Information Sharing
Denise Anderson, Executive Director
National Health Information Sharing & Analysis Center (NH-ISAC); Chair, National Council of ISACs
Agenda
• What is an ISAC
• Overview of NCI
• Information Sharing – What and How
• Threats Seen
• Case Studies
What is an ISAC
Why ISACs
• Trusted entities established by CIKR owners and operators
• Comprehensive sector analysis, aggregation, anonymization
• Reach within their sectors, with other sectors, and with government to share critical information
• All-hazards approach
• Threat level determination for the sector
• Operational: timely, accurate, actionable
ISACs
• Aviation ISAC
• Communications ISAC
• Defense Industrial Base ISAC
• Downstream Natural Gas ISAC
• Electricity ISAC
• Emergency Management & Response ISAC
• Financial Services ISAC
• Information Technology ISAC
• Maritime ISAC
• Multi-State ISAC
• National Health ISAC
• Oil and Natural Gas ISAC (ONG)
• Surface Transportation ISAC
• Water ISAC
• Over the Road & Motor Coach ISAC
• Public Transit ISAC
• Real Estate ISAC
• Research and Education ISAC
• Retail ISAC
• Supply Chain ISAC
Other Operational Entities and Upcoming ISACs
• Automotive
• Chemical
• Food & Ag
• Nuclear
• Critical Manufacturing
What is the National Council of ISACs
National Council of ISACs
Began meeting in 2003 to address common concerns and cross-sector interdependencies.
Volunteer group of ISACs who meet monthly to develop trusted working relationships among sectors on issues of common interest and work on initiatives of value to CIKR.
NCI Structure
• National Council of ISACs: four designated operational representatives from each ISAC sit on the Council
• ISAC Plus: all other entities/representatives, such as operations centers, who participate in information sharing
Leadership: Chair Denise Anderson (FS-ISAC); Vice-Chair Scott Algeier (IT-ISAC); Secretary Josh Poster (ST-ISAC)
[Diagram: National Council of ISACs – Information Sources and Communications]
Information sources: ISAC Ops Centers; ISACs & Other Sectors; DHS & Other Government Partners; Private Sector Liaison (NICC); PCIS; Trusted Relationships; Other Sources (Hundreds)
Communications: Best Practice Sharing; Joint Statements; White Papers; Monthly Meetings; Daily & Weekly ISAC Calls; Briefings; ENS Calls and Crisis Calls; ListServ
Examples of Activities
• Increase involvement of sectors without ISACs
• Daily, Weekly, Monthly and Crisis calls
• Cross Sector Information Sharing Portal
• Private Sector Liaison with the NICC
• Drills/Exercises such as NLEs, Cyber Storm
• OCF – Implement Real-Time Sector Threat Level Reporting Directorate
Points of Engagement
• National Infrastructure Coordinating Center (NICC)
• National Cybersecurity and Communications Integration Center (NCCIC)
  – DHS-led Unified Operations Watch & Warning Center
  – Operates 24 hours/day, 7 days/week, 365 days a year
• Unified Command Group – composed of private and public sector representatives
  – Meet monthly and during an incident as needed
  – Advise the Assistant Secretary of CS&C on cybersecurity matters; provide subject matter expertise and response as necessary during an incident that requires national coordination
www.nationalcouncilofisacs.org | nationalcouncilofisacs@natlisacs.org
Information Sharing: Value, Structure, Trust
Information Sharing: Traffic Light Protocol
• RED: Restricted to a defined group (e.g. only those present in a meeting). Information labeled RED should not be shared with anyone outside of the group.
• AMBER: This information may be shared with FS-ISAC members.
• GREEN: Information may be shared with FS-ISAC members and partners (e.g. vendors, MSSPs, customers). Information in this category is not to be shared in public forums.
• WHITE: This information may be shared freely and is subject to standard copyright rules.
Types of Information Shared: Cyber Threats, Vulnerabilities, Incidents
• Malicious Sites
• Threat Actors, Objectives
• Threat Indicators
• TTPs, Observables
• Courses of Action
• Exploit Targets
• Denial of Service Attacks
• Malicious Emails: Phishing, Spearphishing
• Software Vulnerabilities
• Malicious Software
• Analysis and risk mitigation
• Incident response
Primary Ways Information Is Shared
• Portal/Alerts
• Listservers
• Automation
Sample of Sharing Thread
"Received close to 500 so far and still coming in; 90 made it through to employees before being blocked by perimeter as spam."
"Subject: Important message from BANK. Sender: youraccount@BANKmessage.com. URL: hxxp://www2.webmasterradio.fm/FanPage/Procss/Logon.html"
"0 hits last 7 days"
"We've had about 50 hits so far; all are discarded."
"BANK: Submitted a takedown request for the phishing site."
TLP AMBER – PROPRIETARY INFORMATION
Sample of ISAC Sharing
• Indicators of Compromise: IP Address, Subject Line, MD5, TTP, Malware
• Ask a question: "Anyone else seeing...?" "What do you do in this situation?" "How do you handle...?"
• Share a Best Practice: "Here's how we..."
• Share a Mitigation Strategy: "Here's a script you can use..." "We did this..."
TLP AMBER – PROPRIETARY INFORMATION
A Common Language
• Structured Threat Information Expression (STIX) is a common language: a way for all to speak the same.
Trusted Automated eXchange of Indicator Information (TAXII)
• The goal of TAXII is to facilitate the exchange of structured cyber threat information.
• Designed to support existing sharing paradigms in a more automated manner.
• TAXII is a set of specifications defining the network-level activity of the exchange.
• Defines services and messages to exchange data.
• Does NOT dictate HOW data is handled in the back-end, WHAT data is shared, or WHO it is shared with.
• TAXII is NOT a sharing program.
• TAXII is a protocol over which STIX can be transported.
What is Cyber Threat Intelligence? 8 Constructs of STIX
[Diagram: levels of threat intelligence and the questions each answers]
• Atomic: What threat activity are we seeing?
• Tactical: What threats should I look for on my networks and systems, and why?
• Operational: Where has this threat been seen? What weaknesses does it exploit? What can I do about it?
• Strategic: Who is responsible for this threat? Why do they do this? What do they do?
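The Traffic Light Protocol rules, the indicators in the sample sharing thread, and the STIX/TAXII description above, worked through as an added Python example (this code is not from the presentation or from any ISAC): a sharing gate that decides which audience a labelled item may reach, and a STIX 2.1 phishing indicator carrying the matching TLP marking, filtered the way a TAXII collection filters per recipient. The subject, sender and URL are constructed placeholders, and the Audience tiers are an assumption drawn from the slide's wording.

```python
import json
import uuid
from datetime import datetime, timezone
from enum import Enum


class TLP(Enum):
    """Traffic Light Protocol levels as described on the slide."""
    RED = "red"      # restricted to the defined group (e.g. those in the meeting)
    AMBER = "amber"  # ISAC members only
    GREEN = "green"  # members and partners (vendors, MSSPs, customers); no public forums
    WHITE = "white"  # may be shared freely, subject to copyright


class Audience(Enum):
    """Recipient's relationship to the originating group (assumed tiers, ordered by reach)."""
    ORIGINAL_GROUP = 0  # e.g. the meeting where the item was disclosed
    MEMBER = 1          # ISAC member
    PARTNER = 2         # vendor, MSSP, customer
    PUBLIC = 3          # anyone, e.g. a public forum


# Widest audience each TLP level permits.
_MAX_REACH = {TLP.RED: 0, TLP.AMBER: 1, TLP.GREEN: 2, TLP.WHITE: 3}


def may_share(tlp: TLP, audience: Audience) -> bool:
    """True if an item labelled `tlp` may be handed to `audience`."""
    return audience.value <= _MAX_REACH[tlp]


# Fixed TLP marking-definition ids from the STIX 2.1 specification, so any
# STIX consumer recognises the label without extra objects in the bundle.
TLP_MARKING = {
    TLP.WHITE: "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    TLP.GREEN: "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    TLP.AMBER: "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    TLP.RED: "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
_MARKING_TO_TLP = {ref: tlp for tlp, ref in TLP_MARKING.items()}


def _stix_time(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _quote(value: str) -> str:
    """STIX pattern string literal: single quotes, backslash-escaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def phishing_indicator(subject, sender, url, tlp, observed, description=""):
    """STIX 2.1 Indicator for one phishing wave: the lure e-mail (subject and
    sender matched together) or the credential-harvesting URL it points at."""
    pattern = (
        f"[email-message:subject = {_quote(subject)} AND "
        f"email-message:sender_ref.value = {_quote(sender)}] OR "
        f"[url:value = {_quote(url)}]"
    )
    stamp = _stix_time(observed)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "name": f"Phishing: {subject}",
        "description": description,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": stamp,
        "object_marking_refs": [TLP_MARKING[tlp]],
    }


def release_for(objects, audience: Audience):
    """Keep only objects whose TLP marking permits `audience`: the check a TAXII
    server applies per collection. Unmarked objects are withheld."""
    kept = []
    for obj in objects:
        tlps = [_MARKING_TO_TLP[r] for r in obj.get("object_marking_refs", [])
                if r in _MARKING_TO_TLP]
        if tlps and all(may_share(t, audience) for t in tlps):
            kept.append(obj)
    return kept


def bundle(objects):
    """Wrap objects in a STIX Bundle, the unit TAXII moves between peers."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def sample_indicator():
    """Constructed TLP:AMBER indicator mirroring the slide's sharing thread."""
    return phishing_indicator(
        subject="Important message from BANK",
        sender="youraccount@bank-message.example",             # constructed
        url="http://login-portal.example/FanPage/Logon.html",  # constructed
        tlp=TLP.AMBER,
        observed=datetime(2015, 8, 11, tzinfo=timezone.utc),
        description="~500 received; 90 reached employees before the perimeter "
                    "blocked the rest as spam",
    )


if __name__ == "__main__":
    ind = sample_indicator()
    # Members receive the bundle; partners receive nothing, because the item is AMBER.
    print(json.dumps(bundle(release_for([ind], Audience.MEMBER)), indent=2))
    print(len(release_for([ind], Audience.PARTNER)), "objects releasable to partners")
```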
Threats Seen
Cyber Threat Environment
• Actors: Nation States, Terrorists, Criminals, Insiders, Activists/Hacktivists, Media, Vendors
Seen Last Week...
• Nuclear Exploit Kit
• OpenVAS Scanning
• Angler/Neutrino
• PlugX
• DDoS
• Dridex
• Upatre/Dyre
Malware – Exploit Kits: Top Exploit Kits Seen
• Blackhole EK – Paunch, 10/13
• Infinity EK – Flash player exploit
• Neutrino EK – Mixes legitimate and non-legitimate requests to obfuscate the code
• Magnitude EK – Ransomware
• Sweet Orange EK – Website
• Fiesta EK – Silverlight
• Angler EK – hides behind legitimate web code
• Crimeboss EK – Java exploits
Ransomware
• CryptoLocker
• CryptoWall
• CryptoDefense
• TorrentLocker
• Darkleech
Top infections: US, AU, Canada, UK, India. Also saw a Singapore trend.
Delivery Mechanisms: Phishing/Spearphishing
• Court Notice
• Invoice/Statement
• Shipping themes: DHL, FedEx, UPS, EZ Pass
• Bank phish – Swift Transfer
• Dhgate invoice
• eFax
• Salesforce
• Reward themes
• Airline – Delta
• WhatsApp – "You've got a voicemail"
Malware – Banking Trojans: Top Trojans Seen
• Citadel
• Kronos
• Kuluoz – Asprox
• Carberp
• Zeus
• Zberp – hybrid
• Gameover Zeus (GOZ) – P2P (arj) 9/14
• Cridex – Bugat, Feodo, Dridex
• Dyre
• Shylock – July 2014 Takedown
Dyre Spreads Like A Global Virus...
• June 2014: UK, US
• September 2014: Salesforce.com attacked
• October 2014: Romania, Germany and Switzerland
• November 2014: Over 100 firms targeted
• December 2014: Australia and China
Delivery Mechanisms: Drive-by Downloads and Watering Holes
• Forbes.com, Energystar.com, AusPost-tracking.com, VA.gov, NBC.com – Citadel, 2013
Vulnerability Scanning
• Port Scans – Open ports
• Vulnerability Scans – WordPress, Joomla, Java, Flash, OpenSSL
• Infrastructure
Vulnerabilities
• OpenSSL/Heartbleed
  – Old vulnerability
  – Allows more data than allowed to be read
  – Website vulnerability
  – Banks took the rap unfairly
• GNU Bash/Shellshock
  – Old vulnerability (1994)
  – Unix based: Linux, Apple Mac OS X
  – Went public Wednesday 9/24
  – Exploits and scanning seen almost immediately
Breaches
Malware: ChewBacca, Dexter, BlackPOS, Backoff
• Target: 70 million – 2013
• OPM: 21.5 million
• Premera BCBS: 11.2 million
• Community Health Systems: 4.5 million
• Anthem BCBS: 80 million
• Sony / Hacking Team
2015 Breaches Identified by the ITRC as of 8/11/2015
• Total Breaches: 5500 (approx.)
• Total Records Exposed: 818,004,561
• Source: Identity Theft Resource Center
DDoS
• Sony PlayStation – Lizard Squad
• Operation Ababil
• Las Vegas – Gaming Industry
• Israel
• DD4BC
• World Cup
Q1 2015 Compared to Q4 2014 (Akamai)
• 15% decrease in average attack time
• 35% increase in total DDoS attacks
• 42% increase in SSDP DDoS attacks (routers)
• 22% increase in application layer DDoS attacks
• 7% decrease in average attack bandwidth (170 Gbps)
• 37% increase in infrastructure layer DDoS attacks
Wiper Malware
• Shamoon – 2012
  – Attack on 30,000 Saudi Aramco workstations
  – Corrupts files and wipes devices
• South Korean Attacks – 2013
  – 2 banks, a media company and an insurance company
  – Patch systems targeted and used to infect
  – Wiped Windows, Linux and UNIX OS
• Las Vegas Casino – 2014
  – Wiped and destroyed files with a VB bomb
• Sony – 2014
  – SMB Worm Tool: listening implant, backdoor, proxy tool, destructive hard drive tool, destructive targeted cleaning tool, network propagation wiper
  – Financial data destroyed; financial system still inoperable – asks for delay in filing
The Media and Vendors
• Malvertising
• Watering Holes
• Syrian Electronic Army
Media / Vendor Spin Incidents
• HeartBleed / OpenSSL
• Hedge Fund Attack – BAE
• Russians Attack Financial System
• Russians Hack 1.4 Billion Passwords – Hold Security
Other Threats
• Call Center – Phishing
• Mobile
• Social Media – Sony Executive on American Airlines
• Industrial Control Systems – Havex
• Espionage – VirusTotal testing for malware
Case Studies
DDoS – DD4BC
Since April 2015
• From: DD4BC Team <d4bct[AT]gmail[.]com>
• Subject: DDOS ATTACK
• Size: 500 Mbps to 50 Gbps
• Duration: Up to 1 hour
• Ransom Demand: 25-40 BTC
United / NYSE
• NYSE: July 8, 2015; 11:32am; 11:45am chatter; Noon definitive word
• UNITED: 8:26 am, Reservation System
United Parcel Service
• USSS, NCCIC, FS-ISAC – Collaborate to release malware analysis and risk mitigation recommendations
• Shared with Retailers Association
• UPS detected and used to mitigate malware
Questions
Agenda
bull What13 is an ISAC
bull Overview of NCI13 bull InformaMon Sharing -shy‐ What13 and How
bull Threats Seen
bull Case Studies
What is an ISAC
Why ISACs
Why ISACs
v Trusted enMMes established by CIKR13 owners and operators
v Comprehensive sector analysis aggregaMon anonymizaMon
v Reach-shy‐within their sectors with other sectors and with government13 to share criMcal informaMon
v All-shy‐hazards approach
v Threat13 level determinaMon for sector
vOperaMonal-shy‐Mmely accurate acMonable
ISACs bull AviaMon ISAC
bull CommunicaMons ISAC
bull Defense Industrial Base ISAC
bull Downstream Natural Gas ISAC
bull Electricity ISAC
bull Emergency Management13 amp Response ISAC
bull Financial Services ISAC
bull InformaMon Technology
bull MariMme ISAC
bull MulM-shy‐State ISAC
bull NaMonal Health ISAC
ISAC
ISACs bull Oil and Natural Gas ISAC (ONG)
bull Surface TransportaMon
bull Water ISAC
bull Over the Road ampMotor Coach ISAC
bull Public Transit13 ISAC
bull Real Estate ISAC
bull Research and EducaMon ISAC
bull Retail ISAC
bull Supply Chain ISAC
ISAC
Other13 OperaKonal EnKKes13 and Upcoming ISACs
bull AutomoKve
bull Chemical bull Food amp Ag
bull Nuclear bull CriMcal Manufacturing
What is the National Council of ISACs
NaKonal Council of ISACs
Began meeMng in 2003 to address common concerns and cross-shy‐sector interdependencies
Volunteer group of ISACs who meet13 monthly todevelop trusted working relaMonships among sectors on issues of common interest13 and work oniniMaMves of value to CIKR13
NCI13 Structure NaMonal Council of ISACs four designated operaMonalrepresentaMves from each ISAC sit13 on the Council
ISAC Plus all other enMMesrepresentaMves such asoperaMons centers who parMcipate in informaMon sharing
Leadership Chair Denise Anderson-shy‐FS-shy‐ISAC Vice-shy‐Chair ScoO Algeier-shy‐IT-shy‐ISAC Secretary Josh Poster-shy‐ST-shy‐ISAC
Information Sources Communications
Best Practice Sharing -
Joint Statements -White Papers
Monthly Meetings
Daily amp Weekly ISAC
Calls
Briefings ENS Calls And Crisis
Calls
ListServ Trusted
Relationships ISAC Ops Centers
ISACs amp Other
Sectors
DHS amp Other Government Partners
Private Sector Liaison -NICC
Other Sources
(Hundreds)
PCIS
National Council of
ISACs
Examples of AcKviKes
ndash Increase involvement13 of sectors without13 ISACs ndash Daily Weekly Monthly and Crisis calls ndash Cross13 Sector13 InformaKon Sharing13 Portal ndash Private13 Sector13 Liaison with the13 NICC13 ndash DrillsExercises Such as NLEs Cyber Storm
bull OCFndash Implement13 Real-shy‐Time sector Threat13 Level
ReporMng Directorate
Points13 of13 Engagementbull NaMonal Infrastructure CoordinaMng Center (NICC) bull NaMonal Cybersecurity and CommunicaMons IntegraMon
Center (NCCIC) ndash DHS-shy‐led Unified OperaMons Watch ampWarning Center ndash Operates 24 hoursday 7 daysweek 365 days a year
bull Unified Command Group-shy‐composed of private and public sector representaMves ndash Meet13 monthly and during an incident13 as needed ndash Advise Assistant13 Secretary of CSampC on cybersecurity maOers provide subject13 maOer experMse and response as necessary during an incident13 that13 requires naMonal coordinaMon
wwwnationalcouncilofisacsorg nationalcouncilofisacsnatlisacsorg
InformaKon13 Sharing Valu e
Structur e
Trust
Information Sharing Traffic Light Protocol
curren Restricted to a defined group (eg only those present in ameeting) Information labeled RED should not be shared withanyone outside of the group
curren This information may be shared with FS-ISAC members
curren Information may be shared with FS-ISAC members andpartners (eg vendors MSSPs customers) Information in this category is not to be shared in public forums
curren This information may be shared freely and is subject to standard copyright rules
Types13 of13 InformaKon SharedCyber13 Threats VulnerabiliKes Incidents
uumlMalicious Sites uumlThreat13 Actors ObjecMves13
uumlThreat13 Indicators uumlTTPs Observables uumlCourses13 of AcMon13 uumlExploit13 Targets uumlDenial of Service AOacks
uumlMalicious Emails Phishing Spearphishing
uumlSogtwareVulnerabiliMes
uumlMalicious Sogtware uumlAnalysis and risk miMgaMon
uumlIncident13 response
Primary Ways13 InformaKon Is13 Shared
uumlPortalAlerts uumlListservers uumlAutomaMon
Sample of Sharing Thread
Received close to 500 so far and sMll coming in 90 made it13 through to employees before being blocked by perimeter asspam
SubjectImportant13 message from BANK Sender youraccountBANKmessagecom URL hxxpwww2webmasterradiofm FanPageProcssLogonhtml
0 hits last13 7days
Wersquove had about13 50 hits so far all arediscarded
TLP AMBER13 PROPRIETARY INFORMATION
BANK SubmiOed atakedown request13 for the phishing site
Sample of ISAC Sharing
Indicators of Compromise IP Address Subject Line MD5 TTP Malware
Ask a question Anyone else seeing What do you do in this situation How do you handlehelliphelliphelliphellip
Share a Best Practice Herersquos how wehelliphellip
Share a Mitigation Strategy Herersquos a script you can usehelliphellip We did thishelliphellip
TLP AMBER13 PROPRIETARY INFORMATION
A Common Language
sect Structured Threat Information Expression is a common language a way for all to speak the same
Trusted Automated eXchange of Indicator Information (TAXII)
sect The goal of TAXII is to facilitate the exchange of structured cyber threat information sect Designed to support existing sharing paradigms in a
more automated manner
sect TAXII is a set of specifications defining the network-level activity of the exchange sect Defines services and messages to exchange data sect Does NOT dictate HOW data is handled in the
back-end WHAT data is shared or WHO it is shared with
sect TAXII is NOT a sharing program sect TAXII is a protocol over which STIX can be
transported
What is13 Cyber13 Threat Intelligence8 Constructs13 of STIX
Atomic
Tactical
Operational
What threat activity are we seeing
What threats should I look for on my networks and systems and why
Where has this What weaknesses What can I threat been seen does it exploit do about it
Strategic
Who is responsible for this threat
Why do they do this
What do they do
Threats Seen
Cyber13 Threat Environment
bull Actors ndash NaMon States ndash Terrorists ndash Criminals ndash Insiders ndash AcMvistsHackMvists ndash Media13 ndash Vendors13
Seen Last Weekhellip Nuclear Exploit13 Kit13
Open VAS Scanning
AnglerNeutrino
PlugX
DDoS
Dridex13
UpatreDyre
13
xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
Malware-shy‐Exploit Kits Top Exploit13 Kits Seen
Blackhole EK ndash Paunch 1013 Infinity EK Flash player exploit13 Neutrino13 EK Mixes legiMmate non-shy‐legiMmate requests toobsfuscate the code Magnitude EK -shy‐ Ransomware Sweet Orange13 EK -shy‐ Website Fiesta EK -shy‐ Silverlight13 Angler EK hides behind legiMmate web code Crimeboss13 EK Java exploits
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors MalverMsing Watering Holes
Syrian Electronic13 Army
Media Vendor Spin Incidents
bull HeartBleed13 Open SSL bull Hedge Fund ANack -shy‐ BAEbull Russians ANack Financial System13 bull Russians Hack 14 Billion Passwords -shy‐ Hold Security
Other13 Threats
bull Call Center ndash Phishing bull Mobile bull Social Media ndash Sony ExecuMve on American Airlines bull Industrial Control Systems -shy‐ Havex bull Espionage ndash VirusTotal tesMng for malware
Case Studies
DDoS ndash DD4BC
Since April 2015 bullSubject Line bullFrom From DD4BC Team ltd4bct[AT]gmail[]comgt bullSubject DDOS ATTACK
Size 500 Mbps to 50 Gbps Duration Up to 1 hour Ransom Demand 25-40 BTC
UnitedNYSE
NYSE July 8 2015 1132am 1145am chatter Noon definitive word
UNITED 826 am Reservation System
United13 Parcel13 Service
bull USSS NCCIC FS-shy‐ISAC ndashCollaborate to releasemalware analysis and risk miMgaMon recommendaMons
bull Shared with Retailers AssociaKon
bull UPS Detected13 and used13 to miKgate Malware
QuesKons
What is an ISAC
Why ISACs
Why ISACs
v Trusted enMMes established by CIKR13 owners and operators
v Comprehensive sector analysis aggregaMon anonymizaMon
v Reach-shy‐within their sectors with other sectors and with government13 to share criMcal informaMon
v All-shy‐hazards approach
v Threat13 level determinaMon for sector
vOperaMonal-shy‐Mmely accurate acMonable
ISACs bull AviaMon ISAC
bull CommunicaMons ISAC
bull Defense Industrial Base ISAC
bull Downstream Natural Gas ISAC
bull Electricity ISAC
bull Emergency Management13 amp Response ISAC
bull Financial Services ISAC
bull InformaMon Technology
bull MariMme ISAC
bull MulM-shy‐State ISAC
bull NaMonal Health ISAC
ISAC
ISACs bull Oil and Natural Gas ISAC (ONG)
bull Surface TransportaMon
bull Water ISAC
bull Over the Road ampMotor Coach ISAC
bull Public Transit13 ISAC
bull Real Estate ISAC
bull Research and EducaMon ISAC
bull Retail ISAC
bull Supply Chain ISAC
ISAC
Other13 OperaKonal EnKKes13 and Upcoming ISACs
bull AutomoKve
bull Chemical bull Food amp Ag
bull Nuclear bull CriMcal Manufacturing
What is the National Council of ISACs
NaKonal Council of ISACs
Began meeMng in 2003 to address common concerns and cross-shy‐sector interdependencies
Volunteer group of ISACs who meet13 monthly todevelop trusted working relaMonships among sectors on issues of common interest13 and work oniniMaMves of value to CIKR13
NCI13 Structure NaMonal Council of ISACs four designated operaMonalrepresentaMves from each ISAC sit13 on the Council
ISAC Plus all other enMMesrepresentaMves such asoperaMons centers who parMcipate in informaMon sharing
Leadership Chair Denise Anderson-shy‐FS-shy‐ISAC Vice-shy‐Chair ScoO Algeier-shy‐IT-shy‐ISAC Secretary Josh Poster-shy‐ST-shy‐ISAC
Information Sources Communications
Best Practice Sharing -
Joint Statements -White Papers
Monthly Meetings
Daily amp Weekly ISAC
Calls
Briefings ENS Calls And Crisis
Calls
ListServ Trusted
Relationships ISAC Ops Centers
ISACs amp Other
Sectors
DHS amp Other Government Partners
Private Sector Liaison -NICC
Other Sources
(Hundreds)
PCIS
National Council of
ISACs
Examples of AcKviKes
ndash Increase involvement13 of sectors without13 ISACs ndash Daily Weekly Monthly and Crisis calls ndash Cross13 Sector13 InformaKon Sharing13 Portal ndash Private13 Sector13 Liaison with the13 NICC13 ndash DrillsExercises Such as NLEs Cyber Storm
bull OCFndash Implement13 Real-shy‐Time sector Threat13 Level
ReporMng Directorate
Points13 of13 Engagementbull NaMonal Infrastructure CoordinaMng Center (NICC) bull NaMonal Cybersecurity and CommunicaMons IntegraMon
Center (NCCIC) ndash DHS-shy‐led Unified OperaMons Watch ampWarning Center ndash Operates 24 hoursday 7 daysweek 365 days a year
bull Unified Command Group-shy‐composed of private and public sector representaMves ndash Meet13 monthly and during an incident13 as needed ndash Advise Assistant13 Secretary of CSampC on cybersecurity maOers provide subject13 maOer experMse and response as necessary during an incident13 that13 requires naMonal coordinaMon
wwwnationalcouncilofisacsorg nationalcouncilofisacsnatlisacsorg
InformaKon13 Sharing Valu e
Structur e
Trust
Information Sharing Traffic Light Protocol
curren Restricted to a defined group (eg only those present in ameeting) Information labeled RED should not be shared withanyone outside of the group
curren This information may be shared with FS-ISAC members
curren Information may be shared with FS-ISAC members andpartners (eg vendors MSSPs customers) Information in this category is not to be shared in public forums
curren This information may be shared freely and is subject to standard copyright rules
Types13 of13 InformaKon SharedCyber13 Threats VulnerabiliKes Incidents
uumlMalicious Sites uumlThreat13 Actors ObjecMves13
uumlThreat13 Indicators uumlTTPs Observables uumlCourses13 of AcMon13 uumlExploit13 Targets uumlDenial of Service AOacks
uumlMalicious Emails Phishing Spearphishing
uumlSogtwareVulnerabiliMes
uumlMalicious Sogtware uumlAnalysis and risk miMgaMon
uumlIncident13 response
Primary Ways13 InformaKon Is13 Shared
uumlPortalAlerts uumlListservers uumlAutomaMon
Sample of Sharing Thread
Received close to 500 so far and sMll coming in 90 made it13 through to employees before being blocked by perimeter asspam
SubjectImportant13 message from BANK Sender youraccountBANKmessagecom URL hxxpwww2webmasterradiofm FanPageProcssLogonhtml
0 hits last13 7days
Wersquove had about13 50 hits so far all arediscarded
TLP AMBER13 PROPRIETARY INFORMATION
BANK SubmiOed atakedown request13 for the phishing site
Sample of ISAC Sharing
Indicators of Compromise IP Address Subject Line MD5 TTP Malware
Ask a question Anyone else seeing What do you do in this situation How do you handlehelliphelliphelliphellip
Share a Best Practice Herersquos how wehelliphellip
Share a Mitigation Strategy Herersquos a script you can usehelliphellip We did thishelliphellip
TLP AMBER13 PROPRIETARY INFORMATION
A Common Language
sect Structured Threat Information Expression is a common language a way for all to speak the same
Trusted Automated eXchange of Indicator Information (TAXII)
sect The goal of TAXII is to facilitate the exchange of structured cyber threat information sect Designed to support existing sharing paradigms in a
more automated manner
sect TAXII is a set of specifications defining the network-level activity of the exchange sect Defines services and messages to exchange data sect Does NOT dictate HOW data is handled in the
back-end WHAT data is shared or WHO it is shared with
sect TAXII is NOT a sharing program sect TAXII is a protocol over which STIX can be
transported
What is13 Cyber13 Threat Intelligence8 Constructs13 of STIX
Atomic
Tactical
Operational
What threat activity are we seeing
What threats should I look for on my networks and systems and why
Where has this What weaknesses What can I threat been seen does it exploit do about it
Strategic
Who is responsible for this threat
Why do they do this
What do they do
Threats Seen
Cyber13 Threat Environment
bull Actors ndash NaMon States ndash Terrorists ndash Criminals ndash Insiders ndash AcMvistsHackMvists ndash Media13 ndash Vendors13
Seen Last Weekhellip Nuclear Exploit13 Kit13
Open VAS Scanning
AnglerNeutrino
PlugX
DDoS
Dridex13
UpatreDyre
13
xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
Malware-shy‐Exploit Kits Top Exploit13 Kits Seen
Blackhole EK ndash Paunch 1013 Infinity EK Flash player exploit13 Neutrino13 EK Mixes legiMmate non-shy‐legiMmate requests toobsfuscate the code Magnitude EK -shy‐ Ransomware Sweet Orange13 EK -shy‐ Website Fiesta EK -shy‐ Silverlight13 Angler EK hides behind legiMmate web code Crimeboss13 EK Java exploits
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors
Malvertising, Watering Holes, Syrian Electronic Army
Media/Vendor Spin Incidents
• HeartBleed/OpenSSL
• Hedge Fund Attack - BAE
• Russians Attack Financial System
• Russians Hack 1.4 Billion Passwords - Hold Security
Other Threats
• Call Center - Phishing
• Mobile
• Social Media - Sony Executive on American Airlines
• Industrial Control Systems - Havex
• Espionage - VirusTotal testing for malware
Case Studies
DDoS - DD4BC
Since April 2015
• Subject Line
• From: DD4BC Team <d4bct[AT]gmail[.]com>
• Subject: DDOS ATTACK
Size: 500 Mbps to 50 Gbps; Duration: Up to 1 hour; Ransom Demand: 25-40 BTC
United/NYSE
NYSE, July 8 2015: 11:32am; 11:45am chatter; Noon definitive word
UNITED, 8:26 am: Reservation System
United Parcel Service
• USSS, NCCIC, FS-ISAC - Collaborate to release malware analysis and risk mitigation recommendations
• Shared with Retailers Association
• UPS detected and used to mitigate malware
Questions
Why ISACs
v Trusted enMMes established by CIKR13 owners and operators
v Comprehensive sector analysis aggregaMon anonymizaMon
v Reach-shy‐within their sectors with other sectors and with government13 to share criMcal informaMon
v All-shy‐hazards approach
v Threat13 level determinaMon for sector
vOperaMonal-shy‐Mmely accurate acMonable
ISACs bull AviaMon ISAC
bull CommunicaMons ISAC
bull Defense Industrial Base ISAC
bull Downstream Natural Gas ISAC
bull Electricity ISAC
bull Emergency Management13 amp Response ISAC
bull Financial Services ISAC
bull InformaMon Technology
bull MariMme ISAC
bull MulM-shy‐State ISAC
bull NaMonal Health ISAC
ISAC
ISACs bull Oil and Natural Gas ISAC (ONG)
bull Surface TransportaMon
bull Water ISAC
bull Over the Road ampMotor Coach ISAC
bull Public Transit13 ISAC
bull Real Estate ISAC
bull Research and EducaMon ISAC
bull Retail ISAC
bull Supply Chain ISAC
ISAC
Other13 OperaKonal EnKKes13 and Upcoming ISACs
bull AutomoKve
bull Chemical bull Food amp Ag
bull Nuclear bull CriMcal Manufacturing
What is the National Council of ISACs
NaKonal Council of ISACs
Began meeMng in 2003 to address common concerns and cross-shy‐sector interdependencies
Volunteer group of ISACs who meet13 monthly todevelop trusted working relaMonships among sectors on issues of common interest13 and work oniniMaMves of value to CIKR13
NCI13 Structure NaMonal Council of ISACs four designated operaMonalrepresentaMves from each ISAC sit13 on the Council
ISAC Plus all other enMMesrepresentaMves such asoperaMons centers who parMcipate in informaMon sharing
Leadership Chair Denise Anderson-shy‐FS-shy‐ISAC Vice-shy‐Chair ScoO Algeier-shy‐IT-shy‐ISAC Secretary Josh Poster-shy‐ST-shy‐ISAC
Information Sources Communications
Best Practice Sharing -
Joint Statements -White Papers
Monthly Meetings
Daily amp Weekly ISAC
Calls
Briefings ENS Calls And Crisis
Calls
ListServ Trusted
Relationships ISAC Ops Centers
ISACs amp Other
Sectors
DHS amp Other Government Partners
Private Sector Liaison -NICC
Other Sources
(Hundreds)
PCIS
National Council of
ISACs
Examples of AcKviKes
ndash Increase involvement13 of sectors without13 ISACs ndash Daily Weekly Monthly and Crisis calls ndash Cross13 Sector13 InformaKon Sharing13 Portal ndash Private13 Sector13 Liaison with the13 NICC13 ndash DrillsExercises Such as NLEs Cyber Storm
bull OCFndash Implement13 Real-shy‐Time sector Threat13 Level
ReporMng Directorate
Points13 of13 Engagementbull NaMonal Infrastructure CoordinaMng Center (NICC) bull NaMonal Cybersecurity and CommunicaMons IntegraMon
Center (NCCIC) ndash DHS-shy‐led Unified OperaMons Watch ampWarning Center ndash Operates 24 hoursday 7 daysweek 365 days a year
bull Unified Command Group-shy‐composed of private and public sector representaMves ndash Meet13 monthly and during an incident13 as needed ndash Advise Assistant13 Secretary of CSampC on cybersecurity maOers provide subject13 maOer experMse and response as necessary during an incident13 that13 requires naMonal coordinaMon
wwwnationalcouncilofisacsorg nationalcouncilofisacsnatlisacsorg
InformaKon13 Sharing Valu e
Structur e
Trust
Information Sharing Traffic Light Protocol
curren Restricted to a defined group (eg only those present in ameeting) Information labeled RED should not be shared withanyone outside of the group
curren This information may be shared with FS-ISAC members
curren Information may be shared with FS-ISAC members andpartners (eg vendors MSSPs customers) Information in this category is not to be shared in public forums
curren This information may be shared freely and is subject to standard copyright rules
Types13 of13 InformaKon SharedCyber13 Threats VulnerabiliKes Incidents
uumlMalicious Sites uumlThreat13 Actors ObjecMves13
uumlThreat13 Indicators uumlTTPs Observables uumlCourses13 of AcMon13 uumlExploit13 Targets uumlDenial of Service AOacks
uumlMalicious Emails Phishing Spearphishing
uumlSogtwareVulnerabiliMes
uumlMalicious Sogtware uumlAnalysis and risk miMgaMon
uumlIncident13 response
Primary Ways13 InformaKon Is13 Shared
uumlPortalAlerts uumlListservers uumlAutomaMon
Sample of Sharing Thread
Received close to 500 so far and sMll coming in 90 made it13 through to employees before being blocked by perimeter asspam
SubjectImportant13 message from BANK Sender youraccountBANKmessagecom URL hxxpwww2webmasterradiofm FanPageProcssLogonhtml
0 hits last13 7days
Wersquove had about13 50 hits so far all arediscarded
TLP AMBER13 PROPRIETARY INFORMATION
BANK SubmiOed atakedown request13 for the phishing site
Sample of ISAC Sharing
Indicators of Compromise IP Address Subject Line MD5 TTP Malware
Ask a question Anyone else seeing What do you do in this situation How do you handlehelliphelliphelliphellip
Share a Best Practice Herersquos how wehelliphellip
Share a Mitigation Strategy Herersquos a script you can usehelliphellip We did thishelliphellip
TLP AMBER13 PROPRIETARY INFORMATION
A Common Language
sect Structured Threat Information Expression is a common language a way for all to speak the same
Trusted Automated eXchange of Indicator Information (TAXII)
sect The goal of TAXII is to facilitate the exchange of structured cyber threat information sect Designed to support existing sharing paradigms in a
more automated manner
sect TAXII is a set of specifications defining the network-level activity of the exchange sect Defines services and messages to exchange data sect Does NOT dictate HOW data is handled in the
back-end WHAT data is shared or WHO it is shared with
sect TAXII is NOT a sharing program sect TAXII is a protocol over which STIX can be
transported
What is13 Cyber13 Threat Intelligence8 Constructs13 of STIX
Atomic
Tactical
Operational
What threat activity are we seeing
What threats should I look for on my networks and systems and why
Where has this What weaknesses What can I threat been seen does it exploit do about it
Strategic
Who is responsible for this threat
Why do they do this
What do they do
Threats Seen
Cyber13 Threat Environment
bull Actors ndash NaMon States ndash Terrorists ndash Criminals ndash Insiders ndash AcMvistsHackMvists ndash Media13 ndash Vendors13
Seen Last Weekhellip Nuclear Exploit13 Kit13
Open VAS Scanning
AnglerNeutrino
PlugX
DDoS
Dridex13
UpatreDyre
13
xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
Malware-shy‐Exploit Kits Top Exploit13 Kits Seen
Blackhole EK ndash Paunch 1013 Infinity EK Flash player exploit13 Neutrino13 EK Mixes legiMmate non-shy‐legiMmate requests toobsfuscate the code Magnitude EK -shy‐ Ransomware Sweet Orange13 EK -shy‐ Website Fiesta EK -shy‐ Silverlight13 Angler EK hides behind legiMmate web code Crimeboss13 EK Java exploits
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors MalverMsing Watering Holes
Syrian Electronic13 Army
Media Vendor Spin Incidents
bull HeartBleed13 Open SSL bull Hedge Fund ANack -shy‐ BAEbull Russians ANack Financial System13 bull Russians Hack 14 Billion Passwords -shy‐ Hold Security
Other13 Threats
bull Call Center ndash Phishing bull Mobile bull Social Media ndash Sony ExecuMve on American Airlines bull Industrial Control Systems -shy‐ Havex bull Espionage ndash VirusTotal tesMng for malware
Case Studies
DDoS ndash DD4BC
Since April 2015 bullSubject Line bullFrom From DD4BC Team ltd4bct[AT]gmail[]comgt bullSubject DDOS ATTACK
Size 500 Mbps to 50 Gbps Duration Up to 1 hour Ransom Demand 25-40 BTC
UnitedNYSE
NYSE July 8 2015 1132am 1145am chatter Noon definitive word
UNITED 826 am Reservation System
United13 Parcel13 Service
bull USSS NCCIC FS-shy‐ISAC ndashCollaborate to releasemalware analysis and risk miMgaMon recommendaMons
bull Shared with Retailers AssociaKon
bull UPS Detected13 and used13 to miKgate Malware
QuesKons
ISACs bull AviaMon ISAC
bull CommunicaMons ISAC
bull Defense Industrial Base ISAC
bull Downstream Natural Gas ISAC
bull Electricity ISAC
bull Emergency Management13 amp Response ISAC
bull Financial Services ISAC
bull InformaMon Technology
bull MariMme ISAC
bull MulM-shy‐State ISAC
bull NaMonal Health ISAC
ISAC
ISACs bull Oil and Natural Gas ISAC (ONG)
bull Surface TransportaMon
bull Water ISAC
bull Over the Road ampMotor Coach ISAC
bull Public Transit13 ISAC
bull Real Estate ISAC
bull Research and EducaMon ISAC
bull Retail ISAC
bull Supply Chain ISAC
ISAC
Other13 OperaKonal EnKKes13 and Upcoming ISACs
bull AutomoKve
bull Chemical bull Food amp Ag
bull Nuclear bull CriMcal Manufacturing
What is the National Council of ISACs
NaKonal Council of ISACs
Began meeMng in 2003 to address common concerns and cross-shy‐sector interdependencies
Volunteer group of ISACs who meet13 monthly todevelop trusted working relaMonships among sectors on issues of common interest13 and work oniniMaMves of value to CIKR13
NCI13 Structure NaMonal Council of ISACs four designated operaMonalrepresentaMves from each ISAC sit13 on the Council
ISAC Plus all other enMMesrepresentaMves such asoperaMons centers who parMcipate in informaMon sharing
Leadership Chair Denise Anderson-shy‐FS-shy‐ISAC Vice-shy‐Chair ScoO Algeier-shy‐IT-shy‐ISAC Secretary Josh Poster-shy‐ST-shy‐ISAC
Information Sources Communications
Best Practice Sharing -
Joint Statements -White Papers
Monthly Meetings
Daily amp Weekly ISAC
Calls
Briefings ENS Calls And Crisis
Calls
ListServ Trusted
Relationships ISAC Ops Centers
ISACs amp Other
Sectors
DHS amp Other Government Partners
Private Sector Liaison -NICC
Other Sources
(Hundreds)
PCIS
National Council of
ISACs
Examples of AcKviKes
ndash Increase involvement13 of sectors without13 ISACs ndash Daily Weekly Monthly and Crisis calls ndash Cross13 Sector13 InformaKon Sharing13 Portal ndash Private13 Sector13 Liaison with the13 NICC13 ndash DrillsExercises Such as NLEs Cyber Storm
bull OCFndash Implement13 Real-shy‐Time sector Threat13 Level
ReporMng Directorate
Points13 of13 Engagementbull NaMonal Infrastructure CoordinaMng Center (NICC) bull NaMonal Cybersecurity and CommunicaMons IntegraMon
Center (NCCIC) ndash DHS-shy‐led Unified OperaMons Watch ampWarning Center ndash Operates 24 hoursday 7 daysweek 365 days a year
bull Unified Command Group-shy‐composed of private and public sector representaMves ndash Meet13 monthly and during an incident13 as needed ndash Advise Assistant13 Secretary of CSampC on cybersecurity maOers provide subject13 maOer experMse and response as necessary during an incident13 that13 requires naMonal coordinaMon
wwwnationalcouncilofisacsorg nationalcouncilofisacsnatlisacsorg
InformaKon13 Sharing Valu e
Structur e
Trust
Information Sharing Traffic Light Protocol
curren Restricted to a defined group (eg only those present in ameeting) Information labeled RED should not be shared withanyone outside of the group
curren This information may be shared with FS-ISAC members
curren Information may be shared with FS-ISAC members andpartners (eg vendors MSSPs customers) Information in this category is not to be shared in public forums
curren This information may be shared freely and is subject to standard copyright rules
Types13 of13 InformaKon SharedCyber13 Threats VulnerabiliKes Incidents
uumlMalicious Sites uumlThreat13 Actors ObjecMves13
uumlThreat13 Indicators uumlTTPs Observables uumlCourses13 of AcMon13 uumlExploit13 Targets uumlDenial of Service AOacks
uumlMalicious Emails Phishing Spearphishing
uumlSogtwareVulnerabiliMes
uumlMalicious Sogtware uumlAnalysis and risk miMgaMon
uumlIncident13 response
Primary Ways13 InformaKon Is13 Shared
uumlPortalAlerts uumlListservers uumlAutomaMon
Sample of Sharing Thread
Received close to 500 so far and sMll coming in 90 made it13 through to employees before being blocked by perimeter asspam
SubjectImportant13 message from BANK Sender youraccountBANKmessagecom URL hxxpwww2webmasterradiofm FanPageProcssLogonhtml
0 hits last13 7days
Wersquove had about13 50 hits so far all arediscarded
TLP AMBER13 PROPRIETARY INFORMATION
BANK SubmiOed atakedown request13 for the phishing site
Sample of ISAC Sharing
Indicators of Compromise IP Address Subject Line MD5 TTP Malware
Ask a question Anyone else seeing What do you do in this situation How do you handlehelliphelliphelliphellip
Share a Best Practice Herersquos how wehelliphellip
Share a Mitigation Strategy Herersquos a script you can usehelliphellip We did thishelliphellip
TLP AMBER13 PROPRIETARY INFORMATION
A Common Language
sect Structured Threat Information Expression is a common language a way for all to speak the same
Trusted Automated eXchange of Indicator Information (TAXII)
sect The goal of TAXII is to facilitate the exchange of structured cyber threat information sect Designed to support existing sharing paradigms in a
more automated manner
sect TAXII is a set of specifications defining the network-level activity of the exchange sect Defines services and messages to exchange data sect Does NOT dictate HOW data is handled in the
back-end WHAT data is shared or WHO it is shared with
sect TAXII is NOT a sharing program sect TAXII is a protocol over which STIX can be
transported
What is13 Cyber13 Threat Intelligence8 Constructs13 of STIX
Atomic
Tactical
Operational
What threat activity are we seeing
What threats should I look for on my networks and systems and why
Where has this What weaknesses What can I threat been seen does it exploit do about it
Strategic
Who is responsible for this threat
Why do they do this
What do they do
Threats Seen
Cyber13 Threat Environment
bull Actors ndash NaMon States ndash Terrorists ndash Criminals ndash Insiders ndash AcMvistsHackMvists ndash Media13 ndash Vendors13
Seen Last Weekhellip Nuclear Exploit13 Kit13
Open VAS Scanning
AnglerNeutrino
PlugX
DDoS
Dridex13
UpatreDyre
13
xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
Malware-shy‐Exploit Kits Top Exploit13 Kits Seen
Blackhole EK ndash Paunch 1013 Infinity EK Flash player exploit13 Neutrino13 EK Mixes legiMmate non-shy‐legiMmate requests toobsfuscate the code Magnitude EK -shy‐ Ransomware Sweet Orange13 EK -shy‐ Website Fiesta EK -shy‐ Silverlight13 Angler EK hides behind legiMmate web code Crimeboss13 EK Java exploits
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors MalverMsing Watering Holes
Syrian Electronic13 Army
Media Vendor Spin Incidents
bull HeartBleed13 Open SSL bull Hedge Fund ANack -shy‐ BAEbull Russians ANack Financial System13 bull Russians Hack 14 Billion Passwords -shy‐ Hold Security
Other13 Threats
bull Call Center ndash Phishing bull Mobile bull Social Media ndash Sony ExecuMve on American Airlines bull Industrial Control Systems -shy‐ Havex bull Espionage ndash VirusTotal tesMng for malware
Case Studies
DDoS ndash DD4BC
Since April 2015 bullSubject Line bullFrom From DD4BC Team ltd4bct[AT]gmail[]comgt bullSubject DDOS ATTACK
Size 500 Mbps to 50 Gbps Duration Up to 1 hour Ransom Demand 25-40 BTC
UnitedNYSE
NYSE July 8 2015 1132am 1145am chatter Noon definitive word
UNITED 826 am Reservation System
United13 Parcel13 Service
bull USSS NCCIC FS-shy‐ISAC ndashCollaborate to releasemalware analysis and risk miMgaMon recommendaMons
bull Shared with Retailers AssociaKon
bull UPS Detected13 and used13 to miKgate Malware
QuesKons
ISACs bull Oil and Natural Gas ISAC (ONG)
bull Surface TransportaMon
bull Water ISAC
bull Over the Road ampMotor Coach ISAC
bull Public Transit13 ISAC
bull Real Estate ISAC
bull Research and EducaMon ISAC
bull Retail ISAC
bull Supply Chain ISAC
ISAC
Other13 OperaKonal EnKKes13 and Upcoming ISACs
bull AutomoKve
bull Chemical bull Food amp Ag
bull Nuclear bull CriMcal Manufacturing
What is the National Council of ISACs
NaKonal Council of ISACs
Began meeMng in 2003 to address common concerns and cross-shy‐sector interdependencies
Volunteer group of ISACs who meet13 monthly todevelop trusted working relaMonships among sectors on issues of common interest13 and work oniniMaMves of value to CIKR13
NCI13 Structure NaMonal Council of ISACs four designated operaMonalrepresentaMves from each ISAC sit13 on the Council
ISAC Plus all other enMMesrepresentaMves such asoperaMons centers who parMcipate in informaMon sharing
Leadership Chair Denise Anderson-shy‐FS-shy‐ISAC Vice-shy‐Chair ScoO Algeier-shy‐IT-shy‐ISAC Secretary Josh Poster-shy‐ST-shy‐ISAC
Information Sources Communications
Best Practice Sharing -
Joint Statements -White Papers
Monthly Meetings
Daily amp Weekly ISAC
Calls
Briefings ENS Calls And Crisis
Calls
ListServ Trusted
Relationships ISAC Ops Centers
ISACs amp Other
Sectors
DHS amp Other Government Partners
Private Sector Liaison -NICC
Other Sources
(Hundreds)
PCIS
National Council of
ISACs
Examples of AcKviKes
ndash Increase involvement13 of sectors without13 ISACs ndash Daily Weekly Monthly and Crisis calls ndash Cross13 Sector13 InformaKon Sharing13 Portal ndash Private13 Sector13 Liaison with the13 NICC13 ndash DrillsExercises Such as NLEs Cyber Storm
bull OCFndash Implement13 Real-shy‐Time sector Threat13 Level
ReporMng Directorate
Points13 of13 Engagementbull NaMonal Infrastructure CoordinaMng Center (NICC) bull NaMonal Cybersecurity and CommunicaMons IntegraMon
Center (NCCIC) ndash DHS-shy‐led Unified OperaMons Watch ampWarning Center ndash Operates 24 hoursday 7 daysweek 365 days a year
bull Unified Command Group-shy‐composed of private and public sector representaMves ndash Meet13 monthly and during an incident13 as needed ndash Advise Assistant13 Secretary of CSampC on cybersecurity maOers provide subject13 maOer experMse and response as necessary during an incident13 that13 requires naMonal coordinaMon
wwwnationalcouncilofisacsorg nationalcouncilofisacsnatlisacsorg
InformaKon13 Sharing Valu e
Structur e
Trust
Information Sharing Traffic Light Protocol
curren Restricted to a defined group (eg only those present in ameeting) Information labeled RED should not be shared withanyone outside of the group
curren This information may be shared with FS-ISAC members
curren Information may be shared with FS-ISAC members andpartners (eg vendors MSSPs customers) Information in this category is not to be shared in public forums
curren This information may be shared freely and is subject to standard copyright rules
Types13 of13 InformaKon SharedCyber13 Threats VulnerabiliKes Incidents
uumlMalicious Sites uumlThreat13 Actors ObjecMves13
uumlThreat13 Indicators uumlTTPs Observables uumlCourses13 of AcMon13 uumlExploit13 Targets uumlDenial of Service AOacks
uumlMalicious Emails Phishing Spearphishing
uumlSogtwareVulnerabiliMes
uumlMalicious Sogtware uumlAnalysis and risk miMgaMon
uumlIncident13 response
Primary Ways13 InformaKon Is13 Shared
uumlPortalAlerts uumlListservers uumlAutomaMon
Sample of Sharing Thread
Received close to 500 so far and sMll coming in 90 made it13 through to employees before being blocked by perimeter asspam
SubjectImportant13 message from BANK Sender youraccountBANKmessagecom URL hxxpwww2webmasterradiofm FanPageProcssLogonhtml
0 hits last13 7days
Wersquove had about13 50 hits so far all arediscarded
TLP AMBER13 PROPRIETARY INFORMATION
BANK SubmiOed atakedown request13 for the phishing site
Sample of ISAC Sharing
Indicators of Compromise IP Address Subject Line MD5 TTP Malware
Ask a question Anyone else seeing What do you do in this situation How do you handlehelliphelliphelliphellip
Share a Best Practice Herersquos how wehelliphellip
Share a Mitigation Strategy Herersquos a script you can usehelliphellip We did thishelliphellip
TLP AMBER13 PROPRIETARY INFORMATION
A Common Language
sect Structured Threat Information Expression is a common language a way for all to speak the same
Trusted Automated eXchange of Indicator Information (TAXII)
sect The goal of TAXII is to facilitate the exchange of structured cyber threat information sect Designed to support existing sharing paradigms in a
more automated manner
sect TAXII is a set of specifications defining the network-level activity of the exchange sect Defines services and messages to exchange data sect Does NOT dictate HOW data is handled in the
back-end WHAT data is shared or WHO it is shared with
sect TAXII is NOT a sharing program sect TAXII is a protocol over which STIX can be
transported
What is13 Cyber13 Threat Intelligence8 Constructs13 of STIX
Atomic
Tactical
Operational
What threat activity are we seeing
What threats should I look for on my networks and systems and why
Where has this What weaknesses What can I threat been seen does it exploit do about it
Strategic
Who is responsible for this threat
Why do they do this
What do they do
Threats Seen
Cyber13 Threat Environment
bull Actors ndash NaMon States ndash Terrorists ndash Criminals ndash Insiders ndash AcMvistsHackMvists ndash Media13 ndash Vendors13
Seen Last Weekhellip Nuclear Exploit13 Kit13
Open VAS Scanning
AnglerNeutrino
PlugX
DDoS
Dridex13
UpatreDyre
13
xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
Malware-shy‐Exploit Kits Top Exploit13 Kits Seen
Blackhole EK ndash Paunch 1013 Infinity EK Flash player exploit13 Neutrino13 EK Mixes legiMmate non-shy‐legiMmate requests toobsfuscate the code Magnitude EK -shy‐ Ransomware Sweet Orange13 EK -shy‐ Website Fiesta EK -shy‐ Silverlight13 Angler EK hides behind legiMmate web code Crimeboss13 EK Java exploits
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors MalverMsing Watering Holes
Syrian Electronic13 Army
Media Vendor Spin Incidents
bull HeartBleed13 Open SSL bull Hedge Fund ANack -shy‐ BAEbull Russians ANack Financial System13 bull Russians Hack 14 Billion Passwords -shy‐ Hold Security
Other13 Threats
bull Call Center ndash Phishing bull Mobile bull Social Media ndash Sony ExecuMve on American Airlines bull Industrial Control Systems -shy‐ Havex bull Espionage ndash VirusTotal tesMng for malware
Case Studies

DDoS: DD4BC
- Since April 2015
- From: DD4BC Team <d4bct[AT]gmail[.]com>
- Subject: DDOS ATTACK
- Size: 500 Mbps to 50 Gbps
- Duration: up to 1 hour
- Ransom demand: 25-40 BTC
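As an added example (not from the presentation), a small Python check that refangs indicators shared in the defanged form the slide uses (d4bct[AT]gmail[.]com) and matches inbound mail headers against them, so a member can spot the extortion note and share the sighting back; the refanging rules, the sample messages and the triage wording are constructed for this demonstration.

```python
"""Match inbound mail headers against ISAC-shared, defanged indicators.

Added example, not part of the presentation. The two indicator values are
the DD4BC extortion-mail sender and subject quoted on the slide; the
refanging rules and the sample messages are constructed for this demo.
"""
import email
import email.utils
import re
from email import policy

# Indicators as a sharing thread would carry them: defanged so a reader
# cannot accidentally click or auto-link them. Values are from the slide.
SHARED_INDICATORS = {
    "sender": "d4bct[AT]gmail[.]com",
    "subject": "DDOS ATTACK",
}

# Constructed sample messages (not real extortion notes).
SAMPLE_EXTORTION_MAIL = """\
From: DD4BC Team <d4bct@gmail.com>
To: noc@example.org
Subject: DDOS ATTACK

Constructed body; the real note is not reproduced here.
"""

SAMPLE_BENIGN_MAIL = """\
From: Helpdesk <helpdesk@example.org>
To: noc@example.org
Subject: Weekly change window

Constructed benign message.
"""


def refang(value: str) -> str:
    """Reverse the usual defanging conventions: [AT], [.], [dot], hxxp."""
    value = re.sub(r"\[at\]", "@", value, flags=re.IGNORECASE)
    value = re.sub(r"\[\.\]|\[dot\]", ".", value, flags=re.IGNORECASE)
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value


def match_indicators(raw_message: str, indicators=SHARED_INDICATORS) -> list:
    """Return the indicator names (sender, subject) that the message matches.

    Only headers are compared; the sender is the parsed address, not the
    display name, so a changed display name does not hide the match.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    _, sender = email.utils.parseaddr(str(msg.get("From", "")))
    if sender.lower() == refang(indicators["sender"]).lower():
        hits.append("sender")
    subject = str(msg.get("Subject", "")).strip()
    if subject.upper() == indicators["subject"].upper():
        hits.append("subject")
    return hits


def triage(raw_message: str) -> dict:
    """Turn the match into the action an ISAC member would take.

    A matching sender or subject is a sighting worth sharing back to the
    ISAC (the deck's TLP:AMBER threads) and escalating to the DDoS
    mitigation provider before the announced attack window.
    """
    hits = match_indicators(raw_message)
    if hits:
        action = ("escalate: notify DDoS mitigation provider, "
                  "share sighting with ISAC (TLP:AMBER)")
    else:
        action = "no match: handle as ordinary mail"
    return {"hits": hits, "action": action}


if __name__ == "__main__":
    for sample in (SAMPLE_EXTORTION_MAIL, SAMPLE_BENIGN_MAIL):
        print(triage(sample))
```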
United / NYSE
- NYSE, July 8, 2015: 11:32am; 11:45am chatter; noon definitive word
- United, 8:26am: reservation system

United Parcel Service
- USSS, NCCIC and FS-ISAC collaborate to release malware analysis and risk mitigation recommendations
- Shared with Retailers Association
- UPS detected and used to mitigate malware

Questions
NCI13 Structure NaMonal Council of ISACs four designated operaMonalrepresentaMves from each ISAC sit13 on the Council
ISAC Plus all other enMMesrepresentaMves such asoperaMons centers who parMcipate in informaMon sharing
Leadership Chair Denise Anderson-shy‐FS-shy‐ISAC Vice-shy‐Chair ScoO Algeier-shy‐IT-shy‐ISAC Secretary Josh Poster-shy‐ST-shy‐ISAC
Information Sources Communications
Best Practice Sharing -
Joint Statements -White Papers
Monthly Meetings
Daily amp Weekly ISAC
Calls
Briefings ENS Calls And Crisis
Calls
ListServ Trusted
Relationships ISAC Ops Centers
ISACs amp Other
Sectors
DHS amp Other Government Partners
Private Sector Liaison -NICC
Other Sources
(Hundreds)
PCIS
National Council of
ISACs
Examples of AcKviKes
ndash Increase involvement13 of sectors without13 ISACs ndash Daily Weekly Monthly and Crisis calls ndash Cross13 Sector13 InformaKon Sharing13 Portal ndash Private13 Sector13 Liaison with the13 NICC13 ndash DrillsExercises Such as NLEs Cyber Storm
bull OCFndash Implement13 Real-shy‐Time sector Threat13 Level
ReporMng Directorate
Points13 of13 Engagementbull NaMonal Infrastructure CoordinaMng Center (NICC) bull NaMonal Cybersecurity and CommunicaMons IntegraMon
Center (NCCIC) ndash DHS-shy‐led Unified OperaMons Watch ampWarning Center ndash Operates 24 hoursday 7 daysweek 365 days a year
bull Unified Command Group-shy‐composed of private and public sector representaMves ndash Meet13 monthly and during an incident13 as needed ndash Advise Assistant13 Secretary of CSampC on cybersecurity maOers provide subject13 maOer experMse and response as necessary during an incident13 that13 requires naMonal coordinaMon
wwwnationalcouncilofisacsorg nationalcouncilofisacsnatlisacsorg
InformaKon13 Sharing Valu e
Structur e
Trust
Information Sharing: Traffic Light Protocol (as used by FS-ISAC)
- TLP RED: Restricted to a defined group (e.g. only those present in a meeting). Information labeled RED should not be shared with anyone outside of the group.
- TLP AMBER: This information may be shared with FS-ISAC members.
- TLP GREEN: Information may be shared with FS-ISAC members and partners (e.g. vendors, MSSPs, customers). Information in this category is not to be shared in public forums.
- TLP WHITE: This information may be shared freely and is subject to standard copyright rules.
Types of Information Shared: Cyber Threats, Vulnerabilities, Incidents
- Malicious sites
- Threat actors and their objectives
- Threat indicators, TTPs, observables, courses of action, exploit targets
- Denial of service attacks
- Malicious emails: phishing, spearphishing
- Software vulnerabilities
- Malicious software
- Analysis and risk mitigation
- Incident response
Primary Ways Information Is Shared
- Portal alerts
- Listservers
- Automation
Sample of Sharing Thread (TLP AMBER, proprietary information; institution names redacted as BANK)
- "Received close to 500 so far and still coming in. 90 made it through to employees before being blocked by perimeter as spam."
- "Subject: Important message from BANK. Sender: youraccount@BANKmessage.com. URL: hxxp://www2.webmasterradio.fm/FanPage/Procss/Logon.html"
- "0 hits last 7 days."
- "We've had about 50 hits so far, all are discarded."
- "BANK: Submitted a takedown request for the phishing site."
Sample of ISAC Sharing
- Indicators of compromise: IP address, subject line, MD5, TTP, malware
- Ask a question: "Anyone else seeing ...?" "What do you do in this situation?" "How do you handle ...?"
- Share a best practice: "Here's how we ..."
- Share a mitigation strategy: "Here's a script you can use ..." "We did this ..."
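The thread above is what an indicator looks like when it arrives: a sender, a subject line and a defanged URL, posted under TLP AMBER, with members replying with hit counts from their own gateways. The following is an added example (not code from the presentation or from any ISAC) of the two things a recipient does with it: check the indicators against local mail-gateway logs and report back the same counts the members post, and check the TLP label before forwarding the indicator to anyone outside the membership. The log lines and their key=value format are constructed for the demonstration; the sender address and URL are the ones quoted in the thread, reassembled from the extracted text.

```python
"""Check shared phishing indicators against local mail-gateway logs.

Added example, not code from the presentation. The log lines and their
key=value format are constructed for this demonstration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators as posted to the list. URLs and addresses arrive defanged
# (hxxp, [.], [AT]) so that nobody clicks them by accident.
SHARED_IOCS = {
    "sender": "youraccount@BANKmessage.com",
    "subject": "Important message from BANK",
    "url": "hxxp://www2.webmasterradio.fm/FanPage/Procss/Logon.html",
}

# Who may receive information at each TLP level, as the FS-ISAC slide defines
# it (FIRST's current TLP 2.0 definitions differ for the AMBER/GREEN audiences).
TLP_AUDIENCE = {
    "RED": {"meeting"},
    "AMBER": {"meeting", "member"},
    "GREEN": {"meeting", "member", "partner"},
    "WHITE": {"meeting", "member", "partner", "public"},
}


def may_share(tlp: str, recipient: str) -> bool:
    """True if a recipient class (meeting, member, partner, public) may see it."""
    try:
        return recipient in TLP_AUDIENCE[tlp.upper()]
    except KeyError:
        raise ValueError(f"unknown TLP level: {tlp}") from None


def refang(value: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    return value.replace("hxxp", "http", 1).replace("[.]", ".").replace("[AT]", "@")


def defang(value: str) -> str:
    """Defang before re-sharing so the indicator is not clickable in mail clients."""
    return re.sub(r"^http", "hxxp", value).replace(".", "[.]").replace("@", "[AT]")


# Constructed gateway log format: space-separated key=value pairs, quoted values.
LOG_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    return {key: quoted or bare for key, quoted, bare in LOG_FIELD.findall(line)}


def same_url(a: str, b: str) -> bool:
    """Host compares case-insensitively, path does not; scheme is ignored
    because the same kit is served over http and https."""
    ua, ub = urlsplit(a), urlsplit(b)
    return ua.netloc.lower() == ub.netloc.lower() and ua.path == ub.path


@dataclass
class Hit:
    ts: str
    action: str
    matched_on: tuple


def match_iocs(lines, iocs=SHARED_IOCS):
    """Return one Hit per log line that matches any shared indicator."""
    want_url = refang(iocs["url"])
    hits = []
    for line in lines:
        f = parse_line(line)
        reasons = []
        if f.get("from", "").lower() == iocs["sender"].lower():
            reasons.append("sender")
        if f.get("subject") == iocs["subject"]:
            reasons.append("subject")
        if "url" in f and same_url(f["url"], want_url):
            reasons.append("url")
        if reasons:
            hits.append(Hit(f.get("ts", ""), f.get("action", ""), tuple(reasons)))
    return hits


def summarize(hits):
    """The numbers members post back: total hits and how many reached users."""
    by_action = Counter(h.action for h in hits)
    return {"hits": len(hits), "delivered": by_action["deliver"],
            "blocked": by_action["quarantine"] + by_action["reject"]}


# Constructed sample: two lures (one delivered before the block went in), one
# unrelated newsletter, and one variant that reuses only the landing page.
SAMPLE_LOG = """\
ts=2015-07-08T08:26:11Z action=deliver from=youraccount@BANKmessage.com to=alice@example.org subject="Important message from BANK" url=http://www2.webmasterradio.fm/FanPage/Procss/Logon.html
ts=2015-07-08T08:27:03Z action=quarantine from=youraccount@BANKmessage.com to=bob@example.org subject="Important message from BANK" url=http://www2.webmasterradio.fm/FanPage/Procss/Logon.html
ts=2015-07-08T08:30:45Z action=deliver from=news@vendor.example to=carol@example.org subject="Weekly digest" url=http://vendor.example/digest
ts=2015-07-08T09:02:19Z action=reject from=billing@other.example to=dave@example.org subject="Invoice" url=https://WWW2.WEBMASTERRADIO.FM/FanPage/Procss/Logon.html
""".splitlines()
```

Running `summarize(match_iocs(SAMPLE_LOG))` on the constructed log gives 3 hits, 1 delivered and 2 blocked, which is the shape of the replies in the thread. The fourth line matches on the URL alone, which is why the URL is the indicator worth keeping even after the sender and subject change. Because the thread is TLP AMBER, `may_share("AMBER", "partner")` is false: act on the indicator internally, but do not hand the thread to an MSSP or vendor without the originator's consent.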
A Common Language
- Structured Threat Information Expression (STIX) is a common language: a way for everyone to describe threat information the same way.
Trusted Automated eXchange of Indicator Information (TAXII)
- The goal of TAXII is to facilitate the exchange of structured cyber threat information.
- Designed to support existing sharing paradigms in a more automated manner.
- TAXII is a set of specifications defining the network-level activity of the exchange; it defines the services and messages used to exchange data.
- It does NOT dictate HOW data is handled in the back end, WHAT data is shared, or WHO it is shared with.
- TAXII is NOT a sharing program; TAXII is a protocol over which STIX can be transported.
What is Cyber Threat Intelligence? The 8 Constructs of STIX
Levels of intelligence, from atomic to strategic: Atomic, Tactical, Operational, Strategic. The questions the constructs answer:
- What threat activity are we seeing?
- What threats should I look for on my networks and systems, and why?
- Where has this threat been seen?
- What weaknesses does it exploit?
- What can I do about it?
- Who is responsible for this threat?
- Why do they do this?
- What do they do?
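The STIX and TAXII slides above make one point worth seeing in code: STIX is the payload (the indicator, its pattern and its handling marking), TAXII is only the transport. The block below is an added example, not code from the presentation or from the OASIS projects. STIX 1.x (XML, with the eight constructs Observable, Indicator, Incident, TTP, Exploit Target, Course of Action, Campaign and Threat Actor) was current when the deck was given; this example uses today's STIX 2.1 JSON and TAXII 2.1 envelope, written with the standard library only so it runs without the `stix2` package. The TLP marking-definition identifiers are the fixed ones from the STIX 2.1 specification; the indicator values are constructed from the sharing thread.

```python
"""Package a shared indicator as a STIX 2.1 bundle and a TAXII 2.1 envelope.

Added example, not code from the presentation. Standard library only.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# TLP marking-definition ids fixed by the STIX 2.1 specification (section 7.2.1.4)
TLP_MARKINGS = {
    "WHITE": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "GREEN": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "AMBER": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "RED": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}

# <type>--<uuid>: identifiers are what relationships and TAXII queries key on
STIX_ID_RE = re.compile(r"^[a-z][a-z0-9-]+--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def stix_timestamp(dt: datetime) -> str:
    """STIX wants UTC, RFC 3339, millisecond precision, trailing Z."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def _quote(value: str) -> str:
    """Escape a value for the STIX pattern grammar (single-quoted strings)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def indicator_pattern(url=None, email_from=None, md5=None) -> str:
    """One observation expression per observable, ORed: any one of them is a hit."""
    parts = []
    if url:
        parts.append(f"[url:value = {_quote(url)}]")
    if email_from:
        parts.append(f"[email-message:from_ref.value = {_quote(email_from)}]")
    if md5:
        parts.append(f"[file:hashes.MD5 = {_quote(md5.lower())}]")
    if not parts:
        raise ValueError("at least one observable is required")
    return " OR ".join(parts)


def make_indicator(name, pattern, tlp, created, created_by=None) -> dict:
    """Build an Indicator SDO; the TLP label travels with the object itself."""
    tlp = tlp.upper()
    if tlp not in TLP_MARKINGS:
        raise ValueError(f"unknown TLP level: {tlp}")
    ts = stix_timestamp(created)
    obj = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
        "object_marking_refs": [TLP_MARKINGS[tlp]],
    }
    if created_by:
        obj["created_by_ref"] = created_by   # identity--... of the sharing org
    return obj


def make_bundle(*objects) -> dict:
    for obj in objects:
        if not STIX_ID_RE.match(obj["id"]):
            raise ValueError(f"malformed STIX id: {obj['id']}")
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def taxii_envelope(bundle: dict):
    """TAXII 2.1 carries STIX objects in an envelope POSTed to
    /collections/{id}/objects/ with this media type. It says nothing about
    what the receiver does with them, which is the slide's point."""
    headers = {"Content-Type": "application/taxii+json;version=2.1",
               "Accept": "application/taxii+json;version=2.1"}
    return headers, json.dumps({"objects": bundle["objects"]})


# Constructed sample reusing the lure from the sharing thread (assumed values)
SAMPLE_CREATED = datetime(2015, 7, 8, 8, 26, 11, tzinfo=timezone.utc)


def build_sample_bundle() -> dict:
    pattern = indicator_pattern(
        url="http://www2.webmasterradio.fm/FanPage/Procss/Logon.html",
        email_from="youraccount@BANKmessage.com",
    )
    ind = make_indicator("BANK-themed phishing lure", pattern, "amber", SAMPLE_CREATED)
    return make_bundle(ind)
```

`build_sample_bundle()` produces one Indicator whose pattern ORs the landing-page URL and the sender address, marked TLP:AMBER through `object_marking_refs`; `taxii_envelope` wraps it for a TAXII 2.1 collection push. The marking is the detail that matters for the sharing rules in the earlier slides: a receiving system that strips or ignores `object_marking_refs` silently converts AMBER information into something it will later treat as shareable.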
Threats Seen
Cyber Threat Environment
- Actors: nation states, terrorists, criminals, insiders, activists/hacktivists, media, vendors
Seen Last Week...
- Nuclear Exploit Kit
- OpenVAS scanning
- Angler/Neutrino
- PlugX
- DDoS
- Dridex
- Upatre/Dyre
Malware – Exploit Kits: Top Exploit Kits Seen
- Blackhole EK: author "Paunch" arrested 10/13
- Infinity EK: Flash Player exploit
- Neutrino EK: mixes legitimate and non-legitimate requests to obfuscate the code
- Magnitude EK: ransomware
- Sweet Orange EK: website
- Fiesta EK: Silverlight
- Angler EK: hides behind legitimate web code
- Crimeboss EK: Java exploits
Ransomware
- CryptoLocker, CryptoWall, CryptoDefense, TorrentLocker, Darkleech
- Top infections: US, AU, Canada, UK, India; also saw a Singapore trend
Delivery Mechanisms: Phishing/Spearphishing
- Lure themes: court notice; invoice/statement; shipping (DHL, FedEx, UPS); EZ Pass; bank phish – SWIFT transfer; DHgate invoice; eFax; Salesforce; reward themes; airline – Delta; WhatsApp – "You've got a voicemail"
Malware – Banking Trojans: Top Trojans Seen
- Citadel, Kronos, Kuluoz (Asprox), Carberp, Zeus, Zberp (hybrid), Gameover Zeus (GOZ) – P2P (arj) 9/14, Cridex – Bugat/Feodo/Dridex, Dyre, Shylock – July 2014 takedown
Dyre Spreads Like a Global Virus...
- June 2014: UK, US
- September 2014: Salesforce.com attacked
- October 2014: Romania, Germany and Switzerland
- November 2014: over 100 firms targeted
- December 2014: Australia and China
Delivery Mechanisms: Drive-by Downloads and Watering Holes
- Forbes.com, Energystar.com, AusPost-tracking.com, VA.gov, NBC.com – Citadel, 2013
Vulnerability Scanning
- Port scans – open ports
- Vulnerability scans – WordPress, Joomla, Java, Flash, OpenSSL
- Infrastructure
Vulnerabilities
- OpenSSL/Heartbleed: old vulnerability; a missing bounds check in the TLS heartbeat extension lets a peer read more data than allowed (up to 64 KB of the process's memory per request, which can include private keys and session data); a website/server vulnerability, yet banks took the rap unfairly
- GNU Bash/Shellshock: old vulnerability (the bug dates back to 1989); affects Unix-based systems including Linux and Apple Mac OS X; went public Wednesday 9/24/2014; exploits and scanning were seen almost immediately
Breaches
- POS malware: ChewBacca, Dexter, BlackPOS, Backoff
- Target: 70 million – 2013
- OPM: 21.5 million
- Premera BCBS: 11.2 million
- Community Health Systems: 4.5 million
- Anthem BCBS: 80 million
- Sony, Hacking Team
2015 Breaches Identified by the ITRC as of 8/11/2015
- Total breaches: approx. 5,500
- Total records exposed: 818,004,561
- Source: Identity Theft Resource Center
DDoS
- Sony PlayStation – Lizard Squad; Operation Ababil; Las Vegas – gaming industry; Israel; DD4BC; World Cup
Q1 2015 Compared to Q4 2014 (Akamai)
- 15% decrease in average attack time
- 35% increase in total DDoS attacks
- 42% increase in SSDP DDoS attacks (routers)
- 22% increase in application-layer DDoS attacks
- 7% decrease in average attack bandwidth (170 Gbps)
- 37% increase in infrastructure-layer DDoS attacks
Wiper Malware
- Shamoon – 2012: attack on 30,000 Saudi Aramco workstations; corrupts files and wipes devices
- South Korean attacks – 2013: two banks, a media company and an insurance company; patch systems targeted and used to infect; wiped Windows, Linux and UNIX OS
- Las Vegas casino – 2014: wiped and destroyed files with a VB bomb
- Sony – 2014: SMB worm tool with listening implant, backdoor, proxy tool, destructive hard drive tool, destructive targeted cleaning tool and network propagation wiper; financial data destroyed, financial system still inoperable – asked for a delay in filing
The Media and Vendors
- Malvertising, watering holes, Syrian Electronic Army
Media/Vendor Spin Incidents
- Heartbleed/OpenSSL
- Hedge fund attack – BAE
- "Russians attack financial system"
- "Russians hack 1.2 billion passwords" – Hold Security
Other Threats
- Call center – phishing
- Mobile
- Social media – Sony executive on American Airlines
- Industrial control systems – Havex
- Espionage – VirusTotal testing for malware
Case Studies
DDoS – DD4BC
- Since April 2015
- From: DD4BC Team <d4bct[AT]gmail[.]com>
- Subject: DDOS ATTACK
- Size: 500 Mbps to 50 Gbps; duration: up to 1 hour; ransom demand: 25-40 BTC
United/NYSE
- NYSE, July 8, 2015: 11:32 am; 11:45 am chatter; noon definitive word
- United, 8:26 am: reservation system
United Parcel Service
- USSS, NCCIC and FS-ISAC collaborated to release malware analysis and risk mitigation recommendations
- Shared with the Retailers Association
- UPS detected the malware and used the shared analysis to mitigate it
Questions
Information Sources Communications
Best Practice Sharing -
Joint Statements -White Papers
Monthly Meetings
Daily amp Weekly ISAC
Calls
Briefings ENS Calls And Crisis
Calls
ListServ Trusted
Relationships ISAC Ops Centers
ISACs amp Other
Sectors
DHS amp Other Government Partners
Private Sector Liaison -NICC
Other Sources
(Hundreds)
PCIS
National Council of
ISACs
Examples of AcKviKes
ndash Increase involvement13 of sectors without13 ISACs ndash Daily Weekly Monthly and Crisis calls ndash Cross13 Sector13 InformaKon Sharing13 Portal ndash Private13 Sector13 Liaison with the13 NICC13 ndash DrillsExercises Such as NLEs Cyber Storm
bull OCFndash Implement13 Real-shy‐Time sector Threat13 Level
ReporMng Directorate
Points13 of13 Engagementbull NaMonal Infrastructure CoordinaMng Center (NICC) bull NaMonal Cybersecurity and CommunicaMons IntegraMon
Center (NCCIC) ndash DHS-shy‐led Unified OperaMons Watch ampWarning Center ndash Operates 24 hoursday 7 daysweek 365 days a year
bull Unified Command Group-shy‐composed of private and public sector representaMves ndash Meet13 monthly and during an incident13 as needed ndash Advise Assistant13 Secretary of CSampC on cybersecurity maOers provide subject13 maOer experMse and response as necessary during an incident13 that13 requires naMonal coordinaMon
wwwnationalcouncilofisacsorg nationalcouncilofisacsnatlisacsorg
InformaKon13 Sharing Valu e
Structur e
Trust
Information Sharing Traffic Light Protocol
curren Restricted to a defined group (eg only those present in ameeting) Information labeled RED should not be shared withanyone outside of the group
curren This information may be shared with FS-ISAC members
curren Information may be shared with FS-ISAC members andpartners (eg vendors MSSPs customers) Information in this category is not to be shared in public forums
curren This information may be shared freely and is subject to standard copyright rules
Types13 of13 InformaKon SharedCyber13 Threats VulnerabiliKes Incidents
uumlMalicious Sites uumlThreat13 Actors ObjecMves13
uumlThreat13 Indicators uumlTTPs Observables uumlCourses13 of AcMon13 uumlExploit13 Targets uumlDenial of Service AOacks
uumlMalicious Emails Phishing Spearphishing
uumlSogtwareVulnerabiliMes
uumlMalicious Sogtware uumlAnalysis and risk miMgaMon
uumlIncident13 response
Primary Ways13 InformaKon Is13 Shared
uumlPortalAlerts uumlListservers uumlAutomaMon
Sample of Sharing Thread
Received close to 500 so far and sMll coming in 90 made it13 through to employees before being blocked by perimeter asspam
SubjectImportant13 message from BANK Sender youraccountBANKmessagecom URL hxxpwww2webmasterradiofm FanPageProcssLogonhtml
0 hits last13 7days
Wersquove had about13 50 hits so far all arediscarded
TLP AMBER13 PROPRIETARY INFORMATION
BANK SubmiOed atakedown request13 for the phishing site
Sample of ISAC Sharing
Indicators of Compromise IP Address Subject Line MD5 TTP Malware
Ask a question Anyone else seeing What do you do in this situation How do you handlehelliphelliphelliphellip
Share a Best Practice Herersquos how wehelliphellip
Share a Mitigation Strategy Herersquos a script you can usehelliphellip We did thishelliphellip
TLP AMBER13 PROPRIETARY INFORMATION
A Common Language
sect Structured Threat Information Expression is a common language a way for all to speak the same
Trusted Automated eXchange of Indicator Information (TAXII)
sect The goal of TAXII is to facilitate the exchange of structured cyber threat information sect Designed to support existing sharing paradigms in a
more automated manner
sect TAXII is a set of specifications defining the network-level activity of the exchange sect Defines services and messages to exchange data sect Does NOT dictate HOW data is handled in the
back-end WHAT data is shared or WHO it is shared with
sect TAXII is NOT a sharing program sect TAXII is a protocol over which STIX can be
transported
What is13 Cyber13 Threat Intelligence8 Constructs13 of STIX
Atomic
Tactical
Operational
What threat activity are we seeing
What threats should I look for on my networks and systems and why
Where has this What weaknesses What can I threat been seen does it exploit do about it
Strategic
Who is responsible for this threat
Why do they do this
What do they do
Threats Seen
Cyber13 Threat Environment
bull Actors ndash NaMon States ndash Terrorists ndash Criminals ndash Insiders ndash AcMvistsHackMvists ndash Media13 ndash Vendors13
Seen Last Weekhellip Nuclear Exploit13 Kit13
Open VAS Scanning
AnglerNeutrino
PlugX
DDoS
Dridex13
UpatreDyre
13
xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
Malware-shy‐Exploit Kits Top Exploit13 Kits Seen
Blackhole EK ndash Paunch 1013 Infinity EK Flash player exploit13 Neutrino13 EK Mixes legiMmate non-shy‐legiMmate requests toobsfuscate the code Magnitude EK -shy‐ Ransomware Sweet Orange13 EK -shy‐ Website Fiesta EK -shy‐ Silverlight13 Angler EK hides behind legiMmate web code Crimeboss13 EK Java exploits
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors MalverMsing Watering Holes
Syrian Electronic13 Army
Media Vendor Spin Incidents
bull HeartBleed13 Open SSL bull Hedge Fund ANack -shy‐ BAEbull Russians ANack Financial System13 bull Russians Hack 14 Billion Passwords -shy‐ Hold Security
Other13 Threats
bull Call Center ndash Phishing bull Mobile bull Social Media ndash Sony ExecuMve on American Airlines bull Industrial Control Systems -shy‐ Havex bull Espionage ndash VirusTotal tesMng for malware
Case Studies
DDoS ndash DD4BC
Since April 2015 bullSubject Line bullFrom From DD4BC Team ltd4bct[AT]gmail[]comgt bullSubject DDOS ATTACK
Size 500 Mbps to 50 Gbps Duration Up to 1 hour Ransom Demand 25-40 BTC
UnitedNYSE
NYSE July 8 2015 1132am 1145am chatter Noon definitive word
UNITED 826 am Reservation System
United13 Parcel13 Service
bull USSS NCCIC FS-shy‐ISAC ndashCollaborate to releasemalware analysis and risk miMgaMon recommendaMons
bull Shared with Retailers AssociaKon
bull UPS Detected13 and used13 to miKgate Malware
QuesKons
Examples of AcKviKes
ndash Increase involvement13 of sectors without13 ISACs ndash Daily Weekly Monthly and Crisis calls ndash Cross13 Sector13 InformaKon Sharing13 Portal ndash Private13 Sector13 Liaison with the13 NICC13 ndash DrillsExercises Such as NLEs Cyber Storm
bull OCFndash Implement13 Real-shy‐Time sector Threat13 Level
ReporMng Directorate
Points13 of13 Engagementbull NaMonal Infrastructure CoordinaMng Center (NICC) bull NaMonal Cybersecurity and CommunicaMons IntegraMon
Center (NCCIC) ndash DHS-shy‐led Unified OperaMons Watch ampWarning Center ndash Operates 24 hoursday 7 daysweek 365 days a year
bull Unified Command Group-shy‐composed of private and public sector representaMves ndash Meet13 monthly and during an incident13 as needed ndash Advise Assistant13 Secretary of CSampC on cybersecurity maOers provide subject13 maOer experMse and response as necessary during an incident13 that13 requires naMonal coordinaMon
wwwnationalcouncilofisacsorg nationalcouncilofisacsnatlisacsorg
InformaKon13 Sharing Valu e
Structur e
Trust
Information Sharing Traffic Light Protocol
curren Restricted to a defined group (eg only those present in ameeting) Information labeled RED should not be shared withanyone outside of the group
curren This information may be shared with FS-ISAC members
curren Information may be shared with FS-ISAC members andpartners (eg vendors MSSPs customers) Information in this category is not to be shared in public forums
curren This information may be shared freely and is subject to standard copyright rules
Types13 of13 InformaKon SharedCyber13 Threats VulnerabiliKes Incidents
uumlMalicious Sites uumlThreat13 Actors ObjecMves13
uumlThreat13 Indicators uumlTTPs Observables uumlCourses13 of AcMon13 uumlExploit13 Targets uumlDenial of Service AOacks
uumlMalicious Emails Phishing Spearphishing
uumlSogtwareVulnerabiliMes
uumlMalicious Sogtware uumlAnalysis and risk miMgaMon
uumlIncident13 response
Primary Ways13 InformaKon Is13 Shared
uumlPortalAlerts uumlListservers uumlAutomaMon
Sample of Sharing Thread
Received close to 500 so far and sMll coming in 90 made it13 through to employees before being blocked by perimeter asspam
SubjectImportant13 message from BANK Sender youraccountBANKmessagecom URL hxxpwww2webmasterradiofm FanPageProcssLogonhtml
0 hits last13 7days
Wersquove had about13 50 hits so far all arediscarded
TLP AMBER13 PROPRIETARY INFORMATION
BANK SubmiOed atakedown request13 for the phishing site
Sample of ISAC Sharing
Indicators of Compromise IP Address Subject Line MD5 TTP Malware
Ask a question Anyone else seeing What do you do in this situation How do you handlehelliphelliphelliphellip
Share a Best Practice Herersquos how wehelliphellip
Share a Mitigation Strategy Herersquos a script you can usehelliphellip We did thishelliphellip
TLP AMBER13 PROPRIETARY INFORMATION
A Common Language
sect Structured Threat Information Expression is a common language a way for all to speak the same
Trusted Automated eXchange of Indicator Information (TAXII)
sect The goal of TAXII is to facilitate the exchange of structured cyber threat information sect Designed to support existing sharing paradigms in a
more automated manner
sect TAXII is a set of specifications defining the network-level activity of the exchange sect Defines services and messages to exchange data sect Does NOT dictate HOW data is handled in the
back-end WHAT data is shared or WHO it is shared with
sect TAXII is NOT a sharing program sect TAXII is a protocol over which STIX can be
transported
What is13 Cyber13 Threat Intelligence8 Constructs13 of STIX
Atomic
Tactical
Operational
What threat activity are we seeing
What threats should I look for on my networks and systems and why
Where has this What weaknesses What can I threat been seen does it exploit do about it
Strategic
Who is responsible for this threat
Why do they do this
What do they do
Threats Seen
Cyber13 Threat Environment
bull Actors ndash NaMon States ndash Terrorists ndash Criminals ndash Insiders ndash AcMvistsHackMvists ndash Media13 ndash Vendors13
Seen Last Weekhellip Nuclear Exploit13 Kit13
Open VAS Scanning
AnglerNeutrino
PlugX
DDoS
Dridex13
UpatreDyre
13
xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
Malware-shy‐Exploit Kits Top Exploit13 Kits Seen
Blackhole EK ndash Paunch 1013 Infinity EK Flash player exploit13 Neutrino13 EK Mixes legiMmate non-shy‐legiMmate requests toobsfuscate the code Magnitude EK -shy‐ Ransomware Sweet Orange13 EK -shy‐ Website Fiesta EK -shy‐ Silverlight13 Angler EK hides behind legiMmate web code Crimeboss13 EK Java exploits
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors MalverMsing Watering Holes
Syrian Electronic13 Army
Media Vendor Spin Incidents
bull HeartBleed13 Open SSL bull Hedge Fund ANack -shy‐ BAEbull Russians ANack Financial System13 bull Russians Hack 14 Billion Passwords -shy‐ Hold Security
Other13 Threats
bull Call Center ndash Phishing bull Mobile bull Social Media ndash Sony ExecuMve on American Airlines bull Industrial Control Systems -shy‐ Havex bull Espionage ndash VirusTotal tesMng for malware
Case Studies
DDoS ndash DD4BC
Since April 2015 bullSubject Line bullFrom From DD4BC Team ltd4bct[AT]gmail[]comgt bullSubject DDOS ATTACK
Size 500 Mbps to 50 Gbps Duration Up to 1 hour Ransom Demand 25-40 BTC
UnitedNYSE
NYSE July 8 2015 1132am 1145am chatter Noon definitive word
UNITED 826 am Reservation System
United13 Parcel13 Service
bull USSS NCCIC FS-shy‐ISAC ndashCollaborate to releasemalware analysis and risk miMgaMon recommendaMons
bull Shared with Retailers AssociaKon
bull UPS Detected13 and used13 to miKgate Malware
QuesKons
Points13 of13 Engagementbull NaMonal Infrastructure CoordinaMng Center (NICC) bull NaMonal Cybersecurity and CommunicaMons IntegraMon
Center (NCCIC) ndash DHS-shy‐led Unified OperaMons Watch ampWarning Center ndash Operates 24 hoursday 7 daysweek 365 days a year
bull Unified Command Group-shy‐composed of private and public sector representaMves ndash Meet13 monthly and during an incident13 as needed ndash Advise Assistant13 Secretary of CSampC on cybersecurity maOers provide subject13 maOer experMse and response as necessary during an incident13 that13 requires naMonal coordinaMon
wwwnationalcouncilofisacsorg nationalcouncilofisacsnatlisacsorg
InformaKon13 Sharing Valu e
Structur e
Trust
Information Sharing Traffic Light Protocol
curren Restricted to a defined group (eg only those present in ameeting) Information labeled RED should not be shared withanyone outside of the group
curren This information may be shared with FS-ISAC members
curren Information may be shared with FS-ISAC members andpartners (eg vendors MSSPs customers) Information in this category is not to be shared in public forums
curren This information may be shared freely and is subject to standard copyright rules
Types13 of13 InformaKon SharedCyber13 Threats VulnerabiliKes Incidents
uumlMalicious Sites uumlThreat13 Actors ObjecMves13
uumlThreat13 Indicators uumlTTPs Observables uumlCourses13 of AcMon13 uumlExploit13 Targets uumlDenial of Service AOacks
uumlMalicious Emails Phishing Spearphishing
uumlSogtwareVulnerabiliMes
uumlMalicious Sogtware uumlAnalysis and risk miMgaMon
uumlIncident13 response
Primary Ways13 InformaKon Is13 Shared
uumlPortalAlerts uumlListservers uumlAutomaMon
Sample of Sharing Thread
Received close to 500 so far and sMll coming in 90 made it13 through to employees before being blocked by perimeter asspam
SubjectImportant13 message from BANK Sender youraccountBANKmessagecom URL hxxpwww2webmasterradiofm FanPageProcssLogonhtml
0 hits last13 7days
Wersquove had about13 50 hits so far all arediscarded
TLP AMBER13 PROPRIETARY INFORMATION
BANK SubmiOed atakedown request13 for the phishing site
Sample of ISAC Sharing
Indicators of Compromise IP Address Subject Line MD5 TTP Malware
Ask a question Anyone else seeing What do you do in this situation How do you handlehelliphelliphelliphellip
Share a Best Practice Herersquos how wehelliphellip
Share a Mitigation Strategy Herersquos a script you can usehelliphellip We did thishelliphellip
TLP AMBER13 PROPRIETARY INFORMATION
A Common Language
sect Structured Threat Information Expression is a common language a way for all to speak the same
Trusted Automated eXchange of Indicator Information (TAXII)
sect The goal of TAXII is to facilitate the exchange of structured cyber threat information sect Designed to support existing sharing paradigms in a
more automated manner
sect TAXII is a set of specifications defining the network-level activity of the exchange sect Defines services and messages to exchange data sect Does NOT dictate HOW data is handled in the
back-end WHAT data is shared or WHO it is shared with
sect TAXII is NOT a sharing program sect TAXII is a protocol over which STIX can be
transported
What is13 Cyber13 Threat Intelligence8 Constructs13 of STIX
Atomic
Tactical
Operational
What threat activity are we seeing
What threats should I look for on my networks and systems and why
Where has this What weaknesses What can I threat been seen does it exploit do about it
Strategic
Who is responsible for this threat
Why do they do this
What do they do
Threats Seen
Cyber13 Threat Environment
bull Actors ndash NaMon States ndash Terrorists ndash Criminals ndash Insiders ndash AcMvistsHackMvists ndash Media13 ndash Vendors13
Seen Last Weekhellip Nuclear Exploit13 Kit13
Open VAS Scanning
AnglerNeutrino
PlugX
DDoS
Dridex13
UpatreDyre
13
xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
Malware-shy‐Exploit Kits Top Exploit13 Kits Seen
Blackhole EK ndash Paunch 1013 Infinity EK Flash player exploit13 Neutrino13 EK Mixes legiMmate non-shy‐legiMmate requests toobsfuscate the code Magnitude EK -shy‐ Ransomware Sweet Orange13 EK -shy‐ Website Fiesta EK -shy‐ Silverlight13 Angler EK hides behind legiMmate web code Crimeboss13 EK Java exploits
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware

- Shamoon (2012)
  - Attack on 30,000 Saudi Aramco workstations
  - Corrupts files and wipes devices
- South Korean attacks (2013)
  - 2 banks, a media company and an insurance company
  - Patch systems targeted and used to infect
  - Wiped Windows, Linux and UNIX OS
- Las Vegas casino (2014)
  - Wiped and destroyed files with a VB bomb
- Sony (2014)
  - SMB worm tool: listening implant, backdoor, proxy tool, destructive hard drive tool, destructive targeted cleaning tool, network propagation wiper
  - Financial data destroyed; financial system still inoperable (asks for delay in filing)
The Media and Vendors

- Malvertising
- Watering holes
- Syrian Electronic Army

Media / Vendor Spin Incidents

- Heartbleed / OpenSSL
- Hedge fund attack (BAE)
- Russians attack financial system
- Russians hack 1.4 billion passwords (Hold Security)

Other Threats

- Call center: phishing
- Mobile
- Social media: Sony executive on American Airlines
- Industrial control systems: Havex
- Espionage: VirusTotal testing for malware
Case Studies

DDoS: DD4BC

- Since April 2015
- From: "DD4BC Team" <d4bct[AT]gmail[.]com>
- Subject: DDOS ATTACK
- Size: 500 Mbps to 50 Gbps
- Duration: up to 1 hour
- Ransom demand: 25-40 BTC

United / NYSE

- NYSE, July 8 2015: 11:32am; 11:45am chatter; noon definitive word
- United, 8:26 am: reservation system

United Parcel Service

- USSS, NCCIC and FS-ISAC collaborate to release malware analysis and risk mitigation recommendations
- Shared with Retailers Association
- UPS detected and used to mitigate malware

Questions?

www.nationalcouncilofisacs.org
nationalcouncilofisacs@natlisacs.org
Information Sharing: Value, Structure, Trust

Information Sharing: Traffic Light Protocol

- TLP RED: Restricted to a defined group (e.g. only those present in a meeting). Information labeled RED should not be shared with anyone outside of the group.
- TLP AMBER: This information may be shared with FS-ISAC members.
- TLP GREEN: Information may be shared with FS-ISAC members and partners (e.g. vendors, MSSPs, customers). Information in this category is not to be shared in public forums.
- TLP WHITE: This information may be shared freely and is subject to standard copyright rules.
Types of Information Shared: Cyber Threats, Vulnerabilities, Incidents

- Malicious sites
- Threat actors / objectives
- Threat indicators
- TTPs / observables
- Courses of action
- Exploit targets
- Denial of service attacks
- Malicious emails: phishing, spearphishing
- Software vulnerabilities
- Malicious software
- Analysis and risk mitigation
- Incident response

Primary Ways Information Is Shared

- Portal / alerts
- Listservers
- Automation
Sample of Sharing Thread

- "Received close to 500 so far and still coming in. 90 made it through to employees before being blocked by perimeter as spam."
- "Subject: Important message from BANK. Sender: youraccount@BANKmessage.com. URL: hxxp://www2.webmasterradio.fm/FanPage/Procss/Logon.html"
- "0 hits last 7 days"
- "We've had about 50 hits so far, all are discarded"
- "BANK submitted a takedown request for the phishing site"

TLP AMBER / PROPRIETARY INFORMATION
Sample of ISAC Sharing

- Indicators of compromise: IP address, subject line, MD5, TTP, malware
- Ask a question: "Anyone else seeing…?" "What do you do in this situation?" "How do you handle…?"
- Share a best practice: "Here's how we…"
- Share a mitigation strategy: "Here's a script you can use…" "We did this…"
A Common Language

- Structured Threat Information eXpression (STIX) is a common language: a way for all to speak the same language.

Trusted Automated eXchange of Indicator Information (TAXII)

- The goal of TAXII is to facilitate the exchange of structured cyber threat information
- Designed to support existing sharing paradigms in a more automated manner
- TAXII is a set of specifications defining the network-level activity of the exchange
- Defines services and messages to exchange data
- Does NOT dictate HOW data is handled in the back-end, WHAT data is shared or WHO it is shared with
- TAXII is NOT a sharing program
- TAXII is a protocol over which STIX can be transported
What is Cyber Threat Intelligence? 8 Constructs of STIX

- Atomic: What threat activity are we seeing?
- Tactical: What threats should I look for on my networks and systems, and why?
- Operational: Where has this threat been seen? What weaknesses does it exploit? What can I do about it?
- Strategic: Who is responsible for this threat? Why do they do this? What do they do?
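The Traffic Light Protocol tiers and the STIX/TAXII slides describe two halves of one mechanism: STIX carries the content, and a marking on each object says who may receive it, while TAXII moves the bundle without deciding what goes where. The following is an added example, not code from the deck, FS-ISAC or the STIX/TAXII projects, that puts those halves together. It assumes the later STIX 2.1 JSON form rather than the XML-based STIX 1.x of the deck's era, uses the marking-definition IDs the STIX 2.1 specification fixes for the four TLP colours, and implements the deck's own tier definitions (RED: the defined group; AMBER: ISAC members; GREEN: members and partners, never public forums; WHITE: freely) as an audience filter over a bundle. Every indicator value is a constructed placeholder, and an object posted without a TLP marking is treated as RED.

```python
"""Build a STIX 2.1 bundle carrying TLP markings and filter it per audience.

Added example, not from the deck, FS-ISAC or the STIX/TAXII projects. It uses
the STIX 2.1 JSON form (the deck predates it) and the deck's own four TLP tiers.
All indicator values are constructed placeholders.
"""
import json
import uuid
from datetime import datetime, timezone

# marking-definition IDs the STIX 2.1 specification fixes for the TLP colours,
# so producers and consumers agree on them without exchanging definitions.
TLP_IDS = {
    "WHITE": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "GREEN": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "AMBER": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "RED":   "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
ID_TO_TLP = {v: k for k, v in TLP_IDS.items()}

# The deck's tiers as the audiences each colour may reach: RED stays in the
# defined group; AMBER reaches ISAC members; GREEN adds partners (vendors,
# MSSPs, customers) but never public forums; WHITE may be shared freely.
AUDIENCES = ("group", "members", "partners", "public")
RELEASABLE_TO = {
    "RED":   {"group"},
    "AMBER": {"group", "members"},
    "GREEN": {"group", "members", "partners"},
    "WHITE": {"group", "members", "partners", "public"},
}


def _now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def tlp_marking(color: str) -> dict:
    """The marking-definition object for a TLP colour (fixed id and timestamp per spec)."""
    return {"type": "marking-definition", "spec_version": "2.1", "id": TLP_IDS[color],
            "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp",
            "name": f"TLP:{color}", "definition": {"tlp": color.lower()}}


def indicator(name: str, pattern: str, tlp: str) -> dict:
    """An indicator SDO with a STIX pattern, marked with one TLP colour."""
    ts = _now()
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
            "created": ts, "modified": ts, "name": name,
            "indicator_types": ["malicious-activity"],
            "pattern": pattern, "pattern_type": "stix", "valid_from": ts,
            "object_marking_refs": [TLP_IDS[tlp]]}


def tlp_of(obj: dict):
    """Colour of the object's TLP marking, or None if it carries none."""
    for ref in obj.get("object_marking_refs", []):
        if ref in ID_TO_TLP:
            return ID_TO_TLP[ref]
    return None


def releasable(obj: dict, audience: str) -> bool:
    """An unmarked object is treated as RED: the safe default is not to share."""
    return audience in RELEASABLE_TO[tlp_of(obj) or "RED"]


def filter_for_audience(bundle: dict, audience: str) -> dict:
    """New bundle holding only what the audience may receive, plus the markings it references."""
    if audience not in AUDIENCES:
        raise ValueError(f"unknown audience: {audience}")
    kept = [o for o in bundle["objects"]
            if o["type"] != "marking-definition" and releasable(o, audience)]
    needed = {ref for o in kept for ref in o.get("object_marking_refs", [])}
    defs = [o for o in bundle["objects"]
            if o["type"] == "marking-definition" and o["id"] in needed]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": defs + kept}


def to_json(bundle: dict) -> str:
    return json.dumps(bundle, indent=2)


def sample_bundle() -> dict:
    """Constructed bundle modelled on the sharing thread: subject, URL, hash, IP."""
    ts = _now()
    objects = [
        tlp_marking("AMBER"), tlp_marking("GREEN"), tlp_marking("WHITE"),
        indicator("Phish subject", "[email-message:subject = 'Important message from BANK']", "AMBER"),
        indicator("Phish landing page", "[url:value = 'http://www2.phish-host.example/FanPage/Logon.html']", "AMBER"),
        indicator("Attachment hash", "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']", "GREEN"),
        indicator("Sending host", "[ipv4-addr:value = '203.0.113.45']", "WHITE"),
        # Course of action posted without any marking: filtered as RED below.
        {"type": "course-of-action", "spec_version": "2.1",
         "id": f"course-of-action--{uuid.uuid4()}", "created": ts, "modified": ts,
         "name": "Submit takedown request for the phishing site"},
    ]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    b = sample_bundle()
    for audience in AUDIENCES:
        kept = filter_for_audience(b, audience)["objects"]
        print(f"{audience:8s} -> {len(kept)} objects")
    print(to_json(filter_for_audience(b, "public")))
```

The filter is exactly the back-end decision the TAXII slide says the protocol does not make: TAXII would carry whichever of the four filtered bundles is destined for a given collection, and the sharing organisation, not the transport, decides which one that is. Treating an unmarked object as RED is deliberate: a course of action someone forgot to mark stays inside the group until the poster says otherwise, which is the failure mode a sharing platform should have.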
Threats Seen

Cyber Threat Environment

- Actors: nation states, terrorists, criminals, insiders, activists/hacktivists, media, vendors

Seen Last Week...

- Nuclear Exploit Kit
- OpenVAS scanning
- Angler / Neutrino
- PlugX
- DDoS
- Dridex
- Upatre / Dyre

Malware: Exploit Kits (Top Exploit Kits Seen)

- Blackhole EK: Paunch, 10/13
- Infinity EK: Flash player exploit
- Neutrino EK: mixes legitimate and non-legitimate requests to obfuscate the code
- Magnitude EK: ransomware
- Sweet Orange EK: website
- Fiesta EK: Silverlight
- Angler EK: hides behind legitimate web code
- Crimeboss EK: Java exploits

Ransomware

- CryptoLocker, CryptoWall, CryptoDefense, TorrentLocker, Darkleech
- Top infections: US, AU, Canada, UK, India; also saw a Singapore trend

Delivery Mechanisms: Phishing / Spearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors MalverMsing Watering Holes
Syrian Electronic13 Army
Media Vendor Spin Incidents
bull HeartBleed13 Open SSL bull Hedge Fund ANack -shy‐ BAEbull Russians ANack Financial System13 bull Russians Hack 14 Billion Passwords -shy‐ Hold Security
Other13 Threats
bull Call Center ndash Phishing bull Mobile bull Social Media ndash Sony ExecuMve on American Airlines bull Industrial Control Systems -shy‐ Havex bull Espionage ndash VirusTotal tesMng for malware
Case Studies
DDoS ndash DD4BC
Since April 2015 bullSubject Line bullFrom From DD4BC Team ltd4bct[AT]gmail[]comgt bullSubject DDOS ATTACK
Size 500 Mbps to 50 Gbps Duration Up to 1 hour Ransom Demand 25-40 BTC
UnitedNYSE
NYSE July 8 2015 1132am 1145am chatter Noon definitive word
UNITED 826 am Reservation System
United13 Parcel13 Service
bull USSS NCCIC FS-shy‐ISAC ndashCollaborate to releasemalware analysis and risk miMgaMon recommendaMons
bull Shared with Retailers AssociaKon
bull UPS Detected13 and used13 to miKgate Malware
QuesKons
InformaKon13 Sharing Valu e
Structur e
Trust
Information Sharing Traffic Light Protocol
curren Restricted to a defined group (eg only those present in ameeting) Information labeled RED should not be shared withanyone outside of the group
curren This information may be shared with FS-ISAC members
curren Information may be shared with FS-ISAC members andpartners (eg vendors MSSPs customers) Information in this category is not to be shared in public forums
curren This information may be shared freely and is subject to standard copyright rules
Types13 of13 InformaKon SharedCyber13 Threats VulnerabiliKes Incidents
uumlMalicious Sites uumlThreat13 Actors ObjecMves13
uumlThreat13 Indicators uumlTTPs Observables uumlCourses13 of AcMon13 uumlExploit13 Targets uumlDenial of Service AOacks
uumlMalicious Emails Phishing Spearphishing
uumlSogtwareVulnerabiliMes
uumlMalicious Sogtware uumlAnalysis and risk miMgaMon
uumlIncident13 response
Primary Ways13 InformaKon Is13 Shared
uumlPortalAlerts uumlListservers uumlAutomaMon
Sample of Sharing Thread
Received close to 500 so far and sMll coming in 90 made it13 through to employees before being blocked by perimeter asspam
SubjectImportant13 message from BANK Sender youraccountBANKmessagecom URL hxxpwww2webmasterradiofm FanPageProcssLogonhtml
0 hits last13 7days
Wersquove had about13 50 hits so far all arediscarded
TLP AMBER13 PROPRIETARY INFORMATION
BANK SubmiOed atakedown request13 for the phishing site
Sample of ISAC Sharing
Indicators of Compromise IP Address Subject Line MD5 TTP Malware
Ask a question Anyone else seeing What do you do in this situation How do you handlehelliphelliphelliphellip
Share a Best Practice Herersquos how wehelliphellip
Share a Mitigation Strategy Herersquos a script you can usehelliphellip We did thishelliphellip
TLP AMBER13 PROPRIETARY INFORMATION
A Common Language
sect Structured Threat Information Expression is a common language a way for all to speak the same
Trusted Automated eXchange of Indicator Information (TAXII)
sect The goal of TAXII is to facilitate the exchange of structured cyber threat information sect Designed to support existing sharing paradigms in a
more automated manner
sect TAXII is a set of specifications defining the network-level activity of the exchange sect Defines services and messages to exchange data sect Does NOT dictate HOW data is handled in the
back-end WHAT data is shared or WHO it is shared with
sect TAXII is NOT a sharing program sect TAXII is a protocol over which STIX can be
transported
What is13 Cyber13 Threat Intelligence8 Constructs13 of STIX
Atomic
Tactical
Operational
What threat activity are we seeing
What threats should I look for on my networks and systems and why
Where has this What weaknesses What can I threat been seen does it exploit do about it
Strategic
Who is responsible for this threat
Why do they do this
What do they do
Threats Seen
Cyber13 Threat Environment
bull Actors ndash NaMon States ndash Terrorists ndash Criminals ndash Insiders ndash AcMvistsHackMvists ndash Media13 ndash Vendors13
Seen Last Weekhellip Nuclear Exploit13 Kit13
Open VAS Scanning
AnglerNeutrino
PlugX
DDoS
Dridex13
UpatreDyre
13
xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
Malware-shy‐Exploit Kits Top Exploit13 Kits Seen
Blackhole EK ndash Paunch 1013 Infinity EK Flash player exploit13 Neutrino13 EK Mixes legiMmate non-shy‐legiMmate requests toobsfuscate the code Magnitude EK -shy‐ Ransomware Sweet Orange13 EK -shy‐ Website Fiesta EK -shy‐ Silverlight13 Angler EK hides behind legiMmate web code Crimeboss13 EK Java exploits
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors MalverMsing Watering Holes
Syrian Electronic13 Army
Media Vendor Spin Incidents
bull HeartBleed13 Open SSL bull Hedge Fund ANack -shy‐ BAEbull Russians ANack Financial System13 bull Russians Hack 14 Billion Passwords -shy‐ Hold Security
Other13 Threats
bull Call Center ndash Phishing bull Mobile bull Social Media ndash Sony ExecuMve on American Airlines bull Industrial Control Systems -shy‐ Havex bull Espionage ndash VirusTotal tesMng for malware
Case Studies
DDoS ndash DD4BC
Since April 2015 bullSubject Line bullFrom From DD4BC Team ltd4bct[AT]gmail[]comgt bullSubject DDOS ATTACK
Size 500 Mbps to 50 Gbps Duration Up to 1 hour Ransom Demand 25-40 BTC
UnitedNYSE
NYSE July 8 2015 1132am 1145am chatter Noon definitive word
UNITED 826 am Reservation System
United13 Parcel13 Service
bull USSS NCCIC FS-shy‐ISAC ndashCollaborate to releasemalware analysis and risk miMgaMon recommendaMons
bull Shared with Retailers AssociaKon
bull UPS Detected13 and used13 to miKgate Malware
QuesKons
Information Sharing Traffic Light Protocol
curren Restricted to a defined group (eg only those present in ameeting) Information labeled RED should not be shared withanyone outside of the group
curren This information may be shared with FS-ISAC members
curren Information may be shared with FS-ISAC members andpartners (eg vendors MSSPs customers) Information in this category is not to be shared in public forums
curren This information may be shared freely and is subject to standard copyright rules
Types13 of13 InformaKon SharedCyber13 Threats VulnerabiliKes Incidents
uumlMalicious Sites uumlThreat13 Actors ObjecMves13
uumlThreat13 Indicators uumlTTPs Observables uumlCourses13 of AcMon13 uumlExploit13 Targets uumlDenial of Service AOacks
uumlMalicious Emails Phishing Spearphishing
uumlSogtwareVulnerabiliMes
uumlMalicious Sogtware uumlAnalysis and risk miMgaMon
uumlIncident13 response
Primary Ways13 InformaKon Is13 Shared
uumlPortalAlerts uumlListservers uumlAutomaMon
Sample of Sharing Thread
Received close to 500 so far and sMll coming in 90 made it13 through to employees before being blocked by perimeter asspam
SubjectImportant13 message from BANK Sender youraccountBANKmessagecom URL hxxpwww2webmasterradiofm FanPageProcssLogonhtml
0 hits last13 7days
Wersquove had about13 50 hits so far all arediscarded
TLP AMBER13 PROPRIETARY INFORMATION
BANK SubmiOed atakedown request13 for the phishing site
Sample of ISAC Sharing
Indicators of Compromise IP Address Subject Line MD5 TTP Malware
Ask a question Anyone else seeing What do you do in this situation How do you handlehelliphelliphelliphellip
Share a Best Practice Herersquos how wehelliphellip
Share a Mitigation Strategy Herersquos a script you can usehelliphellip We did thishelliphellip
TLP AMBER13 PROPRIETARY INFORMATION
A Common Language
sect Structured Threat Information Expression is a common language a way for all to speak the same
Trusted Automated eXchange of Indicator Information (TAXII)
sect The goal of TAXII is to facilitate the exchange of structured cyber threat information sect Designed to support existing sharing paradigms in a
more automated manner
sect TAXII is a set of specifications defining the network-level activity of the exchange sect Defines services and messages to exchange data sect Does NOT dictate HOW data is handled in the
back-end WHAT data is shared or WHO it is shared with
sect TAXII is NOT a sharing program sect TAXII is a protocol over which STIX can be
transported
What is13 Cyber13 Threat Intelligence8 Constructs13 of STIX
Atomic
Tactical
Operational
What threat activity are we seeing
What threats should I look for on my networks and systems and why
Where has this What weaknesses What can I threat been seen does it exploit do about it
Strategic
Who is responsible for this threat
Why do they do this
What do they do
Threats Seen
Cyber13 Threat Environment
bull Actors ndash NaMon States ndash Terrorists ndash Criminals ndash Insiders ndash AcMvistsHackMvists ndash Media13 ndash Vendors13
Seen Last Weekhellip Nuclear Exploit13 Kit13
Open VAS Scanning
AnglerNeutrino
PlugX
DDoS
Dridex13
UpatreDyre
13
xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
Malware-shy‐Exploit Kits Top Exploit13 Kits Seen
Blackhole EK ndash Paunch 1013 Infinity EK Flash player exploit13 Neutrino13 EK Mixes legiMmate non-shy‐legiMmate requests toobsfuscate the code Magnitude EK -shy‐ Ransomware Sweet Orange13 EK -shy‐ Website Fiesta EK -shy‐ Silverlight13 Angler EK hides behind legiMmate web code Crimeboss13 EK Java exploits
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors MalverMsing Watering Holes
Syrian Electronic13 Army
Media Vendor Spin Incidents
bull HeartBleed13 Open SSL bull Hedge Fund ANack -shy‐ BAEbull Russians ANack Financial System13 bull Russians Hack 14 Billion Passwords -shy‐ Hold Security
Other13 Threats
bull Call Center ndash Phishing bull Mobile bull Social Media ndash Sony ExecuMve on American Airlines bull Industrial Control Systems -shy‐ Havex bull Espionage ndash VirusTotal tesMng for malware
Case Studies
DDoS ndash DD4BC
Since April 2015 bullSubject Line bullFrom From DD4BC Team ltd4bct[AT]gmail[]comgt bullSubject DDOS ATTACK
Size 500 Mbps to 50 Gbps Duration Up to 1 hour Ransom Demand 25-40 BTC
UnitedNYSE
NYSE July 8 2015 1132am 1145am chatter Noon definitive word
UNITED 826 am Reservation System
United13 Parcel13 Service
bull USSS NCCIC FS-shy‐ISAC ndashCollaborate to releasemalware analysis and risk miMgaMon recommendaMons
bull Shared with Retailers AssociaKon
bull UPS Detected13 and used13 to miKgate Malware
QuesKons
Types13 of13 InformaKon SharedCyber13 Threats VulnerabiliKes Incidents
uumlMalicious Sites uumlThreat13 Actors ObjecMves13
uumlThreat13 Indicators uumlTTPs Observables uumlCourses13 of AcMon13 uumlExploit13 Targets uumlDenial of Service AOacks
uumlMalicious Emails Phishing Spearphishing
uumlSogtwareVulnerabiliMes
uumlMalicious Sogtware uumlAnalysis and risk miMgaMon
uumlIncident13 response
Primary Ways13 InformaKon Is13 Shared
uumlPortalAlerts uumlListservers uumlAutomaMon
Sample of Sharing Thread
Received close to 500 so far and sMll coming in 90 made it13 through to employees before being blocked by perimeter asspam
SubjectImportant13 message from BANK Sender youraccountBANKmessagecom URL hxxpwww2webmasterradiofm FanPageProcssLogonhtml
0 hits last13 7days
Wersquove had about13 50 hits so far all arediscarded
TLP AMBER13 PROPRIETARY INFORMATION
BANK SubmiOed atakedown request13 for the phishing site
Sample of ISAC Sharing
Indicators of Compromise IP Address Subject Line MD5 TTP Malware
Ask a question Anyone else seeing What do you do in this situation How do you handlehelliphelliphelliphellip
Share a Best Practice Herersquos how wehelliphellip
Share a Mitigation Strategy Herersquos a script you can usehelliphellip We did thishelliphellip
TLP AMBER13 PROPRIETARY INFORMATION
A Common Language
sect Structured Threat Information Expression is a common language a way for all to speak the same
Trusted Automated eXchange of Indicator Information (TAXII)
sect The goal of TAXII is to facilitate the exchange of structured cyber threat information sect Designed to support existing sharing paradigms in a
more automated manner
sect TAXII is a set of specifications defining the network-level activity of the exchange sect Defines services and messages to exchange data sect Does NOT dictate HOW data is handled in the
back-end WHAT data is shared or WHO it is shared with
sect TAXII is NOT a sharing program sect TAXII is a protocol over which STIX can be
transported
What is13 Cyber13 Threat Intelligence8 Constructs13 of STIX
Atomic
Tactical
Operational
What threat activity are we seeing
What threats should I look for on my networks and systems and why
Where has this What weaknesses What can I threat been seen does it exploit do about it
Strategic
Who is responsible for this threat
Why do they do this
What do they do
Threats Seen
Cyber13 Threat Environment
bull Actors ndash NaMon States ndash Terrorists ndash Criminals ndash Insiders ndash AcMvistsHackMvists ndash Media13 ndash Vendors13
Seen Last Weekhellip Nuclear Exploit13 Kit13
Open VAS Scanning
AnglerNeutrino
PlugX
DDoS
Dridex13
UpatreDyre
13
xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
Malware-shy‐Exploit Kits Top Exploit13 Kits Seen
Blackhole EK ndash Paunch 1013 Infinity EK Flash player exploit13 Neutrino13 EK Mixes legiMmate non-shy‐legiMmate requests toobsfuscate the code Magnitude EK -shy‐ Ransomware Sweet Orange13 EK -shy‐ Website Fiesta EK -shy‐ Silverlight13 Angler EK hides behind legiMmate web code Crimeboss13 EK Java exploits
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
Primary Ways Information Is Shared
• Portal/Alerts
• Listservers
• Automation
Sample of Sharing Thread
Received close to 500 so far and still coming in. 90 made it through to employees before being blocked by perimeter as spam.
Subject: Important message from BANK
Sender: youraccount@BANKmessage.com
URL: hxxp://www2.webmasterradio.fm/FanPage/Procss/Logon.html
0 hits last 7 days.
We've had about 50 hits so far, all are discarded.
BANK: Submitted a takedown request for the phishing site.
TLP AMBER - PROPRIETARY INFORMATION
Sample of ISAC Sharing
Indicators of Compromise: IP Address, Subject Line, MD5, TTP, Malware
Ask a question: "Anyone else seeing...?" "What do you do in this situation?" "How do you handle...?"
Share a Best Practice: "Here's how we..."
Share a Mitigation Strategy: "Here's a script you can use..." "We did this..."
A Common Language
§ Structured Threat Information Expression (STIX) is a common language, a way for all to speak the same language
Trusted Automated eXchange of Indicator Information (TAXII)
§ The goal of TAXII is to facilitate the exchange of structured cyber threat information
§ Designed to support existing sharing paradigms in a more automated manner
§ TAXII is a set of specifications defining the network-level activity of the exchange
§ Defines services and messages to exchange data
§ Does NOT dictate HOW data is handled in the back-end, WHAT data is shared, or WHO it is shared with
§ TAXII is NOT a sharing program
§ TAXII is a protocol over which STIX can be transported
What is Cyber Threat Intelligence? 8 Constructs of STIX
Atomic
Tactical
Operational
• What threat activity are we seeing?
• What threats should I look for on my networks and systems, and why?
• Where has this threat been seen? What weaknesses does it exploit? What can I do about it?
Strategic
• Who is responsible for this threat?
• Why do they do this?
• What do they do?
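The sharing thread's phishing indicators (subject line, sender, URL) expressed as a STIX indicator and checked against mail-gateway logs to produce the kind of "hits" report the thread shows, as an added example that is not part of the deck. It assumes STIX 2.1 JSON (the deck refers to STIX 1.x), a constructed log-line format, and the thread's own placeholder BANK and sender names.

```python
"""Added example (not from the NH-ISAC deck): the sample sharing thread's phishing
indicators wrapped in a STIX 2.1 Indicator, then matched against constructed
mail-gateway log lines to give the "hits" tally a member reports back.
Assumes STIX 2.1 JSON (the deck refers to STIX 1.x), a constructed log format,
and the thread's own placeholder BANK / sender names."""
import json
import re
import uuid

# Indicators as posted in the thread; the URL stays defanged (hxxp) as shared.
SUBJECT = "Important message from BANK"
SENDER = "youraccount@BANKmessage.com"
URL = "hxxp://www2.webmasterradio.fm/FanPage/Procss/Logon.html"

def refang(value):
    """Undo common defanging so a shared value can be compared with live logs."""
    return (value.replace("hxxp", "http").replace("[.]", ".")
            .replace("[AT]", "@").replace("[at]", "@"))

def build_indicator(subject, sender, url, valid_from):
    """Wrap the shared indicators in a STIX 2.1 Indicator. Two observation
    expressions: the subject/sender pair, or the landing URL on its own, so a
    re-themed lure that reuses the same phishing kit still hits."""
    pattern = (f"[email-message:subject = '{subject}' AND "
               f"email-message:from_ref.value = '{sender}'] "
               f"OR [url:value = '{refang(url)}']")
    ident = uuid.uuid5(uuid.NAMESPACE_URL, pattern)  # deterministic; uuid4 in production
    return {
        "type": "indicator", "spec_version": "2.1", "id": f"indicator--{ident}",
        "created": valid_from, "modified": valid_from,
        "name": "BANK-themed credential phish (shared via ISAC portal)",
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix", "pattern": pattern, "valid_from": valid_from,
    }

# Supported STIX patterning subset: [...] observation expressions joined by OR,
# each holding string-equality comparisons joined by AND / OR (AND binds
# tighter). Anything else raises instead of silently matching nothing.
_COMPARISON = re.compile(r"^([\w-]+:[\w.]+) = '([^']*)'$")
_OBSERVATION = re.compile(r"\[([^\]]+)\]")

def _comparison_matches(comparison, observed):
    m = _COMPARISON.match(comparison.strip())
    if not m:
        raise ValueError(f"unsupported comparison: {comparison!r}")
    path, expected = m.groups()
    return observed.get(path) == expected

def pattern_matches(pattern, observed):
    """True if any observation expression in the pattern matches `observed`."""
    for expr in _OBSERVATION.findall(pattern):
        for disjunct in expr.split(" OR "):
            if all(_comparison_matches(c, observed) for c in disjunct.split(" AND ")):
                return True
    return False

# Constructed gateway log format, one message per line:
#   <timestamp> from=<addr> subject="<text>" url=<first URL or -> action=<deliver|quarantine>
_LOG = re.compile(r'^(\S+) from=(\S+) subject="([^"]*)" url=(\S+) action=(\w+)$')

def observe(line):
    """Project one log line onto the STIX object paths the pattern refers to."""
    m = _LOG.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    _ts, sender, subject, url, action = m.groups()
    observed = {"email-message:subject": subject, "email-message:from_ref.value": sender}
    if url != "-":
        observed["url:value"] = url
    return observed, action

def count_hits(indicator, log_lines):
    """Tally matches the way the thread reports them: total hits, and how many
    were blocked at the perimeter versus delivered to employees."""
    tally = {"hits": 0, "delivered": 0, "blocked": 0}
    for line in log_lines:
        observed, action = observe(line)
        if pattern_matches(indicator["pattern"], observed):
            tally["hits"] += 1
            tally["delivered" if action == "deliver" else "blocked"] += 1
    return tally

SAMPLE_LOG = [  # constructed log lines
    '2015-06-02T09:14:07Z from=youraccount@BANKmessage.com subject="Important message from BANK" url=http://www2.webmasterradio.fm/FanPage/Procss/Logon.html action=quarantine',
    '2015-06-02T09:14:09Z from=youraccount@BANKmessage.com subject="Important message from BANK" url=- action=deliver',
    '2015-06-02T09:15:31Z from=alerts@othersender.example subject="Important message from BANK" url=- action=deliver',
    '2015-06-02T09:16:02Z from=news@vendor.example subject="Weekly newsletter" url=http://www2.webmasterradio.fm/FanPage/Procss/Logon.html action=quarantine',
    '2015-06-02T09:17:45Z from=payroll@corp.example subject="Your statement" url=http://intranet.example/statement action=deliver',
]

if __name__ == "__main__":
    indicator = build_indicator(SUBJECT, SENDER, URL, "2015-06-02T09:00:00.000Z")
    print(json.dumps(indicator, indent=2))
    print(count_hits(indicator, SAMPLE_LOG))  # {'hits': 3, 'delivered': 1, 'blocked': 2}
```

The third constructed line shows why the subject alone is not a hit: a lookalike subject from an unrelated sender only matches when paired with the shared sender or the shared URL.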
Threats Seen
Cyber Threat Environment
• Actors: Nation States, Terrorists, Criminals, Insiders, Activists/Hacktivists, Media, Vendors
Seen Last Week...
• Nuclear Exploit Kit
• OpenVAS Scanning
• Angler/Neutrino
• PlugX
• DDoS
• Dridex
• Upatre/Dyre
Malware - Exploit Kits: Top Exploit Kits Seen
• Blackhole EK (Paunch, 10/13)
• Infinity EK: Flash player exploit
• Neutrino EK: mixes legitimate and non-legitimate requests to obfuscate the code
• Magnitude EK: Ransomware
• Sweet Orange EK: Website
• Fiesta EK: Silverlight
• Angler EK: hides behind legitimate web code
• Crimeboss EK: Java exploits
Ransomware
• CryptoLocker
• CryptoWall
• CryptoDefense
• TorrentLocker
• Darkleech
Top infections: USA, Canada, UK, India. Also saw a Singapore trend.
Delivery Mechanisms: Phishing/Spearphishing
• Court Notice
• Invoice/Statement
• Shipping themes: DHL, FedEx, UPS
• EZ Pass
• Bank Phish: Swift Transfer
• Dhgate invoice
• eFax
• Salesforce
• Reward themes
• Airline: Delta
• WhatsApp: "You've got a voicemail"
Malware - Banking Trojans: Top Trojans Seen
• Citadel
• Kronos
• Kuluoz (Asprox)
• Carberp
• Zeus
• Zberp (hybrid)
• Game-over Zeus (GOZ): P2P (arj) 9/14
• Cridex: Bugat, Feodo, Dridex
• Dyre
• Shylock: July 2014 takedown
Dyre Spreads Like A Global Virus...
• June 2014: UK, US
• September 2014: Salesforce.com attacked
• October 2014: Romania, Germany and Switzerland
• November 2014: Over 100 firms targeted
• December 2014: Australia and China
Delivery Mechanisms: Drive-by Downloads and Watering Holes
• Forbes.com, Energystar.com, AusPost-tracking.com, VA.gov, NBC.com (Citadel, 2013)
Vulnerability Scanning
• Port Scans: open ports
• Vulnerability Scans: WordPress, Joomla, Java, Flash, OpenSSL
• Infrastructure
Vulnerabilities
• OpenSSL/Heartbleed: old vulnerability; allows more data than allowed to be read; website vulnerability; banks took the rap unfairly
• GNU Bash/Shellshock: old vulnerability (1994); Unix based (Linux, Apple Mac OS X); went public Wednesday 9/24; exploits and scanning seen almost immediately
Breaches
Malware: ChewBacca, Dexter, BlackPOS
• Target: 70 million (2013)
• OPM: 21.5 million
• Premera BCBS: 11.2 million
• Community Health Systems: 4.5 million
• Anthem BCBS: 80 million
• Sony/Hacking Team
2015 Breaches Identified by the ITRC as of 8/11/2015
• Total Breaches: 5,500 approx.
• Total Records Exposed: 818,004,561
• Source: Identity Theft Resource Center
Backoff
DDoS
• Sony PlayStation: Lizard Squad
• Operation Ababil
• Las Vegas: Gaming Industry
• Israel
• DD4BC
• World Cup
Q1 2015 Compared to Q4 2014
• 15% decrease in average attack time
• 35% increase in total DDoS attacks
• 42% increase in SSDP DDoS attacks (routers)
• 22% increase in application layer DDoS attacks
• 7% decrease in average attack bandwidth (170 Gbps)
• 37% increase in infrastructure layer DDoS attacks
Source: Akamai
Wiper Malware
• Shamoon (2012): attack on 30,000 Saudi Aramco workstations; corrupts files and wipes devices
• South Korean Attacks (2013): 2 banks, a media company and an insurance company; patch systems targeted and used to infect; wiped Windows, Linux and UNIX OS
• Las Vegas Casino (2014): wiped and destroyed files with a VB bomb
• Sony (2014): SMB Worm Tool (listening implant, backdoor, proxy tool, destructive hard drive tool, destructive targeted cleaning tool, network propagation wiper); financial data destroyed, financial system still inoperable, asks for delay in filing
The Media and Vendors
• Malvertising
• Watering Holes
• Syrian Electronic Army
Media/Vendor Spin Incidents
• HeartBleed (OpenSSL)
• Hedge Fund Attack (BAE)
• Russians Attack Financial System
• Russians Hack 1.4 Billion Passwords (Hold Security)
Other Threats
• Call Center: Phishing
• Mobile
• Social Media: Sony Executive on American Airlines
• Industrial Control Systems: Havex
• Espionage: VirusTotal testing for malware
Case Studies
DDoS: DD4BC
Since April 2015
• Subject Line
• From: DD4BC Team <d4bct[AT]gmail[.]com>
• Subject: DDOS ATTACK
Size: 500 Mbps to 50 Gbps
Duration: up to 1 hour
Ransom Demand: 25-40 BTC
United/NYSE
NYSE, July 8, 2015: 11:32am; 11:45am chatter; noon definitive word
UNITED: 8:26 am, Reservation System
United Parcel Service
• USSS, NCCIC, FS-ISAC collaborate to release malware analysis and risk mitigation recommendations
• Shared with Retailers Association
• UPS detected and used to mitigate malware
Questions
Sample of Sharing Thread
Received close to 500 so far and sMll coming in 90 made it13 through to employees before being blocked by perimeter asspam
SubjectImportant13 message from BANK Sender youraccountBANKmessagecom URL hxxpwww2webmasterradiofm FanPageProcssLogonhtml
0 hits last13 7days
Wersquove had about13 50 hits so far all arediscarded
TLP AMBER13 PROPRIETARY INFORMATION
BANK SubmiOed atakedown request13 for the phishing site
Sample of ISAC Sharing
Indicators of Compromise IP Address Subject Line MD5 TTP Malware
Ask a question Anyone else seeing What do you do in this situation How do you handlehelliphelliphelliphellip
Share a Best Practice Herersquos how wehelliphellip
Share a Mitigation Strategy Herersquos a script you can usehelliphellip We did thishelliphellip
TLP AMBER13 PROPRIETARY INFORMATION
A Common Language
sect Structured Threat Information Expression is a common language a way for all to speak the same
Trusted Automated eXchange of Indicator Information (TAXII)
sect The goal of TAXII is to facilitate the exchange of structured cyber threat information sect Designed to support existing sharing paradigms in a
more automated manner
sect TAXII is a set of specifications defining the network-level activity of the exchange sect Defines services and messages to exchange data sect Does NOT dictate HOW data is handled in the
back-end WHAT data is shared or WHO it is shared with
sect TAXII is NOT a sharing program sect TAXII is a protocol over which STIX can be
transported
What is13 Cyber13 Threat Intelligence8 Constructs13 of STIX
Atomic
Tactical
Operational
What threat activity are we seeing
What threats should I look for on my networks and systems and why
Where has this What weaknesses What can I threat been seen does it exploit do about it
Strategic
Who is responsible for this threat
Why do they do this
What do they do
Threats Seen
Cyber13 Threat Environment
bull Actors ndash NaMon States ndash Terrorists ndash Criminals ndash Insiders ndash AcMvistsHackMvists ndash Media13 ndash Vendors13
Seen Last Weekhellip Nuclear Exploit13 Kit13
Open VAS Scanning
AnglerNeutrino
PlugX
DDoS
Dridex13
UpatreDyre
13
xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
Malware-shy‐Exploit Kits Top Exploit13 Kits Seen
Blackhole EK ndash Paunch 1013 Infinity EK Flash player exploit13 Neutrino13 EK Mixes legiMmate non-shy‐legiMmate requests toobsfuscate the code Magnitude EK -shy‐ Ransomware Sweet Orange13 EK -shy‐ Website Fiesta EK -shy‐ Silverlight13 Angler EK hides behind legiMmate web code Crimeboss13 EK Java exploits
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors MalverMsing Watering Holes
Syrian Electronic13 Army
Media Vendor Spin Incidents
bull HeartBleed13 Open SSL bull Hedge Fund ANack -shy‐ BAEbull Russians ANack Financial System13 bull Russians Hack 14 Billion Passwords -shy‐ Hold Security
Other13 Threats
bull Call Center ndash Phishing bull Mobile bull Social Media ndash Sony ExecuMve on American Airlines bull Industrial Control Systems -shy‐ Havex bull Espionage ndash VirusTotal tesMng for malware
Case Studies
DDoS ndash DD4BC
Since April 2015 bullSubject Line bullFrom From DD4BC Team ltd4bct[AT]gmail[]comgt bullSubject DDOS ATTACK
Size 500 Mbps to 50 Gbps Duration Up to 1 hour Ransom Demand 25-40 BTC
UnitedNYSE
NYSE July 8 2015 1132am 1145am chatter Noon definitive word
UNITED 826 am Reservation System
United13 Parcel13 Service
bull USSS NCCIC FS-shy‐ISAC ndashCollaborate to releasemalware analysis and risk miMgaMon recommendaMons
bull Shared with Retailers AssociaKon
bull UPS Detected13 and used13 to miKgate Malware
QuesKons
Sample of ISAC Sharing
Indicators of Compromise IP Address Subject Line MD5 TTP Malware
Ask a question Anyone else seeing What do you do in this situation How do you handlehelliphelliphelliphellip
Share a Best Practice Herersquos how wehelliphellip
Share a Mitigation Strategy Herersquos a script you can usehelliphellip We did thishelliphellip
TLP AMBER13 PROPRIETARY INFORMATION
A Common Language
sect Structured Threat Information Expression is a common language a way for all to speak the same
Trusted Automated eXchange of Indicator Information (TAXII)
sect The goal of TAXII is to facilitate the exchange of structured cyber threat information sect Designed to support existing sharing paradigms in a
more automated manner
sect TAXII is a set of specifications defining the network-level activity of the exchange sect Defines services and messages to exchange data sect Does NOT dictate HOW data is handled in the
back-end WHAT data is shared or WHO it is shared with
sect TAXII is NOT a sharing program sect TAXII is a protocol over which STIX can be
transported
What is13 Cyber13 Threat Intelligence8 Constructs13 of STIX
Atomic
Tactical
Operational
What threat activity are we seeing
What threats should I look for on my networks and systems and why
Where has this What weaknesses What can I threat been seen does it exploit do about it
Strategic
Who is responsible for this threat
Why do they do this
What do they do
Threats Seen
Cyber13 Threat Environment
bull Actors ndash NaMon States ndash Terrorists ndash Criminals ndash Insiders ndash AcMvistsHackMvists ndash Media13 ndash Vendors13
Seen Last Weekhellip Nuclear Exploit13 Kit13
Open VAS Scanning
AnglerNeutrino
PlugX
DDoS
Dridex13
UpatreDyre
13
xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
Malware-shy‐Exploit Kits Top Exploit13 Kits Seen
Blackhole EK ndash Paunch 1013 Infinity EK Flash player exploit13 Neutrino13 EK Mixes legiMmate non-shy‐legiMmate requests toobsfuscate the code Magnitude EK -shy‐ Ransomware Sweet Orange13 EK -shy‐ Website Fiesta EK -shy‐ Silverlight13 Angler EK hides behind legiMmate web code Crimeboss13 EK Java exploits
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors MalverMsing Watering Holes
Syrian Electronic13 Army
Media Vendor Spin Incidents
bull HeartBleed13 Open SSL bull Hedge Fund ANack -shy‐ BAEbull Russians ANack Financial System13 bull Russians Hack 14 Billion Passwords -shy‐ Hold Security
Other13 Threats
bull Call Center ndash Phishing bull Mobile bull Social Media ndash Sony ExecuMve on American Airlines bull Industrial Control Systems -shy‐ Havex bull Espionage ndash VirusTotal tesMng for malware
Case Studies
DDoS ndash DD4BC
Since April 2015 bullSubject Line bullFrom From DD4BC Team ltd4bct[AT]gmail[]comgt bullSubject DDOS ATTACK
Size 500 Mbps to 50 Gbps Duration Up to 1 hour Ransom Demand 25-40 BTC
UnitedNYSE
NYSE July 8 2015 1132am 1145am chatter Noon definitive word
UNITED 826 am Reservation System
United13 Parcel13 Service
bull USSS NCCIC FS-shy‐ISAC ndashCollaborate to releasemalware analysis and risk miMgaMon recommendaMons
bull Shared with Retailers AssociaKon
bull UPS Detected13 and used13 to miKgate Malware
QuesKons
A Common Language
sect Structured Threat Information Expression is a common language a way for all to speak the same
Trusted Automated eXchange of Indicator Information (TAXII)
sect The goal of TAXII is to facilitate the exchange of structured cyber threat information sect Designed to support existing sharing paradigms in a
more automated manner
sect TAXII is a set of specifications defining the network-level activity of the exchange sect Defines services and messages to exchange data sect Does NOT dictate HOW data is handled in the
back-end WHAT data is shared or WHO it is shared with
sect TAXII is NOT a sharing program sect TAXII is a protocol over which STIX can be
transported
What is13 Cyber13 Threat Intelligence8 Constructs13 of STIX
Atomic
Tactical
Operational
What threat activity are we seeing
What threats should I look for on my networks and systems and why
Where has this What weaknesses What can I threat been seen does it exploit do about it
Strategic
Who is responsible for this threat
Why do they do this
What do they do
Threats Seen
Cyber13 Threat Environment
bull Actors ndash NaMon States ndash Terrorists ndash Criminals ndash Insiders ndash AcMvistsHackMvists ndash Media13 ndash Vendors13
Seen Last Weekhellip Nuclear Exploit13 Kit13
Open VAS Scanning
AnglerNeutrino
PlugX
DDoS
Dridex13
UpatreDyre
13
xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
Malware-shy‐Exploit Kits Top Exploit13 Kits Seen
Blackhole EK ndash Paunch 1013 Infinity EK Flash player exploit13 Neutrino13 EK Mixes legiMmate non-shy‐legiMmate requests toobsfuscate the code Magnitude EK -shy‐ Ransomware Sweet Orange13 EK -shy‐ Website Fiesta EK -shy‐ Silverlight13 Angler EK hides behind legiMmate web code Crimeboss13 EK Java exploits
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors MalverMsing Watering Holes
Syrian Electronic13 Army
Media Vendor Spin Incidents
bull HeartBleed13 Open SSL bull Hedge Fund ANack -shy‐ BAEbull Russians ANack Financial System13 bull Russians Hack 14 Billion Passwords -shy‐ Hold Security
Other13 Threats
bull Call Center ndash Phishing bull Mobile bull Social Media ndash Sony ExecuMve on American Airlines bull Industrial Control Systems -shy‐ Havex bull Espionage ndash VirusTotal tesMng for malware
Case Studies
DDoS ndash DD4BC
Since April 2015 bullSubject Line bullFrom From DD4BC Team ltd4bct[AT]gmail[]comgt bullSubject DDOS ATTACK
Size 500 Mbps to 50 Gbps Duration Up to 1 hour Ransom Demand 25-40 BTC
UnitedNYSE
NYSE July 8 2015 1132am 1145am chatter Noon definitive word
UNITED 826 am Reservation System
United13 Parcel13 Service
bull USSS NCCIC FS-shy‐ISAC ndashCollaborate to releasemalware analysis and risk miMgaMon recommendaMons
bull Shared with Retailers AssociaKon
bull UPS Detected13 and used13 to miKgate Malware
QuesKons
Trusted Automated eXchange of Indicator Information (TAXII)
sect The goal of TAXII is to facilitate the exchange of structured cyber threat information sect Designed to support existing sharing paradigms in a
more automated manner
sect TAXII is a set of specifications defining the network-level activity of the exchange sect Defines services and messages to exchange data sect Does NOT dictate HOW data is handled in the
back-end WHAT data is shared or WHO it is shared with
sect TAXII is NOT a sharing program sect TAXII is a protocol over which STIX can be
transported
What is13 Cyber13 Threat Intelligence8 Constructs13 of STIX
Atomic
Tactical
Operational
What threat activity are we seeing
What threats should I look for on my networks and systems and why
Where has this What weaknesses What can I threat been seen does it exploit do about it
Strategic
Who is responsible for this threat
Why do they do this
What do they do
Threats Seen
Cyber13 Threat Environment
bull Actors ndash NaMon States ndash Terrorists ndash Criminals ndash Insiders ndash AcMvistsHackMvists ndash Media13 ndash Vendors13
Seen Last Weekhellip Nuclear Exploit13 Kit13
Open VAS Scanning
AnglerNeutrino
PlugX
DDoS
Dridex13
UpatreDyre
13
xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
Malware-shy‐Exploit Kits Top Exploit13 Kits Seen
Blackhole EK ndash Paunch 1013 Infinity EK Flash player exploit13 Neutrino13 EK Mixes legiMmate non-shy‐legiMmate requests toobsfuscate the code Magnitude EK -shy‐ Ransomware Sweet Orange13 EK -shy‐ Website Fiesta EK -shy‐ Silverlight13 Angler EK hides behind legiMmate web code Crimeboss13 EK Java exploits
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors MalverMsing Watering Holes
Syrian Electronic13 Army
Media Vendor Spin Incidents
bull HeartBleed13 Open SSL bull Hedge Fund ANack -shy‐ BAEbull Russians ANack Financial System13 bull Russians Hack 14 Billion Passwords -shy‐ Hold Security
Other13 Threats
bull Call Center ndash Phishing bull Mobile bull Social Media ndash Sony ExecuMve on American Airlines bull Industrial Control Systems -shy‐ Havex bull Espionage ndash VirusTotal tesMng for malware
Case Studies
DDoS ndash DD4BC
Since April 2015 bullSubject Line bullFrom From DD4BC Team ltd4bct[AT]gmail[]comgt bullSubject DDOS ATTACK
Size 500 Mbps to 50 Gbps Duration Up to 1 hour Ransom Demand 25-40 BTC
UnitedNYSE
NYSE July 8 2015 1132am 1145am chatter Noon definitive word
UNITED 826 am Reservation System
United13 Parcel13 Service
bull USSS NCCIC FS-shy‐ISAC ndashCollaborate to releasemalware analysis and risk miMgaMon recommendaMons
bull Shared with Retailers AssociaKon
bull UPS Detected13 and used13 to miKgate Malware
QuesKons
What is Cyber Threat Intelligence? 8 Constructs of STIX
Atomic
Tactical
Operational
What threat activity are we seeing?
What threats should I look for on my networks and systems, and why?
Where has this threat been seen? What weaknesses does it exploit? What can I do about it?
Strategic
Who is responsible for this threat?
Why do they do this?
What do they do?
Threats Seen
Cyber Threat Environment
• Actors – Nation States – Terrorists – Criminals – Insiders – Activists/Hacktivists – Media – Vendors
Seen Last Week… Nuclear Exploit Kit
OpenVAS Scanning
Angler/Neutrino
PlugX
DDoS
Dridex
Upatre/Dyre
Malware - Exploit Kits: Top Exploit Kits Seen
• Blackhole EK – Paunch 10/13
• Infinity EK – Flash player exploit
• Neutrino EK – mixes legitimate and non-legitimate requests to obfuscate the code
• Magnitude EK – Ransomware
• Sweet Orange EK – Website
• Fiesta EK – Silverlight
• Angler EK – hides behind legitimate web code
• Crimeboss EK – Java exploits
Ransomware
– Cryptolocker – CryptoWall – CryptoDefense – TorrentLocker – Darkleech
Top infections: USA, Canada, UK, India. Also saw a Singapore trend.
Delivery Mechanisms: Phishing/Spearphishing
Court Notice; Invoice/Statement; Shipping themes (DHL, FedEx, UPS); EZ Pass; Bank phish – Swift Transfer; Dhgate invoice; eFax; Salesforce; Reward themes; Airline – Delta; WhatsApp – You've got a voicemail
Malware - Banking Trojans: Top Trojans Seen
Citadel, Kronos, Kuluoz – Asprox, Carberp, Zeus, Zberp – hybrid, Game-over Zeus (GOZ) – P2P (arj) 9/14, Cridex – Bugat, Feodo, Dridex, Dyre, Shylock – July 2014 Takedown
Dyre Spreads Like A Global Virus…
June 2014: UK, US
September 2014: Salesforce.com attacked
October 2014: Romania, Germany and Switzerland
November 2014: Over 100 firms targeted
December 2014: Australia and China
Delivery Mechanisms: Drive-by Downloads and Watering Holes
Forbes.com, Energystar.com, AusPost-tracking.com, VA.gov, NBC.com – Citadel 2013
Vulnerability Scanning
• Port Scans – Open ports
• Vulnerability Scans – WordPress, Joomla, Java, Flash, OpenSSL
• Infrastructure
Vulnerabilities
• OpenSSL/Heartbleed – Old vulnerability – Allows more data than allowed to be read – Website vulnerability – Banks took the rap unfairly
• GNU Bash/Shellshock – Old vulnerability (1994) – Unix based: Linux, Apple Mac OS X – Went public Wednesday 9/24 – Exploits and scanning seen almost immediately
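The bounds check the Heartbleed bullet describes, as an added C illustration that is not part of the presentation and is not OpenSSL's code: a simplified heartbeat responder that refuses to echo more bytes than the peer actually sent. The record layout and the HB_* and demo_* names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (an assumption, not OpenSSL's layout) of a TLS heartbeat
 * request as the receiver sees it, inside one received record:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * rec_len is the number of bytes that actually arrived in the record. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build the heartbeat response for one request record.
 * Returns the response length written to out, or -1 for a malformed request.
 * The comparison of the declared payload length against rec_len is the check
 * Heartbleed lacked; without it the responder echoes payload_length bytes from
 * memory beyond the bytes the peer really sent. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec == NULL || rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* Declared payload plus header and minimum padding must fit in what was received. */
    if (1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);        /* echo only bytes the peer sent */
    memset(out + 3 + payload_len, 0, HB_PADDING); /* fresh padding, never stale memory */
    return (int)resp_len;
}

/* Encode a request from a payload and a *declared* length, so both an honest
 * request and a lying one (declared > actual) can be constructed for testing. */
size_t make_request(const uint8_t *payload, size_t actual_len,
                    size_t declared_len, uint8_t *rec, size_t rec_cap)
{
    size_t total = 1 + 2 + actual_len + HB_PADDING;
    if (total > rec_cap || declared_len > 0xffff)
        return 0;
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(declared_len >> 8);
    rec[2] = (uint8_t)(declared_len & 0xff);
    memcpy(rec + 3, payload, actual_len);
    memset(rec + 3 + actual_len, 0, HB_PADDING);
    return total;
}

/* Constructed sample 1: honest request, 5-byte payload "hello", declared 5.
 * Expected response length: 1 + 2 + 5 + 16 = 24, echoing exactly "hello". */
int demo_honest_request(void)
{
    uint8_t rec[64], out[64];
    size_t n = make_request((const uint8_t *)"hello", 5, 5, rec, sizeof rec);
    int r = heartbeat_response(rec, n, out, sizeof out);
    if (r != 24 || memcmp(out + 3, "hello", 5) != 0)
        return -1;  /* echo must be exactly the sent payload */
    return r;
}

/* Constructed sample 2: the Heartbleed pattern, 5 bytes sent but 65535
 * declared. The length check rejects it with -1. */
int demo_lying_request(void)
{
    uint8_t rec[64], out[64];
    size_t n = make_request((const uint8_t *)"hello", 5, 0xffff, rec, sizeof rec);
    return heartbeat_response(rec, n, out, sizeof out);
}

/* Constructed sample 3: a declared length (3) shorter than what was sent (5)
 * is legal; the response echoes just 3 bytes: 1 + 2 + 3 + 16 = 22. */
int demo_short_declared_request(void)
{
    uint8_t rec[64], out[64];
    size_t n = make_request((const uint8_t *)"hello", 5, 3, rec, sizeof rec);
    return heartbeat_response(rec, n, out, sizeof out);
}

int main(void)
{
    printf("honest: %d, lying: %d, short-declared: %d\n",
           demo_honest_request(), demo_lying_request(),
           demo_short_declared_request());
    return 0;
}
```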
Breaches: Malware – ChewBacca, Dexter, BlackPOS
• Target 70 million – 2013
• OPM 21.5 million
• Premera BCBS 11.2 million
• Community Health Systems 4.5 million
• Anthem BCBS 80 million
• Sony/Hacking Team
2015 Breaches Identified by the ITRC as of 8/11/2015
• Total Breaches: 5,500 approx.
• Total Records Exposed: 818,004,561
• Identity Theft Resource Center
Backoff
DDoS
• Sony PlayStation – Lizard Squad
• Operation Ababil
• Las Vegas – Gaming Industry
• Israel
• DD4BC
• World Cup
Q1 2015 Compared to Q4 2014
15% decrease in average attack time; 35% increase in total DDoS attacks; 42% increase in SSDP DDoS attacks (routers); 22% increase in application layer DDoS attacks; 7% decrease in average attack bandwidth (170 Gbps); 37% increase in infrastructure layer DDoS attacks (Akamai)
Wiper Malware
• Shamoon – 2012
  – Attack on 30,000 Saudi Aramco workstations
  – Corrupts files and wipes devices
• South Korean Attacks – 2013
  – 2 banks, a media company and an insurance company
  – Patch systems targeted and used to infect
  – Wiped Windows, Linux and UNIX OS
• Las Vegas Casino – 2014
  – Wiped and destroyed files with VB bomb
• Sony – 2014
  – SMB Worm Tool: listening implant, backdoor, proxy tool, destructive hard drive tool, destructive targeted cleaning tool, network propagation wiper
  – Financial data destroyed, financial system still inoperable – asks for delay in filing
The Media and Vendors: Malvertising, Watering Holes
Syrian Electronic Army
Media/Vendor Spin Incidents
• HeartBleed OpenSSL
• Hedge Fund Attack – BAE
• Russians Attack Financial System
• Russians Hack 14 Billion Passwords – Hold Security
Other Threats
• Call Center – Phishing
• Mobile
• Social Media – Sony Executive on American Airlines
• Industrial Control Systems – Havex
• Espionage – VirusTotal testing for malware
Case Studies
DDoS – DD4BC
Since April 2015
• Subject Line
• From: DD4BC Team <d4bct[AT]gmail[.]com>
• Subject: DDOS ATTACK
Size: 500 Mbps to 50 Gbps; Duration: Up to 1 hour; Ransom Demand: 25-40 BTC
United/NYSE
NYSE, July 8, 2015: 11:32am, 11:45am chatter, Noon definitive word
UNITED, 8:26 am: Reservation System
United Parcel Service
• USSS, NCCIC, FS-ISAC – Collaborate to release malware analysis and risk mitigation recommendations
• Shared with Retailers Association
• UPS detected and used to mitigate malware
Questions
Threats Seen
Cyber13 Threat Environment
bull Actors ndash NaMon States ndash Terrorists ndash Criminals ndash Insiders ndash AcMvistsHackMvists ndash Media13 ndash Vendors13
Seen Last Weekhellip Nuclear Exploit13 Kit13
Open VAS Scanning
AnglerNeutrino
PlugX
DDoS
Dridex13
UpatreDyre
13
xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
Malware-shy‐Exploit Kits Top Exploit13 Kits Seen
Blackhole EK ndash Paunch 1013 Infinity EK Flash player exploit13 Neutrino13 EK Mixes legiMmate non-shy‐legiMmate requests toobsfuscate the code Magnitude EK -shy‐ Ransomware Sweet Orange13 EK -shy‐ Website Fiesta EK -shy‐ Silverlight13 Angler EK hides behind legiMmate web code Crimeboss13 EK Java exploits
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors MalverMsing Watering Holes
Syrian Electronic13 Army
Media Vendor Spin Incidents
bull HeartBleed13 Open SSL bull Hedge Fund ANack -shy‐ BAEbull Russians ANack Financial System13 bull Russians Hack 14 Billion Passwords -shy‐ Hold Security
Other13 Threats
bull Call Center ndash Phishing bull Mobile bull Social Media ndash Sony ExecuMve on American Airlines bull Industrial Control Systems -shy‐ Havex bull Espionage ndash VirusTotal tesMng for malware
Case Studies
DDoS ndash DD4BC
Since April 2015 bullSubject Line bullFrom From DD4BC Team ltd4bct[AT]gmail[]comgt bullSubject DDOS ATTACK
Size 500 Mbps to 50 Gbps Duration Up to 1 hour Ransom Demand 25-40 BTC
UnitedNYSE
NYSE July 8 2015 1132am 1145am chatter Noon definitive word
UNITED 826 am Reservation System
United13 Parcel13 Service
bull USSS NCCIC FS-shy‐ISAC ndashCollaborate to releasemalware analysis and risk miMgaMon recommendaMons
bull Shared with Retailers AssociaKon
bull UPS Detected13 and used13 to miKgate Malware
QuesKons
Cyber13 Threat Environment
bull Actors ndash NaMon States ndash Terrorists ndash Criminals ndash Insiders ndash AcMvistsHackMvists ndash Media13 ndash Vendors13
Seen Last Weekhellip Nuclear Exploit13 Kit13
Open VAS Scanning
AnglerNeutrino
PlugX
DDoS
Dridex13
UpatreDyre
13
xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
Malware-shy‐Exploit Kits Top Exploit13 Kits Seen
Blackhole EK ndash Paunch 1013 Infinity EK Flash player exploit13 Neutrino13 EK Mixes legiMmate non-shy‐legiMmate requests toobsfuscate the code Magnitude EK -shy‐ Ransomware Sweet Orange13 EK -shy‐ Website Fiesta EK -shy‐ Silverlight13 Angler EK hides behind legiMmate web code Crimeboss13 EK Java exploits
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors MalverMsing Watering Holes
Syrian Electronic13 Army
Media Vendor Spin Incidents
bull HeartBleed13 Open SSL bull Hedge Fund ANack -shy‐ BAEbull Russians ANack Financial System13 bull Russians Hack 14 Billion Passwords -shy‐ Hold Security
Other13 Threats
bull Call Center ndash Phishing bull Mobile bull Social Media ndash Sony ExecuMve on American Airlines bull Industrial Control Systems -shy‐ Havex bull Espionage ndash VirusTotal tesMng for malware
Case Studies
DDoS ndash DD4BC
Since April 2015 bullSubject Line bullFrom From DD4BC Team ltd4bct[AT]gmail[]comgt bullSubject DDOS ATTACK
Size 500 Mbps to 50 Gbps Duration Up to 1 hour Ransom Demand 25-40 BTC
UnitedNYSE
NYSE July 8 2015 1132am 1145am chatter Noon definitive word
UNITED 826 am Reservation System
United13 Parcel13 Service
bull USSS NCCIC FS-shy‐ISAC ndashCollaborate to releasemalware analysis and risk miMgaMon recommendaMons
bull Shared with Retailers AssociaKon
bull UPS Detected13 and used13 to miKgate Malware
QuesKons
Seen Last Weekhellip Nuclear Exploit13 Kit13
Open VAS Scanning
AnglerNeutrino
PlugX
DDoS
Dridex13
UpatreDyre
13
xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
Malware-shy‐Exploit Kits Top Exploit13 Kits Seen
Blackhole EK ndash Paunch 1013 Infinity EK Flash player exploit13 Neutrino13 EK Mixes legiMmate non-shy‐legiMmate requests toobsfuscate the code Magnitude EK -shy‐ Ransomware Sweet Orange13 EK -shy‐ Website Fiesta EK -shy‐ Silverlight13 Angler EK hides behind legiMmate web code Crimeboss13 EK Java exploits
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors MalverMsing Watering Holes
Syrian Electronic13 Army
Media Vendor Spin Incidents
bull HeartBleed13 Open SSL bull Hedge Fund ANack -shy‐ BAEbull Russians ANack Financial System13 bull Russians Hack 14 Billion Passwords -shy‐ Hold Security
Other13 Threats
bull Call Center ndash Phishing bull Mobile bull Social Media ndash Sony ExecuMve on American Airlines bull Industrial Control Systems -shy‐ Havex bull Espionage ndash VirusTotal tesMng for malware
Case Studies
DDoS ndash DD4BC
Since April 2015 bullSubject Line bullFrom From DD4BC Team ltd4bct[AT]gmail[]comgt bullSubject DDOS ATTACK
Size 500 Mbps to 50 Gbps Duration Up to 1 hour Ransom Demand 25-40 BTC
UnitedNYSE
NYSE July 8 2015 1132am 1145am chatter Noon definitive word
UNITED 826 am Reservation System
United13 Parcel13 Service
bull USSS NCCIC FS-shy‐ISAC ndashCollaborate to releasemalware analysis and risk miMgaMon recommendaMons
bull Shared with Retailers AssociaKon
bull UPS Detected13 and used13 to miKgate Malware
QuesKons
13
xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
Malware-shy‐Exploit Kits Top Exploit13 Kits Seen
Blackhole EK ndash Paunch 1013 Infinity EK Flash player exploit13 Neutrino13 EK Mixes legiMmate non-shy‐legiMmate requests toobsfuscate the code Magnitude EK -shy‐ Ransomware Sweet Orange13 EK -shy‐ Website Fiesta EK -shy‐ Silverlight13 Angler EK hides behind legiMmate web code Crimeboss13 EK Java exploits
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors MalverMsing Watering Holes
Syrian Electronic13 Army
Media Vendor Spin Incidents
bull HeartBleed13 Open SSL bull Hedge Fund ANack -shy‐ BAEbull Russians ANack Financial System13 bull Russians Hack 14 Billion Passwords -shy‐ Hold Security
Other13 Threats
bull Call Center ndash Phishing bull Mobile bull Social Media ndash Sony ExecuMve on American Airlines bull Industrial Control Systems -shy‐ Havex bull Espionage ndash VirusTotal tesMng for malware
Case Studies
DDoS ndash DD4BC
Since April 2015 bullSubject Line bullFrom From DD4BC Team ltd4bct[AT]gmail[]comgt bullSubject DDOS ATTACK
Size 500 Mbps to 50 Gbps Duration Up to 1 hour Ransom Demand 25-40 BTC
UnitedNYSE
NYSE July 8 2015 1132am 1145am chatter Noon definitive word
UNITED 826 am Reservation System
United13 Parcel13 Service
bull USSS NCCIC FS-shy‐ISAC ndashCollaborate to releasemalware analysis and risk miMgaMon recommendaMons
bull Shared with Retailers AssociaKon
bull UPS Detected13 and used13 to miKgate Malware
QuesKons
Ransomware
-shy‐Crytolocker-shy‐CryptoWall -shy‐CryptoDefense-shy‐Torrent13 Locker -shy‐Darkleach
Top infecMons USAUCanadaUKIndia Also saw Singapore trend
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors MalverMsing Watering Holes
Syrian Electronic13 Army
Media Vendor Spin Incidents
bull HeartBleed13 Open SSL bull Hedge Fund ANack -shy‐ BAEbull Russians ANack Financial System13 bull Russians Hack 14 Billion Passwords -shy‐ Hold Security
Other13 Threats
bull Call Center ndash Phishing bull Mobile bull Social Media ndash Sony ExecuMve on American Airlines bull Industrial Control Systems -shy‐ Havex bull Espionage ndash VirusTotal tesMng for malware
Case Studies
DDoS ndash DD4BC
Since April 2015 bullSubject Line bullFrom From DD4BC Team ltd4bct[AT]gmail[]comgt bullSubject DDOS ATTACK
Size 500 Mbps to 50 Gbps Duration Up to 1 hour Ransom Demand 25-40 BTC
UnitedNYSE
NYSE July 8 2015 1132am 1145am chatter Noon definitive word
UNITED 826 am Reservation System
United13 Parcel13 Service
bull USSS NCCIC FS-shy‐ISAC ndashCollaborate to releasemalware analysis and risk miMgaMon recommendaMons
bull Shared with Retailers AssociaKon
bull UPS Detected13 and used13 to miKgate Malware
QuesKons
Delivery Mechanisms PhishingSpearphishing
Court13 NoMce InvoiceStatament13 Shipping Themes DHL Fedex UPS EZ Pass Bank Phish ndash Swigt Transfer Dhgate invoice eFax Salesforce Reward themes Airline ndash Delta13 WhatsApp ndash Yoursquove got13 a voicemail
Malware Banking Trojans Top Trojans13 Seen13
Citadel Kronos Kulouz13 ndash Asprox Carperb13 Zeus13 Zberp13 -shy‐ hybrid13 Game-shy‐over Zeus (GOZ) -shy‐ P2P (arj) 914 Cridex ndash Bugat Feodo Dridex13 DyreShylock ndash July 2014 Takedown
Dyre Spreads Like A Global Virushellip
June 2014 UK US
September 2014 Salesforcecom
Attacked
October 2014 Romania Germany
and Switzerland
November 2014 Over 100 firms
targeted
December 2014 Australia and
China
Delivery Mechanisms
Drive-shy‐by Downloads and Watering13 Holes
Forbescom13 Energystarcom13 AusPost-shy‐trackingcom13 VAgov NBCcom13 ndash Citadel 2013
Vulnerability Scanning
bull Port13 Scans ndash Open ports bull Vulnerability Scans -shy‐ Wordpress Joomla Java
Flash Open13 SSLbull Infrastructure
VulnerabiliKes
bull OpenSSLHeartbleed ndash Old vulnerability ndash Allows more data than allowed tondash Website vulnerability ndash Banks took rap unfairly
bull GNU BashShellshock ndash Old vulnerability 1994 ndash Unix based Linux Apple Mac13 OX13 ndash Went13 public13 Wednesday 924 ndash Exploits and scanning seen almost13 immediately
be read
Breaches Malware ChewBacca Dexter Black POS
Oslash Target 70 million -shy‐ 2013 Oslash OPM 215 million Oslash Primera BCBS 112 million Oslash Community Health Systems 45 million Oslash Anthem13 BCBS 80 million Oslash SonyHacking Team13
2015 Breaches IdenKfied by the ITRC as of13 8112015
bullTotal Breaches13 5500 approx
bullTotal Records Exposed 818004561 bullIdenAty The4 Resource Center
Backoff
DDoS Oslash Sony PlayStaMon ndash Lizard Squad Oslash OperaMon13 Ababil13 Oslash Las Vegas ndash Gaming Industry Oslash Israel Oslash DD4BCOslash World Cup
Q1 2015 Compared to Q4 2014
15 decrease in avg aOack Mme35 increase in total DDoS aOacks 42 increase in SSDP DDoS aOacks (routers) 22 increase in aplicaMon layer DDoS aOacks 7 decrease in average aOack bandwidth (170 Gbps) 37 increase in infrastructure layer DDoS aOacks Akamai
Wiper Malware Oslash Shamoon ndash 2012
Oslash ANack on 30000 Saudi Aramco WorkstaMons Oslash Corrupts files and wipes devices
Oslash South Korean ANacksndash13 2013 Oslash 2 banks media company and insurance company Oslash Patch systems targeted and used to infect13 Oslash Wiped windows Linux and UNIX13 OS
Oslash Las Vegas13 Casinondash 2014 Oslash Wiped and destroyed files with VB bomb
Oslash Sony ndash 2014 Oslash SMB Worm13 Tool listening implant backdoor proxy
tool destrucMve hard drive tool destrucMve targeted cleaning tool network propogaMon wiper
Oslash Financial data destroyed financial system13 sMll inoperable ndash asks for delay in filing
The Media and Vendors MalverMsing Watering Holes
Syrian Electronic13 Army
Media Vendor Spin Incidents
bull HeartBleed13 Open SSL bull Hedge Fund ANack -shy‐ BAEbull Russians ANack Financial System13 bull Russians Hack 14 Billion Passwords -shy‐ Hold Security
Other13 Threats
bull Call Center ndash Phishing bull Mobile bull Social Media ndash Sony ExecuMve on American Airlines bull Industrial Control Systems -shy‐ Havex bull Espionage ndash VirusTotal tesMng for malware
Case Studies
DDoS ndash DD4BC
Since April 2015 bullSubject Line bullFrom From DD4BC Team ltd4bct[AT]gmail[]comgt bullSubject DDOS ATTACK
Size 500 Mbps to 50 Gbps Duration Up to 1 hour Ransom Demand 25-40 BTC
UnitedNYSE
NYSE July 8 2015 1132am 1145am chatter Noon definitive word
UNITED 826 am Reservation System
United13 Parcel13 Service
bull USSS NCCIC FS-shy‐ISAC ndashCollaborate to releasemalware analysis and risk miMgaMon recommendaMons
bull Shared with Retailers AssociaKon
bull UPS Detected13 and used13 to miKgate Malware
QuesKons
Malware: Banking Trojans
Top Trojans Seen
• Citadel
• Kronos
• Kuluoz – Asprox
• Carberp
• Zeus
• Zberp – hybrid
• Game-over Zeus (GOZ) – P2P (arj) 9/14
• Cridex – Bugat, Feodo, Dridex
• Dyre
• Shylock – July 2014 Takedown
Dyre Spreads Like A Global Virus…
• June 2014 – UK, US
• September 2014 – Salesforce.com attacked
• October 2014 – Romania, Germany and Switzerland
• November 2014 – Over 100 firms targeted
• December 2014 – Australia and China
Delivery Mechanisms
Drive-by Downloads and Watering Holes
• Forbes.com, Energystar.com, AusPost-tracking.com, VA.gov, NBC.com – Citadel 2013
Vulnerability Scanning
• Port Scans – Open ports
• Vulnerability Scans – WordPress, Joomla, Java, Flash, OpenSSL
• Infrastructure
Vulnerabilities
• OpenSSL / Heartbleed
  – Old vulnerability
  – Allows more data than allowed to be read
  – Website vulnerability
  – Banks took the rap unfairly
• GNU Bash / Shellshock
  – Old vulnerability (1994)
  – Unix based: Linux, Apple Mac OS X
  – Went public Wednesday 9/24
  – Exploits and scanning seen almost immediately
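The Heartbleed bullet above ("allows more data than allowed to be read") comes down to one missing length check. The Python below is an added example, not code from the talk or from OpenSSL: it models the RFC 6520 heartbeat layout on constructed record bytes, shows what an unchecked read returns when the record sits next to other data, and implements the check that the fix added. The names `build_heartbeat`, `parse_heartbeat`, `parse_heartbeat_unchecked`, `is_malformed` and the `NEIGHBOURING_DATA` buffer are all mine.

```python
"""Heartbeat length validation: the check whose absence was Heartbleed.

Added example, not from the talk or from OpenSSL. Models the RFC 6520 message
layout on constructed bytes:

    type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEADER_LEN = 3      # type + payload_length
MIN_PADDING = 16    # RFC 6520 minimum padding

# Constructed stand-in for whatever happened to sit after the record in
# process memory (session keys, other clients' data, ...).
NEIGHBOURING_DATA = b"[neighbouring-memory-contents]"


@dataclass
class Heartbeat:
    msg_type: int
    payload: bytes


class MalformedHeartbeat(ValueError):
    """Declared payload_length does not fit inside the received record."""


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. claimed_length lets a test record lie about
    its payload size, which is the malformed input the check has to catch."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def parse_heartbeat_unchecked(arena: bytes, record_len: int) -> Heartbeat:
    """Pre-fix logic: copies payload_length bytes starting at the payload and
    never consults record_len, so bytes past the record come along. `arena` is
    the buffer the record lives in; only its first record_len bytes are the record."""
    msg_type, payload_length = struct.unpack("!BH", arena[:HEADER_LEN])
    return Heartbeat(msg_type, arena[HEADER_LEN:HEADER_LEN + payload_length])


def parse_heartbeat(arena: bytes, record_len: int) -> Heartbeat:
    """Fixed logic: header + declared payload + minimum padding must fit inside
    the received record, otherwise the message is discarded. RFC 6520 says to
    drop it silently; here that is surfaced as an exception so callers can count it."""
    if record_len < HEADER_LEN + MIN_PADDING:
        raise MalformedHeartbeat("record shorter than header plus minimum padding")
    msg_type, payload_length = struct.unpack("!BH", arena[:HEADER_LEN])
    if HEADER_LEN + payload_length + MIN_PADDING > record_len:
        raise MalformedHeartbeat(
            f"payload_length {payload_length} exceeds record of {record_len} bytes")
    return Heartbeat(msg_type, arena[HEADER_LEN:HEADER_LEN + payload_length])


def is_malformed(arena: bytes, record_len: int) -> bool:
    """True when the fixed parser would discard the record (an IDS-style signal)."""
    try:
        parse_heartbeat(arena, record_len)
    except MalformedHeartbeat:
        return True
    return False


def demo() -> Tuple[bytes, bool]:
    """An honest record parses. A record claiming 200 payload bytes while carrying
    3 makes the unchecked parser hand back neighbouring memory; the fixed parser
    rejects it. Returns (what the unchecked parser returned, fixed parser rejected?)."""
    honest = build_heartbeat(b"abc")
    assert parse_heartbeat(honest, len(honest)).payload == b"abc"
    bogus = build_heartbeat(b"abc", claimed_length=200)
    arena = bogus + NEIGHBOURING_DATA
    leaked = parse_heartbeat_unchecked(arena, len(bogus)).payload
    return leaked, is_malformed(arena, len(bogus))


if __name__ == "__main__":
    leaked_bytes, rejected = demo()
    print("unchecked parser returned neighbouring data:", NEIGHBOURING_DATA in leaked_bytes)
    print("fixed parser rejected the record:", rejected)
```

The point to take from it: the check is against the length the transport actually delivered, never against the length the peer declared. The same shape of bug recurs in any TLV parser, so the `is_malformed` count over received records is a cheap thing to expose as a metric on a TLS terminator.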
Breaches
Malware: ChewBacca, Dexter, BlackPOS
• Target – 70 million – 2013
• OPM – 21.5 million
• Premera BCBS – 11.2 million
• Community Health Systems – 4.5 million
• Anthem BCBS – 80 million
• Sony / Hacking Team
2015 Breaches Identified by the ITRC as of 8/11/2015
• Total Breaches: 5,500 approx.
• Total Records Exposed: 818,004,561
• Source: Identity Theft Resource Center
Backoff
DDoS
• Sony PlayStation – Lizard Squad
• Operation Ababil
• Las Vegas – Gaming Industry
• Israel
• DD4BC
• World Cup
Q1 2015 Compared to Q4 2014 (Akamai)
• 15% decrease in average attack time
• 35% increase in total DDoS attacks
• 42% increase in SSDP DDoS attacks (routers)
• 22% increase in application layer DDoS attacks
• 7% decrease in average attack bandwidth (170 Gbps)
• 37% increase in infrastructure layer DDoS attacks
Wiper Malware
• Shamoon – 2012
  – Attack on 30,000 Saudi Aramco workstations
  – Corrupts files and wipes devices
• South Korean Attacks – 2013
  – 2 banks, media company and insurance company
  – Patch systems targeted and used to infect
  – Wiped Windows, Linux and UNIX OS
• Las Vegas Casino – 2014
  – Wiped and destroyed files with VB bomb
• Sony – 2014
  – SMB Worm Tool: listening implant, backdoor, proxy tool, destructive hard drive tool, destructive targeted cleaning tool, network propagation wiper
  – Financial data destroyed, financial system still inoperable – asks for delay in filing
The Media and Vendors
Malvertising, Watering Holes
Syrian Electronic Army
Media / Vendor Spin Incidents
• Heartbleed / OpenSSL
• Hedge Fund Attack – BAE
• Russians Attack Financial System
• Russians Hack 1.4 Billion Passwords – Hold Security
Other Threats
• Call Center – Phishing
• Mobile
• Social Media – Sony Executive on American Airlines
• Industrial Control Systems – Havex
• Espionage – VirusTotal testing for malware
Case Studies
DDoS – DD4BC
Since April 2015
• From: DD4BC Team <d4bct[AT]gmail[.]com>
• Subject: DDOS ATTACK
• Size: 500 Mbps to 50 Gbps
• Duration: Up to 1 hour
• Ransom Demand: 25–40 BTC
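The From, Subject and ransom details on the DD4BC slide are enough for a first-pass mail filter in a SOC. The Python below is an added example, not tooling from the talk or from any ISAC: it parses a message with the standard library, scores the slide's indicators (sender address, sender display name, subject line, a BTC demand) and reads the demanded amount so it can be compared with the 25–40 BTC range the slide reports. `triage`, `extract_ransom_btc`, the `MIN_INDICATORS` threshold and both sample messages are my constructions; only single-part text/plain mail is handled.

```python
"""Triage of DD4BC-style DDoS extortion e-mail (added example, not part of the talk).

Indicators are the ones on the slide: sender display name and (defanged)
address, the subject line, and a ransom demand in the 25-40 BTC range.
Only single-part text/plain messages are handled.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

# Slide values. The address is defanged on the slide and re-fanged here purely
# so it can be compared with a parsed From: header.
CAMPAIGN_SENDER = "d4bct[AT]gmail[.]com".replace("[AT]", "@").replace("[.]", ".")
CAMPAIGN_NAME = "dd4bc"
CAMPAIGN_SUBJECT = "ddos attack"
RANSOM_RANGE_BTC = (25.0, 40.0)
MIN_INDICATORS = 2  # a lone BTC figure (an exchange receipt) must not trip this

BTC_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:btc|bitcoins?)\b", re.IGNORECASE)


def extract_ransom_btc(text: str) -> Optional[float]:
    """Largest BTC figure in the text, or None when there is none."""
    amounts = [float(m.group(1)) for m in BTC_RE.finditer(text)]
    return max(amounts) if amounts else None


def triage(raw_message: str) -> Dict[str, object]:
    """Score one raw RFC 822 message against the campaign indicators."""
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""

    indicators: List[str] = []
    if address.lower() == CAMPAIGN_SENDER:
        indicators.append("sender-address")
    if CAMPAIGN_NAME in name.lower():
        indicators.append("sender-name")
    if CAMPAIGN_SUBJECT in subject.lower():
        indicators.append("subject")
    ransom = extract_ransom_btc(body)
    if ransom is not None:
        indicators.append("btc-demand")

    in_range = ransom is not None and RANSOM_RANGE_BTC[0] <= ransom <= RANSOM_RANGE_BTC[1]
    return {
        "extortion": len(indicators) >= MIN_INDICATORS,
        "indicators": indicators,
        "ransom_btc": ransom,
        "in_campaign_range": in_range,
    }


# Constructed messages for the demo; not real traffic.
SAMPLE_EXTORTION = """\
From: DD4BC Team <d4bct@gmail.com>
To: noc@example-bank.test
Subject: DDOS ATTACK
Content-Type: text/plain

Demand: 30 BTC. A test run of 500 Mbps was sent this morning.
"""

SAMPLE_BENIGN = """\
From: Billing <billing@exchange.example>
To: user@example-bank.test
Subject: Your receipt
Content-Type: text/plain

Your purchase of 0.5 BTC has completed.
"""


if __name__ == "__main__":
    for label, sample in (("extortion", SAMPLE_EXTORTION), ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample))
```

The sender address is the weakest of the four indicators, since a campaign can rotate mailboxes freely; the subject line and the amount-in-range check carry more weight, which is why the verdict needs two indicators rather than any single one. In a real pipeline the verdict would feed an alert to the NOC so the "test run" traffic the slide describes (500 Mbps and up, under an hour) is correlated with the mail rather than investigated separately.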
United / NYSE
• NYSE – July 8, 2015: 11:32am; 11:45am chatter; Noon definitive word
• UNITED – 8:26am: Reservation System
United Parcel Service
• USSS, NCCIC, FS-ISAC – Collaborate to release malware analysis and risk mitigation recommendations
• Shared with Retailers Association
• UPS detected and used to mitigate malware
Questions