armada Collective demanded $6,000 in ransom, which was paid
• A copycat attacked, hoping to get paid
13. DETECTION AND RESPONSE
•Risk models should include DDoS for ransom
•Cost/benefit analysis on DDoS protection services
•Update incident response plans
•Review and update crisis team members
27. ANATOMY OF A RISK ASSESSMENT
Risk
  Loss Event Frequency
    Threat Event Frequency
    Vulnerability
      Threat Capability
      Control Strength
  Loss Magnitude
    Primary Loss
    Secondary Loss
(Risk = Loss Event Frequency × Loss Magnitude. Loss Event Frequency = Threat Event Frequency × Vulnerability, where Vulnerability is the probability that the attacker's Threat Capability exceeds the Control Strength. Loss Magnitude = Primary Loss + Secondary Loss.)
28. RISK ANALYSIS
•US-based credit union founded in 2008
•Has an online banking presence with several thousand customers
•In 2014, was hit with one DDoS-for-ransom attack lasting 30 minutes; response costs were high but there was no loss of customers
•In the last attack, we decided to wait it out until the attackers stopped
31. DERIVE RISK
Loss Event Frequency: 1x to 0.1x / year
Vulnerability
  Threat Capability: Low – bottom 16%
  Control Strength: Very Low – only protects against the bottom 2%
Probable Loss: $40,000 / hour
Risk: ALE $9k
32. RESIDUAL RISK
Loss Event Frequency: 1x to 0.1x / year
Vulnerability
  Threat Capability: Low – bottom 16%
  Control Strength: Very High – protects against all but the top 2%
Probable Loss: $40,000 / hour
Risk: ALE $260
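The derivation on slides 27, 31 and 32, and the cost/benefit question raised on slide 13, as an added worked example (this is not code from the presentation). It walks the FAIR-style factors the slides name: Threat Event Frequency as a range per year, Vulnerability as the probability that the attacker's capability percentile exceeds the controls' percentile, Loss Magnitude as outage hours times the $40,000/hour survey figure, and ALE as their product, first as single-point arithmetic and then as a Monte Carlo over the ranges. Every band, distribution shape, dollar figure and the `Scenario`, `simulate` and `control_value` names are constructed assumptions for illustration; they are not the presenter's inputs, so the numbers will not reproduce the $9k and $260 on the slides.

```python
"""
FAIR-style ALE estimate for a DDoS-for-ransom scenario.

Added worked example, not code from the slides. Arithmetic follows the slide
taxonomy: Risk = Loss Event Frequency x Loss Magnitude, with
LEF = Threat Event Frequency x Vulnerability and
Vulnerability = P(threat capability > control strength).
All bands and dollar figures below are constructed assumptions.
"""
import random
from dataclasses import dataclass, replace
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    tef: tuple              # (low, high) threat events per year
    tcap: tuple             # (low, mode, high) attacker capability percentile, 0..1
    control: tuple          # (low, mode, high) percentile of attackers the controls stop
    outage_hours: tuple     # (low, mode, high) hours of outage per loss event
    loss_per_hour: float    # primary + secondary loss per outage hour


def _tri(rng: random.Random, band: tuple) -> float:
    """Sample a (low, mode, high) band. random.triangular takes (low, high, mode)."""
    low, mode, high = band
    return rng.triangular(low, high, mode)


def point_ale(tef: float, vulnerability: float, loss_per_event: float) -> float:
    """Single-point FAIR arithmetic: ALE = TEF x Vulnerability x loss magnitude."""
    return tef * vulnerability * loss_per_event


def simulate(s: Scenario, n: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo over the scenario's ranges; returns vulnerability and ALE statistics."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    annual_losses, vulnerable = [], []
    for _ in range(n):
        tef = rng.uniform(*s.tef)
        # A loss event occurs only when this attacker out-classes the controls.
        hit = 1.0 if _tri(rng, s.tcap) > _tri(rng, s.control) else 0.0
        loss_event = _tri(rng, s.outage_hours) * s.loss_per_hour
        vulnerable.append(hit)
        annual_losses.append(point_ale(tef, hit, loss_event))
    annual_losses.sort()
    return {
        "vulnerability": mean(vulnerable),
        "ale_mean": mean(annual_losses),
        "ale_p90": annual_losses[int(0.9 * n)],
    }


def control_value(inherent: Scenario, residual: Scenario, **kw) -> dict:
    """Cost/benefit input: the ALE reduction is the most a control is worth per year."""
    before, after = simulate(inherent, **kw), simulate(residual, **kw)
    return {
        "inherent_ale": before["ale_mean"],
        "residual_ale": after["ale_mean"],
        "max_annual_spend": before["ale_mean"] - after["ale_mean"],
    }


# Constructed credit-union scenario (assumptions, not the slide's own inputs):
# one threat event every 1 to 10 years, a Low-capability threat community
# (bottom 16%), controls that only stop the bottom 2%, a 15-minute to 1-hour
# outage, and the $40,000/hour survey figure for loss magnitude.
CREDIT_UNION = Scenario(
    tef=(0.1, 1.0),
    tcap=(0.02, 0.09, 0.16),
    control=(0.0, 0.02, 0.05),
    outage_hours=(0.25, 0.5, 1.0),
    loss_per_hour=40_000,
)

# Same scenario after buying a DDoS scrubbing service: controls now stop all
# but roughly the top 2% of attackers (assumed band).
WITH_SCRUBBING = replace(CREDIT_UNION, control=(0.90, 0.98, 1.0))


if __name__ == "__main__":
    for name, scen in (("inherent", CREDIT_UNION), ("residual", WITH_SCRUBBING)):
        r = simulate(scen)
        print(f"{name}: vulnerability={r['vulnerability']:.2f} "
              f"ALE mean=${r['ale_mean']:,.0f} p90=${r['ale_p90']:,.0f}")
    v = control_value(CREDIT_UNION, WITH_SCRUBBING)
    print(f"worth up to ${v['max_annual_spend']:,.0f}/year on DDoS protection")
```

With these assumed bands the Low-capability attacker sits entirely above the weak controls, so inherent vulnerability is close to 1, and entirely below the scrubbing service's band, so residual ALE is exactly zero; the slide's nonzero residual ($260) is what you get when the capability and control bands overlap in the tails, which is the more realistic choice when you have data to justify it. The `max_annual_spend` figure is the number to put beside the protection service's quote when making the slide 13 cost/benefit decision.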
33. FINAL THOUGHTS
•Ransomware can and does happen to anyone – plan for it
•Other types of extortion are rare, but model the threats and see if you fit the target profile
•Update your incident response plans & BC/DR plans
•A good risk analysis can help execs make better decisions
•Have a way for extortionists to contact you
•Partner with law enforcement BEFORE something bad happens (do this Monday)