Welcome to Track4Techs #ChannelCon16
A Foundational IT Framework
Infrastructure Development Security Data
Sorting Through Security Threats
Threat                                                   Moderate  Serious  No Change /     More
                                                         Concern   Concern  Less Critical   Critical
                                                                            Today           Today
Malware (e.g. viruses, worms, trojans, botnets, etc.)    37%       50%      51%             49%
Hacking (e.g. DoS attack, APT, etc.)                     38%       49%      54%             46%
Privacy concerns                                         36%       45%      62%             38%
Data loss/leakage                                        42%       40%      66%             34%
Social engineering/Phishing                              41%       38%      58%             42%
Understanding security risks of emerging areas           43%       36%      61%             39%
Lack of budget/support for investing in security         34%       34%      72%             28%
Physical security threats (e.g. theft of a device)       42%       33%      71%             29%
Regulatory compliance                                    37%       32%      75%             25%
Intentional abuse by insiders, i.e. staff, contractors   35%       31%      75%             25%
Human error among general staff                          51%       30%      74%             26%
Enforcement of company security policy                   38%       29%      74%             26%
Formal risk assessment                                   46%       28%      73%             27%
Human error among IT staff                               41%       27%      80%             20%
Basic Malware Analysis Workshop
Ian Trump, SolarWinds
• Ian Trump, CD, CPM, BA, CEH is Security Lead at LOGICnow working across all lines of
business to define, create and execute security solutions and promote a safe, secure
Internet for enterprises world-wide.
• 1989 to 1992 Canadian Forces (CF), Military Intelligence Branch
• 2002 to 2013, CF Military Police (Reserves), retired as a Public Affairs Officer in 2013.
• 2009 to 2010, Royal Canadian Mounted Police, Criminal Intelligence Analyst.
• 2010 Founding Partner and CTO Octopi Managed Services Inc. (OMS).
Ian Trump @phat_hobbit
• Global Security Lead for LogicNow.
• Malware connoisseur and aficionado.
• First Home in Edinburgh, Scotland.
• Second Home in Terminal 5, Heathrow.
• Third Home in Winnipeg, Manitoba.
Snapshot of American Cyber Crime 2015
By Victim Top 4
1. Non-Payment/Non-Delivery
2. 419/Overpayment
3. Identity Theft
4. Auction
Snapshot of American Cyber Crime 2015
By Loss Top 4
1. Business Email Compromise
2. Confidence Fraud/Romance
3. Non-Payment/Non-Delivery
4. Investment
Combating the FUD
When reporting and discussing the scale and impact of malware and cyber crime in general:
Move away from sensationalism.
Move away from the consequence of breach.
Who is not as important as how.
Compromise indicators are more important than financial costs.
Data derived from large enterprise is not relevant to SMB/SME.
We need a standards-based score card free from disclosure litigation.
How to Find Exploits & Payloads
Of 800 sites dedicated to distributing stolen movies and television shows, 33% of the content theft sites contained malware.
Consumers are 28 times more likely to get malware from a content theft site than on similarly visited mainstream websites or licensed content providers.
45 percent of the malware was delivered through so-called “drive-by downloads” that invisibly download to the user’s computer—without requiring them to click on a link.
Email Threats
789% increase in phishing email campaigns in the first three months of 2016 compared to the last quarter of 2015, due primarily to a ransomware upsurge.
2016: an unprecedented rise in encryption ransomware attacks, with no sign of this trend abating.
Individuals, small- and medium-sized businesses, hospitals, and global enterprises are all faced with the reality that this is now one of the most favored cyber criminal enterprises.
In Q1 2016 93% of Phishing Emails Contain a Ransomware Payload
Payload
Bypassed Mail Protection
Bypassed Office 365 Mail Security
Bypassed Bitdefender MAV
Web Protection Not Effective
Fully Patched and Updated Machine
Admin Rights removal would prevent (maybe – priv escalation)
Bypassed Sophos Firewall
An American Workstation
A Malware Marketing Plan
April 2016 Zero Day Initiative released two advisories ZDI-16-241 and ZDI-16-242 detailing two new, critical vulnerabilities affecting QuickTime for Windows.
Because Apple is no longer providing security updates for QuickTime on Windows, these vulnerabilities are never going to be patched.
QuickTime for Windows now joins Microsoft Windows 2K3 & XP and Oracle Java 6 as software that is no longer being updated to fix vulnerabilities and subject to ever increasing risk as more and more unpatched vulnerabilities are found affecting it.
Not under active attack, yet...
Ransomware Marketing
The ransomware market ballooned quickly, reportedly from a $400,000 US annual haul in 2012 to nearly $18 million in 2015.
The average ransom—the sweet spot of affordability for individuals and SMBs—is about $300, often paid in cash vouchers or Bitcoin.
Free Pen Test Service?
Test your defenses.
Malware is Not Magic
Malware needs to:
1. Exploit a system vulnerability or user vulnerability for access
2. Install some code in system memory
3. Modify the registry or WMI for persistence
4. Generate network traffic to a C & C node
5. Possibly drop file(s) onto the system
6. Run an encryption process against your files
If it is not doing any of the above, it is not malware.
Kill Chain Analysis
Exploits
Build Zero Day
Reverse a Patch
Patch comes out, see what it fixes.
Reverse engineer patch to break what it fixes (exploit).
Build and test remote code exploit package.
Sell to cybercrime botnet herders in the underground.
Botnet spear-phishes, spam/phishes or conducts automated attacks.
Profit.
Exploit Kit 4 Sale Cheap
In June, the Neutrino Exploit Kit was pushing an exploit for CVE-2016-0189, a vulnerability that was reportedly used in targeted attacks on South Korean organizations earlier this year.
Microsoft fixed the vulnerability, which affects Internet Explorer’s scripting engines, in May.
Malvertising and ransomware campaigns have pivoted towards kits like RIG and Neutrino.
Angler and Nuclear are dead.
Neutrino dropping CryptXXX accounted for 75 percent of observed exploit kit traffic, while another 10 percent combined of Neutrino and Magnitude traffic was dropping Cerber.
Exploit Mitigation
Reduce Attack Surface
Remove Administrative Rights
GPOs, Free Software & User Awareness Training
http://www.thirdtier.net/ransomware-prevention-kit/
The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited.
Bitdefender anti-malware researchers have released a new vaccine tool which can protect against known and possible future versions of the CTB-Locker, Locky and TeslaCrypt crypto ransomware families.
http://download.bitdefender.com/am/cw/BDAntiRansomwareSetup.exe
User Awareness Training
https://www.dhs.gov/stopthinkconnect
The Stop.Think.Connect. Campaign is a national public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online.
https://www.fcc.gov/cyberplanner
In October 2012, the FCC re-launched Small Biz Cyber Planner 2.0, an online resource to help small businesses create customized cybersecurity plans.
https://securingthehuman.sans.org/security-awareness-training/overview
Comprehensive and customizable
Payload
Example Payload
CryptXXX 3.100 can still cause significant downtime by encrypting files on network shares.
Infected machines scan the /24 subnet of their local area network (LAN) in search of MS Windows shared drives.
CryptXXX downloads a DLL which acts as a credential stealing module.
StillerX appears to be fully-featured and targets the credentials of a wide range of applications from poker software to Cisco VPN credentials.
The following is a partial list of targeted data:
Browser data (history, cookies, stored credentials)
Dialer credentials
Download manager credentials
Email credentials
FTP credentials
IM credentials
Poker software credentials
Proxy credentials
Remote administration software credentials
VPN credentials
WNetEnum cached passwords
Microsoft Credential Manager data
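The share-hunting behaviour described above (an infected host sweeping its own /24 for Windows shares) is something network logs can catch. The following is an added example, not code from the deck or its author: it reads a constructed Zeek/Bro-style connection extract (ts, src, dst, dst_port) and flags any host that reaches five or more distinct peers in its own /24 on TCP 445 inside a minute. The sample rows, the window and the threshold are assumptions.

```python
# Added example, not from the original deck: flag a host fanning out to many
# peers in its own /24 on TCP 445 in a short window, the share-hunting behaviour
# described for CryptXXX 3.100. Input is a constructed, Zeek/Bro-style
# tab-separated extract with columns ts, src, dst, dst_port.
import ipaddress
from collections import defaultdict

SAMPLE_CONN_LOG = """\
1469525685.10\t192.168.1.56\t192.168.1.1\t445
1469525685.30\t192.168.1.56\t192.168.1.2\t445
1469525685.55\t192.168.1.56\t192.168.1.3\t445
1469525685.80\t192.168.1.56\t192.168.1.4\t445
1469525686.10\t192.168.1.56\t192.168.1.5\t445
1469525686.40\t192.168.1.56\t192.168.1.6\t445
1469525700.00\t192.168.1.56\t203.0.113.10\t80
1469525710.00\t192.168.1.20\t192.168.1.10\t445
1469525711.00\t192.168.1.20\t192.168.1.10\t445
"""

def parse_conn_log(text):
    """Yield (ts, src, dst, dst_port) tuples, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split("\t")
            yield float(ts), src, dst, int(port)

def detect_lateral_smb_scan(records, window_s=60.0, min_peers=5):
    """Return {src: peers} for sources that reach >= min_peers distinct hosts
    inside their own /24 on port 445 within any window_s-second window."""
    per_src = defaultdict(list)                      # src -> [(ts, dst)]
    for ts, src, dst, port in records:
        if port != 445 or dst == src:
            continue
        local_net = ipaddress.ip_network(f"{src}/24", strict=False)
        if ipaddress.ip_address(dst) in local_net:
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # distinct peers touched in the window starting at this event
            peers = {d for t, d in events[i:] if t - t0 <= window_s}
            if len(peers) >= min_peers:
                hits[src] = max(hits.get(src, 0), len(peers))
    return hits

if __name__ == "__main__":
    print(detect_lateral_smb_scan(parse_conn_log(SAMPLE_CONN_LOG)))  # {'192.168.1.56': 6}
```

The second host (192.168.1.20) repeatedly talks to one file server and is correctly ignored; only fan-out to many distinct local peers trips the rule.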
SMP & MSP Global Threat
Confidential
Case Study: MSP Ransomware Payload
igfxpers.exe
7 / 54 2016-01-24 15:28:26 UTC
Case Study: MSP Ransomware Payload
igfxpers.exe
37 / 56 2016-05-31 15:28:26 UTC
Case Study: MSP Ransomware Payload
notigfxpers.exe
22 / 53 2016-07-26 09:54:45 UTC
Case Study: Ransomware Payload Analysis
3X.4X.1XX.8X – used as attack proxy <- hosting provider in a European country
Malware analysis revealed a Trojan which dates to 2012 and is not itself a crypto-locker. The Trojan is programmed to deliver a cryptolocker in the form of an executable payload from a purpose-built web server.
3X.4X.9X.1XX – used as the delivery server for the cryptolocker payload <- hosting provider in a different European country
Encryption key appears to be a “one time” key generated at time of infection.
Case Study: Ransomware Payload Analysis
8 20.538692 192.168.1.56 3X.4X.9X.1XX HTTP 291 GET /googde.php?ccc=R16M01D0_a7bac6_Koc8dhzAUpSN8BygjzdpL51CzOhpXOUdYAj1O8BT8BErzI8hZ3tGHXfHbJZ9i7BDcivYJOJs5zAhVxVIsgKyexrRpyRx4R7HJOMiA8uk3debBD3aLxB6LGzO5xIu3vYOD0lOm9J6r6cdEC7oUzUE8OPOn0E_1186__
Logs from infrastructure and service providers revealed the following:
IP Addresses used in the attack are from Germany, Netherlands, Hong Kong (VPN Provider?), Singapore (VPN Provider?), UK, Spain & Russia.
The Russian IP address was the origin of a great deal of spam from a ransomware campaign.
Investigation and evidence gathering continues. Some countries are cooperative; others, not so much.
Basic Malware Analysis Platform
Virtual Machine (VMware Player, Oracle VirtualBox)
Windows XP SP3 or Windows 7 (requires some config work)
Apps: Adobe Flash, Java, Silverlight, Adobe Reader (6 to 9 months out of date)
– unpatched MS Office viewers, with File Converters (docx, pptx, xlsx, etc.)
No AV installed (occasionally even Windows Defender may prevent shit)
Wireshark and Regshot installed
VirusTotal access
Payload Analysis
https://virustotal.com/en/ip-address/69.89.31.222/information/
Advanced Malware Analysis Platform
Cuckoo Sandbox - Throw any suspicious file at it and in a matter of seconds Cuckoo will provide you with detailed results outlining what the file did when executed inside an isolated environment.
Thug - is a handy tool for studying exploit kits, as it emulates a real browser complete with a set of plugins like Adobe Reader, Flash and Java.
Bro – is a powerful network analysis framework that is much different from the typical IDS you may know.
Volatility - is a tool for memory forensics. It's free and written in Python, so it runs well on both Windows and Linux.
IDA Pro - is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger
Methodology
Pre Phase
A. Upload suspect file to VirusTotal
Phase 1
A. VM snapshot
B. Regshot 1
C. Wireshark on
Phase 2
A. Infection
Phase 3
A. Regshot 2 & compare
B. Observe Wireshark traffic
C. Trace IP to host country
Post Phase
Restore VM from snapshot
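Phase 3A, "Regshot 2 & compare", as an added example that is not part of the deck and is not Regshot itself: two constructed registry snapshots (dicts of key -> {value name: data}) are diffed, and any value added or modified under common autostart keys is surfaced as a persistence finding. The sample key paths, the user profile path and the igfxpers Run value are constructed for illustration.

```python
# Added example, not from the original deck: a Regshot-style compare of a
# pre-infection snapshot ("Regshot 1") against a post-detonation snapshot
# ("Regshot 2"), keeping only changes under autostart locations. Snapshots are
# constructed dicts {key_path: {value_name: data}}; a real run exports them.
AUTOSTART_KEYS = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
)

BEFORE = {  # constructed "Regshot 1"
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {"OneDrive": r"C:\Users\u\OneDrive.exe"},
    r"HKCU\Software\Microsoft\Internet Explorer\Main": {"Start Page": "about:blank"},
}
AFTER = {   # constructed "Regshot 2", taken after detonation in the VM
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r"C:\Users\u\OneDrive.exe",
        "igfxpers": r"C:\Users\u\AppData\Roaming\igfxpers.exe",   # new autostart entry
    },
    r"HKCU\Software\Microsoft\Internet Explorer\Main": {"Start Page": "http://example.invalid/"},
    r"HKCU\Software\Classes\.crypt": {"": "CryptedFile"},
}

def diff_snapshots(before, after):
    """Return a list of (change, key, value_name, old, new) tuples."""
    changes = []
    for key in sorted(set(before) | set(after)):
        old_vals, new_vals = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old_vals) | set(new_vals)):
            old, new = old_vals.get(name), new_vals.get(name)
            if old is None:
                changes.append(("added", key, name, None, new))
            elif new is None:
                changes.append(("deleted", key, name, old, None))
            elif old != new:
                changes.append(("modified", key, name, old, new))
    return changes

def persistence_findings(changes):
    """Keep added/modified values whose key is a known autostart location."""
    return [c for c in changes
            if c[0] in ("added", "modified")
            and any(c[1].lower().endswith(k.lower()) for k in AUTOSTART_KEYS)]

if __name__ == "__main__":
    for change in persistence_findings(diff_snapshots(BEFORE, AFTER)):
        print(change)
```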
Selling Security Services in a Malware Filled World
Backup: One = Good; Two = Twice-as-Good
Selling Security Using Downtime & Loss
Calculate downtime:
Business’s Revenue Last Year * projected growth rate = Revenue Potential
Revenue Potential / 50 (weeks) = Revenue per Week
Revenue per Week / 5 (days) = Revenue per Day
Payroll Period / 15 days or 30 days = Payroll Cost per Day
Downtime Cost 1 = Payroll Cost per Day + Revenue per Day
But:
Selling Security Using Downtime & Loss
Revisit Revenue Potential
Business’s Revenue Last Year * projected growth rate = Revenue Potential
But, Interactions, “Retail’s Reality: Shopping Behavior After Security Breaches” reported that 12 percent of a retailer’s customers said they stopped shopping at that retailer after a breach; about 36 percent said they will shop at the retailer less frequently.
Revenue Potential -12% to -36% of Revenue Potential Lost = Downtime Cost 2
Total Downtime Cost = 1 + 2
Selling Security Using Downtime & Loss
Show the calculations for the business
Business’s Revenue Last Year ($250K) * projected growth rate 15% = Revenue Potential of $287,500.00
$287,500.00 / 50 = $5750.00 per week; / 5 = $1150.00 per day downtime
Payroll Period ($8K) / 30 = $266.00 per day downtime
Downtime Cost 1 = $1416.00 per day downtime
Revenue Potential of $287,500.00 x 15% = $43,125.00; / 50 = $862.00; / 5 = $172.50 per day downtime = Downtime Cost 2
Total: $1588.50 per day downtime
Would $800.00 per month be a decent price for this client?
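The downtime model above, written out as a function so the inputs can be changed per client. This is an added example, not from the deck: the 50-week, 5-day working year and the 12%-36% lost-customer range come from the slides, while the parameter names and the helper that sweeps that range are assumptions.

```python
# Added example, not from the original deck: the two-part downtime cost model
# from the slides as a function. Working weeks (50) and days (5) follow the
# slides; parameter names are this example's own.
def downtime_cost(revenue_last_year, growth_rate, payroll_per_period,
                  payroll_period_days, lost_customer_share):
    """Return a breakdown of per-day downtime costs.

    lost_customer_share is the fraction of revenue potential assumed lost to
    customers who leave or shop less after a breach (slides cite 12%-36%).
    """
    revenue_potential = revenue_last_year * (1 + growth_rate)
    revenue_per_day = revenue_potential / 50 / 5            # 50 weeks, 5 days
    payroll_per_day = payroll_per_period / payroll_period_days
    cost_1 = revenue_per_day + payroll_per_day               # Downtime Cost 1
    cost_2 = revenue_potential * lost_customer_share / 50 / 5  # Downtime Cost 2
    return {
        "revenue_potential": revenue_potential,
        "revenue_per_day": revenue_per_day,
        "payroll_per_day": payroll_per_day,
        "downtime_cost_1": cost_1,
        "downtime_cost_2": cost_2,
        "total_per_day": cost_1 + cost_2,
    }

def churn_range(revenue_last_year, growth_rate, payroll_per_period, payroll_period_days):
    """Total per-day cost at the 12% and 36% ends of the slides' churn figures."""
    return tuple(downtime_cost(revenue_last_year, growth_rate, payroll_per_period,
                               payroll_period_days, share)["total_per_day"]
                 for share in (0.12, 0.36))

if __name__ == "__main__":
    # The slides' worked client: $250K revenue, 15% growth, $8K payroll per
    # 30 days, 15% of revenue potential assumed lost.
    breakdown = downtime_cost(250_000, 0.15, 8_000, 30, 0.15)
    for name, value in breakdown.items():
        print(f"{name:>18}: ${value:,.2f}")
    print("12%-36% churn range per day:", churn_range(250_000, 0.15, 8_000, 30))
```

With the slides' inputs the unrounded total is $1,589.17 per day; the slides' $1588.50 comes from dropping the cents on the $266.67 and $862.50 intermediate figures.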
Selling Security Using Downtime & Loss
85 percent of retail-breach victims said they tell others about the incident.
34 percent complain on social media.
20 percent comment directly on the retailer’s website.
Customer notifications, investigations, restoration of services/data, increased marketing, PR costs, discounts to customers, cost of vendor relationships, lawsuits, fines & penalties, bank charge backs, increased CC processor fees, insurance premium increases, contractual penalties, implementation (frequently rushed) of new security measures, development (frequently rushed) of security policies and security procedures.
Layered Security Offering
Hosted Cloud Based Backup (BaaS)
User Awareness Training Program
Vulnerability Scanning
Patch & Update Systems & IoT Devices (PMaaS)
Harden Systems - Remove Admin/Restrict User Activities
Harden Systems - Reduce Attack Surface (Remove Flash)
Deploy Anti-Virus & Web Protection (Keep it up to date)
Deploy Mail Protection (MPaaS)
Be Prepared!
You Are Not Alone
End user security training support & program
Cybersecure www.cybersecure.org
Professional Security Certification program
Security+ https://certification.comptia.org/certifications/security
CASP https://certification.comptia.org/certifications/comptia-advanced-security-practitioner
Organizational Security Certification program
Security Trustmark+ https://www.comptia.org/standards/trustmarks
Regional Security Councils & Security Education Programs
IT Security Community https://www.comptia.org/communities/it-security
Cybersecurity jobs heat map https://www.comptia.org/about-us/newsroom/press-releases/2015/10/27/nist-funding-cybersecurity-jobs-heat-map-to-highlight-employer-needs-and-worker-skills
Resources
https://www.logicnow.com/ctg-ian
Conclusions
Soon, the Internet of Things will hold all things hostage, except love.
Hack All the IoT
PLAGUE
That is the virus. Leonardo da Vinci. The problem is we have twenty six ships at sea and we don't know which ones are infected.
DUKE ELLINGSON
Well then, put the ships' ballasts under manual control.
PLAGUE
There's no such thing anymore, Duke. These ships are totally computerized. They rely on satellite navigation, which links them to our network, and the virus, wherever they are in the world.
Mitigation Matrix
(matrix columns: WAN to LAN | End Point | End Point | LAN to WAN | End Point)
CIA – Layered Security
Security Best Practices + Security Services = Robust Layered Defence (12+)
Proactive Security Services
Reactive Security Services
Detective Security Services
Managed from one console
Hosted Services
Scalable Services
Things You Can Do
Thank You & QA
One of the few quirks of my military career was to convince the recruiter and command to partially fund a liberal arts degree in History, specifically Eastern European and Religious Studies, specifically Apocalyptic Studies of the non-zombie related kind. One could argue that knowing a little about the countries we may be fighting in/for and who the crazy-nut-bar-going-to-die-for-the-cause groups were may prove to be militarily useful.
– Ian Trump 2014
Coming in December
Live from HQ…A new continuing education event
for IT pros
Details/Call for speakers
coming soon
Up Next: 3:30 Enterprise Mobile Development
4:30 Wine Down Reception
Thank You