From Russia with Love - Modern Tools Used in Cyber Attacks

Post on 10-May-2015

Category:

Technology

DESCRIPTION

Cyber Attacks have come a long way since the first computer Virus "Brain" was created in 1986. This presentation looks at the changes and the consequences resulting for the state of computer security today.

TRANSCRIPT

- A note on notes: The speaker strives to keep most of his slides empty; for that reason some slides contain extensive notes at the bottom (right here). Ignore at your own peril…

copyright (2014) comForte 21 1

- Thomas Burg has an extensive background in systems programming, networking, and security. For more than 30 years, Thomas has worked with a range of computing platforms, including Windows, UNIX, and HP NonStop. Burg is Chief Technology Officer for comForte, a software vendor specializing in security, connectivity, and modernization solutions for the HP NonStop market. At comForte, he has helped guide the company’s strategic product direction and orchestrated a range of technology initiatives, such as the company’s SSL/SSH encryption suite, which was ultimately adopted by HP within the NonStop OS.

“Brain” was …
• created by a pair of programmers from Pakistan
• They did include their phone number and address in the first version (!)

In 2011, the Chief Research Officer of F-Secure (http://en.wikipedia.org/wiki/Mikko_Hypponen) travelled to Pakistan and did find the two guys, who are now working as computer professionals.

Initially, viruses were spreading through BBS systems
Eventually they started spreading through e-mail
New concepts were introduced:
• Macro language viruses (Visual Basic for Word)
• Worms (self-replicating)

Still the viruses were mostly experimental, “hacking”, “to prove something could be done”. Sometimes they were damaging already though.

New techniques for hiding and avoiding detection arrived:
• rootkits
• self-encrypting, polymorphism
• botnets

• The cost of attacks / effects on the global economy are rising
• Virus infection has become part of ‘normal’ computer business
• Most importantly, more and more viruses were simply created to make money – rather than to ‘prove something’. Hence the difference between “white hat” and “black hat” hackers.

The Zeus botnet ring of 2007 provides a good example of ‘separation of duties’ among a ring of criminals:
• “malware coders” create the malware
• “mules” launder the money
• “exploiters” get the money

Victims can be individuals, businesses, financial institutions

The geography of Zeus shows how the Internet allows attackers to target anyone from anywhere:
• malware written in Eastern Europe
• victims targeted in USA and UK

Recent breaches include Sony, RSA, New York Times, as of late 2013 Target…

The timeframe for an attack can easily be weeks or months as the attacks are “multi-staged”. (Side note: none of these techniques are new; they have been known among the security community for 10+ years.)

Note the “targeted server” – the attacker was looking for specific source code and found it. Servers (rather than user workstations) are increasingly becoming the target of attacks.

It is only the increased motivation of the attacker which made this possible.

It is still not known who was behind the RSA data breach – yet obviously the attacker had a very specific goal in mind and was clearly focused on that goal, even if this involved a ‘multi-staged’ attack.

This slide sums up the massive changes in the “attack vectors”, namely the malware often central to an attack:
• Shift from “simple” to “complex” viruses. Complex viruses are often _not_ detected by antivirus software
• Shift from “for fun”/“hacking” to commercial or state-sponsored interest

Beyond this, there is a new quality of the attacks: APT, Advanced Persistent Threats, see next slide

This presentation was intended to provide a quick overview of how the “attack landscape” has changed in the last 18 years. The author believes it is rather important to understand that today’s attacks differ radically from the usual attacks on computer systems about a decade ago: today’s attacks are more and more multi-stepped and sophisticated rather than (as in the good ol’ times) just exploiting a single weakness in the defenses.

This is _not_ to say that one should use the “head in the sand” approach.
