Fighting with friends · 2018. 3. 19. · Simda Operation Phases Phase 3 - Execute and Evaluate...
INTERPOL For official use only
Fighting with friends
Transnational cybercrime: the challenges
• Restriction in information sharing
• Legislative harmony
• Emerging technology & ease of criminal use
• Volume of crime
So, what does INTERPOL do?
Digital Forensics Laboratory (DFL) & Support Team: analysis and on-site assistance
Digital Crime Investigation Support (DIS): coordinating and facilitating transnational cybercrime investigations and operations
• Police-to-Police Cooperation
• Cyber Threat Taskforce (Police, Private Sector, Academia)
• Action Plan
• Post-Incident Collaboration
DIS: Cyber Fusion Centre (CFC): a secure and neutral collaboration workspace to share and develop cyber intelligence, and a global operational support facility
Simda Botnet Takedown (Q2 2015)
Simda.AT botnet
Challenging
• Hard to analyze
• Hard to measure
• Hard to take down
• Hard-coded IPs
Significant impact
• RA & identity theft
• Mining & clickfraud
• Network hijacking
• Slave market
Worldwide
• More than 770,000 PCs worldwide
• More than 190 countries
• Key infrastructure scattered over continents
• C2s designed to shift after partial takedown
Simda.AT infection vectors: how were so many computers compromised? All of the following:
• Mass SQL injection (compromised sites)
• Spam e-mail (male enhancing drugs)
• Social engineering (fake flash installer)
• Scare tactics (scareware affiliates)
• Exploit kits (Blackhole, Styx, Magnitude, Fiesta)
• Other malware (Kelihos, Waledac, Winwebsec)
• BlackHat SEO (Search Engine Optimization poisoning)
What triggered the operation?
Simda Operation Phases
Phase 1 – Coordinate, Investigate and Risk Assessment (Jan – March 30th 2015)
• Coordinate with Law Enforcement
• Communications/PR
• Investigation & Risk Assessment
Phase 2 – Process and Preparation (March 30 – April 3rd, 2015)
• Legal process filed in Netherlands
• Identification & Remediation Prep
• Coordinate with internal and external partners
• Communications/PR
Phase 3 – Execute and Evaluate (Week of April 6th, 2015)
International Public-Private Partnership
Digital Crimes Unit (DCU)
- Provided targeting to INTERPOL
- Initial & long term Simda analysis
- Provide AV cleaning solution
- PR communications
INTERPOL (FBI, NCA, Dutch High-Tech Crimes Unit)
- Coordinate filing of complaint to seize C&C IP addresses
- Coordinate criminal seizure of physical servers in Europe
- Coordinate identification and remediation of victims with DCU
INTERPOL research partners (three partners, shown on the slide only by logo)
- Analyze & validate Simda samples
- Perform long term analysis
- Provide AV cleaning solution (two of the three partners)
INTERPOL For official use only 28/08/2015
Simda Operation – Preliminary Reflection
Success Factors
• INTERPOL’s capabilities to coordinate with national police cyber units
• Using Law Enforcement powers to simultaneously take down C2s across the planet
• Industry’s capabilities to track and understand the infrastructure
• Private partners working as a collective to provide complementary solutions
• Leveraging PR via industry and INTERPOL to support notification and remediation
Learnings
• The effective dissemination of victim data – need to balance privacy and mitigation
• IP addresses are not treated the same in all jurisdictions – harmonization needed
• Combining data from different sources – both helpful and confusing
Next steps
• Take it beyond the one takedown
Thank You - Merci - Gracias - (in Arabic) Thank you very much for your attention