The document discusses modern cyber threats and how to combat them. It was presented by an ISACA panel. The panel covered identifying current threats like web 2.0 attacks, targeted messages, botnets, rootkits and data/identity theft. Specific threats discussed included Koobface worm, which spreads on Facebook, and spear phishing attacks. The panel also reviewed the top 10 botnets responsible for spamming and their characteristics. The panel advised on utilizing tools, techniques and tactics to identify incidents and determine network vulnerabilities.
Modern Cyber Threats and How to Combat Them Panel Discussion
1. Modern Cyber Threats and How To Combat Them
An ISACA Panel moderated by Todd Fitzgerald
Panelists: Jack Callaghan, R. Kinney Wiliams, Ramsés Gallego
2. Topics to be covered by this panel
1. Identify what threats are out there in the “wild”
2. Summarize the key steps to an incident identification
3. Utilize the tools, techniques, and tactics to combat threats
4. Determine what is really vulnerable in their network
3. Current Threats
• Web 2.0 and client-side attacks
• Targeted messaging attacks
• Botnets
• Rootkits
• Logic bombs
• Data theft
• Identity theft
4. Web 2.0 and client-side attacks
• Social network attacks – Twitter, MySpace, Facebook, LinkedIn, etc.
• Mashup technology
• Dynamically altering exploits on sites
• Embedded malware on legitimate sites
• 50K new malware samples per week – multiple vendors
5. Examples
• Mikeyy worm – Twitter – Apr 09
• Koobface worm – Facebook – Sept 09
• Security researchers – >60K pieces of malware on Twitter in 2009
• Phishing episodes through Facebook accounts – May 09
• Multiple legitimate sites with malware
6. Koobface Worm
• Koobface, an anagram of Facebook, is a computer worm that targets Microsoft Windows users of the social networking websites Facebook, MySpace, hi5, Bebo, Friendster and Twitter. Upon successful infection, Koobface ultimately attempts to gather sensitive information from the victims, such as credit card numbers. It was first detected in December 2008 and a more potent version appeared in March 2009.
• Koobface spreads by delivering Facebook messages to people who are 'friends' of a Facebook user whose computer has already been infected. Upon receipt, the message directs the recipients to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player. If they download and execute the file, Koobface is able to infect their system. It can then commandeer the computer's search engine use and direct it to contaminated websites. There can also be links to the third-party website on the Facebook wall of the friend the message came from, sometimes with comments like LOL or YOUTUBE. If the link is opened the Trojan will infect the computer and the PC will become a zombie or host computer.
7. Spear Phishing
• Targeting of a specific person or people
  – Uses fake email from a known person
    • Family member
    • Business associate
  – Almost always contains a key-logger Trojan
  – Used to retrieve
    • Corporate data
    • Financial data
    • Personal data
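The three spear-phishing traits on this slide (a "known person" whose address does not match, a reply path that goes elsewhere, and an executable payload) can be checked mechanically on a raw message. The triage script below is an added example, not part of the ISACA deck; the sample message, the contact list and the look-alike domains in it are constructed for illustration.

```python
"""Spear-phishing triage: flag the indicators the slide lists.

Added example, not part of the ISACA panel deck.  The message, the address
book and every domain below are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: display name of a known business associate, but the
# address is on a look-alike domain, Reply-To goes to a freemail account, and
# there is an executable attachment (the key-logger Trojan the slide warns of).
SAMPLE_MESSAGE = b"""From: Jane Smith <jane.smith@examp1e-corp.com>
Reply-To: jane.smith.mail@freemail.example
To: victim@example-corp.com
Subject: Updated Q3 figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Hi, please review the attached figures before the call.
--XYZ
Content-Type: application/octet-stream; name="Q3_figures.xls.exe"
Content-Disposition: attachment; filename="Q3_figures.xls.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""

# Assumption: the organisation keeps a list of the "known people" (family
# members, business associates) that spear phishers impersonate.
KNOWN_CONTACTS = {"Jane Smith": "jane.smith@example-corp.com"}

EXECUTABLE_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd|js|vbs|jar)$", re.I)


def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spear_phishing_indicators(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Display name of a known contact, but a different mailbox behind it.
    name, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_CONTACTS.get(name)
    if expected and expected.lower() != addr.lower():
        findings.append(f"display name {name!r} is known as {expected}, but From is {addr}")

    # 2. Replies silently routed to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {domain_of(addr)}")

    # 3. Executable attachments, by extension and by the PE 'MZ' magic.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if EXECUTABLE_EXT.search(fname):
            findings.append(f"executable attachment {fname!r}")
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            findings.append(f"attachment {fname!r} carries a PE (MZ) header")
    return findings


if __name__ == "__main__":
    for finding in spear_phishing_indicators(SAMPLE_MESSAGE):
        print("-", finding)
```

The display-name check is the one that catches the "fake email from a known person" case; filters that look only at the sender domain pass a look-alike such as examp1e-corp.com. Feed the function the raw bytes of a message from a mail gateway quarantine or a user report.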
9. Top 10 BotNets
• 1. Rustock (generating 43% of all spam)
  – The current king of spam; its malware employs a kernel-mode rootkit, inserts random text into spam and is capable of TLS encryption. Concentrates solely on pharmaceutical spam.
• 2. Mega-D (10.2%)
  – A long-running botnet that has had its ups and downs, owing to the attention it attracts from researchers. Concentrates mostly on pharmaceutical spam.
• 3. Festi (8%)
  – A newer spambot that employs a kernel-mode rootkit and is often installed alongside Pushdo on the same host.
• 4. Pushdo (6.3%)
  – A multi-faceted botnet or botnets, with many different types of campaigns. A major distributor of malware downloaders and blended-threat e-mails, but also sends pharma, replica, diploma and other types of spam.
• 5. Grum (6.3%)
  – Also employs a kernel-level rootkit. A wide range of spamming templates changes often, served up by multiple Web servers. Mostly pharma spam.
10. More Top 10 BotNets
• 6. Lethic (4.5%)
  – The malware acts as a proxy by relaying SMTP from a remote server to its destination. Mostly pharma and replica spam.
• 7. Bobax (4.3%)
  – Another long-running botnet that employs sophisticated methods to locate its command servers. Mostly pharma spam.
• 8. Bagle (3.5%)
  – The name derives from an earlier mass-mailing worm. Nowadays, Bagle variants act as proxies for data, and especially spam.
• 9. Maazben (2.0%)
  – By default, uses a proxy-based spam engine. However, it may also use a template-based spam engine if the bot runs behind a network router. Focuses on casino spam.
• 10. Donbot (1.3%)
  – Donbot is named after the string "don" found in the malware body. Mainly pharma spam.
11. Rootkits
• Usually a pinpoint focus on one target
• Hardcore, tech-driven attack
• Either ideology, embezzlement, or “getting back at” revenge driven
• Hard to isolate
• Harder to remove/clean up
• Definition from Greg Hoglund's book (Rootkits: Subverting the Windows Kernel):
  – "A rootkit is a set of programs and code that allows a permanent and undetectable presence on a computer."
12. Examples
• TDSS
• Gromozon
• Mebroot
• FU and FUTo
• Agony
• AFX
• MBR rootkits
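"Hard to isolate" on the previous slide is the practical problem: a kernel-mode rootkit of the kind the botnet slides mention answers the system's own questions dishonestly, so you cannot trust a single view of the host. The standard response is a cross-view check: obtain the same fact two ways and look for disagreement. The script below is an added example, not from the ISACA deck. It compares the process list that /proc reports (the readdir view a rootkit typically filters) against a brute-force probe of every PID with kill(pid, 0), and reports PIDs that exist but are not listed. The live collectors are Linux-specific; the comparison itself is pure.

```python
"""Cross-view hidden-process check (Linux).

Added example, not part of the ISACA deck.  Two views of the process table
are taken: the /proc directory listing and a direct kill(pid, 0) probe of
every possible PID.  A PID that answers the probe but is missing from the
listing is hidden from userland enumeration, which is what a rootkit that
hooks readdir/getdents produces.
"""
import os


def hidden_pids(listed, probed):
    """PIDs that answer a direct probe but are absent from the listing."""
    return set(probed) - set(listed)


def listed_pids():
    """View 1: what /proc enumerates."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def is_thread(pid):
    """kill() answers for thread IDs too, so exclude IDs whose Tgid differs
    from the ID itself.  An unreadable status file is *not* treated as a
    thread: the ID stays suspicious."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def probed_pids(max_pid=None):
    """View 2: ask the kernel about every PID directly.  kill(pid, 0) delivers
    no signal; ProcessLookupError means absent, PermissionError means present
    but owned by another user.  With the default pid_max this is a few million
    syscalls, so expect a few seconds."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if not is_thread(pid):
            found.add(pid)
    return found


def scan(max_pid=None):
    """Diff the two views, then re-probe each candidate once so a process that
    merely exited between the two snapshots is not reported."""
    candidates = hidden_pids(listed_pids(), probed_pids(max_pid))
    confirmed = set()
    for pid in candidates:
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if pid not in listed_pids():
            confirmed.add(pid)
    return confirmed


if __name__ == "__main__":
    print("hidden PIDs:", sorted(scan()) or "none")
```

A positive result means the host's own reporting cannot be trusted; the next step is offline examination of a disk image, which is why the incident-response slides later in this deck list an imaging tool. A rootkit that also hooks kill() will defeat this particular pair of views, so compare further sources (for example a network-side connection table against netstat) before concluding a host is clean.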
13. Logic Bombs
• Disgruntled employee syndrome
• Usually discovered after the employee leaves
• Very destructive
• Hard to detect before the first “bomb” is triggered
14. ID Theft methods
• Dumpster diving
• Online “phishing” – 11% only
• Stealing wallets/pocketbooks
• Home stealing
• Mailbox raiding
• Address fraud
• Pretexting
• Shoulder surfing
• “Vishing and smishing”
• Skimming
• Data breach
15. DDoS & Other Attacks
• The long-standing DDoS attack still works
• Targeted attacks going for detailed data retrieval are now occurring more frequently
• Sometimes attacks are open and intentional
  – Google issue with Pakistan from several years ago (the 2008 Pakistan Telecom BGP route hijack that took Google's YouTube offline)
16. Combating the Threats
• User awareness and training
• Incident response capability
• In-bound & out-bound filters at gateways
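The out-bound gateway filter is the one that catches the botnets on the Top-10 slides: Lethic, Rustock and the rest relay spam straight from the infected workstation, so an ordinary desktop opening outbound TCP/25 (or 465/587) connections to many external hosts is a strong infection signal. The script below is an added example, not from the ISACA deck. It reads iptables-style gateway log lines and reports internal hosts, other than the sanctioned relay, that are talking SMTP outbound. The log lines, the 10/8 internal range and the relay address 10.0.0.25 are constructed assumptions.

```python
"""Egress-filter log review for spambot activity.

Added example, not part of the ISACA deck.  The log format is the iptables
LOG target style (KEY=value pairs); the sample lines, the internal range and
the sanctioned relay address are constructed assumptions.
"""
import re
from collections import defaultdict

SANCTIONED_RELAYS = {"10.0.0.25"}   # assumption: the only host allowed to send mail out
INTERNAL = re.compile(r"^10\.")     # assumption: 10/8 is the internal range
SMTP_PORTS = {25, 465, 587}

# Constructed sample: the relay sends one message, workstation 10.0.5.17
# sprays several external mail servers, 10.0.5.40 is ordinary HTTPS traffic.
SAMPLE_LOG = """\
Jun 12 10:01:02 gw kernel: OUT=eth1 SRC=10.0.0.25 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=25
Jun 12 10:01:03 gw kernel: OUT=eth1 SRC=10.0.5.17 DST=198.51.100.9 PROTO=TCP SPT=49152 DPT=25
Jun 12 10:01:03 gw kernel: OUT=eth1 SRC=10.0.5.17 DST=198.51.100.10 PROTO=TCP SPT=49153 DPT=25
Jun 12 10:01:04 gw kernel: OUT=eth1 SRC=10.0.5.17 DST=198.51.100.11 PROTO=TCP SPT=49154 DPT=25
Jun 12 10:01:05 gw kernel: OUT=eth1 SRC=10.0.5.40 DST=93.184.216.34 PROTO=TCP SPT=49155 DPT=443
Jun 12 10:01:06 gw kernel: OUT=eth1 SRC=10.0.5.17 DST=198.51.100.12 PROTO=TCP SPT=49156 DPT=587
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Pull SRC/DST/PROTO/DPT out of one log line; None when they are missing."""
    f = dict(FIELD.findall(line))
    try:
        return {"src": f["SRC"], "dst": f["DST"], "proto": f.get("PROTO"), "dport": int(f["DPT"])}
    except (KeyError, ValueError):
        return None


def rogue_smtp_senders(log_text, min_destinations=1):
    """Map internal host -> set of external SMTP destinations, excluding the
    sanctioned relays.  Raise min_destinations to ignore a host that sent a
    single message and keep only hosts fanning out to many mail servers."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["proto"] != "TCP" or rec["dport"] not in SMTP_PORTS:
            continue
        if not INTERNAL.match(rec["src"]) or rec["src"] in SANCTIONED_RELAYS:
            continue
        hits[rec["src"]].add(rec["dst"])
    return {src: dsts for src, dsts in hits.items() if len(dsts) >= min_destinations}


if __name__ == "__main__":
    for src, dsts in rogue_smtp_senders(SAMPLE_LOG, min_destinations=2).items():
        print(f"{src} opened SMTP to {len(dsts)} external hosts: {sorted(dsts)}")
```

The log lines only exist if the gateway logs the traffic; the corresponding iptables rule is a FORWARD-chain LOG (and then REJECT) for `-p tcp -m multiport --dports 25,465,587` from every internal source except the relay. The same parser works for a proxy log once the key names are adjusted.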
17. Countermeasures
• Web 2.0 attacks detected via behavior-based protection methods (IDS/IPS like)
• Develop and implement IDS and IPS devices that understand scripting – similar to browsers
• Utilize filter feedback to improve filtering
• Develop user “distrust by default” on all incoming data (both Internet and e-mail based) until protection methods improve
18. Threat Analysis
• Examination for detailed evaluation
  – Significance
  – Type of malware
  – Probative value
  – Meets criteria for inclusion
• Interpretation is carried out separately
20. Types of Incident Response Tools Needed
• File system navigation tool
• Hashing tool
• Binary search tool
• Imaging tool
  – Bit copy
  – File system
• Deep retrieval tool
  – Bit level
  – File system
• File chain navigation tool
• Network log file analysis tool
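Three of the tool types on this slide (file system navigation, hashing, binary search) fit in one small script, and seeing them together shows how they are used in practice: walk a tree, hash every regular file against a known-bad list, and search file contents for a byte marker. The script is an added example, not from the ISACA deck. The known-bad set holds the SHA-256 of the text "hello\n" so the constructed sample tree triggers it; the marker searched for is the string "don" that the botnet slide cites for Donbot, and both are stand-ins for a real indicator feed.

```python
"""Minimal incident-response triage: navigate, hash, binary-search.

Added example, not part of the ISACA deck.  The known-bad hash, the marker
and the sample tree are constructed for illustration.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # stream files in 1 MiB pieces so large images never load whole

# Assumption: a known-bad hash feed.  This entry is SHA-256 of b"hello\n" so the
# sample tree below matches it; a real feed carries malware hashes.
KNOWN_BAD = {"5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"}


def sha256_file(path, chunk=CHUNK):
    """Hashing tool: streamed SHA-256 of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def grep_bytes(path, pattern, chunk=CHUNK):
    """Binary search tool: file offsets of every occurrence of `pattern`.
    The last len(pattern)-1 bytes of each read are carried into the next so a
    match straddling two chunks is found, and cannot be reported twice."""
    hits, carry, base = [], b"", 0  # base = file offset of buf[0]
    keep = len(pattern) - 1
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            buf = carry + block
            start = 0
            while (i := buf.find(pattern, start)) != -1:
                hits.append(base + i)
                start = i + 1
            carry = buf[-keep:] if keep else b""
            base += len(buf) - len(carry)
    return hits


def triage(root, known_bad=KNOWN_BAD, marker=b"don"):
    """File system navigation: walk `root`, hash each regular file, flag
    known-bad hashes and files containing `marker`.  A three-byte marker is
    illustrative only; on real data it false-positives on ordinary text."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # never follow links out of the evidence tree
            digest = sha256_file(path)
            if digest in known_bad:
                findings.append((path, "known-bad hash " + digest[:12]))
            offsets = grep_bytes(path, marker)
            if offsets:
                findings.append((path, f"marker {marker!r} at offsets {offsets}"))
    return findings


def write_sample(root, relpath, data):
    """Create one file of the constructed sample tree and return its path."""
    path = os.path.join(root, relpath)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def build_sample_tree():
    """Constructed sample: one file matching the known-bad hash, one fake DLL
    carrying the marker at offset 66, one benign file."""
    root = tempfile.mkdtemp(prefix="triage-")
    write_sample(root, "readme.txt", b"hello\n")
    write_sample(root, os.path.join("tmp", "svchost.dll"),
                 b"MZ" + b"\x00" * 64 + b"don" + b"\x00" * 10)
    write_sample(root, "notes.txt", b"nothing of interest\n")
    return root


if __name__ == "__main__":
    for path, why in triage(build_sample_tree()):
        print(path, "->", why)
```

Run it against a mounted read-only image rather than the live system: the imaging tool on the slide comes first, and the rootkit slide earlier explains why a live host's answers are not trustworthy.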
21. Response Tools Available
• Multiple types
  – Operating system based
    • Windows – Microsoft
    • UNIX – multiple types
    • Macintosh
  – Environment based
  – Network based
  – Management based
• Tools used
  1. Log Parser
  2. ProDiscover
  3. TCPView
  4. Microsoft tools – if Windows
  5. TCPDump
  6. Sysinternals.com tools – if Windows
  7. Foundstone.com tools
  8. File control utilities – dd, etc.
  9. Wireshark (packet sniffer)
  10. Nmap (security) – open source network scanner
22. Understanding the Risk: The Market Value of Sensitive Data
• Trojan to steal account information: 980€-4.900€
• Credit card number with PIN: 490€
• Billing data: 78-294€
• Driver's license: 147€
• Birth certificate: 147€
• Social Security card: 98€
• Credit card number: 6€-24€
• PayPal account logon and password: 6€
23. Malware: what is it really?
• Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.
• Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, Trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software.
24. A bigger problem than we think
• Malware is now economically motivated and backed by organized crime and foreign interests
• The development of highly critical malware such as targeted attacks is also on the rise
• The level of sophistication behind malware makes it extremely difficult for traditional solutions to detect and remove
• There are many bot networks that defraud businesses and consumers through sophisticated social engineering
25. What is spyware?
• Spyware is software installed on a computer that gathers information without the user's knowledge and relays that information to advertisers or other third parties
• Several subcategories of spyware:
  – Adware
    • Advertising-supported software that displays pop-up advertisements whenever the program is running. Often collects personal information and web surfing habits
  – System monitors
    • Programs that capture everything you do on your computer, from keystrokes, emails and chat room dialogue, to which sites you visit and which programs you run
  – Trojan horses
    • Malicious programs that appear harmless but steal or destroy data or provide unauthorised external access
26. How spyware infiltrates
• People don’t purposefully and knowingly install spyware
  – Can be included with applications you want to install, such as peer-to-peer clients or desktop utilities
  – Some silently load when you visit a seemingly innocent Web page (‘The Ghost in the Browser’)
• Installed silently in the background – most users never know their computers are infected
27. Spyware threats to organizations
• Wastes computing resources
  – Sends back information periodically, often daily
  – Consumes an organisation’s bandwidth
• Exposes proprietary information
  – It could send files to a competitor’s server
  – It could monitor e-mail and send out the contents
• Poses serious security risks
  – It could send emails on behalf of the user
  – It could provide a spy or hacker with a backdoor into the systems
  – It could change documents and specifications on systems to damage research or other projects
• May introduce compliance risks
28. How botnets are used to commit financial fraud
• A bot network consists of a “controller” and compromised zombie PCs. There have been cases of bot networks containing up to 1.5 million zombie PCs, as in the Dutch botnet case
• The bots that infect systems can perform several actions, such as relaying spam, launching malware and performing ID theft
• One of the common methods of bot infection is through websites that contain exploits for browser vulnerabilities and actively transmit malware to the PC visiting the site (a drive-by download)
• Components such as ActiveX controls can also be downloaded that then deal with the rest of the infection process
• Social engineering techniques also exist to infect systems through spam, phishing and other content. Once a PC has become infected it can receive remote commands from the “bot master”
29. And they are using new methods
• Botnets are beginning to use P2P networks to gain control of more computers
• Researchers were previously able to shut down a botnet by targeting its command & control center (an IRC channel or website). Hackers are now using P2P networks to connect bots in a more “horizontal,” peer-to-peer manner, which makes shutting down the botnets much more difficult
30. The problem of keylogging
• Keyloggers are programs that run in the background recording all keystrokes and which may also send those keystrokes (potentially including passwords or confidential information) to an external party
• 2 types of keylogger programs:
  – Commercial
  – Viral (included as part of a blended threat with a worm, Trojan horse, bot, etc.)
34. Sophisticated Social Engineering
• Common social engineering techniques:
  – Spear-phishing and other highly targeted scams
  – Spam with exploits
  – Phishing emails that direct users to web sites with hidden Trojans
  – Malware through IM channels
36. Infection strategies used by hackers
• Common infection strategies used by hackers
  – A web site is physically hacked and seeded with Trojans (i.e. the Superbowl website case)
  – Phishing emails with exploits
  – Malware through IM channels
  – Malware attached to freeware and shareware
  – Malware in the form of video codecs
  – Infection through botnets
37. Overview of Targeted Attacks
• Characteristics of targeted attacks:
  – Involve “highly critical” malware tailored towards attacking a specific target (i.e. Bank of America)
  – Such malware targets a specific set of confidential information to capture and send to a third party
  – Targeted attacks typically involve a hacker hired to design malware to bypass specific defenses
  – Attacks are very localized; therefore, distribution is limited. In most cases AV labs do not receive a sample, which results in no signature file
  – Current security solutions will not detect the malware because the hacker has tested it against commonly used AV programs
  – Hackers are using sophisticated stealth techniques such as rootkits to hide the presence of malware
38. Information? Readily available!
• IT departments know about the sites... but so do all the other departments!
  – Question is… do we know who, when, where and how?
  – More importantly… do we have the means to stop it?
• Information is easy to find! (131,000,000 results returned on Google when the search term ‘How To Hack’ is used)
• Hacking tools can be easy to use
  – Some don’t require any programming skills at all! (Keyloggers can come with nice user interfaces, such as ‘The Perfect Keylogger’, with a ‘Next’, ‘Next’, ‘Next’ install!)
42. Example – Denial of Service
• You visit a web site and click on a link
• A few seconds later, many applications start to run on the computer
• You can only close the program to prevent the attack. The machine does not work
43. Example – Redirection of sites
• You connect to online banking to see your accounts
• A hostile applet sends an identical page
• You enter your credentials while a hacker is receiving them or they are being sent to an Internet directory
44. Example – Sending files in the background
• A postcard is received by email
• An applet executes an animation
• That applet is copying the last Word document and is sending it in the background to the Internet
45. Example – Harmful executables
• There is a type of attack that seems to come from known companies who invite you to install the latest security patch or Service Pack
• The executable file is a Trojan or other malicious code that puts our environment at risk
46. Example – Phishing and scam
• Pakistan Earthquake – We found the URL http://pakistanhelp.com
• We analyzed it and we saw that there were signs of phishing
• In this case, the ‘help’ options include the download of an Excel file to be sent by fax
• A real, legitimate organization would never do this….
47. Strategy: Protect every vector
• Antivirus/Antispyware
• Data Leak Prevention
• Secure Content Manager
• Firewall
• VPN
48. Strategy: Consider other approaches
• Effectiveness vs. efficiency
• SaaS approach
• UTM devices
• More than one solution will leverage your security
• Education, education, education
• Centralised management
49. THANK YOU
Modern Cyber Threats and How To Combat Them
An ISACA Panel moderated by Todd Fitzgerald
Panelists: Jack Callaghan, R. Kinney Wiliams, Ramsés Gallego