Fighting with friends · 2018. 3. 19. · Simda Operation Phases Phase 3 - Execute and Evaluate...

  • Fighting with friends (title slide; every slide carries the footer "INTERPOL For official use only")

  • Transnational Cybercrime (diagram with four surrounding factors)

    - Restriction in information sharing
    - Legislative harmony
    - Emerging technology & ease of criminal use
    - Volume of crime

  • So, what does INTERPOL do? (the organization's logo stands in for the name on the slide)

  • Digital Forensics Laboratory (DFL) & Support Team: analysis and on-site assistance

  • Digital Crime Investigation Support (DIS): coordinating and facilitating transnational cybercrime investigations and operations

    - Police-to-Police Cooperation (between national police forces)
    - Cyber Threat Taskforce: Police, Private Sector and Academia working to an Action Plan
    - Post-Incident Collaboration

  • DIS: Cyber Fusion Centre (CFC)

    - Secure and neutral collaboration workspace to share and develop cyber intelligence
    - Global operational support facility

  • Simda Botnet Takedown (Q2 2015)

  • Simda.AT botnet

    Challenging
    - Hard to analyze
    - Hard to measure
    - Hard to take down
    - Hard-coded IPs

    Significant impact
    - RA & identity theft
    - Mining & clickfraud
    - Network hijacking
    - Slave market

    Worldwide
    - More than 770,000 PCs worldwide
    - More than 190 countries
    - Key infrastructure scattered over continents
    - C2s designed to shift after partial takedown

  • Simda.AT infection vectors: how were so many computers compromised? (one slide poses each vector as a question; the next confirms every one of them)

    - Mass SQL injection (compromised sites)
    - Spam e-mail (male enhancing drugs)
    - Social engineering (fake flash installer)
    - Scare tactics (scareware affiliates)
    - Exploit kits (Blackhole, Styx, Magnitude, Fiesta)
    - Other malware (Kelihos, Waledac, Winwebsec)
    - BlackHat SEO (Search Engine Optimization poisoning)

  • What triggered the operation?
  • Simda Operation Phases (drawn on the slide as a timeline, listed here in chronological order)

    - Phase 1 – Coordinate, Investigate and Risk Assessment (Jan – March 30th 2015): coordinate with Law Enforcement; Communications/PR; Investigation & Risk Assessment
    - Phase 2 – Process and Preparation (March 30 – April 3rd, 2015): legal process filed in the Netherlands; Identification & Remediation prep; coordinate with internal and external partners; Communications/PR
    - Phase 3 – Execute and Evaluate (Week of April 6th, 2015)

  • International Public-Private Partnership

    [partner logo not captured in the transcript]
    - Digital Crimes Unit (DCU) provided targeting to INTERPOL
    - Initial & long term Simda analysis
    - Provide AV cleaning solution
    - PR communications

    INTERPOL (FBI, NCA, Dutch High-Tech Crimes Unit)
    - Coordinate filing of complaint to seize C&C IP addresses
    - Coordinate criminal seizure of physical servers in Europe
    - Coordinate identification and remediation of victims with DCU

    [research partner logo not captured in the transcript]
    - INTERPOL research partner
    - Analyze & validate Simda samples
    - Perform long term analysis
    - Provide AV cleaning solution

    [research partner logo not captured in the transcript]
    - INTERPOL research partner
    - Analyze & validate Simda samples
    - Perform long term analysis
    - Provide AV cleaning solution

    [research partner logo not captured in the transcript]
    - INTERPOL research partner
    - Analyze & validate Simda samples
    - Perform long term analysis

  • (slide dated 28/08/2015; no text captured)

  • Simda Operation – Preliminary Reflection

    Success Factors
    - INTERPOL’s capabilities to coordinate with national police cyber units
    - Using Law Enforcement powers to simultaneously take down C2s across the planet
    - Industry’s capabilities to track and understand the infrastructure
    - Private partners working as a collective to provide complementary solutions
    - Leveraging PR via industry and INTERPOL to support notification and remediation

    Learnings
    - The effective dissemination of victim data – need to balance privacy and mitigation
    - IP addresses are not treated the same in all jurisdictions – harmonization needed
    - Combining data from different sources – both helpful and confusing

    Next steps
    - Take it beyond the one takedown

  • Thank You / Merci / Gracias / نشكركم جزيل الشكر على انتباهكم (Arabic: thank you very much for your attention)