Combating Cyber Threats: Cyber Thread Information Program

1. UNCLASSIFIED
UNCLASSIFIED
Kansas City Terrorism Early Warning
Inter Agency Analysis Center
Cyber Threat Information Program
Missouri City/County
Manager’s Association
CYBER BRIEFING
May 7, 2015

2. UNCLASSIFIED
UNCLASSIFIED
Recent Cyber Events
• South Carolina DOR. – 3.6 million SSNs stolen and
tax returns exposed. – ( Direct Cost = $14 million,
User fraud loss = $5.2 Billion)
• Shamoon (aka: Wiper) – Steals credentials wipes
boot record from 30,000 to 50,000 computers at
Saudi Aramco and RasGas.
• Banking DDOS against JP Morgan/Chase, PNC, Wells
Fargo, Bank Of America. Total of 8 banks attacked.

3. UNCLASSIFIED
UNCLASSIFIED
Recent Cyber Events
• TARGET ( 40 MILLION credit cards) and other
retailers.
• City of Wichita ( > 60,000 vendor financial
records)
• 14 banks, 12 cities and 10 police departments
disabled during the Ferguson unrest.

7. UNCLASSIFIED
UNCLASSIFIED
VIDEO 1

8. UNCLASSIFIED
UNCLASSIFIED
So What ?
• Computer network exploitation by threat actors enables:
• Massive financial losses
• Degradation/disruption of services
• Extortion
• Intellectual property theft
• Counterfeiting
• Theft of proprietary data
• Identity theft (personally identifiable information)
• Access to credit
• Loss of money and credibility

9. UNCLASSIFIED
UNCLASSIFIED
Agenda
• Threat Landscape
• Actors (Bad Guys)
• Attack types (Bad Stuff that Bad Guys do)
• Vulnerabilities (The things that Bad guys attack)
• Cyber Threats and Trends (The Future)
• What Can You Do ?

10. UNCLASSIFIED
UNCLASSIFIED
EVALUATE YOUR RISK.
THREAT + VULNERABILITY +
CONSEQUENCE
=
RISK

11. UNCLASSIFIED
UNCLASSIFIED
CYBER THREAT LANDSCAPE

12. UNCLASSIFIED
UNCLASSIFIED
Cyber Threat Landscape
• Cyber Threat Actors
• State Sponsored
• Terrorist/Violent Extremists
• Insider Threat
• Hackers
• Hacktivists
• Criminals / Organized Crime

13. UNCLASSIFIED
UNCLASSIFIED
Hacker Evolution

14. UNCLASSIFIED
UNCLASSIFIED
Hacker Evolution

15. UNCLASSIFIED
UNCLASSIFIED
Hacker Evolution

16. UNCLASSIFIED
UNCLASSIFIED
Cyber Threat Motivations
• Notoriety
• Political Statement
• Money – Banks, Credit Cards, Extortion, etc.
• Intellectual Property / Trade Secrets
• Information for Negotiating Positions
(competitive advantage)
• Infrastructure Attack – Terrorism

17. UNCLASSIFIED
UNCLASSIFIED
Nation-State Terrorists Insiders Hackers Hacktivists Criminals
Commercial
Espionage
Fun/Curiosity/
Ego X
Money X X X X X
Retaliation/
retribution X X X
Political
Statement X X
Intellectual
Property X X X X
Negotiation
Information X X
Deny, Disrupt,
Degrade,
Destroy X X X X
Cyber Threat Motivations
(Intent)

18. UNCLASSIFIED
UNCLASSIFIED
Cyber Targets
• Government Networks
• Federal
• State
• Local
• Tribal and Territorial
• Critical Infrastructure and Key Resources (CIKR)
Networks
• Over 85% owned by private sector
• Industrial Control Systems/SCADA
• Embedded systems
• Business and Home Networks

19. UNCLASSIFIED
UNCLASSIFIED
Cyber Threats
• Supply Chain Exploitation
• Cyber exploitation, manipulation, diversion, or substitution of
counterfeit, suspect, or fraudulent items impacting US CIKR
• Disruption
• Distributed Denial of Service (DDOS) attack (effort to prevent site
or service from functioning efficiently or at all, temporarily or
indefinitely)
• Cyber Crime
• Criminals seeking sensitive, protected information for financial
gain

