Introduction to Cyber Threats: current status, perspectives and reflections in Brazil
Adriano Mauro Cansian
Agenda
- New Cybernetic Global Order
- Cyber threats.
- The present and future threat scenarios.
- The scenario in Brazil.
- Final Considerations.
Intro
– IT governance.
– Strategy.
– Preparation.
Contemporaneity
“Few if any contemporary computer security controls have prevented a [red team] from easily accessing any information sought.”
“The almost obsessive persistence of serious penetrators is astonishing.”
“Espionage over networks can be cost-efficient, offer nearly immediate results, and target specific locations ... insulated from risks of internationally embarrassing incidents”
“The market does not work well enough to raise the security of computer systems at a rate fast enough to match the apparent growth in threats to systems.”
(Quoted sources dated 2013, 2012, 2010 and 2009.)
Photo credit: “Rising from the Underground” by Damien Thorn, originally appeared in Nuts & Volts Magazine, March 1994.
– “Legion of Doom” (LoD)
– “Masters of Deception” (MoD).
– 9 May 1990: strikes against LoD & MoD.
29 Dec 1998
7 Aug 1998
7 Jan 1999 – http://bit.ly/Hqp9Oq
….
“The signatories to this statement are asking hackers to reject all actions that seek to damage the information infrastructure of any country. DO NOT support any acts of "Cyberwar". Keep the networks for human progress.”
Signed (07-Jan-1999):
– 2600 http://www.2600.com/
– Chaos Computer Club http://www.ccc.de/
– Cult of the Dead Cow http://www.cultdeadcow.com/
– !Hispahack http://hispahack.ccc.de/
– L0pht http://www.l0pht.com/
– Phrack http://www.phrack.com/
– Pulhas http://p.ulh.as/
– Toxyn http://www.toxyn.org/
– Several members of the Dutch Hackers Community (contact Rop Gonggrijp, rop@xs4all.nl)
Seven Cyber { conflicts; events; facts }
Cuckoo’s Egg (1986)
– Lawrence Berkeley National Lab (CA)
– West Germany – Hanover
– selling the results of his hacking to the KGB.
Morris Worm (1988)
– Cornell University
– Hit 6,000 hosts on ARPANET.
– 1st Internet worm.
– http://en.wikipedia.org/wiki/Morris_worm
Eligible Receiver (1997)
– No-Notice Interoperability Exercise Program
government networks.
– U.S. Pacific Command computer systems as well as power grids and 911 systems in nine major U.S. Cities
Solar Sunrise (1988)
a well-known vulnerability in UNIX-based computer system.
existed.
– Exploited the vulnerability and entered the system; planted a program to gather data; and then returned later to collect that data.
– Two California high school students were arrested and pled guilty.
– Their mentor, an 18-year-old Israeli, was also arrested and indicted.
– http://en.wikipedia.org/wiki/Ehud_Tenenbaum
Moonlight Maze (1998 - …)
pattern of probing of computer systems at The Pentagon, NASA, US Dept. of Energy, private universities, and research labs that.
going on for nearly two years.
Buckshot Yankee (2008)
intelligence agency was left in the parking lot of a Department of Defense facility at a base in the Middle East.
States Central Command.
Operation Aurora (2009)
persistent threats such as the Elderwood Group based in Beijing, China, with ties to the People's Liberation Army.
– The attack began in mid-2009 and continued through December 2009.
Stuxnet (2009)
running on a Windows OS.
Iranian nuclear centrifuge by spinning
replaying the recorded system.
New Cybernetic Global Order
events that changed the way we deal with and understand cyber threats:
– Conficker (2008/2009)
– Stuxnet (2010)
– DuQu (2011)
– Flame (2012)
The Waters Divided
How and when things started changing
(Timeline figure: 2001 … 2011 … 2012 …)
The first turning point
Before 2001…
groups.
technical community, geeks, academy…
– It was very restricted.
– It was little about money and profit.
– But it was changing…
malware system.
both: hacked accounts and people.
Why 2001?
2001 web bank malware
– But laundering and crime process was quite complex.
– The gang started operating in the city of Parauapebas in Pará State.
First counter operations in Brazil
spread all over the country.
against organized cybercrime in Brazil:
– Operation Cash Net (2001),
– Operation Cavalo de Tróia I (2003),
– Operation Cavalo de Tróia II (2004),
– Operation Pegasus and Pegasus II (2005).
About 10 years without anything really new
– Steadily increasing criminal activities.
around the world:
– the more money that comes onto the net, the more criminal activity.
The Waters Divided
(Timeline figure: 2001 … 2011 … 2012 …)
The 2nd turning point
What changed around 2010? The end of the “announced death”
problem appears (like a worldwide worm attack) it was always an announced death.
– It means: the security community had already warned about the problem, and the vulnerability had been previously and openly disclosed, i.e. a “zero day” was announced.
So, what did change? A lot of things changed through the 2000-2010 decade.
– To discuss the new scenario, let's use the Stuxnet malware as an example to show the division of the waters and the turning point.
Stuxnet
– Discovered in June 2010.
Stuxnet initially spreads using MS Windows and targets Siemens SCADA industrial software and equipment.
targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems.
Stuxnet vs Iran
five Iranian organizations.
infrastructure.
Iranian president Mahmoud Ahmadinejad visits uranium enrichment facilities in 2008.
Picture taken on April 8, 2008. REUTERS / Presidential official website/Handout (IRAN).
Stuxnet innovations (1)
an unprecedented 4 undocumented vulnerabilities.
