Decision Support System for Sustainable Resource - CARES
Transcript of Decision Support System for Sustainable Resource - CARES
Speakers
Jarrett Kolthoff, President / CEO
e-mail: [email protected]
@SpearTipCyberCI
web: speartip.com
Jarrett Kolthoff, President / CEO of SpearTip, has 20 years of experience in the Information Security field. As a former Special Agent – U.S. Army Counterintelligence, he has experience in cyber investigations, counterintelligence, and Fusion Cell analysis that assist SpearTip’s clients to identify, assess, neutralize, and exploit threats leveled against their corporation. His civil case work includes investigations in anti-trust lawsuits, embezzlement, collusion, theft of intellectual property, and corporate espionage. He has testified in civil cases as an expert computer forensic witness in depositions in the U.S. Federal Court – Eastern District of Missouri, and has acted as a liaison between companies and law enforcement agencies.
Board Member, National Forensic Science Technology Center (NFSTC)
Adjunct Professor, Washington University in St. Louis – Cyber Security Master’s Program
Member, Association of Former Intelligence Officers (AFIO)
Member, Espionage Research Institute International (ERII)
Board Member & Past-President, St. Louis InfraGard Chapter
Board Member & Past-President, St. Louis Chapter of the International High Technology Crime Investigation Association (HTCIA)
Speakers
Shawn Tuma
e-mail: [email protected]
@shawnetuma
blog: shawnetuma.com
web: brittontuma.com
Shawn Tuma is a lawyer whose practice is focused on cutting-edge cyber and information law and includes issues like helping businesses defend their data and intellectual property against computer fraud, data breaches, hacking, corporate espionage, and insider theft. Shawn stays very active in the cyber and information law communities:
Chair, Collin County Bar Association Civil Litigation & Appellate Law Section
College of the State Bar of Texas
Privacy and Data Security Committee of the State Bar of Texas
Computer and Technology, Litigation, Intellectual Property Law, and Business Sections of the State Bar of Texas
Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
Social Media Committee of the American Bar Association
North Texas Crime Commission, Cybercrime Committee
International Association of Privacy Professionals
The information provided is for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation.
Outline
• Emerging Threats / Market Analysis
• Insider Threats
• Malware Analysis
• Fusion Cell Analysis
• Espionage Case Studies
• Computer Fraud & Abuse Act
• Federal and Texas Law
Emerging Threats – Hacking Groups
Rapidly Emerging Underground Industry (Several Examples Of Successful Large Scale Operations)
• Organization: High
• Capability: High
• Intent
  • “Hacktivism”
  • Financial / Political Gain
  • Terrorist Organization Funding
Specialization – Forensics, Intrusion, Malware Analysis
U.S. DOJ – OIG Audit Division, April 2011
• Compares Technical vs. Counterintelligence
• Proper Use of Fusion Cell Analysis
• Practical Experience Over Just Training
• Intrusion Cases vs. Other Cyber Crimes
Office of the National Counterintelligence Executive
• Report to Congress on Foreign Economic / Industrial Espionage
  • Governments of China & Russia
  • “Hacktivist” – Political & Social Agendas
  • Theft of Intellectual Property & Dual Use Technology
Forrester Research – Value of Corporate Secrets
• Current Data Security Strategies
  • Identify the Most Valuable Information Assets
  • Create a “Risk Register” – Compliance / Corporate Secrets
  • Assess Balance Between Compliance & Protecting Secrets
• Establish Baseline
  • Reprioritize Enterprise Security Investment
  • Increase 3rd Party Vigilance
  • Measure Effectiveness – Key Performance Indicators (KPIs) and “Audit the Auditor”
NON-CYBER COLLECTION EFFORTS
• Requests for Information (RFI). Foreign collectors make unsolicited direct and indirect requests for information via personal contacts, telephone, e-mail, fax, and other forms of communication and often seek classified, sensitive, or export-controlled information.
• Solicitation or Marketing of Services. Foreign companies seek entrée into US firms and other targeted institutions by pursuing business relationships that provide access to sensitive or classified information, technologies, or projects.
• Conferences, Conventions, and Trade Shows. These public venues offer opportunities for foreign adversaries to gain access to US information and experts in dual-use and sensitive technologies.
• Official Foreign Visitors and Exploitation of Joint Research. Foreign government organizations, including intelligence services, use official visits to US Government and cleared defense contractor facilities, as well as joint research projects between foreign and US entities, to target and collect information.
• Foreign Targeting of US Visitors Overseas. Whether traveling for business or personal reasons, US travelers overseas (businesspeople, US Government employees, and contractors) are routinely targeted by foreign collectors, especially if they are assessed as having access to some sensitive information.
• Open Source Information. Foreign collectors are aware that much US economic and technological information is available in professional journals, social networking and other public websites, and the media.
Fusion Cell Analysis
Insider Threat
• Building Diverse Team – Tech/JD/GRC/Biz/Linguist
• HUMINT / Network & Host Forensic / OSINT / TSCM
• Combination of disk forensics and memory forensics can paint a more complete picture.
• Time-Event Charts / Association Matrices / Link Analysis
• Analysis of Diverse Data – Mature Methodology
Malware Analysis
• Contains information that may not be found on disk
• Can locate keyloggers running on the system
• Can reveal malware that may not leave traces on disk
• Attackers making more use of “on the fly” memory modifications to foil disk forensics and antivirus
• Lsass.exe was trying to talk within the network environment on port 6666 (Process Injection)
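The last bullet is the classic memory-forensics tell: lsass.exe holding a network connection on a port it has no legitimate reason to use. As an added example, not code from the slides or from SpearTip, the Python below applies that rule to a process list and a connection table of the kind a memory image or live triage yields. The records are constructed; the port allowlist, the dynamic RPC range and the wininit.exe parent expectation are assumptions that must be tuned to your own domain baseline.

```python
"""Triage of process and network records for the sign the slide describes:
lsass.exe talking on an unexpected port, a common symptom of process injection.

Added example; the process list and connection table below are constructed,
not captured from a real host, and the port allowlist is an assumption to be
tuned against your own baseline.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Remote ports lsass.exe legitimately reaches on domain controllers:
# Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, LDAPS, global catalog.
LSASS_EXPECTED_PORTS = {88, 135, 389, 445, 464, 636, 3268, 3269}
RPC_DYNAMIC_RANGE = range(49152, 65536)   # dynamic RPC endpoints on the DC
EXPECTED_PARENT = "wininit.exe"           # lsass.exe is started by wininit.exe
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    name: str
    parent: str


@dataclass(frozen=True)
class ConnRecord:
    pid: int
    remote_ip: str
    remote_port: int
    state: str


def lsass_findings(procs, conns):
    """Return human-readable findings about lsass.exe; an empty list means clean."""
    findings = []
    lsass = [p for p in procs if p.name.lower() == "lsass.exe"]
    # Exactly one lsass.exe should exist, and wininit.exe should be its parent.
    if len(lsass) != 1:
        findings.append(f"expected exactly one lsass.exe, found {len(lsass)}")
    for p in lsass:
        if p.parent.lower() != EXPECTED_PARENT:
            findings.append(f"lsass.exe pid {p.pid} parented by {p.parent}, "
                            f"expected {EXPECTED_PARENT}")
    lsass_pids = {p.pid for p in lsass}
    for c in conns:
        if c.pid not in lsass_pids:
            continue
        if c.remote_port in LSASS_EXPECTED_PORTS or c.remote_port in RPC_DYNAMIC_RANGE:
            continue
        addr = ip_address(c.remote_ip)
        scope = "internal" if any(addr in n for n in INTERNAL_NETS) else "external"
        findings.append(f"lsass.exe pid {c.pid} {c.state} to {scope} "
                        f"{c.remote_ip}:{c.remote_port}: possible process injection")
    return findings


# Constructed sample: one normal lsass.exe that also holds a connection on 6666.
SAMPLE_PROCS = [
    ProcessRecord(4, "System", ""),
    ProcessRecord(512, "wininit.exe", "System"),
    ProcessRecord(672, "lsass.exe", "wininit.exe"),
    ProcessRecord(1204, "svchost.exe", "services.exe"),
]
SAMPLE_CONNS = [
    ConnRecord(672, "10.0.0.5", 88, "ESTABLISHED"),      # Kerberos to the DC
    ConnRecord(672, "10.0.0.5", 389, "ESTABLISHED"),     # LDAP to the DC
    ConnRecord(672, "10.0.0.5", 49670, "ESTABLISHED"),   # dynamic RPC to the DC
    ConnRecord(672, "10.0.0.41", 6666, "ESTABLISHED"),   # the slide's indicator
    ConnRecord(1204, "10.0.0.41", 6666, "ESTABLISHED"),  # not lsass: ignored here
]


def run_sample():
    return lsass_findings(SAMPLE_PROCS, SAMPLE_CONNS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The svchost.exe connection on the same port is deliberately left alone: this check is about lsass.exe specifically, and a host-wide rule for port 6666 would be a separate, noisier detection. On a real case the connection table should come from the memory image itself, since the slide's point is that on-the-fly memory modification can leave disk-based tools with nothing to see.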
Introduction
It has become the industry standard, and a necessity for enterprises, to defend their external perimeter with the latest firewalls and most advanced intrusion prevention systems (IPS). Although these devices play an important role in any enterprise network, they all lack one crucial capability and functionality:
Cyber Pre-Attack Intelligence
Cyber Threats
Advanced Cyber Threat Detection - Analysis Summary
• SpearTip has identified a number of organizations, consisting of loose networks of hackers, who communicate through forums, social networks and more established communities
• The following are individual analyses of the players identified in the context of cyber-attacks against financial institutions
THE FOLLOWING INFORMATION WAS ETHICALLY COLLECTED WHILE CONDUCTING CYBER SOURCE OPERATIONS ON THOUSANDS OF CRIMINAL NETWORKS.
Cyber Counterintelligence provides the unique combination of up-to-date malware-related threat intelligence gathered from live botnets, correlated with an enterprise’s external IP addresses
• Information Stealers
• Worms
• DDoS Malware
• Remote Access Tools
• Downloaders
• Spammers
• HTTP-Proxy Malware
• Exploit Kits (Currently Active)
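The correlation step described above, matching botnet victim data against the enterprise's external addresses, is mechanically simple but worth seeing end to end. The Python below is an added example, not SpearTip's tooling or anything from the slides; the feed records, the malware family names and the address ranges are constructed (RFC 5737 documentation prefixes stand in for real enterprise ranges), and the categories are the ones listed on the slide.

```python
"""Correlate a botnet victim feed with an enterprise's external address space,
the check the slide describes. Added example: the feed records and the address
ranges are constructed (RFC 5737 documentation prefixes stand in for real
enterprise ranges); nothing here comes from a real botnet.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed enterprise external ranges, the kind a NAT/egress inventory provides.
ENTERPRISE_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.8/29")]

# Constructed feed records: victim IP, malware family, category, last seen.
# Family names are placeholders; categories mirror the classes listed on the slide.
FEED = [
    ("203.0.113.17", "family-a", "Information Stealer", "2013-06-01"),
    ("198.51.100.9", "family-b", "Worm", "2013-05-30"),
    ("192.0.2.44", "family-c", "DDoS Malware", "2013-06-02"),       # not ours
    ("203.0.113.200", "family-d", "Remote Access Tool", "2013-06-02"),
    ("198.51.100.20", "family-e", "Spammer", "2013-06-01"),          # outside the /29
    ("not-an-ip", "family-f", "Downloader", "2013-06-01"),           # malformed line
]


def correlate(feed, ranges):
    """Map each malware category to the feed hits that fall inside our ranges."""
    hits = defaultdict(list)
    for ip_str, family, category, last_seen in feed:
        try:
            addr = ip_address(ip_str)
        except ValueError:
            continue                      # skip malformed feed lines rather than crash
        for net in ranges:
            if addr in net:
                hits[category].append({"ip": ip_str, "family": family,
                                       "last_seen": last_seen, "range": str(net)})
                break
    return dict(hits)


def run_sample():
    return correlate(FEED, ENTERPRISE_RANGES)


if __name__ == "__main__":
    for category, records in sorted(run_sample().items()):
        for r in records:
            print(f"{category:20} {r['ip']:16} {r['family']:10} "
                  f"last seen {r['last_seen']} ({r['range']})")
```

A hit on an external address that sits behind NAT or a proxy identifies the egress point, not the infected machine; the last-seen timestamp is what lets the NAT or proxy logs narrow it to a host. The category is also what drives priority: a remote access tool or information stealer on your range is a different incident from a spammer.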
Computer Fraud = Fraud 2.0
• Deception, through the use of a computer
• “old crimes committed in new ways … using computers and the Internet to make the task[s] easier”
• computer hacking, data theft, theft of money, breaches of data security, corporate espionage, privacy breaches, computer worms, Trojan horses, viruses, malware, denial of service attacks
• mouse and keyboard = modern fraudster tools of choice
Who knows the percentage of businesses that suffered at least one act of computer fraud in last year?
90% (Ponemon Institute Study)
The CFAA says
“the term ‘computer’ means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but …”
has a processor or stores data
IMPORTANT! “such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;”
The Fourth Circuit says
“That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, . . . .”
– United States v. Kramer
The CFAA applies only to “protected” computers
Protected = connected to the Internet
This may limit the problem of applying it to alarm clocks, toasters, and coffee makers – for now?
Any situations where these devices are connected?
The CFAA covers access of or transmission to a protected computer that is
• Without authorization, or
• Exceeds authorized access
Where the person accessing
• Obtains information
• Commits a fraud
• Obtains something of value
• Transmits damaging information
• Causes damage
• Traffics in passwords
• Commits extortion
More Federal Laws for Combating Fraud 2.0
• Electronic Communications Privacy Act - 18 U.S.C. § 2510
  • Wiretap Act – intercept communications
  • Stored Communications Act – comm. at rest
• Fraud with Access Devices - 18 U.S.C. § 1029
  • devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive through swipe cards
• Identity Theft – 18 U.S.C. § 1028
Texas Laws for Combating Fraud 2.0
• Breach of Computer Security Act (Tx. Penal Code § 33.02)
  • knowingly access a computer without effective consent of owner
• Notification Required Following Breach of Security of Computerized Data (Tex. Bus. Comm. Code sec. 521.053) amended by SB 1610 (eff. 6/14/13)
• Fraudulent Use or Possession of Identifying Info (TPC § 32.51)
• Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)
• Unlawful Access to Stored Communications (TPC § 16.04)
• Identity Theft Enforcement and Protection Act (BCC § 48.001)
• Consumer Protection Against Computer Spyware Act (BCC § 48.051)
• Anti-Phishing Act (BCC § 48.003)