20. UNCLASSIFIED
UNCLASSIFIED
• Corporate Espionage
• Threat actors targeting US companies to gather intelligence and
sensitive corporate data for competitive advantage
• Advanced Persistent Threat
• Stealthy, coordinated cyber activity over long period of time
directed against political, business, and economic targets
• Industrial Control Systems/SCADA
• Threat actors disrupt ICS/SCADA based processes
Cyber Threats

21. UNCLASSIFIED
UNCLASSIFIED 21
Devices, Systems and Networks
• Desktops/Laptops
• OS/App
• Servers
• OS/App
• Printers
• Routers
• VPN
• DNS system
• PSAPS
• Public Notification Systems
• Mobile devices
• Household appliances
• Televisions
• Refrigerators
• Baby monitors

22. UNCLASSIFIED
UNCLASSIFIED
Embedded Systems
22
Computers built into other systems
Examples:
• Digital X-ray Machines, Medical Devices
• Computer Controlled Industrial Equipment
• Automobiles
• ATMs
• Printer/copier/fax machines
The underlying computer is likely to have unpatched vulnerabilities because
it is not on the System Administrators list of “computers,” or the system
must be upgraded by the vendor.

23. UNCLASSIFIED
UNCLASSIFIED
Industrial Control Systems (ICS)
23
Controls processes such as manufacturing, product handling,
production, and distribution. Industrial Control Systems include
Supervisory Control and Data Acquisition systems (SCADA).
Examples
 Robotic assembly lines
 Water treatment
 Electric Power Grid
 Building controls

24. UNCLASSIFIED
UNCLASSIFIED
Internet Connected Communications
Communications systems that are not typically considered computer networks that
are, none the less, connected to external networks such as the Internet.
Examples:
• Telephone switching – PBX, VOIP
• Emergency notification systems
• First responder communications (Trunked voice/data
terminals)

25. UNCLASSIFIED
UNCLASSIFIED
Targeting and Attack Techniques
• Social engineering
• Spear phishing
• Spoofing e-mail accounts
• Exploiting vulnerabilities
• Malware
• Downloaders, Trojans, Keyloggers, etc.
• External memory devices (USB)
• Supply-chain exploitation
• Leveraging trusted insiders
• Denial of Service
• Mobile Device Attacks

26. UNCLASSIFIED
UNCLASSIFIED
Advanced Persistent Threat (APT)
• Category of cyber attack against political, business, or economic
targets
• Federal agencies
• State agencies
• City governments
• Commercial and non-profit organizations
• Actors use full spectrum of computer intrusion techniques and
technology
• Characterized by focus on specific information objectives rather than
immediate financial gain
• Stealthy, coordinated, focused activity over a long period of time
Operators are skilled, motivated, organized, well-funded

27. UNCLASSIFIED
UNCLASSIFIED
Advanced Persistent Threat (APT)
• Information objectives include:
• Gov’t policy/planning
• Corporate proprietary data
• Contract data
• International meetings (G20, IMF,
Climate Change)
• Sabotage
• Espionage
• Use of compromised
computers as intermediate hop
points in future compromises

28. UNCLASSIFIED
UNCLASSIFIED
Advanced Persistent Threat (APT)
Methodology
• Reconnaissance
• Initial intrusion into network
• Establish backdoor into the network
• Obtain user credentials (login ID, passwords)
• Escalate privileges, move laterally through the network
• Search for and exfiltrate data
• Maintain persistence

29. UNCLASSIFIED
UNCLASSIFIED
Advanced Persistent Threat (APT)
Examples of APT in open reporting
• Operation Aurora – Damballa
• Finance, Technology, Media – 30+ Countries
• LURID APT – Trend Micro
• Diplomatic, Government, Space-related agencies and companies – 61
Countries
• Nitro – Symantec
• Gas, Oil, Energy, Chemical Sectors – 8 countries
• Shady Rat – Symantec
• Governments, corporations, nonprofits, 14 countries
• FLAME – Kaspersky
• Mid-eastern countries

