Operation High Roller was a dramatic change in the way cyber criminals went after their victims. This presentation will focus on the specifics of this attack against corporations, which was focused on small to medium sized organizations, the use of analytics to signal out the victims, and the advanced methodologies to hide the attack. Jeff will also discuss the need for specialization in the security marketplace and the need to ally yourself with other organizations as well as working with your General and Outside counsel to prepare for the inevitable battle.

1. Copyright © 2013. Accuvant, Inc. All Rights Reserved

2. Copyright © 2013. Accuvant, Inc. All Rights Reserved

3. Not Sci ence Fi ct i on

4. The Need f or a Secur i t y Al l y
Copyright © 2013. Accuvant, Inc. All Rights Reserved

5. Agenda
Accuvant:
• Who am I?
• Operation: High Roller
• Debrief
• Soldiers win the Battles, Allies win the wars
Tactics & techniques:
• Issues currently seen from the field
• Prediction time!
Conclusions
Copyright © 2013. Accuvant, Inc. All Rights Reserved

6. Jef f Dani el son
Computer Forensics specialist since 2003 and is a Security
Evangelist for a large national research-driven security partner.
Previously, Jeff was a Principal Solutions Consultant for a
leading Computer Forensics/eDiscovery and Cybersecurity
software solutions corporation as well as a lead investigator at a
Large financial services organization.
Certifications
•SANS GIAC Certified Forensic Analyst (GCFA)
•GIAC Certified Incident Handler (GCIH)
•EnCase certified Forensic Examiner (EnCE)
•EnCase certified eDiscovery Practitioner (EnCEP).
Copyright © 2013. Accuvant, Inc. All Rights Reserved

7. I n t he bl i nk of an eye

8. Oper at i on Hi gh- Rol l er
Copyright © 2013. Accuvant, Inc. All Rights Reserved

9. Ol d Tr i cks
The usual suspects:
Definition Spyeye: A proxyhorse A
Definition Zues: A Trojan Trojan
Definition Spear Phishing:
Man-in-the-Browser:
• Multiple Attack Strategies thattype that infectsinformationon a
Process of banking credentials for
horse to attack thatweb browser
steals harvest a focuses by
• Phish/Spear Phishing email online accounts and also initiateof
Man-in-the-browser keystroke
single user oradvantage
by taking department
logging and Form Grabbing. security
transactionswithin an organization,
vulnerabilities in person is logged
as a browser Zeus is
• Utilization of Past Malware
into their mainly through drive-by it
spread account, literally someone
to modify web pages, modify
addressed from making
• Zeus downloadswithin content or insert
possible to watch their bank in a
transaction the company
and phishing schemes.
• SpyEye First identified in by the second. inita
balance drop July 2007 of all
additional transactions, trust.
position when
was used to steal information from
completely covert fashion invisible
• Man-in-the-browser
the to bothStates Departmentweb
United the user and host of
Transportation application.
Non-patched systems was
the biggest culprit.
Copyright © 2013. Accuvant, Inc. All Rights Reserved

11. New Skewl
New and Improved:
Fraudulent Server: A server
Automation allowed repeated The
• Server-side components that interacts with the has been
client-side malware kills banking
thefts once the system the links
• Heavy automation launched at a portal to process
given bank or for a
to printable statements. It also
banking searches for and erases
the actual The account
platform. transaction
• Targeted to Large accounts (1M+ data is always updated confirmation
and current
balance) with heavy utilization. (including
emails and email copies of the
• Automated Bypass of Two-Factor
account login). Normally
statement. Finally, it also changes
Physical Authentication located in a crime-friendly ISP,
the transactions, transaction
and moved frequently.
values,
• Links and code are obfuscated
and account balance in the
• Small Population statement displayed on the victim’s
• Avoid Fraud Detection and Hide screen so the amounts are what
Evidence the
account holder expects to see.
Copyright © 2013. Accuvant, Inc. All Rights Reserved

