13. DoS & DDoS
Ukrainian Members of Parliament have had their mobile phones disabled due to IP-based attacks
Multiple Distributed Denial of Service attacks by Ukrainian hackers are directed at the Central Bank of Russia
DDoS attacks against governmental infrastructure
14. Logical attacks on ATMs in this area
Logical attacks on ATMs are on the rise in Russia and Ukraine
http://krebsonsecurity.com/wp-content/uploads/2014/10/ncrmalware.png/
15. Cyber arms race has started
A lot of cybersecurity knowledge is created in this region
http://www.tripwire.com/state-of-security/government/32-people-charged-for-one-of-the-largest-computer-hacking-and-securities-fraud-schemes-in-history/
+ Security start-up companies
+ International providers of CTI services create branches in this region to make use of the talents with professional skills
- New attack methods
- New threat actors
17. Cyber Threat Intelligence in action - example POS
Time to react improves with CTI
Time line 2014 – 2016, phases: Early warning → Preparation → Inflection Point

CTI provider warnings*)
• April 1, 2014 (Intel-134332): …Mexican actors modify POS terminals, installed in La Paz stores…
• November 11, 2014 (Intel-1344337): …French actors arrested for possession of skimming equipment…
• November 25, 2014 (Intel-1495303): …Actors selling skimming software targeting POS malware…
• April 22, 2015 (Intel-1549023): …Actor advertising POS terminal manipulation software…
• July 30, 2015 (Intel-1575086): …Observed increases in POS malware use in Australia…
• January 4, 2016 (Intel-1712383): …CTI provider suggests actors turning to POS malware over skimmers because it can increase profitability and security…
• May 30, 2016 (Intel-127504): …POS malware with RAM scraping functionality advertised in underground markets…
• June 15, 2016 (Intel-1877630)

Bank actions (Early warning, Preparation)
• Communicate “over the horizon” threats with business BoD & business executives
• Continued monitoring of new cyber crime threat tactics
• Assess existing controls vs. new POS related Tactics, Techniques & Procedures (TTPs)
• Build plan, develop budget
• Make budget request to match new threat reality
• Implementation of new controls (people, process, technology)
• Bolster protection, detection, and response capabilities

Inflection Point
• Attack hits the Bank
• Security starts mitigating

*) Real examples but date/threat actor names/locations have been changed
19. BlackEnergy attack – time line
2007: BE-1
2012: BE-2
2014: BE-3
April 2015
October 24-25: Media
December 2015: Energy
Still investigating / low chance of finding
https://socprime.com/en/blog/dismantling-blackenergy-part-3-all-aboard/
21. General CTI goals – Improve response gap!
How bad is it?
22. General CTI goals – Improve prevention gap!
Can we prevent this from happening again?
23. Subtypes of Cyber Threat Intelligence – Strategic
Deliverables: High-level reports on changing risk
Why we need it: Understand tendencies and new threats
Targeted at: Management, decision makers (CEO, COO, CRO, CSO, CISO, CIO, CFO, etc.)
24. Subtypes of Cyber Threat Intelligence – Strategic
Quality of strategic CTI reports: look at example reports and check whether they add value
• to update your security strategy
• to optimize your security budget planning and prioritization
Can the CTI provider customize the report to your business needs?
Are there strategic CTI reports on special security topics (e.g. ATM or POS)?
What preparation time does the analyst need?
What is the quality of your access to the analyst? Can the analyst speak the language of the financial business?
25. Subtypes of Cyber Threat Intelligence – Tactical
Deliverables: Attacker methodologies, tools, tactics, techniques and procedures (TTPs); Malware analysis; Incident reports
Why we need it: React to the exact threat
Targeted at: COO, CSO, CISO; Architects; Sysadmins
26. Tactical
What are the criteria to determine the cyber threat level? Can the provider map their criticality classes to your classification?
During the POC: could the historical data have warned of breaches of customer data or internal documents?
How is the information processed and analyzed? Is it really intelligence that you get?

CTI process: Data → Information → Intelligence → Dissemination → Action
Data sources: Detection data; Public source data; Commercial data; Operational environment
Collection: Sources validated for credibility and relevance
Information → Intelligence: Alternatives considered; Quality assurance; Accurate target group
Dissemination / Action: Stakeholder value; Collaboration; Leadership focused
Quality criteria of the intelligence: Usable/Actionable, Credible, Clear, Concise, Complete, Relevant, Timely, Accurate, Gaps understood
28. Subtypes of Cyber Threat Intelligence – Operational
Deliverables: Actionable information on a specific incoming attack from news sources, social media, chat rooms, business contacts, official sources, data breach notifications
Why we need it: Adapt risk analysis; React to the exact threat
Targeted at: Security officers; Security architects
29. Operational
Can you easily change the CTI provider?
Does the CTI provider support secure M2M communication for sensitive information exchange (both directions)?
Can you integrate the information exchange in your Security Management System?
(CTI Provider A, CTI Provider B, CTI Provider C)
30. Subtypes of Cyber Threat Intelligence – Technical
Deliverables: Attacker methodologies, tools, tactics, techniques and procedures (TTPs); Malware analysis; Incident reports
Why we need it: React to the exact threat
Targeted at: CISO; Architects; Sysadmins
31. Technical
What is the quality of the information provided?
• Data feeds (e.g. IOCs): are important fields in standard formats missing, or is the information in the wrong field?
• Is the information outdated or already publicly known?
Is your SIEM system capable of consuming the CTI data coming from the CTI provider?
Is there a possibility for information enrichment?
Is there content-based image recognition to protect the company's brands?
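The feed-quality questions above, together with the criticality-mapping question from slide 26 (can the provider's classes be mapped to yours?), can be turned into an automated intake check that runs before indicators reach the SIEM. The Python below is an added example written for this page, not tooling from the presenter, the CTI providers mentioned or RBI; the record layout, the field names, the provider severity labels, the internal P1–P4 classes and the 30-day staleness threshold are all assumptions, and the sample feed is constructed (RFC 5737 documentation addresses and an invented hash).

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Hypothetical minimal record layout; a real feed would arrive as STIX or a vendor format.
REQUIRED_FIELDS = ("type", "value", "first_seen", "severity")

# Assumed mapping of a provider's criticality classes to an internal P1-P4 scheme.
SEVERITY_MAP = {"critical": "P1", "high": "P2", "medium": "P3", "low": "P4", "info": "P4"}

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)


def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


# One syntactic check per indicator type: does the value belong in this field at all?
VALUE_CHECKS = {
    "ipv4": is_ipv4,
    "domain": lambda v: bool(DOMAIN_RE.match(v)) and not is_ipv4(v),
    "sha256": lambda v: bool(SHA256_RE.match(v)),
}


def check_indicator(record, now, max_age_days=30):
    """Return the list of problems found in one feed record (empty list = accepted)."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS
                if f not in record or record[f] in (None, "")]
    if problems:
        return problems
    itype, value = record["type"], str(record["value"]).strip()
    checker = VALUE_CHECKS.get(itype)
    if checker is None:
        problems.append(f"unknown indicator type: {itype}")
    elif not checker(value):
        # Typical feed defect from slide 31: an IP placed in the domain field, or vice versa.
        guess = next((t for t, c in VALUE_CHECKS.items() if c(value)), None)
        hint = f" (looks like {guess})" if guess else ""
        problems.append(f"value does not match type {itype}{hint}")
    try:
        first_seen = datetime.fromisoformat(record["first_seen"])
    except (TypeError, ValueError):
        problems.append("first_seen is not ISO 8601")
    else:
        if first_seen.tzinfo is None:
            first_seen = first_seen.replace(tzinfo=timezone.utc)
        if now - first_seen > timedelta(days=max_age_days):
            problems.append(f"stale: first_seen older than {max_age_days} days")
    if str(record["severity"]).lower() not in SEVERITY_MAP:
        problems.append(f"unmapped provider severity: {record['severity']}")
    return problems


def normalise_feed(records, now=None, max_age_days=30):
    """Split a feed into SIEM-ready records and rejected records paired with their reasons."""
    now = now or datetime.now(timezone.utc)
    accepted, rejected = [], []
    for rec in records:
        problems = check_indicator(rec, now, max_age_days)
        if problems:
            rejected.append((rec, problems))
        else:
            accepted.append({
                "type": rec["type"],
                "value": str(rec["value"]).strip().lower(),
                "internal_priority": SEVERITY_MAP[str(rec["severity"]).lower()],
                "first_seen": rec["first_seen"],
            })
    return accepted, rejected


# Constructed sample feed: every value below is invented for this example.
SAMPLE_FEED = [
    {"type": "ipv4", "value": "203.0.113.7", "first_seen": "2016-06-10T08:00:00+00:00", "severity": "high"},
    {"type": "domain", "value": "192.0.2.44", "first_seen": "2016-06-12T00:00:00+00:00", "severity": "medium"},
    {"type": "sha256", "value": "ab" * 32, "first_seen": "2015-01-04T00:00:00+00:00", "severity": "critical"},
    {"type": "domain", "value": "pos-update.example", "first_seen": "2016-06-14T00:00:00+00:00", "severity": "urgent"},
    {"type": "ipv4", "value": "198.51.100.9", "first_seen": "2016-06-14T00:00:00+00:00"},
]

# Fixed "today" so the staleness check gives reproducible results.
FIXED_NOW = datetime(2016, 6, 15, tzinfo=timezone.utc)


def demo():
    return normalise_feed(SAMPLE_FEED, now=FIXED_NOW)


if __name__ == "__main__":
    ok, bad = demo()
    print(f"accepted {len(ok)} record(s), rejected {len(bad)}")
    for rec, problems in bad:
        print(rec.get("type"), rec.get("value"), "->", "; ".join(problems))
```

The counts of rejected records per reason are the numbers to put in front of a provider during a proof of concept: a high share of wrong-field or stale entries answers the slide's first two questions, and an unmapped severity shows where the provider's classification does not line up with yours.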
32. Project Outcome: Creation of a CTI Competence Center
• CTI Competence Center in our Ukraine bank for RBI Group
• Improve maturity level in CTI in the group
• Maintain awareness of RBI NWUs about new and sophisticated targeted attacks and threats
• Support RBI NWUs in integrating CTI feeds to security systems (IOC Hub)
• Central overview of Cyber Threat Intelligence in the RBI Group
• Develop and establish CTI service governance process
33. If you are a global organization, use local advantages
34. CTI seen from the C-SUITE
1. Protect the company brands
2. Prioritize real threats relevant to the enterprise
3. Influence right budgeting and staffing
4. Prevent and predict evolving cyber threats
5. Effective cyber risk communications with top executives and board members by Security
6. Better focus for the CISO (more time to tackle the problems from a strategic and not from a reactive perspective)
Security Maturity Model: Ad Hoc → Opportunistic → Repeatable → Managed → Optimized
Predictions & prioritizations enabled by CTI
35. Reinhold Wochner, MSc., MBA
CRISC, CRMA, CISM, CGEIT, CISSP, CISA
speaker.wochner@web.de
Thank you
Editor's Notes
First malware-related power outage ever to be documented.
BlackEnergy had infected the networks of Prykarpattyaoblenergo and two other power companies.
More than 200,000 people lost power on 23 December 2015 in the BlackEnergy attack in the regional capital Ivano-Frankivsk.
Reports indicate the Ukraine attack was a well-coordinated attack. Tactics like flooding the customer service lines to prevent indication that power was lost have been used. It also included a range of tactics to distract operators.
BlackEnergy started to spread to other sectors with the potential to disrupt major business processes (e.g. discovered at the Borispol airport and in telecom networks).
https://www.recordedfuture.com/blackenergy-malware-analysis/
http://www.tripwire.com/state-of-security/latest-security-news/blackenergy-involved-in-targeted-attack-against-boryspil-airport-says-ukraine
Other Cyberattacks
Other attacks include hacking of electronic billboards or hijacking of CCTV cameras.
Major Cyber Attacks
March 17, 2014: VTB and Alpha banks' on-line banking services suffer major cyber attacks caused by a Caucasus hacker group. Those two banks are two of the largest Russian banks.
Carbanak
One billion USD have been stolen by cybercriminals from Russia, Ukraine and other parts of Europe, as well as from China.
Other Cyber Attacks
Since April 2015: Ratopak Trojan against Russian/Ukrainian financial institutions (80 % of targets in Russia, 10 % Ukrainian banks).
Attacks against mobile phones
Ukrainian Members of Parliament have had their mobile phones disabled due to IP-based attacks.
Attacks against governmental infrastructure
DoS and DDoS attacks against governmental infrastructure.
Attacks against military institutions in NATO countries
Targeted spear phishing attacks. According to Microsoft the attacker group sent out bogus “Privacy alert” emails, telling recipients that an attempt had been made to access their accounts from Ukraine, and they should change their password.
http://www.tripwire.com/state-of-security/security-data-protection/crimean-cyber-troubles-ramping/
http://www.tripwire.com/state-of-security/security-data-protection/strontium-microsoft-warns-of-hacking-gang-targeting-government-and-nato-workers/
http://www.bbc.com/news/world-europe-30453069