30. UNCLASSIFIED
UNCLASSIFIED
VIDEO 2

31. UNCLASSIFIED
UNCLASSIFIED
Cyber Threats and Trends

32. UNCLASSIFIED
UNCLASSIFIED
Trends
• ENORMOUS increase in Cyber Attacks/Crime both in numbers
and sophistication.
• State sponsored attacks likely to increase. (Cyber Warfare is real
now.)
• Cyberweapon toolkits are common place utilized by not only state
sponsored attackers, but by any entity with medium/high skills.
• Cyber Crime As a Service is a full fledged business model.
• Anyone can use point and click services to deliver a devastating
attack.

33. UNCLASSIFIED
UNCLASSIFIED
Trends
Nation-States That Have Declared
Offensive Cyber Capability
• Iran
• India
• UK
• China
• Russia
• U.S.A.
• Australia
• Italy
• France
• Syria
• Germany
• Israel

34. UNCLASSIFIED
UNCLASSIFIED
Trends
Hactivists / Jihadists
• Alliances with ideologically similar groups
• More Skilled
• More Organized
• More Aggressive
• More of them

35. UNCLASSIFIED
UNCLASSIFIED
Trends
Cyber Criminals
• Can occasionally approach the sophistication
if not the endurance of State sponsored
attackers
• Adding much more emphasis to mobile
devices.
• Adds a physical dimension to the Cyber realm.

36. UNCLASSIFIED
UNCLASSIFIED
Trends
Shift in targeting preferences
• State / Local
• State networks
• Local Municipalities / Agencies
• FD, PD, Cities, NGOs
• Universities, Colleges, Votech
• Businesses

37. UNCLASSIFIED
UNCLASSIFIED
COMMON
ATTACK TYPES /
MITIGATION
STRATEGIES

38. UNCLASSIFIED
UNCLASSIFIED
Attacks from outside the firewall

39. UNCLASSIFIED
UNCLASSIFIED
Big Three Most Common Attacks
DDoS – Distributed Denial of Service
SQL-I - Structured Query Language Injection
Defacements

40. UNCLASSIFIED
UNCLASSIFIED
Commonly Seen Attacks
Attack Type (TTP – Tactics, Techniques,
Procedures)
What is it?
Who uses them?
Preferred targets?
Consequences?
Prevention / Mitigation.

41. UNCLASSIFIED
UNCLASSIFIED
Distributed Denial of Service (DDoS)
WHAT IS IT?
A DDOS attack tries to render a website either inoperable or
inaccessible by using large numbers of computers sending
overwhelming numbers of requests at a computer.
The target can become so busy trying to answer bogus requests
that it cannot answer valid user requests and the website is
unusable.

42. UNCLASSIFIED
UNCLASSIFIED
Distributed Denial of Service (DDoS)
WHO USES IT ?
Used to be well resourced adversaries (state
sponsored, cyber crime enterprise)
More recently seen from Hactivists, (Anonymous
Affiliates)
Anyone with $200 - $800 can rent a botnet with
10,000 computers for a day to attack anyone.

43. UNCLASSIFIED
UNCLASSIFIED
Distributed Denial of Service (DDoS)
Examples?
During unrest associated with Ferguson MO shooting.
15 Banking institutions
State, Counties, Cities, Police departments (at least 12)
Educational institutions

44. UNCLASSIFIED
UNCLASSIFIED
Distributed Denial of Service (DDoS)
Prevention
Can’t be prevented – Plan for it
Establishing connections with multiple ISPs.
Ensure that service level agreements (SLA) with ISPs
contain provisions for DDoS prevention (such as IP
address rotation)
Assure the network has redundant systems and sufficient
excess capacity

45. UNCLASSIFIED
UNCLASSIFIED
Distributed Denial of Service (DDoS)
Prevention
• Enable rate limiting at the network perimeter
• Create backup remote site networks with multiple address
capability
• Segment web services across multiple machines and
networks
• Host public facing websites with ISPs having capability to
withstand significant DDoS attacks

46. UNCLASSIFIED
UNCLASSIFIED
Distributed Denial of Service (DDoS)
MITIGATION
Executing ISP address rotation
Block source IP addresses that are generating DDoS
traffic at the network boundary or within the ISP
infrastructure. ( DDoS attacks can come from tens of
thousands of addresses that rotate randomly, making this
strategy difficult to implement.)
Acquire increased bandwidth from the ISP (This solution is
limited by your own servers ability to handle the increased
traffic.)

