Crime DOES Pay (Unless you get caught) Renana Friedlich, IR & Forensic Team Leader Hacktics Advanced...
-
Upload
eve-dreyer -
Category
Documents
-
view
220 -
download
1
Transcript of Crime DOES Pay (Unless you get caught) Renana Friedlich, IR & Forensic Team Leader Hacktics Advanced...
Crime DOES Pay(Unless you get caught)
Renana Friedlich, IR & Forensic Team LeaderHacktics Advanced Security Center, Ernst & YoungFebruary 2013
Crime DOES Pay – OWASP ConferencePage 2
Traditional Forensics
Crime DOES Pay – OWASP ConferencePage 3
Digital Forensics
He’s tough, but we’ll make him talk.
Crime DOES Pay – OWASP ConferencePage 4
Example – Bredolab
Russia
Netherlands France
Crime DOES Pay – OWASP ConferencePage 5
Agenda
► Computer Crime Definition
► Crime Detection
► Dealing with an Incident► Jurisdiction
► Punishment
► Case Studies
► Summary and Recommendations
Crime DOES Pay – OWASP ConferencePage 6
Computer Crime Definition
► What name would best describe this type of offense?
► Is it a new form of crime?
Computer as a weaponComputer as a target
Crime DOES Pay – OWASP ConferencePage 7
Rising Above the Noise Level
Vectors that may lead to detection:
Security systems
ProportionsSubject of
attack
Crime DOES Pay – OWASP ConferencePage 8
Relevant Parties for Detection
End Users
Security Vendors
HoneyNets
ISPs
Local Police
SOCs
And more …
Auditing Processes
Governmental Agencies
Crime DOES Pay – OWASP ConferencePage 12
Top 10 Detected Incidents
► Verizon 2012 Data Breach Investigations Report
Category Attack Overall Rank
Rank @ Large Org.
Hacking Use of stolen login credentials 3 1
Malware Backdoor 6 2
Hacking Exploitation of backdoor C&C channel 7 3
Physical Tampering 9 4
Malware Keylogger/Form-grabber/Spyware 1 5
Social Pretexting (classic social engineering) 11 6
Hacking Brute force and dictionary attacks 5 7
Hacking SQL injection 15 8
Social Phishing (or any type of *ishing) 20 9
Malware C&C (listens for and executes commands) 22 10
Crime DOES Pay – OWASP ConferencePage 13
Duration Until the Incident is Discovered
Early detection heavily depends on the organization’s security maturity level.
Regulatory Detection
Public Detection
Law Enforcement
Self Detection
0 20 40 60 80 100 120 140 160 180 200
156.5
87.5
51.5
28
Average time until detection( Days)
Crime DOES Pay – OWASP ConferencePage 14
Dealing with an Incident
Common ways of dealing with an incident:
Internal Care Law Enforcement Entity
Regulations
Incident Severity
Crime DOES Pay – OWASP ConferencePage 16
Local crime International crime
Law enforcement authorities ask for extradition
Accepted Denied
Jurisdiction
Crime DOES Pay – OWASP ConferencePage 17
Punishment
The penalty usually depends on the following factors:
Financial damage
Current & potential damage
Offender intentions &
personal gain
Crime DOES Pay – OWASP ConferencePage 18
Case Studies
Crime DOES Pay – OWASP ConferencePage 19
Case Study 1
► Attacker: Pablo Escobar (James Jeffery)
► Victim: Abortions website
Crime DOES Pay – OWASP ConferencePage 20
Case Study 2
► Attacker: Gary McKinnon
► Victim : USA military computers(“The biggest military computer hack of all time”)
► The US authorities tried to get an extradition
► Requested penalty: Up to 60 years in prison
Crime DOES Pay – OWASP ConferencePage 21
Case Study 3
Crime DOES Pay – OWASP ConferencePage 22
Take 1► Age – 19► Arrested for hacking to
computers at NASA, the Pentagon, and more.
► Didn’t try to get a hold of secrets, rather to prove that the systems were flawed.
Take 2
► Age – 28► Accused with charges of
conspiracy and fraud.► Increased or deleted cards
limit, then sold the stolen credit card numbers in the black market.
Case Study 3
1.5 years in prison 3 years probation + $503,000 fine
Crime DOES Pay – OWASP ConferencePage 23
Summary
► The chances of getting caught are slim.
► Even if an offender does get caught, there is a long way to go before he may stand trial.
► Since so “MANY” stand trial, penalty is disproportionate.
Crime DOES Pay – OWASP ConferencePage 24
And the Conclusion Is …
Crime Does Pay …
Crime DOES Pay – OWASP ConferencePage 25
Recommendations
Save logsPoor
Continuous log monitoringModerate
Build incident response capabilitiesGood
How good is your detection mechanism…?
Thank you.
Renana Friedlich,Incident response & forensic team [email protected], 054- 2661260