RSA Security Summit London April 2014 – Digital Fraud; Setting the Scene

Presentation by Stephen Nicholas from Deloitte titled;

Digital Fraud; Setting the Scene

Where consumers lead…

–          94% UK consumers have shopped online in the past year

–          16% year on year growth in online spend

–          UK supermarket: 10% of online revenue comes directly through its mobile app

–          83% UK consumers have banked online in the last year

–          £91bn online card spend in 2013

…Fraudsters follow

–          Identity theft and account take over

–          Card not present

–          False refund claims

–          Finance and credit card applications

–          2 in 3 organisations believe the risk of digital fraud has increased in the past 2 years

–          41% of organisations have experienced digital fraud attacks


What is driving this?

–          Few deterrents or penalties

  • Few convictions / prosecutions
  • Stolen funds rarely recovered

–          Sophistication and scale

  • Record volumes of attacks
  • Agility from fraudsters, responding to change and controls

–          Low barriers to entry

  • Commoditised supply chain
  • All components available as a service

The fraud supply chain and business model are very mature, with services, support, secure sites for buying and selling etc. all readily available.


What does this mean?

–          Loss of goods

–          Financial losses

  • £301 million 2013 UK fraud losses on remote card spend.
  • £41 million (Reported) 2013 online banking fraud losses.  Note – this is just the ‘reported’ (admitted to) amount. It is likely that the real number is a lot higher.
  • £105 million online losses suffered by retailers in 2013

–          Brand damage

–          Cost of security

–          Rejected business

–          Deterred business

  • 1 in 3 consumers stop doing business with those held responsible
  • 73% report that digital fraud is affecting their organisation’s ability to deliver new digital content / services


What are organisations doing?

–          92% view investment in fraud controls as a priority

  • But are we really investing in security and fraud?
  • What are your challenges in getting funding from the board? Examples include;
    • High costs
    • Unclear RTO
    • Organisation
    • Unsure on solutions
    • Impact


Final thoughts;

–          Do you know your threat landscape?

–          Do you know your controls – what is in place, how well is it working?

–          Would you know if you are attacked / breached?

–          Do you have understood action plans ready for when there is an attack or breach?

Basically, cyber crime / cyber fraud is getting more sophisticated, more organised and more frequent.  However, while businesses appear to be aware of the issues, and there are known, very large costs associated with them, most businesses are not yet making the changes needed to combat this.

How do we get better board and business engagement?

K

RSA Security Summit London April 2014 – InTh3Wild – The current state of cybercrime

Talk by Nick Edwards of RSA around the current state of cyber-crime titled;

InTh3Wild – The current state of cybercrime

Trends;

1.       As the world goes mobile, cybercrime will follow

Stats and facts around mobile;

2007 – Apple introduces the iPhone, Google unveils the Android OS

2013 – Jan – Apple hits 40 billion downloads, May – Apple hits 50 billion downloads

2012 – Android malware explodes

1 billion Android devices expected to have shipped by 2018

1 million Android devices currently activated / day

86% of all Android malware is repackaged versions of legitimate apps with malicious payloads

Focus of mobile malware; eCommerce, Online banking, Online trading.

–          Much of the effort is around harvesting credentials rather than trying to commit fraud via the mobile app – likely due to the limited functionality of many mobile apps

2012 – 300 million mobile bankers.

2013 – 530 million mobile bankers

71% of organisations allow their users to use their own mobile devices for company business

–          Even if you are using container technology, could credentials still be stolen?

–          What could be harvested from ‘screen scraping’?

Games are also a common vehicle for attacks;

–          Angry Birds Space had over 150 million downloads in the first two weeks

–          Only a very low percentage of people need to install a malicious version for the malicious user to have access to many compromised devices.

Phishing / SMiShing – SMS spoofing and phishing, such as sending texts that look like they come from your bank.

SMS sniffers that sniff and send your SMS details to the criminal

Voice – a recent Android Trojan can record phone calls – these have 2 purposes: harvesting information, and using your voice to fool biometric systems that rely on voice.

2.       Hacktivism

Political messages and defacements

DDoS and other malicious activities ‘for hire’

Trying to make hacktivism legitimate – e.g. Anonymous created a US ‘We the People’ petition to make DDoS a valid form of protest

Many different organisations such as Syrian Electronic Army (SEA), Anonymous, …

News sites as well as businesses are often targets

3.       Account takeover

Identity theft

Take over of online accounts such as Twitter, Facebook

Tools readily available for identity theft, such as Zeus plugin components.

–          Can alert when users of compromised machines try to log onto banking sites and perform transactions etc. in real time

–          Keeps records of the user’s history so the fraudster can answer questions around user behaviour etc. if prompted by customer services.

Security tools need to catch up with this to start dealing with these attacks that occur in real time

4.       Fraud as a Service

Cybercriminals increase effectiveness of fraud offerings

Ransomware – scare tactics around crime and child porn etc. to extort money from users

Ransomware – encrypts parts of or the entire computer and requires a ransom to decrypt

Call centre service – fake call centres set up to call customers with compromised machines – set up locally so they sound correct and have knowledge of the local banks etc.

Analytics – crimeware now has the ability to provide ‘big data’ type analytics around its use, distribution, numbers of infected machines etc.


2014 – sneak peek;

–          More sophisticated mobile malware

–          Generic malware for advanced attacks

–          Bitcoin’s popularity / demand makes it a target for theft

  • Digital currencies and issues with them to become more prevalent

–          Trojans get more sophisticated

–          More breaches

Mobile is huge, criminals continue to become more organised and sophisticated with very low barriers to entry into the market.

Security must catch up!

K


RSA Security Summit London April 2014 – Keynote 2

The second keynote today was given by Dave Martin, VP & Chief Security Officer – EMC.

Tales From The Front Lines: Actionable Strategies for An Intelligence-Driven Security Program

This was a pretty good talk, covering at a high level a lot of topics;

The gap continues to widen!

–          Business wants faster, more agile, cheaper

  • But ‘keep us safe’
  • IT is not the only partner
  • IT is having an identity crisis (the business can launch IT systems via SaaS / PaaS etc. without needing traditional IT involvement)
  • IT foundations are shaky

–          Technology change is relentless

  • Mobile, cloud, big data
  • Platforms, M&A

–          Changing compliance and standards

  • Privacy
  • Critical infrastructure

–          Attackers are getting smarter, sharing

  • Better at sharing than companies / law enforcement, especially across geographic and political borders
  • Training each other
  • Sold and free tools

Complexity will be the rule

–          Software defined Networks, data centres, everything!

–          Mobile really will be first – Pervasive access to everything, from everywhere, from everything

–          BYO… Device, Network, Data, Analytics, … Security

–          Commercial internet of things – everything from printers to vending machines want wired or wireless network and internet access.

Big is going to get bigger!

–          If you are not there already data is going to get big

  • Are you ready for this?

–          Traffic volume is going to get big

  • Can you build a big enough gateway?
  • Can you afford the internal bandwidth?
  • Will you see the traffic?
    • Will you be able to analyse and understand it??

You may hear that bandwidth is cheap, but can we scale it enough?

Monitoring and securing large bandwidth is not cheap – do your security and monitoring devices scale enough?

Can you really analyse and understand all the traffic?

What is normal?

What is abnormal / malicious?

How much traffic circumvents the main business gateways?  Users with 3G/4G modems, users working on their own devices connecting to cloud services?


The ‘Kill Chain’ now has a bad ending;

–          Recovering from a disruptive attack will mean going far beyond traditional resiliency

–          They will know your DR; failover is not enough!

–          How will you rebuild, restore when;

  • Your primary and DR are gone
  • 75% of your endpoints are gone
  • DNS? AD?
  • Data is corrupted / compromised and this corruption is replicated to the DR copies


Ways to stay ahead…

Or maybe how not to drown!

Establish core tenets;

–          Traditional weapons are not going to work

  • Don’t be the cavalry, those are tanks

–          Raise the bar and don’t make it easy

–          Prevention in small doses, detection is key

–          What gives you visibility makes you stronger (collect and analyse data)

–          When you detect, response is key (strong incident response process)

Be thoughtful and surgical;

–          Think closely about control decisions

  • What other behaviours are you encouraging or creating?
  • Are they worse than the original risk?
  • Carrots are more effective than sticks!

–          One size doesn’t fit all

  • Don’t boil the ocean
  • Perfection is a lost cause
  • How can we have the largest risk impact?
  • Target high value assets
    • Consider People, Process, Data, Geography
  • Largest population

Communicate and Educate;

–          Be transparent – let people know WHY

–          Make it personal

–          Do it often and with data

–          Business relationships

  • Change in the C suite
  • Power is shifting

Use leverage;

–          Our security teams are not growing!

  • ‘Trojan horse’ security projects;
    • SSO
    • Asset management
    • Change management
  • Embrace change – make sure we are involved in defining requirements and design of new areas such as;
    • Automation
    • Mobility
    • Software defined
      • Networks
      • Data Centre

Areas of Focus;

Identity

–          Provisioning and onboarding

–          Role management

–          Map identity and log streams

–          Profiling; map users to

  • Devices
  • Applications
  • Systems
  • Behaviours

Data

–          DLP isn’t the final word

–          Consider data bankruptcy

–          Focus on visibility and analytics

  • High value asset
  • Point of creation or storage
  • Visibility at the large endpoint

–          Contain where possible – mobile and virtual

–          Leverage master data management programs

  • Define data owners and criticality

–          Evaluate data categorisation technology

Customer Experience

–          They have many choices and security isn’t on their list

  • Offer enterprise versions of consumer services

–          Can you trade experience for visibility?

–          Provide for safe, open access

–          Leverage SSO to better map identity


Supply chain and third party risk

–          Understand supply chains

–          Enforce contracted policies

  • Network Access Control

–          Reduce access

  • Virtual desktops
  • Review privilege

–          Third party risk services

Incident detection and response

–          Single UI and alerting for visibility – feed in data from controls, and add context

Resiliency and Recovery

–          Non traditional DDoS targets

–          Table top based on known attacks

–          Threat model based on existing business impact analysis

These 2 keynotes were a great way to start the day’s presentations.

K

RSA Security Summit London April 2014 – Keynote 1

First keynote speech of the day, delivered by Brian Fitzgerald, VP RSA Marketing

Security Redefined: Managing risk and securing the business in the age of the third platform

1st platform – 1970s – mainframe / mini computer – Terminals – Very high level of IT control – Millions of users, thousands of apps.

2nd platform – 1990 – LAN / Internet, Client / Server – PC – High level of IT control – Hundreds of millions of users, tens of thousands of apps – IT controlled; Perimeter bound

3rd platform – 2010 – Mobile / Cloud / Big Data / social – Mobile devices – Low level of IT control (especially end points, and cloud hosted solutions) – Billions of users, millions of apps – User centric; Boundaryless


Increased complexity and less control increases the need for analytics and intelligence.  Moving more from control to governance.

A new security world – becoming increasingly difficult to secure infrastructure.

Must focus on what is persistent; ensure we have control and visibility of

  • People
  • Flow of data
  • Transactions

A new security approach is required;

–          Move from Prevention (signature based) to Detection (intelligence driven)

Intelligence is a game changer – much data that we do not consider ‘security data’ is or will become security data – key to identifying unusual behaviour in the environment.

RSA’s Focus Areas;

–          Advanced Security Operations; Detecting and stopping advanced threats

–          Identity and Access Management; Securing the interactions between people and information

–          Fraud and Risk Intelligence; Preventing online fraud and cybercrime

–          Governance, Risk and Compliance; Understanding and managing organisational risk

In short IT is becoming increasingly distributed and complex, while at the same time moving out of the direct traditional control of IT and Security.  We must move to improving our visibility and ability to analyse data, along with the incident response people and processes to back this up and deal with the inevitable breaches.

K

RSA Security Summit London April 2014 – Security Redefined

Today is a day out of the office at the RSA security summit in London.

The theme of the day is ‘Security Redefined’.

This is the concept of the ‘third platform’ of IT – billions of users, global locations, and many many devices accessing our systems.  We can no longer have the strong perimeter based security paradigm where we keep the ‘bad guys’ out, we need to have a security strategy based on detection and risk with the assumption that we can and will suffer compromises.

This is not a new concept, but it is good to hear the ‘security heavyweights’ (or larger, less agile firms, take your pick 😉  ) in the industry talking about this.

As usual I’ll be summarising and commenting on the keynotes and other presentations I attend today.

K

Verizon 2014 data breach investigations report preview

At the recent RSA conference Verizon shared a brief preview of their upcoming 2014 Data Breach Investigations report;


http://www.darkreading.com/attacks-breaches/verizon-shares-glimpse-into-upcoming-201/240166380


Basically, the long and short of it is that attackers are getting better and quicker, with 75% (or more) of attacks succeeding within days or less, while only 25% (or less) of the time do organisations discover the attack within a similar timeframe.

So attackers are getting into our networks very quickly and successfully, and we are still in general very bad at discovering the compromises until it is far too late.

This looks like a continuation of some of last year’s key messages: you will be breached, networks are complex and porous, and applications are still very vulnerable.  Detection is key, having the ability to quickly spot, and act on, indicators of compromise (IOC).  Security must improve its detective and response capabilities;

Cyber criminals keep getting better at what they do, and security is failing to keep pace.

What are your thoughts, how can we improve the situation?

One thing I often wonder about is the role of security in not only keeping up with the threat landscape and how to prevent (well reduce the likelihood of) breaches, and to ensure they are discovered, but to also communicate this to the wider IT and business teams.

How do we get the wider business and IT community to ‘get that security cannot be an afterthought’?

Across multiple different roles, much of my life seems to have been filled up with debates about what the minimum security requirements are, and what has to be done to scrape through regulatory audits.  The discussion should focus on what needs to be done to protect the data in our care.  Have you successfully moved this discussion on and changed a business’s culture to be focussed on how to deliver securely?

Some upcoming posts will cover both thoughts on how to deal with the evolving advanced threat landscape and advanced attacks, and also ways we can get security to have the right priority and focus – we don’t have to just deliver, we can deliver securely!

K

RSA Shell Crew investigation

I was recently asked to summarise and comment on the recent RSA investigation and published report into the ‘Shell Crew’ attacks, so thought I’d share this;

The Shell Crew attacks investigated by RSA IR are a clear example of what is usually referred to as APT (Advanced Persistent Threat) attacks. They were able to persist for considerable lengths of time in various enterprises, all the while covering their tracks and updating malware and backdoors.  During the time they were inside the various enterprises their aim was to exfiltrate as much data and intellectual property as possible.

They used a variety of techniques from phishing and spear phishing (extremely targeted phishing) to web application framework attacks to gain entry, and once inside used many techniques including;

–          Web shells

–          Lateral movement, making use of RDP, psexec, open network connections and job scheduling via the at command.

–          Code signing of backdoor malware so it installed without warnings

–          Utilising the SETHC (sticky keys) RDP backdoor

–          Proxy tools installed on servers to avoid corporate proxies

–          Proxy-aware malware that connected out using stolen credentials

–          Falsifying time and date stamps on malicious files

Prior to the attacks there were lengthy periods of reconnaissance of the businesses and their technical footprint.

Looking at the tools and techniques used, it appears they predominantly attacked Windows based systems.

The example detailed involved a hack of a web server running a vulnerable version of Adobe ColdFusion, where the vulnerability enabled directory traversal.  This enabled them to access the password file for ColdFusion, download it and crack it (likely with rainbow tables).  The next step was to download and install web shells, backdoor software and various password cracking and hashing tools onto the server.

Some take away points include;

  • Details of the exploit were clearly captured in the web server logs – highlighting the need for proper log correlation and alerting.
  • They logged into the web server with the Admin password within 10 minutes of stealing the hash – two-factor authentication should be used for web accessible accounts where possible.  If passwords must be used, a large salt must be added to the hashes.
  • Once they were on this server they quickly moved to control / access many other servers on the compromised network.
  • Various ‘entrenchment’ methods were used to ensure their presence was hard to remove, including;
    • They used various web shells, from simple one-line ones all the way to advanced ones with trojan-like capabilities. Web shells are malicious files written in web scripting languages.  They have some benefits over trojans: they are rarely detected by AV programs, they run within the web server so blend in with other traffic and are hard to block, and they have no need to beacon home.
    • Registering malicious DLLs so that the commands they ran were interpreted by the malicious DLL, making them harder to detect.
    • Modifying the System.Web.dll file (a core .NET DLL), enabling specifically crafted POSTs to the server that, without a # at the start, would just result in a 404 page.
    • Installation of custom variants of the ‘Trojan.Derusbi’ malware.  This monitors all open TCP ports on the server for a specific simple, but pseudo-random, handshake.  When it sees one it responds with a handshake.  The remote user can then control the trojan with various obfuscated commands.  These include file traversal, starting / stopping processes, uploading / downloading files, time stomping (deleting or modifying time stamp related information on files – this makes forensics more challenging), opening reverse shells, and locating and decrypting passwords stored in browsers such as IE and Firefox.
    • Sethc backdoor – replacing sethc.exe with cmd or explorer, or making a registry change to the sethc entry.  If RDP is enabled, connecting and then pressing SHIFT 5 times will bring up CMD, explorer, or the debugger.
  • On top of this they also downloaded a lot of other malicious files and ‘secondary tools’ including many variants of the Derusbi trojan, notepad.exe (actually multi-purpose malware including proxy capabilities, time stomping, user impersonation, Run As etc.), credential loggers etc.
  • The attack appears to target Windows Server 2003, 2003 R2 and XP variants – ensure you are using current versions of operating systems, and that they remain fully patched.
  • Obfuscation of code for the various malware tools was heavily used.  While it is often not complex to manually de-obfuscate the code, this technique helps malware avoid detection by automated tools and also means the code / scripts don’t look like code to the untrained eye if an admin or someone stumbles across them.
  • Credential capture / logging was attempted in various ways on compromised machines in the estate including; hash dumping (grabbing hashes then likely using rainbow tables to crack them), keystroke logging, MSGINA (MS Graphical Identification and Authentication – a key part of the MS logon process) man in the middle, and hooking into authentication functions.
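The point about the exploit being plainly visible in the web server logs is worth making concrete. The Python below is an added example, not code from the RSA report: it scans constructed access-log lines for (possibly encoded) directory-traversal requests and alerts when the same client then uploads a server-side script within a short window, the traversal-then-web-shell sequence the report describes. The log format, paths, client addresses and the upload heuristic are all assumptions.

```python
"""Spot directory-traversal requests in web server access logs and correlate
them with a follow-on script upload from the same client.  Added example,
not code from the RSA report: the log lines, paths and client addresses are
constructed (RFC 5737 documentation ranges) and the "traversal followed by
a POST/PUT of a script file" rule is a heuristic, not something the report states.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Common Log Format-style line: ip - - [time zone] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^ \]]+)[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S"
TRAVERSAL_RE = re.compile(r"\.\./")
# Server-side script extensions a dropped web shell would typically carry
SCRIPT_EXT_RE = re.compile(r"\.(cfm|cfc|jsp|asp|aspx|php)$", re.I)

# Constructed sample log: one client reads outside the web root with a
# single-encoded traversal, another probes with a double-encoded one, and
# the first client later PUTs a .cfm file onto the server.
SAMPLE_LOG = """\
198.51.100.23 - - [12/Apr/2014:02:14:07 +0000] "GET /admin/index.cfm HTTP/1.1" 200 5120
198.51.100.23 - - [12/Apr/2014:02:14:31 +0000] "GET /admin/view.cfm?file=..%2F..%2F..%2Fconf%2Fsecrets.properties HTTP/1.1" 200 418
192.0.2.10 - - [12/Apr/2014:02:15:02 +0000] "GET /images/logo.png HTTP/1.1" 200 9034
203.0.113.77 - - [12/Apr/2014:02:16:40 +0000] "GET /docs/..%255c..%255cwin.ini HTTP/1.1" 404 312
198.51.100.23 - - [12/Apr/2014:02:22:45 +0000] "PUT /admin/cache/x.cfm HTTP/1.1" 201 0
203.0.113.77 - - [12/Apr/2014:02:30:11 +0000] "POST /docs/help.html HTTP/1.1" 200 77
"""

def normalise(path):
    """Decode twice so %2e%2e%2f and %252e%252e%255c both surface as ../."""
    return unquote(unquote(path)).replace("\\", "/")

def parse(line):
    """Return a dict of fields for a log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["time"], TIME_FMT)
    return ev

def find_traversal(lines):
    """(ip, time, decoded path) for every request containing a traversal sequence."""
    hits = []
    for ev in filter(None, map(parse, lines)):
        decoded = normalise(ev["path"])
        if TRAVERSAL_RE.search(decoded):
            hits.append((ev["ip"], ev["time"], decoded))
    return hits

def correlate_upload(lines, window_minutes=30):
    """Alert when a client that sent a traversal request then POSTs/PUTs a
    script file within the window: (ip, traversal time, upload time, path)."""
    events = [ev for ev in map(parse, lines) if ev]
    alerts = []
    for ip, t_trav, _ in find_traversal(lines):
        for ev in events:
            target = normalise(ev["path"]).split("?")[0]
            if (ev["ip"] == ip and ev["method"] in ("POST", "PUT")
                    and SCRIPT_EXT_RE.search(target)
                    and timedelta(0) <= ev["time"] - t_trav <= timedelta(minutes=window_minutes)):
                alerts.append((ip, t_trav, ev["time"], ev["path"]))
    return alerts
```

Run `find_traversal(SAMPLE_LOG.splitlines())` to see both traversal probes, and `correlate_upload(...)` to see that only the client that followed its traversal with a script upload produces an alert.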

Overall this is a good, in depth report that really highlights both how easily an adversary can gain access to the corporate network, and how entrenched they can become across many servers in the network once they have a foothold.

Up to date, patched systems, defence in depth, and first rate logging, correlation and alerting are key factors in prevention and quick detection of breaches.

Detection and response are becoming increasingly important in a world where you will be compromised.

K