48. UNCLASSIFIED
UNCLASSIFIED
SQL Injection (SQL-I)
WHAT IS IT?
A form of attack on a database-driven Web site in which
the attacker executes unauthorized SQL commands by
taking advantage of insecure bypassing the firewall.
Used to steal information from a database and/or to
gain access to an organization's host computers
through the computer that is hosting the database.

49. UNCLASSIFIED
UNCLASSIFIED
SQL Injection (SQL-I)
Who uses it?
State sponsored, cyber criminals, Hackers,
Hacktivists, Jihadists, Anonymous, script-kiddies
Very effective tools are freely available
Recipes for finding targets (call google dorks) are
all over the open internet.

50. UNCLASSIFIED
UNCLASSIFIED
SQL Injection (SQL-I)
Local Examples?
KCKPD
Release of Accident records and related personal
information
Wichita
Release of vendor/personal financial information

51. UNCLASSIFIED
UNCLASSIFIED
SQL Injection (SQL-I)
Prevention
Limit databased services
Assure all applications and operating systems are patched
to current level
Keep an eye for announced vulnerabilities
Dynamic monitoring at the firewall or application server
Threat detection services
Applications configuration security ( Passwords )

52. UNCLASSIFIED
UNCLASSIFIED
SQL Injection (SQL-I)
MITIGATION
Watch for “breach” announcements
Notification process
Prevent further breaches (turn off access till it’s fixed)
Aggressively pursue disclosures
Where applicable, get outside help (FBI, DHS, USSS,
Commercial services)

53. UNCLASSIFIED
UNCLASSIFIED
DEFACEMENT
WHAT IS IT?
Any unauthorized changes made to the
appearance of either a single webpage, or an
entire site. In some cases, a website is
completely taken down and replaced by
something new.

54. UNCLASSIFIED
UNCLASSIFIED
DEFACEMENT
Who uses it?
Plethora of Jihadists
“Anonymous” Affiliates
Syrian Electronic Army
POH (Plain old hackers)

55. UNCLASSIFIED
UNCLASSIFIED
DEFACEMENT
Examples?
Akron OH
Marines.com
Huffington
MO.GOV
Check out www.zone-h.com (database of
180,000)

59. UNCLASSIFIED
UNCLASSIFIED
DEFACEMENT
Prevention / Mitigation
Keep Server systems and CMS apps up-to-date
Better passwords
Don’t share system accounts outside organization
Reputation monitoring services
Good backups

60. UNCLASSIFIED
UNCLASSIFIED
Attacks That Get
Through The Firewall

61. UNCLASSIFIED
UNCLASSIFIED
APT – The Really Bad Stuff
• Computer network exploitation by threat actors
enables:
• Massive financial losses
• Degradation/disruption of services
• Extortion
• Intellectual property theft
• Counterfeiting
• Theft of proprietary data
• Identity theft (personally identifiable information)
• Access to credit
• Loss of money and credibility

62. UNCLASSIFIED
UNCLASSIFIED
Computer Network Exploitation
(Try to stay on the left side
of the Cyber “Kill Chain”)
The Bad Guys are INSIDE the computer now.

