lifars - financial cybercrime
TRANSCRIPT
Financial Cybercrime
Ondrej KREHEL
Dusan PETRICKO
ONDREJ KREHEL, CISSP, CEH, CEI, EnCE
CEO & Founder, LIFARS LLC
DUSAN PETRICKO, CISSP, CEH
Incident Response Manager, LIFARS, LLC
Major Data Breaches Visualized
The Cost of Cybercrime
The average annualized cost of cybercrime in millions of US dollars per company across multiple sectors.
Source: Ponemon Institute
Types of Cyberattacks Experienced
Source: Ponemon Institute
Are Companies Ready?
Source: Ponemon Institute
68% of companies experienced a security breach in the past 24 months
46% of companies say another incident is imminent and could happen within the next 6 months
34% of companies said they did not have a fully functional CSIRT in place today to respond to those incidents
Organizations That Face Cyber-attacks Need To Be Prepared To Respond To Them
Not Really – The Current State of Incident Response
Current State
Investigation
Detection
Prevention
No silver bullets
“We are living in the dark ages of security”
Amit Yoran, President of RSA
Average of 7 months to discover
Limited to log data
What to do when breached?
Existing Forensics Tools
Highly complicated – requires a dedicated team of experts
Too slow – precious time wasted gluing bits and bytes
Limited history – 100+ TB to store a single day of a 10G network
What’s Holding The Security Team Back?
Still In The Dark
Only large enterprises can afford it
Only a few “gurus” can operate it
Only 5% of alerts are being investigated
Costs: expensive – show boxes
Key Element of Most Cyberattacks
Social Engineering Lifecycle
Source: McAfee Labs
What Types of Attacks Do Financial Institutions Face?
• Cyber Fraud
• Targeted Attacks (APT)
What is APT?
• Advanced
  • Attacker is an advanced adversary
• Persistent
  • Attacker is heavily focused on the target – sniper style
• Threat
  • Toolkits used are mainstream, however modified to perfection
• Most attacks are targeted and very specific
Major APT Campaigns
APT Lifecycle
Case Study: AlienSpy at Wall Street
AlienSpy: Hacking-as-a-Service Evolved
• Hacking-as-a-Service platform
• Plans starting at $19.99
• Highly customer-oriented, easy-to-use tool
• Allowed anyone to perform sophisticated attacks
• Evolved over time from Frutas > Adwind > Unrecom
• AlienSpy malware adopted by organized cybercrime gangs
AlienSpy Interface
• Easy to navigate and very user-friendly AlienSpy interface makes it a very attractive and easy-to-use tool (even for non-tech savvy criminals)
https://www.youtube.com/watch?v=k3oZEJyWHBw
Evolution of the AlienSpy RAT
AlienSpy: Adoption by APT Groups
• AlienSpy RAT heavily obfuscated using well-known tools and cannot be detected by antiviruses
• Distributed by well-crafted spear phishing campaigns
• Used in attacks against well-known global money transfer firms
• Often multiple attackers detected inside their systems at the same time
Spear Phishing Example
• Real phishing email example
• Discovered leaked on PasteBin
Observed AlienSpy Attack Process
Observed AlienSpy Forensic Analysis
Observed AlienSpy Forensic Analysis
Observed AlienSpy Forensic Analysis
• Obfuscated files cannot be detected by antiviruses
• TRE.jar – unobfuscated payload
Observed AlienSpy Forensic Analysis
• Malware loaded into memory
• AlienSpy malware loaded from the buffer
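The forensic finding above (an obfuscated dropper that carries an unobfuscated payload JAR and unpacks it into memory) suggests a simple triage check a responder can run on a suspicious JAR before handing it to a full malware analyst. The script below is an added example, not LIFARS code and not an AlienSpy signature: it walks a JAR, records the Main-Class, and flags nested archives (a payload such as the TRE.jar named on the slide stored as a resource), class files hidden under a non-.class name, and high-entropy blobs that may be decrypted at run time. The heuristics, the 7.5 bits/byte threshold, and the sample dropper it builds are all constructed for this example.

```python
"""Triage helper for JAR-based droppers (added example, not LIFARS code).

Flags the artifacts a responder would want to pull out of a loader JAR:
nested archives, disguised class files and high-entropy resources. The
thresholds and the sample JAR are assumptions made for this illustration.
"""
import io
import math
import zipfile
from collections import Counter

ARCHIVE_MAGIC = b"PK\x03\x04"      # start of a ZIP/JAR local file header
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # Java class file magic
HIGH_ENTROPY = 7.5                 # bits/byte; assumed cut-off for packed/encrypted data
MIN_BLOB_SIZE = 256                # ignore tiny entries when judging entropy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the input (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_jar(jar_bytes: bytes) -> dict:
    """Return the Main-Class plus lists of suspicious entries found in a JAR."""
    findings = {"main_class": None, "nested_archives": [],
                "disguised_classes": [], "high_entropy": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            data = jar.read(info)  # decompressed entry contents
            if info.filename == "META-INF/MANIFEST.MF":
                for line in data.decode("utf-8", "replace").splitlines():
                    if line.startswith("Main-Class:"):
                        findings["main_class"] = line.split(":", 1)[1].strip()
                continue
            if data.startswith(ARCHIVE_MAGIC):
                # A JAR inside the JAR: a payload the loader can unpack in memory.
                findings["nested_archives"].append(info.filename)
            elif data.startswith(CLASS_MAGIC) and not info.filename.endswith(".class"):
                # Bytecode stored under a resource name, hidden from a casual listing.
                findings["disguised_classes"].append(info.filename)
            elif len(data) >= MIN_BLOB_SIZE and shannon_entropy(data) >= HIGH_ENTROPY:
                # Opaque blob; candidate for an encrypted stage decrypted at run time.
                findings["high_entropy"].append(info.filename)
    return findings


def build_sample_dropper() -> bytes:
    """Constructed sample: a loader JAR carrying a nested payload JAR, a class
    file disguised as a resource, and a deterministic high-entropy blob.
    The class files are stubs (magic + zeros), not real bytecode."""
    stub_class = CLASS_MAGIC + b"\x00\x00\x00\x34"
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Payload\n")
        z.writestr("Payload.class", stub_class + b"\x00" * 16)
    # Deterministic pseudo-random bytes from a linear congruential generator
    # (constructed data standing in for an encrypted resource).
    x, blob = 12345, bytearray()
    for _ in range(4096):
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        blob.append((x >> 16) & 0xFF)
    loader = io.BytesIO()
    with zipfile.ZipFile(loader, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: a.b.Loader\n")
        z.writestr("a/b/Loader.class", stub_class + b"\x00" * 64)
        z.writestr("a/b/res.dat", stub_class + b"\x00" * 8)      # disguised class
        z.writestr("a/b/TRE.jar", payload.getvalue())             # nested payload JAR
        z.writestr("a/b/cfg.bin", bytes(blob))                    # high-entropy blob
    return loader.getvalue()


if __name__ == "__main__":
    for key, value in triage_jar(build_sample_dropper()).items():
        print(f"{key}: {value}")
```

Each flagged entry can be extracted with `ZipFile.read()` and examined on its own, which is how the unobfuscated payload becomes visible without waiting for an antivirus signature. The entropy check is a coarse heuristic: legitimately compressed resources (images, already-deflated data) also score high, so treat it as a prompt for a closer look rather than a verdict.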
Cost to the Victim
• A global money-transfer company present in over 100 countries was attacked by up to 15 parallel attackers
• Average loss – $28,000/month per attacker
• Overall losses in excess of $5 million annually
The Worst Part?
AlienSpy is not alone – there are many others:
How to Handle Breaches?
Next-Gen Incident Response
• Time = money
• Use of Next-Gen automation tools to speed up the IR process
• Specialized external teams help reduce costs and increase effectiveness of response
• Taking down advanced threats of today requires military-style “cybersnipers”
Incident Response Lifecycle:
Q&A
For cybersecurity news, sign up for our weekly newsletter: LIFARS.com/cybernews