13. Debr i ef
Fast Moving
Highly Knowledgeable of Banking processes
Focused and targeted
Hybrid Automation
• Spear Phishing
• Bank Account Usage Analysis
Highly Creative techniques, no new code.
The Focus is on small to medium-sized businesses and wealthy
consumers
Copyright © 2013. Accuvant, Inc. All Rights Reserved

14. A St or m I s Her e

15. W Secur i t y Consul t ant s?
hy
15 Copyright © 2013. Accuvant, Inc. All Rights Reserved

16. Sol di er s W n Bat t l es
i
• Specialists are key.
• Tools and Weapons
• “Thin and wide” vs “Deep and Narrow”
• Internal Battles should not be overlooked.
“Soldiers win the battle, the generals get the credit for
them”
-Napoleon Bonaparte
Copyright © 2013. Accuvant, Inc. All Rights Reserved

17. Al l i es W n The W
i ar
• Cyber Threat Intelligence
• Attribution “Who is attacking you”
• Regional and Vertical Partners
• Maturity of Weapons
• Can you
• Communicate Risk?
• Value of Weapons?
• Free or Commercial Intelligence?
• Be open to Trusted Advisors
• Get a good understanding of what is working, and what is
not in the industry
• Build a good relationship with local, state, and federal Law
Enforcement.
Copyright © 2013. Accuvant, Inc. All Rights Reserved

18. Debr i ef
Targeted Attacks increasing
• Red October Made popularin inthe 2012, Focused
Operation started2010, yetand was
First detected June recent believe
Discovered by in 2007 attacks
foundbe middle-eastInfiltrated over
on Twitter, Facebook andStuxnet
toon Dec 2012. 2009*, banking
in older than online Apple.
• Stuxnet records, capablefocused on nucleur
This attack of stealing
1K+ High level government
was aimed at Iran’s Natanz specific
• Watering Hole attacks datacomputers and likelyfocused
users browser habits and were
plant. Most was from a
such as passwords, banking
infected by malware Nation/State
credentials, cookiesdownloaded
specifically on government
and specific
• Gauss
when the user clicked on normally
esponiage, most likely from
configurations.
Hactivist groups, trusted links.
but could be
supported by a private firm or
rogue nation.
Current Global IT Security spend is 60 Billion
Visibility and Maturity of IT Security programs is necessary.
Everyone is now a target, not just highly visible targets.
Copyright © 2013. Accuvant, Inc. All Rights Reserved

19. Toget her a W W n*
Or have e i
Chance

20. I ss ues Seen i n t he Fi el d

21. I ssues
• Time
• Vet Security Partner (s)
• References
• External Vendors
• Vertical Professionals
• Why only one?
• Daily security vs Security projects
• Vice-versa
• Money
• Talk to the Asset owner
• Executive Buy-In program
• Threat Intelligence Report
Copyright © 2013. Accuvant, Inc. All Rights Reserved

22. Pr edi ct i ons f or 2013
• Legal will be put on “notice”
• IT Security will be brought under the Legal umbrella
• Fundamental Shifting
• The Bad Actors
• Containment
• Push to Pull
• Security is a Critical Business Function
2015 The Int ernet w l l no l onger be a ri ght , i t w l l
i i
be a pri vi l ege
Copyright © 2013. Accuvant, Inc. All Rights Reserved

23. Questions & Answers
Copyright © 2013. Accuvant, Inc. All Rights Reserved

24. Thank You
Jef f Dani el s on
Sec uri t y Evangel i s t
GCIH GCFA, EnCE, EnCEP
,
970- 407- 8307
j dani el s on@ Ac c uvant . c om
Copyright © 2013. Accuvant, Inc. All Rights Reserved

25. Copyright © 2013. Accuvant, Inc. All Rights Reserved

26. Copyright © 2013. Accuvant, Inc. All Rights Reserved

27. Copyright © 2013. Accuvant, Inc. All Rights Reserved

28. Copyright © 2013. Accuvant, Inc. All Rights Reserved

29. Copyright © 2013. Accuvant, Inc. All Rights Reserved