63. UNCLASSIFIED
UNCLASSIFIED
Spear-Phishing
• Targeted e-mails containing malicious attachments or links
• E-mails forged to look as if they came from a legitimate
source and have a subject that the victim is likely to open.
• Target e-mail addresses can be harvested from Web sites,
social networks, etc.
• Targeting of CEOs, executives is called “whaling”.
63

64. UNCLASSIFIED
UNCLASSIFIED 64
Sample Phishing Website
(Via fsecure.com)

65. UNCLASSIFIED
UNCLASSIFIED 65
Sample Phishing Website
(Via fsecure.com)
Compromised police academy server in India

66. UNCLASSIFIED
UNCLASSIFIED 66
(Via nytimes.com)

67. UNCLASSIFIED
UNCLASSIFIED
Prevention
Constant Education
Information Sharing between agencies
OPSEC
Cyber Hygiene
PASSWORDS!!!!!!!!!!!!!
Response plans
Cyber Tabletop Exercises
Test Your Capabilities
Figure Out Roles and Responsibilities

68. UNCLASSIFIED
UNCLASSIFIED
What is your plan?
How to recover?
WHO ?
COST ?
How to mitigate
CRITICAL SERVICES
How to deal with the public
PUBLIC CONFIDENCE
LIABILITY

69. UNCLASSIFIED
UNCLASSIFIED
EVALUATE YOUR RISK.
THREAT + VULNERABILITY +
CONSEQUENCE
=
RISK

70. UNCLASSIFIED
UNCLASSIFIED
WHO CAN YOU CALL?
Fusion Center:
KC Regional Terrorism Early Warning
Cyber Threat Intelligence Program
kctew@kcpd.org
(816) 413-3588
Missouri Information Analysis Center
St Louis Terrorism Early Warning

72. UNCLASSIFIED
UNCLASSIFIED

73. OR
ID
NV
WY
MT
ND
SD
UT
WA
CO
NE
MN
KS
OK
NM
AZ
TX
AR
LA
AL GA
FL
TN NC
SC
MS
Southeast Regional
Coordinator –
Heather Perez (CFIX)
Western Regional
Coordinator -
Dana Kilian - NCRIC
AK
CA
Troy Campbell – Co-Chair – KCTEW
Devin King – Co-Chair – LA-SAFE
National Capital Regional
Coordinator -
Fleming Campbell (WRTAC)
WI
IA
MO
IL
IN
MI
ME
KY
OH
VA
WV
PA
NY
NJ
NH
MA
RI
MD
CT
DE
VT
DC
Northeast Regional
Coordinator -
Brett Paradis (CTIC)
Midwest Regional
Coordinator –
Kelley Goldblatt (MC3)
Central Regional
Coordinator -
John Burrell - MATIC
NFCA Cyber Intelligence Network (CIN)

74. UNCLASSIFIED
UNCLASSIFIED
WHO CAN YOU CALL?
The Department of Homeland Security (DHS)
The National Cybersecurity & Communications Integration Center
(NCCIC)
The U.S. Computer Emergency Readiness Team (US-CERT)
The Industrial Control Systems Cyber Emergency Response Team (ICS-
CERT)
The National Coordinating Center for Telecommunications (NCC)
74

75. UNCLASSIFIED
UNCLASSIFIED
WHO CAN YOU CALL?
The USSS – US SECRET SERVICE
Your Nearest field office usually has a local
Electronic Crimes Task Force
Has Critical Incident Response Teams
75

76. UNCLASSIFIED
UNCLASSIFIED
WHO CAN YOU CALL?
The Federal Bureau of Investigations (FBI)
Your Local FBI Cyber Division
FBI CyWatch
FBI Critical Incident Response Group (CIRG) Strategic
Information and Operations Center (SIOC)
76

77. UNCLASSIFIED
UNCLASSIFIED
WHO CAN YOU CALL?
KC Regional Terrorism Early Warning
Cyber Threat Intelligence Program
kctew@kcpd.org
(816) 413-3588

78. UNCLASSIFIED
UNCLASSIFIED
Discussion

79. UNCLASSIFIED
UNCLASSIFIED
Contact:
Troy Campbell
KCTEW
Cyber Threat Intelligence Program
tcampbell@kcpd.org
(816) 413-3588

82. UNCLASSIFIED
UNCLASSIFIED
Cyber Information Sharing Issues

83. UNCLASSIFIED
UNCLASSIFIED
Cyber Information Sharing –A Challenging Process

84. UNCLASSIFIED
UNCLASSIFIED
Issues in Intelligence
Information Sharing
• No Cross Community Standards
• Formats
• Flow Paths
• Classification Downgrades
• Identity requests
• Standard terminology
• Two-way information Flows