– Known as “zero-day exploits”.
Using four zero-day exploits is unusual, as they are valued.
– Attackers had never seen using more than
Stuxnet innovations (2)
– A PLC with malicious code.
Stuxnet innovations (3) - The PLC rootkit
ability to control real-life physical systems.
The attackers are capable of injecting code into industrial control systems and hiding that code from the designers and operators.
It gives the attackers full control over the day-to-day functionality of the physical system under attack.
Unnoticed threats
Experts initially estimated Stuxnet started spreading around March or April 2010.
Update - http://shar.es/jAdrD
Remembering Conficker
Conficker, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008.
– It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet.
– It is unusually difficult to counter because of its combined use of many advanced malware techniques.
Conficker infected millions of computers in over 200 countries, making it the largest known computer worm infection since the 2003.
Stuxnet & Conficker
Stuxnet also exploited a Microsoft Windows bug patched in 2008.
to devastating effect by the notorious Conficker worm in late 2008. So, nowadays it is possible to assert that Conficker was a testbed for Stuxnet.
After Stuxnet (timeline figure; axis: Time)
Duqu
Stuxnet.
– As we saw, Stuxnet was designed to sabotage industrial control systems.
control capabilities, and sophisticated keylogging and spying tools.
– It seems to be intended to infiltrate and gather sensitive information.
– Possibly for use in a future attack of another kind.
http://www.pcworld.com/article/242114/duqu_new_malware_is_stuxnet_2.html
"Stuxnet and Duqu Part of Larger Cybermalware Campaign"
Flame: the tool “after” DuQu (1)
individual modules. It can perform a variety of malicious actions, most of which are related to data theft and cyberespionage.
programming language that's highly uncommon for malware development.
– Lua is often used in the computer gaming industry.
Flame: the tool “after” DuQu (2)
complex. Its creators used domain names registered with fake names to communicate with infected computers in the Middle East for at least four years (24 domains registered since 2008).
using a spoofed Microsoft digital certificate.
– A technique used by Stuxnet, using a sophisticated cryptographic attack method.
http://bit.ly/QWQexh
Shared code indicates Flame and Stuxnet creators worked together
(2007 ??), the Flame platform already existed.
– Its creation is believed to date from summer 2008, and it already had a modular structure.
The Stuxnet code of 2009 used a module built on the Flame platform.
– Probably created specifically to operate as part of Stuxnet.
platform continued independently from Stuxnet.
You got the idea:
Cybersecurity Landscape.
– Complex code.
– Using undocumented vulnerabilities.
– Coordinated actions & long preparation.
– Spreading quietly for some time beforehand.
– Lots of investment and knowledge.
– Developed by well-financed team(s).
Where we are:
Now that it is understood there are new threats, let's understand how to view the new scenario.
What is needed in order to carry out a cyber attack?
Vulnerabilities are related to:
– Hardware;
– Software;
– Peopleware.
Access is related to:
– Configuration;
– Communication channels;
– Media operators;
– Financial support.
Payload is related to:
… the load effect of an attack that has been delivered to a target.
Elements of a cyber attack payload:
Elements of an indirect cyberattack. The indirect effects are, most often, the main objective of a cyber attack.
– Example: an attack on software running
appliance forever.
target is the generator.
The analysis of a cyber attack
If possible, it should be based on:
responsible for a cyber attack;
– The goal is to assign an attack to a source through technical means, based on information provided by the cyber attack itself.
The problem with attribution is…
Attribution helps to define the intent. HOWEVER ... if the counterparty has no stated intentions, it will be virtually impossible to determine the intent with reliability.
So, the problem really is…
Determining intent and attribution is often complicated, and improperly biased, by lack of information.
Where we are:
The threat scenarios
What are the most important and most challenging threats related to technological developments?
Technological developments and threats:
Cloud computing: ten out of the ten biggest problems in the security area involve cloud computing.
http://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
Technological developments and threats:
doorways for cyber-crime and cyberespionage.
completely new to technology and totally ignorant about online self-security.
Social Media Usage Increases Risk of Malware
The threat scenarios
future we should be aware of:
– Cloud computing.
– IoT.
– Social Networks (People & Systems).
Where we are:
And what about Brazil?
The scenario in Brazil
infrastructure in Brazil is not quite different from the rest of the world.
has been “poked” all the time.
less prepared to react.
June 2011 attacks over Brazil
government websites and the disclosure
ranking politicians claimed by hacking group LulzSec is part of a string of cyber attacks that have taken place in Brazil.
– This is considered the largest cyber offensive in Brazilian history.
Brazil concerns
cyber attacks on Brazil critical infrastructures.
Brazil CDCiber unit - 2011
cyber defense unit staffed by the Armed Forces to protect the country’s critical infrastructure and enable the mitigation of cyber attacks.
– Run by the Institutional Security Office (GSI), the body responsible for security measures in the Brazilian federal public administration.
But…
Security and Defence Agenda (SDA) released their Global Cyber Defense Report.
– The report examines the current state of cyber-preparedness around the world.
– It was created to help governments and
defense compares to other countries and
But…
the bottom of the international league for cybersecurity, ranked alongside Romania and India, with Mexico being the only major country to be even worse.
– In short: Brazil does not have the IT security it needs.
Agenda
Final Considerations
Considerations
many ramifications;
– We must have a holistic vision.
as single player responsibility.
Considerations
issue of defense.
integrated inter-relationships among the areas of critical infrastructure constituents in a country.
adriano@acmesecurity.org